[Federal Register Volume 73, Number 226 (Friday, November 21, 2008)]
[Rules and Regulations]
[Pages 70732-70814]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-27475]



-----------------------------------------------------------------------

Part III

Department of Health and Human Services

-----------------------------------------------------------------------

42 CFR Part 3

Patient Safety and Quality Improvement; Final Rule

-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

42 CFR Part 3

RIN 0919-AA01


Patient Safety and Quality Improvement

AGENCY: Agency for Healthcare Research and Quality, Office for Civil 
Rights, Department of Health and Human Services.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Secretary of Health and Human Services is adopting rules 
to implement certain aspects of the Patient Safety and Quality 
Improvement Act of 2005, Pub. L. 109-41, 42 U.S.C. 299b-21--b-26 
(Patient Safety Act). The final rule establishes a framework by which 
hospitals, doctors, and other health care providers may voluntarily 
report information to Patient Safety Organizations (PSOs), on a 
privileged and confidential basis, for the aggregation and analysis of 
patient safety events.
    The final rule outlines the requirements that entities must meet to 
become PSOs and the processes by which the Secretary will review and 
accept certifications and list PSOs. It also describes the privilege 
and confidentiality protections for the information that is assembled 
and developed by providers and PSOs, the exceptions to these privilege 
and confidentiality protections, and the procedures for the imposition 
of civil money penalties for the knowing or reckless impermissible 
disclosure of patient safety work product.

DATES: The final rule is effective on January 19, 2009.

FOR FURTHER INFORMATION CONTACT: Susan Grinder, Agency for Healthcare 
Research and Quality, 540 Gaither Road, Rockville, MD 20850, 
(301) 427-1111 or (866) 403-3697.

SUPPLEMENTARY INFORMATION: On February 12, 2008, the Department of 
Health and Human Services (HHS) published a Notice of Proposed 
Rulemaking (proposed rule) at 73 FR 8112 proposing to implement the 
Patient Safety Act. The comment period closed on April 14, 2008. 
One-hundred-sixty-one comments were received during the comment period.

I. Background

Statutory Background

    This final rule establishes the authorities, processes, and rules 
necessary to implement the Patient Safety Act that amended the Public 
Health Service Act (42 U.S.C. 299 et seq.) by inserting new sections 
921 through 926, 42 U.S.C. 299b-21 through 299b-26.\1\ The Patient 
Safety Act focuses on creating a voluntary program through which health 
care providers can share information relating to patient safety events 
with PSOs, with the aim of improving patient safety and the quality of 
care nationwide. The statute attaches privilege and confidentiality 
protections to this information, termed ``patient safety work 
product,'' to encourage providers to share this information without 
fear of liability and creates PSOs to receive this protected 
information and analyze patient safety events. These protections will 
enable all health care providers, including multi-facility health care 
systems, to share data within a protected legal environment, both 
within and across states, without the threat that the information will 
be used against the subject providers.
---------------------------------------------------------------------------

    \1\ All citations to provisions in the Patient Safety Act will 
be to the sections in the Public Health Service Act or to its 
location in the U.S. Code.
---------------------------------------------------------------------------

    However, we note that section 922(g)(2) of the Public Health 
Service Act is quite specific that these protections do not relieve a 
provider from its obligation to comply with other Federal, State, or 
local laws pertaining to information that is not privileged or 
confidential under the Patient Safety Act: section 922(g)(5) of the 
Public Health Service Act states that the Patient Safety Act does not 
affect any State law requiring a provider to report information that is 
not patient safety work product. The fact that information is 
collected, developed, or analyzed under the protections of the Patient 
Safety Act does not shield a provider from needing to undertake similar 
activities, if applicable, outside the ambit of the statute, so that 
the provider can meet its obligations with non-patient safety work 
product. The Patient Safety Act, while precluding other organizations 
and entities from requiring providers to provide them with patient 
safety work product, recognizes that the original records underlying 
patient safety work product remain available in most instances for the 
providers to meet these other reporting requirements.
    We note also that the Patient Safety Act references the Standards 
for the Privacy of Individually Identifiable Health Information under 
the Health Insurance Portability and Accountability Act of 1996 (HIPAA 
Privacy Rule), 45 CFR parts 160 and 164. Many health care providers 
participating in this program will be covered entities under the HIPAA 
Privacy Rule and will be required to comply with the HIPAA Privacy Rule 
when they disclose patient safety work product that contains protected 
health information. The Patient Safety Act is clear that it is not 
intended to interfere with the implementation of any provision of the 
HIPAA Privacy Rule. See 42 U.S.C. 299b-22(g)(3). The statute also 
provides that civil money penalties cannot be imposed under both the 
Patient Safety Act and the HIPAA Privacy Rule for a single violation. 
See 42 U.S.C. 299b-22(f). In addition, the statute states that PSOs 
shall be treated as business associates, and patient safety activities 
are deemed to be health care operations under the HIPAA Privacy Rule. 
See 42 U.S.C. 299b and 299-22(i). Since patient safety activities are 
deemed to be health care operations, the HIPAA Privacy Rule does not 
require covered providers to obtain patient authorizations to disclose 
patient safety work product containing protected health information to 
PSOs. Additionally, as business associates of providers, PSOs must 
abide by the terms of their HIPAA business associate contracts, which 
require them to notify the provider of any impermissible use or 
disclosure of the protected health information of which they are aware. 
See 45 CFR 164.504(e)(2)(ii)(C).

II. Overview of the Proposed and Final Rules

A. The Proposed Rule

    The proposed rule sought to implement the Patient Safety Act to 
create a voluntary system through which providers could share sensitive 
information relating to patient safety events without fear of 
liability, which should lead to improvements in patient safety and in 
the quality of patient care. The proposal reflected an approach to the 
implementation of the Patient Safety Act intended to ensure adequate 
flexibility within the bounds of the statutory provisions and to 
encourage providers to participate in this voluntary program. The 
proposed rule emphasized that this program is not federally funded and 
will be put into operation by the providers and PSOs that wish to 
participate with little direct federal involvement. However, the 
process for certification and listing of PSOs will be implemented and 
overseen by the Agency for Healthcare Research and Quality (AHRQ), 
while compliance with the confidentiality provisions will be 
investigated and enforced by the Office for Civil Rights (OCR).
    Subpart A of the proposed rule set forth the definitions of 
essential terms, such as patient safety work product, patient safety 
evaluation system, 
and PSO. In order to facilitate the sharing of patient safety work 
product and the analysis of patient safety events, Subpart B of the 
proposed rule implemented the statutory requirements for the listing of 
PSOs, the entities that will offer their expert advice in analyzing the 
patient safety events and other information they collect or develop to 
provide feedback and recommendations to providers. The proposed rule 
established the criteria and set forth a process for certification and 
listing of PSOs and described how the Secretary would review, accept, 
condition, deny, or revoke certifications for listing and continued 
listing of entities as PSOs.
    Based on the statutory mandates in the Patient Safety Act, Subpart 
C of the proposed rule set forth the privilege and confidentiality 
protections that attach to patient safety work product; it also set 
forth the exceptions to these protections. The proposed rule provided 
that patient safety work product generally continues to be protected as 
privileged and confidential following a disclosure and set certain 
limitations on redisclosure of patient safety work product.
    Subpart D of the proposed rule established a framework to enable 
the Secretary to monitor and ensure compliance with this Part, a 
process for imposing a civil money penalty for breach of the 
confidentiality provisions, and procedures for a hearing contesting the 
imposition of a civil money penalty. These provisions were modeled 
largely on the HIPAA Enforcement Rule at 45 CFR part 160, subparts C, D 
and E.

B. The Final Rule

    We received over 150 comments on the proposed rule from a variety 
of entities, including small providers and large institutional 
providers, hospital associations, medical associations, accrediting 
bodies, medical liability insurers, and state and federal agencies. 
Many of the commenters expressed support for the proposed rule and the 
protections it granted to sensitive information related to patient 
safety events.
    Based upon the comments received, the final rule adopts most of the 
provisions of the proposed rule without modification; however, several 
significant changes to certain provisions of the proposed rule have 
been made in response to these comments. Changes to Subpart A include 
the addition of a definition of affiliated provider. The definitions of 
component organization, parent organization, and provider were modified 
for clarity, and the definition of disclosure was modified to clarify 
that the sharing of patient safety work product, between a component 
PSO and the entity of which it is a part, qualifies as a disclosure, 
while the sharing of patient safety work product between a physician 
with staff privileges and the entity with which it holds privileges is 
not a disclosure. We have also modified the definition of patient 
safety work product to include information that, while not yet reported 
to a PSO, is documented as being within a provider's patient safety 
evaluation system and that will be reported to a PSO. This modification 
allows for providers to voluntarily remove, and document the removal 
of, information from the patient safety evaluation system that has not 
yet been reported to a PSO, in which case, the information is no longer 
patient safety work product.
    The most significant modifications to Subpart B include the 
following. With respect to the listing of PSOs, we have broadened the 
list of excluded entities at Sec.  3.102(a)(2)(ii), required PSOs at 
Sec.  3.102(b)(1)(i)(B) to notify reporting providers of inappropriate 
disclosures or security breaches related to the information they 
reported, specified compliance with the requirement regarding the 
collection of patient safety work product in Sec.  3.102(b)(2)(iii), 
eliminated the requirements for separate information systems and 
restrictions on shared staff for most component PSOs but added 
additional restrictions and limitations for PSOs that are components of 
excluded entities at Sec.  3.102(c), and narrowed and clarified the 
disclosure requirements that PSOs must file regarding contracting 
providers with whom they have additional relationships at Sec.  
3.102(d)(2). We have modified the security requirement to provide 
flexibility for PSOs to determine whether to maintain patient safety 
work product separately from unprotected information. The final rule 
includes a new expedited revocation process at Sec.  3.108(e) for 
exceptional circumstances that require prompt action, and eliminates 
implied voluntary relinquishment, providing instead in Sec.  3.104(e) 
that a PSO's listing automatically expires at the end of three years, 
unless it is revoked for cause, voluntarily relinquished, or its 
certifications for continued listing are approved.
    Changes to proposed Subpart C include the addition of language in 
Sec.  3.206(b)(2) that requires a reporter seeking equitable relief to 
obtain a protective order to protect the confidentiality of patient 
safety work product during the course of the proceedings. Proposed 
Sec.  3.206(b)(4) has been amended to allow disclosures of 
identifiable, non-anonymized patient safety work product among 
affiliated providers for patient safety activities. In addition, 
proposed Sec.  3.206(b)(7) has been modified to make clear that the 
provision permits disclosures to and among FDA, entities required to 
report to FDA, and their contractors. We also have modified proposed 
Sec.  3.206(b)(8) to require providers voluntarily disclosing patient 
safety work product to accrediting bodies either to obtain the 
agreement of identified non-disclosing providers or to anonymize the 
information with respect to the non-disclosing providers prior to 
disclosure. Finally, we modified Sec. Sec.  3.204(c), 3.206(d), and 
3.210 to allow disclosures of patient safety work product to or by the 
Secretary for the purposes of determining compliance with not only the 
Patient Safety Act, but also the HIPAA Privacy Rule.
    In Subpart D, we adopt the proposed provisions except, where 
reference was made in the proposed rule to provisions of the HIPAA 
Privacy Rule, the final rule includes the text of such provisions for 
convenience of the reader.
    We describe more fully these provisions, the comments received, and 
our responses to these comments in the section-by-section description 
of the final rule below.

III. Section-by-Section Description of Final Rule and Response to 
Comments

A. Subpart A--General Provisions

1. Section 3.10--Purpose
    Proposed Rule: Proposed Sec.  3.10 provided that the purpose of 
proposed Part 3 is to implement the Patient Safety and Quality 
Improvement Act of 2005 (Pub. L. 109-41), which amended the Public 
Health Service Act (42 U.S.C. 299 et seq.) by inserting new sections 
921 through 926, 42 U.S.C. 299b-21 through 299b-26.
    Overview of Public Comments: No comments were received pertaining 
to this section.
    Final Rule: The Department adopts the proposed provision without 
modification.
2. Section 3.20--Definitions
    Proposed Rule: Proposed Sec.  3.20 provided for definitions 
applicable to Part 3. Some definitions were restatements of the 
definitions at section 921 of the Public Health Service Act, 42 U.S.C. 
299b-21, and other definitions were provided for convenience or to 
clarify the application and operation of the proposed rule.
    Overview of Public Comments: With respect to the definitions for 
AHRQ, ALJ, Board, complainant, component PSO, confidentiality 
provisions, entity, group health plan, health maintenance organization, 
HHS, HIPAA Privacy Rule, identifiable patient safety work product, 
nonidentifiable patient safety work product, OCR, Patient Safety Act, 
patient safety activities, patient safety organization, person, 
research, respondent, responsible person, and workforce, we received no 
comments.
    We received a number of comments on the various other definitions 
and these comments will be addressed below in reference to the specific 
term.
    Final Rule: The Department adopts the above definitions as 
proposed. Certain definitions were added for convenience or clarity of 
the reader.
Response to Public Comments
    Comment: Commenters requested definitions for accrediting body, 
reporter, redisclosure, impermissible disclosure, use, evaluation and 
demonstration projects, and legislatively created PSO.
    Response: The Department does not agree that the additional 
definitions requested by commenters are necessary. Some definitions 
requested have generally accepted meanings and we do not believe there 
is benefit in imposing more limitations on such terms. Some terms such 
as legislatively created PSO are not used within the final rule. Other 
terms such as impermissible disclosure, use, and reporter are readily 
understood from the context of the final rule and do not need 
definitions.
(A) Section 3.20--New Definition of Affiliated Provider
    Final Rule: The proposed rule did not include a definition for 
affiliated provider. The Department adopts the term affiliated provider 
to mean, with respect to a provider, a legally separate provider that 
is the parent organization of the provider, is under common ownership, 
management, or control with the provider, or is owned, managed, or 
controlled by the provider. The Department includes this term to 
identify to whom patient safety work product may be disclosed pursuant 
to a clarification of the disclosure permission for patient safety 
activities.
    Overview of Comments: Several commenters were concerned about 
limitations of disclosures for patient safety activities among 
providers. Commenters raised concerns that limitations may inhibit the 
sharing and learning among providers of the analysis of patient safety 
events. Other commenters viewed the disclosure limitations as 
restricting a provider's use of its own data. These comments are 
addressed more fully below as part of the discussion of the patient 
safety activities disclosure permission.
(B) Section 3.20--Definition of Bona Fide Contract
    Proposed Rule: Proposed Sec.  3.20 provided that bona fide contract 
would mean a written contract between a provider and a PSO that is 
executed in good faith or a written agreement between a Federal, State, 
local, or Tribal provider and a Federal, State, local, or Tribal PSO.
    Overview of Public Comments: One comment was received noting that 
``good faith'' need not be a part of a bona fide contract.
    Final Rule: Because meeting the minimum contract requirement is 
essential for a PSO to remain listed by the Secretary, the Department 
believes that the requirement that contracts be entered in good 
faith should be retained. We also note that Federal, State, local or 
Tribal providers are free to enter into an agreement with any PSO that 
would serve their needs; thus, they can enter bona fide contracts with 
PSOs pursuant to paragraph (1) of the definition, or enter comparable 
arrangements with a Federal, State, local or Tribal PSO pursuant to 
paragraph (2). The Department adopts the proposed provision without 
modification.
(C) Section 3.20--Definition of Component Organization
    Proposed Rule: Proposed Sec.  3.20 provided that component 
organization would mean an entity that is either: (a) A unit or 
division of a corporate organization or of a multi-organizational 
enterprise; or (b) a separate organization, whether incorporated or 
not, that is owned, managed or controlled by one or more other 
organizations, i.e., its parent organization(s). Because this 
definition used terms in a manner that was broader than traditional 
usage, the proposed rule sought comment on whether it was appropriate 
for purposes of the regulation to consider a subsidiary, an otherwise 
legally independent entity, as a component organization.
    With respect to the terms ``owned, managed, or controlled,'' the 
preamble directed readers to our description of these concepts in our 
discussion of the term ``parent organization.'' The preamble to the 
proposed rule discussed the various ways that an organization may be 
controlled by others. In particular, there was a discussion of 
multi-organizational enterprises and the variety of management relationships 
or forms of control that such enterprises can create that might impact 
component entities. The preamble also discussed the traditional meaning 
of subsidiaries as being separate legal entities and, therefore, not 
within the ordinary meaning of the term ``component.'' However, the 
approach of the proposed rule was to express the Department's intention 
to encourage all forms of PSO organizational arrangements including the 
ownership of PSOs as subsidiaries. At the same time, we wanted to be 
able to accurately determine and to indicate to providers which PSOs 
should be considered components of other entities and the identity of a 
component PSO's parent organization. We explained our intent was not to 
limit our approach to corporate forms of organizations.
    Overview of Public Comments: The majority of commenters supported 
our proposal to consider subsidiaries as component organizations for 
the purposes of this rule. Several commenters sought reassurance that 
our interpretation does not impose additional legal liability on the 
parent organization.
    Concern was expressed that our approach suggested an over-reliance 
on the corporate model and the definition needed to reflect other types 
of legally recognized entities. One comment reflected concern that our 
reference to ``multi-organizational enterprise'' in the definition was 
unnecessarily confusing because it was not commonly used. Another 
commenter disagreed with our approach entirely, arguing that the scope 
of our definition was overly broad and unnecessary.
    Final Rule: The final rule now defines ``component organization'' 
to mean an entity that: ``(1) is a unit or division of a legal entity 
(including a corporation, partnership, or a Federal, State, local or 
Tribal agency or organization); or
    (2) Is owned, managed, or controlled by one or more legally 
separate parent organizations.''
    The definition of component organization is intended to be read 
with a focus on management or control by others as its defining 
feature. The definition must be read in conjunction with the 
complementary definition of ``parent organization.'' While our approach 
remains little changed, we have rearranged and streamlined the text of 
the definition of component in response to the comments and concerns we 
received on it. For example, there is no longer an explicit reference 
in the definition of component to multi-organizational enterprises, 
which are undertakings with separate corporations or organizations that 
are integrated in a common business activity. The revised 
definition, however, is sufficiently broad to apply to components of 
such enterprises. In response to concerns that the earlier definition 
was too focused on corporate organizations, we have incorporated an 
explicit reference to ``other legal entities'' besides corporations. In 
addition, specific references have been added to more clearly 
accommodate possible organizational relationships of public agencies, 
such as the Department of Defense (DoD), Department of Veterans Affairs 
(VA), the Indian Health Service (IHS), and other State, local, and 
Tribal organizations that manage or deliver health care services.
    In the scenario envisioned by the first prong of the definition, 
the legal entity is a parent organization and the component 
organization is a unit or division within the parent organization. An 
underlying assumption of the modified paragraph (1) is that a unit or 
division of a legal entity may be managed or controlled by one or more 
parent organizations. Consistent with this paragraph, a component PSO 
may be managed or controlled by the legal entity of which it is a part 
or by another unit or division of that entity. It could also be 
controlled by a legally separate entity under the second paragraph of 
the definition.
    The first prong of the definition encompasses a component PSO that 
is a unit of a governmental agency that is a legal entity. This could 
include a component organization managed by another division of such a 
governmental agency, e.g., a health care division of VA or DoD. Thus, a 
component PSO could be a unit or component of a Federal agency that is 
a legal entity and it could at the same time be a component of another 
unit or division of that agency which controls and directs or manages 
its operation. So too in the private sector, a component PSO could have 
more than one parent and thus be a component, for example, of a 
professional society as well as a component of the unit or division of 
the professional society that controls or manages the PSO.
    The second prong of the definition addresses a variety of 
organizational relationships that could arise between component PSOs 
and legally separate parent organizations that manage or control them. 
Under paragraph (2), a subsidiary PSO could be managed or controlled by 
its legally separate parent organization. In addition, we note that a 
component PSO could be managed or controlled by another unit or 
division of its legally separate parent, e.g., if this unit or division 
uses its knowledge and skills to control or manage certain aspects of 
the component's operations. If that occurs, we would consider the 
sibling subsidiary that exercises control or management over the PSO as 
another parent organization of the PSO.
    Obtaining the identity and contact information of an entity's 
parent organizations is useful for the purpose of letting providers 
know who may be managing or controlling a PSO. This information also 
will be useful in implementing the certification and listing process 
for PSOs described in the rule which, for instance, excludes any health 
insurance issuer from becoming a PSO and excludes a component of a 
health insurance issuer from becoming a PSO.
    In response to commenters concerned about the legal liability for 
parent organizations of component PSOs, we note that the preamble to 
the proposed rule stated as follows: ``We stress that neither the 
statute nor the proposed regulation imposes any legal responsibilities, 
obligations, or liability on the organization(s) of which it [the PSO] 
is a part.'' The Department reaffirms its position. At the same time, 
we note that the rule, at Sec.  3.402(b), recognizes, provides for, and 
does not alter the liability of principals based on Federal common law.
Response to Other Public Comments
    Comment: One concern that was expressed by several commenters 
pertained to whether or not a health system that has a component or 
subsidiary health insurance issuer, e.g., a group health plan offered 
to the public, would be precluded from having a component PSO as well.
    Response: So long as the component health insurance issuer does not 
come within the definition of a parent organization of the PSO, i.e., 
own a controlling or majority interest in, manage, or control the 
health system's component PSO (i.e., the PSO would not be a component 
of the health insurance issuer), the parent health system could 
establish a component PSO.
    Comment: It was asserted that including subsidiaries as components 
would require a PSO that is not controlled by another parent 
organization, but itself has a subsidiary, to seek listing as a 
component PSO.
    Response: The revised definition of component organization 
emphasizes that a component is an organization that is controlled by 
another entity. It is not the Department's intention to require a PSO 
that is not controlled by another entity to seek listing as a component 
PSO. For this reason, the fact that a PSO has a subsidiary does not 
trigger the requirement to seek listing as a component organization.
    Comment: It was suggested that the inclusion of subsidiaries within 
the meaning of component would require a health system that wished to 
create a PSO to create it as a component.
    Response: There are several issues that a health system needs to 
consider in determining whether and how to create a PSO, but the 
inclusion of subsidiary within the meaning of component is not 
necessarily determinative. The statute requires the improvement of 
quality and patient safety to be the primary activity of the entity 
seeking listing. Since few multifaceted health system organizations 
will meet this requirement, existing organizations will have an 
incentive to create single-purpose component organizations that clearly 
meet the requirement. The second issue is whether to create a PSO as an 
internal component organization or as a separate legal entity. Because 
the final rule requires each PSO to enter two contracts, provider 
organizations may find it useful for its component PSO to be a separate 
legal entity. Otherwise, the component PSO may be precluded from 
contracting with its parent organization.
    Comment: There was a request for a definition of ``own'' with a 
suggestion for reference to Internal Revenue Code 26 I.R.C. Sec.  1563 
to clarify its meaning and the meaning of having a controlling 
interest. This same commenter sought strong separation requirements 
between a component PSO and any parent organization.
    Response: We have reviewed the cited regulation but conclude that 
the approach presented is unlikely to clarify the meaning of ``own'' or 
``having a controlling interest'' for purposes of the regulation. 
Accordingly, the definition of component in the final rule will use the 
term ``owns,'' but it should be read in conjunction with the phrase 
``owns a controlling or majority interest in'' that is used in the 
related definition of ``parent organization.'' This will indicate that 
the definition of component uses the term ``owns'' to mean having a 
sufficient ownership interest to control or manage a PSO. The holder of 
a controlling or majority interest in the entity seeking to be listed 
should be identified as a parent organization.
    Comment: Components of government entities should not be listed as 
PSOs.
    Response: The Patient Safety Act specifically permits public sector 
entities, and components of public sector entities, to seek listing as 
a PSO. We have incorporated several exclusions, however, of entities 
with regulatory authority and those administering mandatory state 
reporting 
programs because these activities are incompatible with fostering a 
non-punitive culture of safety among providers. As we explain in Sec.  
3.102(a)(2)(ii), we conclude that it is not necessary to exclude 
components of such entities but have adopted additional restrictions 
and requirements in Sec.  3.102(c) for such component entities.
(D) Section 3.20--Definition of Disclosure
    Proposed Rule: Proposed Sec.  3.20 provided that disclosure would 
mean the release, transfer, provision of access to, or divulging in any 
other manner of patient safety work product by a person holding patient 
safety work product to another person.
    We did not generally propose to regulate uses of patient safety 
work product within an entity, i.e., when this information is exchanged 
or shared among the workforce members of an entity. We believe that 
regulating uses within providers and PSOs would be unnecessarily 
intrusive given the voluntary aspect of participation with a PSO. We 
believe that regulating uses would not further the statutory goal of 
facilitating the sharing of patient safety work product with PSOs and 
that sufficient incentives exist for providers and PSOs to prudently 
manage the internal sharing of sensitive patient safety work product. 
However, based on the statutory provision, we did propose that we would 
recognize as a disclosure the sharing of patient safety work product 
between a component PSO and the organization of which it is a 
component. Such sharing would, absent the statutory provision and the 
proposed regulation, be a use within the larger organization because 
the component PSO is not a separate entity. The Patient Safety Act 
supports this position by demonstrating a strong desire for the 
protection of patient safety work product from the rest of the 
organization of which the PSO is a part. We sought public comment on 
whether the decision to not regulate uses was appropriate.
    The proposed rule discussed that sharing patient safety work 
product with a contractor that is under the direct control of an 
entity, i.e., a workforce member, would not be a disclosure, but rather 
a use within the entity. However, sharing patient safety work product 
with an independent contractor would be a disclosure requiring an 
applicable disclosure permission.
    Overview of Public Comments: Some commenters supported the proposed 
definition of disclosure. No commenters opposed the proposed definition 
or requested further clarification.
    Most commenters that responded to the question whether uses of 
patient safety work product should be regulated supported the decision 
not to regulate uses. Those commenters agreed that regulating uses 
would be overly intrusive without significant benefit and that entities 
are free to enter into agreements with greater protections. Other 
commenters disagreed with the Department's proposal and stated that 
regulation of uses would improve confidentiality and thereby increase 
provider participation.
    No commenters opposed the proposal that sharing of patient safety 
work product from a component PSO to the rest of the parent entity of 
which it is a part would be a disclosure for purposes of enforcement 
rather than a use internal to the entity.
    Final Rule: The Department adopts the provision with modifications. 
In general, the modified definition of disclosure means the release of, 
transfer of, provision of access to, or divulging in any other manner 
of, patient safety work product by an entity or natural person holding 
the patient safety work product to another legally separate entity or 
natural person, other than a workforce member of, or a physician 
holding privileges with, the entity holding the patient safety work 
product. Additionally, we have defined as a disclosure the release of, 
transfer of, provision of access to, or divulging in any other manner 
of, patient safety work product by a component PSO to another entity or 
natural person outside the component PSO.
    We have modified the language for clarity to distinguish the 
actions that are a disclosure for a natural person and an entity, 
separately. We have also included language in the definition that makes 
clear that sharing of patient safety work product from a component PSO 
to the entity of which it is a part is a disclosure even though the 
disclosure would be internal to an entity and generally permitted. 
Finally, we have added language to clearly indicate that the sharing of 
patient safety work product between a health care provider with 
privileges and the entity with which it holds privileges does not 
constitute a disclosure, consistent with the treatment of patient 
safety work product shared among workforce members.
Response to Other Public Comments
    Comment: Commenters asked that the Department clarify the terms 
``disclosure'' and ``use''. Commenters stated that the terms were used 
interchangeably and this caused confusion.
    Response: The term ``disclosure'' describes the scope of the 
confidentiality protections and the manner in which patient safety work 
product may be shared. ``Disclosure'' is also employed by the Patient 
Safety Act when describing the assessment of civil money penalties for 
the failure to maintain confidentiality (see 42 U.S.C. 299b-22(f)(1)). 
Although the Patient Safety Act employs the term ``use'' in several 
provisions, we did not interpret those provisions to include a 
restriction on the use of patient safety work product based on the 
confidentiality protections.
    Because the focus of the proposed rule was on disclosures, we did 
not believe that defining the term ``use'' was helpful; nor did we 
believe the terms would be confusing. Use of patient safety work 
product is the sharing within a legal entity, such as between members 
of the workforce, which is not a disclosure. By contrast, a disclosure 
is the sharing or release of information outside of the entity for 
which a specific disclosure permission must be applicable.
    Comment: One commenter requested clarification regarding the 
sharing of patient safety work product among legally separate 
participants that join to form a single joint venture component PSO.
    Response: The Department distinguishes between the disclosure of 
patient safety work product between legal entities and the use of 
patient safety work product internal to a single legal entity. If a 
component PSO is part of a multi-organizational enterprise, uses of 
patient safety work product internal to the component PSO are not 
regulated by this final rule, but sharing of patient safety work 
product between the component PSO and another entity or with a parent 
organization is considered a disclosure for which a disclosure 
permission must apply.
    Comment: One commenter raised concerns that the final rule would 
restrict a provider's use of its own data and thereby discourage 
collaboration with other care givers.
    Response: The Department believes that the final rule balances the 
interests between the privacy of identified providers, patients and 
reporters and the need to aggregate and share patient safety work 
product to improve patient safety among all providers. The final rule 
does not limit the sharing of patient safety work product within an 
entity and permits sharing among providers under certain conditions. 
Affiliated

[[Page 70737]]

providers may share patient safety work product for patient safety 
activities and non-affiliated providers may share anonymized patient 
safety work product. A provider may also share patient safety work 
product with a health care provider that has privileges to practice at 
the provider facility. Further, if all identified providers are in 
agreement regarding the need to share identifiable patient safety work 
product, each provider may authorize and thereby permit a disclosure.
    Comment: Several commenters asked whether uses were restricted 
based upon the purpose for which the patient safety work product is 
being shared internally.
    Response: The final rule does not limit the purpose for which 
patient safety work product may be shared internal to an entity. 
Entities should consider the extent to which sensitive patient safety 
work product is available to members of their workforce as a good 
business practice.
(E) Section 3.20--Definition of Entity
    Proposed Rule: Proposed Sec.  3.20 provided that entity would mean 
any organization or organizational unit, regardless of whether the 
entity is public, private, for-profit, or not-for-profit.
    Overview of Public Comments: One comment was received suggesting 
that the terms ``governmental'' or ``body politic'' should be added to 
clarify that the term ``public'' includes Federal, State, or local 
government as well as public corporations.
    Final Rule: The term ``public'' has long been used throughout Title 
42 of the Code of Federal Regulations as encompassing governmental 
agencies; therefore we do not believe that the addition is necessary. 
The Department adopts the proposed provision without modification.
(F) Section 3.20--Definition of Health Insurance Issuer
    Proposed Rule: Proposed Sec.  3.20 provided that health insurance 
issuer would mean an insurance company, insurance service, or insurance 
organization (including a health maintenance organization, as defined 
in 42 U.S.C. 300gg-91(b)(3)) which is licensed to engage in the 
business of insurance in a State and which is subject to State law 
which regulates insurance (within the meaning of 29 U.S.C. 1144(b)(2)). 
The definition specifically excluded group health plans from the 
meaning of the term.
    Overview of Public Comments: Several commenters expressed concern 
that the Department needed to be vigilant in its exclusion of health 
insurance issuers and components of health insurance issuers, urging 
that HHS clearly define health insurance issuers in the final rule. 
Another commenter sought clarification regarding risk management 
service companies, i.e., those that offer professional liability 
insurance, reinsurance, or consulting services.
    Final Rule: The Department has reviewed the definition of ``health 
insurance issuer'' and determined that the definition is clear. Because 
the reference to group health plans could be a source of confusion, we 
note that we have defined the term above. Accordingly, the Department 
adopts the proposed provision without modification.
    In response to several comments regarding the scope of the term 
health insurance issuer, the Department has concluded that, for 
purposes of this rule, risk management service companies, professional 
liability insurers and reinsurers do not fall within the definition of 
health insurance issuer.
Response to Other Public Comments
    Comment: One commenter asked if a provider system that was owned as 
a subsidiary by an HMO could create a component PSO.
    Response: Section 3.102(a)(2)(i) excludes a health insurance 
issuer, a unit or division of a health insurance issuer, or an entity 
that is owned, managed, or controlled by a health insurance issuer from 
seeking listing as a PSO. In this case, the HMO is considered a health 
insurance issuer and the provider system would be a component of the 
health insurance issuer. Under the rule, the HMO and the provider 
system may not seek listing as a PSO, and the entity created by the 
provider system could not seek listing as a component PSO if it is 
owned, managed or controlled by the provider system or the HMO.
    Comment: One commenting organization requested discussion of what 
organizational structure might allow a health insurance issuer to 
participate in the patient safety work of an independent PSO.
    Response: The statutory exclusion means that the following entities 
may not seek listing: a health insurance issuer or a component of a 
health insurance issuer.
(G) Section 3.20--Definition of Parent Organization
    Proposed Rule: Proposed Sec.  3.20 provided that ``parent 
organization'' would mean an entity that, alone or with others, either 
owns a provider entity or a component organization, or has the 
authority to control or manage agenda setting, project management, or 
day-to-day operations of the component, or the authority to review and 
override decisions of a component organization. The proposed rule did 
not provide a definition of ``owned'' but provided controlling interest 
(holding enough stock in an entity to control it) as an example of 
ownership in the preamble discussion of the term, ``parent 
organization.'' The proposed rule specifically sought comment on our 
use of the term ``controlling interest,'' whether it was appropriate, 
and whether we needed to further define ``owns.'' The remaining terms, 
``manage or control,'' were explained in the proposed rule's definition 
of ``parent organization,'' as having ``the authority to control or 
manage agenda setting, project management, or day-to-day operations of 
the component, or the authority to review and override decisions of a 
component organization.''
    Overview of Public Comments: We received eight comments on the 
question of ``controlling interest'' and there was no consensus among 
the commenters. Four commenters thought our discussion was appropriate. 
Another agreed with the concept of controlling interest but wanted to 
limit its application to a provider who reported patient safety work 
product to the entity. One commenter cautioned that the term 
``controlling interest'' was open to various interpretations and the 
final rule should provide additional guidance. Another commenter 
suggested ``controlling interest'' was worrisome but did not provide a 
rationale for this assessment. One commenter supported additional 
protections, contending that it was appropriate for HHS to pierce the 
corporate veil when there was fraud or collusion, and recommended the 
preamble outline situations in which HHS would pierce the corporate 
veil.
    We received no negative comments on our proposed interpretation of 
what it means to manage or control another entity. One commenter 
suggested that the definition should recognize the significant 
authority or control of a provider entity or component organization 
through reserve powers, by agreement, statute, or both.
    Final Rule: While approximately half of the comments supported our 
approach, there was not a clear consensus in the comments we reviewed. 
So the approach we have taken with the definition of ``parent 
organization'' was to strive for greater clarity, taking into account 
its interaction with our definition of

[[Page 70738]]

``component organization,'' described above.
    The definition of ``parent organization'' in the final rule retains 
the basic framework of the proposed rule definition: an organization is 
a parent if it owns a component organization, has the ability to manage 
or control a component, or has the authority to review and overrule the 
component's decisions.
    The language of the proposed rule used only the term ``own'' while 
the preamble cited the example of stock ownership. Without further 
specification, we were concerned that this approach could have been 
interpreted to mean that an organization owning just a few shares of 
stock of a component organization would be considered a parent 
organization. This is not our intent. For clarity, we have modified the 
text to read ``owns a controlling or majority interest.''
    We have also removed the phrase ``alone or with others'' from the 
first clause. We did so for two reasons. First, it is unnecessary since 
it does not matter whether ownership is shared with other 
organizations, as in a joint venture. An entity seeking listing as a 
PSO will use this definition solely to determine if it has any parent 
organizations and, if it does, it must seek listing as a component 
organization and disclose the names and contact information for each of 
its parent organizations. Second, we have tried to make it as clear as 
possible that any organization that has controlling ownership 
interests, or management or control authority over a PSO, should be 
considered, and reported in accordance with the requirements of Sec.  
3.102(c)(1)(i), as a parent organization.
    For similar reasons, we have removed the reference to provider from 
the first part of the definition and instead consistently used the term 
``component organization'' with respect to each characteristic of a 
parent organization. We added a second sentence to clarify that a 
provider could be the component organization in all three descriptive 
examples given of parental authority.
    In response to one commenter's concern, we believe that the phrase 
``has the authority'' as used in the definition is sufficiently broad 
to encompass reserve powers.
(H) Section 3.20--Definition of Patient Safety Evaluation System
    Proposed Rule: Proposed Sec.  3.20 provided that patient safety 
evaluation system would mean the collection, management, or analysis of 
information for reporting to or by a PSO. The patient safety evaluation 
system would be the mechanism through which information can be 
collected, maintained, analyzed, and communicated. The proposed rule 
discussed that a patient safety evaluation system would not need to be 
documented because it exists whenever a provider engages in patient 
safety activities for the purpose of reporting to a PSO or a PSO 
engages in these activities with respect to information for patient 
safety purposes. The proposed rule provided that formal documentation 
of a patient safety evaluation system could designate secure physical 
and electronic space for the conduct of patient safety activities and 
better delineate various functions of a patient safety evaluation 
system, such as when and how information would be reported by a 
provider to a PSO, how feedback concerning patient safety events would 
be communicated between PSOs and providers, within what space 
deliberations and analyses of information are conducted, and how 
protected information would be identified and separated from 
information collected, maintained, or developed for purposes other than 
reporting to a PSO.
    The Department recommended that a provider consider documentation 
of a patient safety evaluation system to support the identification and 
protection of patient safety work product. Documentation may provide 
substantial proof to support claims of privilege and confidentiality 
and will give notice to, will limit access to, and will create 
awareness among employees of, the privileged and confidential nature of 
the information within a patient safety evaluation system which may 
prevent unintended or impermissible disclosures.
    We recommended that providers and PSOs consider documenting how 
information enters the patient safety evaluation system; what 
processes, activities, physical space(s) and equipment comprise or are 
used by the patient safety evaluation system; which personnel or 
categories of personnel need access to patient safety work product to 
carry out their duties involving operation of, or interaction with, the 
patient safety evaluation system; the category of patient safety work 
product to which access is needed and any conditions appropriate to 
such access; and what procedures the patient safety evaluation system 
uses to report information to a PSO or disseminate information outside 
of the patient safety evaluation system.
    The proposed rule sought comment about whether a patient safety 
evaluation system should be required to be documented.
    Overview of Public Comments: Several commenters supported the 
efforts to enable the patient safety evaluation system to be flexible 
and scalable to individual provider operations. Most commenters that 
responded to the question whether a patient safety evaluation system 
should be documented supported the decision to not require 
documentation. Commenters stated that requiring documentation would 
inhibit the flexibility in the design of patient safety evaluation 
systems and the ability of providers to design systems best suited for 
their specific practices and settings. Documentation would also be 
burdensome to providers and should ultimately be left to the discretion 
of individual providers based on their needs. Other commenters 
supported a requirement for documentation, suggesting that 
documentation would go further in ensuring compliance with the 
confidentiality provisions and the protection of information, thereby 
encouraging provider participation.
    Final Rule: The Department adopts the proposed provision without 
modification. Based on the comments, we have not modified the proposed 
decision to not require documentation. We have, as described in the 
definition of patient safety work product below, clarified how 
documentation of a patient safety evaluation system clearly establishes 
when information is patient safety work product. We encourage providers 
to document their patient safety evaluation systems for the benefits 
mentioned above. We believe documentation is a best practice.
Response to Other Public Comments
    Comment: Two commenters raised concerns about how a patient safety 
evaluation system operates within a multi-hospital system comprised of 
a parent corporation and multiple hospitals that are separately 
incorporated and licensed. One commenter asked whether a parent 
corporation can establish a single patient safety evaluation system in 
which all hospitals participate. The other commenter recommended that 
individual institutional affiliates of a multi-hospital system be part 
of a single patient safety evaluation system.
    Response: For a multi-provider entity, the final rule permits 
either the establishment of a single patient safety evaluation system 
or permits the sharing of patient safety work product as a patient 
safety activity among affiliated providers. For example, a hospital 
chain that operates multiple hospitals may include the parent 
organization along with each hospital in a single patient

[[Page 70739]]

safety evaluation system. Thus, each hospital may share patient safety 
work product with the parent organization and the patient safety 
evaluation system may exist within the parent organization as well as 
the individual hospitals.
    There may be situations where establishing a single patient safety 
evaluation system may be burdensome or a poor solution to exchanging 
patient safety work product among member hospitals. To address this 
concern, we have modified the disclosure permission for patient safety 
activities to permit affiliated providers to disclose patient safety 
work product to each other based on commonality of ownership.
    Comment: One commenter asked how a patient safety evaluation system 
exists within an institutional provider.
    Response: A patient safety evaluation system is unique and specific 
to a provider. The final rule retains a definition of a patient safety 
evaluation system that is flexible and scalable to meet the specific 
needs of particular providers.
    With respect to a single institutional provider, such as a 
hospital, a provider may establish a patient safety evaluation system 
that exists only within a particular office or that exists at 
particular points within the institution. The decisions as to how a 
patient safety evaluation system operates will depend upon the 
functions the institutional provider desires the patient safety 
evaluation system to perform and its tolerances regarding access to the 
sensitive information contained within the system. Providers should 
consider how a patient safety evaluation system is constructed, 
carefully weighing the balance between coordination and fragmentation 
of a provider's activities.
    Comment: Some commenters were concerned that the patient safety 
evaluation system provided a loophole for providers to avoid 
transparency of operations and hide information about patient safety 
events. Some commenters suggested that a provider may establish a 
patient safety evaluation system that is inside of a PSO, thus stashing 
away harmful documents and information.
    Response: The Department does not believe that the patient safety 
evaluation system enables providers to avoid transparency. A patient 
safety evaluation system provides a protected space for the candid 
consideration of quality and safety. Nonetheless, the Patient Safety 
Act and the final rule have carefully assured that information 
generally available today remains available, such as medical records, 
original provider documents, and business records. Providers must 
fulfill external reporting obligations with information that is not 
patient safety work product. Further, a provider may not maintain a 
patient safety evaluation system within a PSO.
    Comment: One commenter asked whether all information in a patient 
safety evaluation system is protected.
    Response: Information collected within a patient safety evaluation 
system that has been collected for the purpose of reporting to a PSO is 
patient safety work product if documented as collected for reporting to 
a PSO. This is discussed more fully at the definition of patient safety 
work product below. Information that is reported to a PSO is also 
protected, as discussed more fully at the definition of patient safety 
work product below.
    Comment: One commenter was concerned that the lack of a framework 
and too much flexibility may interfere with interoperability and data 
aggregation at a later date.
    Response: The Department believes that a patient safety evaluation 
system must of necessity be flexible and scalable to meet the needs of 
specific providers and PSOs. Without such flexibility, a provider may 
not participate, which may lessen the overall richness of the 
information that could be obtained about patient safety events. The 
Department recognizes the value of aggregated data and has, pursuant to 
the Patient Safety Act, begun the process of identifying standard data 
reporting terms to facilitate aggregation and interoperability. 
Further, the Patient Safety Act requires that PSOs, to the extent 
practical and appropriate, collect patient safety work product in a 
standardized manner (see 42 U.S.C. 299b-24(b)(1)(F)). The Department 
hopes that, by permitting the widest range possible of providers to 
participate in the gathering and analysis of patient safety events, 
increased participation will generate more data and greater movement 
towards addressing patient safety issues.
    Comment: Many commenters encouraged the Department to provide 
technical assistance to providers and PSOs on the structuring and 
operation of a patient safety evaluation system.
    Response: The Department expects to provide such guidance on the 
operation and activities of patient safety evaluation systems as it 
determines is necessary.
(I) Section 3.20--Definition of Patient Safety Work Product
    Proposed Rule: Proposed Sec.  3.20 adopted the statutory definition 
of patient safety work product as defined in the Patient Safety Act. 
The proposed rule provided that many types of information can become 
patient safety work product to foster robust exchanges between 
providers and PSOs. Any information must be collected or developed for 
the purpose of reporting to a PSO.
    Three provisions identified how information becomes patient safety 
work product. First, information may become patient safety work product 
if it is assembled or developed by a provider for the purpose of 
reporting to a PSO and is reported to a PSO. Second, patient safety 
work product is information developed by a PSO for the conduct of 
patient safety activities. Third, patient safety work product is 
information that constitutes the deliberations or analysis of, or 
identifies the fact of reporting pursuant to, a patient safety 
evaluation system.
    The proposed rule provided that reporting means the actual 
transmission or transfer of information to a PSO. We recognized that 
requiring the transmission of every piece of paper or electronic file 
to a PSO could impose significant transmission, management, and storage 
burdens on providers and PSOs. The proposed rule sought comment on 
whether alternatives for actual reporting should be recognized as 
sufficient to meet the reporting requirement. For example, the proposed 
rule suggested that a provider that contracts with a PSO may 
functionally report information to a PSO by providing access and 
control of information to a PSO without needing to physically transmit 
information. The proposed rule also sought comment on whether 
additional terms and conditions should be required to permit functional 
reporting and whether functional reporting should be permitted only 
after an initial actual report of information related to an event.
    The proposed rule also sought comment on whether a short period of 
protection for information assembled but not yet reported is necessary 
for flexibility or for providers to efficiently report information to a 
PSO. We also sought comment on an appropriate time period for such 
protection and whether a provider must demonstrate intent to report in 
order to obtain protection.
    The proposed rule also sought comment on when a provider could 
begin collecting information for the purpose of reporting to a PSO such 
that it is not excluded from becoming patient safety work product 
because it was collected, maintained or developed separately from a 
patient safety evaluation system.

[[Page 70740]]

    The proposed rule indicated that, if a PSO is delisted for cause, a 
provider would be able to continue to report to that PSO for 30 days 
after the date of delisting and the information reported would be 
treated as patient safety work product (section 924(f)(1) of the Public 
Health Service Act). However, after delisting, the proposed rule 
indicated that the former PSO may not generate patient safety work 
product by developing information for the conduct of patient safety 
activities or through deliberations and analysis of information. Even 
though a PSO may not generate new patient safety work product after 
delisting, it may still possess patient safety work product, which must 
be kept confidential and be disposed of in accordance with requirements 
in Subpart B.
    The proposed rule also described what is not patient safety work 
product, such as a patient's original medical record, billing and 
discharge information, or any other original patient or provider 
record. Patient safety work product does not include information that 
is collected, maintained, or developed separately, or exists separately, 
from a patient safety evaluation system. This distinction is made 
because these and similar records must be maintained by providers for 
other purposes.
    The proposed rule also discussed that external reporting 
obligations as well as voluntary reporting activities that occur for 
the purpose of maintaining accountability in the health care system 
cannot be satisfied with patient safety work product. Thus, information 
that is collected to comply with external obligations is not patient 
safety work product. The proposed rule provided that such activities 
include: state incident reporting requirements; adverse drug event 
information reporting to the Food and Drug Administration (FDA); 
certification or licensing records for compliance with health oversight 
agency requirements; reporting to the National Practitioner Data Bank 
of physician disciplinary actions; or complying with required 
disclosures by particular providers or suppliers pursuant to Medicare's 
conditions of participation or conditions of coverage.
    The proposed rule also addressed the issue that external 
authorities may seek information about how effectively a provider has 
instituted corrective action following identification of a threat to 
the quality or safety of patient care. The Patient Safety Act does not 
relieve a provider of its responsibility to respond to such requests 
for information or to undertake or provide to external authorities 
evaluations of the effectiveness of corrective action, but the provider 
must respond with information that is not patient safety work product. 
The proposed rule provided that recommendations for changes from the 
provider's patient safety evaluation system or the PSO are patient 
safety work product. However, the actual changes that the provider 
implements to improve how it manages or delivers health care services 
are not patient safety work product, and it would be virtually 
impossible to keep such changes confidential.
    Overview of Public Comments: Commenters raised a significant number 
of concerns regarding how information becomes patient safety work 
product under particular provisions of the definition.
Functional Reporting
    We received significant feedback from commenters in support of 
recognizing alternative reporting methods. Most commenters agreed that 
an alternative reporting arrangement should be permitted to promote 
efficiency and relieve providers of the burden of continued 
transmission. Two commenters opposed permitting alternative reporting 
methods based on the concern that a shared resource may confuse clear 
responsibility for a breach of information and that a PSO that has 
access to a provider information system may also have access to patient 
records and similar information for which access may not be 
appropriate.
    Most commenters rejected the suggestion that functional reporting 
should be limited to subsequent reports of information rather than 
allowing functional reports for the first report of an event. 
Commenters believed that such a limitation would inhibit participation 
and offset the benefits of allowing functional reporting. Commenters 
also believed such a limitation would create an artificial distinction 
between information that is initially and subsequently reported to a 
PSO. Some commenters believed that details regarding functional 
reporting are better left to agreement between the provider and PSO 
engaging in functional reporting. Two commenters did support 
restricting functional reporting to subsequent information, but did not 
provide any rationale or concern to support their comment.
    No commenters identified additional requirements or criteria that 
should be imposed beyond a formal contract or agreement. Thus, the 
final rule permits functional reporting.
When Is Information Protected
    Commenters raised significant and substantial concerns regarding 
when the protections for patient safety work product begin, how 
existing patient safety processes will occur given the protections for 
patient safety work product, and the likelihood that providers may need 
to maintain separate systems with substantially duplicate information. 
A significant majority of commenters responded to the concern regarding 
the status of information collected, but not yet reported to a PSO. 
Most commenters agreed with concerns raised by the Department that 
early protection could ease the burden on providers, preventing a race 
to report to a PSO. These commenters recommended that information be 
protected upon collection and prior to reporting. Protection during 
this time would permit providers to investigate an event and conduct 
preliminary analyses regarding causes of the event or whether to report 
information to a PSO. Many commenters were concerned that information 
related to patient safety events be protected at the same time the 
information is preserved for other uses. Some providers indicated that 
if duplication of information is required, providers may opt to not 
participate due to costs and burdens. Three commenters indicated that 
there should be no protection until information is reported to a PSO. 
One commenter was concerned that early protection may interfere with 
State reporting requirements because information needed to report to a 
State may become protected and unavailable for State reporting. Another 
commenter stated that earlier protection would not alleviate the 
concerns regarding protection prior to reporting.
    Commenters provided a wide range of recommendations in response to 
when protection of information should begin prior to creation of 
patient safety work product. Commenters suggested that information be 
protected prior to reporting for as little as 24 hours from an event up 
to 12 months. Other commenters suggested that a timeframe be reasonable 
and based upon relevant factors such as the complexity of facts and 
circumstances surrounding an event.
State Reporting
    One of the most significant areas of comment was how processes to 
create patient safety work product may operate alongside similar 
processes within a provider. Commenters were particularly concerned 
that information collected for

[[Page 70741]]

similar purposes, such as for reporting to a PSO and for reporting to a 
State health authority, would need to be maintained in separate 
systems, thereby increasing the burden on providers. The most 
significant comments received related to how information related to 
patient safety events may be protected at the same time the information 
is preserved for other uses. Some providers indicated that if 
duplication is required, providers may opt to not participate due to 
costs and burdens.
Earliest Time for Collection of Information
    Few commenters responded to the request for comment on the earliest 
date information could be collected for purposes of reporting to a PSO, 
a requirement for information to become patient safety work product. 
Four commenters recommended that information collection be permitted 
back to the passage of the Patient Safety Act. Four commenters 
recommended that the earliest date of collection be dependent upon each 
provider's good faith and intent to collect information for reporting 
to a PSO.
    Final Rule: The Department adopts the proposed provision with some 
modification.
Functional Reporting
    The Department recognizes the concerns raised by commenters 
regarding the functional reporting proposal, but believes the benefits, 
namely the relief of burden and the flexibility that derives from not 
adhering to a narrow reading of the reporting requirement, outweigh the 
potential negative consequences. First, we recognize that a provider and PSO 
engaging in this alternative method of reporting have an established 
relationship for the reporting of information and have spent some time 
considering how best to achieve a mutually useful and suitable 
reporting relationship. That relationship will necessitate 
consideration of what information is necessary and not necessary to 
achieve the purpose of reporting. Neither a provider nor a PSO is 
required to accept an alternative reporting mechanism. Further, 
providers continue to be under the same obligations to protect patient 
and other medical records from inappropriate access from others, 
including the PSO, without exception. Second, such a relationship 
should establish clearly the mechanism for control of information 
reported or to which the PSO will have access, and the scope of PSO 
authority to use the information. In addition, the assessment of 
liability should be addressed and need be no more complex than exists 
in provider settings today with shared resources and integrated 
services.
    We agree with commenters that limitations regarding the initial or 
subsequent reporting of information are better left to the providers 
and PSOs engaging in the practice and that providers and PSOs should be 
permitted to design the appropriately flexible reporting mechanism 
befitting the circumstances of their practice setting. We further agree 
that additional limitations on the ability to use functional reporting 
are unwarranted, absent clear identification of risks or concerns to be 
addressed by further limitations.
    For these reasons, we clarify that reporting of information to a 
PSO for the purposes of creating patient safety work product may 
include authorizing PSO access, pursuant to a contract or equivalent 
agreement between a provider and a PSO, to specific information in a 
patient safety evaluation system and authority to process and analyze 
that information, e.g., comparable to the authority a PSO would have if 
the information were physically transmitted to the PSO. We do not 
believe a formal change in the regulatory text is necessitated by this 
clarification.
When Is Information Protected
    The Department recognizes that the Patient Safety Act's protections 
are the foundation to furthering the overall goal of the statute to 
develop a national system for analyzing and learning from patient 
safety events. To encourage voluntary reporting of patient safety 
events by providers, the protections must be substantial and broad 
enough so that providers can participate in the system without fear of 
liability or harm to reputation. Further, we believe the protections 
should attach in a manner that is as administratively flexible as 
permitted to accommodate the many varied business processes and systems 
of providers and to not run afoul of the statute's express intent to 
not interfere with other Federal, State or local reporting obligations 
on providers.
    The proposed rule required that information must be reported to a 
PSO before the information may become patient safety work product under 
the reporting provision of the definition of patient safety work 
product. However, this standard left information collected, but not yet 
reported to a PSO, unprotected, a cause of significant commenter 
concern. This standard also might encourage providers to race to report 
information indiscriminately to obtain protection in situations where a 
report ultimately may be unhelpful, causing the expenditure of scarce 
resources both by a provider and a PSO to secure the information as 
patient safety work product. The proposed rule also may have caused 
some providers to choose between not participating or developing dual 
systems for handling similar information at increased costs.
    We believe it is important to address the shortcomings of a strict 
reporting requirement through the following modification. The final 
rule provides that information documented as collected within a patient 
safety evaluation system by a provider shall be protected as patient 
safety work product. A provider would document that the information was 
collected for reporting to a PSO and the date of collection. The 
information would become patient safety work product upon collection. 
Additionally, a provider may document that the same information is 
being voluntarily removed from the patient safety evaluation system and 
that the provider no longer intends to report the information to a PSO, 
in which case there are no protections. If a provider fails to document 
this information, the Department will presume the intent to report 
information in the patient safety evaluation system to the PSO is 
present, absent evidence to the contrary.
    We believe this modification addresses the concerns raised by the 
commenters. Protection that begins from the time of collection will 
encourage participation by providers without causing significant 
administrative burden. The alternative is a system that encourages 
providers to indiscriminately report information to PSOs in a race for 
protection, resulting in PSOs receiving large volumes of unimportant 
information. By offering providers the ability to examine patient 
safety event reports in the patient safety evaluation system without 
requiring that all such information be immediately reported to a PSO, 
and by providing a means to remove such information from the patient 
safety evaluation system and end its status as patient safety work 
product, the final rule permits providers to maximize organizational 
and system efficiencies and lessens the need to maintain duplicate 
information for different needs. Because documentation will be crucial 
to the protection of patient safety work product at collection, 
providers are encouraged to document their patient safety evaluation 
system. We note, however, that a provider should not place information 
into its patient safety evaluation system unless it

[[Page 70742]]

intends for that information to be reported to the PSO.
    Although this approach substantially addresses commenter concerns, 
three issues do cause concern. First, because information may be 
protected back to the time of collection, providers are no longer 
required to promptly report information to a PSO to ensure protection. 
Although we believe this is an unavoidable result of the modification, 
we believe the likely impact may be rare because providers are likely 
to engage PSOs for their expertise, which requires such reporting. 
Second, the requirement to document collection in a patient safety 
evaluation system and, potentially, removal from a patient safety 
evaluation system could be burdensome to a provider. However, we 
believe these are important requirements particularly in light of the 
enforcement role OCR will play. A provider will need to substantiate 
that information is patient safety work product, or OCR will be unable 
to determine the status of information, potentially leaving sensitive 
information unprotected--or subjecting the provider to penalties for 
improperly disclosing patient safety work product. Third, the ability 
of a provider to remove information from a patient safety evaluation 
system raises concern that a provider may circumvent the intent of a 
provider employee to obtain protection for information when reporting 
to the provider's patient safety evaluation system. For providers that 
engage in functional reporting, the concern is substantially mitigated 
because, under functional reporting, information is reported to a PSO 
when it is transmitted to the patient safety evaluation system to which 
the PSO has access, and, thus, protected. Alternatively, a provider 
employee may report as permitted directly to a PSO. Ultimately, this 
issue is to be settled between a provider that wishes to encourage 
reports that may not otherwise come to light and its employees who must 
be confident that reporting will not result in adverse consequences.
    For these reasons, the Department modifies the definition of 
patient safety work product to include additional language in the first 
provision of the definition that protects information based upon 
reporting to a PSO.
State Reporting
    To address commenter concerns about the duplication of resources 
for similar patient safety efforts and the lack of protection upon 
collection, we have clarified the requirements for how information 
becomes patient safety work product when reported to a PSO. Generally, 
information may become patient safety work product when reported to a 
PSO. Information may also become patient safety work product upon 
collection within a patient safety evaluation system. Such information 
may be voluntarily removed from a patient safety evaluation system if 
it has not been reported and would no longer be patient safety work 
product. As a result, providers need not maintain duplicate systems to 
separate information to be reported to a PSO from information that may 
be required to fulfill state reporting obligations. All of this 
information, collected in one patient safety evaluation system, is 
protected as patient safety work product unless the provider determines 
that certain information must be removed from the patient safety 
evaluation system for reporting to the state. Once removed from the 
patient safety evaluation system, this information is no longer patient 
safety work product.
Earliest Time for Collection of Information
    The Department believes that a clear indication of a specific time 
when information may first be collected is beneficial to providers by 
reducing the complexity and ambiguity concerning when information is 
protected as patient safety work product. Although each provider 
collecting information for reporting to a PSO may need to support the 
purpose of information collection at the time of collection, such a 
standard may be overly burdensome. The Department agrees that 
information may have been collected for the purpose of reporting to a 
PSO beginning from passage of the Patient Safety Act. Information that 
existed prior to the passage of the Patient Safety Act may be 
subsequently collected for reporting to a PSO, but the original record 
remains unprotected. This clarification does not require any regulatory 
language change in the proposed rule.
What Is Not Patient Safety Work Product
    We reaffirm that patient safety work product does not include a 
patient's original medical record, billing and discharge information, 
or any other original patient or provider record; nor does it include 
information that is collected, maintained, or developed separately, or 
exists separately, from a patient safety evaluation system. The final 
rule includes the statutory provision that prohibits construing 
anything in this Part as limiting (1) the discovery of or 
admissibility of information that is not patient safety work product in 
a criminal, civil, or administrative proceeding; (2) the reporting of 
information that is not patient safety work product to a Federal, 
State, or local governmental agency for public health surveillance, 
investigation, or other public health purposes or health oversight 
purposes; or (3) a provider's recordkeeping obligation with respect to 
information that is not patient safety work product under Federal, 
State or local law. Section 921(7)(B)(iii) of the Public Health Service 
Act, 42 U.S.C. 299b-21(7)(B)(iii). The final rule does not limit 
persons from conducting additional analyses for any purpose regardless 
of whether such additional analyses involve issues identical to or 
similar to those for which information was reported to or assessed by a 
PSO or a patient safety evaluation system. Section 922(h) of the Public 
Health Service Act, 42 U.S.C. 299b-22(h).
    Even when laws or regulations require the reporting of the 
information regarding the type of events also reported to PSOs, the 
Patient Safety Act does not shield providers from their obligation to 
comply with such requirements. These external obligations must be met 
with information that is not patient safety work product and oversight 
entities continue to have access to this original information in the 
same manner as such entities have had access prior to the passage of 
the Patient Safety Act. Providers should carefully consider the need 
for this information to meet their external reporting or health 
oversight obligations, such as for meeting public health reporting 
obligations. Providers have the flexibility to protect this information 
as patient safety work product within their patient safety evaluation 
system while they consider whether the information is needed to meet 
external reporting obligations. Information can be removed from the 
patient safety evaluation system before it is reported to a PSO to 
fulfill external reporting obligations. Once the information is 
removed, it is no longer patient safety work product and is no longer 
subject to the confidentiality provisions.
    The Patient Safety Act establishes a protected space or system that 
is separate, distinct, and resides alongside but does not replace other 
information collection activities mandated by laws, regulations, and 
accrediting and licensing requirements as well as voluntary reporting 
activities that occur for the purpose of maintaining accountability in 
the health care system. Information is not patient safety work product 
if it is collected to comply with external obligations, such as: state 
incident reporting requirements;

