DEPARTMENT OF HEALTH AND HUMAN SERVICES
42 CFR Part 3
Patient Safety and Quality Improvement
AGENCY: Agency for Healthcare Research and Quality, Office for Civil Rights, Department of Health and Human Services.
ACTION: Final rule.
SUMMARY: The Secretary of Health and Human Services is adopting rules to implement certain aspects of the Patient Safety and Quality Improvement Act of 2005, Pub. L. 109-41, 42 U.S.C. 299b-21—b-26 (Patient Safety Act). The Patient Safety and Quality Improvement final rule (Patient Safety Rule) establishes a framework by which hospitals, doctors, and other health care providers may voluntarily report information to Patient Safety Organizations (PSOs), on a privileged and confidential basis, for the aggregation and analysis of patient safety events.
The Patient Safety Rule outlines the requirements that entities must meet to become PSOs and the processes by which the Secretary will review and accept certifications and list PSOs. It also describes the privilege and confidentiality protections for the information that is assembled and developed by providers and PSOs, the exceptions to these privilege and confidentiality protections, and the procedures for the imposition of civil money penalties for the knowing or reckless impermissible disclosure of patient safety work product.
DATES: The Patient Safety Rule is effective on January 19, 2009.
FOR FURTHER INFORMATION CONTACT: Susan Grinder, Agency for Healthcare Research and Quality, 540 Gaither Road, Rockville, MD 20850, (301) 427-1111 or (866) 403-3697.
SUPPLEMENTARY INFORMATION: On February 12, 2008, the Department of Health and Human Services (HHS) published a Notice of Proposed Rulemaking (proposed rule) at 73 FR 8112 proposing to implement the Patient Safety Act. The comment period closed on April 14, 2008. One-hundred-sixty-one comments were received during the comment period.
[Note: These links take the reader to descriptions of the proposed and final rules. The final rule includes a section-by-section summary of the public comments received regarding the proposed rule and a discussion of the extent to which those comments shaped the provisions of the final rule.]
II. Overview of the Proposed and Final Rules
A. The Proposed Rule
B. The Final Rule
III. Section-by-Section Description of Final Rule and Response to Comments
A. Subpart A—General Provisions
1. Section 3.10—Purpose
2. Section 3.20—Definitions
B. Subpart B—PSO Requirements and Agency Procedures
1. Section 3.102—Process and Requirements for Initial and Continued Listings of PSOs
2. Section 3.104—Secretarial Actions
3. Section 3.106—Security Requirements
4. Section 3.108—Correction of Deficiencies, Revocation and Voluntary Relinquishment
5. Section 3.110—Assessment of PSO Compliance
6. Section 3.112—Submissions and Forms
C. Subpart C—Confidentiality and Privilege Protections of Patient Safety Work Product
1. Section 3.204—Privilege of Patient Safety Work Product
2. Section 3.206—Confidentiality of Patient Safety Work Product
3. Section 3.208—Continued Protection of Patient Safety Work Product
4. Section 3.210—Required Disclosure of Patient Safety Work Product to the Secretary
5. Section 3.212—Nonidentification of Patient Safety Work Product
D. Subpart D—Enforcement Program
1. Sections 3.304, 3.306, 3.308, 3.310, 3.312, 3.314—Compliance and Investigations
2. Sections 3.402, 3.404, 3.408, 3.414, 3.416, 3.418, 3.420, 3.422, 3.424, 3.426—Civil Money Penalties
3. Section 3.504—Procedures for Hearings
IV. Impact Statement and Other Required Analyses
[Note: The following link includes the complete text of the final rule from Part 3 of Title 42 of the Code of Federal Regulations, which is entitled "Patient Safety Organizations and Patient Safety Work Product."]
This final rule establishes the authorities, processes, and rules necessary to implement the Patient Safety Act that amended the Public Health Service Act (42 U.S.C. 299 et seq.) by inserting new sections 921 through 926, 42 U.S.C. 299b-21 through 299b-26. The Patient Safety Act focuses on creating a voluntary program through which health care providers can share information relating to patient safety events with PSOs, with the aim of improving patient safety and the quality of care nationwide. The statute attaches privilege and confidentiality protections to this information, termed "patient safety work product," to encourage providers to share this information without fear of liability and creates PSOs to receive this protected information and analyze patient safety events. These protections will enable all health care providers, including multi-facility health care systems, to share data within a protected legal environment, both within and across states, without the threat that the information will be used against the subject providers.
