U.S. Department of Health and Human Services www.hhs.gov
Agency for Healthcare Research Quality www.ahrq.gov
AHRQ Home | Questions? | Contact Us | Site Map | What's New | Browse | Información en español | E-mail UpdatesE-mail Updates
www.ahrq.gov
PSO Home Patient Safety Organizations Stethoscope

Patient Safety and Quality Improvement. Final Rule (Continued)

We further proposed at § 3.206(b)(7)(ii) that the FDA and entities required to report to the FDA may only further disclose patient safety work product for the purpose of evaluating the quality, safety, or effectiveness of that product or activity and such further disclosures would only be permitted between the FDA, entities required to report to the FDA, their contractors, and the disclosing providers. Thus, for example, the FDA or a drug manufacturer receiving adverse drug event information that is patient safety work product may engage in further communications with the disclosing provider(s), for the purpose of evaluating the quality, safety, or effectiveness of the particular regulated product or activity, or may work with their contractors. Moreover, an entity regulated by the FDA may further disclose the information to the FDA. The proposed provision also would have prohibited contractors receiving patient safety work product under this provision from further disclosing such information, except to the entity from which they received the information.

Finally, we explained that the HIPAA Privacy Rule at 45 CFR 164.512(b) permits HIPAA covered entities to disclose protected health information concerning FDA-regulated activities and products to persons responsible for collection of information about the quality, safety, and effectiveness of those FDA-regulated activities and products. Therefore, disclosures under this exception of patient safety work product containing protected health information would be permitted under the HIPAA Privacy Rule.

Overview of Public Comments: We received general support in the public comments for the express reference to FDA-regulated entities within this disclosure permission; only one commenter opposed this provision. Some commenters asked that the final rule provide examples of the types of disclosures that might occur to FDA-regulated entities, and one commenter suggested that if such disclosures are permitted, the final rule should include a comprehensive list of acceptable disclosures to these entities. Another commenter noted that if disclosures to FDA-regulated entities are permitted under this disclosure permission, the final rule should limit the use of patient safety work product to the purposes stated in the statute and should prohibit the use of this information for marketing purposes. No commenters identified any unintended consequences of including FDA-regulated entities within the disclosure permission.

Final Rule: The final rule adopts the provisions of the proposed rule at § 3.206(b)(7), including the express reference to FDA-regulated entities. We also modify the title of the provision to reflect that disclosures to such entities are encompassed within the disclosure permission. As explained in the proposed rule, we believe including FDA-regulated entities within the scope of the disclosure permission is consistent with both the rule of construction in the statute which preserves required reporting to the FDA, as well as the goals of the statute which are to improve patient safety. See section 922(g)(6) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(6). In addition, the final rule includes modifications to more clearly indicate who can receive patient safety work product under this provision, as well as what further disclosures may be made of such information. Specifically, § 3.206(b)(7)(i) now makes clear that a provider may disclose patient safety work product concerning an FDA-regulated product or activity to the FDA, an entity required to report to the FDA concerning the quality, safety, or effectiveness of an FDA-regulated product or activity, or a contractor acting on behalf of FDA or such entity for these purposes. Further, § 3.206(b)(7)(ii) clarifies that the FDA, its regulated entity entitled to receive information under this provision, and their contractors may share patient safety work product received under this provision for the purpose of evaluating the quality, safety, or effectiveness of that product or activity among themselves, as well as with the disclosing provider.

We do not include a comprehensive list of acceptable disclosures to FDA-regulated entities as it would be impractical to do so. As we explained in the proposed rule, drug, device, and biological product manufacturers are required to report adverse experiences to the FDA and currently rely on voluntary reports from product users, including providers. Further, the analysis of events by a provider or PSO that constitutes patient safety work product may generate information that should be reported to the FDA or FDA-regulated entity because it relates to the safety or effectiveness of an FDA-regulated product or activity. This provision allows providers to report such information without violating the confidentiality provisions of the statute or rule. However, we emphasize that, despite this disclosure permission, we expect that most reporting to the FDA and its regulated entities will be done with information that is not patient safety work product, as is done today. This disclosure permission is intended to allow for reporting to the FDA or FDA-regulated entity in those special cases where, only after an analysis of patient safety work product, does a provider realize it should make a report. As in the proposed rule, patient safety work product disclosed pursuant to this provision remains privileged and confidential.

