Your browser doesn't support JavaScript. Please upgrade to a modern browser or enable JavaScript in your existing browser.
U.S. Department of Health and Human Services www.hhs.gov
Agency for Healthcare Research Quality www.ahrq.gov
AHRQ Home | Questions? | Contact Us | Site Map | What's New | Browse | Información en español | E-mail UpdatesE-mail Updates
www.ahrq.gov

Back to Patient Safety Organizations Home

Patient Safety and Quality Improvement. Final Rule (Continued)

New § 3.108(e)(1) lists three circumstances in which the Secretary may use an expedited process for revocation. The first two circumstances reflect commenter concern regarding excluded entities. The first of these, specified in § 3.108(e)(1)(i), is if the Secretary determines that a PSO is, or is about to become, an entity excluded from listing by § 3.102(a)(2). That section excludes from listing: a health insurance issuer; a unit or division of a health insurance issuer; an entity that is owned, managed or controlled by a health insurance issuer; entities that accredit or license health care providers; entities that oversee or enforce statutory or regulatory requirements governing the delivery of health care services; agents of an entity that oversees or enforces statutory or regulatory requirements governing the delivery of health care services; or entities that operate a Federal, State, Local, or Tribal patient safety reporting system to which health care providers (other than members of the entity's workforce or health care providers holding privileges with the entity) are required to report information by law or regulation.

Because the certifications for listing specifically require an entity to attest that it is not excluded from seeking listing, this situation would mean that the PSO had either filed a false certification, or that the nature of the entity had significantly changed during the course of its listing. An example of an entity "about to become an excluded entity" would be when there is advance notice of a merger of the parent organization of a component PSO with a health insurance issuer. A health insurance issuer is the only excluded entity that may not have a component become a PSO. If the Secretary learns that a PSO is about to become a component of a health insurance issuer, this is one circumstance under which we believe prompt action by the Secretary is essential.

The second circumstance, specified in § 3.108(e)(1)(ii), is when the parent organization of a PSO is an excluded entity and the parent organization uses its authority over providers to require or induce them to use the patient safety services of its component PSO. This was a major concern of commenters in permitting components of accreditation, licensure and regulatory entities to seek listing; the final rule in § 3.102(c) permits such a component to be listed only if it can certify that its parent organization does not impose such requirements on providers. When an excluded entity attempts to require or induce providers to report information to its component PSO, there is reasonable cause for concern regarding the integrity of the firewall between the component PSO and its parent organization. Given the potential harm to providers if their identifiable patient safety work product is made available to the excluded entity, the Department concludes that the need for prompt action is compelling.

The third circumstance specified in § 3.108(e)(1)(iii) of the rule is when the Secretary has determined that the failure to act promptly would lead to serious adverse consequences. We would expect to use this authority sparingly. Despite the confidential and protected nature of patient safety work product, we remain concerned that there can still be serious harm to providers, patients, and reporters named in patient safety work product if a PSO demonstrates reckless or willful misconduct in its protection or use of the work product with which it is entrusted, especially when there is reason to believe there have been repeated deficiencies, or when the PSO engages in fraudulent or illegal conduct. In light of these risks, we believe it is only prudent to give the Secretary the authority to respond promptly to situations where there is a risk of serious adverse harm, even if we cannot adequately foresee all of the specific situations that might require prompt action.

We note that we have accepted the position of another commenter that we not include failure to meet the minimum contract requirement as a basis for expedited revocation. Our intent is to limit expedited revocation to those situations which pose a risk to providers or others.

To accomplish expeditious remedial revocation action, § 3.108(e)(2) waives the procedures in §§ 3.108(a)(2) through 3.108(a)(5) for correction of deficiencies, determinations regarding correction of deficiencies, processes related to the opportunity for a written response by the PSO to a notice of proposed revocation and delisting, and final determination by the Secretary regarding revocation and delisting of the PSO. Instead, the provisions of § 3.108(e)(3) apply.

