(D) Proposed Sec. 3.102(d)--Required Notifications
Proposed Sec. 3.102(d) establishes in regulation two required notifications that implement two statutory provisions: a notification to the Secretary certifying whether the PSO has met the biennial requirement for bona fide contracts with more than one provider (section 924(b)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(C)); and the submission of a disclosure statement to the Secretary whenever a PSO has established specific types of relationships (discussed below) with a contracting provider, in particular where a PSO is not managed or controlled independently from, or if it does not operate independently from, a contracting provider (section 924(b)(1)(E) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(E)).
(1) Proposed Sec. 3.102(d)(1)--Notification Regarding PSO Compliance With the Minimum Contract Requirement
Proposed Sec. 3.102(d)(1) requires a PSO to notify the Secretary whether it has entered at least two bona fide contracts that meet the requirements of proposed Sec. 3.102(b)(2). The notification requirement implements the statutory requirement in section 924(b)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(C), that a PSO must have contracts with more than one provider. Notification to the Secretary will be by attestation on a certification form developed pursuant to proposed Sec. 3.112. Prompt notification of the Secretary that a PSO has entered two or more contracts will result in earlier publication of that information by the Secretary and this may be to the PSO's benefit.
We propose that the Secretary receive initial notification from a PSO no later than 45 calendar days before the last day of the period that is 24 months after the date of its initial listing and 45 calendar days prior to the last day of every 24-month period thereafter. While each PSO will have the full statutory period of 24 months to comply with this requirement, we propose an earlier date for notification of the Secretary to harmonize this notification requirement with the requirement, established by section 924(e) of the Public Health Service Act, 42 U.S.C. 299b-24(e), that the Secretary provide each PSO with a period of time to correct a deficiency. If the Secretary were to provide a period for correction that begins after the 24-month period has ended, the result would be that some PSOs would be granted compliance periods that extend beyond the unambiguous statutory deadline for compliance. To avoid this unfair result, we propose that a PSO certify to the Secretary whether it has complied with this requirement 45 calendar days in advance of the final day of its applicable 24-month period.
If a PSO notifies the Secretary that it cannot certify compliance or fails to submit the required notification, the Secretary, pursuant to proposed Sec. 3.108(a)(2), will then issue a preliminary finding of deficiency and provide a period for correction that extends until midnight of the last day of the applicable 24-month assessment period for the PSO. In this way, the requirement for an opportunity for correction can be met without granting any PSO a period for compliance that exceeds the statutory limit. We invite comments on alternative approaches to harmonize these two potentially conflicting requirements.
We note that contracts that are entered into after midnight on the last day of the applicable 24-month period do not count toward meeting the two-contract requirement for that 24-month assessment period. If a PSO does not meet the requirement by midnight of the last day of the applicable 24-month assessment period, the Secretary will issue a notice of revocation and delisting pursuant to proposed Sec. 3.108(a)(3).
(2) Proposed Sec. 3.102(d)(2)--Notification Regarding PSO's Relationships With Its Contracting Providers
Proposed Sec. 3.102(d)(2) establishes the circumstances under which a PSO must submit a disclosure statement to the Secretary regarding its relationship(s) with any contracting provider(s) and the deadline for such required submissions.
The purpose of this disclosure requirement is illuminated by the statutory obligation of the Secretary, set forth in section 924(c)(3) of the Public Health Service Act, 42 U.S.C. 299b-24(c)(3), to review the disclosure statements and make public findings "whether the entity can fairly and accurately perform the patient safety activities of a patient safety organization." To provide the Secretary with the information necessary to make such a judgment, section 924(b)(1)(E) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(E), requires a PSO to fully disclose information to the Secretary if the PSO has certain types of relationships with a contracting provider and, if applicable, whether the PSO is not independently managed or controlled, or if it does not operate independently from, the contracting provider.
