U.S. Department of Health and Human Services www.hhs.gov
Agency for Healthcare Research and Quality www.ahrq.gov

Table 2: PSO Compliance Self-Assessment: Section 3.106, Security Requirements for Patient Safety Work Product

Row | Patient Safety Rule Requirement | Sample PSO Self-Assessment Questions

Application
1

Section 3.106(a)

A PSO must secure patient safety work product in conformance with the security requirements of paragraph (b) of this section. These requirements must be met at all times and at any location at which the PSO, its workforce members, or its contractors receive, access, or handle patient safety work product. Handling patient safety work product includes its processing, development, use, maintenance, storage, removal, disclosure, transmission, and destruction.

Has the PSO established security standards that meet the requirements of this section, including the standards that address all locations at which patient safety work product is held?

Does the PSO have, or expect to have, contracts in place with outside contractors (e.g., consultants and vendors) to whom patient safety work product will be entrusted? If so, has the PSO:

  • Established specific security standards that its contractors must meet when they have access to patient safety work product?
  • Considered options that do not require the physical transfer of patient safety work product to contractors (such as providing electronic access through a secure network)?
  • Reviewed with contractors the protections and security requirements for patient safety work product, including the limitations on further disclosure of patient safety work product (section 3.205(b)(4) of the Patient Safety Rule states that a contractor may not further disclose patient safety work product except to the PSO or provider from which it received the patient safety work product)?
  • Defined clearly the permissible tasks for which the contractor may use patient safety work product and specified the individual(s) or unit(s) of the contractor(s) that may have access to patient safety work product?
  • Ensured that its contractors or vendors enter written agreements with each member of their workforce (both employees and subcontractors) with access to patient safety work product that require acknowledgement of the protections and limitations regarding its use and disclosure?
  • Established processes to monitor the patient safety work product that is in the possession of contractors?

Security Management
2

Section 3.106(b)(1)(i)

Maintenance and effective implementation of written policies and procedures that conform to the requirements of this section to protect the confidentiality, integrity, and availability of the patient safety work product that is received, accessed, or handled; and to monitor and improve the effectiveness of such policies and procedures.

Do the PSO's written policies and procedures:

  • Establish standards for each element of the security framework in section 3.106(b)?
  • Outline the processes by which the PSO (1) decides to disclose patient safety work product, (2) verifies that a proposed disclosure is permissible, (3) ensures that the patient safety work product being disclosed has been appropriately anonymized or rendered contextually nonidentifiable, if required by the rule, and (4) tracks to whom patient safety work product is disclosed and the specific information that was disclosed?
  • Address the entire spectrum of data activities from receipt, processing, use, storage, return to providers (if requested), and/or destruction?
  • Specify how the PSO will undertake “recovery” from emergencies, system failures, or security breaches?
  • Require documenting security breaches and evaluating their causes in an attempt to prevent reoccurrence?

If the PSO (or its parent organization) uses an IT vendor, are there contractual provisions that: (1) ensure that disclosure determinations can only be authorized by the PSO; (2) require prompt notification of the PSO if data system emergencies, failures, or security breaches occur; (3) specify how "recovery" will take place, and (4) provide for evaluation of the causes of data system emergencies, failures, or security breaches?

If the PSO is a component of another entity with which it shares an IT system, has the component PSO:

  • Ensured that there can be no unauthorized access by individuals or units of the parent organization(s) (section 3.102(c)(2)(i) of the Patient Safety Rule)?
  • Entered into, or required, confidentiality agreements with IT staff of the parent organization(s)?

Note: IT staff of the parent organization(s) may have the ability to access patient safety work product.

3

Section 3.106(b)(1)(ii)

Training of the PSO workforce and PSO contractors who receive, access, or handle patient safety work product regarding the requirements of the Patient Safety Act, this Part, and the PSO's policies and procedures regarding the confidentiality and security of patient safety work product.

