Your browser doesn't support JavaScript. Please upgrade to a modern browser or enable JavaScript in your existing browser.
U.S. Department of Health and Human Services www.hhs.gov
Agency for Healthcare Research Quality www.ahrq.gov
AHRQ Home | Questions? | Contact Us | Site Map | What's New | Browse | Información en español | E-mail UpdatesE-mail Updates
www.ahrq.gov

Back to Patient Safety Organizations Home

[Continued from previous section]

Delisting. In the event that a PSO is delisted for cause under proposed Sec. 3.108(b)(1), a provider may continue to report to that PSO for 30 days after the delisting and the reported information will be patient safety work product. Section 924(f)(1) of the Public Health Service Act, 42 U.S.C. 299b-24(f)(1). Information reported to a delisted PSO after the 30-day period will not be patient safety work product. However, after a PSO is delisted, the delisted entity may not continue to generate patient safety work product by developing information for the conduct of patient safety activities or through deliberations and analysis of information. Any patient safety work product held or generated by a PSO prior to its delisting remains protected even after the PSO is delisted. See discussion in the preamble regarding proposed Sec. 3.108(b)(2) for more information.

We note that proposed Sec. 3.108(c) outlines the process for delisting based upon an entity's voluntary relinquishment of its PSO listing. As we discuss in the accompanying preamble, we tentatively conclude that the statutory provision for a 30-day period of continued protection does not apply after delisting due to voluntary relinquishment.

Even though a PSO may not generate new patient safety work product after delisting, it may still have in its possession patient safety work product, which it must keep confidential. The statute establishes requirements, incorporated in proposed Sec. 3.108(b)(2) and (b)(3), that a PSO delisted for cause must meet regarding notification of providers and disposition of patient safety work product. We propose in Sec. 3.108(c) to implement similar notification and disposition measures for a PSO that voluntarily relinquishes its listing. For further discussion of the obligations of a delisted PSO, see proposed Sec. 3.108(b)(2), (b)(3), and (c).

What is not patient safety work product. By law, and as set forth in this proposed rule, patient safety work product does not include a patient's original medical record, billing and discharge information, or any other original patient or provider record; nor does it include information that is collected, maintained, or developed separately or exists separately from, a patient safety evaluation system. Such separate information or a copy thereof reported to a PSO shall not by reason of its reporting be considered patient safety work product.

The specific examples cited in the Patient Safety Act of what is not patient safety work product--the patient's original medical record, billing and discharge information, or any other original patient record--are illustrative of the types of information that providers routinely assemble, develop, or maintain for purposes and obligations other than those of the Patient Safety Act. The Patient Safety Act also states that information that is collected, maintained, or developed separately, or exists separately from a patient safety evaluation system, is not patient safety work product. Therefore, if records are collected, maintained, or developed for a purpose other than for reporting to a PSO, those records cannot be patient safety work product. However, if, for example, a copy of such record is made for reporting to a PSO, the copy and the fact of reporting become patient safety work product. Thus, a provider could collect incident reports for internal quality assurance purposes, and later, determine that one incident report is relevant to a broader patient safety activity. If the provider then reports a copy of the incident report to a PSO, the copy of the incident report received by the PSO is protected as is the copy of the incident report as reported to the PSO that is maintained by the provider, while the original incident report collected for internal quality assurance purposes is not protected.

The proposed rule sets forth the statutory rule of construction that prohibits construing anything in this Part from limiting (1) the discovery of or admissibility of information that is not patient safety work product in a criminal, civil, or administrative proceeding; (2) the reporting of information that is not patient safety work product to a Federal, State, or local governmental agency for public health surveillance, investigation, or other public health purposes or health oversight purposes; or (3) a provider's recordkeeping obligation with respect to information that is not patient safety work product under Federal, State or local law. Section 921(7)(B)(iii) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(B)(iii). Even when laws or regulations require the reporting of the information regarding the type of events also reported to PSOs, the Patient Safety Act does not shield providers from their obligation to comply with such requirements.