However, we note that section 922(g)(2) of the Public Health Service Act is quite specific that these protections do not relieve a provider from its obligation to comply with other Federal, State, or local laws pertaining to information that is not privileged or confidential under the Patient Safety Act: section 922(g)(5) of the Public Health Service Act states that the Patient Safety Act does not affect any State law requiring a provider to report information that is not patient safety work product. The fact that information is collected, developed, or analyzed under the protections of the Patient Safety Act does not shield a provider from needing to undertake similar activities, if applicable, outside the ambit of the statute, so that the provider can meet its obligations with non-patient safety work product. The Patient Safety Act, while precluding other organizations and entities from requiring providers to provide them with patient safety work product, recognizes that the original records underlying patient safety work product remain available in most instances for the providers to meet these other reporting requirements.
We note also that the Patient Safety Act references the Standards for the Privacy of Individually Identifiable Health Information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA Privacy Rule), 45 CFR parts 160 and 164. Many health care providers participating in this program will be covered entities under the HIPAA Privacy Rule and will be required to comply with the HIPAA Privacy Rule when they disclose patient safety work product that contains protected health information. The Patient Safety Act is clear that it is not intended to interfere with the implementation of any provision of the HIPAA Privacy Rule. See 42 U.S.C. 299b-22(g)(3). The statute also provides that civil money penalties cannot be imposed under both the Patient Safety Act and the HIPAA Privacy Rule for a single violation. See 42 U.S.C. 299b-22(f). In addition, the statute states that PSOs shall be treated as business associates, and patient safety activities are deemed to be health care operations under the HIPAA Privacy Rule. See 42 U.S.C. 299b and 299-22(i). Since patient safety activities are deemed to be health care operations, the HIPAA Privacy Rule does not require covered providers to obtain patient authorizations to disclose patient safety work product containing protected health information to PSOs. Additionally, as business associates of providers, PSOs must abide by the terms of their HIPAA business associate contracts, which require them to notify the provider of any impermissible use or disclosure of the protected health information of which they are aware. See 45 CFR 164.504(e)(2)(ii)(C).
The proposed rule sought to implement the Patient Safety Act to create a voluntary system through which providers could share sensitive information relating to patient safety events without fear of liability, which should lead to improvements in patient safety and in the quality of patient care. The proposal reflected an approach to the implementation of the Patient Safety Act intended to ensure adequate flexibility within the bounds of the statutory provisions and to encourage providers to participate in this voluntary program. The proposed rule emphasized that this program is not federally funded and will be put into operation by the providers and PSOs that wish to participate with little direct federal involvement. However, the process for certification and listing of PSOs will be implemented and overseen by the Agency for Healthcare Research and Quality (AHRQ), while compliance with the confidentiality provisions will be investigated and enforced by the Office for Civil Rights (OCR).
Subpart A of the proposed rule set forth the definitions of essential terms, such as patient safety work product, patient safety evaluation system, and PSO. In order to facilitate the sharing of patient safety work product and the analysis of patient safety events, Subpart B of the proposed rule implemented the statutory requirements for the listing of PSOs, the entities that will offer their expert advice in analyzing the patient safety events and other information they collect or develop to provide feedback and recommendations to providers. The proposed rule established the criteria and set forth a process for certification and listing of PSOs and described how the Secretary would review, accept, condition, deny, or revoke certifications for listing and continued listing of entities as PSOs.
Based on the statutory mandates in the Patient Safety Act, Subpart C of the proposed rule set forth the privilege and confidentiality protections that attach to patient safety work product; it also set forth the exceptions to these protections. The proposed rule provided that patient safety work product generally continues to be protected as privileged and confidential following a disclosure and set certain limitations on redisclosure of patient safety work product.
Subpart D of the proposed rule established a framework to enable the Secretary to monitor and ensure compliance with this Part, a process for imposing a civil money penalty for breach of the confidentiality provisions, and procedures for a hearing contesting the imposition of a civil money penalty. These provisions were modeled largely on the HIPAA Enforcement Rule at 45 CFR part 160, subparts C, D and E.
We received over 150 comments on the proposed rule from a variety of entities, including small providers and large institutional providers, hospital associations, medical associations, accrediting bodies, medical liability insurers, and state and federal agencies. Many of the commenters expressed support for the proposed rule and the protections it granted to sensitive information related to patient safety events.
Based upon the comments received, the final rule adopts most of the provisions of the proposed rule without modification; however, several significant changes to certain provisions of the proposed rule have been made in response to these comments. Changes to Subpart A include the addition of a definition of affiliated provider. The definitions of component organization, parent organization, and provider were modified for clarity, and the definition of disclosure was modified to clarify that the sharing of patient safety work product, between a component PSO and the entity of which it is a part, qualifies as a disclosure, while the sharing of patient safety work product between a physician with staff privileges and the entity with which it holds privileges is not a disclosure. We have also modified the definition of patient safety work product to include information that, while not yet reported to a PSO, is documented as being within a provider's patient safety evaluation system and that will be reported to a PSO. This modification allows for providers to voluntarily remove, and document the removal of, information from the patient safety evaluation system that has not yet been reported to a PSO, in which case, the information is no longer patient safety work product.