Response to Other Public Comments

Comment: Five commenters asked that the final rule allow PSOs as well as providers to disclose or report patient safety work product to the FDA or to an entity that is required to report to the FDA.

Response: We do not modify the provision as there is no statutory authority to allow PSOs to report patient safety work product to the FDA or to an entity required to report to the FDA. However, the statute does permit providers to report patient safety work product to the FDA or to an entity required to report to the FDA.

Comment: One commenter asked for clarification as to whether lot numbers and device identifiers and serial numbers may be reported to the FDA under this disclosure permission.

Response: Section 3.206(b)(7) would allow such information contained within patient safety work product to be reported to FDA provided it concerned an FDA-regulated product or activity.

(8) Section 3.206(b)(8)—Voluntary Disclosure to an Accrediting Body

Proposed Rule: Proposed § 3.206(b)(8) would have permitted the voluntary disclosure of identifiable patient safety work product by a provider to an accrediting body that accredits that disclosing provider. See section 922(c)(2)(E) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(E). Patient safety work product disclosed pursuant to this proposed exception would remain privileged and confidential.

This provision would have allowed a provider to disclose patient safety work product that identifies that disclosing provider. Further, the proposed rule would not have required that patient safety work product be nonidentifiable as to nondisclosing providers. The proposed rule specifically sought public comment on whether patient safety work product should be anonymized with respect to nondisclosing providers prior to disclosure to an accrediting body under this provision.

The proposed rule also provided that an accrediting body could not take an accreditation action against a provider based on that provider's participation, in good faith, in the collection, reporting or development of patient safety work product. It also would have prohibited accrediting bodies from requiring a provider to reveal its communications with any PSO.

Overview of Public Comments: Several commenters responded to the question of whether the final rule should require the anonymization of patient safety work product with respect to nondisclosing providers, all of which supported such a requirement. Another commenter noted that the final rule should expressly prohibit accrediting bodies from taking accreditation actions against nondisclosing providers based upon the patient safety work product reported to them by disclosing providers.

Final Rule: In light of the comments received, the final rule modifies the proposed provision at § 3.206(b)(8) to condition the voluntary disclosure by a provider of patient safety work product to an accrediting body that accredits the provider on either: 1) the agreement of the nondisclosing providers to the disclosure; or 2) the anonymization of the patient safety work product with respect to any nondisclosing providers identified in the patient safety work product, by removal of the direct identifiers listed at § 3.206(b)(4)(iv)(A). Direct identifiers of the disclosing providers do not need to be removed. We also note that the final rule does not prescribe the form of the agreement obtained from non-disclosing providers. Providers are free to design their own policies for obtaining such agreements. Some institutional providers may, for example, make it a condition of employment or privileges that providers agree to the disclosure of patient safety work product to accrediting bodies. In addition, unlike the provision at § 3.206(b)(3) of the final rule, with respect to any of the non-disclosing providers identified in the patient safety work product, the disclosing provider need obtain either the provider's agreement or anonymize the provider's information.

Response to Other Public Comments

Comment: Several commenters stated that they did not support this disclosure permission allowing voluntary disclosures of patient safety work product to accrediting bodies due to possible unintended consequences of these disclosures. Another commenter asked that we be aware of punitive actions by regulatory organizations as a result of voluntary disclosures to accrediting bodies and monitor this process carefully for any unintended consequences.

