Your browser doesn't support JavaScript. Please upgrade to a modern browser or enable JavaScript in your existing browser.
U.S. Department of Health and Human Services www.hhs.gov
Agency for Healthcare Research Quality www.ahrq.gov
AHRQ Home | Questions? | Contact Us | Site Map | What's New | Browse | Información en español | E-mail UpdatesE-mail Updates
www.ahrq.gov
PSO Home Patient Safety Organizations Stethoscope

[Continued from previous section]

2. Proposed Sec. 3.206--Confidentiality of Patient Safety Work Product

Proposed Sec. 3.206 describes the confidentiality protection of patient safety work product as well as exceptions from confidentiality protection. The following discussion generally refers to an act that falls within an exception from confidentiality as a permissible disclosure.

(A) Proposed Sec. 3.206(a)--Confidentiality

Proposed Sec. 3.206(a) would establish the overarching general principle that patient safety work product is confidential and shall not be disclosed. The principle applies to patient safety work product held by anyone. This provision is based on section 922(b) of the Public Health Service Act, 42 U.S.C. 299b-22(b).

(B) Proposed Sec. 3.206(b)--Exceptions to Confidentiality

Proposed Sec. 3.206(b) describes the exceptions to confidentiality, or the permitted disclosures. Certain overarching principles apply to the proposed confidentiality standards. First, we consider these exceptions to be "permissions" to disclose patient safety work product and the holder of the patient safety work product retains full discretion whether or not to disclose. Thus, similar to the disclosures permitted under the HIPAA Privacy Rule, we are defining a uniform federal baseline of protection that is enforceable by federally imposed civil money penalties. We are not encouraging or requiring disclosures, except to the Secretary as provided in this proposed rule. Therefore, a provider, PSO, or responsible person, may create confidentiality policies and procedures with respect to patient safety work product that are more stringent than these proposed rules and are free to otherwise condition the release of patient safety work product that comes within these exceptions by contract, employment relationship, or other means. See, for example, section 922(g)(4) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(4). However, the Secretary will not enforce such policies or private agreements.

Second, when exercising the discretion to disclose patient safety work product, we encourage providers, PSOs, and responsible persons to consider the purposes for which the disclosures are made. Disclosures should be narrow and consistent with the overarching goals of the privilege and confidentiality protections, even though these protections generally continue to apply to patient safety work product after disclosure. We encourage any entity or person making a disclosure to consider both the amount of patient safety work product that is being disclosed, as well as the amount of identifiable information disclosed. Even though not required, entities or persons should attempt to disclose the amount of information commensurate with the purposes for which a disclosure is made. We encourage the disclosure of the least amount of identifiable patient safety work product that is appropriate for the purpose of the disclosure, which might mean the disclosure of less information than all of the information that would be permitted to be disclosed under the confidentiality provisions. We also encourage the removal of identifiable information when feasible regardless of whether protection under this rule continues. While a provider, PSO, or responsible person need not designate a workforce member to determine when a disclosure of patient safety work product is permitted, such a designation may be a best practice to ensure that a disclosure complies with the confidentiality provisions, and contains the least amount of patient safety work product necessary.

Third, we have addressed the scope of redisclosure by persons receiving patient safety work product. Persons receiving patient safety work product would only be allowed to redisclose that information to the extent permitted by the proposed regulation. For example, we propose that accrediting bodies receiving patient safety work product pursuant to the accrediting body disclosure at proposed Sec. 3.206(b)(8) may not further disclose that patient safety work product. We seek public comment on the subject of whether there are any negative implications associated with limiting redisclosures in this way.