As the Patient Safety Act states more than once, these external obligations must be met with information that is not patient safety work product, and, in accordance with the confidentiality provisions, patient safety work product cannot be disclosed for these purposes. We note that the Patient Safety Act clarifies that nothing in this Part prohibits any person from conducting additional analyses for any purpose regardless of whether such additional analysis involves issues identical to or similar to those for which information was reported to or assessed by a PSO or a patient safety evaluation system. Section 922(h) of the Public Health Service Act, 42 U.S.C. 299b-22(h). A copy of information generated for such purposes may be entered into the provider's patient safety evaluation system for patient safety purposes although the originals of the information generated to meet external obligations do not become patient safety work product.

Thus, information that is collected to comply with external obligations is not patient safety work product. Such activities may include: State incident reporting requirements; adverse drug event information reporting to the Food and Drug Administration (FDA); certification or licensing records for compliance with health oversight agency requirements; reporting to the National Practitioner Data Bank of physician disciplinary actions; or complying with required disclosures by particular providers or suppliers pursuant to Medicare's conditions of participation or conditions of coverage. In addition, the proposed rule does not change the law with respect to an employee's ability to file a complaint with Federal or State authorities regarding quality of care, or with respect to any prohibition on a provider's threatening or carrying out retaliation against an individual for doing so; the filing of any such complaint would not be deemed to be a violation of the Patient Safety Act, unless patient safety work product was improperly disclosed in such filing.

Health Care Oversight Reporting and Patient Safety Work Product. The Patient Safety Act establishes a protected space or system of protected information in order to allow frank discussion about causes and remediation of threats to patient safety. As described above, this protected system is separate, distinct, and resides alongside but does not replace other information collection activities mandated by laws, regulations, and accrediting and licensing requirements as well as voluntary reporting activities that occur for the purpose of maintaining accountability in the health care system. Information collection activities performed by the provider for purposes other than for reporting to a PSO by itself do not create patient safety work product. In anticipation of questions about how mandatory and voluntary reporting will continue to be possible, a brief explanation may be helpful regarding how this new patient safety framework would operate in relation to health care oversight activities (e.g., public health reporting, corrective actions, etc.).

Situations may occur when the original (whether print or electronic) of information that is not patient safety work product is needed for a disclosure outside of the entity but cannot be located while a copy of the needed information resides in the patient safety evaluation system. If the reason for which the original information is being sought does not align with one of the permissible disclosures, discussed in proposed Subpart C, the protected copy may not be released. Nevertheless, this does not preclude efforts to reconstruct the information outside of the patient safety evaluation system from information that is not patient safety work product. Those who participated in the collection, development, analysis, or review of the missing information or have knowledge of its contents can fully disclose what they know or reconstruct an analysis outside of the patient safety evaluation system.

The issue of how effectively a provider has instituted corrective action following identification of a threat to the quality or safety of patient care might lead to requests for information from external authorities. The Patient Safety Act does not relieve a provider of its responsibility to respond to such requests for information or to undertake or provide to external authorities evaluations of the effectiveness of corrective action, but the provider must respond with information that is not patient safety work product.

To illustrate the distinction, consider the following example. We would expect that a provider's patient safety evaluation system or a PSO with which the provider works may make recommendations from time to time to the provider for changes it should make in the way it manages and delivers health care. The list of recommendations for changes, whether they originate from the provider's patient safety evaluation system or the PSO with which it is working, are always patient safety work product. We would also note that not all of these recommendations will address corrective actions (i.e., correcting a process, policy, or situation that poses a threat to patients). It is also possible that a provider with an exemplary quality and safety record is seeking advice on how to perform even better. Whatever the case, the feedback from the provider's patient safety evaluation system or PSO may not be disclosed to external authorities unless permitted by the disclosures specified in Subpart C of this proposed rule.

The provider may choose to reject the recommendations it receives or implement some or all of the proposed changes. While the recommendations always remain protected, whether they are adopted or rejected by a provider, the actual changes that the provider implements to improve how it manages or delivers health care services (including changes in its organizational management or its care environments, structures, and processes) are not patient safety work product. In a practical sense, it would be virtually impossible to keep such changes confidential in any event, and we stress that if there is any distinction between the change that was adopted and the recommendation that the provider received, the provider can only describe the change that was implemented. The recommendation remains protected. Thus, if external authorities request a list of corrective actions that a provider has implemented, the provider has no basis for refusing the request. Even though the actions are based on protected information, the corrective actions themselves are not patient safety work product. On the other hand, if an external authority asks for a list of the recommendations that the provider did not implement or whether and how any implemented change differed from the recommendation the provider received, the provider must refuse the request; the recommendations themselves remain protected.

