Patient Safety and Quality Improvement, 8112-8183 [E8-2375]
Download as PDF
8112
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
42 CFR Part 3
RIN 0919–AA01
Patient Safety and Quality
Improvement
Agency for Healthcare Research
and Quality, Office for Civil Rights,
HHS.
ACTION: Notice of proposed rulemaking.
hsrobinson on PROD1PC76 with PROPOSALS2
AGENCY:
SUMMARY: This document proposes
regulations to implement certain aspects
of the Patient Safety and Quality
Improvement Act of 2005 (Patient Safety
Act). The proposed regulations establish
a framework by which hospitals,
doctors, and other health care providers
may voluntarily report information to
Patient Safety Organizations (PSOs), on
a privileged and confidential basis, for
analysis of patient safety events. The
proposed regulations also outline the
requirements that entities must meet to
become PSOs and the processes for the
Secretary to review and accept
certifications and to list PSOs.
In addition, the proposed regulation
establishes the confidentiality
protections for the information that is
assembled and developed by providers
and PSOs, termed ‘‘patient safety work
product’’ by the Patient Safety Act, and
the procedures for the imposition of
civil money penalties for the knowing or
reckless impermissible disclosure of
patient safety work product.
DATES: Comments on the proposed rule
will be considered if we receive them at
the appropriate address, as provided
below, no later than April 14, 2008.
ADDRESSES: Interested persons are
invited to submit written comments by
any of the following methods:
• Federal eRulemaking Portal: https://
www.regulations.gov. Comments should
include agency name and ‘‘RIN 0919–
AA01’’.
• Mail: Center for Quality
Improvement and Patient Safety,
Attention: Patient Safety Act NPRM
Comments, AHRQ, 540 Gaither Road,
Rockville, MD 20850.
• Hand Delivery/Courier: Center for
Quality Improvement and Patient
Safety, Attention: Patient Safety Act
NPRM Comments, Agency for
Healthcare Research and Quality, 540
Gaither Road, Rockville, MD 20850.
Instructions: Because of staff and
resource limitations, we cannot accept
comments by facsimile (FAX)
transmission or electronic mail. For
detailed instructions on submitting
comments and additional information
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
on the rulemaking process, see the
‘‘Public Participation’’ heading of the
SUPPLEMENTARY INFORMATION section of
this document. Comments will be
available for public inspection at the
AHRQ Information Resources Center at
the above-cited address between 8:30
a.m. and 5 p.m. Eastern Time on federal
business days (Monday through Friday).
FOR FURTHER INFORMATION CONTACT:
Susan Grinder, Agency for Healthcare
Research and Quality, 540 Gaither Road,
Rockville, MD 20850, (301) 427–1111 or
(866) 403–3697.
SUPPLEMENTARY INFORMATION:
Public Participation
We welcome comments from the
public on all issues set forth in this
proposed rule to assist us in fully
considering issues and developing
policies. You can assist us by
referencing the RIN number (RIN: 0919–
0AA01) and by preceding your
discussion of any particular provision
with a citation to the section of the
proposed rule being discussed.
A. Inspection of Public Comments
All comments (electronic, mail, and
hand delivery/courier) received in a
timely manner will be available for
public inspection as they are received,
generally beginning approximately 6
weeks after publication of this
document, at the mail address provided
above, Monday through Friday of each
week from 8:30 a.m. to 5 p.m. To
schedule an appointment to view public
comments, call Susan Grinder, (301)
427–1111 or (866) 403–3697.
Comments submitted electronically
will be available for viewing at the
Federal eRulemaking Portal.
B. Electronic Comments
We will consider all electronic
comments that include the full name,
postal address, and affiliation (if
applicable) of the sender and are
submitted through the Federal
eRulemaking Portal identified in the
ADDRESSES section of this preamble.
Copies of electronically submitted
comments will be available for public
inspection as soon as practicable at the
address provided, and subject to the
process described, in the preceding
paragraph.
C. Mailed Comments and Hand
Delivered/Couriered Comments
Mailed comments may be subject to
delivery delays due to security
procedures. Please allow sufficient time
for mailed comments to be timely
received in the event of delivery delays.
Comments mailed to the address
indicated for hand or courier delivery
PO 00000
Frm 00002
Fmt 4701
Sfmt 4702
may be delayed and could be
considered late.
D. Copies
To order copies of the Federal
Register containing this document, send
your request to: New Orders,
Superintendent of Documents, P.O. Box
371954, Pittsburgh, PA 15250–7954.
Specify the date of the issue requested
and enclose a check or money order
payable to the Superintendent of
Documents, or enclose your Visa or
Master Card number and expiration
date. Credit card orders can also be
placed by calling the order desk at (202)
512–1800 (or toll-free at 1–866–512–
1800) or by faxing to (202) 512–2250.
The cost for each copy is $10. As an
alternative, you may view and
photocopy the Federal Register
document at most libraries designated
as Federal Depository Libraries and at
many other public and academic
libraries throughout the country that
receive the Federal Register.
E. Electronic Access
This Federal Register document is
available from the Federal Register
online database through GPO Access, a
service of the U.S. Government Printing
Office. The Web site address is: https://
www.gpoaccess.gov/nara/.
This document is available
electronically at the following Web site
of the Department of Health and Human
Services (HHS): https://www.ahrq.gov/.
F. Response to Comments
Because of the large number of public
comments we normally receive on
Federal Register documents, we are not
able to acknowledge or respond to them
individually. We will consider all
comments we receive in accordance
with the methods described above and
by the date specified in the DATES
section of this preamble. When we
proceed with a final rule, we will
respond to comments in the preamble to
that rule.
I. Background
A. Purpose and Basis
This proposed rule establishes the
authorities, processes, and rules
necessary to implement the Patient
Safety and Quality Improvement Act of
2005 (Patient Safety Act), (Pub. L. 109–
41), that amended the Public Health
Service Act (42 U.S.C. 299 et seq.) by
inserting new sections 921 through 926,
42 U.S.C. 299b–21 through 299b–26.
Much of the impetus for this
legislation can be traced to the
publication of the landmark report, ‘‘To
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
Err Is Human’’ 1, by the Institute of
Medicine in 1999 (Report). The Report
cited studies that found that at least
44,000 people and potentially as many
as 98,000 people die in U.S. hospitals
each year as a result of preventable
medical errors.2 Based on these studies
and others, the Report estimated that the
total national costs of preventable
adverse events, including lost income,
lost household productivity, permanent
and temporary disability, and health
care costs to be between $17 billion and
$29 billion, of which health care costs
represent one-half.3 One of the main
conclusions was that the majority of
medical errors do not result from
individual recklessness or the actions of
a particular group; rather, most errors
are caused by faulty systems, processes,
and conditions that lead people to make
mistakes or fail to prevent adverse
events.4 Thus, the Report recommended
mistakes can best be prevented by
designing the health care system at all
levels to improve safety—making it
harder to do something wrong and
easier to do something right.5
As compared to other high-risk
industries, the health care system is
behind in its attention to ensuring basic
safety.6 The reasons for this lag are
complex and varied. Providers are often
reluctant to participate in quality review
activities for fear of liability,
professional sanctions, or injury to their
reputations. Traditional state-based
legal protections for such health care
quality improvement activities,
collectively known as peer review
protections, are limited in scope: They
do not exist in all States; typically they
only apply to peer review in hospitals
and do not cover other health care
settings, and seldom enable health care
systems to pool data or share experience
between facilities. If peer review
protected information is transmitted
outside an individual hospital, the peer
review privilege for that information is
generally considered to be waived. This
limits the potential for aggregation of a
sufficient number of patient safety
events to permit the identification of
patterns that could suggest the
underlying causes of risks and hazards
that then can be used to improve patient
safety.
The Report outlined a comprehensive
strategy to improve patient safety by
which public officials, health care
1 Institute of Medicine, ‘‘To Err is Human:
Building a Safer Health System’’, 1999.
2 Id. at 31.
3 Id. at 42.
4 Id. at 49–66.
5 Id.
6 Id. at 75.
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
providers, industry, and consumers
could reduce preventable medical
errors. The Report recommended that,
in order to reduce medical errors
appreciably in the U.S., a balance be
struck between regulatory and marketbased initiatives and between the roles
of professionals and organizations. It
recognized a need to enhance
knowledge and tools to improve patient
safety and break down legal and cultural
barriers that impede such improvement.
Drawing upon the broad framework
advanced by the Institute of Medicine,
the Patient Safety Act specifically
addresses a number of these longrecognized impediments to improving
the quality, safety, and outcomes of
health care services. For that reason,
implementation of this proposed rule
can be expected to accelerate the
development of new, voluntary,
provider-driven opportunities for
improvement, increase the willingness
of health care providers to participate in
such efforts, and, most notably, set the
stage for breakthroughs in our
understanding of how best to improve
patient safety.
These outcomes will be advanced, in
large measure, through implementation
of this proposed rule of strong Federal
confidentiality and privilege protections
for information that is patient safety
work product under the Patient Safety
Act. For the first time, there will now be
a uniform set of Federal protections that
will be available in all states and U.S.
territories and that extend to all health
care practitioners and institutional
providers. These protections will enable
all health care providers, including
multi-facility health care systems, to
share data within a protected legal
environment, both within and across
states, without the threat of information
being used against the subject providers.
Pursuant to the Patient Safety Act,
this proposed rule will also encourage
the formation of new organizations with
expertise in patient safety, known as
patient safety organizations (PSOs),
which can provide confidential, expert
advice to health care providers in the
analysis of patient safety events.7 The
7 As we use the term, patient safety event means
an incident that occurred during the delivery of a
health care service and that harmed, or could have
resulted in harm to, a patient. A patient safety event
may include an error of omission or commission,
mistake, or malfunction in a patient care process;
it may also involve an input to such process (such
as a drug or device) or the environment in which
such process occurs. Our use of the term patient
safety event in place of the more limited concept
of medical error to describe the work that providers
and PSOs may undertake reflects the evolution in
the field of patient safety. It is increasingly
recognized that important insights can be derived
from the study of patient care processes and their
organizational context and environment in order to
PO 00000
Frm 00003
Fmt 4701
Sfmt 4702
8113
confidentiality and privilege protections
of this statute attach to ‘‘patient safety
work product.’’ This term as defined in
the Patient Safety Act and this proposed
rule means that patient safety
information that is collected or
developed by a provider and reported to
a PSO, or that is developed by a PSO
when conducting defined ‘‘patient
safety activities,’’ or that reveals the
deliberations of a provider or PSO
within a patient safety evaluation
system is protected. Thus, the proposed
rule will enable health care providers to
protect their internal deliberations and
analysis of patient safety information
because this type of information is
patient safety work product.
The statute and the proposed rule
seek to ensure that the confidentiality
provisions (as defined in these proposed
regulations) will be taken seriously by
making breaches of the protections
potentially subject to a civil money
penalty of up to $10,000. The
combination of strong Federal
protections for patient safety work
product and the potential penalties for
violation of these protections should
give providers the assurances they need
to participate in patient safety
improvement initiatives and should
spur the growth of such initiatives.
Patient safety experts have long
recognized that the underlying causes of
risks and hazards in patient care can
best be recognized through the
aggregation of significant numbers of
individual events; in some cases, it may
require the aggregation of thousands of
individual patient safety events before
underlying patterns are apparent. It is
hoped that this proposed rule will foster
routine reporting to PSOs of data on
patient safety events in sufficient
numbers for valid and reliable analyses.
Analysis of such large volumes of
patient safety events is expected to
significantly advance our understanding
of the patterns and commonalities in the
underlying causes of risks and hazards
in the delivery of patient care. These
insights should enable providers to
more effectively and efficiently target
their efforts to improve patient safety.
We recognize that risks and hazards
can occur in a variety of environments,
such as inpatient, outpatient, long-term
prevent harm to patients. We note that patient
safety in the context of this term also encompasses
the safety of a person who is a subject in a research
study conducted by a health care provider. In
addition, the flexible concept of a patient safety
event is applicable in any setting in which health
care is delivered: A health care facility that is
mobile (e.g., ambulance), fixed and free-standing
(e.g., hospital), attached to another entity (e.g.,
school clinic), as well as the patient’s home or
workplace, whether or not a health care provider is
physically present.
E:\FR\FM\12FEP2.SGM
12FEP2
8114
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
hsrobinson on PROD1PC76 with PROPOSALS2
care, rehabilitation, research, or other
health care settings. In many of these
settings, patient safety analysis is a
nascent enterprise that will benefit
significantly from the routine, voluntary
reporting and analysis of patient safety
events. Accordingly, we strive in the
proposed rule to avoid imposing
limitations that might preclude
innovative approaches to the
identification of, and elimination of,
risks and hazards in specific settings for
the delivery of care, specific health care
specialties, or in research settings. We
defer to those creating PSOs and the
health care providers that enter ongoing
relationships with them to determine
the scope of patient safety events that
will be addressed.
Finally, we note that the statute is
quite specific that these protections do
not relieve a provider from its obligation
to comply with other legal, regulatory,
accreditation, licensure, or other
accountability requirements that it
would otherwise need to meet. The fact
that information is collected, developed,
or analyzed under the protections of the
Patient Safety Act does not shield a
provider from needing to undertake
similar activities, if applicable, outside
the ambit of the statute, so that the
provider can meet its obligations with
non-patient safety work product. The
Patient Safety Act, while precluding
other organizations and entities from
requiring providers to provide them
with patient safety work product,
recognizes that the data underlying
patient safety work product remains
available in most instances for the
providers to meet these other
information requirements.
In summary, this proposed rule
implements the Patient Safety Act and
facilitates its goals by allowing the
health care industry voluntarily to avail
itself of this framework in the best
manner it determines feasible. At the
same time, it seeks to ensure that those
who do avail themselves of this
framework will be afforded the legal
protections that Congress intended and
that anyone who breaches those
protections will be penalized
commensurately with the violation.
B. Listening Sessions
We held three listening sessions for
the general public (March 8, 13, and 16,
2006) which helped us better
understand the thinking and plans of
interested parties, including providers
considering the use of PSO services and
entities that anticipate establishing
PSOs. As stated in the Federal Register
notice 71 FR 37 (February 24, 2006) that
announced the listening sessions, we do
not regard the presentations or
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
comments made at these sessions as
formal comments and, therefore, they
are not discussed in this document.
C. Comment Period
The comment period is sixty (60) days
following the publication of the
proposed rule.
II. Overview of Proposed Rule
We are proposing a new Part 3 to Title
42 of the Code of Federal Regulations to
implement the Patient Safety Act. As
described above, the Patient Safety Act
is an attempt to address the barriers to
patient safety and health care quality
improvement activities in the U.S. In
implementing the Patient Safety Act,
this proposed rule encourages the
development of provider-driven,
voluntary opportunities for improving
patient safety; this initiative is neither
funded, nor controlled by the Federal
Government.
Under the proposal, a variety of types
of organizations—public, private, forprofit, and not-for-profit—can become
PSOs, and offer their consultative
expertise to providers regarding patient
safety events and quality improvement
initiatives. There will be a process for
certification and listing of PSOs, which
will be implemented by the Agency for
Healthcare Research and Quality
(AHRQ), and providers can work
voluntarily with PSOs to obtain
confidential, expert advice in analyzing
the patient safety event and other
information they collect or develop at
their offices, facilities, or institutions.
PSOs may also provide feedback and
recommendations regarding effective
strategies to improve patient safety as
well as proven approaches for
implementation of such strategies. In
addition, to encourage providers to
undertake patient safety activities, the
regulation is very specific that patient
safety work product is subject to
confidentiality and privilege
protections, and persons that breach the
confidentiality provisions may be
subject to a $10,000 civil money
penalty, to be enforced by the Office for
Civil Rights (OCR).
The provisions of this proposed rule
greatly expand the potential for
participation in patient safety activities.
The proposal, among other things,
enables providers across the health care
industry to report information to a PSO
and obtain the benefit of these new
confidentiality and privilege
protections. This proposal minimizes
the barriers to entry for listing as a PSO
by creating a review process that is both
simple and efficient. As a result, we
expect a broad range of organizations to
seek listing by the Secretary as PSOs.
PO 00000
Frm 00004
Fmt 4701
Sfmt 4702
Listing will not entitle these entities to
Federal funding or subsidies, but it will
enable these PSOs to offer individual
and institutional providers the benefits
of review and analysis of patient safety
work product that is protected by strong
Federal confidentiality and privilege
protections.
Our proposed regulation will enable
and assist data aggregation by PSOs to
leverage the possibility of learning from
numerous patient safety events across
the health care system and to facilitate
the identification and correction of
systemic and other errors. For example,
PSOs are required to seek contracts with
multiple providers, and proposed
Subpart C permits them, with certain
limitations, to aggregate patient safety
work product from their multiple clients
and with other PSOs. In addition, the
Secretary will implement other
provisions of the Patient Safety Act that,
independent of this proposed rule,
require the Secretary to facilitate the
development of a network of patient
safety databases for the aggregation of
nonidentifiable patient safety work
product and the development of
consistent definitions and common
formats for collecting and reporting
patient safety work product. These
measures will facilitate a new level of
data aggregation that patient safety
experts deem essential to maximize the
benefits of the Patient Safety Act.
The Patient Safety Act gives
considerable attention to the
relationship between it and the
Standards for the Privacy of
Individually Identifiable Health
Information under the Health Insurance
Portability and Accountability Act of
1996 (HIPAA Privacy Rule). We caution
that the opportunity for a provider to
report identifiable patient safety work
product to a PSO does not relieve a
provider that is a HIPAA covered entity
of its obligations under the HIPAA
Privacy Rule. In fact, the Patient Safety
Act indicates that PSOs are deemed to
be business associates of providers that
are HIPAA covered entities. Thus,
providers who are HIPAA covered
entities will need to enter into business
associate agreements with PSOs in
accordance with their HIPAA Privacy
Rule obligations. If such a provider also
chooses to enter a PSO contract, we
believe that such contracts could be
entered into simultaneously as an
agreement for the conduct of patient
safety activities. However, the Patient
Safety Act does not require a provider
to enter a contract with a PSO to receive
the protections of the Patient Safety Act.
Proposed Subpart A, General
Provisions, sets forth the purpose of the
provisions and the definitions
E:\FR\FM\12FEP2.SGM
12FEP2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
applicable to the subparts that follow.
Proposed Subpart B, PSO Requirements
and Agency Procedures, sets forth the
requirements for PSOs and describes
how the Secretary will review, accept,
revoke, and deny certifications for
listing and continued listing of entities
as PSOs and other required
submissions. Proposed Subpart C,
Confidentiality and Privilege
Protections of Patient Safety Work
Product, describes the provisions that
relate to the confidentiality protections
and permissible disclosure exceptions
for patient safety work product.
Proposed Subpart D, Enforcement
Program, includes provisions that relate
to activities for determining compliance,
such as investigations of and
cooperation by providers, PSOs, and
others; the imposition of civil money
penalties; and hearing procedures.
III. Section by Section Description of
the Proposed Rule
A. Subpart A—General Provision
1. Proposed § 3.10—Purpose
The purpose of this proposed Part is
to implement the Patient Safety and
Quality Improvement Act of 2005 (Pub.
L. 109–41), which amended the Public
Health Service Act (42 U.S.C. 299 et
seq.) by inserting new sections 921
through 926, 42 U.S.C. 299b–21 through
299b–26.
hsrobinson on PROD1PC76 with PROPOSALS2
2. Proposed § 3.20—Definitions
Section 921 of the Public Health
Service Act, 42 U.S.C. 299b–21, defines
several terms, and our proposed rules
would, for the most part, restate the law.
In some instances, we propose to clarify
definitions to fit within the proposed
framework. We also propose some new
definitions for convenience and to
clarify the application and operation of
this proposed rule. Moreover, we
reference terms defined under the
HIPAA Privacy Rule for ease of
interpretation and consistency, given
the overlap between the Patient Safety
Act protections of patient-identifiable
patient safety work product (discussed
below) and the HIPAA Privacy Rule.
Proposed § 3.20 would establish the
basic definitions applicable to this
proposed rule, as follows:
AHRQ stands for the Agency for
Healthcare Research and Quality in the
U.S. Department of Health and Human
Services (HHS). This definition is added
for convenience.
ALJ stands for an Administrative Law
Judge at HHS. This definition is added
for convenience in describing the
process for appealing civil money
penalty determinations.
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
Board would mean the members of
the HHS Departmental Appeals Board.
This definition is added for convenience
in providing for appeals of civil money
penalty determinations.
Bona fide contract would mean (a) a
written contract between a provider and
a PSO that is executed in good faith by
officials authorized to execute such
contract; or (b) a written agreement
(such as a memorandum of
understanding or equivalent recording
of mutual commitments) between a
Federal, State, local, or Tribal provider
and a Federal, State, local, or Tribal PSO
that is executed in good faith by officials
authorized to execute such agreement.
