Your browser doesn't support JavaScript. Please upgrade to a modern browser or enable JavaScript in your existing browser.
U.S. Department of Health and Human Services www.hhs.gov
Agency for Healthcare Research Quality www.ahrq.gov
AHRQ Home | Questions? | Contact Us | Site Map | What's New | Browse | Información en español | E-mail UpdatesE-mail Updates
www.ahrq.gov

Back to Patient Safety Organizations Home

[Continued from previous section]

Furthermore, we propose to limit the accrediting body's permission to further redisclose such patient safety work product. To ensure that any patient safety work product in the hands of an accrediting body that contains provider identifiers of a provider who did not voluntarily disclose to such body, Sec. 3.206(b)(7)(i) proposes that an accrediting body may not further disclose the patient safety work product that was originally voluntarily disclosed. As an alternative to this approach, we could, as proposed in the patient safety activities disclosure, require that information with respect to non-disclosing providers be anonymized. See preamble discussion at proposed Sec. 3.206(b)(4). We seek comments as to whether the problem of information being disclosed non-voluntarily to an accrediting body by non-disclosing providers requires rendering such information anonymized.

The accrediting body takes the patient safety work product subject to the confidentiality protection, and would therefore be subject to civil money penalties for any re-disclosure. The patient safety work product disclosed under this permission in the hands of the accrediting body remains privileged and confidential, in accordance with the continued confidentiality provisions at proposed Sec. 3.208. Thus, it is incumbent upon the accrediting body to handle and maintain the patient safety work product in a way that preserves its confidential status. Such safeguards may include maintaining this information separately from other accrediting information in a confidential file, if the other information is not similarly held confidential.

Additionally, the Patient Safety Act includes strong provisions limiting the disclosure of patient safety work product to accrediting bodies and limiting the actions an accrediting body may take to seek patient safety work product. Proposed Sec. 3.206(b)(8)(ii) provides that an accrediting body may not take an accreditation action against a provider based on that provider's participation, in good faith, in the collection, reporting or development of patient safety work product. Accrediting bodies are also prohibited from requiring a provider to reveal its communications with any PSO, without regard to whether such provider actually reports information to a PSO. Thus, a provider may disclose patient safety work product to an accrediting body voluntarily, but cannot be compelled or required as a condition of accreditation to divulge patient safety work product or communications with a PSO. This subsection is based on the statutory requirements at section 922(d)(4)(B) of the Public Health Service Act, 42 U.S.C. 299b- 22(d)(4)(B).

Under the HIPAA Privacy Rule, a HIPAA covered entity may disclose protected health information to an accrediting body for the HIPAA covered entity's own health care operations, provided there is a business associate agreement with the accrediting body. Such health care operations include the activity of accreditation for the HIPAA covered entity as well as the accreditation of workforce members. Thus, providers that are HIPAA covered entities or are workforce members of a HIPAA covered entity that hold the protected health information may voluntarily disclose identifiable patient safety work product containing individually identifiable health information to an accrediting body that accredits that provider, provided there is a business associate agreement between the HIPAA covered entity and the accreditation organization.

(9) Proposed Sec. 3.206(b)(9)--Business Operations

Section 922(c)(2)(F) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(F), gives the Secretary authority to designate additional disclosures as permissible exceptions to the confidentiality protection if such disclosures are necessary for business operations and are consistent with the goals of the Patient Safety Act. Any patient safety work product disclosed pursuant to a business operations exception so designated by the Secretary continues to be confidential and privileged.

