U.S. Department of Health and Human Services www.hhs.gov
Agency for Healthcare Research Quality www.ahrq.gov

[Continued from previous section]

Compliance With the HIPAA Privacy Rule

With respect to compliance with the HIPAA Privacy Rule, the Patient Safety Act establishes that PSOs shall be treated as business associates; and patient safety activities performed by, or on behalf of, a covered provider by a PSO are deemed health care operations as defined by the HIPAA Privacy Rule. A HIPAA covered entity is permitted to use or disclose protected health information as defined at 45 CFR 160.103 without an individual's authorization for its own health care operations and, in certain circumstances (which would include patient safety activities), for the health care operations of another HIPAA covered entity (e.g., HIPAA covered provider) under 45 CFR 164.506. To share protected health information with another HIPAA covered entity for that entity's health care operations, both HIPAA covered entities must share a patient relationship with the individual who is the subject of the protected health information and the protected health information that is shared must pertain to that relationship.

In addition, in cases where providers and PSOs share anonymized patient safety work product, providers may disclose a limited data set of patient information. Under 45 CFR 164.514(e)(3), a HIPAA covered entity may use or disclose a limited data set for the purpose of health care operations, including patient safety activities. Such disclosures, however, must be accompanied by a data use agreement, ensuring that the limited data set recipient will only use or disclose the protected health information for limited purposes. See 45 CFR 164.514(e)(4).

We seek comment regarding whether the HIPAA Privacy Rule definition for health care operations should contain a specific reference to patient safety activities conducted pursuant to this regulatory scheme. A health care provider that is a HIPAA covered entity may not disclose identifiable patient safety work product that is protected health information to a PSO unless that PSO is performing patient safety activities (as a health care operation) for that provider. Under this exception for patient safety activities, a health care provider that is a HIPAA covered entity may disclose identifiable patient safety work product that is protected health information to another provider (1) for the sending provider's patient safety activities; (2) for the patient safety activities of an organized health care arrangement (OHCA) (as defined at 45 CFR 160.103) if both the sending and receiving provider participate in the OHCA; or (3) to another provider for the receiving provider's patient safety activities if the protected health information relates to a common patient (including to determine that there is a common patient). We further seek comment regarding whether the provision permitting the disclosure of protected health information for health care operations at 45 CFR 164.506 should be modified to conform to the patient safety work product disclosures for patient safety activities set forth herein.

(5) Proposed Sec. 3.206(b)(5)--Disclosure of Nonidentifiable Patient Safety Work Product

Proposed Sec. 3.206(b)(5) permits the disclosure of nonidentifiable patient safety work product when the patient safety work product meets the standard for nonidentification in proposed Sec. 3.212. This implements section 922(c)(2)(B) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(B). Under proposed Sec. 3.206(b)(5), nonidentifiable patient safety work product may be disclosed by any entity or person that holds the nonidentifiable patient safety work product without violating the confidentiality provisions. Moreover, any provider, PSO or responsible person may nonidentify patient safety work product. As described in proposed Sec. 3.208(b)(ii), nonidentifiable patient safety work product, once disclosed, loses its privilege and confidentiality protection. Thus, it may be redisclosed by its recipient without any Patient Safety Act limitations.

Nonidentification Standard

The nonidentification standard is proposed at Sec. 3.212. However, we will discuss that standard at this point in the preamble due to its connection with the disclosure permission for nonidentifiable patient safety work product at proposed Sec. 3.206(b)(5). Proposed Sec. 3.212 would establish the standard by which patient safety work product will be determined nonidentifiable. The determination of what constitutes nonidentifiable patient safety work product is important because the standard for nonidentification effectively creates the boundary between protected and unprotected patient safety work product.

