
[Federal Register: November 21, 2008 (Volume 73, Number 226)]
[Rules and Regulations]               
[Page 70731-70814]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr21no08-16]                         

[[Page 70731]]

-----------------------------------------------------------------------

Part III

Department of Health and Human Services

-----------------------------------------------------------------------

42 CFR Part 3

Patient Safety and Quality Improvement; Final Rule

[[Page 70732]]

-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

42 CFR Part 3

RIN 0919-AA01

 
Patient Safety and Quality Improvement

AGENCY: Agency for Healthcare Research and Quality, Office for Civil 
Rights, Department of Health and Human Services.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Secretary of Health and Human Services is adopting rules 
to implement certain aspects of the Patient Safety and Quality 
Improvement Act of 2005, Pub. L. 109-41, 42 U.S.C. 299b-21--b-26 
(Patient Safety Act). The final rule establishes a framework by which 
hospitals, doctors, and other health care providers may voluntarily 
report information to Patient Safety Organizations (PSOs), on a 
privileged and confidential basis, for the aggregation and analysis of 
patient safety events.
    The final rule outlines the requirements that entities must meet to 
become PSOs and the processes by which the Secretary will review and 
accept certifications and list PSOs. It also describes the privilege 
and confidentiality protections for the information that is assembled 
and developed by providers and PSOs, the exceptions to these privilege 
and confidentiality protections, and the procedures for the imposition 
of civil money penalties for the knowing or reckless impermissible 
disclosure of patient safety work product.

DATES: The final rule is effective on January 19, 2009.

FOR FURTHER INFORMATION CONTACT: Susan Grinder, Agency for Healthcare 
Research and Quality, 540 Gaither Road, Rockville, MD 20850, (301) 427-
1111 or (866) 403-3697.

SUPPLEMENTARY INFORMATION: On February 12, 2008, the Department of 
Health and Human Services (HHS) published a Notice of Proposed 
Rulemaking (proposed rule) at 73 FR 8112 proposing to implement the 
Patient Safety Act. The comment period closed on April 14, 2008. One-
hundred-sixty-one comments were received during the comment period.

I. Background

Statutory Background

    This final rule establishes the authorities, processes, and rules 
necessary to implement the Patient Safety Act that amended the Public 
Health Service Act (42 U.S.C. 299 et seq.) by inserting new sections 
921 through 926, 42 U.S.C. 299b-21 through 299b-26.\1\ The Patient 
Safety Act focuses on creating a voluntary program through which health 
care providers can share information relating to patient safety events 
with PSOs, with the aim of improving patient safety and the quality of 
care nationwide. The statute attaches privilege and confidentiality 
protections to this information, termed ``patient safety work 
product,'' to encourage providers to share this information without 
fear of liability and creates PSOs to receive this protected 
information and analyze patient safety events. These protections will 
enable all health care providers, including multi-facility health care 
systems, to share data within a protected legal environment, both 
within and across states, without the threat that the information will 
be used against the subject providers.
---------------------------------------------------------------------------

    \1\ All citations to provisions in the Patient Safety Act will 
be to the sections in the Public Health Service Act or to its 
location in the U.S. Code.
---------------------------------------------------------------------------

    However, we note that section 922(g)(2) of the Public Health 
Service Act is quite specific that these protections do not relieve a 
provider from its obligation to comply with other Federal, State, or 
local laws pertaining to information that is not privileged or 
confidential under the Patient Safety Act: section 922(g)(5) of the 
Public Health Service Act states that the Patient Safety Act does not 
affect any State law requiring a provider to report information that is 
not patient safety work product. The fact that information is 
collected, developed, or analyzed under the protections of the Patient 
Safety Act does not shield a provider from needing to undertake similar 
activities, if applicable, outside the ambit of the statute, so that 
the provider can meet its obligations with non-patient safety work 
product. The Patient Safety Act, while precluding other organizations 
and entities from requiring providers to provide them with patient 
safety work product, recognizes that the original records underlying 
patient safety work product remain available in most instances for the 
providers to meet these other reporting requirements.
    We note also that the Patient Safety Act references the Standards 
for the Privacy of Individually Identifiable Health Information under 
the Health Insurance Portability and Accountability Act of 1996 (HIPAA 
Privacy Rule), 45 CFR parts 160 and 164. Many health care providers 
participating in this program will be covered entities under the HIPAA 
Privacy Rule and will be required to comply with the HIPAA Privacy Rule 
when they disclose patient safety work product that contains protected 
health information. The Patient Safety Act is clear that it is not 
intended to interfere with the implementation of any provision of the 
HIPAA Privacy Rule. See 42 U.S.C. 299b-22(g)(3). The statute also 
provides that civil money penalties cannot be imposed under both the 
Patient Safety Act and the HIPAA Privacy Rule for a single violation. 
See 42 U.S.C. 299b-22(f). In addition, the statute states that PSOs 
shall be treated as business associates, and patient safety activities 
are deemed to be health care operations under the HIPAA Privacy Rule. 
See 42 U.S.C. 299b and 299-22(i). Since patient safety activities are 
deemed to be health care operations, the HIPAA Privacy Rule does not 
require covered providers to obtain patient authorizations to disclose 
patient safety work product containing protected health information to 
PSOs. Additionally, as business associates of providers, PSOs must 
abide by the terms of their HIPAA business associate contracts, which 
require them to notify the provider of any impermissible use or 
disclosure of the protected health information of which they are aware. 
See 45 CFR 164.504(e)(2)(ii)(C).

II. Overview of the Proposed and Final Rules

A. The Proposed Rule

    The proposed rule sought to implement the Patient Safety Act to 
create a voluntary system through which providers could share sensitive 
information relating to patient safety events without fear of 
liability, which should lead to improvements in patient safety and in 
the quality of patient care. The proposal reflected an approach to the 
implementation of the Patient Safety Act intended to ensure adequate 
flexibility within the bounds of the statutory provisions and to 
encourage providers to participate in this voluntary program. The 
proposed rule emphasized that this program is not federally funded and 
will be put into operation by the providers and PSOs that wish to 
participate with little direct federal involvement. However, the 
process for certification and listing of PSOs will be implemented and 
overseen by the Agency for Healthcare Research and Quality (AHRQ), 
while compliance with the confidentiality provisions will be 
investigated and enforced by the Office for Civil Rights (OCR).
    Subpart A of the proposed rule set forth the definitions of 
essential terms,

[[Page 70733]]

such as patient safety work product, patient safety evaluation system, 
and PSO. In order to facilitate the sharing of patient safety work 
product and the analysis of patient safety events, Subpart B of the 
proposed rule implemented the statutory requirements for the listing of 
PSOs, the entities that will offer their expert advice in analyzing the 
patient safety events and other information they collect or develop to 
provide feedback and recommendations to providers. The proposed rule 
established the criteria and set forth a process for certification and 
listing of PSOs and described how the Secretary would review, accept, 
condition, deny, or revoke certifications for listing and continued 
listing of entities as PSOs.
    Based on the statutory mandates in the Patient Safety Act, Subpart 
C of the proposed rule set forth the privilege and confidentiality 
protections that attach to patient safety work product; it also set 
forth the exceptions to these protections. The proposed rule provided 
that patient safety work product generally continues to be protected as 
privileged and confidential following a disclosure and set certain 
limitations on redisclosure of patient safety work product.
    Subpart D of the proposed rule established a framework to enable 
the Secretary to monitor and ensure compliance with this Part, a 
process for imposing a civil money penalty for breach of the 
confidentiality provisions, and procedures for a hearing contesting the 
imposition of a civil money penalty. These provisions were modeled 
largely on the HIPAA Enforcement Rule at 45 CFR part 160, subparts C, D 
and E.

B. The Final Rule

    We received over 150 comments on the proposed rule from a variety 
of entities, including small providers and large institutional 
providers, hospital associations, medical associations, accrediting 
bodies, medical liability insurers, and state and federal agencies. 
Many of the commenters expressed support for the proposed rule and the 
protections it granted to sensitive information related to patient 
safety events.
    Based upon the comments received, the final rule adopts most of the 
provisions of the proposed rule without modification; however, several 
significant changes to certain provisions of the proposed rule have 
been made in response to these comments. Changes to Subpart A include 
the addition of a definition of affiliated provider. The definitions of 
component organization, parent organization, and provider were modified 
for clarity, and the definition of disclosure was modified to clarify 
that the sharing of patient safety work product, between a component 
PSO and the entity of which it is a part, qualifies as a disclosure, 
while the sharing of patient safety work product between a physician 
with staff privileges and the entity with which it holds privileges is 
not a disclosure. We have also modified the definition of patient 
safety work product to include information that, while not yet reported 
to a PSO, is documented as being within a provider's patient safety 
evaluation system and that will be reported to a PSO. This modification 
allows for providers to voluntarily remove, and document the removal 
of, information from the patient safety evaluation system that has not 
yet been reported to a PSO, in which case, the information is no longer 
patient safety work product.
    The most significant modifications to Subpart B include the 
following. With respect to the listing of PSOs, we have broadened the 
list of excluded entities at Sec.  3.102(a)(2)(ii), required PSOs at 
Sec.  3.102(b)(1)(i)(B) to notify reporting providers of inappropriate 
disclosures or security breaches related to the information they 
reported, specified compliance with the requirement regarding the 
collection of patient safety work product in Sec.  3.102(b)(2)(iii), 
eliminated the requirements for separate information systems and 
restrictions on shared staff for most component PSOs but added 
additional restrictions and limitations for PSOs that are components of 
excluded entities at Sec.  3.102(c), and narrowed and clarified the 
disclosure requirements that PSOs must file regarding contracting 
providers with whom they have additional relationships at Sec.  
3.102(d)(2). We have modified the security requirement to provide 
flexibility for PSOs to determine whether to maintain patient safety 
work product separately from unprotected information. The final rule 
includes a new expedited revocation process at Sec.  3.108(e) for 
exceptional circumstances that require prompt action, and eliminates 
implied voluntary relinquishment, providing instead in Sec.  3.104(e) 
that a PSO's listing automatically expires at the end of three years, 
unless it is revoked for cause, voluntarily relinquished, or its 
certifications for continued listing are approved.
    Changes to proposed Subpart C include the addition of language in 
Sec.  3.206(b)(2) that requires a reporter seeking equitable relief to 
obtain a protective order to protect the confidentiality of patient 
safety work product during the course of the proceedings. Proposed 
Sec.  3.206(b)(4) has been amended to allow disclosures of 
identifiable, non-anonymized patient safety work product among 
affiliated providers for patient safety activities. In addition, 
proposed Sec.  3.206(b)(7) has been modified to make clear that the 
provision permits disclosures to and among FDA, entities required to 
report to FDA, and their contractors. We also have modified proposed 
Sec.  3.206(b)(8) to require providers voluntarily disclosing patient 
safety work product to accrediting bodies either to obtain the 
agreement of identified non-disclosing providers or to anonymize the 
information with respect to the non-disclosing providers prior to 
disclosure. Finally, we modified Sec. Sec.  3.204(c), 3.206(d), and 
3.210 to allow disclosures of patient safety work product to or by the 
Secretary for the purposes of determining compliance with not only the 
Patient Safety Act, but also the HIPAA Privacy Rule.
    In Subpart D, we adopt the proposed provisions except, where 
reference was made in the proposed rule to provisions of the HIPAA 
Privacy Rule, the final rule includes the text of such provisions for 
convenience of the reader.
    We describe more fully these provisions, the comments received, and 
our responses to these comments in the section-by-section description 
of the final rule below.

III. Section-by-Section Description of Final Rule and Response to 
Comments

A. Subpart A--General Provisions

1. Section 3.10--Purpose
    Proposed Rule: Proposed Sec.  3.10 provided that the purpose of 
proposed Part 3 is to implement the Patient Safety and Quality 
Improvement Act of 2005 (Pub. L. 109-41), which amended the Public 
Health Service Act (42 U.S.C. 299 et seq.) by inserting new sections 
921 through 926, 42 U.S.C. 299b-21 through 299b-26.
    Overview of Public Comments: No comments were received pertaining 
to this section.
    Final Rule: The Department adopts the proposed provision without 
modification.
2. Section 3.20--Definitions
    Proposed Rule: Proposed Sec.  3.20 provided for definitions 
applicable to Part 3. Some definitions were restatements of the 
definitions at section 921 of the Public Health Service Act, 42 U.S.C. 
299b-21, and other definitions were provided for convenience or to 
clarify the application and operation of the proposed rule.

[[Page 70734]]

    Overview of Public Comments: With respect to the definitions for 
AHRQ, ALJ, Board, complainant, component PSO, confidentiality 
provisions, entity, group health plan, health maintenance organization, 
HHS, HIPAA Privacy Rule, identifiable patient safety work product, 
nonidentifiable patient safety work product, OCR, Patient Safety Act, 
patient safety activities, patient safety organization, person, 
research, respondent, responsible person, and workforce, we received no 
comments.
    We received a number of comments on the various other definitions 
and these comments will be addressed below in reference to the specific 
term.
    Final Rule: The Department adopts the above definitions as 
proposed. Certain definitions were added for convenience or clarity of 
the reader.
Response to Public Comments
    Comment: Commenters requested definitions for accrediting body, 
reporter, redisclosure, impermissible disclosure, use, evaluation and 
demonstration projects, and legislatively created PSO.
    Response: The Department does not agree that the additional 
definitions requested by commenters are necessary. Some definitions 
requested have generally accepted meanings and we do not believe there 
is benefit in imposing more limitations on such terms. Some terms such 
as legislatively created PSO are not used within the final rule. Other 
terms such as impermissible disclosure, use, and reporter are readily 
understood from the context of the final rule and do not need 
definitions.
(A) Section 3.20--New Definition of Affiliated Provider
    Final Rule: The proposed rule did not include a definition for 
affiliated provider. The Department adopts the term affiliated provider 
to mean, with respect to a provider, a legally separate provider that 
is the parent organization of the provider, is under common ownership, 
management, or control with the provider, or is owned, managed, or 
controlled by the provider. The Department includes this term to 
identify to whom patient safety work product may be disclosed pursuant 
to a clarification of the disclosure permission for patient safety 
activities.
    Overview of Comments: Several commenters were concerned about 
limitations of disclosures for patient safety activities among 
providers. Commenters raised concerns that limitations may inhibit the 
sharing and learning among providers of the analysis of patient safety 
events. Other commenters viewed the disclosure limitations as 
restricting a provider's use of its own data. These comments are 
addressed more fully below as part of the discussion of the patient 
safety activities disclosure permission.
(B) Section 3.20--Definition of Bona Fide Contract
    Proposed Rule: Proposed Sec.  3.20 provided that bona fide contract 
would mean a written contract between a provider and a PSO that is 
executed in good faith or a written agreement between a Federal, State, 
local, or Tribal provider and a Federal, State, local, or Tribal PSO.
    Overview of Public Comments: One comment was received noting that 
``good faith'' need not be a part of a bona fide contract.
    Final Rule: Because meeting the minimum contract requirement is 
essential for a PSO to remain listed by the Secretary, the Department 
believes that the requirement that contracts be entered in good 
faith should be retained. We also note that Federal, State, local or 
Tribal providers are free to enter into an agreement with any PSO that 
would serve their needs; thus, they can enter bona fide contracts with 
PSOs pursuant to paragraph (1) of the definition, or enter comparable 
arrangements with a Federal, State, local or Tribal PSO pursuant to 
paragraph (2). The Department adopts the proposed provision without 
modification.
(C) Section 3.20--Definition of Component Organization
    Proposed Rule: Proposed Sec.  3.20 provided that component 
organization would mean an entity that is either: (a) A unit or 
division of a corporate organization or of a multi-organizational 
enterprise; or (b) a separate organization, whether incorporated or 
not, that is owned, managed or controlled by one or more other 
organizations, i.e., its parent organization(s). Because this 
definition used terms in a manner that was broader than traditional 
usage, the proposed rule sought comment on whether it was appropriate 
for purposes of the regulation to consider a subsidiary, an otherwise 
legally independent entity, as a component organization.
    With respect to the terms ``owned, managed, or controlled,'' the 
preamble directed readers to our description of these concepts in our 
discussion of the term ``parent organization.'' The preamble to the 
proposed rule discussed the various ways that an organization may be 
controlled by others. In particular, there was a discussion of multi-
organizational enterprises and the variety of management relationships 
or forms of control that such enterprises can create that might impact 
component entities. The preamble also discussed the traditional meaning 
of subsidiaries as being separate legal entities and, therefore, not 
within the ordinary meaning of the term ``component.'' However, the 
approach of the proposed rule was to express the Department's intention 
to encourage all forms of PSO organizational arrangements including the 
ownership of PSOs as subsidiaries. At the same time, we wanted to be 
able to accurately determine and to indicate to providers which PSOs 
should be considered components of other entities and the identity of a 
component PSO's parent organization. We explained our intent was not to 
limit our approach to corporate forms of organizations.
    Overview of Public Comments: The majority of commenters supported 
our proposal to consider subsidiaries as component organizations for 
the purposes of this rule. Several commenters sought reassurance that 
our interpretation does not impose additional legal liability on the 
parent organization.
    Concern was expressed that our approach suggested an over-reliance 
on the corporate model and the definition needed to reflect other types 
of legally recognized entities. One comment reflected concern that our 
reference to ``multi-organizational enterprise'' in the definition was 
unnecessarily confusing because it was not commonly used. Another 
commenter disagreed with our approach entirely, arguing that the scope 
of our definition was overly broad and unnecessary.
    Final Rule: The final rule now defines ``component organization'' 
to mean an entity that: ``(1) is a unit or division of a legal entity 
(including a corporation, partnership, or a Federal, State, local or 
Tribal agency or organization); or
    (2) Is owned, managed, or controlled by one or more legally 
separate parent organizations.''
    The definition of component organization is intended to be read 
with a focus on management or control by others as its defining 
feature. The definition must be read in conjunction with the 
complementary definition of ``parent organization.'' While our approach 
remains little changed, we have rearranged and streamlined the text of 
the definition of component in response to the comments and concerns we 
received on it. For example, there is no longer an explicit reference 
in the definition of component to multi-organizational enterprises, 
which are undertakings with separate corporations or organizations that 
are integrated in a common business activity. The revised

[[Page 70735]]

definition, however, is sufficiently broad to apply to components of 
such enterprises. In response to concerns that the earlier definition 
was too focused on corporate organizations, we have incorporated an 
explicit reference to ``other legal entities'' besides corporations. In 
addition, specific references have been added to more clearly 
accommodate possible organizational relationships of public agencies, 
such as the Department of Defense (DoD), Department of Veterans Affairs 
(VA), the Indian Health Service (IHS), and other State, local, and 
Tribal organizations that manage or deliver health care services.
    In the scenario envisioned by the first prong of the definition, 
the legal entity is a parent organization and the component 
organization is a unit or division within the parent organization. An 
underlying assumption of the modified paragraph (1) is that a unit or 
division of a legal entity may be managed or controlled by one or more 
parent organizations. Consistent with this paragraph, a component PSO 
may be managed or controlled by the legal entity of which it is a part 
or by another unit or division of that entity. It could also be 
controlled by a legally separate entity under the second paragraph of 
the definition.
    The first prong of the definition encompasses a component PSO that 
is a unit of a governmental agency that is a legal entity. This could 
include a component organization managed by another division of such a 
governmental agency, e.g., a health care division of VA or DoD. Thus, a 
component PSO could be a unit or component of a Federal agency that is 
a legal entity and it could at the same time be a component of another 
unit or division of that agency which controls and directs or manages 
its operation. So too in the private sector, a component PSO could have 
more than one parent and thus be a component, for example, of a 
professional society as well as a component of the unit or division of 
the professional society that controls or manages the PSO.
    The second prong of the definition addresses a variety of 
organizational relationships that could arise between component PSOs 
and legally separate parent organizations that manage or control them. 
Under paragraph (2), a subsidiary PSO could be managed or controlled by 
its legally separate parent organization. In addition, we note that a 
component PSO could be managed or controlled by another unit or 
division of its legally separate parent, e.g., if this unit or division 
uses its knowledge and skills to control or manage certain aspects of 
the component's operations. If that occurs, we would consider the 
sibling subsidiary that exercises control or management over the PSO as 
another parent organization of the PSO.
    Obtaining the identity and contact information of an entity's 
parent organizations is useful for the purpose of letting providers 
know who may be managing or controlling a PSO. This information also 
will be useful in implementing the certification and listing process 
for PSOs described in the rule which, for instance, excludes any health 
insurance issuer from becoming a PSO and excludes a component of a 
health insurance issuer from becoming a PSO.
    In response to commenters concerned about the legal liability for 
parent organizations of component PSOs, we note that the preamble to 
the proposed rule stated as follows: ``We stress that neither the 
statute nor the proposed regulation imposes any legal responsibilities, 
obligations, or liability on the organization(s) of which it [the PSO] 
is a part.'' The Department reaffirms its position. At the same time, 
we note that the rule, at Sec.  3.402(b), recognizes, provides for, and 
does not alter the liability of principals based on Federal common law.
Response to Other Public Comments
    Comment: One concern that was expressed by several commenters 
pertained to whether or not a health system that has a component or 
subsidiary health insurance issuer, e.g., a group health plan offered 
to the public, would be precluded from having a component PSO as well.
    Response: So long as the component health insurance issuer does not 
come within the definition of a parent organization of the PSO, i.e., 
own a controlling or majority interest in, manage, or control the 
health system's component PSO (i.e., the PSO would not be a component 
of the health insurance issuer), the parent health system could 
establish a component PSO.
    Comment: It was asserted that including subsidiaries as components 
would require a PSO that is not controlled by another parent 
organization, but itself has a subsidiary, to seek listing as a 
component PSO.
    Response: The revised definition of component organization 
emphasizes that a component is an organization that is controlled by 
another entity. It is not the Department's intention to require a PSO 
that is not controlled by another entity to seek listing as a component 
PSO. For this reason, the fact that a PSO has a subsidiary does not 
trigger the requirement to seek listing as a component organization.
    Comment: It was suggested that the inclusion of subsidiaries within 
the meaning of component would require a health system that wished to 
create a PSO to create it as a component.
    Response: There are several issues that a health system needs to 
consider in determining whether and how to create a PSO, but the 
inclusion of subsidiary within the meaning of component is not 
necessarily determinative. The statute requires the improvement of 
quality and patient safety to be the primary activity of the entity 
seeking listing. Since few multifaceted health system organizations 
will meet this requirement, existing organizations will have an 
incentive to create single-purpose component organizations that clearly 
meet the requirement. The second issue is whether to create a PSO as an 
internal component organization or as a separate legal entity. Because 
the final rule requires each PSO to enter two contracts, provider 
organizations may find it useful for its component PSO to be a separate 
legal entity. Otherwise, the component PSO may be precluded from 
contracting with its parent organization.
    Comment: There was a request for a definition of ``own'' with a 
suggestion for reference to Internal Revenue Code 26 I.R.C. Sec.  1563 
to clarify its meaning and the meaning of having a controlling 
interest. This same commenter sought strong separation requirements 
between a component PSO and any parent organization.
    Response: We have reviewed the cited regulation but conclude that 
the approach presented is unlikely to clarify the meaning of ``own'' or 
``having a controlling interest'' for purposes of the regulation. 
Accordingly, the definition of component in the final rule will use the 
term ``owns,'' but it should be read in conjunction with the phrase 
``owns a controlling or majority interest in'' that is used in the 
related definition of ``parent organization.'' This will indicate that 
the definition of component uses the term ``owns'' to mean having a 
sufficient ownership interest to control or manage a PSO. The holder of 
a controlling or majority interest in the entity seeking to be listed 
should be identified as a parent organization.
    Comment: Components of government entities should not be listed as 
PSOs.
    Response: The Patient Safety Act specifically permits public sector 
entities, and components of public sector entities, to seek listing as 
a PSO. We have incorporated several exclusions, however, of entities 
with

[[Page 70736]]

regulatory authority and those administering mandatory state reporting 
programs because these activities are incompatible with fostering a 
non-punitive culture of safety among providers. As we explain in Sec.  
3.102(a)(2)(ii), we conclude that it is not necessary to exclude 
components of such entities but have adopted additional restrictions 
and requirements in Sec.  3.102(c) for such component entities.
(D) Section 3.20--Definition of Disclosure
    Proposed Rule: Proposed Sec.  3.20 provided that disclosure would 
mean the release, transfer, provision of access to, or divulging in any 
other manner of patient safety work product by a person holding patient 
safety work product to another person.
    We did not generally propose to regulate uses of patient safety 
work product within an entity, i.e., when this information is exchanged 
or shared among the workforce members of an entity. We believe that 
regulating uses within providers and PSOs would be unnecessarily 
intrusive given the voluntary aspect of participation with a PSO. We 
believe that regulating uses would not further the statutory goal of 
facilitating the sharing of patient safety work product with PSOs and 
that sufficient incentives exist for providers and PSOs to prudently 
manage the internal sharing of sensitive patient safety work product. 
However, based on the statutory provision, we did propose that we would 
recognize as a disclosure the sharing of patient safety work product 
between a component PSO and the organization of which it is a 
component. Such sharing would, absent the statutory provision and the 
proposed regulation, be a use within the larger organization because 
the component PSO is not a separate entity. The Patient Safety Act 
supports this position by demonstrating a strong desire for the 
protection of patient safety work product from the rest of the 
organization of which the PSO is a part. We sought public comment on 
whether the decision to not regulate uses was appropriate.
    The proposed rule discussed that sharing patient safety work 
product with a contractor that is under the direct control of an 
entity, i.e., a workforce member, would not be a disclosure, but rather 
a use within the entity. However, sharing patient safety work product 
with an independent contractor would be a disclosure requiring an 
applicable disclosure permission.
    Overview of Public Comments: Some commenters supported the proposed 
definition of disclosure. No commenters opposed the proposed definition 
or requested further clarification.
    Most commenters that responded to the question whether uses of 
patient safety work product should be regulated supported the decision 
not to regulate uses. Those commenters agreed that regulating uses 
would be overly intrusive without significant benefit and that entities 
are free to enter into agreements with greater protections. Other 
commenters disagreed with the Department's proposal and stated that 
regulation of uses would improve confidentiality and thereby increase 
provider participation.
    No commenters opposed the proposal that sharing of patient safety 
work product from a component PSO to the rest of the parent entity of 
which it is a part would be a disclosure for purposes of enforcement 
rather than a use internal to the entity.
    Final Rule: The Department adopts the provision with modifications. 
In general, the modified definition of disclosure means the release of, 
transfer of, provision of access to, or divulging in any other manner 
of, patient safety work product by an entity or natural person holding 
the patient safety work product to another legally separate entity or 
natural person, other than a workforce member of, or a physician 
holding privileges with, the entity holding the patient safety work 
product. Additionally, we have defined as a disclosure the release of, 
transfer of, provision of access to, or divulging in any other manner 
of, patient safety work product by a component PSO to another entity or 
natural person outside the component PSO.
    We have modified the language for clarity to distinguish the 
actions that are a disclosure for a natural person and an entity, 
separately. We have also included language in the definition that makes 
clear that sharing of patient safety work product from a component PSO 
to the entity of which it is a part is a disclosure even though the 
disclosure would be internal to an entity and generally permitted. 
Finally, we have added language to clearly indicate that the sharing of 
patient safety work product between a health care provider with 
privileges and the entity with which it holds privileges does not 
constitute a disclosure, consistent with the treatment of patient 
safety work product shared among workforce members.
Response to Other Public Comments
    Comment: Commenters asked that the Department clarify the terms 
``disclosure'' and ``use''. Commenters stated that the terms were used 
interchangeably and this caused confusion.
    Response: The term ``disclosure'' describes the scope of the 
confidentiality protections and the manner in which patient safety work 
product may be shared. ``Disclosure'' is also employed by the Patient 
Safety Act when describing the assessment of civil money penalties for 
the failure to maintain confidentiality (see 42 U.S.C. 299b-22(f)(1)). 
Although the Patient Safety Act employs the term ``use'' in several 
provisions, we did not interpret those provisions to include a 
restriction on the use of patient safety work product based on the 
confidentiality protections.
    Because the focus of the proposed rule was on disclosures, we did 
not believe that defining the term ``use'' was helpful; nor did we 
believe the terms would be confusing. Use of patient safety work 
product is the sharing within a legal entity, such as between members 
of the workforce, which is not a disclosure. By contrast, a disclosure 
is the sharing or release of information outside of the entity for 
which a specific disclosure permission must be applicable.
    Comment: One commenter requested clarification regarding the 
sharing of patient safety work product among legally separate 
participants that join to form a single joint venture component PSO.
    Response: The Department distinguishes between the disclosure of 
patient safety work product between legal entities and the use of 
patient safety work product internal to a single legal entity. If a 
component PSO is part of a multi-organizational enterprise, uses of 
patient safety work product internal to the component PSO are not 
regulated by this final rule, but sharing of patient safety work 
product between the component PSO and another entity or with a parent 
organization is considered a disclosure for which a disclosure 
permission must apply.
    Comment: One commenter raised concerns that the final rule would 
restrict a provider's use of its own data and thereby discourage 
collaboration with other care givers.
    Response: The Department believes that the final rule balances the 
interests between the privacy of identified providers, patients and 
reporters and the need to aggregate and share patient safety work 
product to improve patient safety among all providers. The final rule 
does not limit the sharing of patient safety work product within an 
entity and permits sharing among providers under certain conditions. 
Affiliated

[[Page 70737]]

providers may share patient safety work product for patient safety 
activities and non-affiliated providers may share anonymized patient 
safety work product. A provider may also share patient safety work 
product with a health care provider that has privileges to practice at 
the provider facility. Further, if all identified providers are in 
agreement regarding the need to share identifiable patient safety work 
product, each provider may authorize and thereby permit a disclosure.
    Comment: Several commenters asked whether uses were restricted 
based upon the purpose for which the patient safety work product is 
being shared internally.
    Response: The final rule does not limit the purpose for which 
patient safety work product may be shared internal to an entity. 
Entities should consider the extent to which sensitive patient safety 
work product is available to members of their workforce as a good 
business practice.
(E) Section 3.20--Definition of Entity
    Proposed Rule: Proposed Sec.  3.20 provided that entity would mean 
any organization or organizational unit, regardless of whether the 
entity is public, private, for-profit, or not-for-profit.
    Overview of Public Comments: One comment was received suggesting 
that the terms ``governmental'' or ``body politic'' should be added to 
clarify that the term ``public'' includes Federal, State, or local 
government as well as public corporations.
    Final Rule: The term ``public'' has long been used throughout Title 
42 of the Code of Federal Regulations as encompassing governmental 
agencies; therefore we do not believe that the addition is necessary. 
The Department adopts the proposed provision without modification.
(F) Section 3.20--Definition of Health Insurance Issuer
    Proposed Rule: Proposed Sec.  3.20 provided that health insurance 
issuer would mean an insurance company, insurance service, or insurance 
organization (including a health maintenance organization, as defined 
in 42 U.S.C. 300gg-91(b)(3)) which is licensed to engage in the 
business of insurance in a State and which is subject to State law 
which regulates insurance (within the meaning of 29 U.S.C. 1144(b)(2)). 
The definition specifically excluded group health plans from the 
meaning of the term.
    Overview of Public Comments: Several commenters expressed concern 
that the Department needed to be vigilant in its exclusion of health 
insurance issuers and components of health insurance issuers, urging 
that HHS clearly define health insurance issuers in the final rule. 
Another commenter sought clarification regarding risk management 
service companies, i.e., those that offer professional liability 
insurance, reinsurance, or consulting services.
    Final Rule: The Department has reviewed the definition of ``health 
insurance issuer'' and determined that the definition is clear. Because 
the reference to group health plans could be a source of confusion, we 
note that we have defined the term above. Accordingly, the Department 
adopts the proposed provision without modification.
    In response to several comments regarding the scope of the term 
health insurance issuer, the Department has concluded that, for 
purposes of this rule, risk management service companies, professional 
liability insurers and reinsurers do not fall within the definition of 
health insurance issuer.
Response to Other Public Comments
    Comment: One commenter asked if a provider system that was owned as 
a subsidiary by an HMO could create a component PSO.
    Response: Section 3.102(a)(2)(i) excludes a health insurance 
issuer, a unit or division of a health insurance issuer, or an entity 
that is owned, managed, or controlled by a health insurance issuer from 
seeking listing as a PSO. In this case, the HMO is considered a health 
insurance issuer and the provider system would be a component of the 
health insurance issuer. Under the rule, the HMO and the provider 
system may not seek listing as a PSO, and the entity created by the 
provider system could not seek listing as a component PSO if it is 
owned, managed or controlled by the provider system or the HMO.
    Comment: One commenting organization requested discussion of what 
organizational structure might allow a health insurance issuer to 
participate in the patient safety work of an independent PSO.
    Response: The statutory exclusion means that the following entities 
may not seek listing: a health insurance issuer or a component of a 
health insurance issuer.
(G) Section 3.20--Definition of Parent Organization
    Proposed Rule: Proposed Sec.  3.20 provided that ``parent 
organization'' would mean an entity that, alone or with others, either 
owns a provider entity or a component organization, or has the 
authority to control or manage agenda setting, project management, or 
day-to-day operations of the component, or the authority to review and 
override decisions of a component organization. The proposed rule did 
not provide a definition of ``owned'' but provided controlling interest 
(holding enough stock in an entity to control it) as an example of 
ownership in the preamble discussion of the term, ``parent 
organization.'' The proposed rule specifically sought comment on our 
use of the term ``controlling interest,'' whether it was appropriate, 
and whether we needed to further define ``owns.'' The remaining terms, 
``manage or control,'' were explained in the proposed rule's definition 
of ``parent organization,'' as having ``the authority to control or 
manage agenda setting, project management, or day-to-day operations of 
the component, or the authority to review and override decisions of a 
component organization.''
    Overview of Public Comments: We received eight comments on the 
question of ``controlling interest'' and there was no consensus among 
the commenters. Four commenters thought our discussion was appropriate. 
Another agreed with the concept of controlling interest but wanted to 
limit its application to a provider who reported patient safety work 
product to the entity. One commenter cautioned that the term 
``controlling interest'' was open to various interpretations and the 
final rule should provide additional guidance. Another commenter 
suggested ``controlling interest'' was worrisome but did not provide a 
rationale for this assessment. One commenter supported additional 
protections, contending that it was appropriate for HHS to pierce the 
corporate veil when there was fraud or collusion, and recommended the 
preamble outline situations in which HHS would pierce the corporate 
veil.
    We received no negative comments on our proposed interpretation of 
what it means to manage or control another entity. One commenter 
suggested that the definition should recognize the significant 
authority or control of a provider entity or component organization 
through reserve powers, by agreement, statute, or both.
    Final Rule: While approximately half of the comments supported our 
approach, there was not a clear consensus in the comments we reviewed. 
So the approach we have taken with the definition of ``parent 
organization'' was to strive for greater clarity, taking into account 
its interaction with our definition of

[[Page 70738]]

``component organization,'' described above.
    The definition of ``parent organization'' in the final rule retains 
the basic framework of the proposed rule definition: an organization is 
a parent if it owns a component organization, has the ability to manage 
or control a component, or has the authority to review and overrule the 
component's decisions.
    The language of the proposed rule used only the term ``own'' while 
the preamble cited the example of stock ownership. Without further 
specification, we were concerned that this approach could have been 
interpreted to mean that an organization owning just a few shares of 
stock of a component organization would be considered a parent 
organization. This is not our intent. For clarity, we have modified the 
text to read ``owns a controlling or majority interest.''
    We have also removed the phrase ``alone or with others'' from the 
first clause. We did so for two reasons. First, it is unnecessary since 
it does not matter whether ownership is shared with other 
organizations, as in a joint venture. An entity seeking listing as a 
PSO will use this definition solely to determine if it has any parent 
organizations and, if it does, it must seek listing as a component 
organization and disclose the names and contact information for each of 
its parent organizations. Second, we have tried to make it as clear as 
possible that any organization that has controlling ownership 
interests, or management or control authority over a PSO, should be 
considered, and reported in accordance with the requirements of Sec.  
3.102(c)(1)(i), as a parent organization.
    For similar reasons, we have removed the reference to provider from 
the first part of the definition and instead consistently used the term 
``component organization'' with respect to each characteristic of a 
parent organization. We added a second sentence to clarify that a 
provider could be the component organization in all three descriptive 
examples given of parental authority.
    In response to one commenter's concern, we believe that the phrase 
``has the authority'' as used in the definition is sufficiently broad 
to encompass reserve powers.
(H) Section 3.20--Definition of Patient Safety Evaluation System
    Proposed Rule: Proposed Sec.  3.20 provided that patient safety 
evaluation system would mean the collection, management, or analysis of 
information for reporting to or by a PSO. The patient safety evaluation 
system would be the mechanism through which information can be 
collected, maintained, analyzed, and communicated. The proposed rule 
discussed that a patient safety evaluation system would not need to be 
documented because it exists whenever a provider engages in patient 
safety activities for the purpose of reporting to a PSO or a PSO 
engages in these activities with respect to information for patient 
safety purposes. The proposed rule provided that formal documentation 
of a patient safety evaluation system could designate secure physical 
and electronic space for the conduct of patient safety activities and 
better delineate various functions of a patient safety evaluation 
system, such as when and how information would be reported by a 
provider to a PSO, how feedback concerning patient safety events would 
be communicated between PSOs and providers, within what space 
deliberations and analyses of information are conducted, and how 
protected information would be identified and separated from 
information collected, maintained, or developed for purposes other than 
reporting to a PSO.
    The Department recommended that a provider consider documentation 
of a patient safety evaluation system to support the identification and 
protection of patient safety work product. Documentation may provide 
substantial proof to support claims of privilege and confidentiality 
and will give notice to, will limit access to, and will create 
awareness among employees of, the privileged and confidential nature of 
the information within a patient safety evaluation system which may 
prevent unintended or impermissible disclosures.
    We recommended that providers and PSOs consider documenting how 
information enters the patient safety evaluation system; what 
processes, activities, physical space(s) and equipment comprise or are 
used by the patient safety evaluation system; which personnel or 
categories of personnel need access to patient safety work product to 
carry out their duties involving operation of, or interaction with, the 
patient safety evaluation system; the category of patient safety work 
product to which access is needed and any conditions appropriate to 
such access; and what procedures the patient safety evaluation system 
uses to report information to a PSO or disseminate information outside 
of the patient safety evaluation system.
    The proposed rule sought comment about whether a patient safety 
evaluation system should be required to be documented.
    Overview of Public Comments: Several commenters supported the 
efforts to enable the patient safety evaluation system to be flexible 
and scalable to individual provider operations. Most commenters that 
responded to the question whether a patient safety evaluation system 
should be documented supported the decision to not require 
documentation. Commenters stated that requiring documentation would 
inhibit the flexibility in the design of patient safety evaluation 
systems and the ability of providers to design systems best suited for 
their specific practices and settings. Documentation would also be 
burdensome to providers and should ultimately be left to the discretion 
of individual providers based on their needs. Other commenters 
supported a requirement for documentation, suggesting that 
documentation would go further in ensuring compliance with the 
confidentiality provisions and the protection of information, thereby 
encouraging provider participation.
    Final Rule: The Department adopts the proposed provision without 
modification. Based on the comments, we have not modified the proposed 
decision to not require documentation. We have, as described in the 
definition of patient safety work product below, clarified how 
documentation of a patient safety evaluation system clearly establishes 
when information is patient safety work product. We encourage providers 
to document their patient safety evaluation systems for the benefits 
mentioned above. We believe documentation is a best practice.
Response to Other Public Comments
    Comment: Two commenters raised concerns about how a patient safety 
evaluation system operates within a multi-hospital system comprised of 
a parent corporation and multiple hospitals that are separately 
incorporated and licensed. One commenter asked whether a parent 
corporation can establish a single patient safety evaluation system in 
which all hospitals participate. The other commenter recommended that 
individual institutional affiliates of a multi-hospital system be part 
of a single patient safety evaluation system.
    Response: For a multi-provider entity, the final rule permits 
either the establishment of a single patient safety evaluation system 
or permits the sharing of patient safety work product as a patient 
safety activity among affiliated providers. For example, a hospital 
chain that operates multiple hospitals may include the parent 
organization along with each hospital in a single patient

[[Page 70739]]

safety evaluation system. Thus, each hospital may share patient safety 
work product with the parent organization and the patient safety 
evaluation system may exist within the parent organization as well as 
the individual hospitals.
    There may be situations where establishing a single patient safety 
evaluation system may be burdensome or a poor solution to exchanging 
patient safety work product among member hospitals. To address this 
concern, we have modified the disclosure permission for patient safety 
activities to permit affiliated providers to disclose patient safety 
work product with each other based on commonality of ownership.
    Comment: One commenter asked how a patient safety evaluation system 
exists within an institutional provider.
    Response: A patient safety evaluation system is unique and specific 
to a provider. The final rule retains a definition of a patient safety 
evaluation system that is flexible and scalable to meet the specific 
needs of particular providers.
    With respect to a single institutional provider, such as a 
hospital, a provider may establish a patient safety evaluation system 
that exists only within a particular office or that exists at 
particular points within the institution. The decisions as to how a 
patient safety evaluation system operates will depend upon the 
functions the institutional provider desires the patient safety 
evaluation system to perform and its tolerances regarding access to the 
sensitive information contained within the system. Providers should 
consider how a patient safety evaluation system is constructed, 
carefully weighing the balance between coordination and fragmentation 
of a provider's activities.
    Comment: Some commenters were concerned that the patient safety 
evaluation system provided a loophole for providers to avoid 
transparency of operations and hide information about patient safety 
events. Some commenters suggested that a provider may establish a 
patient safety evaluation system that is inside of a PSO, thus stashing 
away harmful documents and information.
    Response: The Department does not believe that the patient safety 
evaluation system enables providers to avoid transparency. A patient 
safety evaluation system provides a protected space for the candid 
consideration of quality and safety. Nonetheless, the Patient Safety 
Act and the final rule have carefully assured that information 
generally available today remains available, such as medical records, 
original provider documents, and business records. Providers must 
fulfill external reporting obligations with information that is not 
patient safety work product. Further, a provider may not maintain a 
patient safety evaluation system within a PSO.
    Comment: One commenter asked whether all information in a patient 
safety evaluation system is protected.
    Response: Information collected within a patient safety evaluation 
system that has been collected for the purpose of reporting to a PSO is 
patient safety work product if documented as collected for reporting to 
a PSO. This is discussed more fully at the definition of patient safety 
work product below. Information that is reported to a PSO is also 
protected, as discussed more fully at the definition of patient safety 
work product below.
    Comment: One commenter was concerned that the lack of a framework 
and too much flexibility may interfere with interoperability and data 
aggregation at a later date.
    Response: The Department believes that a patient safety evaluation 
system must of necessity be flexible and scalable to meet the needs of 
specific providers and PSOs. Without such flexibility, a provider may 
not participate, which may lessen the overall richness of the 
information that could be obtained about patient safety events. The 
Department recognizes the value of aggregated data and has, pursuant to 
the Patient Safety Act, begun the process of identifying standard data 
reporting terms to facilitate aggregation and interoperability. 
Further, the Patient Safety Act requires that PSOs, to the extent 
practical and appropriate, collect patient safety work product in a 
standardized manner (see 42 U.S.C. 299b-24(b)(1)(F)). The Department 
hopes that, by permitting the widest range possible of providers to 
participate in the gathering and analysis of patient safety events, 
increased participation will generate more data and greater movement 
towards addressing patient safety issues.
    Comment: Many commenters encouraged the Department to provide 
technical assistance to providers and PSOs on the structuring and 
operation of a patient safety evaluation system.
    Response: The Department expects to provide such guidance on the 
operation and activities of patient safety evaluation systems as it 
determines is necessary.
(I) Section 3.20--Definition of Patient Safety Work Product
    Proposed Rule: Proposed Sec.  3.20 adopted the statutory definition 
of patient safety work product as defined in the Patient Safety Act. 
The proposed rule provided that many types of information can become 
patient safety work product to foster robust exchanges between 
providers and PSOs. Any information must be collected or developed for 
the purpose of reporting to a PSO.
    Three provisions identified how information becomes patient safety 
work product. First, information may become patient safety work product 
if it is assembled or developed by a provider for the purpose of 
reporting to a PSO and is reported to a PSO. Second, patient safety 
work product is information developed by a PSO for the conduct of 
patient safety activities. Third, patient safety work product is 
information that constitutes the deliberations or analysis of, or 
identifies the fact of reporting pursuant to, a patient safety 
evaluation system.
    The proposed rule provided that reporting means the actual 
transmission or transfer of information to a PSO. We recognized that 
requiring the transmission of every piece of paper or electronic file 
to a PSO could impose significant transmission, management, and storage 
burdens on providers and PSOs. The proposed rule sought comment on 
whether alternatives for actual reporting should be recognized as 
sufficient to meet the reporting requirement. For example, the proposed 
rule suggested that a provider that contracts with a PSO may 
functionally report information to a PSO by providing access and 
control of information to a PSO without needing to physically transmit 
information. The proposed rule also sought comment on whether 
additional terms and conditions should be required to permit functional 
reporting and whether functional reporting should be permitted only 
after an initial actual report of information related to an event.
    The proposed rule also sought comment on whether a short period of 
protection for information assembled but not yet reported is necessary 
for flexibility or for providers to efficiently report information to a 
PSO. We also sought comment on an appropriate time period for such 
protection and whether a provider must demonstrate intent to report in 
order to obtain protection.
    The proposed rule also sought comment on when a provider could 
begin collecting information for the purpose of reporting to a PSO such 
that it is not excluded from becoming patient safety work product 
because it was collected, maintained or developed separately from a 
patient safety evaluation system.