Person would mean a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private. We propose to define "person" because the Patient Safety Act requires that civil money penalties be imposed against "person[s]" that violate the confidentiality provisions. However, the Patient Safety Act does not provide a definition of "person". The Definition Act at 1 U.S.C. 1 provides, "in determining any Act of Congress, unless the context indicates otherwise * * * the words `person' and `whoever' include corporations, companies, associations, firms, partnerships, societies, and joint stock companies, as well as individuals" (emphasis added). The Patient Safety Act indicates that States and other government entities may hold patient safety work product with the protections and liabilities attached, which is an expansion of the Definition Act provision. For this reason, we propose the broader definition of the term "person". We note that this proposed approach is consistent with the HHS Office of Inspector General (OIG) regulations, 42 CFR 1003.101, and the HIPAA Enforcement Rule, 45 CFR 160.103.

Provider would mean any individual or entity licensed or otherwise authorized under State law to provide health care services. The list of specific providers in the proposed rule includes the following: institutional providers, such as a hospital, nursing facility, comprehensive outpatient rehabilitation facility, home health agency, hospice program, renal dialysis facility, ambulatory surgical center, pharmacy, physician or health care practitioner's office (including a group practice), long term care facility, behavior health residential treatment facility, clinical laboratory, or health center; or individual clinicians, such as a physician, physician assistant, registered nurse, nurse practitioner, clinical nurse specialist, certified registered nurse anesthetist, certified nurse midwife, psychologist, certified social worker, registered dietitian or nutrition professional, physical or occupational therapist, pharmacist, or other individual health care practitioner. This list is merely illustrative; an individual or entity that is not listed here but meets the test of state licensure or authorization to provide health care services is a provider for the purpose of this proposed rule.

The statute also authorizes the Secretary to expand the definition of providers. Under this authority, we propose to add the following to this list of providers:

  1. Agencies, organizations, and individuals within Federal, State, local, or Tribal governments that deliver health care, organizations engaged as contractors by the Federal, State, local or Tribal governments to deliver health care, and individual health care practitioners employed or engaged as contractors by the Federal government to deliver health care. It appears that all of these agencies, organizations, and individuals could participate in, and could benefit from, working with a PSO.
  2. A corporate parent organization for one or more entities licensed or otherwise authorized to provide health care services under state law. Without this addition, hospital or other provider systems that are controlled by a parent organization that is not recognized as a provider under State law might be precluded from entering into system-wide contracts with PSOs. This addition furthers the goals of the statute to encourage aggregation of patient safety data and a coordinated approach for assessing and improving patient safety. We particularly seek comments regarding any concerns or operational issues that might result from this addition, and note that a PSO entering one system-wide contract still needs to meet the two contract minimum requirement based on section 924(b)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(C), and set out and discussed in proposed Sec. 3.102(b). The PSO can do this by entering into two contracts with different providers within the system.
  3. A Federal, State, local, or Tribal government unit that manages or controls one or more health care providers described in the definition of provider at (1)(i) and (2). We propose this addition to the definition of "provider" for the same reason that we proposed the addition of parent organization that has a controlling interest in one or more entities licensed or otherwise authorized to provide health care services under state law.

Research would have the same meaning as that term is defined in the HIPAA Privacy Rule at 45 CFR 164.501. In the HIPAA Privacy Rule, research means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. This definition is used to describe the scope of the confidentiality exception at proposed Sec. 3.206(b)(6). We propose to use the same definition as in the HIPAA Privacy Rule to improve the level of coordination and to reduce the burden of compliance. At the same time, if there is a modification to the definition in the HIPAA Privacy Rule, the definition herein will automatically change with such regulatory action.

