[Continued from previous section]
Parent organization would mean a public or private sector organization that, alone or with others, either owns a provider entity or a component PSO, or has the authority to control or manage agenda setting, project management, or day-to-day operations of the component, or the authority to review and override decisions of a component PSO. We have not proposed to define the term "owns." We propose to use the term "own a provider entity" to mean a governmental agency or Tribal entity that controls or manages a provider entity as well as an organization having a controlling interest in a provider entity or a component PSO, for example, owning a majority or more of the stock of the owned entity, and expressly ask for comment on whether our further definition of controlling interest as follows below is appropriate.
Under the proposed regulation, if an entity that seeks to be a PSO has a parent organization, that entity will be required to seek listing as a component PSO and must provide certifications set forth in proposed Sec. 3.102(c), which indicate that the entity maintains patient safety work product separately from the rest of the organization(s) and establishes security measures to maintain the confidentiality of patient safety work product, the entity does not make an unauthorized disclosure of patient safety work product to the rest of the organization(s), and the entity does not create a conflict of interest with the rest of the organization(s).
Traditionally, a parent corporation is defined as a corporation that holds a controlling interest in one or more subsidiaries. By contrast, parent organization, as used in this proposed rule, is a more inclusive term and is not limited to definitions used in corporations law. Accordingly, the proposed definition emphasizes a parent organization's control (or influence) over a PSO that may or may not be based on stock ownership.\13\ Our approach to interpreting the statutory reference in section 924(b)(2) of the Patient Safety Act, 42 U.S.C. 299b-24(b)(2) to "another organization" in which an entity is a "component" (i.e., a "parent organization") is analogous to the growing attention in both statutory and case law, to the nature and conduct of business organizational relationships, including multi-organizational enterprises. As discussed above in the definition of "component," the emphasis on actual organizational control, rather than the organization's structure, has numerous legal precedents in legislation implementing statutory programs and objectives and courts upholding such programs and objectives.\14\ Therefore, the definition of a "parent organization," as used in the proposed regulation would encompass an affiliated organization that participates in a common enterprise with an entity seeking listing, and that owns, manages or exercises control over the entity seeking to be listed as a PSO. As indicated above, affiliated corporations have been legally defined to mean those who share a corporate parent or are part of a common corporate enterprise.\15\
\13\ Cf. 17 CFR 240.12b-2 (defining "control" broadly as "* * * the power to direct or cause the direction of the management and policies of an * * * [entity] whether through the ownership of voting securities, by contract, or otherwise.")
\14\ Blumberg on Corporate Groups Sec. 13 notes that, where applications for licenses are in a regulated industry, information is required by states about the applicant as well as corporate parents, subsidiaries and affiliates. In the proposed regulation, pursuant to the Patient Safety Act, information about parent organizations with potentially conflicting missions would be obtained to ascertain that component entities seeking to be PSOs have measures in place to protect the confidentiality of patient safety work product and the independent conduct of impartial scientific analyses by PSOs.
\15\ See for example the definition of affiliates in regulations jointly promulgated by the Comptroller of the Currency, the Federal Reserve board, the FDIC, and the Office of Thrift Supervision to implement privacy provisions of Gramm Leach Bliley legislation using provisions of the Fair Credit Reporting Act (dealing with information sharing among affiliates): "any company that is related or affiliated by common ownership, or affiliated by corporate control or common corporate control with another company." Blumberg, supra note 2, at Sec. 122.09[A] (citing 12 CFR pt.41.3, 12 CFR pt.222.3(1), 12 CFR pt.334.3(b) and 12 CFR pt.571.3(1) (2004)).