The statutory requirement for a PSO to submit a disclosure statement applies only when a PSO has entered into a contract with a provider; if there is no contractual relationship between the PSO and a provider pursuant to the Patient Safety Act, a disclosure statement is not required. Even when a PSO has entered a contract with a provider, we propose that a PSO would need to file a disclosure statement regarding a contracting provider only when the circumstances, specified in section 924(c)(3) of the Public Health Service Act, 42 U.S.C. 299b-24(c)(3), and discussed here, are present.
A PSO is first required to assess whether a disclosure statement must be submitted to the Secretary when the PSO enters a contract with a provider, but we note that the disclosure requirement remains in effect during the entire contract period. Even when a disclosure statement is not required at the outset of the contract period, if the circumstances discussed here arise, a disclosure statement must be submitted at that time to the Secretary for review.
With respect to a provider with which it has entered a contract, a PSO is required to submit a disclosure statement to the Secretary only if either or both of the following circumstances are present. First, a disclosure statement must be filed if the PSO has any financial, reporting, or contractual relationships with a contracting provider (other than the contract entered into pursuant to the Patient Safety Act). Second, taking into account all relationships that the PSO has with that contracting provider, a PSO must file a disclosure statement if it is not independently managed or controlled, or if it does not operate independently from, the contracting provider.
With respect to financial, reporting or contractual relationships, the proposed rule states that contractual relationships that must be disclosed are not limited to formal contracts but encompass any oral or written arrangement that imposes responsibilities on the PSO. For example, the provider may already have a contract or other arrangement with the PSO for assistance in implementation of proven patient safety interventions and is now seeking additional help from the PSO for the review of patient safety work product. A financial relationship involves almost any direct or indirect ownership or investment relationship between the PSO and the contracting provider, shared or common financial interests, or direct or indirect compensation arrangement, whether in cash or in-kind. A reporting relationship includes a relationship that gives the provider access to information that the PSO holds that is not available to other contracting providers or control, directly or indirectly, over the work of the PSO that is not available to other contracting providers. If any such relationships are present, the PSO must file a disclosure statement and describe fully all of these relationships.
The other circumstance that triggers the requirement to disclose information to the Secretary is the provision of the Patient Safety Act that requires the entity to fully disclose "if applicable, the fact that the entity is not managed, controlled, and operated independently from any provider that contracts with the entity." See section 924(b)(1)(E) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(E). We propose to interpret this provision as noted above because we believe that the adverb "independently" modifies all three verbs--that is, that the entity is required to disclose when it is not managed independently from, is not controlled independently from, or is not operated independently from, any provider that contracts with the entity.
Disclosure would be required, for example, if the contracting provider created the PSO and exercises a degree of management or control over the PSO, such as overseeing the establishment of its budget or fees, hiring decisions, or staff assignments. Another example of such a relationship that would require disclosure would be the existence of any form of inter-locking governance structure. We recognize that contracts, by their very nature, will enable a contracting provider to specify tasks that the PSO undertakes or to direct the PSO to review specific cases and not others. These types of requirements reflect the nature of any contractual relationship and do not trigger a requirement to file such a disclosure statement. The focus of this provision as indicated in section 924(c)(3) of the Public Health Service Act, 42 U.S.C. 299b-24(c)(3), and here is on the exercise of the type of control that could compromise the ability of the PSO to fairly and accurately carry out patient safety activities. If the contracting provider exercises this type of influence over the PSO, the PSO must file a disclosure statement and fully disclose the nature of the influence exercised by the contracting provider.
To meet the statutory requirement for full disclosure, a PSO's submission should attempt to put the significance of the financial, reporting, or contractual relationship in perspective (e.g., relative to other sources of PSO revenue or other types of contractual or reporting relationships). We would also encourage PSOs to list any agreements, stipulations, or procedural safeguards that might offset the influence of the provider and that might protect the ability of the PSO to operate independently. By doing so, a PSO can ensure that its disclosure statements present a full and, if applicable, balanced picture of the relationships and degree of independence that exist between the PSO and its contracting provider(s).
