Your browser doesn't support JavaScript. Please upgrade to a modern browser or enable JavaScript in your existing browser.
U.S. Department of Health and Human Services www.hhs.gov
Agency for Healthcare Research Quality www.ahrq.gov
AHRQ Home | Questions? | Contact Us | Site Map | What's New | Browse | Información en español | E-mail UpdatesE-mail Updates
www.ahrq.gov

Back to Patient Safety Organizations Home

Patient Safety and Quality Improvement. Final Rule (Continued)

The first prong of the definition encompasses a component PSO that is a unit of a governmental agency that is a legal entity. This could include a component organization managed by another division of such a governmental agency, e.g., a health care division of VA or DoD. Thus, a component PSO could be a unit or component of a Federal agency that is a legal entity and it could at the same time be a component of another unit or division of that agency which controls and directs or manages its operation. So too in the private sector, a component PSO could have more than one parent and thus be a component, for example, of a professional society as well as a component of the unit or division of the professional society that controls or manages the PSO.

The second prong of the definition addresses a variety of organizational relationships that could arise between component PSOs and legally separate parent organizations that manage or control them. Under paragraph (2), a subsidiary PSO could be managed or controlled by its legally separate parent organization. In addition, we note that a component PSO could be managed or controlled by another unit or division of its legally separate parent, e.g., if this unit or division uses its knowledge and skills to control or manage certain aspects of the component's operations. If that occurs, we would consider the sibling subsidiary that exercises control or management over the PSO as another parent organization of the PSO.

Obtaining the identity and contact information of an entity's parent organizations is useful for the purpose of letting providers know who may be managing or controlling a PSO. This information also will be useful in implementing the certification and listing process for PSOs described in the rule which, for instance, excludes any health insurance issuer from becoming a PSO and excludes a component of a health insurance issuer from becoming a PSO.

In response to commenters concerned about the legal liability for parent organizations of component PSOs, we note that the preamble to the proposed rule stated as follows: "We stress that neither the statute nor the proposed regulation imposes any legal responsibilities, obligations, or liability on the organization(s) of which it [the PSO] is a part." The Department reaffirms its position. At the same time, we note that the rule, at § 3.402(b), recognizes, provides for, and does not alter the liability of principals based on Federal common law.

Response to Other Public Comments

Comment: One concern that was expressed by several commenters pertained to whether or not a health system that has a component or subsidiary health insurance issuer, e.g., a group health plan offered to the public, would be precluded from having a component PSO as well.

Response: So long as the component health insurance issuer does not come within the definition of a parent organization of the PSO, i.e., own a controlling or majority interest in, manage, or control the health system's component PSO (i.e., the PSO would not be a component of the health insurance issuer), the parent health system could establish a component PSO.

Comment: It was asserted that including subsidiaries as components would require a PSO that is not controlled by another parent organization, but itself has a subsidiary, to seek listing as a component PSO.

Response: The revised definition of component organization emphasizes that a component is an organization that is controlled by another entity. It is not the Department's intention to require a PSO that is not controlled by another entity to seek listing as a component PSO. For this reason, the fact that a PSO has a subsidiary does not trigger the requirement to seek listing as a component organization.

Comment: It was suggested that the inclusion of subsidiaries within the meaning of component would require a health system that wished to create a PSO to create it as a component.

Response: There are several issues that a health system needs to consider in determining whether and how to create a PSO, but the inclusion of subsidiary within the meaning of component is not necessarily determinative. The statute requires the improvement of quality and patient safety to be the primary activity of the entity seeking listing. Since few multifaceted health system organizations will meet this requirement, existing organizations will have an incentive to create single-purpose component organizations that clearly meet the requirement. The second issue is whether to create a PSO as an internal component organization or as a separate legal entity. Because the final rule requires each PSO to enter two contracts, provider organizations may find it useful for its component PSO to be a separate legal entity. Otherwise, the component PSO may be precluded from contracting with its parent organization.

Comment: There was a request for a definition of "own" with a suggestion for reference to Internal Revenue Code 26 I.R.C. § 1563 to clarify its meaning and the meaning of having a controlling interest. This same commenter sought strong separation requirements between a component PSO and any parent organization.

Response: We have reviewed the cited regulation but conclude that the approach presented is unlikely to clarify the meaning of "own" or "having a controlling interest" for purposes of the regulation. Accordingly, the definition of component in the final rule will use the term "owns," but it should be read in conjunction with the phrase "owns a controlling or majority interest in" that is used in the related definition of "parent organization." This will indicate that the definition of component uses the term "owns" to mean having a sufficient ownership interest to control or manage a PSO. The holder of a controlling or majority interest in the entity seeking to be listed should be identified as a parent organization.