Parent organization is defined to include affiliates primarily in recognition of the prospect that otherwise unrelated organizations might affiliate to jointly establish a PSO. We can foresee such an enterprise because improving patient safety through expert analysis of aggregated patient safety data could logically be a common and efficient objective shared by multiple potential cofounders of a PSO. It is fitting, in our view, that a component entity certify, as we propose in Sec. 3.102(c), that there is "no conflict" between its mission as a PSO and all of the rest of the parent or affiliated organizations that undertake a jointly sponsored PSO enterprise.\16\ Similarly, it is also appropriate that the additional certifications required of component entities in proposed Sec. 3.102(c) regarding separation of patient safety work product and the use of separate staff be required of an entity that has several co-founder parent organizations that exercise ownership, management or control, (i.e. to assure that the intended "firewalls" exist between the component entity and the rest of any affiliated organization that might exercise ownership, management or control over a PSO).
\16\ We note that the certifications from a jointly established PSO could be supported or substantiated with references to protective procedural or policy walls that have been established to preclude a conflict of these organizations' other missions with the scientific analytic mission of the PSO.
To recap this part of the discussion, we would consider an entity seeking listing as a PSO to have a parent organization, and such entity would seek listing as a component organization, under the following circumstances: (a) The entity is a unit in a corporate organization or a controlling interest in the entity is owned by another corporation; or (b) the entity is a distinct organizational part of a multi-organizational enterprise and one or more affiliates in the enterprise own, manage, or control the entity seeking listing as a PSO. An example of an entity described in (b) would be an entity created by a joint venture in which the entity would be managed or controlled by several co-founding parent organizations.
The definition of provider in the proposed rule (which will be discussed below) includes the parent organization of any provider entity. Correspondingly, our definition of parent organization includes any organization that "owns a provider entity." This is designed to provide an option for the holding company of a corporate health care system to enter a multi-facility or system-wide contract with a PSO.
Patient Safety Act would mean the Patient Safety and Quality Improvement Act of 2005 (Pub. L. 109-41), which amended Title IX of the Public Health Service Act (42 U.S.C. 299 et seq.) by inserting a new Part C, sections 921 through 926, which are codified at 42 U.S.C. 299b-21 through 299b-26.
Patient safety activities would mean the following activities carried out by or on behalf of a PSO or a provider:
- Efforts to improve patient safety and the quality of health care delivery;
- The collection and analysis of patient safety work product;
- The development and dissemination of information with respect to improving patient safety, such as recommendations, protocols, or information regarding best practices;
- The utilization of patient safety work product for the purposes of encouraging a culture of safety and of providing feedback and assistance to effectively minimize patient risk;
- The maintenance of procedures to preserve confidentiality with respect to patient safety work product;
- The provision of appropriate security measures with respect to patient safety work product;
- The utilization of qualified staff; and
- Activities related to the operation of a patient safety evaluation system and to the provision of feedback to participants in a patient safety evaluation system.
This definition is taken from the Patient Safety Act. See section 921(5) of the Public Health Service Act, 42 U.S.C. 299b-21(5). Patient safety activities is used as a key reference term for other provisions in the proposed rule and those provisions provide descriptions related to patient safety activities. See proposed requirements for PSOs at Sec. Sec. 3.102 and 3.106 and the proposed confidentiality disclosure permission at Sec. 3.206(b)(4).
Patient safety evaluation system would mean the collection, management, or analysis of information for reporting to or by a PSO. The patient safety evaluation system is a core concept of the Patient Safety Act through which information, including data, reports, memoranda, analyses, and/or written or oral statements, is collected, maintained, analyzed, and communicated. When a provider engages in patient safety activities for the purpose of reporting to a PSO or a PSO engages in these activities with respect to information for patient safety purposes, a patient safety evaluation system exists regardless of whether the provider or PSO has formally identified a "patient safety evaluation system". For example, when a provider collects information for the purpose of reporting to a PSO and reports the information to a PSO to generate patient safety work product, the provider is collecting and reporting through its patient safety evaluation system (see definition of patient safety work product). Although we do not propose to require providers or PSOs formally to identify or define their patient safety evaluation system--because such systems exist by virtue of the providers or PSOs undertaking certain patient safety activities--a patient safety evaluation system can be formally designated by a provider or PSO to establish a secure space in which these activities may take place.
