U.S. Department of Health and Human Services www.hhs.gov
Agency for Healthcare Research and Quality www.ahrq.gov


Patient Safety and Quality Improvement. Final Rule (Continued)

There are two changes in the final rule that might increase costs slightly but selectively. The final rule parallels a HIPAA Privacy Rule requirement that business associates of covered entities must notify the covered entity if any of its protected health information has been inappropriately disclosed or its security breached. The final rule requires PSOs to notify the providers that submitted patient safety work product to the PSO if the work product it submitted has been disclosed or its security breached. As we noted in the proposed rule, the vast majority of providers reporting data will be covered entities under HIPAA and will need to include such notification requirements in the business associate agreements they will enter with PSOs. In addition, the HIPAA requirement is likely to apply in many disclosure or security breach situations because most work product is expected to contain protected health information. Nevertheless, this requirement may increase costs to the extent that PSOs receive work product from non-covered entities, although these potential increased costs will be dependent upon the vigilance with which the providers and PSOs meet their confidentiality and security requirements.

With respect to health care providers, the final rule does not impose requirements. The final rule does afford increased flexibility and protections to providers that voluntarily choose to both establish and document a more structured process for working with a PSO, i.e., what the rule terms a patient safety evaluation system, and document the flow of information into and out of the patient safety evaluation system. For providers who choose this option, the information they assemble and develop within their patient safety evaluation system will be accorded privilege and confidentiality, contingent upon the information ultimately being reported to a PSO, from the outset. To the extent that this encourages providers, who would not otherwise have done so, to establish a structured, documented patient safety evaluation system, there would be an increase in costs. As noted above, this should not significantly affect our previous analysis since we assumed all providers working with a PSO would have established a documented patient safety evaluation system.

Taking advantage of this option will also enable health care providers with integrated health information technology systems to avoid the requirement in the proposed rule that they maintain the assembly and development of patient safety work product separately from their routine data collection activities, which would have required a number of providers to establish dual information systems. While we expect that the costs of developing dual information collection systems would exceed the costs of developing and maintaining a structured, documented patient safety evaluation system, we do not estimate any savings because we cannot be clear how many providers would have incurred the dual health information technology systems costs or would have simply chosen to forego participation.

After considering the impact of the increased flexibility in the final rule for PSOs and health care providers, we now expect the implementation costs will be lower than those in our previous analysis.

Final Regulatory Flexibility Analysis

Since formation of a PSO is voluntary, formation is not likely to occur unless the organization believes it is an economically viable endeavor. Furthermore, PSOs are not likely to undertake tasks that will provide insufficient payment to cover their costs. Therefore, the Secretary certifies that the regulation will not impose a significant economic burden on a substantial number of small entities.

Unfunded Mandates Reform Act

Section 202 of the Unfunded Mandates Reform Act requires that a covered agency prepare a budgetary impact statement before promulgating a rule that includes any Federal mandate that may result in the expenditure by State, local, and Tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year. The Department has determined that this final rule will not impose a mandate that will result in the expenditure by State, Local, and Tribal governments, in the aggregate, or by the private sector, of more than $100 million in any one year.

Paperwork Reduction Act

This final rule adding a new Part 3 to volume 42 of the Code of Federal Regulations contains information collection requirements. This summary includes the estimated costs and assumptions for the paperwork requirements related to the final rule.

With respect to § 3.102 concerning the submission of certifications for initial and continued listing as a PSO, and of updated information, all such information would be submitted on the "Patient Safety Organization: Certification for Initial Listing" form. To maintain its listing, a PSO must also submit a brief attestation, once every 24-month period after its initial date of listing, submitted on the "Attestation Regarding the Two Bona Fide Contracts Requirement" form, stating that it has entered contracts with two providers. We estimate that the final rule will create an average burden of 30 minutes annually for each entity that seeks to become a PSO to complete the necessary certification forms. Table 1 summarizes burden hours.

