U.S. Department of Health and Human Services www.hhs.gov
Agency for Healthcare Research and Quality www.ahrq.gov


Patient Safety and Quality Improvement. Final Rule (Continued)

Also, as we explained in the proposed rule, we will seek to minimize the risk of improper disclosure of patient safety work product by using and disclosing patient safety work product only in limited and necessary circumstances, and by limiting the amount of patient safety work product disclosed to that necessary to accomplish the purpose. Further, § 3.312 of the final rule expressly prohibits the Secretary from disclosing identifiable patient safety work product obtained by the Secretary in connection with an investigation or compliance review except as permitted by § 3.206(d) for compliance and enforcement or as otherwise permitted by the rule or the Patient Safety Act.

See the discussion of the provisions of Subpart D of the final rule for more information on how the Secretary may exercise discretion in enforcement.

(E) Section 3.206(e)—No Limitation on Authority to Limit or Delegate Disclosure or Use

Proposed Rule: Proposed § 3.206(e) would have established that a person holding patient safety work product may enter into a contract that requires greater confidentiality protections or may delegate its authority to make a disclosure in accordance with this Subpart. Neither the statute nor the proposed rule limited the authority of a provider to place limitations on disclosures or uses.

Overview of Public Comments: We received no comments opposed to this provision.

Final Rule: The final rule adopts the proposed provision.

Response to Other Public Comments

Comment: One commenter suggested that providers and PSOs should not be able to enter into agreements that would prohibit the disclosure of patient safety work product to report a crime or to comply with state reporting requirements.

Response: The Patient Safety Act expressly provides that it does not preempt or otherwise affect any State law requiring a provider to report information that is not patient safety work product. See section 922(g)(5) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(5). Further, patient safety work product does not include original medical and other records. Thus, nothing in the final rule or the statute relieves a provider from his or her obligation to disclose information from such original records or other information that is not patient safety work product to comply with state reporting or other laws. Moreover, the final rule at § 3.206(b)(10)(i) permits providers and PSOs to disclose patient safety work product to report a crime to a law enforcement authority provided that the disclosing person reasonably believes that the patient safety work product that is disclosed is necessary for criminal law enforcement purposes. However, the Department cannot, through this rule, prevent such agreements because the Patient Safety Act, at section 922(g)(4) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(4), specifically provides that the Act cannot be construed "to limit the authority of any provider, patient safety organization, or other entity to enter into a contract requiring greater confidentiality" than that provided under the Act.

3. Section 3.208—Continued Protection of Patient Safety Work Product

Proposed Rule: Proposed § 3.208 provided that the privilege and confidentiality protections would continue to apply to patient safety work product following disclosure and also described the narrow circumstances when the protections terminate. See section 922(d) of the Public Health Service Act, 42 U.S.C. 299b-22(d). In particular, the proposed rule would have provided two exceptions to the continued protection of patient safety work product. The first was an exception to continued confidentiality protection when patient safety work product is disclosed for use in a criminal proceeding, pursuant to § 3.206(b)(1). See section 922(d)(2)(A), 42 U.S.C. 299b-22(d)(2)(A). The second exception to continued protection was in circumstances where patient safety work product is disclosed in nonidentifiable form, pursuant to §§ 3.204(b)(4) and 3.206(b)(5). See section 922(d)(2)(B), 42 U.S.C. 299b-22(d)(2)(B).

The proposed rule would not have required the labeling of information as patient safety work product or that disclosure of patient safety work product be accompanied by a notice as to either the fact that the information disclosed is patient safety work product or that it is confidential. The proposed rule did acknowledge that both practices may be prudent business practices.

Overview of Public Comments: We received several comments suggesting that the final rule require that patient safety work product be labeled as such or that a recipient of patient safety work product be given notice of the protected status of the information received. Commenters suggested that putting recipients of patient safety work product on notice about the sensitive and confidential nature of the information would assure and encourage appropriate treatment of this information.

