Proposed Regulations for Patient Safety Organizations (PSOs) Audio Call Transcript (Continued)
February 29, 2008
Operator:
Yes, sir. Our next question or comment is from the line of Benjamin. Your line is open, sir.
Benjamin:
Yes. Our question is this: is administrative data reporting, such as AHRQ patient's safety indicators, are they going to be considered a work product of the PSO, and more broadly, are there any circumstances where administrative data is considered the work product of a PSO?
Carolyn Clancy:
The law is silent on what kinds of data are used to identify errors, potential issues, or indicators of potential harms. The patient safety indicators are often used by people. One important distinction though, and I do think that this is one that, in a number of ways and areas, people are going to need to wrestle with a little bit, if the information is protected and becomes patient safety work product under an arrangement between providers and patient safety organizations, once protected, it cannot be unmasked. So, by way of example, or to be explicit, there are some states that are requiring public reporting of some of these patient safety indicators. In no way would that be part of the protected information that's protected by a PSO.
Does that help with your question?
Benjamin:
Yes. Thank you.
Operator:
Thank you. Our next question or comment is from the line of Amy. Your line is open.
Amy:
Hi. I'm on the line from the ECRI Institute. My question has to do with disclosure to the secretary of business contracts by noncomponent PSOs, and whether we would be required to disclose to the secretary every business contract with the provider that's seeking PSO services, whether or not the contract is related to PSO activity? And then related to this is, what if a non-PSO related consultation contract, for example, had the confidentiality agreement, must that confidential consultation be disclosed to the secretary?
Carolyn Clancy:
The statute requires full disclosure to the Secretary regarding a PSO's relationships with its contracting providers under two circumstances. One of them, which you mentioned, is when a PSO has any financial reporting or contractual relationship with a provider with which it has entered into a contract under this law. The proposed "reg" is that this requirement applies to relationships that are unrelated to contracts entered into under this statute.
Amy:
Thank you.
Operator:
Thank you. Our next question or comment is from Chris. Your line is open.
Chris:
Hi. This is Chris with the Tennessee Hospital Association. Our question is, we've received some statements that have been attributed to HHS relative to accrediting bodies and regulatory bodies. So, the question is, are accrediting entities and regulatory entities permitted to be a PSO or component PSO?
Carolyn Clancy:
Accrediting bodies themselves cannot be PSOs, but they can create components that could be certified and listed as PSOs.
Chris:
And so, the second piece would be regulatory bodies like State entities?
Carolyn Clancy:
Same thing; same response: in the same way—that some states have already done that now, just under their own State laws.
Operator:
Did that conclude your questions?
Howard Holland:
I think so, Christopher. This is Howard. If you would queue up our next question, please.
Operator:
Yes, sir. Our next question or comment is from Diane. Diane, your line is open.
Diane:
Thank you. My question has to do with component organizations and we wanted to know if a component organization's workforce engages in accreditation, whether an employee that's working for the component can also do work for the parent organization just as long as those employees aren't directly involved in the accreditation?
Carolyn Clancy:
In other words, could an accreditation entity and its component organization that was listed as a PSO share personnel, is that what you're asking?
Diane:
Yes. Yep.
Carolyn Clancy:
In order to reassure providers that their identifiable information will remain protected, the proposed rule proposes to prohibit shared staff if the individuals' work for the parent organization could be informed by their knowledge of identifiable patient safety work product. This prohibition is not limited to accreditation activities, but to any activity of the employee for the parent organization. But again, this is an area where if you have comments, we would welcome them.
Diane:
All right, thank you. And also we had a question about proposed timing. I know it's difficult to anticipate when the final rule will come out, but do you have a best guess?
Carolyn Clancy:
I can tell you that we have an incredibly firm commitment right up to Secretary Leavitt himself, to get this out as rapidly as possible.
Diane:
Okay. Thank you very much.
