Patient Safety and Quality Improvement. Final Rule (Continued)
New § 3.102(d)(2)(ii) specifies the two required parts of a disclosure statement. The first part must disclose in summary form succinct descriptions of all of the obligations that the PSO has with this provider. The second part must be a related short narrative (we recommend no more than 1,000 words) that addresses the issues described below and is intended to explain the measures taken by the PSO to assure that its analyses and findings are fair and accurate.
We use the term "obligations"—rather than the statutory term "relationships"—in § 3.102(d)(2)(ii) of the rule for the following reason. If a PSO has multiple relationships with a provider, many of these relationships are likely to be both contractual and financial (and may involve other relationships for which the statute requires disclosure). A disclosure statement that was organized by the four types of relationships that require disclosure (subparagraphs (A)—(D) discussed above) would be confusing and difficult to interpret since items in different categories would be related. For example, if the PSO already has a contract with a provider to render a service for which it is paid, we do not see the benefit of having the contract listed in one reporting category and the financial relationship in another reporting category since they are clearly related.
Therefore, in drafting the required disclosure statement, a PSO should address the four statutorily-required disclosures discussed above as aspects of the separate obligations or arrangements that exist between a PSO and the provider with which the PSO is entering or has a Patient Safety Act contract. A PSO should focus on clarity and brevity in explaining each obligation in a single paragraph: a sentence or two describing the nature of the obligation, and the remainder of the paragraph should address each of the four required disclosures that are present and specifically note any of the four that are not.
As we use the term, an obligation is not limited to services that a PSO renders to a provider (such as developing information and undertaking analyses or providing a service or technical assistance). An obligation could also reflect a PSO's relationship with an investor or owner and any arrangement that affects the PSO's independence or involves any of the statutorily-required disclosures described above. In developing its list, a PSO should not combine separate and distinct obligations such as more than one contract, nor should it disaggregate a single obligation. For example, if a PSO undertakes technology assessments and has three separate contracts for different assessments, these would be three separate obligations and should be reported separately. On the other hand, an obligation that has more than one task, such as providing assistance in implementing and evaluating a process improvement, should only be listed once; we are not suggesting that PSOs report separately on the different elements of a single unified project.
To apply these concepts, consider a hospital that was one of five hospitals that invested in the creation of a PSO and the hospital subsequently enters a Patient Safety Act contract with the PSO. If this investment is the only obligation other than the Patient Safety Act contract that exists between the PSO and the provider, the PSO's disclosure statement would include only one obligation and it could be described in a single paragraph. Within that paragraph, the PSO should systematically address the required statutory disclosures or note that they are not present. In addressing financial relationships, the PSO should not include the amount of the investment or specific terms. In this case, the required paragraph would describe the essential nature of the financial relationship, e.g., it is a loan requiring repayment over X years; it is a long-term investment requiring the payment of dividends, etc., whether it was formalized by a contract, whether a reporting relationship exists, e.g., the provider has access to internal quarterly financial statements not available to other providers, and whether the obligation gives the provider any ability to control or manage the PSO's operations, e.g., the provider has a seat on the board or review or veto authority over new clients, specific contracts, budgets, staff hiring, etc.
If the PSO is a subsidiary of a health system, the paragraph could indicate that PSO is a subsidiary of the provider, the provider is the primary source of revenue for the component PSO, the types of internal PSO information to which the provider has access, e.g., all financial, personnel, administrative internal information, and that the provider manages or controls (or has review and approval authority) of day-to-day decision-making, hiring and firing decisions, etc. By incorporating the required statutory disclosures into a succinct discussion of the obligations that a PSO has with this provider, we anticipate that the descriptions will be more comprehensible.
Part II of a disclosure statement must describe why or how the PSO, given the disclosures in part I, can fairly and accurately perform patient safety activities. The PSO must address: the policies and procedures that the PSO has in place to ensure adherence to professional analytic standards and objectivity in the analyses it undertakes; and any other policies, procedures, or agreements that ensure that the PSO can fairly and accurately perform patient safety activities.
Section 3.102(d)(2)(iii) of the rule retains the deadlines for submission of disclosure statements that were included in the proposed rule.
Response to Other Public Comments
Comment: One commenter asked that we exempt a PSO with fewer than 5 clients from releasing the names of its clients.
Response: We note that a PSO never has to reveal the names of its clients (providers) as long as the PSO does not have the other types of relationships described in this subsection with those providers. However, when such relationships are present, the statute does not provide authority for us to create such exceptions.
Comment: One commenter asked that we clarify that the required disclosures can be made in a way that the PSO does not breach the confidentiality requirements that may be a part of another contractual arrangement with a contracting provider.