Final Rule: The final rule adopts this proposed provision but does not require that patient safety work product be labeled or that disclosing parties provide recipients of patient safety work product with notice that they are receiving protected information. We believe imposing a labeling or notice requirement would be overly burdensome on entities. We do, however, expect providers, PSOs, and responsible persons holding patient safety work product to treat and safeguard such sensitive information appropriately and encourage such persons to consider whether labeling or notice may be an appropriate safeguard in certain circumstances. Further, we note that the final rule provides that information that is documented as within a patient safety evaluation system for reporting to a PSO is patient safety work product. In addition, the final rule allows patient safety work product to be removed from a patient safety evaluation system and no longer considered patient safety work product if it has not yet been reported to a PSO and its removal is documented. See the definition of "patient safety work product" at § 3.20. These documentation provisions may assist in identifying, and putting persons on notice as to, what is and is not protected information.

Response to Other Public Comments

Comment: With respect to §§ 3.206(b)(2), 3.206(b)(3), 3.206(b)(8), 3.206(b)(9), and 3.206(b)(10), commenters asked that the final rule emphasize the fact that subsequent holders of patient safety work product are subject to the privilege and confidentiality provisions when they receive the patient safety work product pursuant to a privilege or confidentiality exception and that this patient safety work product cannot be subpoenaed, ordered, or entered into evidence in a civil or criminal proceeding through any of these exceptions.

Response: Section 3.208 makes clear that, with limited exceptions, patient safety work product continues to be privileged and confidential upon disclosure.

Comment: One commenter expressed concern over the proposed rule's statement that an impermissible disclosure of patient safety work product, even if unintentional, does not terminate the confidentiality of the information and that individuals and entities receiving this patient safety work product may be subject to civil money penalties. The commenter stated that the applicability of this broad statement to third and fourth party recipients of patient safety work product could violate the First Amendment and expressed concern with the possibility that the Secretary would seek to impose a civil money penalty upon a newspaper for printing patient safety information.

Response: Section 3.208 implements the statutory provision that patient safety work product continues to be privileged and confidential upon disclosure, including when in the possession of the person to whom the disclosure was made. See section 922(d) of the Public Health Service Act, 42 U.S.C. 299b-22(d). To encourage provider reporting of sensitive patient safety information, Congress saw a need for strong privilege and confidentiality protections that continue to apply downstream even after disclosure, regardless of who holds the information. With respect to the commenter's concern regarding "unintentional" disclosures, we note that the Secretary has discretion to elect not to impose civil money penalties for an impermissible disclosure of patient safety work product, in appropriate circumstances. Thus, if it is determined, through a complaint investigation or a compliance review, that an impermissible disclosure of patient safety work product has been made, the Secretary will examine each situation based on the individual circumstances and make an appropriate determination about whether to impose a civil money penalty. See the discussion regarding Subpart D of this final rule for a more extensive discussion of the Secretary's enforcement discretion. Finally, with respect to the commenter's First Amendment concerns, we do not believe the confidentiality provisions afforded to patient safety work product in the statute and the rule contravene the First Amendment.

4. Section 3.210—Required Disclosure of Patient Safety Work Product to the Secretary

Proposed Rule: Proposed § 3.210 would have required providers, PSOs, and other persons holding patient safety work product to disclose such information to the Secretary upon a determination by the Secretary that such patient safety work product is needed for the investigation and enforcement activities related to this Part, or is needed in seeking and imposing civil money penalties.

Overview of Public Comments: We received no comments opposed to this provision.

Final Rule: The final rule adopts the proposed provision but expands it to encompass disclosures of patient safety work product needed for investigation and enforcement activities with respect to the HIPAA Privacy Rule, consistent with changes made to §§ 3.204(c) and 3.206(d). As in the proposed rule, the final rule makes clear that, with respect to this rule, providers, PSOs, and responsible persons must disclose patient safety work product to the Secretary upon request when needed to investigate or determine compliance with this rule, or to make or support decisions with respect to listing of a PSO. This may include disclosure of patient safety work product to the Secretary as necessary to enforce the confidentiality provisions of the rule, to make or support decisions regarding the acceptance of certification and listing as a PSO, or to revoke such acceptance and to delist a PSO, or to assess or verify PSO compliance with the rule.