Under the Patient Safety Act and this Part, identifiable patient safety work product includes information that identifies any provider or reporter or contains individually identifiable health information under the HIPAA Privacy Rule (see 45 CFR 160.103). See section 921(2) of the Public Health Service Act, 42 U.S.C. 299b-21(2). By contrast, nonidentifiable patient safety work product does not include information that permits identification of any provider, reporter or subject of individually identifiable health information. See section 921(3) of the Public Health Service Act, 42 U.S.C. 299b-21(3). Because individually identifiable health information as defined in the HIPAA Privacy Rule is one element of identifiable patient safety work product, the de-identification standard provided in the HIPAA Privacy Rule applies with respect to the patient-identifiable information in the patient safety work product. Therefore, where patient safety work product contains individually identifiable health information, that information must be de-identified in accordance with 45 CFR 164.514(a)-(c) to qualify as nonidentifiable patient safety work product with respect to individually identifiable health information under the Patient Safety Act.

We propose that patient safety work product be contextually nonidentifiable in order to be considered nonidentifiable for the purposes of this rule. Contextual nonidentification of both providers and reporters would match the standard of de-identification in the HIPAA Privacy Rule. We are proposing two methods by which nonidentification can be accomplished which are similar to the standards for de-identification under the HIPAA Privacy Rule: (1) A statistical method of nonidentification and (2) the removal of 15 specified categories of direct identifiers of providers or reporters and of parties related to the providers and reporters, including corporate parents, subsidiaries, practice partners, employers, workforce members, or household members, and that the discloser have no actual knowledge that the remaining information, alone or in combination with other information reasonably available to the intended recipient, could be used to identify any provider or reporter (i.e., a contextual nonidentification standard).

In proposed Sec. 3.212(a)(1), the first method for rendering patient safety work product nonidentifiable with respect to a provider or reporter, we propose that patient safety work product can be nonidentified if a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable, applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an identified provider or reporter.

We believe that this method of nonidentification may sometimes be preferable to the safe harbor method proposed in Sec. 3.212(a)(2) discussed below and may be especially useful when aggregating data for populating the network of patient safety databases referenced in section 923 of the Public Health Service Act, 42 U.S.C. 299b-23. Under this proposal, if a statistician makes a determination as described above and documents the analysis, patient safety work product could be labeled as nonidentifiable even though it contains detailed clinical information and some potentially identifiable information such as zip codes.

In proposed Sec. 3.212(a)(2), the second method for rendering patient safety work product nonidentifiable with respect to a provider or reporter, we outline a process as a safe harbor requiring that the disclosing entity remove a list of specific typical identifiers and have no actual knowledge that the information to be disclosed could be used, alone or in combination with other information that is reasonably available to the intended recipient, to identify the particular provider or reporter. We have limited the knowledge component to that which is known to be reasonably available to the intended recipient in order to provide data custodians with a workable knowledge standard. With the contextual nonidentification standard in place, providers will have the most confidence that their identities will not be derived from nonidentifiable information and will be more likely to participate in the program. Moreover, requiring that patient safety work product be contextually nonidentifiable is consistent with the de-identification standard for patient identities, as described above.

We recognize that the more stringent the nonidentifiable patient safety work product standard is, the more cost, burden, and risk of error in nonidentification there will be to the disclosing entity. We also acknowledge that our proposal introduces uncertainty and subjectivity into the standard, making it a harder standard to enforce. The proposed standard may require the removal of more clinical and demographic information than would be removed in the absence of the contextual nonidentification requirement, and the resulting information would likely be less useful to a recipient. This outcome would particularly impact the network of patient safety databases of nonidentifiable patient safety work product to be established under section 923 of the Public Health Service Act, 42 U.S.C. 299b-23. In particular, the information that ultimately resides in the network may have reduced utility and a reduced capacity to contribute to the evaluation of patient safety issues.

To mitigate these concerns, this standard would work in conjunction with a separate permission for sharing identifiable patient safety work product through the patient safety activities disclosure. Disclosures as patient safety activities should enable the aggregation of sufficient patient safety work product to allow contextual nonidentification without the removal of all important specific clinical and demographic details. We invite comment on the proposed standards and approaches. For example, we are interested in knowing whether, under a contextual nonidentification standard, it is possible to have any geographical identifiers; and if so, at what level of detail (state, county, zip code). We are also interested in public comments regarding whether there are alternative approaches to standards for entities determining when health information can reasonably be considered nonidentifiable.

