III. Section by Section Description of the Proposed Rule
A. Subpart A--General Provision
1. Proposed Sec. 3.10--Purpose
The purpose of this proposed Part is to implement the Patient Safety and Quality Improvement Act of 2005 (Pub. L. 109-41), which amended the Public Health Service Act (42 U.S.C. 299 et seq.) by inserting new sections 921 through 926, 42 U.S.C. 299b-21 through 299b-26.
2. Proposed Sec. 3.20--Definitions
Section 921 of the Public Health Service Act, 42 U.S.C. 299b-21, defines several terms, and our proposed rules would, for the most part, restate the law. In some instances, we propose to clarify definitions to fit within the proposed framework. We also propose some new definitions for convenience and to clarify the application and operation of this proposed rule. Moreover, we reference terms defined under the HIPAA Privacy Rule for ease of interpretation and consistency, given the overlap between the Patient Safety Act protections of patient-identifiable patient safety work product (discussed below) and the HIPAA Privacy Rule.
Proposed Sec. 3.20 would establish the basic definitions applicable to this proposed rule, as follows:
AHRQ stands for the Agency for Healthcare Research and Quality in the U.S. Department of Health and Human Services (HHS). This definition is added for convenience.
ALJ stands for an Administrative Law Judge at HHS. This definition is added for convenience in describing the process for appealing civil money penalty determinations.
Board would mean the members of the HHS Departmental Appeals Board. This definition is added for convenience in providing for appeals of civil money penalty determinations.
Bona fide contract would mean (a) a written contract between a provider and a PSO that is executed in good faith by officials authorized to execute such contract; or (b) a written agreement (such as a memorandum of understanding or equivalent recording of mutual commitments) between a Federal, State, local, or Tribal provider and a Federal, State, local, or Tribal PSO that is executed in good faith by officials authorized to execute such agreement.
In addition to the primary interpretation of an enforceable contract under applicable law as proposed under paragraph (a) of this definition, we propose to make the scope of the term broad enough to encompass agreements between health care providers and PSOs that are components of Federal, State, local or Tribal governments or government agencies. Such entities could clearly perform the same data collection and analytic functions as performed by other providers and PSOs that the Patient Safety Act seeks to foster. Thus, paragraph (b) of the definition recognizes that certain government entities may not enter a formal contract with each other, but may only make a commitment with other agencies through the mechanism of some other type of agreement.
We note that proposed Sec. 3.102(a)(2) incorporates the statutory restriction that a health insurance issuer and a component of a health insurance issuer may not become a PSO. That section also proposes to prohibit the listing of public and private entities that conduct regulatory oversight of health care providers, including accreditation and licensure.
Complainant would mean a person who files a complaint with the Secretary pursuant to proposed Sec. 3.306.
Component Organization would mean an entity that is either: (a) A unit or division of a corporate organization or of a multi-organizational enterprise; or (b) a separate organization, whether incorporated or not, that is owned, managed or controlled by one or more other organizations (i.e., its parent organization(s)). We discuss our preliminary interpretation of the terms "owned," "managed," or "controlled" in the definition of parent organization. Multi-organizational enterprise, as used here, means a common business or professional undertaking in which multiple entities participate as well as governmental agencies or Tribal entities in which there are multiple components.\8\
\8\ The concept of multi-organizational enterprise as used in this regulation, in case law, and in legal reference works such as Blumberg on Corporate Groups, Sec. 6.04 (2d ed. 2007 Supplement) refers to multi-organizational undertakings with separate corporations or organizations that are integrated in a common business activity. The component entities are often, but not necessarily, characterized by interdependence and some form of common control, typically by agreement. Blumberg notes that health care providers increasingly are integrated in various forms of multi-organizational enterprises.
We anticipate that PSOs may be established by a wide array of health-related organizations and quality improvement enterprises, including hospitals, nursing homes and health care provider systems, health care professional societies, academic and commercial research organizations, Federal, State, local, and Tribal governmental units that are not subject to the proposed restriction on listing in proposed Sec. 3.102(a)(2), as well as joint undertakings by combinations of such organizations. One effect of defining component organization as we propose is that, pursuant to section 924 of the Patient Safety Act, 42 U.S.C. 299b-24, all applicant PSOs that fall within the scope of the definition of component organization must certify to the separation of confidential patient safety work product and staff from the rest of any organization or multi-organizational enterprise of which they (in the conduct of their work) are a part. Component organizations must also certify that their stated mission can be accomplished without conflicting with the rest of their parent organization(s).