[[Page 70740]]

    The proposed rule indicated that, if a PSO is delisted for cause, a 
provider would be able to continue to report to that PSO for 30 days 
after the date of delisting and the information reported would be 
treated as patient safety work product (section 924(f)(1) of the Public 
Health Service Act). However, after delisting, the proposed rule 
indicated that the former PSO may not generate patient safety work 
product by developing information for the conduct of patient safety 
activities or through deliberations and analysis of information. Even 
though a PSO may not generate new patient safety work product after 
delisting, it may still possess patient safety work product, which must 
be kept confidential and be disposed of in accordance with requirements 
in Subpart B.
    The proposed rule also described what is not patient safety work 
product, such as a patient's original medical record, billing and 
discharge information, or any other original patient or provider 
record. Patient safety work product does not include information that 
is collected, maintained, or developed separately, or exists separately, 
from a patient safety evaluation system. This distinction is made 
because these and similar records must be maintained by providers for 
other purposes.
    The proposed rule also discussed that external reporting 
obligations as well as voluntary reporting activities that occur for 
the purpose of maintaining accountability in the health care system 
cannot be satisfied with patient safety work product. Thus, information 
that is collected to comply with external obligations is not patient 
safety work product. The proposed rule provided that such activities 
include: state incident reporting requirements; adverse drug event 
information reporting to the Food and Drug Administration (FDA); 
certification or licensing records for compliance with health oversight 
agency requirements; reporting to the National Practitioner Data Bank 
of physician disciplinary actions; or complying with required 
disclosures by particular providers or suppliers pursuant to Medicare's 
conditions of participation or conditions of coverage.
    The proposed rule also addressed the issue that external 
authorities may seek information about how effectively a provider has 
instituted corrective action following identification of a threat to 
the quality or safety of patient care. The Patient Safety Act does not 
relieve a provider of its responsibility to respond to such requests 
for information or to undertake or provide to external authorities 
evaluations of the effectiveness of corrective action, but the provider 
must respond with information that is not patient safety work product. 
The proposed rule provided that recommendations for changes from the 
provider's patient safety evaluation system or the PSO are patient 
safety work product. However, the actual changes that the provider 
implements to improve how it manages or delivers health care services 
are not patient safety work product, and it would be virtually 
impossible to keep such changes confidential.
    Overview of Public Comments: Commenters raised a significant number 
of concerns regarding how information becomes patient safety work 
product under particular provisions of the definition.
Functional Reporting
    We received significant feedback from commenters in support of 
recognizing alternative reporting methods. Most commenters agreed that 
an alternative reporting arrangement should be permitted to promote 
efficiency and relieve providers of the burden of continued 
transmission. Two commenters opposed permitting alternative reporting 
methods based on the concern that a shared resource may confuse clear 
responsibility for a breach of information and that a PSO that has 
access to a provider information system may also have access to patient 
records and similar information for which access may not be 
appropriate.
    Most commenters rejected the suggestion that functional reporting 
should be limited to subsequent reports of information rather than 
allowing functional reports for the first report of an event. 
Commenters believed that such a limitation would inhibit participation 
and offset the benefits of allowing functional reporting. Commenters 
also believed such a limitation would create an artificial distinction 
between information that is initially and subsequently reported to a 
PSO. Some commenters believed that details regarding functional 
reporting are better left to agreement between the provider and PSO 
engaging in functional reporting. Two commenters did support 
restricting functional reporting to subsequent information, but did not 
provide any rationale or concern to support their comment.
    No commenters identified additional requirements or criteria that 
should be imposed beyond a formal contract or agreement. Thus, the 
final rule permits functional reporting.
When Is Information Protected
    Commenters raised significant and substantial concerns regarding 
when the protections for patient safety work product begin, how 
existing patient safety processes will occur given the protections for 
patient safety work product, and the likelihood that providers may need 
to maintain separate systems with substantially duplicate information. 
A significant majority of commenters responded to the concern regarding 
the status of information collected, but not yet reported to a PSO. 
Most commenters agreed with concerns raised by the Department that 
early protection could ease the burden on providers, preventing a race 
to report to a PSO. These commenters recommended that information be 
protected upon collection and prior to reporting. Protection during 
this time would permit providers to investigate an event and conduct 
preliminary analyses regarding causes of the event or whether to report 
information to a PSO. Many commenters were concerned that information 
related to patient safety events be protected at the same time the 
information is preserved for other uses. Some providers indicated that 
if duplication of information is required, providers may opt to not 
participate due to costs and burdens. Three commenters indicated that 
there should be no protection until information is reported to a PSO. 
One commenter was concerned that early protection may interfere with 
State reporting requirements because information needed to report to a 
State may become protected and unavailable for State reporting. Another 
commenter stated that earlier protection would not alleviate the 
concerns regarding protection prior to reporting.
    Commenters provided a wide range of recommendations in response to 
when protection of information should begin prior to creation of 
patient safety work product. Commenters suggested that information be 
protected prior to reporting for as little as 24 hours from an event up 
to 12 months. Other commenters suggested that a timeframe be reasonable 
and based upon relevant factors such as the complexity of facts and 
circumstances surrounding an event.
State Reporting
    One of the most significant areas of comment was how processes to 
create patient safety work product may operate alongside similar 
processes within a provider. Commenters were particularly concerned 
that information collected for

[[Page 70741]]

similar purposes, such as for reporting to a PSO and for reporting to a 
State health authority, would need to be maintained in separate 
systems, thereby increasing the burden on providers. The most 
significant comments received related to how information related to 
patient safety events may be protected at the same time the information 
is preserved for other uses. Some providers indicated that if 
duplication is required, providers may opt to not participate due to 
costs and burdens.
Earliest Time for Collection of Information
    Few commenters responded to the request for comment on the earliest 
date information could be collected for purposes of reporting to a PSO, 
a requirement for information to become patient safety work product. 
Four commenters recommended that information collection be permitted 
back to the passage of the Patient Safety Act. Four commenters 
recommended that the earliest date of collection be dependent upon each 
provider's good faith and intent to collect information for reporting 
to a PSO.
    Final Rule: The Department adopts the proposed provision with some 
modification.
Functional Reporting
    The Department recognizes the concerns raised by commenters 
regarding the functional reporting proposal, but believes the benefits, 
namely the relief of burden and the flexibility that derives from not 
adhering to a narrow reading of the reporting requirement, outweigh the 
potential negative consequences. First, we recognize that a provider and PSO 
engaging in this alternative method of reporting have an established 
relationship for the reporting of information and have spent some time 
considering how best to achieve a mutually useful and suitable 
reporting relationship. That relationship will necessitate 
consideration of what information is necessary and not necessary to 
achieve the purpose of reporting. Neither a provider nor a PSO is 
required to accept an alternative reporting mechanism. Further, 
providers continue to be under the same obligations to protect patient 
and other medical records from inappropriate access from others, 
including the PSO, without exception. Second, such a relationship 
should establish clearly the mechanism for control of information 
reported or to which the PSO will have access, and the scope of PSO 
authority to use the information. In addition, the assessment of 
liability should be addressed and need be no more complex than exists 
in provider settings today with shared resources and integrated 
services.
    We agree with commenters that limitations regarding the initial or 
subsequent reporting of information are better left to the providers 
and PSOs engaging in the practice and that providers and PSOs should be 
permitted to design the appropriately flexible reporting mechanism 
befitting the circumstances of their practice setting. We further agree 
that additional limitations on the ability to use functional reporting 
are unwarranted, absent clear identification of risks or concerns to be 
addressed by further limitations.
    For these reasons, we clarify that reporting of information to a 
PSO for the purposes of creating patient safety work product may 
include authorizing PSO access, pursuant to a contract or equivalent 
agreement between a provider and a PSO, to specific information in a 
patient safety evaluation system and authority to process and analyze 
that information, e.g., comparable to the authority a PSO would have if 
the information were physically transmitted to the PSO. We do not 
believe a formal change in the regulatory text is necessitated by this 
clarification.
When Is Information Protected
    The Department recognizes that the Patient Safety Act's protections 
are the foundation to furthering the overall goal of the statute to 
develop a national system for analyzing and learning from patient 
safety events. To encourage voluntary reporting of patient safety 
events by providers, the protections must be substantial and broad 
enough so that providers can participate in the system without fear of 
liability or harm to reputation. Further, we believe the protections 
should attach in a manner that is as administratively flexible as 
permitted to accommodate the many varied business processes and systems 
of providers and to not run afoul of the statute's express intent to 
not interfere with other Federal, State or local reporting obligations 
on providers.
    The proposed rule required that information must be reported to a 
PSO before the information may become patient safety work product under 
the reporting provision of the definition of patient safety work 
product. However, this standard left information collected, but not yet 
reported to a PSO, unprotected, a cause of significant commenter 
concern. This standard also might encourage providers to race to report 
information indiscriminately to obtain protection in situations where a 
report ultimately may be unhelpful, causing the expenditure of scarce 
resources both by a provider and a PSO to secure the information as 
patient safety work product. The proposed rule also may have caused 
some providers to choose between not participating or developing dual 
systems for handling similar information at increased costs.
    We believe it is important to address the shortcomings of a strict 
reporting requirement through the following modification. The final 
rule provides that information documented as collected within a patient 
safety evaluation system by a provider shall be protected as patient 
safety work product. A provider would document that the information was 
collected for reporting to a PSO and the date of collection. The 
information would become patient safety work product upon collection. 
Additionally, a provider may document that the same information is 
being voluntarily removed from the patient safety evaluation system and 
that the provider no longer intends to report the information to a PSO, 
in which case there are no protections. If a provider fails to document 
this information, the Department will presume the intent to report 
information in the patient safety evaluation system to the PSO is 
present, absent evidence to the contrary.
    We believe this modification addresses the concerns raised by the 
commenters. Protection that begins from the time of collection will 
encourage participation by providers without causing significant 
administrative burden. The alternative is a system that encourages 
providers to indiscriminately report information to PSOs in a race for 
protection, resulting in PSOs receiving large volumes of unimportant 
information. By offering providers the ability to examine patient 
safety event reports in the patient safety evaluation system without 
requiring that all such information be immediately reported to a PSO, 
and by providing a means to remove such information from the patient 
safety evaluation system and end its status as patient safety work 
product, the final rule permits providers to maximize organizational 
and system efficiencies and lessens the need to maintain duplicate 
information for different needs. Because documentation will be crucial 
to the protection of patient safety work product at collection, 
providers are encouraged to document their patient safety evaluation 
system. We note, however, that a provider should not place information 
into its patient safety evaluation system unless it

[[Page 70742]]

intends for that information to be reported to the PSO.
    Although this approach substantially addresses commenter concerns, 
three issues do cause concern. First, because information may be 
protected back to the time of collection, providers are no longer 
required to promptly report information to a PSO to ensure protection. 
Although we believe this is an unavoidable result of the modification, 
we believe the likely impact may be rare because providers are likely 
to engage PSOs for their expertise, which requires such reporting. 
Second, the requirement to document collection in a patient safety 
evaluation system and, potentially, removal from a patient safety 
evaluation system could be burdensome to a provider. However, we 
believe these are important requirements particularly in light of the 
enforcement role OCR will play. A provider will need to substantiate 
that information is patient safety work product, or OCR will be unable 
to determine the status of information, potentially leaving sensitive 
information unprotected--or subjecting the provider to penalties for 
improperly disclosing patient safety work product. Third, the ability 
of a provider to remove information from a patient safety evaluation 
system raises concern that a provider may circumvent the intent of a 
provider employee to obtain protection for information when reporting 
to the provider's patient safety evaluation system. For providers that 
engage in functional reporting, the concern is substantially mitigated 
because, under functional reporting, information is reported to a PSO 
when it is transmitted to the patient safety evaluation system to which 
the PSO has access, and, thus, protected. Alternatively, a provider 
employee may report as permitted directly to a PSO. Ultimately, this 
issue is to be settled between a provider that wishes to encourage 
reports that may not otherwise come to light and its employees who must 
be confident that reporting will not result in adverse consequences.
    For these reasons, the Department modifies the definition of 
patient safety work product to include additional language in the first 
provision of the definition that protects information based upon 
reporting to a PSO.
State Reporting
    To address commenter concerns about the duplication of resources 
for similar patient safety efforts and the lack of protection upon 
collection, we have clarified the requirements for how information 
becomes patient safety work product when reported to a PSO. Generally, 
information may become patient safety work product when reported to a 
PSO. Information may also become patient safety work product upon 
collection within a patient safety evaluation system. Such information 
may be voluntarily removed from a patient safety evaluation system if 
it has not been reported and would no longer be patient safety work 
product. As a result, providers need not maintain duplicate systems to 
separate information to be reported to a PSO from information that may 
be required to fulfill state reporting obligations. All of this 
information, collected in one patient safety evaluation system, is 
protected as patient safety work product unless the provider determines 
that certain information must be removed from the patient safety 
evaluation system for reporting to the state. Once removed from the 
patient safety evaluation system, this information is no longer patient 
safety work product.
Earliest Time for Collection of Information
    The Department believes that a clear indication of a specific time 
when information may first be collected is beneficial to providers by 
reducing the complexity and ambiguity concerning when information is 
protected as patient safety work product. Although each provider 
collecting information for reporting to a PSO may need to support the 
purpose of information collection at the time of collection, such a 
standard may be overly burdensome. The Department agrees that 
information may have been collected for the purpose of reporting to a 
PSO beginning from passage of the Patient Safety Act. Information that 
existed prior to the passage of the Patient Safety Act may be 
subsequently collected for reporting to a PSO, but the original record 
remains unprotected. This clarification does not require any regulatory 
language change in the proposed rule.
What Is Not Patient Safety Work Product
    We reaffirm that patient safety work product does not include a 
patient's original medical record, billing and discharge information, 
or any other original patient or provider record; nor does it include 
information that is collected, maintained, or developed separately, or 
exists separately, from a patient safety evaluation system. The final 
rule includes the statutory provision that prohibits construing 
anything in this Part from limiting (1) the discovery of or 
admissibility of information that is not patient safety work product in 
a criminal, civil, or administrative proceeding; (2) the reporting of 
information that is not patient safety work product to a Federal, 
State, or local governmental agency for public health surveillance, 
investigation, or other public health purposes or health oversight 
purposes; or (3) a provider's recordkeeping obligation with respect to 
information that is not patient safety work product under Federal, 
State or local law. Section 921(7)(B)(iii) of the Public Health Service 
Act, 42 U.S.C. 299b-21(7)(B)(iii). The final rule does not limit 
persons from conducting additional analyses for any purpose regardless 
of whether such additional analyses involve issues identical to or 
similar to those for which information was reported to or assessed by a 
PSO or a patient safety evaluation system. Section 922(h) of the Public 
Health Service Act, 42 U.S.C. 299b-22(h).
    Even when laws or regulations require the reporting of the 
information regarding the type of events also reported to PSOs, the 
Patient Safety Act does not shield providers from their obligation to 
comply with such requirements. These external obligations must be met 
with information that is not patient safety work product and oversight 
entities continue to have access to this original information in the 
same manner as such entities have had access prior to the passage of 
the Patient Safety Act. Providers should carefully consider the need 
for this information to meet their external reporting or health 
oversight obligations, such as for meeting public health reporting 
obligations. Providers have the flexibility to protect this information 
as patient safety work product within their patient safety evaluation 
system while they consider whether the information is needed to meet 
external reporting obligations. Information can be removed from the 
patient safety evaluation system before it is reported to a PSO to 
fulfill external reporting obligations. Once the information is 
removed, it is no longer patient safety work product and is no longer 
subject to the confidentiality provisions.
    The Patient Safety Act establishes a protected space or system that 
is separate, distinct, and resides alongside but does not replace other 
information collection activities mandated by laws, regulations, and 
accrediting and licensing requirements as well as voluntary reporting 
activities that occur for the purpose of maintaining accountability in 
the health care system. Information is not patient safety work product 
if it is collected to comply with external obligations, such as: state 
incident reporting requirements;

[[Page 70743]]

adverse drug event information reporting to the Food and Drug 
Administration (FDA); certification or licensing records for compliance 
with health oversight agency requirements; reporting to the National 
Practitioner Data Bank of physician disciplinary actions; complying 
with required disclosures by particular providers or suppliers pursuant 
to Medicare's conditions of participation or conditions of coverage; or 
provision of access to records by Protection and Advocacy organizations 
as required by law.
Response to Other Public Comments
    Comment: One commenter in responding to questions about timing and 
early protection interpreted the timing concern to be an expiration of 
an allowed period of time to report, such that an event must be 
reported within a certain number of days or it may not become 
protected.
    Response: As noted above, the timing issues in the final rule 
relate to when information may have been collected for reporting to a 
PSO. There is no expiration date for an event that would prohibit 
future protection of a report of it as patient safety work product so 
long as the protection of the information is pursuant to the final 
rule.
    Comment: One commenter suggested that event registries may seek to 
become PSOs because the model is well positioned to allow for tracking 
and identification of patients that require follow-up.
    Response: The Department recognizes that event registries may have 
particular benefits that may be helpful in the analysis of patient 
safety events, but we caution any holder of patient safety work product 
that future disclosure of patient safety work product must be done 
pursuant to the disclosure permissions. Thus, while it may be 
appropriate for event registries to identify and track patients who may 
require follow-up care, the final rule would generally not permit 
disclosure of patient safety work product to patients for such a 
purpose. Accordingly, while there may be benefits to an event registry 
becoming a PSO, a registry should take into consideration the 
limitations on disclosure of patient safety work product, and what 
impact such limits would have on its mission, prior to seeking listing.
    Comment: Several commenters sought clarification whether 
information underlying analyses within a patient safety evaluation 
system was protected. One commenter suggested that data used to conduct 
an analysis should be protected at the same time as the analysis.
    Response: As indicated in the definition of patient safety work 
product, information that constitutes the deliberation or analysis 
within a patient safety evaluation system is protected. Information 
underlying the analysis may have been either reported to a PSO and 
protected or collected in a patient safety evaluation system. 
Information documented as collected within a patient safety evaluation 
system is protected based on the modification to the definition of 
patient safety work product. Thus, information underlying an analysis 
may be protected. However, underlying information that is original 
medical records may not be protected if it is excluded by the 
definition of patient safety work product.
    Comment: Two commenters raised concerns that PSOs do not have 
discretion regarding the receipt of unsolicited information reported to 
PSOs from providers. One commenter was concerned about the burden on a 
PSO receiving unsolicited reports and the obligation a PSO may have 
regarding unsolicited reports. Another commenter was concerned that 
unsolicited reports may be materially flawed or contain incorrect 
information.
    Response: The Department does not agree that this is a major issue 
for PSOs or that PSOs need some regulatory ability to reject reported 
information. If a PSO receives information from a provider that was 
collected by that provider for the purposes of sending to a PSO, then 
the information is patient safety work product. PSOs may use or analyze 
the information, but must protect it as patient safety work product and 
dispose of the information properly. However, there is no requirement 
that a PSO maintain or analyze the information. For these reasons, we 
do not modify the proposed rule position regarding these issues.
    Comment: Some commenters were concerned that recommendations of 
PSOs may be treated as a standard of care. Commenters recommended that 
recommendations from PSOs be protected as patient safety work product.
    Response: The Department stated in the proposed rule that PSO 
recommendations are patient safety work product, but the changes 
undertaken by a provider based upon a PSO's recommendations are not 
patient safety work product. With respect to the concern that PSO 
recommendations may establish a standard of care, the issue is not 
within the scope of the Patient Safety Act and not appropriate for the 
regulation to address. Generally, the establishment of a standard of 
care is a function of courts and entities that have jurisdiction over 
the issue for which a standard of care is relevant. The introduction of 
patient safety work product as information that may help establish a 
standard of care is highly unlikely given the limited disclosure 
permissions. For these reasons, we make no modifications in the final 
rule.
    Comment: Several commenters raised concerns about the distinction 
between original documents and copies of original documents. One 
commenter stated that it was an artificial distinction in an electronic 
environment.
    Response: The Patient Safety Act and the final rule distinguish 
certain original records from information collected for reporting to a 
PSO. Because information contained in these original records may be 
valuable to the analysis of a patient safety event, the important 
information must be allowed to be incorporated into patient safety work 
product. However, the original information must be kept and maintained 
separately to preserve the original records for their intended 
purposes. If the information were to become patient safety work 
product, it could only be disclosed pursuant to the confidentiality 
protections.
    Comment: One commenter was concerned that information collected for 
reporting to a PSO may be the same information providers collect for 
reporting to a state regulatory agency. The commenter suggested that 
protections should only attach to information after state-mandated 
reporting requirements have been fulfilled. The commenter was concerned 
that the confidentiality protections may impede state data collection, 
surveillance and enforcement efforts. A separate commenter requested 
clarification that if patient safety work product is reported under a 
state mandated incident reporting system, the patient safety work 
product continues to be protected.
    Response: The final rule is clear that providers must comply with 
applicable regulatory requirements and that the protection of 
information as patient safety work product does not relieve a provider 
of any obligation to maintain information separately. The Department 
believes that some providers, such as hospitals, have been operating in 
similar circumstances previously when conducting peer review activities 
under state peer review law protections. For patient safety work 
product to be disclosed, even to a State entity, the discloser must 
have an applicable disclosure permission. While the Patient Safety Act 
does not preempt state laws that require providers to report

[[Page 70744]]

information that is not patient safety work product, a State may not 
require that patient safety work product be disclosed.
    Comment: One commenter advised that the final rule should build on 
existing infrastructure for reporting and examination of patient safety 
events to minimize duplication of resources and maximize existing 
efforts.
    Response: The Department has modified the proposed rule to address 
the potential issue of duplicated resources by allowing providers the 
flexibility to collect and review information within a patient safety 
evaluation system to determine if the information is needed to fulfill 
external reporting obligations as addressed above. The Department 
recognizes the high costs of health care, both in dollars and in the 
health of individuals. The final rule establishes a workable and 
flexible framework to permit providers that have mature patient safety 
efforts to fully participate as well as for providers with no patient 
safety activities to be encouraged to begin patient safety efforts.
    Comment: One commenter asked whether multiple PSOs can establish a 
single reporting portal for receiving reports from providers.
    Response: The final rule does not address procedures regarding how 
a PSO receives information. Providers must meet any requirements 
regarding sharing information that is protected health information, 
such as the HIPAA Privacy Rule, in any circumstances when reporting 
information to a PSO or joint PSO portal.
    Comment: Several commenters asked whether retrospective analyses 
could be included as patient safety work product.
    Response: The final rule permits any data, which is a term that is 
broadly defined and would include retrospective analyses, to become 
patient safety work product. The fact that information was developed 
prior to the collection for reporting to a PSO does not bar a provider 
from reporting an analysis to a PSO and creating patient safety work 
product. Providers should be cautioned to consider whether there are 
other purposes for which an analysis may be used to determine whether 
protection as patient safety work product is necessary or warranted. 
Further, the definition of patient safety work product is clear that 
information collected for a purpose other than for reporting to a PSO 
may not become patient safety work product only based upon the 
reporting of that information to a PSO. Such information, particularly 
information collected or developed prior to the passage of the Patient 
Safety Act, may become protected as a copy, but the original document 
remains unprotected.
(J) Section 3.20--Definition of Provider
    Proposed Rule: Proposed Sec.  3.20 would have divided the meaning 
of provider into three categories. The first paragraph included ``an 
individual or entity licensed or otherwise authorized under State law 
to provide health care services, including'' and this introductory 
language was followed by a list of institutional health care providers 
in subparagraph (1) and a list of individual health care practitioners 
in subparagraph (2). The preamble indicated that these statutory lists 
were illustrative.
    Under the Secretary's authority to expand the list of providers in 
the statutory definition, the proposed rule would have added two 
categories to the list of providers. The second paragraph would have 
covered agencies, organizations, and individuals within Federal, State, 
local, or Tribal governments that deliver health care, the contractors 
these entities engage, and individual health care practitioners 
employed or engaged as contractors by these entities. We included this 
addition because public health care entities and their staff are not 
always authorized or licensed by state law to provide their services 
and, therefore, might not be included within the terms of the original 
statutory definition.
    The third paragraph would have included a parent organization that 
has a controlling interest in one or more entities described in 
paragraph (1)(i) of this definition or a Federal, State, local, or 
Tribal government unit that manages or controls one or more entities 
described in (1)(i) or (2) of this definition. This addition was 
intended to permit the parent organization of a health care provider 
system to enter a system-wide contract with a PSO. The parent of a 
health system also may not be licensed or authorized by state law to 
provide health care services as required by the statutory definition.
    Overview of Public Comments: There were a number of comments with 
respect to the entities and individuals that are identified as 
providers in the subparagraphs of paragraph (1). For example, one 
commenter sought clarification that ``assisted living residential care 
and other community based care'' providers are included in the broader 
term ``long term care facilities'' as identified in the list of covered 
providers. A number of other individual commenters each identified 
entities that the Secretary should include in the definition of 
providers: medical product vendors, pharmaceutical companies, medical 
device manufacturers, risk retention groups, and captive professional 
liability insurance companies that are controlled by risk retention 
groups.
    There was general support for the inclusion of parent organizations 
of private and public sector providers in paragraph (3), although two 
commenters disagreed. One commenter argued that naming the parent 
organization as a provider suggested a ``one size fits all'' solution 
and suggested that eligibility should be linked to whether the parent 
organization is involved in the patient safety evaluation system for 
its subsidiaries. Other commenters, while not objecting, worried that 
this addition could open the door for organizations such as health 
insurance issuers, including Health Maintenance Organizations, and 
regulatory and accrediting entities to qualify as component PSOs. One 
commenter suggested that by using the phrase ``controlling interest'' 
with respect to private sector parent organizations, the focus of this 
part of the proposed paragraph was inappropriately narrow, appearing to 
emphasize a corporate parent, and that the language needed to reflect a 
broader array of potential parent organizations, such as partnerships 
or limited liability companies.
    Several commenters expressed concern that by encompassing entities 
that are not traditionally providers, under HIPAA or other rules, our 
definition of ``provider'' would lead to confusion. One commenter 
suggested it would be appropriate for the commentary accompanying the 
final rule to address the two terms, emphasize the differences, and 
clarify the obligations.
    Final Rule: We have modified the definition of provider in the 
final rule in response to several comments. The first modification is a 
non-substantive substitution of the term behavioral health for behavior 
health. In response to the comments we received and to ensure clarity, 
we reiterate what we stated in the proposed rule that a list preceded 
by ``including'' is an illustrative list, not an exhaustive list.
    In general, the question of whether any private sector individual 
or entity, such as assisted living residential care and other 
community-based care providers, comes within the rule's meaning of 
``provider'' is determined by whether the individual or entity is 
licensed or otherwise authorized under state law to deliver health care 
services. We note that paragraphs (2) and (3) of the definition address 
public sector

[[Page 70745]]

providers and parent organizations of health care providers.
    We have not adopted any of the other recommendations for additions 
to the list of providers. The statute provides confidentiality and 
privilege protections for reporting by individuals and entities that 
actually provide health care services to patients. In our view, it was 
not intended to apply to those who manufacture or supply materials used 
in treatments or to entities that provide fiscal or administrative 
support to those providing health care services.
    With respect to paragraph (3) of the definition, the use of the 
term parent organization here should conform to our definition of 
``parent organization'' above. Therefore, we have streamlined the 
language, deleting unnecessary text that might suggest that we were 
applying a different definition.
    The Department does not share the concerns of commenters that 
incorporating a broader definition of ``provider'' in this rule will 
cause confusion in the marketplace, because its use will be limited. 
The application of the term ``provider'' in this rule is intended to 
give the full range of health care providers the ability to report 
information to, and work with, PSOs and receive confidentiality and 
privilege protections as set forth in the Patient Safety Act and this 
rule. Although we appreciate the administrative benefits of uniformity, 
and have tried to maximize the consistency or interoperability of this 
rule with the HIPAA Privacy and Security Rules, it would not be 
appropriate in this rule to adhere to any less inclusive definition of 
provider used in other regulations.
    We did not condition the designation of provider status for a 
parent organization on its involvement in a patient safety evaluation 
system. We expect that most parent organizations will, in fact, be a 
part of a system-wide patient safety evaluation system if they choose 
to pursue PSO services. However, establishing such a requirement now, 
when it is unclear what types of innovative arrangements and effective 
strategies might emerge, might prove more detrimental than helpful.
Response to Other Public Comments
    Comment: One commenter raised concerns that paragraph (2) may not 
include Indian tribes that operate or contract for their own health 
care systems under the Indian Self-Determination and Education 
Assistance Act (ISDEAA), rather than relying upon the Indian Health 
Service.
    Response: Tribal organizations carrying out self-determination 
contracts or compacts under the ISDEAA to deliver health care fall 
squarely within paragraph (2) of the definition of provider because 
they are organizations engaged as contractors by the Federal government 
to deliver health care. Additionally, the workforce of a provider 
covered under the rule, by definition, includes employees, volunteers, 
trainees, contractors, and other persons, whether or not paid by the 
provider, that perform work under the direct control of that provider. 
Federal employees detailed to a tribe or Tribal organization carrying 
out an ISDEAA contract would be covered under paragraph (2) in the 
definition of provider, even if they were not part of the Tribal 
organization's workforce. Therefore, no change is needed in response to 
this comment.

B. Subpart B--PSO Requirements and Agency Procedures

    Proposed Subpart B would have set forth requirements for Patient 
Safety Organizations (PSOs) including the certification and 
notification requirements that PSOs must meet, the actions that the 
Secretary may and will take relating to PSOs, the requirements that 
PSOs must meet for the security of patient safety work product, the 
processes governing correction of PSO deficiencies, revocation, and 
voluntary relinquishment, and related administrative authorities and 
implementation responsibilities. The requirements of the proposed 
Subpart would have applied to entities that seek to be listed as PSOs, 
PSOs, their workforce, a PSO's contractors when they hold patient 
safety work product, and the Secretary.
    The proposed rule did not require a provider to contract with a PSO 
to obtain the protections of the Patient Safety Act; however, we noted 
that we anticipate that most providers would enter into contracts with 
PSOs when seeking the confidentiality and privilege protections of the 
statute. We proposed to enable a broad variety of health care providers 
to work voluntarily with entities that would be listed as PSOs by the 
Secretary based upon their certifications that, among other things, 
state that they have the ability and expertise to carry out the broadly 
defined patient safety activities of the Patient Safety Act and, 
therefore, to serve as consultants to eligible providers to improve 
patient care. In accordance with the Patient Safety Act, the proposed 
rule set out an attestation-based process to qualify for 3-year 
renewable periods of listing as a PSO. Proposed Subpart B attempted to 
minimize regulatory burden, while fostering transparency to enhance the 
ability of providers to assess the strengths and weaknesses of their 
choice of PSOs.
    We proposed a security framework pertaining to the separation of 
data and systems and to security management, control, monitoring, and 
assessment. Thus, each PSO would address the framework with standards 
it determines appropriate to the size and complexity of its 
organization. We proposed additional requirements to ensure that a 
strong firewall would be maintained between a component PSO and the 
rest of the organization(s) of which it is a part.
    We noted that we expect to offer technical assistance and encourage 
transparency wherever possible to promote implementation, compliance, 
and correction of deficiencies. At the same time, this proposed Subpart 
established processes that would permit the Secretary promptly to 
revoke a PSO's certification and remove it from listing, if such action 
proves necessary.
1. Section 3.102--Process and Requirements for Initial and Continued 
Listing of PSOs
    Proposed Rule: The proposed rule in Sec.  3.102 addressed the 
eligibility of, and the processes and requirements for, an entity 
seeking a three-year period of listing by the Secretary as a PSO and 
described the timing and requirements of notifications that a PSO must 
submit to the Secretary during its period of listing. The proposed rule 
described our intention to minimize barriers to entry for entities 
seeking listing and create maximum transparency to create a robust 
marketplace for PSO services. The Patient Safety Act set forth limited 
prerequisites that must be met to be listed by the Secretary as a PSO, 
which the regulation incorporates. The Department expects that 
providers will be the ultimate arbiters of the quality of services that 
an individual PSO provides.
    Overview of Public Comments: The following discussion focuses on 
the broad comments we received concerning our overall approach to 
initial and continued listing of PSOs. These comments do not address 
specific provisions of the proposed rule. Public comments that address 
specific provisions of Sec.  3.102 are addressed in the individual 
subsection discussions that follow. Questions and situation-specific 
comments are addressed below under the heading of ``Response to Other 
Public Comments.''
    The Department received generally favorable comment on our proposed 
approach in this section, which

[[Page 70746]]

emphasizes a streamlined certification process, and public release of 
documentation submitted by PSOs whenever appropriate. There were, 
however, two broad sets of concerns expressed about our overall 
approach.
    The first concern related to the potential number of PSOs that 
might be listed by the Secretary as a result of the Department's 
proposed ``ease of entry'' approach. These comments focused on the 
importance of PSOs being able to aggregate significant amounts of data 
across multiple providers to develop meaningful analyses. Noting that 
patient safety events are often rare events, one commenter noted that 
in some cases it may be necessary to aggregate data for an entire state 
in order to develop insights regarding the underlying causes of such 
events. Another commenter noted that if every hospital in the state 
established its own component PSO, the potential impact of PSO analyses 
could be minimal. Because most PSOs will be dependent upon revenue from 
providers submitting data, one commenter worried that too many PSOs 
could also affect the ability of individual PSOs to obtain adequate 
funding to perform their analytic functions and to implement 
potentially costly security requirements.
    These concerns led some commenters to suggest inclusion in the 
final rule of a limitation on the number of PSOs that the Secretary 
would list. One commenter asked whether it would be possible for the 
Department to list one national PSO, noting this could improve 
efficiency for providers. Another commenter suggested listing of 2-4 
PSOs per state using a competitive process or limiting the number of 
PSOs by increasing the number of required provider contracts that each 
PSO must have. Most commenters who favored limiting the number of 
listed PSOs did not suggest a specific approach.
    A second broad set of recommendations focused on the need for 
periodic or ongoing evaluation of the effectiveness of PSOs that could 
be linked to, or be separate from, the evaluation of certifications for 
continued listing. Some commenters recommended that the Department 
routinely collect information from PSOs to evaluate whether the 
individual and collective work of PSOs is actually reducing medical 
errors and improving the quality of care that is delivered. One 
commenter stressed the importance of establishing in the final rule 
expectations related to PSO performance and demonstrated results and 
provided draft language for inclusion in the final rule.
    Final Rule: The Department has not modified the approach taken in 
the proposed rule in response to these comments. With respect to 
limiting the number of PSOs that are listed by the Secretary, the 
statutory language is clear that any entity, public or private, that 
can meet the stated requirements is eligible for listing by the 
Secretary. While the Department understands the concerns of the 
commenters that a very large number of PSOs could frustrate the 
statutory goal of data aggregation across multiple providers, we 
believe that this scenario is unlikely for several reasons.
    First, a provider does not need to shoulder the financial burden 
alone to support a full-time PSO. Providers enjoy the same protections 
under the Patient Safety Act when they contract with an independent PSO 
or when they create a component organization to seek listing as a PSO. 
A provider that establishes a working relationship with a PSO can have 
a division of labor between the analyses that its staff undertakes in-
house within its patient safety evaluation system and the tasks it 
assigns to the PSO. In both circumstances, the statutory protections 
apply. Thus, for a provider, establishing its own PSO is an option, not 
a necessity.
    Second, there are important insights into patient safety that can 
only be derived from aggregating data across multiple providers. Given 
the low frequency of some patient safety events, even larger health 
systems are likely to derive additional benefits from working with PSOs 
that have multiple and, potentially, diverse clients.
    A final limiting factor is the shortage of personnel who are well-
trained or experienced in the use of the methodologies of patient 
safety analyses. While the marketplace will respond to the need for the 
development of additional training and certification programs, the 
availability of highly-skilled staff will be a constraining factor 
initially. In combination, these three factors should provide a natural 
constraint on the number of single-provider PSOs.
    Regarding the other general set of comments related to the listing 
process, the Department has considered these suggestions and has 
determined not to incorporate in the final rule requirements for an 
ongoing evaluation process or the routine collection of data from PSOs. 
PSOs are not a Federal program in the traditional sense. Most 
significantly, they are not Federally funded. Their project goals, 
priorities, and the specific analyses that they undertake are not 
Federally directed. The value and impact of an individual PSO will be 
determined primarily by the providers that use its services on an 
ongoing basis.
    It is unclear at this point how providers will choose to use PSOs. 
Only with experience will it become clear which analyses a provider 
will choose to undertake in its own patient safety evaluation system 
and which analyses a provider will rely upon a PSO to undertake. The 
mix and balance of activities between a provider's patient safety 
evaluation system and its PSO (or PSOs) will undoubtedly shift over 
time as the working relationships between providers and PSOs evolve 
toward greater efficiency. Thus, we remain convinced that providers are 
in the best position to assess the value of a PSO and its ability to 
contribute to improving the quality and safety of patient care.
Response to Other Public Comments
    Comment: While contracts are not required between PSOs and 
providers to obtain protections, the Department stated that it 
anticipates most providers will enter contracts with PSOs. In 
light of this expectation, one commenter urged the Department to 
develop and make available a model contract.
    Response: We do not think a model contract can be developed easily. 
The issues that need to be addressed will vary significantly based upon 
the nature of the relationship. Therefore, we do not expect to be 
developing and releasing a model contract.
    Comment: One commenter suggested that the final rule should explain 
how AHRQ will publish the results from which providers and others can 
evaluate a PSO before entering a contract.
    Response: For the reasons discussed above, AHRQ will not require or 
release PSO-specific performance information.
    Comment: One commenter suggested that AHRQ should ensure that a PSO 
is not able to make commercial gain from the knowledge it derives as a 
PSO.
    Response: The statute permits all types of private and public 
entities to seek listing as a PSO; it does not limit private entities 
to not-for-profits. The final rule mirrors that formulation. The 
Department concludes that the statute does not invite us to impose such 
restrictions and expects that providers' decisions will determine the 
acceptability of for-profit PSOs.
    Comment: One commenter suggested that providers should only be 
permitted to submit data to one PSO.
    Response: The Patient Safety Act's framework for PSO-provider 
relationships is voluntary from a public policy perspective. In our 
view, it