In addition to the primary
interpretation of an enforceable contract
under applicable law as proposed under
paragraph (a) of this definition, we
propose to make the scope of the term
broad enough to encompass agreements
between health care providers and PSOs
that are components of Federal, State,
local or Tribal governments or
government agencies. Such entities
could clearly perform the same data
collection and analytic functions as
performed by other providers and PSOs
that the Patient Safety Act seeks to
foster. Thus, paragraph (b) of the
definition recognizes that certain
government entities may not enter a
formal contract with each other, but
may only make a commitment with
other agencies through the mechanism
of some other type of agreement.
We note that proposed § 3.102(a)(2)
incorporates the statutory restriction
that a health insurance issuer and a
component of a health insurance issuer
may not become a PSO. That section
also proposes to prohibit the listing of
public and private entities that conduct
regulatory oversight of health care
providers, including accreditation and
licensure.
Complainant would mean a person
who files a complaint with the Secretary
pursuant to proposed § 3.306.
Component Organization would mean
an entity that is either: (a) A unit or
division of a corporate organization or
of a multi-organizational enterprise; or
(b) a separate organization, whether
incorporated or not, that is owned,
managed or controlled by one or more
other organizations (i.e., its parent
organization(s)). We discuss our
preliminary interpretation of the terms
‘‘owned,’’ ‘‘managed,’’ or ‘‘controlled’’
in the definition of parent organization.
Multi-organizational enterprise, as used
here, means a common business or
professional undertaking in which
multiple entities participate as well as
governmental agencies or Tribal entities
PO 00000
Frm 00005
Fmt 4701
Sfmt 4702
8115
in which there are multiple
components.8
We anticipate that PSOs may be
established by a wide array of healthrelated organizations and quality
improvement enterprises, including
hospitals, nursing homes and health
care provider systems, health care
professional societies, academic and
commercial research organizations,
Federal, State, local, and Tribal
governmental units that are not subject
to the proposed restriction on listing in
proposed § 3.102(a)(2), as well as joint
undertakings by combinations of such
organizations. One effect of defining
component organization as we propose
is that, pursuant to section 924 of the
Patient Safety Act, 42 U.S.C. 299b–24,
all applicant PSOs that fall within the
scope of the definition of component
organization must certify to the
separation of confidential patient safety
work product and staff from the rest of
any organization or multi-organizational
enterprise of which they (in the conduct
of their work) are a part. Component
organizations must also certify that their
stated mission can be accomplished
without conflicting with the rest of their
parent organization(s).
A subsidiary corporation may, in
certain circumstances, be viewed as part
of a multi-organizational enterprise with
its parent corporation and would be so
regarded under the proposed regulation.
Thus, an entity, such as a PSO that is
set up as a subsidiary by a hospital
chain, would be considered a
component of the corporate chain and a
component PSO for purposes of this
proposed rule. Considering a subsidiary
of a corporation to be a ‘‘component’’ of
its parent organization may seem
contrary to the generally understood
separateness of a subsidiary in its
corporate relationship with its parent.9
8 The concept of multi-organizational enterprise
as used in this regulation, in case law, and in a legal
reference works such as Blumberg on Corporate
Groups, § 6.04 (2d ed. 2007 Supplement) refers to
multi-organizational undertakings with separate
corporations or organizations that are integrated in
a common business activity. The component
entities are often, but not necessarily, characterized
by interdependence and some form of common
control, typically by agreement. Blumberg notes
that health care providers increasingly are
integrated in various forms of multi-organizational
enterprises.
9 Corporations are certain types of organizations
that are given legal independence and rights, (e.g.
the right to litigate). Subsidiary corporations are
corporations in which a majority of the shares are
owned by another corporation, known as a parent
corporation. Thus, subsidiaries are independent
corporate entities in a formal legal sense, yet, at the
same time, they are controlled, to some degree, by
their parent by virtue of stock ownership and
control. Both corporations and subsidiaries are legal
constructs designed to foster investment and
E:\FR\FM\12FEP2.SGM
Continued
12FEP2
8116
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
hsrobinson on PROD1PC76 with PROPOSALS2
That is, where two corporate entities are
legally separate, one entity would
ordinarily not be considered a
component of the other entity, even
when that other entity has a controlling
interest or exercises some management
control. However, we have preliminarily
determined that viewing a subsidiary
entity that seeks to be a PSO as a
component of its parent organization(s)
would be consistent with the objectives
of the section on certifications required
of component organizations in the
Patient Safety Act and appears to be
consistent with trends in the law
discussed below. We invite comment on
our interpretation.
Corporations law or ‘‘entity law,’’
which emphasizes the separateness and
distinct rights and obligations of a
corporation, has been supplemented by
the development of ‘‘relational law’’
when necessary (e.g., to address
evolving organizational arrangements
such as multi-organizational
enterprises). To determine rights and
obligations in these circumstances,
courts weigh the relationships of
separate corporations that are closely
related by virtue of participating in the
same enterprise, (i.e., a common chain
of economic activity fostering and
characterized by interdependence).10
There has been a growing trend in
various court decisions to attribute legal
responsibilities based on actual
behavior in organizational relationships,
rather than on corporate formalities.
We stress that neither the statute nor
the proposed regulation imposes any
legal responsibilities, obligations, or
liability on the organization(s) of which
a component PSO is a part. The focus
of the Patient Safety Act and the
regulation is principally on the entity
that voluntarily seeks listing by the
Secretary as a PSO.
We note that two of the three
certifications that the Patient Safety Act
and the proposed regulation requires
component entities to make—relating to
the security and confidentiality of
commerce by limiting entrepreneurial risks and
corporate liabilities. In recognition of the legitimate
utility of these objectives, courts have generally
respected the separateness of parent corporations
and subsidiaries, (e.g., courts do not ordinarily
allow the liabilities of a subsidiary to be attributed
to its parent corporation, despite the fact that by
definition, parent corporations have a measure of
control over a subsidiary). However, courts have
looked behind the separate legal identities that
separate parent and subsidiary to impose liability
when individuals in litigation can establish that
actual responsibility rests with a parent corporation
by virtue of the degree and manner in which it has
exercised control over its subsidiary. Under these
circumstances, courts permit ‘‘the corporate veil to
be pierced.’’
10 See Phillip I. Blumberg Et Al., Blumberg On
Corporate Groups §§ 6.01 and 6.02.
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
patient safety work product—are
essentially duplicative of attestations
that are required of all entities seeking
listing or continued listing as a PSO
(certifications made under section
924(a)(1)(A) and (a)(2)(A) of the Public
Health Service Act, 42 U.S.C. 299b–
24(a)(1)(A) and (a)(2)(A) with respect to
patient safety activities described in
section 921(5)(E) and (F) of the Public
Health Service Act, 42 U.S.C. 299b–
21(5)(E) and (F)). That is, under the
Patient Safety Act, all PSOs have to
attest that they have in place policies
and procedures to, and actually do,
perform patient safety activities, which
include the maintenance of procedures
to preserve patient safety work product
confidentiality and the provision of
appropriate security measures for
patient safety work product. The
overlapping nature of these
confidentiality and security
requirements on components suggests
heightened congressional concern and
emphasis regarding the need to
maintain a strong ‘‘firewall’’ between a
component PSO and its parent
organization, which might have the
opportunity and potential to access
sensitive patient safety work product
the component PSO assembles,
develops, and maintains. A similar
concern arises in the context of a PSO
that is a unit of a corporate parent, a
subsidiary or an entity affiliated with
other organizations in a multiorganizational enterprise.
Requiring entities seeking listing to
disclose whether they have a parent
organization or are part of a multiorganizational enterprise does not
involve ‘‘piercing the corporate veil’’ as
discussed in the footnote above. The
Department would not be seeking this
information to hold a parent liable for
actions of the PSO, but to ensure full
disclosure to the Department about the
organizational relationships of an entity
seeking to be listed as a PSO.
Accordingly, we propose that an entity
seeking listing as a PSO must do so as
a component organization if it has one
or more parent organizations (as
described here and in the proposed
definition of that term) or is part of a
multi-organizational enterprise, and it
must provide the names of its parent
entities. If it has a parent or several
parent organizations, as defined by the
proposed regulation, the entity seeking
to be listed must provide the additional
certifications mandated by the statute
and by the proposed regulation at
§ 3.102(c) to maintain the separateness
of its patient safety work product from
its parent(s) and from other components
PO 00000
Frm 00006
Fmt 4701
Sfmt 4702
or affiliates11 of its parent(s). Such
certifications are consistent with the
above-cited body of case law that
permits and makes inquiries about
organizational relationships and
practices for purposes of carrying out
statutes and statutory objectives.
It may be helpful to illustrate how a
potential applicant for listing should
apply these principles in determining
whether to seek listing as a component
PSO. The fundamental principle is that
if there is a parent organization
relationship present and the entity is
not prohibited from seeking listing by
proposed § 3.102(a)(2), the entity must
seek listing as a component PSO. In
determining whether an entity must
seek listing as a component
organization, we note that it does not
matter whether the entity is a
component of a provider or a nonprovider organization and, if it is a
component of a provider organization,
whether it will undertake patient safety
activities for the parent organization’s
providers or providers that have no
relationship with its parent
organization(s). The focus here is
primarily on establishing the
separateness of the entity’s operation
from any type of parent organization.
Examples of entities that would need to
seek listing as a component organization
include: A division of a provider or nonprovider organization; a subsidiary
entity created by a provider or nonprovider organization; or a joint venture
created by several organizations (which
could include provider organizations,
non-provider organizations, or a mix of
such organizations) where any or all of
the organizations have a measure of
control over the joint venture.
Other examples of entities that would
need to seek listing as a component PSO
include: a division of a nursing home
chain; a subsidiary entity created by a
large academic health center or health
system; or a joint venture created by
several organizations to seek listing as a
PSO where any or all of the
organizations have a measure of control
over the joint venture.
Component PSO would mean a PSO
listed by the Secretary that is a
component organization.
Confidentiality provisions would
mean any requirement or prohibition
concerning confidentiality established
by Sections 921 and 922(b)–(d), (g) and
(i) of the Public Health Service Act, 42
11 Corporate affiliates are commonly controlled
corporations; sharing a corporate parent, they are
sometimes referred to as sister corporations.
Separate corporations that are part of a multiorganizational enterprise are also referred to by the
common terms ‘‘affiliates’’ or ‘‘affiliated
organizations’’.
E:\FR\FM\12FEP2.SGM
12FEP2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
hsrobinson on PROD1PC76 with PROPOSALS2
U.S.C. 299b–21 and 299b–22(b)–(d), (g)
and (i), and the proposed provisions, at
§§ 3.206 and 3.208, by which we
propose to implement the prohibition
on disclosure of identifiable patient
safety work product. We proposed to
define this new term to provide an easy
way to reference the provisions in the
Patient Safety Act and in the proposed
rule that implements the confidentiality
protections of the Patient Safety Act for
use in the enforcement and penalty
provisions of this proposed rule. We
found this a useful approach in the
HIPAA Enforcement Rule, where we
defined ‘‘administrative simplification
provision’’ for that purpose. In
determining how to define
‘‘confidentiality provisions’’ that could
be violated, we considered the statutory
enforcement provision at section 922(f)
of the Public Health Service Act, 42
U.S.C. 299b–22(f), which incorporates
by reference section 922(b) and (c).12
Thus, the enforcement authority clearly
implicates sections 922(b) and (c) of the
Patient Safety Act, 42 U.S.C. 299b–22(b)
and (c), which are implemented in
proposed § 3.206. Section 922(d) of the
Patient Safety Act, 42 U.S.C. 299b–
22(d), is entitled the ‘‘Continued
Protection of Information After
Disclosure’’ and sets forth continued
confidentiality protections for patient
safety work product after it has been
disclosed under section 922(c) of the
Public Health Service Act, 42 U.S.C.
299b–22(c), with certain exceptions.
Thus, section 922(d) of the Public
Health Service Act, 42 U.S.C. 299b–
22(d), is a continuation of the
confidentiality protections provided for
in section 922(b) of the Public Health
Service Act, 42 U.S.C. 299b–22(b).
Therefore, we also consider the
continued confidentiality provision at
proposed § 3.208 herein to be one of the
confidentiality provisions. In addition,
our understanding of these provisions is
based on the rule of construction in
section 922(g) of the Public Health
Service Act, 42 U.S.C. 299b–22(g), and
the clarification with respect to HIPAA
12 Section 922(f) of the Public Health Service Act,
42 U.S.C. 299b–22(f), states that ‘‘subject to
paragraphs (2) and (3), a person who discloses
identifiable patient safety work product in knowing
or reckless violation of subsection (b) shall be
subject to a civil money penalty of not more than
$10,000 for each act constituting such violation’’
(emphasis added). Subsection (b) of section 922 of
the Public Health Service Act, 42 U.S.C. 299b–
22(b), is entitled, ‘‘Confidentiality of Patient Safety
Work Product’’ and states, ‘‘Notwithstanding any
other provision of Federal, State, or local law, and
subject to subsection (c), patient safety work
product shall be confidential and shall not be
disclosed’’ (emphasis added). Section 922(c) of the
Public Health Service Act, 42 U.S.C. 299b–22(c), in
turn, contains the exceptions to confidentiality and
privilege protections.
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
in section 922(i) of the Public Health
Service Act, 42 U.S.C. 299b–22(i);
accordingly, these provisions are
included in the definition.
In contrast to the confidentiality
provisions, the privilege provisions in
the Patient Safety Act will be enforced
by the tribunals or agencies that are
subject to them; the Patient Safety Act
does not authorize the imposition of
civil money penalties for breach of such
provisions. We note, however, that to
the extent a breach of privilege is also
a breach of confidentiality, the Secretary
would enforce the confidentiality
breach under 42 U.S.C. 299b–22(f).
Disclosure would mean the release,
transfer, provision of access to, or
divulging in any other manner of patient
safety work product by a person holding
patient safety work product to another
person. An impermissible disclosure
(i.e., a disclosure of patient safety work
product in violation of the
confidentiality provisions) is the action
upon which potential liability for a civil
money penalty rests. Generally, if the
person holding patient safety work
product is an entity, disclosure occurs
when the information is shared with
another entity or a natural person
outside the entity. We do not propose to
hold entities liable for uses of the
information within the entity, (i.e.,
when this information is exchanged or
shared among the workforce members of
the entity) except as noted below
concerning component PSOs. If a
natural person holds patient safety work
product, except in the capacity as a
workforce member, a disclosure occurs
whenever exchange occurs to any other
person or entity. In light of this
definition, we note that a disclosure to
a contractor that is under the direct
control of an entity (i.e., a workforce
member) would be a use of the
information within the entity and,
therefore, not a disclosure for which a
permission is needed. However, a
disclosure to an independent contractor
would not be a disclosure to a workforce
member, and thus, would be a
disclosure for purposes of this proposed
rule and the proposed enforcement
provisions under Subpart D.
For component PSOs, we propose to
recognize as a disclosure the sharing or
transfer of patient safety work product
outside of the legal entity, as described
above, and between the component PSO
and the rest of the organization (i.e.,
parent organization) of which the
component PSO is a part. The Patient
Safety Act demonstrates a strong desire
for the separation of patient safety work
product between a component PSO and
the rest of the organization. See section
924(b)(2) of the Public Health Service
PO 00000
Frm 00007
Fmt 4701
Sfmt 4702
8117
Act, 42 U.S.C. 299b–24(b)(2). Because
we propose to recognize component
organizations as component PSOs
which exist within, but distinct from, a
single legal entity, and such a
component organization as a component
PSO would be required to certify to
limit access to patient safety work
product under proposed § 3.102(c), the
release, transfer, provision of access to,
or divulging in any other manner of
patient safety work product from a
component PSO to the rest of the
organization will be recognized as a
disclosure for purposes of this proposed
rule and the proposed enforcement
provisions under Subpart D.
We considered whether or not we
should hold entities liable for
disclosures that occur within that entity
(uses) by defining disclosure more
discretely, (i.e., as between persons
within an entity). If we were to define
disclosure in this manner, it may
promote better safeguarding against
inappropriate uses of patient safety
work product by providers and PSOs. It
may also allow better control of uses by
third parties to whom patient safety
work product is disclosed, and it would
create additional enforcement situations
which could lead to additional potential
civil money penalties. We note that
HIPAA authorized the Department to
regulate both the uses and disclosures of
individually identifiable health
information and, thus, the HIPAA
Privacy Rule regulates both the uses and
disclosures of such information by
HIPAA covered entities. See section
264(b) and (c)(1) of HIPAA, Public Law
104–191. The Patient Safety Act, on the
other hand, addresses disclosures and
authorizes the Secretary to penalize
disclosures of patient safety work
product.
Nonetheless, we do not propose to
regulate the use, transfer or sharing by
internal disclosure, of patient safety
work product within a legal entity. We
also decline to propose to regulate uses
because we would consider regulating
uses within providers and PSOs to be
intrusive into their internal affairs. This
would be especially the case given that
this is a voluntary program. Moreover,
we do not believe that regulating uses
would further the statutory goal of
facilitating the sharing of patient safety
work product with PSOs. In other
words, regulating uses would not
advance the ability of any entity to share
patient safety work product for patient
safety activities. Finally, we presume
that there are sufficient incentives in
place for providers and PSOs to
prudently manage the uses of sensitive
patient safety work product.
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
8118
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
We are not regulating uses, whether in
a provider, PSO, or any other entity that
obtains patient safety work product.
Because we are not proposing to
regulate uses, there will be no federal
sanction based on use of this
information. If a provider or other entity
wants to limit the uses or further
disclosures (beyond the regulatory
permissions) by a PSO or any future
recipient, a disclosing entity is free to
do so by contract. See section 922(g)(4)
of the Public Health Service Act, 42
U.S.C. 299b–22(g)(4), and proposed
§ 3.206(e). We seek comment about
whether this strikes the right balance.
The proposed definition mirrors the
definition of disclosure used in the
HIPAA Privacy Rule concerning
disclosures of protected health
information. Although we do not
propose to regulate the use of patient
safety work product, HIPAA covered
entities that possess patient safety work
product which contains protected
health information must comply with
the use and disclosure requirements of
the HIPAA Privacy Rule with respect to
the protected health information.
Patient safety work product containing
protected health information could only
be used in accordance with the HIPAA
Privacy Rule use permissions, including
the minimum necessary requirement.
Entity would mean any organization,
regardless of whether the organization is
public, private, for-profit, or not-forprofit. The statute permits any entity to
seek listing as a PSO by the Secretary
except a health insurance issuer and any
component of a health insurance issuer
and § 3.102(a)(2) proposes, in addition,
to prohibit public or private sector
entities that conduct regulatory
oversight of providers.
Group health plan would mean an
employee welfare benefit plan (as
defined in section 3(1) of the Employee
Retirement Income Security Act of 1974
(ERISA) to the extent that the plan
provides medical care (as defined in
paragraph (2) of section 2791(a) of the
Public Health Service Act, 42 U.S.C.
300gg–91(a)(1)) and including items and
services paid for as medical care) to
employees or their dependents (as
defined under the terms of the plan)
directly or through insurance,
reimbursement, or otherwise. Section
2791(b)(2) of the Public Health Service
Act, 42 U.S.C. 300gg–91(b)(2) excludes
group health plans from the defined
class of ‘health insurance issuer.’
Therefore, a group health plan may
establish a PSO unless the plan could be
considered a component of a health
insurance issuer, in which case such a
plan would be precluded from being a
PSO by the Patient Safety Act.
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
Health insurance issuer would mean
an insurance company, insurance
service, or insurance organization
(including a health maintenance
organization, as defined in 42 U.S.C.
300gg–91(b)(3)) which is licensed to
engage in the business of insurance in
a State and which is subject to State law
which regulates insurance (within the
meaning of 29 U.S.C. 1144(b)(2)). The
term, as defined in the Public Health
Service Act, does not include a group
health plan.
Health maintenance organization
would mean (1) a Federally qualified
health maintenance organization (as
defined in 42 U.S.C. 300e(a)); (2) an
organization recognized under State law
as a health maintenance organization; or
(3) a similar organization regulated
under State law for solvency in the same
manner and to the same extent as such
a health maintenance organization.
Because the ERISA definition relied
upon by the Patient Safety Act includes
health maintenance organizations in the
definition of health insurance issuer, an
HMO may not be, control, or manage the
operation of a PSO.
HHS stands for the United States
Department of Health and Human
Services. This definition is added for
convenience.
HIPAA Privacy Rule would mean the
regulations promulgated under section
264(c) of the Health Insurance
Portability and Accountability Act of
1996 (HIPAA), at 45 CFR Part 160 and
Subparts A and E of Part 164.
