U.S. Department of Health and Human Services www.hhs.gov
Agency for Healthcare Research Quality www.ahrq.gov
AHRQ Home | Questions? | Contact Us | Site Map | What's New | Browse | Información en español | E-mail UpdatesE-mail Updates
www.ahrq.gov
PSO Home Patient Safety Organizations Stethoscope

Patient Safety and Quality Improvement. Final Rule (Continued)

Response: The Patient Safety Act and the final rule distinguish certain original records from information collected for reporting to a PSO. Because information contained in these original records may be valuable to the analysis of a patient safety event, the important information must be allowed to be incorporated into patient safety work product. However, the original information must be kept and maintained separately to preserve the original records for their intended purposes. If the information were to become patient safety work product, it could only be disclosed pursuant to the confidentiality protections.

Comment: One commenter was concerned that information collected for reporting to a PSO may be the same information providers collect for reporting to a state regulatory agency. The commenter suggested that protections should only attach to information after state-mandated reporting requirements have been fulfilled. The commenter was concerned that the confidentiality protections may impede state data collection, surveillance and enforcement efforts. A separate commenter requested clarification that if patient safety work product is reported under a state mandated incident reporting system, the patient safety work product continues to be protected.

Response: The final rule is clear that providers must comply with applicable regulatory requirements and that the protection of information as patient safety work product does not relieve a provider of any obligation to maintain information separately. The Department believes that some providers, such as hospitals, have been operating in similar circumstances previously when conducting peer review activities under state peer review law protections. For patient safety work product to be disclosed, even to a State entity, the discloser must have an applicable disclosure permission. While the Patient Safety Act does not preempt state laws that require providers to report information that is not patient safety work product, a State may not require that patient safety work product be disclosed.

Comment: One commenter advised that the final rule should build on existing infrastructure for reporting and examination of patient safety events to minimize duplication of resources and maximize existing efforts.

Response: The Department has modified the proposed rule to address the potential issue of duplicated resources by allowing providers the flexibility to collect and review information within a patient safety evaluation system to determine if the information is needed to fulfill external reporting obligations as addressed above. The Department recognizes the high costs of health care, both in dollars and in the health of individuals. The final rule establishes a workable and flexible framework to permit providers that have mature patient safety efforts to fully participate as well as for providers with no patient safety activities to be encouraged to begin patient safety efforts.

Comment: One commenter asked whether multiple PSOs can establish a single reporting portal for receiving reports from providers.

Response: The final rule does not address procedures regarding how a PSO receives information. Providers must meet any requirements regarding sharing information that is protected health information, such as the HIPAA Privacy Rule, in any circumstances when reporting information to a PSO or joint PSO portal.

Comment: Several commenters asked whether retrospective analyses could be included as patient safety work product.

Response: The final rule permits any data, which is a term that is broadly defined and would include retrospective analyses, to become patient safety work product. The fact that information was developed prior to the collection for reporting to a PSO does not bar a provider from reporting an analysis to a PSO and creating patient safety work product. Providers should be cautioned to consider whether there are other purposes for which an analysis may be used to determine whether protection as patient safety work product is necessary or warranted. Further, the definition of patient safety work product is clear that information collected for a purpose other than for reporting to a PSO may not become patient safety work product only based upon the reporting of that information to a PSO. Such information, particularly information collected or developed prior to the passage of the Patient Safety Act, may become protected as a copy, but the original document remains unprotected.

(J) § 3.20—Definition of Provider

Proposed Rule: Proposed § 3.20 would have divided the meaning of provider into three categories. The first paragraph included "an individual or entity licensed or otherwise authorized under State law to provide health care services, including" and this introductory language was followed by a list of institutional health care providers in subparagraph (1) and a list of individual health care practitioners in subparagraph (2). The preamble indicated that these statutory lists were illustrative.

Under the Secretary's authority to expand the list of providers in the statutory definition, the proposed rule would have added two categories to the list of providers. The second paragraph would have covered agencies, organizations, and individuals within Federal, State, local, or Tribal governments that deliver health care, the contractors these entities engage, and individual health care practitioners employed or engaged as contractors by these entities. We included this addition because public health care entities and their staff are not always authorized or licensed by state law to provide their services and, therefore, might not be included within the terms of the original statutory definition.

The third paragraph would have included a parent organization that has a controlling interest in one or more entities described in paragraph (1)(i) of this definition or a Federal, State, local, or Tribal government unit that manages or controls one or more entities described in (1)(i) or (2) of this definition. This addition was intended to permit the parent organization of a health care provider system to enter a system-wide contract with a PSO. The parent of a health system also may not be licensed or authorized by state law to provide health care services as required by the statutory definition.

