4. Proposed Sec. 3.210--Required Disclosure of Patient Safety Work Product to the Secretary
We are proposing in Sec. 3.210 that providers, PSOs, and other persons that hold patient safety work product be required to disclose such patient safety work product to the Secretary upon a determination by the Secretary that such patient safety work product is needed for the investigation and enforcement activities related to this Part, or is needed in seeking and imposing civil money penalties. Such patient safety work product disclosed to the Secretary will be excepted from privilege and confidentiality protections insofar as the Secretary has a need to use such patient safety work product for the above purposes which include: accepting, conditioning, or revoking acceptance of PSO certification or in supporting such actions. See proposed Sec. 3.206(d).
5. Proposed Sec. 3.212--Nonidentification of Patient Safety Work Product
Proposed Sec. 3.210 establishes the standard by which patient safety work product will be determined nonidentifiable. For the ease of the reader, we have discussed this standard within the context of proposed Sec. 3.206(b)(5), the confidentiality disclosure exception for nonidentifiable patient safety work product.
D. Subpart D--Enforcement Program
The authority of the Secretary to enforce the confidentiality provisions of the Patient Safety Act is intended to deter impermissible disclosures of patient safety work product. Proposed Subpart D would establish a framework to enable the Secretary to monitor and ensure compliance with this Part, procedures for imposing a civil money penalty for breach of confidentiality, and procedures for a hearing contesting a civil money penalty.
The proposed enforcement program has been designed to provide maximum flexibility to the Secretary in addressing violations of the confidentiality provisions to encourage participation in patient safety activities and achieve the goals of the Patient Safety Act while safeguarding the confidentiality and protected nature of patient safety work product under the Patient Safety Act and this part. Failures to maintain confidentiality may be serious, deleterious and broad-ranging, and, if unpunished, may discourage participation by providers in the PSO voluntary reporting system. The Secretary's enforcement authority will be exercised commensurately to respond to the nature of any such failure and the resulting harm from such failures. The proposed regulations seek to provide the Secretary with reasonable discretion, particularly in areas where the exercise of judgment is called for by the statute or proposed rules, and to avoid being overly prescriptive in areas and causing unintended adverse effects where it would be helpful to gain experience with the practical impact of the proposed rules.
The provisions of section 1128A of the Social Security Act, 42 U.S.C. 1320a-7a, apply to the imposition of a civil money penalty under section 922(f) of the Public Health Service Act, 42 U.S.C. 299b-22(f), "in the same manner as" they apply to the imposition of civil money penalties under section 1128A itself. Section 1128A(l) of the Social Security Act, 42 U.S.C. 1320a-7a(l), provides that a principal is liable for penalties for the actions of its agents acting within the scope of their agency. Therefore, a provider or PSO will be responsible for the actions of a workforce member when such member discloses patient safety work product in violation of the confidentiality provisions while acting within the scope of the member's agency relationship.
Proposed Sec. Sec. 3.304 through 3.314 are designed to enable the Secretary to assist with, monitor, and investigate alleged failures with respect to compliance with the confidentiality provisions. Proposed Sec. Sec. 3.304 through 3.314 would establish the processes and procedures for the Secretary to provide technical assistance with compliance, for filing complaints with the Secretary, and for investigations and compliance reviews performed by the Secretary. Proposed Sec. Sec. 3.402 through 3.426 would provide the legal basis for imposing a civil money penalty, determining the amount of a civil money penalty, implementing the prohibition on the imposition of a civil money penalty under both HIPAA and the Patient Safety Act, and issuing a notice of proposed determination to impose a civil money penalty and establishing the process that would be relevant subsequent to the issuance of such a notice, whether or not a hearing follows the issuance of the notice of proposed determination. These sections also would contain provisions on the statute of limitations, authority to settle, collection of any penalty imposed for violation of the confidentiality provisions, and public notice of the imposition of such penalties. Finally, proposed Sec. 3.504 addresses the administrative hearing phase of the enforcement process, including provisions for appellate review within HHS of a hearing decision and burden of proof in such proceedings.