We propose to allow disclosures of patient safety work product by a provider or a PSO to professionals such as attorneys and accountants for the business operations purposes of the provider or PSO. A disclosure to an attorney may be necessary when a provider is seeking outside legal advice in defending against a malpractice claim or other litigation, even though the information would not be admissible as part of a legal proceeding. A provider might also need to disclose patient safety work product to an attorney in the case of due diligence related to a merger, sale or acquisition. Similarly, a provider may need to disclose patient safety work product to an accountant who is auditing the books and records of providers and PSOs. In order to ensure that such routine business operations are possible, we propose to allow disclosures by providers and PSOs for business operations to attorneys, accountants, and other professionals. Professionals such as those identified are usually bound by professional ethics to maintain the confidences of their clients. Such contractors may not further disclose patient safety work product, except to the entity from which it received the information. We note that this limitation does not preclude a provider or PSO from exercising its authority under section 922(g)(4) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(4), to separately delegate its power to the contractor to make other disclosures.

We note that if a provider or PSO were to disclose relevant patient safety work product to such professionals, we would rely upon the professional's legal and ethical constraints not to disclose the information for any unauthorized purpose. Our presumption is that professionals are generally subject to a set of governing rules. Nonetheless, we expect that providers and PSOs who disclose privileged and confidential information to attorneys, accountants or other ethically bound professionals for business purposes will engage in the prudent practice of ensuring such information is narrowly used by the contractor solely for the purpose for which it was disclosed and adequately protected from wrongful disclosure.

Because patient safety work product is specialized and highly confidential information, we have not conceived of any other third parties to whom it would be appropriate to disclose patient safety work product as a business operations disclosure. Because we are not regulating uses, any business operations need within the entity could occur unimpeded. Although we considered whether to adopt an exception for activities in the operation of a patient safety evaluation system, we believe these activities are within the definition of patient safety activities and, thus, within the confidentiality exception proposed at Sec. 3.206(b)(4). We seek public comment regarding whether there are any other consultants or contractors to whom a business operations disclosure should also be permitted, or whether there are any additional exceptions for the Secretary's consideration under this authority.

Under the HIPAA Privacy Rule, at 45 CFR 164.506, HIPAA covered entities are permitted to disclose protected health information for the HIPAA covered entity's own health care operations. "Health care operations" are certain activities of a HIPAA covered entity that are necessary to run its business and to support the core functions of treatment and payment, including "conducting or arranging for medical review, legal services, and auditing functions * * *." 45 CFR 164.501. Thus, a business operation designation by the Secretary that enables a HIPAA covered entity to disclose patient safety work product containing protected health information to professionals is permissible as health care operations disclosures under the HIPAA Privacy Rule. Generally such professionals would fall within the definition of business associate at 45 CFR 160.103 and would require a business associate agreement.

The Secretary's Business Operations Exception Designation Authority

Section 922(c)(2)(F) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(F), gives the Secretary broad authority to designate additional exceptions that are necessary for business operations and are consistent with the goals of the Patient Safety Act. At this point, we plan to designate additional exceptions only through regulation. Although the Patient Safety Act establishes that other means are available for adoption by the Secretary, which we interpret as including the publication of letters, notice within the Federal Register or publication on the Department Web site, we believe these methods may not provide for sufficient opportunity for public comment or transparency in the development of other business operations exceptions. Moreover, because an impermissible disclosure that violates a business operations exception can result in a civil money penalty, we believe it is important that any proposed business operations exception be implemented in a way that is unquestionably binding on both the public and the Department. We invite public comments with respect to whether the Secretary should incorporate or preserve other mechanisms for the adoption of business operations exceptions, given that we cannot anticipate all potential business operations needs at this time.

(10) Proposed Sec. 3.206(b)(10)--Disclosure to Law Enforcement

Proposed Sec. 3.206(b)(10) permits the disclosure of identifiable patient safety work product to law enforcement authorities, so long as the person making the disclosure believes--and that belief is reasonable under the circumstances--that the patient safety work product disclosed relates to a crime and is necessary for criminal law enforcement purposes. Under proposed Sec. 3.208, the disclosed patient safety work product would continue to be privileged and confidential.