Comment: Components of government entities should not be listed as PSOs.

Response: The Patient Safety Act specifically permits public sector entities, and components of public sector entities, to seek listing as a PSO. We have incorporated several exclusions, however, of entities with regulatory authority and those administering mandatory state reporting programs because these activities are incompatible with fostering a non-punitive culture of safety among providers. As we explain in § 3.102(a)(2)(ii), we conclude that it is not necessary to exclude components of such entities but have adopted additional restrictions and requirements in § 3.102(c) for such component entities.

(D) § 3.20—Definition of Disclosure

Proposed Rule: Proposed § 3.20 provided that disclosure would mean the release, transfer, provision of access to, or divulging in any other manner of patient safety work product by a person holding patient safety work product to another person.

We did not generally propose to regulate uses of patient safety work product within an entity, i.e., when this information is exchanged or shared among the workforce members of an entity. We believe that regulating uses within providers and PSOs would be unnecessarily intrusive given the voluntary aspect of participation with a PSO. We believe that regulating uses would not further the statutory goal of facilitating the sharing of patient safety work product with PSOs and that sufficient incentives exist for providers and PSOs to prudently manage the internal sharing of sensitive patient safety work product. However, based on the statutory provision, we did propose that we would recognize as a disclosure the sharing of patient safety work product between a component PSO and the organization of which it is a component. Such sharing would, absent the statutory provision and the proposed regulation, be a use within the larger organization because the component PSO is not a separate entity. The Patient Safety Act supports this position by demonstrating a strong desire for the protection of patient safety work product from the rest of the organization of which the PSO is a part. We sought public comment on whether the decision to not regulate uses was appropriate.

The proposed rule discussed that sharing patient safety work product with a contractor that is under the direct control of an entity, i.e., a workforce member, would not be a disclosure, but rather a use within the entity. However, sharing patient safety work product with an independent contractor would be a disclosure requiring an applicable disclosure permission.

Overview of Public Comments: Some commenters supported the proposed definition of disclosure. No commenters opposed the proposed definition or requested further clarification.

Most commenters that responded to the question whether uses of patient safety work product should be regulated supported the decision not to regulate uses. Those commenters agreed that regulating uses would be overly intrusive without significant benefit and that entities are free to enter into agreements with greater protections. Other commenters disagreed with the Department's proposal and stated that regulation of uses would improve confidentiality and thereby increase provider participation.

No commenters opposed the proposal that sharing of patient safety work product from a component PSO to the rest of the parent entity of which it is a part would be a disclosure for purposes of enforcement rather than a use internal to the entity.

Final Rule: The Department adopts the provision with modifications. In general, the modified definition of disclosure means the release of, transfer of, provision of access to, or divulging in any other manner of, patient safety work product by an entity or natural person holding the patient safety work product to another legally separate entity or natural person, other than a workforce member of, or a physician holding privileges with, the entity holding the patient safety work product. Additionally, we have defined as a disclosure the release of, transfer of, provision of access to, or divulging in any other manner of, patient safety work product by a component PSO to another entity or natural person outside the component PSO.

We have modified the language for clarity to distinguish the actions that are a disclosure for a natural person and an entity, separately. We have also included language in the definition that makes clear that sharing of patient safety work product from a component PSO to the entity of which it is a part is a disclosure even though the disclosure would be internal to an entity and generally permitted. Finally, we have added language to clearly indicate that the sharing of patient safety work product between a health care provider with privileges and the entity with which it holds privileges does not constitute a disclosure, consistent with the treatment of patient safety work product shared among workforce members.

Response to Other Public Comments

Comment: Commenters asked that the Department clarify the terms "disclosure" and "use." Commenters stated that the terms were used interchangeably and this caused confusion.

Response: The term "disclosure" describes the scope of the confidentiality protections and the manner in which patient safety work product may be shared. "Disclosure" is also employed by the Patient Safety Act when describing the assessment of civil money penalties for the failure to maintain confidentiality (see 42 U.S.C. 299b-22(f)(1)). Although the Patient Safety Act employs the term "use" in several provisions, we did not interpret those provisions to include a restriction on the use of patient safety work product based on the confidentiality protections.

