Patient Safety and Quality Improvement. Final Rule (Continued)
In addition, with respect to the factors at proposed § 3.408, we specifically sought comment on whether the factors should be expanded to expressly include a factor for persons who self-report disclosures that may potentially violate the confidentiality provisions such that voluntary self-reporting would be a mitigating consideration when assessing a civil money penalty.
Overview of Public Comments: We received no comments opposed to these proposed provisions. With respect to proposed § 3.408, commenters generally supported the list of detailed factors, which may be aggravating or mitigating depending on the context, for use by the Secretary in determining the amount of a civil money penalty. In response to the question in the proposed rule regarding whether the final rule should include a factor for persons who self-report disclosures that may be potential violations, some commenters opposed such an expansion, arguing that such a provision could be viewed as an additional reporting obligation on persons and entities. Several other commenters expressed general support for the consideration of such a mitigating factor in the determination of any penalty, and one commenter specifically recommended expanding the list of factors to include self-reporting.
Final Rule: The final rule adopts the provisions of the proposed rule except, where reference was made in the proposed rule to provisions of the HIPAA Enforcement Rule, the final rule includes the text of such provisions for convenience of the reader. We do not expand the list of factors at § 3.408 to include the fact of self-reporting by a respondent in the final rule. As we noted in the preamble to the proposed rule, while including a factor for voluntary self-reporting may encourage persons to report breaches of confidentiality, particularly those that may otherwise go unnoticed, as well as demonstrate the security practices that led to the discovery of the breach and how the breach was remedied, we agree with those commenters who argued that including such a factor may be viewed incorrectly as an additional and ongoing reporting obligation on providers, PSOs, and others to report every potentially impermissible disclosure. This would unnecessarily increase administrative burden both on the Department and the reporting persons. Additionally, inclusion of such a factor may interfere with contractual relationships between providers and PSOs that address how parties are to deal with breaches.
However, we note that even though we are not expressly including a self-reporting factor in the list at § 3.408, the Secretary retains discretion to consider self-reports on a case-by-case basis under § 3.408(f), which permits the Secretary to consider "such other matters as justice may require" in determining the amount of a civil money penalty.
Response to Other Public Comments
Comment: One commenter supported the knowing or reckless standard for establishing the basis for imposing a civil money penalty for a confidentiality violation but also stated that every effort should be made to reduce the risk of liability and to encourage provider participation. Another commenter supported the Secretary's ability to exercise discretion in determining whether to impose a civil money penalty for a knowing or reckless violation of the confidentiality provisions but also suggested that, in cases where a PSO is compelled to disclose patient safety work product by a court and has, in good faith, attempted to assert the privilege protection, the PSO automatically should be excused from a civil money penalty for the impermissible disclosure of patient safety work product to the court.
Response: We agree that the appropriate basis for imposing a civil money penalty is for knowing or reckless disclosures of identifiable patient safety work product in violation of the confidentiality provisions of the rule and that it is important the Secretary ultimately retain discretion as to whether to impose a penalty pursuant to this standard. This provision is based on section 922(f) of the Public Health Service Act, 42 U.S.C. 299b-22(f). We also agree that provider participation is essential to meeting the overall goal of the statute to improve patient safety and quality of care, and we believe that strong privilege and confidentiality protections for patient safety work product are fundamental to ensuring this participation. As we explained in the preamble to the proposed rule, a civil money penalty under § 3.402 may only be imposed if the Secretary first establishes a wrongful disclosure—that is, the information disclosed was identifiable patient safety work product and the manner of the disclosure does not fit within any permitted exception. The Secretary must then determine whether a person making the disclosure acted "knowingly" or "recklessly." To do so, the Secretary must prove either that: (1) the person making the disclosure knew a disclosure was being made (not that the person knew he or she was disclosing identifiable patient safety work product in violation of the rule or statute); or (2) the person acted recklessly in making the disclosure, that is, the person was aware, or a reasonable person in his or her situation should have been aware, that his or her conduct created a substantial risk of disclosure of information and to disregard such risk constituted a gross deviation from reasonable conduct. For more guidance on this standard or the knowing or reckless standard, see the preamble to the proposed rule at 73 FR 8157-8158. 
Once a knowing or reckless violation has been established, the Secretary still retains discretion as to whether to impose a penalty for a violation and may elect not to do so. Thus, we believe the standard at § 3.402 of the final rule strikes the right balance in ensuring those who are culpable are subject to penalties, while still encouraging maximum participation by providers.