Response: The disclosure permission allowing providers to voluntarily disclose patient safety work product to accrediting bodies is prescribed by the statute and thus, is included in this final rule. However, as described above, the final rule requires either anonymization or agreement with respect to non-disclosing providers as a condition of the disclosure. This provision, along with the express prohibition at § 3.206(b)(8)(iii) on an accrediting body taking an accrediting action against a provider based on a good faith participation of the provider in the collection, development, reporting, or maintenance of patient safety work product should alleviate commenter concerns.

Comment: One commenter asked if the regulation allowed accrediting bodies to disclose patient safety work product to CMS as part a commitment to advise CMS of adverse accreditation decisions.

Response: The final rule prohibits accrediting bodies from further disclosing patient safety work product they have voluntarily received from providers under § 3.206(b)(8).

Comment: One commenter asked if survey and licensure bodies were considered to be accrediting bodies and thus, precluded from taking action against providers who voluntarily submit patient safety work product to them.

Response: Survey and licensure bodies are not accrediting bodies and are not treated as such under this provision. Thus, such entities are not entitled to receive patient safety work product voluntarily from providers under this provision.

Comment: Two commenters expressed concern about this disclosure permission for accrediting bodies that create component PSOs. One commenter stated that allowing accrediting bodies to create component PSOs creates a potential conflict of interest that may adversely affect provider organizations. If an accrediting body's component organization is a PSO, the commenter asked how OCR will determine whether the component organization improperly disclosed information or whether the accrediting body received the information voluntarily from a provider.

Response: Providers are free to choose the PSOs with which they want to work. We expect that any selection by a provider will involve a thorough vetting and consideration of a number of factors, including whether the PSO is a component of an accrediting body and if so, what assurances are in place to protect against improper access by the accrediting body to patient safety work product. Component organizations have clear requirements to maintain patient safety work product separately from parent organizations. Further, the final rule recognizes that a disclosure from a component organization to a parent organization is a disclosure which must be made pursuant to one of the permissions set forth in the statute and here; disclosures for which there is no permission are subject to enforcement by the Department and imposition of civil money penalties, as well as may adversely impact on the PSO's continued listing by the Secretary as a PSO. Should OCR receive a complaint or conduct a compliance review that implicates an impermissible disclosure by a component PSO of an accrediting body, OCR will investigate and review the particular facts and circumstances surrounding the alleged impermissible disclosure, including, if appropriate, whether the accrediting body received the patient safety work product directly from a provider pursuant to § 3.206(b)(8).

Comment: One commenter asked that the final rule allow accrediting bodies to use voluntarily reported patient safety work product in accreditation decisions, or that the final rule give accrediting bodies immunity from liability that might arise from their failure to take this patient safety work product into account in its accreditation decisions. This commenter also stated that, since accrediting bodies cannot take action based on information voluntarily disclosed pursuant to this provision, the final rule should make clear that accrediting bodies cannot be held responsible for decisions that might have been different if the accrediting body had been able to act based on the patient safety work product received.

Response: We clarify that the final rule, as the proposed rule, does not prohibit an accrediting body from using patient safety work product voluntarily reported by a provider pursuant to this provision in its accreditations decisions with respect to that provider. Thus, it is not necessary nor is it appropriate for the Secretary to give accrediting bodies immunity from liability. However, an accrediting body may not require a provider to disclose patient safety work product, or take an accrediting action against a provider who refuses to disclose patient safety work product, to the accrediting body. See section 922(d)(4)(B) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(4)(B), and § 3.206(b)(8)(iii), which expressly prohibits an accrediting body from taking an accrediting action against a provider based on the good faith participation of the provider in the collection, development, reporting, or maintenance of patient safety work product in accordance with the statute.

Comment: One commenter asked if the limitation on redisclosure of voluntarily reported patient safety work product received by an accrediting body applies if the information sent to the accrediting body was not patient safety work product at the time the accrediting body received the information, but was later reported, by the provider to a PSO and became protected.

