Your browser doesn't support JavaScript. Please upgrade to a modern browser or enable JavaScript in your existing browser.
U.S. Department of Health and Human Services www.hhs.gov
Agency for Healthcare Research Quality www.ahrq.gov
AHRQ Home | Questions? | Contact Us | Site Map | What's New | Browse | Información en español | E-mail UpdatesE-mail Updates
www.ahrq.gov

Back to Patient Safety Organizations Home

[Continued from previous section]

Regulatory Flexibility Act Analysis

The Regulatory Flexibility Act requires agencies to analyze regulatory options that would minimize any significant impact of a rule on small entities. Because the Patient Safety Act enables a broad spectrum of entities--public, private, for-profit, and not-for-profit-- to seek certification as a PSO, there may be many different types of organizations interested in becoming certified as a PSO that would be affected by the proposed rule. The proposed rule minimizes possible barriers to entry and creates a review process that is both simple and quick. As a result, AHRQ expects that a broad range of health care provider systems, medical specialty societies, and provider-based membership organizations will seek listing as a PSO by the Secretary.

AHRQ preliminarily determines that the proposed rule does not have a significant impact on small businesses because it does not impose a mandatory regulatory burden, and because the Department has made a significant effort to promulgate regulations that are the minimum necessary to interpret and implement the law. As stated previously, working with PSOs is completely voluntary; the proposed rule provides benefits in the form of legal protections that are expected to outweigh the cost of participation from the perspective of participating providers. AHRQ believes that the proposed rule will not have a significant impact on a substantial number of small entities because the proposed rules do not place small entities at a significant competitive disadvantage to large entities. AHRQ does not anticipate that there will be a disproportional effect on profits, costs, or net revenues for a substantial number of small entities. The proposed rule will not significantly reduce profit for a substantial number of small entities.

Impacts on Small Entities

1. The Need for and the Objectives of the Proposed Rule

The proposed rule establishes the authorities, processes, and requirements necessary to implement the Patient Safety Act, sections 921-926 of the Public Health Service Act, 42 U.S.C. 299b-21 to 299b-26. The proposed rules seek to establish a streamlined process for the Department to accept certification by entities seeking to become PSOs. Under the proposal, PSOs will be available voluntarily to enter into arrangements with health care providers and provide expert advice regarding the causes and prevention of adverse patient safety events. Information collected or developed by a health care provider or PSO, and reported to or by a PSO, that relate to a patient safety event would become privileged and confidential. Related deliberations would also be protected. Persons who breached the confidentiality provisions of the rule could be subject to civil money penalties of up to $10,000.

2. Description and Estimate of the Number of Small Entities Affected

For purposes of the Regulatory Flexibility Act, small entities include small businesses, non-profit organizations, and government jurisdictions. Most hospitals and many other health care providers and suppliers are small entities, either because they are nonprofit organizations or because they generate revenues of $6.5 million to $31.5 million in any one year. Individuals and States are not included in the definition of a small entity. The proposed rule would affect most hospitals, and other health care delivery entities, plus all small entities that are interested in becoming certified PSOs. Based on various stakeholder meetings, AHRQ estimates that approximately 50-100 entities may be interested in becoming listed as PSOs during the first three years following publication of the final rule. This figure is likely to stabilize over time, as some new PSOs form and some existing PSOs cease operations.

3. Impact on Small Entities

AHRQ believes that the proposed rule will not have a significant impact on a substantial number of small provider or PSO entities because the proposed rule does not place a substantial number of small entities at a significant competitive disadvantage to large entities. AHRQ does not anticipate that there will be a disproportional effect on profits, costs, or net revenues for a substantial number of small entities. The proposed rule will not significantly reduce profit for a substantial number of small entities. In fact, when fully implemented, we expect that the benefits and/or provider savings will outweigh the costs.