[[Page 70743]]

adverse drug event information reporting to the Food and Drug 
Administration (FDA); certification or licensing records for compliance 
with health oversight agency requirements; reporting to the National 
Practitioner Data Bank of physician disciplinary actions; complying 
with required disclosures by particular providers or suppliers pursuant 
to Medicare's conditions of participation or conditions of coverage; or 
provision of access to records by Protection and Advocacy organizations 
as required by law.
Response to Other Public Comments
    Comment: One commenter in responding to questions about timing and 
early protection interpreted the timing concern to be an expiration of 
an allowed period of time to report, such that an event must be 
reported within a certain number of days or it may not become 
protected.
    Response: As noted above, the timing issues in the final rule 
relate to when information may have been collected for reporting to a 
PSO. There is no expiration date for an event that would prohibit 
future protection of a report of it as patient safety work product so 
long as the protection of the information is pursuant to the final 
rule.
    Comment: One commenter suggested that event registries may seek to 
become PSOs because the model is well positioned to allow for tracking 
and identification of patients that require follow-up.
    Response: The Department recognizes that event registries may have 
particular benefits that may be helpful in the analysis of patient 
safety events, but we caution any holder of patient safety work product 
that future disclosure of patient safety work product must be done 
pursuant to the disclosure permissions. Thus, while it may be 
appropriate for event registries to identify and track patients who may 
require follow-up care, the final rule would generally not permit 
disclosure of patient safety work product to patients for such a 
purpose. Accordingly, while there may be benefits to an event registry 
becoming a PSO, a registry should take into consideration the 
limitations on disclosure of patient safety work product, and what 
impact such limits would have on its mission, prior to seeking listing.
    Comment: Several commenters sought clarification whether 
information underlying analyses within a patient safety evaluation 
system was protected. One commenter suggested that data used to conduct 
an analysis should be protected at the same time as the analysis.
    Response: As indicated in the definition of patient safety work 
product, information that constitutes the deliberation or analysis 
within a patient safety evaluation system is protected. Information 
underlying the analysis may have been either reported to a PSO and 
protected or collected in a patient safety evaluation system. 
Information documented as collected within a patient safety evaluation 
system is protected based on the modification to the definition of 
patient safety work product. Thus, information underlying an analysis 
may be protected. However, underlying information that is original 
medical records may not be protected if it is excluded by the 
definition of patient safety work product.
    Comment: Two commenters raised concerns that PSOs do not have 
discretion regarding the receipt of unsolicited information reported to 
PSOs from providers. One commenter was concerned about the burden on a 
PSO receiving unsolicited reports and the obligation a PSO may have 
regarding unsolicited reports. Another commenter was concerned that 
unsolicited reports may be materially flawed or contain incorrect 
information.
    Response: The Department does not agree that this is a major issue 
for PSOs or that PSOs need some regulatory ability to reject reported 
information. If a PSO receives information from a provider that was 
collected by that provider for the purposes of sending to a PSO, then 
the information is patient safety work product. PSOs may use or analyze 
the information, but must protect it as patient safety work product and 
dispose of the information properly. However, there is no requirement 
that a PSO maintain or analyze the information. For these reasons, we 
do not modify the proposed rule position regarding these issues.
    Comment: Some commenters were concerned that recommendations of 
PSOs may be treated as a standard of care. Commenters recommended that 
recommendations from PSOs be protected as patient safety work product.
    Response: The Department stated in the proposed rule that PSO 
recommendations are patient safety work product, but the changes 
undertaken by a provider based upon a PSO's recommendations are not 
patient safety work product. With respect to the concern that PSO 
recommendations may establish a standard of care, the issue is not 
within the scope of the Patient Safety Act and not appropriate for the 
regulation to address. Generally, the establishment of a standard of 
care is a function of courts and entities that have jurisdiction over 
the issue for which a standard of care is relevant. The introduction of 
patient safety work product as information that may help establish a 
standard of care is highly unlikely given the limited disclosure 
permissions. For these reasons, we make no modifications in the final 
rule.
    Comment: Several commenters raised concerns about the distinction 
between original documents and copies of original documents. One 
commenter stated that it was an artificial distinction in an electronic 
environment.
    Response: The Patient Safety Act and the final rule distinguish 
certain original records from information collected for reporting to a 
PSO. Because information contained in these original records may be 
valuable to the analysis of a patient safety event, the important 
information must be allowed to be incorporated into patient safety work 
product. However, the original information must be kept and maintained 
separately to preserve the original records for their intended 
purposes. If the information were to become patient safety work 
product, it could only be disclosed pursuant to the confidentiality 
protections.
    Comment: One commenter was concerned that information collected for 
reporting to a PSO may be the same information providers collect for 
reporting to a state regulatory agency. The commenter suggested that 
protections should only attach to information after state-mandated 
reporting requirements have been fulfilled. The commenter was concerned 
that the confidentiality protections may impede state data collection, 
surveillance and enforcement efforts. A separate commenter requested 
clarification that if patient safety work product is reported under a 
state mandated incident reporting system, the patient safety work 
product continues to be protected.
    Response: The final rule is clear that providers must comply with 
applicable regulatory requirements and that the protection of 
information as patient safety work product does not relieve a provider 
of any obligation to maintain information separately. The Department 
believes that some providers, such as hospitals, have been operating in 
similar circumstances previously when conducting peer review activities 
under state peer review law protections. For patient safety work 
product to be disclosed, even to a State entity, the discloser must 
have an applicable disclosure permission. While the Patient Safety Act 
does not preempt state laws that require providers to report

[[Page 70744]]

information that is not patient safety work product, a State may not 
require that patient safety work product be disclosed.
    Comment: One commenter advised that the final rule should build on 
existing infrastructure for reporting and examination of patient safety 
events to minimize duplication of resources and maximize existing 
efforts.
    Response: The Department has modified the proposed rule to address 
the potential issue of duplicated resources by allowing providers the 
flexibility to collect and review information within a patient safety 
evaluation system to determine if the information is needed to fulfill 
external reporting obligations as addressed above. The Department 
recognizes the high costs of health care, both in dollars and in the 
health of individuals. The final rule establishes a workable and 
flexible framework to permit providers that have mature patient safety 
efforts to participate fully and to encourage providers with no patient 
safety activities to begin patient safety efforts.
    Comment: One commenter asked whether multiple PSOs can establish a 
single reporting portal for receiving reports from providers.
    Response: The final rule does not address procedures regarding how 
a PSO receives information. Providers must meet any requirements 
regarding sharing information that is protected health information, 
such as the HIPAA Privacy Rule, in any circumstances when reporting 
information to a PSO or joint PSO portal.
    Comment: Several commenters asked whether retrospective analyses 
could be included as patient safety work product.
    Response: The final rule permits any data, which is a term that is 
broadly defined and would include retrospective analyses, to become 
patient safety work product. The fact that information was developed 
prior to the collection for reporting to a PSO does not bar a provider 
from reporting an analysis to a PSO and creating patient safety work 
product. Providers should be cautioned to consider whether there are 
other purposes for which an analysis may be used to determine whether 
protection as patient safety work product is necessary or warranted. 
Further, the definition of patient safety work product is clear that 
information collected for a purpose other than for reporting to a PSO 
may not become patient safety work product based only upon the 
reporting of that information to a PSO. Such information, particularly 
information collected or developed prior to the passage of the Patient 
Safety Act, may become protected as a copy, but the original document 
remains unprotected.
(J) Section 3.20--Definition of Provider
    Proposed Rule: Proposed Sec.  3.20 would have divided the meaning 
of provider into three categories. The first paragraph included ``an 
individual or entity licensed or otherwise authorized under State law 
to provide health care services, including'' and this introductory 
language was followed by a list of institutional health care providers 
in subparagraph (1) and a list of individual health care practitioners 
in subparagraph (2). The preamble indicated that these statutory lists 
were illustrative.
    Under the Secretary's authority to expand the list of providers in 
the statutory definition, the proposed rule would have added two 
categories to the list of providers. The second paragraph would have 
covered agencies, organizations, and individuals within Federal, State, 
local, or Tribal governments that deliver health care, the contractors 
these entities engage, and individual health care practitioners 
employed or engaged as contractors by these entities. We included this 
addition because public health care entities and their staff are not 
always authorized or licensed by state law to provide their services 
and, therefore, might not be included within the terms of the original 
statutory definition.
    The third paragraph would have included a parent organization that 
has a controlling interest in one or more entities described in 
paragraph (1)(i) of this definition or a Federal, State, local, or 
Tribal government unit that manages or controls one or more entities 
described in (1)(i) or (2) of this definition. This addition was 
intended to permit the parent organization of a health care provider 
system to enter a system-wide contract with a PSO. The parent of a 
health system also may not be licensed or authorized by state law to 
provide health care services as required by the statutory definition.
    Overview of Public Comments: There were a number of comments with 
respect to the entities and individuals that are identified as 
providers in the subparagraphs of paragraph (1). For example, one 
commenter sought clarification that ``assisted living residential care 
and other community based care'' providers are included in the broader 
term ``long term care facilities'' as identified in the list of covered 
providers. A number of other individual commenters each identified 
entities that the Secretary should include in the definition of 
providers: medical product vendors, pharmaceutical companies, medical 
device manufacturers, risk retention groups, and captive professional 
liability insurance companies that are controlled by risk retention 
groups.
    There was general support for the inclusion of parent organizations 
of private and public sector providers in paragraph (3), although two 
commenters disagreed. One commenter argued that naming the parent 
organization as a provider suggested a ``one size fits all'' solution 
and suggested that eligibility should be linked to whether the parent 
organization is involved in the patient safety evaluation system for 
its subsidiaries. Other commenters, while not objecting, worried that 
this addition could open the door for organizations such as health 
insurance issuers, including Health Maintenance Organizations, 
and regulatory and accrediting entities to qualify as component PSOs. One 
commenter suggested that by using the phrase ``controlling interest'' 
with respect to private sector parent organizations, the focus of this 
part of the proposed paragraph was inappropriately narrow, appearing to 
emphasize a corporate parent, and that the language needed to reflect a 
broader array of potential parent organizations, such as partnerships 
or limited liability companies.
    Several commenters expressed concern that by encompassing entities 
that are not traditionally providers, under HIPAA or other rules, our 
definition of ``provider'' would lead to confusion. One commenter 
suggested it would be appropriate for the commentary accompanying the 
final rule to address the two terms, emphasize the differences, and 
clarify the obligations.
    Final Rule: We have modified the definition of provider in the 
final rule in response to several comments. The first modification is a 
non-substantive substitution of the term behavioral health for behavior 
health. In response to the comments we received and to ensure clarity, 
we reiterate what we stated in the proposed rule that a list preceded 
by ``including'' is an illustrative list, not an exhaustive list.
    In general, the question of whether any private sector individual 
or entity, such as assisted living residential care and other 
community-based care providers, comes within the rule's meaning of 
``provider'' is determined by whether the individual or entity is 
licensed or otherwise authorized under state law to deliver health care 
services. We note that paragraphs (2) and (3) of the definition address 
public sector

[[Page 70745]]

providers and parent organizations of health care providers.
    We have not adopted any of the other recommendations for additions 
to the list of providers. The statute provides confidentiality and 
privilege protections for reporting by individuals and entities that 
actually provide health care services to patients. In our view, it was 
not intended to apply to those who manufacture or supply materials used 
in treatments or to entities that provide fiscal or administrative 
support to those providing health care services.
    With respect to paragraph (3) of the definition, the use of the 
term parent organization here should conform to our definition of 
``parent organization'' above. Therefore, we have streamlined the 
language, deleting unnecessary text that might suggest that we were 
applying a different definition.
    The Department does not share the concerns of commenters that 
incorporating a broader definition of ``provider'' in this rule will 
cause confusion in the marketplace, because its use will be limited. 
The application of the term ``provider'' in this rule is intended to 
give the full range of health care providers the ability to report 
information to, and work with, PSOs and receive confidentiality and 
privilege protections as set forth in the Patient Safety Act and this 
rule. Although we appreciate the administrative benefits of uniformity, 
and have tried to maximize the consistency or interoperability of this 
rule with the HIPAA Privacy and Security Rules, it would not be 
appropriate in this rule to adhere to any less inclusive definition of 
provider used in other regulations.
    We did not condition the designation of provider status for a 
parent organization on its involvement in a patient safety evaluation 
system. We expect that most parent organizations will, in fact, be a 
part of a system-wide patient safety evaluation system if they choose 
to pursue PSO services. However, establishing such a requirement now, 
when it is unclear what types of innovative arrangements and effective 
strategies might emerge, might prove more detrimental than helpful.
Response to Other Public Comments
    Comment: One commenter raised concerns that paragraph (2) may not 
include Indian tribes that operate or contract for their own health 
care systems under the Indian Self-Determination and Education 
Assistance Act (ISDEAA), rather than relying upon the Indian Health 
Service.
    Response: Tribal organizations carrying out self-determination 
contracts or compacts under the ISDEAA to deliver health care fall 
squarely within paragraph (2) of the definition of provider because 
they are organizations engaged as contractors by the Federal government 
to deliver health care. Additionally, the workforce of a provider 
covered under the rule, by definition, includes employees, volunteers, 
trainees, contractors, and other persons, whether or not paid by the 
provider, that perform work under the direct control of that provider. 
Federal employees detailed to a tribe or Tribal organization carrying 
out an ISDEAA contract would be covered under paragraph (2) in the 
definition of provider, even if they were not part of the Tribal 
organization's workforce. Therefore, no change is needed in response to 
this comment.

B. Subpart B--PSO Requirements and Agency Procedures

    Proposed Subpart B would have set forth requirements for Patient 
Safety Organizations (PSOs) including the certification and 
notification requirements that PSOs must meet, the actions that the 
Secretary may and will take relating to PSOs, the requirements that 
PSOs must meet for the security of patient safety work product, the 
processes governing correction of PSO deficiencies, revocation, and 
voluntary relinquishment, and related administrative authorities and 
implementation responsibilities. The requirements of the proposed 
Subpart would have applied to entities that seek to be listed as PSOs, 
PSOs, their workforce, a PSO's contractors when they hold patient 
safety work product, and the Secretary.
    The proposed rule did not require a provider to contract with a PSO 
to obtain the protections of the Patient Safety Act; however, we noted 
that we anticipate that most providers would enter into contracts with 
PSOs when seeking the confidentiality and privilege protections of the 
statute. We proposed to enable a broad variety of health care providers 
to work voluntarily with entities that would be listed as PSOs by the 
Secretary based upon their certifications that, among other things, 
state that they have the ability and expertise to carry out the broadly 
defined patient safety activities of the Patient Safety Act and, 
therefore, to serve as consultants to eligible providers to improve 
patient care. In accordance with the Patient Safety Act, the proposed 
rule set out an attestation-based process to qualify for 3-year 
renewable periods of listing as a PSO. Proposed Subpart B attempted to 
minimize regulatory burden, while fostering transparency to enhance the 
ability of providers to assess the strengths and weaknesses of their 
choice of PSOs.
    We proposed a security framework pertaining to the separation of 
data and systems and to security management, control, monitoring, and 
assessment. Thus, each PSO would address the framework with standards 
it determines appropriate to the size and complexity of its 
organization. We proposed additional requirements to ensure that a 
strong firewall would be maintained between a component PSO and the 
rest of the organization(s) of which it is a part.
    We noted that we expect to offer technical assistance and encourage 
transparency wherever possible to promote implementation, compliance, 
and correction of deficiencies. At the same time, this proposed Subpart 
established processes that would permit the Secretary promptly to 
revoke a PSO's certification and remove it from listing, if such action 
proves necessary.
1. Section 3.102--Process and Requirements for Initial and Continued 
Listing of PSOs
    Proposed Rule: The proposed rule in Sec.  3.102 addressed the 
eligibility of, and the processes and requirements for, an entity 
seeking a three-year period of listing by the Secretary as a PSO and 
described the timing and requirements of notifications that a PSO must 
submit to the Secretary during its period of listing. The proposed rule 
described our intention to minimize barriers to entry for entities 
seeking listing and create maximum transparency to create a robust 
marketplace for PSO services. The Patient Safety Act set forth limited 
prerequisites that must be met to be listed by the Secretary as a PSO, 
which the regulation incorporates. The Department expects that 
providers will be the ultimate arbiters of the quality of services that 
an individual PSO provides.
    Overview of Public Comments: The following discussion focuses on 
the broad comments we received concerning our overall approach to 
initial and continued listing of PSOs. These comments do not address 
specific provisions of the proposed rule. Public comments that address 
specific provisions of Sec.  3.102 are addressed in the individual 
subsection discussions that follow. Questions and situation-specific 
comments are addressed below under the heading of ``Response to Other 
Public Comments.''
    The Department received generally favorable comment on our proposed 
approach in this section, which

[[Page 70746]]

emphasizes a streamlined certification process, and public release of 
documentation submitted by PSOs whenever appropriate. There were, 
however, two broad sets of concerns expressed about our overall 
approach.
    The first concern related to the potential number of PSOs that 
might be listed by the Secretary as a result of the Department's 
proposed ``ease of entry'' approach. These comments focused on the 
importance of PSOs being able to aggregate significant amounts of data 
across multiple providers to develop meaningful analyses. Noting that 
patient safety events are often rare events, one commenter noted that 
in some cases it may be necessary to aggregate data for an entire state 
in order to develop insights regarding the underlying causes of such 
events. Another commenter noted that if every hospital in the state 
established its own component PSO, the potential impact of PSO analyses 
could be minimal. Because most PSOs will be dependent upon revenue from 
providers submitting data, one commenter worried that too many PSOs 
could also affect the ability of individual PSOs to obtain adequate 
funding to perform their analytic functions and to implement 
potentially costly security requirements.
    These concerns led some commenters to suggest inclusion in the 
final rule of a limitation on the number of PSOs that the Secretary 
would list. One commenter asked whether it would be possible for the 
Department to list one national PSO, noting this could improve 
efficiency for providers. Another commenter suggested listing of 2-4 
PSOs per state using a competitive process or limiting the number of 
PSOs by increasing the number of required provider contracts that each 
PSO must have. Most commenters who favored limiting the number of 
listed PSOs did not suggest a specific approach.
    A second broad set of recommendations focused on the need for 
periodic or ongoing evaluation of the effectiveness of PSOs that could 
be linked to, or be separate from, the evaluation of certifications for 
continued listing. Some commenters recommended that the Department 
routinely collect information from PSOs to evaluate whether the 
individual and collective work of PSOs is actually reducing medical 
errors and improving the quality of care that is delivered. One 
commenter stressed the importance of establishing in the final rule 
expectations related to PSO performance and demonstrated results and 
provided draft language for inclusion in the final rule.
    Final Rule: The Department has not modified the approach taken in 
the proposed rule in response to these comments. With respect to 
limiting the number of PSOs that are listed by the Secretary, the 
statutory language is clear that any entity, public or private, that 
can meet the stated requirements is eligible for listing by the 
Secretary. While the Department understands the concerns of the 
commenters that a very large number of PSOs could frustrate the 
statutory goal of data aggregation across multiple providers, we 
believe that this scenario is unlikely for several reasons.
    First, a provider does not need to shoulder the financial burden 
alone to support a full-time PSO. Providers enjoy the same protections 
under the Patient Safety Act when they contract with an independent PSO 
or when they create a component organization to seek listing as a PSO. 
A provider that establishes a working relationship with a PSO can have 
a division of labor between the analyses that its staff undertakes 
in-house within its patient safety evaluation system and the tasks it 
assigns to the PSO. In both circumstances, the statutory protections 
apply. Thus, for a provider, establishing its own PSO is an option, not 
a necessity.
    Second, there are important insights into patient safety that can 
only be derived from aggregating data across multiple providers. Given 
the low frequency of some patient safety events, even larger health 
systems are likely to derive additional benefits from working with PSOs 
that have multiple and, potentially, diverse clients.
    A final limiting factor is the shortage of personnel who are 
well-trained or experienced in the use of the methodologies of patient 
safety analyses. While the marketplace will respond to the need for the 
development of additional training and certification programs, the 
availability of highly-skilled staff will be a constraining factor 
initially. In combination, these three factors should provide a natural 
constraint on the number of single-provider PSOs.
    Regarding the other general set of comments related to the listing 
process, the Department has considered these suggestions and has 
determined not to incorporate in the final rule requirements for an 
ongoing evaluation process or the routine collection of data from PSOs. 
PSOs are not a Federal program in the traditional sense. Most 
significantly, they are not Federally funded. Their project goals, 
priorities, and the specific analyses that they undertake are not 
Federally directed. The value and impact of an individual PSO will be 
determined primarily by the providers that use its services on an 
ongoing basis.
    It is unclear at this point how providers will choose to use PSOs. 
Only with experience will it become clear which analyses a provider 
will choose to undertake in its own patient safety evaluation system 
and which analyses a provider will rely upon a PSO to undertake. The 
mix and balance of activities between a provider's patient safety 
evaluation system and its PSO (or PSOs) will undoubtedly shift over 
time as the working relationships between providers and PSOs evolve 
toward greater efficiency. Thus, we remain convinced that providers are 
in the best position to assess the value of a PSO and its ability to 
contribute to improving the quality and safety of patient care.
Response to Other Public Comments
    Comment: While contracts are not required between PSOs and 
providers to obtain protections, the Department stated that it 
anticipates most providers will enter contracts with PSOs. In 
light of this expectation, one commenter urged the Department to 
develop and make available a model contract.
    Response: We do not think a model contract can be developed easily. 
The issues that need to be addressed will vary significantly based upon 
the nature of the relationship. Therefore, we do not expect to be 
developing and releasing a model contract.
    Comment: One commenter suggested that the final rule should explain 
how AHRQ will publish the results from which providers and others can 
evaluate a PSO before entering a contract.
    Response: For the reasons discussed above, AHRQ will not require or 
release PSO-specific performance information.
    Comment: One commenter suggested that AHRQ should ensure that a PSO 
is not able to make commercial gain from the knowledge it 
derives as a PSO.
    Response: The statute permits all types of private and public 
entities to seek listing as a PSO; it does not limit private entities 
to not-for-profits. The final rule mirrors that formulation. The 
Department concludes that the statute does not invite us to impose such 
restrictions and expects that providers' decisions will determine the 
acceptability of for-profit PSOs.
    Comment: One commenter suggested that providers should only be 
permitted to submit data to one PSO.
    Response: The Patient Safety Act's framework for PSO-provider 
relationships is voluntary from a public policy perspective. In our 
view, it

[[Page 70747]]

would be inconsistent with section 922(e)(1)(B) of the Public Health 
Service Act for the Department or any entity to use the authority of 
law or regulation to limit or direct provider reporting.
    Comment: One commenter suggested that the final rule should require 
PSOs to share aggregated, non-identifiable patient safety work product 
with state regulatory authorities.
    Response: The Department does not agree that it is appropriate to 
place such an unfunded mandate upon PSOs.
    Comment: One commenter stated that it is a waste of effort and 
expense to create new government entities to work with providers when 
current organizations can do that just as well. The commenter also 
asked whether anyone has estimated the 10-year costs.
    Response: As this final rule makes clear, these entities are not 
government entities and will not receive Federal funding. While we 
expect implementation will spur the development of new entities, we 
also expect that existing entities will be able to expand their current 
patient safety improvement efforts if they seek listing and are able to 
offer the confidentiality and privilege protections provided by the 
Patient Safety Act. While we have not done a 10-year cost estimate, our 
regulatory impact statement at the end of the preamble projects net 
savings of $76 to $92 million in 2012, depending upon whether the net 
present value discount rate is estimated at 7% or 3%.
(A) Section 3.102(a)--Eligibility and Process for Listing
    Proposed Rule: Section 3.102(a) of the proposed rule would have 
provided that, with several exceptions discussed below, any entity--
public or private, for-profit or not-for-profit--that can meet the 
statutory and regulatory requirements may seek initial or continued 
listing by the Secretary as a PSO. The Department proposed to establish 
a streamlined certification process for entities seeking initial or 
continued listing that relied upon attestations that the entities met 
statutory and regulatory requirements. To foster informed provider 
choice, entities were encouraged, but would not be required, to post 
narratives on their respective Web sites that explained how each entity 
intended to comply with these requirements and carry out its mission.
    The proposed rule incorporated a statutory prohibition that 
precludes a health insurance issuer and a component of a health 
insurance issuer from becoming a PSO. The Department also proposed to 
exclude any entity, public or private, that conducts regulatory 
oversight of health care providers, which included organizations that 
accredit or license providers. We proposed this restriction for 
consistency with the statute, which seeks to foster a ``culture of 
safety'' in which health care providers are confident that the patient 
safety events that they report will be used for learning and 
improvement, not oversight, penalties, or punishment. The proposed rule 
would permit a component organization of such an entity to seek listing 
as a PSO. To ensure that providers would know the parent organizations 
of such PSOs, we proposed that certifications include the name(s) of 
its parent organization(s), which the Secretary would release to the 
public. We sought comment on whether we should consider broader 
restrictions on eligibility.
    The proposed rule would permit a delisted entity, whether delisted 
for cause or because of voluntary relinquishment of its status, 
subsequently to seek a new listing as a PSO. To ensure that the 
Secretary would be able to take into account the history of such 
entities, we proposed such entities submit this information with their 
certifications for listing.
    Overview of Public Comments: The Department received generally 
favorable comments on our proposal to adopt a streamlined 
attestation-based approach to initial listing of PSOs. A number of commenters 
expressed concern about our attestation-based approach, however, 
arguing for a more in-depth assessment to ensure that an entity had the 
capability to carry out its statutory and regulatory responsibilities 
and meet the patient safety objectives of the statute. Some believed 
that the private marketplace is not necessarily well-equipped to judge 
which organizations can most effectively meet these requirements. 
Arguing that one misguided or fraudulent organization could taint the 
entire enterprise for years, a few commenters suggested that we require 
interested organizations at initial listing to submit documentation of 
their ability to meet their statutory and regulatory responsibilities.
    Most commenters who urged a stronger approach to the evaluation of 
certifications for listing acknowledged the value of an expedited 
process for initial listing and instead focused their recommendations 
on the importance of creating a more rigorous process for continued 
listing. A common recommendation was to require, in addition to the 
proposed certifications for continued listing, that a PSO be required 
to submit documentation that described in detail how it is complying 
with the requirements underlying its certifications and urged the 
Department to arrange for independent review of such documentation, 
coupled with an audit process that would ensure compliance.
    The comments we received were supportive of including a requirement 
that entities certify whether there is any relevant history regarding 
delisting about which the Secretary needs to be aware. Several 
commenters suggested that the entity seeking to be relisted should be 
required to include reason(s) for any prior delisting. Another 
suggestion was that the Secretary should have discretion in relisting 
an entity not to release the names of officials who had positions of 
responsibility in a previously delisted entity.
    The proposed restrictions on eligibility engendered considerable 
comment. With respect to the statutory restriction on health insurance 
issuers, concerns and questions were raised regarding whether the 
exclusion applied to self-insured providers or malpractice liability 
insurers and whether health systems that include a subsidiary that is a 
health insurance issuer could establish a component PSO.
    We received a significant level of comment regarding our proposed 
restriction on listing of regulatory oversight bodies. While the 
majority of commenters supported the proposed exclusion, some 
commenters took issue with various aspects of our proposal.
    Commenters engaged in accreditation activities generally criticized 
our characterization of these activities as regulatory. They pointed 
out that the proposed rule did not take into account the distinction 
between voluntary and mandatory accreditation and, in their view, most 
accreditation was voluntary. They also noted that accreditation 
activities were initially developed to ensure the quality and safety of 
patient care and that accreditation entities, unlike licensure 
agencies, have greater discretion in addressing any problems that they 
identify with a provider's operations in a non-punitive way. For these 
commenters, accreditation activities were not inconsistent with 
fostering a ``culture of safety.'' By contrast, most provider comments 
supported the exclusion, and singled out accreditation entities as 
warranting exclusion.
    State health departments and state-created entities expressed 
concern about an outright prohibition on their being listed as PSOs, 
noting that the prohibition could disrupt effective patient safety 
initiatives now underway. A number of specific state-sanctioned patient 
safety initiatives were described in their submissions. Commenters

[[Page 70748]]

pointed to the fact that state health departments have both regulatory 
and non-regulatory elements to their authority, have routinely 
demonstrated that they can effectively keep these elements separate, 
and thus, they saw no reason for the Department to doubt that state 
agencies could continue to do so effectively if they were permitted to 
operate PSOs.
    Other commenters suggested extending the prohibition to other types 
of entities (such as purchasers of health care or agents of regulatory 
entities) and raised questions regarding the scope of the exclusion.
    We received a significant number of comments in response to a 
specific question raised in the proposed rule whether the exclusion of 
regulatory entities should be extended to components of such 
organizations. Commenters that supported extension of the prohibition 
generally argued that the firewalls that the statute requires a 
component PSO to maintain between itself and its parent organization(s) 
could be circumvented, that the flexibility in the proposed rule to 
enable a component PSO to draw upon the expertise of its parent 
organization(s) would be inappropriate in this situation, and there was 
a significant possibility that such a parent organization could use its 
position of authority to attempt to coerce providers into reporting 
patient safety work product to its component PSO.
    A majority of commenters, however, opposed expanding the exclusion 
to components of such regulatory organizations. They contend that the 
statutorily required separations between a component PSO and its parent 
organization(s) would provide adequate protection against improper 
access and adverse use of confidential patient safety work product by 
the excluded entities with which such a component PSO is affiliated. A 
number of commenters noted that an expansion of the exclusion to 
components of such entities would have unintended consequences. For 
example, an increasing number of medical specialty societies operate, 
or are in the process of developing, accreditation programs for their 
members in response to growing public and private sector pressure for 
quality improvement. These organizations see the creation of 
specialty-specific component PSOs as an important complement to their other 
quality improvement activities. Similarly, some commenters contend that 
widespread patient safety improvements require coordination and 
communication across the public and private sectors. These commenters 
argued that a broader exclusion could both disrupt existing, effective 
public sector patient safety initiatives and preclude opportunities for 
the public sector to play a meaningful role.
    Many commenters that opposed extending the exclusion to component 
organizations nevertheless suggested additional restrictions to 
strengthen the separation of activities between component PSOs and 
these types of parent organizations. Their suggestions are discussed 
below with respect to Sec.  3.102(c).
    Final Rule: The Department considered whether to modify the 
attestation process either for initial or continued listing of PSOs or 
both but ultimately concluded that streamlined attestations should be 
retained for both. Given the voluntary, unfunded nature of this 
initiative and the centrality of the client-consultant paradigm of 
provider-PSO relationships, an approach that requires documentation and 
routine audits is likely to be costly and burdensome, both to entities 
seeking listing and the Department. More importantly, such an approach 
is unlikely to achieve its intended objective, for the reasons 
discussed below.
    There are limitations of a documentation approach to ensuring the 
capabilities and compliance of PSOs with the requirements for listing, 
and such an approach is unlikely to yield the types of information that 
providers will need in selecting a PSO. Consider, for example, two of 
these requirements: the criterion that requires that a PSO have 
qualified staff, including licensed or certified medical professionals, 
and the patient safety activity that requires the provision of feedback 
to participants in a (provider's) patient safety evaluation system. 
Documentation, through submission of resumes or summaries of the 
credentials of professional staff, can demonstrate that the PSO meets 
the statutory requirement. What each provider really needs to assess, 
however, is whether the skill sets of the professional staff employed 
by or under contract to the PSO are an appropriate match for the 
specific tasks that led the provider to seek a PSO's assistance. 
Depending upon the analytic tasks, a provider may need expertise that 
is setting-specific, e.g., nursing homes versus acute care settings, 
technology-specific, specialty-specific, or may require expertise 
outside the traditional scope of health care. Thus, there is not a 
single template against which the expertise of a PSO's professional 
staff can be judged. In addition, we anticipate that PSOs seeking 
additional clients (providers) will post on their websites, or 
otherwise advertise, the names and qualifications of their top staff 
experts and consultants. Their Web site locations will be on the AHRQ 
PSO Web site.
    Similarly, documentation can demonstrate that a PSO has provided 
feedback to participants in a provider's patient safety evaluation 
system and thereby met the statutory requirement. But the most relevant 
questions are whether the feedback reflected a valid analysis of the 
provider's patient safety work product and existing scientific 
knowledge, and whether the feedback was framed in ways that made it 
understandable, ``actionable,'' and appropriate to the nature of the 
provider's operation. The answers to these questions cannot be assessed 
by the Department readily through the listing process.
    As a result, in many cases, the provider-client, rather than the 
Department, will be better able to determine whether the outcomes of a 
PSO's conduct of patient safety activities meet its needs in a 
meaningful way. The Department believes that providers, especially 
institutional providers, will have access to the expertise to make them 
especially sophisticated customers for PSO services. Providers are 
likely to assess very carefully the capabilities of a PSO and will be 
in a position to request appropriate documentation, if necessary, to 
assess a PSO's ability to meet their specific requirements. Therefore, 
the Department does not see a compelling public policy rationale for 
substituting its judgment for that of a provider. Providers can demand 
references and evidence of relevant accomplishments, and effectively 
evaluate the adequacy and suitability of a PSO's expertise and 
experience. In summary, a listing process that imposes documentation 
and audit requirements on each PSO will impose a significant burden on 
all parties, but yield only marginally useful information to 
prospective clients.
    Accordingly, we believe the approach outlined in the proposed rule 
offers a more efficient and effective approach. The approach does 
include authority for spot-checking compliance outlined in Sec.  3.110, 
responding to complaints or concerns, and enabling the Secretary, in 
making listing decisions (see Sec.  3.104(b)), to take into 
consideration the history of an entity and its key officials and senior 
managers. This approach will be buttressed with a program of technical 
assistance for PSOs administered by AHRQ. In addition, the final rule 
incorporates a new expedited revocation process that can be used when 
the

[[Page 70749]]

Secretary determines that there would be serious adverse consequences 
if a PSO were to remain listed. False statements contained in a PSO's 
submitted certifications can result in a loss of listing or other 
possible penalties under other laws.
    For convenience and clarity, we have restructured Sec.  3.102(a)(1) 
to provide a unified list of the certifications and information that an 
entity must submit for listing as a PSO. Sections 3.102(a)(1)(i) 
through 3.102(a)(1)(vii) set forth and cross-reference the requirements 
of the final rule. Two of these requirements are new. Section 
3.102(a)(1)(iv) cross-references the additional requirements in Sec.  
3.102(c)(1)(ii) that components of entities that are excluded from 
listing must meet in order for such components to be listed. Section 
3.102(a)(1)(v) incorporates our proposal, for which comments were 
supportive, to require disclosure to the Secretary if the entity 
seeking listing (under its current name or another) has ever been 
denied listing or delisted or if the officials or senior managers of 
the entity now seeking listing have held comparable positions in a PSO 
that the Secretary delisted or refused to list.
    We have not adopted recommendations that we require explanations 
for the historical situations encompassed by Sec.  3.102(a)(1)(v). 
Instead, we require that the name(s) of any delisted PSO or of any 
entity that was denied listing be included with the certifications. The 
Department can then search its records for background information. In 
response to concerns regarding public disclosure of the names of the 
officials or senior managers that would trigger the notification 
requirement, we do not require submission of the names of the 
individuals with the certifications. With respect to the workforce of 
the entity, we note that we have narrowed the requirement in two ways. 
First, we have narrowed the focus from ``any'' employee to officials 
and senior managers. Second, the requirement to disclose only applies 
when officials or senior managers of the entity seeking listing also 
held comparable positions of responsibility in the entity that was 
delisted or refused listing.
    Restructured Sec.  3.102(a)(2) retains the statutory exclusion from 
listing of health insurance issuers and components of health insurance 
issuers in subparagraph (i). For greater clarity, we have restated the 
exclusion to reflect the rule's definition of component so it now 
references: a health insurance issuer; a unit or division of a health 
insurance issuer; or an entity that is owned, managed, or controlled by 
a health insurance issuer. New subparagraph (ii) modifies and restates 
the exclusion from listing of any entity that: (1) Accredits or 
licenses health care providers; (2) oversees or enforces statutory or 
regulatory requirements governing the delivery of health care services; 
(3) acts as an agent of a regulatory entity by assisting in the conduct 
of that entity's oversight or enforcement responsibilities vis-a-vis 
the delivery of health care services; or (4) operates a Federal, State, 
local or Tribal patient safety reporting system to which health care 
providers (other than members of the entity's workforce or health care 
providers holding privileges with the entity) are required to report 
information by law or regulation.
    In reviewing the comments on the proposed regulatory exclusion, we 
did not find the arguments for narrowing the prohibition compelling. 
Almost every provider group expressed concern regarding the possible 
operation of PSOs by entities that accredit or license providers as 
well as possible operation of PSOs by regulatory entities. We share 
their concerns that entities with the potential to compel or penalize 
provider behavior cannot create the ``culture of safety'' (which 
emphasizes communication and cooperation rather than a culture of blame 
and punishment) that is envisioned by the statute.
    We also concluded that it is difficult to draw a ``bright-line'' 
distinction between voluntary and mandatory accreditation as several of 
the commenters from accreditation organizations proposed. While most 
accreditation is technically voluntary from the standpoint of many 
accreditation entities, its mandatory aspect generally derives from 
requirements established by, or its use by, other entities such as 
payers. Thus, if we were to incorporate such a distinction that 
permitted the listing of organizations that provide voluntary 
accreditation today, its voluntary nature could disappear over time if 
other organizations mandated use of its accreditation services. Thus, a 
listed PSO might need to be delisted at some point in the future solely 
because of the actions of a third party mandating that organization's 
accreditation as a requirement. Therefore, we have retained the 
prohibition on accreditation and licensure entities and have not 
incorporated any distinctions regarding voluntary versus mandatory 
accreditation in the final rule. We have reformulated the exclusion and 
no longer include accreditation or licensure activities as examples of 
regulatory activities.
    Similarly, we have retained the broad exclusion from listing of 
regulatory entities, by which we mean public or private entities that 
oversee or enforce statutory or regulatory requirements governing the 
delivery of health care services. Their defining characteristic is that 
these entities have the authority to discipline institutional or 
individual providers for the failure to comply with statutory or 
regulatory requirements, by withholding, limiting, or revoking 
authority to deliver health care services, by denying payment for such 
services, or through fines or other sanctions.
    We consider entities with a mix of regulatory and non-regulatory 
authority and activities also to be appropriately excluded from being 
listed. We acknowledge that health departments and other entities with 
regulatory authority may undertake a mix of regulatory and non-
regulatory functions. It may also be true, as several comments 
reflected, that state health departments have experience, and a track 
record, for maintaining information separately and securely from the 
regulatory portions of their operations when necessary. However, we 
note that the final rule retains the proposed approach not to regulate 
uses of patient safety work product within a PSO. Nonetheless, the final 
rule retains the ability of a state health department to establish a 
component organization that could seek listing as a PSO, subject to the 
additional restrictions discussed in Sec.  3.102(c) below. The benefit 
of this approach is that providers will have the reassurance that the 
penalties under the Patient Safety Act and the final rule will apply to 
any impermissible disclosures of patient safety work product from such 
a PSO to the rest of the state health department.
    We have not included the proposal of several commenters to exclude 
purchasers of health care from becoming PSOs. Commenters did not 
suggest a compelling public policy case for the exclusion of any 
particular type of purchasers. Given the vagueness and potential scope 
of such a prohibition, the potential for unintended consequences is 
simply too great to warrant its inclusion. For example, health care 
institutions in their role as employers can also be considered 
purchasers of health care.
    We have incorporated two additional exclusions. First, based upon 
recommendation from commenters, we exclude from listing entities that 
serve as the agents of a regulatory entity, e.g., by conducting site 
visits or investigations for the regulatory entity.

[[Page 70750]]

While we understand that such agents generally do not take action 
directly against providers, their findings or recommendations serve as 
the basis for potential punitive actions against providers. As a 
result, we believe that the rationale we outlined in the proposed rule 
regarding the exclusion of regulatory bodies is also applicable to 
agents of regulatory entities helping to carry out these regulatory 
functions.
    Second, as we considered comments seeking clarification on the 
eligibility of entities that operate certain mandatory or voluntary 
patient safety reporting systems to seek listing as PSOs, we concluded 
that mandatory systems, to which some or all health care providers are 
required by law or regulation to report patient safety information to a 
designated entity, were inconsistent with the voluntary nature of the 
activities which the Patient Safety Act sought to foster. However, this 
exclusion does not apply to mandatory reporting systems operated by 
Federal, State, local or Tribal entities if the reporting requirements 
only affect their own workforce as defined in Sec.  3.20 and health 
care providers holding privileges with the entity. The exception is 
intended to apply to Federal, State, local or Tribal health care 
facilities in which the reporting requirement applies only to its 
workforce and health care providers holding privileges with the 
facility or health care system. This exception ensures that, with 
respect to eligibility for listing as a PSO, entities that administer 
an internal patient safety reporting system within a public or private 
sector health care facility or health care system are treated 
comparably under the rule and would be eligible to seek listing as a 
PSO.
    The final rule retains the ability of components of the four 
categories of excluded entities in Sec.  3.102(a)(2)(ii) to seek 
listing as a component PSO. After careful review, the Department 
concluded that there was a significant degree of congruence in the 
concerns expressed by both proponents and opponents of extending the 
exclusion to such components. The opponents of extending the exclusion 
routinely suggested that the Department address their core concerns by 
adopting additional protections, rather than the blunt tool of a 
broader exclusion. We have adopted this approach, and we have 
incorporated in Sec.  3.102(c) additional requirements and limitations 
for components of excluded entities.
    In addition, we have incorporated a new requirement in Sec.  
3.102(a)(3) that submissions for continued listing must be received by 
the Secretary no later than 75 days before the expiration of a PSO's 
three-year period of listing. This requirement derives from our concern 
for protecting providers if a PSO decides not to seek continued listing 
and simply lets its certifications expire at the end of a three-year 
period of listing. To preclude an inadvertent lapse, the proposed rule 
included a provision to send PSOs a notice of imminent expiration 
shortly before the end of its period of listing and sought comment on 
posting that notice publicly so that providers reporting patient safety 
work product could take appropriate action. Section 3.104(e)(2) states 
that the Secretary will send a notice of imminent expiration to a PSO 
at least 60 days before its last day of listing if certifications for 
continued listing have not been received. However, the failure of the 
Secretary to send this notice does not relieve the PSO of its 
responsibilities regarding continued listing. The requirement to submit 
certifications 75 days in advance is intended to ensure that such a 
notice is not sent or publicly posted until after the submissions are 
expected by the Department.
Response to Other Public Comments
    Comment: One commenter urged the Secretary not to require 
organizations to have specific infrastructure and technology in place 
before they could be listed.
    Response: The Department has not proposed any specific 
infrastructure or technology requirements. However, the statute and the 
final rule require a PSO at initial listing to certify that it has 
policies and procedures in place to ensure the security of patient 
safety work product. The final rule requires that those policies and 
procedures be consistent with the framework established by Sec.  3.106. 
The Department interprets the statute to require a listed PSO to be 
able to provide security for patient safety work product during its 
entire period of listing, which includes its first day of listing.
    Comment: Two commenters agreed that PSOs should be encouraged, but 
not required, to post on their Web sites narrative statements regarding 
their capabilities.
    Response: The Department continues to encourage PSOs to develop and 
post such narrative statements.
    Comment: One commenter suggested that the listing process should 
include an opportunity for the Secretary to receive public comment 
before making a listing decision, especially in the case of continued 
listing, when providers may want to share their experiences with the 
Secretary regarding a specific PSO.
    Response: While we expect customer satisfaction evaluations of PSOs 
will develop naturally in the private sector, the Department has not 
incorporated this recommendation in the listing process. If a provider 
or any individual believes that a PSO's performance is not in 
compliance with the requirements of the rule, this concern can be 
communicated to AHRQ at any time. Improper disclosures may also be 
reported to the Office for Civil Rights in accordance with Subpart D. 
Incorporation of a public consultation process poses a number of 
implementation issues. For example, it could potentially delay a time-
sensitive Secretarial determination regarding continued listing (which 
must be made before expiration of a PSO's current period of listing) 
and could require the Department to assess the validity of each 
specific complaint, e.g., the extent to which dissatisfaction with an 
analysis reflects the competence with which it was performed or a lack 
of precision in the assignment to the PSO.
    Comment: One commenter suggested that state-sanctioned patient 
safety organizations should be deemed to meet the requirements for 
listing.
    Response: The Department does not believe that the Patient Safety 
Act gives the Secretary authority to delegate listing decisions to 
states. Moreover, the statute establishes the requirements that an 
entity must meet for listing as a PSO; automatically deeming state-
sanctioned organizations to be PSOs would inappropriately override 
federal statutory requirements and mandate the Secretary to list PSOs 
that may not be in compliance with all the statutory requirements. 
Accordingly, the final rule does not include such a provision.
    Comment: Several commenters asked if the exclusion on health 
insurance issuers precludes a self-insured entity from seeking listing.
    Response: The Department has examined this issue and concluded that 
the exclusion of health insurance issuers does not apply to self-
insured organizations that provide health benefit plans to their 
employees. The statutory exclusion contained in section 924(b)(1)(D) of 
the Public Health Service Act incorporates by reference the definition 
of health insurance issuer in section 2971 of the Public Health Service 
Act and that definition explicitly excludes health benefit plans that a 
health care provider organization offers to its employees.
    Comment: Several commenters inquired whether organizations that 
provide professional liability insurance coverage (also referred to as 
medical liability insurance or malpractice

[[Page 70751]]

liability insurance) for health care providers are covered by the 
health insurance issuer exclusion. The commenters uniformly argued that 
the exclusion should not apply. Several commenters noted their intent 
to have their ``captive'' liability insurer seek listing as a PSO. 
Another commenter sought assurances that if a captive liability insurer 
sought listing as a PSO, the PSO would not be considered a component of 
the provider organizations that owned the liability insurer.
    Response: The Department notes that there is some ambiguity in the 
statutory language but concludes that the health insurance issuer 
exclusion does not apply to such organizations.
    While the health insurance issuer exclusion does not apply, the 
Department notes that the statute and the final rule require that an 
entity seeking listing must attest that its mission and primary 
activity is the improvement of patient safety. That test is readily met 
when an organization, such as a captive liability insurer, creates a 
component organization since the creation of a distinct new entity can 
be established in a manner that clearly addresses and meets the 
``primary activity'' criterion. The Department has the authority to 
review all applications, including those from organizations with 
multiple activities, and to look behind the attestations to determine 
whether the applicant meets the ``primary activity'' criterion.
    We note that a captive entity meets the definition of a component 
organization in this rule. Therefore, if the captive organization is 
eligible for listing because it meets the ``primary activity'' 
criterion, it must seek listing as a component organization and clearly 
would be subject to the requirements on component PSOs. If the captive 
organization does not meet the primary activity criterion for listing, 
it is free to create a component organization to seek listing. Once 
again, however, the additional requirements for a component PSO apply.
    Comment: Several commenters asked whether the health insurance 
issuer exclusion prevents a health system that has subsidiaries that 
include providers and a health insurance issuer, from establishing a 
component organization to seek listing as a PSO.
    Response: As described by several commenters, the PSO and the 
health insurance issuer would be affiliates in a ``brother-sister'' 
relationship within the parent organization. As long as the health 
insurance issuer does not have the authority to control or manage the 
PSO, the health system is not precluded from having both a health 
insurance issuer subsidiary and a component PSO.
    Comment: Several commenters raised questions from different 
perspectives regarding situations in which providers might be required 
to report data to a PSO. Some commenters suggested that the final rule 
should prohibit a facility or health care delivery system from 
requiring individual clinicians (who are employed, under contract, or 
have privileges at the facility or within the system) to report data to 
a specific PSO. Others raised questions regarding the eligibility for 
listing of existing Federal, state, local or Tribal patient safety 
reporting systems that are administered by an entity without regulatory 
authority.
    Response: While the Patient Safety Act does not require any 
provider to report data to a PSO, the statute is silent on whether 
others (such as institutional providers or other public entities) can 
impose such requirements on providers. The Department makes a 
distinction based upon the source of reporting requirements and the 
extent to which the requirement can be viewed as consistent with the 
statutory goal of fostering a ``culture of safety.'' Thus, the 
Department has declined to include in the final rule any restriction on 
the ability of a multi-facility health care system to require its 
facilities to report to a designated PSO or of a provider practice, 
facility, or health care system to require reporting data to a 
designated PSO by those providing health care services under its aegis, 
whether as employees, contractors, or providers who have been granted 
privileges to practice. A patient safety event reporting requirement as 
a condition of employment or practice can be consistent with the 
statutory goal of encouraging institutional or organizational providers 
to develop a protected confidential sphere for examination of patient 
safety issues. While an employer may require its providers to make 
reports through its patient safety evaluation system, section 
922(e)(1)(B) prohibits an employer from taking an adverse employment 
action against an individual based upon the individual's reporting 
information in good faith directly to a PSO.
    By contrast, the Department views mandatory reporting requirements 
that are applicable to providers that are not workforce members and 
that are based in law or regulation, regardless of whether the specific 
data collected by these systems is anonymous or identifiable, as 
incompatible with the intent of the Patient Safety Act to foster 
voluntary patient safety reporting activities. In these situations, 
provider failure to make legally required reports can potentially 
result in a loss of individual or institutional licensure and the 
ability to practice or deliver health care services. Accordingly, we 
have added to the list of entities excluded from listing in Sec.  
3.102(b)(2)(ii) entities that administer such mandatory patient safety 
reporting systems.
    A voluntary Federal, state, local, or Tribal patient safety 
reporting system can seek listing as a PSO. This means that the entity 
administering the reporting system does not have statutory or 
regulatory authority to require providers to submit data to the 
administering organization, and that organization is not required by 
statute or regulation to make the collected identifiable data available 
in ways that would be incompatible with the limitations on disclosure 
discussed in Subpart C.
    Comment: Two commenters addressed the issue of whether Quality 
Improvement Organizations (QIOs), which are organizations that have 
contracts with Medicare and often with other payers or purchasers to 
review compliance with regulatory or contractual requirements and make 
reports that may adversely impact providers financially, can seek 
listing as PSOs.
    Response: QIOs are precluded from seeking listing as PSOs. The 
final rule precludes agents of a regulatory entity from seeking listing 
and QIOs serve as agents of Medicare. Some QIOs also serve in similar 
capacities as agents of state regulatory bodies. As noted above, an 
agent of a regulator may create a component organization that would be 
eligible to seek listing as a PSO, provided such a component 
organization meets the additional requirements of Sec.  
3.102(c)(1)(ii).
    Comment: Several commenters asked if the proposed exclusions of 
entities applied to State Boards of Health, programs offering providers 
certifications, and physician specialty boards.
    Response: With respect to State Boards of Health, there are two 
issues regarding their potential ineligibility for becoming PSOs. The 
first, raised by the commenter, is whether these boards can be 
considered regulatory entities and in most cases they would be. While 
State Boards of Health provide leadership and policy coordination for 
state health policies, they generally have the power to oversee, 
enforce or administer regulations governing the delivery of health care 
services and would, therefore, be ineligible to be listed as a PSO. The 
second issue is whether such a board with its multiple

[[Page 70752]]

responsibilities could attest that the conduct of activities to improve 
patient safety and health care quality is its primary activity.
    With respect to entities that offer certifications, physician 
specialty boards, or similar activities, we would use a fact-based 
approach that assesses the activities in light of the exclusions in the 
rule at Sec.  3.102(a)(2)(ii).
    Comment: One commenter questioned whether the proposed requirement 
that a PSO notify the Secretary if it can no longer meet the 
requirements for listing essentially meant that the PSO was admitting a 
deficiency.
    Response: We expect this requirement to operate prospectively so 
that the Secretary can evaluate whether the changed circumstances may 
still be cured. While it is possible that this requirement in some 
situations would be the equivalent of a PSO admitting a current, rather 
than prospective deficiency, we note two aspects of the process 
outlined here. First, the correction of deficiencies is not a punitive 
process. Second, the obligation to inform the Secretary of changes is a 
companion element to the Department's approach in listing entities 
based upon attestations.
(B) Section 3.102(b)--Fifteen General PSO Certification Requirements
    Proposed Rule: Section 3.102(b) of the proposed rule incorporated 
the 15 requirements specified in the Patient Safety Act that every 
entity must meet for listing as a PSO. These 15 requirements are 
comprised of eight patient safety activities and seven other criteria. 
At initial listing, an entity would certify that it has policies and 
procedures in place to perform the eight specified patient safety 
activities and, upon listing, would comply with the seven other 
criteria during its period of listing. At continued listing, the PSO 
would certify that it has performed during its period of listing, and 
would continue to perform, all eight patient safety activities and 
that it has complied with, and would continue to comply with, the 
seven other statutory criteria during its next period of listing.
    We proposed to define the confidentiality and security requirements 
that are part of the patient safety activities that PSOs must carry out 
as requiring compliance with the confidentiality provisions of Subpart 
C and the security measures required by Sec.  3.106. We did not 
propose, but sought comment on whether the final rule should include, a 
requirement that a PSO inform any provider from which it received 
patient safety work product if impermissible disclosures of, or 
security breaches with respect to, the provider's patient safety work 
product occur.
    A PSO would meet the minimum contract requirement under the 
proposed rule with two contracts, each with a different provider, at 
some point during a PSO's sequential 24-month periods of listing. The 
proposed rule sought comment on how to interpret the requirement that 
the required contracts must be ``for a reasonable period of time,'' 
asking whether the final rule should use a standard that was time-
based, task-based, or include both options.
    The proposed rule noted that PSOs are required by the statute, to 
the extent practical and appropriate, to collect patient safety work 
product from providers in a standardized manner that permits valid 
comparisons of similar cases among similar providers. We stated that we 
were considering including in the final rule, and sought comment on, a 
clarification that compliance would mean that a PSO, to the extent 
practical and appropriate, will collect patient safety work product 
consistent with guidance that the Secretary is developing regarding 
reporting formats and common definitions when the guidance becomes 
available. We also sought comment on the process for the development of 
common formats and definitions.
    Overview of Public Comment: Most of the comments we received on 
this subsection focused on the contract requirement and the specific 
questions posed by the proposed rule. Nearly all of the commenters who 
addressed the issue supported the inclusion in the final rule of a 
requirement that PSOs must notify a provider if the work product 
submitted by the provider was inappropriately disclosed or its security 
was breached. Those favoring the inclusion of the requirement cited 
concern about the sensitivity of patient safety work product and the 
importance of ensuring that providers know if the PSO to which they 
reported data was living up to its obligations to protect the security 
and confidentiality of their data. They noted that the HIPAA Privacy 
and Security Rules will not always be applicable: That some providers 
will not be considered covered entities and identifiable patient safety 
work product may not always contain protected health information.
    Those opposed to the requirement argued that most patient safety 
work product will contain protected health information and providers 
reporting to a PSO are likely to be covered entities. Thus, the HIPAA 
Privacy Rule will cover most situations and, if providers had 
additional concerns, they could address them contractually. It was also 
suggested that the preamble to the final rule should carefully describe 
a PSO's obligations when the HIPAA Privacy and Security Rules apply and 
the requirements to report impermissible disclosures even when 
protected health information is not involved.
    With respect to the statutory requirement for contracts with more 
than one provider, several commenters proposed that one contract with 
multiple providers should be deemed to meet the statutory requirement. 
These commenters often argued that it was inefficient to require a PSO 
to enter multiple contracts when the statutory intent of collecting 
data from multiple providers could be met through a single contract. 
Several commenters alleged that the proposed rule did not interpret the 
requirement that contracts be entered with ``different providers'' and 
sought clarification in the final rule.
    The vast majority of commenters opposed including any standard in 
the final rule for determining when one of the required contracts was 
``for a reasonable period of time.'' Many argued that this decision 
should be left to the marketplace, permitting providers and PSOs to 
enter customized arrangements. A few commenters supported incorporation 
of a time-based standard, ranging from 3-12 months. One commenter 
recommended incorporating both time-based and task-based standards.
    In response to our specific request for comment on whether the 
final rule should reference the Secretary's guidance on common formats 
and definitions, the vast preponderance of comments were supportive, 
with many detailing reasons why use of common formats was important. 
Several organizations offered caveats to their support, such as concern 
that the development of Secretarial guidance might slow the process and 
may further interfere with innovation. Many organizations offered 
suggestions to the Department such as: Allowing private sector 
feedback; harmonizing with other data reporting requirements; allowing 
collection of data in addition to the common formats, particularly for 
use at the local level; and allowing time to phase in use of common 
formats.
    Virtually all comments were supportive of the process by which the 
Department was developing guidance on common formats. Many commenters 
suggested steps that they wished the Department to take such as: 
Greater or earlier involvement of the private sector; transparency in 
the process; acceptance of comments from outside government;