Response: If the information submitted to an accrediting body was not patient safety work product as defined at § 3.20 at the time it was reported, then § 3.206(b)(8), including the redisclosure limitation, does not apply to such information.

Comment: One commenter asked that the final rule clarify that the disclosure of patient safety work product to an accrediting body is voluntary.

Response: Section 3.208(b)(8) expressly provides only for the voluntary reporting of patient safety work product, provided the conditions are met. We do not see a need for further clarification.

(9) Section 3.206(b)(9)—Business Operations

Proposed Rule: Proposed § 3.206(b)(9) would have allowed disclosures of patient safety work product by a provider or a PSO to professionals such as attorneys and accountants for the business operations purposes of the provider or PSO. See section 922(c)(2)(F) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(F). Under the proposed rule, such contractors could not further disclose patient safety work product, except to the entity from which it received the information. However, the proposed rule made clear that a provider or PSO still would have had the authority to delegate its power to the contractor to make other disclosures. In addition, the proposed rule provided that any patient safety work product disclosed pursuant to this provision continued to be privileged and confidential.

The Patient Safety Act gives the Secretary authority to designate additional exceptions as necessary business operations that are consistent with the goals of the statute. The proposed rule sought public comment regarding whether there are any other consultants or contractors, to whom a business operations disclosure should also be permitted, or whether the Secretary should consider any additional exceptions under this authority. The proposed rule noted that the Secretary would designate additional exceptions only through regulation; however, it asked if other mechanisms for the adoption of business operations exceptions should be adopted or incorporated.

The proposed rule also explained that a business operations designation by the Secretary that enables a HIPAA covered entity to disclose patient safety work product containing protected health information to professionals is permissible as a health care operations disclosure under the HIPAA Privacy Rule. See 45 CFR 164.506. Generally, such professionals will be business associates of the covered entity, which will require that a business associate agreement be in place. See 45 CFR 160.103, 164.502(e), and 164.504(e).

Overview of Public Comments: Several commenters expressed general support for the business operations disclosures to attorneys, accountants, and other professionals in the proposed rule. We also received several responses to the question asking if the final rule should allow for any additional disclosures under the business operations provision. Three commenters stated that the final rule should not include any additional business operations disclosures. Others asked that the business operations disclosure permission be broad enough to encompass all the activities defined as "health care operations" in the HIPAA Privacy Rule, which would then include disclosures to entities such as photocopy shops, document storage services, shredding companies, IT support companies, and other entities involved in a PSO's management or administration. Other commenters suggested that disclosures of patient safety work product to independent contractors, professional liability insurance companies, captives, and risk retention groups be included as disclosures for business operations under this provision in the final rule.

All commenters responding to the question about how the Secretary should adopt additional business operations stated that additional business operations should be adopted only through the rulemaking process.

Final Rule: The final rule adopts the proposed provision, allowing disclosure of patient safety work product by a provider or a PSO for business operations to attorneys, accountants, and other professionals. The final rule allows disclosure of patient safety work product to these professionals who are bound by legal and ethical duties to maintain the confidence of their clients and the confidentiality of client information, including patient safety work product. These professionals will provide a broad array of services to and functions for the providers and PSOs with whom they are contracted and will need access to patient safety work product to perform their duties. We are not persuaded by the comments of a need to expand, at this time, the disclosure permission to encompass other categories of persons or entities. However, as described in the proposed rule, should the Secretary seek in the future to designate additional business operations exceptions to be encompassed within this disclosure permission, he will do so through regulation to provide adequate opportunity for public comment.

With respect to many of the other entities identified by the commenters, we note that, to the extent the services provided by such entities are necessary for the maintenance of patient safety work product or the operation of a patient safety evaluation system, or otherwise support activities included in the definition of "patient safety activities" at § 3.20 of this rule, these disclosures may be made to such contractors pursuant to § 3.206(b)(4)(ii).

Response to Other Public Comments

Comment: Two commenters suggested that the final rule include a requirement for a contract between providers or PSOs and their attorneys, accountants, and other professionals to whom patient safety work product will be disclosed as a business operation.

