U.S. Department of Health and Human Services www.hhs.gov
Agency for Healthcare Research Quality www.ahrq.gov
AHRQ Home | Questions? | Contact Us | Site Map | What's New | Browse | Información en español | E-mail UpdatesE-mail Updates
www.ahrq.gov
PSO Home Patient Safety Organizations Stethoscope

Patient Safety and Quality Improvement. Final Rule (Continued)

Comment: One commenter was concerned that the lack of a framework and too much flexibility may interfere with interoperability and data aggregation at a later date.

Response: The Department believes that a patient safety evaluation system must of necessity be flexible and scalable to meet the needs of specific providers and PSOs. Without such flexibility, a provider may not participate, which may, lessen the overall richness of the information that could be obtained about patient safety events. The Department recognizes the value of aggregated data and has, pursuant to the Patient Safety Act, begun the process of identifying standard data reporting terms to facilitate aggregation and interoperability. Further, the Patient Safety Act requires that PSOs, to the extent practical and appropriate, collect patient safety work product in a standardized manner (see 42 U.S.C. 299b-24(b)(1)(F)). The Department hopes that, by permitting the widest range possible of providers to participate in the gathering and analysis of patient safety events, increased participation will generate more data and greater movement towards addressing patient safety issues.

Comment: Many commenters encouraged the Department to provide technical assistance to providers and PSOs on the structuring and operation of a patient safety evaluation system.

Response: The Department expects to provide such guidance on the operation and activities of patient safety evaluation systems as it determines is necessary.

(I) § 3.20—Definition of Patient Safety Work Product

Proposed Rule: Proposed § 3.20 adopted the statutory definition of patient safety work product as defined in the Patient Safety Act. The proposed rule provided that many types of information can become patient safety work product to foster robust exchanges between providers and PSOs. Any information must be collected or developed for the purpose of reporting to a PSO.

Three provisions identified how information becomes patient safety work product. First, information may become patient safety work product if it is assembled or developed by a provider for the purpose of reporting to a PSO and is reported to a PSO. Second, patient safety work product is information developed by a PSO for the conduct of patient safety activities. Third, patient safety work product is information that constitutes the deliberations or analysis of, or identifies the fact of reporting pursuant to, a patient safety evaluation system.

The proposed rule provided that reporting means the actual transmission or transfer of information to a PSO. We recognized that requiring the transmission of every piece of paper or electronic file to a PSO could impose significant transmission, management, and storage burdens on providers and PSOs. The proposed rule sought comment on whether alternatives for actual reporting should be recognized as sufficient to meet the reporting requirement. For example, the proposed rule suggested that a provider that contracts with a PSO may functionally report information to a PSO by providing access and control of information to a PSO without needing to physically transmit information. The proposed rule also sought comment on whether additional terms and conditions should be required to permit functional reporting and whether functional reporting should be permitted only after an initial actual report of information related to an event.

The proposed rule also sought comment on whether a short period of protection for information assembled but not yet reported is necessary for flexibility or for providers to efficiently report information to a PSO. We also sought comment on an appropriate time period for such protection and whether a provider must demonstrate intent to report in order to obtain protection.

The proposed rule also sought comment on when a provider could begin collecting information for the purpose of reporting to a PSO such that it is not excluded from becoming patient safety work product because it was collected, maintained or developed separately from a patient safety evaluation system.

The proposed rule indicated that, if a PSO is delisted for cause, a provider would be able to continue to report to that PSO for 30 days after the date of delisting and the information reported would be treated as patient safety work product (section 924(f)(1) of the Public Health Service Act). However, after delisting, the proposed rule indicated that the former PSO may not generate patient safety work product by developing information for the conduct of patient safety activities or through deliberations and analysis of information. Even though a PSO may not generate new patient safety work product after delisting, it may still possess patient safety work product, which must be kept confidential and be disposed of in accordance with requirements in Subpart B.

The proposed rule also described what is not patient safety work product, such as a patient's original medical record, billing and discharge information, or any other original patient or provider record. Patient safety work product does not include information that is collected, maintained, or developed separately or exists separately from, a patient safety evaluation system. This distinction is made because these and similar records must be maintained by providers for other purposes.