Response to Other Public Comments

Comment: Several commenters suggested that disclosures to the Secretary be limited to only the patient safety work product that is needed for the Secretary's activities.

Response: Section 3.210 requires disclosure of patient safety work product only in those cases where the Secretary has determined that such information is needed for compliance or enforcement of this rule or the HIPAA Privacy Rule or for PSO certification or listing. Further, during an investigation or compliance review, § 3.310(c) requires a respondent to provide the Secretary with access to only that information, including patient safety work product, that is pertinent to ascertaining compliance with this rule.

5. Section 3.212—Nonidentification of Patient Safety Work Product

Proposed Rule: Proposed § 3.212 would have established the standard by which patient safety work product would be rendered nonidentifiable, implementing section 922(c)(2)(B) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(B). Under the Patient Safety Act and this Part, identifiable patient safety work product includes information that identifies any provider or reporter or contains individually identifiable health information under the HIPAA Privacy Rule (see 45 CFR 160.103). See section 921(2) of the Public Health Service Act, 42 U.S.C. 299b-21(2). By contrast, nonidentifiable patient safety work product does not include information that permits identification of any provider, reporter or subject of individually identifiable health information. See section 921(3) of the Public Health Service Act, 42 U.S.C. 299b-21(3).

The proposed rule explained that because individually identifiable health information as defined in the HIPAA Privacy Rule is one element of identifiable patient safety work product, the de-identification standard provided in the HIPAA Privacy Rule would apply with respect to the patient-identifiable information in the patient safety work product. Therefore, where patient safety work product contained individually identifiable health information, the proposal would have required that the information be de-identified in accordance with 45 CFR 164.514(a)-(c) to qualify as nonidentifiable patient safety work product with respect to individually identifiable health information under the Patient Safety Act.

Further, with respect to providers and reporters, the proposal imported and adapted the HIPAA Privacy Rule's standards for de-identification. In particular, the proposal included two methods by which nonidentification could be accomplished: (1) a statistical method of nonidentification and (2) the removal of 15 specified categories of direct identifiers of providers or reporters and of parties related to the providers and reporters, including corporate parents, subsidiaries, practice partners, employers, workforce members, or household members, and that the discloser have no actual knowledge that the remaining information, alone or in combination with other information reasonably available to the intended recipient, could be used to identify any provider or reporter, i.e., a contextual nonidentification standard. In addition, the proposal would have permitted a provider, PSO, or other disclosing entity or person to assign a code or other means of record identification to allow information made nonidentifiable to be re-identified by the disclosing person, provided certain conditions were met.

The proposal specifically invited comment on the proposed standards and approaches and asked whether it would be possible to include any geographical identifiers, and if so, at what level of detail (state, county, zip code). We also requested comment regarding whether there were alternative approaches to standards for entities determining when health information could reasonably be considered nonidentifiable.

Overview of Public Comments: We received a variety of comments addressing the nonidentification standard. One commenter supported the proposed methodologies for nonidentification, while several commenters expressed concern that the nonidentification standard was too strict and rendered patient safety work product useless to its recipients. One commenter was concerned that imposing an inflexible, stringent nonidentification standard would impede the future disclosures of aggregated patient safety information that the commenter currently makes. Some of these commenters proposed alternatives to the proposed nonidentification standard, such as considering information nonidentified even if it contains dates of treatment and geographic identifiers as long as data of a certain threshold number of providers was aggregated or eliminating the nonidentification standard entirely and applying a less stringent anonymization standard. In contrast, several other commenters expressed concern that the nonidentification standard was too flexible, was inadequate to truly nonidentify information and protect provider identities, and could be too easily reverse engineered.