Respondent would mean a provider, PSO, or responsible person who is the subject of a complaint or a compliance review.

Responsible person would mean a person, other than a provider or PSO, who has possession or custody of identifiable patient safety work product and is subject to the confidentiality provisions. We note that because the Patient Safety Act has continued confidentiality protection at 42 U.S.C. 299b-22(d), many entities other than providers and PSOs may be subject to the confidentiality provisions. Thus, for example, researchers or law enforcement officials who obtain patient safety work product under one of the exceptions to confidentiality would be considered a "responsible person".

Workforce would mean employees, volunteers, trainees, contractors, and other persons whose conduct, in the performance of work for a provider, PSO or responsible person, is under the direct control of such provider, PSO or responsible person, whether or not they are paid by the provider, PSO or responsible person. We use the term workforce member in several contexts in the proposed rule. Importantly, in proposed Sec. 3.402 where we discuss principal liability, we propose that an agent for which a principal may be liable can be a workforce member. We have included the term "contractors" in the definition of workforce member to clarify that such permitted sharing may occur with contractors who are under the direct control of the provider, PSO, or responsible person. For example, a patient safety activity disclosure by a provider to a PSO may be made directly to the PSO or to a consultant, as a workforce member, contracted by the PSO to help it carry out patient safety activities.

Return to top

B. Subpart B--PSO Requirements and Agency Procedures

Proposed Subpart (B) sets forth requirements for Patient Safety Organizations (PSOs). This proposed Subpart specifies the certification and notification requirements that PSOs must meet, the actions that the Secretary may and will take relating to PSOs, the requirements that PSOs must meet for the security of patient safety work product, the processes governing correction of PSO deficiencies, revocation, and voluntary relinquishment, and related administrative authorities and implementation responsibilities. The requirements of this proposed Subpart would apply to PSOs, their workforce, a PSO's contractors when they hold patient safety work product, and the Secretary.

This proposed Subpart is intended to provide the foundation for new, voluntary opportunities to improve the safety, quality, and outcomes of patient care. The Patient Safety Act does not require a provider to contract with a PSO, and the proposed rule does not include such a requirement. However, we expect that most providers will enter into contracts with PSOs when seeking the confidentiality and privilege protections of the statute. Contracts offer providers greater certainty that a provider's claim to these statutory protections will be sustained, if challenged. For example, the statutory definition of patient safety work product describes the nature and purpose of information that can be protected, the circumstances under which deliberations or analyses are protected, and the requirement that certain information be reported to a PSO. Pursuant to a contractual arrangement, providers can require and receive assistance from PSOs to ensure that these requirements are fully met. Contracts can provide clear evidence that a provider is taking all reasonable measures to operate under the ambit of the statute in collecting, developing, and maintaining patient safety work product. Contracts enable providers to specify even stronger confidentiality protections in how they report information to a PSO or how the PSO handles and uses the information.

Contracts can also give providers greater assurance that they will have access to the expertise of the PSO to provide feedback regarding their patient safety events. While some providers may have patient safety expertise in-house, a PSO has the potential to offer providers considerable additional insight as a result of its expertise and ability to aggregate and analyze data from multiple providers and multiple PSOs. Experience has demonstrated that such aggregation and analysis of large volumes of data, such as a PSO has the ability to do, will often yield insights into the underlying causes of the hazards and risks associated with patient care that are simply not apparent when these analyses are limited to the information available from only one office, clinic, facility, or system.

Pursuant to a contract with a PSO, a provider may also be able to obtain from a PSO operational guidance or best practices with respect to operation of a patient safety evaluation system. Such a contract also provides a mechanism for a provider to control the nature and extent of a PSO's aggregation of its data with those of other providers or PSOs, and the nature of related analysis and discussion of such data. A provider can also require, pursuant to its contract with a PSO, that the PSO will notify the provider if improper disclosures are made of patient safety work product relating to that provider.