[[Page 70747]]

would be inconsistent with section 922(e)(1)(B) of the Public Health 
Service Act for the Department or any entity to use the authority of 
law or regulation to limit or direct provider reporting.
    Comment: One commenter suggested that the final rule should require 
PSOs to share aggregated, non-identifiable patient safety work product 
with state regulatory authorities.
    Response: The Department does not agree that it is appropriate to 
place such an unfunded mandate upon PSOs.
    Comment: One commenter stated that it is a waste of effort and 
expense to create new government entities to work with providers when 
current organizations can do that just as well. The commenter also 
asked whether anyone has estimated the 10-year costs.
    Response: As this final rule makes clear, these entities are not 
government entities and will not receive Federal funding. While we 
expect implementation will spur the development of new entities, we 
also expect that existing entities will be able to expand their current 
patient safety improvement efforts if they seek listing and are able to 
offer the confidentiality and privilege protections provided by the 
Patient Safety Act. While we have not done a 10-year cost estimate, our 
regulatory impact statement at the end of the preamble projects net 
savings of $76 to $92 million in 2012, depending upon whether the net 
present value discount rate is estimated at 7% or 3%.
(A) Section 3.102(a)--Eligibility and Process for Listing
    Proposed Rule: Section 3.102(a) of the proposed rule would have 
provided that, with several exceptions discussed below, any entity--
public or private, for-profit or not-for-profit--that can meet the 
statutory and regulatory requirements may seek initial or continued 
listing by the Secretary as a PSO. The Department proposed to establish 
a streamlined certification process for entities seeking initial or 
continued listing that relied upon attestations that the entities met 
statutory and regulatory requirements. To foster informed provider 
choice, entities were encouraged, but would not be required, to post 
narratives on their respective Web sites that explained how each entity 
intended to comply with these requirements and carry out its mission.
    The proposed rule incorporated a statutory prohibition that 
precludes a health insurance issuer and a component of a health 
insurance issuer from becoming a PSO. The Department also proposed to 
exclude any entity, public or private, that conducts regulatory 
oversight of health care providers, which included organizations that 
accredit or license providers. We proposed this restriction for 
consistency with the statute, which seeks to foster a ``culture of 
safety'' in which health care providers are confident that the patient 
safety events that they report will be used for learning and 
improvement, not oversight, penalties, or punishment. The proposed rule 
would permit a component organization of such an entity to seek listing 
as a PSO. To ensure that providers would know the parent organizations 
of such PSOs, we proposed that certifications include the name(s) of 
its parent organization(s), which the Secretary would release to the 
public. We sought comment on whether we should consider broader 
restrictions on eligibility.
    The proposed rule would permit a delisted entity, whether delisted 
for cause or because of voluntary relinquishment of its status, 
subsequently to seek a new listing as a PSO. To ensure that the 
Secretary would be able to take into account the history of such 
entities, we proposed such entities submit this information with their 
certifications for listing.
    Overview of Public Comments: The Department received generally 
favorable comments on our proposal to adopt a streamlined attestation-
based approach to initial listing of PSOs. A number of commenters 
expressed concern about our attestation-based approach, however, 
arguing for a more in-depth assessment to ensure that an entity had the 
capability to carry out its statutory and regulatory responsibilities 
and meet the patient safety objectives of the statute. Some believed 
that the private marketplace is not necessarily well-equipped to judge 
which organizations can most effectively meet these requirements. 
Arguing that one misguided or fraudulent organization could taint the 
entire enterprise for years, a few commenters suggested that we require 
interested organizations at initial listing to submit documentation of 
their ability to meet their statutory and regulatory responsibilities.
    Most commenters who urged a stronger approach to the evaluation of 
certifications for listing acknowledged the value of an expedited 
process for initial listing and instead focused their recommendations 
on the importance of creating a more rigorous process for continued 
listing. Commenters commonly recommended that, in addition to the 
proposed certifications for continued listing, a PSO be required to 
submit documentation that described in detail how it is complying with 
the requirements underlying its certifications, and urged the 
Department to arrange for independent review of such documentation, 
coupled with an audit process that would ensure compliance.
    The comments we received were supportive of including a requirement 
that entities certify whether there is any relevant history regarding 
delisting about which the Secretary needs to be aware. Several 
commenters suggested that the entity seeking to be relisted should be 
required to include reason(s) for any prior delisting. Another 
suggestion was that the Secretary should have discretion in relisting 
an entity not to release the names of officials who had positions of 
responsibility in a previously delisted entity.
    The proposed restrictions on eligibility engendered considerable 
comment. With respect to the statutory restriction on health insurance 
issuers, concerns and questions were raised regarding whether the 
exclusion applied to self-insured providers or malpractice liability 
insurers and whether health systems that include a subsidiary that is a 
health insurance issuer could establish a component PSO.
    We received a significant level of comment regarding our proposed 
restriction on listing of regulatory oversight bodies. While the 
majority of commenters supported the proposed exclusion, some 
commenters took issue with various aspects of our proposal.
    Commenters engaged in accreditation activities generally criticized 
our characterization of these activities as regulatory. They pointed 
out that the proposed rule did not take into account the distinction 
between voluntary and mandatory accreditation and, in their view, most 
accreditation was voluntary. They also noted that accreditation 
activities were initially developed to ensure the quality and safety of 
patient care and that accreditation entities, unlike licensure 
agencies, have greater discretion in addressing any problems that they 
identify with a provider's operations in a non-punitive way. For these 
commenters, accreditation activities were not inconsistent with 
fostering a ``culture of safety.'' By contrast, most provider comments 
supported the exclusion, and singled out accreditation entities as 
warranting exclusion.
    State health departments and state-created entities expressed 
concern about an outright prohibition on their being listed as PSOs, 
noting that the prohibition could disrupt effective patient safety 
initiatives now underway. A number of specific state-sanctioned patient 
safety initiatives were described in their submissions. Commenters

[[Page 70748]]

pointed to the fact that state health departments have both regulatory 
and non-regulatory elements to their authority, have routinely 
demonstrated that they can effectively keep these elements separate, 
and thus, they saw no reason for the Department to doubt that state 
agencies could continue to do so effectively if they were permitted to 
operate PSOs.
    Other commenters suggested extending the prohibition to other types 
of entities (such as purchasers of health care or agents of regulatory 
entities) and raised questions regarding the scope of the exclusion.
    We received a significant number of comments in response to a 
specific question raised in the proposed rule whether the exclusion of 
regulatory entities should be extended to components of such 
organizations. Commenters that supported extension of the prohibition 
generally argued that the firewalls that the statute requires a 
component PSO to maintain between itself and its parent organization(s) 
could be circumvented, that the flexibility in the proposed rule to 
enable a component PSO to draw upon the expertise of its parent 
organization(s) would be inappropriate in this situation, and there was 
a significant possibility that such a parent organization could use its 
position of authority to attempt to coerce providers into reporting 
patient safety work product to its component PSO.
    A majority of commenters, however, opposed expanding the exclusion 
to components of such regulatory organizations. They contend that the 
statutorily required separations between a component PSO and its parent 
organization(s) would provide adequate protection against improper 
access and adverse use of confidential patient safety work product by 
the excluded entities with which such a component PSO is affiliated. A 
number of commenters noted that an expansion of the exclusion to 
components of such entities would have unintended consequences. For 
example, an increasing number of medical specialty societies operate, 
or are in the process of developing, accreditation programs for their 
members in response to growing public and private sector pressure for 
quality improvement. These organizations see the creation of specialty-
specific component PSOs as an important complement to their other 
quality improvement activities. Similarly, some commenters contend that 
widespread patient safety improvements require coordination and 
communication across the public and private sectors. These commenters 
argued that a broader exclusion could both disrupt existing, effective 
public sector patient safety initiatives and preclude opportunities for 
the public sector to play a meaningful role.
    Many commenters that opposed extending the exclusion to component 
organizations nevertheless suggested additional restrictions to 
strengthen the separation of activities between component PSOs and 
these types of parent organizations. Their suggestions are discussed 
below with respect to Sec.  3.102(c).
    Final Rule: The Department considered whether to modify the 
attestation process either for initial or continued listing of PSOs or 
both but ultimately concluded that streamlined attestations should be 
retained for both. Given the voluntary, unfunded nature of this 
initiative and the centrality of the client-consultant paradigm of 
provider-PSO relationships, an approach that requires documentation and 
routine audits is likely to be costly and burdensome, both to entities 
seeking listing and the Department. More importantly, such an approach 
is unlikely to achieve its intended objective, for the reasons 
discussed below.
    There are limitations of a documentation approach to ensuring the 
capabilities and compliance of PSOs with the requirements for listing, 
and such an approach is unlikely to yield the types of information that 
providers will need in selecting a PSO. Consider, for example, two of 
these requirements: the criterion that requires that a PSO have 
qualified staff, including licensed or certified medical professionals, 
and the patient safety activity that requires the provision of feedback 
to participants in a (provider's) patient safety evaluation system. 
Documentation, through submission of resumes or summaries of the 
credentials of professional staff, can demonstrate that the PSO meets 
the statutory requirement. What each provider really needs to assess, 
however, is whether the skill sets of the professional staff employed 
by or under contract to the PSO are an appropriate match for the 
specific tasks that led the provider to seek a PSO's assistance. 
Depending upon the analytic tasks, a provider may need expertise that 
is setting-specific (e.g., nursing homes versus acute care settings), 
technology-specific, or specialty-specific, or may require expertise 
outside the traditional scope of health care. Thus, there is not a 
single template against which the expertise of a PSO's professional 
staff can be judged. In addition, we anticipate that PSOs seeking 
additional clients (providers) will post on their websites, or 
otherwise advertise, the names and qualifications of their top staff 
experts and consultants. Their Web site locations will be on the AHRQ 
PSO Web site.
    Similarly, documentation can demonstrate that a PSO has provided 
feedback to participants in a provider's patient safety evaluation 
system and thereby met the statutory requirement. But the most relevant 
questions are whether the feedback reflected a valid analysis of the 
provider's patient safety work product and existing scientific 
knowledge, and whether the feedback was framed in ways that made it 
understandable, ``actionable,'' and appropriate to the nature of the 
provider's operation. The answers to these questions cannot be assessed 
by the Department readily through the listing process.
    As a result, in many cases, the provider-client, rather than the 
Department, will be better able to determine whether the outcomes of a 
PSO's conduct of patient safety activities meet its needs in a 
meaningful way. The Department believes that providers, especially 
institutional providers, will have access to the expertise to make them 
especially sophisticated customers for PSO services. Providers are 
likely to assess very carefully the capabilities of a PSO and will be 
in a position to request appropriate documentation, if necessary, to 
assess a PSO's ability to meet their specific requirements. Therefore, 
the Department does not see a compelling public policy rationale for 
substituting its judgment for that of a provider. Providers can demand 
references and evidence of relevant accomplishments, and effectively 
evaluate the adequacy and suitability of a PSO's expertise and 
experience. In summary, a listing process that imposes documentation 
and audit requirements on each PSO will impose a significant burden on 
all parties, but yield only marginally useful information to 
prospective clients.
    Accordingly, we believe the approach outlined in the proposed rule 
offers a more efficient and effective approach. The approach does 
include authority for spot-checking compliance outlined in Sec.  3.110, 
responding to complaints or concerns, and enabling the Secretary, in 
making listing decisions (see Sec.  3.104(b)), to take into 
consideration the history of an entity and its key officials and senior 
managers. This approach will be buttressed with a program of technical 
assistance for PSOs administered by AHRQ. In addition, the final rule 
incorporates a new expedited revocation process that can be used when 
the

[[Page 70749]]

Secretary determines that there would be serious adverse consequences 
if a PSO were to remain listed. False statements contained in a PSO's 
submitted certifications can result in a loss of listing or other 
possible penalties under other laws.
    For convenience and clarity, we have restructured Sec.  3.102(a)(1) 
to provide a unified list of the certifications and information that an 
entity must submit for listing as a PSO. Sections 3.102(a)(1)(i) 
through 3.102(a)(1)(vii) set forth and cross-reference the requirements 
of the final rule. Two of these requirements are new. Section 
3.102(a)(1)(iv) cross-references the additional requirements in Sec.  
3.102(c)(1)(ii) that components of entities that are excluded from 
listing must meet in order for such components to be listed. Section 
3.102(a)(1)(v) incorporates our proposal, for which comments were 
supportive, to require disclosure to the Secretary if the entity 
seeking listing (under its current name or another) has ever been 
denied listing or delisted or if the officials or senior managers of 
the entity now seeking listing have held comparable positions in a PSO 
that the Secretary delisted or refused to list.
    We have not adopted recommendations that we require explanations 
for the historical situations encompassed by Sec.  3.102(a)(1)(v). 
Instead, we require that the name(s) of any delisted PSO or of any 
entity that was denied listing be included with the certifications. The 
Department can then search its records for background information. In 
response to concerns regarding public disclosure of the names of the 
officials or senior managers that would trigger the notification 
requirement, we do not require submission of the names of the 
individuals with the certifications. With respect to the workforce of 
the entity, we note that we have narrowed the requirement in two ways. 
First, we have narrowed the focus from ``any'' employee to officials 
and senior managers. Second, the requirement to disclose only applies 
when officials or senior managers of the entity seeking listing also 
held comparable positions of responsibility in the entity that was 
delisted or refused listing.
    Restructured Sec.  3.102(a)(2) retains the statutory exclusion from 
listing of health insurance issuers and components of health insurance 
issuers in subparagraph (i). For greater clarity, we have restated the 
exclusion to reflect the rule's definition of component so it now 
references: a health insurance issuer; a unit or division of a health 
insurance issuer; or an entity that is owned, managed, or controlled by 
a health insurance issuer. New subparagraph (ii) modifies and restates 
the exclusion from listing of any entity that: (1) Accredits or 
licenses health care providers; (2) oversees or enforces statutory or 
regulatory requirements governing the delivery of health care services; 
(3) acts as an agent of a regulatory entity by assisting in the conduct 
of that entity's oversight or enforcement responsibilities vis-a-vis 
the delivery of health care services; or (4) operates a Federal, State, 
local or Tribal patient safety reporting system to which health care 
providers (other than members of the entity's workforce or health care 
providers holding privileges with the entity) are required to report 
information by law or regulation.
    In reviewing the comments on the proposed regulatory exclusion, we 
did not find the arguments for narrowing the prohibition compelling. 
Almost every provider group expressed concern regarding the possible 
operation of PSOs by entities that accredit or license providers as 
well as possible operation of PSOs by regulatory entities. We share 
their concerns that entities with the potential to compel or penalize 
provider behavior cannot create the ``culture of safety'' (which 
emphasizes communication and cooperation rather than a culture of blame 
and punishment) that is envisioned by the statute.
    We also concluded that it is difficult to draw a ``bright-line'' 
distinction between voluntary and mandatory accreditation as several of 
the commenters from accreditation organizations proposed. While most 
accreditation is technically voluntary from the standpoint of many 
accreditation entities, its mandatory aspect generally derives from 
requirements established by, or its use by, other entities such as 
payers. Thus, if we were to incorporate such a distinction that 
permitted the listing of organizations that provide voluntary 
accreditation today, its voluntary nature could disappear over time if 
other organizations mandated use of its accreditation services. Thus, a 
listed PSO might need to be delisted at some point in the future solely 
because of the actions of a third party mandating that organization's 
accreditation as a requirement. Therefore, we have retained the 
prohibition on accreditation and licensure entities and have not 
incorporated any distinctions regarding voluntary versus mandatory 
accreditation in the final rule. We have reformulated the exclusion and 
no longer include accreditation or licensure activities as examples of 
regulatory activities.
    Similarly, we have retained the broad exclusion from listing of 
regulatory entities, by which we mean public or private entities that 
oversee or enforce statutory or regulatory requirements governing the 
delivery of health care services. Their defining characteristic is that 
these entities have the authority to discipline institutional or 
individual providers for the failure to comply with statutory or 
regulatory requirements, by withholding, limiting, or revoking 
authority to deliver health care services, by denying payment for such 
services, or through fines or other sanctions.
    We consider entities with a mix of regulatory and non-regulatory 
authority and activities also to be appropriately excluded from being 
listed. We acknowledge that health departments and other entities with 
regulatory authority may undertake a mix of regulatory and non-
regulatory functions. It may also be true, as several comments 
reflected, that state health departments have experience, and a track 
record, for maintaining information separately and securely from the 
regulatory portions of their operations when necessary. However, we 
note that the final rule retains the proposed approach not to regulate 
uses of patient safety work product within a PSO. However, the final 
rule retains the ability of a state health department to establish a 
component organization that could seek listing as a PSO, subject to the 
additional restrictions discussed in Sec.  3.102(c) below. The benefit 
of this approach is that providers will have the reassurance that the 
penalties under the Patient Safety Act and the final rule will apply to 
any impermissible disclosures of patient safety work product from such 
a PSO to the rest of the state health department.
    We have not included the proposal of several commenters to exclude 
purchasers of health care from becoming PSOs. Commenters did not 
suggest a compelling public policy case for the exclusion of any 
particular type of purchasers. Given the vagueness and potential scope 
of such a prohibition, the potential for unintended consequences is 
simply too great to warrant its inclusion. For example, health care 
institutions in their role as employers can also be considered 
purchasers of health care.
    We have incorporated two additional exclusions. First, based upon 
recommendation from commenters, we exclude from listing entities that 
serve as the agents of a regulatory entity, e.g., by conducting site 
visits or investigations for the regulatory entity.

[[Page 70750]]

While we understand that such agents generally do not take action 
directly against providers, their findings or recommendations serve as 
the basis for potential punitive actions against providers. As a 
result, we believe that the rationale we outlined in the proposed rule 
regarding the exclusion of regulatory bodies is also applicable to 
agents of regulatory entities helping to carry out these regulatory 
functions.
    Second, as we considered comments seeking clarification on the 
eligibility of entities that operate certain mandatory or voluntary 
patient safety reporting systems to seek listing as PSOs, we concluded 
that mandatory systems, to which some or all health care providers are 
required by law or regulation to report patient safety information to a 
designated entity, were inconsistent with the voluntary nature of the 
activities which the Patient Safety Act sought to foster. However, this 
exclusion does not apply to mandatory reporting systems operated by 
Federal, State, local or Tribal entities if the reporting requirements 
only affect their own workforce as defined in Sec.  3.20 and health 
care providers holding privileges with the entity. The exception is 
intended to apply to Federal, State, local or Tribal health care 
facilities in which the reporting requirement applies only to its 
workforce and health care providers holding privileges with the 
facility or health care system. This exception ensures that, with 
respect to eligibility for listing as a PSO, entities that administer 
an internal patient safety reporting system within a public or private 
sector health care facility or health care system are treated 
comparably under the rule and would be eligible to seek listing as a 
PSO.
    The final rule retains the ability of components of the four 
categories of excluded entities in Sec.  3.102(a)(2)(ii) to seek 
listing as a component PSO. After careful review, the Department 
concluded that there was a significant degree of congruence in the 
concerns expressed by both proponents and opponents of extending the 
exclusion to such components. The opponents of extending the exclusion 
routinely suggested that the Department address their core concerns by 
adopting additional protections, rather than the blunt tool of a 
broader exclusion. We have adopted this approach, and we have 
incorporated in Sec.  3.102(c) additional requirements and limitations 
for components of excluded entities.
    In addition, we have incorporated a new requirement in Sec.  
3.102(a)(3) that submissions for continued listing must be received by 
the Secretary no later than 75 days before the expiration of a PSO's 
three-year period of listing. This requirement derives from our concern 
for protecting providers if a PSO decides not to seek continued listing 
and simply lets its certifications expire at the end of a three-year 
period of listing. To preclude an inadvertent lapse, the proposed rule 
included a provision to send PSOs a notice of imminent expiration 
shortly before the end of its period of listing and sought comment on 
posting that notice publicly so that providers reporting patient safety 
work product could take appropriate action. Section 3.104(e)(2) states 
that the Secretary will send a notice of imminent expiration to a PSO 
at least 60 days before its last day of listing if certifications for 
continued listing have not been received. However, the failure of the 
Secretary to send this notice does not relieve the PSO of its 
responsibilities regarding continued listing. The requirement to submit 
certifications 75 days in advance is intended to ensure that such a 
notice is not sent or publicly posted until after the submissions are 
expected by the Department.
Response to Other Public Comments
    Comment: One commenter urged the Secretary not to require 
organizations to have specific infrastructure and technology in place 
before they could be listed.
    Response: The Department has not proposed any specific 
infrastructure or technology requirements. However, the statute and the 
final rule require a PSO at initial listing to certify that it has 
policies and procedures in place to ensure the security of patient 
safety work product. The final rule requires that those policies and 
procedures be consistent with the framework established by Sec.  3.106. 
The Department interprets the statute to require a listed PSO to be 
able to provide security for patient safety work product during its 
entire period of listing, which includes its first day of listing.
    Comment: Two commenters agreed that PSOs should be encouraged, but 
not required, to post on their Web sites narrative statements regarding 
their capabilities.
    Response: The Department continues to encourage PSOs to develop and 
post such narrative statements.
    Comment: One commenter suggested that the listing process should 
include an opportunity for the Secretary to receive public comment 
before making a listing decision, especially in the case of continued 
listing, when providers may want to share their experiences with the 
Secretary regarding a specific PSO.
    Response: While we expect customer satisfaction evaluations of PSOs 
will develop naturally in the private sector, the Department has not 
incorporated this recommendation in the listing process. If a provider 
or any individual believes that a PSO's performance is not in 
compliance with the requirements of the rule, this concern can be 
communicated to AHRQ at any time. Improper disclosures may also be 
reported to the Office for Civil Rights in accordance with Subpart D. 
Incorporation of a public consultation process poses a number of 
implementation issues. For example, it could potentially delay a 
time-sensitive Secretarial determination regarding continued listing (which 
must be made before expiration of a PSO's current period of listing) 
and could require the Department to assess the validity of each 
specific complaint, e.g., the extent to which dissatisfaction with an 
analysis reflects the competence with which it was performed or a lack 
of precision in the assignment to the PSO.
    Comment: One commenter suggested that state-sanctioned patient 
safety organizations should be deemed to meet the requirements for 
listing.
    Response: The Department does not believe that the Patient Safety 
Act gives the Secretary authority to delegate listing decisions to 
states. Moreover, the statute establishes the requirements that an 
entity must meet for listing as a PSO; automatically deeming state-
sanctioned organizations to be PSOs would inappropriately override 
federal statutory requirements and mandate the Secretary to list PSOs 
that may not be in compliance with all the statutory requirements. 
Accordingly, the final rule does not include such a provision.
    Comment: Several commenters asked if the exclusion on health 
insurance issuers precludes a self-insured entity from seeking listing.
    Response: The Department has examined this issue and concluded that 
the exclusion of health insurance issuers does not apply to self-
insured organizations that provide health benefit plans to their 
employees. The statutory exclusion contained in section 924(b)(1)(D) of 
the Public Health Service Act incorporates by reference the definition 
of health insurance issuer in section 2971 of the Public Health Service 
Act and that definition explicitly excludes health benefit plans that a 
health care provider organization offers to its employees.
    Comment: Several commenters inquired whether organizations that 
provide professional liability insurance coverage (also referred to as 
medical liability insurance or malpractice

[[Page 70751]]

liability insurance) for health care providers are covered by the 
health insurance issuer exclusion. The commenters uniformly argued that 
the exclusion should not apply. Several commenters noted their intent 
to have their ``captive'' liability insurer seek listing as a PSO. 
Another commenter sought assurances that if a captive liability insurer 
sought listing as a PSO, the PSO would not be considered a component of 
the provider organizations that owned the liability insurer.
    Response: The Department notes that there is some ambiguity in the 
statutory language but concludes that the health insurance issuer 
exclusion does not apply to such organizations.
    While the health insurance issuer exclusion does not apply, the 
Department notes that the statute and the final rule require that an 
entity seeking listing must attest that its mission and primary 
activity is the improvement of patient safety. That test is readily met 
when an organization, such as a captive liability insurer, creates a 
component organization since the creation of a distinct new entity can 
be established in a manner that clearly addresses and meets the 
``primary activity'' criterion. The Department has the authority to 
review all applications, including those from organizations with 
multiple activities, and to look behind the attestations to determine 
whether the applicant meets the ``primary activity'' criterion.
    We note that a captive entity meets the definition of a component 
organization in this rule. Therefore, if the captive organization is 
eligible for listing because it meets the ``primary activity'' 
criterion, it must seek listing as a component organization and clearly 
would be subject to the requirements on component PSOs. If the captive 
organization does not meet the primary activity criterion for listing, 
it is free to create a component organization to seek listing. Once 
again, however, the additional requirements for a component PSO apply.
    Comment: Several commenters asked whether the health insurance 
issuer exclusion prevents a health system that has subsidiaries that 
include providers and a health insurance issuer, from establishing a 
component organization to seek listing as a PSO.
    Response: As described by several commenters, the PSO and the 
health insurance issuer would be affiliates in a ``brother-sister'' 
relationship within the parent organization. As long as the health 
insurance issuer does not have the authority to control or manage the 
PSO, the health system is not precluded from having both a health 
insurance issuer subsidiary and a component PSO.
    Comment: Several commenters raised questions from different 
perspectives regarding situations in which providers might be required 
to report data to a PSO. Some commenters suggested that the final rule 
should prohibit a facility or health care delivery system from 
requiring individual clinicians (who are employed, under contract, or 
have privileges at the facility or within the system) to report data to 
a specific PSO. Others raised questions regarding the eligibility for 
listing of existing Federal, state, local or Tribal patient safety 
reporting systems that are administered by an entity without regulatory 
authority.
    Response: While the Patient Safety Act does not require any 
provider to report data to a PSO, the statute is silent on whether 
others (such as institutional providers or other public entities) can 
impose such requirements on providers. The Department makes a 
distinction based upon the source of reporting requirements and the 
extent to which the requirement can be viewed as consistent with the 
statutory goal of fostering a ``culture of safety.'' Thus, the 
Department has declined to include in the final rule any restriction on 
the ability of a multi-facility health care system to require its 
facilities to report to a designated PSO or of a provider practice, 
facility, or health care system to require reporting data to a 
designated PSO by those providing health care services under its aegis, 
whether as employees, contractors, or providers who have been granted 
privileges to practice. A patient safety event reporting requirement as 
a condition of employment or practice can be consistent with the 
statutory goal of encouraging institutional or organizational providers 
to develop a protected confidential sphere for examination of patient 
safety issues. While an employer may require its providers to make 
reports through its patient safety evaluation system, section 
922(e)(1)(B) prohibits an employer from taking an adverse employment 
action against an individual based upon the individual's reporting 
information in good faith directly to a PSO.
    By contrast, the Department views mandatory reporting requirements 
that are applicable to providers that are not workforce members and 
that are based in law or regulation, regardless of whether the specific 
data collected by these systems is anonymous or identifiable, as 
incompatible with the intent of the Patient Safety Act to foster 
voluntary patient safety reporting activities. In these situations, 
provider failure to make legally required reports can potentially 
result in a loss of individual or institutional licensure and the 
ability to practice or deliver health care services. Accordingly, we 
have added to the list of entities excluded from listing in Sec.  
3.102(b)(2)(ii) entities that administer such mandatory patient safety 
reporting systems.
    A voluntary Federal, state, local, or Tribal patient safety 
reporting system can seek listing as a PSO. This means that the entity 
administering the reporting system does not have statutory or 
regulatory authority to require providers to submit data to the 
administering organization, and that organization is not required by 
statute or regulation to make the collected identifiable data available 
in ways that would be incompatible with the limitations on disclosure 
discussed in Subpart C.
    Comment: Two commenters addressed the issue of whether Quality 
Improvement Organizations (QIOs), which are organizations that have 
contracts with Medicare and often with other payers or purchasers to 
review compliance with regulatory or contractual requirements and make 
reports that may adversely impact providers financially, can seek 
listing as PSOs.
    Response: QIOs are precluded from seeking listing as PSOs. The 
final rule precludes agents of a regulatory entity from seeking listing 
and QIOs serve as agents of Medicare. Some QIOs also serve in similar 
capacities as agents of state regulatory bodies. As noted above, an 
agent of a regulator may create a component organization that would be 
eligible to seek listing as a PSO, provided such a component 
organization meets the additional requirements of Sec.  
3.102(c)(1)(ii).
    Comment: Several commenters asked if the proposed exclusions of 
entities applied to State Boards of Health, programs offering providers 
certifications, and physician specialty boards.
    Response: With respect to State Boards of Health, there are two 
issues regarding their potential ineligibility for becoming PSOs. The 
first, raised by the commenter, is whether these boards can be 
considered regulatory entities and in most cases they would be. While 
State Boards of Health provide leadership and policy coordination for 
state health policies, they generally have the power to oversee, 
enforce or administer regulations governing the delivery of health care 
services and would, therefore, be ineligible to be listed as a PSO. The 
second issue is whether such a board with its multiple

[[Page 70752]]

responsibilities could attest that the conduct of activities to improve 
patient safety and health care quality is its primary activity.
    With respect to entities that offer certifications, physician 
specialty boards, or similar activities, we would use a fact-based 
approach that assesses the activities in light of the exclusions in the 
rule at Sec.  3.102(a)(2)(ii).
    Comment: One commenter questioned whether the proposed requirement 
that a PSO notify the Secretary if it can no longer meet the 
requirements for listing essentially meant that the PSO was admitting a 
deficiency.
    Response: We expect this requirement to operate prospectively so 
that the Secretary can evaluate whether the changed circumstances may 
still be cured. While it is possible that this requirement in some 
situations would be the equivalent of a PSO admitting a current, rather 
than prospective deficiency, we note two aspects of the process 
outlined here. First, the correction of deficiencies is not a punitive 
process. Second, the obligation to inform the Secretary of changes is a 
companion element to the Department's approach in listing entities 
based upon attestations.
(B) Section 3.102(b)--Fifteen General PSO Certification Requirements
    Proposed Rule: Section 3.102(b) of the proposed rule incorporated 
the 15 requirements specified in the Patient Safety Act that every 
entity must meet for listing as a PSO. These 15 requirements are 
comprised of eight patient safety activities and seven other criteria. 
At initial listing, an entity would certify that it has policies and 
procedures in place to perform the eight specified patient safety 
activities and, upon listing, would comply with the seven other 
criteria during its period of listing. At continued listing, the PSO 
would certify that it has performed during its period of listing, and 
would continue to perform, all eight patient safety activities and 
that it has complied with, and would continue to comply with, the 
seven other statutory criteria during its next period of listing.
    We proposed to define the confidentiality and security requirements 
that are part of the patient safety activities that PSOs must carry out 
as requiring compliance with the confidentiality provisions of Subpart 
C and the security measures required by Sec.  3.106. We did not propose, 
but sought comment on whether the final rule should include, a 
requirement that a PSO inform any provider from which it received 
patient safety work product if there are impermissible disclosures of, 
or security breaches with respect to, the provider's patient safety 
work product.
    A PSO would meet the minimum contract requirement under the 
proposed rule with two contracts, each with a different provider, at 
some point during a PSO's sequential 24-month periods of listing. The 
proposed rule sought comment on how to interpret the requirement that 
the required contracts must be ``for a reasonable period of time,'' 
asking whether the final rule should use a standard that was time-
based, task-based, or include both options.
    The proposed rule noted that PSOs are required by the statute, to 
the extent practical and appropriate, to collect patient safety work 
product from providers in a standardized manner that permits valid 
comparisons of similar cases among similar providers. We stated that we 
were considering including in the final rule, and sought comment on, a 
clarification that compliance would mean that a PSO, to the extent 
practical and appropriate, will collect patient safety work product 
consistent with guidance that the Secretary is developing regarding 
reporting formats and common definitions when the guidance becomes 
available. We also sought comment on the process for the development of 
common formats and definitions.
    Overview of Public Comment: Most of the comments we received on 
this subsection focused on the contract requirement and the specific 
questions posed by the proposed rule. Nearly all of the commenters who 
addressed the issue supported the inclusion in the final rule of a 
requirement that PSOs must notify a provider if the work product 
submitted by the provider was inappropriately disclosed or its security 
was breached. Those favoring the inclusion of the requirement cited 
concern about the sensitivity of patient safety work product and the 
importance of ensuring that providers know if the PSO to which they 
reported data was living up to its obligations to protect the security 
and confidentiality of their data. They noted that the HIPAA Privacy 
and Security Rules will not always be applicable: That some providers 
will not be considered covered entities and identifiable patient safety 
work product may not always contain protected health information.
    Those opposed to the requirement argued that most patient safety 
work product will contain protected health information and providers 
reporting to a PSO are likely to be covered entities. Thus, the HIPAA 
Privacy Rule will cover most situations and, if providers had 
additional concerns, they could address them contractually. It was also 
suggested that the preamble to the final rule should carefully describe 
a PSO's obligations when the HIPAA Privacy and Security Rules apply and 
the requirements to report impermissible disclosures even when 
protected health information is not involved.
    With respect to the statutory requirement for contracts with more 
than one provider, several commenters proposed that one contract with 
multiple providers should be deemed to meet the statutory requirement. 
These commenters often argued that it was inefficient to require a PSO 
to enter multiple contracts when the statutory intent of collecting 
data from multiple providers could be met through a single contract. 
Several commenters alleged that the proposed rule did not interpret the 
requirement that contracts be entered with ``different providers'' and 
sought clarification in the final rule.
    The vast majority of commenters opposed including any standard in 
the final rule for determining when one of the required contracts was 
``for a reasonable period of time.'' Many argued that this decision 
should be left to the marketplace, permitting providers and PSOs to 
enter customized arrangements. A few commenters supported incorporation 
of a time-based standard, ranging from 3-12 months. One commenter 
recommended incorporating both time-based and task-based standards.
    In response to our specific request for comment on whether the 
final rule should reference the Secretary's guidance on common formats 
and definitions, the vast preponderance of comments were supportive, 
with many detailing reasons why use of common formats was important. 
Several organizations offered caveats to their support, such as concern 
that the development of Secretarial guidance might slow the process and 
may further interfere with innovation. Many organizations offered 
suggestions to the Department such as: Allowing private sector 
feedback; harmonizing with other data reporting requirements; allowing 
collection of data in addition to the common formats, particularly for 
use at the local level; and allowing time to phase in use of common 
formats.
    Virtually all comments were supportive of the process by which the 
Department was developing guidance on common formats. Many commenters 
suggested steps that they wished the Department to take such as: 
Greater or earlier involvement of the private sector; transparency in 
the process; acceptance of comments from outside government;

[[Page 70753]]

and use of evidence from existing reporting systems. The process we 
outlined for private sector consultation was viewed positively. We 
received several comments and recommendations related to this process 
that were outside the scope of the rule and, therefore, are not 
addressed below.
    Final Rule: For convenience and clarity, we have modified the text 
in the final rule to separate initial and continued listing within 
Sec.  3.102(b)(1), which states the required certifications for the 
eight patient safety activities and within Sec.  3.102(b)(2), which 
states the required certifications for the seven PSO criteria. This 
modification does not reflect a substantive change.
    We have incorporated in Sec.  3.102(b)(1)(B) of the final rule one 
additional requirement, posed as a question in the proposed rule and 
strongly supported by commenters, that a PSO must inform the provider 
from which it received patient safety work product if the work product 
submitted by that provider is inappropriately disclosed or its security 
is breached. The Department recognizes that in certain cases a PSO may 
not know the identity of the provider that submitted patient safety 
work product, e.g., anonymous submissions, or it might not be possible 
to contact the provider, e.g., if the provider has gone out of business 
or retired. In these cases, the Department would expect the PSO to be 
able to demonstrate, if selected for a ``spot check,'' that it made a 
good faith effort to reach every provider that submitted the work 
product subject to an inappropriate disclosure or a security breach. We 
also note that this requirement only requires the PSO to contact the 
provider that submitted the information; the PSO is not expected to 
contact providers or others whose names are included in the patient 
safety work product. As a business associate of a provider covered by 
the HIPAA Privacy Rule, the PSO must abide by its business associate 
contract with that provider, obligating it to notify the provider if it 
becomes aware of an impermissible disclosure of protected health 
information. See 45 CFR 164.504(e)(2)(ii)(C). Once the PSO has informed 
the provider of the impermissible disclosure, the HIPAA Privacy Rule 
requires the provider to mitigate the harmful effects of an 
impermissible disclosure. See 45 CFR 164.530(f).
    We have also incorporated in Sec.  3.102(b)(2)(i)(C) a minor 
modification in the text of the criterion relating to the required two 
contracts. The text in the proposed rule stated that a PSO ``must have 
entered into two bona fide contracts'' with different providers; we 
have deleted the words ``entered into.'' Our intent in the proposed 
rule text was to encourage PSOs to enter long-term contracts with 
providers by enabling a multi-year contract to be counted toward the 
two contract minimum in each of the 24-month periods during which the 
contract was in effect. By deleting the words ``entered into,'' the 
text of the final rule more clearly reflects our original intent.
    We also provide clarification here, which we did not consider 
necessary to include in the rule text, regarding the obligations of a 
PSO. The certifications for initial listing regarding patient safety 
activities track the statute and require a PSO to have policies and 
procedures in place to perform patient safety activities. At continued 
listing, PSOs will be expected to have performed all eight patient 
safety activities. Some of the required patient safety activities must 
be performed at all times, such as utilizing qualified staff, having 
effective policies and systems to protect the security and 
confidentiality of patient safety work product when the PSO receives 
work product, undertaking efforts to improve the quality and safety of 
patient care, and developing and disseminating information to improve 
patient safety. Other required patient safety activities can only be 
performed when the PSO is working with a provider (such as providing 
feedback to participants in a patient safety evaluation system) and 
receiving patient safety work product from providers (such as 
utilization of patient safety work product to develop a culture of 
safety).
    The Department recognizes that, for any given contractual 
arrangement, providers, not PSOs, will determine the tasks PSOs 
undertake and for which they will be compensated. Therefore, our 
approach to assessing compliance will be as follows. If subject to a 
spot check for compliance, a PSO must be able to demonstrate that it 
has performed all eight patient safety work products at some point 
during its three-year period of listing. However, we will expect a PSO 
to demonstrate that it performs throughout its period of listing the 
patient safety activities that are not dependent upon a relationship 
with a provider or receipt of patient safety work product. We will 
expect compliance with the other patient safety activities consistent 
with the contracts or agreements that the PSO has with providers. A 
component PSO that is established by a health care provider, and for 
which the parent-provider organization is a primary client, would not 
be dependent on external contracts and would be expected to be in 
compliance with all eight patient safety activities during its entire 
period of listing.
    In response to commenters who sought clarification on what is meant 
by compliance with the two-contract requirement, we reaffirm that the 
statutory requirement is clear. There must be two written contracts; a 
single contract with multiple providers can only be counted as one 
contract. We interpret the requirement that the contracts must be with 
``different'' providers straightforwardly. The only requirement is 
that the bona fide contracts must be with individuals or institutions 
that are providers as defined in the rule. We have imposed no other 
requirements; the contracts can be with an institutional provider and 
an individual clinician, or with two entities within the same or 
different system(s).
    After careful consideration of the comments we received, the 
Department has concluded that we will not incorporate an interpretation 
of the term ``each for a reasonable period of time'' regarding the 
required contracts. As we noted in the proposed rule, our intent in 
proposing to interpret the language was to give providers increased 
certainty that the listing of the PSO to which they are reporting data 
could not be challenged on the basis that its required contracts were 
not for a reasonable period of time. However, the provider community 
opposed interpreting the provision, fearing that it would limit their 
ability to customize contracts to meet their analytic needs and urged 
the Department to rely upon the marketplace to interpret this 
requirement. With no empirical basis for choosing one standard or one 
time frame over another, and given the inability to anticipate what 
types of contractual relationships will evolve under the final rule, 
the Department concluded that incorporating a standard at this time 
could have unintended negative consequences and has chosen not to do 
so. As a result, a PSO will be required to have two contracts in effect 
at some point during each 24-month reporting period established by the 
statute but the contracts are not required to cover a specific or 
minimum time period and they are not required to be in effect at the 
same time.
    While we received overwhelmingly favorable support for requiring 
compliance with the Secretary's guidance on common definitions and 
reporting formats (common formats) for the collection of patient safety 
work product, we recognize that the Department's efforts to develop

[[Page 70754]]

guidance will take time. We issued common formats in August 2008 
addressing all patient safety events in acute-care hospitals; AHRQ has 
made the common formats available on its Web site to facilitate their 
use by providers with varying levels of sophistication as well as by 
PSOs. The guidance will be expanded over time to other settings of 
care. Because we anticipate that some PSOs may choose to concentrate 
their work in areas for which guidance from the Secretary is not yet 
available, we have modified the text of the rule by incorporating a new 
paragraph (iii) that interprets compliance in the following way.
    At initial listing, the requirement will be interpreted as a 
commitment by the entity seeking listing to adopt the Secretary's 
recommended formats and definitions by the time it seeks continued 
listing ``to the extent practical and appropriate.'' During the initial 
three-year period of listing, AHRQ will not issue a preliminary finding 
of deficiency to any PSO that has not adopted the Secretary's 
recommended formats and definitions.
    At continued listing, a PSO will be required to: (1) Certify that 
the PSO is using the Secretary's guidance for common formats and 
definitions; (2) certify that the PSO is using an alternative system of 
formats and definitions that permits valid comparisons of similar cases 
among similar providers; or (3) provide a clear explanation for why it 
is not practical or appropriate for the PSO to comply with options (1) 
or (2) at this time. The Secretary will consider a PSO to be in 
compliance if it is using the Secretary's guidance, satisfactorily 
demonstrates that the alternative system it is using permits valid 
comparisons of similar cases among similar providers, or satisfactorily 
demonstrates why neither option is practical or appropriate at this 
time. An example of a satisfactory justification might be that the PSO 
specializes in analyses in a specific niche of health care delivery in 
which there remains significant controversy over relevant reporting 
formats and definitions and/or the Secretary has not recommended any 
relevant common formats or definitions. The Secretary, if he determines 
that the PSO is otherwise eligible for continued listing, but has not 
satisfactorily demonstrated that it meets one of the three requirements 
in Sec.  3.102(b)(2)(iii), may exercise his discretion to continue the 
listing of the PSO and use the process for correction of deficiencies 
in Sec.  3.108(a) to bring the PSO into compliance after its listing 
has been continued.
    We believe this approach effectively balances the statutory goal of 
promoting the ability to aggregate, and learn from, patient safety work 
product, while recognizing the statutory caveat that this requirement 
applies ``to the extent practical and appropriate.'' Our approach 
ensures that PSOs will take the requirement seriously and that a PSO's 
statement that it is not ``practical or appropriate'' to comply at this 
time is well-founded.
Response to Other Public Comments.
    Comment: Several commenters suggested that the final rule include a 
requirement that entities provide assurances that they are financially 
viable.
    Response: The Department has not adopted this proposal. We do not 
believe that assuring the financial viability of PSOs is either an 
authorized or an appropriate Federal task in carrying out the Patient 
Safety Act. The statutory framework leaves this inquiry and 
determination to prospective clients in the market for PSO services. 
PSOs will learn to address this concern routinely if required by 
providers to do so.
    Comment: One commenter suggested that the final rule include a 
provision to require PSOs to have policies and procedures in place to 
safeguard the privacy and confidentiality of a staff member of a PSO, 
who is identified in patient safety work product.
    Response: The Department agrees that PSOs should consider and 
address issues of confidentiality, including those of its workforce 
members. However, we do not believe it is appropriate or necessary to 
mandate how a PSO addresses this issue.
    Comment: Several commenters raised concerns regarding the statutory 
requirement that ``the mission and primary activity of a PSO must be to 
conduct activities that are to improve patient safety and the quality 
of health care delivery'' might make it difficult for existing 
organizations with multiple activities to qualify for listing. One 
commenter suggested that the requirement be altered so that the mission 
and primary activity ``includes'' quality improvement and patient 
safety. Questions were also raised whether organizations that currently 
undertake other activities such as provider education or other 
collections and analyses of clinical data to improve the quality, 
safety, and efficiency of health care would meet the requirement.
    Response: It is important to recognize that the language at issue 
was incorporated into the proposed rule directly from the statute. 
Accordingly, it has been retained. We note that this statutory language 
imposes a dual requirement: improvement of patient safety and the 
quality of health care delivery must be reflected in the entity's 
mission and this improvement activity must constitute the entity's 
primary activity. Since many organizations could reasonably claim that 
improvement of the quality of health care and patient safety are 
fundamental to their missions and even have these words in their 
mission statements, the critical and distinguishing requirement in this 
statutorily-based criterion is that such improvement activities must be 
the entity's primary activity.
    While we understand the rationale of the commenter--many of the 
organizations interested in becoming PSOs will have difficulty 
attesting that this is their primary activity--the Department does not 
have the authority to alter this statutory requirement by making 
improvement of health care delivery and patient safety one of any 
number of significant activities that an organization performs. The 
statute effectively recognizes this dilemma and provides an option in 
this situation. An entity can create a component organization, 
discussed in the next subsection, to seek listing. Such a new component 
created for this exclusive purpose or with this purpose as its primary 
activity would inherently meet this requirement.
    It is likely that some providers will find it more reassuring to 
work with a PSO that is focused solely on the statutorily mandated 
objectives. If an organization with other activities and personnel is 
listed in its entirety as a PSO, it can share a provider's identifiable 
patient safety work product throughout the legal entity, including with 
individuals who are not involved in the work of the PSO, without 
violating the disclosure restrictions of the statute and without 
triggering Federal enforcement action pursuant to subparts C and D of 
the rule. We expect many providers will prefer that their protected 
information be closely held. Thus, existing organizations have other 
reasons, in addition to the mission and primary activity criterion, to 
consider the option of establishing a PSO as a component organization.
    In response to an example posed in two separate comments, if an 
entity's primary activity is the collection and analysis of clinical 
data to improve the quality, safety, and efficiency of health care, the 
Department would consider these activities consistent with the statutory 
requirement. Other situations may warrant discussion with AHRQ staff 
during the planning stage of a PSO or

[[Page 70755]]

at least before submitting certifications for listing. Another example 
posed by a commenter--an entity that provides general health education 
to providers--would appear to require further discussion. As presented, 
general health education would appear to have a link to, but an 
inadequate emphasis on, the analytic focus of a PSO's mandatory patient 
safety and quality improvement activities. The health education entity 
can certainly avail itself of the option to establish a component 
organization to seek listing.
    Comment: One commenter asked what is meant by the concept of 
carrying out patient safety activities. Does this mean that patient 
safety activities must be performed and, if so, when?
    Response: We note that this obligation rests with a PSO, not 
providers. The requirement means that a PSO must perform all eight 
patient safety activities during its period of listing. We clarify how 
the Department will assess PSO compliance with this requirement in the 
discussion of the final rule above.
    Comment: One commenter asked if a PSO could meet the minimum 
contract requirement by entering a contract with a 50-hospital system 
and one independent practitioner (either with a physician or nurse 
practitioner).
    Response: To meet the requirement, a PSO must have at least two 
contracts with different providers. In this case, a contract with a 
solo health care practitioner (such as a physician or a nurse 
practitioner) would meet the requirement for the second contract.
    Comment: One commenter asked if a contract between the parent of a 
health system and a PSO is tantamount to entering a contract with each 
provider that comprises the health system.
    Response: Such an arrangement does not meet the requirement; the 
requirement focuses on the number of contracts, not the number of 
providers that are involved with any contract. The rule, based on the 
terms of section 924(b)(1)(C) of the Public Health Service Act, 
requires two contracts.
    Comment: Can providers within the same system count as different 
providers for meeting the minimum contract requirement?
    Response: The answer to this question is yes if the PSO has 
separate contracts with at least two different providers. Whether the 
providers have a common organizational affiliation is not relevant. The 
only requirements are that the individuals or facilities must be 
providers as defined in Sec.  3.20 of the rule and that there are at 
least two contracts with different providers. Once again, the focus of 
the requirement is the number of contracts.
    Comment: A commenter asked if the establishment of a 
``relationship'' with a provider is sufficient to meet the minimum 
contract requirement.
    Response: No. The rule requires two bona fide contracts, as defined 
in section 3.20, meeting the requirements of the rule.
    Comment: One commenter expressed concern about the ability of his 
agency to meet the minimum contract requirement. His agency administers 
a public patient safety reporting system to which hospitals are 
required to report by state law. His concern was that the hospitals 
might see no need to enter contracts with his agency if it were listed 
as a PSO.
    Response: The modifications to the final rule in Sec.  
3.102(a)(2)(ii) preclude an entity that manages or operates a mandatory 
patient safety reporting system from seeking listing as a PSO.
    Comment: One commenter urged that the final rule not marginalize 
State mandatory reporting systems through the separation of provider 
reporting to PSOs. The commenter recommended that the final rule permit 
States to become listed as PSOs or enter into collaborative 
arrangements with PSOs to share data and staff.
    Response: While we believe that an entity that operates a Federal, 
state, local, or Tribal mandatory patient safety reporting system 
should not be listed as a PSO, the rule does permit a component of such 
an entity to seek listing. A PSO that is a component of an excluded 
entity is prohibited from sharing staff with the excluded entity and 
has limitations on its ability to contract with such a parent 
organization (see Sec.  3.102(c)(4)). However, the component PSO could 
enter into some types of limited collaboration with an excluded entity. 
For example, a PSO may accept additional data from an excluded entity 
for inclusion in its analyses with the understanding that the PSO may 
only share its findings pursuant to one of the permissible disclosures 
in Subpart C, e.g., if the findings are made non-identifiable. In 
addition, other PSOs similarly may share their nonidentifiable findings 
with mandatory state patient safety reporting systems and, to the extent 
permitted by state law, the state systems might give data to completely 
separate PSOs for analysis and reports in nonidentifiable terms.
    Comment: Several commenters suggested that excluded entities might 
become members of a PSO as long as they were not vertically linked to 
the PSO, although they did not explain what they meant by the term, 
members.
    Response: It is not clear what the commenters mean by a ``member'' 
of a PSO in this context. To the extent that the comments are referring 
to a possible joint venture that creates a PSO, there are few 
productive roles that an excluded entity could play. Such excluded 
entities could not have or exercise any level of control over the 
activities or operation of a PSO. Thus, they could not have access to 
patient safety work product. As a result, the potential for involvement 
of an excluded entity with a PSO would be very limited.
    We note, however, that a component of an entity excluded by Sec.  
3.102(a)(2)(ii) can seek listing. These types of component 
organizations must meet additional requirements set forth in Sec.  
3.102(c)(1).
    Comment: One commenter requested clarification regarding the 
required patient safety activity to provide feedback and assistance to 
providers to effectively minimize patient risk.
    Response: We recognize that the performance of some patient safety 
activities will be dependent upon a PSO's arrangements with its 
clients. As we noted in our discussion of the final rule, we will 
interpret a PSO to be in compliance with this requirement if the 
feedback and assistance is performed at some point during the PSO's 
period of listing.
    Comment: Two commenters pointed to the importance of the use of 
contracted staff to enable a PSO to carry out its duties, especially in 
rural or low population density areas. In such circumstances, a PSO 
needs to draw upon competencies and skills as needed and asked that we 
clarify that such contractors, whether paid or volunteer, could enable 
a PSO to meet the qualified staff requirement.
    Response: The Department assumes that many PSOs, especially 
component PSOs, will use a mix of full-time personnel and individuals 
from whom they seek services as needed, whether paid or on a volunteer 
or shared basis. That is why we have incorporated a broad definition of 
``workforce'' in the rule that encompasses employees, volunteers, 
trainees, contractors, and other persons whether or not they are paid 
by the PSO. As defined in this rule, workforce refers to persons whose 
performance of activities for the PSO is under the direct control of 
the PSO. In addition, however, a PSO is free to enter contracts for 
specific or specialized services, subject to other requirements of the 
rule.