Because the focus of the proposed rule was on disclosures, we did not believe that defining the term "use" was helpful; nor did we believe the terms would be confusing. Use of patient safety work product is the sharing within a legal entity, such as between members of the workforce, which is not a disclosure. By contrast, a disclosure is the sharing or release of information outside of the entity for which a specific disclosure permission must be applicable.

Comment: One commenter requested clarification regarding the sharing of patient safety work product among legally separate participants that join to form a single joint venture component PSO.

Response: The Department distinguishes between the disclosure of patient safety work product between legal entities and the use of patient safety work product internal to a single legal entity. If a component PSO is part of a multi-organizational enterprise, uses of patient safety work product internal to the component PSO are not regulated by this final rule, but sharing of patient safety work product between the component PSO and another entity or with a parent organization are considered disclosures for which a disclosure permission must apply.

Comment: One commenter raised concerns that the final rule would restrict a provider's use of its own data and thereby discourage collaboration with other care givers.

Response: The Department believes that the final rule balances the interests between the privacy of identified providers, patients and reporters and the need to aggregate and share patient safety work product to improve patient safety among all providers. The final rule does not limit the sharing of patient safety work product within an entity and permits sharing among providers under certain conditions. Affiliated providers may share patient safety work product for patient safety activities and non-affiliated providers may share anonymized patient safety work product. A provider may also share patient safety work product with a health care provider that has privileges to practice at the provider facility. Further, if all identified providers are in agreement regarding the need to share identifiable patient safety work product, each provider may authorize and thereby permit a disclosure.

Comment: Several commenters asked whether uses were restricted based upon the purpose for which the patient safety work product is being shared internally.

Response: The final rule does not limit the purpose for which patient safety work product may be shared internal to an entity. Entities should consider the extent to which sensitive patient safety work product is available to members of its workforce as a good business practice.

(E) § 3.20—Definition of Entity

Proposed Rule: Proposed § 3.20 provided that entity would mean any organization or organizational unit, regardless of whether the entity is public, private, for-profit, or not-for-profit.

Overview of Public Comments: One comment was received suggesting that the terms "governmental" or "body politic" should be added to clarify that the term "public" includes Federal, State, or local government as well as public corporations.

Final Rule: The term "public" has long been used throughout Title 42 of the Code of Federal Regulations as encompassing governmental agencies; therefore we do not believe that the addition is necessary. The Department adopts the proposed provision without modification.

(F) § 3.20—Definition of Health Insurance Issuer

Proposed Rule: Proposed § 3.20 provided that health insurance issuer would mean an insurance company, insurance service, or insurance organization (including a health maintenance organization, as defined in 42 U.S.C. 300gg-91(b)(3)) which is licensed to engage in the business of insurance in a State and which is subject to State law which regulates insurance (within the meaning of 29 U.S.C. 1144(b)(2). The definition specifically excluded group health plans from the meaning of the term.

Overview of Public Comments: Several commenters expressed concern that the Department needed to be vigilant in its exclusion of health insurance issuers and components of health insurance issuers, urging that HHS clearly define health insurance issuers in the final rule. Another commenter sought clarification regarding risk management service companies, i.e., those that offer professional liability insurance, reinsurance, or consulting services.

Final Rule: The Department has reviewed the definition of "health insurance issuer" and determined that the definition is clear. Because the reference to group health plans could be a source of confusion, we note that we have defined the term above. Accordingly, the Department adopts the proposed provision without modification.

In response to several comments regarding the scope of the term health insurance issuer, the Department has concluded that, for purposes of this rule, risk management service companies, professional liability insurers and reinsurers do not fall within the definition of health insurance issuer.

Response to Other Public Comments

Comment: One commenter asked if a provider system that was owned as a subsidiary by an HMO could create a component PSO.

Response: Section 3.102(a)(2)(i) excludes a health insurance issuer, a unit or division of a health insurance issuer, or an entity that is owned, managed, or controlled by a health insurance issuer from seeking listing as a PSO. In this case, the HMO is considered a health insurance issuer and the provider system would be a component of the health insurance issuer. Under the rule, the HMO and the provider system may not seek listing as a PSO, and the entity created by the provider system could not seek listing as a component PSO if it is owned, managed or controlled by the provider system or the HMO.

Comment: One commenting organization requested discussion of what organizational structure might allow a health insurance issuer to participate in the patient safety work of an independent PSO.

Response: The statutory exclusion means that the following entities may not seek listing: a health insurance issuer or a component of a health insurance issuer.