We view this exception as permitting, for example, a disclosure by a whistleblower who would initiate the disclosure to law enforcement. The focus of this exception is the state of mind of the subject discloser. In making a disclosure, the discloser must reasonably believe that the event constitutes a crime and that the patient safety work product disclosed is necessary for criminal law enforcement purposes. The discloser need not be correct in these determinations, but his beliefs must be objectively reasonable. This standard provides some constraint on the discloser, and further protects against a release merely in response to a request by law enforcement.

Patient safety work product received by law enforcement under this exception continues to be confidential and privileged. The law enforcement entity receiving the patient safety work product may use the patient safety work product to pursue any law enforcement purposes; however, because the patient safety work product disclosed to law enforcement entities under the Patient Safety Act and proposed Sec. 3.206(b)(10) remains privileged and confidential, the law enforcement entity can only disclose such patient safety work product--including in a court proceeding--as permitted by this proposed rule.

We further propose that a law enforcement entity be permitted to redisclose the patient safety work product it receives under this exception to other law enforcement entities as needed for law enforcement activities related to the event that gave rise to the disclosure. We seek comment regarding whether these provisions allow for legitimate law enforcement needs, while ensuring appropriate protections.

We note that disclosure pursuant to this exception does not except patient safety work product from the privilege protection. Thus, patient safety work product cannot be subpoenaed, ordered, or entered into evidence in a criminal or civil proceeding through this exception; nor should a discloser rely solely on a law enforcement agent's statement that such information is necessary for law enforcement purposes. As already discussed, the Patient Safety Act framework permits an exception from privilege protection or law enforcement compulsion only in very narrow circumstances (see above privilege exception discussion). Under section 922(c)(1)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(A), patient safety work product may be disclosed for use in a criminal proceeding, but only after a judge has determined by means of an in camera review that the patient safety work product is material to a criminal proceeding and not reasonably available from any other source. Even after its use in such a criminal proceeding, and the lifting of the confidentiality protections with respect to such patient safety work product, the privilege protection continues. In light of the strict privilege protections for this information, we do not interpret this law enforcement disclosure exception as allowing the disclosure of patient safety work product based on a less compelling request by law enforcement for its release. The decision as to whether a discloser reasonably believes that the patient safety work product is necessary for a law enforcement purpose is the discloser's decision alone, provided that the decision is reasonable.

While the HIPAA Privacy Rule permits disclosures by HIPAA covered entities to law enforcement under a variety of circumstances, few align well with the proposed interpretation of this exception as being limited to disclosures to law enforcement initiated by the HIPAA covered entity. Although there is a very narrow set of HIPAA Privacy Rule permissions under which a HIPAA covered entity as a holder of patient safety work product would be allowed to release patient safety work product that contains protected health information to law enforcement, we note that a HIPAA covered entity would be permitted to de-identify the protected health information, in which case only the Patient Safety Act would apply to the disclosure of the patient safety work product. If the protected health information is needed by law enforcement, the HIPAA Privacy Rule has standards that permit the release of protected health information in response to certain law enforcement processes. If such information is not patient safety work product, it would not be subject to the privilege protections of the Patient Safety Act.

(C) Proposed Sec. 3.206(c)--Safe Harbor

Proposed Sec. 3.206(c) is based on section 922(c)(2)(H) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(H). This provision permits the disclosure of identifiable patient safety work product when that information does not include oral or written materials that either contain an assessment of the quality of care of an identifiable provider or describe or pertain to the actions or failure to act of an identifiable provider. The use of this exception is limited to persons other than PSOs. This provision essentially prohibits the disclosure of a subject provider's identity with information, whether oral or written, that: (1) Assesses that provider's quality of care; or (2) identifies specific acts attributable to such provider. Thus, a permissible disclosure may include a provider's identity, so long as no "quality information" about the subject provider is also disclosed and so long as it does not describe or pertain to an action or failure to act by the subject provider.