Generally, proposed Subpart D is based on the HIPAA Enforcement Rule, 45 CFR Part 160, Subparts C, D and E. We have closely followed the HIPAA Enforcement Rule for several reasons. First, because civil money penalties under both the HIPAA Enforcement Rule and Patient Safety Act are based on section 1128A of the Social Security Act, 42 U.S.C. 1320a-7a, we believe there is benefit in maintaining a common approach to enforcement and appeals of such civil money penalty determinations. Second, we believe that these procedures set forth in the HIPAA Enforcement Rule, which in turn are based on the procedures established by the OIG, work and satisfactorily address issues raised and addressed in prior rulemakings by the Department and the OIG. We do not reiterate those concerns, or their resolutions, here, but they have informed our decision making on these proposed rules.
Proposed Sec. Sec. 3.504(b)-(d), (f)-(g), (i)-(k), (m), (n), (t), (w) and (x) of the proposed rule are unchanged from, or incorporate the provisions of, the HIPAA Enforcement Rule. For a full discussion of the basis for these proposed sections, please refer to the proposed and final HIPAA Enforcement Rule, published on April 18, 2005, at 70 FR 20224 (proposed) and on February 16, 2006, at 71 FR 8390 (final). Although the preamble discussion of the HIPAA Enforcement Rule pertains to the HIPAA Administrative Simplification provisions, HIPAA covered entities, and protected health information under HIPAA, we believe the same interpretations and analyses are applicable to the Patient Safety Act confidentiality provisions, providers, PSOs, and responsible persons, and patient safety work product.
Proposed Sec. Sec. 3.424 and 3.504(a), (e), (h), (l), (o)-(s), (u) and (v) of the proposed rule also are based on, or incorporate, the HIPAA Enforcement Rule, but include technical changes made in order to adapt these provisions to the Patient Safety Act confidentiality provisions. We discuss these technical changes below but refer to the proposed and final HIPAA Enforcement Rule for a substantive discussion of these proposed sections.
For the above proposed sections, while we have chosen not to repeat our discussion of the rationale for these regulations, we invite comments regarding whether any further substantive or technical changes are needed to adapt these provisions to the Patient Safety Act confidentiality provisions.
The remaining sections in Subpart D of the proposed rule reprint HIPAA Enforcement Rule provisions in their entirety or constitute substantive changes from the analogous provisions of the HIPAA Enforcement Rule. We discuss these proposed sections in full below.
1. Proposed Sec. 3.304--Principles for Achieving Compliance
Proposed Sec. 3.304(a) would establish the principle that the Secretary will seek the cooperation of providers, PSOs, and responsible persons in maintaining and preserving the confidentiality of patient safety work product, relying on the civil money penalty authority when appropriate to remediate violations. Proposed Sec. 3.304(b) provides that the Secretary may provide technical assistance to providers, PSOs, and responsible persons to help them comply with the confidentiality provisions.
We will seek to achieve compliance through technical assistance and outreach so that providers, PSOs, and responsible persons that hold patient safety work product may better understand the requirements of the confidentiality provisions and, thus, may voluntarily comply by preventing breaches. However, we believe that the types of events that are likely to trigger complaints are actual breaches of confidentiality which will need remedial action (such events cannot be mitigated through preventive measures alone). Given the existing framework of peer review systems and other similar processes, we believe that most providers and patient safety experts already have well-established mechanisms for using sensitive information while respecting its confidentiality. Moreover, such persons will have incentives to maintain the confidentiality of patient safety work product each such person possesses in the future. Thus, while there may be situations where an issue may be resolved through technical assistance and corrective action, we anticipate that the resolution of complaints of breaches of confidentiality may warrant imposition of a civil money penalty to deter future non-compliance and similar violations. This Subpart preserves the discretion of the Secretary to enforce confidentiality in the manner that best fits the situation.
The Secretary will exercise discretion in developing a technical assistance program that may include the provision of written material when appropriate to assist persons in achieving compliance. We encourage persons to share "best practices" for the confidential utilization of patient safety work product. However, the absence of technical assistance or guidance may not be raised as a defense to civil money penalty liability.