Final Rule: The final rule adopts this proposed provision with only a minor technical change to incorporate by reference the direct identifiers listed at § 3.206(b)(4)(iv)(A) of the anonymization standard, as appropriate, to eliminate unnecessary duplication of such elements in the regulatory text. Therefore, persons wishing to nonidentify patient safety work product must remove the direct identifiers listed in the anonymization standard at § 3.206(b)(4)(iv)(A)(1) through (13), as well as any additional geographic subdivisions smaller than a State that are not required to be removed by § 3.206(b)(4)(A)(2), e.g., town or city, all elements of dates (except year) that are directly related to a patient safety incident or event, and any other unique identifying number, characteristic, or code (except as permitted for reidentification). We were not persuaded by commenters that changes to the standard were necessary, especially given the lack of consensus among commenters as to whether the standard was too stringent or not stringent enough. Further, commenters did not offer suggestions as to potential alternative approaches to nonidentification. Additionally, because this rule's nonidentification standard with respect to providers and reporters is adapted from the HIPAA Privacy Rule's de-identification standard and with respect to individuals, incorporates the HIPAA Privacy Rule's de-identification standard, this approach minimizes complexity and burden for entities that are subject to both regulatory schemes.

Response to Other Public Comments

Comment: One commenter expressed concern over the possibility that provider identities could be derived from nonidentifiable patient safety work product and asked that the final rule require a party disclosing identifiable information to produce evidence, if challenged, of how the information was obtained if not via nonidentifiable patient safety work product. Another commenter suggested that the final rule include a provision that prohibits the use or disclosure of any individually identifiable information that was obtained via the use of nonidentifiable patient safety work product. Finally, another commenter suggested that keys to reidentification of nonidentifiable patient safety work product be protected from discovery and should be protected as patient safety work product to prevent reidentification by unintended parties.

Response: We believe that the nonidentification standard in the final rule, which is based upon the existing HIPAA Privacy Rule's de-identification standard, is appropriate and sufficient to protect the identities of providers. With respect to protection of reidentification keys, we note that § 3.212(a)(3) prohibits a provider, PSO, or responsible party disclosing nonidentifiable patient safety work product from also disclosing the mechanism for reidentification. If a reidentification key is disclosed along with patient safety work product that would otherwise be nonidentifiable, then such information is identifiable patient safety work product to which the privilege and confidentiality protections attach.

Comment: One commenter asked to whom must patient safety work product be made nonidentifiable and if information is adequately nonidentifiable despite the ability of a provider or patient involved in the event to recognize their case.

Response: Under § 3.212(a)(1), patient safety work product is rendered nonidentifiable if a determination is made, applying generally accepted statistical and scientific principles, that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify a provider or reporter. Similarly, under § 3.212(a)(2), patient safety work product is rendered nonidentifiable if the listed identifiers are stripped and the provider, PSO or responsible person making the disclosure does not have actual knowledge that the information could be used, alone or in combination with other information that is reasonably available to the intended recipient, to identify the particular provider or reporter. So long as the remaining information meets either of these two standards, such information is considered nonidentifiable for purposes of this rule, despite the hypothetical ability of a provider or patient involved in the event to recognize their case.

Comment: One commenter asked for clarification that nonidentification can be accomplished through either the statistical method or through the safe harbor method but that entities are not required to nonidentify patient safety work product subject to both methods.

Response: We clarify that either method may be used to render information nonidentifiable for purposes of this rule.

D. Subpart D—Enforcement Program

Subpart D of the final rule establishes a framework to enable the Secretary to monitor and ensure compliance with this Part, a process for imposing a civil money penalty for breach of the confidentiality provisions, and procedures for a hearing contesting a civil money penalty. The provisions in Subpart D are modeled largely on the HIPAA Enforcement Rule at 45 CFR Part 160, Subparts C, D and E. This will maintain a common approach to enforcement and appeals of civil money penalty determinations based on section 1128A of the Social Security Act, 42 U.S.C. 1320a-7a, upon which both the HIPAA and Patient Safety Act penalties are based, as well as minimize complexity for entities that are subject to both regulatory schemes. This enforcement scheme also provides the Secretary maximum flexibility to address confidentiality violations so as to encourage participation in patient safety activities and achieve the goals of the Patient Safety Act.