The proposed rule also discussed that external reporting obligations as well as voluntary reporting activities that occur for the purpose of maintaining accountability in the health care system cannot be satisfied with patient safety work product. Thus, information that is collected to comply with external obligations is not patient safety work product. The proposed rule provided that such activities include: state incident reporting requirements; adverse drug event information reporting to the Food and Drug Administration (FDA); certification or licensing records for compliance with health oversight agency requirements; reporting to the National Practitioner Data Bank of physician disciplinary actions; or complying with required disclosures by particular providers or suppliers pursuant to Medicare's conditions of participation or conditions of coverage.

The proposed rule also addressed the issue that external authorities may seek information about how effectively a provider has instituted corrective action following identification of a threat to the quality or safety of patient care. The Patient Safety Act does not relieve a provider of its responsibility to respond to such requests for information or to undertake or provide to external authorities evaluations of the effectiveness of corrective action, but the provider must respond with information that is not patient safety work product. The proposed rule provided that recommendations for changes from the provider's patient safety evaluation system or the PSO are patient safety work product. However, the actual changes that the provider implements to improve how it manages or delivers health care services are not patient safety work product, and it would be virtually impossible to keep such changes confidential.

Overview of Public Comments: Commenters raised a significant number of concerns regarding how information becomes patient safety work product under particular provisions of the definition.

Functional Reporting

We received significant feedback from commenters in support of recognizing alternative reporting methods. Most commenters agreed that an alternative reporting arrangement should be permitted to promote efficiency and relieve providers of the burden of continued transmission. Two commenters opposed permitting alternative reporting methods based on the concern that a shared resource may confuse clear responsibility for a breach of information and that a PSO that has access to a provider information system may also have access to patient records and similar information for which access may not be appropriate.

Most commenters rejected the suggestion that functional reporting should be limited to subsequent reports of information rather than allowing functional reports for the first report of an event. Commenters believed that such a limitation would inhibit participation and offset the benefits of allowing functional reporting. Commenters also believed such a limitation would create an artificial distinction between information that is initially and subsequently reported to a PSO. Some commenters believed that details regarding functional reporting are better left to agreement between the provider and PSO engaging in functional reporting. Two commenters did support restricting functional reporting to subsequent information, but did not provide any rationale or concern to support their comment.

No commenters identified additional requirements or criteria that should be imposed beyond a formal contract or agreement. Thus, the final rule permits functional reporting.

When is Information Protected

Commenters raised significant and substantial concerns regarding when the protections for patient safety work product begins, how existing patient safety processes will occur given the protections for patient safety work product, and the likelihood that providers may need to maintain separate systems with substantially duplicate information. A significant majority of commenters responded to the concern regarding the status of information collected, but not yet reported to a PSO. Most commenters agreed with concerns raised by the Department that early protection could ease the burden on providers, preventing a race to report to a PSO. These commenters recommended that information be protected upon collection and prior to reporting. Protection during this time would permit providers to investigate an event and conduct preliminary analyses regarding causes of the event or whether to report information to a PSO. Many commenters were concerned that information related to patient safety events be protected at the same time the information is preserved for other uses. Some providers indicated that if duplication of information is required, providers may opt to not participate due to costs and burdens. Three commenters indicated that there should be no protection until information is reported to a PSO. One commenter was concerned that early protection may interfere with State reporting requirements because information needed to report to a State may become protected and unavailable for State reporting. Another commenter stated that earlier protection would not alleviate the concerns regarding protection prior to reporting.

Commenters provided a wide range of recommendations in response to when protection of information should begin prior to creation of patient safety work product. Commenters suggested that information be protected prior to reporting for as little as 24 hours from an event up to 12 months. Other commenters suggested that a timeframe be reasonable and based upon relevant factors such as the complexity of facts and circumstances surrounding an event.

State Reporting

One of the most significant areas of comment was how processes to create patient safety work product may operate alongside similar processes within a provider. Commenters were particularly concerned that information collected for similar purposes, such as for reporting to a PSO and for reporting to a State health authority, would need to be maintained in separate systems, thereby increasing the burden on providers. The most significant comments received related to how information related to patient safety events may be protected at the same time the information is preserved for other uses. Some providers indicated that if duplication is required, provider may opt to not participate due to costs and burdens.

Earliest Time for Collection of Information

Few commenters responded to the request for comment on the earliest date information could be collected for purposes of reporting to a PSO, a requirement for information to become patient safety work product. Four commenters recommended that information collection be permitted back to the passage of the Patient Safety Act. Four commenters recommended that the earliest date of collection be dependent upon each provider's good faith and intent to collect information for reporting to a PSO.