We propose that the provider identity element under this exception means the identity of any provider that is a subject of the patient safety work product. In other words, if the patient safety work product does not contain quality information about a particular provider or describe or pertain to any actions or failures to act by the provider, such provider could be identifiable within the patient safety work product disclosed pursuant to this exception. For example, if a nurse reports a patient safety event, but was not otherwise involved in the occurrence of that event, the nurse could be named in the disclosure. Providers that cannot be identified are those about whom the patient safety work product assesses the quality of care or describes or pertains to actions or failures to act of that provider. We propose that the threshold for identification of a provider will be determined in accordance with the nonidentification standard set forth in proposed Sec. 3.210. Thus, confidential patient safety work product disclosed under this exception may identify providers, reporters or patients so long as the provider(s) that are the subject of the actions described are nonidentified.

In general, the determination with respect to the content of quality information is straightforward. We also interpret quality information to include the fact that patient safety work product exists, without the specifics of the patient safety event at issue. For example, if a provider employee discloses to a friend that a particular surgeon had an incident reported to the PSO, without actually describing this incident, the fact that the surgeon was associated with patient safety work product would be a prohibited disclosure.

This is the only exception that defines prohibited conduct, rather than permitted conduct. We recognize that institutional providers, even practitioners offices, are communities unto themselves. We preliminarily interpret this exception as creating a narrow safe harbor for disclosures, possibly inadvertent, which may occur by a provider or other responsible person, when the patient safety work product does not reveal a link between a subject provider and the provider's quality of care or an action or failure to act by that subject provider. By proposing this provision as a safe harbor, we seek to have it available to mitigate harmless errors, rather than as a disclosure permission that may render all other disclosure permissions practically meaningless.

Under the HIPAA Privacy Rule, HIPAA covered entities are broadly permitted to disclose protected health information for the HIPAA covered entity's treatment, payment or health care operations. Otherwise, specific standards are described that limit the use and disclosure of protected health information. If such disclosure is made by a HIPAA covered entity, it is possible that the disclosure of protected health information would be permissible as a health care operation, or as incidental to another permitted disclosure. Nevertheless, examination of whether a HIPAA Privacy Rule standard has been violated will need to be made on a case-by-case basis.

(D) Proposed Sec. 3.206(d)--Implementation and Enforcement of the Patient Safety Act

Proposed Sec. 3.206(d) permits the disclosure of relevant patient safety work product to or by the Secretary as needed for investigating or determining compliance with this Part or for enforcement of the confidentiality provisions of this Subpart or in making or supporting PSO certification or listing decisions under the Patient Safety Act and Subpart B of this regulation. This disclosure parallels the privilege exception under proposed Sec. 3.204(c). Patient safety work product disclosed under this exception remains confidential. This exception does not limit the ability of the Secretary to disclose patient safety work product in accordance with the exceptions under proposed Sec. 3.206(b) or this Part. Rather, this proposed section provides a specific permission pursuant to which patient safety work product may be disclosed to the Secretary and the Secretary may further use such disclosed patient safety work product for compliance and enforcement purposes.

We propose to permit a disclosure of patient safety work product in order to allow the Secretary to obtain such information as is needed to implement and enforce this program, both for the purposes of enforcing the confidentiality of patient safety work product and for the oversight of PSOs. Enforcement of the confidentiality provisions includes the imposition of civil money penalties and adherence to the prohibition against imposing a civil money penalty for a single act that violates both the Patient Safety Act and the HIPAA Privacy Rule. This exception ensures that there will not be a conflict between the confidentiality obligations of a holder of patient safety work product and other provisions that allow the Secretary access to protected information and/or require disclosure to the Secretary for enforcement purposes. See proposed Sec. Sec. 3.110, 3.210, and 3.310. Although the statute does not explicitly address this disclosure, we believe that the authority to disclose to the Secretary for these purposes is inherent in the statute, and that this disclosure is permitted and necessary to meaningfully exercise our authority to enforce against breaches of confidentiality as well as to ensure that PSOs meet their certification attestations if needed. Proposed Sec. 3.312(c) discusses the limitations on what the Secretary may do with any patient safety work product obtained pursuant to an investigation or compliance review regarding an alleged impermissible disclosure.