Additionally, agencies subject to both the Patient Safety Act and the Privacy Act, 5 U.S.C. 552a, must comply with both statutes when disclosing patient safety work product. Under the Patient Safety Act, see section 922(b) of the Public Health Service Act, 42 U.S.C. 299b- 22(b), if another law, such as the Privacy Act, permits or requires the disclosure of patient safety work product, disclosure of this information would be in violation of the Patient Safety Act unless the Patient Safety Act also permits this disclosure. However, if the Privacy Act prohibits the disclosure of information that is patient safety work product, the permissible disclosure of this information under the Patient Safety Act would be in violation of the Privacy Act. Therefore, for agencies subject to both statutes, patient safety work product must be disclosed in a manner that is permissible under both statutes. The Privacy Act does permit agencies to make disclosures pursuant to established routine uses. See 5 U.S.C. 552a(a)(7); 552a(b)(3); and 552a(e)(4)(D). We recommend that Federal agencies that maintain a Privacy Act system of records containing information that is patient safety work product include routine uses that will permit disclosures allowed by the Patient Safety Act.

Finally, for HIPAA covered entities, when individually identifiable health information is encompassed within the patient safety work product, the disclosure must also comply with the HIPAA Privacy Rule. Thus, for patient safety work product disclosures that contain individually identifiable health information, as defined in 45 CFR 160.103, we note some of the comparable HIPAA Privacy Rule permissions for consideration.

(1) Proposed Sec. 3.206(b)(1)--Criminal Proceeding

Proposed Sec. 3.206(b)(1) would establish the permitted criminal proceeding disclosure which parallels the privilege exception disclosure for use in a criminal proceeding, proposed Sec. 3.204(b)(1). Proposed Sec. 3.206(b)(1) would permit disclosure of identifiable patient safety work product for use in a criminal proceeding. Prior to a court determining that an exception to privilege applies pursuant to this provision, a court must make an in camera determination that the identifiable patient safety work product sought for disclosure contains evidence of a criminal act, is material to the proceeding, and is not reasonably available from other sources. See section 922(c)(1)(A) of the Public Health Service Act, 42 U.S.C. 299b- 22(c)(1)(A).

After such determinations by a court, the patient safety work product may be permissibly disclosed within the criminal proceeding. This provision and these limitations are based on section 922(c)(1)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(A). When considering claims that confidentiality protection has been breached, we intend to defer to, and not review, the court's in camera determinations made in context of determining the privilege exception. The Secretary has not been authorized to enforce the underlying privilege protection or make determinations regarding its applicability. The Secretary's authority is limited to investigating and enforcing violations of the confidentiality protections parallel to this privilege exception at proposed Sec. 3.206(b)(1).

The Patient Safety Act establishes that patient safety work product, once disclosed, will generally continue to be privileged and confidential as discussed in proposed Sec. 3.208. See section 922(d)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(1). However, the Patient Safety Act limits the continued protection of the specific patient safety work product disclosed for use in a criminal proceeding. Patient safety work product disclosed for use in a criminal proceeding continues to be privileged and cannot be reused as evidence or in any context prohibited by the privilege protection, but is no longer confidential. See section 922(d)(2)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(2)(A). For example, law enforcement personnel who obtain patient safety work product used in a criminal proceeding may further disclose that patient safety work product because the confidentiality protection does not apply. However, if law enforcement sought to enter the information into another criminal proceeding, it would need a new in camera determination for the new criminal proceeding. For a further discussion of continued confidentiality, see discussion of proposed Sec. 3.208 below.

For entities that are subject to the HIPAA Privacy Rule and this Part, disclosures must conform to 45 CFR 164.512(e) of the HIPAA Privacy Rule. We expect that court rulings following an in camera determination would be issued as a court order, which would satisfy the requirements of 45 CFR 164.512(e). So long as such legal process is in compliance with 45 CFR 164.512(e), the disclosure would be permissible under the HIPAA Privacy Rule.