Identifiable Patient Safety Work
Product would mean patient safety work
product that:
(1) Is presented in a form and manner
that allows the identification of any
provider that is a subject of the work
product, or any providers that
participate in activities that are a subject
of the work product;
(2) Constitutes individually
identifiable health information as that
term is defined in the HIPAA Privacy
Rule at 45 CFR 160.103; or
(3) Is presented in a form and manner
that allows the identification of an
individual who in good faith reported
information directly to a PSO, or to a
provider with the intention of having
the information reported to a PSO
(‘‘reporter’’).
Identifiable patient safety work
product is not patient safety work
product that meets the nonidentification
standards proposed for ‘‘nonidentifiable
patient safety work product’’.
Nonidentifiable Patient Safety Work
Product would mean patient safety work
product that is not identifiable in
accordance with the nonidentification
standards proposed at § 3.212. Because
PO 00000
Frm 00008
Fmt 4701
Sfmt 4702
the privilege and confidentiality
protections of the Patient Safety Act and
this Part do not apply to nonidentifiable
patient safety work product once
disclosed, the restrictions and data
protection rules in this proposed rule
phrased as pertaining to patient safety
work product generally only apply to
identifiable patient safety work product.
OCR stands for the Office for Civil
Rights in HHS. This definition is added
for convenience.
Parent organization would mean a
public or private sector organization
that, alone or with others, either owns
a provider entity or a component PSO,
or has the authority to control or
manage agenda setting, project
management, or day-to-day operations
of the component, or the authority to
review and override decisions of a
component PSO. We have not proposed
to define the term ‘‘owns.’’ We propose
to use the term ‘‘own a provider entity’’
to mean a governmental agency or
Tribal entity that controls or manages a
provider entity as well as an
organization having a controlling
interest in a provider entity or a
component PSO, for example, owning a
majority or more of the stock of the
owned entity, and expressly ask for
comment on whether our further
definition of controlling interest as
follows below is appropriate.
Under the proposed regulation, if an
entity that seeks to be a PSO has a
parent organization, that entity will be
required to seek listing as a component
PSO and must provide certifications set
forth in proposed § 3.102(c), which
indicate that the entity maintains
patient safety work product separately
from the rest of the organization(s) and
establishes security measures to
maintain the confidentiality of patient
safety work product, the entity does not
make an unauthorized disclosure of
patient safety work product to the rest
of the organization(s), and the entity
does not create a conflict of interest
with the rest of the organization(s).
Traditionally, a parent corporation is
defined as a corporation that holds a
controlling interest in one or more
subsidiaries. By contrast, parent
organization, as used in this proposed
rule, is a more inclusive term and is not
limited to definitions used in
corporations law. Accordingly, the
proposed definition emphasizes a
parent organization’s control (or
influence) over a PSO that may or may
not be based on stock ownership.13 Our
13 Cf. 17 CFR 240.12b–2 (defining ‘‘control’’
broadly as ‘‘* * * the power to direct or cause the
direction of the management and policies of an
* * * [entity] whether through the ownership of
voting securities, by contract, or otherwise.’’)
E:\FR\FM\12FEP2.SGM
12FEP2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
hsrobinson on PROD1PC76 with PROPOSALS2
approach to interpreting the statutory
reference in section 924(b)(2) of the
Patient Safety Act, 42 U.S.C. 299b–
24(b)(2) to ‘‘another organization’’ in
which an entity is a ‘‘component’’ (i.e.,
a ‘‘parent organization’’) is analogous to
the growing attention in both statutory
and case law, to the nature and conduct
of business organizational relationships,
including multi-organizational
enterprises. As discussed above in the
definition of ‘‘component,’’ the
emphasis on actual organizational
control, rather than the organization’s
structure, has numerous legal
precedents in legislation implementing
statutory programs and objectives and
courts upholding such programs and
objectives.14 Therefore, the definition of
a ‘‘parent organization,’’ as used in the
proposed regulation would encompass
an affiliated organization that
participates in a common enterprise
with an entity seeking listing, and that
owns, manages or exercises control over
the entity seeking to be listed as a PSO.
As indicated above, affiliated
corporations have been legally defined
to mean those who share a corporate
parent or are part of a common
corporate enterprise.15
Parent organization is defined to
include affiliates primarily in
recognition of the prospect that
otherwise unrelated organizations might
affiliate to jointly establish a PSO. We
can foresee such an enterprise because
improving patient safety through expert
analysis of aggregated patient safety data
could logically be a common and
efficient objective shared by multiple
potential cofounders of a PSO. It is
fitting, in our view, that a component
entity certify, as we propose in
§ 3.102(c), that there is ‘‘no conflict’’
between its mission as a PSO and all of
the rest of the parent or affiliated
14 Blumberg on Corporate Groups § 13 notes that,
where applications for licenses are in a regulated
industry, information is required by states about the
applicant as well as corporate parents, subsidiaries
and affiliates. In the proposed regulation, pursuant
to the Patient Safety Act, information about parent
organizations with potentially conflicting missions
would be obtained to ascertain that component
entities seeking to be PSOs have measures in place
to protect the confidentiality of patient safety work
product and the independent conduct of impartial
scientific analyses by PSOs.
15 See for example the definition of affiliates in
regulations jointly promulgated by the Comptroller
of the Currency, the Federal Reserve board, the
FDIC, and the Office of Thrift Supervision to
implement privacy provisions of Gramm Leach
Bliley legislation using provisions of the Fair Credit
Reporting Act (dealing with information sharing
among affiliates): ‘‘any company that is related or
affiliated by common ownership, or affiliated by
corporate control or common corporate control with
another company.’’ Blumberg, supra note 2, at
§ 122.09[A] (citing 12 CFR pt.41.3, 12 CFR
pt.222.3(1), 12 CFR pt.334.3(b) and 12 CFR
pt.571.3(1) (2004)).
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
organizations that undertake a jointly
sponsored PSO enterprise.16 Similarly,
it is also appropriate that the additional
certifications required of component
entities in proposed § 3.102(c) regarding
separation of patient safety work
product and the use of separate staff be
required of an entity that has several cofounder parent organizations that
exercise ownership, management or
control, (i.e. to assure that the intended
‘‘firewalls’’ exist between the
component entity and the rest of any
affiliated organization that might
exercise ownership, management or
control over a PSO).
To recap this part of the discussion,
we would consider an entity seeking
listing as a PSO to have a parent
organization, and such entity would
seek listing as a component
organization, under the following
circumstances: (a) The entity is a unit in
a corporate organization or a controlling
interest in the entity is owned by
another corporation; or (b) the entity is
a distinct organizational part of a multiorganizational enterprise and one or
more affiliates in the enterprise own,
manage, or control the entity seeking
listing as a PSO. An example of an
entity described in (b) would be an
entity created by a joint venture in
which the entity would be managed or
controlled by several co-founding parent
organizations.
The definition of provider in the
proposed rule (which will be discussed
below) includes the parent organization
of any provider entity. Correspondingly,
our definition of parent organization
includes any organization that ‘‘owns a
provider entity.’’ This is designed to
provide an option for the holding
company of a corporate health care
system to enter a multi-facility or
system-wide contract with a PSO.
Patient Safety Act would mean the
Patient Safety and Quality Improvement
Act of 2005 (Pub. L. 109–41), which
amended Title IX of the Public Health
Service Act (42 U.S.C. 299 et seq.) by
inserting a new Part C, sections 921
through 926, which are codified at 42
U.S.C. 299b–21 through 299b–26.
Patient safety activities would mean
the following activities carried out by or
on behalf of a PSO or a provider:
(1) Efforts to improve patient safety
and the quality of health care delivery;
(2) The collection and analysis of
patient safety work product;
16 We note that the certifications from a jointly
established PSO could be supported or
substantiated with references to protective
procedural or policy walls that have been
established to preclude a conflict of these
organizations’ other missions with the scientific
analytic mission of the PSO.
PO 00000
Frm 00009
Fmt 4701
Sfmt 4702
8119
(3) The development and
dissemination of information with
respect to improving patient safety, such
as recommendations, protocols, or
information regarding best practices;
(4) The utilization of patient safety
work product for the purposes of
encouraging a culture of safety and of
providing feedback and assistance to
effectively minimize patient risk;
(5) The maintenance of procedures to
preserve confidentiality with respect to
patient safety work product;
(6) The provision of appropriate
security measures with respect to
patient safety work product;
(7) The utilization of qualified staff;
and
(8) Activities related to the operation
of a patient safety evaluation system and
to the provision of feedback to
participants in a patient safety
evaluation system.
This definition is taken from the
Patient Safety Act. See section 921(5) of
the Public Health Service Act, 42 U.S.C.
299b–21(5). Patient safety activities is
used as a key reference term for other
provisions in the proposed rule and
those provisions provide descriptions
related to patient safety activities. See
proposed requirements for PSOs at
§§ 3.102 and 3.106 and the proposed
confidentiality disclosure permission at
§ 3.206(b)(4).
Patient safety evaluation system
would mean the collection,
management, or analysis of information
for reporting to or by a PSO. The patient
safety evaluation system is a core
concept of the Patient Safety Act
through which information, including
data, reports, memoranda, analyses,
and/or written or oral statements, is
collected, maintained, analyzed, and
communicated. When a provider
engages in patient safety activities for
the purpose of reporting to a PSO or a
PSO engages in these activities with
respect to information for patient safety
purposes, a patient safety evaluation
system exists regardless of whether the
provider or PSO has formally identified
a ‘‘patient safety evaluation system’’.
For example, when a provider collects
information for the purpose of reporting
to a PSO and reports the information to
a PSO to generate patient safety work
product, the provider is collecting and
reporting through its patient safety
evaluation system (see definition of
patient safety work product ). Although
we do not propose to require providers
or PSOs formally to identify or define
their patient safety evaluation system—
because such systems exist by virtue of
the providers or PSOs undertaking
certain patient safety activities—a
patient safety evaluation system can be
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
8120
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
formally designated by a provider or
PSO to establish a secure space in
which these activities may take place.
The formal identification or
designation of a patient safety
evaluation system could give structure
to the various functions served by a
patient safety evaluation system. These
possible functions are:
1. For reporting information by a
provider to a PSO in order to generate
patient safety work product and to
protect the fact of reporting such
information to a PSO (see section 921(6)
and (7)(A)(i)(I) of the Public Health
Service Act, 42 U.S.C. 299b–21(6) and
(7)(A)(i)(I));
2. For communicating feedback
concerning patient safety events
between PSOs and providers (see
section 921(5)(H) of the Public Health
Service Act, 42 U.S.C. 299b–21(5)(H));
3. For creating and identifying the
space within which deliberations and
analyses of information and patient
safety work product are conducted (see
section 921(7)(A)(ii) of the Public Health
Service Act, 42 U.S.C. 299b–
21(7)(A)(ii));
4. For separating patient safety work
product and information collected,
maintained, or developed for reporting
to a PSO distinct and apart from
information collected, maintained, or
developed for other purposes (see
section 921(7)(B)(ii) of the Public Health
Service Act, 42 U.S.C. 299b–
21(7)(B)(ii)); and,
5. For identifying patient safety work
product to maintain its privileged status
and confidentiality, and to avoid
impermissible disclosures (see section
922(b) of the Public Health Service Act,
42 U.S.C. 299b–22(b)).
A provider or PSO need not engage in
all of the above-mentioned functions in
order to establish or maintain a patient
safety evaluation system. A patient
safety evaluation system is flexible and
scalable to the individual needs of a
provider or PSO and may be modified
as necessary to support the activities
and level of engagement in the activities
by a particular provider or PSO.
Documentation. Because a patient
safety evaluation system is critical in
identifying and protecting patient safety
work product, we encourage providers
and PSOs to document what constitutes
their patient safety evaluation system.
We recommend that providers and PSOs
consider documenting the following:
• How information enters the patient
safety evaluation system;
• What processes, activities, physical
space(s) and equipment comprise or are
used by the patient safety evaluation
system;
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
• Which personnel or categories of
personnel need access to patient safety
work product to carry out their duties
involving operation of, or interaction
with the patient safety evaluation
system, and for each such person or
category of persons, the category of
patient safety work product to which
access is needed and any conditions
appropriate to such access; and,
• What procedures or mechanisms
the patient safety evaluation system
uses to report information to a PSO or
disseminate information outside of the
patient safety evaluation system.
A documented patient safety
evaluation system, as opposed to an
undocumented or poorly documented
patient safety evaluation system, may
accrue many benefits to the operating
provider or PSO. Providers or PSOs that
have a documented patient safety
evaluation system will have substantial
proof to support claims of privilege and
confidentiality when resisting requests
for production of, or subpoenas for,
information constituting patient safety
work product or when making requests
for protective orders against requests or
subpoenas for such patient safety work
product. Documentation of a patient
safety evaluation system will enable a
provider or PSO to provide supportive
evidence to a court when claiming
privilege protections for patient safety
work product. This may be particularly
critical since the same activities can be
done inside and outside of a patient
safety evaluation system.
A documented and established
patient safety evaluation system also
gives notice to employees of the
privileged and confidential nature of the
information within a patient safety
evaluation system in order to generate
awareness, greater care in handling such
information and more caution to
prevent unintended or impermissible
disclosures of patient safety work
product. For providers with many
employees, an established and
documented patient safety evaluation
system can serve to separate access to
privileged and confidential patient
safety work product from employees
that have no need for patient safety
work product. Documentation can serve
to limit access by non-essential
employees. By limiting who may access
patient safety work product, a provider
may reduce its exposure to the risks of
inappropriate disclosures.
Given all of the benefits,
documentation of a patient safety
evaluation system would be a prudent
business practice. Moreover, as part of
our enforcement program, we would
expect entities to be following sound
business practices in maintaining
PO 00000
Frm 00010
Fmt 4701
Sfmt 4702
adequate documentation regarding their
patient safety evaluation systems to
demonstrate their compliance with the
confidentiality provisions. Absent this
type of documentation, it may be
difficult for entities to satisfy the
Secretary that they have met and are in
compliance with their confidentiality
obligations. While we believe it is a
sound and prudent business practice,
we have not required a patient safety
evaluation system to be documented,
and we do not believe it is required by
the Patient Safety Act. We seek
comment as to these issues.
Patient Safety Organization (PSO)
would mean a private or public entity
or component thereof that is listed as a
PSO by the Secretary in accordance
with proposed § 3.102.
Patient Safety Work Product is a
defined term in the Patient Safety Act
that identifies the information to which
the privilege and confidentiality
protections apply. This proposed rule
imports the statutory definition of
patient safety work product specifically
for the purpose of implementing the
confidentiality protections under the
Patient Safety Act. The proposed rule
provides that, with certain exceptions,
patient safety work product would mean
any data, reports, records, memoranda,
analyses (such as root cause analyses),
or written or oral statements (or copies
of any of this material) (A) which could
result in improved patient safety, health
care quality, or health care outcomes
and either (i) is assembled or developed
by a provider for reporting to a PSO and
is reported to a PSO; or (ii) is developed
by a PSO for the conduct of patient
safety activities; or (B) which identifies
or constitutes the deliberations or
analysis of, or identifies the fact of
reporting pursuant to, a patient safety
evaluation system. The proposed rule
excludes from patient safety work
product a patient’s original medical
record, billing and discharge
information, or any other original
patient or provider information and any
information that is collected,
maintained, or developed separately, or
exists separately, from a patient safety
evaluation system. Such separate
information or a copy thereof reported
to a PSO does not by reason of its
reporting become patient safety work
product. The separately collected and
maintained information remains
available, for example, for public health
reporting or disclosures pursuant to
court order. The information contained
in a provider’s or PSO’s patient safety
evaluation system is protected, would
be privileged and confidential, and may
not be disclosed absent a statutory or
regulatory permission.
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
What can become patient safety work
product. The definition of patient safety
work product lists the types of
information that are likely to be
exchanged between a provider and PSO
to generate patient safety work product:
‘‘Any data, reports, records,
memoranda, analyses (such as root
cause analyses), or written or oral
statements’’ (collectively referred to
below as ‘‘information’’ for brevity).
Congress intended the fostering of
robust patient safety evaluation systems
for exchanges between providers and
PSOs. We expect this expansive list will
maximize provider flexibility in
operating its patient safety evaluation
system by enabling the broadest
possible incorporation and protection of
information by providers and PSOs.
In addition, information must be
collected or developed for the purpose
of reporting to a PSO. Records collected
or developed for a purpose other than
for reporting to a PSO, such as to
support internal risk management
activities or to fulfill external reporting
obligations, cannot become patient
safety work product. However, copies of
information collected for another
purpose may become patient safety
work product if, for example, the copies
are made for the purpose of reporting to
a PSO. This issue is discussed more
fully below regarding information that
cannot become patient safety work
product.
When information is reported by a
provider to a PSO or when a PSO
develops information for patient safety
activities, the definition assumes that
the protections apply to information
that ‘‘could result in improved patient
safety, health care quality, or health care
outcomes.’’ This phrase imposes few
practical limits on the type of
information that can be protected since
a broad range of clinical and nonclinical factors could have a beneficial
impact on the safety, quality, or
outcomes of patient care. Because the
Patient Safety Act does not impose a
narrow limitation, such as requiring
information to relate solely, for
example, to particular adverse or
‘‘sentinel’’ incidents or even to the
safety of patient care, we conclude
Congress intended providers to be able
to cast a broad net in their data
gathering and analytic efforts to identify
causal factors or relationships that
might impact patient safety, quality and
outcomes. In addition, we note that the
phrase ‘‘could result in improved’’
requires only potential utility, not
proven utility, thereby allowing more
information to become patient safety
work product.
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
How information becomes patient
safety work product. Paragraphs
(1)(i)(A), (1)(i)(B), and (1)(ii) of the
proposed regulatory definition indicate
three ways for information to become
patient safety work product and
therefore subject to the confidentiality
and privilege protections of the Patient
Safety Act.
Information assembled or developed
and reported by providers. By law and
as set forth in our proposal, information
that is assembled or developed by a
provider for the purpose of reporting to
a PSO and is reported to a PSO is
patient safety work product. Section
921(7)(A)(i)(I) of the Public Health
Service Act, 42 U.S.C. 299b–
21(7)(A)(i)(I).
As noted, to become patient safety
work product under this section of the
definition, information must be reported
by a provider to a PSO. For purposes of
paragraph (1)(i)(A) of this definition,
‘‘reporting’’ generally means the actual
transmission or transfer of information,
as described above, to a PSO. We
recognize, however, that requiring the
transmission of every piece of paper or
electronic file to a PSO could impose
significant transmission, management,
and storage burdens on providers and
PSOs. In many cases, providers engaged
in their own investigations may desire
to avoid continued transmission of
additional related information as its
work proceeds.
To alleviate the burden of reporting
every piece of information assembled by
a provider related to a particular patient
safety event, we are interested in public
comment regarding an alternative for
providers that have established
relationships with PSOs. We note that
the reporting and generation of patient
safety work product does not require a
contract or any other relationship for a
PSO to receive reports from a provider,
for a PSO to examine patient safety
work product, or for a PSO to provide
feedback to a provider based upon the
examination of reported information.
Nonetheless, we anticipate that
providers who are committed to patient
safety improvements will establish a
contractual or similar relationship with
a PSO to report and receive feedback
about patient safety incidents and
adverse events. Such a contract or
relationship would provide a basis to
allow providers and PSOs to establish
customized alternative arrangements for
reporting.
For providers that have established
contracts with PSOs for the review and
receipt of patient safety work product,
we seek comment on whether a provider
should be able to ‘‘report’’ to the PSO
by providing its contracted PSO access
PO 00000
Frm 00011
Fmt 4701
Sfmt 4702
8121
to any information it intends to report
(i.e., ‘‘functional reporting’’). For
example, a provider and a PSO may
establish, by contract, that information
put into a database shared by the
provider and the PSO is sufficient to
report information to the PSO in lieu of
the actual transmission requirement. We
believe that functional reporting would
be a valuable mechanism for the
efficient reporting of information from a
provider to a PSO. We are seeking
public comment about what terms and
conditions may be necessary to provide
access to a PSO to be recognized as
functional reporting. We also seek
comment about whether this type of
functional reporting arrangement should
only be available for subsequent related
information once an initial report on a
specific topic or incident has been
transmitted to a PSO.
We do not intend a PSO to have an
unfettered right of access to any
provider information. Providers and
PSOs are free to engage in alternative
reporting arrangements under the
proposed rule, and we solicit comments
on the appropriate lines to be drawn
around the arrangements that should be
recognized under the proposed rule.
However, our proposals should not be
construed to suggest or propose that a
PSO has a superior right to access
information held by a provider based
upon a reporting relationship. If a PSO
believes information reported by a
provider is insufficient, a PSO is free to
request additional information from a
provider or to indicate appropriate
limitations to the conclusions or
analyses based on insufficient or
incomplete information.