Final Rule: The Department adopts the proposed provision with some modification.

Functional Reporting

The Department recognizes the concerns raised by commenters regarding the functional reporting proposal, but believes the benefits outweigh the potential negative consequences; the relief of burden, and the flexibility that derives from not adhering to a narrow reading of the reporting requirement. First, we recognize that a provider and PSO engaging in this alternative method of reporting have an established relationship for the reporting of information and have spent some time considering how best to achieve a mutually useful and suitable reporting relationship. That relationship will necessitate consideration of what information is necessary and not necessary to achieve the purpose of reporting. Neither a provider nor a PSO is required to accept an alternative reporting mechanism. Further, providers continue to be under the same obligations to protect patient and other medical records from inappropriate access from others, including the PSO, without exception. Second, such a relationship should establish clearly the mechanism for control of information reported or to which the PSO will have access, and the scope of PSO authority to use the information. In addition, the assessment of liability should be addressed and need be no more complex than exists in provider settings today with shared resources and integrated services.

We agree with commenters that limitations regarding the initial or subsequent reporting of information are better left to the providers and PSOs engaging in the practice and that providers and PSOs should be permitted to design the appropriately flexible reporting mechanism befitting the circumstances of their practice setting. We further agree that additional limitations on the ability to use functional reporting are unwarranted, absent clear identification of risks or concerns to be addressed by further limitations.

For these reasons, we clarify that reporting of information to a PSO for the purposes of creating patient safety work product may include authorizing PSO access, pursuant to a contract or equivalent agreement between a provider and a PSO, to specific information in a patient safety evaluation system and authority to process and analyze that information, e.g., comparable to the authority a PSO would have if the information were physically transmitted to the PSO. We do not believe a formal change in the regulatory text is necessitated by this clarification.

When is Information Protected

The Department recognizes that the Patient Safety Act's protections are the foundation to furthering the overall goal of the statute to develop a national system for analyzing and learning from patient safety events. To encourage voluntary reporting of patient safety events by providers, the protections must be substantial and broad enough so that providers can participate in the system without fear of liability or harm to reputation. Further, we believe the protections should attach in a manner that is as administratively flexible as permitted to accommodate the many varied business processes and systems of providers and to not run afoul of the statute's express intent to not interfere with other Federal, State or local reporting obligations on providers.

The proposed rule required that information must be reported to a PSO before the information may become patient safety work product under the reporting provision of the definition of patient safety work product. However, this standard left information collected, but not yet reported to a PSO, unprotected, a cause of significant commenter concern. This standard also might encourage providers to race to report information indiscriminately to obtain protection in situations where a report ultimately may be unhelpful, causing the expenditure of scarce resources both by a provider and a PSO to secure the information as patient safety work product. The proposed rule also may have caused some providers to choose between not participating or developing dual systems for handling similar information at increased costs.

We believe it is important to address the shortcomings of a strict reporting requirement through the following modification. The final rule provides that information documented as collected within a patient safety evaluation system by a provider shall be protected as patient safety work product. A provider would document that the information was collected for reporting to a PSO and the date of collection. The information would become patient safety work product upon collection. Additionally, a provider may document that the same information is being voluntarily removed from the patient safety evaluation system and that the provider no longer intends to report the information to a PSO, in which case there are no protections. If a provider fails to document this information, the Department will presume the intent to report information in the patient safety evaluation system to the PSO is present, absent evidence to the contrary.

We believe this modification addresses the concerns raised by the commenters. Protection that begins from the time of collection will encourage participation by providers without causing significant administrative burden. The alternative is a system that encourages providers to indiscriminately report information to PSOs in a race for protection, resulting in PSOs receiving large volumes of unimportant information. By offering providers the ability to examine patient safety event reports in the patient safety evaluation system without requiring that all such information be immediately reported to a PSO, and by providing a means to remove such information from the patient safety evaluation system and end its status as patient safety work product, the final rule permits providers to maximize organizational and system efficiencies and lessens the need to maintain duplicate information for different needs. Because documentation will be crucial to the protection of patient safety work product at collection, providers are encouraged to document their patient safety evaluation system. We note, however, that a provider should not place information into its patient safety evaluation system unless it intends for that information to be reported to the PSO.