[[Page 70753]]

and use of evidence from existing reporting systems. The process we 
outlined for private sector consultation was viewed positively. We 
received several comments and recommendations related to this process 
that were outside the scope of the rule and, therefore, are not 
addressed below.
    Final Rule: For convenience and clarity, we have modified the text 
in the final rule to separate initial and continued listing within 
Sec.  3.102(b)(1), which states the required certifications for the 
eight patient safety activities and within Sec.  3.102(b)(2), which 
states the required certifications for the seven PSO criteria. This 
modification does not reflect a substantive change.
    We have incorporated in Sec.  3.102(b)(1)(B) of the final rule one 
additional requirement, posed as a question in the proposed rule and 
strongly supported by commenters, that a PSO must inform the provider 
from which it received patient safety work product if the work product 
submitted by that provider is inappropriately disclosed or its security 
is breached. The Department recognizes that in certain cases a PSO may 
not know the identity of the provider that submitted patient safety 
work product, e.g., anonymous submissions, or it might not be possible 
to contact the provider, e.g., if the provider has gone out of business 
or retired. In these cases, the Department would expect the PSO to be 
able to demonstrate, if selected for a ``spot check,'' that it made a 
good faith effort to reach every provider that submitted the work 
product subject to an inappropriate disclosure or a security breach. We 
also note that this requirement only requires the PSO to contact the 
provider that submitted the information; the PSO is not expected to 
contact providers or others whose names are included in the patient 
safety work product. As a business associate of a provider covered by 
the HIPAA Privacy Rule, the PSO must abide by its business associate 
contract with that provider, obligating it to notify the provider if it 
becomes aware of an impermissible disclosure of protected health 
information. See 45 CFR 164.504(e)(2)(ii)(C). Once the PSO has informed 
the provider of the impermissible disclosure, the HIPAA Privacy Rule 
requires the provider to mitigate the harmful effects of an 
impermissible disclosure. See 45 CFR 164.530(f).
    We have also incorporated in Sec.  3.102(b)(2)(i)(C) a minor 
modification in the text of the criterion relating to the required two 
contracts. The text in the proposed rule stated that a PSO ``must have 
entered into two bona fide contracts'' with different providers; we 
have deleted the words ``entered into.'' Our intent in the proposed 
rule text was to encourage PSOs to enter long-term contracts with 
providers by enabling a multi-year contract to be counted toward the 
two contract minimum in each of the 24-month periods during which the 
contract was in effect. By deleting the words ``entered into,'' the 
text of the final rule more clearly reflects our original intent.
    We also provide clarification here, which we did not consider 
necessary to include in the rule text, regarding the obligations of a 
PSO. The certifications for initial listing regarding patient safety 
activities track the statute and require a PSO to have policies and 
procedures in place to perform patient safety activities. At continued 
listing, PSOs will be expected to have performed all eight patient 
safety activities. Some of the required patient safety activities must 
be performed at all times, such as utilizing qualified staff, having 
effective policies and systems to protect the security and 
confidentiality of patient safety work product when the PSO receives 
work product, undertaking efforts to improve the quality and safety of 
patient care, and developing and disseminating information to improve 
patient safety. Other required patient safety activities can only be 
performed when the PSO is working with a provider (such as providing 
feedback to participants in a patient safety evaluation system) and 
receiving patient safety work product from providers (such as 
utilization of patient safety work product to develop a culture of 
safety).
    The Department recognizes that, for any given contractual 
arrangement, providers, not PSOs, will determine the tasks PSOs 
undertake and for which they will be compensated. Therefore, our 
approach to assessing compliance will be as follows. If subject to a 
spot check for compliance, a PSO must be able to demonstrate that it 
has performed all eight patient safety work products at some point 
during its three-year period of listing. However, we will expect a PSO 
to demonstrate that it performs throughout its period of listing the 
patient safety activities that are not dependent upon a relationship 
with a provider or receipt of patient safety work product. We will 
expect compliance with the other patient safety activities consistent 
with the contracts or agreements that the PSO has with providers. A 
component PSO that is established by a health care provider, and for 
which the parent-provider organization is a primary client, would not 
be dependent on external contracts and would be expected to be in 
compliance with all eight patient safety activities during its entire 
period of listing.
    In response to commenters who sought clarification on what is meant 
by compliance with the two-contract requirement, we reaffirm that the 
statutory requirement is clear. There must be two written contracts; a 
single contract with multiple providers can only be counted as one 
contract. We interpret the requirement that the contracts must be with 
``different'' providers straightforwardly. The only requirement is 
that the bona fide contracts must be with individuals or institutions 
that are providers as defined in the rule. We have imposed no other 
requirements; the contracts can be with an institutional provider and 
an individual clinician, or with two entities within the same or 
different system(s).
    After careful consideration of the comments we received, the 
Department has concluded that we will not incorporate an interpretation 
of the term ``each for a reasonable period of time'' regarding the 
required contracts. As we noted in the proposed rule, our intent in 
proposing to interpret the language was to give providers increased 
certainty that the listing of the PSO to which they are reporting data 
could not be challenged on the basis that its required contracts were 
not for a reasonable period of time. However, the provider community 
opposed interpreting the provision, fearing that it would limit their 
ability to customize contracts to meet their analytic needs and urged 
the Department to rely upon the marketplace to interpret this 
requirement. With no empirical basis for choosing one standard or one 
time frame over another, and given the inability to anticipate what 
types of contractual relationships will evolve under the final rule, 
the Department concluded that incorporating a standard at this time 
could have unintended negative consequences and has chosen not to do 
so. As a result, a PSO will be required to have two contracts in effect 
at some point during each 24-month reporting period established by the 
statute but the contracts are not required to cover a specific or 
minimum time period and they are not required to be in effect at the 
same time.
    While we received overwhelmingly favorable support for requiring 
compliance with the Secretary's guidance on common definitions and 
reporting formats (common formats) for the collection of patient safety 
work product, we recognize that the Department's efforts to develop

[[Page 70754]]

guidance will take time. We issued common formats in August 2008 
addressing all patient safety events in acute-care hospitals; AHRQ has 
made the common formats available on its Web site to facilitate their 
use by providers with varying levels of sophistication as well as by 
PSOs. The guidance will be expanded over time to other settings of 
care. Because we anticipate that some PSOs may choose to concentrate 
their work in areas for which guidance from the Secretary is not yet 
available, we have modified the text of the rule by incorporating a new 
paragraph (iii) that interprets compliance in the following way.
    At initial listing, the requirement will be interpreted as a 
commitment by the entity seeking listing to adopt the Secretary's 
recommended formats and definitions by the time it seeks continued 
listing ``to the extent practical and appropriate.'' During the initial 
three-year period of listing, AHRQ will not issue a preliminary finding 
of deficiency to any PSO that has not adopted the Secretary's 
recommended formats and definitions.
    At continued listing, a PSO will be required to: (1) Certify that 
the PSO is using the Secretary's guidance for common formats and 
definitions; (2) certify that the PSO is using an alternative system of 
formats and definitions that permits valid comparisons of similar cases 
among similar providers; or (3) provide a clear explanation for why it 
is not practical or appropriate for the PSO to comply with options (1) 
or (2) at this time. The Secretary will consider a PSO to be in 
compliance if it is using the Secretary's guidance, satisfactorily 
demonstrates that the alternative system it is using permits valid 
comparisons of similar cases among similar providers, or satisfactorily 
demonstrates why neither option is practical or appropriate at this 
time. An example of a satisfactory justification might be that the PSO 
specializes in analyses in a specific niche of health care delivery in 
which there remains significant controversy over relevant reporting 
formats and definitions and/or the Secretary has not recommended any 
relevant common formats or definitions. The Secretary, if he determines 
that the PSO is otherwise eligible for continued listing, but has not 
satisfactorily demonstrated that it meets one of the three requirements 
in Sec.  3.102(b)(2)(iii), may exercise his discretion to continue the 
listing of the PSO and use the process for correction of deficiencies 
in Sec.  3.108(a) to bring the PSO into compliance after its listing 
has been continued.
    We believe this approach effectively balances the statutory goal of 
promoting the ability to aggregate, and learn from, patient safety work 
product, while recognizing the statutory caveat that this requirement 
applies ``to the extent practical and appropriate.'' Our approach 
ensures that PSOs will take the requirement seriously and that a PSO's 
statement that it is not ``practical or appropriate'' to comply at this 
time is well-founded.
Response to Other Public Comments.
    Comment: Several commenters suggested that the final rule include a 
requirement that entities provide assurances that they are financially 
viable.
    Response: The Department has not adopted this proposal. We do not 
believe that assuring the financial viability of PSOs is either an 
authorized or an appropriate Federal task in carrying out the Patient 
Safety Act. The statutory framework leaves this inquiry and 
determination to prospective clients in the market for PSO services. 
PSOs will learn to address this concern routinely if required by 
providers to do so.
    Comment: One commenter suggested that the final rule include a 
provision to require PSOs to have policies and procedures in place to 
safeguard the privacy and confidentiality of a staff member of a PSO, 
who is identified in patient safety work product.
    Response: The Department agrees that PSOs should consider and 
address issues of confidentiality, including those of its workforce 
members. However, we do not believe it is appropriate or necessary to 
mandate how a PSO addresses this issue.
    Comment: Several commenters raised concerns regarding the statutory 
requirement that ``the mission and primary activity of a PSO must be to 
conduct activities that are to improve patient safety and the quality 
of health care delivery'' might make it difficult for existing 
organizations with multiple activities to qualify for listing. One 
commenter suggested that the requirement be altered so that the mission 
and primary activity ``includes'' quality improvement and patient 
safety. Questions were also raised whether organizations that currently 
undertake other activities such as provider education or other 
collections and analyses of clinical data to improve the quality, 
safety, and efficiency of health care would meet the requirement.
    Response: It is important to recognize that the language at issue 
was incorporated into the proposed rule directly from the statute. 
Accordingly, it has been retained. We note that this statutory language 
imposes a dual requirement: improvement of patient safety and the 
quality of health care delivery must be reflected in the entity's 
mission and this improvement activity must constitute the entity's 
primary activity. Since many organizations could reasonably claim that 
improvement of the quality of health care and patient safety are 
fundamental to their missions and even have these words in their 
mission statements, the critical and distinguishing requirement in this 
statutorily-based criterion is that such improvement activities must be 
the entity's primary activity.
    While we understand the rationale of the commenter--many of the 
organizations interested in becoming PSOs will have difficulty 
attesting that this is their primary activity--the Department does not 
have the authority to alter this statutory requirement by making 
improvement of health care delivery and patient safety one of any 
number of significant activities that an organization performs. The 
statute effectively recognizes this dilemma and provides an option in 
this situation. An entity can create a component organization, 
discussed in the next subsection, to seek listing. Such a new component 
created for this exclusive purpose or with this purpose as its primary 
activity would inherently meet this requirement.
    It is likely that some providers will find it more reassuring to 
work with a PSO that is focused solely on the statutorily mandated 
objectives. If an organization with other activities and personnel is 
listed in its entirety as a PSO, it can share a provider's identifiable 
patient safety work product throughout the legal entity, including with 
individuals who are not involved in the work of the PSO, without 
violating the disclosure restrictions of the statute and without 
triggering Federal enforcement action pursuant to subparts C and D of 
the rule. We expect many providers will prefer that their protected 
information be closely held. Thus, existing organizations have other 
reasons, in addition to the mission and primary activity criterion, to 
consider the option of establishing a PSO as a component organization.
    In response to an example posed in two separate comments, if an 
entity's primary activity is the collection and analysis of clinical 
data to improve the quality, safety, and efficiency, the Department 
would consider these activities consistent with the statutory 
requirement. Other situations may warrant discussion with AHRQ staff 
during the planning stage of a PSO or

[[Page 70755]]

at least before submitting certifications for listing. Another example 
posed by a commenter--an entity that provides general health education 
to providers--would appear to require further discussion. As presented, 
general health education would appear to have a link to, but an 
inadequate emphasis on, the analytic focus of a PSO's mandatory patient 
safety and quality improvement activities. The health education entity 
can certainly avail itself of the option to establish a component 
organization to seek listing.
    Comment: One commenter asked what is meant by the concept of 
carrying out patient safety activities. Does this mean that patient 
safety activities must be performed and, if so, when?
    Response: We note that this obligation rests with a PSO, not 
providers. The requirement means that a PSO must perform all eight 
patient safety activities during its period of listing. We clarify how 
the Department will assess PSO compliance with this requirement in the 
discussion of the final rule above.
    Comment: One commenter asked if a PSO could meet the minimum 
contract requirement by entering a contract with a 50-hospital system 
and one independent practitioner (either with a physician or nurse 
practitioner).
    Response: To meet the requirement, a PSO must have at least two 
contracts with different providers. In this case, a contract with a 
solo health care practitioner (such as a physician or a nurse 
practitioner) would meet the requirement for the second contract.
    Comment: One commenter asked if a contract between the parent of a 
health system and a PSO is tantamount to entering a contract with each 
provider that comprises the health system.
    Response: Such an arrangement does not meet the requirement; the 
requirement focuses on the number of contracts, not the number of 
providers that are involved with any contract. The rule, based on the 
terms of section 924(b)(1)(C) of the Public Health Service Act, 
requires two contracts.
    Comment: Can providers within the same system count as different 
providers for meeting the minimum contract requirement?
    Response: The answer to this question is yes if the PSO has 
separate contracts with at least two different providers. Whether the 
providers have a common organizational affiliation is not relevant. The 
only requirements are that the individuals or facilities must be 
providers as defined in Sec.  3.20 of the rule and that there are at 
least two contracts with different providers. Once again, the focus of 
the requirement is the number of contracts.
    Comment: A commenter asked if the establishment of a 
``relationship'' with a provider is sufficient to meet the minimum 
contract requirement.
    Response: No. The rule requires two bona fide contracts, as defined 
in section 3.20, meeting the requirements of the rule.
    Comment: One commenter expressed concern about the ability of his 
agency to meet the minimum contract requirement. His agency administers 
a public patient safety reporting system to which hospitals are 
required to report by state law. His concern was that the hospitals 
might see no need to enter contracts with his agency if it were listed 
as a PSO.
    Response: The modifications to the final rule in Sec.  
3.102(a)(2)(ii) preclude an entity that manages or operates a mandatory 
patient safety reporting system from seeking listing as a PSO.
    Comment: One commenter urged that the final rule not marginalize 
State mandatory reporting systems through the separation of provider 
reporting to PSOs. The commenter recommended that the final rule permit 
States to become listed as PSOs or enter into collaborative 
arrangements with PSOs to share data and staff.
    Response: While we believe that an entity that operates a Federal, 
state, local, or Tribal mandatory patient safety reporting system 
should not be listed as a PSO, the rule does permit a component of such 
an entity to seek listing. A PSO that is a component of an excluded 
entity is prohibited from sharing staff with the excluded entity and 
has limitations on its ability to contract with such a parent 
organization (see Sec.  3.102(c)(4)). However, the component PSO could 
enter into some types of limited collaboration with an excluded entity. 
For example, a PSO may accept additional data from an excluded entity 
for inclusion in its analyses with the understanding that the PSO may 
only share its findings pursuant to one of the permissible disclosures 
in Subpart C, e.g., if the findings are made non-identifiable. In 
addition, other PSOs similarly may share their nonidentifiable findings 
with mandatory state patient safety reporting systems and to the extent 
permitted by state law the state systems might give data to completely 
separate PSOs for analysis and reports in nonidentifiable terms.
    Comment: Several commenters suggested that excluded entities might 
become members of a PSO as long as they were not vertically linked to 
the PSO, although they did not explain what they meant by the term, 
members.
    Response: It is not clear what the commenters mean by a ``member'' 
of a PSO in this context. To the extent that the comments are referring 
to a possible joint venture that creates a PSO, there are few 
productive roles that an excluded entity could play. Such excluded 
entities could not have or exercise any level of control over the 
activities or operation of a PSO. Thus, they could not have access to 
patient safety work product. As a result, the potential for involvement 
of an excluded entity with a PSO would be very limited.
    We note, however, that a component of an entity excluded by Sec.  
3.102(a)(2)(ii) can seek listing. These types of component 
organizations must meet additional requirements set forth in Sec.  
3.102(c)(1).
    Comment: One commenter requested clarification regarding the 
required patient safety activity to provide feedback and assistance to 
providers to effectively minimize patient risk.
    Response: We recognize that the performance of some patient safety 
activities will be dependent upon a PSO's arrangements with its 
clients. As we noted in our discussion of the final rule, we will 
interpret a PSO to be in compliance with this requirement if the 
feedback and assistance is performed at some point during the PSO's 
period of listing.
    Comment: Two commenters pointed to the importance of the use of 
contracted staff to enable a PSO to carry out its duties, especially in 
rural or low population density areas. In such circumstances, a PSO 
needs to draw upon competencies and skills as needed and asked that we 
clarify that such contractors, whether paid or volunteer, could enable 
a PSO to meet the qualified staff requirement.
    Response: The Department assumes that many PSOs, especially 
component PSOs, will use a mix of full-time personnel and individuals 
from whom they seek services as needed, whether paid or on a volunteer 
or shared basis. That is why we have incorporated a broad definition of 
``workforce'' in the rule that encompasses employees, volunteers, 
trainees, contractors, and other persons whether or not they are paid 
by the PSO. As defined in this rule, workforce refers to persons whose 
performance of activities for the PSO is under the direct control of 
the PSO. In addition, however, a PSO is free to enter contracts for 
specific or specialized services, subject to other requirements of the 
rule.

[[Page 70756]]

(C) Section 3.102(c)--Additional Certifications Required of Component 
Organizations
    Proposed Rule: Along with the 15 requirements under subsection (b) 
that all PSOs would have to meet, Sec.  3.102(c) of the proposed rule 
would require an entity that is a component of another organization to 
make three additional certifications regarding: (1) The secure 
maintenance of patient safety work product separate from the rest of 
the organization(s) of which it is a part; (2) the avoidance of 
unauthorized disclosures of patient safety work product to the rest of 
the organization(s) of which it is a part; and (3) the mission of the 
component organization not creating a conflict of interest with the 
rest of the organization(s) of which it is a part.
    We proposed two additional requirements that would interpret these 
statutory provisions: (1) A component PSO could not have a shared 
information system with the rest of the organization(s) of which it is 
a part; and (2) the workforce of the component PSO could not engage in 
work for the rest of the organization(s) if such work could be informed 
or influenced by the individual's knowledge of identifiable patient 
safety work product (except if the work for the rest of the 
organization is solely the provision of patient care). The proposed 
rule did not propose an interpretation, but sought public comment, on 
the requirement that a component organization not create a conflict of 
interest with the rest of the organization(s) of which it is a part.
    We proposed, and sought comment on, a limited option for a 
component PSO to take advantage of the expertise of the rest of its 
parent organization(s) to assist the PSO in carrying out patient safety 
activities. Under this proposal, a component PSO could enter into a 
written agreement with individuals or units of the rest of the 
organization involving the use of patient safety work product, subject 
to specified requirements.
    Overview of Public Comments: Numerous commenters strongly disagreed 
with the Department's proposal that PSOs must maintain separate 
information systems. These commenters argued that it would impose a 
tremendous financial and administrative burden to establish separate 
information systems. A number of commenters suggested alternative 
approaches that could achieve the same goal. For example, one commenter 
recommended that HHS adopt a non-directive concept of functional 
separation and require PSOs to submit with their certifications for 
listing a description of how they intend to meet the requirement for 
technological and other controls to ensure that there is an effective 
protection against inappropriate access to the patient safety work 
product held by the component PSO.
    There was significant concern with the proposal to limit the 
sharing of employees between the parent organization(s) and the 
component PSO if the employee's work could be informed by knowledge of 
a provider's identifiable patient safety work product. Some commenters 
argued that the prohibition was too broad, that it should be narrowed, 
or that the standard was too vague and had the potential for creating 
confusion. A number of commenters recognized the merits of the intended 
prohibition but thought that the proposed rule's formulation was so 
vague that it might limit the ability of any physician in an academic 
health center to assist the component PSO if the physician supervised 
and evaluated interns and residents during their training, presuming 
this to be an unintended result.
    Several alternative approaches were suggested, including: (1) Limit 
the prohibition to staff in the parent organization who would use 
patient safety work product for non-patient safety activities; (2) 
obtain pledges by staff not to use patient safety work product for 
``facility administrative functions;'' (3) limit the prohibition to 
persons with disciplinary/credentialing functions; (4) require 
management staff to sign agreements not to use patient safety work 
product in hiring/firing, credential/privilege decisions; and (5) 
permit shared staff for specific types of entities, such as state 
hospital associations, but not others.
    Our proposal to provide a limited option for a component PSO to 
draw upon the expertise of its parent organization(s) to assist the PSO 
in carrying out patient safety activities was well received. Most 
commenters were supportive of the flexibility provided by this 
provision although one commenter suggested deleting it. Several 
commenters stressed that a ``substantial firewall'' should be 
maintained and that such contracting should only be allowed ``for 
clearly defined and limited staff services.'' One commenter urged that 
such contracts or agreements should be submitted to the Secretary in 
advance so that they ``can be scrutinized by HHS to assess whether 
confidentiality or privilege protections can practically remain 
intact.''
    In our discussion regarding entities excluded from listing in Sec.  
3.102(a)(2)(ii), we noted that a number of commenters that supported 
permitting components of such entities to seek listing, suggested, 
nevertheless, that we establish additional limitations and 
requirements. Their suggestions included requiring that such a 
component organization seeking listing must: Specifically identify its 
parent organization as a regulator and specify the scope of the parent 
organization's regulatory authority; submit to the Secretary 
attestations from providers choosing to report to the PSO that they 
have been informed of the scope of regulatory authority of the parent 
organization; and provide assurances to the Secretary that the parent 
organization has no policies that compel providers to report patient 
safety work product to its component PSO. They also suggested such a 
PSO not be permitted to share staff with the parent organization and 
not be able to take advantage of the proposed limited provision that 
would permit a component PSO to contract with its parent organization 
for assistance in the review of patient safety work product.
    The proposed rule did not propose an interpretation but sought 
comment on the circumstances under which the mission of a component PSO 
could create a conflict of interest for the rest of the parent 
organization(s) of which it is a part. The recommendations of 
commenters reflected a variety of perspectives: One view was that the 
rule should not adopt a general standard; a component organization 
should disclose what it believes may be its conflicts and that this 
disclosure should be deemed sufficient to have cured the conflict; 
another said the Department should undertake case-by-case analysis; and 
a third suggested the Department should adopt guidance, not regulatory 
language.
    Another commenter wrote that there could be no conflict of interest 
if the parent organization is a provider; others suggested that certain 
types of parent organizations posed conflicts of interest, such as when 
the parent organization is an investor-owned hospital or if there are 
certain legal relationships which providers have with a parent 
organization or its subsidiaries. Similarly, one commenter suggested 
that not-for-profit status of a PSO should be an indicator that there 
is no conflict of interest. In a parallel vein, another commenter 
argued that if the PSO could use or sell its information for commercial 
gain, this was a conflict. This commenter also argued that if a PSO 
could be used to create an oasis solely for protection of information 
reported by the system that created it, this represented a conflict; 
the

[[Page 70757]]

information held by a PSO must be made available at minimal or no cost 
for further aggregation. Another commenter suggested that a component 
PSO should never evaluate patient safety work product of an affiliated 
organization; if it does so, this creates a conflict-of-interest.
    Finally, several commenters also suggested that there must be no 
conflict between patient safety work product and non-patient safety 
work product functions. A similar comment from another entity argued 
that a PSO must certify that members of the component PSO workforce are 
not engaged in work for the parent organization that conflicts with the 
mission of the PSO.
    Final Rule: After careful consideration of the extensive number of 
comments received regarding component organizations, the Department has 
modified and restructured the text for Sec.  3.102(c) in the following 
ways.
    We have restructured Sec.  3.102(c) into four separate paragraphs. 
New Sec.  3.102(c)(1)(i) lists the provisions with which different 
component organizations must comply. This subparagraph sets forth the 
requirements that all component organizations must meet. The language 
of this subparagraph is retained from the proposed rule but includes a 
requirement that all component organizations must submit with their 
certifications contact information for their parent organization(s) and 
provide an update to the Secretary in a timely manner if the 
information changes. This requirement was proposed in the preamble but 
was not incorporated in the text of the proposed rule. Many of the 
commenters noted the importance to providers of having information 
regarding the parent organization of a component PSO and, therefore, we 
have incorporated the provision.
    New Sec.  3.102(c)(1)(ii) outlines the requirements for components 
of entities excluded from listing under Sec.  3.102(a)(2)(ii) of this 
section. These components must meet the requirements for all component 
PSOs in Sec.  3.102(c)(1)(i) as well as submit the additional 
certifications and information and adhere to the further limitations 
set forth in Sec.  3.102(c)(4) that are discussed below.
    New Sec.  3.102(c)(2) restates the three additional statutory 
certifications that must be made by all component organizations seeking 
listing. We have deleted two requirements for component entities from 
the text of the proposed rule that were intended to interpret these 
statutory requirements: the requirement for separate information 
systems and the restriction on the use of shared staff. The final rule 
does not impose these proposed requirements on most component 
organizations. However, as discussed below regarding Sec.  3.102(c)(4), 
we have retained the prohibition on shared staff only with respect to 
components of entities that are excluded from listing and, for such 
component PSOs, narrowed the circumstances in which contracting with a 
parent organization is permissible.
    With respect to separate information systems, the Department has 
concluded, based upon the information that was included by commenters, 
that there are a number of cost-effective alternatives for achieving 
the statutory goal of separate maintenance of patient safety work 
product. Accordingly, we have included new language that requires a 
component PSO to ensure that the information system in which patient 
safety work product is maintained does not permit unauthorized access 
by any individuals in, or units of, the rest of the parent 
organization(s) of which it is a part.
    Similarly, after careful consideration of the comments, we have 
eliminated the proposed restriction on the use of shared staff for most 
component PSOs. The Department has concluded that there are significant 
incentives for component PSOs and parent organizations to be very 
cautious in their use of shared personnel, protecting against 
inappropriate disclosures, and the disclosure of patient safety work 
product. A number of commenters appeared to appreciate the importance 
of maintaining separation between their patient safety activities and 
internal disciplinary, privileges, and credentialing decisions, which 
were the focus of our concern.
    Our review has led us to conclude that the potential negative 
consequences for providers, independent of any fear of Department 
action, lessen the need for the rule to address this issue. For 
example, institutional providers are likely to find it difficult to 
develop robust reporting systems if the clinicians on their staff learn 
or even suspect that the same individuals involved in analysis of 
patient safety work product play key roles in administrative decisions 
that can lead to adverse personnel decisions. This may lead to 
decreased reporting of patient safety events. The suspicion of 
contamination between the processes could also provide a new basis for 
challenging adverse employment actions, which could require providers 
to prove that their actions were not influenced by inappropriate use of 
patient safety work product. Finally, there is the right of action that 
the statute grants to individual providers who believe and allege that 
their employer took an adverse employment action against them based 
upon their providing information to the employer's patient safety 
evaluation system for reporting to the PSO or based upon their 
providing information directly to the PSO. Given the importance to 
providers of maintaining protections for their work product, we 
conclude that it is unlikely that a parent organization will 
intentionally jeopardize those protections. Therefore, we have 
eliminated the proposed restriction on the use of shared staff, except 
for components of entities excluded from listing as discussed below 
regarding Sec.  3.102(c)(4). In its place, we have restated the 
statutory requirement that the component organization (and its 
workforce and contractors) may not make unauthorized disclosures to the 
rest of the organization(s) of which the PSO is a part.
    We have retained without change in Sec.  3.102(c)(2)(iii) the 
proposed rule text prohibiting the pursuit of the mission of the PSO 
from creating a conflict of interest with the rest of the 
organization(s) of which it is a part. To the extent that individuals 
or units of the rest of the parent organization(s) have obligations and 
responsibilities that are inconsistent with the ``culture of safety'' 
that the statute seeks to foster, a component PSO could create a 
conflict of interest by sharing identifiable patient safety work 
product with them as shared staff or under a written agreement pursuant 
to Sec.  3.102(c)(3), discussed below. On the other hand, the component 
PSO could draw upon the expertise of these same individuals in other 
capacities in which identifiable work product is not shared and, 
thereby, avoid creating conflicts of interest. Thus, we would interpret 
permitting the creation of conflicting situations for staff or units of 
the parent organization(s) as inconsistent with a component PSO's 
attestation.
    Section 3.102(c)(3) retains without substantive change the 
provision in the proposed rule to enable a component PSO, within 
limits, to take advantage of the expertise of the rest of the 
organization of which it is part. In response to concerns expressed by 
some commenters, we stress the statutory requirement for the PSO to 
maintain patient safety work product separately from the rest of the 
organization. In such circumstances, it cannot be transferred to 
individuals or units of the rest of the organization except as 
permitted by the rule. As a practical matter, if the parent

[[Page 70758]]

organization is a provider organization and the component PSO is 
evaluating the parent organization's data, the parent-provider is 
likely to have a copy of all of the data transmitted to the component 
PSO.
    We do not dismiss the concerns of commenters that this contracting 
authority could be used inappropriately. We remind each component PSO 
that the statute requires it to maintain patient safety work product 
separately from the rest of the organization(s) of which the component 
PSO is a part and prohibits unauthorized disclosures to the rest of the 
organization(s) of which it is a part. Therefore, it may not be 
appropriate for its parent organization to serve as its main provider 
of analytic or data services if such arrangements would effectively 
confound statutory intent for a firewall between a component PSO and 
the rest of the organization(s) of which it is a part. The flexibility 
provided by the rule to use in-house expertise is intended to 
supplement, not replace, the PSO's authority to contract with external 
expert individuals and organizations.
    Section 3.102(c)(4) incorporates new requirements, drawn from our 
review of public comments, that only apply to organizations that are 
components of entities excluded from listing under Sec.  
3.102(a)(2)(ii). Thus, these component organizations have three sets of 
requirements to meet: The 15 general certification requirements in 
Sec. Sec.  3.102(b)(1) and 3.102(b)(2); the requirements that all 
component PSOs must meet in Sec. Sec.  3.102(c)(1)(i) and 3.102(c)(2); 
and the requirements that are established by Sec.  3.102(c)(4).
    Section 3.102(c)(4) establishes a requirement for additional 
information and certifications that must be submitted with the 
component organization's certifications for listing and it establishes 
two additional restrictions with which a component organization must 
comply during its period of listing. The additional information and 
certifications require a component PSO of an entity described in Sec.  
3.102(a)(2)(ii) to:
    1. Describe the parent organization's role, and the scope of the 
parent organization's authority, with respect to the activities which 
are the basis of the parent organization's exclusion from being listed 
under Sec.  3.102(a)(2)(ii).
    2. Certify that the parent organization has no policies or 
procedures that would require or induce providers to report patient 
safety work product to the component organization once it is listed as 
a PSO, and affirm that the component PSO will notify the Secretary if 
the parent organization takes any such actions during its period of 
listing. An example of an inducement would be if a parent organization 
that accredited or licensed providers awarded special scoring 
consideration to providers reporting to the parent organization's 
component PSO; additional scoring consideration for reporting to any 
PSO, by contrast, would not violate this restriction.
    3. Certify that the component PSO will include information on its 
website and in any promotional materials for providers describing the 
activities which were the basis of the parent organization's exclusion 
under Sec.  3.102(a)(2)(ii).
    We have incorporated these additional requirements for information 
and attestations to address widespread concerns among commenters that 
an excluded parent organization might attempt to compel providers to 
report data to its component PSO and circumvent the firewalls for 
access to that data. These extra requirements for such component PSOs 
will strengthen transparency and the additional statements submitted 
with the component organization's certifications will be posted on the 
AHRQ PSO Web site along with all its other certifications. Our intent 
is to ensure that such a component organization's website and its 
promotional materials for providers will inform providers regarding the 
nature and role of its parent organization. The rule is emphatically 
clear that the Department will take prompt action to revoke and delist 
a component organization whose excluded parent organization attempts to 
compel providers to report data to its component PSO. New Sec.  
3.108(e)(1) lists specific circumstances, including this situation, in 
which revocation and delisting will take place on an expedited basis.
    The final rule also prohibits a PSO that is a component 
organization of an entity excluded from listing from sharing staff, 
during its period of listing, with the rest of the organization(s) of 
which it is a part. 
Such a component PSO may enter into contracts or written agreements 
with the rest of the organization(s) under the authority provided to 
all component PSOs by Sec.  3.102(c)(3) but with one additional 
limitation. Such contracts or written agreements are limited to units 
or individuals of the parent organization(s) whose responsibilities do 
not involve the activities that are the basis of the parent 
organization's exclusion under Sec.  3.102(a)(2)(ii). If the parent 
organization's sole activity is the reason for its exclusion, the 
component organization could never enter a contract or written 
agreement to have staff from the rest of the organization assist the 
PSO in carrying out patient safety activities. If the parent 
organization engages in a mix of activities, some of which are not a 
basis for exclusion from listing, the component organization will be 
able to take advantage of this contracting option, subject to our 
caveat above.
Response to Other Public Comments
    Comment: One commenter asked us to confirm that component PSOs can 
maintain patient safety work product behind secure firewalls using 
existing information systems.
    Response: The modifications we have adopted and discussed above 
mean that the final rule permits this approach.
    Comment: Several commenters suggested that it was unrealistic for 
the component PSO to maintain patient safety work product separately 
from its parent organization if the parent organization is a provider 
reporting data to the component PSO.
    Response: The Patient Safety Act requires a component PSO to maintain 
patient safety work product separately from the rest of the 
organization(s) of which it is a part; therefore, we cannot remove the 
restriction. While contracts between a PSO and a provider are likely to 
address the extent to which a provider has access to information held 
by a PSO, we caution contracting parties to be mindful of this 
statutory restriction in crafting their contracts. The requirement for 
separation does not mean that the component organization cannot share 
information with a parent organization but any sharing must be 
consistent with the permissible disclosures of this rule.
(D) Section 3.102(d) Required Notifications
(1) Section 3.102(d)(1)--Notification Regarding PSO Compliance With 
Minimum Contract Requirement
    Proposed Rule: Section 3.102(d)(1) of the proposed rule would 
require a PSO to attest within every 24-month period, beginning with its 
initial date of listing, that the PSO has met the two-contract 
requirement. We proposed to require notification of the Secretary 45 
days before the end of the applicable 24-month period. Early 
notification would enable the Department to meet another statutory 
requirement to provide PSOs with an opportunity to correct a 
deficiency. If the requirement is not yet met, this would enable the 
Secretary to establish an opportunity for correction that ends at 
midnight on the last day of the 24-month period.

[[Page 70759]]

    Overview of Public Comments: The comments we received endorsed our 
proposed approach. One commenter suggested we should consider requiring 
notification 60 days in advance.
    Final Rule: We expect that, in most circumstances, contracts will 
be the primary source of revenue for PSOs. In light of the fact that 
only two contracts are required, we do not anticipate that many PSOs 
will reach this point in their period of listing without meeting the 
requirement. We have not accepted the recommendation to require 
notification sooner. The Department adopts the provision as recommended 
in the proposed rule without modification.
(2) Section 3.102(d)(2)--Notification Regarding a PSO's Relationships 
With Its Contracting Providers
    Proposed Rule: The proposed rule incorporated in Sec.  3.102(d)(2) 
the statutory requirement that a PSO would make disclosures to the 
Secretary regarding its relationship(s) with any provider(s) with whom 
the PSO enters a contract pursuant to the Patient Safety Act (Patient 
Safety Act contract). The statute requires PSOs to disclose whether a 
PSO has any financial, contractual, or reporting relationships with 
this contracting provider and, if applicable, whether the PSO is not 
managed, controlled, or operated independently of this contracting 
provider.
    The proposed rule noted that a PSO would need to make this 
assessment when it enters a contract with a provider and, if 
disclosures are required, submit a disclosure statement within 45 days 
of the effective date of the contract. If relationships arise during 
the contract period, submission would be required within 45 days of the 
date the relationships are established.
    The proposed rule would have provided guidance on our 
interpretation of financial, contractual, and reporting relationships 
and emphasized that the statute required a PSO to ``fully disclose'' 
the relationships. We noted that disclosure would be required only when 
the PSO entered a Patient Safety Act contract with a provider and there 
were relationships that required disclosure. We also encouraged, but 
did not require, PSOs to list any agreements, stipulations, or 
procedural safeguards that might offset the influence of the provider 
and that might protect the ability of the PSO to operate independently.
    Overview of Public Comments: Commenters expressed concern that the 
proposed rule was not sufficiently specific with respect to the 
required disclosure statements. They suggested that the emphasis in the 
proposed rule on the statutory requirement for full disclosure, without 
a corresponding discussion of the parameters for the contents and level 
of detail of the statements, raised the prospect that PSOs would feel 
compelled to develop disproportionately detailed information that might 
not be germane. One commenter suggested that what is most important is 
awareness of the fundamental relationship(s) that exist, not the 
specific details, suggesting that if the provider in question is the 
parent entity of the PSO, it should be sufficient to know that the 
parent-provider is the source of financial support to the PSO, employs 
its workforce, and provides management to its activities.
    In addition, there was concern that since the disclosure statements 
are going to be made public, detailed submissions regarding the 
financial and contractual obligations would make it difficult to 
maintain the confidentiality of potentially sensitive business 
information. Several commenters noted that it is not unusual for 
certain types of contractual work with commercially sensitive 
implications to include confidentiality agreements and one commenter 
suggested that the process permit a PSO to request that the Secretary 
not disclose specific information under certain circumstances.
    A number of commenters expressed concern about the potential 
unintended consequences of disclosure, especially with respect to the 
identity of providers. One commenter raised concern that the 
requirement would lead to ``differential'' disclosure, by which the 
commenter meant that, of the total number of providers with which a PSO 
enters contracts, only those with other relationships would have their 
names disclosed and the other providers would not have their names made 
known through the proposed public release of disclosure statements by 
the Secretary.
    Final Rule: After careful review of the comments, the Department 
has reconsidered its approach to this disclosure requirement and has 
made modifications to the text that are incorporated in the final rule. 
Based upon this review, we have shifted the emphasis of the term 
``fully disclose'' from stressing the level of detail that a PSO must 
provide in describing each of the other types of relationships (listed 
below) that the PSO has with a contracting provider to an emphasis on 
requiring that the PSO disclose clearly and concisely every 
relationship that requires disclosure. This shift in emphasis remains 
consistent with our overall emphasis on transparency; without being 
burdensome, it enables both the Secretary and providers considering 
contracts with a PSO to request additional information regarding any 
relationships of concern. We have adopted a clearer and narrower 
interpretation of the disclosures of relationships that must be made in 
view of concerns expressed by commenters about the scope of the 
required reports. In response to requests for more guidance on the 
required submissions, this final rule calls for a two-part disclosure 
statement and describes what must be included in each part.
    These modifications to the final rule reflect several 
considerations. The Department has concluded that the Patient Safety 
Act does not provide incentives for a provider to control or manipulate 
the findings of a PSO with respect to its own patient safety 
information. A PSO's conclusions and recommendations are patient safety 
work product and, whether the PSO is critical or complimentary of the 
provider or the provider agrees or disagrees with the PSO, the PSO 
analysis and guidance remains confidential and privileged under the 
Act, which means that there are constraints on the ability of a 
provider to disclose the PSO's conclusions and recommendations. Even 
when they can be disclosed, calling the public's attention to positive 
findings is likely to engender scrutiny of the extent to which the 
provider's relationship with its PSO is truly an arm's-length 
relationship. In sum, providers have little to gain under the statute's 
framework from attempting to control or manipulate the analyses and 
findings of a PSO.
    At the same time, the Department expects the statutory disclosure 
requirements, coupled with public release of disclosure statements and 
the Secretary's findings as provided by Sec.  3.104(b), will provide 
important and useful information to providers seeking to contract with 
a PSO. As we pointed out in the proposed rule, a provider seeking to 
contract with a PSO will have its own standards for what other PSO 
relationships it considers to be acceptable. Therefore, the submission 
and public release of this information should improve the efficiency of 
the search process by providers.
    In light of these considerations, the Department has determined 
that the most appropriate interpretation of the statutory requirement 
to ``fully disclose'' other relationships is to emphasize the need to 
require the disclosure of every pertinent relationship specified by the 
statute. Providers that are considering entering a contract with a PSO 
can determine for themselves if any

[[Page 70760]]

disclosed relationships pose concerns. If so, they can then request 
further detailed information as they see fit. This approach has the 
further benefit of limiting the potential for inappropriate release of 
proprietary or commercial information, another matter of concern to 
commenters. The Department will protect confidential commercial 
information as permitted by the Freedom of Information Act and in 
accordance with 18 U.S.C. 1905.
    Thus, in making his required determination, the Secretary will both 
give great weight to, and hold a PSO accountable for, its attestation 
that it will fully disclose all relationships required to be reported 
and whether the PSO's operations, management, and control are not 
independent of any provider with whom it has entered a Patient Safety 
Act contract. The Secretary retains the authority to require an entity 
to provide more detailed information if necessary to make his required 
determination under 42 U.S.C. 299b-24(c)(3) regarding the ability of 
the PSO to fairly and accurately perform its patient safety activities 
in light of any reported relationships.
    The final rule retains the general framework of the proposed rule 
for a PSO to use in determining when a disclosure statement must be 
submitted. The two thresholds remain unchanged. The disclosure 
requirement only applies when a PSO has entered a contract that 
provides the protections of the Patient Safety Act, i.e., a Patient 
Safety Act contract, and the PSO has other relationships with that 
contracting provider of the types specified below. A disclosure 
statement is not required if the PSO has a Patient Safety Act contract with 
a provider and the relationships described below are not present, nor 
is a disclosure statement required if the relationships are present but 
there is no Patient Safety Act contract.
    We have restructured the text in the final rule. There are now 
three paragraphs: A restatement of the requirement in paragraph (i), a 
description of the required content of a disclosure statement in 
paragraph (ii), and the deadlines for submission of disclosure 
statements set forth in paragraph (iii).
    Section 3.102(d)(2)(i) contains the following substantive changes. 
Compared with the requirements of the proposed rule, this paragraph 
eliminates the need to submit a disclosure statement if the PSO's only 
other relationships with this contracting provider are limited to 
Patient Safety Act contracts.
    In response to commenters' questions and concerns, we have modified 
the text describing the statutory list of disclosures: contractual, 
financial, and reporting relationships are incorporated in 
subparagraphs (A)-(C) and control, management, and operation of the 
PSO, independent from the provider, is incorporated in subparagraph 
(D). We have narrowed the language in paragraphs (A)-(C) by limiting 
the required disclosures to current contractual, financial, and 
reporting relationships and restating the requirements to emphasize 
that disclosure is only required for relationships other than those in 
Patient Safety Act contract(s). We have restated and streamlined the 
language of subparagraph (A) to emphasize contracts and arrangements 
that impose obligations on the PSO.
    We have retained the substantive requirements for financial 
relationships. Based upon comments received, we have determined that if 
the PSO is a membership organization, the Department does not consider 
dues or other assessments applied to all members to constitute a 
financial relationship for this purpose. The rule narrows the scope of 
subparagraph (C), where the text narrows the definition of reporting 
relationships to those in which this contracting provider has access to 
information about the work and internal operation of the PSO that is 
not available to other contracting providers. By focusing on this 
particular aspect of reporting relationships, we have tried to make 
plain that it is not our intent to collect information regarding the 
multiple ordinary types of reporting relationships that exist routinely 
between contracting parties. We have made the requirement narrower both 
for clarity and simplicity. The deleted reference to control is 
addressed by subparagraph (D), which we have narrowed to simply restate 
the statutory language on what must be disclosed or reported regarding 
management, control, and operation independent of the contracting 
provider. We deleted the language requiring a PSO to assess whether any 
of the relationships in what is now subparagraph (D) might impair its 
ability to perform patient safety activities fairly and accurately 
because PSOs will now address these issues in the required narrative 
that comprises the second part of the disclosure statement, described 
below.
    New Sec.  3.102(d)(2)(ii) specifies the two required parts of a 
disclosure statement. The first part must disclose in summary form 
succinct descriptions of all of the obligations that the PSO has with 
this provider. The second part must be a related short narrative (we 
recommend no more than 1,000 words) that addresses the issues described 
below and is intended to explain the measures taken by the PSO to 
assure that its analyses and findings are fair and accurate.
    We use the term ``obligations''--rather than the statutory term 
``relationships''--in Sec.  3.102(d)(2)(ii) of the rule for the 
following reason. If a PSO has multiple relationships with a provider, 
many of these relationships are likely to be both contractual and 
financial (and may involve other relationships for which the statute 
requires disclosure). A disclosure statement that was organized by the 
four types of relationships that require disclosure (subparagraphs (A)-
(D) discussed above) would be confusing and difficult to interpret 
since items in different categories would be related. For example, if 
the PSO already has a contract with a provider to render a service for 
which it is paid, we do not see the benefit of having the contract 
listed in one reporting category and the financial relationship in 
another reporting category since they are clearly related.
    Therefore, in drafting the required disclosure statement, a PSO 
should address the four statutorily-required disclosures discussed 
above as aspects of the separate obligations or arrangements that exist 
between a PSO and the provider with which the PSO is entering or has a 
Patient Safety Act contract. A PSO should focus on clarity and brevity 
in explaining each obligation in a single paragraph: a sentence or two 
should describe the nature of the obligation, and the remainder of the 
paragraph should address each of the four required disclosures that are 
present and specifically note any of the four that are not.
    As we use the term, an obligation is not limited to services that a 
PSO renders to a provider (such as developing information and 
undertaking analyses or providing a service or technical assistance). 
An obligation could also reflect a PSO's relationship with an investor 
or owner and any arrangement that affects the PSO's independence or 
involves any of the statutorily-required disclosures described above. 
In developing its list, a PSO should not combine separate and distinct 
obligations such as more than one contract, nor should it disaggregate 
a single obligation. For example, if a PSO undertakes technology 
assessments and has three separate contracts for different assessments, 
these would be three separate obligations and should be reported 
separately. On the other hand, an obligation that has more than one

[[Page 70761]]

task, such as providing assistance in implementing and evaluating a 
process improvement, should only be listed once; we are not suggesting 
that PSOs report separately on the different elements of a single 
unified project.
    To apply these concepts, consider a hospital that was one of five 
hospitals that invested in the creation of a PSO and the hospital 
subsequently enters a Patient Safety Act contract with the PSO. If this 
investment is the only obligation other than the Patient Safety Act 
contract that exists between the PSO and the provider, the PSO's 
disclosure statement would include only one obligation and it could be 
described in a single paragraph. Within that paragraph, the PSO should 
systematically address the required statutory disclosures or note that 
they are not present. In addressing financial relationships, the PSO 
should not include the amount of the investment or specific terms. In 
this case, the required paragraph would describe the essential nature 
of the financial relationship, e.g., it is a loan requiring repayment 
over X years; it is a long-term investment requiring the payment of 
dividends, etc., whether it was formalized by a contract, whether a 
reporting relationship exists, e.g., the provider has access to 
internal quarterly financial statements not available to other 
providers, and whether the obligation gives the provider any ability to 
control or manage the PSO's operations, e.g., the provider has a seat 
on the board or review or veto authority over new clients, specific 
contracts, budgets, staff hiring, etc.
    If the PSO is a subsidiary of a health system, the paragraph could 
indicate that the PSO is a subsidiary of the provider, the provider is 
the primary source of revenue for the component PSO, the types of 
internal PSO information to which the provider has access, e.g., all 
financial, personnel, administrative internal information, and that the 
provider manages or controls (or has review and approval authority 
over) day-to-day decision-making, hiring and firing decisions, etc. By incorporating 
the required statutory disclosures into a succinct discussion of the 
obligations that a PSO has with this provider, we anticipate that the 
descriptions will be more comprehensible.
    Part II of a disclosure statement must describe why or how the PSO, 
given the disclosures in part I, can fairly and accurately perform 
patient safety activities. The PSO must address: The policies and 
procedures that the PSO has in place to ensure adherence to 
professional analytic standards and objectivity in the analyses it 
undertakes; and any other policies, procedures, or agreements that 
ensure that the PSO can fairly and accurately perform patient safety 
activities.
    Section 3.102(d)(2)(iii) of the rule retains the deadlines for 
submission of disclosure statements that were included in the proposed 
rule.
Response to Other Public Comments
    Comment: One commenter asked that we exempt a PSO with fewer than 5 
clients from releasing the names of its clients.
    Response: We note that a PSO never has to reveal the names of its 
clients (providers) as long as the PSO does not have the other types of 
relationships described in this subsection with those providers. 
However, when such relationships are present, the statute does not 
provide authority for us to create such exceptions.
    Comment: One commenter asked that we clarify that the required 
disclosures can be made in a way that the PSO does not breach the 
confidentiality requirements that may be a part of another contractual 
arrangement with a contracting provider.
    Response: The Department cannot make a definitive statement that 
such confidentiality agreements can always be honored; this requires a 
case-by-case determination. A PSO is encouraged to discuss the issue 
with AHRQ staff before submitting a disclosure statement. As noted 
above, the agency's public disclosures are constrained by 18 U.S.C. 
1905, but agency officials have some discretion with respect to 
determining what information would be restricted under that statute. We 
note also that the agency has the discretion to deny Freedom of 
Information Act requests for information it regards as confidential 
commercial information (5 U.S.C. 552(b)(4)). Agency determinations will 
be assisted by explanations of what is viewed by a submitter as 
confidential commercial information and the reasons why that is the 
case.
    Comment: One commenter posed a series of questions related to an 
entity that seeks listing that receives general membership dues or 
assessments, i.e., whether such general dues or assessments would be 
considered financial relationships and, therefore, require the filing 
of disclosure statements. The commenter also asked if disclosure of 
such membership dues or assessments is required under any other section 
of the rule.
    Response: The Department has determined that membership dues or 
general assessments applied to all members do not constitute 
``financial relationships'' between a provider and a PSO. There is no 
other section of the rule that would require disclosure of membership 
dues or assessments. Before seeking listing, however, a membership 
organization should carefully assess whether it meets the statutory 
requirement that its primary activity must be the conduct of activities 
to improve patient safety and the quality of health care delivery.
2. Section 3.104--Secretarial Actions
(A) Section 3.104(a)--Actions in Response to Certification Submissions 
for Initial and Continued Listing as a PSO
    Proposed Rule: Section 3.104(a) described the actions that the 
Secretary could and will take in response to the certification material 
submitted for initial or continued listing as a PSO. We proposed that, 
in making a listing determination, the Secretary would consider the 
submitted certifications, issues related to the history of the entity, 
and any findings by the Secretary regarding disclosure statements. The 
proposed rule also included authority for the Secretary, under certain 
circumstances, to condition the listing of a PSO. We did not propose a 
deadline for Secretarial review of certifications submitted, but noted 
that we expect the Secretary to be able to conclude review within 30 
days of receipt unless additional information or assurances are 
required.
    Overview of Public Comments: We received several comments 
pertaining to this section. One comment endorsed the proposed 
provision. Another requested that we modify the rule to require 
Secretarial action within 60 days. A third commenter recommended that 
the Secretary establish timetables for all actions and opposed open-
ended timeframes.
    Final Rule: We have retained the text from the proposed rule with 
two modifications. The text of Sec.  3.104(a)(1)(iii) of the proposed 
rule stated that the Secretary may require conditions for listing as 
part of his review of disclosure statements submitted pursuant to Sec.  
3.102(d)(2); that text has been retained. We also noted in the preamble 
discussing proposed Sec.  3.104(a) that there may be certain 
circumstances in which the Secretary determines that it would not be 
prudent to rely solely on the certifications for listing submitted by 
an entity that was previously revoked and delisted for cause or 
previously refused listing by the Secretary. In such limited 
circumstances, we suggested the Secretary may seek additional

[[Page 70762]]

assurances from the PSO that would increase the Secretary's confidence 
that, despite the history of the entity and its officers and senior 
staff, the entity could now be relied upon to comply with its statutory 
and regulatory obligations. To reflect the potential need for 
assurances in such cases, and to better align the text with the 
preamble discussion of the proposed rule, we have modified the text of 
Sec.  3.104(a)(1)(iii) to permit the Secretary to condition the listing 
of a PSO in this limited circumstance to ensure that such a PSO honors 
the assurances it makes in seeking listing.
    The second change is a conforming modification to the basis for the 
Secretary's determination in Sec.  3.104(a)(2), which specifically 
recognizes the right of the Secretary to take into account any history 
of or current non-compliance with requirements of the rule by officials 
and senior managers of the entity. This change also mirrors the 
requirement in Sec.  3.102(a)(1) that entities seeking listing inform 
the Secretary if their officials or senior managers held comparable 
positions in a PSO that was delisted or with an entity that was denied 
listing by the Secretary.
    We have not accepted the commenter's recommendation to establish a 
regulatory deadline of 60 days for Secretarial action. This is a novel 
initiative and without a better sense of the potential issues that may 
arise, such as when a delisted PSO seeks a new listing, we are 
reluctant to circumscribe the flexibility that the statute and the 
proposed rule provided the Secretary. In addition, the statute requires 
an affirmative acceptance and listing action by the Secretary. Listing 
cannot occur as a result of any failure to meet a deadline. 
Accordingly, we have not adopted the recommendation.
(B) Section 3.104(b)--Actions Regarding PSO Compliance With the Minimum 
Contract Requirement
    Proposed Rule: Section 3.104(b) of the proposed rule stated that, 
after reviewing the required notification from a PSO regarding its 
compliance with the minimum contract requirement, the Secretary would, 
for a PSO that attests that it has met the requirement, 
acknowledge in writing receipt of the attestation and include 
information on the list of PSOs. If the PSO notifies the Secretary that 
it has not yet met the requirement, or if notification is not received 
from the PSO by the required date, the proposed rule stated that the 
Secretary would promptly issue a notice of a preliminary finding of 
deficiency and provide the PSO an opportunity for correction that will 
extend no later than midnight of the last day of its applicable 24-
month assessment period. If the Secretary verifies that the PSO has not 
met the requirement by the last day of the 24-month period, he would 
issue a notice of proposed revocation and delisting.
    Overview of Public Comments: We received no comments on this 
subsection.
    Final Rule: The final rule incorporates the substance of the NPRM 
text without modification but restructures the text for clarity. The 
restructured text clarifies that the Secretary will only issue a notice 
of a preliminary finding of deficiency after the date on which a PSO's 
notification to the Secretary is required by Sec.  3.102(d)(1).
(C) Section 3.104(c)--Actions Regarding Required Disclosures by PSOs of 
Relationships With Contracting Providers
    Proposed Rule: Section 3.104(c) of the proposed rule stated that 
the Secretary would evaluate a disclosure statement submitted by a PSO 
regarding its relationships with contracting providers by considering 
the nature, significance, and duration of the relationships between the 
PSO and the contracting provider. We sought public comment on other 
appropriate factors to consider. The statute requires disclosure of the 
Secretary's findings, and we proposed public release, consistent with 
the Freedom of Information Act and 18 U.S.C. 1905, of PSO disclosure 
statements as well.
    This proposed section also listed the statutorily permissible 
actions that the Secretary could take following his review: Conclude 
that the disclosed relationships require no action on his part or, 
depending on whether the entity is listed or seeking listing, condition 
his listing of the PSO, exercise his authority to refuse to list, or 
exercise his authority to revoke the listing of the entity. The 
Secretary would notify each entity of his findings and decisions.
    Overview of Public Comments: One commenter suggested that our 
proposal that the Secretary consider the nature, significance, and 
duration of the relationship in evaluating the relationships had no 
statutory foundation. Another commenter suggested that we take into 
account corrective action. Several commenters proposed that we rely 
upon the inter-agency work group that is assisting AHRQ in developing 
common formats and definitions for reporting patient safety work 
product to assist in developing disclosure statements. One commenter 
suggested that we create a ``safe harbor'' for multi-hospital parent 
organization systems that contract with a PSO on behalf of some or all 
of its hospitals so that a disclosure statement would not be required, 
deeming that the component PSO of a multi-hospital organization can 
perform patient safety activities fairly and accurately. Another 
suggestion was that the Secretary should adopt a standard requiring 
that there be no conflicts of interests.
    Final Rule: We have retained much of the text from the proposed 
rule but have modified the paragraph setting forth the basis for the 
Secretary's findings regarding disclosure statements. In light of the 
comments, we have deleted the reference to ``nature, significance, and 
duration'' as not appropriate in every circumstance. The modification 
to the rule now requires the Secretary to consider the disclosures made 
by the PSO and an explanatory statement from the PSO making the case 
for why the PSO can fairly and accurately perform patient safety 
activities.
    We have not adopted the other suggestions. As we discuss above, 
with respect to Sec.  3.102(d)(2), we agree with the commenter that 
there is little reason for a provider organization to exert 
inappropriate control over its component PSO. At the same time we do 
not believe the statute permits us to waive Secretarial review under 
any set of circumstances.
    We do not agree with commenters that the common formats inter-
agency work group is the appropriate group to address disclosure 
statements. At this time, their informatics and clinical expertise and 
responsibilities are not congruent with assisting in the design or 
substantive requirements for disclosure statements.
(D) Section 3.104(d)--Maintaining a List of PSOs
    Proposed Rule: The proposed rule sought to incorporate in Sec.  
3.104(d) the statutory requirement that the Secretary compile and 
maintain a list of those entities whose PSO certifications have been 
accepted and which certifications have not been revoked or voluntarily 
relinquished. We proposed that the list would include information 
related to certifications for listing, disclosure statements, 
compliance with the minimum contract requirement, and any other 
information required by this Subpart. We noted that we expected to post 
this information on the AHRQ PSO Web site, and sought comment on 
whether there are specific types of information that the Secretary 
should consider posting routinely on this Web site for the benefit of 
PSOs, providers, and other consumers of PSO services.