We propose to require that, whenever a PSO determines that it must file a statement based upon these requirements, the Secretary must receive the disclosure statement within 45 calendar days. The PSO must make an initial determination on the date on which a contract is entered. If the PSO determines that it must file a disclosure statement, the Secretary must receive the disclosure statement no later than 45 days after the date on which the contract was entered. During the contract period, the Secretary must receive a disclosure statement within 45 calendar days of the date on which either or both of the circumstances described above arise. If the Secretary determines, after the applicable 45-day period, that a required disclosure statement was not received from a PSO, the Secretary may issue to the PSO a notice of a preliminary finding of deficiency, the first step in the revocation process established by proposed Sec. 3.108.
2. Proposed Sec. 3.104--Secretarial Actions
Proposed Sec. 3.104 describes the actions that the Secretary may and will take regarding certification submissions for listing or continued listing, the required notification certifying that the PSO has entered the required minimum of two contracts, and disclosure statements, including the criteria that the Secretary will use in reviewing such statements and the determinations the Secretary may make. This proposed section also outlines the types of information that the Secretary will make public regarding PSOs, specifies how, and for what period of time, the Secretary will list a PSO whose certification he has accepted and establishes an effective date for Secretarial actions under this proposed subpart. See section 924(c) of the Public Health Service Act, 42 U.S.C. 299b-24(c).
(A) Proposed Sec. 3.104(a)--Actions in Response to Certification Submissions for Initial and Continued Listing as a PSO
Proposed Sec. 3.104(a) describes the actions that the Secretary may and will take in response to certification for initial or continued listing as a PSO (section 924(c)(1)-(2) of the Public Health Service Act, 42 U.S.C. 299b-24(c)(1)-(2)), submitted to the Secretary pursuant to the requirements of proposed Sec. 3.102. The decision on whether and how to list an entity as a PSO will be based upon a determination of whether the entity meets the applicable requirements of the Patient Safety Act and this proposed part. In most cases, it is anticipated that the Secretary will either accept the submission and list the entity or deny the listing on this basis.
In determining whether to list an entity as a PSO, the proposed rule requires the Secretary to consider the submitted certification and any relevant history, such as prior actions the Secretary has taken regarding the entity or PSO including delisting, any history of or current non-compliance by the entity or PSO with statutory or regulatory requirements or requests by the Secretary, relationships of the entity or PSO with providers and any findings by the Secretary in accordance with proposed Sec. 3.104(c). Initially, the Secretary will rely solely on the submitted certification; entities seeking listing will not have any applicable history of the type specified for the Secretary to consider. Even over time, we anticipate that the Secretary would normally rely upon the submitted certification in making a listing determination.
There may be occasions in future years when the Secretary may need to take into account the history of an entity or PSO in making a determination for initial or continued listing. Examples of such situations might include: A PSO seeking continued listing that has a history of deficiencies; an entity seeking initial listing may be a renamed former PSO whose certifications had been revoked for cause by the Secretary; or the leadership of an entity seeking listing may have played a leadership role in a former PSO that failed to meet its obligations to providers during voluntary relinquishment (see proposed Sec. 3.108(c)). In such circumstances, it may not be prudent for the Secretary to rely solely upon the certification submitted by the entity or PSO and this proposed subsection would enable the Secretary to seek additional information or assurances before reaching a determination on whether to list an entity. To ensure that the Secretary is aware of any relevant history before making a listing determination, without imposing additional burden on most entities seeking listing, we propose to include an attestation on the certification form that would require acknowledgement if the entity (under its current name or another) or any member of its workforce have been party to a delisting determination by the Secretary. We welcome comment on this proposal, or alternative approaches, for ensuring that the Secretary can carry out the requirements of this proposed section.
The Secretary also has the authority, under certain circumstances, to condition the listing of a PSO under section 924(c)(3) of the Public Health Service Act, 42 U.S.C. 299b-24(c)(3). The Secretary may establish conditions on the listing of a PSO following a determination, pursuant to proposed Sec. 3.104(c), that such conditions are necessary to ensure that the PSO can fairly and accurately perform patient safety activities. A decision to impose such conditions will typically occur after the listing of a PSO, when the PSO submits a disclosure statement about its relationships with a contracting provider. It also could occur at the time of initial or continued listing based upon a Secretarial review of a disclosure statement submitted contemporaneously with the review of an entity's certification submission.
