U.S. Department of Health and Human Services www.hhs.gov
Agency for Healthcare Research Quality www.ahrq.gov
AHRQ Home | Questions? | Contact Us | Site Map | What's New | Browse | Información en español | E-mail UpdatesE-mail Updates
www.ahrq.gov
PSO Home Patient Safety Organizations Stethoscope

Patient Safety and Quality Improvement. Final Rule (Continued)

Several commenters responded to the question regarding whether there were any negative implications of limiting redisclosures as outlined in the proposed rule. These commenters supported the limitations on redisclosures of patient safety work product in the proposed rule; we received no comments identifying any negative implications of this limitation. One commenter, however, noted that the redisclosures should be governed by the HIPAA Privacy and Security Rules.

Finally, some commenters sought clarification regarding preemption. Several commenters asked whether the federal patient safety work product protections preempted existing State law that permitted or required disclosure of similar types of records. Other commenters asked whether greater State law protections continue to exist alongside patient safety work product protections, stating that some providers may decide not to participate with a PSO if they would lose existing State law protections.

Final Rule: The final rule generally adopts the proposed provisions, with some modifications as explained below in the specific discussions of the individual disclosure permissions. The disclosure permissions in this section reflect those provided by the statute, and the Secretary has no authority to eliminate or neglect to implement certain of the provisions. Further, the statute provides only limited authority to the Secretary to expand the disclosure permissions. See, for example, section 922(c)(2)(F) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(F), providing the Secretary with authority to create permissions for disclosures that the Secretary may determine, by rule or other means, are necessary for business operations and are consistent with the goals of the statute. Thus, the final rule does not create any new, or eliminate any proposed, categories of disclosure permissions.

With respect to those commenters who requested a disclosure permission be added to allow for the disclosure of patient safety work product to federal, state, and local agencies to fulfill mandatory reporting requirements or for oversight purposes, we disagree that such a modification is necessary. The final rule gives providers much flexibility in defining and structuring their patient safety evaluation system, as well as determining what information is to become patient safety work product and, thus, protected from disclosure. Providers can structure their systems in a manner that allows for the use of information that is not patient safety work product to fulfill their mandatory reporting obligations. See the discussion regarding the definition of "patient safety work product" in this preamble for more information. Further, as original medical and other records are expressly excepted from the definition of "patient safety work product," providers always have the option of using those records to generate the reports necessary for their mandatory reporting obligations to federal, state, and local agencies.

With respect to disclosures for emergency circumstances, the Patient Safety Act provides no general exception for such disclosures. However, patient safety work product may be disclosed under § 3.206(b)(10) to law enforcement if the disclosing party reasonably believes the patient safety work product contains information that constitutes a crime. For emergency circumstances that do not rise to the level of criminal conduct, the information necessary to identify and address such emergencies should be readily available and accessible in medical records and other original documents that are not protected as patient safety work product.

The final rule also adopts the redisclosure limitations of the proposed rule. As described above, commenters largely supported, and did not identify negative implications of, these restrictions. We discuss the individual redisclosure limitations below in the specific discussions regarding the disclosure permissions to which they apply. We note that the HIPAA Privacy and Security Rules will govern redisclosures of patient safety work product only to the extent that the redisclosures are made by a HIPAA covered entity and the patient safety work product encompasses protected health information.

In response to the comments and questions regarding preemption, we note that the Patient Safety Act provides that, notwithstanding any other provision of Federal, State, or local law, and subject to the prescribed exceptions, patient safety work product shall be privileged and confidential. See sections 922(a) and (b) of the Public Health Service Act, 42 U.S.C. 299b-22(a) and (b). The statute also provides as rules of construction the following: (1) that the Patient Safety Act does not limit the application of other Federal, State, or local laws that provide greater privilege or confidentiality protections than those provided by the Patient Safety Act; and (2) the Patient Safety Act does not preempt or otherwise affect any State law requiring a provider to report information that is not patient safety work product. See section 922(g) of the Public Health Service Act, 42 U.S.C. 299b-22(g). Thus, the patient safety work product protections provided for under the statute generally preempt State or other laws that would permit or require disclosure of information contained within patient safety work product. However, State laws that provide for greater protection of patient safety work product are not preempted and continue to apply.