2. Proposed Sec. 3.306--Complaints to the Secretary
We are proposing in Sec. 3.306 that any person may file a complaint with the Secretary if the person believes that a provider, PSO or responsible person has disclosed patient safety work product in violation of the confidentiality provisions. A complaint-driven process would provide helpful information about the handling and disclosure of patient safety work product and could serve to identify particularly troublesome compliance problems on an early basis.
The procedures proposed in this section are modeled on those used for the HIPAA Enforcement Rule. We would require: complaints to be in writing; complainants to identify the person(s), and describe the acts, alleged to be out of compliance; and that the complainant file such complaint within 180 days of when the complainant knew or should have known that the act complained of occurred, unless this time limit is waived by the Secretary for good cause shown. We have tried to keep the requirements for filing complaints as minimal as possible to facilitate use of this process. The Secretary would also attempt to keep the identity of complainants confidential, if possible. However, we recognize that it could be necessary to disclose the identity of a complainant in order to investigate the substance of the complaint, and the rules proposed below would permit such disclosures.
For the same reason that the HIPAA Enforcement Rule adopted the "known or should have known" standard for filing a complaint, we require that complaints be filed within 180 days of when the complainant knew or should have known that the violation complained of occurred unless this time limit is waived by the Secretary for good cause shown. We believe that an investigation of a complaint is likely to be most effective if persons can be interviewed and documents reviewed as close to the time of the alleged violation as possible. Requiring that complaints generally be filed within a certain period of time increases the likelihood that the Secretary will be able to obtain necessary and reliable information in order to investigate allegations. Moreover, we are taking this approach in order to encourage complainants to file complaints as soon as possible. By receiving complaints in a timely fashion, we can, if such complaints prove valid, reduce the harm caused by the violation.
In most cases, we expect that the providers, PSOs, responsible persons, and/or their employees will be aware of disclosures of patient safety work product. Nevertheless, other persons may become aware of the wrongful disclosure of patient safety work product as well. For these reasons, we do not limit who may file a complaint. We will accept complaints alleging violations from any person.
Once a complaint is received, the Secretary will notify the provider, PSO, or responsible person(s) against whom the complaint has been filed (i.e., the respondent), investigate and seek resolution to any violations based on the circumstances of the violation, in accordance with the principles for achieving compliance. In enforcing the confidentiality provisions of the Patient Safety Act, the Secretary will generally inform the respondent of the nature of any complaints received against the respondent. The Secretary will also generally afford the entity an opportunity to share information with the Secretary that may result in an early resolution.
3. Proposed Sec. 3.308--Compliance Reviews
We are proposing in Sec. 3.308 that the Secretary could conduct compliance reviews to determine whether a provider, PSO, or responsible person is in compliance. A compliance review could be based on information indicating a possible violation of the confidentiality provisions even though a formal complaint has not been filed. As is the case with a complaint investigation, a compliance review may examine the policies, practices or procedures of a respondent and may result in voluntary compliance or in a finding of a violation or no violation finding.
We believe the Secretary's ability to conduct compliance reviews should be flexible and unobstructed by limitations or required links to ongoing investigations. We do not establish any affirmative criteria for the conduct of a compliance review. Compliance reviews may be undertaken without regard to ongoing investigations or prior conduct. We recognize that cooperating with compliance reviews may create some burden and expense. However, the Secretary needs to maintain the flexibility to conduct whatever reviews are necessary to ensure compliance with the rule.
We note that, at least in the short term, HHS will be taking a case-based, complaint-driven approach to investigations and enforcement, rather than focusing resources on compliance reviews unrelated to any information or allegations of confidentiality violations.
4. Proposed Sec. 3.310--Responsibilities of Respondents
Proposed Sec. 3.310 establishes certain obligations for respondents that would be necessary to enable the Secretary to carry out the statutory role to determine their compliance with the requirements of the confidentiality provisions. Respondents would be required to maintain records as proposed in this proposed rule, participate as required in investigations and compliance reviews, and provide information to the Secretary upon demand. Respondents would also be required to disclose patient safety work product to the Secretary for investigations and compliance activities. We interpret the enforcement provision at section 922(f) of the Patient Safety Act, 42 U.S.C. 299b-22(f), to allow for such disclosure to the Secretary for the purpose of enforcing the confidentiality provisions.