The formal identification or designation of a patient safety evaluation system could give structure to the various functions served by a patient safety evaluation system. These possible functions are:
- For reporting information by a provider to a PSO in order to generate patient safety work product and to protect the fact of reporting such information to a PSO (see section 921(6) and (7)(A)(i)(I) of the Public Health Service Act, 42 U.S.C. 299b-21(6) and (7)(A)(i)(I));
- For communicating feedback concerning patient safety events between PSOs and providers (see section 921(5)(H) of the Public Health Service Act, 42 U.S.C. 299b-21(5)(H));
- For creating and identifying the space within which deliberations and analyses of information and patient safety work product are conducted (see section 921(7)(A)(ii) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(A)(ii));
- For separating patient safety work product and information collected, maintained, or developed for reporting to a PSO distinct and apart from information collected, maintained, or developed for other purposes (see section 921(7)(B)(ii) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(B)(ii)); and,
- For identifying patient safety work product to maintain its privileged status and confidentiality, and to avoid impermissible disclosures (see section 922(b) of the Public Health Service Act, 42 U.S.C. 299b-22(b)).
A provider or PSO need not engage in all of the above-mentioned functions in order to establish or maintain a patient safety evaluation system. A patient safety evaluation system is flexible and scalable to the individual needs of a provider or PSO and may be modified as necessary to support the activities and level of engagement in the activities by a particular provider or PSO.
Documentation. Because a patient safety evaluation system is critical in identifying and protecting patient safety work product, we encourage providers and PSOs to document what constitutes their patient safety evaluation system. We recommend that providers and PSOs consider documenting the following:
- How information enters the patient safety evaluation system;
- What processes, activities, physical space(s) and equipment comprise or are used by the patient safety evaluation system;
- Which personnel or categories of personnel need access to patient safety work product to carry out their duties involving operation of, or interaction with the patient safety evaluation system, and for each such person or category of persons, the category of patient safety work product to which access is needed and any conditions appropriate to such access; and,
- What procedures or mechanisms the patient safety evaluation system uses to report information to a PSO or disseminate information outside of the patient safety evaluation system.
A documented patient safety evaluation system, as opposed to an undocumented or poorly documented patient safety evaluation system, may accrue many benefits to the operating provider or PSO. Providers or PSOs that have a documented patient safety evaluation system will have substantial proof to support claims of privilege and confidentiality when resisting requests for production of, or subpoenas for, information constituting patient safety work product or when making requests for protective orders against requests or subpoenas for such patient safety work product. Documentation of a patient safety evaluation system will enable a provider or PSO to provide supportive evidence to a court when claiming privilege protections for patient safety work product. This may be particularly critical since the same activities can be done inside and outside of a patient safety evaluation system.
A documented and established patient safety evaluation system also gives notice to employees of the privileged and confidential nature of the information within a patient safety evaluation system in order to generate awareness, greater care in handling such information and more caution to prevent unintended or impermissible disclosures of patient safety work product. For providers with many employees, an established and documented patient safety evaluation system can serve to separate access to privileged and confidential patient safety work product from employees that have no need for patient safety work product. Documentation can serve to limit access by non-essential employees. By limiting who may access patient safety work product, a provider may reduce its exposure to the risks of inappropriate disclosures.
Given all of the benefits, documentation of a patient safety evaluation system would be a prudent business practice. Moreover, as part of our enforcement program, we would expect entities to be following sound business practices in maintaining adequate documentation regarding their patient safety evaluation systems to demonstrate their compliance with the confidentiality provisions. Absent this type of documentation, it may be difficult for entities to satisfy the Secretary that they have met and are in compliance with their confidentiality obligations. While we believe it is a sound and prudent business practice, we have not required a patient safety evaluation system to be documented, and we do not believe it is required by the Patient Safety Act. We seek comment as to these issues.
Patient Safety Organization (PSO) would mean a private or public entity or component thereof that is listed as a PSO by the Secretary in accordance with proposed Sec. 3.102.