We seek public comment on two
additional aspects regarding the timing
of the obligation of a provider to report
to a PSO in order for information to
become protected patient safety work
product and for the confidentiality
protections to attach. The first issue
relates to the timing between assembly
or development of information for
reporting and actual reporting under the
proposed definition of patient safety
work product. As currently proposed,
information assembled or developed by
a provider is not protected until the
moment it is reported, (i.e., transmitted
or transferred to a PSO). We are
considering whether there is a need for
a short period of protection for
information assembled but not yet
reported. We note that in such
situations, a provider creates and
operates a patient safety evaluation
system. (See discussion of the definition
of patient safety evaluation system at
proposed § 3.20.) We further note that
even without such short period of
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
8122
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
protection, information assembled or
developed by a provider but not yet
reported may be subject to other
protections in the proposed rule (e.g.,
see section 921(7)(A)(ii) of the Public
Health Service Act, 42 U.S.C. 299b–
21(7)(A)(ii)).
Our intent is not to relieve the
provider of the statutory requirement for
reporting pursuant to section
921(7)(A)(i) of the Public Health Service
Act, 42 U.S.C. 299b–21(7)(A)(i), but to
extend to providers flexibility to
efficiently transmit or transfer
information to a PSO for protection. A
short period of protection for
information assembled but not yet
reported could result in greater
operational efficiency for a provider by
allowing information to be compiled
and reported to a PSO in batches. It
could also alleviate the uncertainty
regarding the status of information that
is assembled, but not yet reported for
administrative reasons. If we do address
this issue in the final rule, we seek
input on the appropriate time period for
such protection and whether a provider
must demonstrate an intent to report in
order to obtain protections. If we do not
address this issue in the final rule, such
information held by a provider would
not be confidential until it is actually
transmitted to a PSO under this prong
of the definition of patient safety work
product.
Second, for information to become
patient safety work product under this
prong of the definition, it must be
assembled or developed for the purpose
of reporting to a PSO and actually
reported. We solicit comment on the
point in time at which it can be
established that information is being
collected for the purpose of reporting to
a PSO such that it is not excluded from
the definition of patient safety work
product as a consequence of it being
collected, maintained or developed
separately from a patient safety
evaluation system. See section
921(7)(B)(ii) of the Public Health Service
Act, 42 U.S.C. 299b–21(7)(B)(ii). To
assemble information with the purpose
of reporting to a PSO, a PSO must
potentially exist, and thus, we believe
that collection efforts cannot predate the
passage of the Patient Safety Act on July
29, 2005.
Information that is developed by a
PSO for the conduct of patient safety
activities. By law and as set forth in our
proposal, information that is developed
by a PSO for patient safety activities is
patient safety work product. Section
921(7)(A)(i)(II) of the Public Health
Service Act, 42 U.S.C. 299b–
21(7)(A)(i)(II). This section of the
definition does not address information
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
discussed in the previous section that is
assembled or developed by a provider
and is reported to a PSO which becomes
patient safety work product under that
section. Rather, this section addresses
other information that a PSO collects for
development from third parties, nonproviders and other PSOs for patient
safety activities.
For example, a PSO may be asked to
assist a provider in analyzing a complex
adverse event that took place. The
initial information from the provider is
protected because it was reported. If the
PSO determines that the information is
insufficient and conducts interviews
with affected patients or collects
additional data, that information is an
example of the type of information that
would be protected under this section of
the definition. Even if the PSO
ultimately decided not to analyze such
information, the fact that the PSO
collected and evaluated the information
is a form of ‘‘development’’
transforming the information into
patient safety work product. Such
patient safety work product would be
subject to confidentiality protections,
and thus, the PSO would need safe
disposal methods for any such
information in accordance with its
confidentiality obligations.
Information that constitutes the
deliberations or analysis of, or identifies
the fact of reporting pursuant to, a
patient safety evaluation system. By law
and as set forth in our proposal,
information that constitutes the
deliberations or analysis of, or identifies
the fact of reporting pursuant to, a
patient safety evaluation system is
patient safety work product. Section
921(7)(A)(ii) of the Public Health
Service Act, 42 U.S.C. 299b–21(7)(A)(ii).
This provision extends patient safety
work product protections to any
information that would identify the fact
of reporting pursuant to a patient safety
evaluation system or that constitutes the
deliberations or analyses that take place
within such a system. The fact of
reporting through a patient safety
evaluation system (e.g., a fax cover
sheet, an e-mail transmitting data, and
an oral transmission of information to a
PSO) is patient safety work product.
With regard to providers,
deliberations and analyses are protected
while they are occurring provided they
are done within a patient safety
evaluation system. We are proposing
that under paragraph (1)(ii) of this
definition, any ‘‘deliberations or
analysis’’ performed within the patient
safety evaluation system becomes
patient safety work product. In other
words, to determine whether
protections apply, the primary question
PO 00000
Frm 00012
Fmt 4701
Sfmt 4702
is whether a patient safety evaluation
system, which by law and as set forth
in this proposed rule, is the collection,
management, or analysis of information
for reporting to a PSO, was in existence
at the time of the deliberations and
analysis.
To determine whether a provider had
a patient safety evaluation system at the
time that the deliberations or analysis
took place, we propose to consider
whether a provider had certain indicia
of a patient safety evaluation system,
such as the following: (1) The provider
has a contract with a PSO for the receipt
and review of patient safety work
product that is in effect at the time of
the deliberations and analysis; (2) the
provider has documentation for a
patient safety evaluation system
demonstrating the capacity to report to
a PSO at the time of the deliberations
and analysis; (3) the provider had
reported information to the PSO either
under paragraph (1)(i)(A) of the
proposed definition of patient safety
work product or with respect to
deliberations and analysis; or (4) the
provider has actually reported the
underlying information that was the
basis of the deliberations or analysis to
a PSO. For example, if a provider
claimed protection for information as
the deliberation of a patient safety
evaluation system, and had a contract
with the PSO at the time the
deliberations took place, it would be
reasonable to believe that the
deliberations and analysis were related
to the provider’s PSO reporting
activities. This is not an exclusive list.
We note therefore that a provider may
still be able to show that information
was patient safety work product using
other indications.
We note that the statutory protections
for deliberations and analysis in a
patient safety evaluation system apply
without regard to the status of the
underlying information being
considered (i.e., it does not matter
whether the underlying information
being considered is patient safety work
product or not). A provider can fully
protect internal deliberations in its
patient safety evaluation system over
whether to report information to a PSO.
The deliberations and analysis are
protected, whether the provider chooses
to report the underlying information to
a PSO or not. However, the underlying
information, separate and apart from the
analysis or deliberation, becomes
protected only when reported to a PSO.
See section 921(7)(A)(i)(1) of the Public
Health Service Act, 42 U.S.C. 299b–
21(7)(A)(i)(1).
To illustrate, consider a hospital that
is reviewing a list of all near-misses
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
reported within the past 30 days. The
purpose of the hospital’s review is to
analyze whether to report any or part of
the list to a PSO. The analyses (or any
deliberations the provider undertakes)
are fully protected whether the provider
reports any near-misses or not. The
status of the near-misses list does not
change because the deliberations took
place. The fact that the provider
deliberated over reporting the list does
not constitute reporting and does not
change the protected status of the list.
Separate and apart from the analysis,
this list of near misses is not protected
unless it is reported. By contrast, this
provision fully protects the provider’s
deliberations and analyses in its patient
safety evaluation system regarding the
list.
Delisting. In the event that a PSO is
delisted for cause under proposed
§ 3.108(b)(1), a provider may continue to
report to that PSO for 30 days after the
delisting and the reported information
will be patient safety work product.
Section 924(f)(1) of the Public Health
Service Act, 42 U.S.C. 299b–24(f)(1).
Information reported to a delisted PSO
after the 30-day period will not be
patient safety work product. However,
after a PSO is delisted, the delisted
entity may not continue to generate
patient safety work product by
developing information for the conduct
of patient safety activities or through
deliberations and analysis of
information. Any patient safety work
product held or generated by a PSO
prior to its delisting remains protected
even after the PSO is delisted. See
discussion in the preamble regarding
proposed § 3.108(b)(2) for more
information.
We note that proposed § 3.108(c)
outlines the process for delisting based
upon an entity’s voluntary
relinquishment of its PSO listing. As we
discuss in the accompanying preamble,
we tentatively conclude that the
statutory provision for a 30-day period
of continued protection does not apply
after delisting due to voluntary
relinquishment.
Even though a PSO may not generate
new patient safety work product after
delisting, it may still have in its
possession patient safety work product,
which it must keep confidential. The
statute establishes requirements,
incorporated in proposed § 3.108(b)(2)
and (b)(3), that a PSO delisted for cause
must meet regarding notification of
providers and disposition of patient
safety work product. We propose in
§ 3.108(c) to implement similar
notification and disposition measures
for a PSO that voluntarily relinquishes
its listing. For further discussion of the
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
obligations of a delisted PSO, see
proposed § 3.108(b)(2), (b)(3), and (c).
What is not patient safety work
product. By law, and as set forth in this
proposed rule, patient safety work
product does not include a patient’s
original medical record, billing and
discharge information, or any other
original patient or provider record; nor
does it include information that is
collected, maintained, or developed
separately or exists separately from, a
patient safety evaluation system. Such
separate information or a copy thereof
reported to a PSO shall not by reason of
its reporting be considered patient
safety work product.
The specific examples cited in the
Patient Safety Act of what is not patient
safety work product—the patient’s
original medical record, billing and
discharge information, or any other
original patient record—are illustrative
of the types of information that
providers routinely assemble, develop,
or maintain for purposes and obligations
other than those of the Patient Safety
Act. The Patient Safety Act also states
that information that is collected,
maintained, or developed separately, or
exists separately from a patient safety
evaluation system, is not patient safety
work product. Therefore, if records are
collected, maintained, or developed for
a purpose other than for reporting to a
PSO, those records cannot be patient
safety work product. However, if, for
example, a copy of such record is made
for reporting to a PSO, the copy and the
fact of reporting become patient safety
work product. Thus, a provider could
collect incident reports for internal
quality assurance purposes, and later,
determine that one incident report is
relevant to a broader patient safety
activity. If the provider then reports a
copy of the incident report to a PSO, the
copy of the incident report received by
the PSO is protected as is the copy of
the incident report as reported to the
PSO that is maintained by the provider,
while the original incident report
collected for internal quality assurance
purposes is not protected.
The proposed rule sets forth the
statutory rule of construction that
prohibits construing anything in this
Part from limiting (1) the discovery of or
admissibility of information that is not
patient safety work product in a
criminal, civil, or administrative
proceeding; (2) the reporting of
information that is not patient safety
work product to a Federal, State, or
local governmental agency for public
health surveillance, investigation, or
other public health purposes or health
oversight purposes; or (3) a provider’s
recordkeeping obligation with respect to
PO 00000
Frm 00013
Fmt 4701
Sfmt 4702
8123
information that is not patient safety
work product under Federal, State or
local law. Section 921(7)(B)(iii) of the
Public Health Service Act, 42 U.S.C.
299b–21(7)(B)(iii). Even when laws or
regulations require the reporting of the
information regarding the type of events
also reported to PSOs, the Patient Safety
Act does not shield providers from their
obligation to comply with such
requirements.
As the Patient Safety Act states more
than once, these external obligations
must be met with information that is not
patient safety work product, and, in
accordance with the confidentiality
provisions, patient safety work product
cannot be disclosed for these purposes.
We note that the Patient Safety Act
clarifies that nothing in this Part
prohibits any person from conducting
additional analyses for any purpose
regardless of whether such additional
analysis involves issues identical to or
similar to those for which information
was reported to or assessed by a PSO or
a patient safety evaluation system.
Section 922(h) of the Public Health
Service Act, 42 U.S.C. 299b–22(h). A
copy of information generated for such
purposes may be entered into the
provider’s patient safety evaluation
system for patient safety purposes
although the originals of the information
generated to meet external obligations
do not become patient safety work
product.
Thus, information that is collected to
comply with external obligations is not
patient safety work product. Such
activities may include: State incident
reporting requirements; adverse drug
event information reporting to the Food
and Drug Administration (FDA);
certification or licensing records for
compliance with health oversight
agency requirements; reporting to the
National Practitioner Data Bank of
physician disciplinary actions; or
complying with required disclosures by
particular providers or suppliers
pursuant to Medicare’s conditions of
participation or conditions of coverage.
In addition, the proposed rule does not
change the law with respect to an
employee’s ability to file a complaint
with Federal or State authorities
regarding quality of care, or with respect
to any prohibition on a provider’s
threatening or carrying out retaliation
against an individual for doing so; the
filing of any such complaint would not
be deemed to be a violation of the
Patient Safety Act, unless patient safety
work product was improperly disclosed
in such filing.
Health Care Oversight Reporting and
Patient Safety Work Product. The
Patient Safety Act establishes a
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
8124
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
protected space or system of protected
information in order to allow frank
discussion about causes and
remediation of threats to patient safety.
As described above, this protected
system is separate, distinct, and resides
alongside but does not replace other
information collection activities
mandated by laws, regulations, and
accrediting and licensing requirements
as well as voluntary reporting activities
that occur for the purpose of
maintaining accountability in the health
care system. Information collection
activities performed by the provider for
purposes other than for reporting to a
PSO by itself do not create patient safety
work product. In anticipation of
questions about how mandatory and
voluntary reporting will continue to be
possible, a brief explanation may be
helpful regarding how this new patient
safety framework would operate in
relation to health care oversight
activities (e.g., public health reporting,
corrective actions, etc.).
Situations may occur when the
original (whether print or electronic) of
information that is not patient safety
work product is needed for a disclosure
outside of the entity but cannot be
located while a copy of the needed
information resides in the patient safety
evaluation system. If the reason for
which the original information is being
sought does not align with one of the
permissible disclosures, discussed in
proposed Subpart C, the protected copy
may not be released. Nevertheless, this
does not preclude efforts to reconstruct
the information outside of the patient
safety evaluation system from
information that is not patient safety
work product. Those who participated
in the collection, development, analysis,
or review of the missing information or
have knowledge of its contents can fully
disclose what they know or reconstruct
an analysis outside of the patient safety
evaluation system.
The issue of how effectively a
provider has instituted corrective action
following identification of a threat to the
quality or safety of patient care might
lead to requests for information from
external authorities. The Patient Safety
Act does not relieve a provider of its
responsibility to respond to such
requests for information or to undertake
or provide to external authorities
evaluations of the effectiveness of
corrective action, but the provider must
respond with information that is not
patient safety work product.
To illustrate the distinction, consider
the following example. We would
expect that a provider’s patient safety
evaluation system or a PSO with which
the provider works may make
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
recommendations from time to time to
the provider for changes it should make
in the way it manages and delivers
health care. The list of
recommendations for changes, whether
they originate from the provider’s
patient safety evaluation system or the
PSO with which it is working, are
always patient safety work product. We
would also note that not all of these
recommendations will address
corrective actions (i.e., correcting a
process, policy, or situation that poses
a threat to patients). It is also possible
that a provider with an exemplary
quality and safety record is seeking
advice on how to perform even better.
Whatever the case, the feedback from
the provider’s patient safety evaluation
system or PSO may not be disclosed to
external authorities unless permitted by
the disclosures specified in Subpart C of
this proposed rule.
The provider may choose to reject the
recommendations it receives or
implement some or all of the proposed
changes. While the recommendations
always remain protected, whether they
are adopted or rejected by a provider,
the actual changes that the provider
implements to improve how it manages
or delivers health care services
(including changes in its organizational
management or its care environments,
structures, and processes) are not
patient safety work product. In a
practical sense, it would be virtually
impossible to keep such changes
confidential in any event, and we stress
that if there is any distinction between
the change that was adopted and the
recommendation that the provider
received, the provider can only describe
the change that was implemented. The
recommendation remains protected.
Thus, if external authorities request a
list of corrective actions that a provider
has implemented, the provider has no
basis for refusing the request. Even
though the actions are based on
protected information, the corrective
actions themselves are not patient safety
work product. On the other hand, if an
external authority asks for a list of the
recommendations that the provider did
not implement or whether and how any
implemented change differed from the
recommendation the provider received,
the provider must refuse the request; the
recommendations themselves remain
protected.
Person would mean a natural person,
trust or estate, partnership, corporation,
professional association or corporation,
or other entity, public or private. We
propose to define ‘‘person’’ because the
Patient Safety Act requires that civil
money penalties be imposed against
‘‘person[s]’’ that violate the
PO 00000
Frm 00014
Fmt 4701
Sfmt 4702
confidentiality provisions. However, the
Patient Safety Act does not provide a
definition of ‘‘person’’. The Definition
Act at 1 U.S.C. 1 provides, ‘‘in
determining any Act of Congress, unless
the context indicates otherwise * * *
the words ‘person’ and ‘whoever’
include corporations, companies,
associations, firms, partnerships,
societies, and joint stock companies, as
well as individuals’’ (emphasis added).
The Patient Safety Act indicates that
States and other government entities
may hold patient safety work product
with the protections and liabilities
attached, which is an expansion of the
Definition Act provision. For this
reason, we propose the broader
definition of the term ‘‘person’’. We note
that this proposed approach is
consistent with the HHS Office of
Inspector General (OIG) regulations, 42
CFR 1003.101, and the HIPAA
Enforcement Rule, 45 CFR 160.103.
Provider would mean any individual
or entity licensed or otherwise
authorized under State law to provide
health care services. The list of specific
providers in the proposed rule includes
the following: institutional providers,
such as a hospital, nursing facility,
comprehensive outpatient rehabilitation
facility, home health agency, hospice
program, renal dialysis facility,
ambulatory surgical center, pharmacy,
physician or health care practitioner’s
office (including a group practice), long
term care facility, behavior health
residential treatment facility, clinical
laboratory, or health center; or
individual clinicians, such as a
physician, physician assistant,
registered nurse, nurse practitioner,
clinical nurse specialist, certified
registered nurse anesthetist, certified
nurse midwife, psychologist, certified
social worker, registered dietitian or
nutrition professional, physical or
occupational therapist, pharmacist, or
other individual health care
practitioner. This list is merely
illustrative; an individual or entity that
is not listed here but meets the test of
state licensure or authorization to
provide health care services is a
provider for the purpose of this
proposed rule.
The statute also authorizes the
Secretary to expand the definition of
providers. Under this authority, we
propose to add the following to this list
of providers:
(a) Agencies, organizations, and
individuals within Federal, State, local,
or Tribal governments that deliver
health care, organizations engaged as
contractors by the Federal, State, local
or Tribal governments to deliver health
care, and individual health care
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
practitioners employed or engaged as
contractors by the Federal government
to deliver health care. It appears that all
of these agencies, organizations, and
individuals could participate in, and
could benefit from, working with a PSO.
(b) A corporate parent organization for
one or more entities licensed or
otherwise authorized to provide health
care services under state law. Without
this addition, hospital or other provider
systems that are controlled by a parent
organization that is not recognized as a
provider under State law might be
precluded from entering into systemwide contracts with PSOs. This addition
furthers the goals of the statute to
encourage aggregation of patient safety
data and a coordinated approach for
assessing and improving patient safety.
We particularly seek comments
regarding any concerns or operational
issues that might result from this
addition, and note that a PSO entering
one system-wide contract still needs to
meet the two contract minimum
requirement based on section
924(b)(1)(C) of the Public Health Service
Act, 42 U.S.C. 299b–24(b)(1)(C), and set
out and discussed in proposed
§ 3.102(b). The PSO can do this by
entering into two contracts with
different providers within the system.
(c) A Federal, State, local, or Tribal
government unit that manages or
controls one or more health care
providers described in the definition of
provider at (1)(i) and (2). We propose
this addition to the definition of
‘‘provider’’ for the same reason that we
proposed the addition of parent
organization that has a controlling
interest in one or more entities licensed
or otherwise authorized to provide
health care services under state law.
Research would have the same
meaning as that term is defined in the
HIPAA Privacy Rule at 45 CFR 164.501.
In the HIPAA Privacy Rule, research
means a systematic investigation,
including research development,
testing, and evaluation, designed to
develop or contribute to generalizable
knowledge. This definition is used to
describe the scope of the confidentiality
exception at proposed § 3.206(b)(6). We
propose to use the same definition as in
the HIPAA Privacy Rule to improve the
level of coordination and to reduce the
burden of compliance. At the same time,
if there is a modification to the
definition in the HIPAA Privacy Rule,
the definition herein will automatically
change with such regulatory action.
Respondent would mean a provider,
PSO, or responsible person who is the
subject of a complaint or a compliance
review.
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
Responsible person would mean a
person, other than a provider or PSO,
who has possession or custody of
identifiable patient safety work product
and is subject to the confidentiality
provisions. We note that because the
Patient Safety Act has continued
confidentiality protection at 42 U.S.C.