Overview of Public Comments: There were a number of comments with respect to the entities and individuals that are identified as providers in the subparagraphs of paragraph (1). For example, one commenter sought clarification that "assisted living residential care and other community based care" providers are included in the broader term "long term care facilities" as identified in the list of covered providers. A number of other individual commenters each identified entities that the Secretary should include in the definition of providers: medical product vendors, pharmaceutical companies, medical device manufacturers, risk retention groups, and captive professional liability insurance companies that are controlled by risk retention groups.

There was general support for the inclusion of parent organizations of private and public sector providers in paragraph (3), although two commenters disagreed. One commenter argued that naming the parent organization as a provider suggested a "one size fits all" solution and suggested that eligibility should be linked to whether the parent organization is involved in the patient safety evaluation system for its subsidiaries. Other commenters, while not objecting, worried that this addition could open the door for organizations such as health insurance issuers, including Health Maintenance Organizations, regulatory and accrediting entities to qualify as component PSOs. One commenter suggested that by using the phrase "controlling interest" with respect to private sector parent organizations, the focus of this part of the proposed paragraph was inappropriately narrow, appearing to emphasize a corporate parent, and that the language needed to reflect a broader array of potential parent organizations, such as partnerships or limited liability companies.

Several commenters expressed concern that by encompassing entities that are not traditionally providers, under HIPAA or other rules, our definition of "provider" would lead to confusion. One commenter suggested it would be appropriate for the commentary accompanying the final rule to address the two terms, emphasize the differences, and clarify the obligations.

Final Rule: We have modified the definition of provider in the final rule in response to several comments. The first modification is a non-substantive substitution of the term behavioral health for behavior health. In response to the comments we received and to ensure clarity, we reiterate what we stated in the proposed rule that a list preceded by "including" is an illustrative list, not an exhaustive list.

In general, the question of whether any private sector individual or entity, such as assisted living residential care and other community-based care providers, comes within the rule's meaning of "provider" is determined by whether the individual or entity is licensed or otherwise authorized under state law to deliver health care services. We note that paragraphs (2) and (3) of the definition address public sector providers and parent organizations of health care providers.

We have not adopted any of the other recommendations for additions to the list of providers. The statute provides confidentiality and privilege protections for reporting by individuals and entities that actually provide health care services to patients. In our view, it was not intended to apply to those who manufacture or supply materials used in treatments or to entities that provide fiscal or administrative support to those providing health care services.

With respect to paragraph (3) of the definition, the use of the term parent organization here should conform to our definition of "parent organization" above. Therefore, we have streamlined the language, deleting unnecessary text that might suggest that we were applying a different definition.

The Department does not share the concerns of commenters that incorporating a broader definition of "provider" in this rule will cause confusion in the marketplace, because its use will be limited. The application of the term "provider" in this rule is intended to give the full range of health care providers the ability to report information to, and work with, PSOs and receive confidentiality and privilege protections as set forth in the Patient Safety Act and this rule. Although we appreciate the administrative benefits of uniformity, and have tried to maximize the consistency or interoperability of this rule with the HIPAA Privacy and Security Rules, it would not be appropriate in this rule to adhere to any less inclusive definition of provider used in other regulations.

We did not condition the designation of provider status for a parent organization on its involvement in a patient safety evaluation system. We expect that most parent organizations will, in fact, be a part of a system-wide patient safety evaluation system if they choose to pursue PSO services. However, establishing such a requirement now, when it is unclear what types of innovative arrangements and effective strategies might emerge, might prove more detrimental than helpful.

Response to Other Public Comments

Comment: One commenter raised concerns that paragraph (2) may not include Indian tribes that operate or contract for their own health care systems under the Indian Self-Determination and Education Assistance Act (ISDEAA), rather than relying upon the Indian Health Service.

Response: Tribal organizations carrying out self-determination contracts or compacts under the ISDEAA to deliver health care fall squarely within paragraph (2) of the definition of provider because they are organizations engaged as contractors by the Federal government to deliver health care. Additionally, the workforce of a provider covered under the rule, by definition, includes employees, volunteers, trainees, contractors, and other persons, whether or not paid by the provider, that perform work under the direct control of that provider. Federal employees detailed to a tribe or Tribal organization carrying out an ISDEAA contract would be covered under paragraph (2) in the definition of provider, even if they were not part of the Tribal organization's workforce. Therefore, no change is needed in response to this comment.