This proposed provision would permit the disclosure of patient safety work product to the Secretary or disclosure by the Secretary so long as such disclosure is limited to the purpose of implementation and enforcement of these proposed regulations. Such disclosure would include the introduction of patient safety work product into proceedings before ALJs or the Board under proposed Subpart D by the Secretary, as well as the disclosure during investigations by the Secretary, or activities in reviewing PSO certifications by AHRQ. Disclosures of patient safety work product made to the Board or other parts of the Department that are received by workforce members, such as contractors operating electronic web portals or mail sorting and paper scanning services, would be permitted as a disclosure to the Secretary under this proposed provision. This provision would also permit the Board to disclose any patient safety work product in order to properly review determinations or to provide records for court review.

We believe strongly in the protection of patient safety work product as provided in the Patient Safety Act and the proposed regulations, and seek to minimize the risk of improper disclosure of patient safety work product by using and disclosing patient safety work product only in limited and necessary circumstances. With respect to disclosures to an ALJ or the Board, we note that the Board has numerous administrative, technical and physical safeguards available to protect sensitive information. For example, the Board has the authority to: Enter protective orders; hold closed hearings; redact records; anonymize names of cases and parties prior to publishing opinions; and put records under seal. It routinely maintains a controlled environment; trains staff about proper handling of confidential information; flags confidential information in records prior to archiving cases and shreds copies of case files, etc. Most importantly, understanding that any patient safety work product that is used in an enforcement proceeding is sensitive, the Board would seek to include only information in an opinion that is necessary to the decision, and omit any extraneous sensitive information that is not needed for its judgments.

This proposed provision also requires that patient safety work product disclosed to or by the Secretary must be necessary for the purpose for which the disclosure is made. We intend that any disclosure made pursuant to this proposed provision be limited in the amount of patient safety work product disclosed to accomplish the purpose of implementation, compliance, and enforcement. We discuss our anticipated uses and protections further in proposed Subpart D.

(E) Proposed Sec. 3.206(e)--No Limitation on Authority To Limit or Delegate Disclosure or Use

Proposed Sec. 3.206(e) reflects the Patient Safety Act's rule of construction in section 922(g)(4) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(4), establishing that a person holding patient safety work product may enter into a contract that requires greater confidentiality protections or may delegate its authority to make a disclosure in accordance with this Subpart. For example, a provider may delegate its permission (which it may have as a provider) to disclose to the FDA under proposed Sec. 3.206(b)(7) to a PSO through a contractual arrangement. In such a case, the PSO would be acting on behalf of the provider in making disclosures to the FDA. Without the delegated permission, it would, in this scenario, be impermissible for the PSO to disclose identifiable patient safety work product to the FDA, and a PSO that made such a disclosure could be subject to a civil money penalty. However, if a delegation of disclosing authority exists, the delegating person would be responsible for the disclosures of the delegee. Thus, in the example above, if the PSO made an impermissible disclosure, the delegating provider could be liable under the principle of principal liability for the acts of its agent. The PSO making the disclosure could also be liable. See discussion in proposed Sec. 3.402(b). Neither the statute nor the proposed rule limits the authority of a provider to place limitations on disclosures or uses. For example, a provider may require that a PSO remove all employee names prior to disclosing any patient safety work product despite such disclosure being permissible under this Subpart with the names included.

Return to top

3. Proposed Sec. 3.208--Continued Protection of Patient Safety Work Product

Proposed Sec. 3.208 provides that the privilege and confidentiality protections continue to apply to patient safety work product when disclosed and describes the narrow circumstances when the protections terminate. Generally, when identifiable patient safety work product is disclosed, whether pursuant to a permitted exception to privilege and/or confidentiality or disclosed impermissibly, that patient safety work product continues to be privileged and confidential. Any person receiving such patient safety work product receives that patient safety work product pursuant to the privilege and confidentiality protections. The receiving person holds the patient safety work product subject to these protections and is generally bound by the same limitations on disclosure and the potential civil money penalty liability if he or she discloses the patient safety work product in a manner that warrants imposition of a civil money penalty under proposed Subpart D.