(2) Proposed Sec. 3.206(b)(2)--Equitable Relief for Reporters

Proposed Sec. 3.206(b)(2) would permit the disclosure of identifiable patient safety work product to the extent required to carry out equitable relief as provided for under section 922(f)(4)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(f)(4)(A). See section 922(c)(1)(B) of the Public Health Service Act, 42 U.S.C. 299b- 22(c)(1)(B). This proposed provision parallels the privilege exception to carry out equitable relief at proposed Sec. 3.204(b)(2). The Patient Safety Act permits this disclosure to effectuate the provision that authorizes an employee to seek redress for adverse employment actions for good faith reporting of information to a PSO directly or to a provider with the intended disclosure to a PSO.

The Patient Safety Act prohibits a provider from taking an adverse employment action against an individual who, in good faith, reports information to the provider for subsequent reporting to a PSO, or to a PSO directly. See section 922(e)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(e)(1). Adverse employment actions are described at section 922(e)(2) of the Public Health Service Act, 42 U.S.C. 299b-22(e)(2), and include loss of employment, failure to promote, or adverse evaluations or decisions regarding credentialing or licensing. The Patient Safety Act provides adversely affected reporters a civil right of action to enjoin such adverse employment actions and obtain other equitable relief, including back pay or reinstatement, to redress the prohibited actions. As part of that right to seek equitable relief, the Patient Safety Act provides that patient safety work product is not subject to the privilege protections described in section 922(a) of the Public Health Service Act, 42 U.S.C. 299b-22(a), and as similarly described in proposed Sec. 3.204(a), or to the confidentiality protection in section 922(b) of the Public Health Service Act, 42 U.S.C. 299b-22(b), and as similarly described in proposed Sec. 3.206(a), to the extent such patient safety work product is necessary to carry out the equitable relief.

Although such disclosure is excepted from both confidentiality and privilege as to efforts to seek equitable relief, the identifiable patient safety work product remains subject to confidentiality and privilege protection in the hands of all subsequent holders and the protections apply to all subsequent potential disclosures. See section 922(d)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(1). Thus, even though the reporter is afforded discretion to disclose the relevant patient safety work product to seek and obtain equitable relief, all subsequent holders receiving the patient safety work product from the reporter are bound by the continued privilege and confidentiality protections.

Thus, this provision would allow the reporter seeking equitable relief from an adverse employment action to include patient safety work product in briefs and in open court. To protect the patient safety work product as much as possible in these circumstances, we could condition the disclosure of identifiable patient safety work product in these circumstances on a party's, most likely the reporter's, obtaining of a protective order in these types of proceedings. Such a protective order could take many forms that preserve the confidentiality of patient safety work product. For example, it could limit the use of the information to case preparation, but not make it evidentiary. Such an order might prohibit the disclosure of the patient safety work product in publicly accessible proceedings and in court records to prevent liability from moving to a myriad of unsuspecting parties (for example, parties in a courtroom may not know that they may be liable for civil money penalties if they share the patient safety work product they hear). We solicit comments on whether a protective order should be a condition for this disclosure, imposed by regulation, or whether instead we should require a good faith effort to obtain a protective order as a condition for this disclosure and use our enforcement discretion to consider whether to assess a penalty for anyone who cannot obtain such an order and thus breaches the statutory continued confidentiality protection of this information. See discussion below at proposed Sec. 3.402(a).

We also address the intersection of the HIPAA Privacy Rule herein because identifiable patient safety work product may contain individually identifiable health information and be sought for disclosure under this exception from a HIPAA covered entity or that HIPAA covered entity's business associate. Under the HIPAA Privacy Rule at 45 CFR 164.512(e), when protected health information is sought to be disclosed in a judicial proceeding via subpoenas and discovery requests without a court order, the disclosing HIPAA covered entity must seek satisfactory assurances that the party requesting the information has made reasonable efforts to provide written notice to the individual who is the subject of the protected health information or to secure a qualified protective order. A protective order that meets the qualified protective order under 45 CFR 164.512(e) would be permissible under the HIPAA Privacy Rule and render a disclosure under this exception in compliance with the HIPAA Privacy Rule.