B. Subpart B—PSO Requirements and Agency Procedures

Proposed Subpart B would have set forth requirements for Patient Safety Organizations (PSOs) including the certification and notification requirements that PSOs must meet, the actions that the Secretary may and will take relating to PSOs, the requirements that PSOs must meet for the security of patient safety work product, the processes governing correction of PSO deficiencies, revocation, and voluntary relinquishment, and related administrative authorities and implementation responsibilities. The requirements of the proposed Subpart would have applied to entities that seek to be listed as PSOs, PSOs, their workforce, a PSO's contractors when they hold patient safety work product, and the Secretary.

The proposed rule did not require a provider to contract with a PSO to obtain the protections of the Patient Safety Act; however, we noted that we anticipate that most providers would enter into contracts with PSOs when seeking the confidentiality and privilege protections of the statute. We proposed to enable a broad variety of health care providers to work voluntarily with entities that would be listed as PSOs by the Secretary based upon their certifications that, among other things, state that they have the ability and expertise to carry out the broadly defined patient safety activities of the Patient Safety Act and, therefore, to serve as consultants to eligible providers to improve patient care. In accordance with the Patient Safety Act, the proposed rule set out an attestation-based process to qualify for 3-year renewable periods of listing as a PSO. Proposed Subpart B attempted to minimize regulatory burden, while fostering transparency to enhance the ability of providers to assess the strengths and weaknesses of their choice of PSOs.

We proposed a security framework pertaining to the separation of data and systems and to security management, control, monitoring, and assessment. Thus, each PSO would address the framework with standards it determines appropriate to the size and complexity of its organization. We proposed additional requirements to ensure that a strong firewall would be maintained between a component PSO and the rest of the organization(s) of which it is a part.

We noted that we expect to offer technical assistance and encourage transparency wherever possible to promote implementation, compliance, and correction of deficiencies. At the same time, this proposed Subpart established processes that would permit the Secretary promptly to revoke a PSO's certification and remove it from listing, if such action proves necessary.

1. Section 3.102—Process and Requirements for Initial and Continued Listing of PSOs

Proposed Rule: The proposed rule in § 3.102 addressed the eligibility of, and the processes and requirements for, an entity seeking a three-year period of listing by the Secretary as a PSO and described the timing and requirements of notifications that a PSO must submit to the Secretary during its period of listing. The proposed rule described our intention to minimize barriers to entry for entities seeking listing and create maximum transparency to create a robust marketplace for PSO services. The Patient Safety Act set forth limited prerequisites that must be met to be listed by the Secretary as a PSO, which the regulation incorporates. The Department expects that providers will be the ultimate arbiters of the quality of services that an individual PSO provides.

Overview of Public Comments: The following discussion focuses on the broad comments we received concerning our overall approach to initial and continued listing of PSOs. These comments do not address specific provisions of the proposed rule. Public comments that address specific provisions of § 3.102 are addressed in the individual subsection discussions that follow. Questions and situation-specific comments are addressed below under the heading of "Response to Other Public Comments."

The Department received generally favorable comment on our proposed approach in this section, which emphasizes a streamlined certification process, and public release of documentation submitted by PSOs whenever appropriate. There were, however, two broad sets of concerns expressed about our overall approach.

The first concern related to the potential number of PSOs that might be listed by the Secretary as a result of the Department's proposed "ease of entry" approach. These comments focused on the importance of PSOs being able to aggregate significant amounts of data across multiple providers to develop meaningful analyses. Noting that patient safety events are often rare events, one commenter noted that in some cases it may be necessary to aggregate data for an entire state in order to develop insights regarding the underlying causes of such events. Another commenter noted that if every hospital in the state established its own component PSO, the potential impact of PSO analyses could be minimal. Because most PSOs will be dependent upon revenue from providers submitting data, one commenter worried that too many PSOs could also affect the ability of individual PSOs to obtain adequate funding to perform their analytic functions and to implement potentially costly security requirements.

These concerns led some commenters to suggest inclusion in the final rule of a limitation on the number of PSOs that the Secretary would list. One commenter asked whether it would be possible for the Department to list one national PSO, noting this could improve efficiency for providers. Another commenter suggested listing of 2-4 PSOs per state using a competitive process or limiting the number of PSOs by increasing the number of required provider contracts that each PSO must have. Most commenters who favored limiting the number of listed PSOs did not suggest a specific approach.