Operator:
Thank you. Our next question or comment is from Donald—I'm sorry, from Marilyn. Your line is open.
Marilyn:
Thank you. My name is Marilyn Zigmund-Luke and I'm calling with America's Health Insurance Plans. My question is for Dr. Clancy and it goes back to some comments that you made in your introductory remarks. I understand that the marketplace will evaluate the effectiveness of each PSO. I was curious to learn whether AHRQ was going to release any kind of metrics or reports in addition to the reporting you've already mentioned that would help providers and others really evaluate whether a PSO is actually being effective?
Carolyn Clancy:
Not at this time, no.
Marilyn:
Okay. Thank you.
Operator:
Thank you. Our next question or comment is from Donald. Your line is open.
Donald:
Hi. This is Don Tyler for the Society for Pediatric Anesthesia. Will we need IRB [Institutional Review Board] approval to send information into PSOs? I could foresee how a lot of what we're going to send in could be classified as research by the Office for Human Research Protections (OHRP), and since we'll be publishing what we put into this, will we be required to get IRB approval to use this mechanism?
Carolyn Clancy:
I want to be clear on the second part of your question. When you say 'since we'll be publishing this,' you're referring to the circumstance under which a PSO shares deidentified data with AHRQ, is that correct?
Donald:
Yes. Either with AHRQ or sharing the data with providers so that they can make use of the information that the PSO generates.
Carolyn Clancy:
No. The short answer is no. I would think that this would be very consistent with the advice that's posted on OHRP's Web site right now that essentially says that although the area that your question sort of implicitly gets to—the overlap, if you will—between quality improvement and quality improvement research, is a very challenging area to work through and we're struggling with this right now. The guidance from OHRP, right now, on their site, says there is no reason not to be reporting on performance and doing a variety of other things. So, I do not think that would be a concern.
Donald:
Thank you.
Operator:
Thank you. Our next question or comment is from the line of Michael. Your line is open.
Michael:
Yes. Thank you. I have two quick questions. One is about individuals who may be reporting errors as a provider. So, let's say a physician reports an error through the PSO, on the reporting form. Are there indications that you could share this information with possibly another PSO or with FDA, and would the form itself be considered a bona fide agreement or contract under the regulations? And would sharing of that information be permitted as a signed agreement from the provider being an individual and not going through an organization?
Susan McAndrew:
Hi. This is Sue McAndrew. Let me address that question. The statute is very clear in terms of once information is protected as patient safety work product, when it can be disclosed to others. And an informal agreement, whether it's on this form or otherwise, would not permit anyone to share information contrary to those statutory restrictions. And so if the statute and the regulations prohibit a disclosure, that cannot be overridden by agreement.
On the flip side of that however, where a permission to disclose is specified, either in the statute or in the regulations, we do leave it to the parties to agree to less disclosure than the law would otherwise permit. You can always refuse or decline to disclose or share this information and that can be done simply by a unilateral act of not disclosing or it can be a prearranged agreement that we will not be exchanging information or sharing or disclosing information about "X".
Does that help?
Michael:
Yes, because in the proposed regulations, you do say that a provider can authorize disclosure by giving signed permission. So that would cover that?
Susan McAndrew:
Well, there are two things. One of the permissible disclosures is when all identified parties in that protected information have authorized its disclosure, but they all must jointly agree to permit that disclosure. One identifiable party can't make that decision on behalf of everybody that's identified by that work product. Other than that, I believe that what we have referenced in the rule is the ability of the parties to agree that even if the rule would permit a particular disclosure that they are going to be more protective of that data and not allow that information to flow from one party to the other.
Michael:
Okay. The second question is can a pharmaceutical company be considered a provider?
Susan McAndrew:
A pharmaceutical company as opposed to a pharmacy?
Michael:
Yep. Correct. So, a pharmaceutical company that's receiving in a lot of reports on ADEs and wants to share that information with a PSO, would they be considered a provider?