Patient Safety Work Product is a defined term in the Patient Safety Act that identifies the information to which the privilege and confidentiality protections apply. This proposed rule imports the statutory definition of patient safety work product specifically for the purpose of implementing the confidentiality protections under the Patient Safety Act. The proposed rule provides that, with certain exceptions, patient safety work product would mean any data, reports, records, memoranda, analyses (such as root cause analyses), or written or oral statements (or copies of any of this material) (A) which could result in improved patient safety, health care quality, or health care outcomes and either (i) is assembled or developed by a provider for reporting to a PSO and is reported to a PSO; or (ii) is developed by a PSO for the conduct of patient safety activities; or (B) which identifies or constitutes the deliberations or analysis of, or identifies the fact of reporting pursuant to, a patient safety evaluation system. The proposed rule excludes from patient safety work product a patient's original medical record, billing and discharge information, or any other original patient or provider information and any information that is collected, maintained, or developed separately, or exists separately, from a patient safety evaluation system. Such separate information or a copy thereof reported to a PSO does not by reason of its reporting become patient safety work product. The separately collected and maintained information remains available, for example, for public health reporting or disclosures pursuant to court order. The information contained in a provider's or PSO's patient safety evaluation system is protected, would be privileged and confidential, and may not be disclosed absent a statutory or regulatory permission.
What can become patient safety work product. The definition of patient safety work product lists the types of information that are likely to be exchanged between a provider and PSO to generate patient safety work product: "Any data, reports, records, memoranda, analyses (such as root cause analyses), or written or oral statements" (collectively referred to below as "information" for brevity). Congress intended the fostering of robust patient safety evaluation systems for exchanges between providers and PSOs. We expect this expansive list will maximize provider flexibility in operating its patient safety evaluation system by enabling the broadest possible incorporation and protection of information by providers and PSOs.
In addition, information must be collected or developed for the purpose of reporting to a PSO. Records collected or developed for a purpose other than for reporting to a PSO, such as to support internal risk management activities or to fulfill external reporting obligations, cannot become patient safety work product. However, copies of information collected for another purpose may become patient safety work product if, for example, the copies are made for the purpose of reporting to a PSO. This issue is discussed more fully below regarding information that cannot become patient safety work product.
When information is reported by a provider to a PSO or when a PSO develops information for patient safety activities, the definition assumes that the protections apply to information that "could result in improved patient safety, health care quality, or health care outcomes." This phrase imposes few practical limits on the type of information that can be protected since a broad range of clinical and non-clinical factors could have a beneficial impact on the safety, quality, or outcomes of patient care. Because the Patient Safety Act does not impose a narrow limitation, such as requiring information to relate solely, for example, to particular adverse or "sentinel" incidents or even to the safety of patient care, we conclude Congress intended providers to be able to cast a broad net in their data gathering and analytic efforts to identify causal factors or relationships that might impact patient safety, quality and outcomes. In addition, we note that the phrase "could result in improved" requires only potential utility, not proven utility, thereby allowing more information to become patient safety work product.
How information becomes patient safety work product. Paragraphs (1)(i)(A), (1)(i)(B), and (1)(ii) of the proposed regulatory definition indicate three ways for information to become patient safety work product and therefore subject to the confidentiality and privilege protections of the Patient Safety Act.
Information assembled or developed and reported by providers. By law and as set forth in our proposal, information that is assembled or developed by a provider for the purpose of reporting to a PSO and is reported to a PSO is patient safety work product. Section 921(7)(A)(i)(I) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(A)(i)(I).
As noted, to become patient safety work product under this section of the definition, information must be reported by a provider to a PSO. For purposes of paragraph (1)(i)(A) of this definition, "reporting" generally means the actual transmission or transfer of information, as described above, to a PSO. We recognize, however, that requiring the transmission of every piece of paper or electronic file to a PSO could impose significant transmission, management, and storage burdens on providers and PSOs. In many cases, providers engaged in their own investigations may desire to avoid continued transmission of additional related information as its work proceeds.