[[Page 70756]]

(C) Section 3.102(c)--Additional Certifications Required of Component 
Organizations
    Proposed Rule: Along with the 15 requirements under subsection (b) 
that all PSOs would have to meet, Sec.  3.102(c) of the proposed rule 
would require an entity that is a component of another organization to 
make three additional certifications regarding: (1) The secure 
maintenance of patient safety work product separate from the rest of 
the organization(s) of which it is a part; (2) the avoidance of 
unauthorized disclosures of patient safety work product to the rest of 
the organization(s) of which it is a part; and (3) the mission of the 
component organization not creating a conflict of interest with the 
rest of the organization(s) of which it is a part.
    We proposed two additional requirements that would interpret these 
statutory provisions: (1) A component PSO could not have a shared 
information system with the rest of the organization(s) of which it is 
a part; and (2) the workforce of the component PSO could not engage in 
work for the rest of the organization(s) if such work could be informed 
or influenced by the individual's knowledge of identifiable patient 
safety work product (except if the work for the rest of the 
organization is solely the provision of patient care). The proposed 
rule did not propose an interpretation, but sought public comment, on 
the requirement that a component organization not create a conflict of 
interest with the rest of the organization(s) of which it is a part.
    We proposed, and sought comment on, a limited option for a 
component PSO to take advantage of the expertise of the rest of its 
parent organization(s) to assist the PSO in carrying out patient safety 
activities. Under this proposal, a component PSO could enter into a 
written agreement with individuals or units of the rest of the 
organization involving the use of patient safety work product, subject 
to specified requirements.
    Overview of Public Comments: Numerous commenters strongly disagreed 
with the Department's proposal that PSOs must maintain separate 
information systems. These commenters argued that it would impose a 
tremendous financial and administrative burden to establish separate 
information systems. A number of commenters suggested alternative 
approaches that could achieve the same goal. For example, one commenter 
recommended that HHS adopt a non-directive concept of functional 
separation and require PSOs to submit with their certifications for 
listing a description of how they intend to meet the requirement for 
technological and other controls to ensure that there is an effective 
protection against inappropriate access to the patient safety work 
product held by the component PSO.
    There was significant concern with the proposal to limit the 
sharing of employees between the parent organization(s) and the 
component PSO if the employee's work could be informed by knowledge of 
a provider's identifiable patient safety work product. Some commenters 
argued that the prohibition was too broad, that it should be narrowed, 
or that the standard was too vague and had the potential for creating 
confusion. A number of commenters recognized the merits of the intended 
prohibition but thought that the proposed rule's formulation was so 
vague that it might limit the ability of any physician in an academic 
health center to assist the component PSO if the physician supervised 
and evaluated interns and residents during their training, presuming 
this to be an unintended result.
    Several alternative approaches were suggested, including: (1) Limit 
the prohibition to staff in the parent organization who would use 
patient safety work product for non-patient safety activities; (2) 
obtain pledges by staff not to use patient safety work product for 
``facility administrative functions;'' (3) limit the prohibition to 
persons with disciplinary/credentialing functions; (4) require 
management staff to sign agreements not to use patient safety work 
product in hiring/firing, credential/privilege decisions; and (5) 
permit shared staff for specific types of entities, such as state 
hospital associations, but not others.
    Our proposal to provide a limited option for a component PSO to 
draw upon the expertise of its parent organization(s) to assist the PSO 
in carrying out patient safety activities was well received. Most 
commenters were supportive of the flexibility provided by this 
provision although one commenter suggested deleting it. Several 
commenters stressed that a ``substantial firewall'' should be 
maintained and that such contracting should only be allowed ``for 
clearly defined and limited staff services.'' One commenter urged that 
such contracts or agreements should be submitted to the Secretary in 
advance so that they ``can be scrutinized by HHS to assess whether 
confidentiality or privilege protections can practically remain 
intact.''
    In our discussion regarding entities excluded from listing in Sec.  
3.102(a)(2)(ii), we noted that a number of commenters that supported 
permitting components of such entities to seek listing, suggested, 
nevertheless, that we establish additional limitations and 
requirements. Their suggestions included requiring that such a 
component organization seeking listing must: Specifically identify its 
parent organization as a regulator and specify the scope of the parent 
organization's regulatory authority; submit to the Secretary 
attestations from providers choosing to report to the PSO that they 
have been informed of the scope of regulatory authority of the parent 
organization; and provide assurances to the Secretary that the parent 
organization has no policies that compel providers to report patient 
safety work product to its component PSO. They also suggested such a 
PSO not be permitted to share staff with the parent organization and 
not be able to take advantage of the proposed limited provision that 
would permit a component PSO to contract with its parent organization 
for assistance in the review of patient safety work product.
    The proposed rule did not propose an interpretation but sought 
comment on the circumstances under which the mission of a component PSO 
could create a conflict of interest for the rest of the parent 
organization(s) of which it is a part. The recommendations of 
commenters reflected a variety of perspectives: One view was that the 
rule should not adopt a general standard; a component organization 
should disclose what it believes may be its conflicts and that this 
disclosure should be deemed sufficient to have cured the conflict; 
another said the Department should undertake case-by-case analysis; and 
a third suggested the Department should adopt guidance, not regulatory 
language.
    Another commenter wrote that there could be no conflict of interest 
if the parent organization is a provider; others suggested that certain 
types of parent organizations posed conflicts of interest, such as when 
the parent organization is an investor-owned hospital or if there are 
certain legal relationships which providers have with a parent 
organization or its subsidiaries. Similarly, one commenter suggested 
that not-for-profit status of a PSO should be an indicator that there 
is no conflict of interest. In a parallel vein, another commenter 
argued that if the PSO could use or sell its information for commercial 
gain, this was a conflict. This commenter also argued that if a PSO 
could be used to create an oasis solely for protection of information 
reported by the system that created it, this represented a conflict; 
the

[[Page 70757]]

information held by a PSO must be made available at minimal or no cost 
for further aggregation. Another commenter suggested that a component 
PSO should never evaluate patient safety work product of an affiliated 
organization; if it does so, this creates a conflict-of-interest.
    Finally, several commenters also suggested that there must be no 
conflict between patient safety work product and non-patient safety 
work product functions. A similar comment from another entity argued 
that a PSO must certify that members of the component PSO workforce are 
not engaged in work for the parent organization that conflicts with the 
mission of the PSO.
    Final Rule: After careful consideration of the extensive number of 
comments received regarding component organizations, the Department has 
modified and restructured the text for Sec.  3.102(c) in the following 
ways.
    We have restructured Sec.  3.102(c) into four separate paragraphs. 
New Sec.  3.102(c)(1)(i) lists the provisions with which different 
component organizations must comply. This subparagraph sets forth the 
requirements that all component organizations must meet. The language 
of this subparagraph is retained from the proposed rule but includes a 
requirement that all component organizations must submit with their 
certifications contact information for their parent organization(s) and 
provide an update to the Secretary in a timely manner if the 
information changes. This requirement was proposed in the preamble but 
was not incorporated in the text of the proposed rule. Many of the 
commenters noted the importance to providers of having information 
regarding the parent organization of a component PSO and, therefore, we 
have incorporated the provision.
    New Sec.  3.102(c)(1)(ii) outlines the requirements for components 
of entities excluded from listing under Sec.  3.102(a)(2)(ii) of this 
section. These components must meet the requirements for all component 
PSOs in Sec.  3.102(c)(1)(i) as well as submit the additional 
certifications and information and adhere to the further limitations 
set forth in Sec.  3.102(c)(4) that are discussed below.
    New Sec.  3.102(c)(2) restates the three additional statutory 
certifications that must be made by all component organizations seeking 
listing. We have deleted two requirements for component entities from 
the text of the proposed rule that were intended to interpret these 
statutory requirements: the requirement for separate information 
systems and the restriction on the use of shared staff. The final rule 
does not impose these proposed requirements on most component 
organizations. However, as discussed below regarding Sec.  3.102(c)(4), 
we have retained the prohibition on shared staff only with respect to 
components of entities that are excluded from listing and, for such 
component PSOs, narrowed the circumstances when contracting with a 
parent organization is permissible.
    With respect to separate information systems, the Department has 
concluded, based upon the information that was included by commenters, 
that there are a number of cost-effective alternatives for achieving 
the statutory goal of separate maintenance of patient safety work 
product. Accordingly, we have included new language that requires a 
component PSO to ensure that the information system in which patient 
safety work product is maintained does not permit unauthorized access 
by any individuals in, or units of, the rest of the parent 
organization(s) of which it is a part.
    Similarly, after careful consideration of the comments, we have 
eliminated the proposed restriction on the use of shared staff for most 
component PSOs. The Department has concluded that there are significant 
incentives for component PSOs and parent organizations to be very 
cautious in their use of shared personnel, protecting against 
inappropriate disclosures, and the disclosure of patient safety work 
product. A number of commenters appeared to appreciate the importance 
of maintaining separation between their patient safety activities and 
internal disciplinary, privileges, and credentialing decisions, which 
were the focus of our concern.
    Our review has led us to conclude that the potential negative 
consequences for providers, independent of any fear of Department 
action, lessen the need for the rule to address this issue. For 
example, institutional providers are likely to find it difficult to 
develop robust reporting systems if the clinicians on their staff learn 
or even suspect that the same individuals involved in analysis of 
patient safety work product play key roles in administrative decisions 
that can lead to adverse personnel decisions. This may lead to 
decreased reporting of patient safety events. The suspicion of 
contamination between the processes could also provide a new basis for 
challenging adverse employment actions, which could require providers 
to prove that their actions were not influenced by inappropriate use of 
patient safety work product. Finally, there is the right of action that 
the statute grants to individual providers who believe and allege that 
their employer took an adverse employment action against them based 
upon their providing information to the employer's patient safety 
evaluation system for reporting to the PSO or based upon their 
providing information directly to the PSO. Given the importance to 
providers of maintaining protections for their work product, we 
conclude that it is unlikely that a parent organization will 
intentionally jeopardize those protections. Therefore, we have 
eliminated the proposed restriction on the use of shared staff, except 
for components of entities excluded from listing as discussed below 
regarding Sec.  3.102(c)(4). In its place, we have restated the 
statutory requirement that the component organization (and its 
workforce and contractors) may not make unauthorized disclosures to the 
rest of the organization(s) of which the PSO is a part.
    We have retained without change in Sec.  3.102(c)(2)(iii) the 
proposed rule text prohibiting the pursuit of the mission of the PSO 
from creating a conflict of interest with the rest of the 
organization(s) of which it is a part. To the extent that individuals 
or units of the rest of the parent organization(s) have obligations and 
responsibilities that are inconsistent with the ``culture of safety'' 
that the statute seeks to foster, a component PSO could create a 
conflict of interest by sharing identifiable patient safety work 
product with them as shared staff or under a written agreement pursuant 
to Sec.  3.102(c)(3), discussed below. On the other hand, the component 
PSO could draw upon the expertise of these same individuals in other 
capacities in which identifiable work product is not shared and, 
thereby, avoid creating conflicts of interest. Thus, we would interpret 
permitting the creation of conflicting situations for staff or units of 
the parent organization(s) as inconsistent with a component PSO's 
attestation.
    Section 3.102(c)(3) retains without substantive change the 
provision in the proposed rule to enable a component PSO, within 
limits, to take advantage of the expertise of the rest of the 
organization of which it is part. In response to concerns expressed by 
some commenters, we stress the statutory requirement for the PSO to 
maintain patient safety work product separately from the rest of the 
organization. In such circumstances, it cannot be transferred to 
individuals or units of the rest of the organization except as 
permitted by the rule. As a practical matter, if the parent

[[Page 70758]]

organization is a provider organization and the component PSO is 
evaluating the parent organization's data, the parent-provider is 
likely to have a copy of all of the data transmitted to the component 
PSO.
    We do not dismiss the concerns of commenters that this contracting 
authority could be used inappropriately. We remind each component PSO 
that the statute requires it to maintain patient safety work product 
separately from the rest of the organization(s) of which the component 
PSO is a part and prohibits unauthorized disclosures to the rest of the 
organization(s) of which they are a part. Therefore, it may not be 
appropriate for its parent organization to serve as its main provider 
of analytic or data services if such arrangements would effectively 
confound statutory intent for a firewall between a component PSO and 
the rest of the organization(s) of which it is a part. The flexibility 
provided by the rule to use in-house expertise is intended to 
supplement, not replace, the PSO's authority to contract with external 
expert individuals and organizations.
    Section 3.102(c)(4) incorporates new requirements, drawn from our 
review of public comments, that only apply to organizations that are 
components of entities excluded from listing under Sec.  
3.102(a)(2)(ii). Thus, these component organizations have three sets of 
requirements to meet: The 15 general certification requirements in 
Sec. Sec.  3.102(b)(1) and 3.102(b)(2); the requirements that all 
component PSOs must meet in Sec. Sec.  3.102(c)(1)(i) and 3.102(c)(2); 
and the requirements that are established by Sec.  3.102(c)(4).
    Section 3.102(c)(4) establishes a requirement for additional 
information and certifications that must be submitted with the 
component organization's certifications for listing and it establishes 
two additional restrictions with which a component organization must 
comply during its period of listing. The additional information and 
certifications require a component PSO of an entity described in Sec.  
3.102(a)(2)(ii) to:
    1. Describe the parent organization's role, and the scope of the 
parent organization's authority, with respect to the activities which 
are the basis of the parent organization's exclusion from being listed 
under Sec.  3.102(a)(2)(ii).
    2. Certify that the parent organization has no policies or 
procedures that would require or induce providers to report patient 
safety work product to the component organization once it is listed as 
a PSO, and affirm that the component PSO will notify the Secretary if 
the parent organization takes any such actions during its period of 
listing. An example of an inducement would be if a parent organization 
that accredited or licensed providers awarded special scoring 
consideration to providers reporting to the parent organization's 
component PSO; additional scoring consideration for reporting to any 
PSO, by contrast, would not violate this restriction.
    3. Certify that the component PSO will include information on its 
website and in any promotional materials for providers describing the 
activities which were the basis of the parent organization's exclusion 
under Sec.  3.102(a)(2)(ii).
    We have incorporated these additional requirements for information 
and attestations to address widespread concerns among commenters that 
an excluded parent organization might attempt to compel providers to 
report data to its component PSO and circumvent the firewalls for 
access to that data. These extra requirements for such component PSOs 
will strengthen transparency and the additional statements submitted 
with the component organization's certifications will be posted on the 
AHRQ PSO Web site along with all its other certifications. Our intent 
is to ensure that such a component organization's website and its 
promotional materials for providers will inform providers regarding the 
nature and role of its parent organization. The rule is emphatically 
clear that the Department will take prompt action to revoke and delist 
a component organization whose excluded parent organization attempts to 
compel providers to report data to its component PSO. New Sec.  
3.108(e)(1) lists specific circumstances, including this situation, in 
which revocation and delisting will take place on an expedited basis.
    During its period of listing, the final rule also prohibits a PSO 
that is a component organization of an entity excluded from listing from 
sharing staff with the rest of the organization(s) of which it is a part. 
Such a component PSO may enter into contracts or written agreements 
with the rest of the organization(s) under the authority provided to 
all component PSOs by Sec.  3.102(c)(3) but with one additional 
limitation. Such contracts or written agreements are limited to units 
or individuals of the parent organization(s) whose responsibilities do 
not involve the activities that are the basis of the parent 
organization's exclusion under Sec.  3.102(a)(2)(ii). If the parent 
organization's sole activity is the reason for its exclusion, the 
component organization could never enter a contract or written 
agreement to have staff from the rest of the organization assist the 
PSO in carrying out patient safety activities. If the parent 
organization engages in a mix of activities, some of which are not a 
basis for exclusion from listing, the component organization will be 
able to take advantage of this contracting option, subject to our 
caveat above.
Response to Other Public Comments
    Comment: One commenter asked us to confirm that component PSOs can 
maintain patient safety work product behind secure firewalls using 
existing information systems.
    Response: The modifications we have adopted and discussed above 
mean that the final rule permits this approach.
    Comment: Several commenters suggested that it was unrealistic for 
the component PSO to maintain patient safety work product separately 
from its parent organization if the parent organization is a provider 
reporting data to the component PSO.
    Response: The Patient Safety Act requires a component PSO to maintain 
patient safety work product separately from the rest of the 
organization(s) of which it is a part; therefore, we cannot remove the 
restriction. While contracts between a PSO and a provider are likely to 
address the extent to which a provider has access to information held 
by a PSO, we caution contracting parties to be mindful of this 
statutory restriction in crafting their contracts. The requirement for 
separation does not mean that the component organization cannot share 
information with a parent organization but any sharing must be 
consistent with the permissible disclosures of this rule.
(D) Section 3.102(d) Required Notifications
(1) Section 3.102(d)(1)--Notification Regarding PSO Compliance With 
Minimum Contract Requirement
    Proposed Rule: Section 3.102(d)(1) of the proposed rule would 
require PSOs to attest within every 24-month period, beginning with its 
initial date of listing, that the PSO has met the two-contract 
requirement. We proposed to require notification of the Secretary 45 
days before the end of the applicable 24-month period. Early 
notification would enable the Department to meet another statutory 
requirement to provide PSOs with an opportunity to correct a 
deficiency. If the requirement is not yet met, this would enable the 
Secretary to establish an opportunity for correction that ends at 
midnight on the last day of the 24-month period.

[[Page 70759]]

    Overview of Public Comments: The comments we received endorsed our 
proposed approach. One commenter suggested we should consider requiring 
notification 60 days in advance.
    Final Rule: We expect that, in most circumstances, contracts will 
be the primary source of revenue for PSOs. In light of the fact that 
only two contracts are required, we do not anticipate that many PSOs 
will reach this point in their period of listing without meeting the 
requirement. We have not accepted the recommendation to require 
notification sooner. The Department adopts the provision as recommended 
in the proposed rule without modification.
(2) Section 3.102(d)(2)--Notification Regarding a PSO's Relationships 
With Its Contracting Providers
    Proposed Rule: The proposed rule incorporated in Sec.  3.102(d)(2) 
the statutory requirement that a PSO would make disclosures to the 
Secretary regarding its relationship(s) with any provider(s) with whom 
the PSO enters a contract pursuant to the Patient Safety Act (Patient 
Safety Act contract). The statute requires PSOs to disclose whether a 
PSO has any financial, contractual, or reporting relationships with 
this contracting provider and, if applicable, whether the PSO is not 
managed, controlled, or operated independently of this contracting 
provider.
    The proposed rule noted that a PSO would need to make this 
assessment when it enters a contract with a provider and, if 
disclosures are required, submit a disclosure statement within 45 days 
of the effective date of the contract. If relationships arise during 
the contract period, submission would be required within 45 days of the 
date the relationships are established.
    The proposed rule would have provided guidance on our 
interpretation of financial, contractual, and reporting relationships 
and emphasized that the statute required a PSO to ``fully disclose'' 
the relationships. We noted that disclosure would be required only when 
the PSO entered a Patient Safety Act contract with a provider and there 
were relationships that required disclosure. We also encouraged, but 
did not require, PSOs to list any agreements, stipulations, or 
procedural safeguards that might offset the influence of the provider 
and that might protect the ability of the PSO to operate independently.
    Overview of Public Comments: Commenters expressed concern that the 
proposed rule was not sufficiently specific with respect to the 
required disclosure statements. They suggested that the emphasis in the 
proposed rule on the statutory requirement for full disclosure, without 
a corresponding discussion of the parameters for the contents and level 
of detail of the statements, raised the prospect that PSOs would feel 
compelled to develop disproportionately detailed information that might 
not be germane. One commenter suggested what was most important is 
awareness of the fundamental relationship(s) that exist, not the 
specific details, suggesting that if the provider in question is the 
parent entity of the PSO, it should be sufficient to know that the 
parent-provider is the source of financial support to the PSO, employs 
its workforce, and provides management to its activities.
    In addition, there was concern that since the disclosure statements 
are going to be made public, detailed submissions regarding the 
financial and contractual obligations would make it difficult to 
maintain the confidentiality of potentially sensitive business 
information. Several commenters noted that it is not unusual for 
certain types of contractual work with commercially sensitive 
implications to include confidentiality agreements and one commenter 
suggested that the process permit a PSO to request that the Secretary 
not disclose specific information under certain circumstances.
    A number of commenters expressed concern about the potential 
unintended consequences of disclosure, especially with respect to the 
identity of providers. One commenter raised concern that the 
requirement would lead to ``differential'' disclosure, by which the 
commenter meant that, of the total number of providers with which a PSO 
enters contracts, only those with other relationships would have their 
names disclosed and the other providers would not have their names made 
known through the proposed public release of disclosure statements by 
the Secretary.
    Final Rule: After careful review of the comments, the Department 
has reconsidered its approach to this disclosure requirement and has 
made modifications to the text that are incorporated in the final rule. 
Based upon this review, we have shifted the emphasis of the term 
``fully disclose'' from stressing the level of detail that a PSO must 
provide in describing each of the other types of relationships (listed 
below) that the PSO has with a contracting provider to an emphasis on 
requiring that the PSO disclose clearly and concisely every 
relationship that requires disclosure. This shift in emphasis remains 
consistent with our overall emphasis on transparency; without being 
burdensome, it enables both the Secretary and providers considering 
contracts with a PSO to request additional information regarding any 
relationships of concern. We have adopted a clearer and narrower 
interpretation of the disclosures of relationships that must be made in 
view of concerns expressed by commenters about the scope of the 
required reports. In response to requests for more guidance on the 
required submissions, this final rule calls for a two-part disclosure 
statement and describes what must be included in each part.
    These modifications to the final rule reflect several 
considerations. The Department has concluded that the Patient Safety 
Act does not provide incentives for a provider to control or manipulate 
the findings of a PSO with respect to its own patient safety 
information. A PSO's conclusions and recommendations are patient safety 
work product and, whether the PSO is critical or complimentary of the 
provider or the provider agrees or disagrees with the PSO, the PSO 
analysis and guidance remain confidential and privileged under the 
Act, which means that there are constraints on the ability of a 
provider to disclose the PSO's conclusions and recommendations. Even 
when they can be disclosed, calling the public's attention to positive 
findings is likely to engender scrutiny of the extent to which the 
provider's relationship with its PSO is truly an arms-length 
relationship. In sum, providers have little to gain under the statute's 
framework from attempting to control or manipulate the analyses and 
findings of a PSO.
    At the same time, the Department expects the statutory disclosure 
requirements, coupled with public release of disclosure statements and 
the Secretary's findings as provided by Sec.  3.104(b), will provide 
important and useful information to providers seeking to contract with 
a PSO. As we pointed out in the proposed rule, a provider seeking to 
contract with a PSO will have its own standards for what other PSO 
relationships it considers to be acceptable. Therefore, the submission 
and public release of this information should improve the efficiency of 
the search process by providers.
    In light of these considerations, the Department has determined 
that the most appropriate interpretation of the statutory requirement 
to ``fully disclose'' other relationships is to emphasize the need to 
require the disclosure of every pertinent relationship specified by the 
statute. Providers that are considering entering a contract with a PSO 
can determine for themselves if any

[[Page 70760]]

disclosed relationships pose concerns. If so, they can then request 
further detailed information as they see fit. This approach has the 
further benefit of limiting the potential for inappropriate release of 
proprietary or commercial information, another matter of concern to 
commenters. The Department will protect confidential commercial 
information as permitted by the Freedom of Information Act and in 
accordance with 18 U.S.C. 1905.
    Thus, in making his required determination, the Secretary will both 
give great weight to, and hold a PSO accountable for, its attestation 
that it will fully disclose all relationships required to be reported 
and whether the PSO's operations, management, and control are not 
independent of any provider with whom it has entered a Patient Safety 
Act contract. The Secretary retains the authority to require an entity 
to provide more detailed information if necessary to make his required 
determination under 42 U.S.C. 299b-24(c)(3) regarding the ability of 
the PSO to fairly and accurately perform its patient safety activities 
in light of any reported relationships.
    The final rule retains the general framework of the proposed rule 
for a PSO to use in determining when a disclosure statement must be 
submitted. The two thresholds remain unchanged. The disclosure 
requirement only applies when a PSO has entered a contract that 
provides the protections of the Patient Safety Act, i.e., a Patient 
Safety Act contract, and the PSO has other relationships with that 
contracting provider of the types specified below. A disclosure 
statement is not required if the PSO has a Patient Safety Act contract 
with a provider and the relationships described below are not present, nor 
is a disclosure statement required if the relationships are present but 
there is no Patient Safety Act contract.
    We have restructured the text in the final rule. There are now 
three paragraphs: A restatement of the requirement in paragraph (i), a 
description of the required content of a disclosure statement in 
paragraph (ii), and the deadlines for submission of disclosure 
statements set forth in paragraph (iii).
    Section 3.102(d)(2)(i) contains the following substantive changes. 
Compared with the requirements of the proposed rule, this paragraph 
eliminates the need to submit a disclosure statement if the PSO's only 
other relationships with this contracting provider are limited to 
Patient Safety Act contracts.
    In response to commenters' questions and concerns, we have modified 
the text describing the statutory list of disclosures: contractual, 
financial, and reporting relationships are incorporated in 
subparagraphs (A)-(C) and control, management, and operation of the 
PSO, independent from the provider, is incorporated in subparagraph 
(D). We have narrowed the language in paragraphs (A)-(C) by limiting 
the required disclosures to current contractual, financial, and 
reporting relationships and restating the requirements to emphasize 
that disclosure is only required for relationships other than those in 
Patient Safety Act contract(s). We have restated and streamlined the 
language of subparagraph (A) to emphasize contracts and arrangements 
that impose obligations on the PSO.
    We have retained the substantive requirements for financial 
relationships. Based upon comments received, we have determined that if 
the PSO is a membership organization, the Department does not consider 
dues or other assessments applied to all members to constitute a 
financial relationship for this purpose. The rule narrows the scope of 
subparagraph (C), where the text narrows the definition of reporting 
relationships to those in which this contracting provider has access to 
information about the work and internal operation of the PSO that is 
not available to other contracting providers. By focusing on this 
particular aspect of reporting relationships, we have tried to make 
plain that it is not our intent to collect information regarding the 
multiple ordinary types of reporting relationships that exist routinely 
between contracting parties. We have made the requirement narrower both 
for clarity and simplicity. The deleted reference to control is 
addressed by subparagraph (D), which we have narrowed to simply restate 
the statutory language on what must be disclosed or reported regarding 
management, control, and operation independent of the contracting 
provider. We deleted the language requiring a PSO to assess whether any 
of the relationships in what is now subparagraph (D) might impair its 
ability to perform patient safety activities fairly and accurately 
because PSOs will now address these issues in the required narrative 
that comprises the second part of the disclosure statement, described 
below.
    New Sec.  3.102(d)(2)(ii) specifies the two required parts of a 
disclosure statement. The first part must disclose in summary form 
succinct descriptions of all of the obligations that the PSO has with 
this provider. The second part must be a related short narrative (we 
recommend no more than 1,000 words) that addresses the issues described 
below and is intended to explain the measures taken by the PSO to 
assure that its analyses and findings are fair and accurate.
    We use the term ``obligations''--rather than the statutory term 
``relationships''--in Sec.  3.102(d)(2)(ii) of the rule for the 
following reason. If a PSO has multiple relationships with a provider, 
many of these relationships are likely to be both contractual and 
financial (and may involve other relationships for which the statute 
requires disclosure). A disclosure statement that was organized by the 
four types of relationships that require disclosure (subparagraphs (A)-
(D) discussed above) would be confusing and difficult to interpret 
since items in different categories would be related. For example, if 
the PSO already has a contract with a provider to render a service for 
which it is paid, we do not see the benefit of having the contract 
listed in one reporting category and the financial relationship in 
another reporting category since they are clearly related.
    Therefore, in drafting the required disclosure statement, a PSO 
should address the four statutorily-required disclosures discussed 
above as aspects of the separate obligations or arrangements that exist 
between a PSO and the provider with which the PSO is entering or has a 
Patient Safety Act contract. A PSO should focus on clarity and brevity 
in explaining each obligation in a single paragraph: A sentence or two 
describing the nature of the obligation, and the remainder of the 
paragraph should address each of the four required disclosures that are 
present and specifically note any of the four that are not.
    As we use the term, an obligation is not limited to services that a 
PSO renders to a provider (such as developing information and 
undertaking analyses or providing a service or technical assistance). 
An obligation could also reflect a PSO's relationship with an investor 
or owner and any arrangement that affects the PSO's independence or 
involves any of the statutorily-required disclosures described above. 
In developing its list, a PSO should not combine separate and distinct 
obligations such as more than one contract, nor should it disaggregate 
a single obligation. For example, if a PSO undertakes technology 
assessments and has three separate contracts for different assessments, 
these would be three separate obligations and should be reported 
separately. On the other hand, an obligation that has more than one

[[Page 70761]]

task, such as providing assistance in implementing and evaluating a 
process improvement, should only be listed once; we are not suggesting 
that PSOs report separately on the different elements of a single 
unified project.
    To apply these concepts, consider a hospital that was one of five 
hospitals that invested in the creation of a PSO and the hospital 
subsequently enters a Patient Safety Act contract with the PSO. If this 
investment is the only obligation other than the Patient Safety Act 
contract that exists between the PSO and the provider, the PSO's 
disclosure statement would include only one obligation and it could be 
described in a single paragraph. Within that paragraph, the PSO should 
systematically address the required statutory disclosures or note that 
they are not present. In addressing financial relationships, the PSO 
should not include the amount of the investment or specific terms. In 
this case, the required paragraph would describe the essential nature 
of the financial relationship, e.g., it is a loan requiring repayment 
over X years; it is a long-term investment requiring the payment of 
dividends, etc., whether it was formalized by a contract, whether a 
reporting relationship exists, e.g., the provider has access to 
internal quarterly financial statements not available to other 
providers, and whether the obligation gives the provider any ability to 
control or manage the PSO's operations, e.g., the provider has a seat 
on the board or review or veto authority over new clients, specific 
contracts, budgets, staff hiring, etc.
    If the PSO is a subsidiary of a health system, the paragraph could 
indicate that the PSO is a subsidiary of the provider, the provider is the 
primary source of revenue for the component PSO, the types of internal 
PSO information to which the provider has access, e.g., all financial, 
personnel, administrative internal information, and that the provider 
manages or controls (or has review and approval authority) of day-to-
day decision-making, hiring and firing decisions, etc. By incorporating 
the required statutory disclosures into a succinct discussion of the 
obligations that a PSO has with this provider, we anticipate that the 
descriptions will be more comprehensible.
    Part II of a disclosure statement must describe why or how the PSO, 
given the disclosures in part I, can fairly and accurately perform 
patient safety activities. The PSO must address: The policies and 
procedures that the PSO has in place to ensure adherence to 
professional analytic standards and objectivity in the analyses it 
undertakes; and any other policies, procedures, or agreements that 
ensure that the PSO can fairly and accurately perform patient safety 
activities.
    Section 3.102(d)(2)(iii) of the rule retains the deadlines for 
submission of disclosure statements that were included in the proposed 
rule.
Response to Other Public Comments
    Comment: One commenter asked that we exempt a PSO with fewer than 5 
clients from releasing the names of its clients.
    Response: We note that a PSO never has to reveal the names of its 
clients (providers) as long as the PSO does not have the other types of 
relationships described in this subsection with those providers. 
However, when such relationships are present, the statute does not 
provide authority for us to create such exceptions.
    Comment: One commenter asked that we clarify that the required 
disclosures can be made in a way that the PSO does not breach the 
confidentiality requirements that may be a part of another contractual 
arrangement with a contracting provider.
    Response: The Department cannot make a definitive statement that 
such confidentiality agreements can always be honored; this requires a 
case-by-case determination. A PSO is encouraged to discuss the issue 
with AHRQ staff before submitting a disclosure statement. As noted 
above, the agency's public disclosures are constrained by 18 U.S.C. 
1905, but agency officials have some discretion with respect to 
determining what information would be restricted under that statute. We 
note also that the agency has the discretion to deny Freedom of 
Information Act requests for information it regards as confidential 
commercial information (5 U.S.C. 552(b)(4)). Agency determinations will 
be assisted by explanations of what is viewed by a submitter as 
confidential commercial information and the reasons why that is the 
case.
    Comment: One commenter posed a series of questions related to an 
entity that seeks listing that receives general membership dues or 
assessments, i.e., whether such general dues or assessments would be 
considered financial relationships and, therefore, require the filing 
of disclosure statements. The commenter also asked if disclosure of 
such membership dues or assessments is required under any other section 
of the rule.
    Response: The Department has determined that membership dues or 
general assessments applied to all members do not constitute 
``financial relationships'' between a provider and a PSO. There is no 
other section of the rule that would require disclosure of membership 
dues or assessments. Before seeking listing, however, a membership 
organization should carefully assess whether it meets the statutory 
requirement that its primary activity must be the conduct of activities 
to improve patient safety and the quality of health care delivery.
2. Section 3.104--Secretarial Actions
(A) Section 3.104(a)--Actions in Response to Certification Submissions 
for Initial and Continued Listing as a PSO
    Proposed Rule: Section 3.104(a) described the actions that the 
Secretary could and will take in response to the certification material 
submitted for initial or continued listing as a PSO. We proposed that, 
in making a listing determination, the Secretary would consider the 
submitted certifications, issues related to the history of the entity, 
and any findings by the Secretary regarding disclosure statements. The 
proposed rule also included authority for the Secretary, under certain 
circumstances, to condition the listing of a PSO. We did not propose a 
deadline for Secretarial review of certifications submitted, but noted 
that we expect the Secretary to be able to conclude review within 30 
days of receipt unless additional information or assurances are 
required.
    Overview of Public Comments: We received several comments 
pertaining to this section. One comment endorsed the proposed 
provision. Another requested that we modify the rule to require 
Secretarial action within 60 days. A third commenter recommended that 
the Secretary establish timetables for all actions and opposed open-
ended timeframes.
    Final Rule: We have retained the text from the proposed rule with 
two modifications. The text of Sec.  3.104(a)(1)(iii) of the proposed 
rule stated that the Secretary may require conditions for listing as 
part of his review of disclosure statements submitted pursuant to Sec.  
3.102(d)(2); that text has been retained. We also noted in the preamble 
discussing proposed Sec.  3.104(a) that there may be certain 
circumstances in which the Secretary determines that it would not be 
prudent to rely solely on the certifications for listing submitted by 
an entity that was previously revoked and delisted for cause or 
previously refused listing by the Secretary. In such limited 
circumstances, we suggested the Secretary may seek additional

[[Page 70762]]

assurances from the PSO that would increase the Secretary's confidence 
that, despite the history of the entity and its officers and senior 
staff, the entity could now be relied upon to comply with its statutory 
and regulatory obligations. To reflect the potential need for 
assurances in such cases, and to better align the text with the 
preamble discussion of the proposed rule, we have modified the text of 
Sec.  3.104(a)(1)(iii) to permit the Secretary to condition the listing 
of a PSO in this limited circumstance to ensure that such a PSO honors 
the assurances it makes in seeking listing.
    The second change is a conforming modification to the basis for the 
Secretary's determination in Sec.  3.104(a)(2), which specifically 
recognizes the right of the Secretary to take into account any history 
of or current non-compliance with requirements of the rule by officials 
and senior managers of the entity. This change also mirrors the 
requirement in Sec.  3.102(a)(1) that entities seeking listing inform 
the Secretary if their officials or senior managers held comparable 
positions in a PSO that was delisted or with an entity that was denied 
listing by the Secretary.
    We have not accepted the commenter's recommendation to establish a 
regulatory deadline of 60 days for Secretarial action. This is a novel 
initiative and without a better sense of the potential issues that may 
arise, such as when a delisted PSO seeks a new listing, we are 
reluctant to circumscribe the flexibility that the statute and the 
proposed rule provided the Secretary. In addition, the statute requires 
an affirmative acceptance and listing action by the Secretary. Listing 
cannot occur as a result of any failure to meet a deadline. 
Accordingly, we have not adopted the recommendation.
(B) Section 3.104(b)--Actions Regarding PSO Compliance With the Minimum 
Contract Requirement
    Proposed Rule: Section 3.104(b) of the proposed rule stated that, 
after reviewing the required notification from a PSO regarding its 
compliance with the minimum contract requirement, the Secretary would, 
for a PSO that attests that it has met the requirement, 
acknowledge in writing receipt of the attestation and include 
information on the list of PSOs. If the PSO notifies the Secretary that 
it has not yet met the requirement, or if notification is not received 
from the PSO by the required date, the proposed rule stated that the 
Secretary would promptly issue a notice of a preliminary finding of 
deficiency and provide the PSO an opportunity for correction that will 
extend no later than midnight of the last day of its applicable 24-
month assessment period. If the Secretary verifies that the PSO has not 
met the requirement by the last day of the 24-month period, he would 
issue a notice of proposed revocation and delisting.
    Overview of Public Comments: We received no comments on this 
subsection.
    Final Rule: The final rule incorporates the substance of the NPRM 
text without modification but restructures the text for clarity. The 
restructured text clarifies that the Secretary will only issue a notice 
of a preliminary finding of deficiency after the date on which a PSO's 
notification to the Secretary is required by Sec.  3.102(d)(1).
(C) Section 3.104(c)--Actions Regarding Required Disclosures by PSOs of 
Relationships With Contracting Providers
    Proposed Rule: Section 3.104(c) of the proposed rule stated that 
the Secretary would evaluate a disclosure statement submitted by a PSO 
regarding its relationships with contracting providers by considering 
the nature, significance, and duration of the relationships between the 
PSO and the contracting provider. We sought public comment on other 
appropriate factors to consider. The statute requires disclosure of the 
Secretary's findings, and we proposed public release, consistent with 
the Freedom of Information Act and 18 U.S.C. 1905, of PSO disclosure 
statements as well.
    This proposed section also listed the statutorily permissible 
actions that the Secretary could take following his review: Conclude 
that the disclosed relationships require no action on his part or, 
depending on whether the entity is listed or seeking listing, condition 
his listing of the PSO, exercise his authority to refuse to list, or 
exercise his authority to revoke the listing of the entity. The 
Secretary would notify each entity of his findings and decisions.
    Overview of Public Comments: One commenter suggested that our 
proposal that the Secretary consider the nature, significance, and 
duration of the relationship in evaluating the relationships had no 
statutory foundation. Another commenter suggested that we take into 
account corrective action. Several commenters proposed that we rely 
upon the inter-agency work group that is assisting AHRQ in developing 
common formats and definitions for reporting patient safety work 
product to assist in developing disclosure statements. One commenter 
suggested that we create a ``safe harbor'' for multi-hospital parent 
organization systems that contract with a PSO on behalf of some or all 
of its hospitals so that a disclosure statement would not be required, 
deeming that the component PSO of a multi-hospital organization can 
perform patient safety activities fairly and accurately. Another 
suggestion was that the Secretary should adopt a standard requiring 
that there be no conflicts of interests.
    Final Rule: We have retained much of the text from the proposed 
rule but have modified the paragraph setting forth the basis for the 
Secretary's findings regarding disclosure statements. In light of the 
comments, we have deleted the reference to ``nature, significance, and 
duration'' as not appropriate in every circumstance. The modification 
to the rule now requires the Secretary to consider the disclosures made 
by the PSO and an explanatory statement from the PSO making the case 
for why the PSO can fairly and accurately perform patient safety 
activities.
    We have not adopted the other suggestions. As we discuss above, 
with respect to Sec.  3.102(d)(2), we agree with the commenter that 
there is little reason for a provider organization to exert 
inappropriate control over its component PSO. At the same time we do 
not believe the statute permits us to waive Secretarial review under 
any set of circumstances.
    We do not agree with commenters that the common formats inter-
agency work group is the appropriate group to address disclosure 
statements. At this time, their informatics and clinical expertise and 
responsibilities are not congruent with assisting in the design or 
substantive requirements for disclosure statements.
(D) Section 3.104(d)--Maintaining a List of PSOs
    Proposed Rule: The proposed rule sought to incorporate in Sec.  
3.104(d) the statutory requirement that the Secretary compile and 
maintain a list of those entities whose PSO certifications have been 
accepted and which certifications have not been revoked or voluntarily 
relinquished. We proposed that the list would include information 
related to certifications for listing, disclosure statements, 
compliance with the minimum contract requirement, and any other 
information required by this Subpart. We noted that we expected to post 
this information on the AHRQ PSO Web site, and sought comment on 
whether there are specific types of information that the Secretary 
should consider posting routinely on this Web site for the benefit of 
PSOs, providers, and other consumers of PSO services.