A subsidiary corporation may, in certain circumstances, be viewed as part of a multi-organizational enterprise with its parent corporation and would be so regarded under the proposed regulation. Thus, an entity, such as a PSO that is set up as a subsidiary by a hospital chain, would be considered a component of the corporate chain and a component PSO for purposes of this proposed rule. Considering a subsidiary of a corporation to be a "component" of its parent organization may seem contrary to the generally understood separateness of a subsidiary in its corporate relationship with its parent.\9\
That is, where two corporate entities are legally separate, one entity would ordinarily not be considered a component of the other entity, even when that other entity has a controlling interest or exercises some management control. However, we have preliminarily determined that viewing a subsidiary entity that seeks to be a PSO as a component of its parent organization(s) would be consistent with the objectives of the section on certifications required of component organizations in the Patient Safety Act and appears to be consistent with trends in the law discussed below. We invite comment on our interpretation.
\9\ Corporations are certain types of organizations that are given legal independence and rights (e.g., the right to litigate). Subsidiary corporations are corporations in which a majority of the shares are owned by another corporation, known as a parent corporation. Thus, subsidiaries are independent corporate entities in a formal legal sense, yet, at the same time, they are controlled, to some degree, by their parent by virtue of stock ownership and control. Both corporations and subsidiaries are legal constructs designed to foster investment and commerce by limiting entrepreneurial risks and corporate liabilities. In recognition of the legitimate utility of these objectives, courts have generally respected the separateness of parent corporations and subsidiaries (e.g., courts do not ordinarily allow the liabilities of a subsidiary to be attributed to its parent corporation, despite the fact that by definition, parent corporations have a measure of control over a subsidiary). However, courts have looked behind the separate legal identities that separate parent and subsidiary to impose liability when individuals in litigation can establish that actual responsibility rests with a parent corporation by virtue of the degree and manner in which it has exercised control over its subsidiary. Under these circumstances, courts permit "the corporate veil to be pierced."
Corporations law or "entity law," which emphasizes the separateness and distinct rights and obligations of a corporation, has been supplemented by the development of "relational law" when necessary (e.g., to address evolving organizational arrangements such as multi-organizational enterprises). To determine rights and obligations in these circumstances, courts weigh the relationships of separate corporations that are closely related by virtue of participating in the same enterprise, (i.e., a common chain of economic activity fostering and characterized by interdependence).\10\ There has been a growing trend in various court decisions to attribute legal responsibilities based on actual behavior in organizational relationships, rather than on corporate formalities.
\10\ See Phillip I. Blumberg Et Al., Blumberg On Corporate Groups Sec. Sec. 6.01 and 6.02.
We stress that neither the statute nor the proposed regulation imposes any legal responsibilities, obligations, or liability on the organization(s) of which a component PSO is a part. The focus of the Patient Safety Act and the regulation is principally on the entity that voluntarily seeks listing by the Secretary as a PSO.
We note that two of the three certifications that the Patient Safety Act and the proposed regulation require component entities to make--relating to the security and confidentiality of patient safety work product--are essentially duplicative of attestations that are required of all entities seeking listing or continued listing as a PSO (certifications made under section 924(a)(1)(A) and (a)(2)(A) of the Public Health Service Act, 42 U.S.C. 299b-24(a)(1)(A) and (a)(2)(A) with respect to patient safety activities described in section 921(5)(E) and (F) of the Public Health Service Act, 42 U.S.C. 299b-21(5)(E) and (F)). That is, under the Patient Safety Act, all PSOs have to attest that they have in place policies and procedures to, and actually do, perform patient safety activities, which include the maintenance of procedures to preserve patient safety work product confidentiality and the provision of appropriate security measures for patient safety work product. The overlapping nature of these confidentiality and security requirements on components suggests heightened congressional concern and emphasis regarding the need to maintain a strong "firewall" between a component PSO and its parent organization, which might have the opportunity and potential to access sensitive patient safety work product the component PSO assembles, develops, and maintains. A similar concern arises in the context of a PSO that is a unit of a corporate parent, a subsidiary or an entity affiliated with other organizations in a multi-organizational enterprise.