General Comments: Several commenters expressed support for the decision to base this rule's enforcement regime on the HIPAA Enforcement Rule and noted that the HIPAA Enforcement Rule was properly adapted to the patient safety context. However, two commenters expressed concern that basing the enforcement regime in this rule on the HIPAA Enforcement Rule will be insufficient to adequately address and penalize violations of the confidentiality provisions because of the Department's approach to enforcement of the HIPAA Privacy Rule. One commenter argued that this might cause providers to decide against reporting the most serious patient safety events, and therefore, would undermine the purpose of the statute.

Response to General Comments: The Department believes that modeling this rule's enforcement provisions on the existing HIPAA Enforcement Rule is prudent and appropriate. As noted above, such an approach grants the Secretary maximum flexibility to address violations of the confidentiality provisions, relies on an existing and established enforcement regime, and minimizes complexity for entities subject to both the Patient Safety Act and HIPAA.

1. Sections 3.304, 3.306, 3.308, 3.310, 3.312, 3.314—Compliance and Investigations

Proposed Rule: Sections 3.304—3.314 of the proposed rule provided the framework by which the Secretary would seek compliance by providers, PSOs, and responsible persons with the confidentiality provisions of the rule. These proposed requirements included: (1) provisions for the Secretary to seek cooperation from these entities in obtaining compliance and to provide technical assistance (proposed § 3.304); (2) procedures for any person who believes there has been a violation of the confidentiality provisions to file a complaint with the Secretary and provisions for the Secretary to investigate such complaints (proposed § 3.306); (3) provisions for the Secretary to conduct compliance reviews (proposed § 3.308); (4) provisions establishing responsibilities of respondents with respect to cooperating with the Secretary during investigations or compliance reviews and providing access to information necessary and pertinent to the Secretary determining compliance (proposed § 3.310); (5) provisions describing the Secretary's course of action during complaints and compliance reviews, including the circumstances under which the Secretary may attempt to resolve compliance matters by informal means or issue a notice of proposed determination, as well as the circumstances under which the Secretary may use or disclose information, including identifiable patient safety work product, obtained during an investigation or compliance review (proposed § 3.312); and (6) provisions and procedures for the Secretary to issue subpoenas to require witness testimony and the production of evidence and to conduct investigational inquiries (proposed § 3.314).

Overview of Public Comments: We received no comments opposed to the proposed provisions.

Final Rule: The final rule adopts the provisions of the proposed rule, except, where reference was made in the proposed rule to provisions of the HIPAA Enforcement Rule, the final rule includes the text of such provisions for convenience of the reader.

Response to Other Public Comments

Comment: One commenter asked how and when the Secretary will provide technical assistance to providers, PSOs, and responsible persons regarding compliance with the confidentiality provisions.

Response: The Secretary intends to provide technical assistance through a variety of mechanisms. First, as authorized by the Patient Safety Act, the Secretary intends, as practical, to convene annual meetings for PSOs to discuss methodology, communication, data collection, privacy concerns, or other issues relating to their patient safety systems. See section 925 of the Public Health Service Act, 42 U.S.C. 299b-25. Second, the Secretary intends to exercise his discretion under § 3.304 by, when practicable and appropriate, providing technical assistance to affected persons and entities both on an individual basis when such persons or entities are involved in complaint investigations or compliance reviews, as well as more generally through published guidance that addresses common compliance or other questions about the rule. As we noted in the preamble to the proposed rule, however, the absence of technical assistance or guidance by the Secretary may not be raised as a defense to civil money penalty liability. We also encourage persons participating in patient safety activities and subject to this rule to develop and share with others similarly situated in the industry "best practices" for the confidentiality of patient safety work product.