[[Page 70763]]

    Overview of Public Comments: In addition to the list in the 
proposed rule, several commenters urged that we post the contact 
information for the parent organizations, subsidiaries, and affiliates, 
a list of states in which the parent organization does business, and 
the business objectives of the parent organizations, and whether each 
parent organization is for-profit or not-for-profit.
    Two commenters suggested that the Secretary's guidance on common 
reporting formats and definitions should be available on the PSO Web 
site. One commenter urged that the final rule and contact information 
for AHRQ staff should also be available there. Another commenter 
suggested that, since AHRQ works with PSOs, the value to prospective 
providers would be increased if we posted information on areas of 
specialization of individual PSOs and used the Web site as one tool for 
facilitating confirming analyses by other PSOs of initial work.
    Final Rule: The final rule incorporates the proposed rule text 
without modification. We have not modified the text of the rule because 
most of the recommendations relate to information that AHRQ will be 
receiving or producing for PSOs and can be posted to the Web site 
without additions or changes to the rule text. Recommendations to post 
information related to AHRQ staff and the final rule can be done 
without regulation as well. As AHRQ provides technical assistance to 
PSOs and works with the provider community to encourage the use of PSO 
services, we expect to publish information on the Web site that PSOs 
and the provider community request. In addition, the names and contact 
information of parent organizations of component PSOs and other 
information submitted at listing will be posted in accordance with the 
proposed rule text.
    Commenters urged us to post some information that we have no plans 
to collect, and, therefore, we have not accepted their recommendations. 
Most of these recommendations related to the business objectives, or 
the for-profit or not-for-profit status of parent organizations of 
component PSOs. In our view, requiring component organizations to 
submit such information would be burdensome and unnecessary. Providers 
will be able to find that information by using the published contact 
information on PSOs and parent organizations.
(E) Section 3.104(e)--Three-Year Period of Listing
    Proposed Rule: Section 3.104(e) proposed that listing as a PSO 
would be for three years, unless the Secretary revokes the listing or 
the PSO voluntarily relinquished its status. We also proposed that the 
Secretary would send a written notice of imminent expiration to a PSO 
no later than 45 calendar days before its listing expires if the 
Secretary has not received a certification seeking continued listing. 
We sought comment on a requirement that the Secretary publicly post the 
names of PSOs to which a notice of imminent expiration has been sent.
    Overview of Public Comments: Commenters were virtually unanimous 
that, at the time we send a PSO a notice of imminent expiration, we 
should post similar information on the AHRQ PSO website. Several 
commenters suggested that PSOs should be required to notify providers 
that the PSO has received a notice of imminent expiration and 
expressed concerns about the time needed for providers to make 
alternative arrangements. One commenter suggested that notice to 
providers should be a part of the contract with the PSO. Another 
suggested that the Department establish an email listserv that 
providers could join for alerts such as this. One commenter opposed 
public notice and one expressed conditional support, provided the 
Department ensured the accuracy of the information on the Web site.
    Final Rule: We have modified and redrafted Sec.  3.104(e) of the 
final rule. The final rule retains the proposed provision that the 
period of listing will be for three years, unless revoked or 
relinquished. The first modification is that this section now 
explicitly provides for the automatic expiration of a PSO's listing at 
the end of three years, unless the Secretary approves its certification 
for continued listing before the date of expiration. By incorporating 
this modification and making the process automatic, we have been able 
to eliminate the proposal in Sec.  3.108(c) for a process we termed 
``implied voluntary relinquishment.'' In comparison with the proposed 
rule approach, which required the Secretary to take affirmative action 
to delist a PSO that let its certifications lapse, this automatic 
approach simplifies the administrative process.
    We have modified subparagraph 3.104(e)(2) in two ways. We will send 
a PSO a notice of imminent expiration even earlier--at least 60 days 
rather than 45 days--before its certifications expire. We adopted the 
earlier notification date in response to general concerns reflected in 
the comments about the time a provider needed to make alternative 
arrangements and to ensure sufficient time for the Secretary to review 
and make a determination regarding certifications for continued 
listing. The second modification incorporates our proposal to post a 
notice on the AHRQ PSO website, for which commenters expressed strong 
support. In combination, we expect these modifications will provide 
both the PSO and the providers from which it receives data sufficient 
notice that the entity's period of listing is drawing to a close.
    We have not incorporated the recommendation to require PSOs 
receiving the notice to contact all providers. We expect most providers 
and PSOs to take advantage of AHRQ's existing listserv that will 
provide electronic notice to all subscribers when a notice such as this 
is posted on the AHRQ PSO website. Providers will also be able to sign 
up on the web site to receive individual emails if their PSO becomes 
delisted. In this way, we can be assured that notification is sent to, 
and received by, all interested parties.
(F) Section 3.104(f)--Effective Date of Secretarial Actions
    Proposed Rule: The proposed rule in section 3.104(f) states that, 
unless otherwise specified, the effective date of each action by the 
Secretary would be specified in the written notice that is sent to the 
entity. We noted that the Department anticipates sending notices by 
electronic mail or other electronic means in addition to a hard copy 
version. We also pointed out that for listing and delisting decisions, 
the Secretary would specify both an effective time and date for such 
actions in the written notice to ensure clarity regarding when 
information received by the entity will be protected as patient safety 
work product.
    Overview of Public Comments: We received no public comments on this 
subsection.
    Final Rule: The final rule incorporates the proposed rule text 
without modification.
3. Section 3.106--Security Requirements
    Proposed Rule: Section 3.106 of the proposed rule outlined a 
framework consisting of four categories for the security of patient 
safety work product that PSOs would consider in developing policies and 
procedures for the protection of data. Because Sec.  3.106 contains 
only two subsections and we received few comments, we will discuss both 
subsections of the rule together.
    Section 3.106(a) proposed that the security requirements of this 
section would apply to each PSO, its workforce members, and its 
contractors whenever

[[Page 70764]]

the contractors hold patient safety work product. If contractors cannot 
meet these security requirements, we proposed that their tasks be 
performed at locations at which the PSO can meet these requirements. We 
stated that the rule does not impose these requirements on providers; 
this Subpart would only apply to PSOs.
    Proposed Sec.  3.106(b) would have established a framework 
consisting of four categories for the security of patient safety work 
product that a PSO must consider. We proposed that each PSO develop 
appropriate and scalable standards that are suitable for the size and 
complexity of its organization.
    The four categories of the framework would have included: Security 
management issues (documenting its security requirements, ensuring that 
its workforce and contractors understand the requirements, and 
monitoring and improving the effectiveness of its policies and 
procedures); separation of systems (required physical separation of 
patient safety work product, appropriate disposal or sanitization of 
media, and preventing physical access to patient safety work product by 
unauthorized users or recipients); security control and monitoring 
controls (ability to identify and authenticate users, an audit capacity 
to detect unlawful, unauthorized, or inappropriate activities, and 
controls to preclude unauthorized removal, transmission or 
disclosures); and policies and procedures for periodic assessment of 
the effectiveness and weaknesses of its overall approach to security 
(determine when it needs to undertake risk assessment exercises and 
specify how it would assess and adjust its procedures to ensure the 
security of its communications involving patient safety work product to 
and from providers and other authorized parties).
    Overview of Public Comments: There were no public comments that 
specifically addressed Sec.  3.106(a) of the rule. Commenters focused 
instead on the overall security framework established by Sec.  
3.106(b). The majority of commenters supported the proposed 
requirements and emphasized the concepts of scalability and flexibility 
that were reflected in the proposed rule. Two commenters urged the 
Department to adopt the HIPAA Security Rule instead. Another commenter 
suggested that the final rule should emphasize the need for PSOs to 
maintain up-to-date security processes and urged that the final rule 
specifically recognize that PSOs can include HIPAA Security Rule 
requirements in their business associate contracts with providers that 
are covered entities.
    While there were few comments overall on this section of the rule, 
the specific provision that elicited the most concern was the 
requirement in Sec.  3.106(b)(2) that patient safety work product 
needed to be maintained securely separate from other systems of 
records. As discussed above with respect to obligations of component 
organizations, commenters expressed concern regarding the potential 
burden of such a requirement and several pointed to the analytic 
benefits of being able to readily merge data sets for specific 
analyses. It was recommended that the final rule permit the patient 
safety work product and non-patient safety work product to be stored in 
the same database as long as the security requirements are implemented 
for the database as a whole.
    Another commenter pointed to the confusion, inconsistency, and 
errors that were likely to result from the rule text in which each 
paragraph began with the words that a PSO ``must address'' each 
security issue within the framework while introductory paragraph (b) 
indicated that PSOs merely needed to ``consider'' the security 
framework.
    Final Rule: We have modified the text of Sec.  3.106 both to 
improve its clarity in non-substantive ways and to incorporate several 
substantive modifications in response to the comments we received. The 
changes to Sec.  3.106(a) are for clarity. For uniformity and brevity, 
throughout Sec.  3.106, we have standardized references regarding the 
application of security requirements to the ``receipt, access, and 
handling'' of patient safety work product. The rule text defines 
``handling'' of patient safety work product as including its 
processing, development, use, maintenance, storage, removal, 
disclosure, transmission and destruction.
    We have incorporated several modifications to the text of Sec.  
3.106(b). We have both simplified the text of the opening paragraph of 
this subsection and substituted the requirement that ``PSOs must have 
written policies and procedures that address'' for the language of the 
proposed rule that stated the ``PSO must consider.'' We agree with the 
commenter that retention of the proposed rule language would create 
confusion regarding what is required of a PSO. By retaining the 
language that permits a PSO to develop specific standards that address 
the security framework in this section with standards that are 
appropriate and scalable, we intend to retain flexibility for PSOs to 
determine how they will address each element of the security framework.
    The most significant substantive change in the security framework 
is in Sec.  3.106(b)(2), which had required the separation of patient 
safety work product from non-patient safety work product at all times. 
Based on comments received, we have modified both the title of Sec.  
3.106(b)(2) and the text of Sec.  3.106(b)(2)(i). Section 3.106(b)(2) 
is now entitled ``Distinguishing Patient Safety Work Product,'' rather 
than ``Separation of Systems,'' and Sec.  3.106(b)(2)(i) recognizes 
that the security of patient safety work product can be maintained 
either when patient safety work product is maintained separately from 
non-patient safety work product or when it is co-located with non-
patient safety work product, provided that the patient safety work 
product is distinguishable. This will ensure that the appropriate form 
and level of security can be maintained. This change responds to 
several comments that opposed the absolute requirement for separation 
in the proposed rule.
    While we have, thus, allowed greater procedural flexibility, we 
caution PSOs to be attentive to ensuring that patient safety work 
product remains distinguishable at all times if it is not kept 
separated. To the extent that patient safety work product becomes co-
mingled with non-protected information, there is increased risk of 
impermissible disclosures and violations of the confidentiality 
requirements of the rule and the Patient Safety Act.
    We have also eliminated a reference to a PSO determination of 
appropriateness that was in the text of the proposed rule in Sec.  
3.106(b)(4)(i) as redundant, since the rule permits a PSO to develop 
appropriate and scalable standards for each element of the security 
framework, including this element.
    Given the strong support for our flexible and scalable framework, 
we have not adopted recommendations of two commenters to substitute the 
HIPAA Security Rule for these provisions. We would expect that PSOs 
that are familiar with, and have existing rules that implement, the 
HIPAA Security Rule will incorporate those standards as appropriate, 
when they develop their written policies and procedures to implement 
security for the patient safety work product they receive, access and 
handle. The security framework presented here does not impose any 
limitations on the ability of PSOs to incorporate or address additional 
security requirements or issues as the PSO determines to be 
appropriate. The flexible approach we have adopted should minimize the

[[Page 70765]]

potential for conflict with the requirements of other programs. By 
taking advantage of this flexibility, and ensuring that its security 
requirements also address the requirements of the HIPAA Security Rule, 
a PSO should be able to meet its obligations as a business associate of 
any provider that is also a ``covered entity'' under HIPAA regulations.
4. Section 3.108--Correction of Deficiencies, Revocation and Voluntary 
Relinquishment
    Section 3.108 establishes the processes and procedures related to 
correction of deficiencies, revocation, and voluntary relinquishment. 
Section 3.108(a) establishes the processes and procedures for 
correction of deficiencies by PSOs and, when deficiencies have not been 
timely corrected, the process leading to a decision by the Secretary to 
revoke his acceptance of the entity's certification and delist a PSO. 
Section 3.108(b) sets forth the actions that the Secretary and a PSO 
must take following a decision by the Secretary to revoke his 
acceptance of the entity's certification and delist the entity. Section 
3.108(c) establishes the process by which an entity can voluntarily 
relinquish its status as a PSO. Section 3.108(d) requires publication 
of notices in the Federal Register whenever an entity is being removed 
from listing. New Sec.  3.108(e) establishes an expedited process for 
revoking the Secretary's acceptance of the entity's certification under 
certain circumstances.
(A) Section 3.108(a)--Process for Correction of a Deficiency and 
Revocation
    Proposed Rule: Section 3.108(a) listed in paragraph (a)(1) the 
circumstances that could lead to revocation and delisting and the 
remaining subsections set forth our proposed process for correction by 
a PSO of a deficiency identified by the Secretary and, if the 
deficiencies are not timely corrected or cannot be ``cured,'' the 
process that could lead to the revocation and delisting. We review the 
entirety of Sec.  3.108(a) here.
    Once the Secretary believes that a PSO is deficient in meeting its 
requirements, proposed Sec.  3.108(a)(2) outlined the processes he 
would follow. First, the Secretary would send a written notice of a 
preliminary finding of deficiency; the contents of the deficiency 
notice are specified in the rule. Following receipt of the notice, a 
PSO would have 14 days to correct the record by submitting evidence 
that the information on which the preliminary finding had been based 
was factually incorrect. The Secretary could then withdraw the notice 
or require the PSO to proceed with correction. The preamble sought 
comment on whether there should be an expedited revocation process when 
deficiencies are not, or cannot, be cured. Public comment and the 
provisions of the final rule are discussed below in new subsection (e), 
expedited revocation.
    Following the correction period, proposed Sec.  3.108(a)(3) would 
have required the Secretary to determine whether a deficiency has been 
corrected. The Secretary could determine: (1) The deficiency is 
corrected and withdraw the notice of deficiency; (2) additional time 
for, or modification of, the required corrective action is warranted; 
or (3) the deficiency is not corrected, the PSO has not acted with 
reasonable diligence or timeliness, and issue a Notice of Proposed 
Revocation and Delisting.
    Section 3.108(a)(4) would have provided an automatic 30 calendar 
day period, unless waived by the PSO, for it to respond in writing to 
the proposed revocation and delisting. If a PSO fails to submit a 
written response, the Secretary would revoke his acceptance of its 
certification, and delist the entity. After review of the response and 
other relevant information, Sec.  3.108(a)(5) proposed that the 
Secretary could affirm, reverse, or modify the notice of proposed 
revocation and delisting, and notify the PSO in writing of his decision 
with respect to any revocation of his prior acceptance of its 
certification and delisting. We noted that the proposed rule did not 
include an administrative process for appealing the Secretary's 
decision to revoke his acceptance of the entity's certification and 
delist a PSO, and specifically sought public comment on our approach.
    Overview of Public Comments: Commenters focused on the due process 
aspects of subsection (a). While most commenters commended the proposed 
rule for its focus on working with PSOs to resolve deficiencies and its 
inclusion of due process elements throughout the process, the 
commenters recommended that the final rule incorporate an additional 
opportunity for an administrative appeal of a revocation and delisting 
decision and expressed concern that the final rule should not limit the 
due process rights and opportunities that had been proposed.
    For example, while several commenters endorsed our overall 
approach, no commenter specifically stated agreement with our decision 
not to include an administrative appeal mechanism following a decision 
by the Secretary to revoke his acceptance of the entity's certification 
and delist a PSO for cause. The eight commenters that specifically 
addressed the issue recommended inclusion of such a mechanism.
    Final Rule: The final rule incorporates only technical 
modifications to the text of subsection 3.108(a). The deletion of text 
in Sec.  3.108(a)(1)(ii) is intended to clarify that the basis for 
revocation and delisting matches our intent in the proposed rule, i.e., 
the failure to meet the two-contract requirement, not the failure to 
timely notify the Secretary that the requirement had been met. In 
addition, we have incorporated a related new Sec.  3.108(e) that 
establishes a new expedited revocation process to be used in 
exceptional circumstances.
    Despite the strong support by commenters that we incorporate in the 
final rule an opportunity for an administrative appeal when the 
Secretary decides to revoke his acceptance of a PSO's certification and 
delist a PSO for cause, we have not modified the rule. The process 
described in Sec.  3.108(a) permits an early response to findings of 
deficiency and, where facts cited by the Secretary are correct, the 
process emphasizes that the Department will work with PSOs to correct 
deficiencies, rather than punishing PSOs for deficiencies. Given the 
flexibility and extensive nature of the communication and correction 
opportunities and procedures outlined in 3.108(a), we expect that the 
revocation process will be utilized rarely, and only after significant 
efforts have been made to bring a PSO back into compliance. However, if 
a PSO is not working with us in good faith to correct any remaining 
deficiencies, there must be a timely finality to the process. For this 
system to work, providers must have confidence that the Department will 
act in a timely manner when a PSO chooses not to meet its statutory and 
regulatory obligations.
Response to Other Public Comments
    Comment: One commenter recommended that the rule provide some 
degree of transparency regarding PSOs that have received notice of 
deficiencies by posting some limited information about this on the PSO 
Web site.
    Response: The Department gave careful consideration to this comment 
because of our overall commitment to providing transparency wherever 
possible. Our conclusion is that we will not post information on 
deficiencies because of our concern that this will undermine another of 
our objectives, which is to promote and permit correction of 
deficiencies in a non-

[[Page 70766]]

punitive manner. Providers considering entering a contract with a 
specific PSO are, of course, free to seek information from the PSO 
regarding whether it has received deficiency notices and is currently 
under an obligation to take corrective actions.
    Comment: Another commenter suggested that the final rule 
specifically recognize the authority of the Secretary, if warranted by 
the circumstances that led to the delisting of a PSO, to debar the 
entity from seeking a new listing for a period of time.
    Response: We have not adopted this specific suggestion, but we note 
that the Secretary is not required to relist an entity automatically. 
The Secretary can and will take into account the reasons for the 
revocation and delisting and the entity's compliance with its 
obligations following revocation and delisting.
    Comment: Several commenters suggested that the period of time 
provided to the PSO to submit a written response to a notice of 
proposed revocation and delisting should be expanded from 30 days to 45 
days.
    Response: We have not accepted this recommendation. We recognize 
the importance of striking a balance between providing an entity 
sufficient time to respond to such a notice and ensuring that providers 
can have confidence that the Department will act in a timely manner 
when a PSO does not meet its obligations. It is important to realize that 
by the time the PSO receives a notice of proposed revocation and 
delisting under the process set forth in Sec.  3.108(a)(3), the 
Department has already worked with the PSO to correct the deficiencies 
and has indicated remaining problems so the PSO will have reason to 
anticipate any such notice of proposed revocation in advance of its 
issuance. Thus the PSO, realistically, will have more than 30 days to 
prepare its response to a proposed revocation.
    Comment: One commenter suggested that, if the Secretary determines 
that the PSO has conflicts of interest, this should serve as a basis 
for proceeding directly to revocation.
    Response: The Department recognizes the commenter's underlying 
point that conflicts of interest may, in fact, not be curable and thus, 
in certain circumstances, may warrant proceeding directly to 
revocation. To the extent that such a conflict of interest provides a 
basis for the Secretary determining that continued listing would have 
serious adverse consequences, we could address it under Sec.  3.108(e), 
the subsection establishing the new expedited revocation process. We 
should note that, in crafting that new authority, the Department 
believed that it had an obligation to establish a process for truly 
exceptional circumstances. We do not intend to use this authority as a 
substitute for the normal process established by subsection (a). Thus, 
if a conflict-of-interest does not raise the prospect of serious 
adverse consequences for providers or others, it is our intention to 
use the correction processes of subsection (a).
    Comment: Would a provider's patient safety work product be at risk 
if the Department failed to alert the provider in a timely manner of a 
deficiency in its PSO?
    Response: No. As we pointed out in the preamble discussion of Sec.  
3.108 in the proposed rule, the presence of deficiencies or the fact 
that an entity is undergoing revocation has no impact on the 
information submitted to the entity by providers until the date and 
time that an entity is revoked and removed from listing. If the PSO is 
revoked and delisted for cause, the statute provides an additional 30-
day period that begins at the time of delisting during which data 
reported to the former PSO receives the same protections as patient 
safety work product.
(B) Section 3.108(b)--Revocation of the Secretary's Acceptance of a 
PSO's Certification
    Proposed Rule: When the Secretary makes a determination to remove 
the listing of a PSO for cause, proposed Sec.  3.108(b)(1) required the 
Secretary to establish, and notify the entity of, the effective date 
and time of its delisting and inform the entity of its obligations 
under Sec. Sec.  3.108(b)(2) and 3.108(b)(3).
    Section 3.108(b)(2) proposed to implement two statutory provisions. 
First, the former PSO would be required to notify providers with which 
it has been working of its removal from listing and confirm to the 
Secretary within 15 days of the date of revocation and delisting that 
it has done so. In light of the brief notification period, we sought 
comment on whether there are other steps the Secretary should take to 
ensure that affected providers receive timely notice. Second, this 
subsection would have reaffirmed the continued protection of patient 
safety work product received while the entity was listed. In addition, 
any data received by the former PSO from a provider in the 30 days 
following the date of revocation and delisting would be accorded the 
same protections as patient safety work product. We noted that this 
additional period of protection was only for the benefit of providers 
reporting data; it would not permit a former PSO to continue to 
generate new patient safety work product.
    Section 3.108(b)(3) proposed to implement the statutory 
requirements regarding the disposition of patient safety work product 
or data following revocation and delisting of a PSO. The three 
alternatives provided by the statute are: Transfer of the patient 
safety work product with the approval of the source from which it was 
received to a PSO which has agreed to accept it; return of the patient 
safety work product or data to the source from which it was received; 
or, if return is not practicable, destruction of such work product or 
data. We noted that the text of the proposed rule refers to the 
``source'' of the patient safety work product or data; this would be a 
broader formulation than the statutory language and includes 
individuals. The statute does not establish a time frame for a PSO to 
comply with disposition requirements; we sought comment on setting a 
deadline.
    Overview of Public Comments: Most commenters addressed the specific 
questions raised in the proposed rule, although a few commenters raised 
questions and offered recommendations related to the requirements for 
disposition of patient safety work product. In response to the 
Department's question in the proposed rule of whether there were other 
steps that the Secretary could take to ensure that providers were 
informed when a PSO to which they reported data was revoked and 
delisted, many commenters concluded that the statutory requirement for 
notification by the former PSO was sufficient. Others urged AHRQ to 
post notices of revocation and delisting on the PSO website. Several 
commenters urged the Secretary to require the former PSO to provide 
AHRQ with a list of its providers when it submits its required 
confirmation 15 days after revocation that it has notified providers. 
Presumably, the intent was to permit the Secretary to follow up with 
these providers to confirm that they had been notified.
    There were only three comments in response to our question in the 
proposed rule whether it was appropriate to require disposition of 
patient safety work product that was received from all sources. Two 
comments supported our interpretation of the statutory requirement. One 
commenter raised concerns that this requirement could be difficult to 
accomplish.
    Commenters strongly supported inclusion in the final rule of a 
deadline by which former PSOs needed to complete their disposition of 
patient

[[Page 70767]]

safety work product. Some commenters suggested that we follow existing 
HIPAA guidelines and others suggested that the rule set a deadline, 
ranging from 90 days to 180 days following the date of revocation. One 
commenter suggested setting standards linked to the volume of patient 
safety work product held by the former PSO.
    The options for disposition of patient safety work product elicited 
a number of comments. Some noted the difficulty of returning patient 
safety work product to its source as the former PSO closes its 
operations and expressed concern that destruction was not an option 
until the PSO concluded that returning the work product was not 
possible. In the view of this commenter, this could lead a PSO to 
simply abandon the patient safety work product since it may have 
neither time nor resources to contact the sources of the work product. 
However, most commenters focused on the importance of identifying ways 
to avoid destruction of patient safety work product.
    Final Rule: Section 3.108(b) has been modified in several ways. The 
first changes, in Sec.  3.108(b)(1), are technical changes. The first 
change renames the section to more accurately describe its provisions. 
The second technical change incorporates two additional cross-
references to the ability of the Secretary to revoke his acceptance of 
a PSO's certifications and delist an entity pursuant to the new 
expedited revocation process established in Sec.  3.108(e).
    We have not imposed any new requirements on the Department in Sec.  
3.108(b)(2) to notify providers. Many commenters did not see the need 
for additional intervention by the Department and several commenters 
suggested additional steps that we can and will take independent of the 
rule. For example, AHRQ has already established an e-mail-based 
listserv for individuals interested in electronic alerts regarding the 
agency's implementation of the Patient Safety Act. Following 
publication of the final rule, AHRQ will encourage all interested 
providers and PSOs to add their names to the listserv, which will 
provide immediate notification when the Secretary takes actions related 
to the listing and delisting of PSOs or posts significant new 
information on AHRQ's PSO Web site. Providers will also be able to 
sign up on the Web site to receive individual e-mails if their PSO 
becomes delisted.
    We have modified Sec.  3.108(b)(2) in another way. This paragraph 
retains the restatement that was in the proposed rule of the statutory 
assurances regarding the continued protections for patient safety work 
product reported to a PSO before the effective date of a revocation and 
delisting action by the Secretary and the protections for data reported 
to the former PSO during the 30-day period following the date of 
delisting. The modification requires the former PSO to include this 
information in its notices to providers regarding its delisting. We 
incorporated this modification to better effectuate the statutory 
purpose by ensuring that the providers contacted by the former PSO are 
aware of these protections for the data they may still want to report 
during the 30-day period.
    Several commenters sought ways to preserve patient safety work 
product and data for continued learning. However, the requirements for 
disposition of patient safety work product and ``data'' in the final 
regulation follow the statutory formulation. We note that ``data'' in 
this context refers to information submitted to a former PSO in the 30 
days following its delisting. Some amount of patient safety work 
product can be preserved if the PSO shares or discloses this 
information prior to the effective date of its revocation as permitted 
by the rule, e.g., to other PSOs in non-identifiable or anonymized 
form.
    We have modified the text of Sec.  3.108(b)(3) in one respect. In 
response to comments, we require the disposition requirement to be 
completed within 90 days. Some commenters suggested that we follow 
existing HIPAA guidelines in establishing deadlines for the disposition 
of patient safety work product. Neither the HIPAA Privacy Rule nor the 
HIPAA Security Rule has deadlines for the disposition of protected 
health information. Providers are, of course, free to establish in 
their contracts an earlier date for disposition of their patient safety 
work product or data and may provide prior authorization for transfer 
to another PSO.
Response to Other Public Comments
    Comment: One commenter asked whether the disposition requirement 
applies to non-identifiable patient safety work product, such as data 
reported anonymously by hospitals.
    Response: The statutory section on disposition of patient safety 
work product does not make an explicit distinction between disposition 
of identifiable and non-identifiable patient safety work product and 
data, nor does the final rule in the disposition requirements. The 
Department reads this disposition requirement as applying to both 
identifiable and non-identifiable patient safety work product and data. 
We note that Subpart C permits disclosure of non-identifiable patient 
safety work product at any time by a PSO. However, after the date and 
time that the Secretary sets for revocation and delisting, the former 
PSO must follow the prescribed disposition requirements. Thus, prior to 
the effective date and time of a PSO's delisting, the PSO can transfer 
to another PSO non-identifiable and anonymized patient safety work 
product, without consent of the source(s) of that information.
    Comment: One commenter suggested that there may be good business 
reasons for a former PSO that has been delisted to retain patient 
safety work product and asked that we provide that option.
    Response: The statutory disposition requirement does not permit 
such an option for an entity that is revoked and delisted for cause, 
and the final rule mirrors this limitation. A PSO that voluntarily 
relinquishes its status is required to attest that it has made all 
reasonable efforts to comply with the disposition requirements.
    Comment: One commenter noted that the disposition options appear to 
be premised on a concept of the source's ownership interest in the 
patient safety work product provided to the PSO. Noting that PSOs 
continue to aggregate data from multiple providers or through the 
sharing of work product with other PSOs, the commenter asserted that at 
some point the PSO's work product becomes its own. The question to 
consider is whether this distinction can be made in applying the 
disposition requirement.
    Response: The Department reads the disposition requirement of the 
Patient Safety Act to apply to all patient safety work product and data 
held by an involuntarily delisted former PSO. Most work product created 
by PSOs will be based upon reports from providers. While the commenter 
points to repeated aggregation of data from larger and larger numbers 
of providers as making the linkage to the reporting providers more 
tenuous, in our view the linkage remains as long as there is 
information that identifies any source of the data in the analysis. The 
linkage is only broken when the source(s) is (are) truly non-
identifiable. As we noted above, the statute does not make a 
distinction between identifiable and non-identifiable information, so 
the disposition requirements apply to both.
    Comment: One commenter noted that certain public PSO entities may 
face conflicts with state laws or regulations that establish 
requirements for the

[[Page 70768]]

disposition of information that they hold.
    Response: The final rule's requirements for disposition of patient 
safety work product would preempt conflicting state statutory 
requirements for disposition of information when it is patient safety 
work product.
    Comment: What are the responsibilities of a contractor holding 
patient safety work product under contract with a PSO that is revoked 
and delisted for cause?
    Response: The contractor must return the former PSO's patient 
safety work product that it is holding for disposition as required by 
the rule.
(C) Section 3.108(c)--Voluntary Relinquishment
    Proposed Rule: Section 3.108(c)(1) proposed two circumstances under 
which a PSO would be considered to have voluntarily relinquished its 
status as a PSO: When a PSO advises the Secretary in writing that it no 
longer wishes to be a PSO, and when a PSO permits its three-year period 
of listing to expire. To ensure that such a lapse is not inadvertent, 
the proposed rule would require the Secretary to send a notice of 
imminent expiration 45 calendar days before the expiration of its 
period of listing.
    We proposed in Sec.  3.108(c)(2) that a PSO seeking to relinquish 
its listing should include in its notification to the Secretary 
attestations regarding its compliance with the provider notification 
and patient safety work product disposition requirements, and would 
have required appropriate contact information for further 
communications from the Secretary. The Secretary would be authorized by 
Sec.  3.108(c)(3) to accept or reject the PSO's notification. We sought 
comment on our preliminary conclusion that, when a PSO voluntarily 
relinquishes its status, the statutory provisions providing protections 
for an additional 30 days for data submitted to the former PSO by 
providers do not apply.
    Section 3.108(c)(4) would have enabled the Secretary to determine 
that implied voluntary relinquishment has taken place when a PSO 
permits its listing to expire. The Secretary would remove the entity 
from the list of PSOs at midnight on that day, notify the entity, and 
request that the entity make reasonable efforts to comply with the 
provider notification and patient safety work product disposition 
requirements, and to provide appropriate contact information. Finally, 
Sec.  3.108(c)(5) proposed that voluntary relinquishment would not 
constitute a deficiency as referenced in subsection (a).
    Overview of Public Comments: Public comment on the proposed 
provisions for voluntary relinquishment focused primarily on the two 
questions raised in the proposed rule.
    Two commenters agreed with our interpretation that the statute 
limited the application of the additional protections for data 
submitted by providers to a former PSO in the 30-day period following 
the date and time of revocation and delisting to situations in which 
the PSO had been revoked and delisted for cause. A number of commenters 
argued for inclusion of a 30-day period of continued reporting for PSOs 
that voluntarily relinquished their status. They noted the importance 
of comparability but did not provide a legal rationale for reading the 
statute differently.
    The second question posed by the proposed rule was the 
appropriateness of paragraph (c)(5) which would eliminate the right to 
challenge any decision by the Secretary regarding voluntary 
relinquishment. Several large provider groups supported our position 
while others argued that a PSO should always have the right to 
challenge or appeal any decision by the Secretary.
    Final Rule: We have modified and narrowed the scope of voluntary 
relinquishment in the final rule. We have eliminated from this section 
the application of voluntary relinquishment to situations in which a 
PSO has let its certifications lapse. As noted above, we have modified 
Sec.  3.104(e) to make expiration of a PSO's listing automatic in these 
circumstances. Revised Sec.  3.108(c) provides for voluntary 
relinquishment in only one circumstance: When a PSO writes the 
Secretary seeking to relinquish its listing as a PSO.
    We have carefully reviewed again the statutory authority that 
enables PSOs that have their listing revoked for cause to continue to 
receive data for 30 days following the date and time of revocation and 
delisting that will be treated as patient safety work product. We 
reaffirm our interpretation that the statutory authority does not apply 
to an entity seeking to voluntarily relinquish its status as a PSO. 
Commenters provided no basis for a different reading of the statute. 
Accordingly, we have not incorporated any change in the rule.
    We have also deleted inappropriate references to ``patient safety 
work product and data'' in Sec.  3.108(c)(2) and replaced them with a 
reference only to patient safety work product. As we noted above, the 
term ``data'' in this context refers only to information received by a 
former PSO in the 30-day period following revocation for cause and is 
not applicable here. The only other modifications are deletions of text 
relating to implied voluntary relinquishment and a conforming change in 
a cross-reference.
    We have not accepted the views of commenters supporting appeals of 
relinquishment determinations by the Secretary in light of our decision 
to narrow the scope of voluntary relinquishment to situations in which 
the PSO has requested relinquishment. The comments regarding due 
process for those who voluntarily relinquish their status would no 
longer be apt.
(D) Section 3.108(d)--Public Notice of Delisting Regarding Removal From 
Listing
    Proposed Rule: Proposed Sec.  3.108(d) would have incorporated the 
statutory requirement that the Secretary must publish a notice in the 
Federal Register regarding the revocation of acceptance of 
certification of a PSO and its removal from listing. The proposed rule 
would have broadened the requirement to include publication of such a 
notice if delisting results from a determination of voluntary 
relinquishment.
    Overview of Public Comments: We received no comments on this 
subsection.
    Final Rule: We have modified Sec.  3.108(d) in the final rule to 
reflect our changes to subsection (c) that narrowed the scope of 
voluntary relinquishment. We also added a new reference that requires 
the Secretary to publish a notice when a PSO's listing terminates 
automatically at the end of the statutorily based three-year period, 
pursuant to Sec.  3.104(e).
(E) Section 3.108(e)--Expedited Revocation
    Proposed Rule: The proposed rule did not contain a proposed Sec.  
3.108(e). The proposed rule did include in subsection (a) a request for 
comment about the possible inclusion in the final rule of an expedited 
revocation process. We noted that, while we anticipate that in the vast 
majority of circumstances, the PSO's deficiency(ies) can and will be 
corrected, there may be situations in which a PSO's conduct is so 
egregious that the Secretary's acceptance of the PSO's certification 
should be revoked without the opportunity to cure because there is no 
meaningful cure. We invited comments regarding this approach and how 
best to characterize the situations in which the opportunity to 
``cure,'' e.g., to change policies, practices or procedures, sanction 
employees, send out correction notices, would not be sufficient, 
meaningful, or appropriate.

[[Page 70769]]

    Overview of Public Comments: Several commenters expressed concern, 
requested that we define the term ``egregious,'' and opposed the 
elimination of a right for the PSO to respond to the proposed expedited 
revocation action. One commenter suggested that our proposal was 
appropriate in situations involving multiple willful violations and in 
which immediate action is necessary to protect patients and providers 
from further improper actions by the PSO.
    Only one commenter addressed, and opposed, our suggestion that we 
might eliminate in the final rule the opportunity for a PSO to contest 
revocation when the entity had verifiably failed to meet the statutory 
minimum contract requirement.
    Final Rule: The Department has modified the rule to include a new 
Sec.  3.108(e) to provide for expedited revocation in a limited number 
of circumstances. In deciding to include this new subsection, we 
considered all of the comments received regarding Subpart B, not only 
those discussed here. There was a strong overall sentiment that the 
Secretary must be vigilant in ensuring that PSOs meet their obligations 
to protect the confidentiality of patient safety work product. These 
concerns were especially strong in response to our proposal to permit 
components of excluded entities to seek listing. We also received 
support for prompt Secretarial action for multiple willful violations 
and when providers and patients are at risk because of a PSO's actions. 
Accordingly, we have incorporated an expedited revocation process based 
around these concerns.
    New Sec.  3.108(e)(1) lists three circumstances in which the 
Secretary may use an expedited process for revocation. The first two 
circumstances reflect commenter concern regarding excluded entities. 
The first of these, specified in Sec.  3.108(e)(1)(i), is if the 
Secretary determines that a PSO is, or is about to become, an entity 
excluded from listing by Sec.  3.102(a)(2). That section excludes from 
listing: A health insurance issuer; a unit or division of a health 
insurance issuer; an entity that is owned, managed or controlled by a 
health insurance issuer; entities that accredit or license health care 
providers; entities that oversee or enforce statutory or regulatory 
requirements governing the delivery of health care services; agents of 
an entity that oversees or enforces statutory or regulatory 
requirements governing the delivery of health care services; or 
entities that operate a Federal, State, Local, or Tribal patient safety 
reporting system to which health care providers (other than members of 
the entity's workforce or health care providers holding privileges with 
the entity) are required to report information by law or regulation.
    Because the certifications for listing specifically require an 
entity to attest that it is not excluded from seeking listing, this 
situation would mean that the PSO had either filed a false 
certification, or that the nature of the entity had significantly 
changed during the course of its listing. An example of an entity 
``about to become an excluded entity'' would be when there is advance 
notice of a merger of the parent organization of a component PSO with a 
health insurance issuer. A health insurance issuer is the only excluded 
entity that may not have a component become a PSO. If the Secretary 
learns that a PSO is about to become a component of a health insurance 
issuer, this is one circumstance under which we believe prompt action 
by the Secretary is essential.
    The second circumstance, specified in Sec.  3.108(e)(1)(ii), is 
when the parent organization of a PSO is an excluded entity and the 
parent organization uses its authority over providers to require or 
induce them to use the patient safety services of its component PSO. 
This was a major concern of commenters in permitting components of 
accreditation, licensure and regulatory entities to seek listing; the 
final rule in Sec.  3.102(c) permits such a component to be listed only 
if it can certify that its parent organization does not impose such 
requirements on providers. When an excluded entity attempts to require 
or induce providers to report information to its component PSO, there 
is reasonable cause for concern regarding the integrity of the firewall 
between the component PSO and its parent organization. Given the 
potential harm to providers if their identifiable patient safety work 
product is made available to the excluded entity, the Department 
concludes that the need for prompt action is compelling.
    The third circumstance specified in Sec.  3.108(e)(1)(iii) of the 
rule is when the Secretary has determined that the failure to act 
promptly would lead to serious adverse consequences. We would expect to 
use this authority sparingly. Despite the confidential and protected 
nature of patient safety work product, we remain concerned that there 
can still be serious harm to providers, patients, and reporters named 
in patient safety work product if a PSO demonstrates reckless or 
willful misconduct in its protection or use of the work product with 
which it is entrusted, especially when there is reason to believe there 
have been repeated deficiencies, or when the PSO engages in fraudulent 
or illegal conduct. In light of these risks, we believe it is only 
prudent to give the Secretary the authority to respond promptly to 
situations where there is a risk of serious adverse harm, even if we 
cannot adequately foresee all of the specific situations that might 
require prompt action.
    We note that we have accepted the position of another commenter 
that we not include failure to meet the minimum contract requirement as 
a basis for expedited revocation. Our intent is to limit expedited 
revocation to those situations which pose a risk to providers or 
others.
    To accomplish expeditious remedial revocation action, Sec.  
3.108(e)(2) waives the procedures in Sec. Sec.  3.108(a)(2) through 
3.108(a)(5) for correction of deficiencies, determinations regarding 
correction of deficiencies, processes related to the opportunity for a 
written response by the PSO to a notice of proposed revocation and 
delisting, and final determination by the Secretary regarding 
revocation and delisting of the PSO. Instead, the provisions of Sec.  
3.108(e)(3) apply.
    Under Sec.  3.108(e)(3) of the expedited revocation process, the 
Secretary would issue a notice of deficiency and expedited revocation 
that identifies the evidence that the circumstances for expedited 
revocation exist and indicates any corrective action the PSO can take 
if the Secretary determines that corrective action may resolve the 
matter so that revocation and delisting could be avoided. Absent 
evidence of actual receipt of this notice of deficiency and expedited 
revocation, the Secretary's notice will be deemed to be received five 
days after it was sent.
    In developing this process, we have taken note of commenters' 
concern that, as a general matter, a PSO alleged to be deficient in 
compliance should have an opportunity to be heard, and have provided the 
PSO with an opportunity to respond as part of the expedited revocation 
process. The Secretary must receive a response from the PSO within 14 
days of actual or constructive receipt of the notice, whichever is 
longer. In its written response, the PSO can correct the alleged facts 
or argue the applicability of the legal basis given for expedited 
revocation and delisting and offer reasons that would support its case 
for not being delisted.
    If the PSO does not submit a written response, the Secretary may 
revoke and delist the PSO. Provided the PSO responds within the 
required time, the Secretary may withdraw the notice,

[[Page 70770]]

grant the PSO additional time to resolve the matter, or revoke and 
delist the PSO. If the Secretary decides to revoke and delist the PSO, 
we note that the requirements of Sec.  3.108(b) discussed above apply. 
These requirements relate to notification of the providers who have 
reported patient safety work product to the PSO, disposition of the 
PSO's patient safety work product and data, and the ability of 
providers to continue to report data to the former PSO for 30 calendar 
days following the effective date and time of delisting and have these 
data protected as patient safety work product.
5. Section 3.110--Assessment of PSO Compliance
    Proposed Rule: Section 3.110 proposed the framework by which the 
Secretary would assess compliance of PSOs with the requirements of the 
statute and the rule. This section provided that the Secretary may 
request information or conduct spot-checks (reviews or site visits to 
PSOs, announced or unannounced) to assess or verify PSO compliance with 
the requirements of the statute and this proposed subpart. We noted 
that we anticipate that such spot checks would involve no more than 
5-10% of PSOs in any year. We also noted that this section would 
reference the Department's overall authority to have access to patient 
safety work product, if necessary, as part of its implementation and 
enforcement of the Patient Safety Act.
    Overview of Public Comments: There were few comments on this 
section. Commenters agreed that AHRQ's authority under this section 
should be limited to PSOs. Several commenters expressed concern about 
our discussion that we only anticipated spot-checking 5%-10% of PSOs 
for compliance in any given year. The projected number of spot checks 
in their view would not be adequate to maintain provider confidence and 
PSO compliance. Another commenter asked which agency would be delegated 
the task and identified entities within HHS to which the Secretary 
should not delegate this responsibility.
    Final Rule: We have made no substantive modifications to Sec.  
3.110 in the final rule. We note in response to the commenters that 
urged a higher level of spot checks and inspections that the rule does 
not limit the ability of the Department to increase the number if 
warranted. However, we have no basis for assuming that higher levels of 
spot checks or inspections are warranted in light of the fact that 
Patient Safety Organizations are not federally funded or controlled and 
a provider's decision to work with a PSO is voluntary. Therefore, we 
intend to maintain the approach outlined in the proposed rule. In 
response to another commenter, the authority to implement Subpart B 
rests squarely within the authorities to foster patient safety and 
health care quality improvement of the Agency for Healthcare Research 
and Quality, and there is no reason to expect it to be delegated to 
another part of the Department.
6. Section 3.112--Submissions and Forms
    Proposed Rule: Proposed Sec.  3.112 would have provided 
instructions for obtaining required forms and the submission of 
materials, would have provided contact information for AHRQ (mailing 
address, Web site, and e-mail address), and would have authorized the 
Department to request additional information if a submission is 
incomplete or additional information is needed to enable the Secretary 
to make a determination on any submission.
    Overview of Public Comments: We received no comments on this 
section.
    Final Rule: We have made no substantive modifications to this 
section. We have made technical changes and incorporated citations for 
the AHRQ PSO Web site address and corrected the e-mail address.