Response to Other Public Comments

Comment: Several commenters asked that the final rule discuss redisclosures in more detail and further explain the consequences of redisclosures.

Response: A redisclosure, or "further disclosure" as described in the regulatory text, of patient safety work product, like a disclosure, is the release, transfer, provision of access to, or divulging in any other manner of patient safety work product by an entity or natural person holding the patient safety work product to another legally separate entity or natural person outside the entity holding the patient safety work product. Natural persons or entities who receive patient safety work product generally may further disclose such information pursuant to any of the disclosure permissions in the final rule at §3.206, except where expressly limited pursuant to the provision under which the natural person or entity received the information. These restrictions on further disclosures may be found at §§ 3.206(b)(4)(ii) (disclosure to a contractor of a provider or PSO for patient safety activities), 3.206(b)(7) (disclosure to the Food and Drug Administration (FDA) and entities required to report to FDA), 3.206(b)(8) (voluntary disclosure to an accrediting body), 3.206(b)(9) (business operations), and 3.206(b)(10) (disclosure to law enforcement). These limitations are described more fully below in the discussions concerning the disclosure permissions to which they apply. As with an impermissible disclosure, impermissible redisclosures are subject to enforcement by the Secretary and potential civil money penalties.

Comment: Two commenters asked that we monitor the impact of the rule to ensure that it does not improperly impede the necessary sharing of patient safety work product.

Response: As the rule is implemented, we will monitor its impact and consider whether any concerns that are raised by providers, PSOs, and others should be addressed through future modification to the rule or guidance, as appropriate.

(1) Section 3.206(b)(1)—Criminal Proceedings

Proposed Rule: Proposed § 3.206(b)(1) would have permitted the disclosure of identifiable patient safety work product for use in a criminal proceeding, if a court makes an in camera determination that the identifiable patient safety work product sought for disclosure contains evidence of a criminal act, is material to the proceeding, and is not reasonably available from other sources. See section 922(c)(1)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(A). The proposed provision paralleled the exception to privilege at proposed § 3.204(b)(1).

As we explained in the proposed rule, the Patient Safety Act establishes that patient safety work product generally will continue to be privileged and confidential upon disclosure. See section 922(d)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(1) and § 3.208 of this rule. However, the Patient Safety Act limits the continued protection of patient safety work product disclosed for use in a criminal proceeding pursuant to this provision. In particular, patient safety work product disclosed pursuant to this provision continues to be privileged after disclosure but is no longer confidential. See section 922(d)(2)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(2)(A). We explained that this would mean, for example, that law enforcement personnel who obtain patient safety work product used in a criminal proceeding could further disclose that information because confidentiality protection would not apply; however, law enforcement could not seek to introduce the patient safety work product in another proceeding without a new in camera determination that would have complied with the privilege exception at proposed § 3.204(b)(1).

We also reminded entities that are subject to the HIPAA Privacy Rule that any disclosures pursuant to this provision that encompass protected health information also would need to comply with the HIPAA Privacy Rule's provision at 45 CFR 164.512(e) for disclosures pursuant to judicial proceedings. We explained that we expected court rulings following an in camera determination to be issued as a court order, which would satisfy the HIPAA Privacy Rule's requirements.

Overview of Public Comments: We received no comments opposed to this provision.

Final Rule: The final rule adopts the proposed provision.

Response to Other Public Comments

Comment: One commenter asked that the final rule make clear that patient safety work product disclosed under this provision continues to be privileged and cannot be used or reused as evidence in any civil proceeding even though the information is no longer confidential.