For example, circumstances where a person who disclosed identifiable patient safety work product in violation of the rule can show he or she did not know and had no reason to know that the information was patient safety work product may warrant discretion by the Secretary. Further, as we stated in the preamble to the proposed rule, the Secretary may exercise discretion and not pursue a civil money penalty against a respondent ordered by a court to produce patient safety work product where the respondent has in good faith undertaken reasonable steps to avoid production and is, nevertheless, compelled to produce the information or be held in contempt of court. We do not, however, agree that an automatic exception from liability for respondents in such circumstances is appropriate or necessary. The Secretary will examine each situation based on the individual circumstances and make an appropriate determination about whether to impose a civil money penalty.
Comment: One commenter asked that the final rule state that inappropriate disclosures to, for example, the media or to the public, would result in civil money penalties.
Response: Section 3.402(a) of the final rule provides that persons who disclose identifiable patient safety work product in knowing or reckless violation of the confidentiality provisions are subject to civil money penalty liability for such violations. This liability would include disclosures to the media or public, to the extent the knowing or reckless standard of § 3.402(a) is met.
Comment: We received two comments stating that the maximum penalty of $10,000 for a single violation is insufficient to serve as a deterrent against impermissible disclosures. In contrast, one commenter expressed concern that the maximum penalty would be far too severe for some small providers and in cases in which the impermissible disclosure was incidental or accidental.
Response: In response to those commenters who believe the penalty amount is not high enough, the $10,000 maximum penalty for each act constituting a violation is prescribed by the statute and thus, cannot be increased by the Secretary in this rule. We expect, however, that there will be cases where multiple related acts are at issue as discrete violations, each of which could result in separate penalties up to $10,000. The preamble to the proposed rule indicated that the Patient Safety Act provides that a person who violates the Patient Safety Act shall be subject to a civil money penalty of "not more than $10,000" for each act constituting such violation. We note that pursuant to the Federal Civil Penalties Inflation Adjustment Act of 1990, as amended by the Debt Collection Improvement Act of 1996, the Department will be required to adjust this civil money penalty amount based on increases in the consumer price index (CPI). The Department has up to four years to update the civil money penalty amount, and the adjustment will be based on the percent increase in the CPI from the time the Patient Safety Act was enacted, in accordance with the cost-of-living adjustment set forth at the Federal Civil Penalties Inflation Adjustment Act of 1990 § 5, at 28 U.S.C. 2461 note. However, the first adjustment may not exceed ten percent of the penalty. Thus, pursuant to this statute, the $10,000 maximum penalty will be adjusted upwards periodically to account for inflation.
With respect to those commenters who were concerned that the $10,000 penalty may be too severe in certain circumstances, we emphasize that the $10,000 amount is a maximum penalty and the Secretary has discretion to impose penalties that are less than that amount or can elect not to impose a penalty at all for a violation, depending on the circumstances. In particular, § 3.404 provides that the amount of any penalty will be determined using the factors at § 3.408, which include such factors as the nature and circumstances of the violation, the degree of culpability of the respondent including whether the violation was intentional, as well as the financial condition and size of the respondent.
Comment: Several commenters asked for clarification regarding the Secretary's authority to levy separate fines under the Patient Safety Act and HIPAA. Many of these commenters argued that the Secretary should be able to impose penalties under both authorities for the same act to maximize the enforcement tools at his disposal and to effectively penalize bad behavior. In contrast, one commenter supported the statutory mandate that civil money penalties not be imposed under both the Patient Safety Act and HIPAA for a single violation. One commenter asked for clarification as to how civil money penalties may be imposed under both the Patient Safety Act and HIPAA when a PSO is a business associate of a covered entity for HIPAA Privacy Rule purposes.
Response: The final rule at § 3.418 reflects the statutory prohibition against the Secretary imposing civil money penalties under both the Patient Safety Act and HIPAA for a single act that constitutes a violation. As the preamble to the proposed rule explained, Congress recognized that, because patient safety work product includes individually identifiable health information about patients, a HIPAA covered entity making a disclosure of patient safety work product could be liable for a violation under both the Patient Safety Act and HIPAA, and made such penalties mutually exclusive. Thus, in situations in which a single violation could qualify as both a violation of the Patient Safety Act and HIPAA, the Secretary has discretion to impose a civil money penalty under either regulatory scheme, not both. However, as we explained in the proposed rule, we interpreted the Patient Safety Act as only prohibiting the imposition of a civil money penalty under the Patient Safety Act when there has been a civil, as opposed to criminal, penalty imposed under HIPAA for the same act. Therefore, a person could have a civil money penalty imposed under the Patient Safety Act as well as a criminal penalty under HIPAA for the same act.