[[Page 70763]]

    Overview of Public Comments: In addition to the list in the 
proposed rule, several commenters urged that we post the contact 
information for the parent organizations, subsidiaries, and affiliates, 
a list of states in which the parent organization does business, and 
the business objectives of the parent organizations, and whether each 
parent organization is for-profit or not-for-profit.
    Two commenters suggested that the Secretary's guidance on common 
reporting formats and definitions should be available on the PSO Web 
site. One commenter urged that the final rule and contact information 
for AHRQ staff should also be available there. Another commenter 
suggested that, since AHRQ works with PSOs, the value to prospective 
providers would be increased if we posted information on areas of 
specialization of individual PSOs and use the Web site as one tool for 
facilitating confirming analyses by other PSOs of initial work.
    Final Rule: The final rule incorporates the proposed rule text 
without modification. We have not modified the text of the rule because 
most of the recommendations relate to information that AHRQ will be 
receiving or producing for PSOs and can be posted to the Web site 
without additions or changes to the rule text. Recommendations to post 
information related to AHRQ staff and the final rule can be implemented 
without regulation as well. As AHRQ provides technical assistance to 
PSOs and works with the provider community to encourage the use of PSO 
services, we expect to publish information on the Web site that PSOs 
and the provider community request. In addition, the names and contact 
information of parent organizations of component PSOs and other 
information submitted at listing will be posted in accordance with the 
proposed rule text.
    Commenters urged us to post some information that we have no plans 
to collect, and, therefore, we have not accepted their recommendations. 
Most of these recommendations related to the business objectives, or 
the for-profit or not-for-profit status of parent organizations of 
component PSOs. In our view, requiring component organizations to 
submit such information would be burdensome and unnecessary. Providers 
will be able to find that information by using the published contact 
information on PSOs and parent organizations.
(E) Section 3.104(e)--Three-Year Period of Listing
    Proposed Rule: Section 3.104(e) proposed that listing as a PSO 
would be for three years, unless the Secretary revokes the listing or 
the PSO voluntarily relinquished its status. We also proposed that the 
Secretary would send a written notice of imminent expiration to a PSO 
no later than 45 calendar days before its listing expires if the 
Secretary has not received a certification seeking continued listing. 
We sought comment on a requirement that the Secretary publicly post the 
names of PSOs to which a notice of imminent expiration has been sent.
    Overview of Public Comments: Commenters were virtually unanimous 
that, at the time we send a PSO a notice of imminent expiration, we 
should post similar information on the AHRQ PSO Web site. Several 
commenters suggested that PSOs should be required to notify providers 
that the PSO has received a notice of imminent expiration and 
expressed concerns about the time needed for providers to make 
alternative arrangements. One commenter suggested that notice to 
providers should be a part of the contract with the PSO. Another 
suggested that the Department establish an email listserv that 
providers could join for alerts such as this. One commenter opposed 
public notice and one expressed conditional support, provided the 
Department ensured the accuracy of the information on the Web site.
    Final Rule: We have modified and redrafted Sec.  3.104(e) of the 
final rule. The final rule retains the proposed provision that the 
period of listing will be for three years, unless revoked or 
relinquished. The first modification is that this section now 
explicitly provides for the automatic expiration of a PSO's listing at 
the end of three years, unless the Secretary approves its certification 
for continued listing before the date of expiration. By incorporating 
this modification and making the process automatic, we have been able 
to eliminate the proposal in Sec.  3.108(c) for a process we termed 
``implied voluntary relinquishment.'' In comparison with the proposed 
rule approach, which required the Secretary to take affirmative action 
to delist a PSO that let its certifications lapse, this automatic 
approach simplifies the administrative process.
    We have modified subparagraph 3.104(e)(2) in two ways. We will send 
a PSO a notice of imminent expiration even earlier--at least 60 days 
rather than 45 days--before its certifications expire. We adopted the 
earlier notification date in response to general concerns reflected in 
the comments about the time a provider needed to make alternative 
arrangements and to ensure sufficient time for the Secretary to review 
and make a determination regarding certifications for continued 
listing. The second modification incorporates our proposal to post a 
notice on the AHRQ PSO Web site, for which commenters expressed strong 
support. In combination, we expect these modifications will provide 
both the PSO and the providers from which it receives data sufficient 
notice that the entity's period of listing is drawing to a close.
    We have not incorporated the recommendation to require PSOs 
receiving the notice to contact all providers. We expect most providers 
and PSOs to take advantage of AHRQ's existing listserv that will 
provide electronic notice to all subscribers when a notice such as this 
is posted on the AHRQ PSO Web site. Providers will also be able to sign 
up on the Web site to receive individual emails if their PSO becomes 
delisted. In this way, we can be assured that notification is sent to, 
and received by, all interested parties.
(F) Section 3.104(f)--Effective Date of Secretarial Actions
    Proposed Rule: The proposed rule in section 3.104(f) states that, 
unless otherwise specified, the effective date of each action by the 
Secretary would be specified in the written notice that is sent to the 
entity. We noted that the Department anticipates sending notices by 
electronic mail or other electronic means in addition to a hard copy 
version. We also pointed out that for listing and delisting decisions, 
the Secretary would specify both an effective time and date for such 
actions in the written notice to ensure clarity regarding when 
information received by the entity will be protected as patient safety 
work product.
    Overview of Public Comments: We received no public comments on this 
subsection.
    Final Rule: The final rule incorporates the proposed rule text 
without modification.
3. Section 3.106--Security Requirements
    Proposed Rule: Section 3.106 of the proposed rule outlined a 
framework consisting of four categories for the security of patient 
safety work product that PSOs would consider in developing policies and 
procedures for the protection of data. Because Sec.  3.106 contains 
only two subsections and we received few comments, we will discuss both 
subsections of the rule together.
    Section 3.106(a) proposed that the security requirements of this 
section would apply to each PSO, its workforce members, and its 
contractors whenever

[[Page 70764]]

the contractors hold patient safety work product. If contractors cannot 
meet these security requirements, we proposed that their tasks be 
performed at locations at which the PSO can meet these requirements. We 
stated that the rule does not impose these requirements on providers; 
this Subpart would only apply to PSOs.
    Proposed Sec.  3.106(b) would have established a framework 
consisting of four categories for the security of patient safety work 
product that a PSO must consider. We proposed that each PSO develop 
appropriate and scalable standards that are suitable for the size and 
complexity of its organization.
    The four categories of the framework would have included: Security 
management issues (documenting its security requirements, ensuring that 
its workforce and contractors understand the requirements, and 
monitoring and improving the effectiveness of its policies and 
procedures); separation of systems (required physical separation of 
patient safety work product, appropriate disposal or sanitization of 
media, and preventing physical access to patient safety work product by 
unauthorized users or recipients); security control and monitoring 
controls (ability to identify and authenticate users, an audit capacity 
to detect unlawful, unauthorized, or inappropriate activities, and 
controls to preclude unauthorized removal, transmission or 
disclosures); and policies and procedures for periodic assessment of 
the effectiveness and weaknesses of its overall approach to security 
(determine when it needs to undertake risk assessment exercises and 
specify how it would assess and adjust its procedures to ensure the 
security of its communications involving patient safety work product to 
and from providers and other authorized parties).
    Overview of Public Comments: There were no public comments that 
specifically addressed Sec.  3.106(a) of the rule. Commenters focused 
instead on the overall security framework established by Sec.  
3.106(b). The majority of commenters supported the proposed 
requirements and emphasized the concepts of scalability and flexibility 
that were reflected in the proposed rule. Two commenters urged the 
Department to adopt the HIPAA Security Rule instead. Another commenter 
suggested that the final rule should emphasize the need for PSOs to 
maintain up-to-date security processes and urged that the final rule 
specifically recognize that PSOs can include HIPAA Security Rule 
requirements in their business associate contracts with providers that 
are covered entities.
    While there were few comments overall on this section of the rule, 
the specific provision that elicited the most concern was the 
requirement in Sec.  3.106(b)(2) that patient safety work product 
needed to be maintained securely separate from other systems of 
records. As discussed above with respect to obligations of component 
organizations, commenters expressed concern regarding the potential 
burden of such a requirement and several pointed to the analytic 
benefits of being able to readily merge data sets for specific 
analyses. It was recommended that the final rule permit the patient 
safety work product and non-patient safety work product to be stored in 
the same database as long as the security requirements are implemented 
for the database as a whole.
    Another commenter pointed to the confusion, inconsistency, and 
errors that were likely to result from the rule text in which each 
paragraph began with the words that a PSO ``must address'' each 
security issue within the framework while introductory paragraph (b) 
indicated that PSOs merely needed to ``consider'' the security 
framework.
    Final Rule: We have modified the text of Sec.  3.106 both to 
improve its clarity in non-substantive ways and to incorporate several 
substantive modifications in response to the comments we received. The 
changes to Sec.  3.106(a) are for clarity. For uniformity and brevity, 
throughout Sec.  3.106, we have standardized references regarding the 
application of security requirements to the ``receipt, access, and 
handling'' of patient safety work product. The rule text defines 
``handling'' of patient safety work product as including its 
processing, development, use, maintenance, storage, removal, 
disclosure, transmission and destruction.
    We have incorporated several modifications to the text of Sec.  
3.106(b). We have both simplified the text of the opening paragraph of 
this subsection and substituted the requirement that ``PSOs must have 
written policies and procedures that address'' for the language of the 
proposed rule that stated the ``PSO must consider.'' We agree with the 
commenter that retention of the proposed rule language would create 
confusion regarding what is required of a PSO. By retaining the 
language that permits a PSO to develop specific standards that address 
the security framework in this section with standards that are 
appropriate and scalable, we intend to retain flexibility for PSOs to 
determine how they will address each element of the security framework.
    The most significant substantive change in the security framework 
is in Sec.  3.106(b)(2), which had required the separation of patient 
safety work product from non-patient safety work product at all times. 
Based on comments received, we have modified both the title of Sec.  
3.106(b)(2) and the text of Sec.  3.106(b)(2)(i). Section 3.106(b)(2) 
is now entitled ``Distinguishing Patient Safety Work Product,'' rather 
than ``Separation of Systems,'' and Sec.  3.106(b)(2)(i) recognizes 
that the security of patient safety work product can be maintained 
either when patient safety work product is maintained separately from 
non-patient safety work product or when it is co-located with non-
patient safety work product, provided that the patient safety work 
product is distinguishable. This will ensure that the appropriate form 
and level of security can be maintained. This change responds to 
several comments that opposed the absolute requirement for separation 
in the proposed rule.
    While we have, thus, allowed greater procedural flexibility, we 
caution PSOs to be attentive to ensuring that patient safety work 
product remains distinguishable at all times if it is not kept 
separated. To the extent that patient safety work product becomes co-
mingled with non-protected information, there is increased risk of 
impermissible disclosures and violations of the confidentiality 
requirements of the rule and the Patient Safety Act.
    We have also eliminated a reference to a PSO determination of 
appropriateness that was in the text of the proposed rule in Sec.  
3.106(b)(4)(i) as redundant, since the rule permits a PSO to develop 
appropriate and scalable standards for each element of the security 
framework, including this element.
    Given the strong support for our flexible and scalable framework, 
we have not adopted recommendations of two commenters to substitute the 
HIPAA Security Rule for these provisions. We would expect that PSOs 
that are familiar with, and have existing rules that implement, the 
HIPAA Security Rule will incorporate those standards as appropriate, 
when they develop their written policies and procedures to implement 
security for the patient safety work product they receive, access and 
handle. The security framework presented here does not impose any 
limitations on the ability of PSOs to incorporate or address additional 
security requirements or issues as the PSO determines to be 
appropriate. The flexible approach we have adopted should minimize the

[[Page 70765]]

potential for conflict with the requirements of other programs. By 
taking advantage of this flexibility, and ensuring that its security 
requirements also address the requirements of the HIPAA Security Rule, 
a PSO should be able to meet its obligations as a business associate of 
any provider that is also a ``covered entity'' under HIPAA regulations.
4. Section 3.108--Correction of Deficiencies, Revocation and Voluntary 
Relinquishment
    Section 3.108 establishes the processes and procedures related to 
correction of deficiencies, revocation, and voluntary relinquishment. 
Section 3.108(a) establishes the processes and procedures for 
correction of deficiencies by PSOs and, when deficiencies have not been 
timely corrected, the process leading to a decision by the Secretary to 
revoke his acceptance of the entity's certification and delist a PSO. 
Section 3.108(b) sets forth the actions that the Secretary and a PSO 
must take following a decision by the Secretary to revoke his 
acceptance of the entity's certification and delist the entity. Section 
3.108(c) establishes the process by which an entity can voluntarily 
relinquish its status as a PSO. Section 3.108(d) requires publication 
of notices in the Federal Register whenever an entity is being removed 
from listing. New Sec.  3.108(e) establishes an expedited process for 
revoking the Secretary's acceptance of the entity's certification under 
certain circumstances.
(A) Section 3.108(a)--Process for Correction of a Deficiency and 
Revocation
    Proposed Rule: Section 3.108(a) listed in paragraph (a)(1) the 
circumstances that could lead to revocation and delisting and the 
remaining subsections set forth our proposed process for correction by 
a PSO of a deficiency identified by the Secretary and, if the 
deficiencies are not timely corrected or cannot be ``cured,'' the 
process that could lead to the revocation and delisting. We review the 
entirety of Sec.  3.108(a) here.
    Once the Secretary believes that a PSO is deficient in meeting its 
requirements, proposed Sec.  3.108(a)(2) outlined the processes he 
would follow. First, the Secretary would send a written notice of a 
preliminary finding of deficiency; the contents of the deficiency 
notice are specified in the rule. Following receipt of the notice, a 
PSO would have 14 days to correct the record by submitting evidence 
that the information on which the preliminary finding had been based 
was factually incorrect. The Secretary could then withdraw the notice 
or require the PSO to proceed with correction. The preamble sought 
comment on whether there should be an expedited revocation process when 
deficiencies are not, or cannot, be cured. Public comment and the 
provisions of the final rule are discussed below in new subsection (e), 
expedited revocation.
    Following the correction period, proposed Sec.  3.108(a)(3) would 
have required the Secretary to determine whether a deficiency has been 
corrected. The Secretary could determine: (1) The deficiency is 
corrected and withdraw the notice of deficiency; (2) additional time 
for, or modification of, the required corrective action is warranted; 
or (3) the deficiency is not corrected, the PSO has not acted with 
reasonable diligence or timeliness, and issue a Notice of Proposed 
Revocation and Delisting.
    Section 3.108(a)(4) would have provided an automatic 30 calendar 
day period, unless waived by the PSO, for it to respond in writing to 
the proposed revocation and delisting. If a PSO fails to submit a 
written response, the Secretary would revoke his acceptance of its 
certification, and delist the entity. After review of the response and 
other relevant information, Sec.  3.108(a)(5) proposed that the 
Secretary could affirm, reverse, or modify the notice of proposed 
revocation and delisting, and notify the PSO in writing of his decision 
with respect to any revocation of his prior acceptance of its 
certification and delisting. We noted that the proposed rule did not 
include an administrative process for appealing the Secretary's 
decision to revoke his acceptance of the entity's certification and 
delist a PSO, and specifically sought public comment on our approach.
    Overview of Public Comments: Commenters focused on the due process 
aspects of subsection (a). While most commenters commended the proposed 
rule for its focus on working with PSOs to resolve deficiencies and its 
inclusion of due process elements throughout the process, the 
commenters recommended that the final rule incorporate an additional 
opportunity for an administrative appeal of a revocation and delisting 
decision and expressed concern that the final rule should not limit the 
due process rights and opportunities that had been proposed.
    For example, while several commenters endorsed our overall 
approach, no commenter specifically stated agreement with our decision 
not to include an administrative appeal mechanism following a decision 
by the Secretary to revoke his acceptance of the entity's certification 
and delist a PSO for cause. The eight commenters that specifically 
addressed the issue recommended inclusion of such a mechanism.
    Final Rule: The final rule incorporates only technical 
modifications to the text of subsection 3.108(a). The deletion of text 
in Sec.  3.108(a)(1)(ii) is intended to clarify that the basis for 
revocation and delisting matches our intent in the proposed rule, i.e., 
the failure to meet the two-contract requirement, not the failure to 
timely notify the Secretary that the requirement had been met. In 
addition, we have incorporated a related new Sec.  3.108(e) that 
establishes a new expedited revocation process to be used in 
exceptional circumstances.
    Despite the strong support by commenters that we incorporate in the 
final rule an opportunity for an administrative appeal when the 
Secretary decides to revoke his acceptance of a PSO's certification and 
delist a PSO for cause, we have not modified the rule. The process 
described in Sec.  3.108(a) permits an early response to findings of 
deficiency and, where facts cited by the Secretary are correct, the 
process emphasizes that the Department will work with PSOs to correct 
deficiencies, rather than punishing PSOs for deficiencies. Given the 
flexibility and extensive nature of the communication and correction 
opportunities and procedures outlined in 3.108(a), we expect that the 
revocation process will be utilized rarely, and only after significant 
efforts have been made to bring a PSO back into compliance. However, if 
a PSO is not working with us in good faith to correct any remaining 
deficiencies, there must be a timely finality to the process. For this 
system to work, providers must have confidence that the Department will 
act in a timely manner when a PSO chooses not to meet its statutory and 
regulatory obligations.
Response to Other Public Comments
    Comment: One commenter recommended that the rule provide some 
degree of transparency regarding PSOs that have received notice of 
deficiencies by posting some limited information about this on the PSO 
Web site.
    Response: The Department gave careful consideration to this comment 
because of our overall commitment to providing transparency wherever 
possible. Our conclusion is that we will not post information on 
deficiencies because of our concern that this will undermine another of 
our objectives, which is to promote and permit correction of 
deficiencies in a non-

[[Page 70766]]

punitive manner. Providers considering entering a contract with a 
specific PSO are, of course, free to seek information from the PSO 
regarding whether it has received deficiency notices and is currently 
under an obligation to take corrective actions.
    Comment: Another commenter suggested that the final rule 
specifically recognize the authority of the Secretary, if warranted by 
the circumstances that led to the delisting of a PSO, to debar the 
entity from seeking a new listing for a period of time.
    Response: We have not adopted this specific suggestion, but we note 
that the Secretary is not required to relist an entity automatically. 
The Secretary can and will take into account the reasons for the 
revocation and delisting and the entity's compliance with its 
obligations following revocation and delisting.
    Comment: Several commenters suggested that the period of time 
provided to the PSO to submit a written response to a notice of 
proposed revocation and delisting should be expanded from 30 days to 45 
days.
    Response: We have not accepted this recommendation. We recognize 
the importance of striking a balance between providing an entity 
sufficient time to respond to such a notice and ensuring that providers 
can have confidence that the Department will act in a timely manner 
when a PSO does not meet its obligations. It is important to realize that 
by the time the PSO receives a notice of proposed revocation and 
delisting under the process set forth in Sec.  3.108(a)(3), the 
Department has already worked with the PSO to correct the deficiencies 
and has indicated remaining problems so the PSO will have reason to 
anticipate any such notice of proposed revocation in advance of its 
issuance. Thus the PSO, realistically, will have more than 30 days to 
prepare its response to a proposed revocation.
    Comment: One commenter suggested that, if the Secretary determines 
that the PSO has conflicts of interest, this should serve as a basis 
for proceeding directly to revocation.
    Response: The Department recognizes the commenter's underlying 
point that conflicts of interest may, in fact, not be curable and thus, 
in certain circumstances, may warrant proceeding directly to 
revocation. To the extent that such a conflict of interest provides a 
basis for the Secretary determining that continued listing would have 
serious adverse consequences, we could address it under Sec.  3.108(e), 
the subsection establishing the new expedited revocation process. We 
should note that, in crafting that new authority, the Department 
believed that it had an obligation to establish a process for truly 
exceptional circumstances. We do not intend to use this authority as a 
substitute for the normal process established by subsection (a). Thus, 
if a conflict of interest does not raise the prospect of serious 
adverse consequences for providers or others, it is our intention to 
use the correction processes of subsection (a).
    Comment: Would a provider's patient safety work product be at risk 
if the Department failed to alert the provider in a timely manner of a 
deficiency in its PSO?
    Response: No. As we pointed out in the preamble discussion of Sec.  
3.108 in the proposed rule, the presence of deficiencies or the fact 
that an entity is undergoing revocation has no impact on the 
information submitted to the entity by providers until the date and 
time that an entity is revoked and removed from listing. If the PSO is 
revoked and delisted for cause, the statute provides an additional 30-
day period that begins at the time of delisting during which data 
reported to the former PSO receives the same protections as patient 
safety work product.
(B) Section 3.108(b)--Revocation of the Secretary's Acceptance of a 
PSO's Certification
    Proposed Rule: When the Secretary makes a determination to remove 
the listing of a PSO for cause, proposed Sec.  3.108(b)(1) required the 
Secretary to establish, and notify the entity of, the effective date 
and time of its delisting and inform the entity of its obligations 
under Sec. Sec.  3.108(b)(2) and 3.108(b)(3).
    Section 3.108(b)(2) proposed to implement two statutory provisions. 
First, the former PSO would be required to notify providers with which 
it has been working of its removal from listing and confirm to the 
Secretary within 15 days of the date of revocation and delisting that 
it has done so. In light of the brief notification period, we sought 
comment on whether there are other steps the Secretary should take to 
ensure that affected providers receive timely notice. Second, this 
subsection would have reaffirmed the continued protection of patient 
safety work product received while the entity was listed. In addition, 
any data received by the former PSO from a provider in the 30 days 
following the date of revocation and delisting would be accorded the 
same protections as patient safety work product. We noted that this 
additional period of protection was only for the benefit of providers 
reporting data; it would not permit a former PSO to continue to 
generate new patient safety work product.
    Section 3.108(b)(3) proposed to implement the statutory 
requirements regarding the disposition of patient safety work product 
or data following revocation and delisting of a PSO. The three 
alternatives provided by the statute are: Transfer of the patient 
safety work product with the approval of the source from which it was 
received to a PSO which has agreed to accept it; return of the patient 
safety work product or data to the source from which it was received; 
or, if return is not practicable, destruction of such work product or 
data. We noted that the text of the proposed rule refers to the 
``source'' of the patient safety work product or data; this would be a 
broader formulation than the statutory language and includes 
individuals. The statute does not establish a time frame for a PSO to 
comply with disposition requirements; we sought comment on setting a 
deadline.
    Overview of Public Comments: Most commenters addressed the specific 
questions raised in the proposed rule, although a few commenters raised 
questions and offered recommendations related to the requirements for 
disposition of patient safety work product. In response to the 
Department's question in the proposed rule of whether there were other 
steps that the Secretary could take to ensure that providers were 
informed when a PSO to which they reported data was revoked and 
delisted, many commenters concluded that the statutory requirement for 
notification by the former PSO was sufficient. Others urged AHRQ to 
post notices of revocation and delisting on the PSO website. Several 
commenters urged the Secretary to require the former PSO to provide 
AHRQ with a list of its providers when it submits its required 
confirmation 15 days after revocation that it has notified providers. 
Presumably, the intent was to permit the Secretary to follow up with 
these providers to confirm that they had been notified.
    There were only three comments in response to our question in the 
proposed rule whether it was appropriate to require disposition of 
patient safety work product that was received from all sources. Two 
comments supported our interpretation of the statutory requirement. One 
commenter raised concerns that this requirement could be difficult to 
accomplish.
    Commenters strongly supported inclusion in the final rule of a 
deadline by which former PSOs needed to complete their disposition of 
patient

[[Page 70767]]

safety work product. Some commenters suggested that we follow existing 
HIPAA guidelines and others suggested that the rule set a deadline, 
ranging from 90 days to 180 days following the date of revocation. One 
commenter suggested setting standards linked to the volume of patient 
safety work product held by the former PSO.
    The options for disposition of patient safety work product elicited 
a number of comments. Some noted the difficulty of returning patient 
safety work product to its source as the former PSO closes its 
operations and expressed concern that destruction was not an option 
until the PSO concluded that returning the work product was not 
possible. In the view of this commenter, this could lead a PSO to 
simply abandon the patient safety work product since it may have 
neither time nor resources to contact the sources of the work product. 
However, most commenters focused on the importance of identifying ways 
to avoid destruction of patient safety work product.
    Final Rule: Section 3.108(b) has been modified in several ways. The 
first changes, in Sec.  3.108(b)(1), are technical changes. The first 
change renames the section to more accurately describe its provisions. 
The second technical change incorporates two additional cross-
references to the ability of the Secretary to revoke his acceptance of 
a PSO's certifications and delist an entity pursuant to the new 
expedited revocation process established in Sec.  3.108(e).
    We have not imposed any new requirements on the Department in Sec.  
3.108(b)(2) to notify providers. Many commenters did not see the need 
for additional intervention by the Department and several commenters 
suggested additional steps that we can and will take independent of the 
rule. For example, AHRQ has already established an e-mail-based 
listserv for individuals interested in electronic alerts regarding the 
agency's implementation of the Patient Safety Act. Following 
publication of the final rule, AHRQ will encourage all interested 
providers and PSOs to add their names to the listserv, which will 
provide immediate notification when the Secretary takes actions related 
to the listing and delisting of PSOs or posts significant new 
information on AHRQ's PSO Web site. Providers will also be able to 
sign up on the Web site to receive individual e-mails if their PSO 
becomes delisted.
    We have modified Sec.  3.108(b)(2) in another way. This paragraph 
retains the restatement that was in the proposed rule of the statutory 
assurances regarding the continued protections for patient safety work 
product reported to a PSO before the effective date of a revocation and 
delisting action by the Secretary and the protections for data reported 
to the former PSO during the 30-day period following the date of 
delisting. The modification requires the former PSO to include this 
information in its notices to providers regarding its delisting. We 
incorporated this modification to better effectuate the statutory 
purpose by ensuring that the providers contacted by the former PSO are 
aware of these protections for the data they may still want to report 
during the 30-day period.
    Several commenters sought ways to preserve patient safety work 
product and data for continued learning. However, the requirements for 
disposition of patient safety work product and ``data'' in the final 
regulation follow the statutory formulation. We note that ``data'' in 
this context refers to information submitted to a former PSO in the 30 
days following its delisting. Some amount of patient safety work 
product can be preserved if the PSO shares or discloses this 
information prior to the effective date of its revocation as permitted 
by the rule, e.g., to other PSOs in non-identifiable or anonymized 
form.
    We have modified the text of Sec.  3.108(b)(3) in one respect. In 
response to comments, we require the disposition requirement to be 
completed within 90 days. Some commenters suggested that we follow 
existing HIPAA guidelines in establishing deadlines for the disposition 
of patient safety work product. Neither the HIPAA Privacy Rule nor the 
HIPAA Security Rule has deadlines for the disposition of protected 
health information. Providers are, of course, free to establish in 
their contracts an earlier date for disposition of their patient safety 
work product or data and may provide prior authorization for transfer 
to another PSO.
Response to Other Public Comments
    Comment: One commenter asked whether the disposition requirement 
applies to non-identifiable patient safety work product, such as data 
reported anonymously by hospitals.
    Response: The statutory section on disposition of patient safety 
work product does not make an explicit distinction between disposition 
of identifiable and non-identifiable patient safety work product and 
data, nor does the final rule in the disposition requirements. The 
Department reads this disposition requirement as applying to both 
identifiable and non-identifiable patient safety work product and data. 
We note that Subpart C permits disclosure of non-identifiable patient 
safety work product at any time by a PSO. However, after the date and 
time that the Secretary sets for revocation and delisting, the former 
PSO must follow the prescribed disposition requirements. Thus, prior to 
the effective date and time of a PSO's delisting, the PSO can transfer 
to another PSO non-identifiable and anonymized patient safety work 
product, without consent of the source(s) of that information.
    Comment: One commenter suggested that there may be good business 
reasons for a former PSO that has been delisted to retain patient 
safety work product and asked that we provide that option.
    Response: The statutory disposition requirement does not permit 
such an option for an entity that is revoked and delisted for cause, 
and the final rule mirrors this limitation. A PSO that voluntarily 
relinquishes its status is required to attest that it has made all 
reasonable efforts to comply with the disposition requirements.
    Comment: One commenter noted that the disposition options appear to 
be premised on a concept of the source's ownership interest in the 
patient safety work product provided to the PSO. Noting that as PSOs 
continue to aggregate data from multiple providers or through the 
sharing of work product with other PSOs, the commenter asserted that at 
some point the PSO's work product becomes its own. The question to 
consider is whether this distinction can be made in applying the 
disposition requirement.
    Response: The Department reads the disposition requirement of the 
Patient Safety Act to apply to all patient safety work product and data 
held by an involuntarily delisted former PSO. Most work product created 
by PSOs will be based upon reports from providers. While the commenter 
points to repeated aggregation of data from larger and larger numbers 
of providers as making the linkage to the reporting providers more 
tenuous, in our view the linkage remains as long as there is 
information that identifies any source of the data in the analysis. The 
linkage is only broken when the source(s) is (are) truly non-
identifiable. As we noted above, the statute does not make a 
distinction between identifiable and non-identifiable information, so 
the disposition requirements apply to both.
    Comment: One commenter noted that certain public PSO entities may 
face conflicts with state laws or regulations that establish 
requirements for the

[[Page 70768]]

disposition of information that they hold.
    Response: The final rule's requirements for disposition of patient 
safety work product would preempt conflicting state statutory 
requirements for disposition of information when it is patient safety 
work product.
    Comment: What are the responsibilities of a contractor holding 
patient safety work product under contract with a PSO that is revoked 
and delisted for cause?
    Response: The contractor must return the former PSO's patient 
safety work product that it is holding for disposition as required by 
the rule.
(C) Section 3.108(c)--Voluntary Relinquishment
    Proposed Rule: Section 3.108(c)(1) proposed two circumstances under 
which a PSO would be considered to have voluntarily relinquished its 
status as a PSO: When a PSO advises the Secretary in writing that it no 
longer wishes to be a PSO, and when a PSO permits its three-year period 
of listing to expire. To ensure that such a lapse is not inadvertent, 
the proposed rule would require the Secretary to send a notice of 
imminent expiration 45 calendar days before the expiration of its 
period of listing.
    We proposed in Sec.  3.108(c)(2) that a PSO seeking to relinquish 
its listing should include in its notification to the Secretary 
attestations regarding its compliance with the provider notification 
and patient safety work product disposition requirements, and would 
have required appropriate contact information for further 
communications from the Secretary. The Secretary would be authorized by 
Sec.  3.108(c)(3) to accept or reject the PSO's notification. We sought 
comment on our preliminary conclusion that, when a PSO voluntarily 
relinquishes its status, the statutory provisions providing protections 
for an additional 30 days for data submitted to the former PSO by 
providers do not apply.
    Section 3.108(c)(4) would have enabled the Secretary to determine 
that implied voluntary relinquishment has taken place when a PSO 
permits its listing to expire. The Secretary would remove the entity 
from the list of PSOs at midnight on that day, notify the entity, and 
request that the entity make reasonable efforts to comply with the 
provider notification and patient safety work product disposition 
requirements, and to provide appropriate contact information. Finally, 
Sec.  3.108(c)(5) proposed that voluntary relinquishment would not 
constitute a deficiency as referenced in subsection (a).
    Overview of Public Comments: Public comment on the proposed 
provisions for voluntary relinquishment focused primarily on the two 
questions raised in the proposed rule.
    Two commenters agreed with our interpretation that the statute 
limited the application of the additional protections for data 
submitted by providers to a former PSO in the 30-day period following 
the date and time of revocation and delisting to situations in which 
the PSO had been revoked and delisted for cause. A number of commenters 
argued for inclusion of a 30-day period of continued reporting for PSOs 
that voluntarily relinquished their status. They noted the importance 
of comparability but did not provide a legal rationale for reading the 
statute differently.
    The second question posed by the proposed rule was the 
appropriateness of paragraph (c)(5) which would eliminate the right to 
challenge any decision by the Secretary regarding voluntary 
relinquishment. Several large provider groups supported our position 
while others argued that a PSO should always have the right to 
challenge or appeal any decision by the Secretary.
    Final Rule: We have modified and narrowed the scope of voluntary 
relinquishment in the final rule. We have eliminated from this section 
the application of voluntary relinquishment to situations in which a 
PSO has let its certifications lapse. As noted above, we have modified 
Sec.  3.104(e) to make expiration of a PSO's listing automatic in these 
circumstances. Revised Sec.  3.108(c) provides for voluntary 
relinquishment in only one circumstance: When a PSO writes the 
Secretary seeking to relinquish its listing as a PSO.
    We have carefully reviewed again the statutory authority that 
enables PSOs that have their listing revoked for cause to continue to 
receive data for 30 days following the date and time of revocation and 
delisting that will be treated as patient safety work product. We 
reaffirm our interpretation that the statutory authority does not apply 
to an entity seeking to voluntarily relinquish its status as a PSO. 
Commenters provided no basis for a different reading of the statute. 
Accordingly, we have not incorporated any change in the rule.
    We have also deleted inappropriate references to ``patient safety 
work product and data'' in Sec.  3.108(c)(2) and replaced them with a 
reference only to patient safety work product. As we noted above, the 
term ``data'' in this context refers only to information received by a 
former PSO in the 30-day period following revocation for cause and is 
not applicable here. The only other modifications are deletions of text 
relating to implied voluntary relinquishment and a conforming change in 
a cross-reference.
    We have not accepted the views of commenters supporting appeals of 
relinquishment determinations by the Secretary in light of our decision 
to narrow the scope of voluntary relinquishment to situations in which 
the PSO has requested relinquishment. The comments regarding due 
process for those who voluntarily relinquish their status would no 
longer be apt.
(D) Section 3.108(d)--Public Notice of Delisting Regarding Removal From 
Listing
    Proposed Rule: Proposed Sec.  3.108(d) would have incorporated the 
statutory requirement that the Secretary must publish a notice in the 
Federal Register regarding the revocation of acceptance of 
certification of a PSO and its removal from listing. The proposed rule 
would have broadened the requirement to include publication of such a 
notice if delisting results from a determination of voluntary 
relinquishment.
    Overview of Public Comments: We received no comments on this 
subsection.
    Final Rule: We have modified Sec.  3.108(d) in the final rule to 
reflect our changes to subsection (c) that narrowed the scope of 
voluntary relinquishment. We also added a new reference that requires 
the Secretary to publish a notice when a PSO's listing terminates 
automatically at the end of the statutorily based three-year period, 
pursuant to Sec.  3.104(e).
(E) Section 3.108(e)--Expedited Revocation
    Proposed Rule: The proposed rule did not contain a proposed Sec.  
3.108(e). The proposed rule did include in subsection (a) a request for 
comment about the possible inclusion in the final rule of an expedited 
revocation process. We noted that, while we anticipate that in the vast 
majority of circumstances, the PSO's deficiency(ies) can and will be 
corrected, there may be situations in which a PSO's conduct is so 
egregious that the Secretary's acceptance of the PSO's certification 
should be revoked without the opportunity to cure because there is no 
meaningful cure. We invited comments regarding this approach and how 
best to characterize the situations in which the opportunity to 
``cure,'' e.g., to change policies, practices or procedures, sanction 
employees, send out correction notices, would not be sufficient, 
meaningful, or appropriate.

[[Page 70769]]

    Overview of Public Comments: Several commenters expressed concern, 
requested that we define the term ``egregious,'' and opposed the 
elimination of a right for the PSO to respond to the proposed expedited 
revocation action. One commenter suggested that our proposal was 
appropriate in situations involving multiple willful violations and in 
which immediate action is necessary to protect patients and providers 
from further improper actions by the PSO.
    Only one commenter addressed, and opposed, our suggestion that we 
might eliminate in the final rule the opportunity for a PSO to contest 
revocation when the entity had verifiably failed to meet the statutory 
minimum contract requirement.
    Final Rule: The Department has modified the rule to include a new 
Sec.  3.108(e) to provide for expedited revocation in a limited number 
of circumstances. In deciding to include this new subsection, we 
considered all of the comments received regarding Subpart B, not only 
those discussed here. There was a strong overall sentiment that the 
Secretary must be vigilant in ensuring that PSOs meet their obligations 
to protect the confidentiality of patient safety work product. These 
concerns were especially strong in response to our proposal to permit 
components of excluded entities to seek listing. We also received 
support for prompt Secretarial action for multiple willful violations 
and when providers and patients are at risk because of a PSO's actions. 
Accordingly, we have incorporated an expedited revocation process based 
around these concerns.
    New Sec.  3.108(e)(1) lists three circumstances in which the 
Secretary may use an expedited process for revocation. The first two 
circumstances reflect commenter concern regarding excluded entities. 
The first of these, specified in Sec.  3.108(e)(1)(i), is if the 
Secretary determines that a PSO is, or is about to become, an entity 
excluded from listing by Sec.  3.102(a)(2). That section excludes from 
listing: A health insurance issuer; a unit or division of a health 
insurance issuer; an entity that is owned, managed or controlled by a 
health insurance issuer; entities that accredit or license health care 
providers; entities that oversee or enforce statutory or regulatory 
requirements governing the delivery of health care services; agents of 
an entity that oversees or enforces statutory or regulatory 
requirements governing the delivery of health care services; or 
entities that operate a Federal, State, Local, or Tribal patient safety 
reporting system to which health care providers (other than members of 
the entity's workforce or health care providers holding privileges with 
the entity) are required to report information by law or regulation.
    Because the certifications for listing specifically require an 
entity to attest that it is not excluded from seeking listing, this 
situation would mean that the PSO had either filed a false 
certification, or that the nature of the entity had significantly 
changed during the course of its listing. An example of an entity 
``about to become an excluded entity'' would be when there is advance 
notice of a merger of the parent organization of a component PSO with a 
health insurance issuer. A health insurance issuer is the only excluded 
entity that may not have a component become a PSO. If the Secretary 
learns that a PSO is about to become a component of a health insurance 
issuer, this is one circumstance under which we believe prompt action 
by the Secretary is essential.
    The second circumstance, specified in Sec.  3.108(e)(1)(ii), is 
when the parent organization of a PSO is an excluded entity and the 
parent organization uses its authority over providers to require or 
induce them to use the patient safety services of its component PSO. 
This was a major concern of commenters in permitting components of 
accreditation, licensure and regulatory entities to seek listing; the 
final rule in Sec.  3.102(c) permits such a component to be listed only 
if it can certify that its parent organization does not impose such 
requirements on providers. When an excluded entity attempts to require 
or induce providers to report information to its component PSO, there 
is reasonable cause for concern regarding the integrity of the firewall 
between the component PSO and its parent organization. Given the 
potential harm to providers if their identifiable patient safety work 
product is made available to the excluded entity, the Department 
concludes that the need for prompt action is compelling.
    The third circumstance specified in Sec.  3.108(e)(1)(iii) of the 
rule is when the Secretary has determined that the failure to act 
promptly would lead to serious adverse consequences. We would expect to 
use this authority sparingly. Despite the confidential and protected 
nature of patient safety work product, we remain concerned that there 
can still be serious harm to providers, patients, and reporters named 
in patient safety work product if a PSO demonstrates reckless or 
willful misconduct in its protection or use of the work product with 
which it is entrusted, especially when there is reason to believe there 
have been repeated deficiencies, or when the PSO engages in fraudulent 
or illegal conduct. In light of these risks, we believe it is only 
prudent to give the Secretary the authority to respond promptly to 
situations where there is a risk of serious adverse harm, even if we 
cannot adequately foresee all of the specific situations that might 
require prompt action.
    We note that we have accepted the position of another commenter 
that we not include failure to meet the minimum contract requirement as 
a basis for expedited revocation. Our intent is to limit expedited 
revocation to those situations which pose a risk to providers or 
others.
    To accomplish expeditious remedial revocation action, Sec.  
3.108(e)(2) waives the procedures in Sec. Sec.  3.108(a)(2) through 
3.108(a)(5) for correction of deficiencies, determinations regarding 
correction of deficiencies, processes related to the opportunity for a 
written response by the PSO to a notice of proposed revocation and 
delisting, and final determination by the Secretary regarding 
revocation and delisting of the PSO. Instead, the provisions of Sec.  
3.108(e)(3) apply.
    Under Sec.  3.108(e)(3) of the expedited revocation process, the 
Secretary would issue a notice of deficiency and expedited revocation 
that identifies the evidence that the circumstances for expedited 
revocation exist and indicates any corrective action the PSO can take 
if the Secretary determines that corrective action may resolve the 
matter so that revocation and delisting could be avoided. Absent 
evidence of actual receipt of this notice of deficiency and expedited 
revocation, the Secretary's notice will be deemed to be received five 
days after it was sent.
    In developing this process, we have taken note of commenters' 
concern that as a general matter, a PSO alleged to be deficient in 
compliance should have an opportunity to be heard, and we have provided the 
PSO with an opportunity to respond as part of the expedited revocation 
process. The Secretary must receive a response from the PSO within 14 
days of actual or constructive receipt of the notice, whichever is 
longer. In its written response, the PSO can correct the alleged facts 
or argue the applicability of the legal basis given for expedited 
revocation and delisting and offer reasons that would support its case 
for not being delisted.
    If the PSO does not submit a written response, the Secretary may 
revoke and delist the PSO. Provided the PSO responds within the 
required time, the Secretary may withdraw the notice,

[[Page 70770]]

grant the PSO additional time to resolve the matter, or revoke and 
delist the PSO. If the Secretary decides to revoke and delist the PSO, 
we note that the requirements of Sec.  3.108(b) discussed above apply. 
These requirements relate to notification of the providers who have 
reported patient safety work product to the PSO, disposition of the 
PSO's patient safety work product and data, and the ability of 
providers to continue to report data to the former PSO for 30 calendar 
days following the effective date and time of delisting and have these 
data protected as patient safety work product.
5. Section 3.110--Assessment of PSO Compliance
    Proposed Rule: Section 3.110 proposed the framework by which the 
Secretary would assess compliance of PSOs with the requirements of the 
statute and the rule. This section provided that the Secretary may 
request information or conduct spot-checks (reviews or site visits to 
PSOs, announced or unannounced) to assess or verify PSO compliance with 
the requirements of the statute and this proposed subpart. We noted 
that we anticipate that such spot checks would involve no more than 
5-10% of PSOs in any year. We also noted that this section would 
reference the Department's overall authority to have access to patient 
safety work product, if necessary, as part of its implementation and 
enforcement of the Patient Safety Act.
    Overview of Public Comments: There were few comments on this 
section. Commenters agreed that AHRQ's authority under this section 
should be limited to PSOs. Several commenters expressed concern about 
our discussion that we only anticipated spot-checking 5%-10% of PSOs 
for compliance in any given year. The projected number of spot checks 
in their view would not be adequate to maintain provider confidence and 
PSO compliance. Another commenter asked which agency would be delegated 
the task and identified entities within HHS to which the Secretary 
should not delegate this responsibility.
    Final Rule: We have made no substantive modifications to Sec.  
3.110 in the final rule. We note in response to the commenters that 
urged a higher level of spot checks and inspections that the rule does 
not limit the ability of the Department to increase the number if 
warranted. However, we have no basis for assuming that higher levels of 
spot checks or inspections are warranted in light of the fact that 
Patient Safety Organizations are not federally funded or controlled and 
a provider's decision to work with a PSO is voluntary. Therefore, we 
intend to maintain the approach outlined in the proposed rule. In 
response to another commenter, the authority to implement Subpart B 
rests squarely within the authorities to foster patient safety and 
health care quality improvement of the Agency for Healthcare Research 
and Quality, and there is no reason to expect it to be delegated to 
another part of the Department.
6. Section 3.112--Submissions and Forms
    Proposed Rule: Proposed Sec.  3.112 would have provided 
instructions for obtaining required forms and the submission of 
materials, would have provided contact information for AHRQ (mailing 
address, Web site, and e-mail address), and would have authorized the 
Department to request additional information if a submission is 
incomplete or additional information is needed to enable the Secretary 
to make a determination on any submission.
    Overview of Public Comments: We received no comments on this 
section.
    Final Rule: We have made no substantive modifications to this 
section. We have made technical changes and incorporated citations for 
the AHRQ PSO Web site address and corrected the e-mail address.

C. Subpart C--Confidentiality and Privilege Protections of Patient 
Safety Work Product

    Proposed Subpart C would have described the general privilege and 
confidentiality protections for patient safety work product, the 
permitted disclosures, and the conditions under which the specific 
protections no longer apply. The proposed Subpart also would have 
established the conditions under which a provider, PSO, or responsible 
person must disclose patient safety work product to the Secretary in 
the course of compliance and enforcement activities, and what the 
Secretary may do with such information. Moreover, the proposed subpart 
would have established the standards for nonidentifiable patient safety 
work product.
    Proposed Subpart C sought to balance key objectives of the Patient 
Safety Act. First, the proposal sought to address provider concerns 
about the potential for damage from unauthorized release of 
information, including the potential for the information to serve as a 
roadmap for provider liability from negative patient outcomes. It also 
promoted the sharing of information about adverse patient safety events 
among providers and PSOs for the purpose of learning from those events 
to improve patient safety and the quality of care. To achieve these 
objectives, Subpart C proposed that patient safety work product would 
be privileged and confidential, except in certain limited 
circumstances identified by the Patient Safety Act and as needed by the 
Department to implement and enforce the Patient Safety Act. In 
addition, proposed Subpart C provided, in accordance with the Patient 
Safety Act, that patient safety work product that is disclosed 
generally would continue to be privileged and confidential, subject to 
the delineated exceptions. Thus, under the proposal, an entity or 
person receiving patient safety work product only would be able to 
disclose such information for a purpose permitted by the Patient Safety 
Act and the proposed rule, or if patient safety work product was no 
longer confidential because it was nonidentifiable or subject to an 
exception to confidentiality. Providers, PSOs, and responsible persons 
who failed to adhere to these confidentiality rules would be subject to 
enforcement by the Department, including the imposition of civil money 
penalties, if appropriate, as provided in Subpart D of the proposed 
rule.
    The proposed rule also explained that several provisions of the 
Patient Safety Act recognize that the patient safety regulatory scheme 
will exist alongside other requirements for the use and disclosure of 
protected health information under the HIPAA Privacy Rule. For example, 
the Patient Safety Act establishes that PSOs will be business 
associates of providers and the patient safety activities they conduct 
will be health care operations of the providers, incorporates 
individually identifiable health information under the HIPAA Privacy 
Rule as an element of identifiable patient safety work product, and 
adopts a rule of construction that states the intention not to alter or 
affect any HIPAA Privacy Rule implementation provision (see section 
922(g)(3) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(3)). 
As we explained in the proposed rule, we anticipate that most providers 
reporting to PSOs will be HIPAA covered entities under the HIPAA 
Privacy Rule, and as such, will be required to recognize and comply 
with the requirements of the HIPAA Privacy Rule when disclosing 
identifiable patient safety work product that includes protected health 
information. As Subpart C addresses disclosure of patient safety work 
product that may include protected health information,

[[Page 70771]]

we discuss, where appropriate, the overlap between this rule and the 
HIPAA Privacy Rule in the preamble description of this Subpart, as we 
did in the proposed rule.
1. Section 3.204--Privilege of Patient Safety Work Product
    Proposed Sec.  3.204 described the privilege protections of patient 
safety work product and the exceptions to privilege. As we explained in 
the proposed rule, the Patient Safety Act does not give authority to 
the Secretary to enforce breaches of the privilege protections, as it 
does with respect to breaches of the confidentiality provisions. 
Rather, we anticipate that the tribunals, agencies or professional 
disciplinary bodies before whom the proceedings take place and before 
which patient safety work product is sought, will adjudicate the 
application of the privilege provisions of the Patient Safety Act at 
section 922(a)(1)-(5) of the Public Health Service Act, 42 U.S.C. 
299b-22(a)(1)-(5) and the exceptions to privilege at section 922(c)(1) of 
the Public Health Service Act, 42 U.S.C. 299b-22(c)(1). Even though the 
privilege protections will be enforced through the court systems, and 
not by the Secretary, we repeat the statutory privilege protections and 
exceptions in this final rule, as we did in the proposed rule. This is 
done both for convenience and completeness, as well as because the same 
exceptions in the privilege provisions are repeated in the 
confidentiality provisions and the term ``disclosure'' in the final 
rule describes both the transfer of patient safety work product 
pursuant to a privilege exception as well as a confidentiality 
exception. Thus, a disclosure of patient safety work product that is a 
violation of privilege may also be a violation of confidentiality, 
which the Secretary does have authority to enforce and for which he can 
impose a civil money penalty, if appropriate.
    We also proposed to include at Sec.  3.204(c) a regulatory 
exception to privilege for disclosures to the Secretary for the purpose 
of enforcing the confidentiality provisions and for making or 
supporting PSO certification or listing decisions. In the final rule, 
we adopt this proposed provision but also add language to make clear 
that the exception also applies to disclosures to the Secretary for 
HIPAA Privacy Rule enforcement, given the significant overlap with 
respect to disclosures under the two rules. We discuss that change, as 
well as the public comments and our responses with respect to the other 
privilege provisions, below.
(A) Section 3.204(a)--Privilege
    Proposed Rule: Proposed Sec.  3.204(a) would have described the 
general rule that, notwithstanding any other provision of Federal, 
State, local, or Tribal law, patient safety work product is privileged 
and shall not be: (1) Subject to Federal, State, local, or Tribal 
civil, criminal, or administrative subpoena or order, including in a 
disciplinary proceeding against a provider; (2) subject to discovery in 
connection with a Federal, State, local, or Tribal civil, criminal, or 
administrative proceeding, including a disciplinary proceeding against 
a provider; (3) subject to disclosure under the Freedom of Information 
Act (section 552 of Title 5, United States Code) or similar Federal, 
State, local, or Tribal law; (4) admitted as evidence in any Federal, 
State, local, or Tribal governmental civil proceeding, criminal 
proceeding, administrative rulemaking proceeding, or administrative 
adjudicatory proceeding, including any such proceeding against a 
provider; or (5) admitted in a professional disciplinary proceeding of 
a professional disciplinary body established or specifically authorized 
under State law. The proposed provision generally repeated the 
statutory language at section 922(a) of the Public Health Service Act, 
42 U.S.C. 299b-22(a) but also clarified that privilege would have 
applied to protect against use of the information in Tribal courts and 
administrative proceedings.
    Overview of Public Comments: We received no comments opposed to 
this proposed provision.
    Final Rule: The final rule adopts this proposed provision.
    Response to Other Public Comments
    Comment: Several commenters expressed concern about the lack of 
detailed explanation and information about the privilege protections as 
compared to the confidentiality provisions in the proposed rule. Some 
commenters asked for clarification about how breaches of privilege can 
be enforced and who can assert privilege protection. Two commenters 
asked whether hospital peer review committees established under state 
law qualify as disciplinary bodies for purposes of the privilege 
protection and if there is a distinction between discipline by a state 
licensing body and discipline by an internal peer review committee.
    Response: The Secretary does not have the authority to interpret 
and enforce the privilege protections of the statute, and thus, the 
proposed rule did not contain a detailed discussion of these provisions 
nor can we provide further explanation or interpretation in this final 
rule. Rather, as described above, the privilege provisions are included 
only for convenience and completeness, and because the privilege 
exceptions mirror exceptions to confidentiality. The privilege 
protections attach to patient safety work product, and we expect that 
the privilege of patient safety work product will be adjudicated and 
enforced by the tribunals, agencies or professional disciplinary bodies 
before which the information is sought and before whom the proceedings 
take place. A provider facing an opposing party who seeks to introduce 
patient safety work product in court may seek to enforce the privilege 
by filing the appropriate motions with the court asserting the 
privilege to exclude the patient safety work product from the 
proceeding.
(B) Section 3.204(b)--Exceptions to privilege
    Proposed Rule: Proposed Sec.  3.204(b) described the exceptions to 
privilege established at section 922(c) of the Public Health Service 
Act, 42 U.S.C. 299b-22(c), thereby permitting disclosure of patient 
safety work product under such circumstances. In all cases, the 
exceptions to privilege were also proposed as exceptions to 
confidentiality at Sec.  3.206(b). Proposed Sec.  3.204(b)(1) would 
have permitted the disclosure of relevant patient safety work product 
for use in a criminal proceeding after a court makes an in camera 
determination that the patient safety work product contains evidence of 
a criminal act, is material to the proceeding, and is not reasonably 
available from any other source. Proposed Sec.  3.204(b)(2) would have 
permitted disclosure of identifiable patient safety work product to the 
extent required to carry out the securing and provision of equitable 
relief as provided under section 922(f)(4)(A) of the Public Health 
Service Act, 42 U.S.C. 299b-22(f)(4)(A). Proposed Sec.  3.204(b)(3) 
would have permitted disclosure of identifiable patient safety work 
product when each of the identified providers authorized the 
disclosure. Finally, proposed Sec.  3.204(b)(4) would have excepted 
patient safety work product from privilege when disclosed in 
nonidentifiable form.
    Overview of Public Comments: Some commenters expressed concern that 
allowing exceptions to privilege may not adequately protect patient 
safety work product.
    Final Rule: The final rule adopts the proposed provisions. The 
statute explicitly provides for these limited

[[Page 70772]]

exceptions to privilege and thus, they are included in this final rule.
Response to Other Public Comments
    Comment: One commenter asked that the final rule align the 
privilege exceptions in Sec.  3.204(b) with the permitted disclosures 
to law enforcement in the HIPAA Privacy Rule at 45 CFR 164.512(f).
    Response: We do not agree that expanding the exceptions to 
privilege in such a manner is appropriate or prudent. Congress 
expressly limited the exceptions to privilege to those we have repeated 
in the final rule. As relevant to law enforcement, the Patient Safety 
Act permits an exception from privilege protection for law enforcement 
purposes in only very narrow circumstances--that is, patient safety 
work product may be used in a criminal proceeding, but only after a 
judge makes an in camera determination that the information contains 
evidence of a criminal act, is material to the proceeding, and is not 
reasonably available from any other source. See Sec.  3.204(b)(1). We 
do not have authority to further expand or interpret the exceptions to 
privilege provided for in the statute. Further, we believe strong 
privilege protections are essential to ensuring the goals of the 
statute are met by encouraging maximum provider participation in 
patient safety reporting. We note that Sec.  3.206(b)(10) permits the 
disclosure to law enforcement of patient safety work product relating 
to an event that either constitutes the commission of a crime, or that 
the disclosing person reasonably believes constitutes the commission of 
a crime, provided that the disclosing person believes, reasonably under 
the circumstances, that the patient safety work product that is 
disclosed is necessary for criminal law enforcement purposes. In other 
cases where law enforcement needs access 
to information that is contained within patient safety work product, we 
emphasize that the definition of ``patient safety work product'' 
specifically excludes a patient's medical or billing record or other 
original patient information. See Sec.  3.20, paragraph (2)(i) of the 
definition of ``patient safety work product.'' Thus, such original 
patient information remains available to law enforcement in accordance 
with the conditions set out in the HIPAA Privacy Rule, if applicable.
(C) Section 3.204(c)--Implementation and Enforcement of the Patient 
Safety Act
    Proposed Rule: Proposed Sec.  3.204(c) would have excepted from 
privilege disclosures of relevant patient safety work product to or by 
the Secretary as needed for investigating or determining compliance, or 
seeking or imposing civil money penalties, with respect to this rule or 
for making or supporting PSO certification or listing decisions under 
the Patient Safety Act. We proposed that these disclosures also be 
permitted as an exception to confidentiality at Sec.  3.206(d). We 
explained that, in order to perform investigations and compliance 
reviews to determine whether a violation occurred, the Secretary may 
need to have access to privileged and confidential patient safety work 
product and that we believe Congress could not have intended the 
privilege and confidentiality protections of the Patient Safety Act to 
impede such enforcement by prohibiting access to necessary information 
by the Secretary. Thus, the proposed provision would have allowed 
disclosure of patient safety work product to and by the Secretary for 
enforcement purposes, including the introduction of such information 
into ALJ or Board proceedings, disclosure by the Board to properly 
review determinations or to provide records for court review, as well 
as disclosure during investigations by OCR or activities in reviewing 
PSO certifications by AHRQ. Patient safety work product disclosed under 
this proposed exception would have remained privileged and confidential 
pursuant to proposed Sec.  3.208, and proposed Sec.  3.312 limited the 
Secretary to only disclosing identifiable patient safety work product 
obtained in connection with an investigation or compliance review for 
enforcement purposes or as otherwise permitted by the proposed rule or 
Patient Safety Act.
    We also explained in the preamble to the proposed rule that the 
privilege provisions in the Patient Safety Act would not bar the 
Secretary from using patient safety work product for compliance and 
enforcement activities related to the HIPAA Privacy Rule. This 
interpretation was based on the statutory provision at section 
922(g)(3) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(3), 
which provides that the Patient Safety Act does not affect the 
implementation of the HIPAA Privacy Rule.
    Overview of Public Comments: We received one comment in support of 
and no comments opposed to this proposed provision.
    Final Rule: The final rule adopts the proposed provision, but 
expands it to expressly provide that patient safety work product also 
may be disclosed to or by the Secretary as needed to investigate or 
determine compliance with or to impose a civil money penalty under the 
HIPAA Privacy Rule. This new language implements the statutory 
provision at section 922(g)(3) of the Public Health Service Act, 42 
U.S.C. 299b-22(g)(3), which, as explained above, makes clear that the 
Patient Safety Act is not intended to affect implementation of the 
HIPAA Privacy Rule. Given the significant potential for an alleged 
impermissible disclosure to implicate both this rule's confidentiality 
provisions, as well as the HIPAA Privacy Rule, the Secretary may 
require access to privileged patient safety work product for purposes 
of determining compliance with the HIPAA Privacy Rule. The Secretary 
will use such information consistent with the statutory prohibition 
against imposing civil money penalties under both authorities for the 
same act.
    With respect to this rule, the provision, as it did in the proposed 
rule, makes clear that privilege does not apply to patient safety work 
product disclosed to or by the Secretary if needed to investigate or 
determine compliance with this rule, or to make or support decisions 
with respect to listing of a PSO. This may include access to and 
disclosure of patient safety work product to enforce the 
confidentiality provisions of the rule, to make or support decisions 
regarding the acceptance of certification and listing as a PSO, or to 
revoke such acceptance and to delist a PSO, or to assess or verify PSO 
compliance with the rule.
2. Section 3.206--Confidentiality of Patient Safety Work Product
    Proposed Sec.  3.206 described the confidentiality protection of 
patient safety work product, as well as the exceptions from 
confidentiality protection.
(A) Section 3.206(a)--Confidentiality
    Proposed Rule: Proposed Sec.  3.206(a) would have established the 
general principle that patient safety work product is confidential and 
shall not be disclosed by anyone holding the patient safety work 
product, except as permitted or required by the rule.
    Overview of Public Comments: We received no comments directly in 
reference to this provision.
    Final Rule: The final rule adopts this proposed provision.
(B) Section 3.206(b)--Exceptions to confidentiality
    Proposed Rule: Proposed Sec.  3.206(b) described the exceptions to 
confidentiality, or permitted disclosures. The preamble to the proposed 
rule explained that there were several overarching principles that

[[Page 70773]]

applied to these exceptions from confidentiality. First, these 
exceptions were ``permissions'' to disclose patient safety work product 
and the holder of the information retained full discretion whether to 
disclose. Further, as the proposed rule was a Federal baseline of 
protection, a provider, PSO, or responsible person could impose more 
stringent confidentiality policies and procedures on patient safety 
work product and condition the release of patient safety work product 
within these exceptions by contract, employment relationship, or other 
means. However, the Secretary would not enforce such policies or 
private agreements. Second, when exercising discretion to disclose 
patient safety work product, we encouraged providers, PSOs, and 
responsible persons to attempt to disclose the amount of information 
commensurate with the purpose of the disclosure and to disclose the 
least amount of identifiable patient safety work product appropriate 
for the disclosure even if that was less than what would otherwise be 
permitted by the rule and regardless of whether the information 
continued to be protected under the rule after the disclosure. Third, 
the proposal prohibited persons receiving patient safety work product 
from redisclosing it except as permitted by the rule, and we requested 
comment on whether there were any negative implications of limiting 
redisclosures in such a manner.
    We also described how the proposal would work with respect to 
entities also subject to the Privacy Act and/or the HIPAA Privacy Rule. 
We explained that agencies subject to the Patient Safety Act and the 
Privacy Act, 5 U.S.C. 552a, must comply with both statutes when 
disclosing patient safety work product. This means that, for agencies 
subject to both laws, a disclosure of patient safety work product could 
only be made if permitted by both laws. The Privacy Act permits 
agencies to make disclosures pursuant to established routine uses. See 
5 U.S.C. 552a(a)(7); 552a(b)(3); and 552a(e)(4)(D). Accordingly, we 
recommended that Federal agencies that maintain a Privacy Act system of 
records containing information that is patient safety work product 
include routine uses that will permit the disclosures allowed by the 
Patient Safety Act. For HIPAA covered entities, we explained that when 
a patient's protected health information is encompassed within patient 
safety work product, any disclosure of such information also must 
comply with the HIPAA Privacy Rule.
    Overview of Public Comments: Some commenters expressed general 
support for the narrowly drawn exceptions to confidentiality in the 
proposed rule, while one commenter expressed concern that the 
exceptions were unnecessarily complex to accomplish their purpose. 
Several commenters asked that the final rule include additional 
exceptions to confidentiality or disclosure permissions. For example, 
some commenters suggested that the final rule permit the disclosure of 
patient safety work product to federal, state, and local agencies to 
fulfill mandatory reporting requirements. Other commenters suggested an 
exception be created to permit the disclosure of patient safety work 
product to state survey agencies, regulatory bodies, or to any federal 
or state agency for oversight purposes. Another commenter requested 
that the final rule include a disclosure permission for emergency 
circumstances similar to the HIPAA Privacy Rule disclosure at 45 CFR 
164.512(j), allowing a PSO to disclose patient safety work product if 
it determines a pattern of harm and that disclosure is necessary to 
prevent an individual from harming a person or the public. One 
commenter, however, believed the proposed rule contained too many 
exceptions to confidentiality, and thus, did not adequately protect 
patient safety work product; this commenter suggested that some 
disclosure permissions be eliminated in the final rule but did not 
recommend which ones.
    Several commenters responded to the question regarding whether 
there were any negative implications of limiting redisclosures as 
outlined in the proposed rule. These commenters supported the 
limitations on redisclosures of patient safety work product in the 
proposed rule; we received no comments identifying any negative 
implications of this limitation. One commenter, however, noted that the 
redisclosures should be governed by the HIPAA Privacy and Security 
Rules.
    Finally, some commenters sought clarification regarding preemption. 
Several commenters asked whether the federal patient safety work 
product protections preempted existing State law that permitted or 
required disclosure of similar types of records. Other commenters asked 
whether greater State law protections continue to exist alongside 
patient safety work product protections, stating that some providers 
may decide not to participate with a PSO if they would lose existing 
State law protections.
    Final Rule: The final rule generally adopts the proposed 
provisions, with some modifications as explained below in the specific 
discussions of the individual disclosure permissions. The disclosure 
permissions in this section reflect those provided by the statute, and 
the Secretary has no authority to eliminate or neglect to implement 
certain of the provisions. Further, the statute provides only limited 
authority to the Secretary to expand the disclosure permissions. See, 
for example, section 922(c)(2)(F) of the Public Health Service Act, 42 
U.S.C. 299b-22(c)(2)(F), providing the Secretary with authority to 
create permissions for disclosures that the Secretary may determine, by 
rule or other means, are necessary for business operations and are 
consistent with the goals of the statute. Thus, the final rule does not 
create any new, or eliminate any proposed, categories of disclosure 
permissions.
    With respect to those commenters who requested a disclosure 
permission be added to allow for the disclosure of patient safety work 
product to federal, state, and local agencies to fulfill mandatory 
reporting requirements or for oversight purposes, we disagree that such 
a modification is necessary. The final rule gives providers much 
flexibility in defining and structuring their patient safety evaluation 
system, as well as determining what information is to become patient 
safety work product and, thus, protected from disclosure. Providers can 
structure their systems in a manner that allows for the use of 
information that is not patient safety work product to fulfill their 
mandatory reporting obligations. See the discussion regarding the 
definition of ``patient safety work product'' in this preamble for more 
information. Further, as original medical and other records are 
expressly excepted from the definition of ``patient safety work 
product,'' providers always have the option of using those records to 
generate the reports necessary for their mandatory reporting 
obligations to federal, state, and local agencies.
    With respect to disclosures for emergency circumstances, the 
Patient Safety Act provides no general exception for such disclosures. 
However, patient safety work product may be disclosed under Sec.  
3.206(b)(10) to law enforcement if the disclosing party reasonably 
believes the patient safety work product contains information that 
constitutes a crime. For emergency circumstances that do not rise to 
the level of criminal conduct, the information necessary to identify 
and address such emergencies should be readily available and accessible 
in medical records and other original