Response: The final rule makes this clear. See § 3.208(b)(1).

(2) Section 3.206(b)(2)—Equitable Relief for Reporters

Proposed Rule: The Patient Safety Act prohibits a provider from taking an adverse employment action against an individual who, in good faith, reports information to the provider for subsequent reporting to a PSO or to a PSO directly. See section 922(e)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(e)(1). For purposes of this provision, adverse employment actions include loss of employment, failure to promote, or adverse evaluations or decisions regarding credentialing or licensing. See 922(e)(2) of the Public Health Service Act, 42 U.S.C. 299b-22(e)(2). The Patient Safety Act provides adversely affected reporters a civil right of action to enjoin such adverse employment actions and obtain other equitable relief, including back pay or reinstatement, to redress the prohibited actions. See 922(f)(4) of the Public Health Service Act, 42 U.S.C. 299b-22(f)(4). To effectuate the obtaining of equitable relief under this provision, the Patient Safety Act provides that patient safety work product is not subject to the privilege protections or to the confidentiality protections. Thus, proposed § 3.206(b)(2) would have permitted the disclosure of identifiable patient safety work product by an employee seeking redress for adverse employment actions to the extent that the information is necessary to permit the equitable relief. This proposed provision paralleled the privilege exception to permit equitable relief at proposed § 3.204(b)(2). Also, in accordance with the statute, we proposed that once patient safety work product is disclosed pursuant to this provision, it would have remained subject to confidentiality and privilege protection in the hands of all subsequent holders and could not be further disclosed except as otherwise permitted by the rule.

We also provided guidance with respect to the application of the HIPAA Privacy Rule if a covered entity (or its business associate) was making the disclosure and the patient safety work product included protected health information. In that regard, we explained that, under the HIPAA Privacy Rule at 45 CFR 164.512(e), when protected health information is sought to be disclosed in a judicial proceeding via subpoenas and discovery requests without a court order, the disclosing HIPAA covered entity must seek satisfactory assurances that the party requesting the information has made reasonable efforts to provide written notice to the individual who is the subject of the protected health information or to secure a qualified protective order.

Finally, the proposed rule solicited comments on whether the obtaining of a protective order should be a condition of the disclosure under this provision or whether, instead, the final rule should require only a good faith effort to obtain a protective order as a condition of this disclosure.

Overview of Public Comments: Two commenters expressed general support for the proposed provision, stating that it struck the appropriate balance between maintaining the confidentiality and privilege protections on patient safety work product and allowing reporters of patient safety work product to seek redress for adverse employment actions based upon their good faith reporting of this information to a PSO. Several commenters responded to the question posed in the proposed rule asking whether a protective order should be a condition of disclosure under this provision or if a good faith effort in obtaining a protective order should be sufficient. All of these commenters agreed that the obtaining of a protective order should be a condition of disclosure of patient safety work product under this provision.

Final Rule: The final rule adopts the proposed disclosure permission at § 3.206(b)(2) but conditions the permitted disclosure for equitable relief on the provision of a protective order by the court or administrative tribunal to protect the confidentiality of the patient safety work product during the course of the proceeding. Although patient safety work product remains confidential and privileged in the hands of all recipients after disclosure under this provision, we recognize that the sensitive nature of the patient safety work product warrants requiring a protective order as additional protection on this information. Because some participants and observers of a proceeding involving equitable relief for an adverse employment action may not be aware that certain information is protected as patient safety work product to which penalties attach for impermissible disclosures, requiring a protective order is prudent to ensure that patient safety work product is adequately protected and that individuals are put on notice of its protected status. As we explained in the proposed rule, such a protective order could take many forms that preserve the confidentiality of patient safety work product. For example, the order could limit the use of the information to case preparation, but not make it evidentiary. Or, the order might prohibit the disclosure of the patient safety work product in publicly accessible proceedings and in court records to prevent liability from moving to a myriad of unsuspecting parties.