(G) § 3.20—Definition of Parent Organization

Proposed Rule: Proposed § 3.20 provided that "parent organization" would mean an entity, that alone or with others, either owns a provider entity or a component organization, or has the authority to control or manage agenda setting, project management, or day-to-day operations of the component, or the authority to review and override decisions of a component organization. The proposed rule did not provide a definition of "owned" but provided controlling interest (holding enough stock in an entity to control it) as an example of ownership in the preamble discussion of the term, "parent organization." The proposed rule specifically sought comment on our use of the term "controlling interest," whether it was appropriate, and whether we needed to further define "owns." The remaining terms, "manage or control," were explained in the proposed rule's definition of "parent organization," as having "the authority to control or manage agenda setting, project management, or day-to-day operations of the component, or the authority to review and override decisions of a component organization."

Overview of Public Comments: We received eight comments on the question of "controlling interest" and there was no consensus among the commenters. Four commenters thought our discussion was appropriate. Another agreed with the concept of controlling interest but wanted to limit its application to a provider who reported patient safety work product to the entity. One commenter cautioned that the term "controlling interest" was open to various interpretations and the final rule should provide additional guidance. Another commenter suggested "controlling interest" was worrisome but did not provide a rationale for this assessment. One commenter supported additional protections, contending that it was appropriate for HHS to pierce the corporate veil when there was fraud or collusion, and recommended the preamble outline situations in which HHS would pierce the corporate veil.

We received no negative comments on our proposed interpretation of what it means to manage or control another entity. One commenter suggested that the definition should recognize the significant authority or control of a provider entity or component organization through reserve powers, by agreement, statute, or both.

Final Rule: While approximately half of the comments supported our approach, there was not a clear consensus in the comments we reviewed. So the approach we have taken with the definition of "parent organization" was to strive for greater clarity, taking into account its interaction with our definition of "component organization," described above.

The definition of "parent organization" in the final rule retains the basic framework of the proposed rule definition: an organization is a parent if it owns a component organization, has the ability to manage or control a component, or has the authority to review and overrule the component's decisions.

The language of the proposed rule used only the term "own" while the preamble cited the example of stock ownership. Without further specification, we were concerned that this approach could have been interpreted to mean that an organization owning just a few shares of stock of a component organization would be considered a parent organization. This is not our intent. For clarity, we have modified the text to read "owns a controlling or majority interest."

We have also removed the phrase "alone or with others" from the first clause. We did so for two reasons. First, it is unnecessary since it does not matter whether ownership is shared with other organizations, as in a joint venture. An entity seeking listing as a PSO will use this definition solely to determine if it has any parent organizations and, if it does, it must seek listing as a component organization and disclose the names and contact information for each of its parent organizations. Second, we have tried to make it as clear as possible that any organization that has controlling ownership interests, or management or control authority over a PSO, should be considered, and reported in accordance with the requirements of § 3.102(c)(1)(i), as a parent organization.

For similar reasons, we have removed the reference to provider from the first part of the definition and instead consistently used the term "component organization" with respect to each characteristic of a parent organization. We added a second sentence to clarify that a provider could be the component organization in all three descriptive examples given of parental authority.

In response to one commenter's concern, we believe that the phrase "has the authority" as used in the definition is sufficiently broad to encompass reserve powers.

(H) § 3.20—Definition of Patient Safety Evaluation System

Proposed Rule: Proposed § 3.20 provided that patient safety evaluation system would mean the collection, management, or analysis of information for reporting to or by a PSO. The patient safety evaluation system would be the mechanism through which information can be collected, maintained, analyzed, and communicated. The proposed rule discussed that a patient safety evaluation system would not need to be documented because it exists whenever a provider engages in patient safety activities for the purpose of reporting to a PSO or a PSO engages in these activities with respect to information for patient safety purposes. The proposed rule provided that formal documentation of a patient safety evaluation system could designate secure physical and electronic space for the conduct of patient safety activities and better delineate various functions of a patient safety evaluation system, such as when and how information would be reported by a provider to a PSO, how feedback concerning patient safety events would be communicated between PSOs and providers, within what space deliberations and analyses of information are conducted, and how protected information would be identified and separated from information collected, maintained, or developed for purposes other than reporting to a PSO.

The Department recommended that a provider consider documentation of a patient safety evaluation system to support the identification and protection of patient safety work product. Documentation may provide substantial proof to support claims of privilege and confidentiality and will give notice to, will limit access to, and will create awareness among employees of, the privileged and confidential nature of the information within a patient safety evaluation system which may prevent unintended or impermissible disclosures.