Response: The Department cannot make a definitive statement that such confidentiality agreements can always be honored; this requires a case-by-case determination. A PSO is encouraged to discuss the issue with AHRQ staff before submitting a disclosure statement. As noted above, the agency's public disclosures are constrained by 18 U.S.C. 1905, but agency officials have some discretion with respect to determining what information would be restricted under that statute. We note also that the agency has the discretion to deny Freedom of Information Act requests for information it regards as confidential commercial information (5 U.S.C. 552(b)(4)). Agency determinations will be assisted by explanations of what is viewed by a submitter as confidential commercial information and the reasons why that is the case.
Comment: One commenter posed a series of questions related to an entity that seeks listing that receives general membership dues or assessments, i.e., whether such general dues or assessments would be considered financial relationships and, therefore, require the filing of disclosure statements. The commenter also asked if disclosure of such membership dues or assessments is required under any other section of the rule.
Response: The Department has determined that membership dues or general assessments applied to all members do not constitute "financial relationships" between a provider and a PSO. There is no other section of the rule that would require disclosure of membership dues or assessments. Before seeking listing, however, a membership organization should carefully assess whether it meets the statutory requirement that its primary activity must be the conduct of activities to improve patient safety and the quality of health care delivery.
(A) Section 3.104(a)—Actions in Response to Certification Submissions for Initial and Continued Listing as a PSO
Proposed Rule: Section 3.104(a) described the actions that the Secretary could and will take in response to the certification material submitted for initial or continued listing as a PSO. We proposed that, in making a listing determination, the Secretary would consider the submitted certifications, issues related to the history of the entity, and any findings by the Secretary regarding disclosure statements. The proposed rule also included authority for the Secretary, under certain circumstances, to condition the listing of a PSO. We did not propose a deadline for Secretarial review of certifications submitted, but noted that we expect the Secretary to be able to conclude review within 30 days of receipt unless additional information or assurances are required.
Overview of Public Comments: We received several comments pertaining to this section. One comment endorsed the proposed provision. Another requested that we modify the rule to require Secretarial action within 60 days. A third commenter recommended that the Secretary establish timetables for all actions and opposed open-ended timeframes.
Final Rule: We have retained the text from the proposed rule with two modifications. The text of § 3.104(a)(1)(iii) of the proposed rule stated that the Secretary may require conditions for listing as part of his review of disclosure statements submitted pursuant to § 3.102(d)(2); that text has been retained. We also noted in the preamble discussing proposed § 3.104(a) that there may be certain circumstances in which the Secretary determines that it would not be prudent to rely solely on the certifications for listing submitted by an entity that was previously revoked and delisted for cause or previously refused listing by the Secretary. In such limited circumstances, we suggested the Secretary may seek additional assurances from the PSO that would increase the Secretary's confidence that, despite the history of the entity and its officers and senior staff, the entity could now be relied upon to comply with its statutory and regulatory obligations. To reflect the potential need for assurances in such cases, and to better align the text with the preamble discussion of the proposed rule, we have modified the text of § 3.104(a)(1)(iii) to permit the Secretary to condition the listing of a PSO in this limited circumstance to ensure that such a PSO honors the assurances it makes in seeking listing.
The second change is a conforming modification to the basis for the Secretary's determination in § 3.104(a)(2), which specifically recognizes the right of the Secretary to take into account any history of or current non-compliance with requirements of the rule by officials and senior managers of the entity. This change also mirrors the requirement in § 3.102(a)(1) that entities seeking listing inform the Secretary if their officials or senior managers held comparable positions in a PSO that was delisted or with an entity that was denied listing by the Secretary.
We have not accepted the commenter's recommendation to establish a regulatory deadline of 60 days for Secretarial action. This is a novel initiative and without a better sense of the potential issues that may arise, such as when a delisted PSO seeks a new listing, we are reluctant to circumscribe the flexibility that the statute and the proposed rule provided the Secretary. In addition, the statute requires an affirmative acceptance and listing action by the Secretary. Listing cannot occur as a result of any failure to meet a deadline. Accordingly, we have not adopted the recommendation.
(B) Section 3.104(b)—Actions Regarding PSO Compliance With the Minimum Contract Requirement
Proposed Rule: Section 3.104(b) of the proposed rule stated that, after reviewing the required notification from a PSO regarding its compliance with the minimum contract requirement, the Secretary would, for a PSO that attests that it has met the requirement, would acknowledge in writing receipt of the attestation and include information on the list of PSOs. If the PSO notifies the Secretary that it has not yet met the requirement, or if notification is not received from the PSO by the required date, the proposed rule stated that the Secretary would promptly issue a notice of a preliminary finding of deficiency and provide the PSO an opportunity for correction that will extend no later than midnight of the last day of its applicable 24-month assessment period. If the Secretary verifies that the PSO has not met the requirement by the last day of the 24-month period, he would issue a notice of proposed revocation and delisting.