Under § 3.108(e)(3) of the expedited revocation process, the Secretary would issue a notice of deficiency and expedited revocation that identifies the evidence that the circumstances for expedited revocation exist and indicates any corrective action the PSO can take if the Secretary determines that corrective action may resolve the matter so that revocation and delisting could be avoided. Absent evidence of actual receipt of this notice of deficiency and expedited revocation, the Secretary's notice will be deemed to be received five days after it was sent.

In developing this process, we have taken note of commenters' concern that as a general matter, a PSO alleged to be deficient in compliance should have an opportunity to be heard and have provided the PSO with an opportunity to respond as part of the expedited revocation process. The Secretary must receive a response from the PSO within 14 days of actual or constructive receipt of the notice, whichever is longer. In its written response, the PSO can correct the alleged facts or argue the applicability of the legal basis given for expedited revocation and delisting and offer reasons that would support its case for not being delisted.

If the PSO does not submit a written response, the Secretary may revoke and delist the PSO. Provided the PSO responds within the required time, the Secretary may withdraw the notice, grant the PSO with additional time to resolve the matter, or revoke and delist the PSO. If the Secretary decides to revoke and delist the PSO, we note that the requirements of § 3.108(b) discussed above apply. These requirements relate to notification of the providers who have reported patient safety work product to the PSO, disposition of the PSO's patient safety work product and data, and the ability of providers to continue to report data to the former PSO for 30 calendar days following the effective date and time of delisting and have these data protected as patient safety work product.

5. Section 3.110—Assessment of PSO Compliance

Proposed Rule: Section 3.110 proposed the framework by which the Secretary would assess compliance of PSOs with the requirements of the statute and the rule. This section provided that the Secretary may request information or conduct spot-checks (reviews or site visits to PSOs, announced or unannounced) to assess or verify PSO compliance with the requirements of the statute and this proposed subpart. We noted that we anticipate that such spot checks would involve no more than 5-10% of PSOs in any year. We also noted that this section would reference the Department's overall authority to have access to patient safety work product, if necessary, as part of its implementation and enforcement of the Patient Safety Act.

Overview of Public Comments: There were few comments on this section. Commenters agreed that AHRQ's authority under this section should be limited to PSOs. Several commenters expressed concern about our discussion that we only anticipated spot-checking 5%-10% of PSOs for compliance in any given year. The projected number of spot checks in their view would not be adequate to maintain provider confidence and PSO compliance. Another commenter asked which agency would be delegated the task and identified entities within HHS to which the Secretary should not delegate this responsibility.

Final Rule: We have made no substantive modifications to § 3.110 in the final rule. We note in response to the commenters that urged a higher level of spot checks and inspections that the rule does not limit the ability of the Department to increase the number if warranted. However, we have no basis for assuming that higher levels of spot checks or inspections are warranted in light of the fact that Patient Safety Organizations are not federally funded or controlled and a provider's decision to work with a PSO is voluntary. Therefore, we intend to maintain the approach outlined in the proposed rule. In response to another commenter, the authority to implement Subpart B rests squarely within the authorities to foster patient safety and health care quality improvement of the Agency for Healthcare Research and Quality, and there is no reason to expect it to be delegated to another part of the Department.

6. Section 3.112—Submissions and Forms

Proposed Rule: Proposed § 3.112 would have provided instructions for obtaining required forms and the submission of materials, would have provided contact information for AHRQ (mailing address, Web site, and e-mail address), and would have authorized the Department to request additional information if a submission is incomplete or additional information is needed to enable the Secretary to make a determination on any submission.

Overview of Public Comments: We received no comments on this section.

Final Rule: We have made no substantive modifications to this section. We have made technical changes and incorporated citations for the AHRQ PSO Web site address and corrected the e-mail address.

C. Subpart C—Confidentiality and Privilege Protections of Patient Safety Work Product

Proposed Subpart C would have described the general privilege and confidentiality protections for patient safety work product, the permitted disclosures, and the conditions under which the specific protections no longer apply. The proposed Subpart also would have established the conditions under which a provider, PSO, or responsible person must disclose patient safety work product to the Secretary in the course of compliance and enforcement activities, and what the Secretary may do with such information. Moreover, the proposed subpart would have established the standards for nonidentifiable patient safety work product.