Table 1—TOTAL BURDEN HOURS RELATED TO CERTIFICATION FORMS

[Summary of all burden hours, by provision, for PSOs]

| Provision | Annualized burden hours |
|---|---|
| 3.112 | 30 minutes. |

Under 5 CFR 1320.3(c), a covered collection of information includes the requirement by an agency of a disclosure of information to third parties by means of identical reporting, recordkeeping, or disclosure requirements, imposed on ten or more persons. The final rule reflects the previously established reporting requirements for breach of confidentiality applicable to business associates under HIPAA regulations requiring contracts to contain a provision requiring the business associate (in this case, the PSO) to notify providers of breaches of their identifiable patient data's confidentiality or security. Accordingly, this reporting requirement referenced in the regulation previously met Paperwork Reduction Act review requirements.

The final rule requires in § 3.108(c) that a PSO notify the Secretary if it intends to relinquish voluntarily its status as a PSO. The entity is required to notify the Secretary that it has, or will soon, alert providers and other organizations from which it has received patient safety work product or data of its intention and provide for the appropriate disposition of the data in consultation with each source of patient safety work product or data held by the entity. In addition, the entity is asked to provide the Secretary with current contact information for further communication from the Secretary as the entity ceases operations. The reporting aspect of this requirement is essentially an attestation that is equivalent to the requirements for listing, continued listing, and meeting the minimum contracts requirement. This minimal data requirement would come within 5 CFR 1320.3(h)(1) which provides an exception from PRA requirements for affirmations, certifications, or acknowledgments as long as they entail no burden other than that necessary to identify the respondent, the date, the respondent's address, and the nature of the instrument. In this case, the nature of the instrument is an attestation that the PSO is working with its providers for the orderly cessation of activities. The following other collections of information that are required by the final regulation under § 3.108 are also exempt from PRA requirements pursuant to an exception in 5 CFR 1320.4 for information gathered as part of administrative investigations and actions regarding specific parties: information supplied in response to preliminary agency determinations of PSO deficiencies or in response to proposed revocation and delisting, e.g., information providing the agency with correct facts, reporting corrective actions taken, or appealing proposed agency revocation decisions.

AHRQ and OCR published in the Federal Register their proposed information collection forms on February 20, 2008. Following the first, 60-day comment period, the forms were again published in the Federal Register on April 21, 2008, to begin the second, 30-day comment period. The forms were not changed following the first comment period, and they and the one comment received were sent to OMB, which received them on April 25, 2008. Minor changes to the proposed forms will be necessary to align them with the final rule. AHRQ and OCR will work with OMB to ensure that the forms needed to implement the Patient Safety Act conform to the requirements of the final rule.

Federalism

Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a final rule that imposes substantial direct requirement costs on state and local governments, preempts State law, or otherwise has Federalism implications. The Patient Safety Act upon which the final regulation is based makes patient safety work product confidential and privileged. To the extent this is inconsistent with any state law, including court decisions, the Federal statute preempts such state law or court order. The final rule will not have any greater preemptive effect on state or local governments than that imposed by the statute. While the Patient Safety Act does establish new Federal confidentiality and privilege protections for certain information, these protections only apply when health care providers work with PSOs and new processes, such as patient safety evaluation systems, that do not currently exist. These Federal data protections provide a mechanism for protection of sensitive information that could improve the quality, safety, and outcomes of health care by fostering a non-threatening environment in which information about adverse medical events and near misses can be discussed. It is hoped that confidential analysis of patient safety events will reduce the occurrence of adverse medical events and, thereby, reduce the costs arising from such events, including costs incurred by state and local governments attributable to such events. In addition, the Patient Safety Act and the final rule do not relieve health care providers of their responsibilities to comply with state reporting requirements.