Compliance requirements for small entities under this proposed rule are the same as those described above for other affected entities. AHRQ has proposed only those regulations that are necessary to comply with provisions and goals of the Patient Safety Act, with the objective of encouraging the maximum participation possible. The proposed rule was written to minimize the regulatory and economic burden on any entity that seeks to be listed as a PSO by the Secretary, regardless of size. It is impossible for AHRQ to develop alternatives to the proposed rule for small entities, as the proposed rule must adhere to statutory requirements. For example, the proposed rule requires confidentiality and privilege protections and places the least amount of regulatory burden on participating players--while simultaneously ensuring that the goals of confidentiality are effectively implemented--with the objective of encouraging the maximum participation possible. In addition, the proposed rule was written recognizing that many providers will be HIPAA covered entities, and many PSOs will be business associates, which entails certain obligations under the HIPAA Privacy Rule. Thus, this proposed rule is coordinated with existing law, to minimize the burden of compliance.

AHRQ believes that the proposed rule will not have a significant impact on small providers. The proposed rule does not impose any costs directly on providers, large or small, that choose to work with a PSO. To the extent that providers hold patient safety work product, they must prevent impermissible disclosures; however, the proposed rule does not establish requirements for how providers must meet this requirement.

Finally, it is the statutory and supporting regulatory guarantee of the confidentiality of the reporting of adverse events that will enable PSOs to operate and perform their function. Thus, while the compliance costs in the form of start-up operational costs may be substantial, the benefits that will be generated as a result of these costs will exceed the actual costs, as illustrated in Table 5.

The Secretary certifies that the proposed rule will not have a significant economic impact on a substantial number of small entities.

List of Subjects in 42 CFR Part 3

Administrative practice and procedure, Civil money penalty, Confidentiality, Conflict of interests, Courts, Freedom of information, Health, Health care, Health facilities, Health insurance, Health professions, Health records, Hospitals, Investigations, Law enforcement, Medical research, Organization and functions, Patient, Patient safety, Privacy, Privilege, Public health, Reporting and recordkeeping requirements, Safety, State and local governments, Technical assistance.

For the reasons stated in the preamble, the Department of Health and Human Services proposes to amend Title 42 of the Code of Federal Regulations by adding a new part 3 to read as follows:

PART 3--PATIENT SAFETY ORGANIZATIONS AND PATIENT SAFETY WORK PRODUCT

Subpart A--General Provisions

Sec.

3.10 Purpose.

3.20 Definitions.

Subpart B--PSO Requirements and Agency Procedures

3.102 Process and requirements for initial and continued listing of PSOs.

3.104 Secretarial actions.

3.106 Security requirements.

3.108 Correction of deficiencies, revocation, and voluntary relinquishment.

3.110 Assessment of PSO compliance.

3.112 Submissions and forms.

Subpart C--Confidentiality and Privilege Protections of Patient Safety Work Product

3.204 Privilege of Patient Safety Work Product.

3.206 Confidentiality of Patient Safety Work Product.

3.208 Continued protection of Patient Safety Work Product.

3.210 Required disclosure of Patient Safety Work Product to the Secretary

3.212 Nonidentification of Patient Safety Work Product.

Subpart D--Enforcement Program

3.304 Principles for achieving compliance.

3.306 Complaints to the Secretary.

3.308 Compliance reviews.

3.310 Responsibilities of respondents.

3.312 Secretarial action regarding complaints and compliance reviews.

3.314 Investigational subpoenas and inquiries.

3.402 Basis for a civil money penalty.

3.404 Amount of a civil money penalty.

3.408 Factors considered in determining the amount of a civil money penalty.

3.414 Limitations.

3.416 Authority to settle.

3.418 Exclusivity of penalty.

3.420 Notice of proposed determination.

3.422 Failure to request a hearing.

3.424 Collection of penalty. 3.426 Notification of the public and other agencies.

3.504 Procedures for hearings.

Authority: 42 U.S.C. 216, 299b-21 through 299b-26; 42 U.S.C. 299c-6

 

Return to top

Subpart A--General Provisions

Sec. 3.10 Purpose.

The purpose of this Part is to implement the Patient Safety and Quality Improvement Act of 2005 (Pub. L. 109-41), which amended Title IX of the Public Health Service Act (42 U.S.C. 299 et seq.) by adding sections 921 through 926, 42 U.S.C. 299b-21 through 299b-26.