Proposed Subpart C sought to balance key objectives of the Patient Safety Act. First, the proposal sought to address provider concerns about the potential for damage from unauthorized release of information, including the potential for the information to serve as a roadmap for provider liability from negative patient outcomes. It also promoted the sharing of information about adverse patient safety events among providers and PSOs for the purpose of learning from those events to improve patient safety and the quality of care. To achieve these objectives, Subpart C proposed that patient safety work product would be privileged and confidential, except in the certain limited circumstances identified by the Patient Safety Act and as needed by the Department to implement and enforce the Patient Safety Act. In addition, proposed Subpart C provided, in accordance with the Patient Safety Act, that patient safety work product that is disclosed generally would continue to be privileged and confidential, subject to the delineated exceptions. Thus, under the proposal, an entity or person receiving patient safety work product only would be able to disclose such information for a purpose permitted by the Patient Safety Act and the proposed rule, or if patient safety work product was no longer confidential because it was nonidentifiable or subject to an exception to confidentiality. Providers, PSOs, and responsible persons who failed to adhere to these confidentiality rules would be subject to enforcement by the Department, including the imposition of civil money penalties, if appropriate, as provided in Subpart D of the proposed rule.

The proposed rule also explained that several provisions of the Patient Safety Act recognize that the patient safety regulatory scheme will exist alongside other requirements for the use and disclosure of protected health information under the HIPAA Privacy Rule. For example, the Patient Safety Act establishes that PSOs will be business associates of providers and the patient safety activities they conduct will be health care operations of the providers, incorporates individually identifiable health information under the HIPAA Privacy Rule as an element of identifiable patient safety work product, and adopts a rule of construction that states the intention not to alter or affect any HIPAA Privacy Rule implementation provision (see section 922(g)(3) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(3)). As we explained in the proposed rule, we anticipate that most providers reporting to PSOs will be HIPAA covered entities under the HIPAA Privacy Rule, and as such, will be required to recognize and comply with the requirements of the HIPAA Privacy Rule when disclosing identifiable patient safety work product that includes protected health information. As Subpart C addresses disclosure of patient safety work product that may include protected health information, we discuss, where appropriate, the overlap between this rule and the HIPAA Privacy Rule in the preamble description of this Subpart, as we did in the proposed rule.

1. Section 3.204—Privilege of Patient Safety Work Product

Proposed § 3.204 described the privilege protections of patient safety work product and the exceptions to privilege. As we explained in the proposed rule, the Patient Safety Act does not give authority to the Secretary to enforce breaches of the privilege protections, as it does with respect to breaches of the confidentiality provisions. Rather, we anticipate that the tribunals, agencies or professional disciplinary bodies before whom the proceedings take place and before which patient safety work product is sought, will adjudicate the application of the privilege provisions of the Patient Safety Act at section 922(a)(1)-(5) of the Public Health Service Act, 42 U.S.C. 299b-22(a)(1)-(5) and the exceptions to privilege at section 922(c)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(1). Even though the privilege protections will be enforced through the court systems, and not by the Secretary, we repeat the statutory privilege protections and exceptions in this final rule, as we did in the proposed rule. This is done both for convenience and completeness, as well as because the same exceptions in the privilege provisions are repeated in the confidentiality provisions and the term "disclosure" in the final rule describes both the transfer of patient safety work product pursuant to a privilege exception as well as a confidentiality exception. Thus, a disclosure of patient safety work product that is a violation of privilege may also be a violation of confidentiality, which the Secretary does have authority to enforce and for which he can impose a civil money penalty, if appropriate.

We also proposed to include at § 3.204(c) a regulatory exception to privilege for disclosures to the Secretary for the purpose of enforcing the confidentiality provisions and for making or supporting PSO certification or listing decisions. In the final rule, we adopt this proposed provision but also add language to make clear that the exception also applies to disclosures to the Secretary for HIPAA Privacy Rule enforcement, given the significant overlap with respect to disclosures under the two rules. We discuss that change, as well as the public comments and our responses with respect to the other privilege provisions, below.