Return to top

(3) Proposed Sec. 3.206(b)(3)--Authorized by Identified Providers

Proposed Sec. 3.206(b)(3) would establish a permitted disclosure parallel to the privilege exception at proposed Sec. 3.204(b)(3), when each of the providers identified in the patient safety work product authorizes the disclosure in question. This provision is based on section 922(c)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b- 22(c)(1)(C). In these circumstances, patient safety work product may be disclosed, not withstanding the privilege protections described in proposed Sec. 3.204(a) or the confidentiality protections described in proposed Sec. 3.206(a). However, patient safety work product disclosed under this exception continues to be confidential pursuant to the continued confidentiality provisions at section 922(d)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(1), and persons are subject to liability for further disclosures in violation of that confidentiality.

This exception applies to patient safety work product that contains identifiable provider information. Under the proposed language, each provider identified in the patient safety work product sought to be disclosed must separately authorize the disclosure. For example, if patient safety work product sought to be disclosed by an entity or person pursuant to this exception describes an incident involving three physicians, each physician would need to authorize disclosure of the patient safety work product, in order for the entity or person to disclose it. Making information regarding one provider nonidentifiable in lieu of obtaining an authorization is not sufficient.

We considered whether the rule should allow a provider to nonidentify the patient safety work product with respect to a nonauthorizing provider and disclose the patient safety work product with respect to the remaining authorizing providers. However, we rejected that approach as being impracticable. In light of the contextual nonidentification standard proposed in Sec. 3.212, it would seem that there would be very few, if any, situations in which a nonauthorizing provider could be nonidentified without also needing to nonidentify, or nearly so, an authorizing provider in the same patient safety work product. Unless we adopt a less stringent nonidentification standard, disclosing persons can either totally nonidentify patient safety work product and disclose under proposed Sec. 3.206(b)(5), or disclose the patient safety work product only if all identified providers in patient safety work product authorize its disclosure.

When all identified providers authorize the disclosure of patient safety work product, the Patient Safety Act permits such disclosure, but remains silent about the identification of patients or reporters in such patient safety work product. As to other persons that make patient safety work product identifiable, i.e., patients and reporters, the Patient Safety Act does not provide a separate right of authorization. However, as one of the core principles underlying the Patient Safety Act is the protection of the privacy and confidentiality concerns of certain persons in connection with specific patient safety work product (i.e., providers, patients and reporters), we encourage persons disclosing patient safety work product to exercise discretion in the scope of patient safety work product disclosed, even though neither patient nor reporter authorization is required. Disclosers are encouraged to consider whether the disclosure of identifying information regarding patients and reporters is necessary to accomplish the particular purpose of the disclosure. As discussed below, if the disclosing entity is a HIPAA covered entity, the HIPAA Privacy Rule, including the minimum necessary standard when applicable, would apply to the disclosure of protected health information contained within the patient safety work product. We seek public comment as to whether the proposed approach is sufficient to protect the interests of reporters and patients identified in the patient safety work product permitted to be disclosed pursuant to identifiable provider authorizations. Does this approach sufficiently balance the interests of the patients and reporters and their confidentiality versus the purposes for which the providers are authorizing the disclosures?

The Patient Safety Act does not specify the form of the authorization by a provider to come within this disclosure exception or a timeframe for recordkeeping. We propose that an authorization be in writing, be signed by the authorizing provider, and give adequate notice to the provider of the nature and scope of the disclosures authorized. The content of the authorization should fairly inform the provider as to the nature and scope of the identifiable patient safety work product to be disclosed to ensure the provider is making a knowing authorization. We do not intend that each authorization identify the specific patient safety work product to be disclosed. Such a requirement would be unworkable in complex health care arrangements existing today. Rather, an authorization can be general, (e.g., referring to categories of patient safety work product) and even to patient safety work product to be created in the future, so long as the authorization can be determined to have reasonably informed the authorizing provider of the scope of the authorized disclosure. The authorization requirement also enables providers to place limits on disclosures made pursuant to this proposed exception regarding patient safety work product identifying the provider. Any disclosure must be made in accordance with the terms of the signed authorization, but we do not require that any specific terms be included, only that such terms regarding the scope of the authorized disclosure of patient safety work product be adhered to. We seek public comment on whether a more stringent standard would be prudent and workable, such as an authorization process that is disclosure specific (i.e., no future application or a one time disclosure only authorization).