Sec. 3.20 Definitions.

As used in this Part, the terms listed alphabetically below have the meanings set forth as follows:

AHRQ stands for the Agency for Healthcare Research and Quality in HHS.

ALJ stands for an Administrative Law Judge of HHS.

Board means the members of the HHS Departmental Appeals Board, in the Office of the Secretary, who issue decisions in panels of three.

Bona fide contract means:

  1. A written contract between a provider and a PSO that is executed in good faith by officials authorized to execute such contract; or
  2. A written agreement (such as a memorandum of understanding or equivalent recording of mutual commitments) between a Federal, State, Local, or Tribal provider and a Federal, State, Local, or Tribal PSO that is executed in good faith by officials authorized to execute such agreement.

Complainant means a person who files a complaint with the Secretary pursuant to Sec. 3.306.

Component organization means an entity that is either:

  1. A unit or division of a corporate organization or of a multi- organizational enterprise; or
  2. A separate organization, whether incorporated or not, that is owned, managed or controlled by one or more other organization(s), i.e., its parent organization(s).

Component PSO means a PSO listed by the Secretary that is a component organization.

Confidentiality provisions means for purposes of Subparts C and D, any requirement or prohibition concerning confidentiality established by section 921 and 922(b), (d), (g) and (i) of the Public Health Service Act, 42 U.S.C. 299b-21, 299b-22(b)-(d), (g) and (i) and the provisions, at Sec. Sec. 3.206 and 3.208, that implement the statutory prohibition on disclosure of identifiable patient safety work product.

Disclosure means the release, transfer, provision of access to, or divulging in any other manner of patient safety work product by a person holding the patient safety work product to another.

Entity means any organization or organizational unit, regardless of whether the organization is public, private, for-profit, or not-for- profit.

Group health plan means employee welfare benefit plan (as defined in section 3(1) of the Employee Retirement Income Security Act of 1974 (ERISA)) to the extent that the plan provides medical care (as defined in paragraph (2) of section 2791(a) of the Public Health Service Act, including items and services paid for as medical care) to employees or their dependents (as defined under the terms of the plan) directly or through insurance, reimbursement, or otherwise.

Health insurance issuer means an insurance company, insurance service, or insurance organization (including a health maintenance organization, as defined in 42 U.S.C. 300gg-91(b)(3)) which is licensed to engage in the business of insurance in a State and which is subject to State law which regulates insurance (within the meaning of 29 U.S.C. 1144(b)(2)). The term does not include a group health plan.

Health maintenance organization means:

  1. A Federally qualified health maintenance organization (HMO) (as defined in 42 U.S.C. 300e(a)),
  2. An organization recognized under State law as a health maintenance organization, or
  3. A similar organization regulated under State law for solvency in the same manner and to the same extent as such a health maintenance organization.

HHS stands for the United States Department of Health and Human Services.

HIPAA Privacy Rule means the regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), at 45 CFR Part 160 and Subparts A and E of Part 164.

Identifiable patient safety work product means patient safety work product that:

  1. Is presented in a form and manner that allows the identification of any provider that is a subject of the work product, or any providers that participate in, or are responsible for, activities that are a subject of the work product;
  2. Constitutes individually identifiable health information as that term is defined in the HIPAA Privacy Rule at 45 CFR 160.103; or
  3. Is presented in a form and manner that allows the identification of an individual who in good faith reported information directly to a PSO or to a provider with the intention of having the information reported to a PSO ("reporter").

Nonidentifiable patient safety work product means patient safety work product that is not identifiable patient safety work product in accordance with the nonidentification standards set forth at Sec. 3.212.

OCR stands for the Office for Civil Rights in HHS.

Parent organization means an entity that, alone or with others, either owns a provider entity or a component organization, or has the authority to control or manage agenda setting, project management, or day-to-day operations, or the authority to review and override decisions of a component organization.

Patient Safety Act means the Patient Safety and Quality Improvement Act of 2005 (Pub. L. 109-41), which amended Title IX of the Public Health Service Act (42 U.S.C. 299 et seq.) by inserting a new Part C, sections 921 through 926, which are codified at 42 U.S.C. 299b-21 through 299b-26.