(A) Section 3.204(a)—Privilege

Proposed Rule: Proposed § 3.204(a) would have described the general rule that, notwithstanding any other provision of Federal, State, local, or Tribal law, patient safety work product is privileged and shall not be: (1) subject to Federal, State, local, or Tribal civil, criminal, or administrative subpoena or order, including in a disciplinary proceeding against a provider; (2) subject to discovery in connection with a Federal, State, local, or Tribal civil, criminal, or administrative proceeding, including a disciplinary proceeding against a provider; (3) subject to disclosure under the Freedom of Information Act (section 552 of Title 5, United States Code) or similar Federal, State, local, or Tribal law; (4) admitted as evidence in any Federal, State, local, or Tribal governmental civil proceeding, criminal proceeding, administrative rulemaking proceeding, or administrative adjudicatory proceeding, including any such proceeding against a provider; or (5) admitted in a professional disciplinary proceeding of a professional disciplinary body established or specifically authorized under State law. The proposed provision generally repeated the statutory language at section 922(a) of the Public Health Service Act, 42 U.S.C. 299b-22(a) but also clarified that privilege would have applied to protect against use of the information in Tribal courts and administrative proceedings.

Overview of Public Comments: We received no comments opposed to this proposed provision.

Final Rule: The final rule adopts this proposed provision.

Response to Other Public Comments

Comment: Several commenters expressed concern about the lack of detailed explanation and information about the privilege protections as compared to the confidentiality provisions in the proposed rule. Some commenters asked for clarification about how breaches of privilege can be enforced and who can assert privilege protection. Two commenters asked whether hospital peer review committees established under state law qualify as disciplinary bodies for purposes of the privilege protection and if there is a distinction between discipline by a state licensing body and discipline by an internal peer review committee.

Response: The Secretary does not have the authority to interpret and enforce the privilege protections of the statute, and thus, the proposed rule did not contain a detailed discussion of these provisions nor can we provide further explanation or interpretation in this final rule. Rather, as described above, the privilege provisions are included only for convenience and completeness, and because the privilege exceptions mirror exceptions to confidentiality. The privilege protections attach to patient safety work product, and we expect that the privilege of patient safety work product will be adjudicated and enforced by the tribunals, agencies or professional disciplinary bodies before which the information is sought and before whom the proceedings take place. A provider facing an opposing party who seeks to introduce patient safety work product in court may seek to enforce the privilege by filing the appropriate motions with the court asserting the privilege to exclude the patient safety work product from the proceeding.

(B) Section 3.204(b)—Exceptions to privilege

Proposed Rule: Proposed § 3.204(b) described the exceptions to privilege established at section 922(c) of the Public Health Service Act, 42 U.S.C. 299b-22c, thereby permitting disclosure of patient safety work product under such circumstances. In all cases, the exceptions to privilege were also proposed as exceptions to confidentiality at § 3.206(b). Proposed § 3.204(b)(1) would have permitted the disclosure of relevant patient safety work product for use in a criminal proceeding after a court makes an in camera determination that the patient safety work product contains evidence of a criminal act, is material to the proceeding, and is not reasonably available from any other source. Proposed § 3.204(b)(2) would have permitted disclosure of identifiable patient safety work product to the extent required to carry out the securing and provision of equitable relief as provided under section 922(f)(4)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(f)(4)(A). Proposed § 3.204(b)(3) would have permitted disclosure of identifiable patient safety work product when each of the identified providers authorized the disclosure. Finally, proposed § 3.204(b)(4) would have excepted patient safety work product from privilege when disclosed in nonidentifiable form.

Overview of Public Comments: Some commenters expressed concern that allowing exceptions to privilege may not adequately protect patient safety work product.

Final Rule: The final rule adopts the proposed provisions. The statute explicitly provides for these limited exceptions to privilege and thus, they are included in this final rule.

Response to Other Public Comments

Comment: One commenter asked that the final rule align the privilege exceptions in § 3.204(b) with the permitted disclosures to law enforcement in the HIPAA Privacy Rule at 45 CFR 164.512(f).