Re-identification

We permit a provider, PSO, or other disclosing entity or person to assign a code or other means of record identification to allow information made nonidentifiable to be re-identified by the disclosing person, provided certain conditions that further the goal of confidentiality are met regarding such code or other means of record identification. Further, a discloser may not release any key or other information that would enable a recipient to re-identify any provider or reporter or subject of individually identifiable health information. We propose to permit a re-identification mechanism to facilitate follow-up inquiries regarding, and analysis of, nonidentified patient safety work product that has been disclosed, such as from users of the network of patient safety databases when analyzing national and regional statistics. Such keys would not be for the purpose of permitting re-identification of patient safety work product obtained through the network of databases. Rather, such keys would facilitate the investigation of data anomalies reported to the network, correction of nonidentifiable records, and the potential to avoid duplicate records when richer information may be made available due to aggregation. Finally, with respect to HIPAA compliance, we note that, because nonidentified patient safety work product will, by definition, be de-identified information under the HIPAA Privacy Rule, a disclosure under Sec. 3.206(b)(5) will not violate the HIPAA Privacy Rule.

(6) Proposed Sec. 3.206(b)(6)--For Research

Proposed Sec. 3.206(b)(6) describes the disclosure of identifiable patient safety work product to entities carrying out research, evaluations, or demonstration projects that are funded, certified, or otherwise sanctioned by rule or other means by the Secretary. This disclosure is not for general research. Any research for which patient safety work product is disclosed under this exception must be sanctioned by the Secretary. See section 922(c)(2)(C) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(C). Research that is not sanctioned by the Secretary is insufficient to be a basis for the disclosure of patient safety work product under this exception. Further, although disclosure can be made for any research, evaluation, or demonstration project sanctioned by the Secretary, we expect that most research that may be subject to this disclosure permission will be related to the methodologies, analytic processes, and interpretation, feedback and quality improvement results from PSOs, rather than general medical, or even health services, research. Patient safety work product disclosed for research under this provision continues to be confidential and privileged.

Section 922(c)(2)(C) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(C), requires that patient safety work product which identifies patients may only be released to the extent that protected health information would be disclosable for research purposes under the HIPAA Privacy Rule. Under 45 CFR 164.512(i), a HIPAA covered entity may use or disclose protected health information for research, without the individual's authorization, provided that there is a waiver (or alteration of waiver) of authorization by either an Institutional Review Board (IRB) or a Privacy Board. The IRB/Privacy Board evaluates the request against various criteria that measure the privacy risk to the individuals who are the subjects of the protected health information.\17\ The HIPAA Privacy Rule only operates with respect to the identifiable health information of patients when held by a HIPAA covered entity or its business associate, and does not address the rights of individuals who may otherwise be the subject of the research.


\17\ The following are the waiver criteria at 45 CFR 164.512(i)(2)(ii):

(A) The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:

  1. An adequate plan to protect the identifiers from improper use and disclosure;
  2. An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
  3. Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;

(B) The research could not practicably be conducted without the waiver or alteration; and

(C) The research could not practicably be conducted without access to and use of the protected health information.


We tentatively conclude that the language in the Patient Safety Act that applies the exception "to the extent that disclosure of protected health information would be allowed for research purposes under the HIPAA [Privacy Rule]" is intended to apply the HIPAA Privacy Rule research provisions at 45 CFR 164.512(i) only to HIPAA covered entities when they release identifiable patient safety work product containing protected health information for research. This interpretation would result in the HIPAA Privacy Rule research standards being preserved in their application to HIPAA covered entities without burdening non-covered entities with HIPAA compliance.

We note that our interpretation of section 922(c)(2)(C) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(C), is not a bar to the disclosure of identifiable patient safety work product by entities or persons that are not HIPAA covered entities. We further note that for providers, reporters and other persons identified in patient safety work product disclosed for research purposes, the Common Rule, which is applicable to research conducted or supported by the Secretary, and the FDA human subjects protection regulations will provide appropriate protections to any natural persons who would be deemed subjects of the research.