AHRQ, in conjunction with OCR, held three public listening sessions prior to drafting the proposed rule. Representatives of several states participated in these sessions. In particular, states that had begun to collect and analyze patient safety event information spoke about their related experiences and plans. Following publication of the proposed rule, AHRQ consulted with state officials and organizations to review the scope of the proposed rule and to specifically seek input on federalism issues and a proposal in the rule at proposed § 3.102(a)(2) that would limit the ability of public or private sector regulatory entities to seek listing as a PSO. AHRQ received no expressions of concerns regarding the Federalism aspects of the proposed rule although several State health departments and commissions submitted written comments regarding the PSO eligibility criteria in the proposed rule.

OMB Accounting Statement

The table below summarizes the estimated costs and benefits of implementing the Patient Safety and Quality Improvement Act for the next five years, beginning with January 1, 2009, by which time it is expected that the rule will be effective.

The figures in the table are derived from the regulatory impact analyses outlined above and, more completely, in the February 12, 2008 NPRM published in the Federal Register, on pages 8164 to 8171. As in the previous analyses, the range of benefits derives directly from the range of potentially-avoidable incidents cited (estimated) in IOM Report, To Err Is Human. The range of costs is the same as was included in the NPRM, where minimum and maximum estimates were calculated as 10% above and 10% below the Agency's primary estimate of costs.

All figures are calculated at two discount rates, 7% and 3%, and dollars are held constant at the 2008 level. The discount rates, 3% or 7%, represent two rates of return that might be expected from government investments. The purpose is to project the expected future costs and benefits in today's dollars. (Future dollars will be worth less than today's dollars, barring appropriate investments.) Figures are annualized, that is average-per-year over the five years.

OMB #:
Agency/Program Office: AHRQ
Rule Title: Patient Safety and Quality Improvement Act
RIN #:
Date: 8/25/2008

| CATEGORY | Primary Estimate (millions) | Minimum Estimate (millions) | Maximum Estimate (millions) | Source Citation (RIA, preamble, etc.) |
|---|---|---|---|---|
| BENEFITS | $145.5 | $107.5 | $183.4 | AHRQ Analysis. |
| Annualized discounted (5 years) | | | | |
| @ 7% | $111.5 | $82.4 | $140.5 | |
| @ 3% | $129.4 | $95.7 | $163.2 | |
| COSTS | $144.9 | $130.4 | $159.3 | AHRQ Analysis. |
| Annualized discounted (5 years) | | | | |
| @ 7% | $115.5 | $104.0 | $127.1 | |
| @ 3% | $131.1 | $118.0 | $144.2 | |
| Transfers | N/A | | | |
| Effects on small businesses | N/A | | | |
| Effects on States and tribes | N/A | | | |

List of Subjects in 42 CFR Part 3

Administrative practice and procedure, Civil money penalty, Confidentiality, Conflict of interests, Courts, Freedom of information, Health, Health care, Health facilities, Health insurance, Health professions, Health records, Hospitals, Investigations, Law enforcement, Medical research, Organization and functions, Patient, Patient safety, Privacy, Privilege, Public health, Reporting and recordkeeping requirements, Safety, State and local governments, Technical assistance.

For the reasons stated in the preamble, the Department of Health and Human Services amends Title 42 of the Code of Federal Regulations by adding a new part 3 to read as follows:

PART 3—PATIENT SAFETY ORGANIZATIONS AND PATIENT SAFETY WORK PRODUCT

Subpart A—General Provisions.
    Section 3.10—Purpose.
    Section 3.20—Definitions.
Subpart B—PSO Requirements and Agency Procedures.
    Section 3.102—Process and requirements for initial and continued listing of PSOs.
    Section 3.104—Secretarial actions.
    Section 3.106—Security requirements.
    Section 3.108—Correction of deficiencies, revocation, and voluntary relinquishment.
    Section 3.110—Assessment of PSO compliance.
    Section 3.112—Submissions and forms.
Subpart C—Confidentiality and Privilege Protections of Patient Safety Work Product.
    Section 3.204—Privilege of patient safety work product.
    Section 3.206—Confidentiality of patient safety work product.
    Section 3.208—Continued protection of patient safety work product.
    Section 3.210—Required disclosure of patient safety work product to the Secretary.
    Section 3.212—Nonidentification of patient safety work product.
Subpart D—Enforcement Program.
    Section 3.304—Principles for achieving compliance.
    Section 3.306—Complaints to the Secretary.
    Section 3.308—Compliance reviews.
    Section 3.310—Responsibilities of respondents.
    Section 3.312—Secretarial action regarding complaints and compliance reviews.
    Section 3.314—Investigational subpoenas and inquiries.
    Section 3.402—Basis for a civil money penalty.
    Section 3.404—Amount of a civil money penalty.
    Section 3.408—Factors considered in determining the amount of a civil money penalty.
    Section 3.414—Limitations.
    Section 3.416—Authority to settle.
    Section 3.418—Exclusivity of penalty.
    Section 3.420—Notice of proposed determination.
    Section 3.422—Failure to request a hearing.
    Section 3.424—Collection of penalty.
    Section 3.426—Notification of the public and other agencies.
    Section 3.504—Hearings before an ALJ.
    Section 3.506—Rights of the parties.
    Section 3.508—Authority of the ALJ.
    Section 3.510—Ex parte contacts.
    Section 3.512—Prehearing conferences.
    Section 3.514—Authority to settle.
    Section 3.516—Discovery.
    Section 3.518—Exchange of witness lists, witness statements, and exhibits.
    Section 3.520—Subpoenas for attendance at hearing.
    Section 3.522—Fees.
    Section 3.524—Form, filing, and service of papers.
    Section 3.526—Computation of time.
    Section 3.528—Motions.
    Section 3.530—Sanctions.
    Section 3.532—Collateral estoppel.
    Section 3.534—The hearing.
    Section 3.538—Witnesses.
    Section 3.540—Evidence.
    Section 3.542—The record.
    Section 3.544—Post hearing briefs.
    Section 3.546—ALJ's decision.
    Section 3.548—Appeal of the ALJ's decision.
    Section 3.550—Stay of the Secretary's decision.
    Section 3.552—Harmless error.

  Authority: 42 U.S.C. 216, 299b-21 through 299b-26; 42 U.S.C. 299c-6.

Subpart A—General Provisions

§ 3.10 Purpose.

The purpose of this Part is to implement the Patient Safety and Quality Improvement Act of 2005 (Pub. L. 109-41), which amended Title IX of the Public Health Service Act (42 U.S.C. 299 et seq.) by adding sections 921 through 926, 42 U.S.C. 299b-21 through 299b-26.

§ 3.20 Definitions.

As used in this Part, the terms listed alphabetically below have the meanings set forth as follows:

Affiliated provider means, with respect to a provider, a legally separate provider that is the parent organization of the provider, is under common ownership, management, or control with the provider, or is owned, managed, or controlled by the provider.

AHRQ stands for the Agency for Healthcare Research and Quality in HHS.

ALJ stands for an Administrative Law Judge of HHS.

Board means the members of the HHS Departmental Appeals Board, in the Office of the Secretary, which issues decisions in panels of three.

Bona fide contract means:

(1) A written contract between a provider and a PSO that is executed in good faith by officials authorized to execute such contract; or

(2) A written agreement (such as a memorandum of understanding or equivalent recording of mutual commitments) between a Federal, State, local, or Tribal provider and a Federal, State, local, or Tribal PSO that is executed in good faith by officials authorized to execute such agreement.

Complainant means a person who files a complaint with the Secretary pursuant to § 3.306.

Component organization means an entity that:

(1) Is a unit or division of a legal entity (including a corporation, partnership, or a Federal, State, local or Tribal agency or organization); or

(2) Is owned, managed, or controlled by one or more legally separate parent organizations.

Component PSO means a PSO listed by the Secretary that is a component organization.