Requiring entities seeking listing to disclose whether they have a parent organization or are part of a multi-organizational enterprise does not involve "piercing the corporate veil" as discussed in the footnote above. The Department would not be seeking this information to hold a parent liable for actions of the PSO, but to ensure full disclosure to the Department about the organizational relationships of an entity seeking to be listed as a PSO. Accordingly, we propose that an entity seeking listing as a PSO must do so as a component organization if it has one or more parent organizations (as described here and in the proposed definition of that term) or is part of a multi-organizational enterprise, and it must provide the names of its parent entities. If it has a parent or several parent organizations, as defined by the proposed regulation, the entity seeking to be listed must provide the additional certifications mandated by the statute and by the proposed regulation at Sec. 3.102(c) to maintain the separateness of its patient safety work product from its parent(s) and from other components or affiliates\11\ of its parent(s). Such certifications are consistent with the above-cited body of case law that permits and makes inquiries about organizational relationships and practices for purposes of carrying out statutes and statutory objectives.
\11\ Corporate affiliates are commonly controlled corporations; sharing a corporate parent, they are sometimes referred to as sister corporations. Separate corporations that are part of a multi-organizational enterprise are also referred to by the common terms "affiliates" or "affiliated organizations".
It may be helpful to illustrate how a potential applicant for listing should apply these principles in determining whether to seek listing as a component PSO. The fundamental principle is that if there is a parent organization relationship present and the entity is not prohibited from seeking listing by proposed Sec. 3.102(a)(2), the entity must seek listing as a component PSO. In determining whether an entity must seek listing as a component organization, we note that it does not matter whether the entity is a component of a provider or a non-provider organization and, if it is a component of a provider organization, whether it will undertake patient safety activities for the parent organization's providers or providers that have no relationship with its parent organization(s). The focus here is primarily on establishing the separateness of the entity's operation from any type of parent organization. Examples of entities that would need to seek listing as a component organization include: A division of a provider or non-provider organization; a subsidiary entity created by a provider or non-provider organization; or a joint venture created by several organizations (which could include provider organizations, non-provider organizations, or a mix of such organizations) where any or all of the organizations have a measure of control over the joint venture.
Other examples of entities that would need to seek listing as a component PSO include: a division of a nursing home chain; a subsidiary entity created by a large academic health center or health system; or a joint venture created by several organizations to seek listing as a PSO where any or all of the organizations have a measure of control over the joint venture.
Component PSO would mean a PSO listed by the Secretary that is a component organization.
Confidentiality provisions would mean any requirement or prohibition concerning confidentiality established by Sections 921 and 922(b)-(d), (g) and (i) of the Public Health Service Act, 42 U.S.C. 299b-21 and 299b-22(b)-(d), (g) and (i), and the proposed provisions, at Sec. Sec. 3.206 and 3.208, by which we propose to implement the prohibition on disclosure of identifiable patient safety work product. We proposed to define this new term to provide an easy way to reference the provisions in the Patient Safety Act and in the proposed rule that implements the confidentiality protections of the Patient Safety Act for use in the enforcement and penalty provisions of this proposed rule. We found this a useful approach in the HIPAA Enforcement Rule, where we defined "administrative simplification provision" for that purpose. In determining how to define "confidentiality provisions" that could be violated, we considered the statutory enforcement provision at section 922(f) of the Public Health Service Act, 42 U.S.C. 299b-22(f), which incorporates by reference section 922(b) and (c).\12\ Thus, the enforcement authority clearly implicates sections 922(b) and (c) of the Patient Safety Act, 42 U.S.C. 299b-22(b) and (c), which are implemented in proposed Sec. 3.206. Section 922(d) of the Patient Safety Act, 42 U.S.C. 299b-22(d), is entitled the "Continued Protection of Information After Disclosure" and sets forth continued confidentiality protections for patient safety work product after it has been disclosed under section 922(c) of the Public Health Service Act, 42 U.S.C. 299b-22(c), with certain exceptions. Thus, section 922(d) of the Public Health Service Act, 42 U.S.C. 299b-22(d), is a continuation of the confidentiality protections provided for in section 922(b) of the Public Health Service Act, 42 U.S.C. 299b-22(b). Therefore, we also consider the continued confidentiality provision at proposed Sec. 3.208 herein to be one of the confidentiality provisions. 
In addition, our understanding of these provisions is based on the rule of construction in section 922(g) of the Public Health Service Act, 42 U.S.C. 299b-22(g), and the clarification with respect to HIPAA in section 922(i) of the Public Health Service Act, 42 U.S.C. 299b-22(i); accordingly, these provisions are included in the definition.