An example would be if identifiable patient safety work product is disclosed to a provider's employee for patient safety activities, the identifiable patient safety work product disclosed to the employee would be confidential and the employee would be subject to civil money penalty liability for any knowing or reckless disclosure of the patient safety work product in identifiable form not permitted by the exceptions. Similarly, if confidential patient safety work product is received impermissibly, such as by an unauthorized computer access (i.e., hacker), the impermissible disclosure, even when unintentional, does not terminate the confidentiality. Thus, the hacker may be subject to civil money penalty liability for impermissible disclosures of that information.

We do not require that notification of the privilege and confidentiality of patient safety work product be made with each disclosure. We also note that the Secretary does not have authority to impose a civil money penalty for an impermissible breach of the privilege protection. Rather, any breach of privilege, permissible or not, would encompass a disclosure and concurrent breach of confidentiality, subject to penalty under the CMP provisions of the Patient Safety Act and this proposed rule, unless a confidentiality exception applied. See the discussion above of confidentiality protections at proposed Sec. 3.206 and the discussion of the enforcement provisions at proposed Subpart D.

Nor do we require notification of either the confidentiality of patient safety work product or the fact that patient safety work product is being disclosed. The Secretary's authority to impose a civil money penalty is not dependent upon whether the disclosing entity or person knows that the information being disclosed is patient safety work product or whether patient safety work product is confidential (see discussion under proposed Subpart D). Thus, we do not require that the disclosure of patient safety work product be accompanied by a notice as to either the fact that the information disclosed is patient safety work product or that it is confidential. Labeling does not make information protected patient safety work product, and the failure to label patient safety work product does not remove the protection. However, we do believe that such a notification would be beneficial to the recipient to alert such recipient to the fact that the information received should be held in a confidential manner and that knowing or reckless disclosure in violation of the confidentiality protection may subject a discloser to civil money penalties. Labeling patient safety work product may also make it easier for the provider to establish that such information is privileged patient safety work product. Also, a notification may also be prudent management for providers, PSOs, and responsible persons who could be subject to liability under agency principles for actions of disclosing agents. Moreover, such a notification policy may serve as a mitigating factor under the factors outlined under proposed Subpart D. Similarly, labeling of patient safety work product may be a good practice for the internal management of information by an entity that holds protected patient safety work product.

There are two exceptions to the continued protection of patient safety work product which terminate either the confidentiality or both the privilege and confidentiality under section 922(d)(2) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(2). The first exception to continued protection is an exception to continued confidentiality when patient safety work product is disclosed for use in a criminal proceeding, pursuant to proposed Sec. Sec. 3.204(b)(1) and 3.206(b)(1). Proposed Sec. 3.204(b)(1) is an exception to privilege for the particular proceeding at issue and does not permit the use of such patient safety work product in other proceedings or otherwise remove the privilege protection afforded such information. Thus, in the case of a criminal proceeding disclosure, the privilege continues even though the confidentiality terminates. In other words, when a court makes an in camera determination that patient safety work product can be entered into a criminal proceeding, that information remains privileged for any future proceedings, but is no longer confidential and may be further disclosed without restriction.

The second exception to continued protection is when patient safety work product is disclosed in nonidentifiable form, pursuant to proposed Sec. Sec. 3.204(b)(4) and 3.206(b)(5). Under both of these exceptions, the patient safety work product disclosed is no longer confidential, and may be further disclosed without restriction. The termination of the continued protections is based on section 922(d)(2) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(2).

Return to top
Return to Table of Contents
Return to previous section
Proceed to next section

 

AHRQAdvancing Excellence in Health Care
AHRQ footer - print version only