We recognize that, in some cases, a reporter seeking equitable relief may be unable to obtain a protective order from a court prior to making a necessary disclosure of patient safety work product, despite the reporter's good faith and diligent effort to obtain one. If the Secretary receives a complaint that patient safety work product was disclosed by a reporter seeking equitable relief, the Secretary has discretion not to impose a civil money penalty, if appropriate. While the final rule requires a protective order as a condition of disclosure, it is not the Secretary's intent to frustrate the obtaining of equitable relief provided for under the statute. Thus, the Secretary will review the circumstances of such complaints to determine whether to exercise his enforcement discretion to not pursue a civil money penalty.

(3) Section 3.206(b)(3)—Authorized by Identified Providers

Proposed Rule: Proposed § 3.206(b)(3) would have permitted a disclosure of patient safety work product when each provider identified in the patient safety work product separately authorized the disclosure. This provision paralleled the privilege exception at proposed § 3.204(b)(3) and was based on section 922(c)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(C). The proposed rule explained that patient safety work product disclosed under this exception would continue to be confidential pursuant to the continued confidentiality provisions at section 922(d)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(1), and persons would be subject to liability for further disclosures in violation of that confidentiality.

We also explained that it would be insufficient to make identifiable information regarding a nonauthorizing provider nonidentifiable in lieu of obtaining an authorization. While we considered such an approach, we rejected it as impractical given that it seemed there would be very few, if any, situations in which a nonauthorizing provider could be nonidentified without also needing to nonidentify, or nearly so, an authorizing provider in the same patient safety work product.

We encouraged persons disclosing patient safety work product to exercise discretion with respect to the scope of patient safety work product disclosed and to consider whether identifying information regarding reporters or patients was necessary, even though the statute required neither patient nor reporter authorization under this provision. We also explained that, if the disclosing entity is a HIPAA covered entity (or business associate), the HIPAA Privacy Rule, including the minimum necessary standard when applicable, would apply to the disclosure of protected health information contained within the patient safety work product. Further, if the disclosure was not also permitted under the HIPAA Privacy Rule, the patient information would need to be de-identified. We sought public comment as to whether the proposed approach was sufficient to protect the interests of reporters and patients identified in the patient safety work product permitted to be disclosed pursuant to this provision.

While the Patient Safety Act does not specify the form of the authorization under this exception, we proposed that an authorization be in writing, be signed by the authorizing provider, and contain sufficient detail to fairly inform the provider of the nature and scope of the disclosures being authorized. The proposed rule would not have required that any specific terms be included in the authorization, only that disclosures be made in accordance with the terms of the authorization, whatever they may be. We sought public comment on whether a more stringent standard would be prudent and workable, such as an authorization process that is disclosure specific.

We also proposed that any authorization be maintained by the disclosing entity or person for a period of six years from the date of the last disclosure made in reliance on the authorization, the limit of time within which the Secretary must initiate an enforcement action.

Overview of Public Comments: Several commenters responded that patients and reporters identified in patient safety work product are adequately protected by this regulation and by the HIPAA Privacy Rule for covered entities. Some commenters, however, suggested that the HIPAA Privacy Rule's minimum necessary standard be applied to disclosures under this provision so that only the minimum necessary amount of patient safety work product would be permitted to be disclosed.

Several commenters also responded to the question of whether a stricter or more prescribed standard for the authorizations should be included in the final rule, the majority of whom stated that the authorization requirements outlined in the proposed rule were adequate. One commenter recommended that the final rule not regulate the terms of the provider authorization and that such terms be left to the parties. Another commenter suggested that provider authorizations be time-limited, while other commenters asked for a model authorization form and that the final rule provide a process for revocation of authorizations.