C. Subpart C--Confidentiality and Privilege Protections of Patient 
Safety Work Product

    Proposed Subpart C would have described the general privilege and 
confidentiality protections for patient safety work product, the 
permitted disclosures, and the conditions under which the specific 
protections no longer apply. The proposed Subpart also would have 
established the conditions under which a provider, PSO, or responsible 
person must disclose patient safety work product to the Secretary in 
the course of compliance and enforcement activities, and what the 
Secretary may do with such information. Moreover, the proposed subpart 
would have established the standards for nonidentifiable patient safety 
work product.
    Proposed Subpart C sought to balance key objectives of the Patient 
Safety Act. First, the proposal sought to address provider concerns 
about the potential for damage from unauthorized release of 
information, including the potential for the information to serve as a 
roadmap for provider liability from negative patient outcomes. It also 
promoted the sharing of information about adverse patient safety events 
among providers and PSOs for the purpose of learning from those events 
to improve patient safety and the quality of care. To achieve these 
objectives, Subpart C proposed that patient safety work product would 
be privileged and confidential, except in certain limited 
circumstances identified by the Patient Safety Act and as needed by the 
Department to implement and enforce the Patient Safety Act. In 
addition, proposed Subpart C provided, in accordance with the Patient 
Safety Act, that patient safety work product that is disclosed 
generally would continue to be privileged and confidential, subject to 
the delineated exceptions. Thus, under the proposal, an entity or 
person receiving patient safety work product only would be able to 
disclose such information for a purpose permitted by the Patient Safety 
Act and the proposed rule, or if patient safety work product was no 
longer confidential because it was nonidentifiable or subject to an 
exception to confidentiality. Providers, PSOs, and responsible persons 
who failed to adhere to these confidentiality rules would be subject to 
enforcement by the Department, including the imposition of civil money 
penalties, if appropriate, as provided in Subpart D of the proposed 
rule.
    The proposed rule also explained that several provisions of the 
Patient Safety Act recognize that the patient safety regulatory scheme 
will exist alongside other requirements for the use and disclosure of 
protected health information under the HIPAA Privacy Rule. For example, 
the Patient Safety Act establishes that PSOs will be business 
associates of providers and the patient safety activities they conduct 
will be health care operations of the providers, incorporates 
individually identifiable health information under the HIPAA Privacy 
Rule as an element of identifiable patient safety work product, and 
adopts a rule of construction that states the intention not to alter or 
affect any HIPAA Privacy Rule implementation provision (see section 
922(g)(3) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(3)). 
As we explained in the proposed rule, we anticipate that most providers 
reporting to PSOs will be HIPAA covered entities under the HIPAA 
Privacy Rule, and as such, will be required to recognize and comply 
with the requirements of the HIPAA Privacy Rule when disclosing 
identifiable patient safety work product that includes protected health 
information. As Subpart C addresses disclosure of patient safety work 
product that may include protected health information,

[[Page 70771]]

we discuss, where appropriate, the overlap between this rule and the 
HIPAA Privacy Rule in the preamble description of this Subpart, as we 
did in the proposed rule.
1. Section 3.204--Privilege of Patient Safety Work Product
    Proposed Sec.  3.204 described the privilege protections of patient 
safety work product and the exceptions to privilege. As we explained in 
the proposed rule, the Patient Safety Act does not give authority to 
the Secretary to enforce breaches of the privilege protections, as it 
does with respect to breaches of the confidentiality provisions. 
Rather, we anticipate that the tribunals, agencies or professional 
disciplinary bodies before whom the proceedings take place and before 
which patient safety work product is sought, will adjudicate the 
application of the privilege provisions of the Patient Safety Act at 
section 922(a)(1)-(5) of the Public Health Service Act, 42 U.S.C. 
299b-22(a)(1)-(5) and the exceptions to privilege at section 922(c)(1) of 
the Public Health Service Act, 42 U.S.C. 299b-22(c)(1). Even though the 
privilege protections will be enforced through the court systems, and 
not by the Secretary, we repeat the statutory privilege protections and 
exceptions in this final rule, as we did in the proposed rule. This is 
done both for convenience and completeness, as well as because the same 
exceptions in the privilege provisions are repeated in the 
confidentiality provisions and the term ``disclosure'' in the final 
rule describes both the transfer of patient safety work product 
pursuant to a privilege exception as well as a confidentiality 
exception. Thus, a disclosure of patient safety work product that is a 
violation of privilege may also be a violation of confidentiality, 
which the Secretary does have authority to enforce and for which he can 
impose a civil money penalty, if appropriate.
    We also proposed to include at Sec.  3.204(c) a regulatory 
exception to privilege for disclosures to the Secretary for the purpose 
of enforcing the confidentiality provisions and for making or 
supporting PSO certification or listing decisions. In the final rule, 
we adopt this proposed provision but also add language to make clear 
that the exception also applies to disclosures to the Secretary for 
HIPAA Privacy Rule enforcement, given the significant overlap with 
respect to disclosures under the two rules. We discuss that change, as 
well as the public comments and our responses with respect to the other 
privilege provisions, below.
(A) Section 3.204(a)--Privilege
    Proposed Rule: Proposed Sec.  3.204(a) would have described the 
general rule that, notwithstanding any other provision of Federal, 
State, local, or Tribal law, patient safety work product is privileged 
and shall not be: (1) Subject to Federal, State, local, or Tribal 
civil, criminal, or administrative subpoena or order, including in a 
disciplinary proceeding against a provider; (2) subject to discovery in 
connection with a Federal, State, local, or Tribal civil, criminal, or 
administrative proceeding, including a disciplinary proceeding against 
a provider; (3) subject to disclosure under the Freedom of Information 
Act (section 552 of Title 5, United States Code) or similar Federal, 
State, local, or Tribal law; (4) admitted as evidence in any Federal, 
State, local, or Tribal governmental civil proceeding, criminal 
proceeding, administrative rulemaking proceeding, or administrative 
adjudicatory proceeding, including any such proceeding against a 
provider; or (5) admitted in a professional disciplinary proceeding of 
a professional disciplinary body established or specifically authorized 
under State law. The proposed provision generally repeated the 
statutory language at section 922(a) of the Public Health Service Act, 
42 U.S.C. 299b-22(a) but also clarified that privilege would have 
applied to protect against use of the information in Tribal courts and 
administrative proceedings.
    Overview of Public Comments: We received no comments opposed to 
this proposed provision.
    Final Rule: The final rule adopts this proposed provision.
Response to Other Public Comments
    Comment: Several commenters expressed concern about the lack of 
detailed explanation and information about the privilege protections as 
compared to the confidentiality provisions in the proposed rule. Some 
commenters asked for clarification about how breaches of privilege can 
be enforced and who can assert privilege protection. Two commenters 
asked whether hospital peer review committees established under state 
law qualify as disciplinary bodies for purposes of the privilege 
protection and if there is a distinction between discipline by a state 
licensing body and discipline by an internal peer review committee.
    Response: The Secretary does not have the authority to interpret 
and enforce the privilege protections of the statute, and thus, the 
proposed rule did not contain a detailed discussion of these provisions 
nor can we provide further explanation or interpretation in this final 
rule. Rather, as described above, the privilege provisions are included 
only for convenience and completeness, and because the privilege 
exceptions mirror exceptions to confidentiality. The privilege 
protections attach to patient safety work product, and we expect that 
the privilege of patient safety work product will be adjudicated and 
enforced by the tribunals, agencies or professional disciplinary bodies 
before which the information is sought and before whom the proceedings 
take place. A provider facing an opposing party who seeks to introduce 
patient safety work product in court may seek to enforce the privilege 
by filing the appropriate motions with the court asserting the 
privilege to exclude the patient safety work product from the 
proceeding.
(B) Section 3.204(b)--Exceptions to privilege
    Proposed Rule: Proposed Sec.  3.204(b) described the exceptions to 
privilege established at section 922(c) of the Public Health Service 
Act, 42 U.S.C. 299b-22(c), thereby permitting disclosure of patient 
safety work product under such circumstances. In all cases, the 
exceptions to privilege were also proposed as exceptions to 
confidentiality at Sec.  3.206(b). Proposed Sec.  3.204(b)(1) would 
have permitted the disclosure of relevant patient safety work product 
for use in a criminal proceeding after a court makes an in camera 
determination that the patient safety work product contains evidence of 
a criminal act, is material to the proceeding, and is not reasonably 
available from any other source. Proposed Sec.  3.204(b)(2) would have 
permitted disclosure of identifiable patient safety work product to the 
extent required to carry out the securing and provision of equitable 
relief as provided under section 922(f)(4)(A) of the Public Health 
Service Act, 42 U.S.C. 299b-22(f)(4)(A). Proposed Sec.  3.204(b)(3) 
would have permitted disclosure of identifiable patient safety work 
product when each of the identified providers authorized the 
disclosure. Finally, proposed Sec.  3.204(b)(4) would have excepted 
patient safety work product from privilege when disclosed in 
nonidentifiable form.
    Overview of Public Comments: Some commenters expressed concern that 
allowing exceptions to privilege may not adequately protect patient 
safety work product.
    Final Rule: The final rule adopts the proposed provisions. The 
statute explicitly provides for these limited

[[Page 70772]]

exceptions to privilege and thus, they are included in this final rule.
Response to Other Public Comments
    Comment: One commenter asked that the final rule align the 
privilege exceptions in Sec.  3.204(b) with the permitted disclosures 
to law enforcement in the HIPAA Privacy Rule at 45 CFR 164.512(f).
    Response: We do not agree that expanding the exceptions to 
privilege in such a manner is appropriate or prudent. Congress 
expressly limited the exceptions to privilege to those we have repeated 
in the final rule. As relevant to law enforcement, the Patient Safety 
Act permits an exception from privilege protection for law enforcement 
purposes in only very narrow circumstances--that is, patient safety 
work product may be used in a criminal proceeding, but only after a 
judge makes an in camera determination that the information contains 
evidence of a criminal act, is material to the proceeding, and is not 
reasonably available from any other source. See Sec.  3.204(b)(1). We 
do not have authority to further expand or interpret the exceptions to 
privilege provided for in the statute. Further, we believe strong 
privilege protections are essential to ensuring the goals of the 
statute are met by encouraging maximum provider participation in 
patient safety reporting. We note that Sec.  3.206(b)(10) permits the 
disclosure of patient safety work product relating to an event that 
either constitutes the commission of a crime, or that the 
disclosing person reasonably believes constitutes the commission of a 
crime, to law enforcement, provided that the disclosing person 
believes, reasonably under the circumstances, that the patient safety 
work product that is disclosed is necessary for criminal law 
enforcement purposes. In other cases where law enforcement needs access 
to information that is contained within patient safety work product, we 
emphasize that the definition of ``patient safety work product'' 
specifically excludes a patient's medical or billing record or other 
original patient information. See Sec.  3.20, paragraph (2)(i) of the 
definition of ``patient safety work product.'' Thus, such original 
patient information remains available to law enforcement in accordance 
with the conditions set out in the HIPAA Privacy Rule, if applicable.
(C) Section 3.204(c)--Implementation and Enforcement of the Patient 
Safety Act
    Proposed Rule: Proposed Sec.  3.204(c) would have excepted from 
privilege disclosures of relevant patient safety work product to or by 
the Secretary as needed for investigating or determining compliance, or 
seeking or imposing civil money penalties, with respect to this rule or 
for making or supporting PSO certification or listing decisions under 
the Patient Safety Act. We proposed that these disclosures also be 
permitted as an exception to confidentiality at Sec.  3.206(d). We 
explained that, in order to perform investigations and compliance 
reviews to determine whether a violation occurred, the Secretary may 
need to have access to privileged and confidential patient safety work 
product and that we believe Congress could not have intended the 
privilege and confidentiality protections of the Patient Safety Act to 
impede such enforcement by prohibiting access to necessary information 
by the Secretary. Thus, the proposed provision would have allowed 
disclosure of patient safety work product to and by the Secretary for 
enforcement purposes, including the introduction of such information 
into ALJ or Board proceedings, disclosure by the Board to properly 
review determinations or to provide records for court review, as well 
as disclosure during investigations by OCR or activities in reviewing 
PSO certifications by AHRQ. Patient safety work product disclosed under 
this proposed exception would have remained privileged and confidential 
pursuant to proposed Sec.  3.208, and proposed Sec.  3.312 limited the 
Secretary to only disclosing identifiable patient safety work product 
obtained in connection with an investigation or compliance review for 
enforcement purposes or as otherwise permitted by the proposed rule or 
Patient Safety Act.
    We also explained in the preamble to the proposed rule that the 
privilege provisions in the Patient Safety Act would not bar the 
Secretary from using patient safety work product for compliance and 
enforcement activities related to the HIPAA Privacy Rule. This 
interpretation was based on the statutory provision at section 
922(g)(3) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(3), 
which provides that the Patient Safety Act does not affect the 
implementation of the HIPAA Privacy Rule.
    Overview of Public Comments: We received one comment in support of 
and no comments opposed to this proposed provision.
    Final Rule: The final rule adopts the proposed provision, but 
expands it to expressly provide that patient safety work product also 
may be disclosed to or by the Secretary as needed to investigate or 
determine compliance with or to impose a civil money penalty under the 
HIPAA Privacy Rule. This new language implements the statutory 
provision at section 922(g)(3) of the Public Health Service Act, 42 
U.S.C. 299b-22(g)(3), which, as explained above, makes clear that the 
Patient Safety Act is not intended to affect implementation of the 
HIPAA Privacy Rule. Given the significant potential for an alleged 
impermissible disclosure to implicate both this rule's confidentiality 
provisions, as well as the HIPAA Privacy Rule, the Secretary may 
require access to privileged patient safety work product for purposes 
of determining compliance with the HIPAA Privacy Rule. The Secretary 
will use such information consistent with the statutory prohibition 
against imposing civil money penalties under both authorities for the 
same act.
    With respect to this rule, the provision, as it did in the proposed 
rule, makes clear that privilege does not apply to patient safety work 
product disclosed to or by the Secretary if needed to investigate or 
determine compliance with this rule, or to make or support decisions 
with respect to listing of a PSO. This may include access to and 
disclosure of patient safety work product to enforce the 
confidentiality provisions of the rule, to make or support decisions 
regarding the acceptance of certification and listing as a PSO, or to 
revoke such acceptance and to delist a PSO, or to assess or verify PSO 
compliance with the rule.
2. Section 3.206--Confidentiality of Patient Safety Work Product
    Proposed Sec.  3.206 described the confidentiality protection of 
patient safety work product, as well as the exceptions from 
confidentiality protection.
(A) Section 3.206(a)--Confidentiality
    Proposed Rule: Proposed Sec.  3.206(a) would have established the 
general principle that patient safety work product is confidential and 
shall not be disclosed by anyone holding the patient safety work 
product, except as permitted or required by the rule.
    Overview of Public Comments: We received no comments directly in 
reference to this provision.
    Final Rule: The final rule adopts this proposed provision.
(B) Section 3.206(b)--Exceptions to confidentiality
    Proposed Rule: Proposed Sec.  3.206(b) described the exceptions to 
confidentiality, or permitted disclosures. The preamble to the proposed 
rule explained that there were several overarching principles that

[[Page 70773]]

applied to these exceptions from confidentiality. First, these 
exceptions were ``permissions'' to disclose patient safety work product 
and the holder of the information retained full discretion whether to 
disclose. Further, as the proposed rule was a Federal baseline of 
protection, a provider, PSO, or responsible person could impose more 
stringent confidentiality policies and procedures on patient safety 
work product and condition the release of patient safety work product 
within these exceptions by contract, employment relationship, or other 
means. However, the Secretary would not enforce such policies or 
private agreements. Second, when exercising discretion to disclose 
patient safety work product, we encouraged providers, PSOs, and 
responsible persons to attempt to disclose the amount of information 
commensurate with the purpose of the disclosure and to disclose the 
least amount of identifiable patient safety work product appropriate 
for the disclosure even if that was less than what would otherwise be 
permitted by the rule and regardless of whether the information 
continued to be protected under the rule after the disclosure. Third, 
the proposal prohibited persons receiving patient safety work product 
from redisclosing it except as permitted by the rule, and we requested 
comment on whether there were any negative implications of limiting 
redisclosures in such a manner.
    We also described how the proposal would work with respect to 
entities also subject to the Privacy Act and/or the HIPAA Privacy Rule. 
We explained that agencies subject to the Patient Safety Act and the 
Privacy Act, 5 U.S.C. 552a, must comply with both statutes when 
disclosing patient safety work product. This means that, for agencies 
subject to both laws, a disclosure of patient safety work product could 
only be made if permitted by both laws. The Privacy Act permits 
agencies to make disclosures pursuant to established routine uses. See 
5 U.S.C. 552a(a)(7); 552a(b)(3); and 552a(e)(4)(D). Accordingly, we 
recommended that Federal agencies that maintain a Privacy Act system of 
records containing information that is patient safety work product 
include routine uses that will permit the disclosures allowed by the 
Patient Safety Act. For HIPAA covered entities, we explained that when 
a patient's protected health information is encompassed within patient 
safety work product, any disclosure of such information also must 
comply with the HIPAA Privacy Rule.
    Overview of Public Comments: Some commenters expressed general 
support for the narrowly drawn exceptions to confidentiality in the 
proposed rule, while one commenter expressed concern that the 
exceptions were unnecessarily complex to accomplish their purpose. 
Several commenters asked that the final rule include additional 
exceptions to confidentiality or disclosure permissions. For example, 
some commenters suggested that the final rule permit the disclosure of 
patient safety work product to federal, state, and local agencies to 
fulfill mandatory reporting requirements. Other commenters suggested an 
exception be created to permit the disclosure of patient safety work 
product to state survey agencies, regulatory bodies, or to any federal 
or state agency for oversight purposes. Another commenter requested 
that the final rule include a disclosure permission for emergency 
circumstances similar to the HIPAA Privacy Rule disclosure at 45 CFR 
164.512(j), allowing a PSO to disclose patient safety work product if 
it determines a pattern of harm and that disclosure is necessary to 
prevent an individual from harming a person or the public. One 
commenter, however, believed the proposed rule contained too many 
exceptions to confidentiality, and thus, did not adequately protect 
patient safety work product; this commenter suggested that some 
disclosure permissions be eliminated in the final rule but did not 
recommend which ones.
    Several commenters responded to the question regarding whether 
there were any negative implications of limiting redisclosures as 
outlined in the proposed rule. These commenters supported the 
limitations on redisclosures of patient safety work product in the 
proposed rule; we received no comments identifying any negative 
implications of this limitation. One commenter, however, noted that the 
redisclosures should be governed by the HIPAA Privacy and Security 
Rules.
    Finally, some commenters sought clarification regarding preemption. 
Several commenters asked whether the federal patient safety work 
product protections preempted existing State law that permitted or 
required disclosure of similar types of records. Other commenters asked 
whether greater State law protections continue to exist alongside 
patient safety work product protections, stating that some providers 
may decide not to participate with a PSO if they would lose existing 
State law protections.
    Final Rule: The final rule generally adopts the proposed 
provisions, with some modifications as explained below in the specific 
discussions of the individual disclosure permissions. The disclosure 
permissions in this section reflect those provided by the statute, and 
the Secretary has no authority to eliminate or neglect to implement 
certain of the provisions. Further, the statute provides only limited 
authority to the Secretary to expand the disclosure permissions. See, 
for example, section 922(c)(2)(F) of the Public Health Service Act, 42 
U.S.C. 299b-22(c)(2)(F), providing the Secretary with authority to 
create permissions for disclosures that the Secretary may determine, by 
rule or other means, are necessary for business operations and are 
consistent with the goals of the statute. Thus, the final rule does not 
create any new, or eliminate any proposed, categories of disclosure 
permissions.
    With respect to those commenters who requested a disclosure 
permission be added to allow for the disclosure of patient safety work 
product to federal, state, and local agencies to fulfill mandatory 
reporting requirements or for oversight purposes, we disagree that such 
a modification is necessary. The final rule gives providers much 
flexibility in defining and structuring their patient safety evaluation 
system, as well as determining what information is to become patient 
safety work product and, thus, protected from disclosure. Providers can 
structure their systems in a manner that allows for the use of 
information that is not patient safety work product to fulfill their 
mandatory reporting obligations. See the discussion regarding the 
definition of ``patient safety work product'' in this preamble for more 
information. Further, as original medical and other records are 
expressly excepted from the definition of ``patient safety work 
product,'' providers always have the option of using those records to 
generate the reports necessary for their mandatory reporting 
obligations to federal, state, and local agencies.
    With respect to disclosures for emergency circumstances, the 
Patient Safety Act provides no general exception for such disclosures. 
However, patient safety work product may be disclosed under Sec.  
3.206(b)(10) to law enforcement if the disclosing party reasonably 
believes the patient safety work product contains information that 
constitutes a crime. For emergency circumstances that do not rise to 
the level of criminal conduct, the information necessary to identify 
and address such emergencies should be readily available and accessible 
in medical records and other original

[[Page 70774]]

documents that are not protected as patient safety work product.
    The final rule also adopts the redisclosure limitations of the 
proposed rule. As described above, commenters largely supported, and 
did not identify negative implications of, these restrictions. We 
discuss the individual redisclosure limitations below in the specific 
discussions regarding the disclosure permissions to which they apply. 
We note that the HIPAA Privacy and Security Rules will govern 
redisclosures of patient safety work product only to the extent that 
the redisclosures are made by a HIPAA covered entity and the patient 
safety work product encompasses protected health information.
    In response to the comments and questions regarding preemption, we 
note that the Patient Safety Act provides that, notwithstanding any 
other provision of Federal, State, or local law, and subject to the 
prescribed exceptions, patient safety work product shall be privileged 
and confidential. See sections 922(a) and (b) of the Public Health 
Service Act, 42 U.S.C. 299b-22(a) and (b). The statute also provides as 
rules of construction the following: (1) that the Patient Safety Act 
does not limit the application of other Federal, State, or local laws 
that provide greater privilege or confidentiality protections than 
those provided by the Patient Safety Act; and (2) the Patient Safety 
Act does not preempt or otherwise affect any State law requiring a 
provider to report information that is not patient safety work product. 
See section 922(g) of the Public Health Service Act, 42 U.S.C. 299b-
22(g). Thus, the patient safety work product protections provided for 
under the statute generally preempt State or other laws that would 
permit or require disclosure of information contained within patient 
safety work product. However, State laws that provide for greater 
protection of patient safety work product are not preempted and 
continue to apply.
Response to Other Public Comments
    Comment: Several commenters asked that the final rule discuss 
redisclosures in more detail and further explain the consequences of 
redisclosures.
    Response: A redisclosure, or ``further disclosure'' as described in 
the regulatory text, of patient safety work product, like a disclosure, 
is the release, transfer, provision of access to, or divulging in any 
other manner of patient safety work product by an entity or natural 
person holding the patient safety work product to another legally 
separate entity or natural person outside the entity holding the 
patient safety work product. Natural persons or entities who receive 
patient safety work product generally may further disclose such 
information pursuant to any of the disclosure permissions in the final 
rule at Sec.  3.206, except where expressly limited pursuant to the 
provision under which the natural person or entity received the 
information. These restrictions on further disclosures may be found at 
Sec. Sec.  3.206(b)(4)(ii) (disclosure to a contractor of a provider or 
PSO for patient safety activities), 3.206(b)(7) (disclosure to the Food 
and Drug Administration (FDA) and entities required to report to FDA), 
3.206(b)(8) (voluntary disclosure to an accrediting body), 3.206(b)(9) 
(business operations), and 3.206(b)(10) (disclosure to law 
enforcement). These limitations are described more fully below in the 
discussions concerning the disclosure permissions to which they apply. 
As with an impermissible disclosure, impermissible redisclosures are 
subject to enforcement by the Secretary and potential civil money 
penalties.
    Comment: Two commenters asked that we monitor the impact of the 
rule to ensure that it does not improperly impede the necessary sharing 
of patient safety work product.
    Response: As the rule is implemented, we will monitor its impact 
and consider whether any concerns that are raised by providers, PSOs, 
and others should be addressed through future modification to the rule 
or guidance, as appropriate.
(1) Section 3.206(b)(1)--Criminal Proceedings
    Proposed Rule: Proposed Sec.  3.206(b)(1) would have permitted the 
disclosure of identifiable patient safety work product for use in a 
criminal proceeding, if a court makes an in camera determination that 
the identifiable patient safety work product sought for disclosure 
contains evidence of a criminal act, is material to the proceeding, and 
is not reasonably available from other sources. See section 
922(c)(1)(A) of the Public Health Service Act, 42 U.S.C. 299b-
22(c)(1)(A). The proposed provision paralleled the exception to 
privilege at proposed Sec.  3.204(b)(1).
    As we explained in the proposed rule, the Patient Safety Act 
establishes that patient safety work product generally will continue to 
be privileged and confidential upon disclosure. See section 922(d)(1) 
of the Public Health Service Act, 42 U.S.C. 299b-22(d)(1) and Sec.  
3.208 of this rule. However, the Patient Safety Act limits the 
continued protection of patient safety work product disclosed for use 
in a criminal proceeding pursuant to this provision. In particular, 
patient safety work product disclosed pursuant to this provision 
continues to be privileged after disclosure but is no longer 
confidential. See section 922(d)(2)(A) of the Public Health Service 
Act, 42 U.S.C. 299b-22(d)(2)(A). We explained that this would mean, for 
example, that law enforcement personnel who obtain patient safety work 
product used in a criminal proceeding could further disclose that 
information because confidentiality protection would not apply; 
however, law enforcement could not seek to introduce the patient safety 
work product in another proceeding without a new in camera 
determination that would have complied with the privilege exception at 
proposed Sec.  3.204(b)(1).
    We also reminded entities that are subject to the HIPAA Privacy 
Rule that any disclosures pursuant to this provision that encompass 
protected health information also would need to comply with the HIPAA 
Privacy Rule's provision at 45 CFR 164.512(e) for disclosures pursuant 
to judicial proceedings. We explained that we expected court rulings 
following an in camera determination to be issued as a court order, 
which would satisfy the HIPAA Privacy Rule's requirements.
    Overview of Public Comments: We received no comments opposed to 
this provision.
    Final Rule: The final rule adopts the proposed provision.
Response to Other Public Comments
    Comment: One commenter asked that the final rule make clear that 
patient safety work product disclosed under this provision continues to 
be privileged and cannot be used or reused as evidence in any civil 
proceeding even though the information is no longer confidential.
    Response: The final rule makes this clear. See Sec.  3.208(b)(1).
(2) Section 3.206(b)(2)--Equitable Relief for Reporters
    Proposed Rule: The Patient Safety Act prohibits a provider from 
taking an adverse employment action against an individual who, in good 
faith, reports information to the provider for subsequent reporting to 
a PSO or to a PSO directly. See section 922(e)(1) of the Public Health 
Service Act, 42 U.S.C. 299b-22(e)(1). For purposes of this provision, 
adverse employment actions include loss of employment, failure to 
promote, or adverse evaluations or decisions regarding credentialing or 
licensing. See section 922(e)(2) of the Public Health Service Act, 42 U.S.C. 
299b-22(e)(2). The Patient Safety Act provides adversely affected 
reporters a civil right

[[Page 70775]]

of action to enjoin such adverse employment actions and obtain other 
equitable relief, including back pay or reinstatement, to redress the 
prohibited actions. See section 922(f)(4) of the Public Health Service Act, 42 
U.S.C. 299b-22(f)(4). To effectuate the obtaining of equitable relief 
under this provision, the Patient Safety Act provides that patient 
safety work product is not subject to the privilege protections or to 
the confidentiality protections. Thus, proposed Sec.  3.206(b)(2) would 
have permitted the disclosure of identifiable patient safety work 
product by an employee seeking redress for adverse employment actions 
to the extent that the information is necessary to permit the equitable 
relief. This proposed provision paralleled the privilege exception to 
permit equitable relief at proposed Sec.  3.204(b)(2). Also, in 
accordance with the statute, we proposed that once patient safety work 
product is disclosed pursuant to this provision, it would have remained 
subject to confidentiality and privilege protection in the hands of all 
subsequent holders and could not be further disclosed except as 
otherwise permitted by the rule.
    We also provided guidance with respect to the application of the 
HIPAA Privacy Rule if a covered entity (or its business associate) was 
making the disclosure and the patient safety work product included 
protected health information. In that regard, we explained that, under 
the HIPAA Privacy Rule at 45 CFR 164.512(e), when protected health 
information is sought to be disclosed in a judicial proceeding via 
subpoenas and discovery requests without a court order, the disclosing 
HIPAA covered entity must seek satisfactory assurances that the party 
requesting the information has made reasonable efforts to provide 
written notice to the individual who is the subject of the protected 
health information or to secure a qualified protective order.
    Finally, the proposed rule solicited comments on whether the 
obtaining of a protective order should be a condition of the disclosure 
under this provision or whether, instead, the final rule should require 
only a good faith effort to obtain a protective order as a condition of 
this disclosure.
    Overview of Public Comments: Two commenters expressed general 
support for the proposed provision, stating that it struck the 
appropriate balance between maintaining the confidentiality and 
privilege protections on patient safety work product and allowing 
reporters of patient safety work product to seek redress for adverse 
employment actions based upon their good faith reporting of this 
information to a PSO. Several commenters responded to the question 
posed in the proposed rule asking whether a protective order should be 
a condition of disclosure under this provision or if a good faith 
effort in obtaining a protective order should be sufficient. All of 
these commenters agreed that the obtaining of a protective order should 
be a condition of disclosure of patient safety work product under this 
provision.
    Final Rule: The final rule adopts the proposed disclosure 
permission at Sec.  3.206(b)(2) but conditions the permitted disclosure 
for equitable relief on the provision of a protective order by the 
court or administrative tribunal to protect the confidentiality of the 
patient safety work product during the course of the proceeding. 
Although patient safety work product remains confidential and 
privileged in the hands of all recipients after disclosure under this 
provision, we recognize that the sensitive nature of the patient safety 
work product warrants requiring a protective order as additional 
protection on this information. Because some participants and observers 
of a proceeding involving equitable relief for an adverse employment 
action may not be aware that certain information is protected as 
patient safety work product to which penalties attach for impermissible 
disclosures, requiring a protective order is prudent to ensure that 
patient safety work product is adequately protected and that 
individuals are put on notice of its protected status. As we explained 
in the proposed rule, such a protective order could take many forms 
that preserve the confidentiality of patient safety work product. For 
example, the order could limit the use of the information to case 
preparation, but not make it evidentiary. Or, the order might prohibit 
the disclosure of the patient safety work product in publicly 
accessible proceedings and in court records to prevent liability from 
moving to a myriad of unsuspecting parties.
    We recognize that, in some cases, a reporter seeking equitable 
relief may be unable to obtain a protective order from a court prior to 
making a necessary disclosure of patient safety work product, despite 
the reporter's good faith and diligent effort to obtain one. If the 
Secretary receives a complaint that patient safety work product was 
disclosed by a reporter seeking equitable relief, the Secretary has 
discretion not to impose a civil money penalty, if appropriate. While 
the final rule requires a protective order as a condition of 
disclosure, it is not the Secretary's intent to frustrate the obtaining 
of equitable relief provided for under the statute. Thus, the Secretary 
will review the circumstances of such complaints to determine whether 
to exercise his enforcement discretion to not pursue a civil money 
penalty.
(3) Section 3.206(b)(3)--Authorized by Identified Providers
    Proposed Rule: Proposed Sec.  3.206(b)(3) would have permitted a 
disclosure of patient safety work product when each provider identified 
in the patient safety work product separately authorized the 
disclosure. This provision paralleled the privilege exception at 
proposed Sec.  3.204(b)(3) and was based on section 922(c)(1)(C) of the 
Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(C). The proposed 
rule explained that patient safety work product disclosed under this 
exception would continue to be confidential pursuant to the continued 
confidentiality provisions at section 922(d)(1) of the Public Health 
Service Act, 42 U.S.C. 299b-22(d)(1), and persons would be subject to 
liability for further disclosures in violation of that confidentiality.
    We also explained that it would be insufficient to make 
identifiable information regarding a nonauthorizing provider 
nonidentifiable in lieu of obtaining an authorization. While we 
considered such an approach, we rejected it as impractical given that 
it seemed there would be very few, if any, situations in which a 
nonauthorizing provider could be nonidentified without also needing to 
nonidentify, or nearly so, an authorizing provider in the same patient 
safety work product.
    We encouraged persons disclosing patient safety work product to 
exercise discretion with respect to the scope of patient safety work 
product disclosed and to consider whether identifying information 
regarding reporters or patients was necessary, even though the statute 
required neither patient nor reporter authorization under this 
provision. We also explained that, if the disclosing entity is a HIPAA 
covered entity (or business associate), the HIPAA Privacy Rule, 
including the minimum necessary standard when applicable, would apply 
to the disclosure of protected health information contained within the 
patient safety work product. Further, if the disclosure was not also 
permitted under the HIPAA Privacy Rule, the patient information would 
need to be de-identified. We sought public comment as to whether the 
proposed approach was sufficient to protect the interests of reporters 
and patients identified in the patient safety work

[[Page 70776]]

product permitted to be disclosed pursuant to this provision.
    While the Patient Safety Act does not specify the form of the 
authorization under this exception, we proposed that an authorization 
be in writing, be signed by the authorizing provider, and contain 
sufficient detail to fairly inform the provider of the nature and scope 
of the disclosures being authorized. The proposed rule would not have 
required that any specific terms be included in the authorization, only 
that disclosures be made in accordance with the terms of the 
authorization, whatever they may be. We sought public comment on 
whether a more stringent standard would be prudent and workable, such 
as an authorization process that is disclosure specific.
    We also proposed that any authorization be maintained by the 
disclosing entity or person for a period of six years from the date of 
the last disclosure made in reliance on the authorization, the limit of 
time within which the Secretary must initiate an enforcement action.
    Overview of Public Comments: Several commenters responded that 
patients and reporters identified in patient safety work product are 
adequately protected by this regulation and by the HIPAA Privacy Rule 
for covered entities. Some commenters, however, suggested that the 
HIPAA Privacy Rule's minimum necessary standard be applied to 
disclosures under this provision so that only the minimum necessary 
amount of patient safety work product would be permitted to be 
disclosed.
    Several commenters also responded to the question of whether a 
stricter or more prescribed standard for the authorizations should be 
included in the final rule, the majority of whom stated that the 
authorization requirements outlined in the proposed rule were adequate. 
One commenter recommended that the final rule not regulate the terms of 
the provider authorization and that such terms be left to the parties. 
Another commenter suggested that provider authorizations be time-
limited, while other commenters asked for a model authorization form 
and that the final rule provide a process for revocation of 
authorizations.
    Final Rule: The final rule adopts the proposed provision. Thus, a 
provider, PSO, or responsible person may disclose identifiable patient 
safety work product if a valid authorization is obtained from each 
identified provider and the disclosure is consistent with such 
authorization. As in the proposed rule, such authorizations must be 
retained by the disclosing entity for six years from the date of the 
last disclosure made in reliance on the authorization and made 
available to the Secretary upon request. Further, as the Department 
agrees with those commenters who believed the specific terms of the 
provider authorizations should be left to the parties, the final rule, 
as in the proposed rule, requires only that the authorization of each 
of the identified providers be in writing and signed, and contain 
sufficient detail to fairly inform the provider of the nature and scope 
of the disclosures being authorized. Thus, the parties are free to 
define their own specific terms for provider authorizations, including 
any time limitations and to what extent and the process through which 
such authorizations are revocable. Given the final rule does not 
prescribe a particular form or the terms of provider authorizations 
under this provision, we do not believe providing a model authorization 
form is appropriate or feasible.
    With respect to patient and reporter identifiers, we continue to 
strongly encourage disclosers to consider how much patient safety work 
product is necessary, and whether patient or reporter identifiers are 
necessary, to accomplish the purpose of the authorized disclosure. 
However, this final rule does not include specific limitations on the 
disclosure of patient and reporter identifiers under this provision, so 
long as the disclosure is in accordance with the terms of the provider 
authorizations. In addition, the HIPAA Privacy Rule, including the 
minimum necessary or de-identification standard, as appropriate, 
continues to apply to the disclosure of any protected health 
information contained within the patient safety work product.
Response to Other Public Comments
    Comment: One commenter asked for clarification as to whether state 
laws requiring greater protection for patient safety work product would 
apply to disclosures pursuant to this provision.
    Response: Section 922(g)(1) of the Public Health Service Act, 42 
U.S.C. 299b-22(g)(1), provides that the Patient Safety Act does not 
limit the application of other Federal, State, or local laws that 
provide greater privilege or confidentiality protections than provided 
by the Act. Thus, state laws providing greater protection for patient 
safety work product are not preempted and would apply to disclosures of 
patient safety work product.
    Comment: One commenter expressed concern that this disclosure 
permission conflicts with the disclosure permission for patient safety 
activities at proposed Sec.  3.206(b)(4) because this disclosure 
permission does not allow the sharing of any provider information, even 
if made nonidentifiable, unless all providers identified in the patient 
safety work product authorize the disclosure, while the disclosure 
permission for patient safety activities allows the sharing of provider 
information between PSOs and between providers, as long as it is 
anonymized.
    Response: These disclosure permissions are separate and independent 
of one another and serve different purposes. Disclosures of patient 
safety work product may be made pursuant to either permission, provided 
the relevant conditions are met.
    Comment: One commenter expressed concern about the disclosure 
permission's prohibition on disclosing patient safety work product in 
nonidentifiable form with respect to a provider who has not authorized 
the disclosure of the information, stating that this construct would 
make the provision difficult to implement.
    Response: The final rule adopts the provisions of the proposed rule 
and does not permit patient safety work product to be disclosed if the 
information is rendered nonidentifiable with respect to a 
nonauthorizing provider. As explained above, there are likely few 
situations in which a nonauthorizing provider could be nonidentified 
without having to also nonidentify the authorizing providers in the 
patient safety work product to be disclosed under this provision. 
Therefore, allowing nonidentification of the nonauthorizing provider is 
impractical.
    Comment: One commenter recommended that a copy of the provider 
authorization be kept in a patient's file, if the provider's authorized 
disclosure of patient safety work product resulted in a disclosure of 
the patient's protected health information, so that these disclosures 
can be tracked and included in an accounting of disclosures as required 
by 45 CFR 164.528 of the HIPAA Privacy Rule.
    Response: While the commenter's suggestion may assist in complying 
with the HIPAA Privacy Rule's accounting of disclosures standard, we do 
not include such a requirement in the final rule. Given that the 
authorizations provided for under this provision are focused on the 
disclosure of the provider's identifiable information and that the 
specific terms of such authorizations will vary based on the 
circumstances of the disclosure and the parties, it is