Overview of Public Comments: We received no comments on this subsection.
Final Rule: The final rule incorporates the substance of the NPRM text without modification but restructures the text for clarity. The restructured text clarifies that the Secretary will only issue a notice of a preliminary finding of deficiency after the date on which a PSO's notification to the Secretary is required by § 3.102(d)(1).
(C) Section 3.104(c)—Actions Regarding Required Disclosures by PSOs of Relationships With Contracting Providers
Proposed Rule: Section 3.104(c) of the proposed rule stated that the Secretary would evaluate a disclosure statement submitted by a PSO regarding its relationships with contracting providers by considering the nature, significance, and duration of the relationships between the PSO and the contracting provider. We sought public comment on other appropriate factors to consider. The statute requires disclosure of the Secretary's findings, and we proposed public release, consistent with the Freedom of Information Act and 18 U.S.C. 1905, of PSO disclosure statements as well.
This proposed section also listed the statutorily permissible actions that the Secretary could take following his review: conclude that the disclosed relationships require no action on his part or, depending on whether the entity is listed or seeking listing, condition his listing of the PSO, exercise his authority to refuse to list, or exercise his authority to revoke the listing of the entity. The Secretary would notify each entity of his findings and decisions.
Overview of Public Comments: One commenter suggested that our proposal that the Secretary consider the nature, significance, and duration of the relationship in evaluating the relationships had no statutory foundation. Another commenter suggested that we take into account corrective action. Several commenters proposed that we rely upon the inter-agency work group that is assisting AHRQ in developing common formats and definitions for reporting patient safety work product to assist in developing disclosure statements. One commenter suggested that we create a "safe harbor" for multi-hospital parent organization systems that contract with a PSO on behalf of some or all of its hospitals so that a disclosure statement would not be required, deeming that the component PSO of a multi-hospital organization can perform patient safety activities fairly and accurately. Another suggestion was that the Secretary should adopt a standard requiring that there be no conflicts of interests.
Final Rule: We have retained much of the text from the proposed rule but have modified the paragraph setting forth the basis for the Secretary's findings regarding disclosure statements. In light of the comments, we have deleted the reference to "nature, significance, and duration" as not appropriate in every circumstance. The modification to the rule now requires the Secretary to consider the disclosures made by the PSO and an explanatory statement from the PSO making the case for why the PSO can fairly and accurately perform patient safety activities.
We have not adopted the other suggestions. As we discuss above, with respect to § 3.102(d)(2), we agree with the commenter that there is little reason for a provider organization to exert inappropriate control over its component PSO. At the same time we do not believe the statute permits us to waive Secretarial review under any set of circumstances.
We do not agree with commenters that the common formats inter-agency work group is the appropriate group to address disclosure statements. At this time, their informatics and clinical expertise and responsibilities are not congruent with assisting in the design or substantive requirements for disclosure statements.
(D) Section 3.104(d)—Maintaining a List of PSOs
Proposed Rule: The proposed rule sought to incorporate in § 3.104(d) the statutory requirement that the Secretary compile and maintain a list of those entities whose PSO certifications have been accepted and which certifications have not been revoked or voluntarily relinquished. We proposed that the list would include information related to certifications for listing, disclosure statements, compliance with the minimum contract requirement, and any other information required by this Subpart. We noted that we expected to post this information on the AHRQ PSO Web site, and sought comment on whether there are specific types of information that the Secretary should consider posting routinely on this Web site for the benefit of PSOs, providers, and other consumers of PSO services.
Overview of Public Comments: In addition to the list in the proposed rule, several commenters urged that we post the contact information for the parent organizations, subsidiaries, and affiliates, a list of states in which the parent organization does business, and the business objectives of the parent organizations, and whether each parent organization is for-profit or not-for-profit.
Two commenters suggested that the Secretary's guidance on common reporting formats and definitions should be available on the PSO Web site. One commenter urged that the final rule and contact information for AHRQ staff should also be available there. Another commenter suggested that, since AHRQ works with PSOs, the value to prospective providers would be increased if we posted information on areas of specialization of individual PSOs and use the Web site as one tool for facilitating confirming analyses by other PSOs of initial work.