Response: We do not require a contract as a condition of disclosure in the final rule. However, we agree that a contract between these parties is a prudent business practice and expect that parties will enter into appropriate agreements to ensure patient safety work product remains protected. Further, where HIPAA covered entities are concerned, we note that the HIPAA Privacy Rule requires that such entities have a business associate agreement in place with professionals providing services that require access to protected health information.

(10) Section 3.206(b)(10)—Disclosure to Law Enforcement

Proposed Rule: Proposed § 3.206(b)(10) would have permitted the disclosure of identifiable patient safety work product to law enforcement authorities, so long as the person making the disclosure believes—and that belief is reasonable under the circumstances—that the patient safety work product disclosed relates to a crime and is necessary for criminal law enforcement purposes. See section 922(c)(2)(G) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(G). The proposed rule provided that patient safety work product disclosed under this provision would remain privileged and confidential.

The proposed rule also provided that the law enforcement entity receiving the patient safety work product could use the patient safety work product to pursue any law enforcement purposes; however, the recipient law enforcement entity could only redisclose the information to other law enforcement authorities as needed for law enforcement activities related to the event that necessitated the original disclosure. The proposed rule sought comment regarding whether these provisions would allow for legitimate law enforcement needs, while ensuring appropriate protections.

Overview of Public Comments: Commenters responding to the question in the proposed rule regarding whether this disclosure permission would allow for legitimate law enforcement needs while ensuring that information remain appropriately protected stated that the proposed disclosure permission was appropriate and did permit legitimate disclosures to law enforcement.

Final Rule: The final rule adopts the proposed provision with slight modification for purposes of clarification only. We add the word "only" to the final rule to clarify that law enforcement receiving patient safety work product pursuant to this exception may only further disclose this information to other law enforcement authorities as needed for law enforcement activities related to the event that gave rise to the original disclosure.

Response to Other Public Comments

Comment: Two commenters suggested that the statutory standard of reasonable belief was vague and that clarity was needed to reduce the uncertainty of disclosures and to further define what could constitute a reasonable belief. Another commenter noted that the phrase "relates to a crime and is necessary for criminal law enforcement purposes" is too broad and leaves too much discretion to entities such as PSOs.

Response: The final rule provision at § 3.206(b)(10) generally repeats the statutory provision upon which it is based, which provides that the disclosure of patient safety work product be permitted if it relates to the commission of a crime and the person making the disclosure believes, reasonably under the circumstances, that the patient safety work product is necessary for criminal law enforcement purposes. See section 922(c)(2)(G) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(G).

Comment: One commenter expressed concern regarding the redisclosure of patient safety work product to law enforcement under this disclosure permission. The commenter stated that there could be successive disclosures of protected information to law enforcement without consideration of whether there is a reasonable belief that the redisclosure is necessary for criminal law enforcement purposes. Another commenter recommended that this disclosure permission should expressly prohibit patient safety work product from being used against patients who are identified in the patient safety work product but who are not the subject of the criminal act for which the information was originally disclosed.

Response: We believe § 3.206(b)(10) addresses the commenters' concerns by expressly limiting law enforcement's redisclosure of patient safety work product received pursuant to the provision to other law enforcement authorities as needed for law enforcement activities related to the event that gave rise to the initial disclosure. Thus, law enforcement is not permitted to further disclose the patient safety work product for the enforcement of a crime unrelated to the crime for which the patient safety work product was originally disclosed to the law enforcement entity.

Comment: One commenter stated that the proposed rule represented an expansion of the statutory language because it allowed persons to disclose patient safety work product to law enforcement entities in the absence of an active law enforcement investigation and in the absence of a request for this information by law enforcement.

Response: The statute does not require that a law enforcement entity be involved in an active investigation or that a law enforcement entity request information prior to a person making a disclosure of patient safety work product to a law enforcement entity pursuant to this disclosure permission. See 922(c)(2)(G) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(G).