With regard to research, the incorporation by reference of the HIPAA Privacy Rule should provide for the proper alignment of disclosures for research purposes. However, the exception under the Patient Safety Act also refers to evaluations and demonstration projects. Some of these activities may meet the definition of research under the HIPAA Privacy Rule, while other activities may not result in generalizable knowledge, but may nonetheless meet the definition of health care operations under the HIPAA Privacy Rule. Where the disclosure of protected health information for evaluations and demonstration projects is permitted as health care operations under the HIPAA Privacy Rule, HIPAA covered entities disclosing patient safety work product that includes protected health information under this exception could do so without violation of the HIPAA Privacy Rule.

(7) Proposed Sec. 3.206(b)(7)--To the Food and Drug Administration

Section 922(c)(2)(D) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(D) permits the disclosure by a provider to the FDA with respect to a product or activity regulated by the FDA. Proposed Sec. 3.206(b)(7) permits the disclosing by providers of patient safety work product concerning products or activities regulated by the Food and Drug Administration (FDA) to the FDA or to an entity required to report to the FDA concerning the quality, safety, or effectiveness of an FDA-regulated product or activity. For example, hospitals and health care professionals may disclose patient safety work product concerning the safety of drugs, medical devices, biological products, and dietary supplements, or vaccine and medical device adverse experiences to the FDA as part of an FDA monitoring or alert system. The proposed provision also permits sharing between the FDA, entities required to report to the FDA concerning the quality, safety, or effectiveness of an FDA-regulated product or activity, and their contractors for the same purposes. Patient safety work product disclosed pursuant to this disclosure permission continues to be confidential and privileged.

The FDA has monitoring and alert systems in place to assure the safety of FDA regulated products. These systems rely heavily on voluntary reports from providers, such as hospitals and health care professionals. Most reports that hospitals and health care professionals make directly to the FDA today concerning drugs, medical devices, biological products, and dietary supplements are voluntary, although health care professionals are required to report to the FDA certain vaccine adverse experiences, and user facilities such as hospitals must report to FDA some medical device adverse experiences. Manufacturers of drugs, devices, and biological products are required to report to the FDA concerning adverse experiences, but the manufacturers themselves must rely on information provided voluntarily by product users, including hospitals and health care professionals. There are three provisions of the Patient Safety Act that are implicated for reporting to the FDA: (1) The disclosure for reporting to the FDA (section 922(c)(2)(D) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(D)); (2) the clarification as to what is not patient safety work product which states that information "collected, maintained, or developed separately, or [that] exists separately, from a [patient safety evaluation system]" is not patient safety work product, and which, accordingly, can be reported for public health purposes (section 921(7)(B) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(B)); and (3) the rule of construction which preserves required reporting to the FDA (section 922(g)(6) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(6)).

The FDA disclosure provision at proposed Sec. 3.206(b)(7) would be applicable when patient safety work product is at issue. For example, the analysis of events by the provider or PSO that constitutes patient safety work product may generate information that should be reported to the FDA because it relates to the safety or effectiveness of an FDA-regulated product or activity. The exception would allow this patient safety work product to be disclosed to the FDA. Privilege and confidentiality protections would attach to the patient safety work product disclosed when received by FDA and continue to apply to any future disclosures by the FDA.

We tentatively conclude that the statutory language concerning reporting "to the FDA" includes reporting by the provider to the persons or entities regulated by the FDA and that are required to report to the FDA concerning the quality, safety, or effectiveness of an FDA-regulated product or activity. We propose this interpretation to allow providers to report to manufacturers who are required to report to the FDA, such as drug manufacturers, without violating this rule. This interpretation reflects both the rule of construction which preserves required reporting to the FDA and the goals of this statute which are to improve patient safety.