Final Rule: The final rule incorporates the proposed rule text without modification. We have not modified the text of the rule because most of the recommendations relate to information that AHRQ will be receiving or producing for PSOs and can be posted to the Web site without additions or changes to the rule text. Recommendations to post information related to AHRQ staff and the final rule can be done without regulation as well. As AHRQ provides technical assistance to PSOs and works with the provider community to encourage the use of PSO services, we expect to publish information on the Web site that PSOs and the provider community request. In addition, the names and contact information of parent organizations of component PSOs and other information submitted at listing will be posted in accordance with the proposed rule text.
Commenters urged us to post some information that we have no plans to collect, and, therefore, we have not accepted their recommendations. Most of these recommendations related to the business objectives, or the for-profit or not-for- profit status of parent organizations of component PSOs. In our view, requiring component organizations to submit such information would be burdensome and unnecessary. Providers will be able to find that information by using the published contact information on PSOs and parent organizations.
(E) Section 3.104(e)—Three-Year Period of Listing
Proposed Rule: Section 3.104(e) proposed that listing as a PSO would be for three years, unless the Secretary revokes the listing or the PSO voluntarily relinquished its status. We also proposed that the Secretary would send a written notice of imminent expiration to a PSO no later than 45 calendar days before its listing expires if the Secretary has not received a certification seeking continued listing. We sought comment on a requirement that the Secretary publicly post the names of PSOs to which a notice of imminent expiration has been sent.
Overview of Public Comments: Commenters were virtually unanimous that, at the time we send a PSO a notice of imminent expiration, we should post similar information on the AHRQ PSO Web site. Several commenters suggested that PSOs should be required to notify providers that the PSO has received a notice of imminent expiration and expressing concerns about the time needed for providers to make alternative arrangements. One commenter suggested that notice to providers should be a part of the contract with the PSO. Another suggested that the Department establish an email listserv that providers could join for alerts such as this. One commenter opposed public notice and one expressed conditional support, provided the Department ensured the accuracy of the information on the Web site.
Final Rule: We have modified and redrafted § 3.104(e) of the final rule. The final rule retains the proposed provision that the period of listing will be for three years, unless revoked or relinquished. The first modification is that this section now explicitly provides for the automatic expiration of a PSO's listing at the end of three years, unless the Secretary approves its certification for continued listing before the date of expiration. By incorporating this modification and making the process automatic, we have been able to eliminate the proposal in § 3.108(c) for a process we termed "implied voluntary relinquishment." In comparison with the proposed rule approach, which required the Secretary to take affirmative action to delist a PSO that let its certifications lapse, this automatic approach simplifies the administrative process.
We have modified subparagraph 3.104(e)(2) in two ways. We will send a PSO a notice of imminent expiration even earlier—at least 60 days rather than 45 days—before its certifications expire. We adopted the earlier notification date in response to general concerns reflected in the comments about the time a provider needed to make alternative arrangements and to ensure sufficient time for the Secretary to review and make a determination regarding certifications for continued listing. The second modification incorporates our proposal to post a notice on the AHRQ PSO Web site, for which commenters expressed strong support. In combination, we expect these modifications will provide both the PSO and the providers from which it receives data sufficient notice that the entity's period of listing is drawing to a close.
We have not incorporated the recommendation to require PSOs receiving the notice to contact all providers. We expect most providers and PSOs to take advantage of AHRQ's existing listserv that will provide electronic notice to all subscribers when a notice such as this is posted on the AHRQ PSO Web site. Providers will also be able to sign up on the web site to receive individual emails if their PSO becomes delisted. In this way, we can be assured that notification is sent to, and received by, all interested parties.
(F) Section 3.104(f)—Effective Date of Secretarial Actions
Proposed Rule: The proposed rule in section 3.104(f) states that, unless otherwise specified, the effective date of each action by the Secretary would be specified in the written notice that is sent to the entity. We noted that the Department anticipates sending notices by electronic mail or other electronic means in addition to a hard copy version. We also pointed out that for listing and delisting decisions, the Secretary would specify both an effective time and date for such actions in the written notice to ensure clarity regarding when information received by the entity will be protected as patient safety work product.
Overview of Public Comments: We received no public comments on this subsection.
Final Rule: The final rule incorporates the proposed rule text without modification.
Proposed Rule: Section 3.106 of the proposed rule outlined a framework consisting of four categories for the security of patient safety work product that PSOs would consider in developing policies and procedures for the protection of data. Because § 3.106 contains only two subsections and we received few comments, we will discuss both subsections of the rule together.
Section 3.106(a) proposed that the security requirements of this section would apply to each PSO, its workforce members, and its contractors whenever the contractors hold patient safety work product. If contractors cannot meet these security requirements, we proposed that their tasks be performed at locations at which the PSO can meet these requirements. We stated that the rule does not impose these requirements on providers; this Subpart would only apply to PSOs.