[[Page 70777]]

unlikely that such authorizations will contain the information 
necessary for a HIPAA covered entity to meet its accounting obligations 
to the individual patient. Further, HIPAA covered entities are free to 
design and use approaches for compliance with the HIPAA Privacy Rule's 
accounting standard that are best suited to their business needs and 
information systems.
(4) Section 3.206(b)(4)--Patient Safety Activities
    Proposed Rule: Proposed Sec.  3.206(b)(4) would have permitted the 
disclosure of identifiable patient safety work product for patient 
safety activities (i) by a provider to a PSO or by a PSO to that 
disclosing provider; or (ii) by a provider or a PSO to a contractor of 
the provider or PSO; or (iii) by a PSO to another PSO or to another 
provider that has reported to the PSO, or by a provider to another 
provider, provided, in both cases, certain direct identifiers are 
removed. This proposed permissible disclosure provision was based on 
section 922(c)(2)(A) of the Public Health Service Act, 42 U.S.C. 299b-
22(c)(2)(A), which permits the disclosure of identifiable patient 
safety work product for patient safety activities. The proposed rule 
provided that, consistent with the statute, patient safety work product 
would remain privileged and confidential once disclosed under this 
provision.
    We explained in the proposed rule that patient safety activities 
are the core mechanism by which providers may disclose patient safety 
work product to obtain external expertise from PSOs and through which 
PSOs may aggregate information from multiple providers, and communicate 
feedback and analyses back to providers. Thus, the rule needs to 
facilitate such communications so that improvements in patient safety 
can occur. To realize this goal, the proposed rule at Sec.  
3.206(b)(4)(i) would have allowed for the disclosure of identifiable 
patient safety work product reciprocally between providers and the PSOs 
to which they have reported. This would allow PSOs to collect, 
aggregate, and analyze patient safety event information and disseminate 
findings and recommendations for safety and quality improvements.
    The proposed rule at Sec.  3.206(b)(4)(ii) also would have allowed 
for disclosures by providers and PSOs to their contractors who are not 
workforce members, recognizing that there may be situations where 
providers and PSOs want to engage contractors who are not agents to 
carry out patient safety activities. However, to ensure patient safety 
work product remained adequately protected in such cases, the proposed 
rule would have prohibited contractors from further disclosing patient 
safety work product, except to the provider or PSO from which they 
first received the information. We explained in the proposed rule that 
this limitation would not, however, preclude a provider or PSO from 
exercising its authority under section 922(g)(4) of the Public Health 
Service Act, 42 U.S.C. 299b-22(g)(4), to separately delegate its power 
to the contractor to make other disclosures. We also stated that, 
although the proposed rule did not require a contract between the 
provider or PSO and the contractor, we fully expected the parties to 
engage in prudent practices to ensure patient safety work product 
remained confidential.
    Further, to allow for more effective aggregation of patient safety 
work product, the proposal at Sec.  3.206(b)(4)(iii) would have allowed 
PSOs to disclose patient safety work product to other PSOs or to other 
providers that have reported to the PSO (but not about the specific 
event(s) to which the patient safety work product relates), and 
providers to disclose patient safety work product to other providers, 
for patient safety activities, as long as the patient safety work 
product was anonymized through the removal of direct identifiers of 
providers and patients. See proposed Sec.  3.206(b)(4)(iii)(A). In 
particular, to anonymize provider identifiers, the proposed rule would 
have required the removal of the following direct identifiers of any 
providers and of affiliated organizations, corporate parents, 
subsidiaries, practice partners, employers, members of the workforce, 
or household members of such providers: (1) Names; (2) postal address 
information, other than town or city, State and zip code; (3) telephone 
numbers; (4) fax numbers; (5) electronic mail addresses; (6) social 
security numbers or taxpayer identification numbers; (7) provider or 
practitioner credentialing or DEA numbers; (8) national provider 
identification number; (9) certificate/license numbers; (10) web 
universal resource locators; (11) internet protocol (IP) address 
numbers; (12) biometric identifiers, including finger and voice prints; 
and (13) full face photographic images and any comparable images. For 
patient identifiers, the proposed rule would have applied the HIPAA 
Privacy Rule limited data set standard. See 45 CFR 164.514(e). We 
explained in the proposed rule that removal of the required identifiers 
could be absolute or be done through encryption, provided the 
disclosing entity did not disclose the key to the encryption or the 
mechanism for re-identification.
    Recognizing that fully nonidentifiable patient safety work product 
may have limited usefulness due to the removal of key elements of 
identification, the proposed rule specifically sought public comment on 
whether there were any entities other than providers, PSOs, or their 
contractors that would need fully identifiable or anonymized patient 
safety work product for patient safety activities.
    The proposed rule also explained the intersection with the HIPAA 
Privacy Rule with respect to these disclosures, and noted that, as 
provided by the statute, PSOs would be treated as business associates 
and patient safety activities performed by, or on behalf of, a covered 
provider by a PSO would be deemed health care operations as defined by 
the HIPAA Privacy Rule. For a more detailed discussion of the 
application of the HIPAA Privacy Rule with respect to disclosures under 
this proposed provision, see the preamble to the proposed rule at 73 FR 
8146-8147. The proposed rule sought public comment on whether the HIPAA 
Privacy Rule definition of ``health care operations'' should be 
modified to include a specific reference to patient safety activities 
and whether the HIPAA Privacy Rule disclosure permission for health 
care operations should be modified to include a reference to patient 
safety activities.
    Overview of Public Comments: The commenters expressed general 
support for the reciprocal disclosure of patient safety work product 
between providers and PSOs for patient safety activities. Additionally, 
commenters expressed general support for the disclosure of patient 
safety work product by a PSO or provider to its contractor to carry out 
patient safety activities.
    Commenters also generally supported the proposed permissible 
disclosure of patient safety work product between PSOs for patient 
safety activities, between PSOs and other providers that have reported 
to that PSO, and between providers. However, many commenters expressed 
concern about the proposed rule requirement at Sec.  3.206(b)(4)(iii) 
to anonymize patient safety work product prior to disclosure. Some 
commenters stated that this requirement inappropriately limited a PSO's 
ability to share this information with other PSOs and could prevent 
PSOs from being able to identify duplicate reports of a single event 
coming from independent sources in the patient safety work product 
received from other

[[Page 70778]]

PSOs. One suggested that PSOs be able to share identifiable patient 
safety work product with other PSOs, while another commenter stated 
that provider names, addresses, and phone numbers should be included in 
patient safety work product to permit follow up contact with the 
provider and as a way to identify duplicate adverse event reports. This 
commenter suggested that PSOs be able to contract with other PSOs as 
their contractors so that they could share patient safety information 
that has not been anonymized with one another subject to Sec.  
3.206(b)(4)(ii), or alternatively, that the final rule allow PSOs to 
share patient safety work product identifying providers with other PSOs 
if a contract ensuring the confidentiality of this information is in 
place between the PSOs. Other commenters expressed concern that the 
anonymization requirement limited the ability of providers to use and 
disclose patient safety work product to other providers or students for 
educational, academic, or professional purposes. These commenters 
feared that the proposed rule would inhibit providers' ability to 
consult with other providers about patient safety events and requested 
clarification from the Department that the rule would not prohibit the 
disclosure of patient safety work product among physicians and other 
health care professionals, particularly for education purposes or for 
preventing or ameliorating harm.
    Many commenters also responded to the question in the proposed rule 
regarding whether the patient safety activities disclosure permission 
should be expanded to encompass additional entities. Commenters 
identified no additional entities to include in this disclosure 
permission; however, some commenters suggested that the Department 
monitor this provision so that exceptions for disclosures to additional 
entities may be made in the future if necessary.
    Final Rule: The final rule adopts without modification proposed 
Sec.  3.206(b)(4)(i) and Sec.  3.206(b)(4)(ii), permitting disclosure 
of patient safety work product for patient safety activities between 
providers and PSOs, and between providers or PSOs and their contractors 
that undertake patient safety activities on their behalf. In addition, 
the final rule modifies proposed Sec.  3.206(b)(4)(iii) with respect to 
disclosures to another PSO or provider, redesignates the provision as 
Sec.  3.206(b)(4)(iv), and adds a new Sec.  3.206(b)(4)(iii).
    New Sec.  3.206(b)(4)(iii) of the final rule permits disclosure of 
identifiable patient safety work product among affiliated providers for 
patient safety activities. Unlike disclosures between providers in 
Sec.  3.206(b)(4)(iv), the patient safety work product disclosed 
pursuant to this permission need not be anonymized prior to disclosure. 
An affiliated provider is defined in the final rule as ``with respect 
to a provider, a legally separate provider that is the parent 
organization of the provider, is under common ownership, management, or 
control with the provider, or is owned, managed, or controlled by the 
provider.'' See Sec.  3.20. This addition to the final rule is included 
in recognition that certain provider entities with a common corporate 
affiliation, such as integrated health systems, may have a need, just 
as a single legal entity, to share identifiable and non-anonymized 
patient safety work product among the various provider affiliates and 
their parent organization for patient safety activities and to 
facilitate, if desired, one corporate patient safety evaluation system. 
We emphasize that provider entities can choose not to use this 
disclosure mechanism if they believe that doing so would adversely 
affect provider participation, given that patient safety work product 
would be shared more broadly across the affiliated entities.
    The final rule adopts the disclosure permission for patient safety 
work product proposed at Sec.  3.206(b)(4)(iii) in the proposed rule; 
however, the final rule relocates this disclosure permission to Sec.  
3.206(b)(4)(iv) and retitles this section for clarity. This disclosure 
permission requires that patient safety work product disclosed for 
patient safety activities by a PSO to another PSO or to another 
provider that has reported to the PSO or by a provider to another 
provider must be anonymized through the removal of certain provider-
related direct identifiers listed in Sec.  3.206(b)(4)(iii)(A), as well 
as the removal of patient direct identifiers pursuant to the HIPAA 
Privacy Rule's limited data set standard at 45 CFR 164.514(e)(2).
    Although the final rule includes a provision for disclosure of 
fully identifiable patient safety work product among affiliated 
providers, we believe it is unnecessary to provide a similar provision 
that would allow for the sharing of identifiable and non-anonymized 
patient safety work product between PSOs since the final rule includes 
multiple avenues for secondary PSOs, i.e., those PSOs that do not have 
the direct reporting relationship with the provider, to receive 
provider identifiable data, if needed. In particular, the final rule 
allows: (1) A PSO receiving patient safety work product from a provider 
to contact that provider and recommend that the provider also report 
the patient safety work product to an additional PSO; (2) a provider 
reporting to a PSO to delegate its authority to the PSO to report its 
patient safety work product to an additional PSO; (3) a PSO to hire 
another PSO as a consultant to assist in the evaluation of patient 
safety work product received from a reporting provider, pursuant to 
Sec.  3.206(b)(4)(ii); and (4) a PSO to disclose identifiable and non-
anonymized patient safety work product to another PSO if it has 
obtained authorization to do so from each provider identified in the 
patient safety work product. See Sec.  3.206(b)(3).
    To address the concerns of providers generally that the rule would 
prohibit the disclosure of patient safety work product among physicians 
and other health care professionals, particularly for educational 
purposes or for preventing or ameliorating patient harm, we emphasize 
that the rule does not regulate uses of patient safety work product 
within a single legal entity. (However, we note that we have expressly 
defined as a disclosure the sharing of patient safety work product 
between a component PSO and the rest of the legal entity of which it is 
a part.) Thus, consistent with this policy, providers within a single 
legal entity are free to discuss and share patient safety work product 
in identifiable and non-anonymized form for educational, academic, or 
other professional purposes. We have made this policy clear in the 
final rule by modifying the definition of disclosure to apply only to 
the release, transfer, provision of access to, or divulging in any 
other manner of patient safety work product by: (1) an entity or 
natural person holding the patient safety work product to another 
legally separate entity or natural person outside the entity holding 
the patient safety work product; or (2) a component PSO to another 
entity or natural person outside the component organization. Further, 
as described above, the new provision at Sec.  3.206(b)(4)(iii) allows 
the sharing of fully identifiable patient safety work product among 
affiliated providers. However, if providers wish to disclose patient 
safety work product to other providers outside of their legal entity or 
to non-affiliated providers, the information must be anonymized subject 
to Sec.  3.206(b)(4)(iv)(A) and (B) or disclosed subject to another 
applicable disclosure permission.
Response to Other Public Comments
    Comment: One commenter asked that the final rule prohibit the

[[Page 70779]]

recommendations made by a PSO from being introduced as evidence of a 
standard of care or for other purposes in a judicial or administrative 
proceeding.
    Response: A recommendation made by a PSO is patient safety work 
product to which the privilege and confidentiality protections attach. 
Therefore, the information can only be disclosed through an applicable 
disclosure permission. However, as we explained in the proposed rule, 
while the recommendations themselves are protected, the corrective 
actions implemented by a provider, even if based on the protected 
recommendations from a PSO, are not patient safety work product.
    Comment: One commenter asked if permissible disclosures of patient 
safety work product for patient safety activities under this disclosure 
permission could include disclosures for credentialing, disciplinary, 
and peer review purposes.
    Response: The disclosure permission at Sec.  3.206(b)(4) of the 
final rule for patient safety activities does not encompass the 
disclosure of patient safety work product to an external entity or 
within an administrative proceeding for credentialing, disciplinary, or 
peer review purposes. However, as explained above, uses of patient 
safety work product within a legal entity are not regulated and thus, 
patient safety work product may be used within an entity for any 
purpose, including those described by the commenter, so long as such 
use does not run afoul of the statutory prohibition on a provider 
taking an adverse employment action against an individual based on the 
fact that the individual in good faith reported information either to 
the provider with the intention of having the information reported to a 
PSO or directly to a PSO. (Note, though, that we have expressly defined 
as a disclosure the sharing of patient safety work product between a 
component PSO and the rest of the legal entity of which it is a part.)
    Comment: One commenter suggested that PSOs should be required to 
maintain an accounting of all disclosures of patient safety work 
product containing individually identifiable health information in 
parallel to the HIPAA Privacy Rule requirement for covered entities. In 
order to further protect patient privacy, this commenter suggested that 
patients be made third party beneficiaries of the contracts between 
providers and PSOs.
    Response: A HIPAA covered entity is responsible for ensuring that 
disclosures of protected health information made by a PSO, as its 
business associate, are included in an accounting of disclosures to the 
extent such disclosures are subject to an accounting at 45 CFR 164.528. 
Further, the HIPAA Privacy Rule provides that a contract between a 
HIPAA covered entity and its business associate must require the 
business associate to make available to the covered entity the 
information it needs to comply with the HIPAA Privacy Rule's accounting 
standard. See 45 CFR 164.504(e). However, we expect that most 
permissible disclosures of patient safety work product that include 
protected health information will not be subject to the HIPAA Privacy 
Rule's accounting requirements. The HIPAA Privacy Rule's accounting 
standard does not require that disclosures made for health care 
operations be included in an accounting. See 45 CFR 164.528(a)(1)(i). 
Thus, because disclosures for patient safety activities at Sec.  
3.206(b)(4), business operations at Sec.  3.206(b)(9), or accreditation 
purposes at Sec.  3.206(b)(8) will generally be for the provider's 
health care operations, the provider does not need to account for these 
disclosures. Additionally, for disclosures of patient safety work 
product that are subject to the HIPAA Privacy Rule's accounting 
requirement, such as disclosures to the FDA and entities required to 
report to the FDA at Sec.  3.206(b)(7), the HIPAA Privacy Rule offers 
enough flexibility for a provider generally to provide an accounting of 
those disclosures without revealing the existence of patient safety 
work product. Therefore, we do not believe including a requirement 
directly on PSOs with respect to the HIPAA Privacy Rule's accounting 
standard is needed or appropriate. Nor do we agree that contracts 
between providers and PSOs should designate individuals as third party 
beneficiaries of such contracts. We believe the HIPAA Privacy Rule's 
existing provisions provide adequate protections for identifiable 
patient information that may be encompassed within patient safety work 
product; however, we also expect PSOs generally to disclose anonymized 
and nonidentifiable patient safety work product.
    Comment: Another commenter suggested that patient safety work 
product should be able to be used and disclosed in the same 
circumstances that protected health information can be used and 
disclosed under the HIPAA Privacy Rule for health care operations.
    Response: The final rule does not regulate ``uses'' of patient 
safety work product within a legal entity; thus, a provider, PSO, or 
responsible person may use patient safety work product for any purpose 
within the legal entity, including those considered ``health care 
operations'' for purposes of the HIPAA Privacy Rule. With respect to 
disclosures, however, we do not agree that expanding the disclosure 
permission in the manner suggested by the commenter is appropriate. The 
disclosure permissions in the final rule are carefully crafted to 
balance the need for the information to remain confidential with the 
need to disclose patient safety work product to effectuate the goals of 
the statute or for other limited purposes provided by the statute. With 
respect to disclosures for patient safety activities, while it is clear 
that patient safety activities are health care operations under the 
HIPAA Privacy Rule, only a subset of activities within the definition 
of ``health care operations'' are relevant to patient safety.
    Comment: One commenter asked for clarification about whether a 
provider can report a single patient safety event to multiple PSOs.
    Response: Providers are free to report patient safety work product 
to, and have relationships with, multiple PSOs.
    Comment: A commenter asked that the final rule explain the process 
for disclosing patient safety work product to the National Patient 
Safety Databank.
    Response: The Department intends to provide further guidance and 
information regarding the creation of and reporting to and among the 
network of patient safety databases, as part of implementation of 
section 923 of the Public Health Service Act, including information on 
common formats for collecting and disclosing nonidentifiable patient 
safety work product for such purposes. The Department announced the 
availability of, and sought comment on, common formats for common 
hospital-based patient safety events in the Federal Register on August 
29, 2008 (http://www.pso.ahrq.gov/formats/commonfmt.htm).
    Comment: One commenter suggested that the final rule require 
providers and PSOs to have written contracts in place with contractors 
who are not their agents but who will carry out patient safety 
activities on their behalf. Another commenter asked if the final rule 
will include a requirement similar to a business associate contract 
under the HIPAA Privacy Rule between PSOs and their contractors.
    Response: The final rule does not require providers and PSOs to 
have written contracts in place with contractors who are not their 
agents but who will carry out patient safety activities on their 
behalf. However, we expect that, in practice, such relationships will 
be governed by

[[Page 70780]]

contract, but we leave the terms of those relationships up to the 
parties. We note, though, that if a HIPAA covered entity hires a 
contractor to conduct patient safety activities on its behalf, which 
requires access to protected health information, the HIPAA Privacy Rule 
would require that a business associate agreement be in place prior to 
any disclosure of such information to the contractor. See 45 CFR 
164.502(e) and 164.504(e).
    Comment: Some commenters asked that the final rule provide 
clarification regarding the circumstances under which PSOs can disclose 
patient safety work product to other PSOs to aggregate this information 
for patient safety activities purposes.
    Response: Section 3.206(b)(4)(iv) of the final rule permits such 
disclosures, provided the patient safety work product is anonymized by 
removal of the direct identifiers of both providers and patients. Also, 
the final rule permits a PSO to disclose patient safety work product to 
another PSO if authorized by the identified providers as provided in 
Sec.  3.206(b)(3) or in non-identifiable form in accordance with Sec.  
3.206(b)(5). Finally, a provider reporting to a PSO may delegate its 
authority to the PSO to report its patient safety work product to an 
additional PSO, as provided by Sec.  3.206(e).
    Comment: A commenter suggested that a data use agreement be 
required when any information, including individually identifiable 
health information, is being shared through a limited data set.
    Response: If a HIPAA covered entity is sharing a limited data set, 
as defined by the HIPAA Privacy Rule, the covered entity must enter 
into a data use agreement with the recipient of the information. See 45 
CFR 164.504(e). For entities that are not covered by the HIPAA Privacy 
Rule, the final rule does not include such a requirement; however, we 
encourage such parties to engage in these and similar practices to 
further protect patient safety work product.
    Comment: Two commenters asked for clarification in the final rule 
about whether patient safety work product disclosed by a provider to a 
PSO or by a PSO to a provider can identify other providers regardless 
of whether they have also reported to that PSO. One commenter asked if 
the rule requires that authorization from all the identified providers 
is required before this disclosure can be made.
    Response: The final rule at Sec.  3.206(b)(4)(i) allows the 
disclosure of patient safety work product in identifiable form 
reciprocally between the provider and the PSO to which it reports. This 
information can contain information identifying other providers. If the 
patient safety work product is being disclosed between PSOs, between 
unaffiliated providers, or between a PSO and other providers that have 
reported to it, then the information must be anonymized prior to 
disclosure subject to Sec.  3.206(b)(4)(iv)(A) and (B). In addition, if 
a provider or PSO obtains authorizations from all providers identified 
in the patient safety work product, or if the patient safety work 
product is being shared among affiliated providers, then such 
information may be disclosed in identifiable form under Sec.  
3.206(b)(3) and 3.206(b)(4)(iii).
    Comment: Several commenters expressed concern about the 
anonymization requirement at proposed Sec.  3.206(b)(4)(iii)(A) and 
stated that a provider may be identifiable even if the patient safety 
work product is anonymized. One commenter suggested that zip codes 
should be included in the list of identifiers that must be removed from 
the patient safety work product. Other commenters felt that the 
anonymization standard was too strict.
    Response: We believe the anonymization standard in the final rule 
at Sec.  3.206(b)(4)(iv)(A) strikes the appropriate balance between the 
need to protect patient safety work product and the need for broader 
sharing of such information at an aggregate level, outside of the 
direct provider and PSO relationship, to achieve the goals of the 
statute and improve patient safety.
    Comment: We received several comments in response to the questions 
asked in the proposed rule about whether the HIPAA Privacy Rule 
definition of ``health care operations'' should include a specific 
reference to patient safety activities and whether the Privacy Rule 
disclosure permission for health care operations should be modified to 
conform to the disclosure for patient safety activities. These 
commenters expressed overwhelming support for modifying the HIPAA 
Privacy Rule's definition of ``health care operations'' to include such 
a specific reference and to aligning the disclosure permission for 
health care operations with that for patient safety activities. The 
commenters stated that including such specific references would make 
the intersection of both regulations clear, and would encourage patient 
safety discourse among providers and PSOs. One commenter stated that 
there was no need to modify the definition of ``health care 
operations'' because it already unambiguously encompassed patient 
safety activities. No commenters suggested that modifications to the 
Privacy Rule were necessary to address any workability issues.
    Response: OCR will consider these comments and will seek 
opportunity to address them in regulation or in guidance.
(5) Section 3.206(b)(5)--Disclosure of Nonidentifiable Patient Safety 
Work Product
    Proposed Rule: Proposed Sec.  3.206(b)(5) would have permitted the 
disclosure of nonidentifiable patient safety work product if the 
patient safety work product met the standard for nonidentification in 
proposed Sec.  3.212. See section 922(c)(2)(B) of the Public Health 
Service Act, 42 U.S.C. 299b-22(c)(2)(B). As described in proposed Sec.  
3.208(b)(ii), nonidentifiable patient safety work product, once 
disclosed, would no longer be privileged and confidential and thus, 
could be redisclosed by a recipient without any Patient Safety Act 
limitations or liability. Any provider, PSO or responsible person could 
nonidentify patient safety work product. See the discussion regarding 
Sec.  3.212 for more information about the nonidentification standard.
    Overview of Public Comments: We received no comments opposed to 
this proposed provision.
    Final Rule: The final rule adopts the proposed provision.
Response to Other Public Comments
    Comment: One commenter asked that the final rule require data use 
agreements for disclosures of nonidentifiable patient safety work 
product in cases where there is a chance for identification or 
reidentification of provider identities.
    Response: We emphasize that patient safety work product is 
considered nonidentifiable only if, either: (1) the statistical method 
at Sec.  3.212(a)(1) is used and there is a very small risk that the 
information could be used, alone or in combination with other 
reasonably available information, by an anticipated recipient to 
identify an identified provider; or (2) the identifiers listed at Sec.  
3.212(a)(2) are stripped and the person making the disclosure does not 
have actual knowledge that the remaining information could be used, 
alone or in combination with other information that is reasonably 
available to the intended recipient, to identify a provider. Thus, the 
commenter should consider whether the information about which it is 
concerned would be nonidentifiable for purposes of this rule. Further, 
while the final rule does not require that the disclosure of 
nonidentifiable patient safety work product be conditioned on

[[Page 70781]]

an agreement between the parties to the disclosure, we note that 
providers, PSOs, and responsible persons are free to contract or enter 
into agreements that place further conditions on the release of patient 
safety work product, including in nonidentifiable form, than required 
by the final rule. See Sec.  3.206(e).
    Comment: Several commenters stated that identifiable information 
about nondisclosing providers should not be disclosed and that adequate 
safeguards should be in place to ensure that information identifying 
nondisclosing providers is not released. These commenters also 
suggested that AHRQ set up a workgroup to evaluate the standards and 
approaches set forth in the proposed rule.
    Response: The nonidentification standard at Sec.  3.212 of the 
final rule addresses the commenters' concern by requiring either that: 
(1) a statistician determine, with respect to information, that the 
risk is very small that the information could be used, alone or in 
combination with other reasonably available information, by an 
anticipated recipient to identify an identified provider; or (2) all of 
the provider-related identifiers listed at Sec.  3.212(a)(2) be removed 
and the provider, PSO, or responsible person making the disclosure not 
have actual knowledge that the information could be used, alone or in 
combination with other information that is reasonably available to the 
intended recipient, to identify the particular provider.
(6) Section 3.206(b)(6)--For Research
    Proposed Rule: Proposed Sec.  3.206(b)(6) would have allowed the 
disclosure of identifiable patient safety work product to entities 
carrying out research, evaluations, or demonstration projects that are 
funded, certified, or otherwise sanctioned by rule or other means by 
the Secretary. See section 922(c)(2)(C) of the Public Health Service 
Act, 42 U.S.C. 299b-22(c)(2)(C). We explained in the proposed rule that 
this disclosure permission was only for research sanctioned by the 
Secretary. We also explained that we expected that most research that 
may be subject to this disclosure permission would be related to the 
methodologies, analytic processes, and interpretation, feedback and 
quality improvement results from PSOs, rather than general medical, or 
even health services, research. Patient safety work product disclosed 
for research under this provision would continue to be confidential and 
privileged.
    Section 922(c)(2)(C) of the Public Health Service Act, 42 U.S.C. 
299b-22(c)(2)(C), requires that patient safety work product which 
identifies patients may only be released to the extent that protected 
health information would be disclosable for research purposes under the 
HIPAA Privacy Rule. We interpreted this provision as requiring HIPAA 
covered entities to ensure any disclosures of patient safety work 
product under this provision that also include protected health 
information comply with the HIPAA Privacy Rule's research provisions. 
Accordingly, the proposal incorporated by reference 45 CFR 164.512(i) 
of the HIPAA Privacy Rule, which generally requires a covered entity to 
obtain documentation of a waiver (or alteration of waiver) of 
authorization by either an Institutional Review Board (IRB) or a 
Privacy Board prior to using or disclosing protected health information 
without the individual's authorization.
    We noted that our interpretation of the statute would not impact 
the disclosure of identifiable patient safety work product by entities 
or persons that are not HIPAA covered entities. We also explained that 
the incorporation by reference of the HIPAA Privacy Rule should provide 
for the proper alignment of disclosures for research purposes under the 
two rules. However, the exception under the Patient Safety Act also 
refers to evaluations and demonstration projects, some of which may not 
meet the definition of research under the HIPAA Privacy Rule because 
they may not result in generalizable knowledge but rather may fall 
within the HIPAA Privacy Rule's definition of ``health care 
operations.'' We stated that, in such cases, HIPAA covered entities 
disclosing patient safety work product that includes protected health 
information under this exception could do so without violation of the 
HIPAA Privacy Rule. See the definition of ``health care operations'' at 
45 CFR 164.501 of the HIPAA Privacy Rule.
    Overview of Public Comments: We received no comments in reference 
to this provision.
    Final Rule: The final rule adopts the proposed provision, except 
that the specific reference to ``45 CFR 164.512(i)'' is deleted. We 
have included only a general reference to the HIPAA Privacy Rule in 
recognition of the fact that disclosures of patient safety work product 
containing protected health information pursuant to this provision 
could be permissible under the HIPAA Privacy Rule under provisions 
other than 45 CFR 164.512(i), such as, for example, disclosures for 
health care operations pursuant to 45 CFR 164.506, or disclosures of a 
limited data set for research purposes pursuant to 45 CFR 164.514(e).
(7) Section 3.206(b)(7)--To the Food and Drug Administration
    Proposed Rule: Section 922(c)(2)(D) of the Public Health Service 
Act, 42 U.S.C. 299b-22(c)(2)(D), permits the disclosure by a provider 
to the Food and Drug Administration (FDA) with respect to a product or 
activity regulated by the FDA. Proposed Sec.  3.206(b)(7) would have 
implemented this provision by permitting providers to disclose patient 
safety work product concerning products or activities regulated by the 
FDA to the FDA or to an entity required to report to the FDA concerning 
the quality, safety, or effectiveness of an FDA-regulated product or 
activity. The proposed rule also would have permitted the sharing of 
patient safety work product between the FDA, entities required to 
report to the FDA, and their contractors concerning the quality, 
safety, or effectiveness of an FDA-regulated product or activity. 
Patient safety work product disclosed pursuant to this disclosure 
permission would continue to be privileged and confidential.
    We specifically sought public comment on our interpretation that 
the statutory language concerning reporting ``to the FDA'' included 
reporting by the provider to persons or entities regulated by the FDA 
and that are required to report to the FDA concerning the quality, 
safety, or effectiveness of an FDA-regulated product or activity. We 
proposed this interpretation to allow providers to report to entities 
that are required to report to the FDA, such as drug manufacturers, 
without violating this rule, and asked if including such language would 
bring about any unintended consequences for providers.
    We further proposed at Sec.  3.206(b)(7)(ii) that the FDA and 
entities required to report to the FDA may only further disclose 
patient safety work product for the purpose of evaluating the quality, 
safety, or effectiveness of that product or activity and such further 
disclosures would only be permitted between the FDA, entities required 
to report to the FDA, their contractors, and the disclosing providers. 
Thus, for example, the FDA or a drug manufacturer receiving adverse 
drug event information that is patient safety work product may engage 
in further communications with the disclosing provider(s), for the 
purpose of evaluating the quality, safety, or effectiveness of the 
particular regulated product or activity, or may work with their 
contractors. Moreover, an entity regulated by the FDA may further 
disclose the information to the FDA. The proposed provision also would

[[Page 70782]]

have prohibited contractors receiving patient safety work product under 
this provision from further disclosing such information, except to the 
entity from which they received the information.
    Finally, we explained that the HIPAA Privacy Rule at 45 CFR 
164.512(b) permits HIPAA covered entities to disclose protected health 
information concerning FDA-regulated activities and products to persons 
responsible for collection of information about the quality, safety, 
and effectiveness of those FDA-regulated activities and products. 
Therefore, disclosures under this exception of patient safety work 
product containing protected health information would be permitted 
under the HIPAA Privacy Rule.
    Overview of Public Comments: We received general support in the 
public comments for the express reference to FDA-regulated entities 
within this disclosure permission; only one commenter opposed this 
provision. Some commenters asked that the final rule provide examples 
of the types of disclosures that might occur to FDA-regulated entities, 
and one commenter suggested that if such disclosures are permitted, the 
final rule should include a comprehensive list of acceptable 
disclosures to these entities. Another commenter noted that if 
disclosures to FDA-regulated entities are permitted under this 
disclosure permission, the final rule should limit the use of patient 
safety work product to the purposes stated in the statute and should 
prohibit the use of this information for marketing purposes. No 
commenters identified any unintended consequences of including FDA-
regulated entities within the disclosure permission.
    Final Rule: The final rule adopts the provisions of the proposed 
rule at Sec.  3.206(b)(7), including the express reference to FDA-
regulated entities. We also modify the title of the provision to 
reflect that disclosures to such entities are encompassed within the 
disclosure permission. As explained in the proposed rule, we believe 
including FDA-regulated entities within the scope of the disclosure 
permission is consistent with both the rule of construction in the 
statute which preserves required reporting to the FDA, as well as the 
goals of the statute which are to improve patient safety. See section 
922(g)(6) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(6). In 
addition, the final rule includes modifications to more clearly 
indicate who can receive patient safety work product under this 
provision, as well as what further disclosures may be made of such 
information. Specifically, Sec.  3.206(b)(7)(i) now makes clear that a 
provider may disclose patient safety work product concerning an FDA-
regulated product or activity to the FDA, an entity required to report 
to the FDA concerning the quality, safety, or effectiveness of an FDA-
regulated product or activity, or a contractor acting on behalf of FDA 
or such entity for these purposes. Further, Sec.  3.206(b)(7)(ii) 
clarifies that the FDA, its regulated entity entitled to receive 
information under this provision, and their contractors may share 
patient safety work product received under this provision for the 
purpose of evaluating the quality, safety, or effectiveness of that 
product or activity among themselves, as well as with the disclosing 
provider.
    We do not include a comprehensive list of acceptable disclosures to 
FDA-regulated entities as it would be impractical to do so. As we 
explained in the proposed rule, drug, device, and biological product 
manufacturers are required to report adverse experiences to the FDA and 
currently rely on voluntary reports from product users, including 
providers. Further, the analysis of events by a provider or PSO that 
constitutes patient safety work product may generate information that 
should be reported to the FDA or FDA-regulated entity because it 
relates to the safety or effectiveness of an FDA-regulated product or 
activity. This provision allows providers to report such information 
without violating the confidentiality provisions of the statute or 
rule. However, we emphasize that, despite this disclosure permission, 
we expect that most reporting to the FDA and its regulated entities 
will be done with information that is not patient safety work product, 
as is done today. This disclosure permission is intended to allow for 
reporting to the FDA or FDA-regulated entity in those special cases 
where, only after an analysis of patient safety work product, does a 
provider realize it should make a report. As in the proposed rule, 
patient safety work product disclosed pursuant to this provision 
remains privileged and confidential.
Response to Other Public Comments
    Comment: Five commenters asked that the final rule allow PSOs as 
well as providers to disclose or report patient safety work product to 
the FDA or to an entity that is required to report to the FDA.
    Response: We do not modify the provision as there is no statutory 
authority to allow PSOs to report patient safety work product to the 
FDA or to an entity required to report to the FDA. However, the statute 
does permit providers to report patient safety work product to the FDA 
or to an entity required to report to the FDA.
    Comment: One commenter asked for clarification as to whether lot 
numbers and device identifiers and serial numbers may be reported to 
the FDA under this disclosure permission.
    Response: Section 3.206(b)(7) would allow such information 
contained within patient safety work product to be reported to FDA 
provided it concerned an FDA-regulated product or activity.
(8) Section 3.206(b)(8)--Voluntary Disclosure to an Accrediting Body
    Proposed Rule: Proposed Sec.  3.206(b)(8) would have permitted the 
voluntary disclosure of identifiable patient safety work product by a 
provider to an accrediting body that accredits that disclosing 
provider. See section 922(c)(2)(E) of the Public Health Service Act, 42 
U.S.C. 299b-22(c)(2)(E). Patient safety work product disclosed pursuant 
to this proposed exception would remain privileged and confidential.
    This provision would have allowed a provider to disclose patient 
safety work product that identifies that disclosing provider. Further, 
the proposed rule would not have required that patient safety work 
product be nonidentifiable as to nondisclosing providers. The proposed 
rule specifically sought public comment on whether patient safety work 
product should be anonymized with respect to nondisclosing providers 
prior to disclosure to an accrediting body under this provision.
    The proposed rule also provided that an accrediting body could not 
take an accreditation action against a provider based on that 
provider's participation, in good faith, in the collection, reporting 
or development of patient safety work product. It also would have 
prohibited accrediting bodies from requiring a provider to reveal its 
communications with any PSO.
    Overview of Public Comments: Several commenters responded to the 
question of whether the final rule should require the anonymization of 
patient safety work product with respect to nondisclosing providers, 
all of which supported such a requirement. Another commenter noted that 
the final rule should expressly prohibit accrediting bodies from taking 
accreditation actions against nondisclosing providers based upon the 
patient safety work product reported to them by disclosing providers.
    Final Rule: In light of the comments received, the final rule 
modifies the proposed provision at Sec.  3.206(b)(8) to condition the 
voluntary disclosure by a provider of patient safety work product

[[Page 70783]]

to an accrediting body that accredits the provider on either: (1) the 
agreement of the nondisclosing providers to the disclosure; or (2) the 
anonymization of the patient safety work product with respect to any 
nondisclosing providers identified in the patient safety work product, 
by removal of the direct identifiers listed at Sec.  
3.206(b)(4)(iv)(A). Direct identifiers of the disclosing providers do 
not need to be removed. We also note that the final rule does not 
prescribe the form of the agreement obtained from non-disclosing 
providers. Providers are free to design their own policies for 
obtaining such agreements. Some institutional providers may, for 
example, make it a condition of employment or privileges that providers 
agree to the disclosure of patient safety work product to accrediting 
bodies. In addition, unlike the provision at Sec.  3.206(b)(3) of the 
final rule, with respect to any of the non-disclosing providers 
identified in the patient safety work product, the disclosing provider 
need either obtain the provider's agreement or anonymize the provider's 
information.
Response to Other Public Comments
    Comment: Several commenters stated that they did not support this 
disclosure permission allowing voluntary disclosures of patient safety 
work product to accrediting bodies due to possible unintended 
consequences of these disclosures. Another commenter asked that we be 
aware of punitive actions by regulatory organizations as a result of 
voluntary disclosures to accrediting bodies and monitor this process 
carefully for any unintended consequences.
    Response: The disclosure permission allowing providers to 
voluntarily disclose patient safety work product to accrediting bodies 
is prescribed by the statute and thus, is included in this final rule. 
However, as described above, the final rule requires either 
anonymization or agreement with respect to non-disclosing providers as 
a condition of the disclosure. This provision, along with the express 
prohibition at Sec.  3.206(b)(8)(iii) on an accrediting body taking an 
accrediting action against a provider based on a good faith 
participation of the provider in the collection, development, 
reporting, or maintenance of patient safety work product should 
alleviate commenter concerns.
    Comment: One commenter asked if the regulation allowed accrediting 
bodies to disclose patient safety work product to CMS as part of a 
commitment to advise CMS of adverse accreditation decisions.
    Response: The final rule prohibits accrediting bodies from further 
disclosing patient safety work product they have voluntarily received 
from providers under Sec.  3.206(b)(8).
    Comment: One commenter asked if survey and licensure bodies were 
considered to be accrediting bodies and thus, precluded from taking 
action against providers who voluntarily submit patient safety work 
product to them.
    Response: Survey and licensure bodies are not accrediting bodies 
and are not treated as such under this provision. Thus, such entities 
are not entitled to receive patient safety work product voluntarily 
from providers under this provision.
    Comment: Two commenters expressed concern about this disclosure 
permission for accrediting bodies that create component PSOs. One 
commenter stated that allowing accrediting bodies to create component 
PSOs creates a potential conflict of interest that may adversely affect 
provider organizations. If an accrediting body's component organization 
is a PSO, the commenter asked how OCR will determine whether the 
component organization improperly disclosed information or whether the 
accrediting body received the information voluntarily from a provider.
    Response: Providers are free to choose the PSOs with which they 
want to work. We expect that any selection by a provider will involve a 
thorough vetting and consideration of a number of factors, including 
whether the PSO is a component of an accrediting body and if so, what 
assurances are in place to protect against improper access by the 
accrediting body to patient safety work product. Component 
organizations have clear requirements to maintain patient safety work 
product separately from parent organizations. Further, the final rule 
recognizes that a disclosure from a component organization to a parent 
organization is a disclosure which must be made pursuant to one of the 
permissions set forth in the statute and here; disclosures for which 
there is no permission are subject to enforcement by the Department and 
imposition of civil money penalties, and may adversely impact 
the PSO's continued listing by the Secretary as a PSO. Should OCR 
receive a complaint or conduct a compliance review that implicates an 
impermissible disclosure by a component PSO of an accrediting body, OCR 
will investigate and review the particular facts and circumstances 
surrounding the alleged impermissible disclosure, including, if 
appropriate, whether the accrediting body received the patient safety 
work product directly from a provider pursuant to Sec.  3.206(b)(8).
    Comment: One commenter asked that the final rule allow accrediting 
bodies to use voluntarily reported patient safety work product in 
accreditation decisions, or that the final rule give accrediting bodies 
immunity from liability that might arise from their failure to take 
this patient safety work product into account in their accreditation 
decisions. This commenter also stated that, since accrediting bodies 
cannot take action based on information voluntarily disclosed pursuant 
to this provision, the final rule should make clear that accrediting 
bodies cannot be held responsible for decisions that might have been 
different if the accrediting body had been able to act based on the 
patient safety work product received.
    Response: We clarify that the final rule, as the proposed rule, 
does not prohibit an accrediting body from using patient safety work 
product voluntarily reported by a provider pursuant to this provision 
in its accreditation decisions with respect to that provider. Thus, it 
is not necessary nor is it appropriate for the Secretary to give 
accrediting bodies immunity from liability. However, an accrediting 
body may not require a provider to disclose patient safety work 
product, or take an accrediting action against a provider who refuses 
to disclose patient safety work product, to the accrediting body. See 
section 922(d)(4)(B) of the Public Health Service Act, 42 U.S.C. 299b-
22(d)(4)(B), and Sec.  3.206(b)(8)(iii), which expressly prohibits an 
accrediting body from taking an accrediting action against a provider 
based on the good faith participation of the provider in the 
collection, development, reporting, or maintenance of patient safety 
work product in accordance with the statute.
    Comment: One commenter asked if the limitation on redisclosure of 
voluntarily reported patient safety work product received by an 
accrediting body applies if the information sent to the accrediting 
body was not patient safety work product at the time the accrediting 
body received the information, but was later reported, by the provider 
to a PSO and became protected.
    Response: If the information submitted to an accrediting body was 
not patient safety work product as defined at Sec.  3.20 at the time it 
was reported, then Sec.  3.206(b)(8), including the redisclosure 
limitation, does not apply to such information.
    Comment: One commenter asked that the final rule clarify that the 
disclosure of patient safety work product to an accrediting body is 
voluntary.