[[Page 70774]]

documents that are not protected as patient safety work product.
    The final rule also adopts the redisclosure limitations of the 
proposed rule. As described above, commenters largely supported, and 
did not identify negative implications of, these restrictions. We 
discuss the individual redisclosure limitations below in the specific 
discussions regarding the disclosure permissions to which they apply. 
We note that the HIPAA Privacy and Security Rules will govern 
redisclosures of patient safety work product only to the extent that 
the redisclosures are made by a HIPAA covered entity and the patient 
safety work product encompasses protected health information.
    In response to the comments and questions regarding preemption, we 
note that the Patient Safety Act provides that, notwithstanding any 
other provision of Federal, State, or local law, and subject to the 
prescribed exceptions, patient safety work product shall be privileged 
and confidential. See sections 922(a) and (b) of the Public Health 
Service Act, 42 U.S.C. 299b-22(a) and (b). The statute also provides as 
rules of construction the following: (1) that the Patient Safety Act 
does not limit the application of other Federal, State, or local laws 
that provide greater privilege or confidentiality protections than 
those provided by the Patient Safety Act; and (2) the Patient Safety 
Act does not preempt or otherwise affect any State law requiring a 
provider to report information that is not patient safety work product. 
See section 922(g) of the Public Health Service Act, 42 U.S.C. 299b-
22(g). Thus, the patient safety work product protections provided for 
under the statute generally preempt State or other laws that would 
permit or require disclosure of information contained within patient 
safety work product. However, State laws that provide for greater 
protection of patient safety work product are not preempted and 
continue to apply.
Response to Other Public Comments
    Comment: Several commenters asked that the final rule discuss 
redisclosures in more detail and further explain the consequences of 
redisclosures.
    Response: A redisclosure, or ``further disclosure'' as described in 
the regulatory text, of patient safety work product, like a disclosure, 
is the release, transfer, provision of access to, or divulging in any 
other manner of patient safety work product by an entity or natural 
person holding the patient safety work product to another legally 
separate entity or natural person outside the entity holding the 
patient safety work product. Natural persons or entities who receive 
patient safety work product generally may further disclose such 
information pursuant to any of the disclosure permissions in the final 
rule at Sec.  3.206, except where expressly limited pursuant to the 
provision under which the natural person or entity received the 
information. These restrictions on further disclosures may be found at 
Sec. Sec.  3.206(b)(4)(ii) (disclosure to a contractor of a provider or 
PSO for patient safety activities), 3.206(b)(7) (disclosure to the Food 
and Drug Administration (FDA) and entities required to report to FDA), 
3.206(b)(8) (voluntary disclosure to an accrediting body), 3.206(b)(9) 
(business operations), and 3.206(b)(10) (disclosure to law 
enforcement). These limitations are described more fully below in the 
discussions concerning the disclosure permissions to which they apply. 
As with an impermissible disclosure, impermissible redisclosures are 
subject to enforcement by the Secretary and potential civil money 
penalties.
    Comment: Two commenters asked that we monitor the impact of the 
rule to ensure that it does not improperly impede the necessary sharing 
of patient safety work product.
    Response: As the rule is implemented, we will monitor its impact 
and consider whether any concerns that are raised by providers, PSOs, 
and others should be addressed through future modification to the rule 
or guidance, as appropriate.
(1) Section 3.206(b)(1)--Criminal Proceedings
    Proposed Rule: Proposed Sec.  3.206(b)(1) would have permitted the 
disclosure of identifiable patient safety work product for use in a 
criminal proceeding, if a court makes an in camera determination that 
the identifiable patient safety work product sought for disclosure 
contains evidence of a criminal act, is material to the proceeding, and 
is not reasonably available from other sources. See section 
922(c)(1)(A) of the Public Health Service Act, 42 U.S.C. 299b-
22(c)(1)(A). The proposed provision paralleled the exception to 
privilege at proposed Sec.  3.204(b)(1).
    As we explained in the proposed rule, the Patient Safety Act 
establishes that patient safety work product generally will continue to 
be privileged and confidential upon disclosure. See section 922(d)(1) 
of the Public Health Service Act, 42 U.S.C. 299b-22(d)(1) and Sec.  
3.208 of this rule. However, the Patient Safety Act limits the 
continued protection of patient safety work product disclosed for use 
in a criminal proceeding pursuant to this provision. In particular, 
patient safety work product disclosed pursuant to this provision 
continues to be privileged after disclosure but is no longer 
confidential. See section 922(d)(2)(A) of the Public Health Service 
Act, 42 U.S.C. 299b-22(d)(2)(A). We explained that this would mean, for 
example, that law enforcement personnel who obtain patient safety work 
product used in a criminal proceeding could further disclose that 
information because confidentiality protection would not apply; 
however, law enforcement could not seek to introduce the patient safety 
work product in another proceeding without a new in camera 
determination that would have complied with the privilege exception at 
proposed Sec.  3.204(b)(1).
    We also reminded entities that are subject to the HIPAA Privacy 
Rule that any disclosures pursuant to this provision that encompass 
protected health information also would need to comply with the HIPAA 
Privacy Rule's provision at 45 CFR 164.512(e) for disclosures pursuant 
to judicial proceedings. We explained that we expected court rulings 
following an in camera determination to be issued as a court order, 
which would satisfy the HIPAA Privacy Rule's requirements.
    Overview of Public Comments: We received no comments opposed to 
this provision.
    Final Rule: The final rule adopts the proposed provision.
Response to Other Public Comments
    Comment: One commenter asked that the final rule make clear that 
patient safety work product disclosed under this provision continues to 
be privileged and cannot be used or reused as evidence in any civil 
proceeding even though the information is no longer confidential.
    Response: The final rule makes this clear. See Sec.  3.208(b)(1).
(2) Section 3.206(b)(2)--Equitable Relief for Reporters
    Proposed Rule: The Patient Safety Act prohibits a provider from 
taking an adverse employment action against an individual who, in good 
faith, reports information to the provider for subsequent reporting to 
a PSO or to a PSO directly. See section 922(e)(1) of the Public Health 
Service Act, 42 U.S.C. 299b-22(e)(1). For purposes of this provision, 
adverse employment actions include loss of employment, failure to 
promote, or adverse evaluations or decisions regarding credentialing or 
licensing. See section 922(e)(2) of the Public Health Service Act, 42 U.S.C. 
299b-22(e)(2). The Patient Safety Act provides adversely affected 
reporters a civil right

[[Page 70775]]

of action to enjoin such adverse employment actions and obtain other 
equitable relief, including back pay or reinstatement, to redress the 
prohibited actions. See section 922(f)(4) of the Public Health Service Act, 42 
U.S.C. 299b-22(f)(4). To effectuate the obtaining of equitable relief 
under this provision, the Patient Safety Act provides that patient 
safety work product is not subject to the privilege protections or to 
the confidentiality protections. Thus, proposed Sec.  3.206(b)(2) would 
have permitted the disclosure of identifiable patient safety work 
product by an employee seeking redress for adverse employment actions 
to the extent that the information is necessary to permit the equitable 
relief. This proposed provision paralleled the privilege exception to 
permit equitable relief at proposed Sec.  3.204(b)(2). Also, in 
accordance with the statute, we proposed that once patient safety work 
product is disclosed pursuant to this provision, it would have remained 
subject to confidentiality and privilege protection in the hands of all 
subsequent holders and could not be further disclosed except as 
otherwise permitted by the rule.
    We also provided guidance with respect to the application of the 
HIPAA Privacy Rule if a covered entity (or its business associate) was 
making the disclosure and the patient safety work product included 
protected health information. In that regard, we explained that, under 
the HIPAA Privacy Rule at 45 CFR 164.512(e), when protected health 
information is sought to be disclosed in a judicial proceeding via 
subpoenas and discovery requests without a court order, the disclosing 
HIPAA covered entity must seek satisfactory assurances that the party 
requesting the information has made reasonable efforts to provide 
written notice to the individual who is the subject of the protected 
health information or to secure a qualified protective order.
    Finally, the proposed rule solicited comments on whether the 
obtaining of a protective order should be a condition of the disclosure 
under this provision or whether, instead, the final rule should require 
only a good faith effort to obtain a protective order as a condition of 
this disclosure.
    Overview of Public Comments: Two commenters expressed general 
support for the proposed provision, stating that it struck the 
appropriate balance between maintaining the confidentiality and 
privilege protections on patient safety work product and allowing 
reporters of patient safety work product to seek redress for adverse 
employment actions based upon their good faith reporting of this 
information to a PSO. Several commenters responded to the question 
posed in the proposed rule asking whether a protective order should be 
a condition of disclosure under this provision or if a good faith 
effort in obtaining a protective order should be sufficient. All of 
these commenters agreed that the obtaining of a protective order should 
be a condition of disclosure of patient safety work product under this 
provision.
    Final Rule: The final rule adopts the proposed disclosure 
permission at Sec.  3.206(b)(2) but conditions the permitted disclosure 
for equitable relief on the provision of a protective order by the 
court or administrative tribunal to protect the confidentiality of the 
patient safety work product during the course of the proceeding. 
Although patient safety work product remains confidential and 
privileged in the hands of all recipients after disclosure under this 
provision, we recognize that the sensitive nature of the patient safety 
work product warrants requiring a protective order as additional 
protection on this information. Because some participants and observers 
of a proceeding involving equitable relief for an adverse employment 
action may not be aware that certain information is protected as 
patient safety work product to which penalties attach for impermissible 
disclosures, requiring a protective order is prudent to ensure that 
patient safety work product is adequately protected and that 
individuals are put on notice of its protected status. As we explained 
in the proposed rule, such a protective order could take many forms 
that preserve the confidentiality of patient safety work product. For 
example, the order could limit the use of the information to case 
preparation, but not make it evidentiary. Or, the order might prohibit 
the disclosure of the patient safety work product in publicly 
accessible proceedings and in court records to prevent liability from 
moving to a myriad of unsuspecting parties.
    We recognize that, in some cases, a reporter seeking equitable 
relief may be unable to obtain a protective order from a court prior to 
making a necessary disclosure of patient safety work product, despite 
the reporter's good faith and diligent effort to obtain one. If the 
Secretary receives a complaint that patient safety work product was 
disclosed by a reporter seeking equitable relief, the Secretary has 
discretion not to impose a civil money penalty, if appropriate. While 
the final rule requires a protective order as a condition of 
disclosure, it is not the Secretary's intent to frustrate the obtaining 
of equitable relief provided for under the statute. Thus, the Secretary 
will review the circumstances of such complaints to determine whether 
to exercise his enforcement discretion to not pursue a civil money 
penalty.
(3) Section 3.206(b)(3)--Authorized by Identified Providers
    Proposed Rule: Proposed Sec.  3.206(b)(3) would have permitted a 
disclosure of patient safety work product when each provider identified 
in the patient safety work product separately authorized the 
disclosure. This provision paralleled the privilege exception at 
proposed Sec.  3.204(b)(3) and was based on section 922(c)(1)(C) of the 
Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(C). The proposed 
rule explained that patient safety work product disclosed under this 
exception would continue to be confidential pursuant to the continued 
confidentiality provisions at section 922(d)(1) of the Public Health 
Service Act, 42 U.S.C. 299b-22(d)(1), and persons would be subject to 
liability for further disclosures in violation of that confidentiality.
    We also explained that it would be insufficient to make 
identifiable information regarding a nonauthorizing provider 
nonidentifiable in lieu of obtaining an authorization. While we 
considered such an approach, we rejected it as impractical given that 
it seemed there would be very few, if any, situations in which a 
nonauthorizing provider could be nonidentified without also needing to 
nonidentify, or nearly so, an authorizing provider in the same patient 
safety work product.
    We encouraged persons disclosing patient safety work product to 
exercise discretion with respect to the scope of patient safety work 
product disclosed and to consider whether identifying information 
regarding reporters or patients was necessary, even though the statute 
required neither patient nor reporter authorization under this 
provision. We also explained that, if the disclosing entity is a HIPAA 
covered entity (or business associate), the HIPAA Privacy Rule, 
including the minimum necessary standard when applicable, would apply 
to the disclosure of protected health information contained within the 
patient safety work product. Further, if the disclosure was not also 
permitted under the HIPAA Privacy Rule, the patient information would 
need to be de-identified. We sought public comment as to whether the 
proposed approach was sufficient to protect the interests of reporters 
and patients identified in the patient safety work

[[Page 70776]]

product permitted to be disclosed pursuant to this provision.
    While the Patient Safety Act does not specify the form of the 
authorization under this exception, we proposed that an authorization 
be in writing, be signed by the authorizing provider, and contain 
sufficient detail to fairly inform the provider of the nature and scope 
of the disclosures being authorized. The proposed rule would not have 
required that any specific terms be included in the authorization, only 
that disclosures be made in accordance with the terms of the 
authorization, whatever they may be. We sought public comment on 
whether a more stringent standard would be prudent and workable, such 
as an authorization process that is disclosure specific.
    We also proposed that any authorization be maintained by the 
disclosing entity or person for a period of six years from the date of 
the last disclosure made in reliance on the authorization, the limit of 
time within which the Secretary must initiate an enforcement action.
    Overview of Public Comments: Several commenters responded that 
patients and reporters identified in patient safety work product are 
adequately protected by this regulation and by the HIPAA Privacy Rule 
for covered entities. Some commenters, however, suggested that the 
HIPAA Privacy Rule's minimum necessary standard be applied to 
disclosures under this provision so that only the minimum necessary 
amount of patient safety work product would be permitted to be 
disclosed.
    Several commenters also responded to the question of whether a 
stricter or more prescribed standard for the authorizations should be 
included in the final rule, the majority of whom stated that the 
authorization requirements outlined in the proposed rule were adequate. 
One commenter recommended that the final rule not regulate the terms of 
the provider authorization and that such terms be left to the parties. 
Another commenter suggested that provider authorizations be time-
limited, while other commenters asked for a model authorization form 
and that the final rule provide a process for revocation of 
authorizations.
    Final Rule: The final rule adopts the proposed provision. Thus, a 
provider, PSO, or responsible person may disclose identifiable patient 
safety work product if a valid authorization is obtained from each 
identified provider and the disclosure is consistent with such 
authorization. As in the proposed rule, such authorizations must be 
retained by the disclosing entity for six years from the date of the 
last disclosure made in reliance on the authorization and made 
available to the Secretary upon request. Further, as the Department 
agrees with those commenters who believed the specific terms of the 
provider authorizations should be left to the parties, the final rule, 
as in the proposed rule, requires only that the authorization of each 
of the identified providers be in writing and signed, and contain 
sufficient detail to fairly inform the provider of the nature and scope 
of the disclosures being authorized. Thus, the parties are free to 
define their own specific terms for provider authorizations, including 
any time limitations and to what extent and the process through which 
such authorizations are revocable. Given the final rule does not 
prescribe a particular form or the terms of provider authorizations 
under this provision, we do not believe providing a model authorization 
form is appropriate or feasible.
    With respect to patient and reporter identifiers, we continue to 
strongly encourage disclosers to consider how much patient safety work 
product is necessary, and whether patient or reporter identifiers are 
necessary, to accomplish the purpose of the authorized disclosure. 
However, this final rule does not include specific limitations on the 
disclosure of patient and reporter identifiers under this provision, so 
long as the disclosure is in accordance with the terms of the provider 
authorizations. In addition, the HIPAA Privacy Rule, including the 
minimum necessary or de-identification standard, as appropriate, 
continues to apply to the disclosure of any protected health 
information contained within the patient safety work product.
Response to Other Public Comments
    Comment: One commenter asked for clarification as to whether state 
laws requiring greater protection for patient safety work product would 
apply to disclosures pursuant to this provision.
    Response: Section 922(g)(1) of the Public Health Service Act, 42 
U.S.C. 299b-22(g)(1), provides that the Patient Safety Act does not 
limit the application of other Federal, State, or local laws that 
provide greater privilege or confidentiality protections than provided 
by the Act. Thus, state laws providing greater protection for patient 
safety work product are not preempted and would apply to disclosures of 
patient safety work product.
    Comment: One commenter expressed concern that this disclosure 
permission conflicts with the disclosure permission for patient safety 
activities at proposed Sec.  3.206(b)(4) because this disclosure 
permission does not allow the sharing of any provider information, even 
if made nonidentifiable, unless all providers identified in the patient 
safety work product authorize the disclosure, while the disclosure 
permission for patient safety activities allows the sharing of provider 
information between PSOs and between providers, as long as it is 
anonymized.
    Response: These disclosure permissions are separate and independent 
of one another and serve different purposes. Disclosures of patient 
safety work product may be made pursuant to either permission, provided 
the relevant conditions are met.
    Comment: One commenter expressed concern about the disclosure 
permission's prohibition on disclosing patient safety work product in 
nonidentifiable form with respect to a provider who has not authorized 
the disclosure of the information, stating that this construct would 
make the provision difficult to implement.
    Response: The final rule adopts the provisions of the proposed rule 
and does not permit patient safety work product to be disclosed if the 
information is rendered nonidentifiable with respect to a 
nonauthorizing provider. As explained above, there are likely few 
situations in which a nonauthorizing provider could be nonidentified 
without having to also nonidentify the authorizing providers in the 
patient safety work product to be disclosed under this provision. 
Therefore, allowing nonidentification of the nonauthorizing provider is 
impractical.
    Comment: One commenter recommended that a copy of the provider 
authorization be kept in a patient's file, if the provider's authorized 
disclosure of patient safety work product resulted in a disclosure of 
the patient's protected health information, so that these disclosures 
can be tracked and included in an accounting of disclosures as required 
by 45 CFR 164.528 of the HIPAA Privacy Rule.
    Response: While the commenter's suggestion may assist in complying 
with the HIPAA Privacy Rule's accounting of disclosures standard, we do 
not include such a requirement in the final rule. Given that the 
authorizations provided for under this provision are focused on the 
disclosure of the provider's identifiable information and that the 
specific terms of such authorizations will vary based on the 
circumstances of the disclosure and the parties, it is

[[Page 70777]]

unlikely that such authorizations will contain the information 
necessary for a HIPAA covered entity to meet its accounting obligations 
to the individual patient. Further, HIPAA covered entities are free to 
design and use approaches for compliance with the HIPAA Privacy Rule's 
accounting standard that are best suited to their business needs and 
information systems.
(4) Section 3.206(b)(4)--Patient Safety Activities
    Proposed Rule: Proposed Sec.  3.206(b)(4) would have permitted the 
disclosure of identifiable patient safety work product for patient 
safety activities (i) by a provider to a PSO or by a PSO to that 
disclosing provider; or (ii) by a provider or a PSO to a contractor of 
the provider or PSO; or (iii) by a PSO to another PSO or to another 
provider that has reported to the PSO, or by a provider to another 
provider, provided, in both cases, certain direct identifiers are 
removed. This proposed permissible disclosure provision was based on 
section 922(c)(2)(A) of the Public Health Service Act, 42 U.S.C. 299b-
22(c)(2)(A), which permits the disclosure of identifiable patient 
safety work product for patient safety activities. The proposed rule 
provided that, consistent with the statute, patient safety work product 
would remain privileged and confidential once disclosed under this 
provision.
    We explained in the proposed rule that patient safety activities 
are the core mechanism by which providers may disclose patient safety 
work product to obtain external expertise from PSOs and through which 
PSOs may aggregate information from multiple providers, and communicate 
feedback and analyses back to providers. Thus, the rule needs to 
facilitate such communications so that improvements in patient safety 
can occur. To realize this goal, the proposed rule at Sec.  
3.206(b)(4)(i) would have allowed for the disclosure of identifiable 
patient safety work product reciprocally between providers and the PSOs 
to which they have reported. This would allow PSOs to collect, 
aggregate, and analyze patient safety event information and disseminate 
findings and recommendations for safety and quality improvements.
    The proposed rule at Sec.  3.206(b)(4)(ii) also would have allowed 
for disclosures by providers and PSOs to their contractors who are not 
workforce members, recognizing that there may be situations where 
providers and PSOs want to engage contractors who are not agents to 
carry out patient safety activities. However, to ensure patient safety 
work product remained adequately protected in such cases, the proposed 
rule would have prohibited contractors from further disclosing patient 
safety work product, except to the provider or PSO from which they 
first received the information. We explained in the proposed rule that 
this limitation would not, however, preclude a provider or PSO from 
exercising its authority under section 922(g)(4) of the Public Health 
Service Act, 42 U.S.C. 299b-22(g)(4), to separately delegate its power 
to the contractor to make other disclosures. We also stated that, 
although the proposed rule did not require a contract between the 
provider or PSO and the contractor, we fully expected the parties to 
engage in prudent practices to ensure patient safety work product 
remained confidential.
    Further, to allow for more effective aggregation of patient safety 
work product, the proposal at Sec.  3.206(b)(4)(iii) would have allowed 
PSOs to disclose patient safety work product to other PSOs or to other 
providers that have reported to the PSO (but not about the specific 
event(s) to which the patient safety work product relates), and 
providers to disclose patient safety work product to other providers, 
for patient safety activities, as long as the patient safety work 
product was anonymized through the removal of direct identifiers of 
providers and patients. See proposed Sec.  3.206(b)(4)(iii)(A). In 
particular, to anonymize provider identifiers, the proposed rule would 
have required the removal of the following direct identifiers of any 
providers and of affiliated organizations, corporate parents, 
subsidiaries, practice partners, employers, members of the workforce, 
or household members of such providers: (1) Names; (2) postal address 
information, other than town or city, State and zip code; (3) telephone 
numbers; (4) fax numbers; (5) electronic mail addresses; (6) social 
security numbers or taxpayer identification numbers; (7) provider or 
practitioner credentialing or DEA numbers; (8) national provider 
identification number; (9) certificate/license numbers; (10) web 
universal resource locators; (11) internet protocol (IP) address 
numbers; (12) biometric identifiers, including finger and voice prints; 
and (13) full face photographic images and any comparable images. For 
patient identifiers, the proposed rule would have applied the HIPAA 
Privacy Rule limited data set standard. See 45 CFR 164.514(e). We 
explained in the proposed rule that removal of the required identifiers 
could be absolute or be done through encryption, provided the 
disclosing entity did not disclose the key to the encryption or the 
mechanism for re-identification.
    Recognizing that fully nonidentifiable patient safety work product 
may have limited usefulness due to the removal of key elements of 
identification, the proposed rule specifically sought public comment on 
whether there were any entities other than providers, PSOs, or their 
contractors that would need fully identifiable or anonymized patient 
safety work product for patient safety activities.
    The proposed rule also explained the intersection with the HIPAA 
Privacy Rule with respect to these disclosures, and noted that, as 
provided by the statute, PSOs would be treated as business associates 
and patient safety activities performed by, or on behalf of, a covered 
provider by a PSO would be deemed health care operations as defined by 
the HIPAA Privacy Rule. For a more detailed discussion of the 
application of the HIPAA Privacy Rule with respect to disclosures under 
this proposed provision, see the preamble to the proposed rule at 73 FR 
8146-8147. The proposed rule sought public comment on whether the HIPAA 
Privacy Rule definition of ``health care operations'' should be 
modified to include a specific reference to patient safety activities 
and whether the HIPAA Privacy Rule disclosure permission for health 
care operations should be modified to include a reference to patient 
safety activities.
    Overview of Public Comments: The commenters expressed general 
support for the reciprocal disclosure of patient safety work product 
between providers and PSOs for patient safety activities. Additionally, 
commenters expressed general support for the disclosure of patient 
safety work product by a PSO or provider to its contractor to carry out 
patient safety activities.
    Commenters also generally supported the proposed permissible 
disclosure of patient safety work product between PSOs for patient 
safety activities, between PSOs and other providers that have reported 
to that PSO, and between providers. However, many commenters expressed 
concern about the proposed rule requirement at Sec.  3.206(b)(4)(iii) 
to anonymize patient safety work product prior to disclosure. Some 
commenters stated that this requirement inappropriately limited a PSO's 
ability to share this information with other PSOs and could prevent 
PSOs from being able to identify duplicate reports of a single event 
coming from independent sources in the patient safety work product 
received from other

[[Page 70778]]

PSOs. One suggested that PSOs be able to share identifiable patient 
safety work product with other PSOs, while another commenter stated 
that provider names, addresses, and phone numbers should be included in 
patient safety work product to permit follow up contact with the 
provider and as a way to identify duplicate adverse event reports. This 
commenter suggested that PSOs be able to contract with other PSOs as 
their contractors so that they could share patient safety information 
that has not been anonymized with one another subject to Sec.  
3.206(b)(4)(ii), or alternatively, that the final rule allow PSOs to 
share patient safety work product identifying providers with other PSOs 
if a contract ensuring the confidentiality of this information is in 
place between the PSOs. Other commenters expressed concern that the 
anonymization requirement limited the ability of providers to use and 
disclose patient safety work product to other providers or students for 
educational, academic, or professional purposes. These commenters 
feared that the proposed rule would inhibit providers' ability to 
consult with other providers about patient safety events and requested 
clarification from the Department that the rule would not prohibit the 
disclosure of patient safety work product among physicians and other 
health care professionals, particularly for education purposes or for 
preventing or ameliorating harm.
    Many commenters also responded to the question in the proposed rule 
regarding whether the patient safety activities disclosure permission 
should be expanded to encompass additional entities. Commenters 
identified no additional entities to include in this disclosure 
permission; however, some commenters suggested that the Department 
monitor this provision so that exceptions for disclosures to additional 
entities may be made in the future if necessary.
    Final Rule: The final rule adopts without modification proposed 
Sec.  3.206(b)(4)(i) and Sec.  3.206(b)(4)(ii), permitting disclosure 
of patient safety work product for patient safety activities between 
providers and PSOs, and between providers or PSOs and their contractors 
that undertake patient safety activities on their behalf. In addition, 
the final rule modifies proposed Sec.  3.206(b)(4)(iii) with respect to 
disclosures to another PSO or provider, redesignates the provision as 
Sec.  3.206(b)(4)(iv), and adds a new Sec.  3.206(b)(4)(iii).
    New Sec.  3.206(b)(4)(iii) of the final rule permits disclosure of 
identifiable patient safety work product among affiliated providers for 
patient safety activities. Unlike disclosures between providers in 
Sec.  3.206(b)(4)(iv), the patient safety work product disclosed 
pursuant to this permission need not be anonymized prior to disclosure. 
An affiliated provider is defined in the final rule as ``with respect 
to a provider, a legally separate provider that is the parent 
organization of the provider, is under common ownership, management, or 
control with the provider, or is owned, managed, or controlled by the 
provider.'' See Sec.  3.20. This addition to the final rule is included 
in recognition that certain provider entities with a common corporate 
affiliation, such as integrated health systems, may have a need, just 
as a single legal entity, to share identifiable and non-anonymized 
patient safety work product among the various provider affiliates and 
their parent organization for patient safety activities and to 
facilitate, if desired, one corporate patient safety evaluation system. 
We emphasize that provider entities can choose not to use this 
disclosure mechanism if they believe that doing so would adversely 
affect provider participation, given that patient safety work product 
would be shared more broadly across the affiliated entities.
    The final rule adopts the disclosure permission for patient safety 
work product proposed at Sec.  3.206(b)(4)(iii) in the proposed rule; 
however, the final rule relocates this disclosure permission to Sec.  
3.206(b)(4)(iv) and retitles this section for clarity. This disclosure 
permission requires that patient safety work product disclosed for 
patient safety activities by a PSO to another PSO or to another 
provider that has reported to the PSO or by a provider to another 
provider must be anonymized through the removal of certain provider-
related direct identifiers listed in Sec.  3.206(b)(4)(iii)(A), as well 
as the removal of patient direct identifiers pursuant to the HIPAA 
Privacy Rule's limited data set standard at 45 CFR 164.514(e)(2).
    Although the final rule includes a provision for disclosure of 
fully identifiable patient safety work product among affiliated 
providers, we believe it is unnecessary to provide a similar provision 
that would allow for the sharing of identifiable and non-anonymized 
patient safety work product between PSOs since the final rule includes 
multiple avenues for secondary PSOs, i.e., those PSOs that do not have 
the direct reporting relationship with the provider, to receive 
provider identifiable data, if needed. In particular, the final rule 
allows: (1) A PSO receiving patient safety work product from a provider 
to contact that provider and recommend that the provider also report 
the patient safety work product to an additional PSO; (2) a provider 
reporting to a PSO to delegate its authority to the PSO to report its 
patient safety work product to an additional PSO; (3) a PSO to hire 
another PSO as a consultant to assist in the evaluation of patient 
safety work product received from a reporting provider, pursuant to 
Sec.  3.206(b)(4)(ii); and (4) a PSO to disclose identifiable and non-
anonymized patient safety work product to another PSO if it has 
obtained authorization to do so from each provider identified in the 
patient safety work product. See Sec.  3.206(b)(3).
    To address the concerns of providers generally that the rule would 
prohibit the disclosure of patient safety work product among physicians 
and other health care professionals, particularly for educational 
purposes or for preventing or ameliorating patient harm, we emphasize 
that the rule does not regulate uses of patient safety work product 
within a single legal entity. (However, we note that we have expressly 
defined as a disclosure the sharing of patient safety work product 
between a component PSO and the rest of the legal entity of which it is 
a part.) Thus, consistent with this policy, providers within a single 
legal entity are free to discuss and share patient safety work product 
in identifiable and non-anonymized form for educational, academic, or 
other professional purposes. We have made this policy clear in the 
final rule by modifying the definition of disclosure to apply only to 
the release, transfer, provision of access to, or divulging in any 
other manner of patient safety work product by: (1) an entity or 
natural person holding the patient safety work product to another 
legally separate entity or natural person outside the entity holding 
the patient safety work product; or (2) a component PSO to another 
entity or natural person outside the component organization. Further, 
as described above, the new provision at Sec.  3.206(b)(4)(iii) allows 
the sharing of fully identifiable patient safety work product among 
affiliated providers. However, if providers wish to disclose patient 
safety work product to other providers outside of their legal entity or 
to non-affiliated providers, the information must be anonymized subject 
to Sec.  3.206(b)(4)(iv)(A) and (B) or disclosed subject to another 
applicable disclosure permission.
Response to Other Public Comments
    Comment: One commenter asked that the final rule prohibit the

[[Page 70779]]

recommendations made by a PSO from being introduced as evidence of a 
standard of care or for other purposes in a judicial or administrative 
proceeding.
    Response: A recommendation made by a PSO is patient safety work 
product to which the privilege and confidentiality protections attach. 
Therefore, the information can only be disclosed through an applicable 
disclosure permission. However, as we explained in the proposed rule, 
while the recommendations themselves are protected, the corrective 
actions implemented by a provider, even if based on the protected 
recommendations from a PSO, are not patient safety work product.
    Comment: One commenter asked if permissible disclosures of patient 
safety work product for patient safety activities under this disclosure 
permission could include disclosures for credentialing, disciplinary, 
and peer review purposes.
    Response: The disclosure permission at Sec.  3.206(b)(4) of the 
final rule for patient safety activities does not encompass the 
disclosure of patient safety work product to an external entity or 
within an administrative proceeding for credentialing, disciplinary, or 
peer review purposes. However, as explained above, uses of patient 
safety work product within a legal entity are not regulated and thus, 
patient safety work product may be used within an entity for any 
purpose, including those described by the commenter, so long as such 
use does not run afoul of the statutory prohibition on a provider 
taking an adverse employment action against an individual based on the 
fact that the individual in good faith reported information either to 
the provider with the intention of having the information reported to a 
PSO or directly to a PSO. (Note, though, that we have expressly defined 
as a disclosure the sharing of patient safety work product between a 
component PSO and the rest of the legal entity of which it is a part.)
    Comment: One commenter suggested that PSOs should be required to 
maintain an accounting of all disclosures of patient safety work 
product containing individually identifiable health information in 
parallel to the HIPAA Privacy Rule requirement for covered entities. In 
order to further protect patient privacy, this commenter suggested that 
patients be made third party beneficiaries of the contracts between 
providers and PSOs.
    Response: A HIPAA covered entity is responsible for ensuring that 
disclosures of protected health information made by a PSO, as its 
business associate, are included in an accounting of disclosures to the 
extent such disclosures are subject to an accounting at 45 CFR 164.528. 
Further, the HIPAA Privacy Rule provides that a contract between a 
HIPAA covered entity and its business associate must require the 
business associate to make available to the covered entity the 
information it needs to comply with the HIPAA Privacy Rule's accounting 
standard. See 45 CFR 164.504(e). However, we expect that most 
permissible disclosures of patient safety work product that include 
protected health information will not be subject to the HIPAA Privacy 
Rule's accounting requirements. The HIPAA Privacy Rule's accounting 
standard does not require that disclosures made for health care 
operations be included in an accounting. See 45 CFR 164.528(a)(1)(i). 
Thus, because disclosures for patient safety activities at Sec.  
3.206(b)(4), business operations at Sec.  3.206(b)(9), or accreditation 
purposes at Sec.  3.206(b)(8) will generally be for the provider's 
health care operations, the provider does not need to account for these 
disclosures. Additionally, for disclosures of patient safety work 
product that are subject to the HIPAA Privacy Rule's accounting 
requirement, such as disclosures to the FDA and entities required to 
report to the FDA at Sec.  3.206(b)(7), the HIPAA Privacy Rule offers 
enough flexibility for a provider generally to provide an accounting of 
those disclosures without revealing the existence of patient safety 
work product. Therefore, we do not believe including a requirement 
directly on PSOs with respect to the HIPAA Privacy Rule's accounting 
standard is needed or appropriate. Nor do we agree that contracts 
between providers and PSOs should designate individuals as third party 
beneficiaries of such contracts. We believe the HIPAA Privacy Rule's 
existing provisions provide adequate protections for identifiable 
patient information that may be encompassed within patient safety work 
product; however, we also expect PSOs generally to disclose anonymized 
and nonidentifiable patient safety work product.
    Comment: Another commenter suggested that patient safety work 
product should be able to be used and disclosed in the same 
circumstances that protected health information can be used and 
disclosed under the HIPAA Privacy Rule for health care operations.
    Response: The final rule does not regulate ``uses'' of patient 
safety work product within a legal entity; thus, a provider, PSO, or 
responsible person may use patient safety work product for any purpose 
within the legal entity, including those considered ``health care 
operations'' for purposes of the HIPAA Privacy Rule. With respect to 
disclosures, however, we do not agree that expanding the disclosure 
permission in the manner suggested by the commenter is appropriate. The 
disclosure permissions in the final rule are carefully crafted to 
balance the need for the information to remain confidential with the 
need to disclose patient safety work product to effectuate the goals of 
the statute or for other limited purposes provided by the statute. With 
respect to disclosures for patient safety activities, while it is clear 
that patient safety activities are health care operations under the 
HIPAA Privacy Rule, only a subset of activities within the definition 
of ``health care operations'' are relevant to patient safety.
    Comment: One commenter asked for clarification about whether a 
provider can report a single patient safety event to multiple PSOs.
    Response: Providers are free to report patient safety work product 
to, and have relationships with, multiple PSOs.
    Comment: A commenter asked that the final rule explain the process 
for disclosing patient safety work product to the National Patient 
Safety Databank.
    Response: The Department intends to provide further guidance and 
information regarding the creation of and reporting to and among the 
network of patient safety databases, as part of implementation of 
section 923 of the Public Health Service Act, including information on 
common formats for collecting and disclosing nonidentifiable patient 
safety work product for such purposes. The Department announced the 
availability of, and sought comment on, common formats for common 
hospital-based patient safety events in the Federal Register on August 
29, 2008 (http://www.pso.ahrq.gov/formats/commonfmt.htm).
    Comment: One commenter suggested that the final rule require 
providers and PSOs to have written contracts in place with contractors 
who are not their agents but who will carry out patient safety 
activities on their behalf. Another commenter asked if the final rule 
will include a requirement similar to a business associate contract 
under the HIPAA Privacy Rule between PSOs and their contractors.
    Response: The final rule does not require providers and PSOs to 
have written contracts in place with contractors who are not their 
agents but who will carry out patient safety activities on their 
behalf. However, we expect that, in practice, such relationships will 
be governed by

[[Page 70780]]

contract, but we leave the terms of those relationships up to the 
parties. We note, though, that if a HIPAA covered entity hires a 
contractor to conduct patient safety activities on its behalf, which 
requires access to protected health information, the HIPAA Privacy Rule 
would require that a business associate agreement be in place prior to 
any disclosure of such information to the contractor. See 45 CFR 
164.502(e) and 164.504(e).
    Comment: Some commenters asked that the final rule provide 
clarification regarding the circumstances under which PSOs can disclose 
patient safety work product to other PSOs to aggregate this information 
for patient safety activities purposes.
    Response: Section 3.206(b)(4)(iv) of the final rule permits such 
disclosures, provided the patient safety work product is anonymized by 
removal of the direct identifiers of both providers and patients. Also, 
the final rule permits a PSO to disclose patient safety work product to 
another PSO if authorized by the identified providers as provided in 
Sec.  3.206(b)(3) or in non-identifiable form in accordance with Sec.  
3.206(b)(5). Finally, a provider reporting to a PSO may delegate its 
authority to the PSO to report its patient safety work product to an 
additional PSO, as provided by Sec.  3.206(e).
    Comment: A commenter suggested that a data use agreement be 
required when any information, including individually identifiable 
health information, is being shared through a limited data set.
    Response: If a HIPAA covered entity is sharing a limited data set, 
as defined by the HIPAA Privacy Rule, the covered entity must enter 
into a data use agreement with the recipient of the information. See 45 
CFR 164.504(e). For entities that are not covered by the HIPAA Privacy 
Rule, the final rule does not include such a requirement; however, we 
encourage such parties to engage in these and similar practices to 
further protect patient safety work product.
    Comment: Two commenters asked for clarification in the final rule 
about whether patient safety work product disclosed by a provider to a 
PSO or by a PSO to a provider can identify other providers regardless 
of whether they have also reported to that PSO. One commenter asked if 
the rule requires authorization from all the identified providers 
before this disclosure can be made.
    Response: The final rule at Sec.  3.206(b)(4)(i) allows the 
disclosure of patient safety work product in identifiable form 
reciprocally between the provider and the PSO to which it reports. This 
information can contain information identifying other providers. If the 
patient safety work product is being disclosed between PSOs, between 
unaffiliated providers, or between a PSO and other providers that have 
reported to it, then the information must be anonymized prior to 
disclosure subject to Sec.  3.206(b)(4)(iv)(A) and (B). In addition, if 
a provider or PSO obtains authorizations from all providers identified 
in the patient safety work product, or if the patient safety work 
product is being shared among affiliated providers, then such 
information may be disclosed in identifiable form under Sec.  
3.206(b)(3) and 3.206(b)(4)(iii).
    Comment: Several commenters expressed concern about the 
anonymization requirement at proposed Sec.  3.206(b)(4)(iii)(A) and 
stated that a provider may be identifiable even if the patient safety 
work product is anonymized. One commenter suggested that zip codes 
should be included in the list of identifiers that must be removed from 
the patient safety work product. Other commenters felt that the 
anonymization standard was too strict.
    Response: We believe the anonymization standard in the final rule 
at Sec.  3.206(b)(4)(iv)(A) strikes the appropriate balance between the 
need to protect patient safety work product and the need for broader 
sharing of such information at an aggregate level, outside of the 
direct provider and PSO relationship, to achieve the goals of the 
statute and improve patient safety.
    Comment: We received several comments in response to the questions 
asked in the proposed rule about whether the HIPAA Privacy Rule 
definition of ``health care operations'' should include a specific 
reference to patient safety activities and whether the Privacy Rule 
disclosure permission for health care operations should be modified to 
conform to the disclosure for patient safety activities. These 
commenters expressed overwhelming support for modifying the HIPAA 
Privacy Rule's definition of ``health care operations'' to include such 
a specific reference and to aligning the disclosure permission for 
health care operations with that for patient safety activities. The 
commenters stated that including such specific references would make 
the intersection of both regulations clear, and would encourage patient 
safety discourse among providers and PSOs. One commenter stated that 
there was no need to modify the definition of ``health care 
operations'' because it already unambiguously encompassed patient 
safety activities. No commenters suggested that modifications to the 
Privacy Rule were necessary to address any workability issues.
    Response: OCR will consider these comments and will seek 
opportunity to address them in regulation or in guidance.
(5) Section 3.206(b)(5)--Disclosure of Nonidentifiable Patient Safety 
Work Product
    Proposed Rule: Proposed Sec.  3.206(b)(5) would have permitted the 
disclosure of nonidentifiable patient safety work product if the 
patient safety work product met the standard for nonidentification in 
proposed Sec.  3.212. See section 922(c)(2)(B) of the Public Health 
Service Act, 42 U.S.C. 299b-22(c)(2)(B). As described in proposed Sec.  
3.208(b)(ii), nonidentifiable patient safety work product, once 
disclosed, would no longer be privileged and confidential and thus, 
could be redisclosed by a recipient without any Patient Safety Act 
limitations or liability. Any provider, PSO or responsible person could 
nonidentify patient safety work product. See the discussion regarding 
Sec.  3.212 for more information about the nonidentification standard.
    Overview of Public Comments: We received no comments opposed to 
this proposed provision.
    Final Rule: The final rule adopts the proposed provision.
Response to Other Public Comments
    Comment: One commenter asked that the final rule require data use 
agreements for disclosures of nonidentifiable patient safety work 
product in cases where there is a chance for identification or 
reidentification of provider identities.
    Response: We emphasize that patient safety work product is 
considered nonidentifiable only if either: (1) the statistical method 
at Sec.  3.212(a)(1) is used and there is a very small risk that the 
information could be used, alone or in combination with other 
reasonably available information, by an anticipated recipient to 
identify an identified provider; or (2) the identifiers listed at Sec.  
3.212(a)(2) are stripped and the person making the disclosure does not 
have actual knowledge that the remaining information could be used, 
alone or in combination with other information that is reasonably 
available to the intended recipient, to identify a provider. Thus, the 
commenter should consider whether the information about which it is 
concerned would be nonidentifiable for purposes of this rule. Further, 
while the final rule does not require that the disclosure of 
nonidentifiable patient safety work product be conditioned on

[[Page 70781]]

an agreement between the parties to the disclosure, we note that 
providers, PSOs, and responsible persons are free to contract or enter 
into agreements that place further conditions on the release of patient 
safety work product, including in nonidentifiable form, than required 
by the final rule. See Sec.  3.206(e).
    Comment: Several commenters stated that identifiable information 
about nondisclosing providers should not be disclosed and that adequate 
safeguards should be in place to ensure that information identifying 
nondisclosing providers is not released. These commenters also 
suggested that AHRQ set up a workgroup to evaluate the standards and 
approaches set forth in the proposed rule.
    Response: The nonidentification standard at Sec.  3.212 of the 
final rule addresses the commenters' concern by requiring either that: 
(1) a statistician determine, with respect to information, that the 
risk is very small that the information could be used, alone or in 
combination with other reasonably available information, by an 
anticipated recipient to identify an identified provider; or (2) all of 
the provider-related identifiers listed at Sec.  3.212(a)(2) be removed 
and the provider, PSO, or responsible person making the disclosure not 
have actual knowledge that the information could be used, alone or in 
combination with other information that is reasonably available to the 
intended recipient, to identify the particular provider.
(6) Section 3.206(b)(6)--For Research
    Proposed Rule: Proposed Sec.  3.206(b)(6) would have allowed the 
disclosure of identifiable patient safety work product to entities 
carrying out research, evaluations, or demonstration projects that are 
funded, certified, or otherwise sanctioned by rule or other means by 
the Secretary. See section 922(c)(2)(C) of the Public Health Service 
Act, 42 U.S.C. 299b-22(c)(2)(C). We explained in the proposed rule that 
this disclosure permission was only for research sanctioned by the 
Secretary. We also explained that we expected that most research that 
may be subject to this disclosure permission would be related to the 
methodologies, analytic processes, and interpretation, feedback and 
quality improvement results from PSOs, rather than general medical, or 
even health services, research. Patient safety work product disclosed 
for research under this provision would continue to be confidential and 
privileged.
    Section 922(c)(2)(C) of the Public Health Service Act, 42 U.S.C. 
299b-22(c)(2)(C), requires that patient safety work product which 
identifies patients may only be released to the extent that protected 
health information would be disclosable for research purposes under the 
HIPAA Privacy Rule. We interpreted this provision as requiring HIPAA 
covered entities to ensure any disclosures of patient safety work 
product under this provision that also include protected health 
information comply with the HIPAA Privacy Rule's research provisions. 
Accordingly, the proposal incorporated by reference 45 CFR 164.512(i) 
of the HIPAA Privacy Rule, which generally requires a covered entity to 
obtain documentation of a waiver (or alteration of waiver) of 
authorization by either an Institutional Review Board (IRB) or a 
Privacy Board prior to using or disclosing protected health information 
without the individual's authorization.
    We noted that our interpretation of the statute would not impact 
the disclosure of identifiable patient safety work product by entities 
or persons that are not HIPAA covered entities. We also explained that 
the incorporation by reference of the HIPAA Privacy Rule should provide 
for the proper alignment of disclosures for research purposes under the 
two rules. However, the exception under the Patient Safety Act also 
refers to evaluations and demonstration projects, some of which may not 
meet the definition of research under the HIPAA Privacy Rule because 
they may not result in generalizable knowledge but rather may fall 
within the HIPAA Privacy Rule's definition of ``health care 
operations.'' We stated that, in such cases, HIPAA covered entities 
disclosing patient safety work product that includes protected health 
information under this exception could do so without violation of the 
HIPAA Privacy Rule. See the definition of ``health care operations'' at 
45 CFR 164.501 of the HIPAA Privacy Rule.
    Overview of Public Comments: We received no comments in reference 
to this provision.
    Final Rule: The final rule adopts the proposed provision, except 
that the specific reference to ``45 CFR 164.512(i)'' is deleted. We 
have included only a general reference to the HIPAA Privacy Rule in 
recognition of the fact that disclosures of patient safety work product 
containing protected health information pursuant to this provision 
could be permissible under the HIPAA Privacy Rule under provisions 
other than 45 CFR 164.512(i), such as, for example, disclosures for 
health care operations pursuant to 45 CFR 164.506, or disclosures of a 
limited data set for research purposes pursuant to 45 CFR 164.514(e).
(7) Section 3.206(b)(7)--To the Food and Drug Administration
    Proposed Rule: Section 922(c)(2)(D) of the Public Health Service 
Act, 42 U.S.C. 299b-22(c)(2)(D), permits the disclosure by a provider 
to the Food and Drug Administration (FDA) with respect to a product or 
activity regulated by the FDA. Proposed Sec.  3.206(b)(7) would have 
implemented this provision by permitting providers to disclose patient 
safety work product concerning products or activities regulated by the 
FDA to the FDA or to an entity required to report to the FDA concerning 
the quality, safety, or effectiveness of an FDA-regulated product or 
activity. The proposed rule also would have permitted the sharing of 
patient safety work product between the FDA, entities required to 
report to the FDA, and their contractors concerning the quality, 
safety, or effectiveness of an FDA-regulated product or activity. 
Patient safety work product disclosed pursuant to this disclosure 
permission would continue to be privileged and confidential.
    We specifically sought public comment on our interpretation that 
the statutory language concerning reporting ``to the FDA'' included 
reporting by the provider to persons or entities regulated by the FDA 
and that are required to report to the FDA concerning the quality, 
safety, or effectiveness of an FDA-regulated product or activity. We 
proposed this interpretation to allow providers to report to entities 
that are required to report to the FDA, such as drug manufacturers, 
without violating this rule, and asked if including such language would 
bring about any unintended consequences for providers.
    We further proposed at Sec.  3.206(b)(7)(ii) that the FDA and 
entities required to report to the FDA may only further disclose 
patient safety work product for the purpose of evaluating the quality, 
safety, or effectiveness of that product or activity and such further 
disclosures would only be permitted between the FDA, entities required 
to report to the FDA, their contractors, and the disclosing providers. 
Thus, for example, the FDA or a drug manufacturer receiving adverse 
drug event information that is patient safety work product may engage 
in further communications with the disclosing provider(s), for the 
purpose of evaluating the quality, safety, or effectiveness of the 
particular regulated product or activity, or may work with their 
contractors. Moreover, an entity regulated by the FDA may further 
disclose the information to the FDA. The proposed provision also would

[[Page 70782]]

have prohibited contractors receiving patient safety work product under 
this provision from further disclosing such information, except to the 
entity from which they received the information.
    Finally, we explained that the HIPAA Privacy Rule at 45 CFR 
164.512(b) permits HIPAA covered entities to disclose protected health 
information concerning FDA-regulated activities and products to persons 
responsible for collection of information about the quality, safety, 
and effectiveness of those FDA-regulated activities and products. 
Therefore, disclosures under this exception of patient safety work 
product containing protected health information would be permitted 
under the HIPAA Privacy Rule.
    Overview of Public Comments: We received general support in the 
public comments for the express reference to FDA-regulated entities 
within this disclosure permission; only one commenter opposed this 
provision. Some commenters asked that the final rule provide examples 
of the types of disclosures that might occur to FDA-regulated entities, 
and one commenter suggested that if such disclosures are permitted, the 
final rule should include a comprehensive list of acceptable 
disclosures to these entities. Another commenter noted that if 
disclosures to FDA-regulated entities are permitted under this 
disclosure permission, the final rule should limit the use of patient 
safety work product to the purposes stated in the statute and should 
prohibit the use of this information for marketing purposes. No 
commenters identified any unintended consequences of including FDA-
regulated entities within the disclosure permission.
    Final Rule: The final rule adopts the provisions of the proposed 
rule at Sec.  3.206(b)(7), including the express reference to FDA-
regulated entities. We also modify the title of the provision to 
reflect that disclosures to such entities are encompassed within the 
disclosure permission. As explained in the proposed rule, we believe 
including FDA-regulated entities within the scope of the disclosure 
permission is consistent with both the rule of construction in the 
statute which preserves required reporting to the FDA, as well as the 
goals of the statute which are to improve patient safety. See section 
922(g)(6) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(6). In 
addition, the final rule includes modifications to more clearly 
indicate who can receive patient safety work product under this 
provision, as well as what further disclosures may be made of such 
information. Specifically, Sec.  3.206(b)(7)(i) now makes clear that a 
provider may disclose patient safety work product concerning an FDA-
regulated product or activity to the FDA, an entity required to report 
to the FDA concerning the quality, safety, or effectiveness of an FDA-
regulated product or activity, or a contractor acting on behalf of FDA 
or such entity for these purposes. Further, Sec.  3.206(b)(7)(ii) 
clarifies that the FDA, its regulated entity entitled to receive 
information under this provision, and their contractors may share 
patient safety work product received under this provision for the 
purpose of evaluating the quality, safety, or effectiveness of that 
product or activity among themselves, as well as with the disclosing 
provider.
    We do not include a comprehensive list of acceptable disclosures to 
FDA-regulated entities as it would be impractical to do so. As we 
explained in the proposed rule, drug, device, and biological product 
manufacturers are required to report adverse experiences to the FDA and 
currently rely on voluntary reports from product users, including 
providers. Further, the analysis of events by a provider or PSO that 
constitutes patient safety work product may generate information that 
should be reported to the FDA or FDA-regulated entity because it 
relates to the safety or effectiveness of an FDA-regulated product or 
activity. This provision allows providers to report such information 
without violating the confidentiality provisions of the statute or 
rule. However, we emphasize that, despite this disclosure permission, 
we expect that most reporting to the FDA and its regulated entities 
will be done with information that is not patient safety work product, 
as is done today. This disclosure permission is intended to allow for 
reporting to the FDA or FDA-regulated entity in those special cases 
where, only after an analysis of patient safety work product, does a 
provider realize it should make a report. As in the proposed rule, 
patient safety work product disclosed pursuant to this provision 
remains privileged and confidential.
Response to Other Public Comments
    Comment: Five commenters asked that the final rule allow PSOs as 
well as providers to disclose or report patient safety work product to 
the FDA or to an entity that is required to report to the FDA.
    Response: We do not modify the provision as there is no statutory 
authority to allow PSOs to report patient safety work product to the 
FDA or to an entity required to report to the FDA. However, the statute 
does permit providers to report patient safety work product to the FDA 
or to an entity required to report to the FDA.
    Comment: One commenter asked for clarification as to whether lot 
numbers and device identifiers and serial numbers may be reported to 
the FDA under this disclosure permission.
    Response: Section 3.206(b)(7) would allow such information 
contained within patient safety work product to be reported to FDA 
provided it concerned an FDA-regulated product or activity.
(8) Section 3.206(b)(8)--Voluntary Disclosure to an Accrediting Body
    Proposed Rule: Proposed Sec.  3.206(b)(8) would have permitted the 
voluntary disclosure of identifiable patient safety work product by a 
provider to an accrediting body that accredits that disclosing 
provider. See section 922(c)(2)(E) of the Public Health Service Act, 42 
U.S.C. 299b-22(c)(2)(E). Patient safety work product disclosed pursuant 
to this proposed exception would remain privileged and confidential.
    This provision would have allowed a provider to disclose patient 
safety work product that identifies that disclosing provider. Further, 
the proposed rule would not have required that patient safety work 
product be nonidentifiable as to nondisclosing providers. The proposed 
rule specifically sought public comment on whether patient safety work 
product should be anonymized with respect to nondisclosing providers 
prior to disclosure to an accrediting body under this provision.
    The proposed rule also provided that an accrediting body could not 
take an accreditation action against a provider based on that 
provider's participation, in good faith, in the collection, reporting 
or development of patient safety work product. It also would have 
prohibited accrediting bodies from requiring a provider to reveal its 
communications with any PSO.
    Overview of Public Comments: Several commenters responded to the 
question of whether the final rule should require the anonymization of 
patient safety work product with respect to nondisclosing providers, 
all of which supported such a requirement. Another commenter noted that 
the final rule should expressly prohibit accrediting bodies from taking 
accreditation actions against nondisclosing providers based upon the 
patient safety work product reported to them by disclosing providers.
    Final Rule: In light of the comments received, the final rule 
modifies the proposed provision at Sec.  3.206(b)(8) to condition the 
voluntary disclosure by a provider of patient safety work product

[[Page 70783]]

to an accrediting body that accredits the provider on either: (1) the 
agreement of the nondisclosing providers to the disclosure; or (2) the 
anonymization of the patient safety work product with respect to any 
nondisclosing providers identified in the patient safety work product, 
by removal of the direct identifiers listed at Sec.  
3.206(b)(4)(iv)(A). Direct identifiers of the disclosing providers do 
not need to be removed. We also note that the final rule does not 
prescribe the form of the agreement obtained from non-disclosing 
providers. Providers are free to design their own policies for 
obtaining such agreements. Some institutional providers may, for 
example, make it a condition of employment or privileges that providers 
agree to the disclosure of patient safety work product to accrediting 
bodies. In addition, unlike the provision at Sec.  3.206(b)(3) of the 
final rule, with respect to any of the non-disclosing providers 
identified in the patient safety work product, the disclosing provider 
need either obtain the provider's agreement or anonymize the provider's 
information.
Response to Other Public Comments
    Comment: Several commenters stated that they did not support this 
disclosure permission allowing voluntary disclosures of patient safety 
work product to accrediting bodies due to possible unintended 
consequences of these disclosures. Another commenter asked that we be 
aware of punitive actions by regulatory organizations as a result of 
voluntary disclosures to accrediting bodies and monitor this process 
carefully for any unintended consequences.
    Response: The disclosure permission allowing providers to 
voluntarily disclose patient safety work product to accrediting bodies 
is prescribed by the statute and thus, is included in this final rule. 
However, as described above, the final rule requires either 
anonymization or agreement with respect to non-disclosing providers as 
a condition of the disclosure. This provision, along with the express 
prohibition at Sec.  3.206(b)(8)(iii) on an accrediting body taking an 
accrediting action against a provider based on a good faith 
participation of the provider in the collection, development, 
reporting, or maintenance of patient safety work product should 
alleviate commenter concerns.
    Comment: One commenter asked if the regulation allowed accrediting 
bodies to disclose patient safety work product to CMS as part of a 
commitment to advise CMS of adverse accreditation decisions.
    Response: The final rule prohibits accrediting bodies from further 
disclosing patient safety work product they have voluntarily received 
from providers under Sec.  3.206(b)(8).
    Comment: One commenter asked if survey and licensure bodies were 
considered to be accrediting bodies and thus, precluded from taking 
action against providers who voluntarily submit patient safety work 
product to them.
    Response: Survey and licensure bodies are not accrediting bodies 
and are not treated as such under this provision. Thus, such entities 
are not entitled to receive patient safety work product voluntarily 
from providers under this provision.
    Comment: Two commenters expressed concern about this disclosure 
permission for accrediting bodies that create component PSOs. One 
commenter stated that allowing accrediting bodies to create component 
PSOs creates a potential conflict of interest that may adversely affect 
provider organizations. If an accrediting body's component organization 
is a PSO, the commenter asked how OCR will determine whether the 
component organization improperly disclosed information or whether the 
accrediting body received the information voluntarily from a provider.
    Response: Providers are free to choose the PSOs with which they 
want to work. We expect that any selection by a provider will involve a 
thorough vetting and consideration of a number of factors, including 
whether the PSO is a component of an accrediting body and if so, what 
assurances are in place to protect against improper access by the 
accrediting body to patient safety work product. Component 
organizations have clear requirements to maintain patient safety work 
product separately from parent organizations. Further, the final rule 
recognizes that a disclosure from a component organization to a parent 
organization is a disclosure which must be made pursuant to one of the 
permissions set forth in the statute and here; disclosures for which 
there is no permission are subject to enforcement by the Department and 
imposition of civil money penalties, and may also adversely affect 
the PSO's continued listing by the Secretary as a PSO. Should OCR 
receive a complaint or conduct a compliance review that implicates an 
impermissible disclosure by a component PSO of an accrediting body, OCR 
will investigate and review the particular facts and circumstances 
surrounding the alleged impermissible disclosure, including, if 
appropriate, whether the accrediting body received the patient safety 
work product directly from a provider pursuant to Sec.  3.206(b)(8).
    Comment: One commenter asked that the final rule allow accrediting 
bodies to use voluntarily reported patient safety work product in 
accreditation decisions, or that the final rule give accrediting bodies 
immunity from liability that might arise from their failure to take 
this patient safety work product into account in their accreditation 
decisions. This commenter also stated that, since accrediting bodies 
cannot take action based on information voluntarily disclosed pursuant 
to this provision, the final rule should make clear that accrediting 
bodies cannot be held responsible for decisions that might have been 
different if the accrediting body had been able to act based on the 
patient safety work product received.
    Response: We clarify that the final rule, as the proposed rule, 
does not prohibit an accrediting body from using patient safety work 
product voluntarily reported by a provider pursuant to this provision 
in its accreditation decisions with respect to that provider. Thus, it 
is neither necessary nor appropriate for the Secretary to give 
accrediting bodies immunity from liability. However, an accrediting 
body may not require a provider to disclose patient safety work 
product, or take an accrediting action against a provider who refuses 
to disclose patient safety work product, to the accrediting body. See 
section 922(d)(4)(B) of the Public Health Service Act, 42 U.S.C. 299b-
22(d)(4)(B), and Sec.  3.206(b)(8)(iii), which expressly prohibits an 
accrediting body from taking an accrediting action against a provider 
based on the good faith participation of the provider in the 
collection, development, reporting, or maintenance of patient safety 
work product in accordance with the statute.
    Comment: One commenter asked if the limitation on redisclosure of 
voluntarily reported patient safety work product received by an 
accrediting body applies if the information sent to the accrediting 
body was not patient safety work product at the time the accrediting 
body received the information, but was later reported by the provider 
to a PSO and became protected.
    Response: If the information submitted to an accrediting body was 
not patient safety work product as defined at Sec.  3.20 at the time it 
was reported, then Sec.  3.206(b)(8), including the redisclosure 
limitation, does not apply to such information.
    Comment: One commenter asked that the final rule clarify that the 
disclosure of patient safety work product to an accrediting body is 
voluntary.