Proposed Sec. 3.310(b) would require cooperation by respondents with investigations as well as compliance reviews.
Proposed Sec. 3.310(c) would provide that the Secretary must be provided access to a respondent's facilities, books, records, accounts, and other sources of information, including patient safety work product. Ordinarily, the Secretary will provide notice requesting access during normal business hours. However, if exigent circumstances exist, such as where documents might be hidden or destroyed, the Secretary may require access at any time and without notice. The Secretary will consider alternative approaches, such as subpoenas or search warrants, in seeking information from respondents that are not providers, PSOs, or a member of their workforce.
5. Proposed Sec. 3.312--Secretarial Action Regarding Complaints and Compliance Reviews
Proposed Sec. 3.312(a) provides that, if a complaint investigation or compliance review indicates noncompliance, the Secretary may attempt to resolve the matter by informal means. If the Secretary determines that the matter cannot be resolved by informal means, the Secretary will issue findings to the respondent and, if applicable, the complainant.
Proposed Sec. 3.312(a)(1) provides that, where noncompliance is indicated, the Secretary could seek to reach a resolution of the matter satisfactory to the Secretary by informal means. Informal means would include demonstrated compliance or a completed corrective action plan or other agreement. Under this provision, entering into a corrective action plan or other agreement would not, in and of itself, resolve the noncompliance; rather, the full performance by the respondent of its obligations under the corrective action plan or other agreement would be necessary to resolve the noncompliance.
Proposed Sec. Sec. 3.312(a)(2) and (3) address what notifications would be provided by the Secretary where noncompliance is indicated, based on an investigation or compliance review. Notification under these paragraphs would not be required where the only contacts made were with the complainant to determine whether the complaint warrants investigation. Section 3.312(a)(2) proposes written notice to the respondent and, if the matter arose from a complaint, the complainant, where the matter is resolved by informal means. If the matter is not resolved by informal means, proposed Sec. 3.312(a)(3)(i) would require the Secretary to so inform the respondent and provide the respondent 30 days in which to raise any mitigating factors the Secretary should consider in imposing a civil money penalty. Section 3.312(a)(3)(ii) proposes that, where a matter is not resolved by informal means and the Secretary decides that imposition of a civil money penalty is warranted based upon a response from the respondent or expiration of the 30 day response time limit, the formal finding would be contained in the notice of proposed determination issued under proposed Sec. 3.420.
Proposed Sec. 3.312(b) provides that, if the Secretary finds, after an investigation or compliance review, no further action is warranted, the Secretary will so inform the respondent and, if the matter arose from a complaint, the complainant. This section does not apply where no investigation or compliance review has been initiated, such as where a complaint has been dismissed due to lack of jurisdiction.
Proposed Sec. 3.312(c) addresses how the Secretary will handle information obtained during the course of an investigation or compliance review. Under proposed Sec. 3.312(c)(1), identifiable patient safety work product obtained by the Secretary in connection with an investigation or compliance review under this Part remains subject to the privilege and confidentiality protections and will not be disclosed except in accordance with proposed Sec. 3.206(d), if necessary for ascertaining or enforcing compliance with this part, or as permitted by this Part or the Patient Safety Act. In other words, the Secretary, as with any other entity or person, would receive patient safety work product subject to the confidentiality and privilege requirements and protections. The proposed rule strikes a balance between these protections and enforcement, providing that the Secretary would not disclose such patient safety work product, except as may be necessary to enable the Secretary to ascertain compliance with this Part, in enforcement proceedings, or as otherwise permitted by this Part. We note that, pursuant to section 922(g)(3) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(3), as added by the Patient Safety Act, the Patient Safety Act does not affect the implementation of the HIPAA confidentiality regulations (known as the HIPAA Privacy Rule). Accordingly, we propose that the Secretary may use patient safety work product obtained in connection with an investigation hereunder to enforce the HIPAA confidentiality regulations.