The Secretary expects to be able to conclude review of an application for initial or continued listing within 30 days of receipt unless additional information or assurances, as described above in the paragraph discussing the history of an entity or PSO, are required, or the application as initially submitted is incomplete. The Secretary will notify each entity that requests listing of the action taken on its certification submission for initial or continued listing. The Secretary will provide reasons when an entity's certification is not accepted and, if the listing is conditioned based upon a determination made pursuant to proposed Sec. 3.104(c), the reasons for imposing conditions.
(B) Proposed Sec. 3.104(b)--Actions Regarding PSO Compliance With the Minimum Contract Requirement
Proposed Sec. 3.104(b) sets forth the required Secretarial action regarding PSO compliance with the requirement of the proposed rule for a minimum of two bona fide contracts. If a PSO attests, in the notification required by proposed Sec. 3.102(d)(1), that it has met the requirement, the Secretary will acknowledge in writing receipt of the attestation and include information on the list established pursuant to proposed Sec. 3.104(d) that the PSO has certified that it has met the requirement. If the PSO notifies the Secretary that it has not yet met the requirement, or if notification is not received from the PSO by the date required under proposed Sec. 3.102(d)(1), the Secretary, pursuant to proposed Sec. 3.108(a)(2), will issue a notice of a preliminary finding of deficiency to the PSO and provide an opportunity for correction that will extend no later than midnight of the last day of its applicable 24-month assessment period. Under this authority, the Secretary will require notification of correction and compliance from a PSO by midnight of the final day of the applicable 24-month period. If the deficiency has not been corrected by that date, the Secretary will issue promptly a notice of proposed revocation and delisting pursuant to the requirements of proposed Sec. 3.108(a)(3).
(C) Proposed Sec. 3.104(c)--Actions Regarding Required Disclosures by PSOs of Relationships With Contracting Providers.
Proposed Sec. 3.104(c) establishes criteria that the Secretary will use to evaluate a disclosure statement submitted pursuant to proposed Sec. 3.102(d)(2), specifies the determinations the Secretary may make based upon evaluation of any disclosure statement, and proposes public release, consistent with the Freedom of Information Act, of disclosure statements submitted by PSOs as well as the Secretary's findings (see section 924(c)(3) of the Public Health Service Act, 42 U.S.C. 299b-24(c)(3)).
In reviewing disclosure statements and making public findings, we propose that the Secretary consider the nature, significance, and duration of the relationship between the PSO and the contracting provider. We seek input on other appropriate factors to consider. Following review of the disclosure statement, the Secretary will make public findings regarding the ability of the PSO to carry out fairly and accurately defined patient safety activities as required by the Patient Safety Act. The Secretary may conclude that the disclosures require no action on his part or, depending on whether the entity is listed or seeking listing, may condition his listing of the PSO, exercise his authority under proposed Sec. 3.104(a) to refuse to list, or exercise his authority under proposed Sec. 3.108 to revoke the listing of the entity. The Secretary will notify each entity of his findings and decision regarding each disclosure statement.
This subsection proposes to make this process transparent, recognizing that providers seeking to contract with a PSO may want to make their own judgments regarding the appropriateness of the disclosed relationships. Therefore, with the exception of information, such as information that would be exempt from disclosure under the Freedom of Information Act, we propose to make public each disclosure statement received from a PSO by including it on the list of PSOs maintained pursuant to proposed Sec. 3.104(d) and we may post such statements on the PSO Web site we plan to establish. Public release of PSO disclosure statements would be in addition to the statutory requirement in section 924(c)(3) of the Public Health Service Act, 42 U.S.C. 299b-24(c)(3), that the Secretary's findings regarding disclosure statements must be made public. Greater transparency is intended to promote more informed decision making by providers, who are the primary customers for PSO services.