Comment: One commenter requested that the final rule provide additional detail on the consideration that will go into the determination of whether to pursue an investigation or to conduct a compliance review.

Response: We do not believe that including additional detail in the final rule regarding when we will investigate or conduct compliance reviews is prudent or feasible. The decision of whether to conduct an investigation or compliance review is left to the discretion of the Secretary and will be made based on the specific circumstances of each individual case. The decision to investigate a complaint is necessarily fact specific. For example, some complaints may not allege facts that fall within the Secretary's jurisdiction or that constitute a violation if true. With respect to compliance reviews, the Secretary needs to maintain flexibility to conduct whatever reviews are necessary to ensure compliance. Compliance reviews may be initiated based on, for example, information that comes to the Department's attention outside of the formal complaint process, or trends the Department is seeing as a result of its enforcement activities. It would be premature at this time to indicate the specific circumstances under which such reviews may be conducted, given the absence of any compliance and enforcement experience with the rule. Further, making public the Department's considerations in this area may undermine the effectiveness of such reviews. Thus, we did not propose and do not include in this final rule affirmative criteria for conducting compliance reviews.

Comment: One commenter requested clarification that the Secretary may only require respondents to produce records, books, and accounts that are reasonably related to an investigation.

Response: Section 3.310(c) of the proposed rule, which the final rule adopts, provided that a respondent must permit the Secretary access to the information that is pertinent to ascertaining compliance with the confidentiality provisions of the rule. Given this provision in the final rule, we do not see a need to provide further clarification.

2. Sections 3.402, 3.404, 3.408, 3.414, 3.416, 3.418, 3.420, 3.422, 3.424, 3.426—Civil Money Penalties

Proposed Rule: Sections 3.402–3.426 of the proposed rule provided the process for the Secretary to impose a civil money penalty for noncompliance by a PSO, provider, or responsible person with the confidentiality provisions of the rule. These proposed provisions: (1) described the basis for imposing a civil money penalty on a person who discloses identifiable patient safety work product in knowing or reckless violation of the confidentiality provisions, as well as on a principal, in accordance with the federal common law of agency [2], based on the act of its agent acting within the scope of the agency (proposed § 3.402); (2) described how a penalty amount would be determined, and provided the statutory cap of any such penalty (proposed § 3.404); (3) provided the list of factors the Secretary may consider as aggravating or mitigating, as appropriate, in determining the amount of a civil money penalty, including the nature and circumstances of the violation and the degree of culpability of the respondent (proposed § 3.408); (4) set forth the 6-year limitations period on the Secretary initiating an action for imposition of a civil money penalty (proposed § 3.414); (5) set out the Secretary's authority to settle any issue or case or to compromise any penalty (proposed § 3.416); (6) provided that a civil money penalty imposed under this rule would be in addition to any other penalty prescribed by law, except that a civil money penalty may not be imposed both under this rule and the HIPAA Privacy Rule for the same act (proposed § 3.418); (7) required that the Secretary provide a respondent with written notice of his intent to impose a civil money penalty, prescribe the contents of such notice, and provide the respondent with a right to request a hearing before an ALJ to contest the proposed penalty (proposed § 3.420); (8) provided that if the respondent fails to timely request a hearing and the matter is not settled by the Secretary, the Secretary may impose the proposed penalty (or any lesser penalty) and will notify the respondent of any penalty imposed, and that the respondent has no right to appeal such penalty (proposed § 3.422); (9) provided that once the penalty becomes final, it will be collected by the Secretary, unless compromised, and describes the methods for collection (proposed § 3.424); and (10) provided that the Secretary will notify the public and the appropriate State or local medical or professional organizations, appropriate State agencies administering or supervising the administration of State health care programs, appropriate utilization and quality control peer review organizations, and appropriate State or local licensing agencies or organizations, of a final penalty and the reason it was imposed (proposed § 3.426).

[2] For more information and guidance about violations of the rule attributed to a principal based on the federal common law of agency, see the preamble to the proposed rule at 73 FR 8158-8159.