This proposed Subpart enables a broad variety of health care providers to work voluntarily with entities that have certified to the Secretary that they have the ability and expertise to carry out broadly defined patient safety activities of the Patient Safety Act and, therefore, to serve as consultants to eligible providers to improve patient care. In accordance with the Patient Safety Act, we propose an attestation-based process for initial and continued listing of an entity as a PSO. This includes an attestation-based approach for meeting the statutory requirement that each PSO, within 24 months of being listed and in each sequential 24-month period thereafter, must have bona fide contracts with more than one provider for the receipt and review of patient safety work product.

This streamlined approach of the statute and the proposed rule is intended to encourage the rapid development of expertise in health care improvement. This framework allows the marketplace to be the principal arbiter of the capabilities of each PSO. Listing as a PSO by the Secretary does not entitle an entity to Federal funding. The financial viability of most PSOs will derive from their ability to attract and retain contracts with providers or to attract financial support from other organizations, such as charitable foundations dedicated to health system improvement. Even when a provider organization considers establishing a PSO (what this proposed rule terms a component PSO) to serve the needs of its organization, we expect it will weigh the value of, and the business case for, such a PSO.

Proposed Subpart B attempts to minimize regulatory burden while fostering transparency to enhance the ability of providers to assess the strengths and weaknesses of their choice of PSOs. For example, we encourage, but do not require, an entity seeking listing to develop and post on their own Web sites narrative statements describing the expertise of the personnel the entity will have at its disposal, and outlining the way it will approach its mission and comply with the statute's certification requirements.

We similarly propose to apply transparency to our implementation of the statute's requirement for disclosure by PSOs of potential conflicts of interest with their provider clients. While the statute only requires public release of the findings of the Secretary after review of such disclosures, we propose to make public, consistent with applicable law, including the Freedom of Information Act, a PSO's disclosure statements as well. In our view, in addition to having the benefit of the Secretary's determination, a provider, as the prospective consumer of PSO services, should be able to make its own determination regarding the appropriateness of the relationships that a PSO has with its other provider clients and the impact those relationships might have on its particular needs. For example, a provider might care if a PSO--despite the Secretary's determination that it had been established with sufficient operational and other independence to qualify for listing as a PSO--was owned, operated, or managed by the provider's major competitor.

The provisions of this proposed Subpart also emphasize the need for vigilance in providing security for patient safety work product. To achieve the widespread provider participation intended by this statute, PSOs must foster and maintain the confidence of providers in the security of patient safety work product in which providers and patients are identified. Therefore, we propose to require a security framework, which each PSO must address with standards it determines appropriate to the size and complexity of its organization, pertaining to the separation of data and systems and to security management control, monitoring, and assessment.

The Patient Safety Act recognizes that PSOs will need to enter business associate agreements to receive protected health information from providers that are covered entities under the HIPAA Privacy Rule. As a business associate of such a provider, a PSO will have to meet certain contractual requirements on the use and disclosure of protected health information for compliance with the HIPAA Privacy Rule that are in addition to the requirements set forth in this proposed rule. Those requirements include the notification of a covered entity when protected health information is inappropriately disclosed in violation of the HIPAA Privacy Rule.

We do not propose to require reporting of impermissible disclosures of other patient safety work product that does not contain protected health information. We solicit comments on whether to parallel the business associate requirements of the HIPAA Privacy Rule. Such a requirement, if implemented, would require a PSO to notify the organizational source of patient safety work product if the information it shared has been impermissibly used or disclosed. Note that such reporting requirements could be voluntarily agreed to by contract between providers and their PSO.

Section 924(b)(2)(A) and (B) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(2)(A) and (B), suggests Congressional concern that a strong firewall must be maintained between a component PSO and the rest of the organization(s) of which it is a part. This proposed subpart proposes specific safeguards that such component PSOs must implement to effectively address those concerns.

As this discussion suggests, in developing this proposed Subpart, we have proposed the most specific requirements in the areas of security and disclosure of potential conflicts of interest. We expect to offer technical assistance and encourage transparency wherever possible to promote implementation, compliance, and correction of deficiencies. At the same time, this proposed Subpart establishes processes that will permit the Secretary promptly to revoke a PSO's certification and remove it from listing, if such action proves necessary.

Return to top
Return to Table of Contents
Return to previous section
Proceed to next section

 

 

AHRQAdvancing Excellence in Health Care
AHRQ footer - print version only