Carolyn Clancy:
Thanks for that question. This is Dr. Clancy. The short answer is we—the proposed "reg," does not specify that, but the Secretary has the authority to extend or broaden the definition of provider. So, again, this is an area where an explicit comment would be very helpful.
Michael:
Thank you.
Howard Holland:
This is Howard. Before Christopher, our operator, queues up our next question, I want to note that we are at approximately 5 minutes left on the call time today. We're going to try to move expeditiously through all of the questions that we still have in the queue. We'll attempt to get to as many of those as we can, but I do want to note that we have approximately 5 minutes left. Christopher, if you'd go to our next question.
Operator:
Yes, sir. Our next question is from Bill. Your line is open.
Bill:
Yes. I had a question about the patient safety activities and whether a PSO must meet all eight of the patient safety activities and/or whether there is a need to perform all eight of the patient safety activities.
Carolyn Clancy:
Yes, all eight. That's part of the attestation. Does that help?
Bill:
Well, at one point in the rules, it seemed to imply that you needed to meet all eight, but in another area it seemed to imply you did not need to perform all eight.
Carolyn Clancy:
You need to be able to have specific policies and procedures in place for all eight types of activities when you're initially being listed. And then to be recertified, you would need to be performing all eight activities.
Bill:
Thank you.
Operator:
Thank you. Our next question or comment is from Judith. Your line is open.
Judith:
Thank you. This is Judith Langer. I had a question regarding the business associate provisions applicable to PSOs. In reading the rule, it seemed to me that not all of the HIPAA privacy business associate provisions were applicable to PSOs, and I'm wondering if Ms. McAndrew can provide some insight into the rationale for not imposing all those HIPAA privacy requirements on PSOs.
Susan McAndrew:
Thank you. The statute itself says that PSOs would be treated as business associates of providers. That's assuming the provider itself is a HIPAA covered entity. Even though the relationship between the provider and the PSO is very specialized in this case, we would expect that the standard HIPAA business associate agreement would be in place as between a covered entity and their PSO in order to effectuate the business associate relationship. There may be provisions of that contract that would reflect the nature of the arrangement and so some of the duties may not accrue to a PSO, simply because that's not the function they're performing on behalf of the covered entity.
Judith:
Thank you.
Operator:
Thank you. Our next question or comment is from Shannon. Shannon, your line is open. Shannon, your line is open. Please check your mute button.
Shannon:
Thank you. I just wanted to follow up on an earlier question when you said that you hoped for the final regulations to be done expeditiously. Are we talking weeks, or months?
Carolyn Clancy:
I think I can say expeditiously; we're going to move as rapidly as we can. Clearly, that depends to a very large extent on how many comments and clarifications we need to address and we're going to do the best job we can as rapidly as we can.
Shannon:
Thank you.
Operator:
Thank you. Our next question or comment is from Megan. Megan, your line is open.
Megan:
Hi. My question has to do with the HIPAA implications. One of the goals of the proposed rule is to allow PSOs to share data with other PSOs and to aggregate data from providers, and it seems like this would be difficult to allow PSOs as business associates of covered entities to share data without violating HIPAA, because in most situations the activity won't fall within the health care operations exception, and I was wondering if you could address that.
Susan McAndrew:
Yes. Thank you. This is Sue McAndrew again. I think, in fact, there is—I think both aggregations are clearly something that a business associate is allowed to perform on behalf of the covered entity and that aggregation can include—I mean obviously what they're aggregating is the data that they receive from other covered entities or other sources, all pursuant to their business associate agreement with each of those parties. As well, there is room in the HIPAA regulations for health care operations for the sharing of the information, more broadly, for quality purposes.
And the other thing to consider is the extent to which the information that will be flowing pursuant to these patient safety events will actually meet the HIPAA definition of identifiable information. It may be that the information in some cases is totally deidentified. In other cases, sufficient identifiers may be removed to allow the information to be shared as a limited data set or under more relaxed rules, as well as the ability under health care operations and business associate agreement to make the information available fully identifiable.