(D) Proposed Sec. 3.104(d)--Maintaining a List of PSOs
Proposed Sec. 3.104(d) implements the statutory requirement in section 924(d) of the Public Health Service Act, 42 U.S.C. 299b-24(d), that the Secretary compile and maintain a list of those entities whose PSO certifications have been accepted in accordance with proposed Sec. 3.104(a) and which certifications have not been revoked or voluntarily relinquished in accordance with proposed Sec. 3.108(b) or (c). The list will include contact information for each PSO, the effective date and time of listing of the PSO, a copy of each certification form and disclosure statement that the Secretary receives from the entity, and information on whether the PSO has certified that it has met the two contract requirement in each 24-month assessment period. The list will also include a copy of the Secretary's findings regarding any disclosure statements filed by each PSO, including whether any conditions have been placed on the listing of the entity as a PSO, and other information that this proposed subpart authorizes the Secretary to make public. To facilitate the development of a marketplace for the services of PSOs, we plan to establish a PSO Web site (or a future technological equivalent) and expect to post the list of PSOs on the PSO Web site, reserving the right to exclude information contained in disclosure statements that would be exempt from disclosure under the Freedom of Information Act. We seek comment on whether there are specific types of information that the Secretary should consider posting routinely on this Web site for the benefit of PSOs, providers, and other consumers of PSO services.
(E) Proposed Sec. 3.104(e)--Three-Year Period of Listing
Proposed Sec. 3.104(e) states that, when the Secretary has accepted certification submitted for initial or continued listing, the entity will be listed as a PSO for a period of three years (section 924(a)(2) of the Public Health Service Act, 42 U.S.C. 299b-24(a)(2)), unless the Secretary revokes the listing or the Secretary determines that the entity has voluntarily relinquished its status as a PSO (see proposed Sec. 3.108).
This subsection also provides that the Secretary will send a written notice of imminent expiration to a PSO no later than 45 calendar days before the date on which the PSO's three-year period of listing expires if the Secretary has not received a certification seeking continued listing. This notice is intended to ensure that a PSO does not let its listing lapse inadvertently. We expect that the Secretary will include in the notice a date by which the PSO should submit its certifications to ensure that the Secretary has sufficient time to act before the current period of listing expires.
We are considering including in the final rule, and seek comment on, a requirement that the Secretary include information on the public list of PSOs maintained pursuant to Sec. 3.104(d), that identifies the PSOs to which a notice of imminent expiration has been sent. The intent of such a requirement would be to ensure that a provider reporting data to such a PSO has adequate notice and time to ascertain, if it chooses to do so, whether that PSO intends to seek continued listing and, if not, to make alternative arrangements for reporting data to another PSO.
(F) Proposed Sec. 3.104(f)--Effective Date of Secretarial Actions
Proposed Sec. 3.104(f) states that, unless otherwise specified, the effective date of each action by the Secretary pursuant to this proposed subpart will be specified in the written notice that is sent to the entity. To ensure that an entity receives prompt notification, the Department anticipates sending such a notice by electronic mail or other electronic means in addition to a hard copy version. We are confident that any entity seeking listing as a PSO will have electronic mail capacity. For listing and delisting, the Secretary will specify both an effective time and date for such actions in the written notice. Our intent is to ensure clarity regarding when the entity can receive information that will be protected as patient safety work product.
3. Proposed Sec. 3.106--Security Requirements
Proposed Sec. 3.106 identifies the entities and individuals that are subject to the security requirements of this section and establishes the considerations that entities and individuals specified in subsection (a) should address to secure patient safety work product in their possession. This section provides a common framework for compliance with the requirement in section 921(5)(F) of the Public Health Service Act, 42 U.S.C. 299b-21(5)(F), that a PSO provide appropriate security measures with respect to patient safety work product. In light of the importance of data security to those who supply patient safety work product to any PSO, maintenance of data security will be a high and ongoing priority for PSOs.