[[Page 70784]]

    Response: Section 3.208(b)(8) expressly provides only for the 
voluntary reporting of patient safety work product, provided the 
conditions are met. We do not see a need for further clarification.
(9) Section 3.206(b)(9)--Business Operations
    Proposed Rule: Proposed Sec.  3.206(b)(9) would have allowed 
disclosures of patient safety work product by a provider or a PSO to 
professionals such as attorneys and accountants for the business 
operations purposes of the provider or PSO. See section 922(c)(2)(F) of 
the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(F). Under the 
proposed rule, such contractors could not further disclose patient 
safety work product, except to the entity from which it received the 
information. However, the proposed rule made clear that a provider or 
PSO still would have had the authority to delegate its power to the 
contractor to make other disclosures. In addition, the proposed rule 
provided that any patient safety work product disclosed pursuant to 
this provision continued to be privileged and confidential.
    The Patient Safety Act gives the Secretary authority to designate 
additional exceptions as necessary business operations that are 
consistent with the goals of the statute. The proposed rule sought 
public comment regarding whether there are any other consultants or 
contractors, to whom a business operations disclosure should also be 
permitted, or whether the Secretary should consider any additional 
exceptions under this authority. The proposed rule noted that the 
Secretary would designate additional exceptions only through 
regulation; however, it asked if other mechanisms for the adoption of 
business operations exceptions should be adopted or incorporated.
    The proposed rule also explained that a business operations 
designation by the Secretary that enables a HIPAA covered entity to 
disclose patient safety work product containing protected health 
information to professionals is permissible as a health care operations 
disclosure under the HIPAA Privacy Rule. See 45 CFR 164.506. Generally, 
such professionals will be business associates of the covered entity, 
which will require that a business associate agreement be in place. See 
45 CFR 160.103, 164.502(e), and 164.504(e).
    Overview of Public Comments: Several commenters expressed general 
support for the business operations disclosures to attorneys, 
accountants, and other professionals in the proposed rule. We also 
received several responses to the question asking if the final rule 
should allow for any additional disclosures under the business 
operations provision. Three commenters stated that the final rule 
should not include any additional business operations disclosures. 
Others asked that the business operations disclosure permission be 
broad enough to encompass all the activities defined as ``health care 
operations'' in the HIPAA Privacy Rule, which would then include 
disclosures to entities such as photocopy shops, document storage 
services, shredding companies, IT support companies, and other entities 
involved in a PSO's management or administration. Other commenters 
suggested that disclosures of patient safety work product to 
independent contractors, professional liability insurance companies, 
captives, and risk retention groups be included as disclosures for 
business operations under this provision in the final rule.
    All commenters responding to the question about how the Secretary 
should adopt additional business operations stated that additional 
business operations should be adopted only through the rulemaking 
process.
    Final Rule: The final rule adopts the proposed provision, allowing 
disclosure of patient safety work product by a provider or a PSO for 
business operations to attorneys, accountants, and other professionals. 
The final rule allows disclosure of patient safety work product to 
these professionals who are bound by legal and ethical duties to 
maintain the confidence of their clients and the confidentiality of 
client information, including patient safety work product. These 
professionals will provide a broad array of services to and functions 
for the providers and PSOs with whom they are contracted and will need 
access to patient safety work product to perform their duties. We are 
not persuaded by the comments of a need to expand, at this time, the 
disclosure permission to encompass other categories of persons or 
entities. However, as described in the proposed rule, should the 
Secretary seek in the future to designate additional business 
operations exceptions to be encompassed within this disclosure 
permission, he will do so through regulation to provide adequate 
opportunity for public comment.
    With respect to many of the other entities identified by the 
commenters, we note that, to the extent the services provided by such 
entities are necessary for the maintenance of patient safety work 
product or the operation of a patient safety evaluation system, or 
otherwise support activities included in the definition of ``patient 
safety activities'' at Sec.  3.20 of this rule, these disclosures may 
be made to such contractors pursuant to Sec.  3.206(b)(4)(ii).
Response to Other Public Comments
    Comment: Two commenters suggested that the final rule include a 
requirement for a contract between providers or PSOs and their 
attorneys, accountants, and other professionals to whom patient safety 
work product will be disclosed as a business operation.
    Response: We do not require a contract as a condition of disclosure 
in the final rule. However, we agree that a contract between these 
parties is a prudent business practice and expect that parties will 
enter into appropriate agreements to ensure patient safety work product 
remains protected. Further, where HIPAA covered entities are concerned, 
we note that the HIPAA Privacy Rule requires that such entities have a 
business associate agreement in place with professionals providing 
services that require access to protected health information.
(10) Section 3.206(b)(10)--Disclosure to Law Enforcement
    Proposed Rule: Proposed Sec.  3.206(b)(10) would have permitted the 
disclosure of identifiable patient safety work product to law 
enforcement authorities, so long as the person making the disclosure 
believes--and that belief is reasonable under the circumstances--that 
the patient safety work product disclosed relates to a crime and is 
necessary for criminal law enforcement purposes. See section 
922(c)(2)(G) of the Public Health Service Act, 42 U.S.C. 299b-
22(c)(2)(G). The proposed rule provided that patient safety work 
product disclosed under this provision would remain privileged and 
confidential.
    The proposed rule also provided that the law enforcement entity 
receiving the patient safety work product could use the patient safety 
work product to pursue any law enforcement purposes; however, the 
recipient law enforcement entity could only redisclose the information 
to other law enforcement authorities as needed for law enforcement 
activities related to the event that necessitated the original 
disclosure. The proposed rule sought comment regarding whether these 
provisions would allow for legitimate law enforcement needs, while 
ensuring appropriate protections.
    Overview of Public Comments: Commenters responding to the question 
in the proposed rule regarding whether this disclosure permission would 
allow

[[Page 70785]]

for legitimate law enforcement needs while ensuring that information 
remain appropriately protected stated that the proposed disclosure 
permission was appropriate and did permit legitimate disclosures to law 
enforcement.
    Final Rule: The final rule adopts the proposed provision with 
slight modification for purposes of clarification only. We add the word 
``only'' to the final rule to clarify that law enforcement receiving 
patient safety work product pursuant to this exception may only further 
disclose this information to other law enforcement authorities as 
needed for law enforcement activities related to the event that gave 
rise to the original disclosure.
Response to Other Public Comments
    Comment: Two commenters suggested that the statutory standard of 
reasonable belief was vague and that clarity was needed to reduce the 
uncertainty of disclosures and to further define what could constitute 
a reasonable belief. Another commenter noted that the phrase ``relates 
to a crime and is necessary for criminal law enforcement purposes'' is 
too broad and leaves too much discretion to entities such as PSOs.
    Response: The final rule provision at Sec.  3.206(b)(10) generally 
repeats the statutory provision upon which it is based, which provides 
that the disclosure of patient safety work product be permitted if it 
relates to the commission of a crime and the person making the 
disclosure believes, reasonably under the circumstances, that the 
patient safety work product is necessary for criminal law enforcement 
purposes. See section 922(c)(2)(G) of the Public Health Service Act, 42 
U.S.C. 299b-22(c)(2)(G).
    Comment: One commenter expressed concern regarding the redisclosure 
of patient safety work product to law enforcement under this disclosure 
permission. The commenter stated that there could be successive 
disclosures of protected information to law enforcement without 
consideration of whether there is a reasonable belief that the 
redisclosure is necessary for criminal law enforcement purposes. 
Another commenter recommended that this disclosure permission should 
expressly prohibit patient safety work product from being used against 
patients who are identified in the patient safety work product but who 
are not the subject of the criminal act for which the information was 
originally disclosed.
    Response: We believe Sec.  3.206(b)(10) addresses the commenters' 
concerns by expressly limiting law enforcement's redisclosure of 
patient safety work product received pursuant to the provision to other 
law enforcement authorities as needed for law enforcement activities 
related to the event that gave rise to the initial disclosure. Thus, 
law enforcement is not permitted to further disclose the patient safety 
work product for the enforcement of a crime unrelated to the crime for 
which the patient safety work product was originally disclosed to the 
law enforcement entity.
    Comment: One commenter stated that the proposed rule represented an 
expansion of the statutory language because it allowed persons to 
disclose patient safety work product to law enforcement entities in the 
absence of an active law enforcement investigation and in the absence 
of a request for this information by law enforcement.
    Response: The statute does not require that a law enforcement 
entity be involved in an active investigation or that a law enforcement 
entity request information prior to a person making a disclosure of 
patient safety work product to a law enforcement entity pursuant to 
this disclosure permission. See section 922(c)(2)(G) of the Public Health 
Service Act, 42 U.S.C. 299b-22(c)(2)(G).

(C) Section 3.206(c)--Safe Harbor

    Proposed Rule: Proposed Sec.  3.206(c) would have prohibited the 
disclosure of a subject provider's identity with information, whether 
oral or written, that: (1) assesses that provider's quality of care; or 
(2) identifies specific acts attributable to such provider. See section 
922(c)(2)(H) of the Public Health Service Act, 42 U.S.C. 299b-
22(c)(2)(H). This provision would have been only applicable to 
providers. Patient safety work product disclosed under this exception 
could identify providers, reporters or patients so long as the 
provider(s) that were the subject of the actions described were 
nonidentified. The proposed rule would have required that 
nonidentification be accomplished in accordance with the 
nonidentification standard set forth in proposed Sec.  3.212.
    Overview of Public Comments: We received no comments opposed to 
this provision.
    Final Rule: The final rule adopts the proposed provision.
Response to Other Public Comments
    Comment: Several commenters suggested that the safe harbor 
provision be extended to PSOs as well as providers. One commenter noted 
that there was no reason to exclude PSOs from this provision and 
including PSOs would provide them with the same leeway for inadvertent 
disclosures of patient safety work product as providers.
    Response: The statute expressly limits the safe harbor provision to 
providers. Therefore, we do not have the authority to extend this 
provision to PSOs.

(D) Section 3.206(d)--Implementation and Enforcement of the Patient 
Safety Act

    Proposed Rule: Proposed Sec.  3.206(d) would have permitted the 
disclosure of relevant patient safety work product to or by the 
Secretary as needed for investigating or determining compliance with or 
to seek or impose civil money penalties with respect to this Part or 
for making or supporting PSO certification or listing decisions, under 
the Patient Safety Act. Patient safety work product disclosed under 
this exception would remain confidential.
    Overview of Public Comments: We received no comments in reference 
to this provision.
    Final Rule: Consistent with the changes made to Sec.  3.204(c) with 
respect to privilege, the final rule adopts the proposed provision, but 
expands it to expressly provide that patient safety work product also 
may be disclosed to or by the Secretary as needed to investigate or 
determine compliance with or to impose a civil money penalty under the 
HIPAA Privacy Rule. This new language implements the statutory 
provision at section 922(g)(3) of the Public Health Service Act, 42 
U.S.C. 299b-22(g)(3), which makes clear that the Patient Safety Act is 
not intended to affect implementation of the HIPAA Privacy Rule. As in 
the privilege context, given the significant potential for an alleged 
impermissible disclosure to implicate both this rule's confidentiality 
provisions, as well as the HIPAA Privacy Rule, the Secretary may 
require access to confidential patient safety work product for purposes 
of determining compliance with the HIPAA Privacy Rule. The Secretary 
will use such information consistent with the statutory prohibition 
against imposing civil money penalties under both authorities for the 
same act.
    With respect to this rule, the final rule, as in the proposed rule, 
makes clear that disclosures of patient safety work product to or by 
the Secretary are permitted to investigate or determine compliance with 
this rule, or to make or support decisions with respect to listing of a 
PSO. This may include access to and disclosure of patient safety work 
product to enforce the confidentiality provisions of the rule, to make 
or support decisions regarding the

[[Page 70786]]

acceptance of certification and listing as a PSO, or to revoke such 
acceptance and to delist a PSO, or to assess or verify PSO compliance 
with the rule.
Response to Other Public Comments
    Comment: Several commenters asked the Secretary to use judicious 
restraint when requesting patient safety work product for compliance 
and enforcement activities. Some of these commenters also asked that 
the Secretary reserve his full enforcement power for only the most 
egregious violations of the confidentiality provisions.
    Response: We acknowledge the commenters' concerns regarding the 
disclosure of patient safety work product for enforcement purposes. As 
we explained in the proposed rule, we strongly believe in the 
protection of patient safety work product as provided by the Patient 
Safety Act. However, confidentiality protections are meaningless 
without the ability to enforce breaches of the protections, 
investigations of which may require access to confidential patient 
safety work product. Further, Sec.  3.310 of the final rule provides 
the Secretary with authority to obtain access to only that patient 
safety work product and other information that is pertinent to 
ascertaining compliance with the rule's confidentiality provisions.
    Also, as we explained in the proposed rule, we will seek to 
minimize the risk of improper disclosure of patient safety work product 
by using and disclosing patient safety work product only in limited and 
necessary circumstances, and by limiting the amount of patient safety 
work product disclosed to that necessary to accomplish the purpose. 
Further, Sec.  3.312 of the final rule expressly prohibits the 
Secretary from disclosing identifiable patient safety work product 
obtained by the Secretary in connection with an investigation or 
compliance review except as permitted by Sec.  3.206(d) for compliance 
and enforcement or as otherwise permitted by the rule or the Patient 
Safety Act.
    See the discussion of the provisions of Subpart D of the final rule 
for more information on how the Secretary may exercise discretion in 
enforcement.

(E) Section 3.206(e)--No Limitation on Authority To Limit or Delegate 
Disclosure or Use

    Proposed Rule: Proposed Sec.  3.206(e) would have established that 
a person holding patient safety work product may enter into a contract 
that requires greater confidentiality protections or may delegate its 
authority to make a disclosure in accordance with this Subpart. Neither 
the statute nor the proposed rule limited the authority of a provider 
to place limitations on disclosures or uses.
    Overview of Public Comments: We received no comments opposed to 
this provision.
    Final Rule: The final rule adopts the proposed provision.
Response to Other Public Comments
    Comment: One commenter suggested that providers and PSOs should not 
be able to enter into agreements that would prohibit the disclosure of 
patient safety work product to report a crime or to comply with state 
reporting requirements.
    Response: The Patient Safety Act expressly provides that it does 
not preempt or otherwise affect any State law requiring a provider to 
report information that is not patient safety work product. See section 
922(g)(5) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(5). 
Further, patient safety work product does not include original medical 
and other records. Thus, nothing in the final rule or the statute 
relieves a provider from his or her obligation to disclose information 
from such original records or other information that is not patient 
safety work product to comply with state reporting or other laws. 
Moreover, the final rule at Sec.  3.206(b)(10)(i) permits providers and 
PSOs to disclose patient safety work product to report a crime to a law 
enforcement authority provided that the disclosing person reasonably 
believes that the patient safety work product that is disclosed is 
necessary for criminal law enforcement purposes. However, the 
Department cannot, through this rule, prevent such agreements because 
the Patient Safety Act, at section 922(g)(4) of the Public Health 
Service Act, 42 U.S.C. 299b-22(g)(4), specifically provides that the 
Act cannot be construed ``to limit the authority of any provider, 
patient safety organization, or other entity to enter into a contract 
requiring greater confidentiality'' than that provided under the Act.
3. Section 3.208--Continued Protection of Patient Safety Work Product
    Proposed Rule: Proposed Sec.  3.208 provided that the privilege and 
confidentiality protections would continue to apply to patient safety 
work product following disclosure and also described the narrow 
circumstances when the protections terminate. See section 922(d) of the 
Public Health Service Act, 42 U.S.C. 299b-22(d). In particular, the 
proposed rule would have provided two exceptions to the continued 
protection of patient safety work product. The first was an exception 
to continued confidentiality protection when patient safety work 
product is disclosed for use in a criminal proceeding, pursuant to 
Sec.  3.206(b)(1). See section 922(d)(2)(A), 42 U.S.C. 299b-
22(d)(2)(A). The second exception to continued protection was in 
circumstances where patient safety work product is disclosed in 
nonidentifiable form, pursuant to Sec. Sec.  3.204(b)(4) and 
3.206(b)(5). See section 922(d)(2)(B), 42 U.S.C. 299b-22(d)(2)(B).
    The proposed rule would not have required the labeling of 
information as patient safety work product or that disclosure of 
patient safety work product be accompanied by a notice as to either the 
fact that the information disclosed is patient safety work product or 
that it is confidential. The proposed rule did acknowledge that both 
practices may be prudent business practices.
    Overview of Public Comments: We received several comments 
suggesting that the final rule require that patient safety work product 
be labeled as such or that a recipient of patient safety work product 
be given notice of the protected status of the information received. 
Commenters suggested that putting recipients of patient safety work 
product on notice about the sensitive and confidential nature of the 
information would assure and encourage appropriate treatment of this 
information.
    Final Rule: The final rule adopts this proposed provision but does 
not require that patient safety work product be labeled or that 
disclosing parties provide recipients of patient safety work product 
with notice that they are receiving protected information. We believe 
imposing a labeling or notice requirement would be overly burdensome on 
entities. We do, however, expect providers, PSOs, and responsible 
persons holding patient safety work product to treat and safeguard such 
sensitive information appropriately and encourage such persons to 
consider whether labeling or notice may be an appropriate safeguard in 
certain circumstances. Further, we note that the final rule provides 
that information that is documented as within a patient safety 
evaluation system for reporting to a PSO is patient safety work 
product. In addition, the final rule allows patient safety work product 
to be removed from a patient safety evaluation system and no longer 
considered patient safety work product if it has not yet been reported 
to a PSO and its removal is documented. See the definition of ``patient 
safety work product'' at Sec.  3.20. These 
documentation provisions may assist in identifying, and putting persons 
on notice as to, what is and is not protected information.
Response to Other Public Comments
    Comment: With respect to Sec. Sec.  3.206(b)(2), 3.206(b)(3), 
3.206(b)(8), 3.206(b)(9), and 3.206(b)(10), commenters asked that the 
final rule emphasize the fact that subsequent holders of patient safety 
work product are subject to the privilege and confidentiality 
provisions when they receive the patient safety work product pursuant 
to a privilege or confidentiality exception and that this patient 
safety work product cannot be subpoenaed, ordered, or entered into 
evidence in a civil or criminal proceeding through any of these 
exceptions.
    Response: Section 3.208 makes clear that, with limited exceptions, 
patient safety work product continues to be privileged and confidential 
upon disclosure.
    Comment: One commenter expressed concern over the proposed rule's 
statement that an impermissible disclosure of patient safety work 
product, even if unintentional, does not terminate the confidentiality 
of the information and that individuals and entities receiving this 
patient safety work product may be subject to civil money penalties. 
The commenter stated that the applicability of this broad statement to 
third and fourth party recipients of patient safety work product could 
violate the First Amendment and expressed concern with the possibility 
that the Secretary would seek to impose a civil money penalty upon a 
newspaper for printing patient safety information.
    Response: Section 3.208 implements the statutory provision that 
patient safety work product continues to be privileged and confidential 
upon disclosure, including when in the possession of the person to whom 
the disclosure was made. See section 922(d) of the Public Health 
Service Act, 42 U.S.C. 299b-22(d). To encourage provider reporting of 
sensitive patient safety information, Congress saw a need for strong 
privilege and confidentiality protections that continue to apply 
downstream even after disclosure, regardless of who holds the 
information. With respect to the commenter's concern regarding 
``unintentional'' disclosures, we note that the Secretary has 
discretion to elect not to impose civil money penalties for an 
impermissible disclosure of patient safety work product, in appropriate 
circumstances. Thus, if it is determined, through a complaint 
investigation or a compliance review, that an impermissible disclosure 
of patient safety work product has been made, the Secretary will 
examine each situation based on the individual circumstances and make 
an appropriate determination about whether to impose a civil money 
penalty. See the discussion regarding Subpart D of this final rule for 
a more extensive discussion of the Secretary's enforcement discretion. 
Finally, with respect to the commenter's First Amendment concerns, we 
do not believe the confidentiality provisions afforded to patient 
safety work product in the statute and the rule contravene the First 
Amendment.
4. Section 3.210--Required Disclosure of Patient Safety Work Product to 
the Secretary
    Proposed Rule: Proposed Sec.  3.210 would have required providers, 
PSOs, and other persons holding patient safety work product to disclose 
such information to the Secretary upon a determination by the Secretary 
that such patient safety work product is needed for the investigation 
and enforcement activities related to this Part, or is needed in 
seeking and imposing civil money penalties.
    Overview of Public Comments: We received no comments opposed to 
this provision.
    Final Rule: The final rule adopts the proposed provision but 
expands it to encompass disclosures of patient safety work product 
needed for investigation and enforcement activities with respect to the 
HIPAA Privacy Rule, consistent with changes made to Sec. Sec.  3.204(c) 
and 3.206(d). As in the proposed rule, the final rule makes clear that, 
with respect to this rule, providers, PSOs, and responsible persons 
must disclose patient safety work product to the Secretary upon request 
when needed to investigate or determine compliance with this rule, or 
to make or support decisions with respect to listing of a PSO. This may 
include disclosure of patient safety work product to the Secretary as 
necessary to enforce the confidentiality provisions of the rule, to 
make or support decisions regarding the acceptance of certification and 
listing as a PSO, or to revoke such acceptance and to delist a PSO, or 
to assess or verify PSO compliance with the rule.
Response to Other Public Comments
    Comment: Several commenters suggested that disclosures to the 
Secretary be limited to only the patient safety work product that is 
needed for the Secretary's activities.
    Response: Section 3.210 requires disclosure of patient safety work 
product only in those cases where the Secretary has determined that 
such information is needed for compliance or enforcement of this rule 
or the HIPAA Privacy Rule or for PSO certification or listing. Further, 
during an investigation or compliance review, Sec.  3.310(c) requires a 
respondent to provide the Secretary with access to only that 
information, including patient safety work product, that is pertinent 
to ascertaining compliance with this rule.
5. Section 3.212--Nonidentification of Patient Safety Work Product
    Proposed Rule: Proposed Sec.  3.212 would have established the 
standard by which patient safety work product would be rendered 
nonidentifiable, implementing section 922(c)(2)(B) of the Public Health 
Service Act, 42 U.S.C. 299b-22(c)(2)(B). Under the Patient Safety Act 
and this Part, identifiable patient safety work product includes 
information that identifies any provider or reporter or contains 
individually identifiable health information under the HIPAA Privacy 
Rule (see 45 CFR 160.103). See section 921(2) of the Public Health 
Service Act, 42 U.S.C. 299b-21(2). By contrast, nonidentifiable patient 
safety work product does not include information that permits 
identification of any provider, reporter or subject of individually 
identifiable health information. See section 921(3) of the Public 
Health Service Act, 42 U.S.C. 299b-21(3).
    The proposed rule explained that because individually identifiable 
health information as defined in the HIPAA Privacy Rule is one element 
of identifiable patient safety work product, the de-identification 
standard provided in the HIPAA Privacy Rule would apply with respect to 
the patient-identifiable information in the patient safety work 
product. Therefore, where patient safety work product contained 
individually identifiable health information, the proposal would have 
required that the information be de-identified in accordance with 45 
CFR 164.514(a)-(c) to qualify as nonidentifiable patient safety work 
product with respect to individually identifiable health information 
under the Patient Safety Act.
    Further, with respect to providers and reporters, the proposal 
imported and adapted the HIPAA Privacy Rule's standards for de-
identification. In particular, the proposal included two methods by 
which nonidentification could be accomplished: (1) A statistical method 
of nonidentification and (2) the removal of 15 specified categories of 
direct identifiers of providers or reporters and of parties related to 
the providers and reporters, including 
corporate parents, subsidiaries, practice partners, employers, 
workforce members, or household members, and that the discloser have no 
actual knowledge that the remaining information, alone or in 
combination with other information reasonably available to the intended 
recipient, could be used to identify any provider or reporter, i.e., a 
contextual nonidentification standard. In addition, the proposal would 
have permitted a provider, PSO, or other disclosing entity or person to 
assign a code or other means of record identification to allow 
information made nonidentifiable to be re-identified by the disclosing 
person, provided certain conditions were met.
    The proposal specifically invited comment on the proposed standards 
and approaches and asked whether it would be possible to include any 
geographical identifiers, and if so, at what level of detail (state, 
county, zip code). We also requested comment regarding whether there 
were alternative approaches to standards for entities determining when 
health information could reasonably be considered nonidentifiable.
    Overview of Public Comments: We received a variety of comments 
addressing the nonidentification standard. One commenter supported the 
proposed methodologies for nonidentification, while several commenters 
expressed concern that the nonidentification standard was too strict 
and rendered patient safety work product useless to its recipients. One 
commenter was concerned that imposing an inflexible, stringent 
nonidentification standard would impede the future disclosures of 
aggregated patient safety information that the commenter currently 
makes. Some of these commenters proposed alternatives to the proposed 
nonidentification standard, such as considering information 
nonidentified even if it contains dates of treatment and geographic 
identifiers as long as data of a certain threshold number of providers 
was aggregated or eliminating the nonidentification standard entirely 
and applying a less stringent anonymization standard. In contrast, 
several other commenters expressed concern that the nonidentification 
standard was too flexible, was inadequate to truly nonidentify 
information and protect provider identities, and could be too easily 
reverse engineered.
    Final Rule: The final rule adopts this proposed provision with only 
a minor technical change to incorporate by reference the direct 
identifiers listed at Sec.  3.206(b)(4)(iv)(A) of the anonymization 
standard, as appropriate, to eliminate unnecessary duplication of such 
elements in the regulatory text. Therefore, persons wishing to 
nonidentify patient safety work product must remove the direct 
identifiers listed in the anonymization standard at Sec.  
3.206(b)(4)(iv)(A)(1) through (13), as well as any additional 
geographic subdivisions smaller than a State that are not required to 
be removed by Sec.  3.206(b)(4)(A)(2), e.g., town or city, all elements 
of dates (except year) that are directly related to a patient safety 
incident or event, and any other unique identifying number, 
characteristic, or code (except as permitted for reidentification). We 
were not persuaded by commenters that changes to the standard were 
necessary, especially given the lack of consensus among commenters as 
to whether the standard was too stringent or not stringent enough. 
Further, commenters did not offer suggestions as to potential 
alternative approaches to nonidentification. Additionally, because this 
rule's nonidentification standard with respect to providers and 
reporters is adapted from the HIPAA Privacy Rule's de-identification 
standard and, with respect to individuals, incorporates the HIPAA 
Privacy Rule's de-identification standard, this approach minimizes 
complexity and burden for entities that are subject to both regulatory 
schemes.
Response to Other Public Comments
    Comment: One commenter expressed concern over the possibility that 
provider identities could be derived from nonidentifiable patient 
safety work product and asked that the final rule require a party 
disclosing identifiable information to produce evidence, if challenged, 
of how the information was obtained if not via nonidentifiable patient 
safety work product. Another commenter suggested that the final rule 
include a provision that prohibits the use or disclosure of any 
individually identifiable information that was obtained via the use of 
nonidentifiable patient safety work product. Finally, another commenter 
suggested that keys to reidentification of nonidentifiable patient 
safety work product be protected from discovery and should be protected 
as patient safety work product to prevent reidentification by 
unintended parties.
    Response: We believe that the nonidentification standard in the 
final rule, which is based upon the existing HIPAA Privacy Rule's de-
identification standard, is appropriate and sufficient to protect the 
identities of providers. With respect to protection of reidentification 
keys, we note that Sec.  3.212(a)(3) prohibits a provider, PSO, or 
responsible party disclosing nonidentifiable patient safety work 
product from also disclosing the mechanism for reidentification. If a 
reidentification key is disclosed along with patient safety work 
product that would otherwise be nonidentifiable, then such information 
is identifiable patient safety work product to which the privilege and 
confidentiality protections attach.
    Comment: One commenter asked to whom patient safety work product 
must be made nonidentifiable and whether information is adequately 
nonidentifiable despite the ability of a provider or patient involved 
in the event to recognize their case.
    Response: Under Sec.  3.212(a)(1), patient safety work product is 
rendered nonidentifiable if a determination is made, applying generally 
accepted statistical and scientific principles, that the risk is very 
small that the information could be used, alone or in combination with 
other reasonably available information, by an anticipated recipient to 
identify a provider or reporter. Similarly, under Sec.  3.212(a)(2), 
patient safety work product is rendered nonidentifiable if the listed 
identifiers are stripped and the provider, PSO or responsible person 
making the disclosure does not have actual knowledge that the 
information could be used, alone or in combination with other 
information that is reasonably available to the intended recipient, to 
identify the particular provider or reporter. So long as the remaining 
information meets either of these two standards, such information is 
considered nonidentifiable for purposes of this rule, despite the 
hypothetical ability of a provider or patient involved in the event to 
recognize their case.
    Comment: One commenter asked for clarification that 
nonidentification can be accomplished through either the statistical 
method or through the safe harbor method but that entities are not 
required to nonidentify patient safety work product subject to both 
methods.
    Response: We clarify that either method may be used to render 
information nonidentifiable for purposes of this rule.

D. Subpart D--Enforcement Program

    Subpart D of the final rule establishes a framework to enable the 
Secretary to monitor and ensure compliance with this Part, a process 
for imposing a civil money penalty for breach of the confidentiality 
provisions, and procedures for a hearing contesting a civil money 
penalty. The provisions in 
Subpart D are modeled largely on the HIPAA Enforcement Rule at 45 CFR 
Part 160, Subparts C, D and E. This will maintain a common approach to 
enforcement and appeals of civil money penalty determinations based on 
section 1128A of the Social Security Act, 42 U.S.C. 1320a-7a, upon 
which both the HIPAA and Patient Safety Act penalties are based, as 
well as minimize complexity for entities that are subject to both 
regulatory schemes. This enforcement scheme also provides the Secretary 
maximum flexibility to address confidentiality violations so as to 
encourage participation in patient safety activities and achieve the 
goals of the Patient Safety Act.
    General Comments: Several commenters expressed support for the 
decision to base this rule's enforcement regime on the HIPAA 
Enforcement Rule and noted that the HIPAA Enforcement Rule was properly 
adapted to the patient safety context. However, two commenters 
expressed concern that basing the enforcement regime in this rule on 
the HIPAA Enforcement Rule will be insufficient to adequately address 
and penalize violations of the confidentiality provisions because of 
the Department's approach to enforcement of the HIPAA Privacy Rule. One 
commenter argued that this might cause providers to decide against 
reporting the most serious patient safety events, and therefore, would 
undermine the purpose of the statute.
    Response to General Comments: The Department believes that modeling 
this rule's enforcement provisions on the existing HIPAA Enforcement 
Rule is prudent and appropriate. As noted above, such an approach 
grants the Secretary maximum flexibility to address violations of the 
confidentiality provisions, relies on an existing and established 
enforcement regime, and minimizes complexity for entities subject to 
both the Patient Safety Act and HIPAA.
1. Sections 3.304, 3.306, 3.308, 3.310, 3.312, 3.314--Compliance and 
Investigations
    Proposed Rule: Sections 3.304-3.314 of the proposed rule provided 
the framework by which the Secretary would seek compliance by 
providers, PSOs, and responsible persons with the confidentiality 
provisions of the rule. These proposed requirements included: (1) 
Provisions for the Secretary to seek cooperation from these entities in 
obtaining compliance and to provide technical assistance (proposed 
Sec.  3.304); (2) procedures for any person who believes there has been 
a violation of the confidentiality provisions to file a complaint with 
the Secretary and provisions for the Secretary to investigate such 
complaints (proposed Sec.  3.306); (3) provisions for the Secretary to 
conduct compliance reviews (proposed Sec.  3.308); (4) provisions 
establishing responsibilities of respondents with respect to 
cooperating with the Secretary during investigations or compliance 
reviews and providing access to information necessary and pertinent to 
the Secretary determining compliance (proposed Sec.  3.310); (5) 
provisions describing the Secretary's course of action during 
complaints and compliance reviews, including the circumstances under 
which the Secretary may attempt to resolve compliance matters by 
informal means or issue a notice of proposed determination, as well as 
the circumstances under which the Secretary may use or disclose 
information, including identifiable patient safety work product, 
obtained during an investigation or compliance review (proposed Sec.  
3.312); and (6) provisions and procedures for the Secretary to issue 
subpoenas to require witness testimony and the production of evidence 
and to conduct investigational inquiries (proposed Sec.  3.314).
    Overview of Public Comments: We received no comments opposed to the 
proposed provisions.
    Final Rule: The final rule adopts the provisions of the proposed 
rule, except, where reference was made in the proposed rule to 
provisions of the HIPAA Enforcement Rule, the final rule includes the 
text of such provisions for convenience of the reader.
Response to Other Public Comments
    Comment: One commenter asked how and when the Secretary will 
provide technical assistance to providers, PSOs, and responsible 
persons regarding compliance with the confidentiality provisions.
    Response: The Secretary intends to provide technical assistance 
through a variety of mechanisms. First, as authorized by the Patient 
Safety Act, the Secretary intends, as practical, to convene annual 
meetings for PSOs to discuss methodology, communication, data 
collection, privacy concerns, or other issues relating to their patient 
safety systems. See section 925 of the Public Health Service Act, 42 
U.S.C. 299b-25. Second, the Secretary intends to exercise his 
discretion under Sec.  3.304 by, when practicable and appropriate, 
providing technical assistance to affected persons and entities both on 
an individual basis when such persons or entities are involved in 
complaint investigations or compliance reviews, as well as more 
generally through published guidance that addresses common compliance 
or other questions about the rule. As we noted in the preamble to the 
proposed rule, however, the absence of technical assistance or guidance 
by the Secretary may not be raised as a defense to civil money penalty 
liability. We also encourage persons participating in patient safety 
activities and subject to this rule to develop and share with others 
similarly situated in the industry ``best practices'' for the 
confidentiality of patient safety work product.
    Comment: One commenter requested that the final rule provide 
additional detail on the consideration that will go into the 
determination of whether to pursue an investigation or to conduct a 
compliance review.
    Response: We do not believe that including additional detail in the 
final rule regarding when we will investigate or conduct compliance 
reviews is prudent or feasible. The decision of whether to conduct an 
investigation or compliance review is left to the discretion of the 
Secretary and will be made based on the specific circumstances of each 
individual case. The decision to investigate a complaint is necessarily 
fact specific. For example, some complaints may not allege facts that 
fall within the Secretary's jurisdiction or that constitute a violation 
if true. With respect to compliance reviews, the Secretary needs to 
maintain flexibility to conduct whatever reviews are necessary to 
ensure compliance. Compliance reviews may be initiated based on, for 
example, information that comes to the Department's attention outside 
of the formal complaint process, or trends the Department is seeing as 
a result of its enforcement activities. It would be premature at this 
time to indicate the specific circumstances under which such reviews 
may be conducted, given the absence of any compliance and enforcement 
experience with the rule. Further, making public the Department's 
considerations in this area may undermine the effectiveness of such 
reviews. Thus, we did not propose and do not include in this final rule 
affirmative criteria for conducting compliance reviews.
    Comment: One commenter requested clarification that the Secretary 
may only require respondents to produce records, books, and accounts 
that are reasonably related to an investigation.
    Response: Section 3.310(c) of the proposed rule, which the final 
rule adopts, provided that a respondent must permit the Secretary 
access to the information that is pertinent to ascertaining compliance 
with the 
confidentiality provisions of the rule. Given this provision in the 
final rule, we do not see a need to provide further clarification.
2. Sections 3.402, 3.404, 3.408, 3.414, 3.416, 3.418, 3.420, 3.422, 
3.424, 3.426--Civil Money Penalties
    Proposed Rule: Sections 3.402-3.426 of the proposed rule provided 
the process for the Secretary to impose a civil money penalty for 
noncompliance by a PSO, provider, or responsible person with the 
confidentiality provisions of the rule. These proposed provisions: (1) 
Described the basis for imposing a civil money penalty on a person who 
discloses identifiable patient safety work product in knowing or 
reckless violation of the confidentiality provisions, as well as on a 
principal, in accordance with the federal common law of agency \2\, 
based on the act of its agent acting within the scope of the agency 
(proposed Sec.  3.402); (2) described how a penalty amount would be 
determined, and provided the statutory cap of any such penalty 
(proposed Sec.  3.404); (3) provided the list of factors the Secretary 
may consider as aggravating or mitigating, as appropriate, in 
determining the amount of a civil money penalty, including the nature 
and circumstances of the violation and the degree of culpability of the 
respondent (proposed Sec.  3.408); (4) set forth the 6-year limitations 
period on the Secretary initiating an action for imposition of a civil 
money penalty (proposed Sec.  3.414); (5) set out the Secretary's 
authority to settle any issue or case or to compromise any penalty 
(proposed Sec.  3.416); (6) provided that a civil money penalty imposed 
under this rule would be in addition to any other penalty prescribed by 
law, except that a civil money penalty may not be imposed both under 
this rule and the HIPAA Privacy Rule for the same act (proposed Sec.  
3.418); (7) required that the Secretary provide a respondent with 
written notice of his intent to impose a civil money penalty, prescribe 
the contents of such notice, and provide the respondent with a right to 
request a hearing before an ALJ to contest the proposed penalty 
(proposed Sec.  3.420); (8) provided that if the respondent fails to 
timely request a hearing and the matter is not settled by the 
Secretary, the Secretary may impose the proposed penalty (or any lesser 
penalty) and will notify the respondent of any penalty imposed, and 
that the respondent has no right to appeal such penalty (proposed Sec.  
3.422); (9) provided that once the penalty becomes final, it will be 
collected by the Secretary, unless compromised, and described the 
methods for collection (proposed Sec.  3.424); and (10) provided that 
the Secretary will notify the public and the appropriate State or local 
medical or professional organizations, appropriate State agencies 
administering or supervising the administration of State health care 
programs, appropriate utilization and quality control peer review 
organizations, and appropriate State or local licensing agencies or 
organizations, of a final penalty and the reason it was imposed 
(proposed Sec.  3.426).
---------------------------------------------------------------------------

    \2\ For more information and guidance about violations of the 
rule attributed to a principal based on the federal common law of 
agency, see the preamble to the proposed rule at 73 FR 8158-8159.
---------------------------------------------------------------------------

    In addition, with respect to the factors at proposed Sec.  3.408, 
we specifically sought comment on whether the factors should be 
expanded to expressly include a factor for persons who self-report 
disclosures that may potentially violate the confidentiality provisions 
such that voluntary self-reporting would be a mitigating consideration 
when assessing a civil money penalty.
    Overview of Public Comments: We received no comments opposed to 
these proposed provisions. With respect to proposed Sec.  3.408, 
commenters generally supported the list of detailed factors, which may 
be aggravating or mitigating depending on the context, for use by the 
Secretary in determining the amount of a civil money penalty. In 
response to the question in the proposed rule regarding whether the 
final rule should include a factor for persons who self-report 
disclosures that may be potential violations, some commenters opposed 
such an expansion, arguing that such a provision could be viewed as an 
additional reporting obligation on persons and entities. Several other 
commenters expressed general support for the consideration of such a 
mitigating factor in the determination of any penalty, and one 
commenter specifically recommended expanding the list of factors to 
include self-reporting.
    Final Rule: The final rule adopts the provisions of the proposed 
rule except, where reference was made in the proposed rule to 
provisions of the HIPAA Enforcement Rule, the final rule includes the 
text of such provisions for convenience of the reader. We do not expand 
the list of factors at Sec.  3.408 to include the fact of self-
reporting by a respondent in the final rule. As we noted in the 
preamble to the proposed rule, while including a factor for voluntary 
self-reporting may encourage persons to report breaches of 
confidentiality, particularly those that may otherwise go unnoticed, as 
well as demonstrate the security practices that led to the discovery of 
the breach and how the breach was remedied, we agree with those 
commenters who argued that including such a factor may be viewed 
incorrectly as an additional and ongoing reporting obligation on 
providers, PSOs, and others to report every potentially impermissible 
disclosure. This would unnecessarily increase administrative burden 
both on the Department and the reporting persons. Additionally, 
inclusion of such a factor may interfere with contractual relationships 
between providers and PSOs that address how parties are to deal with 
breaches.
    However, we note that even though we are not expressly including a 
self-reporting factor in the list at Sec.  3.408, the Secretary retains 
discretion to consider self-reports on a case-by-case basis under Sec.  
3.408(f), which permits the Secretary to consider ``such other matters 
as justice may require'' in determining the amount of a civil money 
penalty.
Response to Other Public Comments
    Comment: One commenter supported the knowing or reckless standard 
for establishing the basis for imposing a civil money penalty for a 
confidentiality violation but also stated that every effort should be 
made to reduce the risk of liability and to encourage provider 
participation. Another commenter supported the Secretary's ability to 
exercise discretion in determining whether to impose a civil money 
penalty for a knowing or reckless violation of the confidentiality 
provisions but also suggested that, in cases where a PSO is compelled 
to disclose patient safety work product by a court and has, in good 
faith, attempted to assert the privilege protection, the PSO 
automatically should be excused from a civil money penalty for the 
impermissible disclosure of patient safety work product to the court.
    Response: We agree that the appropriate basis for imposing a civil 
money penalty is for knowing or reckless disclosures of identifiable 
patient safety work product in violation of the confidentiality 
provisions of the rule and that it is important the Secretary 
ultimately retain discretion as to whether to impose a penalty pursuant 
to this standard. This provision is based on section 922(f) of the 
Public Health Service Act, 42 U.S.C. 299b-22(f). We also agree that 
provider participation is essential to meeting the overall goal of the 
statute to improve patient safety and quality of care, and we believe 
that strong privilege and confidentiality protections for patient 
safety work
product are fundamental to ensuring this participation. As we explained 
in the preamble to the proposed rule, a civil money penalty under Sec.  
3.402 may only be imposed if the Secretary first establishes a wrongful 
disclosure--that is, the information disclosed was identifiable patient 
safety work product and the manner of the disclosure does not fit 
within any permitted exception. The Secretary must then determine 
whether a person making the disclosure acted ``knowingly'' or 
``recklessly.'' To do so, the Secretary must prove either that: (1) The 
person making the disclosure knew a disclosure was being made (not that 
the person knew he or she was disclosing identifiable patient safety 
work product in violation of the rule or statute); or (2) the person 
acted recklessly in making the disclosure, that is, the person was 
aware, or a reasonable person in his or her situation should have been 
aware, that his or her conduct created a substantial risk of disclosure 
of information and to disregard such risk constituted a gross deviation 
from reasonable conduct. For more guidance on this standard or the 
knowing or reckless standard, see the preamble to the proposed rule at 
73 FR 8157-8158. Once a knowing or reckless violation has been 
established, the Secretary still retains discretion as to whether to 
impose a penalty for a violation and may elect not to do so. Thus, we 
believe the standard at Sec.  3.402 of the final rule strikes the right 
balance in ensuring those who are culpable are subject to penalties, 
while still encouraging maximum participation by providers.
    For example, circumstances where a person who disclosed 
identifiable patient safety work product in violation of the rule can 
show he or she did not know and had no reason to know that the 
information was patient safety work product may warrant discretion by 
the Secretary. Further, as we stated in the preamble to the proposed 
rule, the Secretary may exercise discretion and not pursue a civil 
money penalty against a respondent ordered by a court to produce 
patient safety work product where the respondent has in good faith 
undertaken reasonable steps to avoid production and is, nevertheless, 
compelled to produce the information or be held in contempt of court. 
We do not, however, agree that an automatic exception from liability 
for respondents in such circumstances is appropriate or necessary. The 
Secretary will examine each situation based on the individual 
circumstances and make an appropriate determination about whether to 
impose a civil money penalty.
    Comment: One commenter asked that the final rule state that 
inappropriate disclosures to, for example, the media or to the public, 
would result in civil money penalties.
    Response: Section 3.402(a) of the final rule provides that persons 
who disclose identifiable patient safety work product in knowing or 
reckless violation of the confidentiality provisions are subject to 
civil money penalty liability for such violations. This liability would 
include disclosures to the media or public, to the extent the knowing 
or reckless standard of Sec.  3.402(a) is met.
    Comment: We received two comments stating that the maximum penalty 
of $10,000 for a single violation is insufficient to serve as a 
deterrent against impermissible disclosures. In contrast, one commenter 
expressed concern that the maximum penalty would be far too severe for 
some small providers and in cases in which the impermissible disclosure 
was incidental or accidental.
    Response: In response to those commenters who believe the penalty 
amount is not high enough, the $10,000 maximum penalty for each act 
constituting a violation is prescribed by the statute and thus, cannot 
be increased by the Secretary in this rule. We expect, however, that 
there will be cases where multiple related acts are at issue as 
discrete violations, each of which could result in separate penalties 
up to $10,000. The preamble to the proposed rule indicated that the 
Patient Safety Act provides that a person who violates the Patient 
Safety Act shall be subject to a civil money penalty of ``not more than 
$10,000'' for each act constituting such violation. We note that 
pursuant to the Federal Civil Penalties Inflation Adjustment Act of 
1990, as amended by the Debt Collection Improvement Act of 1996, the 
Department will be required to adjust this civil money penalty amount 
based on increases in the consumer price index (CPI). The Department 
has up to four years to update the civil money penalty amount, and the 
adjustment will be based on the percent increase in the CPI from the 
time the Patient Safety Act was enacted, in accordance with the cost-
of-living adjustment set forth at the Federal Civil Penalties Inflation 
Adjustment Act of 1990 Sec.  5, at 28 U.S.C. 2461 note. However, the 
first adjustment may not exceed ten percent of the penalty. Thus, 
pursuant to this statute, the $10,000 maximum penalty will be adjusted 
upwards periodically to account for inflation.
    With respect to those commenters who were concerned that the 
$10,000 penalty may be too severe in certain circumstances, we 
emphasize that the $10,000 amount is a maximum penalty and the 
Secretary has discretion to impose penalties that are less than that 
amount or can elect not to impose a penalty at all for a violation, 
depending on the circumstances. In particular, Sec.  3.404 provides 
that the amount of any penalty will be determined using the factors at 
Sec.  3.408, which include such factors as the nature and circumstances 
of the violation, the degree of culpability of the respondent including 
whether the violation was intentional, as well as the financial 
condition and size of the respondent.
    Comment: Several commenters asked for clarification regarding the 
Secretary's authority to levy separate fines under the Patient Safety 
Act and HIPAA. Many of these commenters argued that the Secretary 
should be able to impose penalties under both authorities for the same 
act to maximize the enforcement tools at his disposal and to 
effectively penalize bad behavior. In contrast, one commenter supported 
the statutory mandate that civil money penalties not be imposed under 
both the Patient Safety Act and HIPAA for a single violation. One 
commenter asked for clarification as to how civil money penalties may 
be imposed under both the Patient Safety Act and HIPAA when a PSO is a 
business associate of a covered entity for HIPAA Privacy Rule purposes.
    Response: The final rule at Sec.  3.418 reflects the statutory 
prohibition against the Secretary imposing civil money penalties under 
both the Patient Safety Act and HIPAA for a single act that constitutes 
a violation. As the preamble to the proposed rule explained, Congress 
recognized that, because patient safety work product includes 
individually identifiable health information about patients, a HIPAA 
covered entity making a disclosure of patient safety work product could 
be liable for a violation under both the Patient Safety Act and HIPAA, 
and made such penalties mutually exclusive. Thus, in situations in 
which a single violation could qualify as both a violation of the 
Patient Safety Act and HIPAA, the Secretary has discretion to impose a 
civil money penalty under either regulatory scheme, not both. However, 
as we explained in the proposed rule, we interpreted the Patient Safety 
Act as only prohibiting the imposition of a civil money penalty under 
the Patient Safety Act when there has been a civil, as opposed to 
criminal, penalty imposed under HIPAA for the same act. Therefore, a 
person could have a civil money penalty imposed under the Patient 
Safety Act as well as
a criminal penalty under HIPAA for the same act.
    With respect to the commenter who requested clarification about 
penalties relating to a PSO that is a business associate of a HIPAA 
covered entity, we note that it is possible for a civil money penalty 
to be imposed under both the Patient Safety Act and HIPAA, where such 
penalty is imposed against different entities. Thus, for example, 
because a PSO will be a business associate of a covered entity under 
HIPAA, any violation involving patient safety work product that 
contains protected health information by the PSO will be a violation of 
the Patient Safety Act and not HIPAA, since the PSO is not a covered 
entity. However, if the PSO notifies the covered entity of the 
impermissible disclosure (as required by the business associate 
contract under HIPAA), and the covered entity does not take the 
appropriate steps to mitigate and address the consequences of the 
impermissible disclosure of protected health information, the covered 
entity may then be liable for a penalty under HIPAA.
3. Section 3.504--Procedures for Hearings
    Proposed Rule: Proposed Sec.  3.504 provided the procedures for an 
administrative hearing to contest a civil money penalty. The proposed 
section set forth the authority of the ALJ, the rights and burdens of 
proof of the parties, requirements for the exchange of information and 
pre-hearing, hearing, and post-hearing processes. This section cross-
referenced the relevant provisions of the HIPAA Enforcement Rule 
extensively. Specifically, Sec. Sec.  3.504(b), (d), (f)-(g), (i)-(k), 
(m), (n), (t), (w) and (x) of the proposed rule incorporated unchanged 
the provisions of the HIPAA Enforcement Rule. Sections 3.504(a), (c), 
(e), (h), (l), (o)-(s), (u) and (v) of the proposed rule incorporated 
the HIPAA Enforcement Rule but included technical changes to adapt 
these provisions to the Patient Safety Act confidentiality provisions. 
These technical changes addressed the following: (1) Proposed 
Sec. Sec.  3.504(a) and 3.504(v) excluded language from 45 CFR 
160.504(c) and 160.548(e), respectively, relating to an affirmative 
defense under 45 CFR 160.410(b)(1), which is a defense unique to HIPAA 
and not included in the Patient Safety Act; (2) proposed Sec.  3.504(c) 
excluded the provision at 45 CFR 160.508(c)(5) for remedied violations 
based on reasonable cause to be insulated from liability for a civil 
money penalty because there is no such requirement under the Patient 
Safety Act; (3) proposed Sec.  3.504(e) substituted the term 
``identifiable patient safety work product'' for ``individually 
identifiable health information''; (4) proposed Sec.  3.504(h) excluded 
the language in 45 CFR 160.518(a) relating to the provision of a 
statistical expert's report not less than 30 days before a scheduled 
hearing because we did not propose language permitting use of 
statistical sampling to estimate the number of violations; (5) proposed 
Sec.  3.504(o) substituted ``a confidentiality provision'' for ``an 
administrative simplification provision'' in 45 CFR 160.532; (6) 
proposed Sec.  3.504(p) substituted, for language not relevant to the 
Patient Safety Act in 45 CFR 160.534(b)(1), new language stating that 
the respondent has the burden of going forward and the burden of 
persuasion with respect to any challenge to the amount of a proposed 
civil money penalty, including any mitigating factors raised, and 
provided that good cause shown under 45 CFR 160.534(c) may be that 
identifiable patient safety work product has been introduced into 
evidence or is expected to be introduced into evidence; (7) proposed 
Sec.  3.504(s) added language to provide that good cause for making 
redactions to the record would include the presence of identifiable 
patient safety work product; and (8) proposed Sec. Sec.  3.504(l), (q), 
(r), and (u) substituted citations to subpart D of the Patient Safety 
rule, as appropriate.
    We also explained in the proposed rule that we intended to maintain 
the alignment between these provisions and the HIPAA Enforcement Rule 
by incorporating any changes to the HIPAA Enforcement Rule that would 
become final based on the Department's Notice of Proposed Rulemaking 
entitled, ``Revisions to Procedures for the Departmental Appeals Board 
and Other Departmental Hearings'' (see 72 FR 73708 (December 28, 
2007)). That Notice of Proposed Rulemaking proposed to amend the HIPAA 
Enforcement Rule at 45 CFR 160.508(c) and 160.548, and add a new 
provision at 160.554, providing that the Secretary may review all ALJ 
decisions that the Board has declined to review and all Board decisions 
for error in applying statutes, regulations, or interpretive policy. As 
of the publication date of this final rule, however, that regulation is 
not final.
    Overview of Public Comments: We received no comments opposed to 
these provisions.
    Final Rule: The final rule adopts the proposed provisions, except that 
it renumbers them into individual sections and republishes the referenced 
provisions of the HIPAA Enforcement Rule, as modified by the technical 
changes described above to adapt the provisions to the Patient Safety 
Act confidentiality provisions. The final rule includes the full text 
of such provisions for convenience of the reader.
    Also, we incorporate one additional technical change to better 
adapt the language to this rule's confidentiality provisions, as well 
as one conforming change. In particular, at Sec.  3.512(b)(11), we 
replace the term ``privacy of'' with ``confidentiality of'' in addition 
to replacing ``individually identifiable health information'' with 
``identifiable patient safety work product.'' In addition, at Sec.  
3.504(b), we replace the term ``90 days'' with ``60 days.'' We proposed 
at Sec.  3.420(a)(6) to include in a notice of proposed determination a 
statement that a respondent must request a hearing within 60 days or 
lose its right to a hearing under Sec.  3.504. However, we 
inadvertently omitted from Sec.  3.504 a conforming change to the 
language incorporated from 45 CFR 160.504(b) to change the hearing 
request deadline from 90 days to 60 days. Thus, this change is 
necessary to align the two provisions.
Response to Other Public Comments
    Comment: One commenter asked that the final rule clarify the 
involvement of the Departmental Appeals Board during the hearings and 
appeals processes as well as whether the Secretary has authority to 
review ALJ decisions.
    Response: Sections 3.504-3.552 of the final rule incorporate the 
provisions of the HIPAA Enforcement Rule, which lay out the hearings 
and appeals process. The current process provides that any party, 
including the Secretary, may appeal a decision of the ALJ to the 
Departmental Appeals Board, as well as file a reconsideration request 
with the Board following any Board decision. Unless the ALJ decision is 
timely appealed, such decision becomes final and binding on the parties 
60 days from the date of service of the ALJ's decision.
    Comment: One commenter asked that the final rule provide no 
restrictions to full judicial review for appeals and hearing requests.
    Response: Section 3.548(k) provides respondents the right to 
petition for judicial review of the final decision of the Secretary 
once all administrative appeals have been exhausted, that is, once the 
Departmental Appeals Board has rendered a decision on appeal or 
reconsideration that has become the final decision of the Secretary, as 
appropriate.
    Comment: One commenter suggested that any time patient safety work 
product could be disclosed in an ALJ
proceeding, the proceeding should be closed to the public.
    Response: The final rule at Sec.  3.534(c) expressly provides that 
the ALJ may close a proceeding to the public for good cause shown, 
which may include the potential for patient safety work product to be 
introduced as evidence in the proceeding. We do not see a need to 
require that proceedings be closed under such circumstances but rather 
will continue to rely on the experienced discretion of the ALJ in 
determining such matters.

IV. Impact Statement and Other Required Analyses

Regulatory Impact Analysis

    AHRQ has previously analyzed the potential economic impact of this 
rule as part of its February 2008 Notice of Proposed Rulemaking 
(proposed rule) as required by Executive Order 12866 (September 1993, 
Regulatory Planning and Review), the Regulatory Flexibility Act (RFA) 
(September 16, 1980, Pub. L. 96-354), section 1102(b) of the Social 
Security Act, the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4), 
and Executive Order 13132. This analysis can be found on pages 8164 to 
8171 of the proposed rule, which was published in the Federal Register 
on February 12, 2008.
    Executive Order 12866 (as amended by Executive Order 13258, 
February 2002, and Executive Order 13422, January 2007), directs 
agencies to assess all costs and benefits of available regulatory 
alternatives and, if regulation is necessary, to select regulatory 
approaches that maximize net benefits (including potential economic, 
environmental, public health and safety effects, distributive impacts, 
and equity). A regulatory impact analysis (RIA) must be prepared for 
major rules with economically significant effects ($100 million or more 
in any 1 year). Although we cannot determine the specific economic 
impact of this final rule, we believe that the economic impact may 
approach $100 million. HHS has determined that the rule is 
``significant'' because it raises novel legal and policy issues with 
the establishment of a new regulatory framework, authorized by the 
Patient Safety Act, and imposes requirements, albeit voluntary, on 
entities that had not been subject to regulation in this area.
    In preparing the regulatory impact analysis for inclusion in the 
proposed rule, AHRQ did not develop an alternative to the statutorily 
authorized voluntary framework. In light of the approach taken in the 
proposed rule, alternatives would have been mandatory or more 
proscriptive as well as inconsistent with statutory intent. The 
proposed rule established a system in which entities would voluntarily 
seek designation (or ``listing'') by the Secretary as a Patient Safety 
Organization (PSO), most PSO requirements would be met by attestation 
and overall compliance assessed by spot-checks rather than document 
submission or routine audits, and the Department would look to the 
marketplace to assess the quality and value of each PSO. PSOs will not 
be Federally funded nor directed; their funding and activities will be 
determined by health care providers who seek their expert assistance in 
identifying the underlying causes of, and the best strategies for 
reducing or eliminating, medical errors. The proposed rule provided a 
foundation of confidentiality and privilege protections for information 
developed and exchanged when health care providers voluntarily choose 
to work with a PSO. We proposed that health care providers could 
receive the confidentiality and privilege protections of the statute by 
reporting information to a PSO occasionally, without entering contracts 
or incurring significant costs. Other health care providers could 
develop more costly internal systems that would serve as the hub of the 
provider's interactions with a PSO with which the provider had a 
contractual relationship; such structured, documented internal systems 
with dedicated personnel would be more costly. To create an ``upper 
bound'' on the analyses in the proposed rule, we assumed that all 
providers that would choose to work with PSOs would follow this more 
costly approach. It should be noted that most hospital providers 
already have patient safety reporting activities in place (98% 
according to a 2006 AHRQ survey). While documenting these activities 
and, it is hoped, expanding them through participation with a PSO will 
result in increased costs, that increase will be marginal, not 
complete, in the hospital community.
    A summary of the AHRQ analysis of Patient Safety Act costs and 
benefits from the proposed rule follows below. For 
a full discussion of the assumptions underlying these estimates, please 
refer to the proposed rule.

            Table 3--Total Patient Safety Act Costs Including Hospital Costs and PSO Costs: 2009-2013
----------------------------------------------------------------------------------------------------------------
                                                                       Year
                                 -------------------------------------------------------------------------------
                                       2009            2010            2011            2012            2013
----------------------------------------------------------------------------------------------------------------
Hospital Penetration Rate.......             10%             40%             60%             75%             85%
Hospital Cost...................          $7.5 M         $30.0 M         $45.0 M         $56.2 M         $63.7 M
PSO Cost........................         $61.4 M         $92.1 M        $122.8 M        $122.8 M        $122.8 M
                                 -------------------------------------------------------------------------------
    Total cost..................         $68.9 M        $122.1 M        $167.8 M        $179.0 M        $186.5 M
----------------------------------------------------------------------------------------------------------------
Source: Notice of Proposed Rulemaking published in the Federal Register on February 12, 2008: 73 FR 8112-8183.

    Costs for PSO implementation were calculated by considering two 
components: Costs incurred by hospitals in engaging in PSO activities 
and costs of PSOs themselves. It was assumed that in early years of PSO 
operation, the hospital would be the primary site of PSO-related 
activity. Hospital costs were assumed to be incremental, given that a 
previously-completed survey funded by AHRQ revealed that 98% of U.S. 
hospitals already have adverse event reporting systems, and virtually 
all hospitals have a safety/quality function. We assumed that PSOs 
would be staffed modestly, relying on existing hospital activities in 
reporting adverse events, and that a significant proportion of PSOs are 
likely to be component PSOs, with support and expertise provided by a 
parent organization. Our assumptions were that PSOs will hire dedicated 
staff of 1.5 to 4 FTEs, assuming an average salary rate of $67/hour. We 
also estimated that a significant overhead figure of 100%, coupled with 
20% for General and Administrative (G&A) expenses, will cover the 
appreciable costs anticipated for legal, security, travel, and 
miscellaneous PSO expenses.
Provider--PSO Costs and Charges
    We have not figured into our calculations any estimates for the 
price of PSO services, amounts paid by hospitals and other health care 
providers to PSOs, PSO revenues, or PSO break-even analyses. We have 
not speculated about subsidies or business models. Regardless of what 
the costs and charges are between providers and PSOs, they will cancel 
each other out, as expenses to providers will become revenue to PSOs.