With respect to the commenter who requested clarification about penalties relating to a PSO that is a business associate of a HIPAA covered entity, we note that it is possible for a civil money penalty to be imposed under both the Patient Safety Act and HIPAA, where such penalty is imposed against different entities. Thus, for example, because a PSO will be a business associate of a covered entity under HIPAA, any violation involving patient safety work product that contains protected health information by the PSO will be a violation of the Patient Safety Act and not HIPAA, since the PSO is not a covered entity. However, if the PSO notifies the covered entity of the impermissible disclosure (as required by the business associate contract under HIPAA), and the covered entity does not take the appropriate steps to mitigate and address the consequences of the impermissible disclosure of protected health information, the covered entity may then be liable for a penalty under HIPAA.
Proposed Rule: Proposed § 3.504 provided the procedures for an administrative hearing to contest a civil money penalty. The proposed section set forth the authority of the ALJ, the rights and burdens of proof of the parties, requirements for the exchange of information and pre-hearing, hearing, and post-hearing processes. This section cross-referenced the relevant provisions of the HIPAA Enforcement Rule extensively. Specifically, §§ 3.504(b), (d), (f)–(g), (i)–(k), (m), (n), (t), (w) and (x) of the proposed rule incorporated unchanged the provisions of the HIPAA Enforcement Rule. Sections 3.504(a), (c), (e), (h), (l), (o)–(s), (u) and (v) of the proposed rule incorporated the HIPAA Enforcement Rule but included technical changes to adapt these provisions to the Patient Safety Act confidentiality provisions. These technical changes addressed the following: (1) proposed §§ 3.504(a) and 3.504(v) excluded language from 45 CFR 160.504(c) and 160.548(e), respectively, relating to an affirmative defense under 45 CFR 160.410(b)(1), which is a defense unique to HIPAA and not included in the Patient Safety Act; (2) proposed § 3.504(c) excluded the provision at 45 CFR 160.508(c)(5) for remedied violations based on reasonable cause to be insulated from liability for a civil money penalty because there is no such requirement under the Patient Safety Act; (3) proposed § 3.504(e) substituted the term "identifiable patient safety work product" for "individually identifiable health information"; (4) proposed § 3.504(h) excluded the language in 45 CFR 160.518(a) relating to the provision of a statistical expert's report not less than 30 days before a scheduled hearing because we did not propose language permitting use of statistical sampling to estimate the number of violations; (5) proposed § 3.504(o) substituted "a confidentiality provision" for "an administrative simplification provision" in 45 CFR 160.532; (6) proposed § 3.504(p) substituted, for language not relevant to the Patient Safety Act in 45 CFR 160.534(b)(1), new language stating that the respondent has the burden of going forward and the burden of persuasion with respect to any challenge to the amount of a proposed civil money penalty, including any mitigating factors raised, and provided that good cause shown under 45 CFR 160.534(c) may be that identifiable patient safety work product has been introduced into evidence or is expected to be introduced into evidence; (7) proposed § 3.504(s) added language to provide that good cause for making redactions to the record would include the presence of identifiable patient safety work product; and (8) proposed §§ 3.504(l), (q), (r), and (u) substituted citations to subpart D of the Patient Safety rule, as appropriate.
We also explained in the proposed rule that we intended to maintain the alignment between these provisions and the HIPAA Enforcement Rule by incorporating any changes to the HIPAA Enforcement Rule that would become final based on the Department's Notice of Proposed Rulemaking entitled, "Revisions to Procedures for the Departmental Appeals Board and Other Departmental Hearings" (see 72 FR 73708 (December 28, 2007)). That Notice of Proposed Rulemaking proposed to amend the HIPAA Enforcement Rule at 45 CFR 160.508(c) and 160.548, and add a new provision at 160.554, providing that the Secretary may review all ALJ decisions that the Board has declined to review and all Board decisions for error in applying statutes, regulations, or interpretive policy. As of the publication date of this final rule, however, that regulation is not final.
Overview of Public Comments: We received no comments opposed to these provisions.
Final Rule: The final rule adopts the proposed provisions, except renumbers them into individual sections and republishes the referenced provisions of the HIPAA Enforcement Rule, as modified by the technical changes described above to adapt the provisions to the Patient Safety Act confidentiality provisions. The final rule includes the full text of such provisions for convenience of the reader.