299b–22(d), many entities other than
providers and PSOs may be subject to
the confidentiality provisions. Thus, for
example, researchers or law
enforcement officials who obtain patient
safety work product under one of the
exceptions to confidentiality would be
considered a ‘‘responsible person’’.
Workforce would mean employees,
volunteers, trainees, contractors, and
other persons whose conduct, in the
performance of work for a provider, PSO
or responsible person, is under the
direct control of such provider, PSO or
responsible person, whether or not they
are paid by the provider, PSO or
responsible person. We use the term
workforce member in several contexts in
the proposed rule. Importantly, in
proposed § 3.402 where we discuss
principal liability, we propose that an
agent for which a principal may be
liable can be a workforce member. We
have included the term ‘‘contractors’’ in
the definition of workforce member to
clarify that such permitted sharing may
occur with contractors who are under
the direct control of the provider, PSO,
or responsible person. For example, a
patient safety activity disclosure by a
provider to a PSO may be made directly
to the PSO or to a consultant, as a
workforce member, contracted by the
PSO to help it carry out patient safety
activities.
B. Subpart B—PSO Requirements and
Agency Procedures
Proposed Subpart (B) sets forth
requirements for Patient Safety
Organizations (PSOs). This proposed
Subpart specifies the certification and
notification requirements that PSOs
must meet, the actions that the Secretary
may and will take relating to PSOs, the
requirements that PSOs must meet for
the security of patient safety work
product, the processes governing
correction of PSO deficiencies,
revocation, and voluntary
relinquishment, and related
administrative authorities and
implementation responsibilities. The
requirements of this proposed Subpart
would apply to PSOs, their workforce,
a PSO’s contractors when they hold
patient safety work product, and the
Secretary.
This proposed Subpart is intended to
provide the foundation for new,
voluntary opportunities to improve the
PO 00000
Frm 00015
Fmt 4701
Sfmt 4702
8125
safety, quality, and outcomes of patient
care. The Patient Safety Act does not
require a provider to contract with a
PSO, and the proposed rule does not
include such a requirement. However,
we expect that most providers will enter
into contracts with PSOs when seeking
the confidentiality and privilege
protections of the statute. Contracts offer
providers greater certainty that a
provider’s claim to these statutory
protections will be sustained, if
challenged. For example, the statutory
definition of patient safety work product
describes the nature and purpose of
information that can be protected, the
circumstances under which
deliberations or analyses are protected,
and the requirement that certain
information be reported to a PSO.
Pursuant to a contractual arrangement,
providers can require and receive
assistance from PSOs to ensure that
these requirements are fully met.
Contracts can provide clear evidence
that a provider is taking all reasonable
measures to operate under the ambit of
the statute in collecting, developing,
and maintaining patient safety work
product. Contracts enable providers to
specify even stronger confidentiality
protections in how they report
information to a PSO or how the PSO
handles and uses the information.
Contracts can also give providers
greater assurance that they will have
access to the expertise of the PSO to
provide feedback regarding their patient
safety events. While some providers
may have patient safety expertise inhouse, a PSO has the potential to offer
providers considerable additional
insight as a result of its expertise and
ability to aggregate and analyze data
from multiple providers and multiple
PSOs. Experience has demonstrated that
such aggregation and analysis of large
volumes of data, such as a PSO has the
ability to do, will often yield insights
into the underlying causes of the
hazards and risks associated with
patient care that are simply not apparent
when these analyses are limited to the
information available from only one
office, clinic, facility, or system.
Pursuant to a contract with a PSO, a
provider may also be able to obtain from
a PSO operational guidance or best
practices with respect to operation of a
patient safety evaluation system. Such a
contract also provides a mechanism for
a provider to control the nature and
extent of a PSO’s aggregation of its data
with those of other providers or PSOs,
and the nature of related analysis and
discussion of such data. A provider can
also require, pursuant to its contract
with a PSO, that the PSO will notify the
provider if improper disclosures are
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
8126
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
made of patient safety work product
relating to that provider.
This proposed Subpart enables a
broad variety of health care providers to
work voluntarily with entities that have
certified to the Secretary that they have
the ability and expertise to carry out
broadly defined patient safety activities
of the Patient Safety Act and, therefore,
to serve as consultants to eligible
providers to improve patient care. In
accordance with the Patient Safety Act,
we propose an attestation-based process
for initial and continued listing of an
entity as a PSO. This includes an
attestation-based approach for meeting
the statutory requirement that each PSO,
within 24 months of being listed and in
each sequential 24-month period
thereafter, must have bona fide contracts
with more than one provider for the
receipt and review of patient safety
work product.
This streamlined approach of the
statute and the proposed rule is
intended to encourage the rapid
development of expertise in health care
improvement. This framework allows
the marketplace to be the principal
arbiter of the capabilities of each PSO.
Listing as a PSO by the Secretary does
not entitle an entity to Federal funding.
The financial viability of most PSOs
will derive from their ability to attract
and retain contracts with providers or to
attract financial support from other
organizations, such as charitable
foundations dedicated to health system
improvement. Even when a provider
organization considers establishing a
PSO (what this proposed rule terms a
component PSO) to serve the needs of
its organization, we expect it will weigh
the value of, and the business case for,
such a PSO.
Proposed Subpart B attempts to
minimize regulatory burden while
fostering transparency to enhance the
ability of providers to assess the
strengths and weaknesses of their choice
of PSOs. For example, we encourage,
but do not require, an entity seeking
listing to develop and post on their own
Web sites narrative statements
describing the expertise of the personnel
the entity will have at its disposal, and
outlining the way it will approach its
mission and comply with the statute’s
certification requirements.
We similarly propose to apply
transparency to our implementation of
the statute’s requirement for disclosure
by PSOs of potential conflicts of interest
with their provider clients. While the
statute only requires public release of
the findings of the Secretary after review
of such disclosures, we propose to make
public, consistent with applicable law,
including the Freedom of Information
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
Act, a PSO’s disclosure statements as
well. In our view, in addition to having
the benefit of the Secretary’s
determination, a provider, as the
prospective consumer of PSO services,
should be able to make its own
determination regarding the
appropriateness of the relationships that
a PSO has with its other provider clients
and the impact those relationships
might have on its particular needs. For
example, a provider might care if a
PSO—despite the Secretary’s
determination that it had been
established with sufficient operational
and other independence to qualify for
listing as a PSO—was owned, operated,
or managed by the provider’s major
competitor.
The provisions of this proposed
Subpart also emphasize the need for
vigilance in providing security for
patient safety work product. To achieve
the widespread provider participation
intended by this statute, PSOs must
foster and maintain the confidence of
providers in the security of patient
safety work product in which providers
and patients are identified. Therefore,
we propose to require a security
framework, which each PSO must
address with standards it determines
appropriate to the size and complexity
of its organization, pertaining to the
separation of data and systems and to
security management control,
monitoring, and assessment.
The Patient Safety Act recognizes that
PSOs will need to enter business
associate agreements to receive
protected health information from
providers that are covered entities under
the HIPAA Privacy Rule. As a business
associate of such a provider, a PSO will
have to meet certain contractual
requirements on the use and disclosure
of protected health information for
compliance with the HIPAA Privacy
Rule that are in addition to the
requirements set forth in this proposed
rule. Those requirements include the
notification of a covered entity when
protected health information is
inappropriately disclosed in violation of
the HIPAA Privacy Rule.
We do not propose to require
reporting of impermissible disclosures
of other patient safety work product that
does not contain protected health
information. We solicit comments on
whether to parallel the business
associate requirements of the HIPAA
Privacy Rule. Such a requirement, if
implemented, would require a PSO to
notify the organizational source of
patient safety work product if the
information it shared has been
impermissibly used or disclosed. Note
that such reporting requirements could
PO 00000
Frm 00016
Fmt 4701
Sfmt 4702
be voluntarily agreed to by contract
between providers and their PSO.
Section 924(b)(2)(A) and (B) of the
Public Health Service Act, 42 U.S.C.
299b–24(b)(2)(A) and (B), suggests
Congressional concern that a strong
firewall must be maintained between a
component PSO and the rest of the
organization(s) of which it is a part. This
proposed subpart proposes specific
safeguards that such component PSOs
must implement to effectively address
those concerns.
As this discussion suggests, in
developing this proposed Subpart, we
have proposed the most specific
requirements in the areas of security
and disclosure of potential conflicts of
interest. We expect to offer technical
assistance and encourage transparency
wherever possible to promote
implementation, compliance, and
correction of deficiencies. At the same
time, this proposed Subpart establishes
processes that will permit the Secretary
promptly to revoke a PSO’s certification
and remove it from listing, if such
action proves necessary.
1. Proposed § 3.102—Process and
Requirements for Initial and Continued
Listing of PSOs
Proposed § 3.102 sets out: The
submissions that the Department, in
carrying out its responsibilities,
proposes to require, consistent with the
Patient Safety Act, for initial and
continued listing as a PSO; the
certifications that all entities must make
as part of the listing process; the
additional certifications that component
organizations must make as part of the
listing process; the requirement for
biennial submission of a certification
that the PSO has entered into the
required number of contracts; and the
circumstances under which a PSO must
submit a disclosure statement regarding
the relationships it has with its
contracting providers.
(A) Proposed § 3.102(a)—Eligibility and
Process for Initial and Continued Listing
In this section, we propose to
establish a streamlined certification
process that minimizes barriers to entry
for a broad variety of entities seeking to
be listed as a PSO. With several
exceptions, any entity—public or
private, for-profit or not-for profit—may
seek initial or continued listing by the
Secretary as a PSO. The statute
precludes a health insurance issuer and
a component of a health insurance
issuer from becoming a PSO (section
924(b)(1)(D) of the Public Health Service
Act, 42 U.S.C. 299b–24(b)(1)(D)).
In addition, we propose to preclude
any other entity, public or private, from
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
seeking listing as a PSO if the entity
conducts regulatory oversight of health
care providers, including accreditation
or licensure. We propose this restriction
for consistency with the statute, which
seeks to foster a ‘‘culture of safety’’ in
which health care providers are
confident that the patient safety events
that they report will be used for learning
and improvement, not oversight,
penalties, or punishment. Listing
organizations with regulatory authority
as PSOs would be likely to undermine
provider confidence that adequate
separation of PSO and regulatory
activities would be maintained.
We note that the Patient Safety Act
permits a component organization of an
entity to seek listing as a PSO if the
component organization establishes a
strong firewall between its activities as
a PSO and the rest of the organization(s)
of which it is a part. As drafted, this
proposed regulation permits a
component organization of an entity
with any degree of regulatory authority
to seek listing as a component PSO. We
have not proposed any restrictions on
such component organizations for
several reasons. First, we expect that the
statutory requirement for a strong
firewall between a component PSO and
its parent organization(s) with respect to
its activities as a PSO and the protected
information it holds will provide
adequate safeguards. Second, providers
will have access to the names of parent
organizations of component PSOs. We
propose in § 3.102(c) that any
component organization must disclose
the name of its parent organization(s)
(see the proposed definitions of
component and parent organizations in
§ 3.20). We intend to make this
information publicly available and
expect to post it on the PSO Web site
we plan to establish (see the preamble
discussion regarding proposed
§ 3.104(d)). This will provide
transparency and enable providers to
determine whether the organizational
affiliation(s) of a component PSO are of
concern. Finally, we believe that
allowing the marketplace to determine
whether a component PSO has
acceptable or unacceptable ties to an
entity with regulatory authority is
consistent with our overall approach to
regulation of PSOs.
At the same time, we recognize that
some organizations exercise a
considerable level of regulatory
oversight over providers and there may
be concerns that such organizations
could circumvent the firewalls proposed
below in § 3.102(c) or might attempt to
require providers to work with a
component PSO that the regulatory
entity creates. Accordingly, we
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
specifically seek comment on the
approach we have proposed and
whether we should consider a broader
restriction on component organizations
of entities that are regulatory. For
example, should components of state
health departments be precluded from
seeking listing because of the broad
authority of such departments to
regulate provider behavior? If a broader
restriction is proposed, we would
especially welcome suggestions on
clear, unambiguous criteria for its
implementation.
We will develop certification forms
for entities seeking initial and continued
listing that contain or restate the
respective certifications described in
proposed § 3.102(b) and § 3.102(c). An
individual with authority to make
commitments on behalf of the entity
seeking listing would be required to
acknowledge each of the certification
requirements, attest that the entity
meets each of the certification
requirements on the form, and provide
contact information for the entity. The
certification form would also require an
attestation that the entity is not subject
to the limitation on listing proposed in
this subsection and an attestation that,
once listed as a PSO, it will notify the
Secretary if it is no longer able to meet
the requirements of proposed § 3.102(b)
and § 3.102(c).
To facilitate the development of a
marketplace for the services of PSOs,
entities are encouraged, but not
required, to develop and post on their
own Web sites narratives that specify
how the entity will approach its
mission, how it will comply with the
certification requirements, and describe
the qualifications of the entity’s
personnel. With appropriate disclaimers
of any implied endorsement, we expect
to post citations or links to the Web sites
of all listed entities on the PSO Web site
that we plan to establish pursuant to
proposed § 3.104(d). We believe that
clear narratives of how PSOs will meet
their statutory and regulatory
responsibilities will help providers,
who are seeking the services of a PSO,
to assess their options. The
Department’s PSO Web site address will
be identified in the final rule and will
be available from AHRQ upon request.
(B) Proposed § 3.102(b)—Fifteen General
Certification Requirements
In accordance with section 924(a) of
the Public Health Service Act, 42 U.S.C.
299b–24(a), the proposed rule would
require all entities seeking initial or
continued listing as a PSO to meet 15
general certification requirements: eight
requirements related to patient safety
activities and seven criteria governing
PO 00000
Frm 00017
Fmt 4701
Sfmt 4702
8127
their operation. At initial listing, the
entity would be required to certify that
it has policies and procedures in place
to carry out the eight patient safety
activities defined in the Patient Safety
Act and incorporated in proposed
§ 3.20, and upon listing, would meet the
seven criteria specified in proposed
§ 3.102 (b)(2). Submissions for
continued listing would require
certifications that the PSO is
performing, and will continue to
perform, the eight patient safety
activities and is complying with, and
would continue to comply with, the
seven criteria.
(1) Proposed § 3.102(b)(1)—Required
Certification Regarding Eight Patient
Safety Activities
Proposed § 3.102(b)(1) addresses the
eight required patient safety activities
that are listed in the definition of
patient safety activities at proposed
§ 3.20 (section 921(5) of the Public
Health Service Act, 42 U.S.C. 299b–
21(5)). Because certification relies
primarily upon attestations by entities
seeking listing, rather than submission
and review of documentation, it is
critical that entities seeking listing have
a common and shared understanding of
what each certification requirement
entails. We conclude that five of the
eight required patient safety activities
need no elaboration. These five patient
safety activities include: Efforts to
improve patient safety and quality; the
collection and analysis of patient safety
work product; the development and
dissemination of information with
respect to improving patient safety; the
utilization of patient safety work
product for the purposes of encouraging
a culture of safety and providing
feedback and assistance; and the
utilization of qualified staff.
We address a sixth patient safety
activity, related to the operation of a
patient safety evaluation system, in the
discussion of the definition of that term
in proposed § 3.20. We provide greater
clarity here regarding the actions that an
entity must take to comply with the
remaining two patient safety activities,
which involve the preservation of
confidentiality of patient safety work
product and the provision of
appropriate security measures for
patient safety work product.
We interpret the certification to
preserve confidentiality of patient safety
work product to require conformance
with the confidentiality provisions of
proposed Subpart C as well as the
requirements of the Patient Safety Act.
Certification to provide appropriate
security measures require PSOs, their
workforce members, and their
E:\FR\FM\12FEP2.SGM
12FEP2
8128
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
contractors when they hold patient
safety work product to conform to the
requirements of proposed § 3.106, as
well as the provisions of the Patient
Safety Act.
hsrobinson on PROD1PC76 with PROPOSALS2
(2) Proposed § 3.102(b)(2)—Required
Certification Regarding Seven PSO
Criteria
Proposed § 3.102(b)(2) lists seven
criteria that are drawn from the Patient
Safety Act (section 924(b) of the Public
Health Service Act, 42 U.S.C. 299b–
24(b)), which an entity must meet
during its period of listing. We conclude
that the statutory language for three of
the seven required criteria is clear and
further elaboration is not required.
These three criteria include: The
mission and primary activity of the
entity is patient safety, the entity has
appropriately qualified staff, and the
entity utilizes patient safety work
product for provision of direct feedback
and assistance to providers to effectively
minimize patient risk.
Two of the criteria are addressed
elsewhere in the proposed rule: the
exclusion of health insurance issuer or
components of health insurance issuers
from being PSOs is discussed above in
the context of the definition of that term
in proposed § 3.20 and the requirements
for submitting disclosure statements are
addressed in the preamble discussion
below regarding proposed § 3.102(d)(2)
(the proposed criteria against which the
Secretary will review the disclosure
statements are set forth in § 3.104(c)).
The remaining two PSO criteria—the
minimum contract requirement and the
collection of data in a standardized
manner—are discussed here.
The Minimum Contracts Requirement.
First, we propose to clarify the
requirement in section 924(b)(1)(C) of
the Public Health Service Act, 42 U.S.C.
299b–24(b)(1)(C) that a PSO must enter
into bona fide contracts with more than
one provider for the receipt and review
of patient safety work product within
every 24-month period after the PSO’s
initial date of listing.
We note that the statutory language
establishes four conditions that must be
met for a PSO to be in compliance with
this requirement. We propose to
interpret two of them for purposes of
clarity in the final rule: (1) The PSO
must have contracts with more than one
provider, and (2) the contract period
must be for ‘‘a reasonable period of
time.’’ Most contracts will easily meet
the third requirement: that contracts
must be ‘‘bona fide’’ (our definition is in
proposed § 3.20). Finally, the fourth
requirement, that contracts must involve
the receipt and review of patient safety
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
work product, does not require
elaboration.
We propose that a PSO would meet
the requirement for ‘‘contracts with
more than one provider’’ if it enters a
minimum of two contracts within each
24-month period that begins with its
initial date of listing. We note that the
statutory requirement in section
924(b)(1)(C) of the Public Health Service
Act, 42 U.S.C. 299b–24(b)(1)(C),
unambiguously requires multiple
contracts (i.e., more than one). One
contract with two or more providers
would not fully meet the statute’s
requirement. To illustrate, one contract
with a 50-hospital system would not
meet the requirement; two 25-hospital
contracts with that same hospital system
would meet the requirement. We believe
that the statutory requirement was
intended to encourage PSOs to aggregate
data from multiple providers, in order to
expand the volume of their data, thereby
improving the basis on which patterns
of errors and the causes for those errors
can be identified. This statutory
objective is worth noting as a goal for
PSOs. A PSO can achieve this goal by
aggregating data from multiple
providers or by pooling or comparing
data with other PSOs, subject to
statutory, regulatory, and contractual
limitations.
The statute requires that these
contracts must be ‘‘for a reasonable
period of time.’’ We propose to clarify
in the final rule when a PSO would be
in compliance with this statutory
requirement. The approach could be
time-based (e.g., a specific number of
months), task-based (e.g., the contract
duration is linked to completion of
specific tasks but, under this option, the
final rule would not set a specific time
period), or provide both options. We
seek comments on the operational
implications of these alternative
approaches and the specific standard(s)
for each option that we should consider.
By establishing standard(s) in the final
rule, we intend to create certainty for
contracting providers and PSOs as to
whether the duration requirement has
been met. We note that whatever
requirement is incorporated in the final
rule will apply only to the two required
contracts. A PSO can enter other
contracts, whether time-based or taskbased, without regard to the standard(s)
for the two required contracts.
Apart from the requirements outlined
above, there are no limits on the types
of contracts that a PSO can enter; its
contracts can address all or just one of
the required patient safety activities,
assist providers in addressing all, or just
a specialized range, of patient safety
topics, or the PSO can specialize in
PO 00000
Frm 00018
Fmt 4701
Sfmt 4702
assisting specific types of providers,
specialty societies, or provider
membership organizations. Because of
the limits on the extraterritorial
application of U.S. law and the fact that
privilege protections are limited to
courts in the United States (Federal,
State, etc.), the protections in the
proposed rule apply only to protected
data shared between PSOs and
providers within the United States and
its territories; there is only this one
geographical limitation on a PSO’s
operations.
If they choose to do so, providers and
PSOs may enter into contracts that
specify stronger confidentiality
protections than those specified in this
proposed rule and the Patient Safety Act
(section 922(g)(4) of the Public Health
Service Act, 42 U.S.C. 299b–22 (g)(3)).
For example, a provider could choose to
de-identify or anonymize information it
reports to a PSO.