\12\ Section 922(f) of the Public Health Service Act, 42 U.S.C. 299b-22(f), states that "subject to paragraphs (2) and (3), a person who discloses identifiable patient safety work product in knowing or reckless violation of subsection (b) shall be subject to a civil money penalty of not more than $10,000 for each act constituting such violation" (emphasis added). Subsection (b) of section 922 of the Public Health Service Act, 42 U.S.C. 299b-22(b), is entitled, "Confidentiality of Patient Safety Work Product" and states, "Notwithstanding any other provision of Federal, State, or local law, and subject to subsection (c), patient safety work product shall be confidential and shall not be disclosed" (emphasis added). Section 922(c) of the Public Health Service Act, 42 U.S.C. 299b-22(c), in turn, contains the exceptions to confidentiality and privilege protections.
In contrast to the confidentiality provisions, the privilege provisions in the Patient Safety Act will be enforced by the tribunals or agencies that are subject to them; the Patient Safety Act does not authorize the imposition of civil money penalties for breach of such provisions. We note, however, that to the extent a breach of privilege is also a breach of confidentiality, the Secretary would enforce the confidentiality breach under 42 U.S.C. 299b-22(f).
Disclosure would mean the release, transfer, provision of access to, or divulging in any other manner of patient safety work product by a person holding patient safety work product to another person. An impermissible disclosure (i.e., a disclosure of patient safety work product in violation of the confidentiality provisions) is the action upon which potential liability for a civil money penalty rests. Generally, if the person holding patient safety work product is an entity, disclosure occurs when the information is shared with another entity or a natural person outside the entity. We do not propose to hold entities liable for uses of the information within the entity, (i.e., when this information is exchanged or shared among the workforce members of the entity) except as noted below concerning component PSOs. If a natural person holds patient safety work product, except in the capacity as a workforce member, a disclosure occurs whenever exchange occurs to any other person or entity. In light of this definition, we note that a disclosure to a contractor that is under the direct control of an entity (i.e., a workforce member) would be a use of the information within the entity and, therefore, not a disclosure for which a permission is needed. However, a disclosure to an independent contractor would not be a disclosure to a workforce member, and thus, would be a disclosure for purposes of this proposed rule and the proposed enforcement provisions under Subpart D.
For component PSOs, we propose to recognize as a disclosure the sharing or transfer of patient safety work product outside of the legal entity, as described above, and between the component PSO and the rest of the organization (i.e., parent organization) of which the component PSO is a part. The Patient Safety Act demonstrates a strong desire for the separation of patient safety work product between a component PSO and the rest of the organization. See section 924(b)(2) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(2). Because we propose to recognize component organizations as component PSOs which exist within, but distinct from, a single legal entity, and such a component organization as a component PSO would be required to certify to limit access to patient safety work product under proposed Sec. 3.102(c), the release, transfer, provision of access to, or divulging in any other manner of patient safety work product from a component PSO to the rest of the organization will be recognized as a disclosure for purposes of this proposed rule and the proposed enforcement provisions under Subpart D.
We considered whether or not we should hold entities liable for disclosures that occur within that entity (uses) by defining disclosure more discretely, (i.e., as between persons within an entity). If we were to define disclosure in this manner, it may promote better safeguarding against inappropriate uses of patient safety work product by providers and PSOs. It may also allow better control of uses by third parties to whom patient safety work product is disclosed, and it would create additional enforcement situations which could lead to additional potential civil money penalties. We note that HIPAA authorized the Department to regulate both the uses and disclosures of individually identifiable health information and, thus, the HIPAA Privacy Rule regulates both the uses and disclosures of such information by HIPAA covered entities. See section 264(b) and (c)(1) of HIPAA, Public Law 104-191. The Patient Safety Act, on the other hand, addresses disclosures and authorizes the Secretary to penalize disclosures of patient safety work product.
Nonetheless, we do not propose to regulate the use, transfer or sharing by internal disclosure, of patient safety work product within a legal entity. We also decline to propose to regulate uses because we would consider regulating uses within providers and PSOs to be intrusive into their internal affairs. This would be especially the case given that this is a voluntary program. Moreover, we do not believe that regulating uses would further the statutory goal of facilitating the sharing of patient safety work product with PSOs. In other words, regulating uses would not advance the ability of any entity to share patient safety work product for patient safety activities. Finally, we presume that there are sufficient incentives in place for providers and PSOs to prudently manage the uses of sensitive patient safety work product.