We also propose that any authorization be maintained by the disclosing entity or person for a period of six years from the date of the last disclosure made in reliance on the authorization, the limit of time within which the Secretary must initiate an enforcement action. While we recognize that a prudent person disclosing patient safety work product under this disclosure will likely maintain records in order to support a claim that such disclosure was permissible, nonetheless we require a six year retention of authorizations so that, if challenged, the Secretary may examine authorizations to determine whether a disclosure was valid pursuant to this disclosure provision. While we would not be monitoring or penalizing a person for lack of maintenance of an authorization, the failure to present a valid authorization will raise significant concerns regarding the permissibility of a disclosure pursuant to this permission.

With respect to compliance with the HIPAA Privacy Rule for patient safety work product that contains individually identifiable health information, authorization by a provider pursuant to this permitted disclosure does not permit a HIPAA covered entity or such a HIPAA covered entity's business associate to release such protected health information contained in the patient safety work product under the HIPAA Privacy Rule. Therefore, either the individually identifiable health information must be de-identified or the release of the individually identifiable health information must otherwise be permitted under the HIPAA Privacy Rule. Because this disclosure does not limit the purposes for which identifiable patient safety work product may be released with the provider's authorization, a HIPAA covered entity would need to review releases on a case-by-case basis to determine if there is an applicable provision in the HIPAA Privacy Rule that would otherwise permit such disclosure.

(4) Proposed Sec. 3.206(b)(4)--Patient Safety Activities

Section 922(c)(2)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(A), permits the disclosure of identifiable patient safety work product for patient safety activities. Proposed Sec. 3.206(b)(4) permits the disclosure of identifiable patient safety work product for patient safety activities (i) by a provider to a PSO or by a PSO to that disclosing provider; or (ii) by a provider or a PSO to a contractor of the provider or PSO; or (iii) by a PSO to another PSO or to another provider that has reported to the PSO, or by a provider to another provider, provided, in both cases, certain direct identifiers are removed. Patient safety activities are the core mechanism by which providers may disclose patient safety work product to obtain external expertise from PSOs. PSOs may aggregate information from multiple providers, and communicate feedback and analyses to providers. Ultimately, it is through such communications that much of the improvement in patient safety may occur. Thus, the rule needs to facilitate the communication between a provider and one or more PSOs.

To further this essential statutory purpose, we propose to allow providers to disclose identifiable patient safety work product to PSOs; one of the ways that information can become patient safety work product is through reporting of it to a PSO. We also propose to allow PSOs to reciprocally disclose patient safety work product back to such providers for patient safety activities. This free flow of information will ensure that the statute's goals of collecting, aggregating, and analyzing patient safety event information as well as disseminating recommendations for safety and quality improvements are achieved. Such a dialogue will allow both providers and PSOs to take a shared role in the advancement of patient safety improvements.

In addition, we recognize that there may be situations where providers and PSOs want to engage contractors who are not agents to carry out patient safety activities. Thus, the proposal would allow disclosures by providers to their contractors who are not workforce members and by PSOs to their contractors who are not workforce members. Contractors may not further disclose patient safety work product, except to the entity from which they first received the information. We note that this limitation does not preclude a provider or PSO from exercising its authority under section 922(g)(4) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(4), to separately delegate its power to the contractor to make other disclosures. Although we do not require a contract between a provider or PSO and its contractor, we expect that most providers and PSOs will engage in prudent practices when disclosing confidential patient safety work product for patient safety activities, (i.e., ensuring such information is narrowly used by the contractor solely for the purpose for which disclosed and adequately protected from wrongful disclosure).