We note that the Secretary proposes to
exercise his authority to extend the
definition of ‘‘provider’’ for the
purposes of this statute to include a
provider’s ‘‘parent organization’’ (both
terms are defined in proposed § 3.20).
This proposed addition is intended to
provide an option for health systems
(e.g., holding companies or a state
system) to enter system-wide contracts
with PSOs if they choose to do so. This
option would not be available in the
absence of this provision because the
parent organizations of many health
care systems are often corporate
management entities or governmental
entities that are not considered licensed
or authorized health care providers
under state law.
Collecting data in a standardized
manner. Section 924(b)(1)(F) of the
Public Health Service Act, 42 U.S.C.
299b–24(b)(1)(F), requires PSOs, to the
extent practical and appropriate, to
collect patient safety work product from
providers in a standardized manner, to
permit valid comparisons of similar
cases among similar providers. One of
the goals of the legislation is to facilitate
a PSO aggregating sufficient data to
identify and to address underlying
causal factors of patient safety problems.
A PSO is more valuable if it is able to
aggregate patient safety work product it
receives directly from multiple
providers, and if it chooses to do so,
aggregate its data with patient safety
work product received from other PSOs
and/or share nonidentifiable patient
safety work product with a network of
patient safety databases described in
section 923 of the Public Health Service
Act, 42 U.S.C. 299b–23. We recognize
that if patient safety work product is not
collected initially using common data
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
elements and consistent definitions, it
may be difficult to aggregate such data
subsequently in order to develop valid
comparisons across providers and
potentially, PSOs. We also recognize,
however, that the providers who work
with PSOs may have varying levels of
sophistication with respect to patient
safety issues and that reporting patient
safety work product to a PSO in a
standardized manner or using
standardized reporting formats may not
be initially practicable for certain
providers or in certain circumstances.
The discussion which follows outlines
the timetable and the process to which
we are committed.
The Secretary intends to provide
ongoing guidance to PSOs on formats
and definitions that would facilitate the
ability of PSOs to aggregate patient
safety work product. We expect to
provide initial guidance beginning with
the most common types of patient safety
events, before the final rule is issued, to
facilitate the ability of PSOs to develop
valid comparisons among providers.
The Department will make such formats
and definitions available for public
comment in a non-regulatory format via
publication in the Federal Register. We
are considering, and we seek comment
on, including a clarification in the final
rule, that compliance with this
certification requirement would mean
that a PSO, to the extent practical and
appropriate, will aggregate patient safety
work product consistent with the
Secretary’s guidance regarding reporting
formats and definitions when such
guidance becomes available.
The process for developing and
maintaining common formats. AHRQ
has established a process to develop
common formats that: (1) Is evidencebased; (2) harmonizes across
governmental health agencies; (3)
incorporates feedback from the public,
professional associations/organizations,
and users; and (4) permits timely
updating of these clinically-sensitive
formats.
In anticipation of the need for
common formats, AHRQ began the
process of developing them in 2005.
That process consists of the following
steps: (1) Develop an inventory of
functioning patient safety reporting
systems to inform the construction of
the common formats (an evidence base).
Included in this inventory, now
numbering 64 systems, are the major
Centers for Disease Control and
Prevention (CDC) and Food and Drug
Administration (FDA) reporting systems
as well as many from the private sector.
(2) Convene an interagency Patient
Safety Work Group (PSWG) to develop
draft formats. Included are major health
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
agencies within the Department—CDC,
Centers for Medicare and Medicaid
Services, FDA, Health Resources and
Services Administration, the Indian
Health Service (IHS), the National
Institutes of Health—as well as the
Department of Defense (DoD) and the
Veterans Administration (VA). (3) Pilot
test draft formats—to be conducted in
February–March of 2008 in DoD, IHS,
and VA facilities. (4) Publish version 0.1
(beta) of the formats in the Federal
Register, along with explanatory
material, and solicit public comment—
planned for July/August 2008. (5) Let a
task order contract (completed) with the
National Quality Forum (NQF) to solicit
input from the private sector regarding
the formats. NQF’s role will be
periodically to solicit input from the
private sector to assist the Department
in updating its versions of the formats.
NQF will begin with version 0.1 (beta)
of the common formats and solicit
public comments (including from
providers, professional organizations,
the general public, and PSOs), triage
them in terms of immediacy of
importance, set priorities, and convene
expert panel(s) to offer advice on
updates to the formats. This process will
be a continuing one, guiding periodic
updates of the common formats. (6)
Accept input from the NQF, revise the
formats in consultation with the PSWG,
and publish subsequent versions in the
Federal Register. Comments will be
accepted at all times from public and
governmental sources, as well as the
NQF, and used in updating of the
formats.
This process ensures
intergovernmental consistency as well
as input from the private sector,
including, most importantly, those who
may use the common formats. This
latter group, the users, will be the most
sensitive to and aware of needed
updates/improvements to the formats.
The PSWG, acting as the fulcrum for
original development and continuing
upgrading/maintenance, assures
consistency of definitions/formats
among government agencies. For
instance, the current draft formats
follow CDC definitions of healthcare
associated infections and FDA
definitions of adverse drug events.
AHRQ has been careful to promote
consensus among Departmental
agencies on all draft common formats
developed to date. The NQF is a
respected private sector organization
that is suited to solicit and analyze
input from the private sector.
We welcome comments on our
proposed approach to meeting statutory
objectives.
PO 00000
Frm 00019
Fmt 4701
Sfmt 4702
8129
(C) Proposed § 3.102(c)—Additional
Certifications Required of Component
Organizations
Section 924(b)(2) of the Public Health
Service Act, 42 U.S.C. 299b–24(b)(2)
and the proposed definition of
component organization in proposed
§ 3.20 requires an entity that is a
component of another organization or
multi-organizational enterprise that
seeks initial or continued listing to
certify that it will meet three
requirements in addition to certifying
that it will meet the 15 general
requirements specified in proposed
§ 3.102(b). We have indicated the types
of entities that would be required to
seek listing as a component organization
in our discussion of the proposed
definitions in proposed § 3.20 of the
terms ‘‘component organization’’ and
‘‘parent organization.’’ To be listed as a
component PSO, an entity would also
be required to make three additional
certifications regarding the entity’s
independent operation and separateness
from the larger organization or
enterprise of which it is a part: the
entity would certify to (1) the secure
maintenance of documents and
information separate from the rest of the
organization(s) or enterprise of which it
is a part; (2) the avoidance of
unauthorized disclosures to the
organization(s) or enterprise of which it
is a part; and (3) the absence of a
conflict between its mission and the rest
of the organization(s) or enterprise of
which it is a part. We propose in
§ 3.102(c) specific requirements that
will ensure that such component PSOs
implement the type of safeguards for
patient safety work product that the
three additional statutory certification
requirements for component
organizations are intended to provide.
First, the statute requires a component
PSO to maintain patient safety work
product separate from the rest of the
organization(s) or enterprise of which it
is a part (section 924(b)(2)(A) of the
Public Health Service Act, 42 U.S.C.
299b–24(b)(2)(A)). To ensure
compliance with this statutory
requirement, we considered, but did not
include here, a proposal to prohibit a
component PSO from contracting,
subcontracting, or entering any
agreement with any part of the
organization(s) or enterprise of which it
is a part for the performance of any
work involving the use of patient safety
work product. We seek comment on the
limited exception proposed in § 3.102(c)
here that would permit such contracts
or subcontracts only if they can be
carried out in a manner that is
consistent with the statutory
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
8130
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
requirements of this section. This means
that, while a component PSO could
enter such arrangements involving the
use of patient safety work product with
a unit of the organization(s) or
enterprise of which it is a part, the
component PSO would maintain the
patient safety work product and be
responsible for its security (i.e., control
the access and use of it by the
contracting unit). In addition, under our
proposal, while allowing access to the
contracting unit of the identifiable
patient safety work product necessary to
carry out the contractual assignment
would be a permissible disclosure, the
component PSO would remain
responsible for ensuring that the
contracting unit does not violate the
prohibitions related to unauthorized
disclosures required under 924(b)(2)(B)
of the PHS Act, 42 U.S.C. 299b–
24(b)(2)(B), (i.e., disclosures to other
units of the organization or enterprise)
and that there is no conflict between the
mission of the component PSO and the
contracting unit, as required under
924(b)(2)(C) of the PHS Act, 42 U.S.C.
299b–24(b)(2)(C). We invite comment on
whether such a limited exception is
necessary or appropriate and, if so, the
appropriateness of the restrictions we
have proposed.
Second, a component PSO would not
be permitted to have a shared
information system with the rest of the
organization(s) since this might provide
unauthorized access to patient safety
work product. For example, we intend
to prohibit a component PSO from
storing any patient safety work product
in information systems or databases to
which the rest of the organization(s) or
enterprise of which it is a part would
have access or the ability to remove or
transmit a copy. We preliminarily
conclude that most security measures,
such as password protection of the
component PSO’s information, are too
easily circumvented.
Third, the proposed rule provides that
the workforce of the component PSO
must not engage in work for the rest of
the organization(s) if such work could
be informed or influenced by the
individual’s knowledge of identifiable
patient safety work product. For
example, a component PSO could share
accounting or administrative support
staff under our proposal because the
work of these individuals for the rest of
the organization(s) would not be
informed or influenced by their
knowledge of patient safety work
product. By contrast, if the rest of the
organization provides health care
services, a physician who served on a
parent organization’s credentialing,
hiring, or disciplinary committee(s)
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
could not also work for the PSO.
Knowledge of confidential patient safety
work product could influence his or her
decisions regarding credentialing,
hiring, or disciplining of providers who
are identifiable in the patient safety
work product.
We provide one exception to the last
prohibition. It is not our intent to
prohibit a clinician, whose work for the
rest of the organization is solely the
provision of patient care, from
undertaking work for the component
PSO. We see no conflict if the patient
care provided by the clinician is
informed by the clinical insights that
result from his or her work for the
component PSO. If a clinician has
duties beyond patient care, this
exception only applies if the other
duties do not violate the general
prohibition (i.e., that the other duties for
the rest of the organization(s) cannot be
informed by knowledge of patient safety
work product).
As part of the requirement that the
PSO must certify that there is no
conflict between its mission and the rest
of the organization(s), we propose that
the certification form will require the
PSO to provide the name(s) of the
organization(s) or enterprise of which it
is a part (see the discussions of our
definitions of parent and component
organizations in proposed § 3.20).
We have not proposed specific
standards to determine whether
conflicts exist between a PSO and other
components of the organization or
enterprise of which it is a part. We
recognize that some industries and
particular professions, such as the legal
profession through state-based codes of
professional responsibility, have
specific standards or tests for
determining whether a conflict exists.
We request comments on whether the
final rule should include any specific
standards, and, if so, what criteria
should be put in place to determine
whether a conflict exists.
(D) Proposed § 3.102(d)—Required
Notifications
Proposed § 3.102(d) establishes in
regulation two required notifications
that implement two statutory
provisions: a notification to the
Secretary certifying whether the PSO
has met the biennial requirement for
bona fide contracts with more than one
provider (section 924(b)(1)(C) of the
Public Health Service Act, 42 U.S.C.
299b–24(b)(1)(C)); and the submission of
a disclosure statement to the Secretary
whenever a PSO has established specific
types of relationships (discussed below)
with a contracting provider, in
particular where a PSO is not managed
PO 00000
Frm 00020
Fmt 4701
Sfmt 4702
or controlled independently from, or if
it does not operate independently from,
a contracting provider (section
924(b)(1)(E) of the Public Health Service
Act, 42 U.S.C. 299b–24(b)(1)(E)).
(1) Proposed § 3.102(d)(1)—Notification
Regarding PSO Compliance With the
Minimum Contract Requirement
Proposed § 3.102(d)(1) requires a PSO
to notify the Secretary whether it has
entered at least two bona fide contracts
that meet the requirements of proposed
§ 3.102(b)(2). The notification
requirement implements the statutory
requirement in section 924(b)(1)(C) of
the Public Health Service Act, 42 U.S.C.
299b–24(b)(1)(C), that a PSO must have
contracts with more than one provider.
Notification to the Secretary will be by
attestation on a certification form
developed pursuant to proposed § 3.112.
Prompt notification of the Secretary that
a PSO has entered two or more contracts
will result in earlier publication of that
information by the Secretary and this
may be to the PSO’s benefit.
We propose that the Secretary receive
initial notification from a PSO no later
than 45 calendar days before the last
day of the period that is 24 months after
the date of its initial listing and 45
calendar days prior to the last day of
every 24-month period thereafter. While
each PSO will have the full statutory
period of 24 months to comply with this
requirement, we propose an earlier date
for notification of the Secretary to
harmonize this notification requirement
with the requirement, established by
section 924(e) of the Public Health
Service Act, 42 U.S.C. 299b–24(e), that
the Secretary provide each PSO with a
period of time to correct a deficiency. If
the Secretary were to provide a period
for correction that begins after the 24month period has ended, the result
would be that some PSOs would be
granted compliance periods that extend
beyond the unambiguous statutory
deadline for compliance. To avoid this
unfair result, we propose that a PSO
certify to the Secretary whether it has
complied with this requirement 45
calendar days in advance of the final
day of its applicable 24-month period.
If a PSO notifies the Secretary that it
cannot certify compliance or fails to
submit the required notification, the
Secretary, pursuant to proposed
§ 3.108(a)(2), will then issue a
preliminary finding of deficiency and
provide a period for correction that
extends until midnight of the last day of
the applicable 24-month assessment
period for the PSO. In this way, the
requirement for an opportunity for
correction can be met without granting
any PSO a period for compliance that
E:\FR\FM\12FEP2.SGM
12FEP2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
hsrobinson on PROD1PC76 with PROPOSALS2
exceeds the statutory limit. We invite
comments on alternative approaches to
harmonize these two potentially
conflicting requirements.
We note that contracts that are
entered into after midnight on the last
day of the applicable 24-month period
do not count toward meeting the twocontract requirement for that 24-month
assessment period. If a PSO does not
meet the requirement by midnight of the
last day of the applicable 24-month
assessment period, the Secretary will
issue a notice of revocation and
delisting pursuant to proposed
§ 3.108(a)(3).
(2) Proposed § 3.102(d)(2)—Notification
Regarding PSO’s Relationships With Its
Contracting Providers
Proposed § 3.102(d)(2) establishes the
circumstances under which a PSO must
submit a disclosure statement to the
Secretary regarding its relationship(s)
with any contracting provider(s) and the
deadline for such required submissions.
The purpose of this disclosure
requirement is illuminated by the
statutory obligation of the Secretary, set
forth in section 924(c)(3) of the Public
Health Service Act, 42 U.S.C. 299b–
24(c)(3), to review the disclosure
statements and make public findings
‘‘whether the entity can fairly and
accurately perform the patient safety
activities of a patient safety
organization.’’ To provide the Secretary
with the information necessary to make
such a judgment, section 924(b)(1)(E) of
the Public Health Service Act, 42 U.S.C.
299b–24(b)(1)(E), requires a PSO to fully
disclose information to the Secretary if
the PSO has certain types of
relationships with a contracting
provider and, if applicable, whether the
PSO is not independently managed or
controlled, or if it does not operate
independently from, the contracting
provider.
The statutory requirement for a PSO
to submit a disclosure statement applies
only when a PSO has entered into a
contract with a provider; if there is no
contractual relationship between the
PSO and a provider pursuant to the
Patient Safety Act, a disclosure
statement is not required. Even when a
PSO has entered a contract with a
provider, we propose that a PSO would
need to file a disclosure statement
regarding a contracting provider only
when the circumstances, specified in
section 924(c)(3) of the Public Health
Service Act, 42 U.S.C. 299–24(c)(3), and
discussed here, are present.
A PSO is first required to assess
whether a disclosure statement must be
submitted to the Secretary when the
PSO enters a contract with a provider,
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
but we note that the disclosure
requirement remains in effect during the
entire contract period. Even when a
disclosure statement is not required at
the outset of the contract period, if the
circumstances discussed here arise, a
disclosure statement must be submitted
at that time to the Secretary for review.
With respect to a provider with which
it has entered a contract, a PSO is
required to submit a disclosure
statement to the Secretary only if either
or both of the following circumstances
are present. First, a disclosure statement
must be filed if the PSO has any
financial, reporting, or contractual
relationships with a contracting
provider (other than the contract
entered into pursuant to the Patient
Safety Act). Second, taking into account
all relationships that the PSO has with
that contracting provider, a PSO must
file a disclosure statement if it is not
independently managed or controlled,
or if it does not operate independently
from, the contracting provider.
With respect to financial, reporting or
contractual relationships, the proposed
rule states that contractual relationships
that must be disclosed are not limited to
formal contracts but encompass any oral
or written arrangement that imposes
responsibilities on the PSO. For
example, the provider may already have
a contract or other arrangement with the
PSO for assistance in implementation of
proven patient safety interventions and
is now seeking additional help from the
PSO for the review of patient safety
work product. A financial relationship
involves almost any direct or indirect
ownership or investment relationship
between the PSO and the contracting
provider, shared or common financial
interests, or direct or indirect
compensation arrangement, whether in
cash or in-kind. A reporting relationship
includes a relationship that gives the
provider access to information that the
PSO holds that is not available to other
contracting providers or control,
directly or indirectly, over the work of
the PSO that is not available to other
contracting providers. If any such
relationships are present, the PSO must
file a disclosure statement and describe
fully all of these relationships.
The other circumstance that triggers
the requirement to disclose information
to the Secretary is the provision of the
Patient Safety Act that requires the
entity to fully disclose ‘‘if applicable,
the fact that the entity is not managed,
controlled, and operated independently
from any provider that contracts with
the entity.’’ See section 924(b)(1)(E) of
the Public Health Service Act, 42 U.S.C.
299b–24(b)(1)(E). We propose to
interpret this provision as noted above
PO 00000
Frm 00021
Fmt 4701
Sfmt 4702
8131
because we believe that the adverb
‘‘independently’’ modifies all three
verbs—that is, that the entity is required
to disclose when it is not managed
independently from, is not controlled
independently from, or is not operated
independently from, any provider that
contracts with the entity.
Disclosure would be required, for
example, if the contracting provider
created the PSO and exercises a degree
of management or control over the PSO,
such as overseeing the establishment of
its budget or fees, hiring decisions, or
staff assignments. Another example of
such a relationship that would require
disclosure would be the existence of any
form of inter-locking governance
structure. We recognize that contracts,
by their very nature, will enable a
contracting provider to specify tasks
that the PSO undertakes or to direct the
PSO to review specific cases and not
others. These types of requirements
reflect the nature of any contractual
relationship and do not trigger a
requirement to file such a disclosure
statement. The focus of this provision as
indicated in section 924(c)(3) of the
Public Health Service Act, 42 U.S.C.
299b–24(c)(3), and here is on the
exercise of the type of control that could
compromise the ability of the PSO to
fairly and accurately carry out patient
safety activities. If the contracting
provider exercises this type of influence
over the PSO, the PSO must file a
disclosure statement and fully disclose
the nature of the influence exercised by
the contracting provider.
To meet the statutory requirement for
full disclosure, a PSO’s submission
should attempt to put the significance of
the financial, reporting, or contractual
relationship in perspective (e.g., relative
to other sources of PSO revenue or other
types of contractual or reporting
relationships). We would also encourage
PSOs to list any agreements,
stipulations, or procedural safeguards
that might offset the influence of the
provider and that might protect the
ability of the PSO to operate
independently. By doing so, a PSO can
ensure that its disclosure statements
present a full and, if applicable,
balanced picture of the relationships
and degree of independence that exist
between the PSO and its contracting
provider(s).
We propose to require that, whenever
a PSO determines that it must file a
statement based upon these
requirements, the Secretary must
receive the disclosure statement within
45 calendar days. The PSO must make
an initial determination on the date on
which a contract is entered. If the PSO
determines that it must file a disclosure
E:\FR\FM\12FEP2.SGM
12FEP2
8132
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
statement, the Secretary must receive
the disclosure statement no later than 45
days after the date on which the
contract was entered. During the
contract period, the Secretary must
receive a disclosure statement within 45
calendar days of the date on which
either or both of the circumstances
described above arise. If the Secretary
determines, after the applicable 45-day
period, that a required disclosure
statement was not received from a PSO,
the Secretary may issue to the PSO a
notice of a preliminary finding of
deficiency, the first step in the
revocation process established by
proposed § 3.108.
hsrobinson on PROD1PC76 with PROPOSALS2
2. Proposed § 3.104—Secretarial Actions
Proposed § 3.104 describes the actions
that the Secretary may and will take
regarding certification submissions for
listing or continued listing, the required
notification certifying that the PSO has
entered the required minimum of two
contracts, and disclosure statements,
including the criteria that the Secretary
will use in reviewing such statements
and the determinations the Secretary
may make. This proposed section also
outlines the types of information that
the Secretary will make public regarding
PSOs, specifies how, and for what
period of time, the Secretary will list a
PSO whose certification he has accepted
and establishes an effective date for
Secretarial actions under this proposed
subpart. See section 924(c) of the Public
Health Service Act, 42 U.S.C. 299b–
24(c).