To alleviate the burden of reporting every piece of information assembled by a provider related to a particular patient safety event, we are interested in public comment regarding an alternative for providers that have established relationships with PSOs. We note that the reporting and generation of patient safety work product does not require a contract or any other relationship for a PSO to receive reports from a provider, for a PSO to examine patient safety work product, or for a PSO to provide feedback to a provider based upon the examination of reported information. Nonetheless, we anticipate that providers who are committed to patient safety improvements will establish a contractual or similar relationship with a PSO to report and receive feedback about patient safety incidents and adverse events. Such a contract or relationship would provide a basis to allow providers and PSOs to establish customized alternative arrangements for reporting.
For providers that have established contracts with PSOs for the review and receipt of patient safety work product, we seek comment on whether a provider should be able to "report" to the PSO by providing its contracted PSO access to any information it intends to report (i.e., "functional reporting"). For example, a provider and a PSO may establish, by contract, that information put into a database shared by the provider and the PSO is sufficient to report information to the PSO in lieu of the actual transmission requirement. We believe that functional reporting would be a valuable mechanism for the efficient reporting of information from a provider to a PSO. We are seeking public comment about what terms and conditions may be necessary to provide access to a PSO to be recognized as functional reporting. We also seek comment about whether this type of functional reporting arrangement should only be available for subsequent related information once an initial report on a specific topic or incident has been transmitted to a PSO.
We do not intend a PSO to have an unfettered right of access to any provider information. Providers and PSOs are free to engage in alternative reporting arrangements under the proposed rule, and we solicit comments on the appropriate lines to be drawn around the arrangements that should be recognized under the proposed rule. However, our proposals should not be construed to suggest or propose that a PSO has a superior right to access information held by a provider based upon a reporting relationship. If a PSO believes information reported by a provider is insufficient, a PSO is free to request additional information from a provider or to indicate appropriate limitations to the conclusions or analyses based on insufficient or incomplete information.
We seek public comment on two additional aspects regarding the timing of the obligation of a provider to report to a PSO in order for information to become protected patient safety work product and for the confidentiality protections to attach. The first issue relates to the timing between assembly or development of information for reporting and actual reporting under the proposed definition of patient safety work product. As currently proposed, information assembled or developed by a provider is not protected until the moment it is reported, (i.e., transmitted or transferred to a PSO). We are considering whether there is a need for a short period of protection for information assembled but not yet reported. We note that in such situations, a provider creates and operates a patient safety evaluation system. (See discussion of the definition of patient safety evaluation system at proposed Sec. 3.20.) We further note that even without such short period of protection, information assembled or developed by a provider but not yet reported may be subject to other protections in the proposed rule (e.g., see section 921(7)(A)(ii) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(A)(ii)).
Our intent is not to relieve the provider of the statutory requirement for reporting pursuant to section 921(7)(A)(i) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(A)(i), but to extend to providers flexibility to efficiently transmit or transfer information to a PSO for protection. A short period of protection for information assembled but not yet reported could result in greater operational efficiency for a provider by allowing information to be compiled and reported to a PSO in batches. It could also alleviate the uncertainty regarding the status of information that is assembled, but not yet reported for administrative reasons. If we do address this issue in the final rule, we seek input on the appropriate time period for such protection and whether a provider must demonstrate an intent to report in order to obtain protections. If we do not address this issue in the final rule, such information held by a provider would not be confidential until it is actually transmitted to a PSO under this prong of the definition of patient safety work product.
Second, for information to become patient safety work product under this prong of the definition, it must be assembled or developed for the purpose of reporting to a PSO and actually reported. We solicit comment on the point in time at which it can be established that information is being collected for the purpose of reporting to a PSO such that it is not excluded from the definition of patient safety work product as a consequence of it being collected, maintained or developed separately from a patient safety evaluation system. See section 921(7)(B)(ii) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(B)(ii). To assemble information with the purpose of reporting to a PSO, a PSO must potentially exist, and thus, we believe that collection efforts cannot predate the passage of the Patient Safety Act on July 29, 2005.
Information that is developed by a PSO for the conduct of patient safety activities. By law and as set forth in our proposal, information that is developed by a PSO for patient safety activities is patient safety work product. Section 921(7)(A)(i)(II) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(A)(i)(II). This section of the definition does not address information discussed in the previous section that is assembled or developed by a provider and is reported to a PSO which becomes patient safety work product under that section. Rather, this section addresses other information that a PSO collects for development from third parties, non-providers and other PSOs for patient safety activities.