We are not regulating uses, whether in a provider, PSO, or any other entity that obtains patient safety work product. Because we are not proposing to regulate uses, there will be no federal sanction based on use of this information. If a provider or other entity wants to limit the uses or further disclosures (beyond the regulatory permissions) by a PSO or any future recipient, a disclosing entity is free to do so by contract. See section 922(g)(4) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(4), and proposed Sec. 3.206(e). We seek comment about whether this strikes the right balance. The proposed definition mirrors the definition of disclosure used in the HIPAA Privacy Rule concerning disclosures of protected health information. Although we do not propose to regulate the use of patient safety work product, HIPAA covered entities that possess patient safety work product which contains protected health information must comply with the use and disclosure requirements of the HIPAA Privacy Rule with respect to the protected health information. Patient safety work product containing protected health information could only be used in accordance with the HIPAA Privacy Rule use permissions, including the minimum necessary requirement.
Entity would mean any organization, regardless of whether the organization is public, private, for-profit, or not-for-profit. The statute permits any entity to seek listing as a PSO by the Secretary except a health insurance issuer and any component of a health insurance issuer and Sec. 3.102(a)(2) proposes, in addition, to prohibit public or private sector entities that conduct regulatory oversight of providers.
Group health plan would mean an employee welfare benefit plan (as defined in section 3(1) of the Employee Retirement Income Security Act of 1974 (ERISA) to the extent that the plan provides medical care (as defined in paragraph (2) of section 2791(a) of the Public Health Service Act, 42 U.S.C. 300gg-91(a)(1)) and including items and services paid for as medical care) to employees or their dependents (as defined under the terms of the plan) directly or through insurance, reimbursement, or otherwise. Section 2791(b)(2) of the Public Health Service Act, 42 U.S.C. 300gg-91(b)(2) excludes group health plans from the defined class of "health insurance issuer." Therefore, a group health plan may establish a PSO unless the plan could be considered a component of a health insurance issuer, in which case such a plan would be precluded from being a PSO by the Patient Safety Act.
Health insurance issuer would mean an insurance company, insurance service, or insurance organization (including a health maintenance organization, as defined in 42 U.S.C. 300gg-91(b)(3)) which is licensed to engage in the business of insurance in a State and which is subject to State law which regulates insurance (within the meaning of 29 U.S.C. 1144(b)(2)). The term, as defined in the Public Health Service Act, does not include a group health plan.
Health maintenance organization would mean (1) a Federally qualified health maintenance organization (as defined in 42 U.S.C. 300e(a)); (2) an organization recognized under State law as a health maintenance organization; or (3) a similar organization regulated under State law for solvency in the same manner and to the same extent as such a health maintenance organization. Because the ERISA definition relied upon by the Patient Safety Act includes health maintenance organizations in the definition of health insurance issuer, an HMO may not be, control, or manage the operation of a PSO.
HHS stands for the United States Department of Health and Human Services. This definition is added for convenience.
HIPAA Privacy Rule would mean the regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), at 45 CFR Part 160 and Subparts A and E of Part 164.
Identifiable Patient Safety Work Product would mean patient safety work product that:
- Is presented in a form and manner that allows the identification of any provider that is a subject of the work product, or any providers that participate in activities that are a subject of the work product;
- Constitutes individually identifiable health information as that term is defined in the HIPAA Privacy Rule at 45 CFR 160.103; or
- Is presented in a form and manner that allows the identification of an individual who in good faith reported information directly to a PSO, or to a provider with the intention of having the information reported to a PSO ("reporter").
Identifiable patient safety work product is not patient safety work product that meets the nonidentification standards proposed for "nonidentifiable patient safety work product".
Nonidentifiable Patient Safety Work Product would mean patient safety work product that is not identifiable in accordance with the nonidentification standards proposed at Sec. 3.212. Because the privilege and confidentiality protections of the Patient Safety Act and this Part do not apply to nonidentifiable patient safety work product once disclosed, the restrictions and data protection rules in this proposed rule phrased as pertaining to patient safety work product generally only apply to identifiable patient safety work product.
OCR stands for the Office for Civil Rights in HHS. This definition is added for convenience.