Patient Safety Rule

DEPARTMENT OF HEALTH AND HUMAN SERVICES

42 CFR Part 3
RIN 0919-AA01
Patient Safety and Quality Improvement

AGENCY: Agency for Healthcare Research and Quality, Office for Civil Rights, Department of Health and Human Services.
ACTION: Final rule.
SUMMARY: The Secretary of Health and Human Services is adopting rules to implement certain aspects of the Patient Safety and Quality Improvement Act of 2005, Pub. L. 109-41, 42 U.S.C. 299b-21-b-26 (Patient Safety Act). The Patient Safety and Quality Improvement final rule (Patient Safety Rule) establishes a framework by which hospitals, doctors, and other health care providers may voluntarily report information to Patient Safety Organizations (PSOs), on a privileged and confidential basis, for the aggregation and analysis of patient safety events.
The Patient Safety Rule outlines the requirements that entities must meet to become PSOs and the processes by which the Secretary will review and accept certifications and list PSOs. It also describes the privilege and confidentiality protections for the information that is assembled and developed by providers and PSOs, the exceptions to these privilege and confidentiality protections, and the procedures for the imposition of civil money penalties for the knowing or reckless impermissible disclosure of patient safety work product.
DATES: The Patient Safety Rule is effective on January 19, 2009.
FOR FURTHER INFORMATION CONTACT: Susan Grinder, Agency for Healthcare Research and Quality, 540 Gaither Road, Rockville, MD 20850, (301) 427-1111 or (866) 403-3697.
SUPPLEMENTARY INFORMATION: On February 12, 2008, the Department of Health and Human Services (HHS) published a Notice of Proposed Rulemaking (proposed rule) at 73 FR 8112 proposing to implement the Patient Safety Act. The comment period closed on April 14, 2008. One-hundred-sixty-one comments were received during the comment period.

Table of Contents

For the reasons stated in the preamble, the Department of Health and Human Services amends Title 42 of the Code of Federal Regulations by adding a new part 3 to read as follows:

PART 3-PATIENT SAFETY ORGANIZATIONS AND PATIENT SAFETY WORK PRODUCT

  1. Subpart A-General Provisions
    1. Section 3.10-Purpose
    2. Section 3.20-Definitions
  2. Subpart B-PSO Requirements and Agency Procedures
    1. Section 3.102-Process and requirements for initial and continued listing of PSOs
    2. Section 3.104-Secretarial actions
    3. Section 3.106-Security requirements
    4. Section 3.108-Correction of deficiencies, revocation, and voluntary relinquishment
    5. Section 3.110-Assessment of PSO compliance
    6. Section 3.112-Submissions and forms
  3. Subpart C-Confidentiality and Privilege Protections of Patient Safety Work Product
    1. Section 3.204-Privilege of patient safety work product
    2. Section 3.206-Confidentiality of patient safety work product
    3. Section 3.208-Continued protection of patient safety work product
    4. Section 3.210-Required disclosure of patient safety work product to the Secretary
    5. Section 3.212-Nonidentification of patient safety work product
  4. Subpart D-Enforcement Program
    1. Section 3.304-Principles for achieving compliance
    2. Section 3.306-Complaints to the Secretary
    3. Section 3.308-Compliance reviews
    4. Section 3.310-Responsibilities of respondents
    5. Section 3.312-Secretarial action regarding complaints and compliance reviews
    6. Section 3.314-Investigational subpoenas and inquiries
    7. Section 3.402-Basis for a civil money penalty
    8. Section 3.404-Amount of a civil money penalty
    9. Section 3.408-Factors considered in determining the amount of a civil money penalty
    10. Section 3.414-Limitations
    11. Section 3.416-Authority to settle
    12. Section 3.418-Exclusivity of penalty
    13. Section 3.420-Notice of proposed determination
    14. Section 3.422-Failure to request a hearing
    15. Section 3.424-Collection of penalty
    16. Section 3.426-Notification of the public and other agencies
    17. Section 3.504-Hearings before an ALJ
    18. Section 3.506-Rights of the parties
    19. Section 3.508-Authority of the ALJ
    20. Section 3.510-Ex parte contacts
    21. Section 3.512-Prehearing conferences
    22. Section 3.514-Authority to settle
    23. Section 3.516-Discovery
    24. Section 3.518-Exchange of witness lists, witness statements, and exhibits
    25. Section 3.520-Subpoenas for attendance at hearing
    26. Section 3.522-Fees
    27. Section 3.524-Form, filing, and service of papers
    28. Section 3.526-Computation of time
    29. Section 3.528-Motions
    30. Section 3.530-Sanctions
    31. Section 3.532-Collateral estoppel
    32. Section 3.534-The hearing
    33. Section 3.538-Witnesses
    34. Section 3.540-Evidence
    35. Section 3.542-The record
    36. Section 3.544-Post hearing briefs
    37. Section 3.546-ALJ's decision
    38. Section 3.548-Appeal of the ALJ's decision
    39. Section 3.550-Stay of the Secretary's decision
    40. Section 3.552-Harmless error

Authority: 42 U.S.C. 216, 299b-21 through 299b-26; 42 U.S.C. 299c-6

Subpart A-General Provisions

§ 3.10 Purpose.

The purpose of this Part is to implement the Patient Safety and Quality Improvement Act of 2005 (Pub. L. 109-41), which amended Title IX of the Public Health Service Act (42 U.S.C. 299 et seq.) by adding sections 921 through 926, 42 U.S.C. 299b-21 through 299b-26.

§ 3.20 Definitions.

As used in this Part, the terms listed alphabetically below have the meanings set forth as follows:

Affiliated provider means, with respect to a provider, a legally separate provider that is the parent organization of the provider, is under common ownership, management, or control with the provider, or is owned, managed, or controlled by the provider.

AHRQ stands for the Agency for Healthcare Research and Quality in HHS.

ALJ stands for an Administrative Law Judge of HHS.

Board means the members of the HHS Departmental Appeals Board, in the Office of the Secretary, which issues decisions in panels of three.

Bona fide contract means:

  1. A written contract between a provider and a PSO that is executed in good faith by officials authorized to execute such contract; or
  2. A written agreement (such as a memorandum of understanding or equivalent recording of mutual commitments) between a Federal, State, local, or Tribal provider and a Federal, State, local, or Tribal PSO that is executed in good faith by officials authorized to execute such agreement.

Complainant means a person who files a complaint with the Secretary pursuant to § 3.306.

Component organization means an entity that:

  1. Is a unit or division of a legal entity (including a corporation, partnership, or a Federal, State, local or Tribal agency or organization); or
  2. Is owned, managed, or controlled by one or more legally separate parent organizations.

Component PSO means a PSO listed by the Secretary that is a component organization.

Confidentiality provisions means for purposes of Subparts C and D, any requirement or prohibition concerning confidentiality established by sections 921 and 922(b)-(d), (g) and (i) of the Public Health Service Act, 42 U.S.C. 299b-21, 299b-22(b)-(d), (g) and (i) and the provisions, at §§ 3.206 and 3.208, that implement the statutory prohibition on disclosure of identifiable patient safety work product.

Disclosure means the release, transfer, provision of access to, or divulging in any other manner of patient safety work product by:

  1. An entity or natural person holding the patient safety work product to another legally separate entity or natural person, other than a workforce member of, or a health care provider holding privileges with, the entity holding the patient safety work product; or
  2. A component PSO to another entity or natural person outside the component PSO and within the legal entity of which the component PSO is a part.

Entity means any organization or organizational unit, regardless of whether the organization is public, private, for-profit, or not-for-profit.

Group health plan means an employee welfare benefit plan (as defined in section 3(1) of the Employee Retirement Income Security Act of 1974 (ERISA)) to the extent that the plan provides medical care (as defined in paragraph (2) of section 2791(a) of the Public Health Service Act, including items and services paid for as medical care) to employees or their dependents (as defined under the terms of the plan) directly or through insurance, reimbursement, or otherwise.

Health insurance issuer means an insurance company, insurance service, or insurance organization (including a health maintenance organization, as defined in 42 U.S.C. 300gg-91(b)(3)) which is licensed to engage in the business of insurance in a State and which is subject to State law which regulates insurance (within the meaning of 29 U.S.C. 1144(b)(2)). This term does not include a group health plan.

Health maintenance organization means:

  1. A Federally qualified health maintenance organization (HMO) (as defined in 42 U.S.C. 300e (a));
  2. An organization recognized under State law as a health maintenance organization; or
  3. A similar organization regulated under State law for solvency in the same manner and to the same extent as such a health maintenance organization.

HHS stands for the United States Department of Health and Human Services.

HIPAA Privacy Rule means the regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), at 45 CFR Part 160 and Subparts A and E of Part 164.

Identifiable patient safety work product means patient safety work product that:

  1. Is presented in a form and manner that allows the identification of any provider that is a subject of the work product, or any providers that participate in, or are responsible for, activities that are a subject of the work product;
  2. Constitutes individually identifiable health information as that term is defined in the HIPAA Privacy Rule at 45 CFR 160.103; or
  3. Is presented in a form and manner that allows the identification of an individual who in good faith reported information directly to a PSO or to a provider with the intention of having the information reported to a PSO ("reporter").

Nonidentifiable patient safety work product means patient safety work product that is not identifiable patient safety work product in accordance with the nonidentification standards set forth at § 3.212.

OCR stands for the Office for Civil Rights in HHS.

Parent organization means an organization that: owns a controlling interest or a majority interest in a component organization; has the authority to control or manage agenda setting, project management, or day-to-day operations; or the authority to review and override decisions of a component organization. The component organization may be a provider.

Patient Safety Act means the Patient Safety and Quality Improvement Act of 2005 (Pub. L. 109-41), which amended Title IX of the Public Health Service Act (42 U.S.C. 299 et seq.) by inserting a new Part C, sections 921 through 926, which are codified at 42 U.S.C. 299b-21 through 299b-26.

Patient safety activities means the following activities carried out by or on behalf of a PSO or a provider:

  1. Efforts to improve patient safety and the quality of health care delivery;
  2. The collection and analysis of patient safety work product;
  3. The development and dissemination of information with respect to improving patient safety, such as recommendations, protocols, or information regarding best practices;
  4. The utilization of patient safety work product for the purposes of encouraging a culture of safety and of providing feedback and assistance to effectively minimize patient risk;
  5. The maintenance of procedures to preserve confidentiality with respect to patient safety work product;
  6. The provision of appropriate security measures with respect to patient safety work product;
  7. The utilization of qualified staff; and
  8. Activities related to the operation of a patient safety evaluation system and to the provision of feedback to participants in a patient safety evaluation system.

Patient safety evaluation system means the collection, management, or analysis of information for reporting to or by a PSO.

Patient safety organization (PSO) means a private or public entity or component thereof that is listed as a PSO by the Secretary in accordance with Subpart B. A health insurance issuer or a component organization of a health insurance issuer may not be a PSO. See also the exclusions in § 3.102 of this Part.

Patient safety work product:

  1. Except as provided in paragraph (2) of this definition, patient safety work product means any data, reports, records, memoranda, analyses (such as root cause analyses), or written or oral statements (or copies of any of this material)
    1. Which could improve patient safety, health care quality, or health care outcomes; and
      1. Which are assembled or developed by a provider for reporting to a PSO and are reported to a PSO, which includes information that is documented as within a patient safety evaluation system for reporting to a PSO, and such documentation includes the date the information entered the patient safety evaluation system; or
      2. Are developed by a PSO for the conduct of patient safety activities; or
    2. Which identify or constitute the deliberations or analysis of, or identify the fact of reporting pursuant to, a patient safety evaluation system.
  2.
    1. Patient safety work product does not include a patient's medical record, billing and discharge information, or any other original patient or provider information; nor does it include information that is collected, maintained, or developed separately, or exists separately, from a patient safety evaluation system. Such separate information or a copy thereof reported to a PSO shall not by reason of its reporting be considered patient safety work product.
    2. Patient safety work product assembled or developed by a provider for reporting to a PSO may be removed from a patient safety evaluation system and no longer considered patient safety work product if:
      1. The information has not yet been reported to a PSO; and
      2. The provider documents the act and date of removal of such information from the patient safety evaluation system.
    3. Nothing in this part shall be construed to limit information that is not patient safety work product from being:
      1. Discovered or admitted in a criminal, civil or administrative proceeding;
      2. Reported to a Federal, State, local or Tribal governmental agency for public health or health oversight purposes; or
      3. Maintained as part of a provider's recordkeeping obligation under Federal, State, local or Tribal law.

Person means a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.

Provider means:

  1. An individual or entity licensed or otherwise authorized under State law to provide health care services, including-
    1. A hospital, nursing facility, comprehensive outpatient rehabilitation facility, home health agency, hospice program, renal dialysis facility, ambulatory surgical center, pharmacy, physician or health care practitioner's office (includes a group practice), long term care facility, behavior health residential treatment facility, clinical laboratory, or health center; or
    2. A physician, physician assistant, registered nurse, nurse practitioner, clinical nurse specialist, certified registered nurse anesthetist, certified nurse midwife, psychologist, certified social worker, registered dietitian or nutrition professional, physical or occupational therapist, pharmacist, or other individual health care practitioner.
  2. Agencies, organizations, and individuals within Federal, State, local, or Tribal governments that deliver health care, organizations engaged as contractors by the Federal, State, local, or Tribal governments to deliver health care, and individual health care practitioners employed or engaged as contractors by the Federal, State, local, or Tribal governments to deliver health care; or
  3. A parent organization of one or more entities described in paragraph (1)(i) of this definition or a Federal, State, local, or Tribal government unit that manages or controls one or more entities described in paragraphs (1)(i) or (2) of this definition.

Research has the same meaning as the term is defined in the HIPAA Privacy Rule at 45 CFR 164.501.

Respondent means a provider, PSO, or responsible person who is the subject of a complaint or a compliance review.

Responsible person means a person, other than a provider or a PSO, who has possession or custody of identifiable patient safety work product and is subject to the confidentiality provisions.

Workforce means employees, volunteers, trainees, contractors, or other persons whose conduct, in the performance of work for a provider, PSO or responsible person, is under the direct control of such provider, PSO or responsible person, whether or not they are paid by the provider, PSO or responsible person.

Subpart B-PSO Requirements and Agency Procedures

Section 3.102-Process and requirements for initial and continued listing of PSOs

  1. Eligibility and process for initial and continued listing-
    1. Submission of certification. Any entity, except as specified in paragraph (a)(2) of this section, may request from the Secretary an initial or continued listing as a PSO by submitting a completed certification form that meets the requirements of this section, in accordance with § 3.112. An individual with authority to make commitments on behalf of the entity seeking listing will be required to submit contact information for the entity and:
      1. Attest that the entity is not subject to any exclusion in paragraph (a)(2) of this section;
      2. Provide certifications that the entity meets each requirement for PSOs in paragraph (b) of this section;
      3. If the entity is a component of another organization, provide the additional certifications that the entity meets the requirements of paragraph (c)(1)(i) of this section;
      4. If the entity is a component of an excluded entity described in paragraph (a)(2)(ii), provide the additional certifications and information required by paragraph (c)(1)(ii) of this section;
      5. Attest that the entity has disclosed if the Secretary has ever delisted this entity (under its current name or any other) or refused to list the entity or whether any of its officials or senior managers held comparable positions of responsibility in an entity that was denied listing or delisted and, if any of these circumstances apply, submit with its certifications and related disclosures, the name of the entity or entities that the Secretary declined to list or delisted;
      6. Attest that the PSO will promptly notify the Secretary during its period of listing if it can no longer comply with any of its attestations and the applicable requirements in §§ 3.102(b) and 3.102(c) or if there have been any changes in the accuracy of the information submitted for listing, along with the pertinent changes; and
      7. Provide other information that the Secretary determines to be necessary to make the requested listing determination.
    2. Exclusion of certain entities. The following types of entities may not seek listing as a PSO:
      1. A health insurance issuer; a unit or division of a health insurance issuer; or an entity that is owned, managed, or controlled by a health insurance issuer;
      2.
        1. An entity that accredits or licenses health care providers;
        2. An entity that oversees or enforces statutory or regulatory requirements governing the delivery of health care services;
        3. An agent of an entity that oversees or enforces statutory or regulatory requirements governing the delivery of health care services; or
        4. An entity that operates a Federal, state, local or Tribal patient safety reporting system to which health care providers (other than members of the entity's workforce or health care providers holding privileges with the entity) are required to report information by law or regulation.
      3. A component of an entity listed in paragraph (a)(2)(ii) may seek listing as a component PSO subject to the requirements and restrictions of paragraph (c)(1)(ii) of this section.
    3. Submission of certification for continued listing. To facilitate a timely Secretarial determination regarding acceptance of its certification for continued listing, a PSO must submit the required certification no later than 75 days before the expiration of a PSO's three-year period of listing.
    1. Fifteen general PSO certification requirements. The certifications submitted to the Secretary in accordance with paragraph (a)(1)(ii) of this section must conform to the following 15 requirements:
      1. Required certification regarding eight patient safety activities.
        1. Initial listing. An entity seeking initial listing as a PSO must certify that it has written policies and procedures in place to perform each of the eight patient safety activities, defined in § 3.20. With respect to paragraphs (5) and (6) in the definition of patient safety activities regarding confidentiality and security, the policies and procedures must include and provide for:
          1. Compliance with the confidentiality provisions of Subpart C of this part and with appropriate security measures as required by § 3.106 of this subpart.
          2. Notification of each provider that submitted patient safety work product or data as described in § 3.108(b)(2) to the entity if the submitted work product or data was subject to an unauthorized disclosure or its security was breached.
        2. Continued Listing. A PSO seeking continued listing must certify that it is performing, and will continue to perform, each of the patient safety activities defined in § 3.20, and is and will continue to comply with the requirements of paragraphs (b)(1)(i)(A) and (B) of this section.
      2. Required certification regarding seven PSO criteria.
        1. Initial Listing. In its initial certification submission, an entity must also certify that, if listed as a PSO, it will comply with the seven requirements in paragraphs (b)(2)(i)(A) through (G) of this section.
          1. The mission and primary activity of the PSO must be to conduct activities that are to improve patient safety and the quality of health care delivery.
          2. The PSO must have appropriately qualified workforce members, including licensed or certified medical professionals.
          3. The PSO, within the 24-month period that begins on the date of its initial listing as a PSO, and within each sequential 24-month period thereafter, must have 2 bona fide contracts, each of a reasonable period of time, each with a different provider for the purpose of receiving and reviewing patient safety work product.
          4. The PSO is not a health insurance issuer, and is not a component of a health insurance issuer.
          5. The PSO must make disclosures to the Secretary as required under § 3.102(d), in accordance with § 3.112 of this subpart.
          6. To the extent practical and appropriate, the PSO must collect patient safety work product from providers in a standardized manner that permits valid comparisons of similar cases among similar providers.
          7. The PSO must utilize patient safety work product for the purpose of providing direct feedback and assistance to providers to effectively minimize patient risk.
        2. Continued Listing. A PSO seeking continued listing must certify that it is complying with, and will continue to comply with, the requirements of paragraphs (b)(2)(i)(A) through (G) of this section.
           
        3. Compliance with the criterion for collecting patient safety work product in a standardized manner to the extent practical and appropriate. With respect to paragraph (b)(2)(i)(F) of this section, the Secretary will assess compliance by a PSO in the following manner.
          1. A PSO seeking continued listing must:
            1. Certify that the PSO is using the Secretary's published guidance for common formats and definitions in its collection of patient safety work product (option (I));
            2. Certify that the PSO is using an alternative system of formats and definitions that permits valid comparisons of similar cases among similar providers (option (II)); or
            3. Provide a clear explanation for why it is not practical or appropriate for the PSO to comply with options (I) or (II) at this time.
          2. The Secretary will consider a PSO to be in compliance if the entity complies with option (I), satisfactorily demonstrates that option (II) permits valid comparisons of similar cases among similar providers, or satisfactorily demonstrates that it is not practical or appropriate for the PSO to comply with options (I) or (II) at this time.
    2. Additional certifications required of component organizations-
      1. Requirements when seeking listing-
        1. Requirements that all component organizations must meet. In addition to meeting the 15 general PSO certification requirements of paragraph (b) of this section, an entity seeking initial listing that is a component of another organization must certify that it will comply with the requirements of paragraph (c)(2) of this section. A component PSO seeking continued listing must certify that it is complying with, and will continue to comply with, the requirements of this same paragraph (c)(2). At initial and continued listing, a component entity must attach to its certifications for listing contact information for its parent organization(s).

        2. Additional requirements and limitations applicable to components of entities that are excluded from listing. In addition to the requirements under paragraph (c)(1)(i) of this section, a component of an organization excluded from listing under paragraph (a)(2)(ii) of this section must submit the additional certifications and specified information for initial and continued listing and comply with paragraph (c)(4) of this section.
      2. Required component certifications-
        1. Separation of patient safety work product. A component PSO must maintain patient safety work product separately from the rest of the parent organization(s) of which it is a part, and establish appropriate security measures to maintain the confidentiality of patient safety work product. The information system in which the component PSO maintains patient safety work product must not permit unauthorized access by one or more individuals in, or by units of, the rest of the parent organization(s) of which it is a part.

        2. Nondisclosure of patient safety work product. A component PSO must require that members of its workforce and any other contractor staff not make unauthorized disclosures of patient safety work product to the rest of the parent organization(s) of which it is a part.
        3. No conflict of interest. The pursuit of the mission of a component PSO must not create a conflict of interest with the rest of the parent organization(s) of which it is a part.
      3. Written agreements for assisting a component PSO in the conduct of patient safety activities. Notwithstanding the requirements of paragraph (c)(2) of this section, a component PSO may provide access to identifiable patient safety work product to one or more individuals in, or to one or more units of, the rest of the parent organization(s) of which it is a part, if the component PSO enters into a written agreement with such individuals or units which requires that:
        1. The component PSO will only provide access to identifiable patient safety work product to enable such individuals or units to assist the component PSO in its conduct of patient safety activities, and

        2. Such individuals or units that receive access to identifiable patient safety work product pursuant to such written agreement will only use or disclose such information as specified by the component PSO to assist the component PSO in its conduct of patient safety activities, will take appropriate security measures to prevent unauthorized disclosures and will comply with the other certifications the component has made pursuant to paragraph (c)(2) of this section regarding unauthorized disclosures and conducting the mission of the PSO without creating conflicts of interest.
      4. Required attestations, information and operational limitations for components of entities excluded from listing. A component organization of an entity that is subject to the restrictions of paragraph (a)(2)(ii) of this section must:
        1. Submit the following information with its certifications for listing:
          1. A statement describing its parent organization's role, and the scope of the parent organization's authority, with respect to any of the following that apply: accreditation or licensure of health care providers, oversight or enforcement of statutory or regulatory requirements governing the delivery of health care services, serving as an agent of such a regulatory oversight or enforcement authority, or administering a public mandatory patient safety reporting system;

          2. An attestation that the parent organization has no policies or procedures that would require or induce providers to report patient safety work product to their component organization once listed as a PSO and that the component PSO will notify the Secretary within 5 calendar days of the date on which the component organization has knowledge of the adoption by the parent organization of such policies or procedures, and an acknowledgment that the adoption of such policies or procedures by the parent organization during the component PSO's period of listing will result in the Secretary initiating an expedited revocation process in accordance with § 3.108(e); and
          3. An attestation that the component organization will prominently post notification on its Web site and publish in any promotional materials for dissemination to providers, a summary of the information that is required by paragraph (c)(4)(i)(A) of this section.
        2. Comply with the following requirements during its period of listing:
          1. The component organization may not share staff with its parent organization(s).

          2. The component organization may enter into a written agreement pursuant to paragraph (c)(3) but such agreements are limited to units or individuals of the parent organization(s) whose responsibilities do not involve the activities specified in the restrictions in paragraph (a)(2)(ii) of this section.
    3. Required notifications. Upon listing, PSOs must meet the following notification requirements:
      1. Notification regarding PSO compliance with the minimum contract requirement. No later than 45 calendar days prior to the last day of the pertinent 24-month assessment period, specified in paragraph (b)(2)(iii)(C) of this section, the Secretary must receive from a PSO a certification that states whether it has met the requirement of that paragraph regarding two bona fide contracts, submitted in accordance with § 3.112 of this subpart.
      2. Notification regarding a PSO's relationships with its contracting providers.
        1. Requirement. A PSO must file a disclosure statement regarding a provider with which it has a contract that provides the confidentiality and privilege protections of the Patient Safety Act (hereinafter referred to as a Patient Safety Act contract) if the PSO has any other relationships with this provider that are described in paragraphs (d)(2)(i)(A) through (D) of this section. The PSO must disclose all such relationships. A disclosure statement is not required if all of its other relationships with the provider are limited to Patient Safety Act contracts.
          1. The provider and PSO have current contractual relationships, other than those arising from any Patient Safety Act contracts, including formal contracts or agreements that impose obligations on the PSO.

          2. The provider and PSO have current financial relationships other than those arising from any Patient Safety Act contracts. A financial relationship may include any direct or indirect ownership or investment relationship between the PSO and the contracting provider, shared or common financial interests or direct or indirect compensation arrangements whether in cash or in-kind.

          3. The PSO and provider have current reporting relationships other than those arising from any Patient Safety Act contracts, by which the provider has access to information regarding the work and operation of the PSO that is not available to other contracting providers.

          4. Taking into account all relationships that the PSO has with the provider, the PSO is not independently managed or controlled, or the PSO does not operate independently from, the contracting provider.
        2. Content. A PSO must submit to the Secretary the required attestation form for disclosures with the information specified below in accordance with § 3.112 and this section. The substantive information that must be included with each submission has two required parts:
          1. The Required Disclosures. The first part of the substantive information must provide a succinct list of obligations between the PSO and the contracting provider apart from their Patient Safety Act contract(s) that create, or contain, any of the types of relationships that must be disclosed based upon the requirements of paragraphs (d)(2)(i)(A) through (D) of this section. Each reportable obligation or discrete set of obligations that the PSO has with this contracting provider should be listed only once; noting the specific aspects of the obligation(s) that reflect contractual or financial relationships, involve access to information that is not available to other providers, or affect the independence of PSO operations, management, or control.

          2. An Explanatory Narrative. The second required part of the substantive information must provide a brief explanatory narrative succinctly describing: the policies and procedures that the PSO has in place to ensure adherence to objectivity and professionally recognized analytic standards in the assessments it undertakes; and any other policies or procedures, or agreements with this provider, that the PSO has in place to ensure that it can fairly and accurately perform patient safety activities.
        3. Deadlines for submission. The Secretary must receive a disclosure statement within 45 days of the date on which a PSO enters a contract with a provider if the circumstances described in any of the paragraphs (d)(2)(i)(A) through (D) of this section are met on the date the contract is entered. During the contract period, if these circumstances subsequently arise, the Secretary must receive a disclosure statement from the PSO within 45 days of the date that any disclosure requirement in paragraph (d)(2)(i) of this section first applies.

§ 3.104 Secretarial actions.

  1. Actions in response to certification submissions for initial and continued listing as a PSO.
    1. In response to an initial or continued certification submission by an entity, pursuant to the requirements of § 3.102 of this subpart, the Secretary may-
      1. Accept the certification submission and list the entity as a PSO, or maintain the listing of a PSO, if the Secretary determines that the entity meets the applicable requirements of the Patient Safety Act and this subpart;
      2. Deny acceptance of a certification submission and, in the case of a currently listed PSO, remove the entity from the list if the entity does not meet the applicable requirements of the Patient Safety Act and this subpart; or
      3. Condition the listing of an entity or the continued listing of a PSO, following a determination made pursuant to paragraph (c) of this section or a determination after review of the pertinent history of an entity that has been delisted or refused listing and its officials and senior managers.
    2. Basis for determination. In making a determination regarding listing, the Secretary will consider the certification submission; any prior actions by the Secretary regarding the entity or PSO including delisting; any history of or current non-compliance by the entity or the PSO or its officials or senior managers with statutory or regulatory requirements or requests from the Secretary; the relationships of the entity or PSO with providers; and any findings made by the Secretary in accordance with paragraph (c) of this section.

    3. Notification. The Secretary will notify in writing each entity of action taken on its certification submission for initial or continued listing. The Secretary will provide reasons when an entity's certification is conditionally accepted and the entity is conditionally listed, when an entity's certification is not accepted and the entity is not listed, or when acceptance of its certification is revoked and the entity is delisted.
  2. Actions regarding PSO compliance with the minimum contract requirement. After the date on which the Secretary, under § 3.102(d)(1) of this subpart, must receive notification regarding compliance of a PSO with the minimum contract requirement-
    1. If the PSO has met the minimum contract requirement, the Secretary will acknowledge in writing receipt of the notification and add information to the list established pursuant to paragraph (d) of this section stating that the PSO has certified that it has met the requirement.
    2. If the PSO states that it has not yet met the minimum contract requirement by the date specified in § 3.102(d)(1), or if notice is not received by that date, the Secretary will issue to the PSO a notice of a preliminary finding of deficiency as specified in § 3.108(a)(2) and establish a period for correction that extends until midnight of the last day of the PSO's applicable 24-month period of assessment. Thereafter, if the requirement has not been met, the Secretary will provide the PSO a written notice of proposed revocation and delisting in accordance with § 3.108(a)(3).
  3. Actions regarding required disclosures by PSOs of relationships with contracting providers. The Secretary will review and make findings regarding each disclosure statement submitted by a PSO, pursuant to § 3.102(d)(2), regarding its relationships with contracting provider(s), determine whether such findings warrant action regarding the listing of the PSO in accordance with paragraph (c)(2) of this section, and make the findings public.
    1. Basis of findings regarding PSO disclosure statements. In reviewing disclosure statements, submitted pursuant to § 3.102(d)(2) of this subpart, the Secretary will consider the disclosed relationship(s) between the PSO and the contracting provider and the statements and material submitted by the PSO describing the policies and procedures that the PSO has in place to determine whether the PSO can fairly and accurately perform the required patient safety activities.
    2. Determination by the Secretary. Based on the Secretary's review and findings, he may choose to take any of the following actions:
      1. For an entity seeking an initial or continued listing, the Secretary may list or continue the listing of an entity without conditions, list the entity subject to conditions, or deny the entity's certification for initial or continued listing; or

      2. For a listed PSO, the Secretary may determine that the entity will remain listed without conditions, continue the entity's listing subject to conditions, or remove the entity from the list of PSOs.
    3. Release of disclosure statements and Secretarial findings.
      1. Subject to paragraph (c)(3)(ii) of this section, the Secretary will make disclosure statements available to the public along with related findings that are made available in accordance with paragraph (c) of this section.
      2. The Secretary may withhold information that is exempt from public disclosure under the Freedom of Information Act, e.g., trade secrets or confidential commercial information that are subject to the restrictions of 18 U.S.C. 1905.
  4. Maintaining a list of PSOs. The Secretary will compile and maintain a publicly available list of entities whose certifications as PSOs have been accepted. The list will include contact information for each entity, a copy of all certification forms and disclosure statements submitted by each entity in accordance with paragraph (c)(3)(ii) of this section, the effective date of the PSO's listing, and information on whether a PSO has certified that it has met the two contract requirement. The list also will include a copy of the Secretary's findings regarding each disclosure statement submitted by an entity, information describing any related conditions that have been placed by the Secretary on the listing of an entity as a PSO, and other information that this Subpart states may be made public. AHRQ may maintain a PSO Web site (or a comparable future form of public notice) and may post the list on this Web site.
  5. Three-year period of listing.
    1. The three-year period of listing of a PSO will automatically expire at midnight of the last day of this period, unless the listing had been revoked or relinquished earlier in accordance with § 3.108 of this subpart, or if, prior to this automatic expiration, the PSO seeks a new three-year listing, in accordance with § 3.102, and the Secretary accepts the PSO's certification for a new three-year listing, in accordance with § 3.104(a).
    2. The Secretary plans to send a written notice of imminent expiration to a PSO at least 60 calendar days prior to the date on which its three-year period of listing expires if the Secretary has not yet received a certification for continued listing. The Secretary plans to indicate, on the AHRQ PSO Web site, the PSOs from whom certifications for continued listing have not been timely received.
  6. Effective dates of Secretarial actions. Unless otherwise stated, the effective date of each action by the Secretary pursuant to this subpart will be specified in the written notice of such action that is sent to the entity. When the Secretary sends a notice that addresses acceptance or revocation of an entity's certifications or voluntary relinquishment by an entity of its status as a PSO, the notice will specify the effective date and time of listing or delisting.

§ 3.106 Security requirements.

  1. Application. A PSO must secure patient safety work product in conformance with the security requirements of paragraph (b) of this section. These requirements must be met at all times and at any location at which the PSO, its workforce members, or its contractors receive, access, or handle patient safety work product. Handling patient safety work product includes its processing, development, use, maintenance, storage, removal, disclosure, transmission and destruction.

  2. Security framework. A PSO must have written policies and procedures that address each of the considerations specified in this subsection. In addressing the framework that follows, the PSO may develop appropriate and scalable security standards, policies, and procedures that are suitable for the size and complexity of its organization.
    1. Security management. A PSO must address:
      1. Maintenance and effective implementation of written policies and procedures that conform to the requirements of this section to protect the confidentiality, integrity, and availability of the patient safety work product that is received, accessed, or handled; and to monitor and improve the effectiveness of such policies and procedures, and
      2. Training of the PSO workforce and PSO contractors who receive, access, or handle patient safety work product regarding the requirements of the Patient Safety Act, this Part, and the PSO's policies and procedures regarding the confidentiality and security of patient safety work product.
    2. Distinguishing patient safety work product. A PSO must address:
      1. Maintenance of the security of patient safety work product, whether in electronic or other media, through either physical separation from non-patient safety work product, or if co-located with non-patient safety work product, by making patient safety work product distinguishable so that the appropriate form and level of security can be applied and maintained;
      2. Protection of the media, whether in electronic, paper, or other media or format, that contain patient safety work product, limiting access to authorized users, and sanitizing and destroying such media before their disposal or release for reuse; and
      3. Physical and environmental protection, to control and limit physical and virtual access to places and equipment where patient safety work product is received, accessed, or handled.
    3. Security control and monitoring. A PSO must address:
      1. Identification of those authorized to receive, access, or handle patient safety work product and an audit capacity to detect unlawful, unauthorized, or inappropriate receipt, access, or handling of patient safety work product, and
      2. Methods to prevent unauthorized receipt, access, or handling of patient safety work product.
    4. Security assessment. A PSO must address:
      1. Periodic assessments of security risks and controls to establish if its controls are effective, to correct any deficiency identified, and to reduce or eliminate any vulnerabilities.
      2. System and communications protection, to monitor, control, and protect PSO receipt, access, or handling of patient safety work product with particular attention to the transmission of patient safety work product to and from providers, other PSOs, contractors or any other responsible persons.

§ 3.108 Correction of deficiencies, revocation, and voluntary relinquishment.

  1. Process for correction of a deficiency and revocation-
    1. Circumstances leading to revocation. The Secretary may revoke his acceptance of an entity's certification ("revocation") and delist the entity as a PSO if he determines-
      1. The PSO is not fulfilling the certifications made to the Secretary as required by § 3.102;
      2. The PSO has not met the two contract requirement, as required by § 3.102(d)(1);
      3. Based on a PSO's disclosures made pursuant to § 3.102(d)(2), that the entity cannot fairly and accurately perform the patient safety activities of a PSO with a public finding to that effect; or
      4. The PSO is not in compliance with any other provision of the Patient Safety Act or this Part.
    2. Notice of preliminary finding of deficiency and establishment of an opportunity for correction of a deficiency.
      1. Except as provided by paragraph (e) of this section, if the Secretary determines that a PSO is not in compliance with its obligations under the Patient Safety Act or this Subpart, the Secretary must send a PSO written notice of the preliminary finding of deficiency. The notice must state the actions or inactions that encompass the deficiency finding, outline the evidence that the deficiency exists, specify the possible and/or required corrective actions that must be taken, and establish a date by which the deficiency must be corrected. The Secretary may specify in the notice the form of documentation required to demonstrate that the deficiency has been corrected.
      2. The notice of a preliminary finding of deficiency is presumed received five days after it is sent, absent evidence of the actual receipt date. If a PSO does not submit evidence to the Secretary within 14 calendar days of actual or constructive receipt of such notice, whichever is longer, which demonstrates that the preliminary finding is factually incorrect, the preliminary finding will be the basis for a finding of deficiency.
    3. Determination of correction of a deficiency.
      1. Unless the Secretary specifies another date, the Secretary must receive documentation to demonstrate that the PSO has corrected any deficiency cited in the preliminary finding of deficiency no later than five calendar days following the last day of the correction period that is specified by the Secretary in such notice.
      2. In making a determination regarding the correction of any deficiency, the Secretary will consider the documentation submitted by the PSO, any assessments under § 3.110, recommendations of program staff, and any other information available regarding the PSO that the Secretary deems appropriate and relevant to the PSO's implementation of the terms of its certification.
      3. After completing his review, the Secretary may make one of the following determinations:
        1. The action(s) taken by the PSO have corrected any deficiency, in which case the Secretary will withdraw the notice of deficiency and so notify the PSO;
        2. The PSO has acted in good faith to correct the deficiency, but the Secretary finds an additional period of time is necessary to achieve full compliance and/or the required corrective action specified in the notice of a preliminary finding of deficiency needs to be modified in light of the experience of the PSO in attempting to implement the corrective action, in which case the Secretary will extend the period for correction and/or modify the specific corrective action required; or
        3. The PSO has not completed the corrective action because it has not acted with reasonable diligence or speed to ensure that the corrective action was completed within the allotted time, in which case the Secretary will issue to the PSO a notice of proposed revocation and delisting.
      4. When the Secretary issues a written notice of proposed revocation and delisting, the notice will specify the deficiencies that have not been timely corrected and will detail the manner in which the PSO may exercise its opportunity to be heard in writing to respond to the deficiencies specified in the notice.
    4. Opportunity to be heard in writing following a notice of proposed revocation and delisting. The Secretary will afford a PSO an opportunity to be heard in writing, as specified in paragraph (a)(4)(i) of this section, to provide a substantive response to the deficiency finding(s) set forth in the notice of proposed revocation and delisting.
      1. The notice of proposed revocation and delisting is presumed received five days after it is sent, absent evidence of actual receipt. The Secretary will provide a PSO with a period of time, beginning with the date of receipt of the notice of proposed revocation and delisting of which there is evidence, or the presumed date of receipt if there is no evidence of earlier receipt, and ending at midnight 30 calendar days thereafter, during which the PSO may submit a substantive response to the deficiency findings in writing.
      2. The Secretary will provide to the PSO any rules of procedure governing the form or transmission of the written response to the notice of proposed revocation and delisting. Such rules may also be posted on the AHRQ PSO Web site or published in the Federal Register.
      3. If a PSO does not submit a written response to the deficiency finding(s) within 30 calendar days of receipt of the notice of proposed revocation and delisting, the notice of proposed revocation becomes final as a matter of law and the basis for Secretarial action under paragraph (b)(1) of this section.
    5. The Secretary's decision regarding revocation. The Secretary will review the entire administrative record pertaining to a notice of proposed revocation and delisting and any written materials submitted by the PSO under paragraph (a)(4) of this section. The Secretary may affirm, reverse, or modify the notice of proposed revocation and delisting and will make a determination with respect to the continued listing of the PSO.
  2. Revocation of the Secretary's acceptance of a PSO's certifications-
    1. Establishing the date and time of revocation and delisting. When the Secretary concludes, in accordance with a decision made under paragraphs (a)(5), (e)(3)(iii) or (e)(3)(iv)(C) of this section, that revocation of the acceptance of a PSO's certification is warranted for its failure to comply with requirements of the Patient Safety Act or of this Part, the Secretary will establish the effective time and date for such prompt revocation and removal of the entity from the list of PSOs, so notify the PSO in writing, and provide the relevant public notice required by § 3.108(d) of this subpart.

    2. Required notification of providers and status of data.
      1. Upon being notified of the Secretary's action pursuant to paragraph (b)(1) of this section, the former PSO will take all reasonable actions to notify each provider, whose patient safety work product it collected or analyzed, of the Secretary's action(s) and the following statutory information: Confidentiality and privilege protections that applied to patient safety work product while the former PSO was listed continue to apply after the entity is removed from listing. Data submitted by providers to the former PSO for 30 calendar days following the date and time on which the entity was removed from the list of PSOs pursuant to paragraph (b)(1) of this section will have the same status as data submitted while the entity was still listed.
      2. Within 15 days of being notified of the Secretary's action pursuant to paragraph (b)(1) of this section, the former PSO shall submit to the Secretary confirmation that it has taken the actions in paragraph (b)(2)(i) of this section.
    3. Disposition of patient safety work product and data. Within 90 days following the effective date of revocation and delisting pursuant to paragraph (b)(1) of this section, the former PSO will take one or more of the following measures in regard to patient safety work product and data described in paragraph (b)(2)(i) of this section:
      1. Transfer such patient safety work product or data, with the approval of the source from which it was received, to a PSO that has agreed to receive such patient safety work product or data;
      2. Return such work product or data to the source from which it was submitted; or
      3. If returning such patient safety work product or data to its source is not practicable, destroy such patient safety work product or data.
  3. Voluntary relinquishment-
    1. Circumstances constituting voluntary relinquishment. A PSO will be considered to have voluntarily relinquished its status as a PSO if the Secretary accepts a notification from a PSO that it wishes to relinquish voluntarily its listing as a PSO.

    2. Notification of voluntary relinquishment. A PSO's notification of voluntary relinquishment to the Secretary must include the following:
      1. An attestation that all reasonable efforts have been made, or will have been made by a PSO within 15 calendar days of this statement, to notify the sources from which it received patient safety work product of the PSO's intention to cease PSO operations and activities, to relinquish voluntarily its status as a PSO, to request that these other entities cease reporting or submitting any further information to the PSO as soon as possible, and inform them that any information reported after the effective date and time of delisting that the Secretary sets pursuant to paragraph (c)(3) of this section will not be protected as patient safety work product under the Patient Safety Act.
      2. An attestation that the entity has established a plan, or within 15 calendar days of this statement, will have made all reasonable efforts to establish a plan, in consultation with the sources from which it received patient safety work product, that provides for the disposition of the patient safety work product held by the PSO consistent with, to the extent practicable, the statutory options for disposition of patient safety work product as set out in paragraph (b)(3) of this section; and
      3. Appropriate contact information for further communications from the Secretary.
    3. Response to notification of voluntary relinquishment.
      1. After a PSO provides the notification required by paragraph (c)(2) of this section, the Secretary will respond in writing to the entity indicating whether the proposed voluntary relinquishment of its PSO status is accepted. If the voluntary relinquishment is accepted, the Secretary's response will indicate an effective date and time for the entity's removal from the list of PSOs and will provide public notice of the voluntary relinquishment and the effective date and time of the delisting, in accordance with § 3.108(d) of this subpart.
      2. If the Secretary receives a notification of voluntary relinquishment during or immediately after revocation proceedings for cause under paragraphs (a)(4) and (a)(5) of this section, the Secretary, as a matter of discretion, may accept voluntary relinquishment in accordance with the preceding paragraph or decide not to accept the entity's proposed voluntary relinquishment and proceed with the revocation for cause and delisting pursuant to paragraph (b)(1) of this section.
    4. Non-applicability of certain procedures and requirements.
      1. A decision by the Secretary to accept a request by a PSO to relinquish voluntarily its status as a PSO pursuant to paragraph (c)(2) of this section does not constitute a determination of a deficiency in PSO compliance with the Patient Safety Act or with this Subpart.
      2. The procedures and requirements of § 3.108(a) of this subpart regarding deficiencies including the opportunity to correct deficiencies and to be heard in writing, and the procedures and requirements of § 3.108(b) are not applicable to determinations of the Secretary made pursuant to this subsection.
  4. Public notice of delisting regarding removal from listing. If the Secretary removes an entity from the list of PSOs following revocation of acceptance of the entity's certification pursuant to § 3.108(b)(1), voluntary relinquishment pursuant to § 3.108(c)(3), or expiration of an entity's period of listing pursuant to § 3.104(e)(1), the Secretary will promptly publish in the Federal Register and on the AHRQ PSO Web site, or in a comparable future form of public notice, a notice of the actions taken and the effective dates.

  5. Expedited revocation and delisting-
    1. Basis for expedited revocation. Notwithstanding any other provision of this section, the Secretary may use the expedited revocation process described in paragraph (e)(3) of this section if he determines-
      1. The PSO is not in compliance with this Part because it is or is about to become an entity described in § 3.102(a)(2).
      2. The parent organization of the PSO is an entity described in § 3.102(a)(2) and requires or induces health care providers to report patient safety work product to its component PSO; or
      3. The circumstances for revocation in paragraph (a)(1) of this section exist, and the Secretary has determined that there would be serious adverse consequences if the PSO were to remain listed.
    2. Applicable provisions. If the Secretary uses the expedited revocation process described in paragraph (e)(3) of this section, the procedures in paragraphs (a)(2) through (5) of this section shall not apply and paragraph (a)(1) and paragraphs (b) and (d) of this section shall apply.

    3. Expedited revocation process.
      1. The Secretary must send the PSO a written notice of deficiency that:
        1. Identifies the evidence that the circumstances for revocation and delisting under paragraph (a)(1) of this section exist, and any corrective action that the PSO must take if the Secretary determines that corrective action may resolve the matter so that the entity would not be delisted; and
        2. Provides an opportunity for the PSO to respond in writing to correct the facts or the legal bases for delisting found in the notice, and to offer any other grounds for its not being delisted.
      2. The notice of deficiency will be presumed to be received five days after it is sent, absent evidence of the actual receipt date.
      3. If the PSO does not submit a written response to the Secretary within 14 calendar days of actual or constructive receipt of such notice, whichever is longer, the Secretary may revoke his acceptance of the PSO's certifications and remove the entity from the list of PSOs.
      4. If the PSO responds in writing within the required 14-day time period, the Secretary may take any of the following actions:
        1. Withdraw the notice of deficiency;
        2. Provide the PSO with more time to resolve the matter to the Secretary's satisfaction; or
        3. Revoke his acceptance of the PSO's certifications and remove the entity from the list of PSOs.

§ 3.110 Assessment of PSO compliance.

The Secretary may request information or conduct announced or unannounced reviews of, or site visits to, PSOs, to assess or verify PSO compliance with the requirements of this subpart and for these purposes will be allowed to inspect the physical or virtual sites maintained or controlled by the PSO. The Secretary will be allowed to inspect and/or be given or sent copies of any PSO records deemed necessary and requested by the Secretary to implement the provisions of this subpart. Such PSO records may include patient safety work product in accordance with § 3.206(d) of this part.

§ 3.112 Submissions and forms.

  1. Forms referred to in this subpart may be obtained on the PSO Web site (http://www.pso.ahrq.gov) maintained for the Secretary by AHRQ or a successor agency or on successor publication technology or by requesting them in writing by email at pso@ahrq.hhs.gov, or by mail from the Agency for Healthcare Research and Quality, CQuIPS, PSO Liaison, 540 Gaither Road, Rockville, MD 20850. A form (including any required attachments) must be submitted in accordance with the accompanying instructions.

  2. Information submitted to AHRQ in writing, but not required to be on or attached to a form, and requests for information from AHRQ, may be submitted by mail or other delivery to the Agency for Healthcare Research and Quality, CQuIPS, PSO Liaison, 540 Gaither Road, Rockville, MD 20850, by facsimile at (301) 427-1341, or by email at pso@ahrq.hhs.gov.

  3. If a submission to the Secretary is incomplete or additional information is needed to allow a determination to be made under this subpart, the submitter will be notified if any additional information is required.

Subpart C-Confidentiality and Privilege Protections of Patient Safety Work Product

§ 3.204 Privilege of patient safety work product.

  1. Privilege. Notwithstanding any other provision of Federal, State, local, or Tribal law and subject to paragraph (b) of this section and § 3.208 of this subpart, patient safety work product shall be privileged and shall not be:
    1. Subject to a Federal, State, local, or Tribal civil, criminal, or administrative subpoena or order, including in a Federal, State, local, or Tribal civil or administrative disciplinary proceeding against a provider;
    2. Subject to discovery in connection with a Federal, State, local, or Tribal civil, criminal, or administrative proceeding, including in a Federal, State, local, or Tribal civil or administrative disciplinary proceeding against a provider;
    3. Subject to disclosure pursuant to section 552 of Title 5, United States Code (commonly known as the Freedom of Information Act) or any other similar Federal, State, local, or Tribal law;
    4. Admitted as evidence in any Federal, State, local, or Tribal governmental civil proceeding, criminal proceeding, administrative rulemaking proceeding, or administrative adjudicatory proceeding, including any such proceeding against a provider; or
    5. Admitted in a professional disciplinary proceeding of a professional disciplinary body established or specifically authorized under State law.
  2. Exceptions to privilege. Privilege shall not apply to (and shall not be construed to prohibit) one or more of the following disclosures:
    1. Disclosure of relevant patient safety work product for use in a criminal proceeding, subject to the conditions at § 3.206(b)(1) of this subpart.

    2. Disclosure to the extent required to permit equitable relief subject to the conditions at § 3.206(b)(2) of this subpart.

    3. Disclosure pursuant to provider authorizations subject to the conditions at § 3.206(b)(3) of this subpart.

    4. Disclosure of non-identifiable patient safety work product subject to the conditions at § 3.206(b)(5) of this subpart.
  3. Implementation and enforcement by the Secretary. Privilege shall not apply to (and shall not be construed to prohibit) disclosures of relevant patient safety work product to or by the Secretary if such patient safety work product is needed to investigate or determine compliance, or to seek or impose civil money penalties, with respect to this part or the HIPAA Privacy Rule, or to make or support decisions with respect to listing of a PSO.

§ 3.206 Confidentiality of patient safety work product.

  1. Confidentiality. Subject to paragraphs (b) through (e) of this section, and §§ 3.208 and 3.210 of this subpart, patient safety work product shall be confidential and shall not be disclosed.
  2. Exceptions to confidentiality. The confidentiality provisions shall not apply to (and shall not be construed to prohibit) one or more of the following disclosures:
    1. Disclosure in criminal proceedings. Disclosure of relevant patient safety work product for use in a criminal proceeding, but only after a court makes an in camera determination that:
      1. Such patient safety work product contains evidence of a criminal act;
      2. Such patient safety work product is material to the proceeding; and
      3. Such patient safety work product is not reasonably available from any other source.
    2. Disclosure to permit equitable relief for reporters. Disclosure of patient safety work product to the extent required to permit equitable relief under section 922(f)(4)(A) of the Public Health Service Act, provided the court or administrative tribunal has issued a protective order to protect the confidentiality of the patient safety work product in the course of the proceeding.

    3. Disclosure authorized by identified providers.
      1. Disclosure of identifiable patient safety work product consistent with a valid authorization if such authorization is obtained from each provider identified in such work product prior to disclosure. A valid authorization must:
        1. Be in writing and signed by the provider from whom authorization is sought; and
        2. Contain sufficient detail to fairly inform the provider of the nature and scope of the disclosures being authorized;
      2. A valid authorization must be retained by the disclosing entity for six years from the date of the last disclosure made in reliance on the authorization and made available to the Secretary upon request.
    4. Disclosure for patient safety activities-
      1. Disclosure between a provider and a PSO. Disclosure of patient safety work product for patient safety activities by a provider to a PSO or by a PSO to that disclosing provider.

      2. Disclosure to a contractor of a provider or a PSO. A provider or a PSO may disclose patient safety work product for patient safety activities to an entity with which it has contracted to undertake patient safety activities on its behalf. A contractor receiving patient safety work product for patient safety activities may not further disclose patient safety work product, except to the provider or PSO with which it is contracted.

      3. Disclosure among affiliated providers. Disclosure of patient safety work product for patient safety activities by a provider to an affiliated provider.

      4. Disclosure to another PSO or provider. Disclosure of patient safety work product for patient safety activities by a PSO to another PSO or to another provider that has reported to the PSO, or, except as otherwise permitted in paragraph (b)(4)(iii) of this section, by a provider to another provider, provided:
        1. The following direct identifiers of any providers and of affiliated organizations, corporate parents, subsidiaries, practice partners, employers, members of the workforce, or household members of such providers are removed:
          1. Names;
          2. Postal address information, other than town or city, State and zip code;
          3. Telephone numbers;
          4. Fax numbers;
          5. Electronic mail addresses;
          6. Social security numbers or taxpayer identification numbers;
          7. Provider or practitioner credentialing or DEA numbers;
          8. National provider identification number;
          9. Certificate/license numbers;
          10. Web Universal Resource Locators (URLs);
          11. Internet Protocol (IP) address numbers;
          12. Biometric identifiers, including finger and voice prints; and
          13. Full face photographic images and any comparable images; and
        2. With respect to any individually identifiable health information in such patient safety work product, the direct identifiers listed at 45 CFR 164.514(e)(2) have been removed.
    5. Disclosure of nonidentifiable patient safety work product. Disclosure of nonidentifiable patient safety work product when patient safety work product meets the standard for nonidentification in accordance with § 3.212 of this subpart.
    6. Disclosure for research.
      1. Disclosure of patient safety work product to persons carrying out research, evaluation or demonstration projects authorized, funded, certified, or otherwise sanctioned by rule or other means by the Secretary, for the purpose of conducting research.
      2. If the patient safety work product disclosed pursuant to paragraph (b)(6)(i) of this section is by a HIPAA covered entity as defined at 45 CFR 160.103 and contains protected health information as defined by the HIPAA Privacy Rule at 45 CFR 160.103, such patient safety work product may only be disclosed under this exception in the same manner as would be permitted under the HIPAA Privacy Rule.

    7. Disclosure to the Food and Drug Administration (FDA) and entities required to report to FDA.
      1. Disclosure by a provider of patient safety work product concerning an FDA-regulated product or activity to the FDA, an entity required to report to the FDA concerning the quality, safety, or effectiveness of an FDA-regulated product or activity, or a contractor acting on behalf of FDA or such entity for these purposes.

      2. Any person permitted to receive patient safety work product pursuant to paragraph (b)(7)(i) of this section may only further disclose such patient safety work product for the purpose of evaluating the quality, safety, or effectiveness of that product or activity to another such person or the disclosing provider.
    8. Voluntary disclosure to an accrediting body.
      1. Voluntary disclosure by a provider of patient safety work product to an accrediting body that accredits that provider, provided, with respect to any identified provider other than the provider making the disclosure:
        1. The provider agrees to the disclosure; or
        2. The identifiers at § 3.206(b)(4)(iv)(A) are removed.

      2. An accrediting body may not further disclose patient safety work product it receives pursuant to paragraph (b)(8)(i) of this section.
      3. An accrediting body may not take an accrediting action against a provider based on a good faith participation of the provider in the collection, development, reporting, or maintenance of patient safety work product in accordance with this Part. An accrediting body may not require a provider to reveal its communications with any PSO.
    9. Disclosure for business operations.
      1. Disclosure of patient safety work product by a provider or a PSO for business operations to attorneys, accountants, and other professionals. Such contractors may not further disclose patient safety work product, except to the entity from which they received the information.

      2. Disclosure of patient safety work product for such other business operations that the Secretary may prescribe by regulation as consistent with the goals of this part.
    10. Disclosure to law enforcement.
      1. Disclosure of patient safety work product to an appropriate law enforcement authority relating to an event that either constitutes the commission of a crime, or for which the disclosing person reasonably believes constitutes the commission of a crime, provided that the disclosing person believes, reasonably under the circumstances, that the patient safety work product that is disclosed is necessary for criminal law enforcement purposes.

      2. Law enforcement personnel receiving patient safety work product pursuant to paragraph (b)(10)(i) of this section only may disclose that patient safety work product to other law enforcement authorities as needed for law enforcement activities related to the event that gave rise to the disclosure under paragraph (b)(10)(i) of this section.
  3. Safe harbor. A provider or responsible person, but not a PSO, is not considered to have violated the requirements of this subpart if a member of its workforce discloses patient safety work product, provided that the disclosure does not include materials, including oral statements, that:
    1. Assess the quality of care of an identifiable provider; or
    2. Describe or pertain to one or more actions or failures to act by an identifiable provider.
  4. Implementation and enforcement by the Secretary. The confidentiality provisions shall not apply to (and shall not be construed to prohibit) disclosures of relevant patient safety work product to or by the Secretary if such patient safety work product is needed to investigate or determine compliance or to seek or impose civil money penalties, with respect to this part or the HIPAA Privacy Rule, or to make or support decisions with respect to listing of a PSO.

  5. No limitation on authority to limit or delegate disclosure or use. Nothing in subpart C of this part shall be construed to limit the authority of any person to enter into a contract requiring greater confidentiality or delegating authority to make a disclosure or use in accordance with this subpart.

§ 3.208 Continued protection of patient safety work product.

  1. Except as provided in paragraph (b) of this section, patient safety work product disclosed in accordance with this subpart, or disclosed impermissibly, shall continue to be privileged and confidential.

    1. Patient safety work product disclosed for use in a criminal proceeding pursuant to section 922(c)(1)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(A), and/or pursuant to § 3.206(b)(1) of this subpart continues to be privileged, but is no longer confidential.

    2. Non-identifiable patient safety work product that is disclosed is no longer privileged or confidential and not subject to the regulations under this part.

    3. Paragraph (b) of this section applies only to the specific patient safety work product disclosed.

§ 3.210 Required disclosure of patient safety work product to the Secretary.

Notwithstanding any other provision in this part, providers, PSOs, and responsible persons must disclose patient safety work product upon request by the Secretary when the Secretary determines such patient safety work product is needed to investigate or determine compliance or to seek or impose civil money penalties, with respect to this part or the HIPAA Privacy Rule, or to make or support decisions with respect to listing of a PSO.

§ 3.212 Nonidentification of patient safety work product.

  1. Patient safety work product is nonidentifiable with respect to a particular identified provider or a particular identified reporter if:
    1. A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
      1. Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an identified provider or reporter; and
      2. Documents the methods and results of the analysis that justify such determination; or
      1. The following identifiers of such provider or reporter and of affiliated organizations, corporate parents, subsidiaries, practice partners, employers, members of the workforce, or household members of such providers or reporters are removed:
        1. The direct identifiers listed at § 3.206(b)(4)(iv)(A)(1) through (13) of this subpart;
        2. Geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code and equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people;
        3. All elements of dates (except year) for dates directly related to a patient safety incident or event; and
        4. Any other unique identifying number, characteristic, or code except as permitted for re-identification; and
      2. The provider, PSO or responsible person making the disclosure does not have actual knowledge that the information could be used, alone or in combination with other information that is reasonably available to the intended recipient, to identify the particular provider or reporter.
    2. Re-identification. A provider, PSO, or responsible person may assign a code or other means of record identification to allow information made nonidentifiable under this section to be re-identified by such provider, PSO, or responsible person, provided that:
      1. The code or other means of record identification is not derived from or related to information about the provider or reporter and is not otherwise capable of being translated so as to identify the provider or reporter; and
      2. The provider, PSO, or responsible person does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.
  2. Patient safety work product is non-identifiable with respect to a particular patient only if the individually identifiable health information regarding that patient is de-identified in accordance with the HIPAA Privacy Rule standard and implementation specifications for the de-identification at 45 CFR 164.514(a) through (c).

Subpart D-Enforcement Program

§ 3.304 Principles for achieving compliance.

  1. Cooperation. The Secretary will, to the extent practicable, seek the cooperation of providers, PSOs, and responsible persons in obtaining compliance with the applicable confidentiality provisions.

  2. Assistance. The Secretary may provide technical assistance to providers, PSOs, and responsible persons to help them comply voluntarily with the applicable confidentiality provisions.

§ 3.306 Complaints to the Secretary.

  1. Right to file a complaint. A person who believes that patient safety work product has been disclosed in violation of the confidentiality provisions may file a complaint with the Secretary.

  2. Requirements for filing complaints. Complaints under this section must meet the following requirements:
    1. A complaint must be filed in writing, either on paper or electronically.
    2. A complaint must name the person that is the subject of the complaint and describe the act(s) believed to be in violation of the applicable confidentiality provision(s).
    3. A complaint must be filed within 180 days of when the complainant knew or should have known that the act complained of occurred, unless this time limit is waived by the Secretary for good cause shown.
    4. The Secretary may prescribe additional procedures for the filing of complaints, as well as the place and manner of filing, by notice in the Federal Register.
  3. Investigation. The Secretary may investigate complaints filed under this section. Such investigation may include a review of the pertinent policies, procedures, or practices of the respondent and of the circumstances regarding any alleged violation. At the time of initial written communication with the respondent about the complaint, the Secretary will describe the act(s) that are the basis of the complaint.

§ 3.308 Compliance reviews.

The Secretary may conduct compliance reviews to determine whether a respondent is complying with the applicable confidentiality provisions.

§ 3.310 Responsibilities of respondents.

  1. Provide records and compliance reports. A respondent must keep such records and submit such compliance reports, in such time and manner and containing such information, as the Secretary may determine to be necessary to enable the Secretary to ascertain whether the respondent has complied or is complying with the applicable confidentiality provisions.

  2. Cooperate with complaint investigations and compliance reviews. A respondent must cooperate with the Secretary, if the Secretary undertakes an investigation or compliance review of the policies, procedures, or practices of the respondent to determine whether it is complying with the applicable confidentiality provisions.

  3. Permit access to information.
    1. A respondent must permit access by the Secretary during normal business hours to its facilities, books, records, accounts, and other sources of information, including patient safety work product, that are pertinent to ascertaining compliance with the applicable confidentiality provisions. If the Secretary determines that exigent circumstances exist, such as when documents may be hidden or destroyed, a respondent must permit access by the Secretary at any time and without notice.
    2. If any information required of a respondent under this section is in the exclusive possession of any other agency, institution, or person, and the other agency, institution, or person fails or refuses to furnish the information, the respondent must so certify and set forth what efforts it has made to obtain the information.

§ 3.312 Secretarial action regarding complaints and compliance reviews.

  1. Resolution when noncompliance is indicated.
    1. If an investigation of a complaint pursuant to § 3.306 of this subpart or a compliance review pursuant to § 3.308 of this subpart indicates noncompliance, the Secretary may attempt to reach a resolution of the matter satisfactory to the Secretary by informal means. Informal means may include demonstrated compliance or a completed corrective action plan or other agreement.

    2. If the matter is resolved by informal means, the Secretary will so inform the respondent and, if the matter arose from a complaint, the complainant, in writing.

    3. If the matter is not resolved by informal means, the Secretary will-
      1. So inform the respondent and provide the respondent an opportunity to submit written evidence of any mitigating factors. The respondent must submit any evidence to the Secretary within 30 days (computed in the same manner as prescribed under § 3.526 of this subpart) of receipt of such notification; and
      2. If, following action pursuant to paragraph (a)(3)(i) of this section, the Secretary decides that a civil money penalty should be imposed, inform the respondent of such finding in a notice of proposed determination in accordance with § 3.420 of this subpart.
  2. Resolution when no violation is found. If, after an investigation pursuant to § 3.306 of this subpart or a compliance review pursuant to § 3.308 of this subpart, the Secretary determines that further action is not warranted, the Secretary will so inform the respondent and, if the matter arose from a complaint, the complainant, in writing.

  3. Uses and disclosures of information obtained.
    1. Identifiable patient safety work product obtained by the Secretary in connection with an investigation or compliance review under this subpart will not be disclosed by the Secretary, except in accordance with § 3.206(d) of this subpart, or if otherwise permitted by this part or the Patient Safety Act.

    2. Except as provided for in paragraph (c)(1) of this section, information, including testimony and other evidence, obtained by the Secretary in connection with an investigation or compliance review under this subpart may be used by HHS in any of its activities and may be used or offered into evidence in any administrative or judicial proceeding.

§ 3.314 Investigational subpoenas and inquiries.

  1. The Secretary may issue subpoenas in accordance with 42 U.S.C. 405(d) and (e), and 1320a-7a (j), to require the attendance and testimony of witnesses and the production of any other evidence including patient safety work product during an investigation or compliance review pursuant to this part.
    1. A subpoena issued under this paragraph must-
      1. State the name of the person (including the entity, if applicable) to whom the subpoena is addressed;
      2. State the statutory authority for the subpoena;
      3. Indicate the date, time, and place that the testimony will take place;
      4. Include a reasonably specific description of any documents or items required to be produced; and
      5. If the subpoena is addressed to an entity, describe with reasonable particularity the subject matter on which testimony is required. In that event, the entity must designate one or more natural persons who will testify on its behalf, and must state as to each such person that person's name and address and the matters on which he or she will testify. The designated person must testify as to matters known or reasonably available to the entity.
    2. A subpoena under this section must be served by-
      1. Delivering a copy to the natural person named in the subpoena or to the entity named in the subpoena at its last principal place of business; or
      2. Registered or certified mail addressed to the natural person at his or her last known dwelling place or to the entity at its last known principal place of business.
    3. A verified return by the natural person serving the subpoena setting forth the manner of service or, in the case of service by registered or certified mail, the signed return post office receipt, constitutes proof of service.

    4. Witnesses are entitled to the same fees and mileage as witnesses in the district courts of the United States (28 U.S.C. 1821 and 1825). Fees need not be paid at the time the subpoena is served.

    5. A subpoena under this section is enforceable through the district court of the United States for the district where the subpoenaed natural person resides or is found or where the entity transacts business.
  2. Investigational inquiries are non-public investigational proceedings conducted by the Secretary.
    1. Testimony at investigational inquiries will be taken under oath or affirmation.

    2. Attendance of non-witnesses is discretionary with the Secretary, except that a witness is entitled to be accompanied, represented, and advised by an attorney.

    3. Representatives of the Secretary are entitled to attend and ask questions.

    4. A witness will have the opportunity to clarify his or her answers on the record following questioning by the Secretary.

    5. Any claim of privilege must be asserted by the witness on the record.

    6. Objections must be asserted on the record. Errors of any kind that might be corrected if promptly presented will be deemed to be waived unless reasonable objection is made at the investigational inquiry. Except where the objection is on the grounds of privilege, the question will be answered on the record, subject to objection.

    7. If a witness refuses to answer any question not privileged or to produce requested documents or items, or engages in conduct likely to delay or obstruct the investigational inquiry, the Secretary may seek enforcement of the subpoena under paragraph (a)(5) of this section.

    8. The proceedings will be recorded and transcribed. The witness is entitled to a copy of the transcript, upon payment of prescribed costs, except that, for good cause, the witness may be limited to inspection of the official transcript of his or her testimony.

      1. The transcript will be submitted to the witness for signature.
        1. Where the witness will be provided a copy of the transcript, the transcript will be submitted to the witness for signature. The witness may submit to the Secretary written proposed corrections to the transcript, with such corrections attached to the transcript. If the witness does not return a signed copy of the transcript or proposed corrections within 30 days (computed in the same manner as prescribed under § 3.526 of this part) of its being submitted to him or her for signature, the witness will be deemed to have agreed that the transcript is true and accurate.

        2. Where, as provided in paragraph (b)(8) of this section, the witness is limited to inspecting the transcript, the witness will have the opportunity at the time of inspection to propose corrections to the transcript, with corrections attached to the transcript. The witness will also have the opportunity to sign the transcript. If the witness does not sign the transcript or offer corrections within 30 days (computed in the same manner as prescribed under § 3.526 of this part) of receipt of notice of the opportunity to inspect the transcript, the witness will be deemed to have agreed that the transcript is true and accurate.
      2. The Secretary's proposed corrections to the record of transcript will be attached to the transcript.

§ 3.402 Basis for a civil money penalty.

  1. General rule. A person who discloses identifiable patient safety work product in knowing or reckless violation of the confidentiality provisions shall be subject to a civil money penalty for each act constituting such violation.

  2. Violation attributed to a principal. A principal is independently liable, in accordance with the federal common law of agency, for a civil money penalty based on the act of the principal's agent, including a workforce member, acting within the scope of the agency if such act could give rise to a civil money penalty in accordance with § 3.402(a) of this subpart.

§ 3.404 Amount of a civil money penalty.

  1. The amount of a civil money penalty will be determined in accordance with paragraph (b) of this section and § 3.408 of this subpart.

  2. The Secretary may impose a civil money penalty in the amount of not more than $10,000.

§ 3.408 Factors considered in determining the amount of a civil money penalty.

In determining the amount of any civil money penalty, the Secretary may consider as aggravating or mitigating factors, as appropriate, any of the following:

  1. The nature of the violation.

  2. The circumstances, including the consequences, of the violation, including:
    1. The time period during which the violation(s) occurred; and
    2. Whether the violation caused physical or financial harm or reputational damage;
  3. The degree of culpability of the respondent, including:
    1. Whether the violation was intentional; and
    2. Whether the violation was beyond the direct control of the respondent.
  4. Any history of prior compliance with the Patient Safety Act, including violations, by the respondent, including:
    1. Whether the current violation is the same or similar to prior violation(s);
    2. Whether and to what extent the respondent has attempted to correct previous violations;
    3. How the respondent has responded to technical assistance from the Secretary provided in the context of a compliance effort; and
    4. How the respondent has responded to prior complaints.
  5. The financial condition of the respondent, including:
    1. Whether the respondent had financial difficulties that affected its ability to comply;
    2. Whether the imposition of a civil money penalty would jeopardize the ability of the respondent to continue to provide health care or patient safety activities; and
    3. The size of the respondent.
  6. Such other matters as justice may require.

§ 3.414 Limitations.

No action under this subpart may be entertained unless commenced by the Secretary, in accordance with § 3.420 of this subpart, within 6 years from the date of the occurrence of the violation.

§ 3.416 Authority to settle.

Nothing in this subpart limits the authority of the Secretary to settle any issue or case or to compromise any penalty.

§ 3.418 Exclusivity of penalty.

  1. Except as otherwise provided by paragraph (b) of this section, a penalty imposed under this part is in addition to any other penalty prescribed by law.

  2. Civil money penalties shall not be imposed both under this part and under the HIPAA Privacy Rule (45 CFR parts 160 and 164).

§ 3.420 Notice of proposed determination.

  1. If a penalty is proposed in accordance with this part, the Secretary must deliver, or send by certified mail with return receipt requested, to the respondent, written notice of the Secretary's intent to impose a penalty. This notice of proposed determination must include:
    1. Reference to the statutory basis for the penalty;
    2. A description of the findings of fact regarding the violations with respect to which the penalty is proposed;
    3. The reason(s) why the violation(s) subject(s) the respondent to a penalty;
    4. The amount of the proposed penalty;
    5. Any factors described in § 3.408 of this subpart that were considered in determining the amount of the proposed penalty; and
    6. Instructions for responding to the notice, including a statement of the respondent's right to a hearing, a statement that failure to request a hearing within 60 days permits the imposition of the proposed penalty without the right to a hearing under § 3.504 of this subpart or a right of appeal under § 3.548 of this subpart, and the address to which the hearing request must be sent.
  2. The respondent may request a hearing before an ALJ on the proposed penalty by filing a request in accordance with § 3.504 of this subpart.

§ 3.422 Failure to request a hearing.

If the respondent does not request a hearing within the time prescribed by § 3.504 of this subpart and the matter is not settled pursuant to § 3.416 of this subpart, the Secretary may impose the proposed penalty or any lesser penalty permitted by sections 921 through 926 of the Public Health Service Act, 42 U.S.C. 299b-21 through 299b-26. The Secretary will notify the respondent by certified mail, return receipt requested, of any penalty that has been imposed and of the means by which the respondent may satisfy the penalty, and the penalty is final on receipt of the notice. The respondent has no right to appeal a penalty under § 3.548 of this subpart with respect to which the respondent has not timely requested a hearing.

§ 3.424 Collection of penalty.

  1. Once a determination of the Secretary to impose a penalty has become final, the penalty will be collected by the Secretary, subject to the first sentence of 42 U.S.C. 1320a-7a(f).

  2. The penalty may be recovered in a civil action brought in the United States district court for the district where the respondent resides, is found, or is located.

  3. The amount of a penalty, when finally determined, or the amount agreed upon in compromise, may be deducted from any sum then or later owing by the United States, or by a State agency, to the respondent.

  4. Matters that were raised or that could have been raised in a hearing before an ALJ, or in an appeal under 42 U.S.C. 1320a-7a(e), may not be raised as a defense in a civil action by the United States to collect a penalty under this part.

§ 3.426 Notification of the public and other agencies.

Whenever a proposed penalty becomes final, the Secretary will notify, in such manner as the Secretary deems appropriate, the public and the following organizations and entities thereof and the reason it was imposed: The appropriate State or local medical or professional organization, the appropriate State agency or agencies administering or supervising the administration of State health care programs (as defined in 42 U.S.C. 1320a-7(h)), the appropriate utilization and quality control peer review organization, and the appropriate State or local licensing agency or organization (including the agency specified in 42 U.S.C. 1395aa(a), 1396a(a)(33)).

§ 3.504 Hearings before an ALJ.

  1. A respondent may request a hearing before an ALJ. The parties to the hearing proceeding consist of-
    1. The respondent; and
    2. The officer(s) or employee(s) of HHS to whom the enforcement authority involved has been delegated.

  2. The request for a hearing must be made in writing signed by the respondent or by the respondent's attorney and sent by certified mail, return receipt requested, to the address specified in the notice of proposed determination. The request for a hearing must be mailed within 60 days after notice of the proposed determination is received by the respondent. For purposes of this section, the respondent's date of receipt of the notice of proposed determination is presumed to be 5 days after the date of the notice unless the respondent makes a reasonable showing to the contrary to the ALJ.

  3. The request for a hearing must clearly and directly admit, deny, or explain each of the findings of fact contained in the notice of proposed determination with regard to which the respondent has any knowledge. If the respondent has no knowledge of a particular finding of fact and so states, the finding shall be deemed denied. The request for a hearing must also state the circumstances or arguments that the respondent alleges constitute the grounds for any defense and the factual and legal basis for opposing the penalty.
  4. The ALJ must dismiss a hearing request where-
    1. On motion of the Secretary, the ALJ determines that the respondent's hearing request is not timely filed as required by paragraph (b) or does not meet the requirements of paragraph (c) of this section;
    2. The respondent withdraws the request for a hearing;
    3. The respondent abandons the request for a hearing; or
    4. The respondent's hearing request fails to raise any issue that may properly be addressed in a hearing.

§ 3.506 Rights of the parties.

  1. Except as otherwise limited by this subpart, each party may-
    1. Be accompanied, represented, and advised by an attorney;
    2. Participate in any conference held by the ALJ;
    3. Conduct discovery of documents as permitted by this subpart;
    4. Agree to stipulations of fact or law that will be made part of the record;
    5. Present evidence relevant to the issues at the hearing;
    6. Present and cross-examine witnesses;
    7. Present oral arguments at the hearing as permitted by the ALJ; and
    8. Submit written briefs and proposed findings of fact and conclusions of law after the hearing.

  2. A party may appear in person or by a representative. Natural persons who appear as an attorney or other representative must conform to the standards of conduct and ethics required of practitioners before the courts of the United States.

  3. Fees for any services performed on behalf of a party by an attorney are not subject to the provisions of 42 U.S.C. 406, which authorizes the Secretary to specify or limit their fees.

§ 3.508 Authority of the ALJ.

  1. The ALJ must conduct a fair and impartial hearing, avoid delay, maintain order, and ensure that a record of the proceeding is made.

  2. The ALJ may-
    1. Set and change the date, time and place of the hearing upon reasonable notice to the parties;
    2. Continue or recess the hearing in whole or in part for a reasonable period of time;
    3. Hold conferences to identify or simplify the issues, or to consider other matters that may aid in the expeditious disposition of the proceeding;
    4. Administer oaths and affirmations;
    5. Issue subpoenas requiring the attendance of witnesses at hearings and the production of documents at or in relation to hearings;
    6. Rule on motions and other procedural matters;
    7. Regulate the scope and timing of documentary discovery as permitted by this subpart;
    8. Regulate the course of the hearing and the conduct of representatives, parties, and witnesses;
    9. Examine witnesses;
    10. Receive, rule on, exclude, or limit evidence;
    11. Upon motion of a party, take official notice of facts;
    12. Conduct any conference, argument or hearing in person or, upon agreement of the parties, by telephone; and
    13. Upon motion of a party, decide cases, in whole or in part, by summary judgment where there is no disputed issue of material fact. A summary judgment decision constitutes a hearing on the record for the purposes of this subpart.
  3. The ALJ-
    1. May not find invalid or refuse to follow Federal statutes, regulations, or Secretarial delegations of authority and must give deference to published guidance to the extent not inconsistent with statute or regulation;
    2. May not enter an order in the nature of a directed verdict;
    3. May not compel settlement negotiations; or
    4. May not enjoin any act of the Secretary.

§ 3.510 Ex parte contacts.

No party or person (except employees of the ALJ's office) may communicate in any way with the ALJ on any matter at issue in a case, unless on notice and opportunity for both parties to participate. This provision does not prohibit a party or person from inquiring about the status of a case or asking routine questions concerning administrative functions or procedures.

§ 3.512 Prehearing conferences.

  1. The ALJ must schedule at least one prehearing conference, and may schedule additional prehearing conferences as appropriate, upon reasonable notice, which may not be less than 14 business days, to the parties.

  2. The ALJ may use prehearing conferences to discuss the following-
    1. Simplification of the issues;
    2. The necessity or desirability of amendments to the pleadings, including the need for a more definite statement;
    3. Stipulations and admissions of fact or as to the contents and authenticity of documents;
    4. Whether the parties can agree to submission of the case on a stipulated record;
    5. Whether a party chooses to waive appearance at an oral hearing and to submit only documentary evidence (subject to the objection of the other party) and written argument;
    6. Limitation of the number of witnesses;
    7. Scheduling dates for the exchange of witness lists and of proposed exhibits;
    8. Discovery of documents as permitted by this subpart;
    9. The time and place for the hearing;
    10. The potential for the settlement of the case by the parties; and
    11. Other matters as may tend to encourage the fair, just and expeditious disposition of the proceedings, including the protection of confidentiality of identifiable patient safety work product that may be submitted into evidence or otherwise used in the proceeding, if appropriate.
  3. The ALJ must issue an order containing the matters agreed upon by the parties or ordered by the ALJ at a prehearing conference.

§ 3.514 Authority to settle.

The Secretary has exclusive authority to settle any issue or case without the consent of the ALJ.

§ 3.516 Discovery.

  1. A party may make a request to another party for production of documents for inspection and copying that are relevant and material to the issues before the ALJ.

  2. For the purpose of this section, the term "documents" includes information, reports, answers, records, accounts, papers and other data and documentary evidence. Nothing contained in this section may be interpreted to require the creation of a document, except that requested data stored in an electronic data storage system must be produced in a form accessible to the requesting party.

  3. Requests for documents, requests for admissions, written interrogatories, depositions and any forms of discovery, other than those permitted under paragraph (a) of this section, are not authorized.

  4. This section may not be construed to require the disclosure of interview reports or statements obtained by any party, or on behalf of any party, of persons who will not be called as witnesses by that party, or analyses and summaries prepared in conjunction with the investigation or litigation of the case, or any otherwise privileged documents.

    1. When a request for production of documents has been received, within 30 days the party receiving that request must either fully respond to the request, or state that the request is being objected to and the reasons for that objection. If objection is made to part of an item or category, the part must be specified. Upon receiving any objections, the party seeking production may then, within 30 days or any other time frame set by the ALJ, file a motion for an order compelling discovery. The party receiving a request for production may also file a motion for protective order any time before the date the production is due.

    2. The ALJ may grant a motion for protective order or deny a motion for an order compelling discovery if the ALJ finds that the discovery sought-
      1. Is irrelevant;
      2. Is unduly costly or burdensome;
      3. Will unduly delay the proceeding; or
      4. Seeks privileged information.

    3. The ALJ may extend any of the time frames set forth in paragraph (e)(1) of this section.

    4. The burden of showing that discovery should be allowed is on the party seeking discovery.

§ 3.518 Exchange of witness lists, witness statements, and exhibits.

  1. The parties must exchange witness lists, copies of prior written statements of proposed witnesses, and copies of proposed hearing exhibits, including copies of any written statements that the party intends to offer in lieu of live testimony in accordance with § 3.538, not more than 60, and not less than 15, days before the scheduled hearing.

    1. If, at any time, a party objects to the proposed admission of evidence not exchanged in accordance with paragraph (a) of this section, the ALJ must determine whether the failure to comply with paragraph (a) of this section should result in the exclusion of that evidence.
    2. Unless the ALJ finds that extraordinary circumstances justified the failure timely to exchange the information listed under paragraph (a) of this section, the ALJ must exclude from the party's case-in-chief-
      1. The testimony of any witness whose name does not appear on the witness list; and
      2. Any exhibit not provided to the opposing party as specified in paragraph (a) of this section.
    3. If the ALJ finds that extraordinary circumstances existed, the ALJ must then determine whether the admission of that evidence would cause substantial prejudice to the objecting party.
      1. If the ALJ finds that there is no substantial prejudice, the evidence may be admitted.

      2. If the ALJ finds that there is substantial prejudice, the ALJ may exclude the evidence, or, if he or she does not exclude the evidence, must postpone the hearing for such time as is necessary for the objecting party to prepare and respond to the evidence, unless the objecting party waives postponement.
  2. Unless the other party objects within a reasonable period of time before the hearing, documents exchanged in accordance with paragraph (a) of this section will be deemed to be authentic for the purpose of admissibility at the hearing.

§ 3.520 Subpoenas for attendance at hearing.

  1. A party wishing to procure the appearance and testimony of any person at the hearing may make a motion requesting the ALJ to issue a subpoena if the appearance and testimony are reasonably necessary for the presentation of a party's case.

  2. A subpoena requiring the attendance of a person in accordance with paragraph (a) of this section may also require the person (whether or not the person is a party) to produce relevant and material evidence at or before the hearing.

  3. When a subpoena is served by a respondent on a particular employee or official or particular office of HHS, the Secretary may comply by designating any knowledgeable HHS representative to appear and testify.

  4. A party seeking a subpoena must file a written motion not less than 30 days before the date fixed for the hearing, unless otherwise allowed by the ALJ for good cause shown. That motion must-
    1. Specify any evidence to be produced;
    2. Designate the witnesses; and
    3. Describe the address and location with sufficient particularity to permit those witnesses to be found.

  5. The subpoena must specify the time and place at which the witness is to appear and any evidence the witness is to produce.

  6. Within 15 days after the written motion requesting issuance of a subpoena is served, any party may file an opposition or other response.

  7. If the motion requesting issuance of a subpoena is granted, the party seeking the subpoena must serve it by delivery to the person named, or by certified mail addressed to that person at the person's last dwelling place or principal place of business.

  8. The person to whom the subpoena is directed may file with the ALJ a motion to quash the subpoena within 10 days after service.

  9. The exclusive remedy for contumacy by, or refusal to obey a subpoena duly served upon, any person is specified in 42 U.S.C. 405(e).

§ 3.522 Fees.

The party requesting a subpoena must pay the cost of the fees and mileage of any witness subpoenaed in the amounts that would be payable to a witness in a proceeding in United States District Court. A check for witness fees and mileage must accompany the subpoena when served, except that, when a subpoena is issued on behalf of the Secretary, a check for witness fees and mileage need not accompany the subpoena.

§ 3.524 Form, filing, and service of papers.

  1. Forms.
    1. Unless the ALJ directs the parties to do otherwise, documents filed with the ALJ must include an original and two copies.

    2. Every pleading and paper filed in the proceeding must contain a caption setting forth the title of the action, the case number, and a designation of the paper, such as motion to quash subpoena.

    3. Every pleading and paper must be signed by and must contain the address and telephone number of the party or the person on whose behalf the paper was filed, or his or her representative.

    4. Papers are considered filed when they are mailed.
  2. Service. A party filing a document with the ALJ or the Board must, at the time of filing, serve a copy of the document on the other party. Service upon any party of any document must be made by delivering a copy, or placing a copy of the document in the United States mail, postage prepaid and addressed, or with a private delivery service, to the party's last known address. When a party is represented by an attorney, service must be made upon the attorney in lieu of the party.

  3. Proof of service. A certificate of the natural person serving the document by personal delivery or by mail, setting forth the manner of service, constitutes proof of service.

§ 3.526 Computation of time.

  1. In computing any period of time under this subpart or in an order issued thereunder, the time begins with the day following the act, event or default, and includes the last day of the period unless it is a Saturday, Sunday, or legal holiday observed by the Federal Government, in which event it includes the next business day.

  2. When the period of time allowed is less than 7 days, intermediate Saturdays, Sundays, and legal holidays observed by the Federal Government must be excluded from the computation.

  3. Where a document has been served or issued by placing it in the mail, an additional 5 days must be added to the time permitted for any response. This paragraph does not apply to requests for hearing under § 3.504.

§ 3.528 Motions.

  1. An application to the ALJ for an order or ruling must be by motion. Motions must state the relief sought, the authority relied upon and the facts alleged, and must be filed with the ALJ and served on all other parties.

  2. Except for motions made during a prehearing conference or at the hearing, all motions must be in writing. The ALJ may require that oral motions be reduced to writing.

  3. Within 10 days after a written motion is served, or such other time as may be fixed by the ALJ, any party may file a response to the motion.

  4. The ALJ may not grant a written motion before the time for filing responses has expired, except upon consent of the parties or following a hearing on the motion, but may overrule or deny the motion without awaiting a response.

  5. The ALJ must make a reasonable effort to dispose of all outstanding motions before the beginning of the hearing.

§ 3.530 Sanctions.

The ALJ may sanction a person, including any party or attorney, for failing to comply with an order or procedure, for failing to defend an action or for other misconduct that interferes with the speedy, orderly or fair conduct of the hearing. The sanctions must reasonably relate to the severity and nature of the failure or misconduct. The sanctions may include-

  1. In the case of refusal to provide or permit discovery under the terms of this part, drawing negative factual inferences or treating the refusal as an admission by deeming the matter, or certain facts, to be established;
  2. Prohibiting a party from introducing certain evidence or otherwise supporting a particular claim or defense;
  3. Striking pleadings, in whole or in part;
  4. Staying the proceedings;
  5. Dismissal of the action;
  6. Entering a decision by default;
  7. Ordering the party or attorney to pay the attorney's fees and other costs caused by the failure or misconduct; and
  8. Refusing to consider any motion or other action that is not filed in a timely manner.

§ 3.532 Collateral estoppel.

When a final determination that the respondent violated a confidentiality provision has been rendered in any proceeding in which the respondent was a party and had an opportunity to be heard, the respondent is bound by that determination in any proceeding under this part.

§ 3.534 The hearing.

  1. The ALJ must conduct a hearing on the record in order to determine whether the respondent should be found liable under this part.

    1. The respondent has the burden of going forward and the burden of persuasion with respect to any challenge to the amount of a proposed penalty pursuant to §§ 3.404 and 3.408, including any factors raised as mitigating factors.

    2. The Secretary has the burden of going forward and the burden of persuasion with respect to all other issues, including issues of liability and the existence of any factors considered as aggravating factors in determining the amount of the proposed penalty.

    3. The burden of persuasion will be judged by a preponderance of the evidence.
  2. The hearing must be open to the public unless otherwise ordered by the ALJ for good cause shown, which may be that identifiable patient safety work product has been introduced into evidence or is expected to be introduced into evidence.

    1. Subject to the 15-day rule under § 3.518(a) and the admissibility of evidence under § 3.540, either party may introduce, during its case in chief, items or information that arose or became known after the date of the issuance of the notice of proposed determination or the request for hearing, as applicable. Such items and information may not be admitted into evidence, if introduced-
      1. By the Secretary, unless they are material and relevant to the acts or omissions with respect to which the penalty is proposed in the notice of proposed determination pursuant to § 3.420 of this part, including circumstances that may increase penalties; or
      2. By the respondent, unless they are material and relevant to an admission, denial or explanation of a finding of fact in the notice of proposed determination under § 3.420 of this part, or to a specific circumstance or argument expressly stated in the request for hearing under § 3.504, including circumstances that may reduce penalties.
    2. After both parties have presented their cases, evidence may be admitted in rebuttal even if not previously exchanged in accordance with § 3.518.

§ 3.538 Witnesses.

  1. Except as provided in paragraph (b) of this section, testimony at the hearing must be given orally by witnesses under oath or affirmation.

  2. At the discretion of the ALJ, testimony of witnesses other than the testimony of expert witnesses may be admitted in the form of a written statement. The ALJ may, at his or her discretion, admit prior sworn testimony of experts that has been subject to adverse examination, such as a deposition or trial testimony. Any such written statement must be provided to the other party, along with the last known address of the witness, in a manner that allows sufficient time for the other party to subpoena the witness for cross-examination at the hearing. Prior written statements of witnesses proposed to testify at the hearing must be exchanged as provided in § 3.518.

  3. The ALJ must exercise reasonable control over the mode and order of interrogating witnesses and presenting evidence so as to:
    1. Make the interrogation and presentation effective for the ascertainment of the truth;
    2. Avoid repetition or needless consumption of time; and
    3. Protect witnesses from harassment or undue embarrassment.

  4. The ALJ must permit the parties to conduct cross-examination of witnesses as may be required for a full and true disclosure of the facts.

  5. The ALJ may order witnesses excluded so that they cannot hear the testimony of other witnesses, except that the ALJ may not order to be excluded-
    1. A party who is a natural person;
    2. In the case of a party that is not a natural person, the officer or employee of the party appearing for the entity pro se or designated as the party's representative; or
    3. A natural person whose presence is shown by a party to be essential to the presentation of its case, including a person engaged in assisting the attorney for the Secretary.

§ 3.540 Evidence.

  1. The ALJ must determine the admissibility of evidence.

  2. Except as provided in this subpart, the ALJ is not bound by the Federal Rules of Evidence. However, the ALJ may apply the Federal Rules of Evidence where appropriate, for example, to exclude unreliable evidence.

  3. The ALJ must exclude irrelevant or immaterial evidence.

  4. Although relevant, evidence may be excluded if its probative value is substantially outweighed by the danger of unfair prejudice, confusion of the issues, or by considerations of undue delay or needless presentation of cumulative evidence.

  5. Although relevant, evidence must be excluded if it is privileged under Federal law.

  6. Evidence concerning offers of compromise or settlement is inadmissible to the extent provided in Rule 408 of the Federal Rules of Evidence.

  7. Evidence of crimes, wrongs, or acts other than those at issue in the instant case is admissible in order to show motive, opportunity, intent, knowledge, preparation, identity, lack of mistake, or existence of a scheme. This evidence is admissible regardless of whether the crimes, wrongs, or acts occurred during the statute of limitations period applicable to the acts or omissions that constitute the basis for liability in the case and regardless of whether they were referenced in the Secretary's notice of proposed determination under § 3.420.

  8. The ALJ must permit the parties to introduce rebuttal witnesses and evidence.

  9. All documents and other evidence offered or taken for the record must be open to examination by both parties, unless otherwise ordered by the ALJ for good cause shown.

§ 3.542 The record.

  1. The hearing must be recorded and transcribed. Transcripts may be obtained following the hearing from the ALJ. A party that requests a transcript of hearing proceedings must pay the cost of preparing the transcript unless, for good cause shown by the party, the payment is waived by the ALJ or the Board, as appropriate.

  2. The transcript of the testimony, exhibits, and other evidence admitted at the hearing, and all papers and requests filed in the proceeding constitute the record for decision by the ALJ and the Secretary.

  3. The record may be inspected and copied (upon payment of a reasonable fee) by any person, unless otherwise ordered by the ALJ for good cause shown, which may include the presence in the record of identifiable patient safety work product.

  4. For good cause, which may include the presence in the record of identifiable patient safety work product, the ALJ may order appropriate redactions made to the record.

§ 3.544 Post hearing briefs.

The ALJ may require the parties to file post-hearing briefs. In any event, any party may file a post-hearing brief. The ALJ must fix the time for filing the briefs. The time for filing may not exceed 60 days from the date the parties receive the transcript of the hearing or, if applicable, the stipulated record. The briefs may be accompanied by proposed findings of fact and conclusions of law. The ALJ may permit the parties to file reply briefs.

§ 3.546 ALJ's decision.

  1. The ALJ must issue a decision, based only on the record, which must contain findings of fact and conclusions of law.

  2. The ALJ may affirm, increase, or reduce the penalties imposed by the Secretary.

  3. The ALJ must issue the decision to both parties within 60 days after the time for submission of post-hearing briefs and reply briefs, if permitted, has expired. If the ALJ fails to meet the deadline contained in this paragraph, he or she must notify the parties of the reason for the delay and set a new deadline.

  4. Unless the decision of the ALJ is timely appealed as provided for in § 3.548, the decision of the ALJ will be final and binding on the parties 60 days from the date of service of the ALJ's decision.

§ 3.548 Appeal of the ALJ's decision.

  1. Any party may appeal the decision of the ALJ to the Board by filing a notice of appeal with the Board within 30 days of the date of service of the ALJ decision. The Board may extend the initial 30 day period for a period of time not to exceed 30 days if a party files with the Board a request for an extension within the initial 30 day period and shows good cause.

  2. If a party files a timely notice of appeal with the Board, the ALJ must forward the record of the proceeding to the Board.

  3. A notice of appeal must be accompanied by a written brief specifying exceptions to the initial decision and reasons supporting the exceptions. Any party may file a brief in opposition to the exceptions, which may raise any relevant issue not addressed in the exceptions, within 30 days of receiving the notice of appeal and the accompanying brief. The Board may permit the parties to file reply briefs.

  4. There is no right to appear personally before the Board or to appeal to the Board any interlocutory ruling by the ALJ.

  5. The Board may not consider any issue not raised in the parties' briefs, nor any issue in the briefs that could have been raised before the ALJ but was not.

  6. If any party demonstrates to the satisfaction of the Board that additional evidence not presented at such hearing is relevant and material and that there were reasonable grounds for the failure to adduce such evidence at the hearing, the Board may remand the matter to the ALJ for consideration of such additional evidence.

  7. The Board may decline to review the case, or may affirm, increase, reduce, reverse or remand any penalty determined by the ALJ.

  8. The standard of review on a disputed issue of fact is whether the initial decision of the ALJ is supported by substantial evidence on the whole record. The standard of review on a disputed issue of law is whether the decision is erroneous.

  9. Within 60 days after the time for submission of briefs and reply briefs, if permitted, has expired, the Board must serve on each party to the appeal a copy of the Board's decision and a statement describing the right of any respondent who is penalized to seek judicial review.

    1. The Board's decision under paragraph (i) of this section, including a decision to decline review of the initial decision, becomes the final decision of the Secretary 60 days after the date of service of the Board's decision, except with respect to a decision to remand to the ALJ or if reconsideration is requested under this paragraph.

    2. The Board will reconsider its decision only if it determines that the decision contains a clear error of fact or error of law. New evidence will not be a basis for reconsideration unless the party demonstrates that the evidence is newly discovered and was not previously available.

    3. A party may file a motion for reconsideration with the Board before the date the decision becomes final under paragraph (j)(1) of this section. A motion for reconsideration must be accompanied by a written brief specifying any alleged error of fact or law and, if the party is relying on additional evidence, explaining why the evidence was not previously available. Any party may file a brief in opposition within 15 days of receiving the motion for reconsideration and the accompanying brief unless this time limit is extended by the Board for good cause shown. Reply briefs are not permitted.

    4. The Board must rule on the motion for reconsideration not later than 30 days from the date the opposition brief is due. If the Board denies the motion, the decision issued under paragraph (i) of this section becomes the final decision of the Secretary on the date of service of the ruling. If the Board grants the motion, the Board will issue a reconsidered decision, after such procedures as the Board determines necessary to address the effect of any error. The Board's decision on reconsideration becomes the final decision of the Secretary on the date of service of the decision, except with respect to a decision to remand to the ALJ.

    5. If service of a ruling or decision issued under this section is by mail, the date of service will be deemed to be 5 days from the date of mailing.

    1. A respondent's petition for judicial review must be filed within 60 days of the date on which the decision of the Board becomes the final decision of the Secretary under paragraph (j) of this section.

    2. In compliance with 28 U.S.C. 2112(a), a copy of any petition for judicial review filed in any U.S. Court of Appeals challenging the final decision of the Secretary must be sent by certified mail, return receipt requested, to the General Counsel of HHS. The petition copy must be a copy showing that it has been time-stamped by the clerk of the court when the original was filed with the court.

    3. If the General Counsel of HHS received two or more petitions within 10 days after the final decision of the Secretary, the General Counsel will notify the U.S. Judicial Panel on Multidistrict Litigation of any petitions that were received within the 10 day period.

§ 3.550 Stay of the Secretary's decision.

  1. Pending judicial review, the respondent may file a request for stay of the effective date of any penalty with the ALJ. The request must be accompanied by a copy of the notice of appeal filed with the Federal court. The filing of the request automatically stays the effective date of the penalty until such time as the ALJ rules upon the request.

  2. The ALJ may not grant a respondent's request for stay of any penalty unless the respondent posts a bond or provides other adequate security.

  3. The ALJ must rule upon a respondent's request for stay within 10 days of receipt.

§ 3.552 Harmless error.

No error in either the admission or the exclusion of evidence, and no error or defect in any ruling or order or in any act done or omitted by the ALJ or by any of the parties is ground for vacating, modifying or otherwise disturbing an otherwise appropriate ruling or order or act, unless refusal to take such action appears to the ALJ or the Board inconsistent with substantial justice. The ALJ and the Board at every stage of the proceeding must disregard any error or defect in the proceeding that does not affect the substantial rights of the parties.

Dated: September 2, 2008
__________________________________________
Michael O. Leavitt,
Secretary.
[FR Doc. E8-27475 Filed 11-20-08; 8:45 am]
BILLING CODE 4150-28-P

 

Preamble


Table of Contents

[Note: These links take the reader to descriptions of the proposed and final rules. The final rule includes a section-by-section summary of the public comments received regarding the proposed rule and a discussion of the extent to which those comments shaped the provisions of the final rule.]

  1. Background
  2. Overview of the Proposed and Final Rules
    1. The Proposed Rule
    2. The Final Rule
  3. Section-by-Section Description of Final Rule and Response to Comments
    1. Subpart A-General Provisions
      1. Section 3.10-Purpose
      2. Section 3.20-Definitions
    2. Subpart B-PSO Requirements and Agency Procedures
      1. Section 3.102-Process and Requirements for Initial and Continued Listings of PSOs
      2. Section 3.104-Secretarial Actions
      3. Section 3.106-Security Requirements
      4. Section 3.108-Correction of Deficiencies, Revocation and Voluntary Relinquishment
      5. Section 3.110-Assessment of PSO Compliance
      6. Section 3.112-Submissions and Forms
    3. Subpart C-Confidentiality and Privilege Protections of Patient Safety Work Product
      1. Section 3.204-Privilege of Patient Safety Work Product
      2. Section 3.206-Confidentiality of Patient Safety Work Product
      3. Section 3.208-Continued Protection of Patient Safety Work Product
      4. Section 3.210-Required Disclosure of Patient Safety Work Product to the Secretary
      5. Section 3.212-Nonidentification of Patient Safety Work Product
    4. Subpart D-Enforcement Program
      1. Sections 3.304, 3.306, 3.308, 3.310, 3.312, 3.314-Compliance and Investigations
      2. Sections 3.402, 3.404, 3.408, 3.414, 3.416, 3.418, 3.420, 3.422, 3.424, 3.426-Civil Money Penalties
      3. Section 3.504-Procedures for Hearings
    5. Impact Statement and Other Required Analyses

[Note: The following link includes the complete text of the final rule from Part 3 of Title 42 of the Code of Federal Regulations, which is entitled "Patient Safety Organizations and Patient Safety Work Product."]

Regulatory Text

(I) Background

Statutory Background

This final rule establishes the authorities, processes, and rules necessary to implement the Patient Safety Act that amended the Public Health Service Act (42 U.S.C. 299 et seq.) by inserting new sections 921 through 926, 42 U.S.C. 299b-21 through 299b-26.[1] The Patient Safety Act focuses on creating a voluntary program through which health care providers can share information relating to patient safety events with PSOs, with the aim of improving patient safety and the quality of care nationwide. The statute attaches privilege and confidentiality protections to this information, termed "patient safety work product," to encourage providers to share this information without fear of liability and creates PSOs to receive this protected information and analyze patient safety events. These protections will enable all health care providers, including multi-facility health care systems, to share data within a protected legal environment, both within and across states, without the threat that the information will be used against the subject providers.

[1] All citations to provisions in the Patient Safety Act will be to the sections in the Public Health Service Act or its location in the U.S. Code.

However, we note that section 922(g)(2) of the Public Health Service Act is quite specific that these protections do not relieve a provider from its obligation to comply with other Federal, State, or local laws pertaining to information that is not privileged or confidential under the Patient Safety Act: section 922(g)(5) of the Public Health Service Act states that the Patient Safety Act does not affect any State law requiring a provider to report information that is not patient safety work product. The fact that information is collected, developed, or analyzed under the protections of the Patient Safety Act does not shield a provider from needing to undertake similar activities, if applicable, outside the ambit of the statute, so that the provider can meet its obligations with non-patient safety work product. The Patient Safety Act, while precluding other organizations and entities from requiring providers to provide them with patient safety work product, recognizes that the original records underlying patient safety work product remain available in most instances for the providers to meet these other reporting requirements.

We note also that the Patient Safety Act references the Standards for the Privacy of Individually Identifiable Health Information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA Privacy Rule), 45 CFR parts 160 and 164. Many health care providers participating in this program will be covered entities under the HIPAA Privacy Rule and will be required to comply with the HIPAA Privacy Rule when they disclose patient safety work product that contains protected health information. The Patient Safety Act is clear that it is not intended to interfere with the implementation of any provision of the HIPAA Privacy Rule. See 42 U.S.C. 299b-22(g)(3). The statute also provides that civil money penalties cannot be imposed under both the Patient Safety Act and the HIPAA Privacy Rule for a single violation. See 42 U.S.C. 299b-22(f). In addition, the statute states that PSOs shall be treated as business associates, and patient safety activities are deemed to be health care operations under the HIPAA Privacy Rule. See 42 U.S.C. 299b and 299-22(i). Since patient safety activities are deemed to be health care operations, the HIPAA Privacy Rule does not require covered providers to obtain patient authorizations to disclose patient safety work product containing protected health information to PSOs. Additionally, as business associates of providers, PSOs must abide by the terms of their HIPAA business associate contracts, which require them to notify the provider of any impermissible use or disclosure of the protected health information of which they are aware. See 45 CFR 164.504(e)(2)(ii)(C).

(II) Overview of the Proposed and Final Rules

(A) The Proposed Rule

The proposed rule sought to implement the Patient Safety Act to create a voluntary system through which providers could share sensitive information relating to patient safety events without fear of liability, which should lead to improvements in patient safety and in the quality of patient care. The proposal reflected an approach to the implementation of the Patient Safety Act intended to ensure adequate flexibility within the bounds of the statutory provisions and to encourage providers to participate in this voluntary program. The proposed rule emphasized that this program is not federally funded and will be put into operation by the providers and PSOs that wish to participate with little direct federal involvement. However, the process for certification and listing of PSOs will be implemented and overseen by the Agency for Healthcare Research and Quality (AHRQ), while compliance with the confidentiality provisions will be investigated and enforced by the Office for Civil Rights (OCR).

Subpart A of the proposed rule set forth the definitions of essential terms, such as patient safety work product, patient safety evaluation system, and PSO. In order to facilitate the sharing of patient safety work product and the analysis of patient safety events, Subpart B of the proposed rule implemented the statutory requirements for the listing of PSOs, the entities that will offer their expert advice in analyzing the patient safety events and other information they collect or develop to provide feedback and recommendations to providers. The proposed rule established the criteria and set forth a process for certification and listing of PSOs and described how the Secretary would review, accept, condition, deny, or revoke certifications for listing and continued listing of entities as PSOs.

Based on the statutory mandates in the Patient Safety Act, Subpart C of the proposed rule set forth the privilege and confidentiality protections that attach to patient safety work product; it also set forth the exceptions to these protections. The proposed rule provided that patient safety work product generally continues to be protected as privileged and confidential following a disclosure and set certain limitations on redisclosure of patient safety work product.

Subpart D of the proposed rule established a framework to enable the Secretary to monitor and ensure compliance with this Part, a process for imposing a civil money penalty for breach of the confidentiality provisions, and procedures for a hearing contesting the imposition of a civil money penalty. These provisions were modeled largely on the HIPAA Enforcement Rule at 45 CFR part 160, subparts C, D and E.

(B) The Final Rule

We received over 150 comments on the proposed rule from a variety of entities, including small providers and large institutional providers, hospital associations, medical associations, accrediting bodies, medical liability insurers, and state and federal agencies. Many of the commenters expressed support for the proposed rule and the protections it granted to sensitive information related to patient safety events.

Based upon the comments received, the final rule adopts most of the provisions of the proposed rule without modification; however, several significant changes to certain provisions of the proposed rule have been made in response to these comments. Changes to Subpart A include the addition of a definition of affiliated provider. The definitions of component organization, parent organization, and provider were modified for clarity, and the definition of disclosure was modified to clarify that the sharing of patient safety work product, between a component PSO and the entity of which it is a part, qualifies as a disclosure, while the sharing of patient safety work product between a physician with staff privileges and the entity with which it holds privileges is not a disclosure. We have also modified the definition of patient safety work product to include information that, while not yet reported to a PSO, is documented as being within a provider's patient safety evaluation system and that will be reported to a PSO. This modification allows for providers to voluntarily remove, and document the removal of, information from the patient safety evaluation system that has not yet been reported to a PSO, in which case, the information is no longer patient safety work product.

The most significant modifications to Subpart B include the following. With respect to the listing of PSOs, we have broadened the list of excluded entities at § 3.102(a)(2)(ii), required PSOs at § 3.102(b)(1)(i)(B) to notify reporting providers of inappropriate disclosures or security breaches related to the information they reported, specified compliance with the requirement regarding the collection of patient safety work product in § 3.102(b)(2)(iii), eliminated the requirements for separate information systems and restrictions on shared staff for most component PSOs but added additional restrictions and limitations for PSOs that are components of excluded entities at § 3.102(c), and narrowed and clarified the disclosure requirements that PSOs must file regarding contracting providers with whom they have additional relationships at § 3.102(d)(2). We have modified the security requirement to provide flexibility for PSOs to determine whether to maintain patient safety work product separately from unprotected information. The final rule includes a new expedited revocation process at § 3.108(e) for exceptional circumstances that require prompt action, and eliminates implied voluntary relinquishment, providing instead in § 3.104(e) that a PSO's listing automatically expires at the end of three years, unless it is revoked for cause, voluntarily relinquished, or its certifications for continued listing are approved.

Changes to proposed Subpart C include the addition of language in § 3.206(b)(2) that requires a reporter seeking equitable relief to obtain a protective order to protect the confidentiality of patient safety work product during the course of the proceedings. Proposed § 3.206(b)(4) has been amended to allow disclosures of identifiable, non-anonymized patient safety work product among affiliated providers for patient safety activities. In addition, proposed § 3.206(b)(7) has been modified to make clear that the provision permits disclosures to and among FDA, entities required to report to FDA, and their contractors. We also have modified proposed § 3.206(b)(8) to require providers voluntarily disclosing patient safety work product to accrediting bodies either to obtain the agreement of identified non-disclosing providers or to anonymize the information with respect to the non-disclosing providers prior to disclosure. Finally, we modified §§ 3.204(c), 3.206(d), and 3.210 to allow disclosures of patient safety work product to or by the Secretary for the purposes of determining compliance with not only the Patient Safety Act, but also the HIPAA Privacy Rule.

In Subpart D, we adopt the proposed provisions except, where reference was made in the proposed rule to provisions of the HIPAA Privacy Rule, the final rule includes the text of such provisions for convenience of the reader.

We describe these provisions, the comments received, and our responses to these comments more fully in the section-by-section description of the final rule below.

(III) Section-by-Section Description of Final Rule and Response to Comments

Subpart A. General Provisions

(1) § 3.10-Purpose

Proposed Rule: Proposed § 3.10 provided that the purpose of proposed Part 3 is to implement the Patient Safety and Quality Improvement Act of 2005 (Pub. L. 109-41), which amended the Public Health Service Act (42 U.S.C. 299 et seq.) by inserting new sections 921 through 926, 42 U.S.C. 299b-21 through 299b-26.

Overview of Public Comments: No comments were received pertaining to this section.

Final Rule: The Department adopts the proposed provision without modification.

(2) § 3.20-Definitions

Proposed Rule: Proposed § 3.20 provided for definitions applicable to Part 3. Some definitions were restatements of the definitions at section 921 of the Public Health Service Act, 42 U.S.C. 299b-21, and other definitions were provided for convenience or to clarify the application and operation of the proposed rule.

Overview of Public Comments: With respect to the definitions for AHRQ, ALJ, Board, complainant, component PSO, confidentiality provisions, entity, group health plan, health maintenance organization, HHS, HIPAA Privacy Rule, identifiable patient safety work product, nonidentifiable patient safety work product, OCR, Patient Safety Act, patient safety activities, patient safety organization, person, research, respondent, responsible person, and workforce, we received no comments.

We received a number of comments on the various other definitions and these comments will be addressed below in reference to the specific term.

Final Rule: The Department adopts the above definitions as proposed. Certain definitions were added for convenience or clarity of the reader.

Response to Public Comments

Comment: Commenters requested definitions for accrediting body, reporter, redisclosure, impermissible disclosure, use, evaluation and demonstration projects, and legislatively created PSO.

Response: The Department does not agree that the additional definitions requested by commenters are necessary. Some definitions requested have generally accepted meanings and we do not believe there is benefit in imposing more limitations on such terms. Some terms such as legislatively created PSO are not used within the final rule. Other terms such as impermissible disclosure, use, and reporter are readily understood from the context of the final rule and do not need definitions.

(A) § 3.20-New Definition of Affiliated Provider

Final Rule: The proposed rule did not include a definition for affiliated provider. The Department adopts the term affiliated provider to mean, with respect to a provider, a legally separate provider that is the parent organization of the provider, is under common ownership, management, or control with the provider, or is owned, managed, or controlled by the provider. The Department includes this term to identify to whom patient safety work product may be disclosed pursuant to a clarification of the disclosure permission for patient safety activities.

Overview of Comments: Several commenters were concerned about limitations of disclosures for patient safety activities among providers. Commenters raised concerns that limitations may inhibit the sharing and learning among providers of the analysis of patient safety events. Other commenters viewed the disclosure limitations as restricting a provider's use of its own data. These comments are addressed more fully below as part of the discussion of the patient safety activities disclosure permission.

(B) § 3.20-Definition of Bona Fide Contract

Proposed Rule: Proposed § 3.20 provided that bona fide contract would mean a written contract between a provider and a PSO that is executed in good faith or a written agreement between a Federal, State, local, or Tribal provider and a Federal, State, local, or Tribal PSO.

Overview of Public Comments: One comment was received noting that "good faith" need not be a part of a bona fide contract.

Final Rule: Because meeting the minimum contract requirement is essential for a PSO to remain listed by the Secretary, the Department believes that the requirement that contracts be entered in good faith should be retained. We also note that Federal, State, local or Tribal providers are free to enter into an agreement with any PSO that would serve their needs; thus, they can enter bona fide contracts with PSOs pursuant to paragraph (1) of the definition, or enter comparable arrangements with a Federal, State, local or Tribal PSO pursuant to paragraph (2). The Department adopts the proposed provision without modification.

(C) § 3.20-Definition of Component Organization

Proposed Rule: Proposed § 3.20 provided that component organization would mean an entity that is either:

  1. a unit or division of a corporate organization or of a multi-organizational enterprise; or
  2. a separate organization, whether incorporated or not, that is owned, managed or controlled by one or more other organizations, i.e., its parent organization(s).

Because this definition used terms in a manner that was broader than traditional usage, the proposed rule sought comment on whether it was appropriate for purposes of the regulation to consider a subsidiary, an otherwise legally independent entity, as a component organization.

With respect to the terms "owned, managed, or controlled," the preamble directed readers to our description of these concepts in our discussion of the term "parent organization." The preamble to the proposed rule discussed the various ways that an organization may be controlled by others. In particular, there was a discussion of multi-organizational enterprises and the variety of management relationships or forms of control that such enterprises can create that might impact component entities. The preamble also discussed the traditional meaning of subsidiaries as being separate legal entities and, therefore, not within the ordinary meaning of the term "component." However, the approach of the proposed rule was to express the Department's intention to encourage all forms of PSO organizational arrangements including the ownership of PSOs as subsidiaries. At the same time, we wanted to be able to accurately determine and to indicate to providers which PSOs should be considered components of other entities and the identity of a component PSO's parent organization. We explained our intent was not to limit our approach to corporate forms of organizations.

Overview of Public Comments: The majority of commenters supported our proposal to consider subsidiaries as component organizations for the purposes of this rule. Several commenters sought reassurance that our interpretation does not impose additional legal liability on the parent organization.

Concern was expressed that our approach suggested an over-reliance on the corporate model and the definition needed to reflect other types of legally recognized entities. One comment reflected concern that our reference to "multi-organizational enterprise" in the definition was unnecessarily confusing because it was not commonly used. Another commenter disagreed with our approach entirely, arguing that the scope of our definition was overly broad and unnecessary.

Final Rule: The final rule now defines "component organization" to mean an entity that:

  1. "Is a unit or division of a legal entity (including a corporation, partnership, or a Federal, State, local or Tribal agency or organization); or
  2. Is owned, managed, or controlled by one or more legally separate parent organizations."

The definition of component organization is intended to be read with a focus on management or control by others as its defining feature. The definition must be read in conjunction with the complementary definition of "parent organization." While our approach remains little changed, we have rearranged and streamlined the text of the definition of component in response to the comments and concerns we received on it. For example, there is no longer an explicit reference in the definition of component to multi-organizational enterprises, which are undertakings with separate corporations or organizations that are integrated in a common business activity. The revised definition, however, is sufficiently broad to apply to components of such enterprises. In response to concerns that the earlier definition was too focused on corporate organizations, we have incorporated an explicit reference to "other legal entities" besides corporations. In addition, specific references have been added to more clearly accommodate possible organizational relationships of public agencies, such as the Department of Defense (DoD), Department of Veterans Affairs (VA), the Indian Health Service (IHS), and other State, local, and Tribal organizations that manage or deliver health care services.

In the scenario envisioned by the first prong of the definition, the legal entity is a parent organization and the component organization is a unit or division within the parent organization. An underlying assumption of the modified paragraph (1) is that a unit or division of a legal entity may be managed or controlled by one or more parent organizations. Consistent with this paragraph, a component PSO may be managed or controlled by the legal entity of which it is a part or by another unit or division of that entity. It could also be controlled by a legally separate entity under the second paragraph of the definition.

The first prong of the definition encompasses a component PSO that is a unit of a governmental agency that is a legal entity. This could include a component organization managed by another division of such a governmental agency, e.g., a health care division of VA or DoD. Thus, a component PSO could be a unit or component of a Federal agency that is a legal entity and it could at the same time be a component of another unit or division of that agency which controls and directs or manages its operation. So too in the private sector, a component PSO could have more than one parent and thus be a component, for example, of a professional society as well as a component of the unit or division of the professional society that controls or manages the PSO.

The second prong of the definition addresses a variety of organizational relationships that could arise between component PSOs and legally separate parent organizations that manage or control them. Under paragraph (2), a subsidiary PSO could be managed or controlled by its legally separate parent organization. In addition, we note that a component PSO could be managed or controlled by another unit or division of its legally separate parent, e.g., if this unit or division uses its knowledge and skills to control or manage certain aspects of the component's operations. If that occurs, we would consider the sibling subsidiary that exercises control or management over the PSO as another parent organization of the PSO.

Obtaining the identity and contact information of an entity's parent organizations is useful for the purpose of letting providers know who may be managing or controlling a PSO. This information also will be useful in implementing the certification and listing process for PSOs described in the rule which, for instance, excludes any health insurance issuer from becoming a PSO and excludes a component of a health insurance issuer from becoming a PSO.

In response to commenters concerned about the legal liability for parent organizations of component PSOs, we note that the preamble to the proposed rule stated as follows: "We stress that neither the statute nor the proposed regulation imposes any legal responsibilities, obligations, or liability on the organization(s) of which it [the PSO] is a part." The Department reaffirms its position. At the same time, we note that the rule, at § 3.402(b), recognizes, provides for, and does not alter the liability of principals based on Federal common law.

Response to Other Public Comments

Comment: One concern that was expressed by several commenters pertained to whether or not a health system that has a component or subsidiary health insurance issuer, e.g., a group health plan offered to the public, would be precluded from having a component PSO as well.

Response: So long as the component health insurance issuer does not come within the definition of a parent organization of the PSO, i.e., own a controlling or majority interest in, manage, or control the health system's component PSO (i.e., the PSO would not be a component of the health insurance issuer), the parent health system could establish a component PSO.

Comment: It was asserted that including subsidiaries as components would require a PSO that is not controlled by another parent organization, but itself has a subsidiary, to seek listing as a component PSO.

Response: The revised definition of component organization emphasizes that a component is an organization that is controlled by another entity. It is not the Department's intention to require a PSO that is not controlled by another entity to seek listing as a component PSO. For this reason, the fact that a PSO has a subsidiary does not trigger the requirement to seek listing as a component organization.

Comment: It was suggested that the inclusion of subsidiaries within the meaning of component would require a health system that wished to create a PSO to create it as a component.

Response: There are several issues that a health system needs to consider in determining whether and how to create a PSO, but the inclusion of subsidiary within the meaning of component is not necessarily determinative. The statute requires the improvement of quality and patient safety to be the primary activity of the entity seeking listing. Since few multifaceted health system organizations will meet this requirement, existing organizations will have an incentive to create single-purpose component organizations that clearly meet the requirement. The second issue is whether to create a PSO as an internal component organization or as a separate legal entity. Because the final rule requires each PSO to enter two contracts, provider organizations may find it useful for its component PSO to be a separate legal entity. Otherwise, the component PSO may be precluded from contracting with its parent organization.

Comment: There was a request for a definition of "own" with a suggestion for reference to Internal Revenue Code 26 I.R.C. § 1563 to clarify its meaning and the meaning of having a controlling interest. This same commenter sought strong separation requirements between a component PSO and any parent organization.

Response: We have reviewed the cited regulation but conclude that the approach presented is unlikely to clarify the meaning of "own" or "having a controlling interest" for purposes of the regulation. Accordingly, the definition of component in the final rule will use the term "owns," but it should be read in conjunction with the phrase "owns a controlling or majority interest in" that is used in the related definition of "parent organization." This will indicate that the definition of component uses the term "owns" to mean having a sufficient ownership interest to control or manage a PSO. The holder of a controlling or majority interest in the entity seeking to be listed should be identified as a parent organization.

Comment: Components of government entities should not be listed as PSOs.

Response: The Patient Safety Act specifically permits public sector entities, and components of public sector entities, to seek listing as a PSO. We have incorporated several exclusions, however, of entities with regulatory authority and those administering mandatory state reporting programs because these activities are incompatible with fostering a non-punitive culture of safety among providers. As we explain in § 3.102(a)(2)(ii), we conclude that it is not necessary to exclude components of such entities but have adopted additional restrictions and requirements in § 3.102(c) for such component entities.

(D) § 3.20-Definition of Disclosure

Proposed Rule: Proposed § 3.20 provided that disclosure would mean the release, transfer, provision of access to, or divulging in any other manner of patient safety work product by a person holding patient safety work product to another person.

We did not generally propose to regulate uses of patient safety work product within an entity, i.e., when this information is exchanged or shared among the workforce members of an entity. We believe that regulating uses within providers and PSOs would be unnecessarily intrusive given the voluntary aspect of participation with a PSO. We believe that regulating uses would not further the statutory goal of facilitating the sharing of patient safety work product with PSOs and that sufficient incentives exist for providers and PSOs to prudently manage the internal sharing of sensitive patient safety work product. However, based on the statutory provision, we did propose that we would recognize as a disclosure the sharing of patient safety work product between a component PSO and the organization of which it is a component. Such sharing would, absent the statutory provision and the proposed regulation, be a use within the larger organization because the component PSO is not a separate entity. The Patient Safety Act supports this position by demonstrating a strong desire for the protection of patient safety work product from the rest of the organization of which the PSO is a part. We sought public comment on whether the decision to not regulate uses was appropriate.

The proposed rule discussed that sharing patient safety work product with a contractor that is under the direct control of an entity, i.e., a workforce member, would not be a disclosure, but rather a use within the entity. However, sharing patient safety work product with an independent contractor would be a disclosure requiring an applicable disclosure permission.

Overview of Public Comments: Some commenters supported the proposed definition of disclosure. No commenters opposed the proposed definition or requested further clarification.

Most commenters that responded to the question whether uses of patient safety work product should be regulated supported the decision not to regulate uses. Those commenters agreed that regulating uses would be overly intrusive without significant benefit and that entities are free to enter into agreements with greater protections. Other commenters disagreed with the Department's proposal and stated that regulation of uses would improve confidentiality and thereby increase provider participation.

No commenters opposed the proposal that sharing of patient safety work product from a component PSO to the rest of the parent entity of which it is a part would be a disclosure for purposes of enforcement rather than a use internal to the entity.

Final Rule: The Department adopts the provision with modifications. In general, the modified definition of disclosure means the release of, transfer of, provision of access to, or divulging in any other manner of, patient safety work product by an entity or natural person holding the patient safety work product to another legally separate entity or natural person, other than a workforce member of, or a physician holding privileges with, the entity holding the patient safety work product. Additionally, we have defined as a disclosure the release of, transfer of, provision of access to, or divulging in any other manner of, patient safety work product by a component PSO to another entity or natural person outside the component PSO.

We have modified the language for clarity to distinguish the actions that are a disclosure for a natural person and an entity, separately. We have also included language in the definition that makes clear that sharing of patient safety work product from a component PSO to the entity of which it is a part is a disclosure even though the disclosure would be internal to an entity and generally permitted. Finally, we have added language to clearly indicate that the sharing of patient safety work product between a health care provider with privileges and the entity with which it holds privileges does not constitute a disclosure, consistent with the treatment of patient safety work product shared among workforce members.

Response to Other Public Comments

Comment: Commenters asked that the Department clarify the terms "disclosure" and "use." Commenters stated that the terms were used interchangeably and this caused confusion.

Response: The term "disclosure" describes the scope of the confidentiality protections and the manner in which patient safety work product may be shared. "Disclosure" is also employed by the Patient Safety Act when describing the assessment of civil money penalties for the failure to maintain confidentiality (see 42 U.S.C. 299b-22(f)(1)). Although the Patient Safety Act employs the term "use" in several provisions, we did not interpret those provisions to include a

Because the focus of the proposed rule was on disclosures, we did not believe that defining the term "use" was helpful; nor did we believe the terms would be confusing. Use of patient safety work product is the sharing within a legal entity, such as between members of the workforce, which is not a disclosure. By contrast, a disclosure is the sharing or release of information outside of the entity for which a specific disclosure permission must be applicable.

Comment: One commenter requested clarification regarding the sharing of patient safety work product among legally separate participants that join to form a single joint venture component PSO.

Response: The Department distinguishes between the disclosure of patient safety work product between legal entities and the use of patient safety work product internal to a single legal entity. If a component PSO is part of a multi-organizational enterprise, uses of patient safety work product internal to the component PSO are not regulated by this final rule, but sharing of patient safety work product between the component PSO and another entity or with a parent organization are considered disclosures for which a disclosure permission must apply.

Comment: One commenter raised concerns that the final rule would restrict a provider's use of its own data and thereby discourage collaboration with other care givers.

Response: The Department believes that the final rule balances the interests between the privacy of identified providers, patients and reporters and the need to aggregate and share patient safety work product to improve patient safety among all providers. The final rule does not limit the sharing of patient safety work product within an entity and permits sharing among providers under certain conditions. Affiliated providers may share patient safety work product for patient safety activities and non-affiliated providers may share anonymized patient safety work product. A provider may also share patient safety work product with a health care provider that has privileges to practice at the provider facility. Further, if all identified providers are in agreement regarding the need to share identifiable patient safety work product, each provider may authorize and thereby permit a disclosure.

Comment: Several commenters asked whether uses were restricted based upon the purpose for which the patient safety work product is being shared internally.

Response: The final rule does not limit the purpose for which patient safety work product may be shared internal to an entity. Entities should consider the extent to which sensitive patient safety work product is available to members of its workforce as a good business practice.

(E) § 3.20-Definition of Entity

Proposed Rule: Proposed § 3.20 provided that entity would mean any organization or organizational unit, regardless of whether the entity is public, private, for-profit, or not-for-profit.

Overview of Public Comments: One comment was received suggesting that the terms "governmental" or "body politic" should be added to clarify that the term "public" includes Federal, State, or local government as well as public corporations.

Final Rule: The term "public" has long been used throughout Title 42 of the Code of Federal Regulations as encompassing governmental agencies; therefore we do not believe that the addition is necessary. The Department adopts the proposed provision without modification.

(F) § 3.20-Definition of Health Insurance Issuer

Proposed Rule: Proposed § 3.20 provided that health insurance issuer would mean an insurance company, insurance service, or insurance organization (including a health maintenance organization, as defined in 42 U.S.C. 300gg-91(b)(3)) which is licensed to engage in the business of insurance in a State and which is subject to State law which regulates insurance (within the meaning of 29 U.S.C. 1144(b)(2)). The definition specifically excluded group health plans from the meaning of the term.

Overview of Public Comments: Several commenters expressed concern that the Department needed to be vigilant in its exclusion of health insurance issuers and components of health insurance issuers, urging that HHS clearly define health insurance issuers in the final rule. Another commenter sought clarification regarding risk management service companies, i.e., those that offer professional liability insurance, reinsurance, or consulting services.

Final Rule: The Department has reviewed the definition of "health insurance issuer" and determined that the definition is clear. Because the reference to group health plans could be a source of confusion, we note that we have defined the term above. Accordingly, the Department adopts the proposed provision without modification.

In response to several comments regarding the scope of the term health insurance issuer, the Department has concluded that, for purposes of this rule, risk management service companies, professional liability insurers and reinsurers do not fall within the definition of health insurance issuer.

Response to Other Public Comments

Comment: One commenter asked if a provider system that was owned as a subsidiary by an HMO could create a component PSO.

Response: Section 3.102(a)(2)(i) excludes a health insurance issuer, a unit or division of a health insurance issuer, or an entity that is owned, managed, or controlled by a health insurance issuer from seeking listing as a PSO. In this case, the HMO is considered a health insurance issuer and the provider system would be a component of the health insurance issuer. Under the rule, the HMO and the provider system may not seek listing as a PSO, and the entity created by the provider system could not seek listing as a component PSO if it is owned, managed or controlled by the provider system or the HMO.

Comment: One commenting organization requested discussion of what organizational structure might allow a health insurance issuer to participate in the patient safety work of an independent PSO.

Response: The statutory exclusion means that the following entities may not seek listing: a health insurance issuer or a component of a health insurance issuer.

(G) § 3.20-Definition of Parent Organization

Proposed Rule: Proposed § 3.20 provided that "parent organization" would mean an entity, that alone or with others, either owns a provider entity or a component organization, or has the authority to control or manage agenda setting, project management, or day-to-day operations of the component, or the authority to review and override decisions of a component organization. The proposed rule did not provide a definition of "owned" but provided controlling interest (holding enough stock in an entity to control it) as an example of ownership in the preamble discussion of the term, "parent organization." The proposed rule specifically sought comment on our use of the term "controlling interest," whether it was appropriate, and whether we needed to further define "owns." The remaining terms, "manage or control," were explained in the proposed rule's definition of "parent organization," as having "the authority to control or manage agenda setting, project management, or day-to-day operations of the component, or the authority to review and override decisions of a component organization."

Overview of Public Comments: We received eight comments on the question of "controlling interest" and there was no consensus among the commenters. Four commenters thought our discussion was appropriate. Another agreed with the concept of controlling interest but wanted to limit its application to a provider who reported patient safety work product to the entity. One commenter cautioned that the term "controlling interest" was open to various interpretations and the final rule should provide additional guidance. Another commenter suggested "controlling interest" was worrisome but did not provide a rationale for this assessment. One commenter supported additional protections, contending that it was appropriate for HHS to pierce the corporate veil when there was fraud or collusion, and recommended the preamble outline situations in which HHS would pierce the corporate veil.

We received no negative comments on our proposed interpretation of what it means to manage or control another entity. One commenter suggested that the definition should recognize the significant authority or control of a provider entity or component organization through reserve powers, by agreement, statute, or both.

Final Rule: While approximately half of the comments supported our approach, there was not a clear consensus in the comments we reviewed. So the approach we have taken with the definition of "parent organization" was to strive for greater clarity, taking into account its interaction with our definition of "component organization," described above.

The definition of "parent organization" in the final rule retains the basic framework of the proposed rule definition: an organization is a parent if it owns a component organization, has the ability to manage or control a component, or has the authority to review and overrule the component's decisions.

The language of the proposed rule used only the term "own" while the preamble cited the example of stock ownership. Without further specification, we were concerned that this approach could have been interpreted to mean that an organization owning just a few shares of stock of a component organization would be considered a parent organization. This is not our intent. For clarity, we have modified the text to read "owns a controlling or majority interest."

We have also removed the phrase "alone or with others" from the first clause. We did so for two reasons. First, it is unnecessary since it does not matter whether ownership is shared with other organizations, as in a joint venture. An entity seeking listing as a PSO will use this definition solely to determine if it has any parent organizations and, if it does, it must seek listing as a component organization and disclose the names and contact information for each of its parent organizations. Second, we have tried to make it as clear as possible that any organization that has controlling ownership interests, or management or control authority over a PSO, should be considered, and reported in accordance with the requirements of § 3.102(c)(1)(i), as a parent organization.

For similar reasons, we have removed the reference to provider from the first part of the definition and instead consistently used the term "component organization" with respect to each characteristic of a parent organization. We added a second sentence to clarify that a provider could be the component organization in all three descriptive examples given of parental authority.

In response to one commenter's concern, we believe that the phrase "has the authority" as used in the definition is sufficiently broad to encompass reserve powers.

(H) § 3.20-Definition of Patient Safety Evaluation System

Proposed Rule: Proposed § 3.20 provided that patient safety evaluation system would mean the collection, management, or analysis of information for reporting to or by a PSO. The patient safety evaluation system would be the mechanism through which information can be collected, maintained, analyzed, and communicated. The proposed rule discussed that a patient safety evaluation system would not need to be documented because it exists whenever a provider engages in patient safety activities for the purpose of reporting to a PSO or a PSO engages in these activities with respect to information for patient safety purposes. The proposed rule provided that formal documentation of a patient safety evaluation system could designate secure physical and electronic space for the conduct of patient safety activities and better delineate various functions of a patient safety evaluation system, such as when and how information would be reported by a provider to a PSO, how feedback concerning patient safety events would be communicated between PSOs and providers, within what space deliberations and analyses of information are conducted, and how protected information would be identified and separated from information collected, maintained, or developed for purposes other than reporting to a PSO.

The Department recommended that a provider consider documentation of a patient safety evaluation system to support the identification and protection of patient safety work product. Documentation may provide substantial proof to support claims of privilege and confidentiality and will give notice to, will limit access to, and will create awareness among employees of, the privileged and confidential nature of the information within a patient safety evaluation system which may prevent unintended or impermissible disclosures.

We recommended that providers and PSOs consider documenting how information enters the patient safety evaluation system; what processes, activities, physical space(s) and equipment comprise or are used by the patient safety evaluation system; which personnel or categories of personnel need access to patient safety work product to carry out their duties involving operation of, or interaction with, the patient safety evaluation system; the category of patient safety work product to which access is needed and any conditions appropriate to such access; and what procedures the patient safety evaluation system uses to report information to a PSO or disseminate information outside of the patient safety evaluation system.

The proposed rule sought comment about whether a patient safety evaluation system should be required to be documented.

Overview of Public Comments: Several commenters supported the efforts to enable the patient safety evaluation system to be flexible and scalable to individual provider operations. Most commenters that responded to the question whether a patient safety evaluation system should be documented supported the decision to not require documentation. Commenters stated that requiring documentation would inhibit the flexibility in the design of patient safety evaluation systems and the ability of providers to design systems best suited for their specific practices and settings. Documentation would also be burdensome to providers and should ultimately be left to the discretion of individual providers based on their needs. Other commenters supported a requirement for documentation, suggesting that documentation would go further in ensuring compliance with the confidentiality provisions and the protection of information, thereby encouraging provider participation.

Final Rule: The Department adopts the proposed provision without modification. Based on the comments, we have not modified the proposed decision to not require documentation. We have, as described in the definition of patient safety work product below, clarified how documentation of a patient safety evaluation system clearly establishes when information is patient safety work product. We encourage providers to document their patient safety evaluation systems for the benefits mentioned above. We believe documentation is a best practice.

Response to Other Public Comments

Comment: Two commenters raised concerns about how a patient safety evaluation system operates within a multi-hospital system comprised of a parent corporation and multiple hospitals that are separately incorporated and licensed. One commenter asked whether a parent corporation can establish a single patient safety evaluation system in which all hospitals participate. The other commenter recommended that individual institutional affiliates of a multi-hospital system be part of a single patient safety evaluation system.

Response: For a multi-provider entity, the final rule permits either the establishment of a single patient safety evaluation system or permits the sharing of patient safety work product as a patient safety activity among affiliated providers. For example, a hospital chain that operates multiple hospitals may include the parent organization along with each hospital in a single patient safety evaluation system. Thus, each hospital may share patient safety work product with the parent organization and the patient safety evaluation system may exist within the parent organization as well as the individual hospitals.

There may be situations where establishing a single patient safety evaluation system may be burdensome or a poor solution to exchanging patient safety work product among member hospitals. To address this concern, we have modified the disclosure permission for patient safety activities to permit affiliated providers to disclose patient safety work product with each other based on commonality of ownership.

Comment: One commenter asked how a patient safety evaluation system exists within an institutional provider.

Response: A patient safety evaluation system is unique and specific to a provider. The final rule retains a definition of a patient safety evaluation system that is flexible and scalable to meet the specific needs of particular providers.

With respect to a single institutional provider, such as a hospital, a provider may establish a patient safety evaluation system that exists only within a particular office or that exists at particular points within the institution. The decisions as to how a patient safety evaluation system operates will depend upon the functions the institutional provider desires the patient safety evaluation system to perform and its tolerances regarding access to the sensitive information contained within the system. Providers should consider how a patient safety evaluation system is constructed, carefully weighing the balance between coordination and fragmentation of a provider's activities.

Comment: Some commenters were concerned that the patient safety evaluation system provided a loophole for providers to avoid transparency of operations and hide information about patient safety events. Some commenters suggested that a provider may establish a patient safety evaluation system that is inside of a PSO, thus stashing away harmful documents and information.

Response: The Department does not believe that the patient safety evaluation system enables providers to avoid transparency. A patient safety evaluation system provides a protected space for the candid consideration of quality and safety. Nonetheless, the Patient Safety Act and the final rule have carefully assured that information generally available today remains available, such as medical records, original provider documents, and business records. Providers must fulfill external reporting obligations with information that is not patient safety work product. Further, a provider may not maintain a patient safety evaluation system within a PSO.

Comment: One commenter asked whether all information in a patient safety evaluation system is protected.

Response: Information collected within a patient safety evaluation system that has been collected for the purpose of reporting to a PSO is patient safety work product if documented as collected for reporting to a PSO. This is discussed more fully at the definition of patient safety work product below. Information that is reported to a PSO is also protected, as discussed more fully at the definition of patient safety work product below.

Comment: One commenter was concerned that the lack of a framework and too much flexibility may interfere with interoperability and data aggregation at a later date.

Response: The Department believes that a patient safety evaluation system must of necessity be flexible and scalable to meet the needs of specific providers and PSOs. Without such flexibility, a provider may not participate, which may lessen the overall richness of the information that could be obtained about patient safety events. The Department recognizes the value of aggregated data and has, pursuant to the Patient Safety Act, begun the process of identifying standard data reporting terms to facilitate aggregation and interoperability. Further, the Patient Safety Act requires that PSOs, to the extent practical and appropriate, collect patient safety work product in a standardized manner (see 42 U.S.C. 299b-24(b)(1)(F)). The Department hopes that, by permitting the widest range possible of providers to participate in the gathering and analysis of patient safety events, increased participation will generate more data and greater movement towards addressing patient safety issues.

Comment: Many commenters encouraged the Department to provide technical assistance to providers and PSOs on the structuring and operation of a patient safety evaluation system.

Response: The Department expects to provide such guidance on the operation and activities of patient safety evaluation systems as it determines is necessary.

(I) § 3.20-Definition of Patient Safety Work Product

Proposed Rule: Proposed § 3.20 adopted the statutory definition of patient safety work product as defined in the Patient Safety Act. The proposed rule provided that many types of information can become patient safety work product to foster robust exchanges between providers and PSOs. Any information must be collected or developed for the purpose of reporting to a PSO.

Three provisions identified how information becomes patient safety work product. First, information may become patient safety work product if it is assembled or developed by a provider for the purpose of reporting to a PSO and is reported to a PSO. Second, patient safety work product is information developed by a PSO for the conduct of patient safety activities. Third, patient safety work product is information that constitutes the deliberations or analysis of, or identifies the fact of reporting pursuant to, a patient safety evaluation system.

The proposed rule provided that reporting means the actual transmission or transfer of information to a PSO. We recognized that requiring the transmission of every piece of paper or electronic file to a PSO could impose significant transmission, management, and storage burdens on providers and PSOs. The proposed rule sought comment on whether alternatives for actual reporting should be recognized as sufficient to meet the reporting requirement. For example, the proposed rule suggested that a provider that contracts with a PSO may functionally report information to a PSO by providing access and control of information to a PSO without needing to physically transmit information. The proposed rule also sought comment on whether additional terms and conditions should be required to permit functional reporting and whether functional reporting should be permitted only after an initial actual report of information related to an event.

The proposed rule also sought comment on whether a short period of protection for information assembled but not yet reported is necessary for flexibility or for providers to efficiently report information to a PSO. We also sought comment on an appropriate time period for such protection and whether a provider must demonstrate intent to report in order to obtain protection.

The proposed rule also sought comment on when a provider could begin collecting information for the purpose of reporting to a PSO such that it is not excluded from becoming patient safety work product because it was collected, maintained or developed separately from a patient safety evaluation system.

The proposed rule indicated that, if a PSO is delisted for cause, a provider would be able to continue to report to that PSO for 30 days after the date of delisting and the information reported would be treated as patient safety work product (section 924(f)(1) of the Public Health Service Act). However, after delisting, the proposed rule indicated that the former PSO may not generate patient safety work product by developing information for the conduct of patient safety activities or through deliberations and analysis of information. Even though a PSO may not generate new patient safety work product after delisting, it may still possess patient safety work product, which must be kept confidential and be disposed of in accordance with requirements in Subpart B.

The proposed rule also described what is not patient safety work product, such as a patient's original medical record, billing and discharge information, or any other original patient or provider record. Patient safety work product does not include information that is collected, maintained, or developed separately or exists separately from, a patient safety evaluation system. This distinction is made because these and similar records must be maintained by providers for other purposes.

The proposed rule also discussed that external reporting obligations as well as voluntary reporting activities that occur for the purpose of maintaining accountability in the health care system cannot be satisfied with patient safety work product. Thus, information that is collected to comply with external obligations is not patient safety work product. The proposed rule provided that such activities include: state incident reporting requirements; adverse drug event information reporting to the Food and Drug Administration (FDA); certification or licensing records for compliance with health oversight agency requirements; reporting to the National Practitioner Data Bank of physician disciplinary actions; or complying with required disclosures by particular providers or suppliers pursuant to Medicare's conditions of participation or conditions of coverage.

The proposed rule also addressed the issue that external authorities may seek information about how effectively a provider has instituted corrective action following identification of a threat to the quality or safety of patient care. The Patient Safety Act does not relieve a provider of its responsibility to respond to such requests for information or to undertake or provide to external authorities evaluations of the effectiveness of corrective action, but the provider must respond with information that is not patient safety work product. The proposed rule provided that recommendations for changes from the provider's patient safety evaluation system or the PSO are patient safety work product. However, the actual changes that the provider implements to improve how it manages or delivers health care services are not patient safety work product, and it would be virtually impossible to keep such changes confidential.

Overview of Public Comments: Commenters raised a significant number of concerns regarding how information becomes patient safety work product under particular provisions of the definition.

Functional Reporting

We received significant feedback from commenters in support of recognizing alternative reporting methods. Most commenters agreed that an alternative reporting arrangement should be permitted to promote efficiency and relieve providers of the burden of continued transmission. Two commenters opposed permitting alternative reporting methods based on the concern that a shared resource may confuse clear responsibility for a breach of information and that a PSO that has access to a provider information system may also have access to patient records and similar information for which access may not be appropriate.

Most commenters rejected the suggestion that functional reporting should be limited to subsequent reports of information rather than allowing functional reports for the first report of an event. Commenters believed that such a limitation would inhibit participation and offset the benefits of allowing functional reporting. Commenters also believed such a limitation would create an artificial distinction between information that is initially and subsequently reported to a PSO. Some commenters believed that details regarding functional reporting are better left to agreement between the provider and PSO engaging in functional reporting. Two commenters did support restricting functional reporting to subsequent information, but did not provide any rationale or concern to support their comment.

No commenters identified additional requirements or criteria that should be imposed beyond a formal contract or agreement. Thus, the final rule permits functional reporting.

When is Information Protected

Commenters raised significant and substantial concerns regarding when the protections for patient safety work product begin, how existing patient safety processes will occur given the protections for patient safety work product, and the likelihood that providers may need to maintain separate systems with substantially duplicate information. A significant majority of commenters responded to the concern regarding the status of information collected, but not yet reported to a PSO. Most commenters agreed with concerns raised by the Department that early protection could ease the burden on providers, preventing a race to report to a PSO. These commenters recommended that information be protected upon collection and prior to reporting. Protection during this time would permit providers to investigate an event and conduct preliminary analyses regarding causes of the event or whether to report information to a PSO. Many commenters were concerned that information related to patient safety events be protected at the same time the information is preserved for other uses. Some providers indicated that if duplication of information is required, providers may opt to not participate due to costs and burdens. Three commenters indicated that there should be no protection until information is reported to a PSO. One commenter was concerned that early protection may interfere with State reporting requirements because information needed to report to a State may become protected and unavailable for State reporting. Another commenter stated that earlier protection would not alleviate the concerns regarding protection prior to reporting.

Commenters provided a wide range of recommendations in response to when protection of information should begin prior to creation of patient safety work product. Commenters suggested that information be protected prior to reporting for as little as 24 hours from an event up to 12 months. Other commenters suggested that a timeframe be reasonable and based upon relevant factors such as the complexity of facts and circumstances surrounding an event.

State Reporting

One of the most significant areas of comment was how processes to create patient safety work product may operate alongside similar processes within a provider. Commenters were particularly concerned that information collected for similar purposes, such as for reporting to a PSO and for reporting to a State health authority, would need to be maintained in separate systems, thereby increasing the burden on providers. The most significant comments received related to how information related to patient safety events may be protected at the same time the information is preserved for other uses. Some providers indicated that if duplication is required, providers may opt to not participate due to costs and burdens.

Earliest Time for Collection of Information

Few commenters responded to the request for comment on the earliest date information could be collected for purposes of reporting to a PSO, a requirement for information to become patient safety work product. Four commenters recommended that information collection be permitted back to the passage of the Patient Safety Act. Four commenters recommended that the earliest date of collection be dependent upon each provider's good faith and intent to collect information for reporting to a PSO.

Final Rule: The Department adopts the proposed provision with some modification.

Functional Reporting

The Department recognizes the concerns raised by commenters regarding the functional reporting proposal, but believes the benefits, namely the relief of burden and the flexibility that derives from not adhering to a narrow reading of the reporting requirement, outweigh the potential negative consequences. First, we recognize that a provider and PSO engaging in this alternative method of reporting have an established relationship for the reporting of information and have spent some time considering how best to achieve a mutually useful and suitable reporting relationship. That relationship will necessitate consideration of what information is necessary and not necessary to achieve the purpose of reporting. Neither a provider nor a PSO is required to accept an alternative reporting mechanism. Further, providers continue to be under the same obligations to protect patient and other medical records from inappropriate access from others, including the PSO, without exception. Second, such a relationship should establish clearly the mechanism for control of information reported or to which the PSO will have access, and the scope of PSO authority to use the information. In addition, the assessment of liability should be addressed and need be no more complex than exists in provider settings today with shared resources and integrated services.

We agree with commenters that limitations regarding the initial or subsequent reporting of information are better left to the providers and PSOs engaging in the practice and that providers and PSOs should be permitted to design the appropriately flexible reporting mechanism befitting the circumstances of their practice setting. We further agree that additional limitations on the ability to use functional reporting are unwarranted, absent clear identification of risks or concerns to be addressed by further limitations.

For these reasons, we clarify that reporting of information to a PSO for the purposes of creating patient safety work product may include authorizing PSO access, pursuant to a contract or equivalent agreement between a provider and a PSO, to specific information in a patient safety evaluation system and authority to process and analyze that information, e.g., comparable to the authority a PSO would have if the information were physically transmitted to the PSO. We do not believe a formal change in the regulatory text is necessitated by this clarification.

When is Information Protected

The Department recognizes that the Patient Safety Act's protections are the foundation to furthering the overall goal of the statute to develop a national system for analyzing and learning from patient safety events. To encourage voluntary reporting of patient safety events by providers, the protections must be substantial and broad enough so that providers can participate in the system without fear of liability or harm to reputation. Further, we believe the protections should attach in a manner that is as administratively flexible as permitted to accommodate the many varied business processes and systems of providers and to not run afoul of the statute's express intent to not interfere with other Federal, State or local reporting obligations on providers.

The proposed rule required that information must be reported to a PSO before the information may become patient safety work product under the reporting provision of the definition of patient safety work product. However, this standard left information collected, but not yet reported to a PSO, unprotected, a cause of significant commenter concern. This standard also might encourage providers to race to report information indiscriminately to obtain protection in situations where a report ultimately may be unhelpful, causing the expenditure of scarce resources both by a provider and a PSO to secure the information as patient safety work product. The proposed rule also may have caused some providers to choose between not participating or developing dual systems for handling similar information at increased costs.

We believe it is important to address the shortcomings of a strict reporting requirement through the following modification. The final rule provides that information documented as collected within a patient safety evaluation system by a provider shall be protected as patient safety work product. A provider would document that the information was collected for reporting to a PSO and the date of collection. The information would become patient safety work product upon collection. Additionally, a provider may document that the same information is being voluntarily removed from the patient safety evaluation system and that the provider no longer intends to report the information to a PSO, in which case there are no protections. If a provider fails to document this information, the Department will presume the intent to report information in the patient safety evaluation system to the PSO is present, absent evidence to the contrary.

We believe this modification addresses the concerns raised by the commenters. Protection that begins from the time of collection will encourage participation by providers without causing significant administrative burden. The alternative is a system that encourages providers to indiscriminately report information to PSOs in a race for protection, resulting in PSOs receiving large volumes of unimportant information. By offering providers the ability to examine patient safety event reports in the patient safety evaluation system without requiring that all such information be immediately reported to a PSO, and by providing a means to remove such information from the patient safety evaluation system and end its status as patient safety work product, the final rule permits providers to maximize organizational and system efficiencies and lessens the need to maintain duplicate information for different needs. Because documentation will be crucial to the protection of patient safety work product at collection, providers are encouraged to document their patient safety evaluation system. We note, however, that a provider should not place information into its patient safety evaluation system unless it intends for that information to be reported to the PSO.

Although this approach substantially addresses commenter concerns, three issues do cause concern. First, because information may be protected back to the time of collection, providers are no longer required to promptly report information to a PSO to ensure protection. Although we believe this is an unavoidable result of the modification, we believe the likely impact may be rare because providers are likely to engage PSOs for their expertise which requires such reporting. Second, the requirement to document collection in a patient safety evaluation system and, potentially, removal from a patient safety evaluation system could be burdensome to a provider. However, we believe these are important requirements particularly in light of the enforcement role OCR will play. A provider will need to substantiate that information is patient safety work product, or OCR will be unable to determine the status of information potentially leaving sensitive information unprotected, or subjecting the provider to penalties for improperly disclosing patient safety work product. Third, the ability of a provider to remove information from a patient safety evaluation system raises concern that a provider may circumvent the intent of a provider employee to obtain protection for information when reporting to the provider's patient safety evaluation system. For providers that engage in functional reporting, the concern is substantially mitigated because, under functional reporting, information is reported to a PSO when it is transmitted to the patient safety evaluation system to which the PSO has access, and, thus, protected. Alternatively, a provider employee may report as permitted directly to a PSO. Ultimately, this issue is to be settled between a provider that wishes to encourage reports that may not otherwise come to light and its employees who must be confident that reporting will not result in adverse consequences.

For these reasons, the Department modifies the definition of patient safety work product to include additional language in the first provision of the definition that protects information based upon reporting to a PSO.

State Reporting

To address commenter concerns about the duplication of resources for similar patient safety efforts and the lack of protection upon collection, we have clarified the requirements for how information becomes patient safety work product when reported to a PSO. Generally, information may become patient safety work product when reported to a PSO. Information may also become patient safety work product upon collection within a patient safety evaluation system. Such information may be voluntarily removed from a patient safety evaluation system if it has not been reported and would no longer be patient safety work product. As a result, providers need not maintain duplicate systems to separate information to be reported to a PSO from information that may be required to fulfill state reporting obligations. All of this information, collected in one patient safety evaluation system, is protected as patient safety work product unless the provider determines that certain information must be removed from the patient safety evaluation system for reporting to the state. Once removed from the patient safety evaluation system, this information is no longer patient safety work product.

Earliest Time for Collection of Information

The Department believes that a clear indication of a specific time when information may first be collected is beneficial to providers by reducing the complexity and ambiguity concerning when information is protected as patient safety work product. Although each provider collecting information for reporting to a PSO may need to support the purpose of information collection at the time of collection, such a standard may be overly burdensome. The Department agrees that information may have been collected for the purpose of reporting to a PSO beginning from passage of the Patient Safety Act. Information that existed prior to the passage of the Patient Safety Act may be subsequently collected for reporting to a PSO, but the original record remains unprotected. This clarification does not require any regulatory language change in the proposed rule.

What is Not Patient Safety Work Product

We reaffirm that patient safety work product does not include a patient's original medical record, billing and discharge information, or any other original patient or provider record; nor does it include information that is collected, maintained, or developed separately or exists separately from, a patient safety evaluation system. The final rule includes the statutory provision that prohibits construing anything in this Part from limiting:

  1. the discovery of or admissibility of information that is not patient safety work product in a criminal, civil, or administrative proceeding;
  2. the reporting of information that is not patient safety work product to a Federal, State, or local governmental agency for public health surveillance, investigation, or other public health purposes or health oversight purposes; or
  3. a provider's recordkeeping obligation with respect to information that is not patient safety work product under Federal, State or local law. Section 921(7)(B)(iii) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(B)(iii).

The final rule does not limit persons from conducting additional analyses for any purpose regardless of whether such additional analyses involve issues identical to or similar to those for which information was reported to or assessed by a PSO or a patient safety evaluation system. Section 922(h) of the Public Health Service Act, 42 U.S.C. 299b-22(h).

Even when laws or regulations require the reporting of the information regarding the type of events also reported to PSOs, the Patient Safety Act does not shield providers from their obligation to comply with such requirements. These external obligations must be met with information that is not patient safety work product and oversight entities continue to have access to this original information in the same manner as such entities have had access prior to the passage of the Patient Safety Act. Providers should carefully consider the need for this information to meet their external reporting or health oversight obligations, such as for meeting public health reporting obligations. Providers have the flexibility to protect this information as patient safety work product within their patient safety evaluation system while they consider whether the information is needed to meet external reporting obligations. Information can be removed from the patient safety evaluation system before it is reported to a PSO to fulfill external reporting obligations. Once the information is removed, it is no longer patient safety work product and is no longer subject to the confidentiality provisions.

The Patient Safety Act establishes a protected space or system that is separate, distinct, and resides alongside but does not replace other information collection activities mandated by laws, regulations, and accrediting and licensing requirements as well as voluntary reporting activities that occur for the purpose of maintaining accountability in the health care system. Information is not patient safety work product if it is collected to comply with external obligations, such as: state incident reporting requirements; adverse drug event information reporting to the Food and Drug Administration (FDA); certification or licensing records for compliance with health oversight agency requirements; reporting to the National Practitioner Data Bank of physician disciplinary actions; complying with required disclosures by particular providers or suppliers pursuant to Medicare's conditions of participation or conditions of coverage; or provision of access to records by Protection and Advocacy organizations as required by law.

Response to Other Public Comments

Comment: One commenter in responding to questions about timing and early protection interpreted the timing concern to be an expiration of an allowed period of time to report, such that an event must be reported within a certain number of days or it may not become protected.

Response: As noted above, the timing issues in the final rule relate to when information may have been collected for reporting to a PSO. There is no expiration date for an event that would prohibit future protection of a report of it as patient safety work product so long as the protection of the information is pursuant to the final rule.

Comment: One commenter suggested that event registries may seek to become PSOs because the model is well positioned to allow for tracking and identification of patients that require follow-up.

Response: The Department recognizes that event registries may have particular benefits that may be helpful in the analysis of patient safety events, but we caution any holder of patient safety work product that future disclosure of patient safety work product must be done pursuant to the disclosure permissions. Thus, while it may be appropriate for event registries to identify and track patients who may require follow-up care, the final rule would generally not permit disclosure of patient safety work product to patients for such a purpose. Accordingly, while there may be benefits to an event registry becoming a PSO, a registry should take into consideration the limitations on disclosure of patient safety work product, and what impact such limits would have on its mission, prior to seeking listing.

Comment: Several commenters sought clarification whether information underlying analyses within a patient safety evaluation system was protected. One commenter suggested that data used to conduct an analysis should be protected at the same time as the analysis.

Response: As indicated in the definition of patient safety work product, information that constitutes the deliberation or analysis within a patient safety evaluation system is protected. Information underlying the analysis may have been either reported to a PSO and protected or collected in a patient safety evaluation system. Information documented as collected within a patient safety evaluation system is protected based on the modification to the definition of patient safety work product. Thus, information underlying an analysis may be protected. However, underlying information that is original medical records may not be protected if it is excluded by the definition of patient safety work product.

Comment: Two commenters raised concerns that PSOs do not have discretion regarding the receipt of unsolicited information reported to PSOs from providers. One commenter was concerned about the burden on a PSO receiving unsolicited reports and the obligation a PSO may have regarding unsolicited reports. Another commenter was concerned that unsolicited reports may be materially flawed or contain incorrect information.

Response: The Department does not agree that this is a major issue for PSOs or that PSOs need some regulatory ability to reject reported information. If a PSO receives information from a provider that was collected by that provider for the purposes of sending to a PSO, then the information is patient safety work product. PSOs may use or analyze the information, but must protect it as patient safety work product and dispose of the information properly. However, there is no requirement that a PSO maintain or analyze the information. For these reasons, we do not modify the proposed rule position regarding these issues.

Comment: Some commenters were concerned that recommendations of PSOs may be treated as a standard of care. Commenters recommended that recommendations from PSOs be protected as patient safety work product.

Response: The Department stated in the proposed rule that PSO recommendations are patient safety work product, but the changes undertaken by a provider based upon a PSO's recommendations are not patient safety work product. With respect to the concern that PSO recommendations may establish a standard of care, the issue is not within the scope of the Patient Safety Act and not appropriate for the regulation to address. Generally, the establishment of a standard of care is a function of courts and entities that have jurisdiction over the issue for which a standard of care is relevant. The introduction of patient safety work product as information that may help establish a standard of care is highly unlikely given the limited disclosure permissions. For these reasons, we make no modifications in the final rule.

Comment: Several commenters raised concerns about the distinction between original documents and copies of original documents. One commenter stated that it was an artificial distinction in an electronic environment.

Response: The Patient Safety Act and the final rule distinguish certain original records from information collected for reporting to a PSO. Because information contained in these original records may be valuable to the analysis of a patient safety event, the important information must be allowed to be incorporated into patient safety work product. However, the original information must be kept and maintained separately to preserve the original records for their intended purposes. If the information were to become patient safety work product, it could only be disclosed pursuant to the confidentiality protections.

Comment: One commenter was concerned that information collected for reporting to a PSO may be the same information providers collect for reporting to a state regulatory agency. The commenter suggested that protections should only attach to information after state-mandated reporting requirements have been fulfilled. The commenter was concerned that the confidentiality protections may impede state data collection, surveillance and enforcement efforts. A separate commenter requested clarification that if patient safety work product is reported under a state mandated incident reporting system, the patient safety work product continues to be protected.

Response: The final rule is clear that providers must comply with applicable regulatory requirements and that the protection of information as patient safety work product does not relieve a provider of any obligation to maintain information separately. The Department believes that some providers, such as hospitals, have been operating in similar circumstances previously when conducting peer review activities under state peer review law protections. For patient safety work product to be disclosed, even to a State entity, the discloser must have an applicable disclosure permission. While the Patient Safety Act does not preempt state laws that require providers to report information that is not patient safety work product, a State may not require that patient safety work product be disclosed.

Comment: One commenter advised that the final rule should build on existing infrastructure for reporting and examination of patient safety events to minimize duplication of resources and maximize existing efforts.

Response: The Department has modified the proposed rule to address the potential issue of duplicated resources by allowing providers the flexibility to collect and review information within a patient safety evaluation system to determine if the information is needed to fulfill external reporting obligations as addressed above. The Department recognizes the high costs of health care, both in dollars and in the health of individuals. The final rule establishes a workable and flexible framework to permit providers that have mature patient safety efforts to fully participate as well as for providers with no patient safety activities to be encouraged to begin patient safety efforts.

Comment: One commenter asked whether multiple PSOs can establish a single reporting portal for receiving reports from providers.

Response: The final rule does not address procedures regarding how a PSO receives information. Providers must meet any requirements regarding sharing information that is protected health information, such as the HIPAA Privacy Rule, in any circumstances when reporting information to a PSO or joint PSO portal.

Comment: Several commenters asked whether retrospective analyses could be included as patient safety work product.

Response: The final rule permits any data, which is a term that is broadly defined and would include retrospective analyses, to become patient safety work product. The fact that information was developed prior to the collection for reporting to a PSO does not bar a provider from reporting an analysis to a PSO and creating patient safety work product. Providers should be cautioned to consider whether there are other purposes for which an analysis may be used to determine whether protection as patient safety work product is necessary or warranted. Further, the definition of patient safety work product is clear that information collected for a purpose other than for reporting to a PSO may not become patient safety work product only based upon the reporting of that information to a PSO. Such information, particularly information collected or developed prior to the passage of the Patient Safety Act, may become protected as a copy, but the original document remains unprotected.

(J) § 3.20-Definition of Provider

Proposed Rule: Proposed § 3.20 would have divided the meaning of "provider" into three categories. The first paragraph included "an individual or entity licensed or otherwise authorized under State law to provide health care services, including" and this introductory language was followed by a list of institutional health care providers in subparagraph (1) and a list of individual health care practitioners in subparagraph (2). The preamble indicated that these statutory lists were illustrative.

Under the Secretary's authority to expand the list of providers in the statutory definition, the proposed rule would have added two categories to the list of providers. The second paragraph would have covered agencies, organizations, and individuals within Federal, State, local, or Tribal governments that deliver health care, the contractors these entities engage, and individual health care practitioners employed or engaged as contractors by these entities. We included this addition because public health care entities and their staff are not always authorized or licensed by state law to provide their services and, therefore, might not be included within the terms of the original statutory definition.

The third paragraph would have included a parent organization that has a controlling interest in one or more entities described in paragraph (1)(i) of this definition or a Federal, State, local, or Tribal government unit that manages or controls one or more entities described in (1)(i) or (2) of this definition. This addition was intended to permit the parent organization of a health care provider system to enter a system-wide contract with a PSO. The parent of a health system also may not be licensed or authorized by state law to provide health care services as required by the statutory definition.

Overview of Public Comments: There were a number of comments with respect to the entities and individuals that are identified as providers in the subparagraphs of paragraph (1). For example, one commenter sought clarification that "assisted living residential care and other community based care" providers are included in the broader term "long term care facilities" as identified in the list of covered providers. A number of other individual commenters each identified entities that the Secretary should include in the definition of providers: medical product vendors, pharmaceutical companies, medical device manufacturers, risk retention groups, and captive professional liability insurance companies that are controlled by risk retention groups.

There was general support for the inclusion of parent organizations of private and public sector providers in paragraph (3), although two commenters disagreed. One commenter argued that naming the parent organization as a provider suggested a "one size fits all" solution and suggested that eligibility should be linked to whether the parent organization is involved in the patient safety evaluation system for its subsidiaries. Other commenters, while not objecting, worried that this addition could open the door for organizations such as health insurance issuers, including Health Maintenance Organizations, regulatory and accrediting entities to qualify as component PSOs. One commenter suggested that by using the phrase "controlling interest" with respect to private sector parent organizations, the focus of this part of the proposed paragraph was inappropriately narrow, appearing to emphasize a corporate parent, and that the language needed to reflect a broader array of potential parent organizations, such as partnerships or limited liability companies.

Several commenters expressed concern that by encompassing entities that are not traditionally providers, under HIPAA or other rules, our definition of "provider" would lead to confusion. One commenter suggested it would be appropriate for the commentary accompanying the final rule to address the two terms, emphasize the differences, and clarify the obligations.

Final Rule: We have modified the definition of provider in the final rule in response to several comments. The first modification is a non-substantive substitution of the term behavioral health for behavior health. In response to the comments we received and to ensure clarity, we reiterate what we stated in the proposed rule that a list preceded by "including" is an illustrative list, not an exhaustive list.

In general, the question of whether any private sector individual or entity, such as assisted living residential care and other community-based care providers, comes within the rule's meaning of "provider" is determined by whether the individual or entity is licensed or otherwise authorized under state law to deliver health care services. We note that paragraphs (2) and (3) of the definition address public sector providers and parent organizations of health care providers.

We have not adopted any of the other recommendations for additions to the list of providers. The statute provides confidentiality and privilege protections for reporting by individuals and entities that actually provide health care services to patients. In our view, it was not intended to apply to those who manufacture or supply materials used in treatments or to entities that provide fiscal or administrative support to those providing health care services.

With respect to paragraph (3) of the definition, the use of the term parent organization here should conform to our definition of "parent organization" above. Therefore, we have streamlined the language, deleting unnecessary text that might suggest that we were applying a different definition.

The Department does not share the concerns of commenters that incorporating a broader definition of "provider" in this rule will cause confusion in the marketplace, because its use will be limited. The application of the term "provider" in this rule is intended to give the full range of health care providers the ability to report information to, and work with, PSOs and receive confidentiality and privilege protections as set forth in the Patient Safety Act and this rule. Although we appreciate the administrative benefits of uniformity, and have tried to maximize the consistency or interoperability of this rule with the HIPAA Privacy and Security Rules, it would not be appropriate in this rule to adhere to any less inclusive definition of provider used in other regulations.

We did not condition the designation of provider status for a parent organization on its involvement in a patient safety evaluation system. We expect that most parent organizations will, in fact, be a part of a system-wide patient safety evaluation system if they choose to pursue PSO services. However, establishing such a requirement now, when it is unclear what types of innovative arrangements and effective strategies might emerge, might prove more detrimental than helpful.

Response to Other Public Comments

Comment: One commenter raised concerns that paragraph (2) may not include Indian tribes that operate or contract for their own health care systems under the Indian Self-Determination and Education Assistance Act (ISDEAA), rather than relying upon the Indian Health Service.

Response: Tribal organizations carrying out self-determination contracts or compacts under the ISDEAA to deliver health care fall squarely within paragraph (2) of the definition of provider because they are organizations engaged as contractors by the Federal government to deliver health care. Additionally, the workforce of a provider covered under the rule, by definition, includes employees, volunteers, trainees, contractors, and other persons, whether or not paid by the provider, that perform work under the direct control of that provider. Federal employees detailed to a tribe or Tribal organization carrying out an ISDEAA contract would be covered under paragraph (2) in the definition of provider, even if they were not part of the Tribal organization's workforce. Therefore, no change is needed in response to this comment.

(B) Subpart B-PSO Requirements and Agency Procedures

Proposed Subpart B would have set forth requirements for Patient Safety Organizations (PSOs) including the certification and notification requirements that PSOs must meet, the actions that the Secretary may and will take relating to PSOs, the requirements that PSOs must meet for the security of patient safety work product, the processes governing correction of PSO deficiencies, revocation, and voluntary relinquishment, and related administrative authorities and implementation responsibilities. The requirements of the proposed Subpart would have applied to entities that seek to be listed as PSOs, PSOs, their workforce, a PSO's contractors when they hold patient safety work product, and the Secretary.

The proposed rule did not require a provider to contract with a PSO to obtain the protections of the Patient Safety Act; however, we noted that we anticipate that most providers would enter into contracts with PSOs when seeking the confidentiality and privilege protections of the statute. We proposed to enable a broad variety of health care providers to work voluntarily with entities that would be listed as PSOs by the Secretary based upon their certifications that, among other things, state that they have the ability and expertise to carry out the broadly defined patient safety activities of the Patient Safety Act and, therefore, to serve as consultants to eligible providers to improve patient care. In accordance with the Patient Safety Act, the proposed rule set out an attestation-based process to qualify for 3-year renewable periods of listing as a PSO. Proposed Subpart B attempted to minimize regulatory burden, while fostering transparency to enhance the ability of providers to assess the strengths and weaknesses of their choice of PSOs.

We proposed a security framework pertaining to the separation of data and systems and to security management, control, monitoring, and assessment. Thus, each PSO would address the framework with standards it determines appropriate to the size and complexity of its organization. We proposed additional requirements to ensure that a strong firewall would be maintained between a component PSO and the rest of the organization(s) of which it is a part.

We noted that we expect to offer technical assistance and encourage transparency wherever possible to promote implementation, compliance, and correction of deficiencies. At the same time, this proposed Subpart established processes that would permit the Secretary promptly to revoke a PSO's certification and remove it from listing, if such action proves necessary.

(1) Section 3.102-Process and Requirements for Initial and Continued Listing of PSOs

Proposed Rule: The proposed rule in § 3.102 addressed the eligibility of, and the processes and requirements for, an entity seeking a three-year period of listing by the Secretary as a PSO and described the timing and requirements of notifications that a PSO must submit to the Secretary during its period of listing. The proposed rule described our intention to minimize barriers to entry for entities seeking listing and create maximum transparency to create a robust marketplace for PSO services. The Patient Safety Act set forth limited prerequisites that must be met to be listed by the Secretary as a PSO, which the regulation incorporates. The Department expects that providers will be the ultimate arbiters of the quality of services that an individual PSO provides.

Overview of Public Comments: The following discussion focuses on the broad comments we received concerning our overall approach to initial and continued listing of PSOs. These comments do not address specific provisions of the proposed rule. Public comments that address specific provisions of § 3.102 are addressed in the individual subsection discussions that follow. Questions and situation-specific comments are addressed below under the heading of "Response to Other Public Comments."

The Department received generally favorable comment on our proposed approach in this section, which emphasizes a streamlined certification process, and public release of documentation submitted by PSOs whenever appropriate. There were, however, two broad sets of concerns expressed about our overall approach.

The first concern related to the potential number of PSOs that might be listed by the Secretary as a result of the Department's proposed "ease of entry" approach. These comments focused on the importance of PSOs being able to aggregate significant amounts of data across multiple providers to develop meaningful analyses. Noting that patient safety events are often rare events, one commenter noted that in some cases it may be necessary to aggregate data for an entire state in order to develop insights regarding the underlying causes of such events. Another commenter noted that if every hospital in the state established its own component PSO, the potential impact of PSO analyses could be minimal. Because most PSOs will be dependent upon revenue from providers submitting data, one commenter worried that too many PSOs could also affect the ability of individual PSOs to obtain adequate funding to perform their analytic functions and to implement potentially costly security requirements.

These concerns led some commenters to suggest inclusion in the final rule of a limitation on the number of PSOs that the Secretary would list. One commenter asked whether it would be possible for the Department to list one national PSO, noting this could improve efficiency for providers. Another commenter suggested listing of 2-4 PSOs per state using a competitive process or limiting the number of PSOs by increasing the number of required provider contracts that each PSO must have. Most commenters who favored limiting the number of listed PSOs did not suggest a specific approach.

A second broad set of recommendations focused on the need for periodic or ongoing evaluation of the effectiveness of PSOs that could be linked to, or be separate from, the evaluation of certifications for continued listing. Some commenters recommended that the Department routinely collect information from PSOs to evaluate whether the individual and collective work of PSOs is actually reducing medical errors and improving the quality of care that is delivered. One commenter stressed the importance of establishing in the final rule expectations related to PSO performance and demonstrated results and provided draft language for inclusion in the final rule.

Final Rule: The Department has not modified the approach taken in the proposed rule in response to these comments. With respect to limiting the number of PSOs that are listed by the Secretary, the statutory language is clear that any entity, public or private, that can meet the stated requirements is eligible for listing by the Secretary. While the Department understands the concerns of the commenters that a very large number of PSOs could frustrate the statutory goal of data aggregation across multiple providers, we believe that this scenario is unlikely for several reasons.

First, a provider does not need to shoulder the financial burden alone to support a full-time PSO. Providers enjoy the same protections under the Patient Safety Act when they contract with an independent PSO or when they create a component organization to seek listing as a PSO. A provider that establishes a working relationship with a PSO can have a division of labor between the analyses that its staff undertakes in-house within its patient safety evaluation system and the tasks it assigns to the PSO. In both circumstances, the statutory protections apply. Thus, for a provider, establishing its own PSO is an option, not a necessity.

Second, there are important insights into patient safety that can only be derived from aggregating data across multiple providers. Given the low frequency of some patient safety events, even larger health systems are likely to derive additional benefits from working with PSOs that have multiple and, potentially, diverse clients.

A final limiting factor is the shortage of personnel who are well-trained or experienced in the use of the methodologies of patient safety analyses. While the marketplace will respond to the need for the development of additional training and certification programs, the availability of highly-skilled staff will be a constraining factor initially. In combination, these three factors should provide a natural constraint on the number of single-provider PSOs.

Regarding the other general set of comments related to the listing process, the Department has considered these suggestions and has determined not to incorporate in the final rule requirements for an ongoing evaluation process or the routine collection of data from PSOs. PSOs are not a Federal program in the traditional sense. Most significantly, they are not Federally funded. Their project goals, priorities, and the specific analyses that they undertake are not Federally directed. The value and impact of an individual PSO will be determined primarily by the providers that use its services on an ongoing basis.

It is unclear at this point how providers will choose to use PSOs. Only with experience will it become clear which analyses a provider will choose to undertake in its own patient safety evaluation system and which analyses a provider will rely upon a PSO to undertake. The mix and balance of activities between a provider's patient safety evaluation system and its PSO (or PSOs) will undoubtedly shift over time as the working relationships between providers and PSOs evolve toward greater efficiency. Thus, we remain convinced that providers are in the best position to assess the value of a PSO and its ability to contribute to improving the quality and safety of patient care.

Response to Other Public Comments

Comment: While contracts are not required between PSOs and providers to obtain protections, the Department stated that it anticipates most providers will enter contracts with providers. In light of this expectation, one commenter urged the Department to develop and make available a model contract.

Response: We do not think a model contract can be developed easily. The issues that need to be addressed will vary significantly based upon the nature of the relationship. Therefore, we do not expect to be developing and releasing a model contract.

Comment: One commenter suggested that the final rule should explain how AHRQ will publish the results from which providers and others can evaluate a PSO before entering a contract.

Response: For the reasons discussed above, AHRQ will not require or release PSO-specific performance information.

Comment: One commenter suggested that AHRQ should ensure that PSOs should not be able to make commercial gain from the knowledge it derives as a PSO.

Response: The statute permits all types of private and public entities to seek listing as a PSO; it does not limit private entities to not-for-profits. The final rule mirrors that formulation. The Department concludes that the statute does not invite us to impose such restrictions and expects that providers' decisions will determine the acceptability of for-profit PSOs.

Comment: One commenter suggested that providers should only be permitted to submit data to one PSO.

Response: The Patient Safety Act's framework for PSO-provider relationships is voluntary from a public policy perspective. In our view, it would be inconsistent with section 922(e)(1)(B) of the Public Health Service Act for the Department or any entity to use the authority of law or regulation to limit or direct provider reporting.

Comment: One commenter suggested that the final rule should require PSOs to share aggregated, non-identifiable patient safety work product with state regulatory authorities.

Response: The Department does not agree that it is appropriate to place such an unfunded mandate upon PSOs.

Comment: One commenter stated that it is a waste of effort and expense to create new government entities to work with providers when current organizations can do that just as well. The commenter also asked whether anyone has estimated the 10-year costs.

Response: As this final rule makes clear, these entities are not government entities and will not receive Federal funding. While we expect implementation will spur the development of new entities, we also expect that existing entities will be able to expand their current patient safety improvement efforts if they seek listing and are able to offer the confidentiality and privilege protections provided by the Patient Safety Act. While we have not done a 10-year cost estimate, our regulatory impact statement at the end of the preamble projects net savings of $76 to $92 million in 2012, depending upon whether the net present value discount rate is estimated at 7% or 3%.

(A) Section 3.102(a)-Eligibility and Process for Listing

Proposed Rule: Section 3.102(a) of the proposed rule would have provided that, with several exceptions discussed below, any entity, public or private, for-profit or not-for-profit, that can meet the statutory and regulatory requirements may seek initial or continued listing by the Secretary as a PSO. The Department proposed to establish a streamlined certification process for entities seeking initial or continued listing that relied upon attestations that the entities met statutory and regulatory requirements. To foster informed provider choice, entities were encouraged, but would not be required, to post narratives on their respective Web sites that explained how each entity intended to comply with these requirements and carry out its mission.

The proposed rule incorporated a statutory prohibition that precludes a health insurance issuer and a component of a health insurance issuer from becoming a PSO. The Department also proposed to exclude any entity, public or private, that conducts regulatory oversight of health care providers, which included organizations that accredit or license providers. We proposed this restriction for consistency with the statute, which seeks to foster a "culture of safety" in which health care providers are confident that the patient safety events that they report will be used for learning and improvement, not oversight, penalties, or punishment. The proposed rule would permit a component organization of such an entity to seek listing as a PSO. To ensure that providers would know the parent organizations of such PSOs, we proposed that certifications include the name(s) of its parent organization(s), which the Secretary would release to the public. We sought comment on whether we should consider broader restrictions on eligibility.

The proposed rule would permit a delisted entity, whether delisted for cause or because of voluntary relinquishment of its status, subsequently to seek a new listing as a PSO. To ensure that the Secretary would be able to take into account the history of such entities, we proposed such entities submit this information with their certifications for listing.

Overview of Public Comments: The Department received generally favorable comments on our proposal to adopt a streamlined attestation-based approach to initial listing of PSOs. A number of commenters expressed concern about our attestation-based approach, however, arguing for a more in-depth assessment to ensure that an entity had the capability to carry out its statutory and regulatory responsibilities and meet the patient safety objectives of the statute. Some believed that the private marketplace is not necessarily well-equipped to judge which organizations can most effectively meet these requirements. Arguing that one misguided or fraudulent organization could taint the entire enterprise for years, a few commenters suggested that we require interested organizations at initial listing to submit documentation of their ability to meet their statutory and regulatory responsibilities.

Most commenters who urged a stronger approach to the evaluation of certifications for listing acknowledged the value of an expedited process for initial listing and instead focused their recommendations on the importance of creating a more rigorous process for continued listing. A common recommendation was to require, in addition to the proposed certifications for continued listing, that a PSO be required to submit documentation that described in detail how it is complying with the requirements underlying its certifications and urged the Department to arrange for independent review of such documentation, coupled with an audit process that would ensure compliance.

The comments we received were supportive of including a requirement that entities certify whether there is any relevant history regarding delisting about which the Secretary needs to be aware. Several commenters suggested that the entity seeking to be relisted should be required to include reason(s) for any prior delisting. Another suggestion was that the Secretary should have discretion in relisting an entity not to release the names of officials who had positions of responsibility in a previously delisted entity.

The proposed restrictions on eligibility engendered considerable comment. With respect to the statutory restriction on health insurance issuers, concerns and questions were raised regarding whether the exclusion applied to self-insured providers or malpractice liability insurers and whether health systems that include a subsidiary that is a health insurance issuer could establish a component PSO.

We received a significant level of comment regarding our proposed restriction on listing of regulatory oversight bodies. While the majority of commenters supported the proposed exclusion, some commenters took issue with various aspects of our proposal.

Commenters engaged in accreditation activities generally criticized our characterization of these activities as regulatory. They pointed out that the proposed rule did not take into account the distinction between voluntary and mandatory accreditation and, in their view, most accreditation was voluntary. They also noted that accreditation activities were initially developed to ensure the quality and safety of patient care and that accreditation entities, unlike licensure agencies, have greater discretion in addressing any problems that they identify with a provider's operations in a non-punitive way. For these commenters, accreditation activities were not inconsistent with fostering a "culture of safety." By contrast, most provider comments supported the exclusion, and singled out accreditation entities as warranting exclusion.

State health departments and state-created entities expressed concern about an outright prohibition on their being listed as PSOs, noting that the prohibition could disrupt effective patient safety initiatives now underway. A number of specific state-sanctioned patient safety initiatives were described in their submissions. Commenters pointed to the fact that state health departments have both regulatory and non-regulatory elements to their authority, have routinely demonstrated that they can effectively keep these elements separate, and thus, they saw no reason for the Department to doubt that state agencies could continue to do so effectively if they were permitted to operate PSOs.

Other commenters suggested extending the prohibition to other types of entities (such as purchasers of health care or agents of regulatory entities) and raised questions regarding the scope of the exclusion.

We received a significant number of comments in response to a specific question raised in the proposed rule whether the exclusion of regulatory entities should be extended to components of such organizations. Commenters that supported extension of the prohibition generally argued that the firewalls that the statute requires a component PSO to maintain between itself and its parent organization(s) could be circumvented, that the flexibility in the proposed rule to enable a component PSO to draw upon the expertise of its parent organization(s) would be inappropriate in this situation, and there was a significant possibility that such a parent organization could use its position of authority to attempt to coerce providers into reporting patient safety work product to its component PSO.

A majority of commenters, however, opposed expanding the exclusion to components of such regulatory organizations. They contend that the statutorily required separations between a component PSO and its parent organization(s) would provide adequate protection against improper access and adverse use of confidential patient safety work product by the excluded entities with which such a component PSO is affiliated. A number of commenters noted that an expansion of the exclusion to components of such entities would have unintended consequences. For example, an increasing number of medical specialty societies operate, or are in the process of developing, accreditation programs for their members in response to growing public and private sector pressure for quality improvement. These organizations see the creation of specialty-specific component PSOs as an important complement to their other quality improvement activities. Similarly, some commenters contend that widespread patient safety improvements require coordination and communication across the public and private sectors. These commenters argued that a broader exclusion could both disrupt existing, effective public sector patient safety initiatives and preclude opportunities for the public sector to play a meaningful role.

Many commenters that opposed extending the exclusion to component organizations nevertheless suggested additional restrictions to strengthen the separation of activities between component PSOs and these types of parent organizations. Their suggestions are discussed below with respect to § 3.102(c).

Final Rule: The Department considered whether to modify the attestation process either for initial or continued listing of PSOs or both but ultimately concluded that streamlined attestations should be retained for both. Given the voluntary, unfunded nature of this initiative and the centrality of the client-consultant paradigm of provider-PSO relationships, an approach that requires documentation and routine audits is likely to be costly and burdensome, both to entities seeking listing and the Department. More importantly, such an approach is unlikely to achieve its intended objective, for the reasons discussed below.

There are limitations of a documentation approach to ensuring the capabilities and compliance of PSOs with the requirements for listing, and such an approach is unlikely to yield the types of information that providers will need in selecting a PSO. Consider, for example, two of these requirements: the criterion that requires that a PSO have qualified staff, including licensed or certified medical professionals, and the patient safety activity that requires the provision of feedback to participants in a (provider's) patient safety evaluation system. Documentation, through submission of resumes or summaries of the credentials of professional staff, can demonstrate that the PSO meets the statutory requirement. What each provider really needs to assess, however, is whether the skill sets of the professional staff employed by or under contract to the PSO are an appropriate match for the specific tasks that led the provider to seek a PSO's assistance. Depending upon the analytic tasks, a provider may need expertise that is setting-specific, e.g., nursing homes versus acute care settings, technology-specific, specialty-specific, or, may require expertise outside the traditional scope of health care. Thus, there is not a single template against which the expertise of a PSO's professional staff can be judged. In addition, we anticipate that PSOs seeking additional clients (providers) will post on their Web sites, or otherwise advertise, the names and qualifications of their top staff experts and consultants. Their Web site locations will be on the AHRQ PSO Web site.

Similarly, documentation can demonstrate that a PSO has provided feedback to participants in a provider's patient safety evaluation system and thereby met the statutory requirement. But the most relevant questions are whether the feedback reflected a valid analysis of the provider's patient safety work product and existing scientific knowledge, and whether the feedback was framed in ways that made it understandable, "actionable," and appropriate to the nature of the provider's operation. The answers to these questions cannot be assessed by the Department readily through the listing process.

As a result, in many cases, the provider-client, rather than the Department, will be better able to determine whether the outcomes of a PSO's conduct of patient safety activities meet its needs in a meaningful way. The Department believes that providers, especially institutional providers, will have access to the expertise to make them especially sophisticated customers for PSO services. Providers are likely to assess very carefully the capabilities of a PSO and will be in a position to request appropriate documentation, if necessary, to assess a PSO's ability to meet their specific requirements. Therefore, the Department does not see a compelling public policy rationale for substituting its judgment for that of a provider. Providers can demand references and evidence of relevant accomplishments, and effectively evaluate the adequacy and suitability of a PSO's expertise and experience. In summary, a listing process that imposes documentation and audit requirements on each PSO will impose a significant burden on all parties, but yield only marginally useful information to prospective clients.

Accordingly, we believe the approach outlined in the proposed rule offers a more efficient and effective approach. The approach does include authority for spot-checking compliance outlined in § 3.110, responding to complaints or concerns, and enabling the Secretary, in making listing decisions (see § 3.104(b)), to take into consideration the history of an entity and its key officials and senior managers. This approach will be buttressed with a program of technical assistance for PSOs administered by AHRQ. In addition, the final rule incorporates a new expedited revocation process that can be used when the Secretary determines that there would be serious adverse consequences if a PSO were to remain listed. False statements contained in a PSO's submitted certifications can result in a loss of listing or other possible penalties under other laws.

For convenience and clarity, we have restructured § 3.102(a)(1) to provide a unified list of the certifications and information that an entity must submit for listing as a PSO. Sections 3.102(a)(1)(i) through 3.102(a)(1)(vii) set forth and cross-reference the requirements of the final rule. Two of these requirements are new. Section 3.102(a)(1)(iv) cross-references the additional requirements in § 3.102(c)(1)(ii) that components of entities that are excluded from listing must meet in order for such components to be listed. Section 3.102(a)(1)(v) incorporates our proposal, for which comments were supportive, to require disclosure to the Secretary if the entity seeking listing (under its current name or another) has ever been denied listing or delisted or if the officials or senior managers of the entity now seeking listing have held comparable positions in a PSO that the Secretary delisted or refused to list.

We have not adopted recommendations that we require explanations for the historical situations encompassed by § 3.102(a)(1)(v). Instead, we require that the name(s) of any delisted PSO or of any entity that was denied listing be included with the certifications. The Department can then search its records for background information. In response to concerns regarding public disclosure of the names of the officials or senior managers that would trigger the notification requirement, we do not require submission of the names of the individuals with the certifications. With respect to the workforce of the entity, we note that we have narrowed the requirement in two ways. First, we have narrowed the focus from "any" employee to officials and senior managers. Second, the requirement to disclose only applies when officials or senior managers of the entity seeking listing also held comparable positions of responsibility in the entity that was delisted or refused listing.

Restructured § 3.102(a)(2) retains the statutory exclusion from listing of health insurance issuers and components of health insurance issuers in subparagraph (i). For greater clarity, we have restated the exclusion to reflect the rule's definition of component so it now references: a health insurance issuer; a unit or division of a health insurance issuer; or an entity that is owned, managed, or controlled by a health insurance issuer. New subparagraph (ii) modifies and restates the exclusion from listing of any entity that: (1) accredits or licenses health care providers; (2) oversees or enforces statutory or regulatory requirements governing the delivery of health care services; (3) acts as an agent of a regulatory entity by assisting in the conduct of that entity's oversight or enforcement responsibilities vis-a-vis the delivery of health care services; or (4) operates a Federal, State, local or Tribal patient safety reporting system to which health care providers (other than members of the entity's workforce or health care providers holding privileges with the entity) are required to report information by law or regulation.

In reviewing the comments on the proposed regulatory exclusion, we did not find the arguments for narrowing the prohibition compelling. Almost every provider group expressed concern regarding the possible operation of PSOs by entities that accredit or license providers as well as possible operation of PSOs by regulatory entities. We share their concerns that entities with the potential to compel or penalize provider behavior cannot create the "culture of safety" (which emphasizes communication and cooperation rather than a culture of blame and punishment) that is envisioned by the statute.

We also concluded that it is difficult to draw a "bright-line" distinction between voluntary and mandatory accreditation as several of the commenters from accreditation organizations proposed. While most accreditation is technically voluntary from the standpoint of many accreditation entities, its mandatory aspect generally derives from requirements established by, or its use by, other entities such as payers. Thus, if we were to incorporate such a distinction that permitted the listing of organizations that provide voluntary accreditation today, its voluntary nature could disappear over time if other organizations mandated use of its accreditation services. Thus, a listed PSO might need to be delisted at some point in the future solely because of the actions of a third party mandating that organization's accreditation as a requirement. Therefore, we have retained the prohibition on accreditation and licensure entities and have not incorporated any distinctions regarding voluntary versus mandatory accreditation in the final rule. We have reformulated the exclusion and no longer include accreditation or licensure activities as examples of regulatory activities.

Similarly, we have retained the broad exclusion from listing of regulatory entities, by which we mean public or private entities that oversee or enforce statutory or regulatory requirements governing the delivery of health care services. Their defining characteristic is that these entities have the authority to discipline institutional or individual providers for the failure to comply with statutory or regulatory requirements, by withholding, limiting, or revoking authority to deliver health care services, by denying payment for such services, or through fines or other sanctions.

We consider entities with a mix of regulatory and non-regulatory authority and activities also to be appropriately excluded from being listed. We acknowledge that health departments and other entities with regulatory authority may undertake a mix of regulatory and non-regulatory functions. It may also be true, as several comments reflected, that state health departments have experience, and a track record, for maintaining information separately and securely from the regulatory portions of their operations when necessary. However, we note that the final rule retains the proposed approach not to regulate uses of patient safety work product within a PSO. At the same time, the final rule retains the ability of a state health department to establish a component organization that could seek listing as a PSO, subject to the additional restrictions discussed in § 3.102(c) below. The benefit of this approach is that providers will have the reassurance that the penalties under the Patient Safety Act and the final rule will apply to any impermissible disclosures of patient safety work product from such a PSO to the rest of the state health department.

We have not included the proposal of several commenters to exclude purchasers of health care from becoming PSOs. Commenters did not suggest a compelling public policy case for the exclusion of any particular type of purchasers. Given the vagueness and potential scope of such a prohibition, the potential for unintended consequences is simply too great to warrant its inclusion. For example, health care institutions in their role as employers can also be considered purchasers of health care.

We have incorporated two additional exclusions. First, based upon recommendation from commenters, we exclude from listing entities that serve as the agents of a regulatory entity, e.g., by conducting site visits or investigations for the regulatory entity. While we understand that such agents generally do not take action directly against providers, their findings or recommendations serve as the basis for potential punitive actions against providers. As a result, we believe that the rationale we outlined in the proposed rule regarding the exclusion of regulatory bodies is also applicable to agents of regulatory entities helping to carry out these regulatory functions.

Second, as we considered comments seeking clarification on the eligibility of entities that operate certain mandatory or voluntary patient safety reporting systems to seek listing as PSOs, we concluded that mandatory systems, to which some or all health care providers are required by law or regulation to report patient safety information to a designated entity, were inconsistent with the voluntary nature of the activities which the Patient Safety Act sought to foster. However, this exclusion does not apply to mandatory reporting systems operated by Federal, State, local or Tribal entities if the reporting requirements only affect their own workforce as defined in § 3.20 and health care providers holding privileges with the entity. The exception is intended to apply to Federal, State, local or Tribal health care facilities in which the reporting requirement applies only to its workforce and health care providers holding privileges with the facility or health care system. This exception ensures that, with respect to eligibility for listing as a PSO, entities that administer an internal patient safety reporting system within a public or private sector health care facility or health care system are treated comparably under the rule and would be eligible to seek listing as a PSO.

The final rule retains the ability of components of the four categories of excluded entities in § 3.102(a)(2)(ii) to seek listing as a component PSO. After careful review, the Department concluded that there was a significant degree of congruence in the concerns expressed by both proponents and opponents of extending the exclusion to such components. The opponents of extending the exclusion routinely suggested that the Department address their core concerns by adopting additional protections, rather than the blunt tool of a broader exclusion. We have adopted this approach, and we have incorporated in § 3.102(c) additional requirements and limitations for components of excluded entities.

In addition, we have incorporated a new requirement in § 3.102(a)(3) that submissions for continued listing must be received by the Secretary no later than 75 days before the expiration of a PSO's three-year period of listing. This requirement derives from our concern for protecting providers if a PSO decides not to seek continued listing and simply lets its certifications expire at the end of a three-year period of listing. To preclude an inadvertent lapse, the proposed rule included a provision to send PSOs a notice of imminent expiration shortly before the end of its period of listing and sought comment on posting that notice publicly so that providers reporting patient safety work product could take appropriate action. Section 3.104(e)(2) states that the Secretary will send a notice of imminent expiration to a PSO at least 60 days before its last day of listing if certifications for continued listing have not been received. However, the failure of the Secretary to send this notice does not relieve the PSO of its responsibilities regarding continued listing. The requirement to submit certifications 75 days in advance is intended to ensure that such a notice is not sent or publicly posted until after the submissions are expected by the Department.

Response to Other Public Comments

Comment: One commenter urged the Secretary not to require organizations to have specific infrastructure and technology in place before they could be listed.

Response: The Department has not proposed any specific infrastructure or technology requirements. However, the statute and the final rule require a PSO at initial listing to certify that it has policies and procedures in place to ensure the security of patient safety work product. The final rule requires that those policies and procedures be consistent with the framework established by § 3.106. The Department interprets the statute to require a listed PSO to be able to provide security for patient safety work product during its entire period of listing, which includes its first day of listing.

Comment: Two commenters agreed that PSOs should be encouraged, but not required, to post on their Web sites narrative statements regarding their capabilities.

Response: The Department continues to encourage PSOs to develop and post such narrative statements.

Comment: One commenter suggested that the listing process should include an opportunity for the Secretary to receive public comment before making a listing decision, especially in the case of continued listing, when providers may want to share their experiences with the Secretary regarding a specific PSO.

Response: While we expect customer satisfaction evaluations of PSOs will develop naturally in the private sector, the Department has not incorporated this recommendation in the listing process. If a provider or any individual believes that a PSO's performance is not in compliance with the requirements of the rule, this concern can be communicated to AHRQ at any time. Improper disclosures may also be reported to the Office for Civil Rights in accordance with Subpart D. Incorporation of a public consultation process poses a number of implementation issues. For example, it could potentially delay a time sensitive Secretarial determination regarding continued listing (which must be made before expiration of a PSO's current period of listing) and could require the Department to assess the validity of each specific complaint, e.g., the extent to which dissatisfaction with an analysis reflects the competence with which it was performed or a lack of precision in the assignment to the PSO.

Comment: One commenter suggested that state-sanctioned patient safety organizations should be deemed to meet the requirements for listing.

Response: The Department does not believe that the Patient Safety Act gives the Secretary authority to delegate listing decisions to states. Moreover, the statute establishes the requirements that an entity must meet for listing as a PSO; automatically deeming state-sanctioned organizations to be PSOs would inappropriately override federal statutory requirements and mandate the Secretary to list PSOs that may not be in compliance with all the statutory requirements. Accordingly, the final rule does not include such a provision.

Comment: Several commenters asked if the exclusion on health insurance issuers precludes a self-insured entity from seeking listing.

Response: The Department has examined this issue and concluded that the exclusion of health insurance issuers does not apply to self-insured organizations that provide health benefit plans to their employees. The statutory exclusion contained in section 924(b)(1)(D) of the Public Health Service Act incorporates by reference the definition of health insurance issuer in section 2971 of the Public Health Service Act and that definition explicitly excludes health benefit plans that a health care provider organization offers to its employees.

Comment: Several commenters inquired whether organizations that provide professional liability insurance coverage (also referred to as medical liability insurance or malpractice liability insurance) for health care providers are covered by the health insurance issuer exclusion. The commenters uniformly argued that the exclusion should not apply. Several commenters noted their intent to have their "captive" liability insurer seek listing as a PSO. Another commenter sought assurances that if a captive liability insurer sought listing as a PSO, the PSO would not be considered a component of the provider organizations that owned the liability insurer.

Response: The Department notes that there is some ambiguity in the statutory language but concludes that the health insurance issuer exclusion does not apply to such organizations.

While the health insurance issuer exclusion does not apply, the Department notes that the statute and the final rule require that an entity seeking listing must attest that its mission and primary activity is the improvement of patient safety. That test is readily met when an organization, such as a captive liability insurer, creates a component organization since the creation of a distinct new entity can be established in a manner that clearly addresses and meets the "primary activity" criterion. The Department has the authority to review all applications, including those from organizations with multiple activities, and to look behind the attestations to determine whether the applicant meets the "primary activity" criterion.

We note that a captive entity meets the definition of a component organization in this rule. Therefore, if the captive organization is eligible for listing because it meets the "primary activity" criterion, it must seek listing as a component organization and clearly would be subject to the requirements on component PSOs. If the captive organization does not meet the primary activity criterion for listing, it is free to create a component organization to seek listing. Once again, however, the additional requirements for a component PSO apply.

Comment: Several commenters asked whether the health insurance issuer exclusion prevents a health system that has subsidiaries that include providers and a health insurance issuer, from establishing a component organization to seek listing as a PSO.

Response: As described by several commenters, the PSO and the health insurance issuer would be affiliates in a "brother-sister" relationship within the parent organization. As long as the health insurance issuer does not have the authority to control or manage the PSO, the health system is not precluded from having both a health insurance issuer subsidiary and a component PSO.

Comment: Several commenters raised questions from different perspectives regarding situations in which providers might be required to report data to a PSO. Some commenters suggested that the final rule should prohibit a facility or health care delivery system from requiring individual clinicians (who are employed, under contract, or have privileges at the facility or within the system) to report data to a specific PSO. Others raised questions regarding the eligibility for listing of existing Federal, state, local or Tribal patient safety reporting systems that are administered by an entity without regulatory authority.

Response: While the Patient Safety Act does not require any provider to report data to a PSO, the statute is silent on whether others (such as institutional providers or other public entities) can impose such requirements on providers. The Department makes a distinction based upon the source of reporting requirements and the extent to which the requirement can be viewed as consistent with the statutory goal of fostering a "culture of safety." Thus, the Department has declined to include in the final rule any restriction on the ability of a multi-facility health care system to require its facilities to report to a designated PSO or of a provider practice, facility, or health care system to require reporting data to a designated PSO by those providing health care services under its aegis, whether as employees, contractors, or providers who have been granted privileges to practice. A patient safety event reporting requirement as a condition of employment or practice can be consistent with the statutory goal of encouraging institutional or organizational providers to develop a protected confidential sphere for examination of patient safety issues. While an employer may require its providers to make reports through its patient safety evaluation system, section 922(e)(1)(B) prohibits an employer from taking an adverse employment action against an individual based upon the individual's reporting information in good faith directly to a PSO.

By contrast, the Department views mandatory reporting requirements that are applicable to providers that are not workforce members and that are based in law or regulation, regardless of whether the specific data collected by these systems is anonymous or identifiable, as incompatible with the intent of the Patient Safety Act to foster voluntary patient safety reporting activities. In these situations, provider failure to make legally required reports can potentially result in a loss of individual or institutional licensure and the ability to practice or deliver health care services. Accordingly, we have added to the list of entities excluded from listing in § 3.102(b)(2)(ii) entities that administer such mandatory patient safety reporting systems.

A voluntary Federal, state, local, or Tribal patient safety reporting system can seek listing as a PSO. This means that the entity administering the reporting system does not have statutory or regulatory authority to require providers to submit data to the administering organization, and that organization is not required by statute or regulation to make the collected identifiable data available in ways that would be incompatible with the limitations on disclosure discussed in Subpart C.

Comment: Two commenters addressed the issue of whether Quality Improvement Organizations (QIOs), which are organizations that have contracts with Medicare and often with other payers or purchasers to review compliance with regulatory or contractual requirements and make reports that may adversely impact providers financially, can seek listing as PSOs.

Response: QIOs are precluded from seeking listing as PSOs. The final rule precludes agents of a regulatory entity from seeking listing and QIOs serve as agents of Medicare. Some QIOs also serve in similar capacities as agents of state regulatory bodies. As noted above, an agent of a regulator may create a component organization that would be eligible to seek listing as a PSO, provided such a component organization meets the additional requirements of § 3.102(c)(1)(ii).

Comment: Several commenters asked if the proposed exclusions of entities applied to State Boards of Health, programs offering providers certifications, and physician specialty boards.

Response: With respect to State Boards of Health, there are two issues regarding their potential ineligibility for becoming PSOs. The first, raised by the commenter, is whether these boards can be considered regulatory entities and in most cases they would be. While State Boards of Health provide leadership and policy coordination for state health policies, they generally have the power to oversee, enforce or administer regulations governing the delivery of health care services and would, therefore, be ineligible to be listed as a PSO. The second issue is whether such a board with its multiple responsibilities could attest that the conduct of activities to improve patient safety and health care quality is its primary activity.

With respect to entities that offer certifications, physician specialty boards, or similar activities, we would use a fact-based approach that assesses the activities in light of the exclusions in the rule at § 3.102(a)(2)(ii).

Comment: One commenter questioned whether the proposed requirement that a PSO notify the Secretary if it can no longer meet the requirements for listing essentially meant that the PSO was admitting a deficiency.

Response: We expect this requirement to operate prospectively so that the Secretary can evaluate whether the changed circumstances may still be cured. While it is possible that this requirement in some situations would be the equivalent of a PSO admitting a current, rather than prospective deficiency, we note two aspects of the process outlined here. First, the correction of deficiencies is not a punitive process. Second, the obligation to inform the Secretary of changes is a companion element to the Department’s approach in listing entities based upon attestations.

(B) Section 3.102(b)—Fifteen General PSO Certification Requirements

Proposed Rule: Section 3.102(b) of the proposed rule incorporated the 15 requirements specified in the Patient Safety Act that every entity must meet for listing as a PSO. These 15 requirements are comprised of eight patient safety activities and seven other criteria. At initial listing, an entity would certify that it has policies and procedures in place to perform the eight specified patient safety activities and, upon listing, would comply with the seven other criteria during its period of listing. At continued listing, the PSO would certify that it has performed during its period of listing, and would continue to perform, all eight patient safety activities and that it has complied with, and would continue to comply with, the seven other statutory criteria during its next period of listing.

We proposed to define the confidentiality and security requirements that are part of the patient safety activities that PSOs must carry out as requiring compliance with the confidentiality provisions of Subpart C and the security measures required by § 3.106. We did not propose, but sought comment on, whether the final rule should include a requirement that a PSO inform any provider from which it received patient safety work product if there are impermissible disclosures of, or security breaches with respect to, the provider's patient safety work product.

A PSO would meet the minimum contract requirement under the proposed rule with two contracts, each with a different provider, at some point during a PSO's sequential 24-month periods of listing. The proposed rule sought comment on how to interpret the requirement that the required contracts must be "for a reasonable period of time," asking whether the final rule should use a standard that was time-based, task-based, or include both options.

The proposed rule noted that PSOs are required by the statute, to the extent practical and appropriate, to collect patient safety work product from providers in a standardized manner that permits valid comparisons of similar cases among similar providers. We stated that we were considering including in the final rule, and sought comment on, a clarification that compliance would mean that a PSO, to the extent practical and appropriate, will collect patient safety work product consistent with guidance that the Secretary is developing regarding reporting formats and common definitions when the guidance becomes available. We also sought comment on the process for the development of common formats and definitions.

Overview of Public Comment: Most of the comments we received on this subsection focused on the contract requirement and the specific questions posed by the proposed rule. Nearly all of the commenters who addressed the issue supported the inclusion in the final rule of a requirement that PSOs must notify a provider if the work product submitted by the provider was inappropriately disclosed or its security was breached. Those favoring the inclusion of the requirement cited concern about the sensitivity of patient safety work product and the importance of ensuring that providers know if the PSO to which they reported data was living up to its obligations to protect the security and confidentiality of their data. They noted that the HIPAA Privacy and Security Rules will not always be applicable: that some providers will not be considered covered entities and identifiable patient safety work product may not always contain protected health information.

Those opposed to the requirement argued that most patient safety work product will contain protected health information and providers reporting to a PSO are likely to be covered entities. Thus, the HIPAA Privacy Rule will cover most situations and, if providers had additional concerns, they could address them contractually. It was also suggested that the preamble to the final rule should carefully describe a PSO's obligations when the HIPAA Privacy and Security Rules apply and the requirements to report impermissible disclosures even when protected health information is not involved.

With respect to the statutory requirement for contracts with more than one provider, several commenters proposed that one contract with multiple providers should be deemed to meet the statutory requirement. These commenters often argued that it was inefficient to require a PSO to enter multiple contracts when the statutory intent of collecting data from multiple providers could be met through a single contract. Several commenters alleged that the proposed rule did not interpret the requirement that contracts be entered with "different providers" and sought clarification in the final rule.

The vast majority of commenters opposed including any standard in the final rule for determining when one of the required contracts was "for a reasonable period of time." Many argued that this decision should be left to the marketplace, permitting providers and PSOs to enter customized arrangements. A few commenters supported incorporation of a time-based standard, ranging from 3-12 months. One commenter recommended incorporating both time-based and task-based standards.

In response to our specific request for comment on whether the final rule should reference the Secretary's guidance on common formats and definitions, the vast preponderance of comments were supportive, with many detailing reasons why use of common formats was important. Several organizations offered caveats to their support, such as concern that the development of Secretarial guidance might slow the process and may further interfere with innovation. Many organizations offered suggestions to the Department such as: allowing private sector feedback; harmonizing with other data reporting requirements; allowing collection of data in addition to the common formats, particularly for use at the local level; and allowing time to phase in use of common formats.

Virtually all comments were supportive of the process by which the Department was developing guidance on common formats. Many commenters suggested steps that they wished the Department to take such as: greater or earlier involvement of the private sector; transparency in the process; acceptance of comments from outside government; and use of evidence from existing reporting systems. The process we outlined for private sector consultation was viewed positively. We received several comments and recommendations related to this process that were outside the scope of the rule and, therefore, are not addressed below.

Final Rule: For convenience and clarity, we have modified the text in the final rule to separate initial and continued listing within § 3.102(b)(1), which states the required certifications for the eight patient safety activities and within § 3.102(b)(2), which states the required certifications for the seven PSO criteria. This modification does not reflect a substantive change.

We have incorporated in § 3.102(b)(1)(B) of the final rule one additional requirement, posed as a question in the proposed rule and strongly supported by commenters, that a PSO must inform the provider from which it received patient safety work product if the work product submitted by that provider is inappropriately disclosed or its security is breached. The Department recognizes that in certain cases a PSO may not know the identity of the provider that submitted patient safety work product, e.g., anonymous submissions, or it might not be possible to contact the provider, e.g., if the provider has gone out of business or retired. In these cases, the Department would expect the PSO to be able to demonstrate, if selected for a "spot check," that it made a good faith effort to reach every provider that submitted the work product subject to an inappropriate disclosure or a security breach. We also note that this requirement only requires the PSO to contact the provider that submitted the information; the PSO is not expected to contact providers or others whose names are included in the patient safety work product. As a business associate of a provider covered by the HIPAA Privacy Rule, the PSO must abide by its business associate contract with that provider, obligating it to notify the provider if it becomes aware of an impermissible disclosure of protected health information. See 45 CFR 164.504(e)(2)(ii)(C). Once the PSO has informed the provider of the impermissible disclosure, the HIPAA Privacy Rule requires the provider to mitigate the harmful effects of an impermissible disclosure. See 45 CFR 164.530(f).

We have also incorporated in § 3.102(b)(2)(i)(C) a minor modification in the text of the criterion relating to the required two contracts. The text in the proposed rule stated that a PSO "must have entered into two bona fide contracts" with different providers; we have deleted the words "entered into." Our intent in the proposed rule text was to encourage PSOs to enter long-term contracts with providers by enabling a multi-year contract to be counted toward the two contract minimum in each of the 24-month periods during which the contract was in effect. By deleting the words "entered into," the text of the final rule more clearly reflects our original intent.

We also provide clarification here, which we did not consider necessary to include in the rule text, regarding the obligations of a PSO. The certifications for initial listing regarding patient safety activities track the statute and require a PSO to have policies and procedures in place to perform patient safety activities. At continued listing, PSOs will be expected to have performed all eight patient safety activities. Some of the required patient safety activities must be performed at all times, such as utilizing qualified staff, having effective policies and systems to protect the security and confidentiality of patient safety work product when the PSO receives work product, undertaking efforts to improve the quality and safety of patient care, and developing and disseminating information to improve patient safety. Other required patient safety activities can only be performed when the PSO is working with a provider (such as providing feedback to participants in a patient safety evaluation system) and receiving patient safety work product from providers (such as utilization of patient safety work product to develop a culture of safety).

The Department recognizes that, for any given contractual arrangement, providers, not PSOs, will determine the tasks PSOs undertake and for which they will be compensated. Therefore, our approach to assessing compliance will be as follows. If subject to a spot check for compliance, a PSO must be able to demonstrate that it has performed all eight patient safety work products at some point during its three-year period of listing. However, we will expect a PSO to demonstrate that it performs throughout its period of listing the patient safety activities that are not dependent upon a relationship with a provider or receipt of patient safety work product. We will expect compliance with the other patient safety activities consistent with the contracts or agreements that the PSO has with providers. A component PSO that is established by a health care provider, and for which the parent-provider organization is a primary client, would not be dependent on external contracts and would be expected to be in compliance with all eight patient safety activities during its entire period of listing.

In response to commenters who sought clarification on what is meant by compliance with the two-contract requirement, we reaffirm that the statutory requirement is clear. There must be two written contracts; a single contract with multiple providers can only be counted as one contract. We interpret the requirement that the contracts must be with "different" providers straightforwardly. The only requirement is that the bona fide contracts must be with individuals or institutions that are providers as defined in the rule. We have imposed no other requirements; the contracts can be with an institutional provider and an individual clinician, or with two entities within the same or different system(s).

After careful consideration of the comments we received, the Department has concluded that we will not incorporate an interpretation of the term "each for a reasonable period of time" regarding the required contracts. As we noted in the proposed rule, our intent in proposing to interpret the language was to give providers increased certainty that the listing of the PSO to which they are reporting data could not be challenged on the basis that its required contracts were not for a reasonable period of time. However, the provider community opposed interpreting the provision, fearing that it would limit their ability to customize contracts to meet their analytic needs and urged the Department to rely upon the marketplace to interpret this requirement. With no empirical basis for choosing one standard or one time frame over another, and given the inability to anticipate what types of contractual relationships will evolve under the final rule, the Department concluded that incorporating a standard at this time could have unintended negative consequences and has chosen not to do so. As a result, a PSO will be required to have two contracts in effect at some point during each 24-month reporting period established by the statute but the contracts are not required to cover a specific or minimum time period and they are not required to be in effect at the same time.

While we received overwhelmingly favorable support for requiring compliance with the Secretary's guidance on common definitions and reporting formats (common formats) for the collection of patient safety work product, we recognize that the Department's efforts to develop guidance will take time. We issued common formats in August 2008 addressing all patient safety events in acute-care hospitals; AHRQ has made the common formats available on its Web site to facilitate their use by providers with varying levels of sophistication as well as by PSOs. The guidance will be expanded over time to other settings of care. Because we anticipate that some PSOs may choose to concentrate their work in areas for which guidance from the Secretary is not yet available, we have modified the text of the rule by incorporating a new paragraph (iii) that interprets compliance in the following way.

At initial listing, the requirement will be interpreted as a commitment by the entity seeking listing to adopt the Secretary's recommended formats and definitions by the time it seeks continued listing "to the extent practical and appropriate." During the initial three-year period of listing, AHRQ will not issue a preliminary finding of deficiency to any PSO that has not adopted the Secretary's recommended formats and definitions.

At continued listing, a PSO will be required to: (1) certify that the PSO is using the Secretary's guidance for common formats and definitions; (2) certify that the PSO is using an alternative system of formats and definitions that permits valid comparisons of similar cases among similar providers; or (3) provide a clear explanation for why it is not practical or appropriate for the PSO to comply with options (1) or (2) at this time. The Secretary will consider a PSO to be in compliance if it is using the Secretary's guidance, satisfactorily demonstrates that the alternative system it is using permits valid comparisons of similar cases among similar providers, or satisfactorily demonstrates why neither option is practical or appropriate at this time. An example of a satisfactory justification might be that the PSO specializes in analyses in a specific niche of health care delivery in which there remains significant controversy over relevant reporting formats and definitions and/or the Secretary has not recommended any relevant common formats or definitions. The Secretary, if he determines that the PSO is otherwise eligible for continued listing, but has not satisfactorily demonstrated that it meets one of the three requirements in § 3.102(b)(2)(iii), may exercise his discretion to continue the listing of the PSO and use the process for correction of deficiencies in § 3.108(a) to bring the PSO into compliance after its listing has been continued.

We believe this approach effectively balances the statutory goal of promoting the ability to aggregate, and learn from, patient safety work product, while recognizing the statutory caveat that this requirement applies "to the extent practical and appropriate." Our approach ensures that PSOs will take the requirement seriously and that a PSO's statement that it is not "practical or appropriate" to comply at this time is well-founded.

Response to Other Public Comments

Comment: Several commenters suggested that the final rule include a requirement that entities provide assurances that they are financially viable.

Response: The Department has not adopted this proposal. We do not believe that assuring the financial viability of PSOs is either an authorized or an appropriate Federal task in carrying out the Patient Safety Act. The statutory framework leaves this inquiry and determination to prospective clients in the market for PSO services. PSOs will learn to address this concern routinely if required by providers to do so.

Comment: One commenter suggested that the final rule include a provision to require PSOs to have policies and procedures in place to safeguard the privacy and confidentiality of a staff member of a PSO, who is identified in patient safety work product.

Response: The Department agrees that PSOs should consider and address issues of confidentiality, including those of its workforce members. However, we do not believe it is appropriate or necessary to mandate how a PSO addresses this issue.

Comment: Several commenters raised concerns regarding the statutory requirement that "the mission and primary activity must be to conduct activities that are to improve patient safety and the quality of health care delivery" might make it difficult for existing organizations with multiple activities to qualify for listing. One commenter suggested that the requirement be altered so that the mission and primary activity "includes" quality improvement and patient safety. Questions were also raised whether organizations that currently undertake other activities such as provider education or other collections and analyses of clinical data to improve the quality, safety, and efficiency of health care would meet the requirement.

Response: It is important to recognize that the language at issue was incorporated into the proposed rule directly from the statute. Accordingly, it has been retained. We note that this statutory language imposes a dual requirement: improvement of patient safety and the quality of health care delivery must be reflected in the entity's mission and this improvement activity must constitute the entity's primary activity. Since many organizations could reasonably claim that improvement of the quality of health care and patient safety are fundamental to their missions and even have these words in their mission statements, the critical and distinguishing requirement in this statutorily-based criterion is that such improvement activities must be the entity's primary activity.

While we understand the rationale of the commenter (many of the organizations interested in becoming PSOs will have difficulty attesting that this is their primary activity), the Department does not have the authority to alter this statutory requirement by making improvement of health care delivery and patient safety one of any number of significant activities that an organization performs. The statute effectively recognizes this dilemma and provides an option in this situation. An entity can create a component organization, discussed in the next subsection, to seek listing. Such a new component created for this exclusive purpose or with this purpose as its primary activity would inherently meet this requirement.

It is likely that some providers will find it more reassuring to work with a PSO that is focused solely on the statutorily mandated objectives. If an organization with other activities and personnel is listed in its entirety as a PSO, it can share a provider's identifiable patient safety work product throughout the legal entity, including with individuals who are not involved in the work of the PSO, without violating the disclosure restrictions of the statute and without triggering Federal enforcement action pursuant to subparts C and D of the rule. We expect many providers will prefer that their protected information be closely held. Thus, existing organizations have other reasons, in addition to the mission and primary activity criterion, to consider the option of establishing a PSO as a component organization.

In response to an example posed in two separate comments, if an entity's primary activity is the collection and analysis of clinical data to improve the quality, safety, and efficiency, the Department would consider these activities consistent with the statutory requirement. Other situations may warrant discussion with AHRQ staff during the planning stage of a PSO or at least before submitting certifications for listing. Another example posed by a commenter (an entity that provides general health education to providers) would appear to require further discussion. As presented, general health education would appear to have a link to, but an inadequate emphasis on, the analytic focus of a PSO's mandatory patient safety and quality improvement activities. The health education entity can certainly avail itself of the option to establish a component organization to seek listing.

Comment: One commenter asked what is meant by the concept of carrying out patient safety activities. Does this mean that patient safety activities must be performed and, if so, when?

Response: We note that this obligation rests with a PSO, not providers. The requirement means that a PSO must perform all eight patient safety activities during its period of listing. We clarify how the Department will assess PSO compliance with this requirement in the discussion of the final rule above.

Comment: One commenter asked if a PSO could meet the minimum contract requirement by entering a contract with a 50-hospital system and one independent practitioner (either with a physician or nurse practitioner).

Response: To meet the requirement, a PSO must have at least two contracts with different providers. In this case, a contract with a solo health care practitioner (such as a physician or a nurse practitioner) would meet the requirement for the second contract.

Comment: One commenter asked if a contract between the parent of a health system and a PSO is tantamount to entering a contract with each provider that comprises the health system.

Response: Such an arrangement does not meet the requirement; the requirement focuses on the number of contracts, not the number of providers that are involved with any contract. The rule, based on the terms of section 924(b)(1)(C) of the Public Health Service Act, requires two contracts.

Comment: Can providers within the same system count as different providers for meeting the minimum contract requirement?

Response: The answer to this question is yes if the PSO has separate contracts with at least two different providers. Whether the providers have a common organizational affiliation is not relevant. The only requirements are that the individuals or facilities must be providers as defined in § 3.20 of the rule and that there are at least two contracts with different providers. Once again, the focus of the requirement is the number of contracts.

Comment: A commenter asked if the establishment of a "relationship" with a provider is sufficient to meet the minimum contract requirement.

Response: No. The rule requires two bona fide contracts, as defined in section 3.20, meeting the requirements of the rule.

Comment: One commenter expressed concern about the ability of his agency to meet the minimum contract requirement. His agency administers a public patient safety reporting system to which hospitals are required to report by state law. His concern was that the hospitals might see no need to enter contracts with his agency if it were listed as a PSO.

Response: The modifications to the final rule in § 3.102(a)(2)(ii) preclude an entity that manages or operates a mandatory patient safety reporting system from seeking listing as a PSO.

Comment: One commenter urged that the final rule not marginalize State mandatory reporting systems through the separation of provider reporting to PSOs. The commenter recommended that the final rule permit States to become listed as PSOs or enter into collaborative arrangements with PSOs to share data and staff.

Response: While we believe that an entity that operates a Federal, state, local, or Tribal mandatory patient safety reporting system should not be listed as a PSO, the rule does permit a component of such an entity to seek listing. A PSO that is a component of an excluded entity is prohibited from sharing staff with the excluded entity and has limitations on its ability to contract with such a parent organization (see § 3.102(c)(4)). However, the component PSO could enter into some types of limited collaboration with an excluded entity. For example, a PSO may accept additional data from an excluded entity for inclusion in its analyses with the understanding that the PSO may only share its findings pursuant to one of the permissible disclosures in Subpart C, e.g., if the findings are made non-identifiable. In addition, other PSOs similarly may share their nonidentifiable findings with mandatory state patient safety reporting systems and to the extent permitted by state law the state systems might give data to completely separate PSOs for analysis and reports in nonidentifiable terms.

Comment: Several commenters suggested that excluded entities might become members of a PSO as long as they were not vertically linked to the PSO, although they did not explain what they meant by the term, members.

Response: It is not clear what the commenters mean by a "member" of a PSO in this context. To the extent that the comments are referring to a possible joint venture that creates a PSO, there are few productive roles that an excluded entity could play. Such excluded entities could not have or exercise any level of control over the activities or operation of a PSO. Thus, they could not have access to patient safety work product. As a result, the potential for involvement of an excluded entity with a PSO would be very limited.

We note, however, that a component of an entity excluded by § 3.102(a)(2)(ii) can seek listing. These types of component organizations must meet additional requirements set forth in § 3.102(c)(1).

Comment: One commenter requested clarification regarding the required patient safety activity to provide feedback and assistance to providers to effectively minimize patient risk.

Response: We recognize that the performance of some patient safety activities will be dependent upon a PSO's arrangements with its clients. As we noted in our discussion of the final rule, we will interpret a PSO to be in compliance with this requirement if the feedback and assistance is performed at some point during the PSO's period of listing.

Comment: Two commenters pointed to the importance of the use of contracted staff to enable a PSO to carry out its duties, especially in rural or low population density areas. In such circumstances, a PSO needs to draw upon competencies and skills as needed and asked that we clarify that such contractors, whether paid or volunteer, could enable a PSO to meet the qualified staff requirement.

Response: The Department assumes that many PSOs, especially component PSOs, will use a mix of full-time personnel and individuals from whom they seek services as needed, whether paid or on a volunteer or shared basis. That is why we have incorporated a broad definition of "workforce" in the rule that encompasses employees, volunteers, trainees, contractors, and other persons whether or not they are paid by the PSO. As defined in this rule, workforce refers to persons whose performance of activities for the PSO is under the direct control of the PSO. In addition, however, a PSO is free to enter contracts for specific or specialized services, subject to other requirements of the rule.

(C) Section 3.102(c)-Additional Certifications Required of Component Organizations

Proposed Rule: Along with the 15 requirements under subsection (b) that all PSOs would have to meet, § 3.102(c) of the proposed rule would require an entity that is a component of another organization to make three additional certifications regarding:

  1. the secure maintenance of patient safety work product separate from the rest of the organization(s) of which it is a part;
  2. the avoidance of unauthorized disclosures of patient safety work product to the rest of the organization(s) of which it is a part; and
  3. the mission of the component organization not creating a conflict of interest with the rest of the organization(s) of which it is a part.

We proposed two additional requirements that would interpret these statutory provisions:

  1. a component PSO could not have a shared information system with the rest of the organization(s) of which it is a part; and
  2. the workforce of the component PSO could not engage in work for the rest of the organization(s) if such work could be informed or influenced by the individual's knowledge of identifiable patient safety work product (except if the work for the rest of the organization is solely the provision of patient care).

The proposed rule did not propose an interpretation, but sought public comment, on the requirement that a component organization not create a conflict of interest with the rest of the organization(s) of which it is a part.

We proposed, and sought comment on, a limited option for a component PSO to take advantage of the expertise of the rest of its parent organization(s) to assist the PSO in carrying out patient safety activities. Under this proposal, a component PSO could enter into a written agreement with individuals or units of the rest of the organization involving the use of patient safety work product, subject to specified requirements.

Overview of Public Comments: Numerous commenters strongly disagreed with the Department's proposal that PSOs must maintain separate information systems. These commenters argued that it would impose a tremendous financial and administrative burden to establish separate information systems. A number of commenters suggested alternative approaches that could achieve the same goal. For example, one commenter recommended that HHS adopt a non-directive concept of functional separation and require PSOs to submit with their certifications for listing a description of how they intend to meet the requirement for technological and other controls to ensure that there is an effective protection against inappropriate access to the patient safety work product held by the component PSO.

There was significant concern with the proposal to limit the sharing of employees between the parent organization(s) and the component PSO if the employee's work could be informed by knowledge of a provider's identifiable patient safety work product. Some commenters argued that the prohibition was too broad, that it should be narrowed, or that the standard was too vague and had the potential for creating confusion. A number of commenters recognized the merits of the intended prohibition but thought that the proposed rule's formulation was so vague that it might limit the ability of any physician in an academic health center to assist the component PSO if the physician supervised and evaluated interns and residents during their training, presuming this to be an unintended result.

Several alternative approaches were suggested, including:

  1. limit the prohibition to staff in the parent organization who would use patient safety work product for non-patient safety activities;
  2. obtain pledges by staff not to use patient safety work product for "facility administrative functions";
  3. limit the prohibition to persons with disciplinary/credentialing functions;
  4. require management staff to sign agreements not to use patient safety work product in hiring/firing, credential/privilege decisions; and
  5. permit shared staff for specific types of entities, such as state hospital associations, but not others.

Our proposal to provide a limited option for a component PSO to draw upon the expertise of its parent organization(s) to assist the PSO in carrying out patient safety activities was well received. Most commenters were supportive of the flexibility provided by this provision although one commenter suggested deleting it. Several commenters stressed that a "substantial firewall" should be maintained and that such contracting should only be allowed "for clearly defined and limited staff services." One commenter urged that such contracts or agreements should be submitted to the Secretary in advance so that they "can be scrutinized by HHS to assess whether confidentiality or privilege protections can practically remain intact."

In our discussion regarding entities excluded from listing in § 3.102(a)(2)(ii), we noted that a number of commenters that supported permitting components of such entities to seek listing, suggested, nevertheless, that we establish additional limitations and requirements. Their suggestions included requiring that such a component organization seeking listing must: specifically identify its parent organization as a regulator and specify the scope of the parent organization's regulatory authority; submit to the Secretary attestations from providers choosing to report to the PSO that they have been informed of the scope of regulatory authority of the parent organization; and provide assurances to the Secretary that the parent organization has no policies that compel providers to report patient safety work product to its component PSO. They also suggested such a PSO not be permitted to share staff with the parent organization and not be able to take advantage of the proposed limited provision that would permit a component PSO to contract with its parent organization for assistance in the review of patient safety work product.

The proposed rule did not propose an interpretation but sought comment on the circumstances under which the mission of a component PSO could create a conflict of interest for the rest of the parent organization(s) of which it is a part. The recommendations of commenters reflected a variety of perspectives: one view was that the rule should not adopt a general standard; a component organization should disclose what it believes may be its conflicts and that this disclosure should be deemed sufficient to have cured the conflict; another said the Department should undertake case-by-case analysis; and a third suggested the Department should adopt guidance, not regulatory language.

Another commenter wrote that there could be no conflict of interest if the parent organization is a provider; others suggested that certain types of parent organizations posed conflicts of interest, such as when the parent organization is an investor-owned hospital or if there are certain legal relationships which providers have with a parent organization or its subsidiaries. Similarly, one commenter suggested that not-for-profit status of a PSO should be an indicator that there is no conflict of interest. In a parallel vein, another commenter argued that if the PSO could use or sell its information for commercial gain, this was a conflict. This commenter also argued that if a PSO could be used to create an oasis solely for protection of information reported by the system that created it, this represented a conflict; the information held by a PSO must be made available at minimal or no cost for further aggregation. Another commenter suggested that a component PSO should never evaluate patient safety work product of an affiliated organization; if it does so, this creates a conflict-of-interest.

Finally, several commenters also suggested that there must be no conflict between patient safety work product and non-patient safety work product functions. A similar comment from another entity argued that a PSO must certify that members of the component PSO workforce are not engaged in work for the parent organization that conflicts with the mission of the PSO.

Final Rule: After careful consideration of the extensive number of comments received regarding component organizations, the Department has modified and restructured the text for § 3.102(c) in the following ways.

We have restructured § 3.102(c) into four separate paragraphs. New § 3.102(c)(1)(i) lists the provisions with which different component organizations must comply. This subparagraph sets forth the requirements that all component organizations must meet. The language of this subparagraph is retained from the proposed rule but includes a requirement that all component organizations must submit with their certifications contact information for their parent organization(s) and provide an update to the Secretary in a timely manner if the information changes. This requirement was proposed in the preamble but was not incorporated in the text of the proposed rule. Many of the commenters noted the importance to providers of having information regarding the parent organization of a component PSO and, therefore, we have incorporated the provision.

New § 3.102(c)(1)(ii) outlines the requirements for components of entities excluded from listing under § 3.102(a)(2)(ii) of this section. These components must meet the requirements for all component PSOs in § 3.102(c)(1)(i) as well as submit the additional certifications and information and adhere to the further limitations set forth in § 3.102(c)(4) that are discussed below.

New § 3.102(c)(2) restates the three additional statutory certifications that must be made by all component organizations seeking listing. We have deleted two requirements for component entities from the text of the proposed rule that were intended to interpret these statutory requirements: the requirement for separate information systems and the restriction on the use of shared staff. The final rule does not impose these proposed requirements on most component organizations. However, as discussed below regarding § 3.102(c)(4), we have retained the prohibition on shared staff only with respect to components of entities that are excluded from listing and, for such component PSOs, narrowed the circumstances when contracting with a parent organization is permissible only with respect to components of entities that are excluded from listing.

With respect to separate information systems, the Department has concluded, based upon the information that was included by commenters, that there are a number of cost-effective alternatives for achieving the statutory goal of separate maintenance of patient safety work product. Accordingly, we have included new language that requires a component PSO to ensure that the information system in which patient safety work product is maintained must not permit unauthorized access by any individuals in, or units of, the rest of the parent organization(s) of which it is a part.

Similarly, after careful consideration of the comments, we have eliminated the proposed restriction on the use of shared staff for most component PSOs. The Department has concluded that there are significant incentives for component PSOs and parent organizations to be very cautious in their use of shared personnel, protecting against inappropriate disclosures, and the disclosure of patient safety work product. A number of commenters appeared to appreciate the importance of maintaining separation between their patient safety activities and internal disciplinary, privileges, and credentialing decisions, which were the focus of our concern.

Our review has led us to conclude that the potential negative consequences for providers, independent of any fear of Department action, lessens the need for the rule to address this issue. For example, institutional providers are likely to find it difficult to develop robust reporting systems if the clinicians on their staff learn or even suspect that the same individuals involved in analysis of patient safety work product play key roles in administrative decisions that can lead to adverse personnel decisions. This may lead to decreased reporting of patient safety events. The suspicion of contamination between the processes could also provide a new basis for challenging adverse employment actions, which could require providers to prove that their actions were not influenced by inappropriate use of patient safety work product. Finally, there is the right of action that the statute grants to individual providers who believe and allege that their employer took an adverse employment action against them based upon their providing information to the employer's patient safety evaluation system for reporting to the PSO or based upon their providing information directly to the PSO. Given the importance to providers of maintaining protections for their work product, we conclude that it is unlikely that a parent organization will intentionally jeopardize those protections. Therefore, we have eliminated the proposed restriction on the use of shared staff, except for components of entities excluded from listing as discussed below regarding § 3.102(c)(4). In its place, we have restated the statutory requirement that the component organization (and its workforce and contractors) may not make unauthorized disclosures to the rest of the organization(s) of which the PSO is a part.

We have retained without change in § 3.102(c)(2)(iii) the proposed rule text prohibiting the pursuit of the mission of the PSO from creating a conflict of interest with the rest of the organization(s) of which it is a part. To the extent that individuals or units of the rest of the parent organization(s) have obligations and responsibilities that are inconsistent with the "culture of safety" that the statute seeks to foster, a component PSO could create a conflict of interest by sharing identifiable patient safety work product with them as shared staff or under a written agreement pursuant to § 3.102(c)(3), discussed below. On the other hand, the component PSO could draw upon the expertise of these same individuals in other capacities in which identifiable work product is not shared and, thereby, avoid creating conflicts of interest. Thus, we would interpret permitting the creation of conflicting situations for staff or units of the parent organization(s) as inconsistent with a component PSO's attestation.

Section 3.102(c)(3) retains without substantive change the provision in the proposed rule to enable a component PSO, within limits, to take advantage of the expertise of the rest of the organization of which it is part. In response to concerns expressed by some commenters, we stress the statutory requirement for the PSO to maintain patient safety work product separately from the rest of the organization. In such circumstances, it cannot be transferred to individuals or units of the rest of the organization except as permitted by the rule. As a practical matter, if the parent organization is a provider organization and the component PSO is evaluating the parent organization's data, the parent-provider is likely to have a copy of all of the data transmitted to the component PSO.

We do not dismiss the concerns of commenters that this contracting authority could be used inappropriately. We remind each component PSO that the statute requires it to maintain patient safety work product separately from the rest of the organization(s) of which the component PSO is a part and prohibits unauthorized disclosures to the rest of the organization(s) of which they are a part. Therefore, it may not be appropriate for its parent organization to serve as its main provider of analytic or data services if such arrangements would effectively confound statutory intent for a firewall between a component PSO and the rest of the organization(s) of which it is a part. The flexibility provided by the rule to use in-house expertise is intended to supplement, not replace, the PSO's authority to contract with external expert individuals and organizations.

Section 3.102(c)(4) incorporates new requirements, drawn from our review of public comments, that only apply to organizations that are components of entities excluded from listing under § 3.102(a)(2)(ii). Thus, these component organizations have three sets of requirements to meet: the 15 general certification requirements in §§ 3.102(b)(1) and 3.102(b)(2); the requirements that all component PSOs must meet in §§ 3.102(c)(1)(i) and 3.102(c)(2); and the requirements that are established by § 3.102(c)(4).

Section 3.102(c)(4) establishes a requirement for additional information and certifications that must be submitted with the component organization's certifications for listing and it establishes two additional restrictions with which a component organization must comply during its period of listing. The additional information and certifications require a component PSO of an entity described in § 3.102(a)(2)(ii) to:

  1. Describe the parent organization's role, and the scope of the parent organization's authority, with respect to the activities which are the basis of the parent organization's exclusion from being listed under § 3.102(a)(2)(ii).
  2. Certify that the parent organization has no policies or procedures that would require or induce providers to report patient safety work product to the component organization once it is listed as a PSO, and affirm that the component PSO will notify the Secretary if the parent organization takes any such actions during its period of listing. An example of an inducement would be if a parent organization that accredited or licensed providers awarded special scoring consideration to providers reporting to the parent organization's component PSO; additional scoring consideration for reporting to any PSO, by contrast, would not violate this restriction.
  3. Certify that the component PSO will include information on its Web site and in any promotional materials for providers describing the activities which were the basis of the parent organization's exclusion under § 3.102(a)(2)(ii).

We have incorporated these additional requirements for information and attestations to address widespread concerns among commenters that an excluded parent organization might attempt to compel providers to report data to its component PSO and circumvent the firewalls for access to that data. These extra requirements for such component PSOs will strengthen transparency and the additional statements submitted with the component organization's certifications will be posted on the AHRQ PSO Web site along with all its other certifications. Our intent is to ensure that such a component organization's Web site and its promotional materials for providers will inform providers regarding the nature and role of its parent organization. The rule is emphatically clear that the Department will take prompt action to revoke and delist a component organization whose excluded parent organization attempts to compel providers to report data to its component PSO. New § 3.108(e)(1) lists specific circumstances, including this situation, in which revocation and delisting will take place on an expedited basis.

During its period of listing, the final rule also prohibits a PSO that is a component organization of an entity excluded from listing from sharing staff with the rest of the organization(s) of which it is a part. Such a component PSO may enter into contracts or written agreements with the rest of the organization(s) under the authority provided to all component PSOs by § 3.102(c)(3) but with one additional limitation. Such contracts or written agreements are limited to units or individuals of the parent organization(s) whose responsibilities do not involve the activities that are the basis of the parent organization's exclusion under § 3.102(a)(2)(ii). If the parent organization's sole activity is the reason for its exclusion, the component organization could never enter a contract or written agreement to have staff from the rest of the organization assist the PSO in carrying out patient safety activities. If the parent organization engages in a mix of activities, some of which are not a basis for exclusion from listing, the component organization will be able to take advantage of this contracting option, subject to our caveat above.

Response to Other Public Comments

Comment: One commenter asked us to confirm that component PSOs can maintain patient safety work product behind secure firewalls using existing information systems.

Response: The modifications we have adopted and discussed above mean that the final rule permits this approach.

Comment: Several commenters suggested that it was unrealistic for the component to maintain patient safety work product separately from its parent organization if the parent organization is a provider reporting data to the component PSO.

Response: The Patient Safety Act requires that a component PSO maintain patient safety work product separately from the rest of the organization(s) of which it is a part; therefore, we cannot remove the restriction. While contracts between a PSO and a provider are likely to address the extent to which a provider has access to information held by a PSO, we caution contracting parties to be mindful of this statutory restriction in crafting their contracts. The requirement for separation does not mean that the component organization cannot share information with a parent organization, but any sharing must be consistent with the permissible disclosures of this rule.

(D) Section 3.102(d) Required Notifications
(1) Section 3.102(d)(1)-Notification Regarding PSO Compliance With Minimum Contract Requirement

Proposed Rule: Section 3.102(d)(1) of the proposed rule would require PSOs to attest within every 24-month period, beginning with its initial date of listing, that the PSO has met the two-contract requirement. We proposed to require notification of the Secretary 45 days before the end of the applicable 24-month period. Early notification would enable the Department to meet another statutory requirement to provide PSOs with an opportunity to correct a deficiency. If the requirement is not yet met, this would enable the Secretary to establish an opportunity for correction that ends at midnight on the last day of the 24-month period.

Overview of Public Comments: The comments we received endorsed our proposed approach. One commenter suggested we should consider requiring notification 60 days in advance.

Final Rule: We expect that, in most circumstances, contracts will be the primary source of revenue for PSOs. In light of the fact that only two contracts are required, we do not anticipate that many PSOs will reach this point in their period of listing without meeting the requirement. We have not accepted the recommendation to require notification sooner. The Department adopts the provision as recommended in the proposed rule without modification.

(2) Section 3.102(d)(2)-Notification Regarding a PSO's Relationships With Its Contracting Providers

Proposed Rule: The proposed rule incorporated in § 3.102(d)(2) the statutory requirement that a PSO would make disclosures to the Secretary regarding its relationship(s) with any provider(s) with whom the PSO enters a contract pursuant to the Patient Safety Act (Patient Safety Act contract). The statute requires PSOs to disclose whether a PSO has any financial, contractual, or reporting relationships with this contracting provider and, if applicable, whether the PSO is not managed, controlled, or operated independently of this contracting provider.

The proposed rule noted that a PSO would need to make this assessment when it enters a contract with a provider and, if disclosures are required, submit a disclosure statement within 45 days of the effective date of the contract. If relationships arise during the contract period, submission would be required within 45 days of the date the relationships are established.

The proposed rule would have provided guidance on our interpretation of financial, contractual, and reporting relationships and emphasized that the statute required a PSO to "fully disclose" the relationships. We noted that disclosure would be required only when the PSO entered a Patient Safety Act contract with a provider and there were relationships that required disclosure. We also encouraged, but did not require, PSOs to list any agreements, stipulations, or procedural safeguards that might offset the influence of the provider and that might protect the ability of the PSO to operate independently.

Overview of Public Comments: Commenters expressed concern that the proposed rule was not sufficiently specific with respect to the required disclosure statements. They suggested that the emphasis in the proposed rule on the statutory requirement for full disclosure, without a corresponding discussion of the parameters for the contents and level of detail of the statements, raised the prospect that PSOs would feel compelled to develop disproportionately detailed information that might not be germane. One commenter suggested what was most important is awareness of the fundamental relationship(s) that exist, not the specific details, suggesting that if the provider in question is the parent entity of the PSO, it should be sufficient to know that the parent-provider is the source of financial support to the PSO, employs its workforce, and provides management to its activities.

In addition, there was concern that since the disclosure statements are going to be made public, detailed submissions regarding the financial and contractual obligations would make it difficult to maintain the confidentiality of potentially sensitive business information. Several commenters noted that it is not unusual for certain types of contractual work with commercially sensitive implications to include confidentiality agreements and one commenter suggested that the process permit a PSO to request that the Secretary not disclose specific information under certain circumstances.

A number of commenters expressed concern about the potential unintended consequences of disclosure, especially with respect to the identity of providers. One commenter raised concern that the requirement would lead to "differential" disclosure, by which the commenter meant that, of the total number of providers with which a PSO enters contracts, only those with other relationships would have their names disclosed and the other providers would not have their names made known through the proposed public release of disclosure statements by the Secretary.

Final Rule: After careful review of the comments, the Department has reconsidered its approach to this disclosure requirement and has made modifications to the text that are incorporated in the final rule. Based upon this review, we have shifted the emphasis of the term "fully disclose" from stressing the level of detail that a PSO must provide in describing each of the other types of relationships (listed below) that the PSO has with a contracting provider to an emphasis on requiring that the PSO disclose clearly and concisely every relationship that requires disclosure. This shift in emphasis remains consistent with our overall emphasis on transparency; without being burdensome, it enables both the Secretary and providers considering contracts with a PSO to request additional information regarding any relationships of concern. We have adopted a clearer and narrower interpretation of the disclosures of relationships that must be made in view of concerns expressed by commenters about the scope of the required reports. In response to requests for more guidance on the required submissions, this final rule calls for a two-part disclosure statement and describes what must be included in each part.

These modifications to the final rule reflect several considerations. The Department has concluded that the Patient Safety Act does not provide incentives for a provider to control or manipulate the findings of a PSO with respect to its own patient safety information. A PSO's conclusions and recommendations are patient safety work product and, whether the PSO is critical or complimentary of the provider or the provider agrees or disagrees with the PSO, the PSO analysis and guidance remains confidential and privileged under the Act, which means that there are constraints on the ability of a provider to disclose the PSO's conclusions and recommendations. Even when they can be disclosed, calling the public's attention to positive findings is likely to engender scrutiny of the extent to which the provider's relationship with its PSO is truly an arms-length relationship. In sum, providers have little to gain under the statute's framework from attempting to control or manipulate the analyses and findings of a PSO.

At the same time, the Department expects the statutory disclosure requirements, coupled with public release of disclosure statements and the Secretary's findings as provided by § 3.104(b), will provide important and useful information to providers seeking to contract with a PSO. As we pointed out in the proposed rule, a provider seeking to contract with a PSO will have its own standards for what other PSO relationships it considers to be acceptable. Therefore, the submission and public release of this information should improve the efficiency of the search process by providers.

In light of these considerations, the Department has determined that the most appropriate interpretation of the statutory requirement to "fully disclose" other relationships is to emphasize the need to require the disclosure of every pertinent relationship specified by the statute. Providers that are considering entering a contract with a PSO can determine for themselves if any disclosed relationships pose concerns. If so, they can then request further detailed information as they see fit. This approach has the further benefit of limiting the potential for inappropriate release of proprietary or commercial information, another matter of concern to commenters. The Department will protect confidential commercial information as permitted by the Freedom of Information Act and in accordance with 18 U.S.C. 1905.

Thus, in making his required determination, the Secretary will both give great weight to, and hold a PSO accountable for, its attestation that it will fully disclose all relationships required to be reported and whether the PSO's operations, management, and control are not independent of any provider with whom it has entered a Patient Safety Act contract. The Secretary retains the authority to require an entity to provide more detailed information if necessary to make his required determination under 42 U.S.C. 299b-24(c)(3) regarding the ability of the PSO to fairly and accurately perform its patient safety activities in light of any reported relationships.

The final rule retains the general framework of the proposed rule for a PSO to use in determining when a disclosure statement must be submitted. The two thresholds remain unchanged. The disclosure requirement only applies when a PSO has entered a contract that provides the protections of the Patient Safety Act, i.e., a Patient Safety Act contract, and the PSO has other relationships with that contracting provider of the types specified below. A disclosure statement is not required if the PSO has a Patient Safety Act contract with a provider and the relationships described below are not present, nor is a disclosure statement required if the relationships are present but there is no Patient Safety Act contract.

We have restructured the text in the final rule. There are now three paragraphs: a restatement of the requirement in paragraph (i), a description of the required content of a disclosure statement in paragraph (ii), and the deadlines for submission of disclosure statements set forth in paragraph (iii).

Section 3.102(d)(2)(i) contains the following substantive changes. Compared with the requirements of the proposed rule, this paragraph eliminates the need to submit a disclosure statement if the PSO's only other relationships with this contracting provider are limited to Patient Safety Act contracts.

In response to commenters' questions and concerns, we have modified the text describing the statutory list of disclosures: contractual, financial, and reporting relationships are incorporated in subparagraphs (A)-(C) and control, management, and operation of the PSO, independent from the provider, is incorporated in subparagraph (D). We have narrowed the language in paragraphs (A)-(C) by limiting the required disclosures to current contractual, financial, and reporting relationships and restating the requirements to emphasize that disclosure is only required for relationships other than those in Patient Safety Act contract(s). We have restated and streamlined the language of subparagraph (A) to emphasize contracts and arrangements that impose obligations on the PSO.

We have retained the substantive requirements for financial relationships. Based upon comments received, we have determined that if the PSO is a membership organization, the Department does not consider dues or other assessments applied to all members to constitute a financial relationship for this purpose. The rule narrows the scope of subparagraph (C), where the text narrows the definition of reporting relationships to those in which this contracting provider has access to information about the work and internal operation of the PSO that is not available to other contracting providers. By focusing on this particular aspect of reporting relationships, we have tried to make plain that it is not our intent to collect information regarding the multiple ordinary types of reporting relationships that exist routinely between contracting parties. We have made the requirement narrower both for clarity and simplicity. The deleted reference to control is addressed by subparagraph (D), which we have narrowed to simply restate the statutory language on what must be disclosed or reported regarding management, control, and operation independent of the contracting provider. We deleted the language requiring a PSO to assess whether any of the relationships in what is now subparagraph (D) might impair its ability to perform patient safety activities fairly and accurately because PSOs will now address these issues in the required narrative that comprises the second part of the disclosure statement, described below.

New § 3.102(d)(2)(ii) specifies the two required parts of a disclosure statement. The first part must disclose in summary form succinct descriptions of all of the obligations that the PSO has with this provider. The second part must be a related short narrative (we recommend no more than 1,000 words) that addresses the issues described below and is intended to explain the measures taken by the PSO to assure that its analyses and findings are fair and accurate.

We use the term "obligations," rather than the statutory term "relationships," in § 3.102(d)(2)(ii) of the rule for the following reason. If a PSO has multiple relationships with a provider, many of these relationships are likely to be both contractual and financial (and may involve other relationships for which the statute requires disclosure). A disclosure statement that was organized by the four types of relationships that require disclosure (subparagraphs (A)-(D) discussed above) would be confusing and difficult to interpret since items in different categories would be related. For example, if the PSO already has a contract with a provider to render a service for which it is paid, we do not see the benefit of having the contract listed in one reporting category and the financial relationship in another reporting category since they are clearly related.

Therefore, in drafting the required disclosure statement, a PSO should address the four statutorily-required disclosures discussed above as aspects of the separate obligations or arrangements that exist between a PSO and the provider with which the PSO is entering or has a Patient Safety Act contract. A PSO should focus on clarity and brevity in explaining each obligation in a single paragraph: a sentence or two describing the nature of the obligation, and the remainder of the paragraph should address each of the four required disclosures that are present and specifically note any of the four that are not.

As we use the term, an obligation is not limited to services that a PSO renders to a provider (such as developing information and undertaking analyses or providing a service or technical assistance). An obligation could also reflect a PSO's relationship with an investor or owner and any arrangement that affects the PSO's independence or involves any of the statutorily-required disclosures described above. In developing its list, a PSO should not combine separate and distinct obligations such as more than one contract, nor should it disaggregate a single obligation. For example, if a PSO undertakes technology assessments and has three separate contracts for different assessments, these would be three separate obligations and should be reported separately. On the other hand, an obligation that has more than one task, such as providing assistance in implementing and evaluating a process improvement, should only be listed once; we are not suggesting that PSOs report separately on the different elements of a single unified project.

To apply these concepts, consider a hospital that was one of five hospitals that invested in the creation of a PSO and the hospital subsequently enters a Patient Safety Act contract with the PSO. If this investment is the only obligation other than the Patient Safety Act contract that exists between the PSO and the provider, the PSO's disclosure statement would include only one obligation and it could be described in a single paragraph. Within that paragraph, the PSO should systematically address the required statutory disclosures or note that they are not present. In addressing financial relationships, the PSO should not include the amount of the investment or specific terms. In this case, the required paragraph would describe the essential nature of the financial relationship, e.g., it is a loan requiring repayment over X years; it is a long-term investment requiring the payment of dividends, etc., whether it was formalized by a contract, whether a reporting relationship exists, e.g., the provider has access to internal quarterly financial statements not available to other providers, and whether the obligation gives the provider any ability to control or manage the PSO's operations, e.g., the provider has a seat on the board or review or veto authority over new clients, specific contracts, budgets, staff hiring, etc.

If the PSO is a subsidiary of a health system, the paragraph could indicate that the PSO is a subsidiary of the provider, the provider is the primary source of revenue for the component PSO, the types of internal PSO information to which the provider has access, e.g., all financial, personnel, administrative internal information, and that the provider manages or controls (or has review and approval authority) of day-to-day decision-making, hiring and firing decisions, etc. By incorporating the required statutory disclosures into a succinct discussion of the obligations that a PSO has with this provider, we anticipate that the descriptions will be more comprehensible.

Part II of a disclosure statement must describe why or how the PSO, given the disclosures in part I, can fairly and accurately perform patient safety activities. The PSO must address: the policies and procedures that the PSO has in place to ensure adherence to professional analytic standards and objectivity in the analyses it undertakes; and any other policies, procedures, or agreements that ensure that the PSO can fairly and accurately perform patient safety activities.

Section 3.102(d)(2)(iii) of the rule retains the deadlines for submission of disclosure statements that were included in the proposed rule.

Response to Other Public Comments

Comment: One commenter asked that we exempt a PSO with fewer than 5 clients from releasing the names of its clients.

Response: We note that a PSO never has to reveal the names of its clients (providers) as long as the PSO does not have the other types of relationships described in this subsection with those providers. However, when such relationships are present, the statute does not provide authority for us to create such exceptions.

Comment: One commenter asked that we clarify that the required disclosures can be made in a way that the PSO does not breach the confidentiality requirements that may be a part of another contractual arrangement with a contracting provider.

Response: The Department cannot make a definitive statement that such confidentiality agreements can always be honored; this requires a case-by-case determination. A PSO is encouraged to discuss the issue with AHRQ staff before submitting a disclosure statement. As noted above, the agency's public disclosures are constrained by 18 U.S.C. 1905, but agency officials have some discretion with respect to determining what information would be restricted under that statute. We note also that the agency has the discretion to deny Freedom of Information Act requests for information it regards as confidential commercial information (5 U.S.C. 552(b)(4)). Agency determinations will be assisted by explanations of what is viewed by a submitter as confidential commercial information and the reasons why that is the case.

Comment: One commenter posed a series of questions related to an entity that seeks listing that receives general membership dues or assessments, i.e., whether such general dues or assessments would be considered financial relationships and, therefore, require the filing of disclosure statements. The commenter also asked if disclosure of such membership dues or assessments is required under any other section of the rule.

Response: The Department has determined that membership dues or general assessments applied to all members do not constitute "financial relationships" between a provider and a PSO. There is no other section of the rule that would require disclosure of membership dues or assessments. Before seeking listing, however, a membership organization should carefully assess whether it meets the statutory requirement that its primary activity must be the conduct of activities to improve patient safety and the quality of health care delivery.

(2) Section 3.104-Secretarial Actions

(A) Section 3.104(a)-Actions in Response to Certification Submissions for Initial and Continued Listing as a PSO

Proposed Rule: Section 3.104(a) described the actions that the Secretary could and will take in response to the certification material submitted for initial or continued listing as a PSO. We proposed that, in making a listing determination, the Secretary would consider the submitted certifications, issues related to the history of the entity, and any findings by the Secretary regarding disclosure statements. The proposed rule also included authority for the Secretary, under certain circumstances, to condition the listing of a PSO. We did not propose a deadline for Secretarial review of certifications submitted, but noted that we expect the Secretary to be able to conclude review within 30 days of receipt unless additional information or assurances are required.

Overview of Public Comments: We received several comments pertaining to this section. One comment endorsed the proposed provision. Another requested that we modify the rule to require Secretarial action within 60 days. A third commenter recommended that the Secretary establish timetables for all actions and opposed open-ended timeframes.

Final Rule: We have retained the text from the proposed rule with two modifications. The text of § 3.104(a)(1)(iii) of the proposed rule stated that the Secretary may require conditions for listing as part of his review of disclosure statements submitted pursuant to § 3.102(d)(2); that text has been retained. We also noted in the preamble discussing proposed § 3.104(a) that there may be certain circumstances in which the Secretary determines that it would not be prudent to rely solely on the certifications for listing submitted by an entity that was previously revoked and delisted for cause or previously refused listing by the Secretary. In such limited circumstances, we suggested the Secretary may seek additional assurances from the PSO that would increase the Secretary's confidence that, despite the history of the entity and its officers and senior staff, the entity could now be relied upon to comply with its statutory and regulatory obligations. To reflect the potential need for assurances in such cases, and to better align the text with the preamble discussion of the proposed rule, we have modified the text of § 3.104(a)(1)(iii) to permit the Secretary to condition the listing of a PSO in this limited circumstance to ensure that such a PSO honors the assurances it makes in seeking listing.

The second change is a conforming modification to the basis for the Secretary's determination in § 3.104(a)(2), which specifically recognizes the right of the Secretary to take into account any history of or current non-compliance with requirements of the rule by officials and senior managers of the entity. This change also mirrors the requirement in § 3.102(a)(1) that entities seeking listing inform the Secretary if their officials or senior managers held comparable positions in a PSO that was delisted or with an entity that was denied listing by the Secretary.

We have not accepted the commenter's recommendation to establish a regulatory deadline of 60 days for Secretarial action. This is a novel initiative and without a better sense of the potential issues that may arise, such as when a delisted PSO seeks a new listing, we are reluctant to circumscribe the flexibility that the statute and the proposed rule provided the Secretary. In addition, the statute requires an affirmative acceptance and listing action by the Secretary. Listing cannot occur as a result of any failure to meet a deadline. Accordingly, we have not adopted the recommendation.

(B) Section 3.104(b)-Actions Regarding PSO Compliance With the Minimum Contract Requirement

Proposed Rule: Section 3.104(b) of the proposed rule stated that, after reviewing the required notification from a PSO regarding its compliance with the minimum contract requirement, the Secretary would, for a PSO that attests that it has met the requirement, acknowledge in writing receipt of the attestation and include information on the list of PSOs. If the PSO notifies the Secretary that it has not yet met the requirement, or if notification is not received from the PSO by the required date, the proposed rule stated that the Secretary would promptly issue a notice of a preliminary finding of deficiency and provide the PSO an opportunity for correction that will extend no later than midnight of the last day of its applicable 24-month assessment period. If the Secretary verifies that the PSO has not met the requirement by the last day of the 24-month period, he would issue a notice of proposed revocation and delisting.

Overview of Public Comments: We received no comments on this subsection.

Final Rule: The final rule incorporates the substance of the NPRM text without modification but restructures the text for clarity. The restructured text clarifies that the Secretary will only issue a notice of a preliminary finding of deficiency after the date on which a PSO's notification to the Secretary is required by § 3.102(d)(1).

(C) Section 3.104(c)-Actions Regarding Required Disclosures by PSOs of Relationships With Contracting Providers

Proposed Rule: Section 3.104(c) of the proposed rule stated that the Secretary would evaluate a disclosure statement submitted by a PSO regarding its relationships with contracting providers by considering the nature, significance, and duration of the relationships between the PSO and the contracting provider. We sought public comment on other appropriate factors to consider. The statute requires disclosure of the Secretary's findings, and we proposed public release, consistent with the Freedom of Information Act and 18 U.S.C. 1905, of PSO disclosure statements as well.

This proposed section also listed the statutorily permissible actions that the Secretary could take following his review: conclude that the disclosed relationships require no action on his part or, depending on whether the entity is listed or seeking listing, condition his listing of the PSO, exercise his authority to refuse to list, or exercise his authority to revoke the listing of the entity. The Secretary would notify each entity of his findings and decisions.

Overview of Public Comments: One commenter suggested that our proposal that the Secretary consider the nature, significance, and duration of the relationship in evaluating the relationships had no statutory foundation. Another commenter suggested that we take into account corrective action. Several commenters proposed that we rely upon the inter-agency work group that is assisting AHRQ in developing common formats and definitions for reporting patient safety work product to assist in developing disclosure statements. One commenter suggested that we create a "safe harbor" for multi-hospital parent organization systems that contract with a PSO on behalf of some or all of its hospitals so that a disclosure statement would not be required, deeming that the component PSO of a multi-hospital organization can perform patient safety activities fairly and accurately. Another suggestion was that the Secretary should adopt a standard requiring that there be no conflicts of interests.

Final Rule: We have retained much of the text from the proposed rule but have modified the paragraph setting forth the basis for the Secretary's findings regarding disclosure statements. In light of the comments, we have deleted the reference to "nature, significance, and duration" as not appropriate in every circumstance. The modification to the rule now requires the Secretary to consider the disclosures made by the PSO and an explanatory statement from the PSO making the case for why the PSO can fairly and accurately perform patient safety activities.

We have not adopted the other suggestions. As we discuss above, with respect to § 3.102(d)(2), we agree with the commenter that there is little reason for a provider organization to exert inappropriate control over its component PSO. At the same time we do not believe the statute permits us to waive Secretarial review under any set of circumstances.

We do not agree with commenters that the common formats inter-agency work group is the appropriate group to address disclosure statements. At this time, their informatics and clinical expertise and responsibilities are not congruent with assisting in the design or substantive requirements for disclosure statements.

(D) Section 3.104(d)-Maintaining a List of PSOs

Proposed Rule: The proposed rule sought to incorporate in § 3.104(d) the statutory requirement that the Secretary compile and maintain a list of those entities whose PSO certifications have been accepted and which certifications have not been revoked or voluntarily relinquished. We proposed that the list would include information related to certifications for listing, disclosure statements, compliance with the minimum contract requirement, and any other information required by this Subpart. We noted that we expected to post this information on the AHRQ PSO Web site, and sought comment on whether there are specific types of information that the Secretary should consider posting routinely on this Web site for the benefit of PSOs, providers, and other consumers of PSO services.

Overview of Public Comments: In addition to the list in the proposed rule, several commenters urged that we post the contact information for the parent organizations, subsidiaries, and affiliates, a list of states in which the parent organization does business, and the business objectives of the parent organizations, and whether each parent organization is for-profit or not-for-profit.

Two commenters suggested that the Secretary's guidance on common reporting formats and definitions should be available on the PSO Web site. One commenter urged that the final rule and contact information for AHRQ staff should also be available there. Another commenter suggested that, since AHRQ works with PSOs, the value to prospective providers would be increased if we posted information on areas of specialization of individual PSOs and used the Web site as one tool for facilitating confirming analyses by other PSOs of initial work.

Final Rule: The final rule incorporates the proposed rule text without modification. We have not modified the text of the rule because most of the recommendations relate to information that AHRQ will be receiving or producing for PSOs and can be posted to the Web site without additions or changes to the rule text. Recommendations to post information related to AHRQ staff and the final rule can be done without regulation as well. As AHRQ provides technical assistance to PSOs and works with the provider community to encourage the use of PSO services, we expect to publish information on the Web site that PSOs and the provider community request. In addition, the names and contact information of parent organizations of component PSOs and other information submitted at listing will be posted in accordance with the proposed rule text.

Commenters urged us to post some information that we have no plans to collect, and, therefore, we have not accepted their recommendations. Most of these recommendations related to the business objectives, or the for-profit or not-for-profit status of parent organizations of component PSOs. In our view, requiring component organizations to submit such information would be burdensome and unnecessary. Providers will be able to find that information by using the published contact information on PSOs and parent organizations.

(E) Section 3.104(e)-Three-Year Period of Listing

Proposed Rule: Section 3.104(e) proposed that listing as a PSO would be for three years, unless the Secretary revokes the listing or the PSO voluntarily relinquished its status. We also proposed that the Secretary would send a written notice of imminent expiration to a PSO no later than 45 calendar days before its listing expires if the Secretary has not received a certification seeking continued listing. We sought comment on a requirement that the Secretary publicly post the names of PSOs to which a notice of imminent expiration has been sent.

Overview of Public Comments: Commenters were virtually unanimous that, at the time we send a PSO a notice of imminent expiration, we should post similar information on the AHRQ PSO Web site. Several commenters suggested that PSOs should be required to notify providers that the PSO has received a notice of imminent expiration and expressed concerns about the time needed for providers to make alternative arrangements. One commenter suggested that notice to providers should be a part of the contract with the PSO. Another suggested that the Department establish an email listserv that providers could join for alerts such as this. One commenter opposed public notice and one expressed conditional support, provided the Department ensured the accuracy of the information on the Web site.

Final Rule: We have modified and redrafted § 3.104(e) of the final rule. The final rule retains the proposed provision that the period of listing will be for three years, unless revoked or relinquished. The first modification is that this section now explicitly provides for the automatic expiration of a PSO's listing at the end of three years, unless the Secretary approves its certification for continued listing before the date of expiration. By incorporating this modification and making the process automatic, we have been able to eliminate the proposal in § 3.108(c) for a process we termed "implied voluntary relinquishment." In comparison with the proposed rule approach, which required the Secretary to take affirmative action to delist a PSO that let its certifications lapse, this automatic approach simplifies the administrative process.

We have modified subparagraph 3.104(e)(2) in two ways. We will send a PSO a notice of imminent expiration even earlier (at least 60 days rather than 45 days) before its certifications expire. We adopted the earlier notification date in response to general concerns reflected in the comments about the time a provider needed to make alternative arrangements and to ensure sufficient time for the Secretary to review and make a determination regarding certifications for continued listing. The second modification incorporates our proposal to post a notice on the AHRQ PSO Web site, for which commenters expressed strong support. In combination, we expect these modifications will provide both the PSO and the providers from which it receives data sufficient notice that the entity's period of listing is drawing to a close.

We have not incorporated the recommendation to require PSOs receiving the notice to contact all providers. We expect most providers and PSOs to take advantage of AHRQ's existing listserv that will provide electronic notice to all subscribers when a notice such as this is posted on the AHRQ PSO Web site. Providers will also be able to sign up on the web site to receive individual emails if their PSO becomes delisted. In this way, we can be assured that notification is sent to, and received by, all interested parties.

(F) Section 3.104(f)-Effective Date of Secretarial Actions

Proposed Rule: The proposed rule in section 3.104(f) states that, unless otherwise specified, the effective date of each action by the Secretary would be specified in the written notice that is sent to the entity. We noted that the Department anticipates sending notices by electronic mail or other electronic means in addition to a hard copy version. We also pointed out that for listing and delisting decisions, the Secretary would specify both an effective time and date for such actions in the written notice to ensure clarity regarding when information received by the entity will be protected as patient safety work product.

Overview of Public Comments: We received no public comments on this subsection.

Final Rule: The final rule incorporates the proposed rule text without modification.

(3) Section 3.106-Security Requirements

Proposed Rule: Section 3.106 of the proposed rule outlined a framework consisting of four categories for the security of patient safety work product that PSOs would consider in developing policies and procedures for the protection of data. Because § 3.106 contains only two subsections and we received few comments, we will discuss both subsections of the rule together.

Section 3.106(a) proposed that the security requirements of this section would apply to each PSO, its workforce members, and its contractors whenever the contractors hold patient safety work product. If contractors cannot meet these security requirements, we proposed that their tasks be performed at locations at which the PSO can meet these requirements. We stated that the rule does not impose these requirements on providers; this Subpart would only apply to PSOs.

Proposed § 3.106(b) would have established a framework consisting of four categories for the security of patient safety work product that a PSO must consider. We proposed that each PSO develop appropriate and scalable standards that are suitable for the size and complexity of its organization.

The four categories of the framework would have included: security management issues (documenting its security requirements, ensuring that its workforce and contractors understand the requirements, and monitoring and improving the effectiveness of its policies and procedures); separation of systems (required physical separation of patient safety work product, appropriate disposal or sanitization of media, and preventing physical access to patient safety work product by unauthorized users or recipients); security control and monitoring controls (ability to identify and authenticate users, an audit capacity to detect unlawful, unauthorized, or inappropriate activities, and controls to preclude unauthorized removal, transmission or disclosures); and policies and procedures for periodic assessment of the effectiveness and weaknesses of its overall approach to security (determine when it needs to undertake risk assessment exercises and specify how it would assess and adjust its procedures to ensure the security of its communications involving patient safety work product to and from providers and other authorized parties).

Overview of Public Comments: There were no public comments that specifically addressed § 3.106(a) of the rule. Commenters focused instead on the overall security framework established by § 3.106(b). The majority of commenters supported the proposed requirements and emphasized the concepts of scalability and flexibility that were reflected in the proposed rule. Two commenters urged the Department to adopt the HIPAA Security Rule instead. Another commenter suggested that the final rule should emphasize the need for PSOs to maintain up-to-date security processes and urged that the final rule specifically recognize that PSOs can include HIPAA Security Rule requirements in their business associate contracts with providers that are covered entities.

While there were few comments overall on this section of the rule, the specific provision that elicited the most concern was the requirement in § 3.106(b)(2) that patient safety work product needed to be maintained securely separate from other systems of records. As discussed above with respect to obligations of component organizations, commenters expressed concern regarding the potential burden of such a requirement and several pointed to the analytic benefits of being able to readily merge data sets for specific analyses. It was recommended that the final rule permit the patient safety work product and non-patient safety work product to be stored in the same database as long as the security requirements are implemented for the database as a whole.

Another commenter pointed to the confusion, inconsistency, and errors that were likely to result from the rule text in which each paragraph began with the words that a PSO "must address" each security issue within the framework while introductory paragraph (b) indicated that PSOs merely needed to "consider" the security framework.

Final Rule: We have modified the text of § 3.106 both to improve its clarity in non-substantive ways and to incorporate several substantive modifications in response to the comments we received. The changes to § 3.106(a) are for clarity. For uniformity and brevity, throughout § 3.106, we have standardized references regarding the application of security requirements to the "receipt, access, and handling" of patient safety work product. The rule text defines "handling" of patient safety work product as including its processing, development, use, maintenance, storage, removal, disclosure, transmission and destruction.

We have incorporated several modifications to the text of § 3.106(b). We have both simplified the text of the opening paragraph of this subsection and substituted the requirement that "PSOs must have written policies and procedures that address" for the language of the proposed rule that stated the "PSO must consider." We agree with the commenter that retention of the proposed rule language would create confusion regarding what is required of a PSO. By retaining the language that permits a PSO to develop specific standards that address the security framework in this section with standards that are appropriate and scalable, we intend to retain flexibility for PSOs to determine how they will address each element of the security framework.

The most significant substantive change in the security framework is in § 3.106(b)(2), which had required the separation of patient safety work product from non-patient safety work product at all times. Based on comments received, we have modified both the title of § 3.106(b)(2) and the text of § 3.106(b)(2)(i). Section 3.106(b)(2) is now entitled "Distinguishing Patient Safety Work Product," rather than "Separation of Systems," and § 3.106(b)(2)(i) recognizes that the security of patient safety work product can be maintained either when patient safety work product is maintained separately from non-patient safety work product or when it is co-located with non-patient safety work product, provided that the patient safety work product is distinguishable. This will ensure that the appropriate form and level of security can be maintained. This change responds to several comments that opposed the absolute requirement for separation in the proposed rule.

While we have, thus, allowed greater procedural flexibility, we caution PSOs to be attentive to ensuring that patient safety work product remains distinguishable at all times if it is not kept separated. To the extent that patient safety work product becomes co-mingled with non-protected information, there is increased risk of impermissible disclosures and violations of the confidentiality requirements of the rule and the Patient Safety Act.

We have also eliminated a reference to a PSO determination of appropriateness that was in the text of the proposed rule in § 3.106(b)(4)(i) as redundant, since the rule permits a PSO to develop appropriate and scalable standards for each element of the security framework, including this element.

Given the strong support for our flexible and scalable framework, we have not adopted recommendations of two commenters to substitute the HIPAA Security Rule for these provisions. We would expect that PSOs that are familiar with, and have existing rules that implement, the HIPAA Security Rule will incorporate those standards as appropriate, when they develop their written policies and procedures to implement security for the patient safety work product they receive, access and handle. The security framework presented here does not impose any limitations on the ability of PSOs to incorporate or address additional security requirements or issues as the PSO determines to be appropriate. The flexible approach we have adopted should minimize the potential for conflict with the requirements of other programs. By taking advantage of this flexibility, and ensuring that its security requirements also address the requirements of the HIPAA Security Rule, a PSO should be able to meet its obligations as a business associate of any provider that is also a "covered entity" under HIPAA regulations.

(4) Section 3.108-Correction of Deficiencies, Revocation and Voluntary Relinquishment

Section 3.108 establishes the processes and procedures related to correction of deficiencies, revocation, and voluntary relinquishment. Section 3.108(a) establishes the processes and procedures for correction of deficiencies by PSOs and, when deficiencies have not been timely corrected, the process leading to a decision by the Secretary to revoke his acceptance of the entity's certification and delist a PSO. Section 3.108(b) sets forth the actions that the Secretary and a PSO must take following a decision by the Secretary to revoke his acceptance of the entity's certification and delist the entity. Section 3.108(c) establishes the process by which an entity can voluntarily relinquish its status as a PSO. Section 3.108(d) requires publication of notices in the Federal Register whenever an entity is being removed from listing. New § 3.108(e) establishes an expedited process for revoking the Secretary's acceptance of the entity's certification under certain circumstances.

(A) Section 3.108(a)-Process for Correction of a Deficiency and Revocation

Proposed Rule: Section 3.108(a) listed in paragraph (a)(1) the circumstances that could lead to revocation and delisting and the remaining subsections set forth our proposed process for correction by a PSO of a deficiency identified by the Secretary and, if the deficiencies are not timely corrected or cannot be "cured," the process that could lead to the revocation and delisting. We review the entirety of § 3.108(a) here.

Once the Secretary believes that a PSO is deficient in meeting its requirements, proposed § 3.108(a)(2) outlined the processes he would follow. First, the Secretary would send a written notice of a preliminary finding of deficiency; the contents of the deficiency notice are specified in the rule. Following receipt of the notice, a PSO would have 14 days to correct the record by submitting evidence that the information on which the preliminary finding had been based was factually incorrect. The Secretary could then withdraw the notice or require the PSO to proceed with correction. The preamble sought comment on whether there should be an expedited revocation process when deficiencies are not, or cannot, be cured. Public comment and the provisions of the final rule are discussed below in new subsection (e), expedited revocation.

Following the correction period, proposed § 3.108(a)(3) would have required the Secretary to determine whether a deficiency has been corrected. The Secretary could determine:

  1. the deficiency is corrected and withdraw the notice of deficiency;
  2. additional time for, or modification of, the required corrective action is warranted; or
  3. the deficiency is not corrected, the PSO has not acted with reasonable diligence or timeliness, and issue a Notice of Proposed Revocation and Delisting.

Section 3.108(a)(4) would have provided an automatic 30 calendar day period, unless waived by the PSO, for it to respond in writing to the proposed revocation and delisting. If a PSO fails to submit a written response, the Secretary would revoke his acceptance of its certification, and delist the entity. After review of the response and other relevant information, § 3.108(a)(5) proposed that the Secretary could affirm, reverse, or modify the notice of proposed revocation and delisting, and notify the PSO in writing of his decision with respect to any revocation of his prior acceptance of its certification and delisting. We noted that the proposed rule did not include an administrative process for appealing the Secretary's decision to revoke his acceptance of the entity's certification and delist a PSO, and specifically sought public comment on our approach.

Overview of Public Comments: Commenters focused on the due process aspects of subsection (a). While most commenters commended the proposed rule for its focus on working with PSOs to resolve deficiencies and its inclusion of due process elements throughout the process, the commenters recommended that the final rule incorporate an additional opportunity for an administrative appeal of a revocation and delisting decision and expressed concern that the final rule should not limit the due process rights and opportunities that had been proposed.

For example, while several commenters endorsed our overall approach, no commenter specifically stated agreement with our decision not to include an administrative appeal mechanism following a decision by the Secretary to revoke his acceptance of the entity's certification and delist a PSO for cause. The eight commenters that specifically addressed the issue recommended inclusion of such a mechanism.

Final Rule: The final rule incorporates only technical modifications to the text of subsection 3.108(a). The deletion of text in § 3.108(a)(1)(ii) is intended to clarify that the basis for revocation and delisting matches our intent in the proposed rule, i.e., the failure to meet the two-contract requirement, not the failure to timely notify the Secretary that the requirement had been met. In addition, we have incorporated a related new § 3.108(e) that establishes a new expedited revocation process to be used in exceptional circumstances.

Despite the strong support by commenters that we incorporate in the final rule an opportunity for an administrative appeal when the Secretary decides to revoke his acceptance of a PSO's certification and delist a PSO for cause, we have not modified the rule. The process described in § 3.108(a) permits an early response to findings of deficiency and, where facts cited by the Secretary are correct, the process emphasizes that the Department will work with PSOs to correct deficiencies, rather than punishing PSOs for deficiencies. Given the flexibility and extensive nature of the communication and correction opportunities and procedures outlined in § 3.108(a), we expect that the revocation process will be utilized rarely, and only after significant efforts have been made to bring a PSO back into compliance. However, if a PSO is not working with us in good faith to correct any remaining deficiencies, there must be a timely finality to the process. For this system to work, providers must have confidence that the Department will act in a timely manner when a PSO chooses not to meet its statutory and regulatory obligations.

Response to Other Public Comments

Comment: One commenter recommended that the rule provide some degree of transparency regarding PSOs that have received notice of deficiencies by posting some limited information about this on the PSO Web site.

Response: The Department gave careful consideration to this comment because of our overall commitment to providing transparency wherever possible. Our conclusion is that we will not post information on deficiencies because of our concern that this will undermine another of our objectives, which is to promote and permit correction of deficiencies in a non-punitive manner. Providers considering entering a contract with a specific PSO are, of course, free to seek information from the PSO regarding whether it has received deficiency notices and is currently under an obligation to take corrective actions.

Comment: Another commenter suggested that the final rule specifically recognize the authority of the Secretary, if warranted by the circumstances that led to the delisting of a PSO, to debar the entity from seeking a new listing for a period of time.

Response: We have not adopted this specific suggestion, but we note that the Secretary is not required to relist an entity automatically. The Secretary can and will take into account the reasons for the revocation and delisting and the entity's compliance with its obligations following revocation and delisting.

Comment: Several commenters suggested that the period of time provided to the PSO to submit a written response to a notice of proposed revocation and delisting should be expanded from 30 days to 45 days.

Response: We have not accepted this recommendation. We recognize the importance of striking a balance between providing an entity sufficient time to respond to such a notice and ensuring that providers can have confidence that the Department will act in a timely manner when a PSO does not meet its obligations. It is important to realize that by the time the PSO receives a notice of proposed revocation and delisting under the process set forth in § 3.108(a)(3), the Department has already worked with the PSO to correct the deficiencies and has indicated remaining problems so the PSO will have reason to anticipate any such notice of proposed revocation in advance of its issuance. Thus the PSO, realistically, will have more than 30 days to prepare its response to a proposed revocation.

Comment: One commenter suggested that, if the Secretary determines that the PSO has conflicts of interest, this should serve as a basis for proceeding directly to revocation.

Response: The Department recognizes the commenter's underlying point that conflicts of interest may, in fact, not be curable and thus, in certain circumstances, may warrant proceeding directly to revocation. To the extent that such a conflict of interest provides a basis for the Secretary determining that continued listing would have serious adverse consequences, we could address it under § 3.108(e), the subsection establishing the new expedited revocation process. We should note that, in crafting that new authority, the Department believed that it had an obligation to establish a process for truly exceptional circumstances. We do not intend to use this authority as a substitute for the normal process established by subsection (a). Thus, if a conflict-of-interest does not raise the prospect of serious adverse consequences for providers or others, it is our intention to use the correction processes of subsection (a).

Comment: Would a provider's patient safety work product be at risk if the Department failed to alert the provider in a timely manner of a deficiency in its PSO?

Response: No. As we pointed out in the preamble discussion of § 3.108 in the proposed rule, the presence of deficiencies or the fact that an entity is undergoing revocation has no impact on the information submitted to the entity by providers until the date and time that an entity is revoked and removed from listing. If the PSO is revoked and delisted for cause, the statute provides an additional 30-day period that begins at the time of delisting during which data reported to the former PSO receives the same protections as patient safety work product.

(B) Section 3.108(b)-Revocation of the Secretary's Acceptance of a PSO's Certification

Proposed Rule: When the Secretary makes a determination to remove the listing of a PSO for cause, proposed § 3.108(b)(1) required the Secretary to establish, and notify the entity of, the effective date and time of its delisting and inform the entity of its obligations under §§ 3.108(b)(2) and 3.108(b)(3).

Section 3.108(b)(2) proposed to implement two statutory provisions. First, the former PSO would be required to notify providers with which it has been working of its removal from listing and confirm to the Secretary within 15 days of the date of revocation and delisting that it has done so. In light of the brief notification period, we sought comment on whether there are other steps the Secretary should take to ensure that affected providers receive timely notice. Second, this subsection would have reaffirmed the continued protection of patient safety work product received while the entity was listed. In addition, any data received by the former PSO from a provider in the 30 days following the date of revocation and delisting would be accorded the same protections as patient safety work product. We noted that this additional period of protection was only for the benefit of providers reporting data; it would not permit a former PSO to continue to generate new patient safety work product.

Section 3.108(b)(3) proposed to implement the statutory requirements regarding the disposition of patient safety work product or data following revocation and delisting of a PSO. The three alternatives provided by the statute are: transfer of the patient safety work product with the approval of the source from which it was received to a PSO which has agreed to accept it; return of the patient safety work product or data to the source from which it was received; or, if return is not practicable, destruction of such work product or data. We noted that the text of the proposed rule refers to the "source" of the patient safety work product or data; this would be a broader formulation than the statutory language and includes individuals. The statute does not establish a time frame for a PSO to comply with disposition requirements; we sought comment on setting a deadline.

Overview of Public Comments: Most commenters addressed the specific questions raised in the proposed rule, although a few commenters raised questions and offered recommendations related to the requirements for disposition of patient safety work product. In response to the Department's question in the proposed rule of whether there were other steps that the Secretary could take to ensure that providers were informed when a PSO to which they reported data was revoked and delisted, many commenters concluded that the statutory requirement for notification by the former PSO was sufficient. Others urged AHRQ to post notices of revocation and delisting on the PSO Web site. Several commenters urged the Secretary to require the former PSO to provide AHRQ with a list of its providers when it submits its required confirmation 15 days after revocation that it has notified providers. Presumably, the intent was to permit the Secretary to follow up with these providers to confirm that they had been notified.

There were only three comments in response to our question in the proposed rule whether it was appropriate to require disposition of patient safety work product that was received from all sources. Two comments supported our interpretation of the statutory requirement. One commenter raised concerns that this requirement could be difficult to accomplish.

Commenters strongly supported inclusion in the final rule of a deadline by which former PSOs needed to complete their disposition of patient safety work product. Some commenters suggested that we follow existing HIPAA guidelines and others suggested that the rule set a deadline, ranging from 90 days to 180 days following the date of revocation. One commenter suggested setting standards linked to the volume of patient safety work product held by the former PSO.

The options for disposition of patient safety work product elicited a number of comments. Some noted the difficulty of returning patient safety work product to its source as the former PSO closes its operations and expressed concern that destruction was not an option until the PSO concluded that returning the work product was not possible. In the view of this commenter, this could lead a PSO to simply abandon the patient safety work product since it may have neither time nor resources to contact the sources of the work product. However, most commenters focused on the importance of identifying ways to avoid destruction of patient safety work product.

Final Rule: Section 3.108(b) has been modified in several ways. The first changes, in § 3.108(b)(1), are technical changes. The first change renames the section to more accurately describe its provisions. The second technical change incorporates two additional cross-references to the ability of the Secretary to revoke his acceptance of a PSO's certifications and delist an entity pursuant to the new expedited revocation process established in § 3.108(e).

We have not imposed any new requirements on the Department in § 3.108(b)(2) to notify providers. Many commenters did not see the need for additional intervention by the Department and several commenters suggested additional steps that we can and will take independent of the rule. For example, AHRQ has already established an email-based listserv for individuals interested in electronic alerts regarding the agency's implementation of the Patient Safety Act. Following publication of the final rule, AHRQ will encourage all interested providers and PSOs to add their names to the listserv, which will provide immediate notification when the Secretary takes actions related to the listing and delisting of PSOs or posts significant new information on AHRQ's PSO Web site. Providers will also be able to sign up on the Web site to receive individual emails if their PSO becomes delisted.

We have modified § 3.108(b)(2) in another way. This paragraph retains the restatement that was in the proposed rule of the statutory assurances regarding the continued protections for patient safety work product reported to a PSO before the effective date of a revocation and delisting action by the Secretary and the protections for data reported to the former PSO during the 30-day period following the date of delisting. The modification requires the former PSO to include this information in its notices to providers regarding its delisting. We incorporated this modification to better effectuate the statutory purpose by ensuring that the providers contacted by the former PSO are aware of these protections for the data they may still want to report during the 30-day period.

Several commenters sought ways to preserve patient safety work product and data for continued learning. However, the requirements for disposition of patient safety work product and "data" in the final regulation follow the statutory formulation. We note that "data" in this context refers to information submitted to a former PSO in the 30 days following its delisting. Some amount of patient safety work product can be preserved if the PSO shares or discloses this information prior to the effective date of its revocation as permitted by the rule, e.g., to other PSOs in non-identifiable or anonymized form.

We have modified the text of § 3.108(b)(3) in one respect. In response to comments, we require the disposition requirement to be completed within 90 days. Some commenters suggested that we follow existing HIPAA guidelines in establishing deadlines for the disposition of patient safety work product. Neither the HIPAA Privacy Rule nor the HIPAA Security Rule has deadlines for the disposition of protected health information. Providers are, of course, free to establish in their contracts an earlier date for disposition of their patient safety work product or data and may provide prior authorization for transfer to another PSO.

Response to Other Public Comments

Comment: One commenter asked whether the disposition requirement applies to non-identifiable patient safety work product, such as data reported anonymously by hospitals.

Response: The statutory section on disposition of patient safety work product does not make an explicit distinction between disposition of identifiable and non-identifiable patient safety work product and data, nor does the final rule in the disposition requirements. The Department reads this disposition requirement as applying to both identifiable and non-identifiable patient safety work product and data. We note that Subpart C permits disclosure of non-identifiable patient safety work product at any time by a PSO. However, after the date and time that the Secretary sets for revocation and delisting, the former PSO must follow the prescribed disposition requirements. Thus, prior to the effective date and time of a PSO's delisting, the PSO can transfer to another PSO non-identifiable and anonymized patient safety work product, without consent of the source(s) of that information.

Comment: One commenter suggested that there may be good business reasons for a former PSO that has been delisted to retain patient safety work product and asked that we provide that option.

Response: The statutory disposition requirement does not permit such an option for an entity that is revoked and delisted for cause, and the final rule mirrors this limitation. A PSO that voluntarily relinquishes its status is required to attest that it has made all reasonable efforts to comply with the disposition requirements.

Comment: One commenter noted that the disposition options appear to be premised on a concept of the source's ownership interest in the patient safety work product provided to the PSO. Noting that as PSOs continue to aggregate data from multiple providers or through the sharing of work product with other PSOs, the commenter asserted that at some point the PSO's work product becomes its own. The question to consider is whether this distinction can be made in applying the disposition requirement.

Response: The Department reads the disposition requirement of the Patient Safety Act to apply to all patient safety work product and data held by an involuntarily delisted former PSO. Most work product created by PSOs will be based upon reports from providers. While the commenter points to repeated aggregation of data from larger and larger numbers of providers as making the linkage to the reporting providers more tenuous, in our view the linkage remains as long as there is information that identifies any source of the data in the analysis. The linkage is only broken when the source(s) is (are) truly non-identifiable. As we noted above, the statute does not make a distinction between identifiable and non-identifiable information, so the disposition requirements apply to both.

Comment: One commenter noted that certain public PSO entities may face conflicts with state laws or regulations that establish requirements for the disposition of information that they hold.

Response: The final rule's requirements for disposition of patient safety work product would preempt conflicting state statutory requirements for disposition of information when it is patient safety work product.

Comment: What are the responsibilities of a contractor holding patient safety work product under contract with a PSO that is revoked and delisted for cause?

Response: The contractor must return the former PSO's patient safety work product that it is holding for disposition as required by the rule.

(C) Section 3.108(c)-Voluntary Relinquishment

Proposed Rule: Section 3.108(c)(1) proposed two circumstances under which a PSO would be considered to have voluntarily relinquished its status as a PSO: when a PSO advises the Secretary in writing that it no longer wishes to be a PSO, and when a PSO permits its three-year period of listing to expire. To ensure that such a lapse is not inadvertent, the proposed rule would require the Secretary to send a notice of imminent expiration 45 calendar days before the expiration of its period of listing.

We proposed in § 3.108(c)(2) that a PSO seeking to relinquish its listing should include in its notification to the Secretary attestations regarding its compliance with the provider notification and patient safety work product disposition requirements, and would have required appropriate contact information for further communications from the Secretary. The Secretary would be authorized by § 3.108(c)(3) to accept or reject the PSO's notification. We sought comment on our preliminary conclusion that, when a PSO voluntarily relinquishes its status, the statutory provisions providing protections for an additional 30 days for data submitted to the former PSO by providers do not apply.

Section 3.108(c)(4) would have enabled the Secretary to determine that implied voluntary relinquishment has taken place when a PSO permits its listing to expire. The Secretary would remove the entity from the list of PSOs at midnight on that day, notify the entity, and request that the entity make reasonable efforts to comply with the provider notification and patient safety work product disposition requirements, and to provide appropriate contact information. Finally, § 3.108(c)(5) proposed that voluntary relinquishment would not constitute a deficiency as referenced in subsection (a).

Overview of Public Comments: Public comment on the proposed provisions for voluntary relinquishment focused primarily on the two questions raised in the proposed rule.

Two commenters agreed with our interpretation that the statute limited the application of the additional protections for data submitted by providers to a former PSO in the 30-day period following the date and time of revocation and delisting to situations in which the PSO had been revoked and delisted for cause. A number of commenters argued for inclusion of a 30-day period of continued reporting for PSOs that voluntarily relinquished their status. They noted the importance of comparability but did not provide a legal rationale for reading the statute differently.

The second question posed by the proposed rule was the appropriateness of paragraph (c)(5) which would eliminate the right to challenge any decision by the Secretary regarding voluntary relinquishment. Several large provider groups supported our position while others argued that a PSO should always have the right to challenge or appeal any decision by the Secretary.

Final Rule: We have modified and narrowed the scope of voluntary relinquishment in the final rule. We have eliminated from this section the application of voluntary relinquishment to situations in which a PSO has let its certifications lapse. As noted above, we have modified § 3.104(e) to make expiration of a PSO's listing automatic in these circumstances. Revised § 3.108(c) provides for voluntary relinquishment in only one circumstance: when a PSO writes the Secretary seeking to relinquish its listing as a PSO.

We have carefully reviewed again the statutory authority that enables PSOs that have their listing revoked for cause to continue to receive data for 30 days following the date and time of revocation and delisting that will be treated as patient safety work product. We reaffirm our interpretation that the statutory authority does not apply to an entity seeking to voluntarily relinquish its status as a PSO. Commenters provided no basis for a different reading of the statute. Accordingly, we have not incorporated any change in the rule.

We have also deleted inappropriate references to "patient safety work product and data" in § 3.108(c)(2) and replaced them with a reference only to patient safety work product. As we noted above, the term "data" in this context refers only to information received by a former PSO in the 30-day period following revocation for cause and is not applicable here. The only other modifications are deletions of text relating to implied voluntary relinquishment and a conforming change in a cross-reference.

We have not accepted the views of commenters supporting appeals of relinquishment determinations by the Secretary in light of our decision to narrow the scope of voluntary relinquishment to situations in which the PSO has requested relinquishment. The comments regarding due process for those who voluntarily relinquish their status would no longer be apt.

(D) Section 3.108(d)-Public Notice of Delisting Regarding Removal From Listing

Proposed Rule: Proposed § 3.108(d) would have incorporated the statutory requirement that the Secretary must publish a notice in the Federal Register regarding the revocation of acceptance of certification of a PSO and its removal from listing. The proposed rule would have broadened the requirement to include publication of such a notice if delisting results from a determination of voluntary relinquishment.

Overview of Public Comments: We received no comments on this subsection.

Final Rule: We have modified § 3.108(d) in the final rule to reflect our changes to subsection (c) that narrowed the scope of voluntary relinquishment. We also added a new reference that requires the Secretary to publish a notice when a PSO's listing terminates automatically at the end of the statutorily based three-year period, pursuant to § 3.104(e).

(E) Section 3.108(e)-Expedited Revocation

Proposed Rule: The proposed rule did not contain a proposed § 3.108(e). The proposed rule did include in subsection (a) a request for comment about the possible inclusion in the final rule of an expedited revocation process. We noted that, while we anticipate that in the vast majority of circumstances, the PSO's deficiency(ies) can and will be corrected, there may be situations in which a PSO's conduct is so egregious that the Secretary's acceptance of the PSO's certification should be revoked without the opportunity to cure because there is no meaningful cure. We invited comments regarding this approach and how best to characterize the situations in which the opportunity to "cure," e.g., to change policies, practices or procedures, sanction employees, send out correction notices, would not be sufficient, meaningful, or appropriate.

Overview of Public Comments: Several commenters expressed concern, requested that we define the term "egregious," and opposed the elimination of a right for the PSO to respond to the proposed expedited revocation action. One commenter suggested that our proposal was appropriate in situations involving multiple willful violations and in which immediate action is necessary to protect patients and providers from further improper actions by the PSO.

Only one commenter addressed, and opposed, our suggestion that we might eliminate in the final rule the opportunity for a PSO to contest revocation when the entity had verifiably failed to meet the statutory minimum contract requirement.

Final Rule: The Department has modified the rule to include a new § 3.108(e) to provide for expedited revocation in a limited number of circumstances. In deciding to include this new subsection, we considered all of the comments received regarding Subpart B, not only those discussed here. There was a strong overall sentiment that the Secretary must be vigilant in ensuring that PSOs meet their obligations to protect the confidentiality of patient safety work product. These concerns were especially strong in response to our proposal to permit components of excluded entities to seek listing. We also received support for prompt Secretarial action for multiple willful violations and when providers and patients are at risk because of a PSO's actions. Accordingly, we have incorporated an expedited revocation process based around these concerns.

New § 3.108(e)(1) lists three circumstances in which the Secretary may use an expedited process for revocation. The first two circumstances reflect commenter concern regarding excluded entities. The first of these, specified in § 3.108(e)(1)(i), is if the Secretary determines that a PSO is, or is about to become, an entity excluded from listing by § 3.102(a)(2). That section excludes from listing: a health insurance issuer; a unit or division of a health insurance issuer; an entity that is owned, managed or controlled by a health insurance issuer; entities that accredit or license health care providers; entities that oversee or enforce statutory or regulatory requirements governing the delivery of health care services; agents of an entity that oversees or enforces statutory or regulatory requirements governing the delivery of health care services; or entities that operate a Federal, State, Local, or Tribal patient safety reporting system to which health care providers (other than members of the entity's workforce or health care providers holding privileges with the entity) are required to report information by law or regulation.

Because the certifications for listing specifically require an entity to attest that it is not excluded from seeking listing, this situation would mean that the PSO had either filed a false certification, or that the nature of the entity had significantly changed during the course of its listing. An example of an entity "about to become an excluded entity" would be when there is advance notice of a merger of the parent organization of a component PSO with a health insurance issuer. A health insurance issuer is the only excluded entity that may not have a component become a PSO. If the Secretary learns that a PSO is about to become a component of a health insurance issuer, this is one circumstance under which we believe prompt action by the Secretary is essential.

The second circumstance, specified in § 3.108(e)(1)(ii), is when the parent organization of a PSO is an excluded entity and the parent organization uses its authority over providers to require or induce them to use the patient safety services of its component PSO. This was a major concern of commenters in permitting components of accreditation, licensure and regulatory entities to seek listing; the final rule in § 3.102(c) permits such a component to be listed only if it can certify that its parent organization does not impose such requirements on providers. When an excluded entity attempts to require or induce providers to report information to its component PSO, there is reasonable cause for concern regarding the integrity of the firewall between the component PSO and its parent organization. Given the potential harm to providers if their identifiable patient safety work product is made available to the excluded entity, the Department concludes that the need for prompt action is compelling.

The third circumstance specified in § 3.108(e)(1)(iii) of the rule is when the Secretary has determined that the failure to act promptly would lead to serious adverse consequences. We would expect to use this authority sparingly. Despite the confidential and protected nature of patient safety work product, we remain concerned that there can still be serious harm to providers, patients, and reporters named in patient safety work product if a PSO demonstrates reckless or willful misconduct in its protection or use of the work product with which it is entrusted, especially when there is reason to believe there have been repeated deficiencies, or when the PSO engages in fraudulent or illegal conduct. In light of these risks, we believe it is only prudent to give the Secretary the authority to respond promptly to situations where there is a risk of serious adverse harm, even if we cannot adequately foresee all of the specific situations that might require prompt action.

We note that we have accepted the position of another commenter that we not include failure to meet the minimum contract requirement as a basis for expedited revocation. Our intent is to limit expedited revocation to those situations which pose a risk to providers or others.

To accomplish expeditious remedial revocation action, § 3.108(e)(2) waives the procedures in §§ 3.108(a)(2) through 3.108(a)(5) for correction of deficiencies, determinations regarding correction of deficiencies, processes related to the opportunity for a written response by the PSO to a notice of proposed revocation and delisting, and final determination by the Secretary regarding revocation and delisting of the PSO. Instead, the provisions of § 3.108(e)(3) apply.

Under § 3.108(e)(3) of the expedited revocation process, the Secretary would issue a notice of deficiency and expedited revocation that identifies the evidence that the circumstances for expedited revocation exist and indicates any corrective action the PSO can take if the Secretary determines that corrective action may resolve the matter so that revocation and delisting could be avoided. Absent evidence of actual receipt of this notice of deficiency and expedited revocation, the Secretary's notice will be deemed to be received five days after it was sent.

In developing this process, we have taken note of commenters' concern that as a general matter, a PSO alleged to be deficient in compliance should have an opportunity to be heard and have provided the PSO with an opportunity to respond as part of the expedited revocation process. The Secretary must receive a response from the PSO within 14 days of actual or constructive receipt of the notice, whichever is longer. In its written response, the PSO can correct the alleged facts or argue the applicability of the legal basis given for expedited revocation and delisting and offer reasons that would support its case for not being delisted.

If the PSO does not submit a written response, the Secretary may revoke and delist the PSO. Provided the PSO responds within the required time, the Secretary may withdraw the notice, grant the PSO additional time to resolve the matter, or revoke and delist the PSO. If the Secretary decides to revoke and delist the PSO, we note that the requirements of § 3.108(b) discussed above apply. These requirements relate to notification of the providers who have reported patient safety work product to the PSO, disposition of the PSO's patient safety work product and data, and the ability of providers to continue to report data to the former PSO for 30 calendar days following the effective date and time of delisting and have these data protected as patient safety work product.

(5) Section 3.110-Assessment of PSO Compliance

Proposed Rule: Section 3.110 proposed the framework by which the Secretary would assess compliance of PSOs with the requirements of the statute and the rule. This section provided that the Secretary may request information or conduct spot-checks (reviews or site visits to PSOs, announced or unannounced) to assess or verify PSO compliance with the requirements of the statute and this proposed subpart. We noted that we anticipate that such spot checks would involve no more than 5-10% of PSOs in any year. We also noted that this section would reference the Department's overall authority to have access to patient safety work product, if necessary, as part of its implementation and enforcement of the Patient Safety Act.

Overview of Public Comments: There were few comments on this section. Commenters agreed that AHRQ's authority under this section should be limited to PSOs. Several commenters expressed concern about our discussion that we only anticipated spot-checking 5%-10% of PSOs for compliance in any given year. The projected number of spot checks in their view would not be adequate to maintain provider confidence and PSO compliance. Another commenter asked which agency would be delegated the task and identified entities within HHS to which the Secretary should not delegate this responsibility.

Final Rule: We have made no substantive modifications to § 3.110 in the final rule. We note in response to the commenters that urged a higher level of spot checks and inspections that the rule does not limit the ability of the Department to increase the number if warranted. However, we have no basis for assuming that higher levels of spot checks or inspections are warranted in light of the fact that Patient Safety Organizations are not federally funded or controlled and a provider's decision to work with a PSO is voluntary. Therefore, we intend to maintain the approach outlined in the proposed rule. In response to another commenter, the authority to implement Subpart B rests squarely within the authorities to foster patient safety and health care quality improvement of the Agency for Healthcare Research and Quality, and there is no reason to expect it to be delegated to another part of the Department.

(6) Section 3.112-Submissions and Forms

Proposed Rule: Proposed § 3.112 would have provided instructions for obtaining required forms and the submission of materials, would have provided contact information for AHRQ (mailing address, Web site, and email address), and would have authorized the Department to request additional information if a submission is incomplete or additional information is needed to enable the Secretary to make a determination on any submission.

Overview of Public Comments: We received no comments on this section.

Final Rule: We have made no substantive modifications to this section. We have made technical changes and incorporated citations for the AHRQ PSO Web site address and corrected the email address.

(C) Subpart C-Confidentiality and Privilege Protections of Patient Safety Work Product

Proposed Subpart C would have described the general privilege and confidentiality protections for patient safety work product, the permitted disclosures, and the conditions under which the specific protections no longer apply. The proposed Subpart also would have established the conditions under which a provider, PSO, or responsible person must disclose patient safety work product to the Secretary in the course of compliance and enforcement activities, and what the Secretary may do with such information. Moreover, the proposed subpart would have established the standards for nonidentifiable patient safety work product.

Proposed Subpart C sought to balance key objectives of the Patient Safety Act. First, the proposal sought to address provider concerns about the potential for damage from unauthorized release of information, including the potential for the information to serve as a roadmap for provider liability from negative patient outcomes. It also promoted the sharing of information about adverse patient safety events among providers and PSOs for the purpose of learning from those events to improve patient safety and the quality of care. To achieve these objectives, Subpart C proposed that patient safety work product would be privileged and confidential, except in the certain limited circumstances identified by the Patient Safety Act and as needed by the Department to implement and enforce the Patient Safety Act. In addition, proposed Subpart C provided, in accordance with the Patient Safety Act, that patient safety work product that is disclosed generally would continue to be privileged and confidential, subject to the delineated exceptions. Thus, under the proposal, an entity or person receiving patient safety work product only would be able to disclose such information for a purpose permitted by the Patient Safety Act and the proposed rule, or if patient safety work product was no longer confidential because it was nonidentifiable or subject to an exception to confidentiality. Providers, PSOs, and responsible persons who failed to adhere to these confidentiality rules would be subject to enforcement by the Department, including the imposition of civil money penalties, if appropriate, as provided in Subpart D of the proposed rule.

The proposed rule also explained that several provisions of the Patient Safety Act recognize that the patient safety regulatory scheme will exist alongside other requirements for the use and disclosure of protected health information under the HIPAA Privacy Rule. For example, the Patient Safety Act establishes that PSOs will be business associates of providers and the patient safety activities they conduct will be health care operations of the providers, incorporates individually identifiable health information under the HIPAA Privacy Rule as an element of identifiable patient safety work product, and adopts a rule of construction that states the intention not to alter or affect any HIPAA Privacy Rule implementation provision (see section 922(g)(3) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(3)). As we explained in the proposed rule, we anticipate that most providers reporting to PSOs will be HIPAA covered entities under the HIPAA Privacy Rule, and as such, will be required to recognize and comply with the requirements of the HIPAA Privacy Rule when disclosing identifiable patient safety work product that includes protected health information. As Subpart C addresses disclosure of patient safety work product that may include protected health information, we discuss, where appropriate, the overlap between this rule and the HIPAA Privacy Rule in the preamble description of this Subpart, as we did in the proposed rule.

(1) Section 3.204-Privilege of Patient Safety Work Product

Proposed § 3.204 described the privilege protections of patient safety work product and the exceptions to privilege. As we explained in the proposed rule, the Patient Safety Act does not give authority to the Secretary to enforce breaches of the privilege protections, as it does with respect to breaches of the confidentiality provisions. Rather, we anticipate that the tribunals, agencies or professional disciplinary bodies before whom the proceedings take place and before which patient safety work product is sought, will adjudicate the application of the privilege provisions of the Patient Safety Act at section 922(a)(1)-(5) of the Public Health Service Act, 42 U.S.C. 299b-22(a)(1)-(5) and the exceptions to privilege at section 922(c)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(1). Even though the privilege protections will be enforced through the court systems, and not by the Secretary, we repeat the statutory privilege protections and exceptions in this final rule, as we did in the proposed rule. This is done both for convenience and completeness, as well as because the same exceptions in the privilege provisions are repeated in the confidentiality provisions and the term "disclosure" in the final rule describes both the transfer of patient safety work product pursuant to a privilege exception as well as a confidentiality exception. Thus, a disclosure of patient safety work product that is a violation of privilege may also be a violation of confidentiality, which the Secretary does have authority to enforce and for which he can impose a civil money penalty, if appropriate.

We also proposed to include at § 3.204(c) a regulatory exception to privilege for disclosures to the Secretary for the purpose of enforcing the confidentiality provisions and for making or supporting PSO certification or listing decisions. In the final rule, we adopt this proposed provision but also add language to make clear that the exception also applies to disclosures to the Secretary for HIPAA Privacy Rule enforcement, given the significant overlap with respect to disclosures under the two rules. We discuss that change, as well as the public comments and our responses with respect to the other privilege provisions, below.

(A) Section 3.204(a)-Privilege

Proposed Rule: Proposed § 3.204(a) would have described the general rule that, notwithstanding any other provision of Federal, State, local, or Tribal law, patient safety work product is privileged and shall not be:

  1. subject to Federal, State, local, or Tribal civil, criminal, or administrative subpoena or order, including in a disciplinary proceeding against a provider;
  2. subject to discovery in connection with a Federal, State, local, or Tribal civil, criminal, or administrative proceeding, including a disciplinary proceeding against a provider;
  3. subject to disclosure under the Freedom of Information Act (section 552 of Title 5, United States Code) or similar Federal, State, local, or Tribal law;
  4. admitted as evidence in any Federal, State, local, or Tribal governmental civil proceeding, criminal proceeding, administrative rulemaking proceeding, or administrative adjudicatory proceeding, including any such proceeding against a provider; or
  5. admitted in a professional disciplinary proceeding of a professional disciplinary body established or specifically authorized under State law.

The proposed provision generally repeated the statutory language at section 922(a) of the Public Health Service Act, 42 U.S.C. 299b-22(a) but also clarified that privilege would have applied to protect against use of the information in Tribal courts and administrative proceedings.

Overview of Public Comments: We received no comments opposed to this proposed provision.

Final Rule: The final rule adopts this proposed provision.

Response to Other Public Comments

Comment: Several commenters expressed concern about the lack of detailed explanation and information about the privilege protections as compared to the confidentiality provisions in the proposed rule. Some commenters asked for clarification about how breaches of privilege can be enforced and who can assert privilege protection. Two commenters asked whether hospital peer review committees established under state law qualify as disciplinary bodies for purposes of the privilege protection and if there is a distinction between discipline by a state licensing body and discipline by an internal peer review committee.

Response: The Secretary does not have the authority to interpret and enforce the privilege protections of the statute, and thus, the proposed rule did not contain a detailed discussion of these provisions nor can we provide further explanation or interpretation in this final rule. Rather, as described above, the privilege provisions are included only for convenience and completeness, and because the privilege exceptions mirror exceptions to confidentiality. The privilege protections attach to patient safety work product, and we expect that the privilege of patient safety work product will be adjudicated and enforced by the tribunals, agencies or professional disciplinary bodies before which the information is sought and before whom the proceedings take place. A provider facing an opposing party who seeks to introduce patient safety work product in court may seek to enforce the privilege by filing the appropriate motions with the court asserting the privilege to exclude the patient safety work product from the proceeding.

(B) Section 3.204(b)-Exceptions to privilege

Proposed Rule: Proposed § 3.204(b) described the exceptions to privilege established at section 922(c) of the Public Health Service Act, 42 U.S.C. 299b-22c, thereby permitting disclosure of patient safety work product under such circumstances. In all cases, the exceptions to privilege were also proposed as exceptions to confidentiality at § 3.206(b). Proposed § 3.204(b)(1) would have permitted the disclosure of relevant patient safety work product for use in a criminal proceeding after a court makes an in camera determination that the patient safety work product contains evidence of a criminal act, is material to the proceeding, and is not reasonably available from any other source. Proposed § 3.204(b)(2) would have permitted disclosure of identifiable patient safety work product to the extent required to carry out the securing and provision of equitable relief as provided under section 922(f)(4)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(f)(4)(A). Proposed § 3.204(b)(3) would have permitted disclosure of identifiable patient safety work product when each of the identified providers authorized the disclosure. Finally, proposed § 3.204(b)(4) would have excepted patient safety work product from privilege when disclosed in nonidentifiable form.

Overview of Public Comments: Some commenters expressed concern that allowing exceptions to privilege may not adequately protect patient safety work product.

Final Rule: The final rule adopts the proposed provisions. The statute explicitly provides for these limited exceptions to privilege and thus, they are included in this final rule.

Response to Other Public Comments

Comment: One commenter asked that the final rule align the privilege exceptions in § 3.204(b) with the permitted disclosures to law enforcement in the HIPAA Privacy Rule at 45 CFR 164.512(f).

Response: We do not agree that expanding the exceptions to privilege in such a manner is appropriate or prudent. Congress expressly limited the exceptions to privilege to those we have repeated in the final rule. As relevant to law enforcement, the Patient Safety Act permits an exception from privilege protection for law enforcement purposes in only very narrow circumstances; that is, patient safety work product may be used in a criminal proceeding, but only after a judge makes an in camera determination that the information contains evidence of a criminal act, is material to the proceeding, and is not reasonably available from any other source. See § 3.204(b)(1). We do not have authority to further expand or interpret the exceptions to privilege provided for in the statute. Further, we believe strong privilege protections are essential to ensuring the goals of the statute are met by encouraging maximum provider participation in patient safety reporting. We note that § 3.206(c)(10) permits the disclosure of patient safety work product relating to an event that either constitutes the commission of a crime, or for which the disclosing person reasonably believes constitutes the commission of a crime, to law enforcement, provided that the disclosing person believes, reasonably under the circumstances, that the patient safety work product that is disclosed is necessary for criminal law enforcement purposes. In other cases where law enforcement needs access to information that is contained within patient safety work product, we emphasize that the definition of "patient safety work product" specifically excludes a patient's medical or billing record or other original patient information. See § 3.20, paragraph (2)(i) of the definition of "patient safety work product." Thus, such original patient information remains available to law enforcement in accordance with the conditions set out in the HIPAA Privacy Rule, if applicable.

(C) Section 3.204(c)-Implementation and Enforcement of the Patient Safety Act

Proposed Rule: Proposed § 3.204(c) would have excepted from privilege disclosures of relevant patient safety work product to or by the Secretary as needed for investigating or determining compliance, or seeking or imposing civil money penalties, with respect to this rule or for making or supporting PSO certification or listing decisions under the Patient Safety Act. We proposed that these disclosures also be permitted as an exception to confidentiality at § 3.206(d). We explained that, in order to perform investigations and compliance reviews to determine whether a violation occurred, the Secretary may need to have access to privileged and confidential patient safety work product and that we believe Congress could not have intended the privilege and confidentiality protections of the Patient Safety Act to impede such enforcement by prohibiting access to necessary information by the Secretary. Thus, the proposed provision would have allowed disclosure of patient safety work product to and by the Secretary for enforcement purposes, including the introduction of such information into ALJ or Board proceedings, disclosure by the Board to properly review determinations or to provide records for court review, as well as disclosure during investigations by OCR or activities in reviewing PSO certifications by AHRQ. Patient safety work product disclosed under this proposed exception would have remained privileged and confidential pursuant to proposed § 3.208, and proposed § 3.312 limited the Secretary to only disclosing identifiable patient safety work product obtained in connection with an investigation or compliance review for enforcement purposes or as otherwise permitted by the proposed rule or Patient Safety Act.

We also explained in the preamble to the proposed rule that the privilege provisions in the Patient Safety Act would not bar the Secretary from using patient safety work product for compliance and enforcement activities related to the HIPAA Privacy Rule. This interpretation was based on the statutory provision at section 922(g)(3) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(3), which provides that the Patient Safety Act does not affect the implementation of the HIPAA Privacy Rule.

Overview of Public Comments: We received one comment in support of and no comments opposed to this proposed provision.

Final Rule: The final rule adopts the proposed provision, but expands it to expressly provide that patient safety work product also may be disclosed to or by the Secretary as needed to investigate or determine compliance with or to impose a civil money penalty under the HIPAA Privacy Rule. This new language implements the statutory provision at section 922(g)(3) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(3), which, as explained above, makes clear that the Patient Safety Act is not intended to affect implementation of the HIPAA Privacy Rule. Given the significant potential for an alleged impermissible disclosure to implicate both this rule's confidentiality provisions, as well as the HIPAA Privacy Rule, the Secretary may require access to privileged patient safety work product for purposes of determining compliance with the HIPAA Privacy Rule. The Secretary will use such information consistent with the statutory prohibition against imposing civil money penalties under both authorities for the same act.

With respect to this rule, the provision, as it did in the proposed rule, makes clear that privilege does not apply to patient safety work product disclosed to or by the Secretary if needed to investigate or determine compliance with this rule, or to make or support decisions with respect to listing of a PSO. This may include access to and disclosure of patient safety work product to enforce the confidentiality provisions of the rule, to make or support decisions regarding the acceptance of certification and listing as a PSO, or to revoke such acceptance and to delist a PSO, or to assess or verify PSO compliance with the rule.

(2) Section 3.206-Confidentiality of Patient Safety Work Product

Proposed § 3.206 described the confidentiality protection of patient safety work product, as well as the exceptions from confidentiality protection.

(A) Section 3.206(a)-Confidentiality

Proposed Rule: Proposed § 3.206(a) would have established the general principle that patient safety work product is confidential and shall not be disclosed by anyone holding the patient safety work product, except as permitted or required by the rule.

Overview of Public Comments: We received no comments directly in reference to this provision.

Final Rule: The final rule adopts this proposed provision.

(B) Section 3.206(b)-Exceptions to Confidentiality

Proposed Rule: Proposed § 3.206(b) described the exceptions to confidentiality, or permitted disclosures. The preamble to the proposed rule explained that there were several overarching principles that applied to these exceptions from confidentiality. First, these exceptions were "permissions" to disclose patient safety work product and the holder of the information retained full discretion whether to disclose. Further, as the proposed rule was a Federal baseline of protection, a provider, PSO, or responsible person could impose more stringent confidentiality policies and procedures on patient safety work product and condition the release of patient safety work product within these exceptions by contract, employment relationship, or other means. However, the Secretary would not enforce such policies or private agreements. Second, when exercising discretion to disclose patient safety work product, we encouraged providers, PSOs, and responsible persons to attempt to disclose the amount of information commensurate with the purpose of the disclosure and to disclose the least amount of identifiable patient safety work product appropriate for the disclosure even if that was less than what would otherwise be permitted by the rule and regardless of whether the information continued to be protected under the rule after the disclosure. Third, the proposal prohibited persons receiving patient safety work product from redisclosing it except as permitted by the rule, and we requested comment on whether there were any negative implications of limiting redisclosures in such a manner.

We also described how the proposal would work with respect to entities also subject to the Privacy Act and/or the HIPAA Privacy Rule. We explained that agencies subject to the Patient Safety Act and the Privacy Act, 5 U.S.C. 552a, must comply with both statutes when disclosing patient safety work product. This means that, for agencies subject to both laws, a disclosure of patient safety work product could only be made if permitted by both laws. The Privacy Act permits agencies to make disclosures pursuant to established routine uses. See 5 U.S.C. 552a(a)(7); 552a(b)(3); and 552a(e)(4)(D). Accordingly, we recommended that Federal agencies that maintain a Privacy Act system of records containing information that is patient safety work product include routine uses that will permit the disclosures allowed by the Patient Safety Act. For HIPAA covered entities, we explained that when a patient's protected health information is encompassed within patient safety work product, any disclosure of such information also must comply with the HIPAA Privacy Rule.

Overview of Public Comments: Some commenters expressed general support for the narrowly drawn exceptions to confidentiality in the proposed rule, while one commenter expressed concern that the exceptions were unnecessarily complex to accomplish their purpose. Several commenters asked that the final rule include additional exceptions to confidentiality or disclosure permissions. For example, some commenters suggested that the final rule permit the disclosure of patient safety work product to federal, state, and local agencies to fulfill mandatory reporting requirements. Other commenters suggested an exception be created to permit the disclosure of patient safety work product to state survey agencies, regulatory bodies, or to any federal or state agency for oversight purposes. Another commenter requested that the final rule include a disclosure permission for emergency circumstances similar to the HIPAA Privacy Rule disclosure at 54 CFR 164.512(j), allowing a PSO to disclose patient safety work product if it determines a pattern of harm and that disclosure is necessary to prevent an individual from harming a person or the public. One commenter, however, believed the proposed rule contained too many exceptions to confidentiality, and thus, did not adequately protect patient safety work product; this commenter suggested that some disclosure permissions be eliminated in the final rule but did not recommend which ones.

Several commenters responded to the question regarding whether there were any negative implications of limiting redisclosures as outlined in the proposed rule. These commenters supported the limitations on redisclosures of patient safety work product in the proposed rule; we received no comments identifying any negative implications of this limitation. One commenter, however, noted that the redisclosures should be governed by the HIPAA Privacy and Security Rules.

Finally, some commenters sought clarification regarding preemption. Several commenters asked whether the federal patient safety work product protections preempted existing State law that permitted or required disclosure of similar types of records. Other commenters asked whether greater State law protections continue to exist alongside patient safety work product protections, stating that some providers may decide not to participate with a PSO if they would lose existing State law protections.

Final Rule: The final rule generally adopts the proposed provisions, with some modifications as explained below in the specific discussions of the individual disclosure permissions. The disclosure permissions in this section reflect those provided by the statute, and the Secretary has no authority to eliminate or neglect to implement certain of the provisions. Further, the statute provides only limited authority to the Secretary to expand the disclosure permissions. See, for example, section 922(c)(2)(F) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(F), providing the Secretary with authority to create permissions for disclosures that the Secretary may determine, by rule or other means, are necessary for business operations and are consistent with the goals of the statute. Thus, the final rule does not create any new, or eliminate any proposed, categories of disclosure permissions.

With respect to those commenters who requested a disclosure permission be added to allow for the disclosure of patient safety work product to federal, state, and local agencies to fulfill mandatory reporting requirements or for oversight purposes, we disagree that such a modification is necessary. The final rule gives providers much flexibility in defining and structuring their patient safety evaluation system, as well as determining what information is to become patient safety work product and, thus, protected from disclosure. Providers can structure their systems in a manner that allows for the use of information that is not patient safety work product to fulfill their mandatory reporting obligations. See the discussion regarding the definition of "patient safety work product" in this preamble for more information. Further, as original medical and other records are expressly excepted from the definition of "patient safety work product," providers always have the option of using those records to generate the reports necessary for their mandatory reporting obligations to federal, state, and local agencies.

With respect to disclosures for emergency circumstances, the Patient Safety Act provides no general exception for such disclosures. However, patient safety work product may be disclosed under § 3.206(b)(10) to law enforcement if the disclosing party reasonably believes the patient safety work product contains information that constitutes a crime. For emergency circumstances that do not rise to the level of criminal conduct, the information necessary to identify and address such emergencies should be readily available and accessible in medical records and other original documents that are not protected as patient safety work product.

The final rule also adopts the redisclosure limitations of the proposed rule. As described above, commenters largely supported, and did not identify negative implications of, these restrictions. We discuss the individual redisclosure limitations below in the specific discussions regarding the disclosure permissions to which they apply. We note that the HIPAA Privacy and Security Rules will govern redisclosures of patient safety work product only to the extent that the redisclosures are made by a HIPAA covered entity and the patient safety work product encompasses protected health information.

In response to the comments and questions regarding preemption, we note that the Patient Safety Act provides that, notwithstanding any other provision of Federal, State, or local law, and subject to the prescribed exceptions, patient safety work product shall be privileged and confidential. See sections 922(a) and (b) of the Public Health Service Act, 42 U.S.C. 299b-22(a) and (b). The statute also provides as rules of construction the following:

  1. that the Patient Safety Act does not limit the application of other Federal, State, or local laws that provide greater privilege or confidentiality protections than those provided by the Patient Safety Act; and
  2. the Patient Safety Act does not preempt or otherwise affect any State law requiring a provider to report information that is not patient safety work product. See section 922(g) of the Public Health Service Act, 42 U.S.C. 299b-22(g).

Thus, the patient safety work product protections provided for under the statute generally preempt State or other laws that would permit or require disclosure of information contained within patient safety work product. However, State laws that provide for greater protection of patient safety work product are not preempted and continue to apply.

Response to Other Public Comments

Comment: Several commenters asked that the final rule discuss redisclosures in more detail and further explain the consequences of redisclosures.

Response: A redisclosure, or "further disclosure" as described in the regulatory text, of patient safety work product, like a disclosure, is the release, transfer, provision of access to, or divulging in any other manner of patient safety work product by an entity or natural person holding the patient safety work product to another legally separate entity or natural person outside the entity holding the patient safety work product. Natural persons or entities who receive patient safety work product generally may further disclose such information pursuant to any of the disclosure permissions in the final rule at § 3.206, except where expressly limited pursuant to the provision under which the natural person or entity received the information. These restrictions on further disclosures may be found at §§ 3.206(b)(4)(ii) (disclosure to a contractor of a provider or PSO for patient safety activities), 3.206(b)(7) (disclosure to the Food and Drug Administration (FDA) and entities required to report to FDA), 3.206(b)(8) (voluntary disclosure to an accrediting body), 3.206(b)(9) (business operations), and 3.206(b)(10) (disclosure to law enforcement). These limitations are described more fully below in the discussions concerning the disclosure permissions to which they apply. As with an impermissible disclosure, impermissible redisclosures are subject to enforcement by the Secretary and potential civil money penalties.

Comment: Two commenters asked that we monitor the impact of the rule to ensure that it does not improperly impede the necessary sharing of patient safety work product.

Response: As the rule is implemented, we will monitor its impact and consider whether any concerns that are raised by providers, PSOs, and others should be addressed through future modification to the rule or guidance, as appropriate.

(1) Section 3.206(b)(1)-Criminal Proceedings

Proposed Rule: Proposed § 3.206(b)(1) would have permitted the disclosure of identifiable patient safety work product for use in a criminal proceeding, if a court makes an in camera determination that the identifiable patient safety work product sought for disclosure contains evidence of a criminal act, is material to the proceeding, and is not reasonably available from other sources. See section 922(c)(1)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(A). The proposed provision paralleled the exception to privilege at proposed § 3.204(b)(1).

As we explained in the proposed rule, the Patient Safety Act establishes that patient safety work product generally will continue to be privileged and confidential upon disclosure. See section 922(d)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(1) and § 3.208 of this rule. However, the Patient Safety Act limits the continued protection of patient safety work product disclosed for use in a criminal proceeding pursuant to this provision. In particular, patient safety work product disclosed pursuant to this provision continues to be privileged after disclosure but is no longer confidential. See section 922(d)(2)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(2)(A). We explained that this would mean, for example, that law enforcement personnel who obtain patient safety work product used in a criminal proceeding could further disclose that information because confidentiality protection would not apply; however, law enforcement could not seek to introduce the patient safety work product in another proceeding without a new in camera determination that would have complied with the privilege exception at proposed § 3.204(b)(1).

We also reminded entities that are subject to the HIPAA Privacy Rule that any disclosures pursuant to this provision that encompass protected health information also would need to comply with the HIPAA Privacy Rule's provision at 45 CFR 164.512(e) for disclosures pursuant to judicial proceedings. We explained that we expected court rulings following an in camera determination to be issued as a court order, which would satisfy the HIPAA Privacy Rule's requirements.

Overview of Public Comments: We received no comments opposed to this provision.

Final Rule: The final rule adopts the proposed provision.

Response to Other Public Comments

Comment: One commenter asked that the final rule make clear that patient safety work product disclosed under this provision continues to be privileged and cannot be used or reused as evidence in any civil proceeding even though the information is no longer confidential.

Response: The final rule makes this clear. See § 3.208(b)(1).

(2) Section 3.206(b)(2)-Equitable Relief for Reporters

Proposed Rule: The Patient Safety Act prohibits a provider from taking an adverse employment action against an individual who, in good faith, reports information to the provider for subsequent reporting to a PSO or to a PSO directly. See section 922(e)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(e)(1). For purposes of this provision, adverse employment actions include loss of employment, failure to promote, or adverse evaluations or decisions regarding credentialing or licensing. See 922(e)(2) of the Public Health Service Act, 42 U.S.C. 299b-22(e)(2). The Patient Safety Act provides adversely affected reporters a civil right of action to enjoin such adverse employment actions and obtain other equitable relief, including back pay or reinstatement, to redress the prohibited actions. See 922(f)(4) of the Public Health Service Act, 42 U.S.C. 299b-22(f)(4). To effectuate the obtaining of equitable relief under this provision, the Patient Safety Act provides that patient safety work product is not subject to the privilege protections or to the confidentiality protections. Thus, proposed § 3.206(b)(2) would have permitted the disclosure of identifiable patient safety work product by an employee seeking redress for adverse employment actions to the extent that the information is necessary to permit the equitable relief. This proposed provision paralleled the privilege exception to permit equitable relief at proposed § 3.204(b)(2). Also, in accordance with the statute, we proposed that once patient safety work product is disclosed pursuant to this provision, it would have remained subject to confidentiality and privilege protection in the hands of all subsequent holders and could not be further disclosed except as otherwise permitted by the rule.

We also provided guidance with respect to the application of the HIPAA Privacy Rule if a covered entity (or its business associate) was making the disclosure and the patient safety work product included protected health information. In that regard, we explained that, under the HIPAA Privacy Rule at 45 CFR 164.512(e), when protected health information is sought to be disclosed in a judicial proceeding via subpoenas and discovery requests without a court order, the disclosing HIPAA covered entity must seek satisfactory assurances that the party requesting the information has made reasonable efforts to provide written notice to the individual who is the subject of the protected health information or to secure a qualified protective order.

Finally, the proposed rule solicited comments on whether the obtaining of a protective order should be a condition of the disclosure under this provision or whether, instead, the final rule should require only a good faith effort to obtain a protective order as a condition of this disclosure.

Overview of Public Comments: Two commenters expressed general support for the proposed provision, stating that it struck the appropriate balance between maintaining the confidentiality and privilege protections on patient safety work product and allowing reporters of patient safety work product to seek redress for adverse employment actions based upon their good faith reporting of this information to a PSO. Several commenters responded to the question posed in the proposed rule asking whether a protective order should be a condition of disclosure under this provision or if a good faith effort in obtaining a protective order should be sufficient. All of these commenters agreed that the obtaining of a protective order should be a condition of disclosure of patient safety work product under this provision.

Final Rule: The final rule adopts the proposed disclosure permission at § 3.206(b)(2) but conditions the permitted disclosure for equitable relief on the provision of a protective order by the court or administrative tribunal to protect the confidentiality of the patient safety work product during the course of the proceeding. Although patient safety work product remains confidential and privileged in the hands of all recipients after disclosure under this provision, we recognize that the sensitive nature of the patient safety work product warrants requiring a protective order as additional protection on this information. Because some participants and observers of a proceeding involving equitable relief for an adverse employment action may not be aware that certain information is protected as patient safety work product to which penalties attach for impermissible disclosures, requiring a protective order is prudent to ensure that patient safety work product is adequately protected and that individuals are put on notice of its protected status. As we explained in the proposed rule, such a protective order could take many forms that preserve the confidentiality of patient safety work product. For example, the order could limit the use of the information to case preparation, but not make it evidentiary. Or, the order might prohibit the disclosure of the patient safety work product in publicly accessible proceedings and in court records to prevent liability from moving to a myriad of unsuspecting parties.

We recognize that, in some cases, a reporter seeking equitable relief may be unable to obtain a protective order from a court prior to making a necessary disclosure of patient safety work product, despite the reporter's good faith and diligent effort to obtain one. If the Secretary receives a complaint that patient safety work product was disclosed by a reporter seeking equitable relief, the Secretary has discretion not to impose a civil money penalty, if appropriate. While the final rule requires a protective order as a condition of disclosure, it is not the Secretary's intent to frustrate the obtaining of equitable relief provided for under the statute. Thus, the Secretary will review the circumstances of such complaints to determine whether to exercise his enforcement discretion to not pursue a civil money penalty.

(3) Section 3.206(b)(3)-Authorized by Identified Providers

Proposed Rule: Proposed § 3.206(b)(3) would have permitted a disclosure of patient safety work product when each provider identified in the patient safety work product separately authorized the disclosure. This provision paralleled the privilege exception at proposed § 3.204(b)(3) and was based on section 922(c)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(C). The proposed rule explained that patient safety work product disclosed under this exception would continue to be confidential pursuant to the continued confidentiality provisions at section 922(d)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(1), and persons would be subject to liability for further disclosures in violation of that confidentiality.

We also explained that it would be insufficient to make identifiable information regarding a nonauthorizing provider nonidentifiable in lieu of obtaining an authorization. While we considered such an approach, we rejected it as impractical given that it seemed there would be very few, if any, situations in which a nonauthorizing provider could be nonidentified without also needing to nonidentify, or nearly so, an authorizing provider in the same patient safety work product.

We encouraged persons disclosing patient safety work product to exercise discretion with respect to the scope of patient safety work product disclosed and to consider whether identifying information regarding reporters or patients was necessary, even though the statute required neither patient nor reporter authorization under this provision. We also explained that, if the disclosing entity is a HIPAA covered entity (or business associate), the HIPAA Privacy Rule, including the minimum necessary standard when applicable, would apply to the disclosure of protected health information contained within the patient safety work product. Further, if the disclosure was not also permitted under the HIPAA Privacy Rule, the patient information would need to be de-identified. We sought public comment as to whether the proposed approach was sufficient to protect the interests of reporters and patients identified in the patient safety work product permitted to be disclosed pursuant to this provision.

While the Patient Safety Act does not specify the form of the authorization under this exception, we proposed that an authorization be in writing, be signed by the authorizing provider, and contain sufficient detail to fairly inform the provider of the nature and scope of the disclosures being authorized. The proposed rule would not have required that any specific terms be included in the authorization, only that disclosures be made in accordance with the terms of the authorization, whatever they may be. We sought public comment on whether a more stringent standard would be prudent and workable, such as an authorization process that is disclosure specific.

We also proposed that any authorization be maintained by the disclosing entity or person for a period of six years from the date of the last disclosure made in reliance on the authorization, the limit of time within which the Secretary must initiate an enforcement action.

Overview of Public Comments: Several commenters responded that patients and reporters identified in patient safety work product are adequately protected by this regulation and by the HIPAA Privacy Rule for covered entities. Some commenters, however, suggested that the HIPAA Privacy Rule's minimum necessary standard be applied to disclosures under this provision so that only the minimum necessary amount of patient safety work product would be permitted to be disclosed.

Several commenters also responded to the question of whether a stricter or more prescribed standard for the authorizations should be included in the final rule, the majority of whom stated that the authorization requirements outlined in the proposed rule were adequate. One commenter recommended that the final rule not regulate the terms of the provider authorization and that such terms be left to the parties. Another commenter suggested that provider authorizations be time-limited, while other commenters asked for a model authorization form and that the final rule provide a process for revocation of authorizations.

Final Rule: The final rule adopts the proposed provision. Thus, a provider, PSO, or responsible person may disclose identifiable patient safety work product if a valid authorization is obtained from each identified provider and the disclosure is consistent with such authorization. As in the proposed rule, such authorizations must be retained by the disclosing entity for six years from the date of the last disclosure made in reliance on the authorization and made available to the Secretary upon request. Further, as the Department agrees with those commenters who believed the specific terms of the provider authorizations should be left to the parties, the final rule, as in the proposed rule, requires only that the authorization of each of the identified providers be in writing and signed, and contain sufficient detail to fairly inform the provider of the nature and scope of the disclosures being authorized. Thus, the parties are free to define their own specific terms for provider authorizations, including any time limitations and to what extent and the process through which such authorizations are revocable. Given the final rule does not prescribe a particular form or the terms of provider authorizations under this provision, we do not believe providing a model authorization form is appropriate or feasible.

With respect to patient and reporter identifiers, we continue to strongly encourage disclosers to consider how much patient safety work product is necessary, and whether patient or reporter identifiers are necessary, to accomplish the purpose of the authorized disclosure. However, this final rule does not include specific limitations on the disclosure of patient and reporter identifiers under this provision, so long as the disclosure is in accordance with the terms of the provider authorizations. In addition, the HIPAA Privacy Rule, including the minimum necessary or de-identification standard, as appropriate, continues to apply to the disclosure of any protected health information contained within the patient safety work product.

Response to Other Public Comments

Comment: One commenter asked for clarification as to whether state laws requiring greater protection for patient safety work product would apply to disclosures pursuant to this provision.

Response: Section 922(g)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(1), provides that the Patient Safety Act does not limit the application of other Federal, State, or local laws that provide greater privilege or confidentiality protections than provided by the Act. Thus, state laws providing greater protection for patient safety work product are not preempted and would apply to disclosures of patient safety work product.

Comment: One commenter expressed concern that this disclosure permission conflicts with the disclosure permission for patient safety activities at proposed § 3.206(b)(4) because this disclosure permission does not allow the sharing of any provider information, even if made nonidentifiable, unless all providers identified in the patient safety work product authorize the disclosure, while the disclosure permission for patient safety activities allows the sharing of provider information between PSOs and between providers, as long as it is anonymized.

Response: These disclosure permissions are separate and independent of one another and serve different purposes. Disclosures of patient safety work product may be made pursuant to either permission, provided the relevant conditions are met.

Comment: One commenter expressed concern about the disclosure permission's prohibition on disclosing patient safety work product in nonidentifiable form with respect to a provider who has not authorized the disclosure of the information, stating that this construct would make the provision difficult to implement.

Response: The final rule adopts the provisions of the proposed rule and does not permit patient safety work product to be disclosed if the information is rendered nonidentifiable with respect to a nonauthorizing provider. As explained above, there are likely few situations in which a nonauthorizing provider could be nonidentified without having to also nonidentify the authorizing providers in the patient safety work product to be disclosed under this provision. Therefore, allowing nonidentification of the nonauthorizing provider is impractical.

Comment: One commenter recommended that a copy of the provider authorization be kept in a patient's file, if the provider's authorized disclosure of patient safety work product resulted in a disclosure of the patient's protected health information, so that these disclosures can be tracked and included in an accounting of disclosures as required by 45 CFR 164.528 of the HIPAA Privacy Rule.

Response: While the commenter's suggestion may assist in complying with the HIPAA Privacy Rule's accounting of disclosures standard, we do not include such a requirement in the final rule. Given that the authorizations provided for under this provision are focused on the disclosure of the provider's identifiable information and that the specific terms of such authorizations will vary based on the circumstances of the disclosure and the parties, it is unlikely that such authorizations will contain the information necessary for a HIPAA covered entity to meet its accounting obligations to the individual patient. Further, HIPAA covered entities are free to design and use approaches for compliance with the HIPAA Privacy Rule's accounting standard that are best suited to their business needs and information systems.

(4) Section 3.206(b)(4)-Patient Safety Activities

Proposed Rule: Proposed § 3.206(b)(4) would have permitted the disclosure of identifiable patient safety work product for patient safety activities (i) by a provider to a PSO or by a PSO to that disclosing provider; or (ii) by a provider or a PSO to a contractor of the provider or PSO; or (iii) by a PSO to another PSO or to another provider that has reported to the PSO, or by a provider to another provider, provided, in both cases, certain direct identifiers are removed. This proposed permissible disclosure provision was based on section 922(c)(2)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(A), which permits the disclosure of identifiable patient safety work product for patient safety activities. The proposed rule provided that, consistent with the statute, patient safety work product would remain privileged and confidential once disclosed under this provision.

We explained in the proposed rule that patient safety activities are the core mechanism by which providers may disclose patient safety work product to obtain external expertise from PSOs and through which PSOs may aggregate information from multiple providers, and communicate feedback and analyses back to providers. Thus, the rule needs to facilitate such communications so that improvements in patient safety can occur. To realize this goal, the proposed rule at § 3.206(b)(4)(i) would have allowed for the disclosure of identifiable patient safety work product reciprocally between providers and the PSOs to which they have reported. This would allow PSOs to collect, aggregate, and analyze patient safety event information and disseminate findings and recommendations for safety and quality improvements.

The proposed rule at § 3.206(b)(4)(ii) also would have allowed for disclosures by providers and PSOs to their contractors who are not workforce members, recognizing that there may be situations where providers and PSOs want to engage contractors who are not agents to carry out patient safety activities. However, to ensure patient safety work product remained adequately protected in such cases, the proposed rule would have prohibited contractors from further disclosing patient safety work product, except to the provider or PSO from which they first received the information. We explained in the proposed rule that this limitation would not, however, preclude a provider or PSO from exercising its authority under section 922(g)(4) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(4), to separately delegate its power to the contractor to make other disclosures. We also stated that, although the proposed rule did not require a contract between the provider or PSO and the contractor, we fully expected the parties to engage in prudent practices to ensure patient safety work product remained confidential.

Further, to allow for more effective aggregation of patient safety work product, the proposal at § 3.206(b)(4)(iii) would have allowed PSOs to disclose patient safety work product to other PSOs or to other providers that have reported to the PSO (but not about the specific event(s) to which the patient safety work product relates), and providers to disclose patient safety work product to other providers, for patient safety activities, as long as the patient safety work product was anonymized through the removal of direct identifiers of providers and patients. See proposed § 3.206(b)(4)(iii)(A). In particular, to anonymize provider identifiers, the proposed rule would have required the removal of the following direct identifiers of any providers and of affiliated organizations, corporate parents, subsidiaries, practice partners, employers, members of the workforce, or household members of such providers:

  1. names;
  2. postal address information, other than town or city, State and zip code;
  3. telephone numbers;
  4. fax numbers;
  5. electronic mail addresses;
  6. social security numbers or taxpayer identification numbers;
  7. provider or practitioner credentialing or DEA numbers;
  8. national provider identification number;
  9. certificate/license numbers;
  10. web universal resource locators;
  11. internet protocol (IP) address numbers;
  12. biometric identifiers, including finger and voice prints; and
  13. full face photographic images and any comparable images.

For patient identifiers, the proposed rule would have applied the HIPAA Privacy Rule limited data set standard. See 45 CFR 164.514(e). We explained in the proposed rule that removal of the required identifiers could be absolute or be done through encryption, provided the disclosing entity did not disclose the key to the encryption or the mechanism for re-identification.
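The provider-identifier removal described above, sketched as an added example (it is not part of the rule or of any HHS tooling): it applies the 13-item list to a structured report, either by absolute removal or by replacing identifiers with keyed tokens whose key stays with the disclosing entity. The record schema and field names are hypothetical, the keyed HMAC token is a one-way substitute for the "encryption" option (the key holder re-identifies by recomputing the token), and patient identifiers under 45 CFR 164.514(e) are out of scope.

```python
import hashlib
import hmac
import re
from typing import Optional

# Hypothetical field names for one provider entry; the number is the item in
# the 13-item direct-identifier list that the field falls under.
DIRECT_IDENTIFIER_FIELDS = {
    "name": 1, "street_address": 2, "phone": 3, "fax": 4, "email": 5,
    "ssn": 6, "tin": 6, "credential_number": 7, "dea_number": 7,
    "npi": 8, "license_number": 9, "url": 10, "ip_address": 11,
    "fingerprint": 12, "voice_print": 12, "photo": 13,
}
# Item 2 excludes town or city, State and zip code from removal. "specialty"
# and "role" are assumed non-identifying fields of this constructed schema.
PASS_THROUGH_FIELDS = {"city", "state", "zip", "specialty", "role"}

# Pattern-shaped identifiers that can survive inside narrative text. Names
# (item 1) have no reliable pattern and still need manual or NLP review.
FREE_TEXT_PATTERNS = [
    ("[EMAIL]", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("[URL]", re.compile(r"\bhttps?://\S+", re.IGNORECASE)),
    ("[IP]", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("[SSN]", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("[PHONE]", re.compile(r"\(?\b\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b")),
]


def keyed_token(key: bytes, item: int, value: str) -> str:
    """Stable token for one identifier; only the key holder can recompute it."""
    msg = f"{item}:{value.strip().lower()}".encode("utf-8")
    return "tok_" + hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def anonymize_provider(entry: dict, key: Optional[bytes] = None):
    """Return (clean_entry, dropped_fields).

    key=None  -> absolute removal of every direct identifier.
    key=bytes -> string identifiers become keyed tokens; the key stays with
                 the disclosing entity. Non-string values (images, biometric
                 templates) are always removed.
    Fields outside both tables are dropped, so a newly added column fails
    closed instead of leaking.
    """
    clean, dropped = {}, []
    for field, value in entry.items():
        if field in PASS_THROUGH_FIELDS:
            clean[field] = value
        elif field in DIRECT_IDENTIFIER_FIELDS and key and isinstance(value, str):
            clean[field] = keyed_token(key, DIRECT_IDENTIFIER_FIELDS[field], value)
        else:
            dropped.append(field)
    return clean, sorted(dropped)


def scrub_narrative(text: str) -> str:
    """Mask pattern-shaped identifiers left in free text."""
    for placeholder, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


def anonymize_report(report: dict, key: Optional[bytes] = None) -> dict:
    """Anonymize every provider-side entry and the narrative of one report.

    "providers" is expected to hold the provider and any affiliated
    organization, employer, workforce member, etc. named in the report.
    """
    providers, dropped = [], []
    for entry in report["providers"]:
        clean, gone = anonymize_provider(entry, key)
        providers.append(clean)
        dropped.append(gone)
    return {
        "event_type": report["event_type"],
        "providers": providers,
        "narrative": scrub_narrative(report["narrative"]),
        "dropped_fields": dropped,
    }


# Constructed sample report; every value is fictitious.
SAMPLE_REPORT = {
    "event_type": "medication error",
    "providers": [{
        "name": "Example General Hospital", "street_address": "1 Sample Way",
        "city": "Springfield", "state": "XX", "zip": "00000",
        "phone": "(301) 555-0100", "npi": "0000000000",
        "photo": b"\x89PNG...", "badge_id": "B-17", "role": "reporting facility",
    }],
    "narrative": "Pharmacist at 301-555-0100 (rx@hospital.example, host "
                 "192.0.2.10) flagged the order; see https://intranet.example/e/9.",
}

if __name__ == "__main__":
    print(anonymize_report(SAMPLE_REPORT))                      # absolute removal
    print(anonymize_report(SAMPLE_REPORT, key=b"kept-secret"))  # keyed tokens
```

Because the same key yields the same token for the same identifier, a recipient can match duplicate reports without learning who the provider is.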

Recognizing that fully nonidentifiable patient safety work product may have limited usefulness due to the removal of key elements of identification, the proposed rule specifically sought public comment on whether there were any entities other than providers, PSOs, or their contractors that would need fully identifiable or anonymized patient safety work product for patient safety activities.

The proposed rule also explained the intersection with the HIPAA Privacy Rule with respect to these disclosures, and noted that, as provided by the statute, PSOs would be treated as business associates and patient safety activities performed by, or on behalf of, a covered provider by a PSO would be deemed health care operations as defined by the HIPAA Privacy Rule. For a more detailed discussion of the application of the HIPAA Privacy Rule with respect to disclosures under this proposed provision, see the preamble to the proposed rule at 73 FR 8146-8147. The proposed rule sought public comment on whether the HIPAA Privacy Rule definition of "health care operations" should be modified to include a specific reference to patient safety activities and whether the HIPAA Privacy Rule disclosure permission for health care operations should be modified to include a reference to patient safety activities.

Overview of Public Comments: The commenters expressed general support for the reciprocal disclosure of patient safety work product between providers and PSOs for patient safety activities. Additionally, commenters expressed general support for the disclosure of patient safety work product by a PSO or provider to its contractor to carry out patient safety activities.

Commenters also generally supported the proposed permissible disclosure of patient safety work product between PSOs for patient safety activities, between PSOs and other providers that have reported to that PSO, and between providers. However, many commenters expressed concern about the proposed rule requirement at § 3.206(b)(4)(iii) to anonymize patient safety work product prior to disclosure. Some commenters stated that this requirement inappropriately limited a PSO's ability to share this information with other PSOs and could prevent PSOs from being able to identify duplicate reports of a single event coming from independent sources in the patient safety work product received from other PSOs. One suggested that PSOs be able to share identifiable patient safety work product with other PSOs, while another commenter stated that provider names, addresses, and phone numbers should be included in patient safety work product to permit follow up contact with the provider and as a way to identify duplicate adverse event reports. This commenter suggested that PSOs be able to contract with other PSOs as their contractors so that they could share patient safety information that has not been anonymized with one another subject to § 3.206(b)(4)(ii), or alternatively, that the final rule allow PSOs to share patient safety work product identifying providers with other PSOs if a contract ensuring the confidentiality of this information is in place between the PSOs. Other commenters expressed concern that the anonymization requirement limited the ability of providers to use and disclose patient safety work product to other providers or students for educational, academic, or professional purposes. These commenters feared that the proposed rule would inhibit providers' ability to consult with other providers about patient safety events and requested clarification from the Department that the rule would not prohibit the disclosure of patient safety work product among physicians and other health care professionals, particularly for education purposes or for preventing or ameliorating harm.

Many commenters also responded to the question in the proposed rule regarding whether the patient safety activities disclosure permission should be expanded to encompass additional entities. Commenters identified no additional entities to include in this disclosure permission; however, some commenters suggested that the Department monitor this provision so that exceptions for disclosures to additional entities may be made in the future if necessary.

Final Rule: The final rule adopts without modification proposed § 3.206(b)(4)(i) and § 3.206(b)(4)(ii), permitting disclosure of patient safety work product for patient safety activities between providers and PSOs, and between providers or PSOs and their contractors that undertake patient safety activities on their behalf. In addition, the final rule modifies proposed § 3.206(b)(4)(iii) with respect to disclosures to another PSO or provider, redesignates the provision as § 3.206(b)(4)(iv), and adds a new § 3.206(b)(4)(iii).

New § 3.206(b)(4)(iii) of the final rule permits disclosure of identifiable patient safety work product among affiliated providers for patient safety activities. Unlike disclosures between providers in § 3.206(b)(4)(iv), the patient safety work product disclosed pursuant to this permission need not be anonymized prior to disclosure. An affiliated provider is defined in the final rule as "with respect to a provider, a legally separate provider that is the parent organization of the provider, is under common ownership, management, or control with the provider, or is owned, managed, or controlled by the provider." See § 3.20. This addition to the final rule is included in recognition that certain provider entities with a common corporate affiliation, such as integrated health systems, may have a need, just as a single legal entity, to share identifiable and non-anonymized patient safety work product among the various provider affiliates and their parent organization for patient safety activities and to facilitate, if desired, one corporate patient safety evaluation system. We emphasize that provider entities can choose not to use this disclosure mechanism if they believe that doing so would adversely affect provider participation, given that patient safety work product would be shared more broadly across the affiliated entities.

The final rule adopts the disclosure permission for patient safety work product proposed at § 3.206(b)(4)(iii) in the proposed rule; however, the final rule relocates this disclosure permission to § 3.206(b)(4)(iv) and retitles this section for clarity. This disclosure permission requires that patient safety work product disclosed for patient safety activities by a PSO to another PSO or to another provider that has reported to the PSO or by a provider to another provider must be anonymized through the removal of certain provider-related direct identifiers listed in § 3.206(b)(4)(iii)(A), as well as the removal of patient direct identifiers pursuant to the HIPAA Privacy Rule's limited data set standard at 45 CFR 164.514(e)(2).

Although the final rule includes a provision for disclosure of fully identifiable patient safety work product among affiliated providers, we believe it is unnecessary to provide a similar provision that would allow for the sharing of identifiable and non-anonymized patient safety work product between PSOs since the final rule includes multiple avenues for secondary PSOs, i.e., those PSOs that do not have the direct reporting relationship with the provider, to receive provider identifiable data, if needed. In particular, the final rule allows:

  1. a PSO receiving patient safety work product from a provider to contact that provider and recommend that the provider also report the patient safety work product to an additional PSO;
  2. a provider reporting to a PSO to delegate its authority to the PSO to report its patient safety work product to an additional PSO;
  3. a PSO to hire another PSO as a consultant to assist in the evaluation of patient safety work product received from a reporting provider, pursuant to § 3.206(b)(4)(ii); and
  4. a PSO to disclose identifiable and non-anonymized patient safety work product to another PSO if it has obtained authorization to do so from each provider identified in the patient safety work product. See § 3.206(b)(3).

To address the concerns of providers generally that the rule would prohibit the disclosure of patient safety work product among physicians and other health care professionals, particularly for educational purposes or for preventing or ameliorating patient harm, we emphasize that the rule does not regulate uses of patient safety work product within a single legal entity. (However, we note that we have expressly defined as a disclosure the sharing of patient safety work product between a component PSO and the rest of the legal entity of which it is a part.) Thus, consistent with this policy, providers within a single legal entity are free to discuss and share patient safety work product in identifiable and non-anonymized form for educational, academic, or other professional purposes. We have made this policy clear in the final rule by modifying the definition of disclosure to apply only to the release, transfer, provision of access to, or divulging in any other manner of patient safety work product by:

  1. an entity or natural person holding the patient safety work product to another legally separate entity or natural person outside the entity holding the patient safety work product; or
  2. a component PSO to another entity or natural person outside the component organization.

Further, as described above, the new provision at § 3.206(b)(4)(iii) allows the sharing of fully identifiable patient safety work product among affiliated providers. However, if providers wish to disclose patient safety work product to other providers outside of their legal entity or to non-affiliated providers, the information must be anonymized subject to § 3.206(b)(4)(iv)(A) and (B) or disclosed subject to another applicable disclosure permission.

Response to Other Public Comments

Comment: One commenter asked that the final rule prohibit the recommendations made by a PSO from being introduced as evidence of a standard of care or for other purposes in a judicial or administrative proceeding.

Response: A recommendation made by a PSO is patient safety work product to which the privilege and confidentiality protections attach. Therefore, the information can only be disclosed through an applicable disclosure permission. However, as we explained in the proposed rule, while the recommendations themselves are protected, the corrective actions implemented by a provider, even if based on the protected recommendations from a PSO, are not patient safety work product.

Comment: One commenter asked if permissible disclosures of patient safety work product for patient safety activities under this disclosure permission could include disclosures for credentialing, disciplinary, and peer review purposes.

Response: The disclosure permission at § 3.206(b)(4) of the final rule for patient safety activities does not encompass the disclosure of patient safety work product to an external entity or within an administrative proceeding for credentialing, disciplinary, or peer review purposes. However, as explained above, uses of patient safety work product within a legal entity are not regulated and thus, patient safety work product may be used within an entity for any purpose, including those described by the commenter, so long as such use does not run afoul of the statutory prohibition on a provider taking an adverse employment action against an individual based on the fact that the individual in good faith reported information either to the provider with the intention of having the information reported to a PSO or directly to a PSO. (Note, though, that we have expressly defined as a disclosure the sharing of patient safety work product between a component PSO and the rest of the legal entity of which it is a part.)

Comment: One commenter suggested that PSOs should be required to maintain an accounting of all disclosures of patient safety work product containing individually identifiable health information in parallel to the HIPAA Privacy Rule requirement for covered entities. In order to further protect patient privacy, this commenter suggested that patients be made third party beneficiaries of the contracts between providers and PSOs.

Response: A HIPAA covered entity is responsible for ensuring that disclosures of protected health information made by a PSO, as its business associate, are included in an accounting of disclosures to the extent such disclosures are subject to an accounting at 45 CFR 164.528. Further, the HIPAA Privacy Rule provides that a contract between a HIPAA covered entity and its business associate must require the business associate to make available to the covered entity the information it needs to comply with the HIPAA Privacy Rule's accounting standard. See 45 CFR 164.504(e). However, we expect that most permissible disclosures of patient safety work product that include protected health information will not be subject to the HIPAA Privacy Rule's accounting requirements. The HIPAA Privacy Rule's accounting standard does not require that disclosures made for health care operations be included in an accounting. See 45 CFR 164.528(a)(1)(i). Thus, because disclosures for patient safety activities at § 3.206(b)(4), business operations at § 3.206(b)(9), or accreditation purposes at § 3.206(b)(8) will generally be for the provider's health care operations, the provider does not need to account for these disclosures. Additionally, for disclosures of patient safety work product that are subject to the HIPAA Privacy Rule's accounting requirement, such as disclosures to the FDA and entities required to report to the FDA at § 3.206(b)(7), the HIPAA Privacy Rule offers enough flexibility for a provider generally to provide an accounting of those disclosures without revealing the existence of patient safety work product. Therefore, we do not believe including a requirement directly on PSOs with respect to the HIPAA Privacy Rule's accounting standard is needed or appropriate. Nor do we agree that contracts between providers and PSOs should designate individuals as third party beneficiaries of such contracts. We believe the HIPAA Privacy Rule's existing provisions provide adequate protections for identifiable patient information that may be encompassed within patient safety work product; however, we also expect PSOs generally to disclose anonymized and nonidentifiable patient safety work product.

Comment: Another commenter suggested that patient safety work product should be able to be used and disclosed in the same circumstances that protected health information can be used and disclosed under the HIPAA Privacy Rule for health care operations.

Response: The final rule does not regulate "uses" of patient safety work product within a legal entity; thus, a provider, PSO, or responsible person may use patient safety work product for any purpose within the legal entity, including those considered "health care operations" for purposes of the HIPAA Privacy Rule. With respect to disclosures, however, we do not agree that expanding the disclosure permission in the manner suggested by the commenter is appropriate. The disclosure permissions in the final rule are carefully crafted to balance the need for the information to remain confidential with the need to disclose patient safety work product to effectuate the goals of the statute or for other limited purposes provided by the statute. With respect to disclosures for patient safety activities, while it is clear that patient safety activities are health care operations under the HIPAA Privacy Rule, only a subset of activities within the definition of "health care operations" are relevant to patient safety.

Comment: One commenter asked for clarification about whether a provider can report a single patient safety event to multiple PSOs.

Response: Providers are free to report patient safety work product to, and have relationships with, multiple PSOs.

Comment: A commenter asked that the final rule explain the process for disclosing patient safety work product to the National Patient Safety Databank.

Response: The Department intends to provide further guidance and information regarding the creation of and reporting to and among the network of patient safety databases, as part of implementation of section 923 of the Public Health Service Act, including information on common formats for collecting and disclosing nonidentifiable patient safety work product for such purposes. The Department announced the availability of, and sought comment on, common formats for common hospital-based patient safety events in the Federal Register on August 29, 2008.

Comment: One commenter suggested that the final rule require providers and PSOs to have written contracts in place with contractors who are not their agents but who will carry out patient safety activities on their behalf. Another commenter asked if the final rule will include a requirement similar to a business associate contract under the HIPAA Privacy Rule between PSOs and their contractors.

Response: The final rule does not require providers and PSOs to have written contracts in place with contractors who are not their agents but who will carry out patient safety activities on their behalf. However, we expect that, in practice, such relationships will be governed by contract, but we leave the terms of those relationships up to the parties. We note, though, that if a HIPAA covered entity hires a contractor to conduct patient safety activities on its behalf, which requires access to protected health information, the HIPAA Privacy Rule would require that a business associate agreement be in place prior to any disclosure of such information to the contractor. See 45 CFR 164.502(e) and 164.504(e).

Comment: Some commenters asked that the final rule provide clarification regarding the circumstances under which PSOs can disclose patient safety work product to other PSOs to aggregate this information for patient safety activities purposes.

Response: Section 3.206(b)(4)(iv) of the final rule permits such disclosures, provided the patient safety work product is anonymized by removal of the direct identifiers of both providers and patients. Also, the final rule permits a PSO to disclose patient safety work product to another PSO if authorized by the identified providers as provided in § 3.206(b)(3) or in non-identifiable form in accordance with § 3.206(b)(5). Finally, a provider reporting to a PSO may delegate its authority to the PSO to report its patient safety work product to an additional PSO, as provided by § 3.206(e).

Comment: A commenter suggested that a data use agreement be required when any information, including individually identifiable health information, is being shared through a limited data set.

Response: If a HIPAA covered entity is sharing a limited data set, as defined by the HIPAA Privacy Rule, the covered entity must enter into a data use agreement with the recipient of the information. See 45 CFR 164.504(e). For entities that are not covered by the HIPAA Privacy Rule, the final rule does not include such a requirement; however, we encourage such parties to engage in these and similar practices to further protect patient safety work product.

Comment: Two commenters asked for clarification in the final rule about whether patient safety work product disclosed by a provider to a PSO or by a PSO to a provider can identify other providers regardless of whether they have also reported to that PSO. One commenter asked if the rule requires that authorization from all the identified providers is required before this disclosure can be made.

Response: The final rule at § 3.206(b)(4)(i) allows the disclosure of patient safety work product in identifiable form reciprocally between the provider and the PSO to which it reports. This information can contain information identifying other providers. If the patient safety work product is being disclosed between PSOs, between unaffiliated providers, or between a PSO and other providers that have reported to it, then the information must be anonymized prior to disclosure subject to § 3.206(b)(4)(iv)(A) and (B). In addition, if a provider or PSO obtains authorizations from all providers identified in the patient safety work product, or if the patient safety work product is being shared among affiliated providers, then such information may be disclosed in identifiable form under § 3.206(b)(3) and 3.206(b)(4)(iii).

Comment: Several commenters expressed concern about the anonymization requirement at proposed § 3.206(b)(4)(iii)(A) and stated that a provider may be identifiable even if the patient safety work product is anonymized. One commenter suggested that zip codes should be included in the list of identifiers that must be removed from the patient safety work product. Other commenters felt that the anonymization standard was too strict.

Response: We believe the anonymization standard in the final rule at § 3.206(b)(4)(iv)(A) strikes the appropriate balance between the need to protect patient safety work product and the need for broader sharing of such information at an aggregate level, outside of the direct provider and PSO relationship, to achieve the goals of the statute and improve patient safety.

Comment: We received several comments in response to the questions asked in the proposed rule about whether the HIPAA Privacy Rule definition of "health care operations" should include a specific reference to patient safety activities and whether the Privacy Rule disclosure permission for health care operations should be modified to conform to the disclosure for patient safety activities. These commenters expressed overwhelming support for modifying the HIPAA Privacy Rule's definition of "health care operations" to include such a specific reference and to aligning the disclosure permission for health care operations with that for patient safety activities. The commenters stated that including such specific references would make the intersection of both regulations clear, and would encourage patient safety discourse among providers and PSOs. One commenter stated that there was no need to modify the definition of "health care operations" because it already unambiguously encompassed patient safety activities. No commenters suggested that modifications to the Privacy Rule were necessary to address any workability issues.

Response: OCR will consider these comments and will seek opportunity to address them in regulation or in guidance.

(5) Section 3.206(b)(5)-Disclosure of Nonidentifiable Patient Safety Work Product

Proposed Rule: Proposed § 3.206(b)(5) would have permitted the disclosure of nonidentifiable patient safety work product if the patient safety work product met the standard for nonidentification in proposed § 3.212. See section 922(c)(2)(B) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(B). As described in proposed § 3.208(b)(ii), nonidentifiable patient safety work product, once disclosed, would no longer be privileged and confidential and thus, could be redisclosed by a recipient without any Patient Safety Act limitations or liability. Any provider, PSO or responsible person could nonidentify patient safety work product. See the discussion regarding § 3.212 for more information about the nonidentification standard.

Overview of Public Comments: We received no comments opposed to this proposed provision.

Final Rule: The final rule adopts the proposed provision.

Response to Other Public Comments

Comment: One commenter asked that the final rule require data use agreements for disclosures of nonidentifiable patient safety work product in cases where there is a chance for identification or reidentification of provider identities.

Response: We emphasize that patient safety work product is considered nonidentifiable only if, either:

  1. the statistical method at § 3.212(a)(1) is used and there is a very small risk that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an identified provider; or
  2. the identifiers listed at § 3.212(a)(2) are stripped and the person making the disclosure does not have actual knowledge that the remaining information could be used, alone or in combination with other information that is reasonably available to the intended recipient, to identify a provider.

Thus, the commenter should consider whether the information about which it is concerned would be nonidentifiable for purposes of this rule. Further, while the final rule does not require that the disclosure of nonidentifiable patient safety work product be conditioned on an agreement between the parties to the disclosure, we note that providers, PSOs, and responsible persons are free to contract or enter into agreements that place further conditions on the release of patient safety work product, including in nonidentifiable form, than required by the final rule. See § 3.206(e).

Comment: Several commenters stated that identifiable information about nondisclosing providers should not be disclosed and that adequate safeguards should be in place to ensure that information identifying nondisclosing providers is not released. These commenters also suggested that AHRQ set up a workgroup to evaluate the standards and approaches set forth in the proposed rule.

Response: The nonidentification standard at § 3.212 of the final rule addresses the commenters' concern by requiring either that:

  1. a statistician determine, with respect to information, that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an identified provider; or
  2. all of the provider-related identifiers listed at § 3.212(a)(2) be removed and the provider, PSO, or responsible person making the disclosure not have actual knowledge that the information could be used, alone or in combination with other information that is reasonably available to the intended recipient, to identify the particular provider.

(6) Section 3.206(b)(6)-For Research

Proposed Rule: Proposed § 3.206(b)(6) would have allowed the disclosure of identifiable patient safety work product to entities carrying out research, evaluations, or demonstration projects that are funded, certified, or otherwise sanctioned by rule or other means by the Secretary. See section 922(c)(2)(C) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(C). We explained in the proposed rule that this disclosure permission was only for research sanctioned by the Secretary. We also explained that we expected that most research that may be subject to this disclosure permission would be related to the methodologies, analytic processes, and interpretation, feedback and quality improvement results from PSOs, rather than general medical, or even health services, research. Patient safety work product disclosed for research under this provision would continue to be confidential and privileged.

Section 922(c)(2)(C) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(C), requires that patient safety work product which identifies patients may only be released to the extent that protected health information would be disclosable for research purposes under the HIPAA Privacy Rule. We interpreted this provision as requiring HIPAA covered entities to ensure any disclosures of patient safety work product under this provision that also include protected health information comply with the HIPAA Privacy Rule's research provisions. Accordingly, the proposal incorporated by reference 45 CFR 164.512(i) of the HIPAA Privacy Rule, which generally requires a covered entity to obtain documentation of a waiver (or alteration of waiver) of authorization by either an Institutional Review Board (IRB) or a Privacy Board prior to using or disclosing protected health information without the individual's authorization.

We noted that our interpretation of the statute would not impact the disclosure of identifiable patient safety work product by entities or persons that are not HIPAA covered entities. We also explained that the incorporation by reference of the HIPAA Privacy Rule should provide for the proper alignment of disclosures for research purposes under the two rules. However, the exception under the Patient Safety Act also refers to evaluations and demonstration projects, some of which may not meet the definition of research under the HIPAA Privacy Rule because they may not result in generalizable knowledge but rather may fall within the HIPAA Privacy Rule's definition of "health care operations." We stated that, in such cases, HIPAA covered entities disclosing patient safety work product that includes protected health information under this exception could do so without violation of the HIPAA Privacy Rule. See the definition of "health care operations" at 45 CFR 164.501 of the HIPAA Privacy Rule.

Overview of Public Comments: We received no comments in reference to this provision.

Final Rule: The final rule adopts the proposed provision, except that the specific reference to "45 CFR 164.512(i)" is deleted. We have included only a general reference to the HIPAA Privacy Rule in recognition of the fact that disclosures of patient safety work product containing protected health information pursuant to this provision could be permissible under the HIPAA Privacy Rule under provisions other than 45 CFR 164.512(i), such as, for example, disclosures for health care operations pursuant to 45 CFR 164.506, or disclosures of a limited data set for research purposes pursuant to 45 CFR 164.514(e).

(7) Section 3.206(b)(7)-To the Food and Drug Administration

Proposed Rule: Section 922(c)(2)(D) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(D), permits the disclosure by a provider to the Food and Drug Administration (FDA) with respect to a product or activity regulated by the FDA. Proposed § 3.206(b)(7) would have implemented this provision by permitting providers to disclose patient safety work product concerning products or activities regulated by the FDA to the FDA or to an entity required to report to the FDA concerning the quality, safety, or effectiveness of an FDA-regulated product or activity. The proposed rule also would have permitted the sharing of patient safety work product between the FDA, entities required to report to the FDA, and their contractors concerning the quality, safety, or effectiveness of an FDA-regulated product or activity. Patient safety work product disclosed pursuant to this disclosure permission would continue to be privileged and confidential.

We specifically sought public comment on our interpretation that the statutory language concerning reporting "to the FDA" included reporting by the provider to persons or entities regulated by the FDA and that are required to report to the FDA concerning the quality, safety, or effectiveness of an FDA-regulated product or activity. We proposed this interpretation to allow providers to report to entities that are required to report to the FDA, such as drug manufacturers, without violating this rule, and asked if including such language would bring about any unintended consequences for providers.

We further proposed at § 3.206(b)(7)(ii) that the FDA and entities required to report to the FDA may only further disclose patient safety work product for the purpose of evaluating the quality, safety, or effectiveness of that product or activity and such further disclosures would only be permitted between the FDA, entities required to report to the FDA, their contractors, and the disclosing providers. Thus, for example, the FDA or a drug manufacturer receiving adverse drug event information that is patient safety work product may engage in further communications with the disclosing provider(s), for the purpose of evaluating the quality, safety, or effectiveness of the particular regulated product or activity, or may work with their contractors. Moreover, an entity regulated by the FDA may further disclose the information to the FDA. The proposed provision also would have prohibited contractors receiving patient safety work product under this provision from further disclosing such information, except to the entity from which they received the information.

Finally, we explained that the HIPAA Privacy Rule at 45 CFR 164.512(b) permits HIPAA covered entities to disclose protected health information concerning FDA-regulated activities and products to persons responsible for collection of information about the quality, safety, and effectiveness of those FDA-regulated activities and products. Therefore, disclosures under this exception of patient safety work product containing protected health information would be permitted under the HIPAA Privacy Rule.

Overview of Public Comments: We received general support in the public comments for the express reference to FDA-regulated entities within this disclosure permission; only one commenter opposed this provision. Some commenters asked that the final rule provide examples of the types of disclosures that might occur to FDA-regulated entities, and one commenter suggested that if such disclosures are permitted, the final rule should include a comprehensive list of acceptable disclosures to these entities. Another commenter noted that if disclosures to FDA-regulated entities are permitted under this disclosure permission, the final rule should limit the use of patient safety work product to the purposes stated in the statute and should prohibit the use of this information for marketing purposes. No commenters identified any unintended consequences of including FDA-regulated entities within the disclosure permission.

Final Rule: The final rule adopts the provisions of the proposed rule at § 3.206(b)(7), including the express reference to FDA-regulated entities. We also modify the title of the provision to reflect that disclosures to such entities are encompassed within the disclosure permission. As explained in the proposed rule, we believe including FDA-regulated entities within the scope of the disclosure permission is consistent with both the rule of construction in the statute which preserves required reporting to the FDA, as well as the goals of the statute which are to improve patient safety. See section 922(g)(6) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(6). In addition, the final rule includes modifications to more clearly indicate who can receive patient safety work product under this provision, as well as what further disclosures may be made of such information. Specifically, § 3.206(b)(7)(i) now makes clear that a provider may disclose patient safety work product concerning an FDA-regulated product or activity to the FDA, an entity required to report to the FDA concerning the quality, safety, or effectiveness of an FDA-regulated product or activity, or a contractor acting on behalf of FDA or such entity for these purposes. Further, § 3.206(b)(7)(ii) clarifies that the FDA, its regulated entity entitled to receive information under this provision, and their contractors may share patient safety work product received under this provision for the purpose of evaluating the quality, safety, or effectiveness of that product or activity among themselves, as well as with the disclosing provider.

We do not include a comprehensive list of acceptable disclosures to FDA-regulated entities as it would be impractical to do so. As we explained in the proposed rule, drug, device, and biological product manufacturers are required to report adverse experiences to the FDA and currently rely on voluntary reports from product users, including providers. Further, the analysis of events by a provider or PSO that constitutes patient safety work product may generate information that should be reported to the FDA or FDA-regulated entity because it relates to the safety or effectiveness of an FDA-regulated product or activity. This provision allows providers to report such information without violating the confidentiality provisions of the statute or rule. However, we emphasize that, despite this disclosure permission, we expect that most reporting to the FDA and its regulated entities will be done with information that is not patient safety work product, as is done today. This disclosure permission is intended to allow for reporting to the FDA or FDA-regulated entity in those special cases where, only after an analysis of patient safety work product, does a provider realize it should make a report. As in the proposed rule, patient safety work product disclosed pursuant to this provision remains privileged and confidential.

Response to Other Public Comments

Comment: Five commenters asked that the final rule allow PSOs as well as providers to disclose or report patient safety work product to the FDA or to an entity that is required to report to the FDA.

Response: We do not modify the provision as there is no statutory authority to allow PSOs to report patient safety work product to the FDA or to an entity required to report to the FDA. However, the statute does permit providers to report patient safety work product to the FDA or to an entity required to report to the FDA.

Comment: One commenter asked for clarification as to whether lot numbers and device identifiers and serial numbers may be reported to the FDA under this disclosure permission.

Response: Section 3.206(b)(7) would allow such information contained within patient safety work product to be reported to FDA provided it concerned an FDA-regulated product or activity.

(8) Section 3.206(b)(8)-Voluntary Disclosure to an Accrediting Body

Proposed Rule: Proposed § 3.206(b)(8) would have permitted the voluntary disclosure of identifiable patient safety work product by a provider to an accrediting body that accredits that disclosing provider. See section 922(c)(2)(E) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(E). Patient safety work product disclosed pursuant to this proposed exception would remain privileged and confidential.

This provision would have allowed a provider to disclose patient safety work product that identifies that disclosing provider. Further, the proposed rule would not have required that patient safety work product be nonidentifiable as to nondisclosing providers. The proposed rule specifically sought public comment on whether patient safety work product should be anonymized with respect to nondisclosing providers prior to disclosure to an accrediting body under this provision.

The proposed rule also provided that an accrediting body could not take an accreditation action against a provider based on that provider's participation, in good faith, in the collection, reporting or development of patient safety work product. It also would have prohibited accrediting bodies from requiring a provider to reveal its communications with any PSO.

Overview of Public Comments: Several commenters responded to the question of whether the final rule should require the anonymization of patient safety work product with respect to nondisclosing providers, all of which supported such a requirement. Another commenter noted that the final rule should expressly prohibit accrediting bodies from taking accreditation actions against nondisclosing providers based upon the patient safety work product reported to them by disclosing providers.

Final Rule: In light of the comments received, the final rule modifies the proposed provision at § 3.206(b)(8) to condition the voluntary disclosure by a provider of patient safety work product to an accrediting body that accredits the provider on either:

  1. the agreement of the nondisclosing providers to the disclosure; or
  2. the anonymization of the patient safety work product with respect to any nondisclosing providers identified in the patient safety work product, by removal of the direct identifiers listed at § 3.206(b)(4)(iv)(A).

Direct identifiers of the disclosing providers do not need to be removed. We also note that the final rule does not prescribe the form of the agreement obtained from non-disclosing providers. Providers are free to design their own policies for obtaining such agreements. Some institutional providers may, for example, make it a condition of employment or privileges that providers agree to the disclosure of patient safety work product to accrediting bodies. In addition, unlike the provision at § 3.206(b)(3) of the final rule, with respect to any of the non-disclosing providers identified in the patient safety work product, the disclosing provider need obtain either the provider's agreement or anonymize the provider's information.

Response to Other Public Comments

Comment: Several commenters stated that they did not support this disclosure permission allowing voluntary disclosures of patient safety work product to accrediting bodies due to possible unintended consequences of these disclosures. Another commenter asked that we be aware of punitive actions by regulatory organizations as a result of voluntary disclosures to accrediting bodies and monitor this process carefully for any unintended consequences.

Response: The disclosure permission allowing providers to voluntarily disclose patient safety work product to accrediting bodies is prescribed by the statute and thus, is included in this final rule. However, as described above, the final rule requires either anonymization or agreement with respect to non-disclosing providers as a condition of the disclosure. This provision, along with the express prohibition at § 3.206(b)(8)(iii) on an accrediting body taking an accrediting action against a provider based on a good faith participation of the provider in the collection, development, reporting, or maintenance of patient safety work product should alleviate commenter concerns.

Comment: One commenter asked if the regulation allowed accrediting bodies to disclose patient safety work product to CMS as part of a commitment to advise CMS of adverse accreditation decisions.

Response: The final rule prohibits accrediting bodies from further disclosing patient safety work product they have voluntarily received from providers under § 3.206(b)(8).

Comment: One commenter asked if survey and licensure bodies were considered to be accrediting bodies and thus, precluded from taking action against providers who voluntarily submit patient safety work product to them.

Response: Survey and licensure bodies are not accrediting bodies and are not treated as such under this provision. Thus, such entities are not entitled to receive patient safety work product voluntarily from providers under this provision.

Comment: Two commenters expressed concern about this disclosure permission for accrediting bodies that create component PSOs. One commenter stated that allowing accrediting bodies to create component PSOs creates a potential conflict of interest that may adversely affect provider organizations. If an accrediting body's component organization is a PSO, the commenter asked how OCR will determine whether the component organization improperly disclosed information or whether the accrediting body received the information voluntarily from a provider.

Response: Providers are free to choose the PSOs with which they want to work. We expect that any selection by a provider will involve a thorough vetting and consideration of a number of factors, including whether the PSO is a component of an accrediting body and if so, what assurances are in place to protect against improper access by the accrediting body to patient safety work product. Component organizations have clear requirements to maintain patient safety work product separately from parent organizations. Further, the final rule recognizes that a disclosure from a component organization to a parent organization is a disclosure which must be made pursuant to one of the permissions set forth in the statute and here; disclosures for which there is no permission are subject to enforcement by the Department and imposition of civil money penalties, as well as may adversely impact on the PSO's continued listing by the Secretary as a PSO. Should OCR receive a complaint or conduct a compliance review that implicates an impermissible disclosure by a component PSO of an accrediting body, OCR will investigate and review the particular facts and circumstances surrounding the alleged impermissible disclosure, including, if appropriate, whether the accrediting body received the patient safety work product directly from a provider pursuant to § 3.206(b)(8).

Comment: One commenter asked that the final rule allow accrediting bodies to use voluntarily reported patient safety work product in accreditation decisions, or that the final rule give accrediting bodies immunity from liability that might arise from their failure to take this patient safety work product into account in its accreditation decisions. This commenter also stated that, since accrediting bodies cannot take action based on information voluntarily disclosed pursuant to this provision, the final rule should make clear that accrediting bodies cannot be held responsible for decisions that might have been different if the accrediting body had been able to act based on the patient safety work product received.

Response: We clarify that the final rule, as the proposed rule, does not prohibit an accrediting body from using patient safety work product voluntarily reported by a provider pursuant to this provision in its accreditation decisions with respect to that provider. Thus, it is not necessary nor is it appropriate for the Secretary to give accrediting bodies immunity from liability. However, an accrediting body may not require a provider to disclose patient safety work product, or take an accrediting action against a provider who refuses to disclose patient safety work product, to the accrediting body. See section 922(d)(4)(B) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(4)(B), and § 3.206(b)(8)(iii), which expressly prohibits an accrediting body from taking an accrediting action against a provider based on the good faith participation of the provider in the collection, development, reporting, or maintenance of patient safety work product in accordance with the statute.

Comment: One commenter asked if the limitation on redisclosure of voluntarily reported patient safety work product received by an accrediting body applies if the information sent to the accrediting body was not patient safety work product at the time the accrediting body received the information, but was later reported by the provider to a PSO and became protected.

Response: If the information submitted to an accrediting body was not patient safety work product as defined at § 3.20 at the time it was reported, then § 3.206(b)(8), including the redisclosure limitation, does not apply to such information.

Comment: One commenter asked that the final rule clarify that the disclosure of patient safety work product to an accrediting body is voluntary.

Response: Section 3.208(b)(8) expressly provides only for the voluntary reporting of patient safety work product, provided the conditions are met. We do not see a need for further clarification.

(9) Section 3.206(b)(9)-Business Operations

Proposed Rule: Proposed § 3.206(b)(9) would have allowed disclosures of patient safety work product by a provider or a PSO to professionals such as attorneys and accountants for the business operations purposes of the provider or PSO. See section 922(c)(2)(F) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(F). Under the proposed rule, such contractors could not further disclose patient safety work product, except to the entity from which it received the information. However, the proposed rule made clear that a provider or PSO still would have had the authority to delegate its power to the contractor to make other disclosures. In addition, the proposed rule provided that any patient safety work product disclosed pursuant to this provision continued to be privileged and confidential.

The Patient Safety Act gives the Secretary authority to designate additional exceptions as necessary business operations that are consistent with the goals of the statute. The proposed rule sought public comment regarding whether there are any other consultants or contractors, to whom a business operations disclosure should also be permitted, or whether the Secretary should consider any additional exceptions under this authority. The proposed rule noted that the Secretary would designate additional exceptions only through regulation; however, it asked if other mechanisms for the adoption of business operations exceptions should be adopted or incorporated.

The proposed rule also explained that a business operations designation by the Secretary that enables a HIPAA covered entity to disclose patient safety work product containing protected health information to professionals is permissible as a health care operations disclosure under the HIPAA Privacy Rule. See 45 CFR 164.506. Generally, such professionals will be business associates of the covered entity, which will require that a business associate agreement be in place. See 45 CFR 160.103, 164.502(e), and 164.504(e).

Overview of Public Comments: Several commenters expressed general support for the business operations disclosures to attorneys, accountants, and other professionals in the proposed rule. We also received several responses to the question asking if the final rule should allow for any additional disclosures under the business operations provision. Three commenters stated that the final rule should not include any additional business operations disclosures. Others asked that the business operations disclosure permission be broad enough to encompass all the activities defined as "health care operations" in the HIPAA Privacy Rule, which would then include disclosures to entities such as photocopy shops, document storage services, shredding companies, IT support companies, and other entities involved in a PSO's management or administration. Other commenters suggested that disclosures of patient safety work product to independent contractors, professional liability insurance companies, captives, and risk retention groups be included as disclosures for business operations under this provision in the final rule.

All commenters responding to the question about how the Secretary should adopt additional business operations stated that additional business operations should be adopted only through the rulemaking process.

Final Rule: The final rule adopts the proposed provision, allowing disclosure of patient safety work product by a provider or a PSO for business operations to attorneys, accountants, and other professionals. The final rule allows disclosure of patient safety work product to these professionals who are bound by legal and ethical duties to maintain the confidence of their clients and the confidentiality of client information, including patient safety work product. These professionals will provide a broad array of services to and functions for the providers and PSOs with whom they are contracted and will need access to patient safety work product to perform their duties. We are not persuaded by the comments of a need to expand, at this time, the disclosure permission to encompass other categories of persons or entities. However, as described in the proposed rule, should the Secretary seek in the future to designate additional business operations exceptions to be encompassed within this disclosure permission, he will do so through regulation to provide adequate opportunity for public comment.

With respect to many of the other entities identified by the commenters, we note that, to the extent the services provided by such entities are necessary for the maintenance of patient safety work product or the operation of a patient safety evaluation system, or otherwise support activities included in the definition of "patient safety activities" at § 3.20 of this rule, these disclosures may be made to such contractors pursuant to § 3.206(b)(4)(ii).

Response to Other Public Comments

Comment: Two commenters suggested that the final rule include a requirement for a contract between providers or PSOs and their attorneys, accountants, and other professionals to whom patient safety work product will be disclosed as a business operation.

Response: We do not require a contract as a condition of disclosure in the final rule. However, we agree that a contract between these parties is a prudent business practice and expect that parties will enter into appropriate agreements to ensure patient safety work product remains protected. Further, where HIPAA covered entities are concerned, we note that the HIPAA Privacy Rule requires that such entities have a business associate agreement in place with professionals providing services that require access to protected health information.

(10) Section 3.206(b)(10)-Disclosure to Law Enforcement

Proposed Rule: Proposed § 3.206(b)(10) would have permitted the disclosure of identifiable patient safety work product to law enforcement authorities, so long as the person making the disclosure believes, and that belief is reasonable under the circumstances, that the patient safety work product disclosed relates to a crime and is necessary for criminal law enforcement purposes. See section 922(c)(2)(G) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(G). The proposed rule provided that patient safety work product disclosed under this provision would remain privileged and confidential.

The proposed rule also provided that the law enforcement entity receiving the patient safety work product could use the patient safety work product to pursue any law enforcement purposes; however, the recipient law enforcement entity could only redisclose the information to other law enforcement authorities as needed for law enforcement activities related to the event that necessitated the original disclosure. The proposed rule sought comment regarding whether these provisions would allow for legitimate law enforcement needs, while ensuring appropriate protections.

Overview of Public Comments: Commenters responding to the question in the proposed rule regarding whether this disclosure permission would allow for legitimate law enforcement needs while ensuring that information remain appropriately protected stated that the proposed disclosure permission was appropriate and did permit legitimate disclosures to law enforcement.

Final Rule: The final rule adopts the proposed provision with slight modification for purposes of clarification only. We add the word "only" to the final rule to clarify that law enforcement receiving patient safety work product pursuant to this exception may only further disclose this information to other law enforcement authorities as needed for law enforcement activities related to the event that gave rise to the original disclosure.

Response to Other Public Comments

Comment: Two commenters suggested that the statutory standard of reasonable belief was vague and that clarity was needed to reduce the uncertainty of disclosures and to further define what could constitute a reasonable belief. Another commenter noted that the phrase "relates to a crime and is necessary for criminal law enforcement purposes" is too broad and leaves too much discretion to entities such as PSOs.

Response: The final rule provision at § 3.206(b)(10) generally repeats the statutory provision upon which it is based, which provides that the disclosure of patient safety work product be permitted if it relates to the commission of a crime and the person making the disclosure believes, reasonably under the circumstances, that the patient safety work product is necessary for criminal law enforcement purposes. See section 922(c)(2)(G) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(G).

Comment: One commenter expressed concern regarding the redisclosure of patient safety work product to law enforcement under this disclosure permission. The commenter stated that there could be successive disclosures of protected information to law enforcement without consideration of whether there is a reasonable belief that the redisclosure is necessary for criminal law enforcement purposes. Another commenter recommended that this disclosure permission should expressly prohibit patient safety work product from being used against patients who are identified in the patient safety work product but who are not the subject of the criminal act for which the information was originally disclosed.

Response: We believe § 3.206(b)(10) addresses the commenters' concerns by expressly limiting law enforcement's redisclosure of patient safety work product received pursuant to the provision to other law enforcement authorities as needed for law enforcement activities related to the event that gave rise to the initial disclosure. Thus, law enforcement is not permitted to further disclose the patient safety work product for the enforcement of a crime unrelated to the crime for which the patient safety work product was originally disclosed to the law enforcement entity.

Comment: One commenter stated that the proposed rule represented an expansion of the statutory language because it allowed persons to disclose patient safety work product to law enforcement entities in the absence of an active law enforcement investigation and in the absence of a request for this information by law enforcement.

Response: The statute does not require that a law enforcement entity be involved in an active investigation or that a law enforcement entity request information prior to a person making a disclosure of patient safety work product to a law enforcement entity pursuant to this disclosure permission. See 922(c)(2)(G) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(G).

(C) Section 3.206(c)-Safe Harbor

Proposed Rule: Proposed § 3.206(c) would have prohibited the disclosure of a subject provider's identity with information, whether oral or written, that:

  1. assesses that provider's quality of care; or
  2. identifies specific acts attributable to such provider.

See section 922(c)(2)(H) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(H).

This provision would have been only applicable to providers. Patient safety work product disclosed under this exception could identify providers, reporters or patients so long as the provider(s) that were the subject of the actions described were nonidentified. The proposed rule would have required that nonidentification be accomplished in accordance with the nonidentification standard set forth in proposed § 3.212.

Overview of Public Comments: We received no comments opposed to this provision.

Final Rule: The final rule adopts the proposed provision.

Response to Other Public Comments

Comment: Several commenters suggested that the safe harbor provision be extended to PSOs as well as providers. One commenter noted that there was no reason to exclude PSOs from this provision and including PSOs would provide them with the same leeway for inadvertent disclosures of patient safety work product as providers.

Response: The statute expressly limits the safe harbor provision to providers. Therefore, we do not have the authority to extend this provision to PSOs.

(D) Section 3.206(d)-Implementation and Enforcement of the Patient Safety Act

Proposed Rule: Proposed § 3.206(d) would have permitted the disclosure of relevant patient safety work product to or by the Secretary as needed for investigating or determining compliance with or to seek or impose civil money penalties with respect to this Part or for making or supporting PSO certification or listing decisions, under the Patient Safety Act. Patient safety work product disclosed under this exception would remain confidential.

Overview of Public Comments: We received no comments in reference to this provision.

Final Rule: Consistent with the changes made to § 3.204(c) with respect to privilege, the final rule adopts the proposed provision, but expands it to expressly provide that patient safety work product also may be disclosed to or by the Secretary as needed to investigate or determine compliance with or to impose a civil money penalty under the HIPAA Privacy Rule. This new language implements the statutory provision at section 922(g)(3) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(3), which makes clear that the Patient Safety Act is not intended to affect implementation of the HIPAA Privacy Rule. As in the privilege context, given the significant potential for an alleged impermissible disclosure to implicate both this rule's confidentiality provisions, as well as the HIPAA Privacy Rule, the Secretary may require access to confidential patient safety work product for purposes of determining compliance with the HIPAA Privacy Rule. The Secretary will use such information consistent with the statutory prohibition against imposing civil money penalties under both authorities for the same act.

With respect to this rule, the final rule, as in the proposed rule, makes clear that disclosures of patient safety work product to or by the Secretary are permitted to investigate or determine compliance with this rule, or to make or support decisions with respect to listing of a PSO. This may include access to and disclosure of patient safety work product to enforce the confidentiality provisions of the rule, to make or support decisions regarding the acceptance of certification and listing as a PSO, or to revoke such acceptance and to delist a PSO, or to assess or verify PSO compliance with the rule.

Response to Other Public Comments

Comment: Several commenters asked the Secretary to use judicious restraint when requesting patient safety work product for compliance and enforcement activities. Some of these commenters also asked that the Secretary reserve his full enforcement power for only the most egregious violations of the confidentiality provisions.

Response: We acknowledge the commenters' concerns regarding the disclosure of patient safety work product for enforcement purposes. As we explained in the proposed rule, we strongly believe in the protection of patient safety work product as provided by the Patient Safety Act. However, confidentiality protections are meaningless without the ability to enforce breaches of the protections, investigations of which may require access to confidential patient safety work product. Further, § 3.310 of the final rule provides the Secretary with authority to obtain access to only that patient safety work product and other information that is pertinent to ascertaining compliance with the rule's confidentiality provisions.

Also, as we explained in the proposed rule, we will seek to minimize the risk of improper disclosure of patient safety work product by using and disclosing patient safety work product only in limited and necessary circumstances, and by limiting the amount of patient safety work product disclosed to that necessary to accomplish the purpose. Further, § 3.312 of the final rule expressly prohibits the Secretary from disclosing identifiable patient safety work product obtained by the Secretary in connection with an investigation or compliance review except as permitted by § 3.206(d) for compliance and enforcement or as otherwise permitted by the rule or the Patient Safety Act.

See the discussion of the provisions of Subpart D of the final rule for more information on how the Secretary may exercise discretion in enforcement.

(E) Section 3.206(e)-No Limitation on Authority to Limit or Delegate Disclosure or Use

Proposed Rule: Proposed § 3.206(e) would have established that a person holding patient safety work product may enter into a contract that requires greater confidentiality protections or may delegate its authority to make a disclosure in accordance with this Subpart. Neither the statute nor the proposed rule limited the authority of a provider to place limitations on disclosures or uses.

Overview of Public Comments: We received no comments opposed to this provision.

Final Rule: The final rule adopts the proposed provision.

Response to Other Public Comments

Comment: One commenter suggested that providers and PSOs should not be able to enter into agreements that would prohibit the disclosure of patient safety work product to report a crime or to comply with state reporting requirements.

Response: The Patient Safety Act expressly provides that it does not preempt or otherwise affect any State law requiring a provider to report information that is not patient safety work product. See section 922(g)(5) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(5). Further, patient safety work product does not include original medical and other records. Thus, nothing in the final rule or the statute relieves a provider from his or her obligation to disclose information from such original records or other information that is not patient safety work product to comply with state reporting or other laws. Moreover, the final rule at § 3.206(b)(10)(i) permits providers and PSOs to disclose patient safety work product to report a crime to a law enforcement authority provided that the disclosing person reasonably believes that the patient safety work product that is disclosed is necessary for criminal law enforcement purposes. However, the Department cannot, through this rule, prevent such agreements because the Patient Safety Act, at section 922(g)(4) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(4), specifically provides that the Act cannot be construed "to limit the authority of any provider, patient safety organization, or other entity to enter into a contract requiring greater confidentiality" than that provided under the Act.

(3) Section 3.208-Continued Protection of Patient Safety Work Product

Proposed Rule: Proposed § 3.208 provided that the privilege and confidentiality protections would continue to apply to patient safety work product following disclosure and also described the narrow circumstances when the protections terminate. See section 922(d) of the Public Health Service Act, 42 U.S.C. 299b-22(d). In particular, the proposed rule would have provided two exceptions to the continued protection of patient safety work product. The first was an exception to continued confidentiality protection when patient safety work product is disclosed for use in a criminal proceeding, pursuant to § 3.206(b)(1). See section 922(d)(2)(A), 42 U.S.C. 299b-22(d)(2)(A). The second exception to continued protection was in circumstances where patient safety work product is disclosed in nonidentifiable form, pursuant to §§ 3.204(b)(4) and 3.206(b)(5). See section 922(d)(2)(B), 42 U.S.C. 299b-22(d)(2)(B).

The proposed rule would not have required the labeling of information as patient safety work product or that disclosure of patient safety work product be accompanied by a notice as to either the fact that the information disclosed is patient safety work product or that it is confidential. The proposed rule did acknowledge that both practices may be prudent business practices.

Overview of Public Comments: We received several comments suggesting that the final rule require that patient safety work product be labeled as such or that a recipient of patient safety work product be given notice of the protected status of the information received. Commenters suggested that putting recipients of patient safety work product on notice about the sensitive and confidential nature of the information would assure and encourage appropriate treatment of this information.

Final Rule: The final rule adopts this proposed provision but does not require that patient safety work product be labeled or that disclosing parties provide recipients of patient safety work product with notice that they are receiving protected information. We believe imposing a labeling or notice requirement would be overly burdensome on entities. We do, however, expect providers, PSOs, and responsible persons holding patient safety work product to treat and safeguard such sensitive information appropriately and encourage such persons to consider whether labeling or notice may be an appropriate safeguard in certain circumstances. Further, we note that the final rule provides that information that is documented as within a patient safety evaluation system for reporting to a PSO is patient safety work product. In addition, the final rule allows patient safety work product to be removed from a patient safety evaluation system and no longer considered patient safety work product if it has not yet been reported to a PSO and its removal is documented. See the definition of "patient safety work product" at § 3.20. These documentation provisions may assist in identifying, and putting persons on notice as to, what is and is not protected information.

Response to Other Public Comments

Comment: With respect to §§ 3.206(b)(2), 3.206(b)(3), 3.206(b)(8), 3.206(b)(9), and 3.206(b)(10), commenters asked that the final rule emphasize the fact that subsequent holders of patient safety work product are subject to the privilege and confidentiality provisions when they receive the patient safety work product pursuant to a privilege or confidentiality exception and that this patient safety work product cannot be subpoenaed, ordered, or entered into evidence in a civil or criminal proceeding through any of these exceptions.

Response: Section 3.208 makes clear that, with limited exceptions, patient safety work product continues to be privileged and confidential upon disclosure.

Comment: One commenter expressed concern over the proposed rule's statement that an impermissible disclosure of patient safety work product, even if unintentional, does not terminate the confidentiality of the information and that individuals and entities receiving this patient safety work product may be subject to civil money penalties. The commenter stated that the applicability of this broad statement to third and fourth party recipients of patient safety work product could violate the First Amendment and expressed concern with the possibility that the Secretary would seek to impose a civil money penalty upon a newspaper for printing patient safety information.

Response: Section 3.208 implements the statutory provision that patient safety work product continues to be privileged and confidential upon disclosure, including when in the possession of the person to whom the disclosure was made. See section 922(d) of the Public Health Service Act, 42 U.S.C. 299b-22(d). To encourage provider reporting of sensitive patient safety information, Congress saw a need for strong privilege and confidentiality protections that continue to apply downstream even after disclosure, regardless of who holds the information. With respect to the commenter's concern regarding "unintentional" disclosures, we note that the Secretary has discretion to elect not to impose civil money penalties for an impermissible disclosure of patient safety work product, in appropriate circumstances. Thus, if it is determined, through a complaint investigation or a compliance review, that an impermissible disclosure of patient safety work product has been made, the Secretary will examine each situation based on the individual circumstances and make an appropriate determination about whether to impose a civil money penalty. See the discussion regarding Subpart D of this final rule for a more extensive discussion of the Secretary's enforcement discretion. Finally, with respect to the commenter's First Amendment concerns, we do not believe the confidentiality provisions afforded to patient safety work product in the statute and the rule contravene the First Amendment.

(4) Section 3.210-Required Disclosure of Patient Safety Work Product to the Secretary

Proposed Rule: Proposed § 3.210 would have required providers, PSOs, and other persons holding patient safety work product to disclose such information to the Secretary upon a determination by the Secretary that such patient safety work product is needed for the investigation and enforcement activities related to this Part, or is needed in seeking and imposing civil money penalties.

Overview of Public Comments: We received no comments opposed to this provision.

Final Rule: The final rule adopts the proposed provision but expands it to encompass disclosures of patient safety work product needed for investigation and enforcement activities with respect to the HIPAA Privacy Rule, consistent with changes made to §§ 3.204(c) and 3.206(d). As in the proposed rule, the final rule makes clear that, with respect to this rule, providers, PSOs, and responsible persons must disclose patient safety work product to the Secretary upon request when needed to investigate or determine compliance with this rule, or to make or support decisions with respect to listing of a PSO. This may include disclosure of patient safety work product to the Secretary as necessary to enforce the confidentiality provisions of the rule, to make or support decisions regarding the acceptance of certification and listing as a PSO, or to revoke such acceptance and to delist a PSO, or to assess or verify PSO compliance with the rule.

Response to Other Public Comments

Comment: Several commenters suggested that disclosures to the Secretary be limited to only the patient safety work product that is needed for the Secretary's activities.

Response: Section 3.210 requires disclosure of patient safety work product only in those cases where the Secretary has determined that such information is needed for compliance or enforcement of this rule or the HIPAA Privacy Rule or for PSO certification or listing. Further, during an investigation or compliance review, § 3.310(c) requires a respondent to provide the Secretary with access to only that information, including patient safety work product, that is pertinent to ascertaining compliance with this rule.

(5) Section 3.212-Nonidentification of Patient Safety Work Product

Proposed Rule: Proposed § 3.212 would have established the standard by which patient safety work product would be rendered nonidentifiable, implementing section 922(c)(2)(B) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(B). Under the Patient Safety Act and this Part, identifiable patient safety work product includes information that identifies any provider or reporter or contains individually identifiable health information under the HIPAA Privacy Rule (see 45 CFR 160.103). See section 921(2) of the Public Health Service Act, 42 U.S.C. 299b-21(2). By contrast, nonidentifiable patient safety work product does not include information that permits identification of any provider, reporter or subject of individually identifiable health information. See section 921(3) of the Public Health Service Act, 42 U.S.C. 299b-21(3).

The proposed rule explained that because individually identifiable health information as defined in the HIPAA Privacy Rule is one element of identifiable patient safety work product, the de-identification standard provided in the HIPAA Privacy Rule would apply with respect to the patient-identifiable information in the patient safety work product. Therefore, where patient safety work product contained individually identifiable health information, the proposal would have required that the information be de-identified in accordance with 45 CFR 164.514(a)-(c) to qualify as nonidentifiable patient safety work product with respect to individually identifiable health information under the Patient Safety Act.

Further, with respect to providers and reporters, the proposal imported and adapted the HIPAA Privacy Rule's standards for de-identification. In particular, the proposal included two methods by which nonidentification could be accomplished:

  1. a statistical method of nonidentification and
  2. the removal of 15 specified categories of direct identifiers of providers or reporters and of parties related to the providers and reporters, including corporate parents, subsidiaries, practice partners, employers, workforce members, or household members, and that the discloser have no actual knowledge that the remaining information, alone or in combination with other information reasonably available to the intended recipient, could be used to identify any provider or reporter, i.e., a contextual nonidentification standard.

In addition, the proposal would have permitted a provider, PSO, or other disclosing entity or person to assign a code or other means of record identification to allow information made nonidentifiable to be re-identified by the disclosing person, provided certain conditions were met.

The proposal specifically invited comment on the proposed standards and approaches and asked whether it would be possible to include any geographical identifiers, and if so, at what level of detail (state, county, zip code). We also requested comment regarding whether there were alternative approaches to standards for entities determining when health information could reasonably be considered nonidentifiable.

Overview of Public Comments: We received a variety of comments addressing the nonidentification standard. One commenter supported the proposed methodologies for nonidentification, while several commenters expressed concern that the nonidentification standard was too strict and rendered patient safety work product useless to its recipients. One commenter was concerned that imposing an inflexible, stringent nonidentification standard would impede the future disclosures of aggregated patient safety information that the commenter currently makes. Some of these commenters proposed alternatives to the proposed nonidentification standard, such as considering information nonidentified even if it contains dates of treatment and geographic identifiers as long as data of a certain threshold number of providers was aggregated or eliminating the nonidentification standard entirely and applying a less stringent anonymization standard. In contrast, several other commenters expressed concern that the nonidentification standard was too flexible, was inadequate to truly nonidentify information and protect provider identities, and could be too easily reverse engineered.

Final Rule: The final rule adopts this proposed provision with only a minor technical change to incorporate by reference the direct identifiers listed at § 3.206(b)(4)(iv)(A) of the anonymization standard, as appropriate, to eliminate unnecessary duplication of such elements in the regulatory text. Therefore, persons wishing to nonidentify patient safety work product must remove the direct identifiers listed in the anonymization standard at § 3.206(b)(4)(iv)(A)(1) through (13), as well as any additional geographic subdivisions smaller than a State that are not required to be removed by § 3.206(b)(4)(A)(2), e.g., town or city, all elements of dates (except year) that are directly related to a patient safety incident or event, and any other unique identifying number, characteristic, or code (except as permitted for reidentification). We were not persuaded by commenters that changes to the standard were necessary, especially given the lack of consensus among commenters as to whether the standard was too stringent or not stringent enough. Further, commenters did not offer suggestions as to potential alternative approaches to nonidentification. Additionally, because this rule's nonidentification standard with respect to providers and reporters is adapted from the HIPAA Privacy Rule's de-identification standard and with respect to individuals, incorporates the HIPAA Privacy Rule's de-identification standard, this approach minimizes complexity and burden for entities that are subject to both regulatory schemes.

Response to Other Public Comments

Comment: One commenter expressed concern over the possibility that provider identities could be derived from nonidentifiable patient safety work product and asked that the final rule require a party disclosing identifiable information to produce evidence, if challenged, of how the information was obtained if not via nonidentifiable patient safety work product. Another commenter suggested that the final rule include a provision that prohibits the use or disclosure of any individually identifiable information that was obtained via the use of nonidentifiable patient safety work product. Finally, another commenter suggested that keys to reidentification of nonidentifiable patient safety work product be protected from discovery and should be protected as patient safety work product to prevent reidentification by unintended parties.

Response: We believe that the nonidentification standard in the final rule, which is based upon the existing HIPAA Privacy Rule's de-identification standard, is appropriate and sufficient to protect the identities of providers. With respect to protection of reidentification keys, we note that § 3.212(a)(3) prohibits a provider, PSO, or responsible party disclosing nonidentifiable patient safety work product from also disclosing the mechanism for reidentification. If a reidentification key is disclosed along with patient safety work product that would otherwise be nonidentifiable, then such information is identifiable patient safety work product to which the privilege and confidentiality protections attach.

Comment: One commenter asked to whom patient safety work product must be made nonidentifiable and whether information is adequately nonidentifiable despite the ability of a provider or patient involved in the event to recognize their case.

Response: Under § 3.212(a)(1), patient safety work product is rendered nonidentifiable if a determination is made, applying generally accepted statistical and scientific principles, that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify a provider or reporter. Similarly, under § 3.212(a)(2), patient safety work product is rendered nonidentifiable if the listed identifiers are stripped and the provider, PSO or responsible person making the disclosure does not have actual knowledge that the information could be used, alone or in combination with other information that is reasonably available to the intended recipient, to identify the particular provider or reporter. So long as the remaining information meets either of these two standards, such information is considered nonidentifiable for purposes of this rule, despite the hypothetical ability of a provider or patient involved in the event to recognize their case.

Comment: One commenter asked for clarification that nonidentification can be accomplished through either the statistical method or through the safe harbor method but that entities are not required to nonidentify patient safety work product subject to both methods.

Response: We clarify that either method may be used to render information nonidentifiable for purposes of this rule.

(D) Subpart D - Enforcement Program

Subpart D of the final rule establishes a framework to enable the Secretary to monitor and ensure compliance with this Part, a process for imposing a civil money penalty for breach of the confidentiality provisions, and procedures for a hearing contesting a civil money penalty. The provisions in Subpart D are modeled largely on the HIPAA Enforcement Rule at 45 CFR Part 160, Subparts C, D and E. This will maintain a common approach to enforcement and appeals of civil money penalty determinations based on section 1128A of the Social Security Act, 42 U.S.C. 1320a-7a, upon which both the HIPAA and Patient Safety Act penalties are based, as well as minimize complexity for entities that are subject to both regulatory schemes. This enforcement scheme also provides the Secretary maximum flexibility to address confidentiality violations so as to encourage participation in patient safety activities and achieve the goals of the Patient Safety Act.

General Comments: Several commenters expressed support for the decision to base this rule's enforcement regime on the HIPAA Enforcement Rule and noted that the HIPAA Enforcement Rule was properly adapted to the patient safety context. However, two commenters expressed concern that basing the enforcement regime in this rule on the HIPAA Enforcement Rule will be insufficient to adequately address and penalize violations of the confidentiality provisions because of the Department's approach to enforcement of the HIPAA Privacy Rule. One commenter argued that this might cause providers to decide against reporting the most serious patient safety events, and therefore, would undermine the purpose of the statute.

Response to General Comments: The Department believes that modeling this rule's enforcement provisions on the existing HIPAA Enforcement Rule is prudent and appropriate. As noted above, such an approach grants the Secretary maximum flexibility to address violations of the confidentiality provisions, relies on an existing and established enforcement regime, and minimizes complexity for entities subject to both the Patient Safety Act and HIPAA.

(1) Sections 3.304, 3.306, 3.308, 3.310, 3.312, 3.314 - Compliance and Investigations

Proposed Rule: Sections 3.304-3.314 of the proposed rule provided the framework by which the Secretary would seek compliance by providers, PSOs, and responsible persons with the confidentiality provisions of the rule. These proposed requirements included:

  1. provisions for the Secretary to seek cooperation from these entities in obtaining compliance and to provide technical assistance (proposed § 3.304);
  2. procedures for any person who believes there has been a violation of the confidentiality provisions to file a complaint with the Secretary and provisions for the Secretary to investigate such complaints (proposed § 3.306);
  3. provisions for the Secretary to conduct compliance reviews (proposed § 3.308);
  4. provisions establishing responsibilities of respondents with respect to cooperating with the Secretary during investigations or compliance reviews and providing access to information necessary and pertinent to the Secretary determining compliance (proposed § 3.310);
  5. provisions describing the Secretary's course of action during complaints and compliance reviews, including the circumstances under which the Secretary may attempt to resolve compliance matters by informal means or issue a notice of proposed determination, as well as the circumstances under which the Secretary may use or disclose information, including identifiable patient safety work product, obtained during an investigation or compliance review (proposed § 3.312); and
  6. provisions and procedures for the Secretary to issue subpoenas to require witness testimony and the production of evidence and to conduct investigational inquiries (proposed § 3.314).

Overview of Public Comments: We received no comments opposed to the proposed provisions.

Final Rule: The final rule adopts the provisions of the proposed rule, except, where reference was made in the proposed rule to provisions of the HIPAA Enforcement Rule, the final rule includes the text of such provisions for convenience of the reader.

Response to Other Public Comments

Comment: One commenter asked how and when the Secretary will provide technical assistance to providers, PSOs, and responsible persons regarding compliance with the confidentiality provisions.

Response: The Secretary intends to provide technical assistance through a variety of mechanisms. First, as authorized by the Patient Safety Act, the Secretary intends, as practical, to convene annual meetings for PSOs to discuss methodology, communication, data collection, privacy concerns, or other issues relating to their patient safety systems. See section 925 of the Public Health Service Act, 42 U.S.C. 299b-25. Second, the Secretary intends to exercise his discretion under § 3.304 by, when practicable and appropriate, providing technical assistance to affected persons and entities both on an individual basis when such persons or entities are involved in complaint investigations or compliance reviews, as well as more generally through published guidance that addresses common compliance or other questions about the rule. As we noted in the preamble to the proposed rule, however, the absence of technical assistance or guidance by the Secretary may not be raised as a defense to civil money penalty liability. We also encourage persons participating in patient safety activities and subject to this rule to develop and share with others similarly situated in the industry "best practices" for the confidentiality of patient safety work product.

Comment: One commenter requested that the final rule provide additional detail on the consideration that will go into the determination of whether to pursue an investigation or to conduct a compliance review.

Response: We do not believe that including additional detail in the final rule regarding when we will investigate or conduct compliance reviews is prudent or feasible. The decision of whether to conduct an investigation or compliance review is left to the discretion of the Secretary and will be made based on the specific circumstances of each individual case. The decision to investigate a complaint is necessarily fact specific. For example, some complaints may not allege facts that fall within the Secretary's jurisdiction or that constitute a violation if true. With respect to compliance reviews, the Secretary needs to maintain flexibility to conduct whatever reviews are necessary to ensure compliance. Compliance reviews may be initiated based on, for example, information that comes to the Department's attention outside of the formal complaint process, or trends the Department is seeing as a result of its enforcement activities. It would be premature at this time to indicate the specific circumstances under which such reviews may be conducted, given the absence of any compliance and enforcement experience with the rule. Further, making public the Department's considerations in this area may undermine the effectiveness of such reviews. Thus, we did not propose and do not include in this final rule affirmative criteria for conducting compliance reviews.

Comment: One commenter requested clarification that the Secretary may only require respondents to produce records, books, and accounts that are reasonably related to an investigation.

Response: Section 3.310(c) of the proposed rule, which the final rule adopts, provided that a respondent must permit the Secretary access to the information that is pertinent to ascertaining compliance with the confidentiality provisions of the rule. Given this provision in the final rule, we do not see a need to provide further clarification.

(2) Sections 3.402, 3.404, 3.408, 3.414, 3.416, 3.418, 3.420, 3.422, 3.424, 3.426 - Civil Money Penalties

Proposed Rule: Sections 3.402-3.426 of the proposed rule provided the process for the Secretary to impose a civil money penalty for noncompliance by a PSO, provider, or responsible person with the confidentiality provisions of the rule. These proposed provisions:

  1. described the basis for imposing a civil money penalty on a person who discloses identifiable patient safety work product in knowing or reckless violation of the confidentiality provisions, as well as on a principal, in accordance with the federal common law of agency [2], based on the act of its agent acting within the scope of the agency (proposed § 3.402);
  2. described how a penalty amount would be determined, and provided the statutory cap of any such penalty (proposed § 3.404);
  3. provided the list of factors the Secretary may consider as aggravating or mitigating, as appropriate, in determining the amount of a civil money penalty, including the nature and circumstances of the violation and the degree of culpability of the respondent (proposed § 3.408);
  4. set forth the 6-year limitations period on the Secretary initiating an action for imposition of a civil money penalty (proposed § 3.414);
  5. set out the Secretary's authority to settle any issue or case or to compromise any penalty (proposed § 3.416);
  6. provided that a civil money penalty imposed under this rule would be in addition to any other penalty prescribed by law, except that a civil money penalty may not be imposed both under this rule and the HIPAA Privacy Rule for the same act (proposed § 3.418);
  7. required that the Secretary provide a respondent with written notice of his intent to impose a civil money penalty, prescribe the contents of such notice, and provide the respondent with a right to request a hearing before an ALJ to contest the proposed penalty (proposed § 3.420);
  8. provided that if the respondent fails to timely request a hearing and the matter is not settled by the Secretary, the Secretary may impose the proposed penalty (or any lesser penalty) and will notify the respondent of any penalty imposed, and that the respondent has no right to appeal such penalty (proposed § 3.422);
  9. provided that once the penalty becomes final, it will be collected by the Secretary, unless compromised, and describes the methods for collection (proposed § 3.424); and
  10. provided that the Secretary will notify the public and the appropriate State or local medical or professional organizations, appropriate State agencies administering or supervising the administration of State health care programs, appropriate utilization and quality control peer review organizations, and appropriate State or local licensing agencies or organizations, of a final penalty and the reason it was imposed (proposed § 3.426).

[2] For more information and guidance about violations of the rule attributed to a principal based on the federal common law of agency, see the preamble to the proposed rule at 73 FR 8158-8159.

In addition, with respect to the factors at proposed § 3.408, we specifically sought comment on whether the factors should be expanded to expressly include a factor for persons who self-report disclosures that may potentially violate the confidentiality provisions such that voluntary self-reporting would be a mitigating consideration when assessing a civil money penalty.

Overview of Public Comments: We received no comments opposed to these proposed provisions. With respect to proposed § 3.408, commenters generally supported the list of detailed factors, which may be aggravating or mitigating depending on the context, for use by the Secretary in determining the amount of a civil money penalty. In response to the question in the proposed rule regarding whether the final rule should include a factor for persons who self-report disclosures that may be potential violations, some commenters opposed such an expansion, arguing that such a provision could be viewed as an additional reporting obligation on persons and entities. Several other commenters expressed general support for the consideration of such a mitigating factor in the determination of any penalty, and one commenter specifically recommended expanding the list of factors to include self-reporting.

Final Rule: The final rule adopts the provisions of the proposed rule except, where reference was made in the proposed rule to provisions of the HIPAA Enforcement Rule, the final rule includes the text of such provisions for convenience of the reader. We do not expand the list of factors at § 3.408 to include the fact of self-reporting by a respondent in the final rule. As we noted in the preamble to the proposed rule, while including a factor for voluntary self-reporting may encourage persons to report breaches of confidentiality, particularly those that may otherwise go unnoticed, as well as demonstrate the security practices that led to the discovery of the breach and how the breach was remedied, we agree with those commenters who argued that including such a factor may be viewed incorrectly as an additional and ongoing reporting obligation on providers, PSOs, and others to report every potentially impermissible disclosure. This would unnecessarily increase administrative burden both on the Department and the reporting persons. Additionally, inclusion of such a factor may interfere with contractual relationships between providers and PSOs that address how parties are to deal with breaches.

However, we note that even though we are not expressly including a self-reporting factor in the list at § 3.408, the Secretary retains discretion to consider self-reports on a case-by-case basis under § 3.408(f), which permits the Secretary to consider "such other matters as justice may require" in determining the amount of a civil money penalty.

Response to Other Public Comments

Comment: One commenter supported the knowing or reckless standard for establishing the basis for imposing a civil money penalty for a confidentiality violation but also stated that every effort should be made to reduce the risk of liability and to encourage provider participation. Another commenter supported the Secretary's ability to exercise discretion in determining whether to impose a civil money penalty for a knowing or reckless violation of the confidentiality provisions but also suggested that, in cases where a PSO is compelled to disclose patient safety work product by a court and has, in good faith, attempted to assert the privilege protection, the PSO automatically should be excused from a civil money penalty for the impermissible disclosure of patient safety work product to the court.

Response: We agree that the appropriate basis for imposing a civil money penalty is for knowing or reckless disclosures of identifiable patient safety work product in violation of the confidentiality provisions of the rule and that it is important the Secretary ultimately retain discretion as to whether to impose a penalty pursuant to this standard. This provision is based on section 922(f) of the Public Health Service Act, 42 U.S.C. 299b-22(f). We also agree that provider participation is essential to meeting the overall goal of the statute to improve patient safety and quality of care, and we believe that strong privilege and confidentiality protections for patient safety work product are fundamental to ensuring this participation. As we explained in the preamble to the proposed rule, a civil money penalty under § 3.402 may only be imposed if the Secretary first establishes a wrongful disclosure; that is, the information disclosed was identifiable patient safety work product and the manner of the disclosure does not fit within any permitted exception. The Secretary must then determine whether a person making the disclosure acted "knowingly" or "recklessly." To do so, the Secretary must prove either that:

  1. the person making the disclosure knew a disclosure was being made (not that the person knew he or she was disclosing identifiable patient safety work product in violation of the rule or statute); or
  2. the person acted recklessly in making the disclosure, that is, the person was aware, or a reasonable person in his or her situation should have been aware, that his or her conduct created a substantial risk of disclosure of information and to disregard such risk constituted a gross deviation from reasonable conduct.

For more guidance on this standard or the knowing or reckless standard, see the preamble to the proposed rule at 73 FR 8157-8158. Once a knowing or reckless violation has been established, the Secretary still retains discretion as to whether to impose a penalty for a violation and may elect not to do so. Thus, we believe the standard at § 3.402 of the final rule strikes the right balance in ensuring those who are culpable are subject to penalties, while still encouraging maximum participation by providers.

For example, circumstances where a person who disclosed identifiable patient safety work product in violation of the rule can show he or she did not know and had no reason to know that the information was patient safety work product may warrant discretion by the Secretary. Further, as we stated in the preamble to the proposed rule, the Secretary may exercise discretion and not pursue a civil money penalty against a respondent ordered by a court to produce patient safety work product where the respondent has in good faith undertaken reasonable steps to avoid production and is, nevertheless, compelled to produce the information or be held in contempt of court. We do not, however, agree that an automatic exception from liability for respondents in such circumstances is appropriate or necessary. The Secretary will examine each situation based on the individual circumstances and make an appropriate determination about whether to impose a civil money penalty.

Comment: One commenter asked that the final rule state that inappropriate disclosures to, for example, the media or to the public, would result in civil money penalties.

Response: Section 3.402(a) of the final rule provides that persons who disclose identifiable patient safety work product in knowing or reckless violation of the confidentiality provisions are subject to civil money penalty liability for such violations. This liability would include disclosures to the media or public, to the extent the knowing or reckless standard of § 3.402(a) is met.

Comment: We received two comments stating that the maximum penalty of $10,000 for a single violation is insufficient to serve as a deterrent against impermissible disclosures. In contrast, one commenter expressed concern that the maximum penalty would be far too severe for some small providers and in cases in which the impermissible disclosure was incidental or accidental.

Response: In response to those commenters who believe the penalty amount is not high enough, the $10,000 maximum penalty for each act constituting a violation is prescribed by the statute and thus, cannot be increased by the Secretary in this rule. We expect, however, that there will be cases where multiple related acts are at issue as discrete violations, each of which could result in separate penalties up to $10,000. The preamble to the proposed rule indicated that the Patient Safety Act provides that a person who violates the Patient Safety Act shall be subject to a civil money penalty of "not more than $10,000" for each act constituting such violation. We note that pursuant to the Federal Civil Penalties Inflation Adjustment Act of 1990, as amended by the Debt Collection Improvement Act of 1996, the Department will be required to adjust this civil money penalty amount based on increases in the consumer price index (CPI). The Department has up to four years to update the civil money penalty amount, and the adjustment will be based on the percent increase in the CPI from the time the Patient Safety Act was enacted, in accordance with the cost-of-living adjustment set forth at the Federal Civil Penalties Inflation Adjustment Act of 1990 § 5, at 28 U.S.C. 2461 note. However, the first adjustment may not exceed ten percent of the penalty. Thus, pursuant to this statute, the $10,000 maximum penalty will be adjusted upwards periodically to account for inflation.

With respect to those commenters who were concerned that the $10,000 penalty may be too severe in certain circumstances, we emphasize that the $10,000 amount is a maximum penalty and the Secretary has discretion to impose penalties that are less than that amount or can elect not to impose a penalty at all for a violation, depending on the circumstances. In particular, § 3.404 provides that the amount of any penalty will be determined using the factors at § 3.408, which include such factors as the nature and circumstances of the violation, the degree of culpability of the respondent including whether the violation was intentional, as well as the financial condition and size of the respondent.

Comment: Several commenters asked for clarification regarding the Secretary's authority to levy separate fines under the Patient Safety Act and HIPAA. Many of these commenters argued that the Secretary should be able to impose penalties under both authorities for the same act to maximize the enforcement tools at his disposal and to effectively penalize bad behavior. In contrast, one commenter supported the statutory mandate that civil money penalties not be imposed under both the Patient Safety Act and HIPAA for a single violation. One commenter asked for clarification as to how civil money penalties may be imposed under both the Patient Safety Act and HIPAA when a PSO is a business associate of a covered entity for HIPAA Privacy Rule purposes.

Response: The final rule at § 3.418 reflects the statutory prohibition against the Secretary imposing civil money penalties under both the Patient Safety Act and HIPAA for a single act that constitutes a violation. As the preamble to the proposed rule explained, Congress recognized that, because patient safety work product includes individually identifiable health information about patients, a HIPAA covered entity making a disclosure of patient safety work product could be liable for a violation under both the Patient Safety Act and HIPAA, and made such penalties mutually exclusive. Thus, in situations in which a single violation could qualify as both a violation of the Patient Safety Act and HIPAA, the Secretary has discretion to impose a civil money penalty under either regulatory scheme, not both. However, as we explained in the proposed rule, we interpreted the Patient Safety Act as only prohibiting the imposition of a civil money penalty under the Patient Safety Act when there has been a civil, as opposed to criminal, penalty imposed under HIPAA for the same act. Therefore, a person could have a civil money penalty imposed under the Patient Safety Act as well as a criminal penalty under HIPAA for the same act.

With respect to the commenter who requested clarification about penalties relating to a PSO that is a business associate of a HIPAA covered entity, we note that it is possible for a civil money penalty to be imposed under both the Patient Safety Act and HIPAA, where such penalty is imposed against different entities. Thus, for example, because a PSO will be a business associate of a covered entity under HIPAA, any violation involving patient safety work product that contains protected health information by the PSO will be a violation of the Patient Safety Act and not HIPAA, since the PSO is not a covered entity. However, if the PSO notifies the covered entity of the impermissible disclosure (as required by the business associate contract under HIPAA), and the covered entity does not take the appropriate steps to mitigate and address the consequences of the impermissible disclosure of protected health information, the covered entity may then be liable for a penalty under HIPAA.

(3) § 3.504 - Procedures for Hearings

Proposed Rule: Proposed § 3.504 provided the procedures for an administrative hearing to contest a civil money penalty. The proposed section set forth the authority of the ALJ, the rights and burdens of proof of the parties, requirements for the exchange of information and pre-hearing, hearing, and post-hearing processes. This section cross-referenced the relevant provisions of the HIPAA Enforcement Rule extensively. Specifically, §§ 3.504(b), (d), (f)-(g), (i)-(k), (m), (n), (t), (w) and (x) of the proposed rule incorporated unchanged the provisions of the HIPAA Enforcement Rule. Sections 3.504(a), (c), (e), (h), (l), (o)-(s), (u) and (v) of the proposed rule incorporated the HIPAA Enforcement Rule but included technical changes to adapt these provisions to the Patient Safety Act confidentiality provisions. These technical changes addressed the following:

  1. proposed §§ 3.504(a) and 3.504(v) excluded language from 45 CFR 160.504(c) and 160.548(e), respectively, relating to an affirmative defense under 45 CFR 160.410(b)(1), which is a defense unique to HIPAA and not included in the Patient Safety Act;
  2. proposed § 3.504(c) excluded the provision at 45 CFR 160.508(c)(5) for remedied violations based on reasonable cause to be insulated from liability for a civil money penalty because there is no such requirement under the Patient Safety Act;
  3. proposed § 3.504(e) substituted the term "identifiable patient safety work product" for "individually identifiable health information";
  4. proposed § 3.504(h) excluded the language in 45 CFR 160.518(a) relating to the provision of a statistical expert's report not less than 30 days before a scheduled hearing because we did not propose language permitting use of statistical sampling to estimate the number of violations;
  5. proposed § 3.504(o) substituted "a confidentiality provision" for "an administrative simplification provision" in 45 CFR 160.532;
  6. proposed § 3.504(p) substituted, for language not relevant to the Patient Safety Act in 45 CFR 160.534(b)(1), new language stating that the respondent has the burden of going forward and the burden of persuasion with respect to any challenge to the amount of a proposed civil money penalty, including any mitigating factors raised, and provided that good cause shown under 45 CFR 160.534(c) may be that identifiable patient safety work product has been introduced into evidence or is expected to be introduced into evidence;
  7. proposed § 3.504(s) added language to provide that good cause for making redactions to the record would include the presence of identifiable patient safety work product; and
  8. proposed §§ 3.504(l), (q), (r), and (u) substituted citations to subpart D of the Patient Safety rule, as appropriate.

We also explained in the proposed rule that we intended to maintain the alignment between these provisions and the HIPAA Enforcement Rule by incorporating any changes to the HIPAA Enforcement Rule that would become final based on the Department's Notice of Proposed Rulemaking entitled, "Revisions to Procedures for the Departmental Appeals Board and Other Departmental Hearings" (see 72 FR 73708 (December 28, 2007)). That Notice of Proposed Rulemaking proposed to amend the HIPAA Enforcement Rule at 45 CFR 160.508(c) and 160.548, and add a new provision at 160.554, providing that the Secretary may review all ALJ decisions that the Board has declined to review and all Board decisions for error in applying statutes, regulations, or interpretive policy. As of the publication date of this final rule, however, that regulation is not final.

Overview of Public Comments: We received no comments opposed to these provisions.

Final Rule: The final rule adopts the proposed provisions, except that it renumbers them into individual sections and republishes the referenced provisions of the HIPAA Enforcement Rule, as modified by the technical changes described above to adapt the provisions to the Patient Safety Act confidentiality provisions. The final rule includes the full text of such provisions for convenience of the reader.

Also, we incorporate one additional technical change to better adapt the language to this rule's confidentiality provisions, as well as one conforming change. In particular, at § 3.512(b)(11), we replace the term "privacy of" with "confidentiality of" in addition to replacing "individually identifiable health information" with "identifiable patient safety work product." In addition, at § 3.504(b), we replace the term "90 days" with "60 days." We proposed at § 3.420(a)(6) to include in a notice of proposed determination a statement that a respondent must request a hearing within 60 days or lose its right to a hearing under § 3.504. However, we inadvertently omitted from § 3.504 a conforming change to the language incorporated from 45 CFR 160.504(b) to change the hearing request deadline from 90 days to 60 days. Thus, this change is necessary to align the two provisions.

Response to Other Public Comments

Comment: One commenter asked that the final rule clarify the involvement of the Departmental Appeals Board during the hearings and appeals processes as well as whether the Secretary has authority to review ALJ decisions.

Response: Sections 3.504-3.552 of the final rule incorporate the provisions of the HIPAA Enforcement Rule, which lay out the hearings and appeals process. The current process provides that any party, including the Secretary, may appeal a decision of the ALJ to the Departmental Appeals Board, as well as file a reconsideration request with the Board following any Board decision. Unless the ALJ decision is timely appealed, such decision becomes final and binding on the parties 60 days from the date of service of the ALJ's decision.

Comment: One commenter asked that the final rule provide no restrictions to full judicial review for appeals and hearing requests.

Response: Section 3.548(k) provides respondents the right to petition for judicial review of the final decision of the Secretary once all administrative appeals have been exhausted, that is, once the Departmental Appeals Board has rendered a decision on appeal or reconsideration that has become the final decision of the Secretary, as appropriate.

Comment: One commenter suggested that any time patient safety work product could be disclosed in an ALJ proceeding, the proceeding should be closed to the public.

Response: The final rule at § 3.534(c) expressly provides that the ALJ may close a proceeding to the public for good cause shown, which may include the potential for patient safety work product to be introduced as evidence in the proceeding. We do not see a need to require that proceedings be closed under such circumstances but rather will continue to rely on the experienced discretion of the ALJ in determining such matters.

(IV) Impact Statement and Other Required Analyses

Regulatory Impact Analysis

AHRQ has previously analyzed the potential economic impact of this rule as part of its February 2008 Notice of Proposed Rulemaking (proposed rule) as required by Executive Order 12866 (September 1993, Regulatory Planning and Review), the Regulatory Flexibility Act (RFA) (September 16, 1980, Pub. L. 96-354), section 1102(b) of the Social Security Act, the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4), and Executive Order 13132. This analysis can be found on pages 8164 to 8171 of the proposed rule, which was published in the Federal Register on February 12, 2008.

Executive Order 12866 (as amended by Executive Order 13258, February 2002, and Executive Order 13422, January 2007), directs agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). A regulatory impact analysis (RIA) must be prepared for major rules with economically significant effects ($100 million or more in any 1 year). Although we cannot determine the specific economic impact of this final rule, we believe that the economic impact may approach $100 million. HHS has determined that the rule is "significant" because it raises novel legal and policy issues with the establishment of a new regulatory framework, authorized by the Patient Safety Act, and imposes requirements, albeit voluntary, on entities that had not been subject to regulation in this area.

In preparing the regulatory impact analysis for inclusion in the proposed rule, AHRQ did not develop an alternative to the statutorily authorized voluntary framework. In light of the approach taken in the proposed rule, alternatives would have been mandatory or more proscriptive as well as inconsistent with statutory intent. The proposed rule established a system in which entities would voluntarily seek designation (or "listing") by the Secretary as a Patient Safety Organization (PSO), most PSO requirements would be met by attestation and overall compliance assessed by spot-checks rather than document submission or routine audits, and the Department would look to the marketplace to assess the quality and value of each PSO. PSOs will not be Federally funded nor directed; their funding and activities will be determined by health care providers who seek their expert assistance in identifying the underlying causes of, and the best strategies for reducing or eliminating, medical errors. The proposed rule provided a foundation of confidentiality and privilege protections for information developed and exchanged when health care providers voluntarily choose to work with a PSO. We proposed that health care providers could receive the confidentiality and privilege protections of the statute by reporting information to a PSO occasionally, without entering contracts or incurring significant costs. Other health care providers could develop more costly internal systems that would serve as the hub of the provider's interactions with a PSO with which the provider had a contractual relationship; such structured, documented internal systems with dedicated personnel would be more costly. To create an "upper bound" on the analyses in the proposed rule, we assumed that all providers that would choose to work with PSOs would follow this more costly approach. 
It should be noted that most hospital providers already have patient safety reporting activities in place (98% according to a 2006 AHRQ survey). While documenting these activities and, it is hoped, expanding them through participation with a PSO will result in increased costs, that increase will be marginal, not complete, in the hospital community.

A summary of the AHRQ analysis of Patient Safety Act costs and benefits from the proposed rule follows. For a full discussion of the assumptions underlying these estimates, please refer to the proposed rule.

Table 3-TOTAL PATIENT SAFETY ACT COSTS INCLUDING HOSPITAL COSTS AND PSO COSTS: 2009-2013

Year 2009 2010 2011 2012 2013
Hospital Penetration Rate 10% 40% 60% 75% 85%
Hospital Cost $7.5 M $30.0 M $45.0 M $56.2 M $63.7 M
PSO Cost $61.4 M $92.1 M $122.8 M $122.8 M $122.8 M
Total Cost $68.9 M $122.1 M $167.8 M $179.0 M $186.5 M

Source: Notice of Proposed Rulemaking published in the Federal Register on February 12, 2008: 73 FR 8112-8183.

Costs for PSO implementation were calculated by considering two components: costs incurred by hospitals in engaging in PSO activities and costs of PSOs themselves. It was assumed that in early years of PSO operation, the hospital would be the primary site of PSO-related activity. Hospital costs were assumed to be incremental, given that a previously-completed survey funded by AHRQ revealed that 98% of U.S. hospitals already have adverse event reporting systems, and virtually all hospitals have a safety/quality function. We assumed that PSOs would be staffed modestly, relying on existing hospital activities in reporting adverse events, and that a significant proportion of PSOs are likely to be component PSOs, with support and expertise provided by a parent organization. Our assumptions were that PSOs will hire dedicated staff of 1.5 to 4 FTEs, assuming an average salary rate of $67/hour. We also estimated that a significant overhead figure of 100%, coupled with 20% for General and Administrative (G&A) expenses, will cover the appreciable costs anticipated for legal, security, travel, and miscellaneous PSO expenses.

Provider-PSO Costs and Charges

We have not figured into our calculations any estimates for the price of PSO services, amounts paid by hospitals and other health care providers to PSOs, PSO revenues, or PSO break-even analyses. We have not speculated about subsidies or business models. Regardless of what the costs and charges are between providers and PSOs, they will cancel each other out, as expenses to providers will become revenue to PSOs.

Table 4-TOTAL ESTIMATED COST SAVINGS BY PERCENT REDUCTION IN ADVERSE EVENTS: 2009-2013*

Year 2009 2010 2011 2012 2013
Hospital Penetration Rate 10% 40% 60% 75% 85%
Percent Reduction in Adverse Events 1% 1.5% 2% 2.5% 3%
Savings $11.5 M $69 M $138 M $215.625 M $293.25 M

*Source: Baseline figures from IOM Report, To Err Is Human, on total national health care costs associated with preventable adverse events (between 8.5 billion and 14.5 billion). Year 1 estimates are based on mid-point figures.

Table 5-NET BENEFITS: 2009-2013

Year 2009 2010 2011 2012 2013
Total Benefits $11.5 M $69 M $138 M $215.625 M $293.25 M
Total Costs $68.9 M $122.1 M $167.8 M $179.0 M $186.5 M
Net Benefits ($57.4) M ($53.1) M ($29.8) M $36.625 M $106.75 M
Discounted net present value at 3% ($55.7) M ($50.0) M ($27.3) M $32.5 M $92.1 M
Discounted net present value at 7% ($53.6) M ($46.4) M ($24.3) M $27.9 M $76.1 M

The final rule includes several modifications that could alter the actual economic impact of the Patient Safety Act, but AHRQ concludes that these changes will not exceed the "upper bound" established in our previous analysis, and we anticipate that the actual economic impact may be less. Several changes incorporated in the final rule are likely to lower the costs of implementation. For example, the final rule has removed a requirement that PSOs that are components of other existing organizations must maintain separate information systems and, for all but a small category of component PSOs, we have removed restrictions on the use of shared staff. As we noted in our economic analysis, we expect the most common type of PSO to be ones that are established by one or more existing organizations. As commenters pointed out, personnel costs are likely to be the most significant cost facing a PSO, and the ability to share personnel means that skilled personnel are available at significantly less cost, and in some cases at no cost, than the PSO would pay to hire or externally contract for personnel. Similarly, the costs and administrative burdens associated with the development and maintenance were a major focus of commenters. These two changes are likely to have the greatest impact on reducing costs for PSOs.

There are two changes in the final rule that might increase costs slightly but selectively. The final rule parallels a HIPAA Privacy Rule requirement that business associates of covered entities must notify the covered entity if any of its protected health information has been inappropriately disclosed or its security breached. The final rule requires PSOs to notify the providers that submitted patient safety work product to the PSO if the work product it submitted has been disclosed or its security breached. As we noted in the proposed rule, the vast majority of providers reporting data will be covered entities under HIPAA and will need to include such notification requirements in the business associate agreements they will enter with PSOs. In addition, the HIPAA requirement is likely to apply in many disclosure or security breach situations because most work product is expected to contain protected health information. Nevertheless, this requirement may increase costs to the extent that PSOs receive work product from non-covered entities, although these potential increased costs will be dependent upon the vigilance with which the providers and PSOs meet their confidentiality and security requirements.

With respect to health care providers, the final rule does not impose requirements. The final rule does afford increased flexibility and protections to providers that voluntarily choose to both establish and document a more structured process for working with a PSO, i.e., what the rule terms a patient safety evaluation system, and document the flow of information into and out of the patient safety evaluation system. For providers who choose this option, the information they assemble and develop within their patient safety evaluation system will be accorded privilege and confidentiality, contingent upon the information ultimately being reported to a PSO, from the outset. To the extent that this encourages providers, who would not otherwise have done so, to establish a structured, documented patient safety evaluation system, there would be an increase in costs. As noted above, this should not significantly affect our previous analysis since we assumed all providers working with a PSO would have established a documented patient safety evaluation system.

Taking advantage of this option will also enable health care providers with integrated health information technology systems to avoid the requirement in the proposed rule that they maintain the assembly and development of patient safety work product separately from their routine data collection activities, which would have required a number of providers to establish dual information systems. While we expect that the costs of developing dual information collection systems would exceed the costs of developing and maintaining a structured, documented patient safety evaluation system, we do not estimate any savings because we cannot be clear how many providers would have incurred the dual health information technology systems costs or would have simply chosen to forego participation.

After considering the impact of the increased flexibility in the final rule for PSOs and health care providers, we now expect the implementation costs will be lower than those in our previous analysis.

Final Regulatory Flexibility Analysis

Since formation of a PSO is voluntary, formation is not likely to occur unless the organization believes it is an economically viable endeavor. Furthermore, PSOs are not likely to undertake tasks that will provide insufficient payment to cover their costs. Therefore, the Secretary certifies that the regulation will not impose a significant economic burden on a substantial number of small entities.

Unfunded Mandates Reform Act

Section 202 of the Unfunded Mandates Reform Act requires that a covered agency prepare a budgetary impact statement before promulgating a rule that includes any Federal mandate that may result in the expenditure by State, local, and Tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year. The Department has determined that this final rule will not impose a mandate that will result in the expenditure by State, Local, and Tribal governments, in the aggregate, or by the private sector, of more than $100 million in any one year.

Paperwork Reduction Act

This final rule adding a new Part 3 to volume 42 of the Code of Federal Regulations contains information collection requirements. This summary includes the estimated costs and assumptions for the paperwork requirements related to the final rule.

With respect to § 3.102 concerning the submission of certifications for initial and continued listing as a PSO, and of updated information, all such information would be submitted on the "Patient Safety Organization: Certification for Initial Listing" form. To maintain its listing, a PSO must also submit a brief attestation, once every 24-month period after its initial date of listing, submitted on the "Attestation Regarding the Two Bona Fide Contracts Requirement" form, stating that it has entered contracts with two providers. We estimate that the final rule will create an average burden of 30 minutes annually for each entity that seeks to become a PSO to complete the necessary certification forms. Table 1 summarizes burden hours.

Table 1-TOTAL BURDEN HOURS RELATED TO CERTIFICATION FORMS
[Summary of all burden hours, by provision, for PSOs]

Provision Annualized burden hours
3.112 30 minutes.

Under 5 CFR 1320.3(c), a covered collection of information includes the requirement by an agency of a disclosure of information to third parties by means of identical reporting, recordkeeping, or disclosure requirements, imposed on ten or more persons. The final rule reflects the previously established reporting requirements for breach of confidentiality applicable to business associates under HIPAA regulations requiring contracts to contain a provision requiring the business associate (in this case, the PSO) to notify providers of breaches of their identifiable patient data's confidentiality or security. Accordingly, this reporting requirement referenced in the regulation previously met Paperwork Reduction Act review requirements.

The final rule requires in § 3.108(c) that a PSO notify the Secretary if it intends to relinquish voluntarily its status as a PSO. The entity is required to notify the Secretary that it has, or will soon, alert providers and other organizations from which it has received patient safety work product or data of its intention and provide for the appropriate disposition of the data in consultation with each source of patient safety work product or data held by the entity. In addition, the entity is asked to provide the Secretary with current contact information for further communication from the Secretary as the entity ceases operations. The reporting aspect of this requirement is essentially an attestation that is equivalent to the requirements for listing, continued listing, and meeting the minimum contracts requirement. This minimal data requirement would come within 5 CFR 1320.3(h)(1) which provides an exception from PRA requirements for affirmations, certifications, or acknowledgments as long as they entail no burden other than that necessary to identify the respondent, the date, the respondent's address, and the nature of the instrument. In this case, the nature of the instrument is an attestation that the PSO is working with its providers for the orderly cessation of activities. The following other collections of information that are required by the final regulation under § 3.108 are also exempt from PRA requirements pursuant to an exception in 5 CFR 1320.4 for information gathered as part of administrative investigations and actions regarding specific parties: information supplied in response to preliminary agency determinations of PSO deficiencies or in response to proposed revocation and delisting, e.g., information providing the agency with correct facts, reporting corrective actions taken, or appealing proposed agency revocation decisions.

AHRQ and OCR published in the Federal Register their proposed information collection forms on February 20, 2008. Following the first, 60-day comment period, the forms were again published in the Federal Register on April 21, 2008, to begin the second, 30-day comment period. The forms were not changed following the first comment period, and they and the one comment received were sent to OMB, which received them on April 25, 2008. Minor changes to the proposed forms will be necessary to align them with the final rule. AHRQ and OCR will work with OMB to ensure that the forms needed to implement the Patient Safety Act conform to the requirements of the final rule.

Federalism

Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a final rule that imposes substantial direct requirement costs on state and local governments, preempts State law, or otherwise has Federalism implications. The Patient Safety Act upon which the final regulation is based makes patient safety work product confidential and privileged. To the extent this is inconsistent with any state law, including court decisions, the Federal statute preempts such state law or court order. The final rule will not have any greater preemptive effect on state or local governments than that imposed by the statute. While the Patient Safety Act does establish new Federal confidentiality and privilege protections for certain information, these protections only apply when health care providers work with PSOs and new processes, such as patient safety evaluation systems, that do not currently exist. These Federal data protections provide a mechanism for protection of sensitive information that could improve the quality, safety, and outcomes of health care by fostering a non-threatening environment in which information about adverse medical events and near misses can be discussed. It is hoped that confidential analysis of patient safety events will reduce the occurrence of adverse medical events and, thereby, reduce the costs arising from such events, including costs incurred by state and local governments attributable to such events. In addition, the Patient Safety Act and the final rule do not relieve health care providers of their responsibilities to comply with state reporting requirements.

AHRQ, in conjunction with OCR, held three public listening sessions prior to drafting the proposed rule. Representatives of several states participated in these sessions. In particular, states that had begun to collect and analyze patient safety event information spoke about their related experiences and plans. Following publication of the proposed rule, AHRQ consulted with state officials and organizations to review the scope of the proposed rule and to specifically seek input on federalism issues and a proposal in the rule at proposed § 3.102(a)(2) that would limit the ability of public or private sector regulatory entities to seek listing as a PSO. AHRQ received no expressions of concerns regarding the Federalism aspects of the proposed rule although several State health departments and commissions submitted written comments regarding the PSO eligibility criteria in the proposed rule.

OMB Accounting Statement

The table below summarizes the estimated costs and benefits of implementing the Patient Safety and Quality Improvement Act for the next five years, beginning with January 1, 2009, by which time it is expected that the rule will be effective.

The figures in the table are derived from the regulatory impact analyses outlined above and, more completely, in the February 12, 2008 NPRM published in the Federal Register, on pages 8164 to 8171. As in the previous analyses, the range of benefits derives directly from the range of potentially-avoidable incidents cited (estimated) in IOM Report, To Err Is Human. The range of costs is the same as was included in the NPRM, where minimum and maximum estimates were calculated as 10% above and 10% below the Agency's primary estimate of costs.

All figures are calculated at two discount rates, 7% and 3%, and dollars are held constant at the 2008 level. The discount rates, 3% or 7%, represent two rates of return that might be expected from government investments. The purpose is to project the expected future costs and benefits in today's dollars. (Future dollars will be worth less than today's dollars, barring appropriate investments.) Figures are annualized, that is average-per-year over the five years.

OMB #: Agency/Program Office: AHRQ
Rule Title: Patient Safety and Quality Improvement Act
RIN #: Date: 8/25/2008

CATEGORY Primary Estimate (millions) Minimum Estimate (millions) Maximum Estimate (millions) Source Citation (RIA, preamble, etc.)
BENEFITS $145.5 $107.5 $183.4 AHRQ Analysis.
Annualized discounted (5 years)
@ 7% $111.5 $82.4 $140.5
@ 3% $129.4 $95.7 $163.2
COSTS $144.9 $130.4 $159.3 AHRQ Analysis.
Annualized discounted (5 years)
@ 7% $115.5 $104.0 $127.1
@ 3% $131.1 $118.0 $144.2
Transfers N/A
Effects on small businesses N/A
Effects on States and tribes N/A

List of Subjects in 42 CFR Part 3

Administrative practice and procedure, Civil money penalty, Confidentiality, Conflict of interests, Courts, Freedom of information, Health, Health care, Health facilities, Health insurance, Health professions, Health records, Hospitals, Investigations, Law enforcement, Medical research, Organization and functions, Patient, Patient safety, Privacy, Privilege, Public health, Reporting and recordkeeping requirements, Safety, State and local governments, Technical assistance.