(A) Proposed § 3.104(a)—Actions in
Response to Certification Submissions
for Initial and Continued Listing as a
PSO
Proposed § 3.104(a) describes the
actions that the Secretary may and will
take in response to certification for
initial or continued listing as a PSO
(section 924(c)(1)–(2) of the Public
Health Service Act, 42 U.S.C. 299b–
24(c)(1)–(2)), submitted to the Secretary
pursuant to the requirements of
proposed § 3.102. The decision on
whether and how to list an entity as a
PSO will be based upon a determination
of whether the entity meets the
applicable requirements of the Patient
Safety Act and this proposed part. In
most cases, it is anticipated that the
Secretary will either accept the
submission and list the entity or deny
the listing on this basis.
In determining whether to list an
entity as a PSO, the proposed rule
requires the Secretary to consider the
submitted certification and any relevant
history, such as prior actions the
Secretary has taken regarding the entity
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
or PSO including delisting, any history
of or current non-compliance by the
entity or PSO with statutory or
regulatory requirements or requests by
the Secretary, relationships of the entity
or PSO with providers and any findings
by the Secretary in accordance with
proposed § 3.104(c). Initially, the
Secretary will rely solely on the
submitted certification; entities seeking
listing will not have any applicable
history of the type specified for the
Secretary to consider. Even over time,
we anticipate that the Secretary would
normally rely upon the submitted
certification in making a listing
determination.
There may be occasions in future
years when the Secretary may need to
take into account the history of an entity
or PSO in making a determination for
initial or continued listing. Examples of
such situations might include: A PSO
seeking continued listing that has a
history of deficiencies; an entity seeking
initial listing may be a renamed former
PSO whose certifications had been
revoked for cause by the Secretary; or
the leadership of an entity seeking
listing may have played a leadership
role in a former PSO that failed to meet
its obligations to providers during
voluntary relinquishment (see proposed
§ 3.108(c)). In such circumstances, it
may not be prudent for the Secretary to
rely solely upon the certification
submitted by the entity or PSO and this
proposed subsection would enable the
Secretary to seek additional information
or assurances before reaching a
determination on whether to list an
entity. To ensure that the Secretary is
aware of any relevant history before
making a listing determination, without
imposing additional burden on most
entities seeking listing, we propose to
include an attestation on the
certification form that would require
acknowledgement if the entity (under its
current name or another) or any member
of its workforce have been party to a
delisting determination by the
Secretary. We welcome comment on
this proposal, or alternative approaches,
for ensuring that the Secretary can carry
out the requirements of this proposed
section.
The Secretary also has the authority,
under certain circumstances, to
condition the listing of a PSO under
section 924(c)(3) of the Public Health
Service Act, 42 U.S.C. 299b–24(c)(3).
The Secretary may establish conditions
on the listing of a PSO following a
determination, pursuant to proposed
§ 3.104(c), that such conditions are
necessary to ensure that the PSO can
fairly and accurately perform patient
safety activities. A decision to impose
PO 00000
Frm 00022
Fmt 4701
Sfmt 4702
such conditions will typically occur
after the listing of a PSO, when the PSO
submits a disclosure statement about its
relationships with a contracting
provider. It also could occur at the time
of initial or continued listing based
upon a Secretarial review of a disclosure
statement submitted contemporaneously
with the review of an entity’s
certification submission.
The Secretary expects to be able to
conclude review of an application for
initial or continued listing within 30
days of receipt unless additional
information or assurances, as described
above in the paragraph discussing the
history of an entity or PSO, are required,
or the application as initially submitted
is incomplete. The Secretary will notify
each entity that requests listing of the
action taken on its certification
submission for initial or continued
listing. The Secretary will provide
reasons when an entity’s certification is
not accepted and, if the listing is
conditioned based upon a determination
made pursuant to proposed § 3.104(c),
the reasons for imposing conditions.
(B) Proposed § 3.104(b)—Actions
Regarding PSO Compliance With the
Minimum Contract Requirement
Proposed § 3.104(b) sets forth the
required Secretarial action regarding
PSO compliance with the requirement
of the proposed rule for a minimum of
two bona fide contracts. If a PSO attests,
in the notification required by proposed
§ 3.102(d)(1), that it has met the
requirement, the Secretary will
acknowledge in writing receipt of the
attestation and include information on
the list established pursuant to
proposed § 3.104(d) that the PSO has
certified that it has met the requirement.
If the PSO notifies the Secretary that it
has not yet met the requirement, or if
notification is not received from the
PSO by the date required under
proposed § 3.102(d)(1), the Secretary,
pursuant to proposed § 3.108(a)(2), will
issue a notice of a preliminary finding
of deficiency to the PSO and provide an
opportunity for correction that will
extend no later than midnight of the last
day of its applicable 24-month
assessment period. Under this authority,
the Secretary will require notification of
correction and compliance from a PSO
by midnight of the final day of the
applicable 24-month period. If the
deficiency has not been corrected by
that date, the Secretary will issue
promptly a notice of proposed
revocation and delisting pursuant to the
requirements of proposed § 3.108(a)(3).
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
(C) Proposed § 3.104(c)—Actions
Regarding Required Disclosures by
PSOs of Relationships With Contracting
Providers.
Proposed § 3.104(c) establishes
criteria that the Secretary will use to
evaluate a disclosure statement
submitted pursuant to proposed
§ 3.102(d)(2), specifies the
determinations the Secretary may make
based upon evaluation of any disclosure
statement, and proposes public release,
consistent with the Freedom of
Information Act, of disclosure
statements submitted by PSOs as well as
the Secretary’s findings (see section
924(c)(3) of the Public Health Service
Act, 42 U.S.C. 299b–24(c)(3)).
In reviewing disclosure statements
and making public findings, we propose
that the Secretary consider the nature,
significance, and duration of the
relationship between the PSO and the
contracting provider. We seek input on
other appropriate factors to consider.
Following review of the disclosure
statement, the Secretary will make
public findings regarding the ability of
the PSO to carry out fairly and
accurately defined patient safety
activities as required by the Patient
Safety Act. The Secretary may conclude
that the disclosures require no action on
his part or, depending on whether the
entity is listed or seeking listing, may
condition his listing of the PSO,
exercise his authority under proposed
§ 3.104(a) to refuse to list, or exercise his
authority under proposed § 3.108 to
revoke the listing of the entity. The
Secretary will notify each entity of his
findings and decision regarding each
disclosure statement.
This subsection proposes to make this
process transparent, recognizing that
providers seeking to contract with a
PSO may want to make their own
judgments regarding the
appropriateness of the disclosed
relationships. Therefore, with the
exception of information, such as
information that would be exempt from
disclosure under the Freedom of
Information Act, we propose to make
public each disclosure statement
received from a PSO by including it on
the list of PSOs maintained pursuant to
proposed § 3.104(d) and we may post
such statements on the PSO Web site we
plan to establish. Public release of PSO
disclosure statements would be in
addition to the statutory requirement in
section 924(c)(3) of the Public Health
Service Act, 42 U.S.C. 299b–24(c)(3),
that the Secretary’s findings regarding
disclosure statements must be made
public. Greater transparency is intended
to promote more informed decision
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
making by providers, who are the
primary customers for PSO services.
(D) Proposed § 3.104(d)—Maintaining a
List of PSOs
Proposed § 3.104(d) implements the
statutory requirement in section 924(d)
of the Public Health Service Act, 42
U.S.C. 299b–24(d), that the Secretary
compile and maintain a list of those
entities whose PSO certifications have
been accepted in accordance with
proposed § 3.104(a) and which
certifications have not been revoked or
voluntarily relinquished in accordance
with proposed § 3.108(b) or (c). The list
will include contact information for
each PSO, the effective date and time of
listing of the PSO, a copy of each
certification form and disclosure
statement that the Secretary receives
from the entity, and information on
whether the PSO has certified that it has
met the two contract requirement in
each 24-month assessment period. The
list will also include a copy of the
Secretary’s findings regarding any
disclosure statements filed by each PSO,
including whether any conditions have
been placed on the listing of the entity
as a PSO, and other information that
this proposed subpart authorizes the
Secretary to make public. To facilitate
the development of a marketplace for
the services of PSOs, we plan to
establish a PSO Web site (or a future
technological equivalent) and expect to
post the list of PSOs on the PSO Web
site, reserving the right to exclude
information contained in disclosure
statements that would be exempt from
disclosure under the Freedom of
Information Act. We seek comment on
whether there are specific types of
information that the Secretary should
consider posting routinely on this Web
site for the benefit of PSOs, providers,
and other consumers of PSO services.
(E) Proposed § 3.104(e)—Three-Year
Period of Listing
Proposed § 3.104(e) states that, when
the Secretary has accepted certification
submitted for initial or continued
listing, the entity will be listed as a PSO
for a period of three years (section
924(a)(2) of the Public Health Service
Act, 42 U.S.C. 299b–24(a)(2)), unless the
Secretary revokes the listing or the
Secretary determines that the entity has
voluntarily relinquished its status as a
PSO (see proposed § 3.108).
This subsection also provides that the
Secretary will send a written notice of
imminent expiration to a PSO no later
than 45 calendar days before the date on
which the PSO’s three-year period of
listing expires if the Secretary has not
received a certification seeking
PO 00000
Frm 00023
Fmt 4701
Sfmt 4702
8133
continued listing. This notice is
intended to ensure that a PSO does not
let its listing lapse inadvertently. We
expect that the Secretary will include in
the notice a date by which the PSO
should submit its certifications to
ensure that the Secretary has sufficient
time to act before the current period of
listing expires.
We are considering including in the
final rule, and seek comment on, a
requirement that the Secretary include
information on the public list of PSOs
maintained pursuant to § 3.104(d), that
identifies the PSOs to which a notice of
imminent expiration has been sent. The
intent of such a requirement would be
to ensure that a provider reporting data
to such a PSO has adequate notice and
time to ascertain, if it chooses to do so,
whether that PSO intends to seek
continued listing and, if not, to make
alternative arrangements for reporting
data to another PSO.
(F) Proposed § 3.104(f)—Effective Date
of Secretarial Actions
Proposed § 3.104(f) states that, unless
otherwise specified, the effective date of
each action by the Secretary pursuant to
this proposed subpart will be specified
in the written notice that is sent to the
entity. To ensure that an entity receives
prompt notification, the Department
anticipates sending such a notice by
electronic mail or other electronic
means in addition to a hard copy
version. We are confident that any
entity seeking listing as a PSO will have
electronic mail capacity. For listing and
delisting, the Secretary will specify both
an effective time and date for such
actions in the written notice. Our intent
is to ensure clarity regarding when the
entity can receive information that will
be protected as patient safety work
product.
3. Proposed § 3.106—Security
Requirements
Proposed § 3.106 identifies the
entities and individuals that are subject
to the security requirements of this
section and establishes the
considerations that entities and
individuals specified in subsection (a)
should address to secure patient safety
work product in their possession. This
section provides a common framework
for compliance with the requirement in
section 921(5)(F) of the Public Health
Service Act, 42 U.S.C. 299b–21(5)(F),
that a PSO provide appropriate security
measures with respect to patient safety
work product. In light of the importance
of data security to those who supply
patient safety work product to any PSO,
maintenance of data security will be a
high and ongoing priority for PSOs.
E:\FR\FM\12FEP2.SGM
12FEP2
8134
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
(A) Proposed § 3.106(a)—Application
Proposed § 3.106(a) states that the
security requirements in proposed
§ 3.106(b) apply to each PSO, its
workforce members, and its contractors
when the contractors hold patient safety
work product. This proposed subsection
applies the requirements at all times
and at any location at which patient
safety work product is held. We expect
that it will be more efficient for most
PSOs to contract for at least a portion of
the expertise they need to carry out
patient safety activities, including the
evaluation of certain types of patient
safety events. In such situations, when
a PSO discloses patient safety work
product to a contractor to assist the PSO
in carrying out patient safety activities
and the contractor maintains such
patient safety work product at locations
other than those controlled by the PSO,
our intent is to ensure that these same
security requirements apply. We
recognize that some contractors that a
PSO chooses to employ may not want
to, or may not have the resources to,
meet these requirements at other
locations. In such circumstances, the
contractors will need to perform their
services at locations at which the PSO
can ensure that these security
requirements can be met.
We note that this regulation does not
impose these requirements on
providers, but agreements between
PSOs and providers may by contract call
for providers to adopt equivalent
standards.
hsrobinson on PROD1PC76 with PROPOSALS2
(B) Proposed § 3.106(b)—Security
Framework
Proposed § 3.106(b) establishes a
framework consisting of four categories
for the security of patient safety work
product that a PSO must consider,
including security management,
separation of systems, security control
and monitoring, and security
assessment.
This framework is consistent with the
standards of the National Institute of
Standards and Technology (NIST) that
federal agencies must follow but this
section does not impose on PSOs the
specific NIST standards that Federal
agencies must meet. We recognize that
it is not likely that PSOs will have the
scale of operation or the resources to
comply with Federal data security
standards. Instead, we propose to
require that each PSO must consider the
four categories of the NIST framework
set forth in this section by developing
appropriate and scalable standards that
are suitable for the size and complexity
of its organization. We seek comment on
the extent to which this proposal
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
adequately and appropriately identifies
the most significant security issues,
with respect to patient safety work
product that PSOs receive, develop, or
maintain, and which PSOs should be
expected to address with due diligence,
and the extent to which our approach
provides PSOs with sufficient flexibility
to develop scalable standards.
(1) Proposed § 3.106(b)(1)—Security
Management
Proposed § 3.106(b)(1) requires the
PSO to approach its security
requirements by: documenting its
security requirements for patient safety
work product; taking steps to ensure
that its workforce and contractors as
specified in proposed § 3.106(a)
understand their responsibilities
regarding patient safety work product
and the confidentiality requirements of
the statute, including the potential
imposition of civil money penalties for
impermissible disclosures; and
monitoring and improving the
effectiveness of its security policies and
procedures.
(2) Proposed § 3.106(b)(2)—Separation
of Systems
Under the statute, to preserve the
confidentiality of patient safety work
product, it is important to maintain a
clear separation between patient safety
work product and information that is
not protected, and a clear separation
between patient safety activities and
other activities. As a result, we have
incorporated requirements in proposed
§ 3.106(b)(2) that PSOs must ensure
such separation. The specific
requirements for which a PSO must
develop appropriate standards include:
maintaining functional and physical
separation of patient safety work
product from other systems of records;
protection of patient safety work
product while it is held by the PSO;
appropriate disposal or sanitization of
media that have contained patient safety
work product; and preventing physical
access to patient safety work product by
unauthorized users or recipients.
(3) Proposed § 3.106(b)(3)—Security
Control and Monitoring
Proposed § 3.106(b)(3) requires that
policies and procedures adopted by a
PSO related to security control and
monitoring must enable the PSO to
identify and authenticate users of
patient safety work product and must
create an audit capacity to detect
unlawful, unauthorized, or
inappropriate activities involving access
to patient safety work product. To
ensure accountability, controls should
be designed to preclude unauthorized
PO 00000
Frm 00024
Fmt 4701
Sfmt 4702
removal, transmission or disclosures of
patient safety work product.
(4) Proposed § 3.106(b)(4)—Security
Assessment
Proposed § 3.106(b)(4) requires a PSO
to develop policies and procedures that
permit it to assess periodically the
effectiveness and weaknesses of its
overall approach to security of patient
safety work product. A PSO needs to
determine the frequency of security
assessments, determine when it needs to
undertake a risk assessment exercise so
that the leadership and the workforce of
the PSO are aware of the risks to PSO
assets from security lapses, and specify
how it will assess and adjust its
procedures to ensure the security of its
communications involving patient
safety work product to and from
providers and other authorized parties.
Such communications are potentially
vulnerable weak points for any security
system and require ongoing special
attention by a PSO.
4. Proposed § 3.108—Correction of
Deficiencies, Revocation and Voluntary
Relinquishment
Proposed § 3.108 describes the
process by which PSOs will be given an
opportunity to correct deficiencies, the
process for revocation of acceptance of
the certification submitted by an entity
for cause and its removal from the list
of PSOs, and specifies the
circumstances under which an entity
will be considered to have voluntarily
relinquished its status as a PSO.
This section would establish
procedural opportunities for a PSO to
respond during the process that might
lead to revocation. When the Secretary
identifies a possible deficiency, the PSO
would be given an opportunity to
correct the record if it can demonstrate
that the information regarding a
deficiency is erroneous, and if the
existence of a deficiency is uncontested,
an opportunity to correct it. The PSO is
encouraged to alert the Department if it
faces unanticipated challenges in
correcting the deficiency; we propose
that the Secretary will consider such
information in determining whether the
PSO has acted in good faith, whether
the deadline for corrective action should
be extended, or whether the required
corrective action should be modified. If
the Secretary determines that the PSO
has not timely corrected the deficiency
and issues a notice of proposed
revocation and delisting, the PSO will
be given an automatic right of appeal to
present its case in writing.
If the Secretary makes a decision to
revoke acceptance of the entity’s
certification and remove it from the list
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
of PSOs, this proposed section specifies
the required actions that the Secretary
and the entity must take following such
a decision. The proposed rule
implements the statutory requirements
for the establishment of a limited period
during which providers can continue to
report information to the former PSO
and receive patient safety work product
protections for these data, and
establishes a framework for appropriate
disposition of patient safety work
product or data held by the former PSO.
See section 924(e)–(g) of the Public
Health Service Act, 42 U.S.C. 299b–
24(e)–(g).
This section also describes two
circumstances under which an entity
will be considered to have voluntarily
relinquished its status as a PSO: (1)
Notification of the Secretary in writing
by the PSO of its intent to relinquish its
status voluntarily; and (2) if a PSO lets
its period of listing expire without
submission of a certification for
continued listing that the Secretary has
accepted. In both circumstances, we
propose that such a PSO consult with
the source of the patient safety work
product in its possession to provide
notice of its intention to cease
operations and provide for appropriate
disposition of such patient safety work
product. When the Secretary removes a
PSO from listing as a result of
revocation for cause or voluntarily
relinquishment, the Secretary is
required to provide public notice of the
action.
We note that section 921 of the Public
Health Service Act, 42 U.S.C. 299b–21,
and, therefore, the proposed rule,
defines a PSO as an entity that is listed
by the Secretary pursuant to the
requirements of the statute that are
incorporated into this proposed rule.
This means that an entity remains a PSO
for its three-year period of listing unless
the Secretary removes the entity from
the list of PSOs because he revokes
acceptance of its certification and listing
for cause or because the entity
voluntarily relinquishes its status as
described below. Accordingly, even
when a deficiency is identified publicly
or the proposed requirements of this
section have been initiated, we stress
that an entity remains a PSO until the
date and time at which the Secretary’s
removal of the entity from listing is
effective. Until then, data that is
reported to a listed entity by providers
shall be considered patient safety work
product and the protections accorded
patient safety work product continue to
apply following the delisting of the
PSO.
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
(A) Proposed § 3.108(a)—Process for
Correction of a Deficiency and
Revocation
Proposed § 3.108(a) describes the
process by which the Secretary would
provide an opportunity for a PSO to
correct identified deficiencies and, if
not timely corrected or if the
deficiencies cannot be ‘‘cured,’’ the
process that can lead to a determination
by the Secretary to revoke acceptance of
a PSO’s certification. This section
proposes a two-stage process. The first
stage would provide an opportunity to
correct a deficiency. Under the
proposal, when the Secretary identifies
a deficiency, the Secretary would send
the PSO a notice of preliminary
determination of a deficiency. The PSO
would then have an opportunity to
demonstrate that the information on
which the notice was based is incorrect.
The notice would include a timetable
for correction of the deficiency and may
specify the specific corrective action
and the documentation that the
Secretary would need to determine if
the deficiency has been corrected. The
PSO would be encouraged to provide
information for the administrative
record on unexpected challenges in
correcting the deficiency, since the
Secretary has great flexibility to work
with a PSO to facilitate correction of
deficiencies. We anticipate that most
PSO deficiencies would be resolved at
this stage.
Under the proposal, the second stage
would occur when the Secretary would
conclude that a PSO has not timely
corrected a deficiency or has a pattern
of non-compliance and issues the PSO
a notice of proposed revocation and
delisting. Rather than requiring a PSO to
seek an opportunity to appeal, the
proposed rule would provide an
automatic period of 30 days for a PSO
to be heard in writing by submitting a
rebuttal to the findings in the
Secretary’s notice of revocation and
delisting. The Secretary may then
affirm, modify, or reverse the notice of
revocation and delisting.