Proposed Sec. 3.312(c)(2) provides that, except for patient safety work product, testimony and other evidence obtained in connection with an investigation or compliance review may be used by HHS in any of its activities and may be used or offered into evidence in any administrative or judicial proceeding. Such information would include that which is obtained from investigational subpoenas and inquiries under proposed Sec. 3.314. The Department generally seeks to protect the privacy of individuals to the fullest extent possible, while permitting the exchange of records required to fulfill its administrative and programmatic responsibilities. The Freedom of Information Act, 5 U.S.C. 552, and the HHS implementing regulation, 45 CFR Part 5, provide substantial protection for records about individuals where disclosure would constitute an unwarranted invasion of their personal privacy. Moreover, in enforcing the Patient Safety Act and its implementing regulations, OCR plans to continue its current practice of protecting its complaint files from disclosure. These files, thus, would constitute investigatory records compiled for law enforcement purposes, one of the exemptions to disclosure under the Freedom of Information Act. In the case of patient safety work product that is not otherwise subject to a statutory exception permitting disclosure, the Patient Safety Act prohibits the disclosure of such information in response to a Freedom of Information Act request. See section 922(a)(3) of the Public Health Service Act, 42 U.S.C. 299b-22(a)(3).
The Secretary continues to be subject to the existing HIPAA Enforcement Rule with respect to the use and disclosure of protected health information received by the Secretary in connection with a HIPAA Privacy Rule investigation or compliance review (see 45 CFR 160.310(c)(3)); these proposed provisions do not modify those regulations.
6. Proposed Sec. 3.314--Investigational Subpoenas and Inquiries
Proposed Sec. 3.314 provides procedures for the issuance of subpoenas to require the attendance and testimony of witnesses and the production of any other evidence, including patient safety work product, during an investigation or compliance review. We propose to issue subpoenas in the same manner as 45 CFR 160.314(a)(1)-(5) of the HIPAA Enforcement Rule, except that the term "this part" shall refer to 42 CFR Part 3. The language modification is necessary to reference the appropriate authority.
We also propose that the Secretary is permitted to conduct investigational inquiries in the same manner as the provisions of 45 CFR 160.314(b)(1)-(9) of the HIPAA Enforcement Rule. The referenced provisions describe the manner in which investigational inquiries will be conducted.
7. Proposed Sec. 3.402--Basis for a Civil Money Penalty
Under proposed Sec. 3.402, a person who discloses identifiable patient safety work product in knowing or reckless violation of the confidentiality provisions shall be subject to a civil money penalty of not more than $10,000 for each act constituting a violation. See section 922(f)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(f)(1).
(A) Proposed Sec. 3.402(a)--General Rule
Proposed Sec. 3.402(a) would allow the Secretary to impose a civil money penalty on any person which the Secretary determines has knowingly or recklessly violated the confidentiality provisions. This provision is based on the language in section 922(f) of the Public Health Service Act, 42 U.S.C. 299b-22(f), that "a person who discloses identifiable patient safety work product in knowing or reckless violation of subsection (b) shall be subject to a civil money penalty of not more than $10,000 for each act constituting such violation." A civil money penalty may only be imposed if the Secretary first establishes a wrongful disclosure (i.e., (1) the information disclosed was identifiable patient safety work product; (2) the information was disclosed; and (3) the manner of the disclosure does not fit within any permitted exception). If a wrongful disclosure is established, the Secretary must then determine whether the person making the disclosure acted "knowingly" or "recklessly."
The applicable law on the issue of "knowing" provides that "unless the text of the statute dictates a different result, the term 'knowingly' merely requires proof of knowledge of the facts that constitute the offense [rather than] a culpable state of mind or [] knowledge of the law." Bryan v. United States, 524 U.S. 184 (1998) (emphasis added). Applying this meaning in the context of the Patient Safety Act, the Secretary would not need to prove that the person making the disclosure knew the law (i.e., knew that the disclosed information constituted identifiable patient safety work product or that such disclosure did not meet one of the standards for a permissive disclosure in the Patient Safety Act). Rather, the Secretary would only need to show that the person knew a disclosure was being made. Although knowledge that disclosed information is patient safety work product is not required, circumstances in which a person can show no such knowledge and no reason to know such knowledge may warrant discretion by the Secretary. By contrast, as a person's opportunity for knowledge and disregard of that opportunity increases, the Secretary's compulsion to exercise discretion not to impose a penalty declines.