Patient safety activities means the following activities carried out by or on behalf of a PSO or a provider:

  1. Efforts to improve patient safety and the quality of health care delivery;
  2. The collection and analysis of patient safety work product;
  3. The development and dissemination of information with respect to improving patient safety, such as recommendations, protocols, or information regarding best practices;
  4. The utilization of patient safety work product for the purposes of encouraging a culture of safety and of providing feedback and assistance to effectively minimize patient risk;
  5. The maintenance of procedures to preserve confidentiality with respect to patient safety work product;
  6. The provision of appropriate security measures with respect to patient safety work product;
  7. The utilization of qualified staff; and
  8. Activities related to the operation of a patient safety evaluation system and to the provision of feedback to participants in a patient safety evaluation system.

Patient safety evaluation system means the collection, management, or analysis of information for reporting to or by a PSO.

Patient safety organization (PSO) means a private or public entity or component thereof that currently is listed as a PSO by the Secretary in accordance with Subpart B. A health insurance issuer or a component organization of a health insurance issuer may not be a PSO. See also the exclusion in proposed Sec. 3.102 of this Part.

Patient safety work product (PSWP).

  1. Except as provided in paragraph (2) of this definition, patient safety work product means any data, reports, records, memoranda, analyses (such as root cause analyses), or written or oral statements (or copies of any of this material)
    1.  
      1. Which are assembled or developed by a provider for reporting to a PSO and are reported to a PSO; or
      2. Are developed by a PSO for the conduct of patient safety activities; and which could improve patient safety, health care quality, or health care outcomes; or
    2. Which identify or constitute the deliberations or analysis of, or identify the fact of reporting pursuant to, a patient safety evaluation system.
  2.  
    1. Patient safety work product does not include a patient's medical record, billing and discharge information, or any other original patient or provider information; nor does it include information that is collected, maintained, or developed separately, or exists separately, from a patient safety evaluation system. Such separate information or a copy thereof reported to a PSO shall not by reason of its reporting be considered patient safety work product.
    2. Nothing in this part shall be construed to limit information that is not patient safety work product from being:
      1. Discovered or admitted in a criminal, civil or administrative proceeding;
      2. Reported to a Federal, State, local or tribal governmental agency for public health or health oversight purposes; or
      3. Maintained as part of a provider's recordkeeping obligation under Federal, State, local or tribal law.

Person means a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.

Provider means:

  1. An individual or entity licensed or otherwise authorized under State law to provide health care services, including—
    1. A hospital, nursing facility, comprehensive outpatient rehabilitation facility, home health agency, hospice program, renal dialysis facility, ambulatory surgical center, pharmacy, physician or health care practitioner's office (includes a group practice), long term care facility, behavior health residential treatment facility, clinical laboratory, or health center; or
    2. A physician, physician assistant, registered nurse, nurse practitioner, clinical nurse specialist, certified registered nurse anesthetist, certified nurse midwife, psychologist, certified social worker, registered dietitian or nutrition professional, physical or occupational therapist, pharmacist, or other individual health care practitioner;
  2. Agencies, organizations, and individuals within Federal, State, local, or Tribal governments that deliver health care, organizations engaged as contractors by the Federal, State, local, or Tribal governments to deliver health care, and individual health care practitioners employed or engaged as contractors by the Federal State, local, or Tribal governments to deliver health care; or
  3. A parent organization that has a controlling interest in one or more entities described in paragraph (1)(i) of this definition or a Federal, State, local, or Tribal government unit that manages or controls one or more entities described in (1)(i) or (2) of this definition.

Research has the same meaning as the term is defined in the HIPAA Privacy Rule at 45 CFR 164.501.

Respondent means a provider, PSO, or responsible person who is the subject of a complaint or a compliance review.

Responsible person means a person, other than a provider or a PSO, who has possession or custody of identifiable patient safety work product and is subject to the confidentiality provisions.

Workforce means employees, volunteers, trainees, contractors, and other persons whose conduct, in the performance of work for a provider, PSO or responsible person, is under the direct control of such provider, PSO or responsible person, whether or not they are paid by the provider, PSO or responsible person.