Proposed § 3.106(b) would have established a framework consisting of four categories for the security of patient safety work product that a PSO must consider. We proposed that each PSO develop appropriate and scalable standards that are suitable for the size and complexity of its organization.
The four categories of the framework would have included: security management issues (documenting its security requirements, ensuring that its workforce and contractors understand the requirements, and monitoring and improving the effectiveness of its policies and procedures); separation of systems (required physical separation of patient safety work product, appropriate disposal or sanitization of media, and preventing physical access to patient safety work product by unauthorized users or recipients); security control and monitoring controls (ability to identify and authenticate users, an audit capacity to detect unlawful, unauthorized, or inappropriate activities, and controls to preclude unauthorized removal, transmission or disclosures); and policies and procedures for periodic assessment of the effectiveness and weaknesses of its overall approach to security (determine when it needs to undertake risk assessment exercises and specify how it would assess and adjust its procedures to ensure the security of its communications involving patient safety work product to and from providers and other authorized parties).
Overview of Public Comments: There were no public comments that specifically addressed § 3.106(a) of the rule. Commenters focused instead on the overall security framework established by § 3.106(b). The majority of commenters supported the proposed requirements and emphasized the concepts of scalability and flexibility that were reflected in the proposed rule. Two commenters urged the Department to adopt the HIPAA Security Rule instead. Another commenter suggested that the final rule should emphasize the need for PSOs to maintain up-to-date security processes and urged that the final rule specifically recognize that PSOs can include HIPAA Security Rule requirements in their business associate contracts with providers that are covered entities.
While there were few comments overall on this section of the rule, the specific provision that elicited the most concern was the requirement in § 3.106(b)(2) that patient safety work product needed to be maintained securely separate from other systems of records. As discussed above with respect to obligations of component organizations, commenters expressed concern regarding the potential burden of such a requirement and several pointed to the analytic benefits of being able to readily merge data sets for specific analyses. It was recommended that the final rule permit the patient safety work product and non-patient safety work product to be stored in the same database as long as the security requirements are implemented for the database as a whole.
Another commenter pointed to the confusion, inconsistency, and errors that were likely to result from the rule text in which each paragraph began with the words that a PSO "must address" each security issue within the framework while introductory paragraph (b) indicated that PSOs merely needed to "consider" the security framework.
Final Rule: We have modified the text of § 3.106 both to improve its clarity in non-substantive ways and to incorporate several substantive modifications in response to the comments we received. The changes to § 3.106(a) are for clarity. For uniformity and brevity, throughout § 3.106, we have standardized references regarding the application of security requirements to the "receipt, access, and handling" of patient safety work product. The rule text defines "handling" of patient safety work product as including its processing, development, use, maintenance, storage, removal, disclosure, transmission and destruction.
We have incorporated several modifications to the text of § 3.106(b). We have both simplified the text of the opening paragraph of this subsection and substituted the requirement that "PSOs must have written policies and procedures that address" for the language of the proposed rule that stated the "PSO must consider." We agree with the commenter that retention of the proposed rule language would create confusion regarding what is required of a PSO. By retaining the language that permits a PSO to develop specific standards that address the security framework in this section with standards that are appropriate and scalable, we intend to retain flexibility for PSOs to determine how they will address each element of the security framework.
The most significant substantive change in the security framework is in § 3.106(b)(2), which had required the separation of patient safety work product from non-patient safety work product at all times. Based on comments received, we have modified both the title of § 3.106(b)(2) and the text of § 3.106(b)(2)(i). Section 3.106(b)(2) is now entitled "Distinguishing Patient Safety Work Product," rather than "Separation of Systems," and § 3.106(b)(2)(i) recognizes that the security of patient safety work product can be maintained either when patient safety work product is maintained separately from non-patient safety work product or when it is co-located with non-patient safety work product, provided that the patient safety work product is distinguishable. This will ensure that the appropriate form and level of security can be maintained. This change responds to several comments that opposed the absolute requirement for separation in the proposed rule.
While we have, thus, allowed greater procedural flexibility, we caution PSOs to be attentive to ensuring that patient safety work product remains distinguishable at all times if it is not kept separated. To the extent that patient safety work product becomes co-mingled with non-protected information, there is increased risk of impermissible disclosures and violations of the confidentiality requirements of the rule and the Patient Safety Act.
We have also eliminated a reference to a PSO determination of appropriateness that was in the text of the proposed rule in § 3.106(b)(4)(i) as redundant, since the rule permits a PSO to develop appropriate and scalable standards for each element of the security framework, including this element.