We further propose at Sec. 3.206(b)(7)(ii) that the FDA and entities required to report to the FDA may only further disclose patient safety work product for the purpose of evaluating the quality, safety, or effectiveness of that product or activity; such further disclosures are only permitted between the FDA, entities required to report to the FDA, their contractors, and disclosing providers. This permission is crucial to the effective operation of the FDA's activities and to facilitate the purpose for which the report was made initially. Thus, the FDA or a drug manufacturer receiving adverse drug event information that is patient safety work product may engage in further communications with the disclosing provider(s), for the purpose of evaluating the quality, safety, or effectiveness of the particular regulated product or activity, or may work with their contractors. Moreover, an entity regulated by the FDA may further disclose the information to the FDA; without this provision, such reporting would not meet the regulatory intent that disclosures be to the FDA and a narrow interpretation could impede the FDA's ability to effectuate improvements through the use of patient safety work product.

We recognize that there may be situations where the FDA or entities required to report to the FDA want to engage contractors who are not agents for the purpose of evaluating the quality, safety, or effectiveness of that product or activity. Thus, the proposal would allow disclosures to contractors who are not workforce members. Contractors may not further disclose patient safety work product, except to the entity from which they first received the information.

Because Congress did not expressly include disclosure to FDA-regulated entities, we seek public comment on our proposal related to this interpretation of section 922(c)(2)(D) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(D). In particular, we question whether this interpretation will cause any unintended consequences to disclosing providers.

The HIPAA Privacy Rule at 45 CFR 164.512(b) permits HIPAA covered entities to disclose protected health information concerning FDA-regulated activities and products to persons responsible for collection of information about the quality, safety, and effectiveness of those FDA-regulated activities and products. Therefore, disclosures under this exception of patient safety work product containing protected health information would be permitted under the HIPAA Privacy Rule.

(8) Proposed Sec. 3.206(b)(8)--Voluntary Disclosure to an Accrediting Body

Proposed Sec. 3.206(b)(8) permits the voluntary disclosure of identifiable patient safety work product by a provider to an accrediting body that accredits the disclosing provider. Voluntary means not compelled, a disclosure that the provider affirmatively chose to make. Patient safety work product disclosed pursuant to this proposed exception continues to be privileged and confidential.

Under this proposed disclosure, the identifiable patient safety work product that would be permitted to be disclosed must identify the disclosing provider, given the Patient Safety Act's explicit linkage of the disclosing provider to a body that accredits that specific provider in this permitted disclosure. We believe that the only information that would be relevant to that provider's accreditation would be information about the disclosing provider (i.e., actions or inactions of the disclosing provider), and not information about the provider's colleagues or any other accredited provider. Thus, a provider may not use this exception to disclose patient safety work product that is unrelated to the actual actions of the disclosing provider, such as information about the provider's colleagues or any other accredited individual or entity.

An issue arises concerning the identities of other providers, reporters, or patients contained within the disclosed patient safety work product. We considered whether to require the patient safety work product to be nonidentifiable as to providers other than the disclosing provider, since incidental disclosures of patient safety work product identifying other providers, especially if they were also accredited by the same accrediting institution, would not be a voluntary disclosure by those other providers. However, we do not believe that such an approach is necessary.

We understand that most providers that are accredited are large institutions, and in general their accreditors seek vast amounts of data during the accreditation process, some of which may include identifiers of practitioners who work in such institutions. We have preliminarily concluded that the disclosure of patient safety work product including practitioners in such circumstances will be harmless because, in many cases, the providers will not be accredited by the institution's accrediting body.

Even in circumstances where a non-disclosing provider identified by a provider voluntarily disclosing to an accrediting body is subject to the accrediting body, we believe the accrediting body will not use the information. First, we believe it is unlikely that a provider may have or seek to disclose patient safety work product containing information about the actions or inactions of a provider also accredited by the same accrediting body. Second, even if such a disclosure occurs, although it may not be voluntary as to the non-disclosing provider, we do not believe the accrediting body will use such information to take accrediting actions against the non-disclosing provider. We would expect that an accrediting body may ignore or give little weight to information about providers not disclosing information directly to the accrediting body. Such second hand information may be incomplete and incorrect. We anticipate that accrediting bodies would seek to obtain information about a provider's actions directly from the subject provider rather than second hand.