Return to top

Subpart B--PSO Requirements and Agency Procedures



Sec. 3.102 Process and requirements for initial and continued listing of PSOs.

  1. Eligibility and process for initial and continued listing.
    1. Submission of Certification. Any entity, except as specified in paragraph (a)(2) of this section, may request from the Secretary an initial or continued listing as a PSO by submitting a completed certification form that meets the requirements of this section, in accordance with the submission requirements at Sec. 3.112. An individual with authority to make commitments on behalf of the entity seeking listing will be required to acknowledge each of the certification requirements, attest that the entity meets each requirement, provide contact information for the entity, and certify that the PSO will promptly notify the Secretary during its period of listing if it can no longer comply with any of the criteria in this section.
    2. Restrictions on certain entities. Entities that may not seek listing as a PSO include: health insurance issuers or components of health insurance issuers. Any other entity, public or private, that conducts regulatory oversight of health care providers, such as accreditation or licensure, may not seek listing, except that a component of such an entity may seek listing as a component PSO. An applicant completing the required certification forms described in paragraph (a)(1) of this section will be required to attest that the entity is not subject to the restrictions of this paragraph.
  2. Fifteen general PSO certification requirements. The certifications submitted to the Secretary in accordance with paragraph (a)(1) of this section must conform to the following 15 requirements:
    1. Required certification regarding eight patient safety activities. An entity seeking initial listing as a PSO must certify that it has written policies and procedures in place to perform each of the eight patient safety activities, defined in Sec. 3.20. Such policies and procedures will provide for compliance with the confidentiality provisions of subpart C of this part and the appropriate security measures required by Sec. 3.106 of this subpart. A PSO seeking continued listing must certify that it is performing, and will continue to perform, each of the patient safety activities, and is and will continue to comply with subpart C of this part and the security requirements referenced in the preceding sentence.
    2. Required certification regarding seven PSO criteria. In its initial certification submission, an entity must also certify that it will comply with the additional seven requirements in paragraphs (b)(2)(i) through (b)(2)(vii) of this section. A PSO seeking continued listing must certify that it is complying with, and will continue to comply with, the requirements of this paragraph.
      1. The mission and primary activity of a PSO must be to conduct activities that are to improve patient safety and the quality of health care delivery.
      2. The PSO must have appropriately qualified workforce members, including licensed or certified medical professionals.
      3. The PSO, within the 24-month period that begins on the date of its initial listing as a PSO, and within each sequential 24-month period thereafter, must have entered into 2 bona fide contracts, each of a reasonable period of time, each with a different provider for the purpose of receiving and reviewing patient safety work product.
      4. The PSO is not a health insurance issuer, and is not a component of a health insurance issuer.
      5. The PSO must make disclosures to the Secretary as required under Sec. 3.102(d), in accordance with Sec. 3.112 of this subpart.
      6. To the extent practical and appropriate, the PSO must collect patient safety work product from providers in a standardized manner that permits valid comparisons of similar cases among similar providers.
      7. The PSO must utilize patient safety work product for the purpose of providing direct feedback and assistance to providers to effectively minimize patient risk.
  3. Additional certifications required of component organizations. In addition to meeting the 15 general PSO certification requirements of paragraph (b) of this section, an entity seeking initial listing that is a component of another organization or enterprise must certify that it will comply with the requirements of paragraphs (c)(1) through (c)(3) of this section. A component PSO seeking continued listing must certify that it is complying with, and will continue to comply with, the requirements of this paragraph.
    1. Separation of patient safety work product.
      1. A component PSO must:
        1. Maintain patient safety work product separately from the rest of the parent organization(s) of which it is a part; and
        2. Not have a shared information system that could permit access to its patient safety work product to an individual(s) in, or unit(s) of, the rest of the parent organization(s) of which it is a part.
      2. Notwithstanding the requirements of paragraph (c)(1)(i) of this section, a component PSO may provide access to identifiable patient safety work product to an individual(s) in, or a unit(s) of, the rest of the parent organization(s) of which it is a part if the component PSO enters into a written agreement with such individuals or units that requires that:
        1. The component PSO will only provide access to identifiable patient safety work product to enable such individuals or units to assist the component PSO in its conduct of patient safety activities, and
        2. Such individuals or units that receive access to identifiable patient safety work product pursuant to such written agreement will only use or disclose such information as specified by the component PSO to assist the component PSO in its conduct of patient safety activities, will take appropriate security measures to prevent unauthorized disclosures and will comply with the other certifications the component has made pursuant to paragraphs (c)(2) and (c)(3) of this section regarding unauthorized disclosures and conflicts with the mission of the component PSO.
    2. Nondisclosure of patient safety work product. A component PSO must require that members of its workforce and any other contractor staff, or individuals in, or units of, its parent organization(s) that receive access in accordance with paragraph (c)(1)(ii) of this section to its identifiable patient safety work product, not be engaged in work for the parent organization(s) of which it is a part, if the work could be informed or influenced by such individuals' knowledge of identifiable patient safety work product, except for individuals whose other work for the rest of the parent organization(s) is solely the provision of clinical care.
    3. No conflict of interest. The pursuit of the mission of a component PSO must not create a conflict of interest with the rest of the parent organization(s) of which it is a part.
  4. Required notifications. PSOs must meet the following notification requirements:
    1. Notification regarding PSO compliance with the minimum contract requirement. No later than 45 calendar days prior to the last day of the applicable 24-month assessment period, specified in paragraph (b)(2)(iii) of this section, the Secretary must receive from a PSO a certification that states whether it has met the requirement of that paragraph regarding two bona fide contracts, in accordance with Sec. 3.112 of this subpart.
    2. Notification regarding a PSO's relationships with its contracting providers. A PSO must submit to the Secretary a disclosure statement, in accordance with Sec. 3.112 of this subpart, regarding its relationships with each provider with which the PSO has a contract pursuant to the Patient Safety Act if the circumstances described in either paragraph (d)(2)(i) or (d)(2)(ii) of this section are applicable. The Secretary must receive a disclosure statement within 45 days of the date on which a PSO enters a contract with a provider if the circumstances are met on the date the contract is entered. During the contract period, if a PSO subsequently enters one or more relationships with a contracting provider that create the circumstances described in paragraph (d)(2)(i) of this section or a provider exerts any control over the PSO of the type described in paragraph (d)(2)(ii) of this section, the Secretary must receive a disclosure statement from the PSO within 45 days of the date that the PSO entered each new relationship or of the date on which the provider imposed control of the type described in paragraph (d)(2)(ii).
      1. Taking into account all relationships that the PSO has with the provider, other than the bona fide contract entered into pursuant to the Patient Safety Act, the PSO must fully disclose any other contractual, financial, or reporting relationships described below that it has with that provider.
        1. Contractual relationships which are not limited to relationships based on formal contracts but also encompass relationships based on any oral or written agreement or any arrangement that imposes responsibilities on the PSO.
        2. Financial relationships including any direct or indirect ownership or investment relationship between the PSO and the contracting provider, shared or common financial interests or direct or indirect compensation arrangement, whether in cash or in-kind.
        3. Reporting relationships including any relationship that gives the provider access to information or control, directly or indirectly, over the work of the PSO that is not available to other contracting providers.
      2. Taking into account all relationships that the PSO has with the provider, the PSO must fully disclose if it is not independently managed or controlled, or if it does not operate independently from, the contracting provider. In particular, the PSO must further disclose whether the contracting provider has exercised or imposed any type of management control that could limit the PSO's ability to fairly and accurately perform patient safety activities and fully describe such control(s).
      3. PSOs may also describe or include in their disclosure statements, as applicable, any agreements, stipulations, or procedural safeguards that have been created to protect the ability of the PSO to operate independently or information that indicates the limited impact or insignificance of its financial, reporting, or contractual relationships with a contracting provider.

Return to top
Return to Table of Contents
Return to previous section
Proceed to next section

 

AHRQAdvancing Excellence in Health Care
AHRQ footer - print version only