Where a "knowing" violation cannot be established, the Secretary can still impose a civil money penalty by showing that the person was reckless in making the disclosure of identifiable patient safety work product. A person acts recklessly if they are aware, or a reasonable person in their situation should be aware, that their conduct creates a substantial risk of disclosure of information and to disregard such risk constitutes a gross deviation from reasonable conduct. A "substantial risk" represents a significant threshold, more than the mere possibility of disclosure of patient safety work product. Whether a risk is "substantial" is a fact-specific inquiry. Additionally, whether a reasonable person in the situation should know of a risk is based on context. For example, an employee whose job duties regularly involve working with sensitive patient information may be expected to know of disclosure risks of which other types of employees may reasonably be unaware.
Finally, the disregarding of the risk must be a gross deviation from reasonable conduct. This gross deviation standard is commonly used to describe reckless conduct. See, e.g., Model Penal Code Sec. 2A1.4(2006), definition of "reckless" for purposes of involuntary manslaughter; Black's Law Dictionary (8th ed., 2004). This does not mean that the conduct itself must be a gross deviation from reasonable conduct. Rather, the standard is whether the disregarding of the risk was a gross deviation (i.e., whether a reasonable person who is aware of the substantial risk of making an impermissible disclosure would find going forward despite the risk to be grossly unreasonable). Thus, disclosures that violate this Part and occur because an individual acted despite knowing of, or having reason to know of, a grossly unreasonable risk of disclosure are punishable by civil money penalty, regardless of whether such conduct may otherwise be widespread in the industry.
An example of a reckless disclosure of identifiable patient safety work product would be leaving a laptop unattended in a public area and accessible to unauthorized persons with identifiable patient safety work product displayed on the laptop screen. Such a situation would be reckless because it would create a substantial risk of disclosure of the information displayed on the laptop screen. If a person did not remove the identifiable patient safety work product from the laptop screen or take other measures to prevent the public view of the laptop screen, then leaving the laptop unattended would be a disregard for the substantial risk of disclosure that would be a gross deviation from reasonable conduct. Under these circumstances, the person leaving the laptop unattended could be liable for a civil money penalty.
The use of the term "shall be subject to" in section 922(f) of the Public Health Service Act, 42 U.S.C. 299b-22(f), conveys authority to the Secretary to exercise discretion as to whether to impose a penalty for a knowing or reckless violation of the confidentiality provisions. Based on the nature and circumstances of a violation and whether such violation was done in a knowing or reckless manner, the Secretary may impose a civil money penalty, require a corrective action plan, or seek voluntary compliance with these regulations.
Even in cases that constitute violations of the confidentiality provisions, the Secretary may exercise discretion. For example, in a situation where a provider makes a good faith attempt to assert the patient safety work product privilege, but is nevertheless ordered by a court to make a disclosure, and the provider does so, the Secretary could elect not to impose a civil money penalty. Thus, for example, it is not the Secretary's intention to impose a civil money penalty on a provider ordered by a court to produce patient safety work product where the provider has deliberately and in good faith undertaken reasonable steps to avoid such production and is, nevertheless, faced with compelled production or being held in contempt of court.
Similarly, an individual may innocently come into possession of information, unaware of the fact that the information is patient safety work product, and may innocently share the information in a manner not permitted by the confidentiality provisions. In such circumstances, the Secretary would look at the facts and circumstances of the case and could elect not to impose a penalty. Relevant facts and circumstances might include the individual's relationship with the source of the information (e.g., whether the information originated with a health care provider or a patient safety organization for which the individual was employed); whether, and the extent to which, the individual had a basis to know the information was patient safety work product or to know that the information was confidential; to whom the information was disclosed; and the intent of the individual in making the disclosure.