With respect to staff and contractor training:

  • How soon does an individual receive training regarding the confidentiality and security protections for patient safety work product?
  • Does the PSO provide in-service (refresher) training? If so, how frequently?
  • Is there a process for: (1) reminding departing employees/contractors of their continuing confidentiality obligations regarding patient safety work product to which they had access during their period of employment; (2) retrieving any patient safety work product in their possession; and (3) deactivating their access to patient safety work product?
  • Does the training address electronic security (e.g., discuss creating strong passwords, virus/spyware/spam awareness, and security of electronic communications)?

Does the PSO conduct background checks as part of its hiring processes?

If the PSO is a component of one or more parent organization(s), how has the PSO ensured that its workforce and contractors understand that patient safety work product cannot be shared with individuals or units of its parent organization(s) except as authorized by the rule? Specifically:

  • Do the PSO's policies prohibit all “shared” staff members from removing patient safety work product from the component PSO and require signed confidentiality agreements that prohibit discussions of patient safety work product with anyone in the parent organization(s)?
  • If any individual or unit of the parent organization—other than a “shared” staff member—has access to patient safety work product held by the component PSO, does the PSO have a written agreement meeting the requirements of section 3.102(c)(3) to authorize this access? Go to Table 1, Row #19.
  • Has the PSO documented that other members of its workforce (nonshared staff) and its contractor(s) are aware of the prohibition on making unauthorized disclosures of patient safety work product to individuals or units of the PSO's parent organization(s)?

Distinguishing Patient Safety Work Product
4

Section 3.106(b)(2)(i)
Maintenance of the security of patient safety work product, whether in electronic or other media, through either physical separation from non-patient safety work product, or if co-located with non-patient safety work product, by making patient safety work product distinguishable so that the appropriate form and level of security can be applied and maintained.

If the PSO undertakes non-Patient Safety Act activities:

  • Has the PSO defined the physical and virtual (electronic) space that comprises its patient safety evaluation system?
  • Do the PSO's policies require that patient safety activities must be conducted exclusively within its defined patient safety evaluation system?
  • Does the PSO restrict access to patient safety work product to members of its staff that work in its patient safety evaluation system? Does the PSO maintain patient safety work product within its patient safety evaluation system? If not, how does the PSO ensure that staff performing non-Patient Safety Act work do not have inappropriate access to its patient safety work product?

If the PSO undertakes only patient safety activities, has the PSO specified whether its patient safety evaluation system encompasses the entire PSO?

How do the PSO's policies and procedures ensure that:

  • Patient safety work product submitted by a provider is always distinguishable from non-patient safety work product? Note: If its listing is revoked, a PSO must be able to return to a provider its patient safety work product. If the PSO merges patient safety work product with non-patient safety work product files, and the patient safety work product cannot be separated from the non-patient safety work product, then the entire merged file that is held by the PSO is patient safety work product.
  • Patient safety work product is always maintained at the appropriate level of security?

5

Section 3.106(b)(2)(ii)
Protection of the media, whether in electronic, paper, or other media or format, that contain patient safety work product, limiting access to authorized users, and sanitizing and destroying such media before their disposal or release for reuse.

Do the PSO's policies and procedures:

  • Permit patient safety work product to be used off-site by its workforce, contractors, or vendors? If so, how does the PSO provide for the encryption of patient safety work product in any electronic storage device for transfer or use off-site (e.g., laptops, portable hard drives)? If not, how does the PSO ensure the protection of patient safety work product?
  • Prohibit the use of wireless access to patient safety work product that is not encrypted?
  • Provide for the complete sanitization of equipment and media that contained patient safety work product when it is being taken out of service? If the PSO is not using hard drive erasure software, how will it ensure complete sanitization?
  • Ensure an appropriate level of security/strength for passwords of authorized users? How frequently are the passwords changed?

6

Section 3.106(b)(2)(iii)
Physical and environmental protection, to control and limit physical and virtual access to places and equipment where patient safety work product is received, accessed, or handled.