            Table 4--Total Estimated Cost Savings by Percent Reduction in Adverse Events: 2009-2013 *
----------------------------------------------------------------------------------------------------------------
                                                                       Year
                                 -------------------------------------------------------------------------------
                                       2009            2010            2011            2012            2013
----------------------------------------------------------------------------------------------------------------
Hospital Penetration Rate.......             10%             40%             60%             75%             85%
Percent Reduction in Adverse                  1%            1.5%              2%            2.5%              3%
 Events.........................
Savings.........................         $11.5 M           $69 M          $138 M      $215.625 M       $293.25 M
----------------------------------------------------------------------------------------------------------------
* Source: Baseline figures from IOM Report, To Err Is Human, on total national health care costs associated with
  preventable adverse events (between 8.5 billion and 14.5 billion). Year 1 estimates are based on mid-point
  figures.


                                        Table 5--Net Benefits: 2009-2013
----------------------------------------------------------------------------------------------------------------
                                                                       Year
                                 -------------------------------------------------------------------------------
                                       2009            2010            2011            2012            2013
----------------------------------------------------------------------------------------------------------------
Total Benefits..................         $11.5 M           $69 M          $138 M      $215.625 M       $293.25 M
Total Costs.....................         $68.9 M        $122.1 M        $167.8 M        $179.0 M        $186.5 M
Net Benefits....................       ($57.4) M       ($53.1) M       ($29.8) M       $36.625 M       $106.75 M
Discounted net present value at        ($55.7) M       ($50.0) M       ($27.3) M         $32.5 M         $92.1 M
 3%.............................
Discounted net present value at        ($53.6) M       ($46.4) M       ($24.3) M         $27.9 M         $76.1 M
 7%.............................
----------------------------------------------------------------------------------------------------------------

    The final rule includes several modifications that could alter the 
actual economic impact of the Patient Safety Act, but AHRQ concludes 
that these changes will not exceed the ``upper bound'' established in 
our previous analysis, and we anticipate that the actual economic 
impact may be less. Several changes incorporated in the final rule are 
likely to lower the costs of implementation. For example, the final 
rule has removed a requirement that PSOs that are components of other 
existing organizations must maintain separate information systems and, 
for all but a small category of component PSOs, we have removed 
restrictions on the use of shared staff. As we noted in our economic 
analysis, we expect the most common type of PSO to be ones that are 
established by one or more existing organizations. As commenters 
pointed out, personnel costs are likely to be the most significant cost 
facing a PSO, and the ability to share personnel means that skilled 
personnel are available at significantly less cost, and in some cases 
at no cost, than the PSO would pay to hire or externally contract for 
personnel. Similarly, the costs and administrative burdens associated 
with the development and maintenance of separate information systems 
were a major focus of commenters. 
These two changes are likely to have the greatest impact on reducing 
costs for PSOs.
    There are two changes in the final rule that might increase costs 
slightly but selectively. The final rule parallels a HIPAA Privacy Rule 
requirement that business associates of covered entities must notify 
the covered entity if any of its protected health information has been 
inappropriately disclosed or its security breached. The final rule 
requires PSOs to notify the providers that submitted patient safety 
work product to the PSO if the work product it submitted has been 
disclosed or its security breached. As we noted in the proposed rule, 
the vast majority of providers reporting data will be covered entities 
under HIPAA and will need to include such notification requirements in 
the business associate agreements they will enter with PSOs. In 
addition, the HIPAA requirement is likely to apply in many disclosure 
or security breach situations because most work product is expected to 
contain protected health information. Nevertheless, this requirement 
may increase costs to the extent that PSOs receive work product from 
non-covered entities, although these potential increased costs will be 
dependent upon the vigilance with which the providers and PSOs meet 
their confidentiality and security requirements.
    With respect to health care providers, the final rule does not 
impose requirements. The final rule does afford increased flexibility 
and protections to providers that voluntarily choose to both establish 
and document a more structured process for working with a PSO, i.e., 
what the rule terms a patient safety evaluation system, and document 
the flow of information into and out of the patient safety evaluation 
system. For providers who choose this option, the information they 
assemble and develop within their patient safety evaluation system will 
be accorded privilege and confidentiality, contingent upon the 
information ultimately being reported to a PSO, from the outset. To the 
extent that this encourages providers, who would not otherwise have 
done so, to establish a structured, documented patient safety 
evaluation system, there would be an increase in costs. As noted above, 
this should not significantly affect our previous analysis since we 
assumed all providers working with a PSO would have established a 
documented patient safety evaluation system.
    Taking advantage of this option will also enable health care 
providers with integrated health information technology systems to 
avoid the requirement in the proposed rule that they maintain the 
assembly and development of patient safety work product separately from 
their routine data collection activities, which would have required a 
number of providers to establish dual information systems. While we 
expect that the costs of developing dual information collection systems 
would exceed the costs of developing and maintaining a structured, 
documented patient safety evaluation system, we do not estimate any 
savings because we cannot be clear how many providers would have 
incurred the dual health information
technology systems costs or would have simply chosen to forego 
participation.
    After considering the impact of the increased flexibility in the 
final rule for PSOs and health care providers, we now expect the 
implementation costs will be lower than those in our previous analysis.
Final Regulatory Flexibility Analysis
    Since formation of a PSO is voluntary, formation is not likely to 
occur unless the organization believes it is an economically viable 
endeavor. Furthermore, PSOs are not likely to undertake tasks that will 
provide insufficient payment to cover their costs. Therefore, the 
Secretary certifies that the regulation will not impose a significant 
economic burden on a substantial number of small entities.
Unfunded Mandates Reform Act
    Section 202 of the Unfunded Mandates Reform Act requires that a 
covered agency prepare a budgetary impact statement before promulgating 
a rule that includes any Federal mandate that may result in the 
expenditure by State, local, and Tribal governments, in the aggregate, 
or by the private sector, of $100 million or more in any one year. The 
Department has determined that this final rule will not impose a 
mandate that will result in the expenditure by State, Local, and Tribal 
governments, in the aggregate, or by the private sector, of more than 
$100 million in any one year.
Paperwork Reduction Act
    This final rule adding a new Part 3 to volume 42 of the Code of 
Federal Regulations contains information collection requirements. This 
summary includes the estimated costs and assumptions for the paperwork 
requirements related to the final rule.
    With respect to Sec.  3.102 concerning the submission of 
certifications for initial and continued listing as a PSO, and of 
updated information, all such information would be submitted on the 
``Patient Safety Organization: Certification for Initial Listing'' 
form. To maintain its listing, a PSO must also submit a brief 
attestation, once every 24-month period after its initial date of 
listing, submitted on the ``Attestation Regarding the Two Bona Fide 
Contracts Requirement'' form, stating that it has entered contracts 
with two providers. We estimate that the final rule will create an 
average burden of 30 minutes annually for each entity that seeks to 
become a PSO to complete the necessary certification forms. Table 1 
summarizes burden hours.

       Table 1--Total Burden Hours Related to Certification Forms
          [Summary of all burden hours, by provision, for PSOs]
------------------------------------------------------------------------
               Provision                     Annualized  burden hours
------------------------------------------------------------------------
3.112..................................  30 minutes.
------------------------------------------------------------------------

    Under 5 CFR 1320.3(c), a covered collection of information includes 
the requirement by an agency of a disclosure of information to third 
parties by means of identical reporting, recordkeeping, or disclosure 
requirements, imposed on ten or more persons. The final rule reflects 
the previously established reporting requirements for breach of 
confidentiality applicable to business associates under HIPAA 
regulations requiring contracts to contain a provision requiring the 
business associate (in this case, the PSO) to notify providers of 
breaches of their identifiable patient data's confidentiality or 
security. Accordingly, this reporting requirement referenced in the 
regulation previously met Paperwork Reduction Act review requirements.
    The final rule requires in Sec.  3.108(c) that a PSO notify the 
Secretary if it intends to relinquish voluntarily its status as a PSO. 
The entity is required to notify the Secretary that it has, or will 
soon, alert providers and other organizations from which it has 
received patient safety work product or data of its intention and 
provide for the appropriate disposition of the data in consultation 
with each source of patient safety work product or data held by the 
entity. In addition, the entity is asked to provide the Secretary with 
current contact information for further communication from the 
Secretary as the entity ceases operations. The reporting aspect of this 
requirement is essentially an attestation that is equivalent to the 
requirements for listing, continued listing, and meeting the minimum 
contracts requirement. This minimal data requirement would come within 
5 CFR 1320.3(h)(1) which provides an exception from PRA requirements 
for affirmations, certifications, or acknowledgments as long as they 
entail no burden other than that necessary to identify the respondent, 
the date, the respondent's address, and the nature of the instrument. 
In this case, the nature of the instrument is an attestation that the 
PSO is working with its providers for the orderly cessation of 
activities. The following other collections of information that are 
required by the final regulation under Sec.  3.108 are also exempt from 
PRA requirements pursuant to an exception in 5 CFR 1320.4 for 
information gathered as part of administrative investigations and 
actions regarding specific parties: information supplied in response to 
preliminary agency determinations of PSO deficiencies or in response to 
proposed revocation and delisting, e.g., information providing the 
agency with correct facts, reporting corrective actions taken, or 
appealing proposed agency revocation decisions.
    AHRQ and OCR published in the Federal Register their proposed 
information collection forms on February 20, 2008. Following the first, 
60-day comment period, the forms were again published in the Federal 
Register on April 21, 2008, to begin the second, 30-day comment period. 
The forms were not changed following the first comment period, and they 
and the one comment received were sent to OMB, which received them on 
April 25, 2008. Minor changes to the proposed forms will be necessary 
to align them with the final rule. AHRQ and OCR will work with OMB to 
ensure that the forms needed to implement the Patient Safety Act 
conform to the requirements of the final rule.

Federalism

    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a final rule that imposes 
substantial direct requirement costs on state and local governments, 
preempts State law, or otherwise has Federalism implications. The 
Patient Safety Act upon which the final regulation is based makes 
patient safety work product confidential and privileged. To the extent 
this is inconsistent with any state law, including court decisions, the 
Federal statute preempts such state law or court order. The final rule 
will not have any greater preemptive effect on state or local 
governments than that imposed by the statute. While the Patient Safety 
Act does establish new Federal confidentiality and privilege 
protections for certain information, these protections only apply when 
health care providers work with PSOs and new processes, such as patient 
safety evaluation systems, that do not currently exist. These Federal 
data protections provide a mechanism for protection of sensitive 
information that could improve the quality, safety, and outcomes of 
health care by fostering a non-threatening environment in which 
information about adverse medical events and near misses can be 
discussed. It is hoped that confidential

[[Page 70796]]

analysis of patient safety events will reduce the occurrence of adverse 
medical events and, thereby, reduce the costs arising from such events, 
including costs incurred by state and local governments attributable to 
such events. In addition, the Patient Safety Act and the final rule do 
not relieve health care providers of their responsibilities to comply 
with state reporting requirements.
    AHRQ, in conjunction with OCR, held three public listening sessions 
prior to drafting the proposed rule. Representatives of several states 
participated in these sessions. In particular, states that had begun to 
collect and analyze patient safety event information spoke about their 
related experiences and plans. Following publication of the proposed 
rule, AHRQ consulted with state officials and organizations to review 
the scope of the proposed rule and to specifically seek input on 
federalism issues and a proposal in the rule at proposed Sec.  
3.102(a)(2) that would limit the ability of public or private sector 
regulatory entities to seek listing as a PSO. AHRQ received no 
expressions of concerns regarding the Federalism aspects of the 
proposed rule although several State health departments and commissions 
submitted written comments regarding the PSO eligibility criteria in 
the proposed rule.

OMB Accounting Statement

    The table below summarizes the estimated costs and benefits of 
implementing the Patient Safety and Quality Improvement Act for the 
next five years, beginning with January 1, 2009, by which time it is 
expected that the rule will be effective.
    The figures in the table are derived from the regulatory impact 
analyses outlined above and, more completely, in the February 12, 2008 
NPRM published in the Federal Register, on pages 8164 to 8171. As in 
the previous analyses, the range of benefits derives directly from the 
range of potentially-avoidable incidents cited (estimated) in IOM 
Report, To Err Is Human. The range of costs is the same as was included 
in the NPRM, where minimum and maximum estimates were calculated as 10% 
above and 10% below the Agency's primary estimate of costs.
    All figures are calculated at two discount rates, 7% and 3%, and 
dollars are held constant at the 2008 level. The discount rates, 3% or 
7%, represent two rates of return that might be expected from 
government investments. The purpose is to project the expected future 
costs and benefits in today's dollars. (Future dollars will be worth 
less than today's dollars, barring appropriate investments.) Figures 
are annualized, that is average-per-year over the five years.

----------------------------------------------------------------------------------------------------------------
OMB :                       Agency/Program Office: AHRQ
Rule Title: Patient Safety and Quality Improvement Act
RIN :                       Date: 8/25/2008
----------------------------------------------------------------------------------------------------------------
              CATEGORY                   Primary         Minimum         Maximum        Source citation (RIA,
                                        estimate        estimate        estimate            preamble, etc.)
                                       (millions)      (millions)      (millions)
----------------------------------------------------------------------------------------------------------------
BENEFITS...........................          $145.5          $107.5          $183.4  AHRQ Analysis.
Annualized discounted (5 years):
    @ 7%...........................           111.5            82.4           140.5
    @ 3%...........................           129.4            95.7           163.2
COSTS..............................           144.9           130.4           159.3  AHRQ Analysis.
Annualized discounted (5 years):
    @ 7%...........................           115.5           104.0           127.1
    @ 3%...........................           131.1           118.0           144.2
----------------------------------------------------------------------------------------------------------------
Transfers..........................                                      N/A
Effects on small businesses........                                      N/A
Effects on States and tribes.......                                      N/A
----------------------------------------------------------------------------------------------------------------

List of Subjects in 42 CFR Part 3

    Administrative practice and procedure, Civil money penalty, 
Confidentiality, Conflict of interests, Courts, Freedom of information, 
Health, Health care, Health facilities, Health insurance, Health 
professions, Health records, Hospitals, Investigations, Law 
enforcement, Medical research, Organization and functions, Patient, 
Patient safety, Privacy, Privilege, Public health, Reporting and 
recordkeeping requirements, Safety, State and local governments, 
Technical assistance.

For the reasons stated in the preamble, the Department of Health and 
Human Services amends Title 42 of the Code of Federal Regulations by 
adding a new part 3 to read as follows:

PART 3--PATIENT SAFETY ORGANIZATIONS AND PATIENT SAFETY WORK 
PRODUCT

Subpart A--General Provisions
Sec.
3.10 Purpose.
3.20 Definitions.
Subpart B--PSO Requirements and Agency Procedures
3.102 Process and requirements for initial and continued listing of 
PSOs.
3.104 Secretarial actions.
3.106 Security requirements.
3.108 Correction of deficiencies, revocation, and voluntary 
relinquishment.
3.110 Assessment of PSO compliance.
3.112 Submissions and forms.
Subpart C--Confidentiality and Privilege Protections of Patient Safety 
Work Product
3.204 Privilege of patient safety work product.
3.206 Confidentiality of patient safety work product.
3.208 Continued protection of patient safety work product.
3.210 Required disclosure of patient safety work product to the 
Secretary.
3.212 Nonidentification of patient safety work product.
Subpart D--Enforcement Program
3.304 Principles for achieving compliance.

[[Page 70797]]

3.306 Complaints to the Secretary.
3.308 Compliance reviews.
3.310 Responsibilities of respondents.
3.312 Secretarial action regarding complaints and compliance 
reviews.
3.314 Investigational subpoenas and inquiries.
3.402 Basis for a civil money penalty.
3.404 Amount of a civil money penalty.
3.408 Factors considered in determining the amount of a civil money 
penalty.
3.414 Limitations.
3.416 Authority to settle.
3.418 Exclusivity of penalty.
3.420 Notice of proposed determination.
3.422 Failure to request a hearing.
3.424 Collection of penalty.
3.426 Notification of the public and other agencies.
3.504 Hearings before an ALJ.
3.506 Rights of the parties.
3.508 Authority of the ALJ.
3.510 Ex parte contacts.
3.512 Prehearing conferences.
3.514 Authority to settle.
3.516 Discovery.
3.518 Exchange of witness lists, witness statements, and exhibits.
3.520 Subpoenas for attendance at hearing.
3.522 Fees.
3.524 Form, filing, and service of papers.
3.526 Computation of time.
3.528 Motions.
3.530 Sanctions.
3.532 Collateral estoppel.
3.534 The hearing.
3.538 Witnesses.
3.540 Evidence.
3.542 The record.
3.544 Post hearing briefs.
3.546 ALJ's decision.
3.548 Appeal of the ALJ's decision.
3.550 Stay of the Secretary's decision.
3.552 Harmless error.

    Authority: 42 U.S.C. 216, 299b-21 through 299b-26; 42 U.S.C. 
299c-6.

Subpart A--General Provisions


Sec.  3.10  Purpose.

    The purpose of this Part is to implement the Patient Safety and 
Quality Improvement Act of 2005 (Pub. L. 109-41), which amended Title 
IX of the Public Health Service Act (42 U.S.C. 299 et seq.) by adding 
sections 921 through 926, 42 U.S.C. 299b-21 through 299b-26.


Sec.  3.20  Definitions.

    As used in this Part, the terms listed alphabetically below have 
the meanings set forth as follows:
    Affiliated provider means, with respect to a provider, a legally 
separate provider that is the parent organization of the provider, is 
under common ownership, management, or control with the provider, or is 
owned, managed, or controlled by the provider.
    AHRQ stands for the Agency for Healthcare Research and Quality in 
HHS.
    ALJ stands for an Administrative Law Judge of HHS.
    Board means the members of the HHS Departmental Appeals Board, in 
the Office of the Secretary, which issues decisions in panels of three.
    Bona fide contract means:
    (1) A written contract between a provider and a PSO that is 
executed in good faith by officials authorized to execute such 
contract; or
    (2) A written agreement (such as a memorandum of understanding or 
equivalent recording of mutual commitments) between a Federal, State, 
local, or Tribal provider and a Federal, State, local, or Tribal PSO 
that is executed in good faith by officials authorized to execute such 
agreement.
    Complainant means a person who files a complaint with the Secretary 
pursuant to Sec.  3.306.
    Component organization means an entity that:
    (1) Is a unit or division of a legal entity (including a 
corporation, partnership, or a Federal, State, local or Tribal agency 
or organization); or
    (2) Is owned, managed, or controlled by one or more legally 
separate parent organizations.
    Component PSO means a PSO listed by the Secretary that is a 
component organization.
    Confidentiality provisions means for purposes of Subparts C and D, 
any requirement or prohibition concerning confidentiality established 
by sections 921 and 922(b)-(d), (g) and (i) of the Public Health 
Service Act, 42 U.S.C. 299b-21, 299b-22(b)-(d), (g) and (i) and the 
provisions, at Sec. Sec.  3.206 and 3.208, that implement the statutory 
prohibition on disclosure of identifiable patient safety work product.
    Disclosure means the release, transfer, provision of access to, or 
divulging in any other manner of patient safety work product by:
    (1) An entity or natural person holding the patient safety work 
product to another legally separate entity or natural person, other 
than a workforce member of, or a health care provider holding 
privileges with, the entity holding the patient safety work product; or
    (2) A component PSO to another entity or natural person outside the 
component PSO and within the legal entity of which the component PSO is 
a part.
    Entity means any organization or organizational unit, regardless of 
whether the organization is public, private, for-profit, or 
not-for-profit.
    Group health plan means an employee welfare benefit plan (as 
defined in section 3(1) of the Employee Retirement Income Security Act 
of 1974 (ERISA)) to the extent that the plan provides medical care (as 
defined in paragraph (2) of section 2791(a) of the Public Health 
Service Act, including items and services paid for as medical care) to 
employees or their dependents (as defined under the terms of the plan) 
directly or through insurance, reimbursement, or otherwise.
    Health insurance issuer means an insurance company, insurance 
service, or insurance organization (including a health maintenance 
organization, as defined in 42 U.S.C. 300gg-91(b)(3)) which is licensed 
to engage in the business of insurance in a State and which is subject 
to State law which regulates insurance (within the meaning of 29 U.S.C. 
1144(b)(2)). This term does not include a group health plan.
    Health maintenance organization means:
    (1) A Federally qualified health maintenance organization (HMO) (as 
defined in 42 U.S.C. 300e(a));
    (2) An organization recognized under State law as a health 
maintenance organization; or
    (3) A similar organization regulated under State law for solvency 
in the same manner and to the same extent as such a health maintenance 
organization.
    HHS stands for the United States Department of Health and Human 
Services.
    HIPAA Privacy Rule means the regulations promulgated under section 
264(c) of the Health Insurance Portability and Accountability Act of 
1996 (HIPAA), at 45 CFR part 160 and Subparts A and E of Part 164.
    Identifiable patient safety work product means patient safety work 
product that:
    (1) Is presented in a form and manner that allows the 
identification of any provider that is a subject of the work product, 
or any providers that participate in, or are responsible for, 
activities that are a subject of the work product;
    (2) Constitutes individually identifiable health information as 
that term is defined in the HIPAA Privacy Rule at 45 CFR 160.103; or
    (3) Is presented in a form and manner that allows the 
identification of an individual who in good faith reported information 
directly to a PSO or to a provider with the intention of having the 
information reported to a PSO (``reporter'').
    Nonidentifiable patient safety work product means patient safety 
work product that is not identifiable patient safety work product in 
accordance with the nonidentification standards set forth at Sec.  
3.212.

[[Page 70798]]

    OCR stands for the Office for Civil Rights in HHS.
    Parent organization means an organization that: owns a controlling 
interest or a majority interest in a component organization; has the 
authority to control or manage agenda setting, project management, or 
day-to-day operations; or the authority to review and override 
decisions of a component organization. The component organization may 
be a provider.
    Patient Safety Act means the Patient Safety and Quality Improvement 
Act of 2005 (Pub. L. 109-41), which amended Title IX of the Public 
Health Service Act (42 U.S.C. 299 et seq.) by inserting a new Part C, 
sections 921 through 926, which are codified at 42 U.S.C. 299b-21 
through 299b-26.
    Patient safety activities means the following activities carried 
out by or on behalf of a PSO or a provider:
    (1) Efforts to improve patient safety and the quality of health 
care delivery;
    (2) The collection and analysis of patient safety work product;
    (3) The development and dissemination of information with respect 
to improving patient safety, such as recommendations, protocols, or 
information regarding best practices;
    (4) The utilization of patient safety work product for the purposes 
of encouraging a culture of safety and of providing feedback and 
assistance to effectively minimize patient risk;
    (5) The maintenance of procedures to preserve confidentiality with 
respect to patient safety work product;
    (6) The provision of appropriate security measures with respect to 
patient safety work product;
    (7) The utilization of qualified staff; and
    (8) Activities related to the operation of a patient safety 
evaluation system and to the provision of feedback to participants in a 
patient safety evaluation system.
    Patient safety evaluation system means the collection, management, 
or analysis of information for reporting to or by a PSO.
    Patient safety organization (PSO) means a private or public entity 
or component thereof that is listed as a PSO by the Secretary in 
accordance with Subpart B. A health insurance issuer or a component 
organization of a health insurance issuer may not be a PSO. See also 
the exclusions in Sec.  3.102 of this Part.
    Patient safety work product:
    (1) Except as provided in paragraph (2) of this definition, patient 
safety work product means any data, reports, records, memoranda, 
analyses (such as root cause analyses), or written or oral statements 
(or copies of any of this material)
    (i) Which could improve patient safety, health care quality, or 
health care outcomes; and
    (A) Which are assembled or developed by a provider for reporting to 
a PSO and are reported to a PSO, which includes information that is 
documented as within a patient safety evaluation system for reporting 
to a PSO, and such documentation includes the date the information 
entered the patient safety evaluation system; or
    (B) Are developed by a PSO for the conduct of patient safety 
activities; or
    (ii) Which identify or constitute the deliberations or analysis of, 
or identify the fact of reporting pursuant to, a patient safety 
evaluation system.
    (2)(i) Patient safety work product does not include a patient's 
medical record, billing and discharge information, or any other 
original patient or provider information; nor does it include 
information that is collected, maintained, or developed separately, or 
exists separately, from a patient safety evaluation system. Such 
separate information or a copy thereof reported to a PSO shall not by 
reason of its reporting be considered patient safety work product.
    (ii) Patient safety work product assembled or developed by a 
provider for reporting to a PSO may be removed from a patient safety 
evaluation system and no longer considered patient safety work product 
if:
    (A) The information has not yet been reported to a PSO; and
    (B) The provider documents the act and date of removal of such 
information from the patient safety evaluation system.
    (iii) Nothing in this part shall be construed to limit information 
that is not patient safety work product from being:
    (A) Discovered or admitted in a criminal, civil or administrative 
proceeding;
    (B) Reported to a Federal, State, local or Tribal governmental 
agency for public health or health oversight purposes; or
    (C) Maintained as part of a provider's recordkeeping obligation 
under Federal, State, local or Tribal law.
    Person means a natural person, trust or estate, partnership, 
corporation, professional association or corporation, or other entity, 
public or private.
    Provider means:
    (1) An individual or entity licensed or otherwise authorized under 
State law to provide health care services, including--
    (i) A hospital, nursing facility, comprehensive outpatient 
rehabilitation facility, home health agency, hospice program, renal 
dialysis facility, ambulatory surgical center, pharmacy, physician or 
health care practitioner's office (includes a group practice), long 
term care facility, behavior health residential treatment facility, 
clinical laboratory, or health center; or
    (ii) A physician, physician assistant, registered nurse, nurse 
practitioner, clinical nurse specialist, certified registered nurse 
anesthetist, certified nurse midwife, psychologist, certified social 
worker, registered dietitian or nutrition professional, physical or 
occupational therapist, pharmacist, or other individual health care 
practitioner;
    (2) Agencies, organizations, and individuals within Federal, State, 
local, or Tribal governments that deliver health care, organizations 
engaged as contractors by the Federal, State, local, or Tribal 
governments to deliver health care, and individual health care 
practitioners employed or engaged as contractors by the Federal, State, 
local, or Tribal governments to deliver health care; or
    (3) A parent organization of one or more entities described in 
paragraph (1)(i) of this definition or a Federal, State, local, or 
Tribal government unit that manages or controls one or more entities 
described in paragraphs (1)(i) or (2) of this definition.
    Research has the same meaning as the term is defined in the HIPAA 
Privacy Rule at 45 CFR 164.501.
    Respondent means a provider, PSO, or responsible person who is the 
subject of a complaint or a compliance review.
    Responsible person means a person, other than a provider or a PSO, 
who has possession or custody of identifiable patient safety work 
product and is subject to the confidentiality provisions.
    Workforce means employees, volunteers, trainees, contractors, or 
other persons whose conduct, in the performance of work for a provider, 
PSO or responsible person, is under the direct control of such 
provider, PSO or responsible person, whether or not they are paid by 
the provider, PSO or responsible person.

Subpart B--PSO Requirements and Agency Procedures


Sec.  3.102  Process and requirements for initial and continued listing 
of PSOs.

    (a) Eligibility and process for initial and continued listing--(1) 
Submission of certification. Any entity, except as specified in 
paragraph (a)(2) of this section, may request from the Secretary

[[Page 70799]]

an initial or continued listing as a PSO by submitting a completed 
certification form that meets the requirements of this section, in 
accordance with Sec.  3.112. An individual with authority to make 
commitments on behalf of the entity seeking listing will be required to 
submit contact information for the entity and:
    (i) Attest that the entity is not subject to any exclusion in 
paragraph (a)(2) of this section;
    (ii) Provide certifications that the entity meets each requirement 
for PSOs in paragraph (b) of this section;
    (iii) If the entity is a component of another organization, provide 
the additional certifications that the entity meets the requirements of 
paragraph (c)(1)(i) of this section;
    (iv) If the entity is a component of an excluded entity described 
in paragraph (a)(2)(ii), provide the additional certifications and 
information required by paragraph (c)(1)(ii) of this section;
    (v) Attest that the entity has disclosed if the Secretary has ever 
delisted this entity (under its current name or any other) or refused 
to list the entity or whether any of its officials or senior managers 
held comparable positions of responsibility in an entity that was 
denied listing or delisted and, if any of these circumstances apply, 
submit with its certifications and related disclosures, the name of the 
entity or entities that the Secretary declined to list or delisted;
    (vi) Attest that the PSO will promptly notify the Secretary during 
its period of listing if it can no longer comply with any of its 
attestations and the applicable requirements in Sec. Sec.  3.102(b) and 
3.102(c) or if there have been any changes in the accuracy of the 
information submitted for listing, along with the pertinent changes; 
and
    (vii) Provide other information that the Secretary determines to be 
necessary to make the requested listing determination.
    (2) Exclusion of certain entities. The following types of entities 
may not seek listing as a PSO:
    (i) A health insurance issuer; a unit or division of a health 
insurance issuer; or an entity that is owned, managed, or controlled by 
a health insurance issuer;
    (ii) (A) An entity that accredits or licenses health care 
providers;
    (B) An entity that oversees or enforces statutory or regulatory 
requirements governing the delivery of health care services;
    (C) An agent of an entity that oversees or enforces statutory or 
regulatory requirements governing the delivery of health care services; 
or
    (D) An entity that operates a Federal, state, local or Tribal 
patient safety reporting system to which health care providers (other 
than members of the entity's workforce or health care providers holding 
privileges with the entity) are required to report information by law 
or regulation.
    (iii) A component of an entity listed in paragraph (a)(2)(ii) may 
seek listing as a component PSO subject to the requirements and 
restrictions of paragraph (c)(1)(ii) of this section.
    (3) Submission of certification for continued listing. To 
facilitate a timely Secretarial determination regarding acceptance of 
its certification for continued listing, a PSO must submit the required 
certification no later than 75 days before the expiration of a PSO's 
three-year period of listing.
    (b) Fifteen general PSO certification requirements. The 
certifications submitted to the Secretary in accordance with paragraph 
(a)(1)(ii) of this section must conform to the following 15 
requirements:
    (1) Required certification regarding eight patient safety 
activities.
    (i) Initial listing. An entity seeking initial listing as a PSO 
must certify that it has written policies and procedures in place to 
perform each of the eight patient safety activities, defined in Sec.  
3.20. With respect to paragraphs (5) and (6) in the definition of 
patient safety activities regarding confidentiality and security, the 
policies and procedures must include and provide for:
    (A) Compliance with the confidentiality provisions of Subpart C of 
this part and with appropriate security measures as required by Sec.  
3.106 of this subpart.
    (B) Notification of each provider that submitted patient safety 
work product or data as described in Sec.  3.108(b)(2) to the entity if 
the submitted work product or data was subject to an unauthorized 
disclosure or its security was breached.
    (ii) Continued Listing. A PSO seeking continued listing must 
certify that it is performing, and will continue to perform, each of 
the patient safety activities defined in Sec.  3.20, and is and will 
continue to comply with the requirements of paragraphs (b)(1)(i)(A) and 
(B) of this section.
    (2) Required certification regarding seven PSO criteria.
    (i) Initial Listing. In its initial certification submission, an 
entity must also certify that, if listed as a PSO, it will comply with 
the seven requirements in paragraphs (b)(2)(i)(A) through (G) of this 
section.
    (A) The mission and primary activity of the PSO must be to conduct 
activities that are to improve patient safety and the quality of health 
care delivery.
    (B) The PSO must have appropriately qualified workforce members, 
including licensed or certified medical professionals.
    (C) The PSO, within the 24-month period that begins on the date of 
its initial listing as a PSO, and within each sequential 24-month 
period thereafter, must have 2 bona fide contracts, each of a 
reasonable period of time, each with a different provider for the 
purpose of receiving and reviewing patient safety work product.
    (D) The PSO is not a health insurance issuer, and is not a 
component of a health insurance issuer.
    (E) The PSO must make disclosures to the Secretary as required 
under Sec.  3.102(d), in accordance with Sec.  3.112 of this subpart.
    (F) To the extent practical and appropriate, the PSO must collect 
patient safety work product from providers in a standardized manner 
that permits valid comparisons of similar cases among similar 
providers.
    (G) The PSO must utilize patient safety work product for the 
purpose of providing direct feedback and assistance to providers to 
effectively minimize patient risk.
    (ii) Continued Listing. A PSO seeking continued listing must 
certify that it is complying with, and will continue to comply with, 
the requirements of paragraphs (b)(2)(i)(A) through (G) of this 
section.
    (iii) Compliance with the criterion for collecting patient safety 
work product in a standardized manner to the extent practical and 
appropriate. With respect to paragraph (b)(2)(i)(F) of this section, 
the Secretary will assess compliance by a PSO in the following manner.
    (A) A PSO seeking continued listing must:
    (1) Certify that the PSO is using the Secretary's published 
guidance for common formats and definitions in its collection of 
patient safety work product (option (I));
    (2) Certify that the PSO is using an alternative system of formats 
and definitions that permits valid comparisons of similar cases among 
similar providers (option (II)); or
    (3) Provide a clear explanation for why it is not practical or 
appropriate for the PSO to comply with options (I) or (II) at this 
time.
    (B) The Secretary will consider a PSO to be in compliance if the 
entity complies with option (I), satisfactorily demonstrates that 
option (II) permits valid comparisons of similar cases among similar 
providers, or satisfactorily demonstrates that it is not practical or 
appropriate for the PSO to

[[Page 70800]]

comply with options (I) or (II) at this time.
    (c) Additional certifications required of component organizations--
(1) Requirements when seeking listing--(i) Requirements that all 
component organizations must meet. In addition to meeting the 15 
general PSO certification requirements of paragraph (b) of this 
section, an entity seeking initial listing that is a component of 
another organization must certify that it will comply with the 
requirements of paragraph (c)(2) of this section. A component PSO 
seeking continued listing must certify that it is complying with, and 
will continue to comply with, the requirements of this same paragraph 
(c)(2). At initial and continued listing, a component entity must 
attach to its certifications for listing contact information for its 
parent organization(s).
    (ii) Additional requirements and limitations applicable to 
components of entities that are excluded from listing. In addition to 
the requirements under paragraph (c)(1)(i) of this section, a component 
of an organization excluded from listing under paragraph (a)(2)(ii) of 
this section must submit the additional certifications and specified 
information for initial and continued listing and comply with paragraph 
(c)(4) of this section.
    (2) Required component certifications--(i) Separation of patient 
safety work product. A component PSO must maintain patient safety work 
product separately from the rest of the parent organization(s) of which 
it is a part, and establish appropriate security measures to maintain 
the confidentiality of patient safety work product. The information 
system in which the component PSO maintains patient safety work product 
must not permit unauthorized access by one or more individuals in, or 
by units of, the rest of the parent organization(s) of which it is a 
part.
    (ii) Nondisclosure of patient safety work product. A component PSO 
must require that members of its workforce and any other contractor 
staff not make unauthorized disclosures of patient safety work product 
to the rest of the parent organization(s) of which it is a part.
    (iii) No conflict of interest. The pursuit of the mission of a 
component PSO must not create a conflict of interest with the rest of 
the parent organization(s) of which it is a part.
    (3) Written agreements for assisting a component PSO in the conduct 
of patient safety activities. Notwithstanding the requirements of 
paragraph (c)(2) of this section, a component PSO may provide access to 
identifiable patient safety work product to one or more individuals in, 
or to one or more units of, the rest of the parent organization(s) of 
which it is a part, if the component PSO enters into a written 
agreement with such individuals or units which requires that:
    (i) The component PSO will only provide access to identifiable 
patient safety work product to enable such individuals or units to 
assist the component PSO in its conduct of patient safety activities, 
and
    (ii) Such individuals or units that receive access to identifiable 
patient safety work product pursuant to such written agreement will 
only use or disclose such information as specified by the component PSO 
to assist the component PSO in its conduct of patient safety 
activities, will take appropriate security measures to prevent 
unauthorized disclosures and will comply with the other certifications 
the component has made pursuant to paragraph (c)(2) of this section 
regarding unauthorized disclosures and conducting the mission of the 
PSO without creating conflicts of interest.
    (4) Required attestations, information and operational limitations 
for components of entities excluded from listing. A component 
organization of an entity that is subject to the restrictions of 
paragraph (a)(2)(ii) of this section must:
    (i) Submit the following information with its certifications for 
listing:
    (A) A statement describing its parent organization's role, and the 
scope of the parent organization's authority, with respect to any of 
the following that apply: Accreditation or licensure of health care 
providers, oversight or enforcement of statutory or regulatory 
requirements governing the delivery of health care services, serving as 
an agent of such a regulatory oversight or enforcement authority, or 
administering a public mandatory patient safety reporting system;
    (B) An attestation that the parent organization has no policies or 
procedures that would require or induce providers to report patient 
safety work product to their component organization once listed as a 
PSO and that the component PSO will notify the Secretary within 5 
calendar days of the date on which the component organization has 
knowledge of the adoption by the parent organization of such policies 
or procedures, and an acknowledgment that the adoption of such policies 
or procedures by the parent organization during the component PSO's 
period of listing will result in the Secretary initiating an expedited 
revocation process in accordance with Sec.  3.108(e); and
    (C) An attestation that the component organization will prominently 
post notification on its Web site and publish in any promotional 
materials for dissemination to providers, a summary of the information 
that is required by paragraph (c)(4)(i)(A) of this section.
    (ii) Comply with the following requirements during its period of 
listing:
    (A) The component organization may not share staff with its parent 
organization(s).
    (B) The component organization may enter into a written agreement 
pursuant to paragraph (c)(3) but such agreements are limited to units 
or individuals of the parent organization(s) whose responsibilities do 
not involve the activities specified in the restrictions in paragraph 
(a)(2)(ii) of this section.
    (d) Required notifications. Upon listing, PSOs must meet the 
following notification requirements:
    (1) Notification regarding PSO compliance with the minimum contract 
requirement. No later than 45 calendar days prior to the last day of 
the pertinent 24-month assessment period, specified in paragraph 
(b)(2)(iii)(C) of this section, the Secretary must receive from a PSO a 
certification that states whether it has met the requirement of that 
paragraph regarding two bona fide contracts, submitted in accordance 
with Sec.  3.112 of this subpart.
    (2) Notification regarding a PSO's relationships with its 
contracting providers.
    (i) Requirement. A PSO must file a disclosure statement regarding a 
provider with which it has a contract that provides the confidentiality 
and privilege protections of the Patient Safety Act (hereinafter 
referred to as a Patient Safety Act contract) if the PSO has any other 
relationships with this provider that are described in paragraphs 
(d)(2)(i)(A) through (D) of this section. The PSO must disclose all 
such relationships. A disclosure statement is not required if all of 
its other relationships with the provider are limited to Patient Safety 
Act contracts.
    (A) The provider and PSO have current contractual relationships, 
other than those arising from any Patient Safety Act contracts, 
including formal contracts or agreements that impose obligations on the 
PSO.
    (B) The provider and PSO have current financial relationships other 
than those arising from any Patient Safety Act contracts. A financial 
relationship may include any direct or indirect ownership or investment 
relationship between the PSO and the contracting provider, shared or 
common

[[Page 70801]]

financial interests or direct or indirect compensation arrangements 
whether in cash or in-kind.
    (C) The PSO and provider have current reporting relationships other 
than those arising from any Patient Safety Act contracts, by which the 
provider has access to information regarding the work and operation of 
the PSO that is not available to other contracting providers.
    (D) Taking into account all relationships that the PSO has with the 
provider, the PSO is not independently managed or controlled, or the 
PSO does not operate independently from, the contracting provider.
    (ii) Content. A PSO must submit to the Secretary the required 
attestation form for disclosures with the information specified below 
in accordance with Sec.  3.112 and this section. The substantive 
information that must be included with each submission has two required 
parts:
    (A) The Required Disclosures. The first part of the substantive 
information must provide a succinct list of obligations between the PSO 
and the contracting provider apart from their Patient Safety Act 
contract(s) that create, or contain, any of the types of relationships 
that must be disclosed based upon the requirements of paragraphs 
(d)(2)(i)(A) through (D) of this section. Each reportable obligation or 
discrete set of obligations that the PSO has with this contracting 
provider should be listed only once; noting the specific aspects of the 
obligation(s) that reflect contractual or financial relationships, 
involve access to information that is not available to other providers, 
or affect the independence of PSO operations, management, or control.
    (B) An Explanatory Narrative. The second required part of the 
substantive information must provide a brief explanatory narrative 
succinctly describing: The policies and procedures that the PSO has in 
place to ensure adherence to objectivity and professionally recognized 
analytic standards in the assessments it undertakes; and any other 
policies or procedures, or agreements with this provider, that the PSO 
has in place to ensure that it can fairly and accurately perform 
patient safety activities.
    (iii) Deadlines for submission. The Secretary must receive a 
disclosure statement within 45 days of the date on which a PSO enters a 
contract with a provider if the circumstances described in any of the 
paragraphs (d)(2)(i)(A) through (D) of this section are met on the date 
the contract is entered. During the contract period, if these 
circumstances subsequently arise, the Secretary must receive a 
disclosure statement from the PSO within 45 days of the date that any 
disclosure requirement in paragraph (d)(2)(i) of this section first 
applies.


Sec.  3.104  Secretarial actions.

    (a) Actions in response to certification submissions for initial 
and continued listing as a PSO. (1) In response to an initial or 
continued certification submission by an entity, pursuant to the 
requirements of Sec.  3.102 of this subpart, the Secretary may--
    (i) Accept the certification submission and list the entity as a 
PSO, or maintain the listing of a PSO, if the Secretary determines that 
the entity meets the applicable requirements of the Patient Safety Act 
and this subpart;
    (ii) Deny acceptance of a certification submission and, in the case 
of a currently listed PSO, remove the entity from the list if the 
entity does not meet the applicable requirements of the Patient Safety 
Act and this subpart; or
    (iii) Condition the listing of an entity or the continued listing 
of a PSO, following a determination made pursuant to paragraph (c) of 
this section or a determination after review of the pertinent history 
of an entity that has been delisted or refused listing and its 
officials and senior managers.
    (2) Basis for determination. In making a determination regarding 
listing, the Secretary will consider the certification submission; any 
prior actions by the Secretary regarding the entity or PSO including 
delisting; any history of or current non-compliance by the entity or 
the PSO or its officials or senior managers with statutory or 
regulatory requirements or requests from the Secretary; the 
relationships of the entity or PSO with providers; and any findings 
made by the Secretary in accordance with paragraph (c) of this section.
    (3) Notification. The Secretary will notify in writing each entity 
of action taken on its certification submission for initial or 
continued listing. The Secretary will provide reasons when an entity's 
certification is conditionally accepted and the entity is conditionally 
listed, when an entity's certification is not accepted and the entity 
is not listed, or when acceptance of its certification is revoked and 
the entity is delisted.
    (b) Actions regarding PSO compliance with the minimum contract 
requirement. After the date on which the Secretary, under Sec.  
3.102(d)(1) of this subpart, must receive notification regarding 
compliance of a PSO with the minimum contract requirement--
    (1) If the PSO has met the minimum contract requirement, the 
Secretary will acknowledge in writing receipt of the notification and 
add information to the list established pursuant to paragraph (d) of 
this section stating that the PSO has certified that it has met the 
requirement.
    (2) If the PSO states that it has not yet met the minimum contract 
requirement by the date specified in Sec.  3.102(d)(1), or if notice is 
not received by that date, the Secretary will issue to the PSO a notice 
of a preliminary finding of deficiency as specified in Sec.  
3.108(a)(2) and establish a period for correction that extends until 
midnight of the last day of the PSO's applicable 24-month period of 
assessment. Thereafter, if the requirement has not been met, the 
Secretary will provide the PSO a written notice of proposed revocation 
and delisting in accordance with Sec.  3.108(a)(3).
    (c) Actions regarding required disclosures by PSOs of relationships 
with contracting providers. The Secretary will review and make findings 
regarding each disclosure statement submitted by a PSO, pursuant to 
Sec.  3.102(d)(2), regarding its relationships with contracting 
provider(s), determine whether such findings warrant action regarding 
the listing of the PSO in accordance with paragraph (c)(2) of this 
section, and make the findings public.
    (1) Basis of findings regarding PSO disclosure statements. In 
reviewing disclosure statements, submitted pursuant to Sec.  
3.102(d)(2) of this subpart, the Secretary will consider the disclosed 
relationship(s) between the PSO and the contracting provider and the 
statements and material submitted by the PSO describing the policies 
and procedures that the PSO has in place to determine whether the PSO 
can fairly and accurately perform the required patient safety 
activities.
    (2) Determination by the Secretary. Based on the Secretary's review 
and findings, he may choose to take any of the following actions:
    (i) For an entity seeking an initial or continued listing, the 
Secretary may list or continue the listing of an entity without 
conditions, list the entity subject to conditions, or deny the entity's 
certification for initial or continued listing; or
    (ii) For a listed PSO, the Secretary may determine that the entity 
will remain listed without conditions, continue the entity's listing 
subject to conditions, or remove the entity from the list of PSOs.
    (3) Release of disclosure statements and Secretarial findings. (i) 
Subject to paragraph (c)(3)(ii) of this section, the Secretary will 
make disclosure statements available to the public along

[[Page 70802]]

with related findings that are made available in accordance with 
paragraph (c) of this section.
    (ii) The Secretary may withhold information that is exempt from 
public disclosure under the Freedom of Information Act, e.g., trade 
secrets or confidential commercial information that are subject to the 
restrictions of 18 U.S.C. 1905.
    (d) Maintaining a list of PSOs. The Secretary will compile and 
maintain a publicly available list of entities whose certifications as 
PSOs have been accepted. The list will include contact information for 
each entity, a copy of all certification forms and disclosure 
statements submitted by each entity in accordance with paragraph 
(c)(3)(ii) of this section, the effective date of the PSO's listing, 
and information on whether a PSO has certified that it has met the two 
contract requirement. The list also will include a copy of the 
Secretary's findings regarding each disclosure statement submitted by 
an entity, information describing any related conditions that have been 
placed by the Secretary on the listing of an entity as a PSO, and other 
information that this Subpart states may be made public. AHRQ may 
maintain a PSO website (or a comparable future form of public notice) 
and may post the list on this website.
    (e) Three-year period of listing. (1) The three-year period of 
listing of a PSO will automatically expire at midnight of the last day 
of this period, unless the listing had been revoked or relinquished 
earlier in accordance with Sec.  3.108 of this subpart, or if, prior to 
this automatic expiration, the PSO seeks a new three-year listing, in 
accordance with Sec.  3.102, and the Secretary accepts the PSO's 
certification for a new three-year listing, in accordance with Sec.  
3.104(a).
    (2) The Secretary plans to send a written notice of imminent 
expiration to a PSO at least 60 calendar days prior to the date on 
which its three-year period of listing expires if the Secretary has not 
yet received a certification for continued listing. The Secretary plans 
to indicate, on the AHRQ PSO website, the PSOs from whom certifications 
for continued listing have not been timely received.
    (f) Effective dates of Secretarial actions. Unless otherwise 
stated, the effective date of each action by the Secretary pursuant to 
this subpart will be specified in the written notice of such action 
that is sent to the entity. When the Secretary sends a notice that 
addresses acceptance or revocation of an entity's certifications or 
voluntary relinquishment by an entity of its status as a PSO, the 
notice will specify the effective date and time of listing or 
delisting.


Sec.  3.106  Security requirements.

    (a) Application. A PSO must secure patient safety work product in 
conformance with the security requirements of paragraph (b) of this 
section. These requirements must be met at all times and at any 
location at which the PSO, its workforce members, or its contractors 
receive, access, or handle patient safety work product. Handling 
patient safety work product includes its processing, development, use, 
maintenance, storage, removal, disclosure, transmission and 
destruction.
    (b) Security framework. A PSO must have written policies and 
procedures that address each of the considerations specified in this 
subsection. In addressing the framework that follows, the PSO may 
develop appropriate and scalable security standards, policies, and 
procedures that are suitable for the size and complexity of its 
organization.
    (1) Security management. A PSO must address:
    (i) Maintenance and effective implementation of written policies 
and procedures that conform to the requirements of this section to 
protect the confidentiality, integrity, and availability of the patient 
safety work product that is received, accessed, or handled; and to 
monitor and improve the effectiveness of such policies and procedures, 
and
    (ii) Training of the PSO workforce and PSO contractors who receive, 
access, or handle patient safety work product regarding the 
requirements of the Patient Safety Act, this Part, and the PSO's 
policies and procedures regarding the confidentiality and security of 
patient safety work product.
    (2) Distinguishing patient safety work product. A PSO must address:
    (i) Maintenance of the security of patient safety work product, 
whether in electronic or other media, through either physical 
separation from non-patient safety work product, or if co-located with 
non-patient safety work product, by making patient safety work product 
distinguishable so that the appropriate form and level of security can 
be applied and maintained;
    (ii) Protection of the media, whether in electronic, paper, or 
other media or format, that contain patient safety work product, 
limiting access to authorized users, and sanitizing and destroying such 
media before their disposal or release for reuse; and
    (iii) Physical and environmental protection, to control and limit 
physical and virtual access to places and equipment where patient 
safety work product is received, accessed, or handled.
    (3) Security control and monitoring. A PSO must address:
    (i) Identification of those authorized to receive, access, or 
handle patient safety work product and an audit capacity to detect 
unlawful, unauthorized, or inappropriate receipt, access, or handling 
of patient safety work product, and
    (ii) Methods to prevent unauthorized receipt, access, or handling 
of patient safety work product.
    (4) Security assessment. A PSO must address:
    (i) Periodic assessments of security risks and controls to 
establish if its controls are effective, to correct any deficiency 
identified, and to reduce or eliminate any vulnerabilities.
    (ii) System and communications protection, to monitor, control, and 
protect PSO receipt, access, or handling of patient safety work product 
with particular attention to the transmission of patient safety work 
product to and from providers, other PSOs, contractors or any other 
responsible persons.


Sec.  3.108  Correction of deficiencies, revocation, and voluntary 
relinquishment.

    (a) Process for correction of a deficiency and revocation--(1) 
Circumstances leading to revocation. The Secretary may revoke his 
acceptance of an entity's certification (``revocation'') and delist the 
entity as a PSO if he determines--
    (i) The PSO is not fulfilling the certifications made to the 
Secretary as required by Sec.  3.102;
    (ii) The PSO has not met the two contract requirement, as required 
by Sec.  3.102(d)(1);
    (iii) Based on a PSO's disclosures made pursuant to Sec.  
3.102(d)(2), that the entity cannot fairly and accurately perform the 
patient safety activities of a PSO with a public finding to that 
effect; or
    (iv) The PSO is not in compliance with any other provision of the 
Patient Safety Act or this Part.
    (2) Notice of preliminary finding of deficiency and establishment 
of an opportunity for correction of a deficiency. (i) Except as 
provided by paragraph (e) of this section, if the Secretary determines 
that a PSO is not in compliance with its obligations under the Patient 
Safety Act or this Subpart, the Secretary must send a PSO written 
notice of the preliminary finding of deficiency. The notice must state 
the actions or inactions that encompass the deficiency finding, outline 
the evidence that the deficiency exists, specify the

[[Page 70803]]

possible and/or required corrective actions that must be taken, and 
establish a date by which the deficiency must be corrected. The 
Secretary may specify in the notice the form of documentation required 
to demonstrate that the deficiency has been corrected.
    (ii) The notice of a preliminary finding of deficiency is presumed 
received five days after it is sent, absent evidence of the actual 
receipt date. If a PSO does not submit evidence to the Secretary within 
14 calendar days of actual or constructive receipt of such notice, 
whichever is longer, which demonstrates that the preliminary finding is 
factually incorrect, the preliminary finding will be the basis for a 
finding of deficiency.
    (3) Determination of correction of a deficiency. (i) Unless the 
Secretary specifies another date, the Secretary must receive 
documentation to demonstrate that the PSO has corrected any deficiency 
cited in the preliminary finding of deficiency no later than five 
calendar days following the last day of the correction period that is 
specified by the Secretary in such notice.
    (ii) In making a determination regarding the correction of any 
deficiency, the Secretary will consider the documentation submitted by 
the PSO, any assessments under Sec.  3.110, recommendations of program 
staff, and any other information available regarding the PSO that the 
Secretary deems appropriate and relevant to the PSO's implementation of 
the terms of its certification.
    (iii) After completing his review, the Secretary may make one of 
the following determinations:
    (A) The action(s) taken by the PSO have corrected any deficiency, 
in which case the Secretary will withdraw the notice of deficiency and 
so notify the PSO;
    (B) The PSO has acted in good faith to correct the deficiency, but 
the Secretary finds an additional period of time is necessary to 
achieve full compliance and/or the required corrective action specified 
in the notice of a preliminary finding of deficiency needs to be 
modified in light of the experience of the PSO in attempting to 
implement the corrective action, in which case the Secretary will 
extend the period for correction and/or modify the specific corrective 
action required; or
    (C) The PSO has not completed the corrective action because it has 
not acted with reasonable diligence or speed to ensure that the 
corrective action was completed within the allotted time, in which case 
the Secretary will issue to the PSO a notice of proposed revocation and 
delisting.
    (iv) When the Secretary issues a written notice of proposed 
revocation and delisting, the notice will specify the deficiencies that 
have not been timely corrected and will detail the manner in which the 
PSO may exercise its opportunity to be heard in writing to respond to 
the deficiencies specified in the notice.
    (4) Opportunity to be heard in writing following a notice of 
proposed revocation and delisting. The Secretary will afford a PSO an 
opportunity to be heard in writing, as specified in paragraph (a)(4)(i) 
of this section, to provide a substantive response to the deficiency 
finding(s) set forth in the notice of proposed revocation and 
delisting.
    (i) The notice of proposed revocation and delisting is presumed 
received five days after it is sent, absent evidence of actual receipt. 
The Secretary will provide a PSO with a period of time, beginning with 
the date of receipt of the notice of proposed revocation and delisting 
of which there is evidence, or the presumed date of receipt if there is 
no evidence of earlier receipt, and ending at midnight 30 calendar days 
thereafter, during which the PSO may submit a substantive response to 
the deficiency findings in writing.
    (ii) The Secretary will provide to the PSO any rules of procedure 
governing the form or transmission of the written response to the 
notice of proposed revocation and delisting. Such rules may also be 
posted on the AHRQ PSO Web site or published in the Federal Register.
    (iii) If a PSO does not submit a written response to the deficiency 
finding(s) within 30 calendar days of receipt of the notice of proposed 
revocation and delisting, the notice of proposed revocation becomes 
final as a matter of law and the basis for Secretarial action under 
paragraph (b)(1) of this section.
    (5) The Secretary's decision regarding revocation. The Secretary 
will review the entire administrative record pertaining to a notice of 
proposed revocation and delisting and any written materials submitted 
by the PSO under paragraph (a)(4) of this section. The Secretary may 
affirm, reverse, or modify the notice of proposed revocation and 
delisting and will make a determination with respect to the continued 
listing of the PSO.
    (b) Revocation of the Secretary's acceptance of a PSO's 
certifications--(1) Establishing the date and time of revocation and 
delisting. When the Secretary concludes, in accordance with a decision 
made under paragraphs (a)(5), (e)(3)(iii) or (e)(3)(iv)(C) of this 
section, that revocation of the acceptance of a PSO's certification is 
warranted for its failure to comply with requirements of the Patient 
Safety Act or of this Part, the Secretary will establish the effective 
time and date for such prompt revocation and removal of the entity from 
the list of PSOs, so notify the PSO in writing, and provide the 
relevant public notice required by Sec.  3.108(d) of this subpart.
    (2) Required notification of providers and status of data. (i) Upon 
being notified of the Secretary's action pursuant to paragraph (b)(1) 
of this section, the former PSO will take all reasonable actions to 
notify each provider, whose patient safety work product it collected or 
analyzed, of the Secretary's action(s) and the following statutory 
information: Confidentiality and privilege protections that applied to 
patient safety work product while the former PSO was listed continue to 
apply after the entity is removed from listing. Data submitted by 
providers to the former PSO for 30 calendar days following the date and 
time on which the entity was removed from the list of PSOs pursuant to 
paragraph (b)(1) of this section will have the same status as data 
submitted while the entity was still listed.
    (ii) Within 15 days of being notified of the Secretary's action 
pursuant to paragraph (b)(1) of this section, the former PSO shall 
submit to the Secretary confirmation that it has taken the actions in 
paragraph (b)(2)(i) of this section.
    (3) Disposition of patient safety work product and data. Within 90 
days following the effective date of revocation and delisting pursuant 
to paragraph (b)(1) of this section, the former PSO will take one or 
more of the following measures in regard to patient safety work product 
and data described in paragraph (b)(2)(i) of this section:
    (i) Transfer such patient safety work product or data, with the 
approval of the source from which it was received, to a PSO that has 
agreed to receive such patient safety work product or data;
    (ii) Return such work product or data to the source from which it 
was submitted; or
    (iii) If returning such patient safety work product or data to its 
source is not practicable, destroy such patient safety work product or 
data.
    (c) Voluntary relinquishment--(1) Circumstances constituting 
voluntary relinquishment. A PSO will be considered to have voluntarily 
relinquished its status as a PSO if the Secretary accepts a 
notification from a PSO that it wishes to relinquish voluntarily its 
listing as a PSO.

[[Page 70804]]

    (2) Notification of voluntary relinquishment. A PSO's notification 
of voluntary relinquishment to the Secretary must include the 
following:
    (i) An attestation that all reasonable efforts have been made, or 
will have been made by a PSO within 15 calendar days of this statement, 
to notify the sources from which it received patient safety work 
product of the PSO's intention to cease PSO operations and activities, 
to relinquish voluntarily its status as a PSO, to request that these 
other entities cease reporting or submitting any further information to 
the PSO as soon as possible, and inform them that any information 
reported after the effective date and time of delisting that the 
Secretary sets pursuant to paragraph (c)(3) of this section will not be 
protected as patient safety work product under the Patient Safety Act.
    (ii) An attestation that the entity has established a plan, or 
within 15 calendar days of this statement, will have made all 
reasonable efforts to establish a plan, in consultation with the 
sources from which it received patient safety work product, that 
provides for the disposition of the patient safety work product held by 
the PSO consistent with, to the extent practicable, the statutory 
options for disposition of patient safety work product as set out in 
paragraph (b)(3) of this section; and
    (iii) Appropriate contact information for further communications 
from the Secretary.
    (3) Response to notification of voluntary relinquishment. (i) After 
a PSO provides the notification required by paragraph (c)(2) of this 
section, the Secretary will respond in writing to the entity indicating 
whether the proposed voluntary relinquishment of its PSO status is 
accepted. If the voluntary relinquishment is accepted, the Secretary's 
response will indicate an effective date and time for the entity's 
removal from the list of PSOs and will provide public notice of the 
voluntary relinquishment and the effective date and time of the 
delisting, in accordance with Sec.  3.108(d) of this subpart.
    (ii) If the Secretary receives a notification of voluntary 
relinquishment during or immediately after revocation proceedings for 
cause under paragraphs (a)(4) and (a)(5) of this section, the 
Secretary, as a matter of discretion, may accept voluntary 
relinquishment in accordance with the preceding paragraph or decide not 
to accept the entity's proposed voluntary relinquishment and proceed 
with the revocation for cause and delisting pursuant to paragraph 
(b)(1) of this section.
    (4) Non-applicability of certain procedures and requirements. (i) A 
decision by the Secretary to accept a request by a PSO to relinquish 
voluntarily its status as a PSO pursuant to paragraph (c)(2) of this 
section does not constitute a determination of a deficiency in PSO 
compliance with the Patient Safety Act or with this Subpart.
    (ii) The procedures and requirements of Sec.  3.108(a) of this 
subpart regarding deficiencies including the opportunity to correct 
deficiencies and to be heard in writing, and the procedures and 
requirements of Sec.  3.108(b) are not applicable to determinations of 
the Secretary made pursuant to this subsection.
    (d) Public notice of delisting regarding removal from listing. If 
the Secretary removes an entity from the list of PSOs following 
revocation of acceptance of the entity's certification pursuant to 
Sec.  3.108(b)(1), voluntary relinquishment pursuant to Sec.  
3.108(c)(3), or expiration of an entity's period of listing pursuant to 
Sec.  3.104(e)(1), the Secretary will promptly publish in the Federal 
Register and on the AHRQ PSO website, or in a comparable future form of 
public notice, a notice of the actions taken and the effective dates.
    (e) Expedited revocation and delisting--(1) Basis for expedited 
revocation. Notwithstanding any other provision of this section, the 
Secretary may use the expedited revocation process described in 
paragraph (e)(3) of this section if he determines--
    (i) The PSO is not in compliance with this Part because it is or is 
about to become an entity described in Sec.  3.102(a)(2).
    (ii) The parent organization of the PSO is an entity described in 
Sec.  3.102(a)(2) and requires or induces health care providers to 
report patient safety work product to its component PSO; or
    (iii) The circumstances for revocation in paragraph (a)(1) of this 
section exist, and the Secretary has determined that there would be 
serious adverse consequences if the PSO were to remain listed.
    (2) Applicable provisions. If the Secretary uses the expedited 
revocation process described in paragraph (e)(3) of this section, the 
procedures in paragraphs (a)(2) through (5) of this section shall not 
apply and paragraph (a)(1) and paragraphs (b) and (d) of this section 
shall apply.
    (3) Expedited revocation process. (i) The Secretary must send the 
PSO a written notice of deficiency that:
    (A) Identifies the evidence that the circumstances for revocation 
and delisting under paragraph (a)(1) of this section exist, and any 
corrective action that the PSO must take if the Secretary determines 
that corrective action may resolve the matter so that the entity would 
not be delisted; and
    (B) Provides an opportunity for the PSO to respond in writing to 
correct the facts or the legal bases for delisting found in the notice, 
and to offer any other grounds for its not being delisted.
    (ii) The notice of deficiency will be presumed to be received five 
days after it is sent, absent evidence of the actual receipt date.
    (iii) If the PSO does not submit a written response to the 
Secretary within 14 calendar days of actual or constructive receipt of 
such notice, whichever is longer, the Secretary may revoke his 
acceptance of the PSO's certifications and remove the entity from the 
list of PSOs.
    (iv) If the PSO responds in writing within the required 14-day time 
period, the Secretary may take any of the following actions:
    (A) Withdraw the notice of deficiency;
    (B) Provide the PSO with more time to resolve the matter to the 
Secretary's satisfaction; or
    (C) Revoke his acceptance of the PSO's certifications and remove 
the entity from the list of PSOs.