The most significant modifications to Subpart B include the following. With respect to the listing of PSOs, we have broadened the list of excluded entities at § 3.102(a)(2)(ii), required PSOs at § 3.102(b)(1)(i)(B) to notify reporting providers of inappropriate disclosures or security breaches related to the information they reported, specified compliance with the requirement regarding the collection of patient safety work product in § 3.102(b)(2)(iii), eliminated the requirements for separate information systems and restrictions on shared staff for most component PSOs but added additional restrictions and limitations for PSOs that are components of excluded entities at § 3.102(c), and narrowed and clarified the disclosure requirements that PSOs must file regarding contracting providers with whom they have additional relationships at § 3.102(d)(2). We have modified the security requirement to provide flexibility for PSOs to determine whether to maintain patient safety work product separately from unprotected information. The final rule includes a new expedited revocation process at § 3.108(e) for exceptional circumstances that require prompt action, and eliminates implied voluntary relinquishment, providing instead in § 3.104(e) that a PSO's listing automatically expires at the end of three years, unless it is revoked for cause, voluntarily relinquished, or its certifications for continued listing are approved.
Changes to proposed Subpart C include the addition of language in § 3.206(b)(2) that requires a reporter seeking equitable relief to obtain a protective order to protect the confidentiality of patient safety work product during the course of the proceedings. Proposed § 3.206(b)(4) has been amended to allow disclosures of identifiable, non-anonymized patient safety work product among affiliated providers for patient safety activities. In addition, proposed § 3.206(b)(7) has been modified to make clear that the provision permits disclosures to and among FDA, entities required to report to FDA, and their contractors. We also have modified proposed § 3.206(b)(8) to require providers voluntarily disclosing patient safety work product to accrediting bodies either to obtain the agreement of identified non-disclosing providers or to anonymize the information with respect to the non-disclosing providers prior to disclosure. Finally, we modified §§ 3.204(c), 3.206(d), and 3.210 to allow disclosures of patient safety work product to or by the Secretary for the purposes of determining compliance with not only the Patient Safety Act, but also the HIPAA Privacy Rule.
In Subpart D, we adopt the proposed provisions except, where reference was made in the proposed rule to provisions of the HIPAA Privacy Rule, the final rule includes the text of such provisions for convenience of the reader.
We describe these provisions, the comments received, and our responses to these comments more fully below in the section-by-section description of the final rule.
Proposed Rule: Proposed § 3.10 provided that the purpose of proposed Part 3 is to implement the Patient Safety and Quality Improvement Act of 2005 (Pub. L. 109-41), which amended the Public Health Service Act (42 U.S.C. 299 et seq.) by inserting new sections 921 through 926, 42 U.S.C. 299b-21 through 299b-26.
Overview of Public Comments: No comments were received pertaining to this section.
Final Rule: The Department adopts the proposed provision without modification.
Proposed Rule: Proposed § 3.20 provided for definitions applicable to Part 3. Some definitions were restatements of the definitions at section 921 of the Public Health Service Act, 42 U.S.C. 299b-21, and other definitions were provided for convenience or to clarify the application and operation of the proposed rule.
Overview of Public Comments: With respect to the definitions for AHRQ, ALJ, Board, complainant, component PSO, confidentiality provisions, entity, group health plan, health maintenance organization, HHS, HIPAA Privacy Rule, identifiable patient safety work product, nonidentifiable patient safety work product, OCR, Patient Safety Act, patient safety activities, patient safety organization, person, research, respondent, responsible person, and workforce, we received no comments.
We received a number of comments on the various other definitions and these comments will be addressed below in reference to the specific term.
Final Rule: The Department adopts the above definitions as proposed. Certain definitions were added for convenience or clarity of the reader.
Response to Public Comments
Comment: Commenters requested definitions for accrediting body, reporter, redisclosure, impermissible disclosure, use, evaluation and demonstration projects, and legislatively created PSO.
Response: The Department does not agree that the additional definitions requested by commenters are necessary. Some definitions requested have generally accepted meanings and we do not believe there is benefit in imposing more limitations on such terms. Some terms such as legislatively created PSO are not used within the final rule. Other terms such as impermissible disclosure, use, and reporter are readily understood from the context of the final rule and do not need definitions.
(A) § 3.20—New Definition of Affiliated Provider
Final Rule: The proposed rule did not include a definition for affiliated provider. The Department adopts the term affiliated provider to mean, with respect to a provider, a legally separate provider that is the parent organization of the provider, is under common ownership, management, or control with the provider, or is owned, managed, or controlled by the provider. The Department includes this term to identify to whom patient safety work product may be disclosed pursuant to a clarification of the disclosure permission for patient safety activities.