Confidentiality provisions means for purposes of Subparts C and D, any requirement or prohibition concerning confidentiality established by sections 921 and 922(b)-(d), (g) and (i) of the Public Health Service Act, 42 U.S.C. 299b-21, 299b-22(b)-(d), (g) and (i) and the provisions, at §§ 3.206 and 3.208, that implement the statutory prohibition on disclosure of identifiable patient safety work product.

Disclosure means the release, transfer, provision of access to, or divulging in any other manner of patient safety work product by:

(1) An entity or natural person holding the patient safety work product to another legally separate entity or natural person, other than a workforce member of, or a health care provider holding privileges with, the entity holding the patient safety work product; or

(2) A component PSO to another entity or natural person outside the component PSO and within the legal entity of which the component PSO is a part.

Entity means any organization or organizational unit, regardless of whether the organization is public, private, for-profit, or not-for-profit.

Group health plan means an employee welfare benefit plan (as defined in section 3(1) of the Employee Retirement Income Security Act of 1974 (ERISA)) to the extent that the plan provides medical care (as defined in paragraph (2) of section 2791(a) of the Public Health Service Act, including items and services paid for as medical care) to employees or their dependents (as defined under the terms of the plan) directly or through insurance, reimbursement, or otherwise.

Health insurance issuer means an insurance company, insurance service, or insurance organization (including a health maintenance organization, as defined in 42 U.S.C. 300gg-91(b)(3)) which is licensed to engage in the business of insurance in a State and which is subject to State law which regulates insurance (within the meaning of 29 U.S.C. 1144(b)(2)). This term does not include a group health plan.

Health maintenance organization means:

(1) A Federally qualified health maintenance organization (HMO) (as defined in 42 U.S.C. 300e(a));

(2) An organization recognized under State law as a health maintenance organization; or

(3) A similar organization regulated under State law for solvency in the same manner and to the same extent as such a health maintenance organization.

HHS stands for the United States Department of Health and Human Services.

HIPAA Privacy Rule means the regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), at 45 CFR Part 160 and Subparts A and E of Part 164.

Identifiable patient safety work product means patient safety work product that:

(1) Is presented in a form and manner that allows the identification of any provider that is a subject of the work product, or any providers that participate in, or are responsible for, activities that are a subject of the work product;

(2) Constitutes individually identifiable health information as that term is defined in the HIPAA Privacy Rule at 45 CFR 160.103; or

(3) Is presented in a form and manner that allows the identification of an individual who in good faith reported information directly to a PSO or to a provider with the intention of having the information reported to a PSO ("reporter").

Nonidentifiable patient safety work product means patient safety work product that is not identifiable patient safety work product in accordance with the nonidentification standards set forth at § 3.212.

OCR stands for the Office for Civil Rights in HHS.

Parent organization means an organization that: owns a controlling interest or a majority interest in a component organization; has the authority to control or manage agenda setting, project management, or day-to-day operations; or the authority to review and override decisions of a component organization. The component organization may be a provider.

Patient Safety Act means the Patient Safety and Quality Improvement Act of 2005 (Pub. L. 109-41), which amended Title IX of the Public Health Service Act (42 U.S.C. 299 et seq.) by inserting a new Part C, sections 921 through 926, which are codified at 42 U.S.C. 299b-21 through 299b-26.

Patient safety activities means the following activities carried out by or on behalf of a PSO or a provider:

(1) Efforts to improve patient safety and the quality of health care delivery;

(2) The collection and analysis of patient safety work product;

(3) The development and dissemination of information with respect to improving patient safety, such as recommendations, protocols, or information regarding best practices;

(4) The utilization of patient safety work product for the purposes of encouraging a culture of safety and of providing feedback and assistance to effectively minimize patient risk;

(5) The maintenance of procedures to preserve confidentiality with respect to patient safety work product;

(6) The provision of appropriate security measures with respect to patient safety work product;

(7) The utilization of qualified staff; and

(8) Activities related to the operation of a patient safety evaluation system and to the provision of feedback to participants in a patient safety evaluation system.