Sec.  3.110  Assessment of PSO compliance.

    The Secretary may request information or conduct announced or 
unannounced reviews of, or site visits to, PSOs, to assess or verify 
PSO compliance with the requirements of this subpart and for these 
purposes will be allowed to inspect the physical or virtual sites 
maintained or controlled by the PSO. The Secretary will be allowed to 
inspect and/or be given or sent copies of any PSO records deemed 
necessary and requested by the Secretary to implement the provisions of 
this subpart. Such PSO records may include patient safety work product 
in accordance with Sec.  3.206(d) of this part.


Sec.  3.112  Submissions and forms.

    (a) Forms referred to in this subpart may be obtained on the PSO 
Web site (http://www.pso.ahrq.gov) maintained for the Secretary by AHRQ 
or a successor agency or on successor publication technology or by 
requesting them in writing by e-mail at [email protected], or by mail 
from the Agency for Healthcare Research and Quality, CQuIPS, PSO 
Liaison, 540 Gaither Road, Rockville, MD 20850. A form (including any 
required attachments) must be submitted in accordance with the 
accompanying instructions.

[[Page 70805]]

    (b) Information submitted to AHRQ in writing, but not required to 
be on or attached to a form, and requests for information from AHRQ, 
may be submitted by mail or other delivery to the Agency for Healthcare 
Research and Quality, CQuIPS, PSO Liaison, 540 Gaither Road, Rockville, 
MD 20850, by facsimile at (301) 427-1341, or by e-mail at 
[email protected].
    (c) If a submission to the Secretary is incomplete or additional 
information is needed to allow a determination to be made under this 
subpart, the submitter will be notified if any additional information 
is required.

Subpart C--Confidentiality and Privilege Protections of Patient 
Safety Work Product


Sec.  3.204  Privilege of patient safety work product.

    (a) Privilege. Notwithstanding any other provision of Federal, 
State, local, or Tribal law and subject to paragraph (b) of this 
section and Sec.  3.208 of this subpart, patient safety work product 
shall be privileged and shall not be:
    (1) Subject to a Federal, State, local, or Tribal civil, criminal, 
or administrative subpoena or order, including in a Federal, State, 
local, or Tribal civil or administrative disciplinary proceeding 
against a provider;
    (2) Subject to discovery in connection with a Federal, State, 
local, or Tribal civil, criminal, or administrative proceeding, 
including in a Federal, State, local, or Tribal civil or administrative 
disciplinary proceeding against a provider;
    (3) Subject to disclosure pursuant to section 552 of Title 5, 
United States Code (commonly known as the Freedom of Information Act) 
or any other similar Federal, State, local, or Tribal law;
    (4) Admitted as evidence in any Federal, State, local, or Tribal 
governmental civil proceeding, criminal proceeding, administrative 
rulemaking proceeding, or administrative adjudicatory proceeding, 
including any such proceeding against a provider; or
    (5) Admitted in a professional disciplinary proceeding of a 
professional disciplinary body established or specifically authorized 
under State law.
    (b) Exceptions to privilege. Privilege shall not apply to (and 
shall not be construed to prohibit) one or more of the following 
disclosures:
    (1) Disclosure of relevant patient safety work product for use in a 
criminal proceeding, subject to the conditions at Sec.  3.206(b)(1) of 
this subpart.
    (2) Disclosure to the extent required to permit equitable relief 
subject to the conditions at Sec.  3.206(b)(2) of this subpart.
    (3) Disclosure pursuant to provider authorizations subject to the 
conditions at Sec.  3.206(b)(3) of this subpart.
    (4) Disclosure of non-identifiable patient safety work product 
subject to the conditions at Sec.  3.206(b)(5) of this subpart.
    (c) Implementation and enforcement by the Secretary. Privilege 
shall not apply to (and shall not be construed to prohibit) disclosures 
of relevant patient safety work product to or by the Secretary if such 
patient safety work product is needed to investigate or determine 
compliance, or to seek or impose civil money penalties, with respect to 
this part or the HIPAA Privacy Rule, or to make or support decisions 
with respect to listing of a PSO.


Sec.  3.206  Confidentiality of patient safety work product.

    (a) Confidentiality. Subject to paragraphs (b) through (e) of this 
section, and Sec. Sec.  3.208 and 3.210 of this subpart, patient safety 
work product shall be confidential and shall not be disclosed.
    (b) Exceptions to confidentiality. The confidentiality provisions 
shall not apply to (and shall not be construed to prohibit) one or more 
of the following disclosures:
    (1) Disclosure in criminal proceedings. Disclosure of relevant 
patient safety work product for use in a criminal proceeding, but only 
after a court makes an in-camera determination that:
    (i) Such patient safety work product contains evidence of a 
criminal act;
    (ii) Such patient safety work product is material to the 
proceeding; and
    (iii) Such patient safety work product is not reasonably available 
from any other source.
    (2) Disclosure to permit equitable relief for reporters. Disclosure 
of patient safety work product to the extent required to permit 
equitable relief under section 922(f)(4)(A) of the Public Health 
Service Act, provided the court or administrative tribunal has issued a 
protective order to protect the confidentiality of the patient safety 
work product in the course of the proceeding.
    (3) Disclosure authorized by identified providers. (i) Disclosure 
of identifiable patient safety work product consistent with a valid 
authorization if such authorization is obtained from each provider 
identified in such work product prior to disclosure. A valid 
authorization must:
    (A) Be in writing and signed by the provider from whom 
authorization is sought; and
    (B) Contain sufficient detail to fairly inform the provider of the 
nature and scope of the disclosures being authorized;
    (ii) A valid authorization must be retained by the disclosing 
entity for six years from the date of the last disclosure made in 
reliance on the authorization and made available to the Secretary upon 
request.
    (4) Disclosure for patient safety activities--(i) Disclosure 
between a provider and a PSO. Disclosure of patient safety work product 
for patient safety activities by a provider to a PSO or by a PSO to 
that disclosing provider.
    (ii) Disclosure to a contractor of a provider or a PSO. A provider 
or a PSO may disclose patient safety work product for patient safety 
activities to an entity with which it has contracted to undertake 
patient safety activities on its behalf. A contractor receiving patient 
safety work product for patient safety activities may not further 
disclose patient safety work product, except to the provider or PSO 
with which it is contracted.
    (iii) Disclosure among affiliated providers. Disclosure of patient 
safety work product for patient safety activities by a provider to an 
affiliated provider.
    (iv) Disclosure to another PSO or provider. Disclosure of patient 
safety work product for patient safety activities by a PSO to another 
PSO or to another provider that has reported to the PSO, or, except as 
otherwise permitted in paragraph (b)(4)(iii) of this section, by a 
provider to another provider, provided:
    (A) The following direct identifiers of any providers and of 
affiliated organizations, corporate parents, subsidiaries, practice 
partners, employers, members of the workforce, or household members of 
such providers are removed:
    (1) Names;
    (2) Postal address information, other than town or city, State and 
zip code;
    (3) Telephone numbers;
    (4) Fax numbers;
    (5) Electronic mail addresses;
    (6) Social security numbers or taxpayer identification numbers;
    (7) Provider or practitioner credentialing or DEA numbers;
    (8) National provider identification number;
    (9) Certificate/license numbers;
    (10) Web Universal Resource Locators (URLs);
    (11) Internet Protocol (IP) address numbers;

[[Page 70806]]

    (12) Biometric identifiers, including finger and voice prints; and
    (13) Full face photographic images and any comparable images; and
    (B) With respect to any individually identifiable health 
information in such patient safety work product, the direct identifiers 
listed at 45 CFR 164.514(e)(2) have been removed.
    (5) Disclosure of nonidentifiable patient safety work product. 
Disclosure of nonidentifiable patient safety work product when patient 
safety work product meets the standard for nonidentification in 
accordance with Sec.  3.212 of this subpart.
    (6) Disclosure for research. (i) Disclosure of patient safety work 
product to persons carrying out research, evaluation or demonstration 
projects authorized, funded, certified, or otherwise sanctioned by rule 
or other means by the Secretary, for the purpose of conducting 
research.
    (ii) If the patient safety work product disclosed pursuant to 
paragraph (b)(6)(i) of this section is by a HIPAA covered entity as 
defined at 45 CFR 160.103 and contains protected health information as 
defined by the HIPAA Privacy Rule at 45 CFR 160.103, such patient 
safety work product may only be disclosed under this exception in the 
same manner as would be permitted under the HIPAA Privacy Rule.
    (7) Disclosure to the Food and Drug Administration (FDA) and 
entities required to report to FDA. (i) Disclosure by a provider of 
patient safety work product concerning an FDA-regulated product or 
activity to the FDA, an entity required to report to the FDA concerning 
the quality, safety, or effectiveness of an FDA-regulated product or 
activity, or a contractor acting on behalf of FDA or such entity for 
these purposes.
    (ii) Any person permitted to receive patient safety work product 
pursuant to paragraph (b)(7)(i) of this section may only further 
disclose such patient safety work product for the purpose of evaluating 
the quality, safety, or effectiveness of that product or activity to 
another such person or the disclosing provider.
    (8) Voluntary disclosure to an accrediting body. (i) Voluntary 
disclosure by a provider of patient safety work product to an 
accrediting body that accredits that provider, provided, with respect 
to any identified provider other than the provider making the 
disclosure:
    (A) The provider agrees to the disclosure; or
    (B) The identifiers at Sec.  3.206(b)(4)(iv)(A) are removed.
    (ii) An accrediting body may not further disclose patient safety 
work product it receives pursuant to paragraph (b)(8)(i) of this 
section.
    (iii) An accrediting body may not take an accrediting action 
against a provider based on a good faith participation of the provider 
in the collection, development, reporting, or maintenance of patient 
safety work product in accordance with this Part. An accrediting body 
may not require a provider to reveal its communications with any PSO.
    (9) Disclosure for business operations. (i) Disclosure of patient 
safety work product by a provider or a PSO for business operations to 
attorneys, accountants, and other professionals. Such contractors may 
not further disclose patient safety work product, except to the entity 
from which they received the information.
    (ii) Disclosure of patient safety work product for such other 
business operations that the Secretary may prescribe by regulation as 
consistent with the goals of this part.
    (10) Disclosure to law enforcement. (i) Disclosure of patient 
safety work product to an appropriate law enforcement authority 
relating to an event that either constitutes the commission of a crime, 
or for which the disclosing person reasonably believes constitutes the 
commission of a crime, provided that the disclosing person believes, 
reasonably under the circumstances, that the patient safety work 
product that is disclosed is necessary for criminal law enforcement 
purposes.
    (ii) Law enforcement personnel receiving patient safety work 
product pursuant to paragraph (b)(10)(i) of this section only may 
disclose that patient safety work product to other law enforcement 
authorities as needed for law enforcement activities related to the 
event that gave rise to the disclosure under paragraph (b)(10)(i) of 
this section.
    (c) Safe harbor. A provider or responsible person, but not a PSO, 
is not considered to have violated the requirements of this subpart if 
a member of its workforce discloses patient safety work product, 
provided that the disclosure does not include materials, including oral 
statements, that:
    (1) Assess the quality of care of an identifiable provider; or
    (2) Describe or pertain to one or more actions or failures to act 
by an identifiable provider.
    (d) Implementation and enforcement by the Secretary. The 
confidentiality provisions shall not apply to (and shall not be 
construed to prohibit) disclosures of relevant patient safety work 
product to or by the Secretary if such patient safety work product is 
needed to investigate or determine compliance or to seek or impose 
civil money penalties, with respect to this part or the HIPAA Privacy 
Rule, or to make or support decisions with respect to listing of a PSO.
    (e) No limitation on authority to limit or delegate disclosure or 
use. Nothing in subpart C of this part shall be construed to limit the 
authority of any person to enter into a contract requiring greater 
confidentiality or delegating authority to make a disclosure or use in 
accordance with this subpart.


Sec.  3.208  Continued protection of patient safety work product.

    (a) Except as provided in paragraph (b) of this section, patient 
safety work product disclosed in accordance with this subpart, or 
disclosed impermissibly, shall continue to be privileged and 
confidential.
    (b)(1) Patient safety work product disclosed for use in a criminal 
proceeding pursuant to section 922(c)(1)(A) of the Public Health 
Service Act, 42 U.S.C. 299b-22(c)(1)(A), and/or pursuant to Sec.  
3.206(b)(1) of this subpart continues to be privileged, but is no 
longer confidential.
    (2) Non-identifiable patient safety work product that is disclosed 
is no longer privileged or confidential and not subject to the 
regulations under this part.
    (3) Paragraph (b) of this section applies only to the specific 
patient safety work product disclosed.


Sec.  3.210  Required disclosure of patient safety work product to the 
Secretary.

    Notwithstanding any other provision in this part, providers, PSOs, 
and responsible persons must disclose patient safety work product upon 
request by the Secretary when the Secretary determines such patient 
safety work product is needed to investigate or determine compliance or 
to seek or impose civil money penalties, with respect to this part or 
the HIPAA Privacy Rule, or to make or support decisions with respect to 
listing of a PSO.


Sec.  3.212  Nonidentification of patient safety work product.

    (a) Patient safety work product is nonidentifiable with respect to 
a particular identified provider or a particular identified reporter 
if:
    (1) A person with appropriate knowledge of and experience with 
generally accepted statistical and scientific principles and methods 
for

[[Page 70807]]

rendering information not individually identifiable:
    (i) Applying such principles and methods, determines that the risk 
is very small that the information could be used, alone or in 
combination with other reasonably available information, by an 
anticipated recipient to identify an identified provider or reporter; 
and
    (ii) Documents the methods and results of the analysis that justify 
such determination; or
    (2)(i) The following identifiers of such provider or reporter and 
of affiliated organizations, corporate parents, subsidiaries, practice 
partners, employers, members of the workforce, or household members of 
such providers or reporters are removed:
    (A) The direct identifiers listed at Sec.  3.206(b)(4)(iv)(A)(1) 
through (13) of this subpart;
    (B) Geographic subdivisions smaller than a State, including street 
address, city, county, precinct, zip code and equivalent geocodes, 
except for the initial three digits of a zip code if, according to the 
current publicly available data from the Bureau of the Census, the 
geographic unit formed by combining all zip codes with the same three 
initial digits contains more than 20,000 people;
    (C) All elements of dates (except year) for dates directly related 
to a patient safety incident or event; and
    (D) Any other unique identifying number, characteristic, or code 
except as permitted for re-identification; and
    (ii) The provider, PSO or responsible person making the disclosure 
does not have actual knowledge that the information could be used, 
alone or in combination with other information that is reasonably 
available to the intended recipient, to identify the particular 
provider or reporter.
    (3) Re-identification. A provider, PSO, or responsible person may 
assign a code or other means of record identification to allow 
information made nonidentifiable under this section to be re-identified 
by such provider, PSO, or responsible person, provided that:
    (i) The code or other means of record identification is not derived 
from or related to information about the provider or reporter and is 
not otherwise capable of being translated so as to identify the 
provider or reporter; and
    (ii) The provider, PSO, or responsible person does not use or 
disclose the code or other means of record identification for any other 
purpose, and does not disclose the mechanism for re-identification.
    (b) Patient safety work product is non-identifiable with respect to 
a particular patient only if the individually identifiable health 
information regarding that patient is de-identified in accordance with 
the HIPAA Privacy Rule standard and implementation specifications for 
the de-identification at 45 CFR 164.514(a) through (c).

Subpart D--Enforcement Program


Sec.  3.304  Principles for achieving compliance.

    (a) Cooperation. The Secretary will, to the extent practicable, 
seek the cooperation of providers, PSOs, and responsible persons in 
obtaining compliance with the applicable confidentiality provisions.
    (b) Assistance. The Secretary may provide technical assistance to 
providers, PSOs, and responsible persons to help them comply 
voluntarily with the applicable confidentiality provisions.


Sec.  3.306  Complaints to the Secretary.

    (a) Right to file a complaint. A person who believes that patient 
safety work product has been disclosed in violation of the 
confidentiality provisions may file a complaint with the Secretary.
    (b) Requirements for filing complaints. Complaints under this 
section must meet the following requirements:
    (1) A complaint must be filed in writing, either on paper or 
electronically.
    (2) A complaint must name the person that is the subject of the 
complaint and describe the act(s) believed to be in violation of the 
applicable confidentiality provision(s).
    (3) A complaint must be filed within 180 days of when the 
complainant knew or should have known that the act complained of 
occurred, unless this time limit is waived by the Secretary for good 
cause shown.
    (4) The Secretary may prescribe additional procedures for the 
filing of complaints, as well as the place and manner of filing, by 
notice in the Federal Register.
    (c) Investigation. The Secretary may investigate complaints filed 
under this section. Such investigation may include a review of the 
pertinent policies, procedures, or practices of the respondent and of 
the circumstances regarding any alleged violation. At the time of 
initial written communication with the respondent about the complaint, 
the Secretary will describe the act(s) that are the basis of the 
complaint.


Sec.  3.308  Compliance reviews.

    The Secretary may conduct compliance reviews to determine whether a 
respondent is complying with the applicable confidentiality provisions.


Sec.  3.310  Responsibilities of respondents.

    (a) Provide records and compliance reports. A respondent must keep 
such records and submit such compliance reports, in such time and 
manner and containing such information, as the Secretary may determine 
to be necessary to enable the Secretary to ascertain whether the 
respondent has complied or is complying with the applicable 
confidentiality provisions.
    (b) Cooperate with complaint investigations and compliance reviews. 
A respondent must cooperate with the Secretary, if the Secretary 
undertakes an investigation or compliance review of the policies, 
procedures, or practices of the respondent to determine whether it is 
complying with the applicable confidentiality provisions.
    (c) Permit access to information. (1) A respondent must permit 
access by the Secretary during normal business hours to its facilities, 
books, records, accounts, and other sources of information, including 
patient safety work product, that are pertinent to ascertaining 
compliance with the applicable confidentiality provisions. If the 
Secretary determines that exigent circumstances exist, such as when 
documents may be hidden or destroyed, a respondent must permit access 
by the Secretary at any time and without notice.
    (2) If any information required of a respondent under this section 
is in the exclusive possession of any other agency, institution, or 
person, and the other agency, institution, or person fails or refuses 
to furnish the information, the respondent must so certify and set 
forth what efforts it has made to obtain the information.


Sec.  3.312  Secretarial action regarding complaints and compliance 
reviews.

    (a) Resolution when noncompliance is indicated. (1) If an 
investigation of a complaint pursuant to Sec.  3.306 of this subpart or 
a compliance review pursuant to Sec.  3.308 of this subpart indicates 
noncompliance, the Secretary may attempt to reach a resolution of the 
matter satisfactory to the Secretary by informal means. Informal means 
may include demonstrated compliance or a completed corrective action 
plan or other agreement.
    (2) If the matter is resolved by informal means, the Secretary will 
so inform the respondent and, if the matter arose from a complaint, the 
complainant, in writing.

[[Page 70808]]

    (3) If the matter is not resolved by informal means, the Secretary 
will--
    (i) So inform the respondent and provide the respondent an 
opportunity to submit written evidence of any mitigating factors. The 
respondent must submit any evidence to the Secretary within 30 days 
(computed in the same manner as prescribed under Sec.  3.526 of this 
subpart) of receipt of such notification; and
    (ii) If, following action pursuant to paragraph (a)(3)(i) of this 
section, the Secretary decides that a civil money penalty should be 
imposed, inform the respondent of such finding in a notice of proposed 
determination in accordance with Sec.  3.420 of this subpart.
    (b) Resolution when no violation is found. If, after an 
investigation pursuant to Sec.  3.306 of this subpart or a compliance 
review pursuant to Sec.  3.308 of this subpart, the Secretary 
determines that further action is not warranted, the Secretary will so 
inform the respondent and, if the matter arose from a complaint, the 
complainant, in writing.
    (c) Uses and disclosures of information obtained. (1) Identifiable 
patient safety work product obtained by the Secretary in connection 
with an investigation or compliance review under this subpart will not 
be disclosed by the Secretary, except in accordance with Sec.  3.206(d) 
of this subpart, or if otherwise permitted by this part or the Patient 
Safety Act.
    (2) Except as provided for in paragraph (c)(1) of this section, 
information, including testimony and other evidence, obtained by the 
Secretary in connection with an investigation or compliance review 
under this subpart may be used by HHS in any of its activities and may 
be used or offered into evidence in any administrative or judicial 
proceeding.


Sec.  3.314  Investigational subpoenas and inquiries.

    (a) The Secretary may issue subpoenas in accordance with 42 U.S.C. 
405(d) and (e), and 1320a-7a(j), to require the attendance and 
testimony of witnesses and the production of any other evidence 
including patient safety work product during an investigation or 
compliance review pursuant to this part.
    (1) A subpoena issued under this paragraph must--
    (i) State the name of the person (including the entity, if 
applicable) to whom the subpoena is addressed;
    (ii) State the statutory authority for the subpoena;
    (iii) Indicate the date, time, and place that the testimony will 
take place;
    (iv) Include a reasonably specific description of any documents or 
items required to be produced; and
    (v) If the subpoena is addressed to an entity, describe with 
reasonable particularity the subject matter on which testimony is 
required. In that event, the entity must designate one or more natural 
persons who will testify on its behalf, and must state as to each such 
person that person's name and address and the matters on which he or 
she will testify. The designated person must testify as to matters 
known or reasonably available to the entity.
    (2) A subpoena under this section must be served by--
    (i) Delivering a copy to the natural person named in the subpoena 
or to the entity named in the subpoena at its last principal place of 
business; or
    (ii) Registered or certified mail addressed to the natural person 
at his or her last known dwelling place or to the entity at its last 
known principal place of business.
    (3) A verified return by the natural person serving the subpoena 
setting forth the manner of service or, in the case of service by 
registered or certified mail, the signed return post office receipt, 
constitutes proof of service.
    (4) Witnesses are entitled to the same fees and mileage as 
witnesses in the district courts of the United States (28 U.S.C. 1821 
and 1825). Fees need not be paid at the time the subpoena is served.
    (5) A subpoena under this section is enforceable through the 
district court of the United States for the district where the 
subpoenaed natural person resides or is found or where the entity 
transacts business.
    (b) Investigational inquiries are non-public investigational 
proceedings conducted by the Secretary.
    (1) Testimony at investigational inquiries will be taken under oath 
or affirmation.
    (2) Attendance of non-witnesses is discretionary with the 
Secretary, except that a witness is entitled to be accompanied, 
represented, and advised by an attorney.
    (3) Representatives of the Secretary are entitled to attend and ask 
questions.
    (4) A witness will have the opportunity to clarify his or her 
answers on the record following questioning by the Secretary.
    (5) Any claim of privilege must be asserted by the witness on the 
record.
    (6) Objections must be asserted on the record. Errors of any kind 
that might be corrected if promptly presented will be deemed to be 
waived unless reasonable objection is made at the investigational 
inquiry. Except where the objection is on the grounds of privilege, the 
question will be answered on the record, subject to objection.
    (7) If a witness refuses to answer any question not privileged or 
to produce requested documents or items, or engages in conduct likely 
to delay or obstruct the investigational inquiry, the Secretary may 
seek enforcement of the subpoena under paragraph (a)(5) of this 
section.
    (8) The proceedings will be recorded and transcribed. The witness 
is entitled to a copy of the transcript, upon payment of prescribed 
costs, except that, for good cause, the witness may be limited to 
inspection of the official transcript of his or her testimony.
    (9)(i) The transcript will be submitted to the witness for 
signature.
    (A) Where the witness will be provided a copy of the transcript, 
the transcript will be submitted to the witness for signature. The 
witness may submit to the Secretary written proposed corrections to the 
transcript, with such corrections attached to the transcript. If the 
witness does not return a signed copy of the transcript or proposed 
corrections within 30 days (computed in the same manner as prescribed 
under Sec.  3.526 of this part) of its being submitted to him or her 
for signature, the witness will be deemed to have agreed that the 
transcript is true and accurate.
    (B) Where, as provided in paragraph (b)(8) of this section, the 
witness is limited to inspecting the transcript, the witness will have 
the opportunity at the time of inspection to propose corrections to the 
transcript, with corrections attached to the transcript. The witness 
will also have the opportunity to sign the transcript. If the witness 
does not sign the transcript or offer corrections within 30 days 
(computed in the same manner as prescribed under Sec.  3.526 of this 
part) of receipt of notice of the opportunity to inspect the 
transcript, the witness will be deemed to have agreed that the 
transcript is true and accurate.
    (ii) The Secretary's proposed corrections to the record of 
transcript will be attached to the transcript.


Sec.  3.402  Basis for a civil money penalty.

    (a) General rule. A person who discloses identifiable patient 
safety work product in knowing or reckless violation of the 
confidentiality provisions shall be subject to a civil money penalty 
for each act constituting such violation.
    (b) Violation attributed to a principal. A principal is 
independently liable, in accordance with the federal common law of 
agency, for a civil money penalty based on the act of the principal's 
agent,
including a workforce member, acting within the scope of the agency if 
such act could give rise to a civil money penalty in accordance with 
Sec.  3.402(a) of this subpart.


Sec.  3.404  Amount of a civil money penalty.

    (a) The amount of a civil money penalty will be determined in 
accordance with paragraph (b) of this section and Sec.  3.408 of this 
subpart.
    (b) The Secretary may impose a civil money penalty in the amount of 
not more than $10,000.


Sec.  3.408  Factors considered in determining the amount of a civil 
money penalty.

    In determining the amount of any civil money penalty, the Secretary 
may consider as aggravating or mitigating factors, as appropriate, any 
of the following:
    (a) The nature of the violation.
    (b) The circumstances, including the consequences, of the 
violation, including:
    (1) The time period during which the violation(s) occurred; and
    (2) Whether the violation caused physical or financial harm or 
reputational damage;
    (c) The degree of culpability of the respondent, including:
    (1) Whether the violation was intentional; and
    (2) Whether the violation was beyond the direct control of the 
respondent.
    (d) Any history of prior compliance with the Patient Safety Act, 
including violations, by the respondent, including:
    (1) Whether the current violation is the same or similar to prior 
violation(s);
    (2) Whether and to what extent the respondent has attempted to 
correct previous violations;
    (3) How the respondent has responded to technical assistance from 
the Secretary provided in the context of a compliance effort; and
    (4) How the respondent has responded to prior complaints.
    (e) The financial condition of the respondent, including:
    (1) Whether the respondent had financial difficulties that affected 
its ability to comply;
    (2) Whether the imposition of a civil money penalty would 
jeopardize the ability of the respondent to continue to provide health 
care or patient safety activities; and
    (3) The size of the respondent.
    (f) Such other matters as justice may require.


Sec.  3.414  Limitations.

    No action under this subpart may be entertained unless commenced by 
the Secretary, in accordance with Sec.  3.420 of this subpart, within 6 
years from the date of the occurrence of the violation.


Sec.  3.416  Authority to settle.

    Nothing in this subpart limits the authority of the Secretary to 
settle any issue or case or to compromise any penalty.


Sec.  3.418  Exclusivity of penalty.

    (a) Except as otherwise provided by paragraph (b) of this section, 
a penalty imposed under this part is in addition to any other penalty 
prescribed by law.
    (b) Civil money penalties shall not be imposed both under this part 
and under the HIPAA Privacy Rule (45 CFR parts 160 and 164).


Sec.  3.420  Notice of proposed determination.

    (a) If a penalty is proposed in accordance with this part, the 
Secretary must deliver, or send by certified mail with return receipt 
requested, to the respondent, written notice of the Secretary's intent 
to impose a penalty. This notice of proposed determination must 
include:
    (1) Reference to the statutory basis for the penalty;
    (2) A description of the findings of fact regarding the violations 
with respect to which the penalty is proposed;
    (3) The reason(s) why the violation(s) subject(s) the respondent to 
a penalty;
    (4) The amount of the proposed penalty;
    (5) Any factors described in Sec.  3.408 of this subpart that were 
considered in determining the amount of the proposed penalty; and
    (6) Instructions for responding to the notice, including a 
statement of the respondent's right to a hearing, a statement that 
failure to request a hearing within 60 days permits the imposition of 
the proposed penalty without the right to a hearing under Sec.  3.504 
of this subpart or a right of appeal under Sec.  3.548 of this subpart, 
and the address to which the hearing request must be sent.
    (b) The respondent may request a hearing before an ALJ on the 
proposed penalty by filing a request in accordance with Sec.  3.504 of 
this subpart.


Sec.  3.422  Failure to request a hearing.

    If the respondent does not request a hearing within the time 
prescribed by Sec.  3.504 of this subpart and the matter is not settled 
pursuant to Sec.  3.416 of this subpart, the Secretary may impose the 
proposed penalty or any lesser penalty permitted by sections 921 
through 926 of the Public Health Service Act, 42 U.S.C. 299b-21 through 
299b-26. The Secretary will notify the respondent by certified mail, 
return receipt requested, of any penalty that has been imposed and of 
the means by which the respondent may satisfy the penalty, and the 
penalty is final on receipt of the notice. The respondent has no right 
to appeal a penalty under Sec.  3.548 of this subpart with respect to 
which the respondent has not timely requested a hearing.


Sec.  3.424  Collection of penalty.

    (a) Once a determination of the Secretary to impose a penalty has 
become final, the penalty will be collected by the Secretary, subject 
to the first sentence of 42 U.S.C. 1320a-7a(f).
    (b) The penalty may be recovered in a civil action brought in the 
United States district court for the district where the respondent 
resides, is found, or is located.
    (c) The amount of a penalty, when finally determined, or the amount 
agreed upon in compromise, may be deducted from any sum then or later 
owing by the United States, or by a State agency, to the respondent.
    (d) Matters that were raised or that could have been raised in a 
hearing before an ALJ, or in an appeal under 42 U.S.C. 1320a-7a(e), may 
not be raised as a defense in a civil action by the United States to 
collect a penalty under this part.


Sec.  3.426  Notification of the public and other agencies.

    Whenever a proposed penalty becomes final, the Secretary will 
notify, in such manner as the Secretary deems appropriate, the public 
and the following organizations and entities thereof and the reason it 
was imposed: The appropriate State or local medical or professional 
organization, the appropriate State agency or agencies administering or 
supervising the administration of State health care programs (as 
defined in 42 U.S.C. 1320a-7(h)), the appropriate utilization and 
quality control peer review organization, and the appropriate State or 
local licensing agency or organization (including the agency specified 
in 42 U.S.C. 1395aa(a), 1396a(a)(33)).


Sec.  3.504  Hearings before an ALJ.

    (a) A respondent may request a hearing before an ALJ. The parties 
to the hearing proceeding consist of--
    (1) The respondent; and
    (2) The officer(s) or employee(s) of HHS to whom the enforcement 
authority involved has been delegated.
    (b) The request for a hearing must be made in writing signed by the 
respondent or by the respondent's attorney and sent by certified mail,
return receipt requested, to the address specified in the notice of 
proposed determination. The request for a hearing must be mailed within 
60 days after notice of the proposed determination is received by the 
respondent. For purposes of this section, the respondent's date of 
receipt of the notice of proposed determination is presumed to be 5 
days after the date of the notice unless the respondent makes a 
reasonable showing to the contrary to the ALJ.
    (c) The request for a hearing must clearly and directly admit, 
deny, or explain each of the findings of fact contained in the notice 
of proposed determination with regard to which the respondent has any 
knowledge. If the respondent has no knowledge of a particular finding 
of fact and so states, the finding shall be deemed denied. The request 
for a hearing must also state the circumstances or arguments that the 
respondent alleges constitute the grounds for any defense and the 
factual and legal basis for opposing the penalty.
    (d) The ALJ must dismiss a hearing request where--
    (1) On motion of the Secretary, the ALJ determines that the 
respondent's hearing request is not timely filed as required by 
paragraph (b) or does not meet the requirements of paragraph (c) of 
this section;
    (2) The respondent withdraws the request for a hearing;
    (3) The respondent abandons the request for a hearing; or
    (4) The respondent's hearing request fails to raise any issue that 
may properly be addressed in a hearing.


Sec.  3.506  Rights of the parties.

    (a) Except as otherwise limited by this subpart, each party may--
    (1) Be accompanied, represented, and advised by an attorney;
    (2) Participate in any conference held by the ALJ;
    (3) Conduct discovery of documents as permitted by this subpart;
    (4) Agree to stipulations of fact or law that will be made part of 
the record;
    (5) Present evidence relevant to the issues at the hearing;
    (6) Present and cross-examine witnesses;
    (7) Present oral arguments at the hearing as permitted by the ALJ; 
and
    (8) Submit written briefs and proposed findings of fact and 
conclusions of law after the hearing.
    (b) A party may appear in person or by a representative. Natural 
persons who appear as an attorney or other representative must conform 
to the standards of conduct and ethics required of practitioners before 
the courts of the United States.
    (c) Fees for any services performed on behalf of a party by an 
attorney are not subject to the provisions of 42 U.S.C. 406, which 
authorizes the Secretary to specify or limit their fees.


Sec.  3.508  Authority of the ALJ.

    (a) The ALJ must conduct a fair and impartial hearing, avoid delay, 
maintain order, and ensure that a record of the proceeding is made.
    (b) The ALJ may--
    (1) Set and change the date, time and place of the hearing upon 
reasonable notice to the parties;
    (2) Continue or recess the hearing in whole or in part for a 
reasonable period of time;
    (3) Hold conferences to identify or simplify the issues, or to 
consider other matters that may aid in the expeditious disposition of 
the proceeding;
    (4) Administer oaths and affirmations;
    (5) Issue subpoenas requiring the attendance of witnesses at 
hearings and the production of documents at or in relation to hearings;
    (6) Rule on motions and other procedural matters;
    (7) Regulate the scope and timing of documentary discovery as 
permitted by this subpart;
    (8) Regulate the course of the hearing and the conduct of 
representatives, parties, and witnesses;
    (9) Examine witnesses;
    (10) Receive, rule on, exclude, or limit evidence;
    (11) Upon motion of a party, take official notice of facts;
    (12) Conduct any conference, argument or hearing in person or, upon 
agreement of the parties, by telephone; and
    (13) Upon motion of a party, decide cases, in whole or in part, by 
summary judgment where there is no disputed issue of material fact. A 
summary judgment decision constitutes a hearing on the record for the 
purposes of this subpart.
    (c) The ALJ--
    (1) May not find invalid or refuse to follow Federal statutes, 
regulations, or Secretarial delegations of authority and must give 
deference to published guidance to the extent not inconsistent with 
statute or regulation;
    (2) May not enter an order in the nature of a directed verdict;
    (3) May not compel settlement negotiations; or
    (4) May not enjoin any act of the Secretary.


Sec.  3.510  Ex parte contacts.

    No party or person (except employees of the ALJ's office) may 
communicate in any way with the ALJ on any matter at issue in a case, 
unless on notice and opportunity for both parties to participate. This 
provision does not prohibit a party or person from inquiring about the 
status of a case or asking routine questions concerning administrative 
functions or procedures.


Sec.  3.512  Prehearing conferences.

    (a) The ALJ must schedule at least one prehearing conference, and 
may schedule additional prehearing conferences as appropriate, upon 
reasonable notice, which may not be less than 14 business days, to the 
parties.
    (b) The ALJ may use prehearing conferences to discuss the 
following--
    (1) Simplification of the issues;
    (2) The necessity or desirability of amendments to the pleadings, 
including the need for a more definite statement;
    (3) Stipulations and admissions of fact or as to the contents and 
authenticity of documents;
    (4) Whether the parties can agree to submission of the case on a 
stipulated record;
    (5) Whether a party chooses to waive appearance at an oral hearing 
and to submit only documentary evidence (subject to the objection of 
the other party) and written argument;
    (6) Limitation of the number of witnesses;
    (7) Scheduling dates for the exchange of witness lists and of 
proposed exhibits;
    (8) Discovery of documents as permitted by this subpart;
    (9) The time and place for the hearing;
    (10) The potential for the settlement of the case by the parties; 
and
    (11) Other matters as may tend to encourage the fair, just and 
expeditious disposition of the proceedings, including the protection of 
confidentiality of identifiable patient safety work product that may be 
submitted into evidence or otherwise used in the proceeding, if 
appropriate.
    (c) The ALJ must issue an order containing the matters agreed upon 
by the parties or ordered by the ALJ at a prehearing conference.


Sec.  3.514  Authority to settle.

    The Secretary has exclusive authority to settle any issue or case 
without the consent of the ALJ.


Sec.  3.516  Discovery.

    (a) A party may make a request to another party for production of 
documents for inspection and copying that are relevant and material to 
the issues before the ALJ.
    (b) For the purpose of this section, the term ``documents'' 
includes
information, reports, answers, records, accounts, papers and other data 
and documentary evidence. Nothing contained in this section may be 
interpreted to require the creation of a document, except that 
requested data stored in an electronic data storage system must be 
produced in a form accessible to the requesting party.
    (c) Requests for documents, requests for admissions, written 
interrogatories, depositions and any forms of discovery, other than 
those permitted under paragraph (a) of this section, are not 
authorized.
    (d) This section may not be construed to require the disclosure of 
interview reports or statements obtained by any party, or on behalf of 
any party, of persons who will not be called as witnesses by that 
party, or analyses and summaries prepared in conjunction with the 
investigation or litigation of the case, or any otherwise privileged 
documents.
    (e)(1) When a request for production of documents has been 
received, within 30 days the party receiving that request must either 
fully respond to the request, or state that the request is being 
objected to and the reasons for that objection. If objection is made to 
part of an item or category, the part must be specified. Upon receiving 
any objections, the party seeking production may then, within 30 days 
or any other time frame set by the ALJ, file a motion for an order 
compelling discovery. The party receiving a request for production may 
also file a motion for protective order any time before the date the 
production is due.
    (2) The ALJ may grant a motion for protective order or deny a 
motion for an order compelling discovery if the ALJ finds that the 
discovery sought--
    (i) Is irrelevant;
    (ii) Is unduly costly or burdensome;
    (iii) Will unduly delay the proceeding; or
    (iv) Seeks privileged information.
    (3) The ALJ may extend any of the time frames set forth in 
paragraph (e)(1) of this section.
    (4) The burden of showing that discovery should be allowed is on 
the party seeking discovery.


Sec.  3.518  Exchange of witness lists, witness statements, and 
exhibits.

    (a) The parties must exchange witness lists, copies of prior 
written statements of proposed witnesses, and copies of proposed 
hearing exhibits, including copies of any written statements that the 
party intends to offer in lieu of live testimony in accordance with 
Sec.  3.538, not more than 60, and not less than 15, days before the 
scheduled hearing.
    (b)(1) If, at any time, a party objects to the proposed admission 
of evidence not exchanged in accordance with paragraph (a) of this 
section, the ALJ must determine whether the failure to comply with 
paragraph (a) of this section should result in the exclusion of that 
evidence.
    (2) Unless the ALJ finds that extraordinary circumstances justified 
the failure timely to exchange the information listed under paragraph 
(a) of this section, the ALJ must exclude from the party's case-in-
chief--
    (i) The testimony of any witness whose name does not appear on the 
witness list; and
    (ii) Any exhibit not provided to the opposing party as specified in 
paragraph (a) of this section.
    (3) If the ALJ finds that extraordinary circumstances existed, the 
ALJ must then determine whether the admission of that evidence would 
cause substantial prejudice to the objecting party.
    (i) If the ALJ finds that there is no substantial prejudice, the 
evidence may be admitted.
    (ii) If the ALJ finds that there is substantial prejudice, the ALJ 
may exclude the evidence, or, if he or she does not exclude the 
evidence, must postpone the hearing for such time as is necessary for 
the objecting party to prepare and respond to the evidence, unless the 
objecting party waives postponement.
    (c) Unless the other party objects within a reasonable period of 
time before the hearing, documents exchanged in accordance with 
paragraph (a) of this section will be deemed to be authentic for the 
purpose of admissibility at the hearing.


Sec.  3.520  Subpoenas for attendance at hearing.

    (a) A party wishing to procure the appearance and testimony of any 
person at the hearing may make a motion requesting the ALJ to issue a 
subpoena if the appearance and testimony are reasonably necessary for 
the presentation of a party's case.
    (b) A subpoena requiring the attendance of a person in accordance 
with paragraph (a) of this section may also require the person (whether 
or not the person is a party) to produce relevant and material evidence 
at or before the hearing.
    (c) When a subpoena is served by a respondent on a particular 
employee or official or particular office of HHS, the Secretary may 
comply by designating any knowledgeable HHS representative to appear 
and testify.
    (d) A party seeking a subpoena must file a written motion not less 
than 30 days before the date fixed for the hearing, unless otherwise 
allowed by the ALJ for good cause shown. That motion must--
    (1) Specify any evidence to be produced;
    (2) Designate the witnesses; and
    (3) Describe the address and location with sufficient particularity 
to permit those witnesses to be found.
    (e) The subpoena must specify the time and place at which the 
witness is to appear and any evidence the witness is to produce.
    (f) Within 15 days after the written motion requesting issuance of 
a subpoena is served, any party may file an opposition or other 
response.
    (g) If the motion requesting issuance of a subpoena is granted, the 
party seeking the subpoena must serve it by delivery to the person 
named, or by certified mail addressed to that person at the person's 
last dwelling place or principal place of business.
    (h) The person to whom the subpoena is directed may file with the 
ALJ a motion to quash the subpoena within 10 days after service.
    (i) The exclusive remedy for contumacy by, or refusal to obey a 
subpoena duly served upon, any person is specified in 42 U.S.C. 405(e).


Sec.  3.522  Fees.

    The party requesting a subpoena must pay the cost of the fees and 
mileage of any witness subpoenaed in the amounts that would be payable 
to a witness in a proceeding in United States District Court. A check 
for witness fees and mileage must accompany the subpoena when served, 
except that, when a subpoena is issued on behalf of the Secretary, a 
check for witness fees and mileage need not accompany the subpoena.


Sec.  3.524  Form, filing, and service of papers.

    (a) Forms. (1) Unless the ALJ directs the parties to do otherwise, 
documents filed with the ALJ must include an original and two copies.
    (2) Every pleading and paper filed in the proceeding must contain a 
caption setting forth the title of the action, the case number, and a 
designation of the paper, such as motion to quash subpoena.
    (3) Every pleading and paper must be signed by and must contain the 
address and telephone number of the party or the person on whose behalf 
the paper was filed, or his or her representative.
    (4) Papers are considered filed when they are mailed.
    (b) Service. A party filing a document with the ALJ or the Board 
must, at the time of filing, serve a copy of the
document on the other party. Service upon any party of any document 
must be made by delivering a copy, or placing a copy of the document in 
the United States mail, postage prepaid and addressed, or with a 
private delivery service, to the party's last known address. When a 
party is represented by an attorney, service must be made upon the 
attorney in lieu of the party.
    (c) Proof of service. A certificate of the natural person serving 
the document by personal delivery or by mail, setting forth the manner 
of service, constitutes proof of service.


Sec.  3.526  Computation of time.

    (a) In computing any period of time under this subpart or in an 
order issued thereunder, the time begins with the day following the 
act, event or default, and includes the last day of the period unless 
it is a Saturday, Sunday, or legal holiday observed by the Federal 
Government, in which event it includes the next business day.
    (b) When the period of time allowed is less than 7 days, 
intermediate Saturdays, Sundays, and legal holidays observed by the 
Federal Government must be excluded from the computation.
    (c) Where a document has been served or issued by placing it in the 
mail, an additional 5 days must be added to the time permitted for any 
response. This paragraph does not apply to requests for hearing under 
Sec.  3.504.


Sec.  3.528  Motions.

    (a) An application to the ALJ for an order or ruling must be by 
motion. Motions must state the relief sought, the authority relied upon 
and the facts alleged, and must be filed with the ALJ and served on all 
other parties.
    (b) Except for motions made during a prehearing conference or at 
the hearing, all motions must be in writing. The ALJ may require that 
oral motions be reduced to writing.
    (c) Within 10 days after a written motion is served, or such other 
time as may be fixed by the ALJ, any party may file a response to the 
motion.
    (d) The ALJ may not grant a written motion before the time for 
filing responses has expired, except upon consent of the parties or 
following a hearing on the motion, but may overrule or deny the motion 
without awaiting a response.
    (e) The ALJ must make a reasonable effort to dispose of all 
outstanding motions before the beginning of the hearing.


Sec.  3.530  Sanctions.

    The ALJ may sanction a person, including any party or attorney, for 
failing to comply with an order or procedure, for failing to defend an 
action or for other misconduct that interferes with the speedy, orderly 
or fair conduct of the hearing. The sanctions must reasonably relate to 
the severity and nature of the failure or misconduct. The sanctions may 
include--
    (a) In the case of refusal to provide or permit discovery under the 
terms of this part, drawing negative factual inferences or treating the 
refusal as an admission by deeming the matter, or certain facts, to be 
established;
    (b) Prohibiting a party from introducing certain evidence or 
otherwise supporting a particular claim or defense;
    (c) Striking pleadings, in whole or in part;
    (d) Staying the proceedings;
    (e) Dismissal of the action;
    (f) Entering a decision by default;
    (g) Ordering the party or attorney to pay the attorney's fees and 
other costs caused by the failure or misconduct; and
    (h) Refusing to consider any motion or other action that is not 
filed in a timely manner.


Sec.  3.532  Collateral estoppel.

    When a final determination that the respondent violated a 
confidentiality provision has been rendered in any proceeding in which 
the respondent was a party and had an opportunity to be heard, the 
respondent is bound by that determination in any proceeding under this 
part.


Sec.  3.534  The hearing.

    (a) The ALJ must conduct a hearing on the record in order to 
determine whether the respondent should be found liable under this 
part.
    (b)(1) The respondent has the burden of going forward and the 
burden of persuasion with respect to any challenge to the amount of a 
proposed penalty pursuant to Sec. Sec.  3.404 and 3.408, including any 
factors raised as mitigating factors.
    (2) The Secretary has the burden of going forward and the burden of 
persuasion with respect to all other issues, including issues of 
liability and the existence of any factors considered as aggravating 
factors in determining the amount of the proposed penalty.
    (3) The burden of persuasion will be judged by a preponderance of 
the evidence.
    (c) The hearing must be open to the public unless otherwise ordered 
by the ALJ for good cause shown, which may be that identifiable patient 
safety work product has been introduced into evidence or is expected to 
be introduced into evidence.
    (d)(1) Subject to the 15-day rule under Sec.  3.518(a) and the 
admissibility of evidence under Sec.  3.540, either party may 
introduce, during its case in chief, items or information that arose or 
became known after the date of the issuance of the notice of proposed 
determination or the request for hearing, as applicable. Such items and 
information may not be admitted into evidence, if introduced--
    (i) By the Secretary, unless they are material and relevant to the 
acts or omissions with respect to which the penalty is proposed in the 
notice of proposed determination pursuant to Sec.  3.420 of this part, 
including circumstances that may increase penalties; or
    (ii) By the respondent, unless they are material and relevant to an 
admission, denial or explanation of a finding of fact in the notice of 
proposed determination under Sec.  3.420 of this part, or to a specific 
circumstance or argument expressly stated in the request for hearing 
under Sec.  3.504, including circumstances that may reduce penalties.
    (2) After both parties have presented their cases, evidence may be 
admitted in rebuttal even if not previously exchanged in accordance 
with Sec.  3.518.


Sec.  3.538  Witnesses.

    (a) Except as provided in paragraph (b) of this section, testimony 
at the hearing must be given orally by witnesses under oath or 
affirmation.
    (b) At the discretion of the ALJ, testimony of witnesses other than 
the testimony of expert witnesses may be admitted in the form of a 
written statement. The ALJ may, at his or her discretion, admit prior 
sworn testimony of experts that has been subject to adverse 
examination, such as a deposition or trial testimony. Any such written 
statement must be provided to the other party, along with the last 
known address of the witness, in a manner that allows sufficient time 
for the other party to subpoena the witness for cross-examination at 
the hearing. Prior written statements of witnesses proposed to testify 
at the hearing must be exchanged as provided in Sec.  3.518.
    (c) The ALJ must exercise reasonable control over the mode and 
order of interrogating witnesses and presenting evidence so as to:
    (1) Make the interrogation and presentation effective for the 
ascertainment of the truth;
    (2) Avoid repetition or needless consumption of time; and
    (3) Protect witnesses from harassment or undue embarrassment.
    (d) The ALJ must permit the parties to conduct cross-examination of 
witnesses as may be required for a full and true disclosure of the 
facts.
    (e) The ALJ may order witnesses excluded so that they cannot hear 
the testimony of other witnesses, except that the ALJ may not order to 
be excluded--
    (1) A party who is a natural person;
    (2) In the case of a party that is not a natural person, the 
officer or employee of the party appearing for the entity pro se or 
designated as the party's representative; or
    (3) A natural person whose presence is shown by a party to be 
essential to the presentation of its case, including a person engaged 
in assisting the attorney for the Secretary.


Sec.  3.540  Evidence.

    (a) The ALJ must determine the admissibility of evidence.
    (b) Except as provided in this subpart, the ALJ is not bound by the 
Federal Rules of Evidence. However, the ALJ may apply the Federal Rules 
of Evidence where appropriate, for example, to exclude unreliable 
evidence.
    (c) The ALJ must exclude irrelevant or immaterial evidence.
    (d) Although relevant, evidence may be excluded if its probative 
value is substantially outweighed by the danger of unfair prejudice, 
confusion of the issues, or by considerations of undue delay or 
needless presentation of cumulative evidence.
    (e) Although relevant, evidence must be excluded if it is 
privileged under Federal law.
    (f) Evidence concerning offers of compromise or settlement is 
inadmissible to the extent provided in Rule 408 of the Federal Rules of 
Evidence.
    (g) Evidence of crimes, wrongs, or acts other than those at issue 
in the instant case is admissible in order to show motive, opportunity, 
intent, knowledge, preparation, identity, lack of mistake, or existence 
of a scheme. This evidence is admissible regardless of whether the 
crimes, wrongs, or acts occurred during the statute of limitations 
period applicable to the acts or omissions that constitute the basis 
for liability in the case and regardless of whether they were 
referenced in the Secretary's notice of proposed determination under 
Sec.  3.420.
    (h) The ALJ must permit the parties to introduce rebuttal witnesses 
and evidence.
    (i) All documents and other evidence offered or taken for the 
record must be open to examination by both parties, unless otherwise 
ordered by the ALJ for good cause shown.


Sec.  3.542  The record.

    (a) The hearing must be recorded and transcribed. Transcripts may 
be obtained following the hearing from the ALJ. A party that requests a 
transcript of hearing proceedings must pay the cost of preparing the 
transcript unless, for good cause shown by the party, the payment is 
waived by the ALJ or the Board, as appropriate.
    (b) The transcript of the testimony, exhibits, and other evidence 
admitted at the hearing, and all papers and requests filed in the 
proceeding constitute the record for decision by the ALJ and the 
Secretary.
    (c) The record may be inspected and copied (upon payment of a 
reasonable fee) by any person, unless otherwise ordered by the ALJ for 
good cause shown, which may include the presence in the record of 
identifiable patient safety work product.
    (d) For good cause, which may include the presence in the record of 
identifiable patient safety work product, the ALJ may order appropriate 
redactions made to the record.


Sec.  3.544  Post hearing briefs.

    The ALJ may require the parties to file post-hearing briefs. In any 
event, any party may file a post-hearing brief. The ALJ must fix the 
time for filing the briefs. The time for filing may not exceed 60 days 
from the date the parties receive the transcript of the hearing or, if 
applicable, the stipulated record. The briefs may be accompanied by 
proposed findings of fact and conclusions of law. The ALJ may permit 
the parties to file reply briefs.


Sec.  3.546  ALJ's decision.

    (a) The ALJ must issue a decision, based only on the record, which 
must contain findings of fact and conclusions of law.
    (b) The ALJ may affirm, increase, or reduce the penalties imposed 
by the Secretary.
    (c) The ALJ must issue the decision to both parties within 60 days 
after the time for submission of post-hearing briefs and reply briefs, 
if permitted, has expired. If the ALJ fails to meet the deadline 
contained in this paragraph, he or she must notify the parties of the 
reason for the delay and set a new deadline.
    (d) Unless the decision of the ALJ is timely appealed as provided 
for in Sec.  3.548, the decision of the ALJ will be final and binding 
on the parties 60 days from the date of service of the ALJ's decision.


Sec.  3.548  Appeal of the ALJ's decision.

    (a) Any party may appeal the decision of the ALJ to the Board by 
filing a notice of appeal with the Board within 30 days of the date of 
service of the ALJ decision. The Board may extend the initial 30 day 
period for a period of time not to exceed 30 days if a party files with 
the Board a request for an extension within the initial 30 day period 
and shows good cause.
    (b) If a party files a timely notice of appeal with the Board, the 
ALJ must forward the record of the proceeding to the Board.
    (c) A notice of appeal must be accompanied by a written brief 
specifying exceptions to the initial decision and reasons supporting 
the exceptions. Any party may file a brief in opposition to the 
exceptions, which may raise any relevant issue not addressed in the 
exceptions, within 30 days of receiving the notice of appeal and the 
accompanying brief. The Board may permit the parties to file reply 
briefs.
    (d) There is no right to appear personally before the Board or to 
appeal to the Board any interlocutory ruling by the ALJ.
    (e) The Board may not consider any issue not raised in the parties' 
briefs, nor any issue in the briefs that could have been raised before 
the ALJ but was not.
    (f) If any party demonstrates to the satisfaction of the Board that 
additional evidence not presented at such hearing is relevant and 
material and that there were reasonable grounds for the failure to 
adduce such evidence at the hearing, the Board may remand the matter to 
the ALJ for consideration of such additional evidence.
    (g) The Board may decline to review the case, or may affirm, 
increase, reduce, reverse or remand any penalty determined by the ALJ.
    (h) The standard of review on a disputed issue of fact is whether 
the initial decision of the ALJ is supported by substantial evidence on 
the whole record. The standard of review on a disputed issue of law is 
whether the decision is erroneous.
    (i) Within 60 days after the time for submission of briefs and 
reply briefs, if permitted, has expired, the Board must serve on each 
party to the appeal a copy of the Board's decision and a statement 
describing the right of any respondent who is penalized to seek 
judicial review.
    (j)(1) The Board's decision under paragraph (i) of this section, 
including a decision to decline review of the initial decision, becomes 
the final decision of the Secretary 60 days after
the date of service of the Board's decision, except with respect to a 
decision to remand to the ALJ or if reconsideration is requested under 
this paragraph.
    (2) The Board will reconsider its decision only if it determines 
that the decision contains a clear error of fact or error of law. New 
evidence will not be a basis for reconsideration unless the party 
demonstrates that the evidence is newly discovered and was not 
previously available.
    (3) A party may file a motion for reconsideration with the Board 
before the date the decision becomes final under paragraph (j)(1) of 
this section. A motion for reconsideration must be accompanied by a 
written brief specifying any alleged error of fact or law and, if the 
party is relying on additional evidence, explaining why the evidence 
was not previously available. Any party may file a brief in opposition 
within 15 days of receiving the motion for reconsideration and the 
accompanying brief unless this time limit is extended by the Board for 
good cause shown. Reply briefs are not permitted.
    (4) The Board must rule on the motion for reconsideration not later 
than 30 days from the date the opposition brief is due. If the Board 
denies the motion, the decision issued under paragraph (i) of this 
section becomes the final decision of the Secretary on the date of 
service of the ruling. If the Board grants the motion, the Board will 
issue a reconsidered decision, after such procedures as the Board 
determines necessary to address the effect of any error. The Board's 
decision on reconsideration becomes the final decision of the Secretary 
on the date of service of the decision, except with respect to a 
decision to remand to the ALJ.
    (5) If service of a ruling or decision issued under this section is 
by mail, the date of service will be deemed to be 5 days from the date 
of mailing.
    (k)(1) A respondent's petition for judicial review must be filed 
within 60 days of the date on which the decision of the Board becomes 
the final decision of the Secretary under paragraph (j) of this 
section.
    (2) In compliance with 28 U.S.C. 2112(a), a copy of any petition 
for judicial review filed in any U.S. Court of Appeals challenging the 
final decision of the Secretary must be sent by certified mail, return 
receipt requested, to the General Counsel of HHS. The petition copy 
must be a copy showing that it has been time-stamped by the clerk of 
the court when the original was filed with the court.
    (3) If the General Counsel of HHS received two or more petitions 
within 10 days after the final decision of the Secretary, the General 
Counsel will notify the U.S. Judicial Panel on Multidistrict Litigation 
of any petitions that were received within the 10 day period.


Sec.  3.550  Stay of the Secretary's decision.

    (a) Pending judicial review, the respondent may file a request for 
stay of the effective date of any penalty with the ALJ. The request 
must be accompanied by a copy of the notice of appeal filed with the 
Federal court. The filing of the request automatically stays the 
effective date of the penalty until such time as the ALJ rules upon the 
request.
    (b) The ALJ may not grant a respondent's request for stay of any 
penalty unless the respondent posts a bond or provides other adequate 
security.
    (c) The ALJ must rule upon a respondent's request for stay within 
10 days of receipt.


Sec.  3.552  Harmless error.

    No error in either the admission or the exclusion of evidence, and 
no error or defect in any ruling or order or in any act done or omitted 
by the ALJ or by any of the parties is ground for vacating, modifying 
or otherwise disturbing an otherwise appropriate ruling or order or 
act, unless refusal to take such action appears to the ALJ or the Board 
inconsistent with substantial justice. The ALJ and the Board at every 
stage of the proceeding must disregard any error or defect in the 
proceeding that does not affect the substantial rights of the parties.

    Dated: September 2, 2008.
Michael O. Leavitt,
Secretary.
 [FR Doc. E8-27475 Filed 11-20-08; 8:45 am]