Does the PSO have:

  • A physical security plan to prevent unauthorized external access to the portion of the facility in which patient safety work product is handled (as defined in section 3.106(a))? For example, do the PSO's offices or facilities have guards, video surveillance, timed locks, etc.?
  • Controls to prevent unauthorized physical access, tampering, and theft of patient safety work product within the facility? These could include locked doors, signs warning of restricted areas, surveillance cameras, alarms, and identification numbers and security cables on computers.
  • An individual who is responsible for maintaining physical and/or electronic security (i.e., responsible for administering access keys or user logins/passwords)?
  • Policies and procedures for how this security will be maintained (e.g., new hire review, periodic, recurring access level review, timeframe for removal of terminated employees)?
  • Additional security measures in place to protect workstations with patient safety work product, such as using privacy screens, enabling password protected screen savers or an automatic logoff functionality for inactive workstations?
  • Records of when maintenance workers who are not part of the PSO's workforce (e.g., plumber, electrician, painter, facility staff) have access to locations in which patient safety work product is maintained?

Has the PSO adopted safeguards against the potential threat of electronic intrusion? For example, does the PSO have—

  • Hardware firewalls to prevent intrusion from hackers or malicious software? If not, does the PSO take other steps to preclude external intrusion (e.g., maintaining patient safety work product on computers that are not connected to the internet)?
  • Port restrictions for wired jacks that connect to a network, to ensure users cannot plug home/unmanaged/inappropriate devices into a network that may contain patient safety work product?

Security Control and Monitoring
7

Section 3.106(b)(3)(i)
Identification of those authorized to receive, access, or handle patient safety work product and an audit capacity to detect unlawful, unauthorized, or inappropriate receipt, access, or handling of patient safety work product.

Is the PSO able to:

  • Authenticate authorized users (internally) and authorized recipients externally (e.g., contractor staff, providers, etc.) submitting patient safety work product to the PSO?
  • Track access by authorized users?
  • Determine if patient safety work product has been received, accessed, or handled by an unauthorized user?

8

Section 3.106(b)(3)(ii)
Methods to prevent unauthorized receipt, access, or handling of patient safety work product.

In addition to the questions posed elsewhere in this table—

  • Is it possible to access patient safety work product from outside the PSO's facility? If so, what types of security are required to obtain access?
  • Are there policies and procedures in place for monitoring server logs to review unauthorized attempts at access to the information system(s) containing patient safety work product?

Security Assessment
9

Section 3.106(b)(4)(i)
Periodic assessments of security risks and controls to establish if its controls are effective, to correct any deficiency identified, and to reduce or eliminate any vulnerabilities.

Did the PSO conduct a risk assessment before developing its security standards? Did any such risk assessment meet prevailing industry standards or practices? What did the PSO determine were its principal points of vulnerability for the protection of patient safety work product and how do its security standards address those major vulnerabilities?

If the PSO did not conduct a risk assessment before developing its security plan for patient safety work product, how did the PSO determine that the standards it adopted were adequate and reasonable?

Has the PSO established a schedule for periodic risk analyses? If so, on what basis did the PSO establish the frequency with which it will conduct risk analyses?

10

Section 3.106(b)(4)(ii)
System and communications protection to monitor, control, and protect PSO receipt, access, or handling of patient safety work product with particular attention to the transmission of patient safety work product to and from providers, other PSOs, contractors or any other responsible persons.

How has the PSO addressed the vulnerabilities that exist when patient safety work product is transmitted? For example:

  • How does the PSO ensure the secure transportation and/or transmission to the PSO of patient safety work product to and from health care providers?
  • How does the PSO ensure secure communications with its reporting providers (all such communications are patient safety work product)? Do the PSO's policies address using secure email, avoiding discussion of patient safety work product when using cell phones that may be easily compromised, avoiding the use of unsecure fax machines, etc.?