Although this approach substantially addresses commenter concerns, three issues do cause concern. First, because information may be protected back to the time of collection, providers are no longer required to promptly report information to a PSO to ensure protection. Although we believe this is an unavoidable result of the modification, we believe the likely impact may be rare because providers are likely to engage PSOs for their expertise which requires such reporting. Second, the requirement to document collection in a patient safety evaluation system and, potentially, removal from a patient safety evaluation system could be burdensome to a provider. However, we believe these are important requirements particularly in light of the enforcement role OCR will play. A provider will need to substantiate that information is patient safety work product, or OCR will be unable to determine the status of information potentially leaving sensitive information unprotected—or subjecting the provider to penalties for improperly disclosing patient safety work product. Third, the ability of a provider to remove information from a patient safety evaluation system raises concern that a provider may circumvent the intent of a provider employee to obtain protection for information when reporting to the provider's patient safety evaluation system. For providers that engage in functional reporting, the concern is substantially mitigated because, under functional reporting, information is reported to a PSO when it is transmitted to the patient safety evaluation system to which the PSO has access, and, thus, protected. Alternatively, a provider employee may report as permitted directly to a PSO. Ultimately, this issue is to be settled between a provider that wishes to encourage reports that may not otherwise come to light and its employees who must be confident that reporting will not result in adverse consequences.

For these reasons, the Department modifies the definition of patient safety work product to include additional language in the first provision of the definition that protects information based upon reporting to a PSO.

State Reporting

To address commenter concerns about the duplication of resources for similar patient safety efforts and the lack of protection upon collection, we have clarified the requirements for how information becomes patient safety work product when reported to a PSO. Generally, information may become patient safety work product when reported to a PSO. Information may also become patient safety work product upon collection within a patient safety evaluation system. Such information may be voluntarily removed from a patient safety evaluation system if it has not been reported and would no longer be patient safety work product. As a result, providers need not maintain duplicate systems to separate information to be reported to a PSO from information that may be required to fulfill state reporting obligations. All of this information, collected in one patient safety evaluation system, is protected as patient safety work product unless the provider determines that certain information must be removed from the patient safety evaluation system for reporting to the state. Once removed from the patient safety evaluation system, this information is no longer patient safety work product.

Earliest Time for Collection of Information

The Department believes that a clear indication of a specific time when information may first be collected is beneficial to providers by reducing the complexity and ambiguity concerning when information is protected as patient safety work product. Although each provider collecting information for reporting to a PSO may need to support the purpose of information collection at the time of collection, such a standard may be overly burdensome. The Department agrees that information may have been collected for the purpose of reporting to a PSO beginning from passage of the Patient Safety Act. Information that existed prior to the passage of the Patient Safety Act may be subsequently collected for reporting to a PSO, but the original record remains unprotected. This clarification does not require any regulatory language change in the proposed rule.

What is Not Patient Safety Work Product

We reaffirm that patient safety work product does not include a patient's original medical record, billing and discharge information, or any other original patient or provider record; nor does it include information that is collected, maintained, or developed separately or exists separately from, a patient safety evaluation system. The final rule includes the statutory provision that prohibits construing anything in this Part from limiting (1) the discovery of or admissibility of information that is not patient safety work product in a criminal, civil, or administrative proceeding; (2) the reporting of information that is not patient safety work product to a Federal, State, or local governmental agency for public health surveillance, investigation, or other public health purposes or health oversight purposes; or (3) a provider's recordkeeping obligation with respect to information that is not patient safety work product under Federal, State or local law. ection 921(7)(B)(iii) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(B)(iii). The final rule does not limit persons from conducting additional analyses for any purpose regardless of whether such additional analyses involve issues identical to or similar to those for which information was reported to or assessed by a PSO or a patient safety evaluation system. Section 922(h) of the Public Health Service Act, 42 U.S.C. 299b-22(h).

Even when laws or regulations require the reporting of the information regarding the type of events also reported to PSOs, the Patient Safety Act does not shield providers from their obligation to comply with such requirements. These external obligations must be met with information that is not patient safety work product and oversight entities continue to have access to this original information in the same manner as such entities have had access prior to the passage of the Patient Safety Act. Providers should carefully consider the need for this information to meet their external reporting or health oversight obligations, such as for meeting public health reporting obligations. Providers have the flexibility to protect this information as patient safety work product within their patient safety evaluation system while they consider whether the information is needed to meet external reporting obligations. Information can be removed from the patient safety evaluation system before it is reported to a PSO to fulfill external reporting obligations. Once the information is removed, it is no longer patient safety work product and is no longer subject to the confidentiality provisions.