(C) Section 3.206(c)—Safe Harbor

Proposed Rule: Proposed § 3.206(c) would have prohibited the disclosure of a subject provider's identity with information, whether oral or written, that: (1) assesses that provider's quality of care; or (2) identifies specific acts attributable to such provider. See section 922(c)(2)(H) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(H). This provision would have been only applicable to providers. Patient safety work product disclosed under this exception could identify providers, reporters or patients so long as the provider(s) that were the subject of the actions described were nonidentified. The proposed rule would have required that nonidentification be accomplished in accordance with the nonidentification standard set forth in proposed § 3.212.

Overview of Public Comments: We received no comments opposed to this provision.

Final Rule: The final rule adopts the proposed provision.

Response to Other Public Comments

Comment: Several commenters suggested that the safe harbor provision be extended to PSOs as well as providers. One commenter noted that there was no reason to exclude PSOs from this provision and including PSOs would provide them with the same leeway for inadvertent disclosures of patient safety work product as providers.

Response: The statute expressly limits the safe harbor provision to providers. Therefore, we do not have the authority to extend this provision to PSOs.

(D) Section 3.206(d)—Implementation and Enforcement of the Patient Safety Act

Proposed Rule: Proposed § 3.206(d) would have permitted the disclosure of relevant patient safety work product to or by the Secretary as needed for investigating or determining compliance with or to seek or impose civil money penalties with respect to this Part or for making or supporting PSO certification or listing decisions, under the Patient Safety Act. Patient safety work product disclosed under this exception would remain confidential.

Overview of Public Comments: We received no comments in reference to this provision.

Final Rule: Consistent with the changes made to § 3.204(c) with respect to privilege, the final rule adopts the proposed provision, but expands it to expressly provide that patient safety work product also may be disclosed to or by the Secretary as needed to investigate or determine compliance with or to impose a civil money penalty under the HIPAA Privacy Rule. This new language implements the statutory provision at section 922(g)(3) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(3), which makes clear that the Patient Safety Act is not intended to affect implementation of the HIPAA Privacy Rule. As in the privilege context, given the significant potential for an alleged impermissible disclosure to implicate both this rule's confidentiality provisions, as well as the HIPAA Privacy Rule, the Secretary may require access to confidential patient safety work product for purposes of determining compliance with the HIPAA Privacy Rule. The Secretary will use such information consistent with the statutory prohibition against imposing civil money penalties under both authorities for the same act.

With respect to this rule, the final rule, as in the proposed rule, makes clear that disclosures of patient safety work product to or by the Secretary are permitted to investigate or determine compliance with this rule, or to make or support decisions with respect to listing of a PSO. This may include access to and disclosure of patient safety work product to enforce the confidentiality provisions of the rule, to make or support decisions regarding the acceptance of certification and listing as a PSO, or to revoke such acceptance and to delist a PSO, or to assess or verify PSO compliance with the rule.

Response to Other Public Comments

Comment: Several commenters asked the Secretary to use judicious restraint when requesting patient safety work product for compliance and enforcement activities. Some of these commenters also asked that the Secretary reserve his full enforcement power for only the most egregious violations of the confidentiality provisions.

Response: We acknowledge the commenters' concerns regarding the disclosure of patient safety work product for enforcement purposes. As we explained in the proposed rule, we strongly believe in the protection of patient safety work product as provided by the Patient Safety Act. However, confidentiality protections are meaningless without the ability to enforce breaches of the protections, investigations of which may require access to confidential patient safety work product. Further, § 3.310 of the final rule provides the Secretary with authority to obtain access to only that patient safety work product and other information that is pertinent to ascertaining compliance with the rule's confidentiality provisions.

Return to Table of Contents
Return to Previous Section
Continue to Next Section

 

AHRQAdvancing Excellence in Health Care
AHRQ footer - print version only