For example, a PSO may be asked to assist a provider in analyzing a complex adverse event that took place. The initial information from the provider is protected because it was reported. If the PSO determines that the information is insufficient and conducts interviews with affected patients or collects additional data, that information is an example of the type of information that would be protected under this section of the definition. Even if the PSO ultimately decided not to analyze such information, the fact that the PSO collected and evaluated the information is a form of "development" transforming the information into patient safety work product. Such patient safety work product would be subject to confidentiality protections, and thus, the PSO would need safe disposal methods for any such information in accordance with its confidentiality obligations.
Information that constitutes the deliberations or analysis of, or identifies the fact of reporting pursuant to, a patient safety evaluation system. By law and as set forth in our proposal, information that constitutes the deliberations or analysis of, or identifies the fact of reporting pursuant to, a patient safety evaluation system is patient safety work product. Section 921(7)(A)(ii) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(A)(ii). This provision extends patient safety work product protections to any information that would identify the fact of reporting pursuant to a patient safety evaluation system or that constitutes the deliberations or analyses that take place within such a system. The fact of reporting through a patient safety evaluation system (e.g., a fax cover sheet, an e-mail transmitting data, and an oral transmission of information to a PSO) is patient safety work product.
With regard to providers, deliberations and analyses are protected while they are occurring provided they are done within a patient safety evaluation system. We are proposing that under paragraph (1)(ii) of this definition, any "deliberations or analysis" performed within the patient safety evaluation system becomes patient safety work product. In other words, to determine whether protections apply, the primary question is whether a patient safety evaluation system, which by law and as set forth in this proposed rule, is the collection, management, or analysis of information for reporting to a PSO, was in existence at the time of the deliberations and analysis.
To determine whether a provider had a patient safety evaluation system at the time that the deliberations or analysis took place, we propose to consider whether a provider had certain indicia of a patient safety evaluation system, such as the following: (1) The provider has a contract with a PSO for the receipt and review of patient safety work product that is in effect at the time of the deliberations and analysis; (2) the provider has documentation for a patient safety evaluation system demonstrating the capacity to report to a PSO at the time of the deliberations and analysis; (3) the provider had reported information to the PSO either under paragraph (1)(i)(A) of the proposed definition of patient safety work product or with respect to deliberations and analysis; or (4) the provider has actually reported the underlying information that was the basis of the deliberations or analysis to a PSO. For example, if a provider claimed protection for information as the deliberation of a patient safety evaluation system, and had a contract with the PSO at the time the deliberations took place, it would be reasonable to believe that the deliberations and analysis were related to the provider's PSO reporting activities. This is not an exclusive list. We note therefore that a provider may still be able to show that information was patient safety work product using other indications.
We note that the statutory protections for deliberations and analysis in a patient safety evaluation system apply without regard to the status of the underlying information being considered (i.e., it does not matter whether the underlying information being considered is patient safety work product or not). A provider can fully protect internal deliberations in its patient safety evaluation system over whether to report information to a PSO. The deliberations and analysis are protected, whether the provider chooses to report the underlying information to a PSO or not. However, the underlying information, separate and apart from the analysis or deliberation, becomes protected only when reported to a PSO. See section 921(7)(A)(i)(1) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(A)(i)(1).
To illustrate, consider a hospital that is reviewing a list of all near-misses reported within the past 30 days. The purpose of the hospital's review is to analyze whether to report any or part of the list to a PSO. The analyses (or any deliberations the provider undertakes) are fully protected whether the provider reports any near-misses or not. The status of the near-misses list does not change because the deliberations took place. The fact that the provider deliberated over reporting the list does not constitute reporting and does not change the protected status of the list. Separate and apart from the analysis, this list of near misses is not protected unless it is reported. By contrast, this provision fully protects the provider's deliberations and analyses in its patient safety evaluation system regarding the list.
540 Gaither Road Rockville, MD 20850