Response: We do not agree that expanding the exceptions to privilege in such a manner is appropriate or prudent. Congress expressly limited the exceptions to privilege to those we have repeated in the final rule. As relevant to law enforcement, the Patient Safety Act permits an exception from privilege protection for law enforcement purposes in only very narrow circumstances—that is, patient safety work product may be used in a criminal proceeding, but only after a judge makes an in camera determination that the information contains evidence of a criminal act, is material to the proceeding, and is not reasonably available from any other source. See § 3.204(b)(1). We do not have authority to further expand or interpret the exceptions to privilege provided for in the statute. Further, we believe strong privilege protections are essential to ensuring the goals of the statute are met by encouraging maximum provider participation in patient safety reporting. We note that § 3.206(c)(10) permits the disclosure of patient safety work product relating to an event that either constitutes the commission of a crime, or for which the disclosing person reasonably believes constitutes the commission of a crime, to law enforcement, provided that the disclosing person believes, reasonably under the circumstances, that the patient safety work product that is disclosed is necessary for criminal law enforcement purposes. In other cases where law enforcement needs access to information that is contained within patient safety work product, we emphasize that the definition of "patient safety work product" specifically excludes a patient's medical or billing record or other original patient information. See § 3.20, paragraph (2)(i) of the definition of "patient safety work product." Thus, such original patient information remains available to law enforcement in accordance with the conditions set out in the HIPAA Privacy Rule, if applicable.

(C) Section 3.204(c)—Implementation and Enforcement of the Patient Safety Act

Proposed Rule: Proposed § 3.204(c) would have excepted from privilege disclosures of relevant patient safety work product to or by the Secretary as needed for investigating or determining compliance, or seeking or imposing civil money penalties, with respect to this rule or for making or supporting PSO certification or listing decisions under the Patient Safety Act. We proposed that these disclosures also be permitted as an exception to confidentiality at § 3.206(d). We explained that, in order to perform investigations and compliance reviews to determine whether a violation occurred, the Secretary may need to have access to privileged and confidential patient safety work product and that we believe Congress could not have intended the privilege and confidentiality protections of the Patient Safety Act to impede such enforcement by prohibiting access to necessary information by the Secretary. Thus, the proposed provision would have allowed disclosure of patient safety work product to and by the Secretary for enforcement purposes, including the introduction of such information into ALJ or Board proceedings, disclosure by the Board to properly review determinations or to provide records for court review, as well as disclosure during investigations by OCR or activities in reviewing PSO certifications by AHRQ. Patient safety work product disclosed under this proposed exception would have remained privileged and confidential pursuant to proposed § 3.208, and proposed § 3.312 limited the Secretary to only disclosing identifiable patient safety work product obtained in connection with an investigation or compliance review for enforcement purposes or as otherwise permitted by the proposed rule or Patient Safety Act.

We also explained in the preamble to the proposed rule that the privilege provisions in the Patient Safety Act would not bar the Secretary from using patient safety work product for compliance and enforcement activities related to the HIPAA Privacy Rule. This interpretation was based on the statutory provision at section 922(g)(3) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(3), which provides that the Patient Safety Act does not affect the implementation of the HIPAA Privacy Rule.

Overview of Public Comments: We received one comment in support of and no comments opposed to this proposed provision.

Final Rule: The final rule adopts the proposed provision, but expands it to expressly provide that patient safety work product also may be disclosed to or by the Secretary as needed to investigate or determine compliance with or to impose a civil money penalty under the HIPAA Privacy Rule. This new language implements the statutory provision at section 922(g)(3) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(3), which, as explained above, makes clear that the Patient Safety Act is not intended to affect implementation of the HIPAA Privacy Rule. Given the significant potential for an alleged impermissible disclosure to implicate both this rule's confidentiality provisions, as well as the HIPAA Privacy Rule, the Secretary may require access to privileged patient safety work product for purposes of determining compliance with the HIPAA Privacy Rule. The Secretary will use such information consistent with the statutory prohibition against imposing civil money penalties under both authorities for the same act.