(A) Proposed Sec. 3.106(a)--Application
Proposed Sec. 3.106(a) states that the security requirements in proposed Sec. 3.106(b) apply to each PSO, its workforce members, and its contractors when the contractors hold patient safety work product. This proposed subsection applies the requirements at all times and at any location at which patient safety work product is held. We expect that it will be more efficient for most PSOs to contract for at least a portion of the expertise they need to carry out patient safety activities, including the evaluation of certain types of patient safety events. In such situations, when a PSO discloses patient safety work product to a contractor to assist the PSO in carrying out patient safety activities and the contractor maintains such patient safety work product at locations other than those controlled by the PSO, our intent is to ensure that these same security requirements apply. We recognize that some contractors that a PSO chooses to employ may not want to, or may not have the resources to, meet these requirements at other locations. In such circumstances, the contractors will need to perform their services at locations at which the PSO can ensure that these security requirements can be met.
We note that this regulation does not impose these requirements on providers, but agreements between PSOs and providers may by contract call for providers to adopt equivalent standards.
(B) Proposed Sec. 3.106(b)--Security Framework
Proposed Sec. 3.106(b) establishes a framework consisting of four categories for the security of patient safety work product that a PSO must consider, including security management, separation of systems, security control and monitoring, and security assessment.
This framework is consistent with the standards of the National Institute of Standards and Technology (NIST) that federal agencies must follow but this section does not impose on PSOs the specific NIST standards that Federal agencies must meet. We recognize that it is not likely that PSOs will have the scale of operation or the resources to comply with Federal data security standards. Instead, we propose to require that each PSO must consider the four categories of the NIST framework set forth in this section by developing appropriate and scalable standards that are suitable for the size and complexity of its organization. We seek comment on the extent to which this proposal adequately and appropriately identifies the most significant security issues, with respect to patient safety work product that PSOs receive, develop, or maintain, and which PSOs should be expected to address with due diligence, and the extent to which our approach provides PSOs with sufficient flexibility to develop scalable standards.
(1) Proposed Sec. 3.106(b)(1)--Security Management
Proposed Sec. 3.106(b)(1) requires the PSO to approach its security requirements by: documenting its security requirements for patient safety work product; taking steps to ensure that its workforce and contractors as specified in proposed Sec. 3.106(a) understand their responsibilities regarding patient safety work product and the confidentiality requirements of the statute, including the potential imposition of civil money penalties for impermissible disclosures; and monitoring and improving the effectiveness of its security policies and procedures.
(2) Proposed Sec. 3.106(b)(2)--Separation of Systems
Under the statute, to preserve the confidentiality of patient safety work product, it is important to maintain a clear separation between patient safety work product and information that is not protected, and a clear separation between patient safety activities and other activities. As a result, we have incorporated requirements in proposed Sec. 3.106(b)(2) that PSOs must ensure such separation. The specific requirements for which a PSO must develop appropriate standards include: maintaining functional and physical separation of patient safety work product from other systems of records; protection of patient safety work product while it is held by the PSO; appropriate disposal or sanitization of media that have contained patient safety work product; and preventing physical access to patient safety work product by unauthorized users or recipients.
(3) Proposed Sec. 3.106(b)(3)--Security Control and Monitoring
Proposed Sec. 3.106(b)(3) requires that policies and procedures adopted by a PSO related to security control and monitoring must enable the PSO to identify and authenticate users of patient safety work product and must create an audit capacity to detect unlawful, unauthorized, or inappropriate activities involving access to patient safety work product. To ensure accountability, controls should be designed to preclude unauthorized removal, transmission or disclosures of patient safety work product.
(4) Proposed Sec. 3.106(b)(4)--Security Assessment
Proposed Sec. 3.106(b)(4) requires a PSO to develop policies and procedures that permit it to assess periodically the effectiveness and weaknesses of its overall approach to security of patient safety work product. A PSO needs to determine the frequency of security assessments, determine when it needs to undertake a risk assessment exercise so that the leadership and the workforce of the PSO are aware of the risks to PSO assets from security lapses, and specify how it will assess and adjust its procedures to ensure the security of its communications involving patient safety work product to and from providers and other authorized parties. Such communications are potentially vulnerable weak points for any security system and require ongoing special attention by a PSO.