A second broad set of recommendations focused on the need for periodic or ongoing evaluation of the effectiveness of PSOs that could be linked to, or be separate from, the evaluation of certifications for continued listing. Some commenters recommended that the Department routinely collect information from PSOs to evaluate whether the individual and collective work of PSOs is actually reducing medical errors and improving the quality of care that is delivered. One commenter stressed the importance of establishing in the final rule expectations related to PSO performance and demonstrated results and provided draft language for inclusion in the final rule.

Final Rule: The Department has not modified the approach taken in the proposed rule in response to these comments. With respect to limiting the number of PSOs that are listed by the Secretary, the statutory language is clear that any entity, public or private, that can meet the stated requirements is eligible for listing by the Secretary. While the Department understands the concerns of the commenters that a very large number of PSOs could frustrate the statutory goal of data aggregation across multiple providers, we believe that this scenario is unlikely for several reasons.

First, a provider does not need to shoulder the financial burden alone to support a full-time PSO. Providers enjoy the same protections under the Patient Safety Act when they contract with an independent PSO or when they create a component organization to seek listing as a PSO. A provider that establishes a working relationship with a PSO can have a division of labor between the analyses that its staff undertakes in-house within its patient safety evaluation system and the tasks it assigns to the PSO. In both circumstances, the statutory protections apply. Thus, for a provider, establishing its own PSO is an option, not a necessity.

Second, there are important insights into patient safety that can only be derived from aggregating data across multiple providers. Given the low frequency of some patient safety events, even larger health systems are likely to derive additional benefits from working with PSOs that have multiple and, potentially, diverse clients.

A final limiting factor is the shortage of personnel who are well-trained or experienced in the use of the methodologies of patient safety analyses. While the marketplace will respond to the need for the development of additional training and certification programs, the availability of highly-skilled staff will be a constraining factor initially. In combination, these three factors should provide a natural constraint on the number of single-provider PSOs.

Regarding the other general set of comments related to the listing process, the Department has considered these suggestions and has determined not to incorporate in the final rule requirements for an ongoing evaluation process or the routine collection of data from PSOs. PSOs are not a Federal program in the traditional sense. Most significantly, they are not Federally funded. Their project goals, priorities, and the specific analyses that they undertake are not Federally directed. The value and impact of an individual PSO will be determined primarily by the providers that use its services on an ongoing basis.

It is unclear at this point how providers will choose to use PSOs. Only with experience will it become clear which analyses a provider will choose to undertake in its own patient safety evaluation system and which analyses a provider will rely upon a PSO to undertake. The mix and balance of activities between a provider's patient safety evaluation system and its PSO (or PSOs) will undoubtedly shift over time as the working relationships between providers and PSOs evolve toward greater efficiency. Thus, we remain convinced that providers are in the best position to assess the value of a PSO and its ability to contribute to improving the quality and safety of patient care.

Response to Other Public Comments

Comment: While contracts are not required between PSOs and providers to obtain protections, the Department stated that it anticipates most providers will enter contracts with providers. In light of this expectation, one commenter urged the Department to develop and make available a model contract.

Response: We do not think a model contract can be developed easily. The issues that need to be addressed will vary significantly based upon the nature of the relationship. Therefore, we do not expect to be developing and releasing a model contract.

Comment: One commenter suggested that the final rule should explain how AHRQ will publish the results from which providers and others can evaluate a PSO before entering a contract.

Response: For the reasons discussed above, AHRQ will not require or release PSO-specific performance information.

Comment: One commenter suggested that AHRQ should ensure that PSOs should not be able to make commercial gain from the knowledge it derives as a PSO.

Response: The statute permits all types of private and public entities to seek listing as a PSO; it does not limit private entities to not-for-profits. The final rule mirrors that formulation. The Department concludes that the statute does not invite us to impose such restrictions and expects that providers' decisions will determine the acceptability of for-profit PSOs.

Comment: One commenter suggested that providers should only be permitted to submit data to one PSO.

Response: The Patient Safety Act's framework for PSO-provider relationships is voluntary from a public policy perspective. In our view, it would be inconsistent with section 922(e)(1)(B) of the Public Health Service Act for the Department or any entity to use the authority of law or regulation to limit or direct provider reporting.

Comment: One commenter suggested that the final rule should require PSOs to share aggregated, non-identifiable patient safety work product with state regulatory authorities.

Response: The Department does not agree that it is appropriate to place such an unfunded mandate upon PSOs.

Comment: One commenter stated that it is a waste of effort and expense to create new government entities to work with providers when current organizations can do that just as well. The commenter also asked whether anyone has estimated the 10-year costs.