We recommended that providers and PSOs consider documenting how information enters the patient safety evaluation system; what processes, activities, physical space(s) and equipment comprise or are used by the patient safety evaluation system; which personnel or categories of personnel need access to patient safety work product to carry out their duties involving operation of, or interaction with, the patient safety evaluation system; the category of patient safety work product to which access is needed and any conditions appropriate to such access; and what procedures the patient safety evaluation system uses to report information to a PSO or disseminate information outside of the patient safety evaluation system.

The proposed rule sought comment about whether a patient safety evaluation system should be required to be documented.

Overview of Public Comments: Several commenters supported the efforts to enable the patient safety evaluation system to be flexible and scalable to individual provider operations. Most commenters that responded to the question whether a patient safety evaluation system should be documented supported the decision to not require documentation. Commenters stated that requiring documentation would inhibit the flexibility in the design of patient safety evaluation systems and the ability of providers to design systems best suited for their specific practices and settings. Documentation would also be burdensome to providers and should ultimately be left to the discretion of individual providers based on their needs. Other commenters supported a requirement for documentation, suggesting that documentation would go further in ensuring compliance with the confidentiality provisions and the protection of information, thereby encouraging provider participation.

Final Rule: The Department adopts the proposed provision without modification. Based on the comments, we have not modified the proposed decision to not require documentation. We have, as described in the definition of patient safety work product below, clarified how documentation of a patient safety evaluation system clearly establishes when information is patient safety work product. We encourage providers to document their patient safety evaluation systems for the benefits mentioned above. We believe documentation is a best practice.

Response to Other Public Comments

Comment: Two commenters raised concerns about how a patient safety evaluation system operates within a multi-hospital system comprised of a parent corporation and multiple hospitals that are separately incorporated and licensed. One commenter asked whether a parent corporation can establish a single patient safety evaluation system in which all hospitals participate. The other commenter recommended that individual institutional affiliates of a multi-hospital system be part of a single patient safety evaluation system.

Response: For a multi-provider entity, the final rule permits either the establishment of a single patient safety evaluation system or permits the sharing of patient safety work product as a patient safety activity among affiliated providers. For example, a hospital chain that operates multiple hospitals may include the parent organization along with each hospital in a single patient safety evaluation system. Thus, each hospital may share patient safety work product with the parent organization and the patient safety evaluation system may exist within the parent organization as well as the individual hospitals.

There may be situations where establishing a single patient safety evaluation system may be burdensome or a poor solution to exchanging patient safety work product among member hospitals. To address this concern, we have modified the disclosure permission for patient safety activities to permit affiliated providers to disclose patient safety work product with each other based on commonality of ownership.

Comment: One commenter asked how a patient safety evaluation system exists within an institutional provider.

Response: A patient safety evaluation system is unique and specific to a provider. The final rule retains a definition of a patient safety evaluation system that is flexible and scalable to meet the specific needs of particular providers.

With respect to a single institutional provider, such as a hospital, a provider may establish a patient safety evaluation system that exists only within a particular office or that exists at particular points within the institution. The decisions as to how a patient safety evaluation system operates will depend upon the functions the institutional provider desires the patient safety evaluation system to perform and its tolerances regarding access to the sensitive information contained within the system. Providers should consider how a patient safety evaluation system is constructed, carefully weighing the balance between coordination and fragmentation of a provider's activities.

Comment: Some commenters were concerned that the patient safety evaluation system provided a loophole for providers to avoid transparency of operations and hide information about patient safety events. Some commenters suggested that a provider may establish a patient safety evaluation system that is inside of a PSO, thus stashing away harmful documents and information.

Response: The Department does not believe that the patient safety evaluation system enables providers to avoid transparency. A patient safety evaluation system provides a protected space for the candid consideration of quality and safety. Nonetheless, the Patient Safety Act and the final rule have carefully assured that information generally available today remains available, such as medical records, original provider documents, and business records. Providers must fulfill external reporting obligations with information that is not patient safety work product. Further, a provider may not maintain a patient safety evaluation system within a PSO.

Comment: One commenter asked whether all information in a patient safety evaluation system is protected.

Response: Information collected within a patient safety evaluation system that has been collected for the purpose of reporting to a PSO is patient safety work product if documented as collected for reporting to a PSO. This is discussed more fully at the definition of patient safety work product below. Information that is reported to a PSO is also protected, as discussed more fully at the definition of patient safety work product below.

Return to Table of Contents
Return to Previous Section
Continue to Next Section

 

AHRQAdvancing Excellence in Health Care
AHRQ footer - print version only