Patient safety evaluation system means the collection, management, or analysis of information for reporting to or by a PSO.

Patient safety organization (PSO) means a private or public entity or component thereof that is listed as a PSO by the Secretary in accordance with Subpart B. A health insurance issuer or a component organization of a health insurance issuer may not be a PSO. See also the exclusions in § 3.102 of this Part.

Patient safety work product:

(1) Except as provided in paragraph (2) of this definition, patient safety work product means any data, reports, records, memoranda, analyses (such as root cause analyses), or written or oral statements (or copies of any of this material)

(i) Which could improve patient safety, health care quality, or health care outcomes; and

(A) Which are assembled or developed by a provider for reporting to a PSO and are reported to a PSO, which includes information that is documented as within a patient safety evaluation system for reporting to a PSO, and such documentation includes the date the information entered the patient safety evaluation system; or

(B) Are developed by a PSO for the conduct of patient safety activities; or

(ii) Which identify or constitute the deliberations or analysis of, or identify the fact of reporting pursuant to, a patient safety evaluation system.

(2)(i) Patient safety work product does not include a patient's medical record, billing and discharge information, or any other original patient or provider information; nor does it include information that is collected, maintained, or developed separately, or exists separately, from a patient safety evaluation system. Such separate information or a copy thereof reported to a PSO shall not by reason of its reporting be considered patient safety work product.

(ii) Patient safety work product assembled or developed by a provider for reporting to a PSO may be removed from a patient safety evaluation system and no longer considered patient safety work product if:

(A) The information has not yet been reported to a PSO; and

(B) The provider documents the act and date of removal of such information from the patient safety evaluation system.

(iii) Nothing in this part shall be construed to limit information that is not patient safety work product from being:

(A) Discovered or admitted in a criminal, civil or administrative proceeding;

(B) Reported to a Federal, State, local or Tribal governmental agency for public health or health oversight purposes; or

(C) Maintained as part of a provider's recordkeeping obligation under Federal, State, local or Tribal law.

Person means a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.

Provider means:

(1) An individual or entity licensed or otherwise authorized under State law to provide health care services, including—

(i) A hospital, nursing facility, comprehensive outpatient rehabilitation facility, home health agency, hospice program, renal dialysis facility, ambulatory surgical center, pharmacy, physician or health care practitioner's office (includes a group practice), long term care facility, behavior health residential treatment facility, clinical laboratory, or health center; or

(ii) A physician, physician assistant, registered nurse, nurse practitioner, clinical nurse specialist, certified registered nurse anesthetist, certified nurse midwife, psychologist, certified social worker, registered dietitian or nutrition professional, physical or occupational therapist, pharmacist, or other individual health care practitioner;

(2) Agencies, organizations, and individuals within Federal, State, local, or Tribal governments that deliver health care, organizations engaged as contractors by the Federal, State, local, or Tribal governments to deliver health care, and individual health care practitioners employed or engaged as contractors by the Federal, State, local, or Tribal governments to deliver health care; or

(3) A parent organization of one or more entities described in paragraph (1)(i) of this definition or a Federal, State, local, or Tribal government unit that manages or controls one or more entities described in paragraphs (1)(i) or (2) of this definition.

Research has the same meaning as the term is defined in the HIPAA Privacy Rule at 45 CFR 164.501.

Respondent means a provider, PSO, or responsible person who is the subject of a complaint or a compliance review.

Responsible person means a person, other than a provider or a PSO, who has possession or custody of identifiable patient safety work product and is subject to the confidentiality provisions.

Workforce means employees, volunteers, trainees, contractors, or other persons whose conduct, in the performance of work for a provider, PSO or responsible person, is under the direct control of such provider, PSO or responsible person, whether or not they are paid by the provider, PSO or responsible person.

 