But we would be very interested. We know in many of these cases these may be complex relationships between these confidentiality protections and the current HIPAA privacy rule, and we would encourage any comment that you have in terms of where you see the two rules not flowing together.
Megan:
Okay. And there had been some mention in the proposed rule of a possible amendment to the HIPAA privacy rule to make sure that the two rules work together better, is that discussion going on still or…
Susan McAndrew:
I mean it is always possible at the end of the day. If we are finding that the rules are somehow at cross-purposes in an unintended way, that either or both could be amended to make sure that the information flows consistently under both laws.
Megan:
Okay. Thank you.
Howard Holland:
This is Howard again. We are going to extend the call another few minutes in an effort to get through a few more questions, but we're anticipating that we may not be able to get through all of them that are in the queue right at the moment. So, we do want to alert you to that, but we are going to continue for another few minutes in an effort to get through as many of those as we can. Christopher, would you give us to our next questioner?
Operator:
Yes, sir. Our next question is from Star. Your line is open.
Matt:
Hi. This is Matt, in Star's office. We have been dealing with this issue, struggling with it for the last several days like a dog with a bone. Here's the question: Suppose a doctor's facing discipline at the hospital or at the State medical board due to a patient safety event, an adverse event, for example wrong-site surgery: if the event's reported to a PSO, can it not be handled as a disciplinary matter by the hospital or the State medical board? And I refer you to page 8178 of the rules, the proposed rule, section 3.204 a4 and a5, which seem to prohibit such disclosure or use. The question is: How do you engage in reporting that as a quality improvement issue to a PSO, yet engage in disciplinary action against that, for example, physician or nurse? This proposed rule seems to prohibit that dual usage.
Susan McAndrew:
This is Sue McAndrew. Again, this is an area where comments are very welcome on this NPRM. But this is mentioned earlier in terms of a careful consideration of what your intent is with regard to the use of the data and the fact that the law recognizes that information will exist within the organization and that normal business information is not going to be protected even though a copy or portion of that information has been copied and put into the patient safety evaluation structure. Because once that copy or that information is protected under this act, it cannot be used—you cannot—it's privileged information and you cannot introduce it into an administrative proceeding against the doc or the nurse or the employee. And so basing an adverse action on information you cannot use as evidence is probably not the best way to proceed.
In light of that, what an entity will probably need to do is have a separable system for tracking and processing events that may result in adverse actions—adverse employment action against an employee or a certified physician—so that that information is available to the hospital or the employer, should they need it in any litigation.
Matt:
Is it a matter of labeling such that the same information, in other words the same facts, could exist both in what gets reported say, or provided as patient safety work product to a PSO and what gets used in a disciplinary action against that physician?
Susan McAndrew:
Yes. I mean a fact may exist, the medical file will exist, and it will always exist outside of this patient safety evaluation protection. Other records of the hospital will exist separately and outside of this patient safety evaluation structure. Even to the extent that some of that information is copied and reported to the PSO, the fact of that reporting and the copy that is actually reported within the patient safety evaluation system becomes privileged and protected, but that does not change the unprotected status of the original material: the facts, what people know from first hand observation, etc.
Matt:
And finally then, in follow up, so our State medical board, which, in Texas, has full authority to subpoena just about anything within the four walls of the hospital, so that under—and please correct me if I'm wrong or if I'm putting words in your mouth, what you would envision is the State's medical board could continue to subpoena whatever information it wanted, it just could not obtain the—well, what is it that they couldn't obtain, the report to the PSO?
Susan McAndrew:
The actual report to the PSO is privileged.
Matt:
What about patient safety work product?