[[Page 70784]]

    Response: Section 3.208(b)(8) expressly provides only for the 
voluntary reporting of patient safety work product, provided the 
conditions are met. We do not see a need for further clarification.
(9) Section 3.206(b)(9)--Business Operations
    Proposed Rule: Proposed Sec.  3.206(b)(9) would have allowed 
disclosures of patient safety work product by a provider or a PSO to 
professionals such as attorneys and accountants for the business 
operations purposes of the provider or PSO. See section 922(c)(2)(F) of 
the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(F). Under the 
proposed rule, such contractors could not further disclose patient 
safety work product, except to the entity from which it received the 
information. However, the proposed rule made clear that a provider or 
PSO still would have had the authority to delegate its power to the 
contractor to make other disclosures. In addition, the proposed rule 
provided that any patient safety work product disclosed pursuant to 
this provision continued to be privileged and confidential.
    The Patient Safety Act gives the Secretary authority to designate 
additional exceptions as necessary business operations that are 
consistent with the goals of the statute. The proposed rule sought 
public comment regarding whether there are any other consultants or 
contractors, to whom a business operations disclosure should also be 
permitted, or whether the Secretary should consider any additional 
exceptions under this authority. The proposed rule noted that the 
Secretary would designate additional exceptions only through 
regulation; however, it asked if other mechanisms for the adoption of 
business operations exceptions should be adopted or incorporated.
    The proposed rule also explained that a business operations 
designation by the Secretary that enables a HIPAA covered entity to 
disclose patient safety work product containing protected health 
information to professionals is permissible as a health care operations 
disclosure under the HIPAA Privacy Rule. See 45 CFR 164.506. Generally, 
such professionals will be business associates of the covered entity, 
which will require that a business associate agreement be in place. See 
45 CFR 160.103, 164.502(e), and 164.504(e).
    Overview of Public Comments: Several commenters expressed general 
support for the business operations disclosures to attorneys, 
accountants, and other professionals in the proposed rule. We also 
received several responses to the question asking if the final rule 
should allow for any additional disclosures under the business 
operations provision. Three commenters stated that the final rule 
should not include any additional business operations disclosures. 
Others asked that the business operations disclosure permission be 
broad enough to encompass all the activities defined as ``health care 
operations'' in the HIPAA Privacy Rule, which would then include 
disclosures to entities such as photocopy shops, document storage 
services, shredding companies, IT support companies, and other entities 
involved in a PSO's management or administration. Other commenters 
suggested that disclosures of patient safety work product to 
independent contractors, professional liability insurance companies, 
captives, and risk retention groups be included as disclosures for 
business operations under this provision in the final rule.
    All commenters responding to the question about how the Secretary 
should adopt additional business operations stated that additional 
business operations should be adopted only through the rulemaking 
process.
    Final Rule: The final rule adopts the proposed provision, allowing 
disclosure of patient safety work product by a provider or a PSO for 
business operations to attorneys, accountants, and other professionals. 
The final rule allows disclosure of patient safety work product to 
these professionals who are bound by legal and ethical duties to 
maintain the confidence of their clients and the confidentiality of 
client information, including patient safety work product. These 
professionals will provide a broad array of services to and functions 
for the providers and PSOs with whom they are contracted and will need 
access to patient safety work product to perform their duties. We are 
not persuaded by the comments of a need to expand, at this time, the 
disclosure permission to encompass other categories of persons or 
entities. However, as described in the proposed rule, should the 
Secretary seek in the future to designate additional business 
operations exceptions to be encompassed within this disclosure 
permission, he will do so through regulation to provide adequate 
opportunity for public comment.
    With respect to many of the other entities identified by the 
commenters, we note that, to the extent the services provided by such 
entities are necessary for the maintenance of patient safety work 
product or the operation of a patient safety evaluation system, or 
otherwise support activities included in the definition of ``patient 
safety activities'' at Sec.  3.20 of this rule, these disclosures may 
be made to such contractors pursuant to Sec.  3.206(b)(4)(ii).
Response to Other Public Comments
    Comment: Two commenters suggested that the final rule include a 
requirement for a contract between providers or PSOs and their 
attorneys, accountants, and other professionals to whom patient safety 
work product will be disclosed as a business operation.
    Response: We do not require a contract as a condition of disclosure 
in the final rule. However, we agree that a contract between these 
parties is a prudent business practice and expect that parties will 
enter into appropriate agreements to ensure patient safety work product 
remains protected. Further, where HIPAA covered entities are concerned, 
we note that the HIPAA Privacy Rule requires that such entities have a 
business associate agreement in place with professionals providing 
services that require access to protected health information.
(10) Section 3.206(b)(10)--Disclosure to Law Enforcement
    Proposed Rule: Proposed Sec.  3.206(b)(10) would have permitted the 
disclosure of identifiable patient safety work product to law 
enforcement authorities, so long as the person making the disclosure 
believes--and that belief is reasonable under the circumstances--that 
the patient safety work product disclosed relates to a crime and is 
necessary for criminal law enforcement purposes. See section 
922(c)(2)(G) of the Public Health Service Act, 42 U.S.C. 299b-
22(c)(2)(G). The proposed rule provided that patient safety work 
product disclosed under this provision would remain privileged and 
confidential.
    The proposed rule also provided that the law enforcement entity 
receiving the patient safety work product could use the patient safety 
work product to pursue any law enforcement purposes; however, the 
recipient law enforcement entity could only redisclose the information 
to other law enforcement authorities as needed for law enforcement 
activities related to the event that necessitated the original 
disclosure. The proposed rule sought comment regarding whether these 
provisions would allow for legitimate law enforcement needs, while 
ensuring appropriate protections.
    Overview of Public Comments: Commenters responding to the question 
in the proposed rule regarding whether this disclosure permission would 
allow

[[Page 70785]]

for legitimate law enforcement needs while ensuring that information 
remain appropriately protected stated that the proposed disclosure 
permission was appropriate and did permit legitimate disclosures to law 
enforcement.
    Final Rule: The final rule adopts the proposed provision with 
slight modification for purposes of clarification only. We add the word 
``only'' to the final rule to clarify that law enforcement receiving 
patient safety work product pursuant to this exception may only further 
disclose this information to other law enforcement authorities as 
needed for law enforcement activities related to the event that gave 
rise to the original disclosure.
Response to Other Public Comments
    Comment: Two commenters suggested that the statutory standard of 
reasonable belief was vague and that clarity was needed to reduce the 
uncertainty of disclosures and to further define what could constitute 
a reasonable belief. Another commenter noted that the phrase ``relates 
to a crime and is necessary for criminal law enforcement purposes'' is 
too broad and leaves too much discretion to entities such as PSOs.
    Response: The final rule provision at Sec.  3.206(b)(10) generally 
repeats the statutory provision upon which it is based, which provides 
that the disclosure of patient safety work product be permitted if it 
relates to the commission of a crime and the person making the 
disclosure believes, reasonably under the circumstances, that the 
patient safety work product is necessary for criminal law enforcement 
purposes. See section 922(c)(2)(G) of the Public Health Service Act, 42 
U.S.C. 299b-22(c)(2)(G).
    Comment: One commenter expressed concern regarding the redisclosure 
of patient safety work product to law enforcement under this disclosure 
permission. The commenter stated that there could be successive 
disclosures of protected information to law enforcement without 
consideration of whether there is a reasonable belief that the 
redisclosure is necessary for criminal law enforcement purposes. 
Another commenter recommended that this disclosure permission should 
expressly prohibit patient safety work product from being used against 
patients who are identified in the patient safety work product but who 
are not the subject of the criminal act for which the information was 
originally disclosed.
    Response: We believe Sec.  3.206(b)(10) addresses the commenters' 
concerns by expressly limiting law enforcement's redisclosure of 
patient safety work product received pursuant to the provision to other 
law enforcement authorities as needed for law enforcement activities 
related to the event that gave rise to the initial disclosure. Thus, 
law enforcement is not permitted to further disclose the patient safety 
work product for the enforcement of a crime unrelated to the crime for 
which the patient safety work product was originally disclosed to the 
law enforcement entity.
    Comment: One commenter stated that the proposed rule represented an 
expansion of the statutory language because it allowed persons to 
disclose patient safety work product to law enforcement entities in the 
absence of an active law enforcement investigation and in the absence 
of a request for this information by law enforcement.
    Response: The statute does not require that a law enforcement 
entity be involved in an active investigation or that a law enforcement 
entity request information prior to a person making a disclosure of 
patient safety work product to a law enforcement entity pursuant to 
this disclosure permission. See section 922(c)(2)(G) of the Public Health 
Service Act, 42 U.S.C. 299b-22(c)(2)(G).

(C) Section 3.206(c)--Safe Harbor

    Proposed Rule: Proposed Sec.  3.206(c) would have prohibited the 
disclosure of a subject provider's identity with information, whether 
oral or written, that: (1) assesses that provider's quality of care; or 
(2) identifies specific acts attributable to such provider. See section 
922(c)(2)(H) of the Public Health Service Act, 42 U.S.C. 299b-
22(c)(2)(H). This provision would have been only applicable to 
providers. Patient safety work product disclosed under this exception 
could identify providers, reporters or patients so long as the 
provider(s) that were the subject of the actions described were 
nonidentified. The proposed rule would have required that 
nonidentification be accomplished in accordance with the 
nonidentification standard set forth in proposed Sec.  3.212.
    Overview of Public Comments: We received no comments opposed to 
this provision.
    Final Rule: The final rule adopts the proposed provision.
Response to Other Public Comments
    Comment: Several commenters suggested that the safe harbor 
provision be extended to PSOs as well as providers. One commenter noted 
that there was no reason to exclude PSOs from this provision and 
including PSOs would provide them with the same leeway for inadvertent 
disclosures of patient safety work product as providers.
    Response: The statute expressly limits the safe harbor provision to 
providers. Therefore, we do not have the authority to extend this 
provision to PSOs.

(D) Section 3.206(d)--Implementation and Enforcement of the Patient 
Safety Act

    Proposed Rule: Proposed Sec.  3.206(d) would have permitted the 
disclosure of relevant patient safety work product to or by the 
Secretary as needed for investigating or determining compliance with or 
to seek or impose civil money penalties with respect to this Part or 
for making or supporting PSO certification or listing decisions, under 
the Patient Safety Act. Patient safety work product disclosed under 
this exception would remain confidential.
    Overview of Public Comments: We received no comments in reference 
to this provision.
    Final Rule: Consistent with the changes made to Sec.  3.204(c) with 
respect to privilege, the final rule adopts the proposed provision, but 
expands it to expressly provide that patient safety work product also 
may be disclosed to or by the Secretary as needed to investigate or 
determine compliance with or to impose a civil money penalty under the 
HIPAA Privacy Rule. This new language implements the statutory 
provision at section 922(g)(3) of the Public Health Service Act, 42 
U.S.C. 299b-22(g)(3), which makes clear that the Patient Safety Act is 
not intended to affect implementation of the HIPAA Privacy Rule. As in 
the privilege context, given the significant potential for an alleged 
impermissible disclosure to implicate both this rule's confidentiality 
provisions, as well as the HIPAA Privacy Rule, the Secretary may 
require access to confidential patient safety work product for purposes 
of determining compliance with the HIPAA Privacy Rule. The Secretary 
will use such information consistent with the statutory prohibition 
against imposing civil money penalties under both authorities for the 
same act.
    With respect to this rule, the final rule, as in the proposed rule, 
makes clear that disclosures of patient safety work product to or by 
the Secretary are permitted to investigate or determine compliance with 
this rule, or to make or support decisions with respect to listing of a 
PSO. This may include access to and disclosure of patient safety work 
product to enforce the confidentiality provisions of the rule, to make 
or support decisions regarding the

[[Page 70786]]

acceptance of certification and listing as a PSO, or to revoke such 
acceptance and to delist a PSO, or to assess or verify PSO compliance 
with the rule.
Response to Other Public Comments
    Comment: Several commenters asked the Secretary to use judicious 
restraint when requesting patient safety work product for compliance 
and enforcement activities. Some of these commenters also asked that 
the Secretary reserve his full enforcement power for only the most 
egregious violations of the confidentiality provisions.
    Response: We acknowledge the commenters' concerns regarding the 
disclosure of patient safety work product for enforcement purposes. As 
we explained in the proposed rule, we strongly believe in the 
protection of patient safety work product as provided by the Patient 
Safety Act. However, confidentiality protections are meaningless 
without the ability to enforce breaches of the protections, 
investigations of which may require access to confidential patient 
safety work product. Further, Sec.  3.310 of the final rule provides 
the Secretary with authority to obtain access to only that patient 
safety work product and other information that is pertinent to 
ascertaining compliance with the rule's confidentiality provisions.
    Also, as we explained in the proposed rule, we will seek to 
minimize the risk of improper disclosure of patient safety work product 
by using and disclosing patient safety work product only in limited and 
necessary circumstances, and by limiting the amount of patient safety 
work product disclosed to that necessary to accomplish the purpose. 
Further, Sec.  3.312 of the final rule expressly prohibits the 
Secretary from disclosing identifiable patient safety work product 
obtained by the Secretary in connection with an investigation or 
compliance review except as permitted by Sec.  3.206(d) for compliance 
and enforcement or as otherwise permitted by the rule or the Patient 
Safety Act.
    See the discussion of the provisions of Subpart D of the final rule 
for more information on how the Secretary may exercise discretion in 
enforcement.

(E) Section 3.206(e)--No Limitation on Authority To Limit or Delegate 
Disclosure or Use

    Proposed Rule: Proposed Sec.  3.206(e) would have established that 
a person holding patient safety work product may enter into a contract 
that requires greater confidentiality protections or may delegate its 
authority to make a disclosure in accordance with this Subpart. Neither 
the statute nor the proposed rule limited the authority of a provider 
to place limitations on disclosures or uses.
    Overview of Public Comments: We received no comments opposed to 
this provision.
    Final Rule: The final rule adopts the proposed provision.
Response to Other Public Comments
    Comment: One commenter suggested that providers and PSOs should not 
be able to enter into agreements that would prohibit the disclosure of 
patient safety work product to report a crime or to comply with state 
reporting requirements.
    Response: The Patient Safety Act expressly provides that it does 
not preempt or otherwise affect any State law requiring a provider to 
report information that is not patient safety work product. See section 
922(g)(5) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(5). 
Further, patient safety work product does not include original medical 
and other records. Thus, nothing in the final rule or the statute 
relieves a provider from his or her obligation to disclose information 
from such original records or other information that is not patient 
safety work product to comply with state reporting or other laws. 
Moreover, the final rule at Sec.  3.206(b)(10)(i) permits providers and 
PSOs to disclose patient safety work product to report a crime to a law 
enforcement authority provided that the disclosing person reasonably 
believes that the patient safety work product that is disclosed is 
necessary for criminal law enforcement purposes. However, the 
Department cannot, through this rule, prevent such agreements because 
the Patient Safety Act, at section 922(g)(4) of the Public Health 
Service Act, 42 U.S.C. 299b-22(g)(4), specifically provides that the 
Act cannot be construed ``to limit the authority of any provider, 
patient safety organization, or other entity to enter into a contract 
requiring greater confidentiality'' than that provided under the Act.
3. Section 3.208--Continued Protection of Patient Safety Work Product
    Proposed Rule: Proposed Sec.  3.208 provided that the privilege and 
confidentiality protections would continue to apply to patient safety 
work product following disclosure and also described the narrow 
circumstances when the protections terminate. See section 922(d) of the 
Public Health Service Act, 42 U.S.C. 299b-22(d). In particular, the 
proposed rule would have provided two exceptions to the continued 
protection of patient safety work product. The first was an exception 
to continued confidentiality protection when patient safety work 
product is disclosed for use in a criminal proceeding, pursuant to 
Sec.  3.206(b)(1). See section 922(d)(2)(A), 42 U.S.C. 299b-
22(d)(2)(A). The second exception to continued protection was in 
circumstances where patient safety work product is disclosed in 
nonidentifiable form, pursuant to Sec. Sec.  3.204(b)(4) and 
3.206(b)(5). See section 922(d)(2)(B), 42 U.S.C. 299b-22(d)(2)(B).
    The proposed rule would not have required the labeling of 
information as patient safety work product or that disclosure of 
patient safety work product be accompanied by a notice as to either the 
fact that the information disclosed is patient safety work product or 
that it is confidential. The proposed rule did acknowledge that both 
practices may be prudent business practices.
    Overview of Public Comments: We received several comments 
suggesting that the final rule require that patient safety work product 
be labeled as such or that a recipient of patient safety work product 
be given notice of the protected status of the information received. 
Commenters suggested that putting recipients of patient safety work 
product on notice about the sensitive and confidential nature of the 
information would assure and encourage appropriate treatment of this 
information.
    Final Rule: The final rule adopts this proposed provision but does 
not require that patient safety work product be labeled or that 
disclosing parties provide recipients of patient safety work product 
with notice that they are receiving protected information. We believe 
imposing a labeling or notice requirement would be overly burdensome on 
entities. We do, however, expect providers, PSOs, and responsible 
persons holding patient safety work product to treat and safeguard such 
sensitive information appropriately and encourage such persons to 
consider whether labeling or notice may be an appropriate safeguard in 
certain circumstances. Further, we note that the final rule provides 
that information that is documented as within a patient safety 
evaluation system for reporting to a PSO is patient safety work 
product. In addition, the final rule allows patient safety work product 
to be removed from a patient safety evaluation system and no longer 
considered patient safety work product if it has not yet been reported 
to a PSO and its removal is documented. See the definition of ``patient 
safety work product'' at Sec.  3.20. These

[[Page 70787]]

documentation provisions may assist in identifying, and putting persons 
on notice as to, what is and is not protected information.
Response to Other Public Comments
    Comment: With respect to Sec. Sec.  3.206(b)(2), 3.206(b)(3), 
3.206(b)(8), 3.206(b)(9), and 3.206(b)(10), commenters asked that the 
final rule emphasize the fact that subsequent holders of patient safety 
work product are subject to the privilege and confidentiality 
provisions when they receive the patient safety work product pursuant 
to a privilege or confidentiality exception and that this patient 
safety work product cannot be subpoenaed, ordered, or entered into 
evidence in a civil or criminal proceeding through any of these 
exceptions.
    Response: Section 3.208 makes clear that, with limited exceptions, 
patient safety work product continues to be privileged and confidential 
upon disclosure.
    Comment: One commenter expressed concern over the proposed rule's 
statement that an impermissible disclosure of patient safety work 
product, even if unintentional, does not terminate the confidentiality 
of the information and that individuals and entities receiving this 
patient safety work product may be subject to civil money penalties. 
The commenter stated that the applicability of this broad statement to 
third and fourth party recipients of patient safety work product could 
violate the First Amendment and expressed concern with the possibility 
that the Secretary would seek to impose a civil money penalty upon a 
newspaper for printing patient safety information.
    Response: Section 3.208 implements the statutory provision that 
patient safety work product continues to be privileged and confidential 
upon disclosure, including when in the possession of the person to whom 
the disclosure was made. See section 922(d) of the Public Health 
Service Act, 42 U.S.C. 299b-22(d). To encourage provider reporting of 
sensitive patient safety information, Congress saw a need for strong 
privilege and confidentiality protections that continue to apply 
downstream even after disclosure, regardless of who holds the 
information. With respect to the commenter's concern regarding 
``unintentional'' disclosures, we note that the Secretary has 
discretion to elect not to impose civil money penalties for an 
impermissible disclosure of patient safety work product, in appropriate 
circumstances. Thus, if it is determined, through a complaint 
investigation or a compliance review, that an impermissible disclosure 
of patient safety work product has been made, the Secretary will 
examine each situation based on the individual circumstances and make 
an appropriate determination about whether to impose a civil money 
penalty. See the discussion regarding Subpart D of this final rule for 
a more extensive discussion of the Secretary's enforcement discretion. 
Finally, with respect to the commenter's First Amendment concerns, we 
do not believe the confidentiality provisions afforded to patient 
safety work product in the statute and the rule contravene the First 
Amendment.
4. Section 3.210--Required Disclosure of Patient Safety Work Product to 
the Secretary
    Proposed Rule: Proposed Sec.  3.210 would have required providers, 
PSOs, and other persons holding patient safety work product to disclose 
such information to the Secretary upon a determination by the Secretary 
that such patient safety work product is needed for the investigation 
and enforcement activities related to this Part, or is needed in 
seeking and imposing civil money penalties.
    Overview of Public Comments: We received no comments opposed to 
this provision.
    Final Rule: The final rule adopts the proposed provision but 
expands it to encompass disclosures of patient safety work product 
needed for investigation and enforcement activities with respect to the 
HIPAA Privacy Rule, consistent with changes made to Sec. Sec.  3.204(c) 
and 3.206(d). As in the proposed rule, the final rule makes clear that, 
with respect to this rule, providers, PSOs, and responsible persons 
must disclose patient safety work product to the Secretary upon request 
when needed to investigate or determine compliance with this rule, or 
to make or support decisions with respect to listing of a PSO. This may 
include disclosure of patient safety work product to the Secretary as 
necessary to enforce the confidentiality provisions of the rule, to 
make or support decisions regarding the acceptance of certification and 
listing as a PSO, or to revoke such acceptance and to delist a PSO, or 
to assess or verify PSO compliance with the rule.
Response to Other Public Comments
    Comment: Several commenters suggested that disclosures to the 
Secretary be limited to only the patient safety work product that is 
needed for the Secretary's activities.
    Response: Section 3.210 requires disclosure of patient safety work 
product only in those cases where the Secretary has determined that 
such information is needed for compliance or enforcement of this rule 
or the HIPAA Privacy Rule or for PSO certification or listing. Further, 
during an investigation or compliance review, Sec.  3.310(c) requires a 
respondent to provide the Secretary with access to only that 
information, including patient safety work product, that is pertinent 
to ascertaining compliance with this rule.
5. Section 3.212--Nonidentification of Patient Safety Work Product
    Proposed Rule: Proposed Sec.  3.212 would have established the 
standard by which patient safety work product would be rendered 
nonidentifiable, implementing section 922(c)(2)(B) of the Public Health 
Service Act, 42 U.S.C. 299b-22(c)(2)(B). Under the Patient Safety Act 
and this Part, identifiable patient safety work product includes 
information that identifies any provider or reporter or contains 
individually identifiable health information under the HIPAA Privacy 
Rule (see 45 CFR 160.103). See section 921(2) of the Public Health 
Service Act, 42 U.S.C. 299b-21(2). By contrast, nonidentifiable patient 
safety work product does not include information that permits 
identification of any provider, reporter or subject of individually 
identifiable health information. See section 921(3) of the Public 
Health Service Act, 42 U.S.C. 299b-21(3).
    The proposed rule explained that because individually identifiable 
health information as defined in the HIPAA Privacy Rule is one element 
of identifiable patient safety work product, the de-identification 
standard provided in the HIPAA Privacy Rule would apply with respect to 
the patient-identifiable information in the patient safety work 
product. Therefore, where patient safety work product contained 
individually identifiable health information, the proposal would have 
required that the information be de-identified in accordance with 45 
CFR 164.514(a)-(c) to qualify as nonidentifiable patient safety work 
product with respect to individually identifiable health information 
under the Patient Safety Act.
    Further, with respect to providers and reporters, the proposal 
imported and adapted the HIPAA Privacy Rule's standards for de-
identification. In particular, the proposal included two methods by 
which nonidentification could be accomplished: (1) A statistical method 
of nonidentification and (2) the removal of 15 specified categories of 
direct identifiers of providers or reporters and of parties related to 
the providers and reporters, including

[[Page 70788]]

corporate parents, subsidiaries, practice partners, employers, 
workforce members, or household members, and that the discloser have no 
actual knowledge that the remaining information, alone or in 
combination with other information reasonably available to the intended 
recipient, could be used to identify any provider or reporter, i.e., a 
contextual nonidentification standard. In addition, the proposal would 
have permitted a provider, PSO, or other disclosing entity or person to 
assign a code or other means of record identification to allow 
information made nonidentifiable to be re-identified by the disclosing 
person, provided certain conditions were met.
    The proposal specifically invited comment on the proposed standards 
and approaches and asked whether it would be possible to include any 
geographical identifiers, and if so, at what level of detail (state, 
county, zip code). We also requested comment regarding whether there 
were alternative approaches to standards for entities determining when 
health information could reasonably be considered nonidentifiable.
    Overview of Public Comments: We received a variety of comments 
addressing the nonidentification standard. One commenter supported the 
proposed methodologies for nonidentification, while several commenters 
expressed concern that the nonidentification standard was too strict 
and rendered patient safety work product useless to its recipients. One 
commenter was concerned that imposing an inflexible, stringent 
nonidentification standard would impede the future disclosures of 
aggregated patient safety information that the commenter currently 
makes. Some of these commenters proposed alternatives to the proposed 
nonidentification standard, such as considering information 
nonidentified even if it contains dates of treatment and geographic 
identifiers as long as data of a certain threshold number of providers 
was aggregated or eliminating the nonidentification standard entirely 
and applying a less stringent anonymization standard. In contrast, 
several other commenters expressed concern that the nonidentification 
standard was too flexible, was inadequate to truly nonidentify 
information and protect provider identities, and could be too easily 
reverse engineered.
    Final Rule: The final rule adopts this proposed provision with only 
a minor technical change to incorporate by reference the direct 
identifiers listed at Sec.  3.206(b)(4)(iv)(A) of the anonymization 
standard, as appropriate, to eliminate unnecessary duplication of such 
elements in the regulatory text. Therefore, persons wishing to 
nonidentify patient safety work product must remove the direct 
identifiers listed in the anonymization standard at Sec.  
3.206(b)(4)(iv)(A)(1) through (13), as well as any additional 
geographic subdivisions smaller than a State that are not required to 
be removed by Sec.  3.206(b)(4)(A)(2), e.g., town or city, all elements 
of dates (except year) that are directly related to a patient safety 
incident or event, and any other unique identifying number, 
characteristic, or code (except as permitted for reidentification). We 
were not persuaded by commenters that changes to the standard were 
necessary, especially given the lack of consensus among commenters as 
to whether the standard was too stringent or not stringent enough. 
Further, commenters did not offer suggestions as to potential 
alternative approaches to nonidentification. Additionally, because this 
rule's nonidentification standard with respect to providers and 
reporters is adapted from the HIPAA Privacy Rule's de-identification 
standard and, with respect to individuals, incorporates the HIPAA 
Privacy Rule's de-identification standard, this approach minimizes 
complexity and burden for entities that are subject to both regulatory 
schemes.
Response to Other Public Comments
    Comment: One commenter expressed concern over the possibility that 
provider identities could be derived from nonidentifiable patient 
safety work product and asked that the final rule require a party 
disclosing identifiable information to produce evidence, if challenged, 
of how the information was obtained if not via nonidentifiable patient 
safety work product. Another commenter suggested that the final rule 
include a provision that prohibits the use or disclosure of any 
individually identifiable information that was obtained via the use of 
nonidentifiable patient safety work product. Finally, another commenter 
suggested that keys to reidentification of nonidentifiable patient 
safety work product be protected from discovery and should be protected 
as patient safety work product to prevent reidentification by 
unintended parties.
    Response: We believe that the nonidentification standard in the 
final rule, which is based upon the existing HIPAA Privacy Rule's de-
identification standard, is appropriate and sufficient to protect the 
identities of providers. With respect to protection of reidentification 
keys, we note that Sec.  3.212(a)(3) prohibits a provider, PSO, or 
responsible party disclosing nonidentifiable patient safety work 
product from also disclosing the mechanism for reidentification. If a 
reidentification key is disclosed along with patient safety work 
product that would otherwise be nonidentifiable, then such information 
is identifiable patient safety work product to which the privilege and 
confidentiality protections attach.
    Comment: One commenter asked to whom patient safety work product 
must be made nonidentifiable and whether information is adequately 
nonidentifiable despite the ability of a provider or patient involved 
in the event to recognize their case.
    Response: Under Sec.  3.212(a)(1), patient safety work product is 
rendered nonidentifiable if a determination is made, applying generally 
accepted statistical and scientific principles, that the risk is very 
small that the information could be used, alone or in combination with 
other reasonably available information, by an anticipated recipient to 
identify a provider or reporter. Similarly, under Sec.  3.212(a)(2), 
patient safety work product is rendered nonidentifiable if the listed 
identifiers are stripped and the provider, PSO or responsible person 
making the disclosure does not have actual knowledge that the 
information could be used, alone or in combination with other 
information that is reasonably available to the intended recipient, to 
identify the particular provider or reporter. So long as the remaining 
information meets either of these two standards, such information is 
considered nonidentifiable for purposes of this rule, despite the 
hypothetical ability of a provider or patient involved in the event to 
recognize their case.
    Comment: One commenter asked for clarification that 
nonidentification can be accomplished through either the statistical 
method or through the safe harbor method but that entities are not 
required to nonidentify patient safety work product subject to both 
methods.
    Response: We clarify that either method may be used to render 
information nonidentifiable for purposes of this rule.

D. Subpart D--Enforcement Program

    Subpart D of the final rule establishes a framework to enable the 
Secretary to monitor and ensure compliance with this Part, a process 
for imposing a civil money penalty for breach of the confidentiality 
provisions, and procedures for a hearing contesting a civil money 
penalty. The provisions in

[[Page 70789]]

Subpart D are modeled largely on the HIPAA Enforcement Rule at 45 CFR 
Part 160, Subparts C, D and E. This will maintain a common approach to 
enforcement and appeals of civil money penalty determinations based on 
section 1128A of the Social Security Act, 42 U.S.C. 1320a-7a, upon 
which both the HIPAA and Patient Safety Act penalties are based, as 
well as minimize complexity for entities that are subject to both 
regulatory schemes. This enforcement scheme also provides the Secretary 
maximum flexibility to address confidentiality violations so as to 
encourage participation in patient safety activities and achieve the 
goals of the Patient Safety Act.
    General Comments: Several commenters expressed support for the 
decision to base this rule's enforcement regime on the HIPAA 
Enforcement Rule and noted that the HIPAA Enforcement Rule was properly 
adapted to the patient safety context. However, two commenters 
expressed concern that basing the enforcement regime in this rule on 
the HIPAA Enforcement Rule will be insufficient to adequately address 
and penalize violations of the confidentiality provisions because of 
the Department's approach to enforcement of the HIPAA Privacy Rule. One 
commenter argued that this might cause providers to decide against 
reporting the most serious patient safety events, and therefore, would 
undermine the purpose of the statute.
    Response to General Comments: The Department believes that modeling 
this rule's enforcement provisions on the existing HIPAA Enforcement 
Rule is prudent and appropriate. As noted above, such an approach 
grants the Secretary maximum flexibility to address violations of the 
confidentiality provisions, relies on an existing and established 
enforcement regime, and minimizes complexity for entities subject to 
both the Patient Safety Act and HIPAA.
1. Sections 3.304, 3.306, 3.308, 3.310, 3.312, 3.314--Compliance and 
Investigations
    Proposed Rule: Sections 3.304-3.314 of the proposed rule provided 
the framework by which the Secretary would seek compliance by 
providers, PSOs, and responsible persons with the confidentiality 
provisions of the rule. These proposed requirements included: (1) 
Provisions for the Secretary to seek cooperation from these entities in 
obtaining compliance and to provide technical assistance (proposed 
Sec.  3.304); (2) procedures for any person who believes there has been 
a violation of the confidentiality provisions to file a complaint with 
the Secretary and provisions for the Secretary to investigate such 
complaints (proposed Sec.  3.306); (3) provisions for the Secretary to 
conduct compliance reviews (proposed Sec.  3.308); (4) provisions 
establishing responsibilities of respondents with respect to 
cooperating with the Secretary during investigations or compliance 
reviews and providing access to information necessary and pertinent to 
the Secretary determining compliance (proposed Sec.  3.310); (5) 
provisions describing the Secretary's course of action during 
complaints and compliance reviews, including the circumstances under 
which the Secretary may attempt to resolve compliance matters by 
informal means or issue a notice of proposed determination, as well as 
the circumstances under which the Secretary may use or disclose 
information, including identifiable patient safety work product, 
obtained during an investigation or compliance review (proposed Sec.  
3.312); and (6) provisions and procedures for the Secretary to issue 
subpoenas to require witness testimony and the production of evidence 
and to conduct investigational inquiries (proposed Sec.  3.314).
    Overview of Public Comments: We received no comments opposed to the 
proposed provisions.
    Final Rule: The final rule adopts the provisions of the proposed 
rule, except, where reference was made in the proposed rule to 
provisions of the HIPAA Enforcement Rule, the final rule includes the 
text of such provisions for convenience of the reader.
Response to Other Public Comments
    Comment: One commenter asked how and when the Secretary will 
provide technical assistance to providers, PSOs, and responsible 
persons regarding compliance with the confidentiality provisions.
    Response: The Secretary intends to provide technical assistance 
through a variety of mechanisms. First, as authorized by the Patient 
Safety Act, the Secretary intends, as practical, to convene annual 
meetings for PSOs to discuss methodology, communication, data 
collection, privacy concerns, or other issues relating to their patient 
safety systems. See section 925 of the Public Health Service Act, 42 
U.S.C. 299b-25. Second, the Secretary intends to exercise his 
discretion under Sec.  3.304 by, when practicable and appropriate, 
providing technical assistance to affected persons and entities both on 
an individual basis when such persons or entities are involved in 
complaint investigations or compliance reviews, as well as more 
generally through published guidance that addresses common compliance 
or other questions about the rule. As we noted in the preamble to the 
proposed rule, however, the absence of technical assistance or guidance 
by the Secretary may not be raised as a defense to civil money penalty 
liability. We also encourage persons participating in patient safety 
activities and subject to this rule to develop and share with others 
similarly situated in the industry ``best practices'' for the 
confidentiality of patient safety work product.
    Comment: One commenter requested that the final rule provide 
additional detail on the consideration that will go into the 
determination of whether to pursue an investigation or to conduct a 
compliance review.
    Response: We do not believe that including additional detail in the 
final rule regarding when we will investigate or conduct compliance 
reviews is prudent or feasible. The decision of whether to conduct an 
investigation or compliance review is left to the discretion of the 
Secretary and will be made based on the specific circumstances of each 
individual case. The decision to investigate a complaint is necessarily 
fact specific. For example, some complaints may not allege facts that 
fall within the Secretary's jurisdiction or that constitute a violation 
if true. With respect to compliance reviews, the Secretary needs to 
maintain flexibility to conduct whatever reviews are necessary to 
ensure compliance. Compliance reviews may be initiated based on, for 
example, information that comes to the Department's attention outside 
of the formal complaint process, or trends the Department is seeing as 
a result of its enforcement activities. It would be premature at this 
time to indicate the specific circumstances under which such reviews 
may be conducted, given the absence of any compliance and enforcement 
experience with the rule. Further, making public the Department's 
considerations in this area may undermine the effectiveness of such 
reviews. Thus, we did not propose and do not include in this final rule 
affirmative criteria for conducting compliance reviews.
    Comment: One commenter requested clarification that the Secretary 
may only require respondents to produce records, books, and accounts 
that are reasonably related to an investigation.
    Response: Section 3.310(c) of the proposed rule, which the final 
rule adopts, provided that a respondent must permit the Secretary 
access to the information that is pertinent to ascertaining compliance 
with the

[[Page 70790]]

confidentiality provisions of the rule. Given this provision in the 
final rule, we do not see a need to provide further clarification.
2. Sections 3.402, 3.404, 3.408, 3.414, 3.416, 3.418, 3.420, 3.422, 
3.424, 3.426--Civil Money Penalties
    Proposed Rule: Sections 3.402-3.426 of the proposed rule provided 
the process for the Secretary to impose a civil money penalty for 
noncompliance by a PSO, provider, or responsible person with the 
confidentiality provisions of the rule. These proposed provisions: (1) 
Described the basis for imposing a civil money penalty on a person who 
discloses identifiable patient safety work product in knowing or 
reckless violation of the confidentiality provisions, as well as on a 
principal, in accordance with the federal common law of agency \2\, 
based on the act of its agent acting within the scope of the agency 
(proposed Sec.  3.402); (2) described how a penalty amount would be 
determined, and provided the statutory cap of any such penalty 
(proposed Sec.  3.404); (3) provided the list of factors the Secretary 
may consider as aggravating or mitigating, as appropriate, in 
determining the amount of a civil money penalty, including the nature 
and circumstances of the violation and the degree of culpability of the 
respondent (proposed Sec.  3.408); (4) set forth the 6-year limitations 
period on the Secretary initiating an action for imposition of a civil 
money penalty (proposed Sec.  3.414); (5) set out the Secretary's 
authority to settle any issue or case or to compromise any penalty 
(proposed Sec.  3.416); (6) provided that a civil money penalty imposed 
under this rule would be in addition to any other penalty prescribed by 
law, except that a civil money penalty may not be imposed both under 
this rule and the HIPAA Privacy Rule for the same act (proposed Sec.  
3.418); (7) required that the Secretary provide a respondent with 
written notice of his intent to impose a civil money penalty, prescribe 
the contents of such notice, and provide the respondent with a right to 
request a hearing before an ALJ to contest the proposed penalty 
(proposed Sec.  3.420); (8) provided that if the respondent fails to 
timely request a hearing and the matter is not settled by the 
Secretary, the Secretary may impose the proposed penalty (or any lesser 
penalty) and will notify the respondent of any penalty imposed, and 
that the respondent has no right to appeal such penalty (proposed Sec.  
3.422); (9) provided that once the penalty becomes final, it will be 
collected by the Secretary, unless compromised, and described the 
methods for collection (proposed Sec.  3.424); and (10) provided that 
the Secretary will notify the public and the appropriate State or local 
medical or professional organizations, appropriate State agencies 
administering or supervising the administration of State health care 
programs, appropriate utilization and quality control peer review 
organizations, and appropriate State or local licensing agencies or 
organizations, of a final penalty and the reason it was imposed 
(proposed Sec.  3.426).
---------------------------------------------------------------------------

    \2\ For more information and guidance about violations of the 
rule attributed to a principal based on the federal common law of 
agency, see the preamble to the proposed rule at 73 FR 8158-8159.
---------------------------------------------------------------------------

    In addition, with respect to the factors at proposed Sec.  3.408, 
we specifically sought comment on whether the factors should be 
expanded to expressly include a factor for persons who self-report 
disclosures that may potentially violate the confidentiality provisions 
such that voluntary self-reporting would be a mitigating consideration 
when assessing a civil money penalty.
    Overview of Public Comments: We received no comments opposed to 
these proposed provisions. With respect to proposed Sec.  3.408, 
commenters generally supported the list of detailed factors, which may 
be aggravating or mitigating depending on the context, for use by the 
Secretary in determining the amount of a civil money penalty. In 
response to the question in the proposed rule regarding whether the 
final rule should include a factor for persons who self-report 
disclosures that may be potential violations, some commenters opposed 
such an expansion, arguing that such a provision could be viewed as an 
additional reporting obligation on persons and entities. Several other 
commenters expressed general support for the consideration of such a 
mitigating factor in the determination of any penalty, and one 
commenter specifically recommended expanding the list of factors to 
include self-reporting.
    Final Rule: The final rule adopts the provisions of the proposed 
rule except, where reference was made in the proposed rule to 
provisions of the HIPAA Enforcement Rule, the final rule includes the 
text of such provisions for convenience of the reader. We do not expand 
the list of factors at Sec.  3.408 to include the fact of self-
reporting by a respondent in the final rule. As we noted in the 
preamble to the proposed rule, while including a factor for voluntary 
self-reporting may encourage persons to report breaches of 
confidentiality, particularly those that may otherwise go unnoticed, as 
well as demonstrate the security practices that led to the discovery of 
the breach and how the breach was remedied, we agree with those 
commenters who argued that including such a factor may be viewed 
incorrectly as an additional and ongoing reporting obligation on 
providers, PSOs, and others to report every potentially impermissible 
disclosure. This would unnecessarily increase administrative burden 
both on the Department and the reporting persons. Additionally, 
inclusion of such a factor may interfere with contractual relationships 
between providers and PSOs that address how parties are to deal with 
breaches.
    However, we note that even though we are not expressly including a 
self-reporting factor in the list at Sec.  3.408, the Secretary retains 
discretion to consider self-reports on a case-by-case basis under Sec.  
3.408(f), which permits the Secretary to consider ``such other matters 
as justice may require'' in determining the amount of a civil money 
penalty.
Response to Other Public Comments
    Comment: One commenter supported the knowing or reckless standard 
for establishing the basis for imposing a civil money penalty for a 
confidentiality violation but also stated that every effort should be 
made to reduce the risk of liability and to encourage provider 
participation. Another commenter supported the Secretary's ability to 
exercise discretion in determining whether to impose a civil money 
penalty for a knowing or reckless violation of the confidentiality 
provisions but also suggested that, in cases where a PSO is compelled 
to disclose patient safety work product by a court and has, in good 
faith, attempted to assert the privilege protection, the PSO 
automatically should be excused from a civil money penalty for the 
impermissible disclosure of patient safety work product to the court.
    Response: We agree that the appropriate basis for imposing a civil 
money penalty is for knowing or reckless disclosures of identifiable 
patient safety work product in violation of the confidentiality 
provisions of the rule and that it is important the Secretary 
ultimately retain discretion as to whether to impose a penalty pursuant 
to this standard. This provision is based on section 922(f) of the 
Public Health Service Act, 42 U.S.C. 299b-22(f). We also agree that 
provider participation is essential to meeting the overall goal of the 
statute to improve patient safety and quality of care, and we believe 
that strong privilege and confidentiality protections for patient 
safety work

[[Page 70791]]

product are fundamental to ensuring this participation. As we explained 
in the preamble to the proposed rule, a civil money penalty under Sec.  
3.402 may only be imposed if the Secretary first establishes a wrongful 
disclosure--that is, the information disclosed was identifiable patient 
safety work product and the manner of the disclosure does not fit 
within any permitted exception. The Secretary must then determine 
whether a person making the disclosure acted ``knowingly'' or 
``recklessly.'' To do so, the Secretary must prove either that: (1) The 
person making the disclosure knew a disclosure was being made (not that 
the person knew he or she was disclosing identifiable patient safety 
work product in violation of the rule or statute); or (2) the person 
acted recklessly in making the disclosure, that is, the person was 
aware, or a reasonable person in his or her situation should have been 
aware, that his or her conduct created a substantial risk of disclosure 
of information and to disregard such risk constituted a gross deviation 
from reasonable conduct. For more guidance on this standard or the 
knowing or reckless standard, see the preamble to the proposed rule at 
73 FR 8157-8158. Once a knowing or reckless violation has been 
established, the Secretary still retains discretion as to whether to 
impose a penalty for a violation and may elect not to do so. Thus, we 
believe the standard at Sec.  3.402 of the final rule strikes the right 
balance in ensuring those who are culpable are subject to penalties, 
while still encouraging maximum participation by providers.
    For example, circumstances where a person who disclosed 
identifiable patient safety work product in violation of the rule can 
show he or she did not know and had no reason to know that the 
information was patient safety work product may warrant discretion by 
the Secretary. Further, as we stated in the preamble to the proposed 
rule, the Secretary may exercise discretion and not pursue a civil 
money penalty against a respondent ordered by a court to produce 
patient safety work product where the respondent has in good faith 
undertaken reasonable steps to avoid production and is, nevertheless, 
compelled to produce the information or be held in contempt of court. 
We do not, however, agree that an automatic exception from liability 
for respondents in such circumstances is appropriate or necessary. The 
Secretary will examine each situation based on the individual 
circumstances and make an appropriate determination about whether to 
impose a civil money penalty.
    Comment: One commenter asked that the final rule state that 
inappropriate disclosures to, for example, the media or to the public, 
would result in civil money penalties.
    Response: Section 3.402(a) of the final rule provides that persons 
who disclose identifiable patient safety work product in knowing or 
reckless violation of the confidentiality provisions are subject to 
civil money penalty liability for such violations. This liability would 
include disclosures to the media or public, to the extent the knowing 
or reckless standard of Sec.  3.402(a) is met.
    Comment: We received two comments stating that the maximum penalty 
of $10,000 for a single violation is insufficient to serve as a 
deterrent against impermissible disclosures. In contrast, one commenter 
expressed concern that the maximum penalty would be far too severe for 
some small providers and in cases in which the impermissible disclosure 
was incidental or accidental.
    Response: In response to those commenters who believe the penalty 
amount is not high enough, the $10,000 maximum penalty for each act 
constituting a violation is prescribed by the statute and thus cannot 
be increased by the Secret