With respect to this rule, the provision, as it did in the proposed rule, makes clear that privilege does not apply to patient safety work product disclosed to or by the Secretary if needed to investigate or determine compliance with this rule, or to make or support decisions with respect to listing of a PSO. This may include access to and disclosure of patient safety work product to enforce the confidentiality provisions of the rule, to make or support decisions regarding the acceptance of certification and listing as a PSO, or to revoke such acceptance and to delist a PSO, or to assess or verify PSO compliance with the rule.

2. Section 3.206—Confidentiality of Patient Safety Work Product

Proposed § 3.206 described the confidentiality protection of patient safety work product, as well as the exceptions from confidentiality protection.

(A) Section 3.206(a)—Confidentiality

Proposed Rule: Proposed § 3.206(a) would have established the general principle that patient safety work product is confidential and shall not be disclosed by anyone holding the patient safety work product, except as permitted or required by the rule.

Overview of Public Comments: We received no comments directly in reference to this provision.

Final Rule: The final rule adopts this proposed provision.

(B) Section 3.206(b)—Exceptions to Confidentiality

Proposed Rule: Proposed § 3.206(b) described the exceptions to confidentiality, or permitted disclosures. The preamble to the proposed rule explained that there were several overarching principles that applied to these exceptions from confidentiality. First, these exceptions were "permissions" to disclose patient safety work product and the holder of the information retained full discretion whether to disclose. Further, as the proposed rule was a Federal baseline of protection, a provider, PSO, or responsible person could impose more stringent confidentiality policies and procedures on patient safety work product and condition the release of patient safety work product within these exceptions by contract, employment relationship, or other means. However, the Secretary would not enforce such policies or private agreements. Second, when exercising discretion to disclose patient safety work product, we encouraged providers, PSOs, and responsible persons to attempt to disclose the amount of information commensurate with the purpose of the disclosure and to disclose the least amount of identifiable patient safety work product appropriate for the disclosure even if that was less than what would otherwise be permitted by the rule and regardless of whether the information continued to be protected under the rule after the disclosure. Third, the proposal prohibited persons receiving patient safety work product from redisclosing it except as permitted by the rule, and we requested comment on whether there were any negative implications of limiting redisclosures in such a manner.

We also described how the proposal would work with respect to entities also subject to the Privacy Act and/or the HIPAA Privacy Rule. We explained that agencies subject to the Patient Safety Act and the Privacy Act, 5 U.S.C. 552a, must comply with both statutes when disclosing patient safety work product. This means that, for agencies subject to both laws, a disclosure of patient safety work product could only be made if permitted by both laws. The Privacy Act permits agencies to make disclosures pursuant to established routine uses. See 5 U.S.C. 552a(a)(7); 552a(b)(3); and 552a(e)(4)(D). Accordingly, we recommended that Federal agencies that maintain a Privacy Act system of records containing information that is patient safety work product include routine uses that will permit the disclosures allowed by the Patient Safety Act. For HIPAA covered entities, we explained that when a patient's protected health information is encompassed within patient safety work product, any disclosure of such information also must comply with the HIPAA Privacy Rule.

Overview of Public Comments: Some commenters expressed general support for the narrowly drawn exceptions to confidentiality in the proposed rule, while one commenter expressed concern that the exceptions were unnecessarily complex to accomplish their purpose. Several commenters asked that the final rule include additional exceptions to confidentiality or disclosure permissions. For example, some commenters suggested that the final rule permit the disclosure of patient safety work product to federal, state, and local agencies to fulfill mandatory reporting requirements. Other commenters suggested an exception be created to permit the disclosure of patient safety work product to state survey agencies, regulatory bodies, or to any federal or state agency for oversight purposes. Another commenter requested that the final rule include a disclosure permission for emergency circumstances similar to the HIPAA Privacy Rule disclosure at 54 CFR 164.512(j), allowing a PSO to disclose patient safety work product if it determines a pattern of harm and that disclosure is necessary to prevent an individual from harming a person or the public. One commenter, however, believed the proposed rule contained too many exceptions to confidentiality, and thus, did not adequately protect patient safety work product; this commenter suggested that some disclosure permissions be eliminated in the final rule but did not recommend which ones.

Return to Table of Contents
Return to Previous Section
Continue to Next Section

 

AHRQAdvancing Excellence in Health Care
AHRQ footer - print version only