Also, we incorporate one additional technical change to better adapt the language to this rule's confidentiality provisions, as well as one conforming change. In particular, at § 3.512(b)(11), we replace the term "privacy of" with "confidentiality of" in addition to replacing "individually identifiable health information" with "identifiable patient safety work product." In addition, at § 3.504(b), we replace the term "90 days" with "60 days." We proposed at § 3.420(a)(6) to include in a notice of proposed determination a statement that a respondent must request a hearing within 60 days or lose its right to a hearing under § 3.504. However, we inadvertently omitted from § 3.504 a conforming change to the language incorporated from 45 CFR 160.504(b) to change the hearing request deadline from 90 days to 60 days. Thus, this change is necessary to align the two provisions.
Response to Other Public Comments
Comment: One commenter asked that the final rule clarify the involvement of the Departmental Appeals Board during the hearings and appeals processes as well as whether the Secretary has authority to review ALJ decisions.
Response: Sections 3.504-3.552 of the final rule incorporate the provisions of the HIPAA Enforcement Rule, which lay out the hearings and appeals process. The current process provides that any party, including the Secretary, may appeal a decision of the ALJ to the Departmental Appeals Board, as well as file a reconsideration request with the Board following any Board decision. Unless the ALJ decision is timely appealed, such decision becomes final and binding on the parties 60 days from the date of service of the ALJ's decision.
Comment: One commenter asked that the final rule provide no restrictions to full judicial review for appeals and hearing requests.
Response: Section 3.548(k) provides respondents the right to petition for judicial review of the final decision of the Secretary once all administrative appeals have been exhausted, that is, once the Departmental Appeals Board has rendered a decision on appeal or reconsideration that has become the final decision of the Secretary, as appropriate.
Comment: One commenter suggested that any time patient safety work product could be disclosed in an ALJ proceeding, the proceeding should be closed to the public.
Response: The final rule at § 3.534(c) expressly provides that the ALJ may close a proceeding to the public for good cause shown, which may include the potential for patient safety work product to be introduced as evidence in the proceeding. We do not see a need to require that proceedings be closed under such circumstances but rather will continue to rely on the experienced discretion of the ALJ in determining such matters.
Regulatory Impact Analysis
AHRQ has previously analyzed the potential economic impact of this rule as part of its February 2008 Notice of Proposed Rulemaking (proposed rule) as required by Executive Order 12866 (September 1993, Regulatory Planning and Review), the Regulatory Flexibility Act (RFA) (September 16, 1980, Pub. L. 96-354), section 1102(b) of the Social Security Act, the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4), and Executive Order 13132. This analysis can be found on pages 8164 to 8171 of the proposed rule, which was published in the Federal Register on February 12, 2008.
Executive Order 12866 (as amended by Executive Order 13258, February 2002, and Executive Order 13422, January 2007), directs agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). A regulatory impact analysis (RIA) must be prepared for major rules with economically significant effects ($100 million or more in any 1 year). Although we cannot determine the specific economic impact of this final rule, we believe that the economic impact may approach $100 million. HHS has determined that the rule is "significant" because it raises novel legal and policy issues with the establishment of a new regulatory framework, authorized by the Patient Safety Act, and imposes requirements, albeit voluntary, on entities that had not been subject to regulation in this area.
In preparing the regulatory impact analysis for inclusion in the proposed rule, AHRQ did not develop an alternative to the statutorily authorized voluntary framework. In light of the approach taken in the proposed rule, alternatives would have been mandatory or more proscriptive as well as inconsistent with statutory intent. The proposed rule established a system in which entities would voluntarily seek designation (or "listing") by the Secretary as a Patient Safety Organization (PSO), most PSO requirements would be met by attestation and overall compliance assessed by spot-checks rather than document submission or routine audits, and the Department would look to the marketplace to assess the quality and value of each PSO. PSOs will not be Federally funded nor directed; their funding and activities will be determined by health care providers who seek their expert assistance in identifying the underlying causes of, and the best strategies for reducing or eliminating, medical errors. The proposed rule provided a foundation of confidentiality and privilege protections for information developed and exchanged when health care providers voluntarily choose to work with a PSO. We proposed that health care providers could receive the confidentiality and privilege protections of the statute by reporting information to a PSO occasionally, without entering contracts or incurring significant costs. Other health care providers could develop more costly internal systems that would serve as the hub of the provider's interactions with a PSO with which the provider had a contractual relationship; such structured, documented internal systems with dedicated personnel would be more costly. To create an "upper bound" on the analyses in the proposed rule, we assumed that all providers that would choose to work with PSOs would follow this more costly approach. 