Susan McAndrew:
That becomes patient safety work product. Information that was in that report is protected from subpoena as patient safety work product. That same information that exists in other reports that were not reported to the PSOs that were part of the original medical record, that were part of an incident report that was provided to some other prong of the organization that is responsible for managing risk management or disciplinary matters, remains outside of the patient safety evaluation system. The purpose of reporting that information to the PSO is solely to have that information evaluated to find out what went wrong and how to fix it and prevent it from happening again. It is not for the purpose of establishing evidence to be used against the parties.
Matt:
Thank you. In conclusion, I do think this is going to present—as this unfolds, we have a difficult set of questions to answer here and it's not totally clear, at least to me, what patient safety work product is and what is usable in a disciplinary action. So, I think you will probably—we'll certainly send in comments and hopefully suggestions for changed wording, but I just would alert you that I would imagine a number of states are going to have the same questions.
Susan McAndrew:
And we'd welcome that. Believe me, this is not an easy question and we welcome your comments.
Matt:
Thank you.
Susan McAndrew:
Thank you.
Howard Holland:
This is Howard. We are going to try to take two or three more questions. Unfortunately, that won't get through everyone that's presently in the queue. We regret that, but we will get through the next several. We'll do as many as we can depending on the length of time required for the responses and we hope that if we're not able to get to your question today, that you will go on the Web site and submit comments and questions there.
Christopher, would you take us to our next questioner?
Operator:
Yes, sir. Our next question or comment is from Kimberly. Your line is open.
Kimberly:
This is Kimberly. Yeah. I wanted to know if you—if it'll be some time before the final regulations are out. Can you recommend as a provider what we could start doing today to get the process rolling? Should we be stamping documents as information to be reported to a PSO in the future?
Carolyn Clancy:
I think at this point I can't tell you what you can or can't do. What I can tell you is it wouldn't have any meaning until the rule is final.
Kimberly:
So there's nothing you can do to date to start setting up your patient evaluation system and processing peer-review documents through that, to be reported to the PSO when the regulations are finalized?
Carolyn Clancy:
Correct.
Kimberly:
It wouldn't—okay. One other additional question. If you are a health system that operates multiple facilities, and you want to establish your own PSO, just in accordance with what you said earlier in answer to an earlier question, if then the recommendations appeal to PSOs, you can just have an agreement to share that information across the system?
Carolyn Clancy:
You're—I'm sorry. I missed part of your question. So, you asked initially if a system wanted to set up its own PSO.
Kimberly:
Right. And so it operates multiple facilities and those facilities are reporting information to the system-established PSO, but you want to share the PSO's recommendations and analysis of the information sent to it by each individual facility, you just, and under the "regs" it seems you have to set up a firewall, but you can have an agreement that says by all parties that you can share that information across the system?
Susan McAndrew:
I mean basically—this is Sue McAndrew. Basically, the sharing, I commend you to the part of the regulation that says how PSOs and providers can share information and feedback for patient safety activities. And certainly as between—you know, it may well depend on how you structure this relationship between all the associated affiliated hospitals and the PSO, whether that operates as one entity. If it operates as independent multiple entities, then it may be that the sharing from the PSO and among the providers directly would need to be in slightly deidentified form. It doesn't have to be totally deidentified.
But, currently, the NPRM does speak to how that sharing can be done as between the PSO and other providers with whom it had a contract or a relationship for handling this information. And, again, this is an area where we would welcome your comments in terms of: does that allow you the information flows that you need to have happen to address your patient safety issues?
Kimberly:
Okay. Thank you.
Howard Holland:
We will take two more questions. Christopher, if you'd take us to our next to last caller.
Operator:
Yes, sir. Our next question or comment is from Allison. Your line is open.
Allison:
Hi. Good morning or good afternoon. This is Allison Viola from the American Health Information Management Association. I was hoping you could clarify, as I'm a little unclear on the data definitions, how the timing of the release of the data formats will coincide with the actual final rule, and will those data definitions be frozen at that time or will they continue to change over time?