Response: As this final rule makes clear, these entities are not government entities and will not receive Federal funding. While we expect implementation will spur the development of new entities, we also expect that existing entities will be able to expand their current patient safety improvement efforts if they seek listing and are able to offer the confidentiality and privilege protections provided by the Patient Safety Act. While we have not done a 10-year cost estimate, our regulatory impact statement at the end of the preamble projects net savings of $76 to $92 million in 2012, depending upon whether the net present value discount rate is estimated at 7% or 3%.

(A) Section 3.102(a)—Eligibility and Process for Listing

Proposed Rule: Section 3.102(a) of the proposed rule would have provided that, with several exceptions discussed below, any entity—public or private, for-profit or not-for profit—that can meet the statutory and regulatory requirements may seek initial or continued listing by the Secretary as a PSO. The Department proposed to establish a streamlined certification process for entities seeking initial or continued listing that relied upon attestations that the entities met statutory and regulatory requirements. To foster informed provider choice, entities were encouraged, but would not be required, to post narratives on their respective Web sites that explained how each entity intended to comply with these requirements and carry out its mission.

The proposed rule incorporated a statutory prohibition that precludes a health insurance issuer and a component of a health insurance issuer from becoming a PSO. The Department also proposed to exclude any entity, public or private, that conducts regulatory oversight of health care providers, which included organizations that accredit or license providers. We proposed this restriction for consistency with the statute, which seeks to foster a "culture of safety" in which health care providers are confident that the patient safety events that they report will be used for learning and improvement, not oversight, penalties, or punishment. The proposed rule would permit a component organization of such an entity to seek listing as a PSO. To ensure that providers would know the parent organizations of such PSOs, we proposed that certifications include the name(s) of its parent organization(s), which the Secretary would release to the public. We sought comment on whether we should consider broader restrictions on eligibility.

The proposed rule would permit a delisted entity, whether delisted for cause or because of voluntary relinquishment of its status, subsequently to seek a new listing as a PSO. To ensure that the Secretary would be able to take into account the history of such entities, we proposed such entities submit this information with their certifications for listing.

Overview of Public Comments: The Department received generally favorable comments on our proposal to adopt a streamlined attestation-based approach to initial listing of PSOs. A number of commenters expressed concern about our attestation-based approach, however, arguing for a more in-depth assessment to ensure that an entity had the capability to carry out its statutory and regulatory responsibilities and meet the patient safety objectives of the statute. Some believed that the private marketplace is not necessarily well-equipped to judge which organizations can most effectively meet these requirements. Arguing that one misguided or fraudulent organization could taint the entire enterprise for years, a few commenters suggested that we require interested organizations at initial listing to submit documentation of their ability to meet their statutory and regulatory responsibilities.

Most commenters who urged a stronger approach to the evaluation of certifications for listing acknowledged the value of an expedited process for initial listing and instead focused their recommendations on the importance of creating a more rigorous process for continued listing. A common recommendation was to require, in addition to the proposed certifications for continued listing, that a PSO be required to submit documentation that described in detail how it is complying with the requirements underlying its certifications and urged the Department to arrange for independent review of such documentation, coupled with an audit process that would ensure compliance.

The comments we received were supportive of including a equirement that entities certify whether there is any relevant history regarding delisting about which the Secretary needs to be aware. Several commenters suggested that the entity seeking to be relisted should be required to include reason(s) for any prior delisting. Another suggestion was that the Secretary should have discretion in relisting an entity not to release the names of officials who had positions of responsibility in a previously delisted entity.

The proposed restrictions on eligibility engendered considerable comment. With respect to the statutory restriction on health insurance issuers, concerns and questions were raised regarding whether the exclusion applied to self-insured providers or malpractice liability insurers and whether health systems that include a subsidiary that is a health insurance issuer could establish a component PSO.

We received a significant level of comment regarding our proposed restriction on listing of regulatory oversight bodies. While the majority of commenters supported the proposed exclusion, some commenters took issue with various aspects of our proposal.

Commenters engaged in accreditation activities generally criticized our characterization of these activities as regulatory. They pointed out that the proposed rule did not take into account the distinction between voluntary and mandatory accreditation and, in their view, most accreditation was voluntary. They also noted that accreditation activities were initially developed to ensure the quality and safety of patient care and that accreditation entities, unlike licensure agencies, have greater discretion in addressing any problems that they identify with a provider's operations in a non-punitive way. For these commenters, accreditation activities were not inconsistent with fostering a "culture of safety." By contrast, most provider comments supported the exclusion, and singled out accreditation entities as warranting exclusion.

Return to Table of Contents
Return to Previous Section
Continue to Next Section

 

AHRQAdvancing Excellence in Health Care
AHRQ footer - print version only