Final Rule: The final rule adopts the proposed provision. Thus, a provider, PSO, or responsible person may disclose identifiable patient safety work product if a valid authorization is obtained from each identified provider and the disclosure is consistent with such authorization. As in the proposed rule, such authorizations must be retained by the disclosing entity for six years from the date of the last disclosure made in reliance on the authorization and made available to the Secretary upon request. Further, as the Department agrees with those commenters who believed the specific terms of the provider authorizations should be left to the parties, the final rule, as in the proposed rule, requires only that the authorization of each of the identified providers be in writing and signed, and contain sufficient detail to fairly inform the provider of the nature and scope of the disclosures being authorized. Thus, the parties are free to define their own specific terms for provider authorizations, including any time limitations and to what extent and the process through which such authorizations are revocable. Given the final rule does not prescribe a particular form or the terms of provider authorizations under this provision, we do not believe providing a model authorization form is appropriate or feasible.

With respect to patient and reporter identifiers, we continue to strongly encourage disclosers to consider how much patient safety work product is necessary, and whether patient or reporter identifiers are necessary, to accomplish the purpose of the authorized disclosure. However, this final rule does not include specific limitations on the disclosure of patient and reporter identifiers under this provision, so long as the disclosure is in accordance with the terms of the provider authorizations. In addition, the HIPAA Privacy Rule, including the minimum necessary or de-identification standard, as appropriate, continues to apply to the disclosure of any protected health information contained within the patient safety work product.

Response to Other Public Comments

Comment: One commenter asked for clarification as to whether state laws requiring greater protection for patient safety work product would apply to disclosures pursuant to this provision.

Response: Section 922(g)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(1), provides that the Patient Safety Act does not limit the application of other Federal, State, or local laws that provide greater privilege or confidentiality protections than provided by the Act. Thus, state laws providing greater protection for patient safety work product are not preempted and would apply to disclosures of patient safety work product.

Comment: One commenter expressed concern that this disclosure permission conflicts with the disclosure permission for patient safety activities at proposed § 3.206(b)(4) because this disclosure permission does not allow the sharing of any provider information, even if made nonidentifiable, unless all providers identified in the patient safety work product authorize the disclosure, while the disclosure permission for patient safety activities allows the sharing of provider information between PSOs and between providers, as long as it is anonymized.

Response: These disclosure permissions are separate and independent of one another and serve different purposes. Disclosures of patient safety work product may be made pursuant to either permission, provided the relevant conditions are met.

Comment: One commenter expressed concern about the disclosure permission's prohibition on disclosing patient safety work product in nonidentifiable form with respect to a provider who has not authorized the disclosure of the information, stating that this construct would make the provision difficult to implement.

Response: The final rule adopts the provisions of the proposed rule and does not permit patient safety work product to be disclosed if the information is rendered nonidentifiable with respect to a nonauthorizing provider. As explained above, there are likely few situations in which a nonauthorizing provider could be nonidentified without having to also nonidentify the authorizing providers in the patient safety work product to be disclosed under this provision. Therefore, allowing nonidentification of the nonauthorizing provider is impractical.

Comment: One commenter recommended that a copy of the provider authorization be kept in a patient's file, if the provider's authorized disclosure of patient safety work product resulted in a disclosure of the patient's protected health information, so that these disclosures can be tracked and included in an accounting of disclosures as required by 45 CFR 164.528 of the HIPAA Privacy Rule.

Response: While the commenter's suggestion may assist in complying with the HIPAA Privacy Rule's accounting of disclosures standard, we do not include such a requirement in the final rule. Given that the authorizations provided for under this provision are focused on the disclosure of the provider's identifiable information and that the specific terms of such authorizations will vary based on the circumstances of the disclosure and the parties, it is unlikely that such authorizations will contain the information necessary for a HIPAA covered entity to meet its accounting obligations to the individual patient. Further, HIPAA covered entities are free to design and use approaches for compliance with the HIPAA Privacy Rule's accounting standard that are best suited to their business needs and information systems.