Carolyn Clancy:
Thank you. This is Dr. Clancy. We expect the timing will work out very well, because we're going to be disseminating those via the Federal Register in July or August of '08. The closing date for comments on this rule is April 14, 2008. So, if there's a gap in time, we would expect that it would be very, very modest at best. In the event that we were to have the final rule ready before those data definitions are actually available, some would speculate that we won't be quite that rapid. But I'm not going to be more specific than that, as I have not been in response to other questions.
We anticipate, though, that the data definitions will be an iterative process, so the first group of common formats, as we've been calling them and as they're labeled in the bill itself, will address some of the leading areas, but we also expect that we will be enhancing and adding to that list over time. We're going to be working with the National Quality Forum for subsequent iterations of that process.
Allison:
Okay. Thank you.
Howard Holland:
And Christopher, our last caller?
Operator:
Yes, sir. Our final question or comment is from Robert. Your line is open.
Robert:
Yes. This follows up on a previous question. I note that on HIPAA, I believe there were exceptions to the privacy deidentification elements, such as for law enforcement agencies. Are there explicit exceptions on the patient safety organizations that are similar to those?
Susan McAndrew:
This is Sue McAndrew. Can you repeat the last part of your question?
Robert:
Well, yes. I was saying that under the HIPAA privacy rules where you have various deidentification elements on patient data, exceptions are made for various bodies such as law enforcement agencies who might need the data for legitimate law enforcement purposes. Are there similar exceptions made under the patient safety rules?
Susan McAndrew:
Okay. To clarify, I think what you're talking about is the fact that under HIPAA there are specific permissions, which allow you, with or without individual's written authorization, to release their information to certain parties.
Robert:
That's right.
Susan McAndrew:
And otherwise the information needs to be deidentified in order for it to be releasable. Essentially, those same principles, although in a much more limited form, exist in the patient safety statute. And that the statute, like the HIPAA rules, would allow information that has been—I think the term in the patient safety statute is "nonidentifiable information," to be released in any case.
Then, even identifiable—a patient safety work product is permitted to be disclosed in specific cases and those are specified both in the statute and have a comparable listing in the NPRM. So, I commend you to that list to find out what the nature of those permissions is and, again, many of them, like HIPAA, come with additional qualifications on them. But, there is a comparable—I mean there is permission to disclose for law enforcement purposes. There are also permissions that go to certain criminal and civil proceedings, but in a much more limited form than exist in HIPAA. There's a research exclusion and other than that, there's the kind of written—everyone can agree in writing to release the information.
Robert:
Okay. Thank you.
Susan McAndrew:
Okay?
Robert:
Yes. Thank you. Will there also be a list made public of PSOs as they come to be accepted once the final rule is out?
Carolyn Clancy:
Yes, absolutely.
Howard Holland:
With that, I'd like to just look towards Sue and Carolyn and ask if either of them has any final comments that they'd like to make.
Carolyn Clancy:
The only final—this is Dr. Clancy. The only final comment I would make is to thank all of you for making the time and simply to reiterate that we welcome comments and questions. The 47 specific questions that we articulated in the proposed rule are areas where we are explicitly seeking comment, but there may be other areas as well. We will take all of them into consideration and any verbal discussion here today is background only. It will not be explicitly considered unless it is submitted in written form or electronically. And, again, the Web site address is http://pso.ahrq.gov.
Susan McAndrew:
This is Sue McAndrew and, again, just to thank you all for your participation. Your questions were very valuable and I hope that you were able to learn from one another and we do look forward to your formal comments. Thank you very much.
Howard Holland:
With that, we will draw the call to a conclusion. Just a last note: that the deadline for submission of comments is April 14, and information, as Carolyn mentioned, is available to do that on the Web site.
Thank you all very much for your participation.
Operator:
Again, ladies and gentlemen, this does conclude the conference for today. We do once again, thank you for your participation. You may all disconnect at this time. Good day. Presenters, please hold your lines.