While the permission allows the necessary communication as between a single provider and its PSO, such exchanges may not be sufficient. It is possible to conceive of meaningful patient safety activities occurring between two PSOs or between a PSO and a provider that is different than the original reporting provider, or between two providers. For example, PSOs may be able to more effectively aggregate patient safety work product if such expanded sharing of information is permitted. Aggregation may help PSOs pool sufficient information to achieve contextual nonidentification, in accordance with Sec. 3.212(a)(ii), but keep meaningful data in the information when disclosing to the network of patient safety databases contemplated in section 923 of the Public Health Service Act, 42 U.S.C. 299b-23. Providers may be able to collaborate and learn more efficiently about patient safety solutions if such sharing is permitted. At the same time, we are concerned that, without any limitation on such sharing, providers may be not only reluctant to disclose patient safety work product, but also potentially reticent to participate at all in patient safety activities, given the sensitive nature of the information, and the potential lack of certainty with respect to where the information might ultimately be disclosed.

Balancing these concerns, we are proposing that other than the reporting relationship between a provider and a PSO, PSOs be permitted to disclose patient safety work product to other PSOs or to other providers that have reported to the PSO, and providers be permitted to make disclosures to other providers, for patient safety activities, with provider and reporter identifiers in an anonymized (i.e., with certain direct identifiers removed, but not nonidentifiable under the proposed rule) or encrypted but not fully nonidentified form. For patient identifiers, the HIPAA Privacy Rule limited data set standard would apply. See 45 CFR 164.514(e). To anonymize the provider or reporter identifiers in the patient safety work product, the disclosing entity must remove the following direct identifiers of any providers and of affiliated organizations, corporate parents, subsidiaries, practice partners, employers, members of the workforce, or household members of such providers: (1) Names; (2) Postal address information, other than town or city, State and zip code; (3) Telephone numbers; (4) Fax numbers; (5) Electronic mail addresses; (6) Social security numbers or taxpayer identification numbers; (7) Provider or practitioner credentialing or DEA numbers; (8) National provider identification number; (9) Certificate/license numbers; (10) Web Universal Resource Locators (URLs); (11) Internet Protocol (IP) address numbers; (12) Biometric identifiers, including finger and voice prints; and (13) Full face photographic images and any comparable images. Removal of such identifiers may be absolute or may be done through encryption, provided that the disclosing entity does not disclose the key to the encryption or the mechanism for re-identification.

We have not proposed an unrestricted disclosure of identifiable patient safety work product to any person for patient safety activities. It is our understanding that disclosures to persons other than those proposed above do not need identifiable patient safety work product and that sufficient information may be communicated with nonidentifiable patient safety work product; we seek comment on this issue. Similarly, we recognize that nonidentifiable patient safety work product may have more limited usefulness due to the removal of key elements of identification; however, we have no basis for opening the patient safety activity disclosure permission further without specific examples of beneficial disclosures prohibited by our proposal.

The exchange of patient safety work product for patient safety activities permits extensive sharing among both providers and PSOs interested in improving patient safety. As patient safety work product is disclosed, however, it continues to be protected by the confidentiality provisions. The permission allows continual exchange of information without breach of confidentiality. At any time and as needed, information may be nonidentified, and the patient safety activities disclosure may be employed for this purpose.

Moreover, providers and PSOs are capable of imposing greater confidentiality requirements for the future use and disclosure of the patient safety work product through private agreements (see section 922(g)(4) of the Public Heath Service Act, 42 U.S.C. 299b-22(g)(4)). However, we note that the government would not be permitted to apply civil money penalties under this Part based on a violation of a private agreement that was not a violation of the confidentiality provisions.

Return to top
Return to Table of Contents
Return to previous section
Proceed to next section

 

AHRQAdvancing Excellence in Health Care
AHRQ footer - print version only