Overview of Comments: Several commenters were concerned about limitations of disclosures for patient safety activities among providers. Commenters raised concerns that limitations may inhibit the sharing and learning among providers of the analysis of patient safety events. Other commenters viewed the disclosure limitations as restricting a provider's use of its own data. These comments are addressed more fully below as part of the discussion of the patient safety activities disclosure permission.
(B) § 3.20—Definition of Bona Fide Contract
Proposed Rule: Proposed § 3.20 provided that bona fide contract would mean a written contract between a provider and a PSO that is executed in good faith or a written agreement between a Federal, State, local, or Tribal provider and a Federal, State, local, or Tribal PSO.
Overview of Public Comments: One comment was received noting that "good faith" need not be a part of a bona fide contract.
Final Rule: Because meeting the minimum contract requirement is essential for a PSO to remain listed by the Secretary, the Department believes that the requirement that contracts be entered in good faith should be retained. We also note that Federal, State, local or Tribal providers are free to enter into an agreement with any PSO that would serve their needs; thus, they can enter bona fide contracts with PSOs pursuant to paragraph (1) of the definition, or enter comparable arrangements with a Federal, State, local or Tribal PSO pursuant to paragraph (2). The Department adopts the proposed provision without modification.
(C) § 3.20—Definition of Component Organization
Proposed Rule: Proposed § 3.20 provided that component organization would mean an entity that is either: (a) a unit or division of a corporate organization or of a multi-organizational enterprise; or (b) a separate organization, whether incorporated or not, that is owned, managed or controlled by one or more other organizations, i.e., its parent organization(s). Because this definition used terms in a manner that was broader than traditional usage, the proposed rule sought comment on whether it was appropriate for purposes of the regulation to consider a subsidiary, an otherwise legally independent entity, as a component organization.
With respect to the terms "owned, managed, or controlled," the preamble directed readers to our description of these concepts in our discussion of the term "parent organization." The preamble to the proposed rule discussed the various ways that an organization may be controlled by others. In particular, there was a discussion of multi-organizational enterprises and the variety of management relationships or forms of control that such enterprises can create that might impact component entities. The preamble also discussed the traditional meaning of subsidiaries as being separate legal entities and, therefore, not within the ordinary meaning of the term "component." However, the approach of the proposed rule was to express the Department's intention to encourage all forms of PSO organizational arrangements including the ownership of PSOs as subsidiaries. At the same time, we wanted to be able to accurately determine and to indicate to providers which PSOs should be considered components of other entities and the identity of a component PSO's parent organization. We explained our intent was not to limit our approach to corporate forms of organizations.
Overview of Public Comments: The majority of commenters supported our proposal to consider subsidiaries as component organizations for the purposes of this rule. Several commenters sought reassurance that our interpretation does not impose additional legal liability on the parent organization.
Concern was expressed that our approach suggested an over-reliance on the corporate model and the definition needed to reflect other types of legally recognized entities. One comment reflected concern that our reference to "multi-organizational enterprise" in the definition was unnecessarily confusing because it was not commonly used. Another commenter disagreed with our approach entirely, arguing that the scope of our definition was overly broad and unnecessary.
Final Rule: The final rule now defines "component organization" to mean an entity that:
"(1) Is a unit or division of a legal entity (including a corporation, partnership, or a Federal, State, local or Tribal agency or organization); or
(2) Is owned, managed, or controlled by one or more legally separate parent organizations."
The definition of component organization is intended to be read with a focus on management or control by others as its defining feature. The definition must be read in conjunction with the complementary definition of "parent organization." While our approach remains little changed, we have rearranged and streamlined the text of the definition of component in response to the comments and concerns we received on it. For example, there is no longer an explicit reference in the definition of component to multi-organizational enterprises, which are undertakings with separate corporations or organizations that are integrated in a common business activity. The revised definition, however, is sufficiently broad to apply to components of such enterprises. In response to concerns that the earlier definition was too focused on corporate organizations, we have incorporated an explicit reference to "other legal entities" besides corporations. In addition, specific references have been added to more clearly accommodate possible organizational relationships of public agencies, such as the Department of Defense (DoD), Department of Veterans Affairs (VA), the Indian Health Service (IHS), and other State, local, and Tribal organizations that manage or deliver health care services.
In the scenario envisioned by the first prong of the definition, the legal entity is a parent organization and the component organization is a unit or division within the parent organization. An underlying assumption of the modified paragraph (1) is that a unit or division of a legal entity may be managed or controlled by one or more parent organizations. Consistent with this paragraph, a component PSO may be managed or controlled by the legal entity of which it is a part or by another unit or division of that entity. It could also be controlled by a legally separate entity under the second paragraph of the definition.