It should be noted that most hospital providers already have patient safety reporting activities in place (98% according to a 2006 AHRQ survey). While documenting these activities and, it is hoped, expanding them through participation with a PSO will result in increased costs, that increase will be marginal, not complete, in the hospital community.
A summary of the AHRQ analysis of Patient Safety Act costs and benefits from the proposed rule follows below. For a full discussion of the assumptions underlying these estimates, please refer to the proposed rule.
Table 3—TOTAL PATIENT SAFETY ACT COSTS INCLUDING HOSPITAL COSTS AND PSO COSTS: 2009–2013
| Hospital Penetration Rate | 10% | 40% | 60% | 75% | 85% |
| Hospital Cost | $7.5 M | $30.0 M | $45.0 M | $56.2 M | $63.7 M |
| PSO Cost | $61.4 M | $92.1 M | $122.8 M | $122.8 M | $122.8 M |
| Total Cost | $68.9 M | $122.1 M | $167.8 M | $179.0 M | $186.5 M |
Source: Notice of Proposed Rulemaking published in the Federal Register on February 12, 2008: 73 FR 8112-8183.
Costs for PSO implementation were calculated by considering two components: costs incurred by hospitals in engaging in PSO activities and costs of PSOs themselves. It was assumed that in early years of PSO operation, the hospital would be the primary site of PSO-related activity. Hospital costs were assumed to be incremental, given that a previously-completed survey funded by AHRQ revealed that 98% of U.S. hospitals already have adverse event reporting systems, and virtually all hospitals have a safety/quality function. We assumed that PSOs would be staffed modestly, relying on existing hospital activities in reporting adverse events, and that a significant proportion of PSOs are likely to be component PSOs, with support and expertise provided by a parent organization. Our assumptions were that PSOs will hire dedicated staff of 1.5 to 4 FTEs, assuming an average salary rate of $67/hour. We also estimated that a significant overhead figure of 100%, coupled with 20% for General and Administrative (G&A) expenses, will cover the appreciable costs anticipated for legal, security, travel, and miscellaneous PSO expenses.
Provider—PSO Costs and Charges
We have not figured into our calculations any estimates for the price of PSO services, amounts paid by hospitals and other health care providers to PSOs, PSO revenues, or PSO break-even analyses. We have not speculated about subsidies or business models. Regardless of what the costs and charges are between providers and PSOs, they will cancel each other out, as expenses to providers will become revenue to PSOs.
Table 4—TOTAL ESTIMATED COST SAVINGS BY PERCENT REDUCTION IN ADVERSE EVENTS: 2009–2013*
| Hospital Penetration Rate | 10% | 40% | 60% | 75% | 85% |
| Percent Reduction in Adverse Events | 1% | 1.5% | 2% | 2.5% | 3% |
| Savings | $11.5 M | $69 M | $138 M | $215.625 M | $293.25 M |
*Source: Baseline figures from IOM Report, To Err Is Human, on total national health care costs associated with preventable adverse events (between 8.5 billion and 14.5 billion). Year 1 estimates are based on mid-point figures.
Table 5—NET BENEFITS: 2009–2013
| Total Benefits | $11.5 M | $69 M | $138 M | $215.625 M | $293.25 M |
| Total Costs | $68.9 M | $122.1 M | $167.8 M | $179.0 M | $186.5 M |
| Net Benefits | ($57.4) M | ($53.1) M | ($29.8) M | $36.625 M | $106.75 M |
| Discounted net present value at 3% | ($55.7) M | ($50.0) M | ($27.3) M | $32.5 M | $92.1 M |
| Discounted net present value at 7% | ($53.6) M | ($46.4) M | ($24.3) M | $27.9 M | $76.1 M |
The final rule includes several modifications that could alter the actual economic impact of the Patient Safety Act, but AHRQ concludes that these changes will not exceed the "upper bound" established in our previous analysis, and we anticipate that the actual economic impact may be less. Several changes incorporated in the final rule are likely to lower the costs of implementation. For example, the final rule has removed a requirement that PSOs that are components of other existing organizations must maintain separate information systems and, for all but a small category of component PSOs, we have removed restrictions on the use of shared staff. As we noted in our economic analysis, we expect the most common type of PSO to be ones that are established by one or more existing organizations. As commenters pointed out, personnel costs are likely to be the most significant cost facing a PSO, and the ability to share personnel means that skilled personnel are available at significantly less cost, and in some cases at no cost, than the PSO would pay to hire or externally contract for personnel. Similarly, the costs and administrative burdens associated with the development and maintenance were a major focus of commenters. These two changes are likely to have the greatest impact on reducing costs for PSOs.