(4) Section 3.206(b)(4)—Patient Safety Activities

Proposed Rule: Proposed § 3.206(b)(4) would have permitted the disclosure of identifiable patient safety work product for patient safety activities (i) by a provider to a PSO or by a PSO to that disclosing provider; or (ii) by a provider or a PSO to a contractor of the provider or PSO; or (iii) by a PSO to another PSO or to another provider that has reported to the PSO, or by a provider to another provider, provided, in both cases, certain direct identifiers are removed. This proposed permissible disclosure provision was based on section 922(c)(2)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(A), which permits the disclosure of identifiable patient safety work product for patient safety activities. The proposed rule provided that, consistent with the statute, patient safety work product would remain privileged and confidential once disclosed under this provision.

We explained in the proposed rule that patient safety activities are the core mechanism by which providers may disclose patient safety work product to obtain external expertise from PSOs and through which PSOs may aggregate information from multiple providers, and communicate feedback and analyses back to providers. Thus, the rule needs to facilitate such communications so that improvements in patient safety can occur. To realize this goal, the proposed rule at § 3.206(b)(4)(i) would have allowed for the disclosure of identifiable patient safety work product reciprocally between providers and the PSOs to which they have reported. This would allow PSOs to collect, aggregate, and analyze patient safety event information and disseminate findings and recommendations for safety and quality improvements.

The proposed rule at § 3.206(b)(4)(ii) also would have allowed for disclosures by providers and PSOs to their contractors who are not workforce members, recognizing that there may be situations where providers and PSOs want to engage contractors who are not agents to carry out patient safety activities. However, to ensure patient safety work product remained adequately protected in such cases, the proposed rule would have prohibited contractors from further disclosing patient safety work product, except to the provider or PSO from which they first received the information. We explained in the proposed rule that this limitation would not, however, preclude a provider or PSO from exercising its authority under section 922(g)(4) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(4), to separately delegate its power to the contractor to make other disclosures. We also stated that, although the proposed rule did not require a contract between the provider or PSO and the contractor, we fully expected the parties to engage in prudent practices to ensure patient safety work product remained confidential.

Further, to allow for more effective aggregation of patient safety work product, the proposal at § 3.206(b)(4)(iii) would have allowed PSOs to disclose patient safety work product to other PSOs or to other providers that have reported to the PSO (but not about the specific event(s) to which the patient safety work product relates), and providers to disclose patient safety work product to other providers, for patient safety activities, as long as the patient safety work product was anonymized through the removal of direct identifiers of providers and patients. See proposed § 3.206(b)(4)(iii)(A). In particular, to anonymize provider identifiers, the proposed rule would have required the removal of the following direct identifiers of any providers and of affiliated organizations, corporate parents, subsidiaries, practice partners, employers, members of the workforce, or household members of such providers: (1) names; (2) postal address information, other than town or city, State and zip code; (3) telephone numbers; (4) fax numbers; (5) electronic mail addresses; (6) social security numbers or taxpayer identification numbers; (7) provider or practitioner credentialing or DEA numbers; (8) national provider identification number; (9) certificate/license numbers; (10) web universal resource locators; (11) internet protocol (IP) address numbers; (12) biometric identifiers, including finger and voice prints; and (13) full face photographic images and any comparable images. For patient identifiers, the proposed rule would have applied the HIPAA Privacy Rule limited data set standard. See 45 CFR 164.514(e). We explained in the proposed rule that removal of the required identifiers could be absolute or be done through encryption, provided the disclosing entity did not disclose the key to the encryption or the mechanism for re-identification. Recognizing that fully nonidentifiable patient safety work product may have limited usefulness due to the removal of key elements of identification, the proposed rule specifically sought public comment on whether there were any entities other than providers, PSOs, or their contractors that would need fully identifiable or anonymized patient safety work product for patient safety activities.

Return to Table of Contents
Return to Previous Section
Continue to Next Section

 

AHRQAdvancing Excellence in Health Care
AHRQ footer - print version only