The Patient Safety Act establishes a protected space or system that is separate, distinct, and resides alongside but does not replace other information collection activities mandated by laws, regulations, and accrediting and licensing requirements as well as voluntary reporting activities that occur for the purpose of maintaining accountability in the health care system. Information is not patient safety work product if it is collected to comply with external obligations, such as: state incident reporting requirements; adverse drug event information reporting to the Food and Drug Administration (FDA); certification or licensing records for compliance with health oversight agency requirements; reporting to the National Practitioner Data Bank of physician disciplinary actions; complying with required disclosures by particular providers or suppliers pursuant to Medicare's conditions of participation or conditions of coverage; or provision of access to records by Protection and Advocacy organizations as required by law.

Response to Other Public Comments

Comment: One commenter in responding to questions about timing and early protection interpreted the timing concern to be an expiration of an allowed period of time to report, such that an event must be reported within a certain number of days or it may not become protected.

Response: As noted above, the timing issues in the final rule relate to when information may have been collected for reporting to a PSO. There is no expiration date for an event that would prohibit future protection of a report of it as patient safety work product so long as the protection of the information is pursuant to the final rule.

Comment: One commenter suggested that event registries may seek to become PSOs because the model is well positioned to allow for tracking and identification of patients that require follow-up.

Response: The Department recognizes that event registries may have particular benefits that may be helpful in the analysis of patient safety events, but we caution any holder of patient safety work product that future disclosure of patient safety work product must be done pursuant to the disclosure permissions. Thus, while it may be appropriate for event registries to identify and track patients who may require follow-up care, the final rule would generally not permit disclosure of patient safety work product to patients for such a purpose. Accordingly, while there may be benefits to an event registry becoming a PSO, a registry should take into consideration the limitations on disclosure of patient safety work product, and what impact such limits would have on its mission, prior to seeking listing.

Comment: Several commenters sought clarification whether information underlying analyses within a patient safety evaluation system was protected. One commenter suggested that data used to conduct an analysis should be protected at the same time as the analysis.

Response: As indicated in the definition of patient safety work product, information that constitutes the deliberation or analysis within a patient safety evaluation system is protected. Information underlying the analysis may have been either reported to a PSO and protected or collected in a patient safety evaluation system. Information documented as collected within a patient safety evaluation system is protected based on the modification to the definition of patient safety work product. Thus, information underlying an analysis may be protected. However, underlying information that is original medical records may not be protected if it is excluded by the definition of patient safety work product.

Comment: Two commenters raised concerns that PSOs do not have discretion regarding the receipt of unsolicited information reported to PSOs from providers. One commenter was concerned about the burden on a PSO receiving unsolicited reports and the obligation a PSO may have regarding unsolicited reports. Another commenter was concerned that unsolicited reports may be materially flawed or contain incorrect information.

Response: The Department does not agree that this is a major issue for PSOs or that PSOs need some regulatory ability to reject reported information. If a PSO receives information from a provider that was collected by that provider for the purposes of sending to a PSO, then the information is patient safety work product. PSOs may use or analyze the information, but must protect it as patient safety work product and dispose of the information properly. However, there is no requirement that a PSO maintain or analyze the information. For these reasons, we do not modify the proposed rule position regarding these issues.

Comment: Some commenters were concerned that recommendations of PSOs may be treated as a standard of care. Commenters recommended that recommendations from PSOs be protected as patient safety work product.

Response: The Department stated in the proposed rule that PSO recommendations are patient safety work product, but the changes undertaken by a provider based upon a PSO's recommendations are not patient safety work product. With respect to the concern that PSO recommendations may establish a standard of care, the issue is not within the scope of the Patient Safety Act and not appropriate for the regulation to address. Generally, the establishment of a standard of care is a function of courts and entities that have jurisdiction over the issue for which a standard of care is relevant. The introduction of patient safety work product as information that may help establish a standard of care is highly unlikely given the limited disclosure permissions. For these reasons, we make no modifications in the final rule.

Comment: Several commenters raised concerns about the distinction between original documents and copies of original documents. One commenter stated that it was an artificial distinction in an electronic environment.

Return to Table of Contents
Return to Previous Section
Continue to Next Section

 

AHRQAdvancing Excellence in Health Care
AHRQ footer - print version only