In light of the procedures in the
proposed rule to ensure due process, we
have not proposed to incorporate any
further internal administrative appeal
process beyond the Secretary’s
determination regarding a notice of
proposed revocation and delisting
pursuant to proposed § 3.108(a)(5). We
invite comments on our proposed
approach.
(1) Proposed § 3.108(a)(1)—
Circumstances Leading to Revocation
Proposed § 3.108(a)(1) lists four
circumstances, each of which is
PO 00000
Frm 00025
Fmt 4701
Sfmt 4702
8135
statutorily based, that may lead the
Secretary to revoke acceptance of a
PSO’s certification and delist the entity:
the PSO is not meeting the obligations
to which it certified its compliance as
required by proposed § 3.102; the PSO
has not certified to the Secretary that it
has entered the required minimum of
two contracts within the applicable 24month period pursuant to proposed
§ 3.102(d)(1); the Secretary, after
reviewing a PSO’s disclosure statement
submitted pursuant to proposed
§ 3.102(d)(2), determines that the PSO
cannot fairly and accurately perform its
duties pursuant to proposed § 3.104(c);
or the PSO is not in compliance with
any other provision of the Patient Safety
Act or this proposed part. (See section
924(c) and (e) of the Public Health
Service Act, 42 U.S.C. 299b–24(c) and
(e).)
(2) Proposed § 3.108(a)(2)—Notice of
Preliminary Finding of Deficiency and
Establishment of an Opportunity for
Correction of a Deficiency
Under proposed § 3.108(a)(2), when
the Secretary has reason to believe that
a PSO is not in compliance with the
requirements of the statute and the final
rule, the Secretary would send a written
notice of a preliminary finding of
deficiency to the PSO (see section 924(c)
and (e) of the Public Health Service Act,
42 U.S.C. 299b–24(c) and (e)). The
notice would specifically state the
actions or inactions that describe the
deficiency, outline the evidence that a
deficiency exists, specify the possible
and/or required corrective action(s) that
must be taken, establish an opportunity
for correction and a date by which the
corrective action(s) must be completed,
and, in certain circumstances, specify
the documentation that the PSO would
be required to submit to demonstrate
that the deficiency has been corrected.
We propose that, absent other
evidence of actual receipt, we would
assume that the notice of a preliminary
finding of deficiency has been received
5 calendar days after it was sent. Under
the proposal, if a PSO submits evidence
to the Secretary that demonstrates to the
Secretary that the preliminary finding is
factually incorrect within 14 calendar
days following receipt of this notice, the
preliminary finding of deficiency would
be withdrawn; otherwise, it would be
the basis for a finding of deficiency. We
stress that this would not be an
opportunity to file an appeal regarding
the proposed corrective actions, the
period allotted for correcting the
deficiency, or the time to provide
explanations regarding why a deficiency
exists. This 14-day period would only
ensure that the PSO has an opportunity,
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
8136
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
if the information on which the notice
is based is not accurate, to correct the
record immediately. For example, a
notice of a preliminary finding of
deficiency may be based on the fact that
the Secretary has no record that the PSO
has entered the required two contracts.
In this case, if a PSO can attest that it
submitted the certification as required
or can attest that it has entered the
required two contracts consistent with
the requirements of proposed
§ 3.102(d)(1), the Secretary would then
withdraw the notice. If a notice of
deficiency is based on the failure of the
PSO to submit a required disclosure
statement within 45 days, the PSO
might submit evidence that the required
statement had been sent as required. If
the evidence is convincing, the
Secretary would withdraw the notice of
preliminary finding of deficiency. If the
Secretary does not consider the
evidence convincing, the Secretary
would so notify the PSO and the notice
would remain in effect. The PSO would
then need to demonstrate that it has met
the requirements of the notice regarding
correction of the deficiency.
We anticipate that in the vast majority
of circumstances in which the Secretary
believes there is a deficiency, the
deficiency can and will be corrected by
the PSO. In those cases, as discussed
above, the PSO will be given an
opportunity to take the appropriate
action to correct the deficiency, and
avoid revocation and delisting.
However, we can anticipate situations
in which a PSO’s conduct is so
egregious that the Secretary’s
acceptance of the PSO’s certification
should be revoked without the
opportunity to cure because there is no
meaningful cure. An example would be
where a PSO has a policy and practice
of knowingly and inappropriately
selling patient safety work product or
where the PSO is repeatedly deficient
and this conduct continues despite
previous opportunities to cure. We are
considering adding a provision whereby
an opportunity to ‘‘cure’’ would not be
available in this type of situation.
Providing the PSO with an opportunity
for correction, as provided in the Patient
Safety Act, would entail providing an
opportunity to correct the preliminary
factual findings of the Department.
Thus, the PSO would have the chance
to demonstrate that we have the facts
wrong or there are relevant facts we are
overlooking. We invite comments
regarding this approach and how best to
characterize the situations in which the
opportunity to ‘‘cure’’ (e.g., to change
policies, practices or procedures,
sanction employees, send out correction
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
notices) would not be sufficient,
meaningful, or appropriate.
(3) Proposed § 3.108(a)(3)—
Determination of Correction of a
Deficiency
Proposed section § 3.108(a)(3)
addresses the determination of whether
a deficiency has been corrected,
including the time frame for submission
of the required documentation that the
deficiency has been corrected, and the
actions the Secretary may take after
review of the documentation and any
site visit(s) the Secretary deems
necessary or appropriate (see sections
924(c) and (e) of the Public Health
Service Act, 42 U.S.C. 299b–24(c) and
(e)).
Under the proposal, during the period
of correction, we would encourage the
PSO to keep the Department apprised in
writing of its progress, especially with
respect to any challenges it faces in
implementing the required corrective
actions. Such communications would
become part of the administrative
record. Until there is additional
experience with the operational
challenges that PSOs face in
implementing specific types of
corrective actions, such information, if
submitted, would be especially helpful
for ensuring that the time frames and
the corrective actions specified by the
Secretary are reasonable and
appropriate. As noted below, such
information would be considered by the
Secretary in making a determination
regarding a PSO’s compliance with the
correction of a deficiency. Unless the
Secretary specifies a different
submission date, or approves such a
request from the PSO, we propose that
documentation submitted by the PSO to
demonstrate correction of the deficiency
must be received by the Secretary no
later than 5 calendar days after the final
day of the correction period.
Under the proposed rule, in making a
determination, the Secretary would
consider the documentation and other
information submitted by the PSO, the
findings of any site visit that might have
been conducted, recommendations of
program staff, and any other information
available regarding the PSO that the
Secretary deems appropriate. After
completing his review, the Secretary
may make one of the following
determinations: (1) The action(s) taken
by the PSO have corrected any
deficiency, in which case the Secretary
will withdraw the notice of deficiency
and so notify the PSO; (2) the PSO has
acted in good faith to correct the
deficiency but an additional period of
time is necessary to achieve full
compliance and/or the required
PO 00000
Frm 00026
Fmt 4701
Sfmt 4702
corrective action specified in the notice
of a preliminary finding of deficiency
needs to be modified in light of the
actions undertaken by the PSO so far, in
which case the Secretary will extend the
period for correction and/or modify the
specific corrective action required; or (3)
the PSO has not completed the
corrective action because it has not
acted with reasonable diligence or
timeliness to ensure that the corrective
action was completed within the
allotted time, in which case the
Secretary will issue to the PSO a notice
of proposed revocation and delisting.
When the Secretary issues a notice of
proposed revocation and delisting, this
notice would include those deficiencies
that have not been timely corrected. The
notice would be accompanied by
information concerning the manner in
which the PSO may exercise its
opportunity to be heard in writing to
respond to the deficiency findings
described in the notice.
(4) Proposed § 3.108(a)(4)—Opportunity
to be Heard in Writing Following a
Notice of Proposed Revocation and
Delisting
Proposed § 3.108(a)(4) sets forth our
approach to meeting the statutory
requirement established in section
924(e) of the Public Health Service Act,
42 U.S.C. 299b–24(e), for a PSO to have
an opportunity to dispute the findings
of deficiency in a notice of proposed
revocation and delisting.
Absent other evidence of actual
receipt, we would assume that the
notice of proposed revocation and
delisting has been received by a PSO
five calendar days after it was sent.
Under the proposed rule, unless a PSO
chooses to waive its right to contest a
notice of proposed revocation and
delisting and so notifies the Secretary, a
PSO would not need to request an
opportunity to appeal a notice of
proposed revocation and delisting. A
PSO would automatically have 30
calendar days, beginning the day the
notice is deemed to be received, to
exercise its opportunity to be heard in
writing. The Secretary would consider,
and include in the administrative
record, any written information
submitted by the PSO within this 30day period that responds to the
deficiency findings in the notice of
proposed revocation and delisting. If a
PSO does not take advantage of the
opportunity to submit a substantive
response in writing within 30 calendar
days of receipt of the notice of proposed
revocation and delisting, the notice
would become final as a matter of law
at midnight of the date specified by the
Secretary in the notice. The Secretary
E:\FR\FM\12FEP2.SGM
12FEP2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
hsrobinson on PROD1PC76 with PROPOSALS2
would provide the PSO with policies
and rules of procedures that govern the
form or transmission of the written
response to the notice of proposed
revocation and delisting.
We are considering incorporating in
the final rule an exception to our
proposed policy of automatically
providing a PSO with a 30-day period
in which to submit a written response
to a notice of proposed revocation and
delisting. The one exception we are
considering relates to failure to meet the
requirement for a minimum of two
contracts. The statutory requirement is
unambiguous that this requirement
must be met within every 24-month
period after the initial date of listing of
the PSO. We propose elsewhere that a
PSO submit its notification 45 calendar
days early so that a period for correction
can be established that concludes at
midnight of the last day of the
applicable 24-month period established
by the statute for compliance. The
Secretary would then need to receive
notification from a PSO that this
requirement has been met no later than
midnight of that last day (see proposed
§ 3.102(d)(1) and proposed § 3.104(b)).
Other than verifying that the PSO has
not entered into and reported the
required two bona fide contracts by
midnight on the last day of the
applicable 24-month period, we see no
basis for a written rebuttal of such a
deficiency determination. The language
we are considering, therefore, would
authorize the Secretary, when the basis
for a notice of proposed revocation and
delisting is the failure of a PSO to meet
this very specific requirement, to
proceed to revocation and delisting five
calendar days after the notice of
proposed revocation and delisting
would be deemed to have been received.
(5) Proposed § 3.108(a)(5)—The
Secretary’s Decision Regarding
Revocation
If a written response to the deficiency
findings of a notice of proposed
revocation and delisting is submitted by
a PSO, proposed § 3.108(a)(5) provides
that the Secretary will review the entire
administrative record pertaining to the
notice of proposed revocation and
delisting and any written materials
submitted by the PSO under proposed
§ 3.108(a)(4). The Secretary may affirm,
reverse, or modify the notice of
proposed revocation and delisting. The
Secretary will notify the PSO in writing
of his decision with respect to any
revocation of the acceptance of its
certification and its continued listing as
a PSO. (See section 924(e) of the Public
Health Service Act, 42 U.S.C. 299b–
24(e).)
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
(B) Proposed § 3.108(b)—Revocation of
the Secretary’s Acceptance of a PSO’s
Certification
When the Secretary makes a
determination to remove the listing of a
PSO for cause pursuant to proposed
§ 3.108(a), proposed § 3.108(b) specifies
the actions that the Secretary and the
entity must take, and implements the
protections that the statute affords to
data submitted to such an entity.
(1) Proposed § 3.108(b)(1)—Establishing
Revocation for Cause
Under our proposal, after following
the requirements of proposed § 3.108(a),
if the Secretary determines pursuant to
paragraph (a)(5) of this section that
revocation of the acceptance of a PSO’s
certification is warranted for failure to
comply with the requirements of the
Patient Safety Act, or the regulations
implementing the Patient Safety Act, the
Secretary would establish, and notify
the PSO of, the date and time at which
the Secretary will revoke the acceptance
of its certification and remove the entity
from the list of PSOs. The Secretary may
include information in the notice on the
statutory requirements, incorporated in
proposed § 3.108(b)(2) and § 3.108 (b)(4)
and discussed below, that apply to the
entity following the Secretary’s actions,
and the Secretary would provide public
notice as required by proposed
§ 3.108(d).
(2) Proposed § 3.108(b)(2)—Required
Notification of Providers and Status of
Data
Proposed § 3.108(b)(2) incorporates in
the proposed rule the statutory
requirements that are intended to ensure
that providers receive a reasonable
amount of notice that the PSO with
which they are working is being
removed from the list of PSOs (section
924(e)(2) of the Public Health Service
Act, 42 U.S.C. 299b–24(e)(2)) and to
clarify the status of data submitted by
providers to a PSO whose listing has
been revoked (section 924(f) of the
Public Health Service Act, 42 U.S.C.
299b–24(f)).
As required by the statute, within 15
calendar days of the date established in
the Secretary’s notification of action
under paragraph (b)(1) of this section,
the entity subject to proposed
§ 3.108(b)(1) shall confirm to the
Secretary that it has taken all reasonable
actions to notify each provider whose
patient safety work product has been
collected or analyzed by the PSO that
the entity has been removed from the
list of PSOs. We would recommend, but
do not propose to require, that PSOs
make a priority of notifying providers
PO 00000
Frm 00027
Fmt 4701
Sfmt 4702
8137
who report most frequently to the PSO,
especially providers with contracts with
the PSO. These providers would need to
close out any current contract they have
with the PSO, determine if they wish to
enter a contract with another PSO, and
if so, they would need time to identify
another PSO and then negotiate another
contract.
We also recognize that, even when
this statutory notification requirement is
met, the notification period is short.
While we do not have the authority to
require a PSO to undertake notification
of providers more quickly than the
statute specifies, we invite comment on
whether there are any other steps the
Secretary should take to ensure that
affected providers receive timely notice.
We are considering requiring notice by
electronic or priority mail if no notice
has been given at the end of seven days.
Confidentiality and privilege
protections that applied to patient safety
work product while the former PSO was
listed continue to apply after the entity
is removed from listing. Furthermore,
section 924(f)(1) of the Public Health
Service Act, 42 U.S.C. 299b–24(f)(1)
provides that data submitted to an entity
within 30 calendar days of the date on
which acceptance of its certification is
revoked and it is removed from the list
of PSOs, shall have the same status as
data submitted while the entity was still
listed. Thus, data that would otherwise
be patient safety work product had it
been submitted while the PSO was
listed, will be protected as patient safety
work product if submitted during this
30-day period after delisting.
We stress that the statutory language
in section 924(f)(1) of the Public Health
Service Act, 42 U.S.C. 299b–24(f)(1),
pertains only to data submitted to such
an entity within 30 calendar days after
such revocation and removal. This
provision does not enable an entity that
has been removed from listing to
generate patient safety work product on
its own pursuant to section
921(7)(A)(i)(II) of the Public Health
Service Act, 42 U.S.C. 299b–
21(7)(A)(i)(II); the entity loses that
authority on the effective date and time
of the Secretary’s action to remove it
from listing.
(3) Proposed § 3.108(b)(3)—Disposition
of Patient Safety Work Product and Data
Proposed § 3.108(e) incorporates in
the proposed rule statutory
requirements regarding the disposition
of patient safety work product or data
following revocation and delisting of a
PSO (section 924(g) of the Public Health
Service Act, 42 U.S.C. 299b–24(g)). This
proposed subsection would require that
the former PSO provide for the
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
8138
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
disposition of patient safety work
product or data in its possession in
accordance with one or more of three
alternatives described in section 924(g)
of the Public Health Service Act, 42
U.S.C. 299b–24(g). The three
alternatives include: transfer of the
patient safety work product with the
approval of the source from which it
was received to a PSO which has agreed
to accept it; return of the patient safety
work product or data to the source from
which it was received; or, if return is
not practicable, destroy such work
product or data.
The text of the proposed rule refers to
the ‘‘source’’ of the patient safety work
product or data that is held by the
former PSO, which is a broader
formulation than the statutory phrase
‘‘received from another entity.’’ While
the statutory requirement encompasses
PSOs as well as institutional providers,
we tentatively conclude that the
underlying intent of this statutory
provision is to require the appropriate
disposition of patient safety work
product from all sources, not merely
institutional sources. We note that the
statute, and therefore the proposed rule,
permits individual providers to report
data to PSOs and individual providers
are able to enter the same type of
ongoing arrangements, or contractual
arrangements, as institutional providers.
Moreover, proposed § 3.108(b)(2) would
require PSOs to notify all providers
(individual as well as institutional
providers) from whom they receive data
about the Secretary’s revocation and
delisting decision. We preliminarily
conclude, therefore, that it is consistent
with the statute that a former PSO
consult with all sources (individuals as
well as entities) regarding the
appropriate disposition of the patient
safety work product or data that they
supplied. Moreover, it is a good
business practice. If workforce members
of a former PSO retain possession of any
patient safety work product, they would
incur obligations and potential liability
if it is impermissibly disclosed. We
welcome comments on our
interpretation.
The statutory provision indicates that
these requirements apply to both patient
safety work product or ’data’ described
in 924(f)(1) of the Public Health Service
Act, 42 U.S.C. 299b–24(f)(1). Subsection
(f)(1), entitled ’new data’ and
incorporated in proposed § 3.108(b)(2),
describes data submitted to an entity
within 30 calendar days after the entity
is removed from listing as a PSO and
provides that this data ‘‘shall have the
same status as data submitted while the
entity was still listed.’’ The proposed
regulation mirrors this formulation.
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
While the statute and this proposed
rule would permit destruction of patient
safety work product, we would
encourage entities that have their listing
as a PSO revoked to work with
providers to ensure that patient safety
work product remains available for
aggregation and further analysis
whenever possible, either by returning it
to the provider or, with concurrence of
the provider, transferring it to a PSO
willing to accept it.
The statute does not establish a time
frame for a PSO subject to revocation
and delisting to complete the
disposition of the patient safety work
product or data in its possession. We
invite comment on whether we should
include a date by which this
requirement must be completed (for
example, a specific number of months
after the date of revocation and
delisting).
(C) Proposed § 3.108(c)—Voluntary
Relinquishment
The statute recognizes the right of an
entity to relinquish voluntarily its status
as a PSO, in which case the Secretary
will remove the entity from the list of
PSOs. See section 924(d) of the Public
Health Service Act, 42 U.S.C. 299b–
24(d).
We stress that, if the Secretary
determines that an entity has
relinquished voluntarily its status as a
PSO and removes the entity from listing,
the confidentiality and privilege
protections that applied to patient safety
work product while the former PSO was
listed continue to apply after the entity
is removed from listing.
(1) Proposed § 3.108(c)(1)—
Circumstances Constituting Voluntary
Relinquishment
Proposed § 3.108(c)(1) provides that
an entity would be considered to have
relinquished voluntarily its status as a
PSO under two circumstances: when a
PSO advises the Secretary in writing
that it no longer wishes to be a PSO, and
when a PSO permits its three-year
period of listing to expire without
timely submission of the required
certification to the Secretary for
continued listing. To ensure that such a
lapse is not inadvertent, we provide in
proposed § 3.104(e)(2) that the Secretary
would send a notice of imminent
expiration to any PSO from which the
Secretary has not received a certification
for continued listing by the date that is
45 calendar days before the expiration
of its current period of listing. This
notice is intended to ensure that the
PSO has sufficient time to submit a
certification for continued listing if it
PO 00000
Frm 00028
Fmt 4701
Sfmt 4702
chooses to do so and that, if a lapse
occurs, it is not inadvertent.
(2) Proposed § 3.108(c)(2)—Notification
of Voluntary Relinquishment
Proposed § 3.108(c)(2) would require
an entity that seeks to relinquish
voluntarily its status as a PSO to include
attestations in its notice to the Secretary
that it has made all reasonable efforts to
provide for the orderly termination of
the PSO. First, the PSO must attest that
it has made—or will have made within
15 calendar days of the date of this
notification to the Secretary—all
reasonable efforts to notify organizations
or individuals who have submitted data
to the PSO of its intent to cease
operation and to alert providers that
they should cease reporting or
submitting any further information as
quickly as possible.
We preliminarily conclude that, when
a PSO voluntarily relinquishes its
status, data submitted by providers to
the entity after the date on which the
Secretary removes it from listing is not
patient safety work product. The
statutory provision, incorporated in the
proposed rule at § 3.108(b)(2), that
permits providers to submit data to an
entity for an additional 30 days after the
date of its removal from listing applies
only to PSOs for which the Secretary
has revoked acceptance of its
certification for cause. It does not apply
to a PSO that voluntarily relinquishes
its status. We welcome comment on our
interpretation.
Second, the PSO would be required to
attest that, in consultation with the
organizations or individuals who
submitted the patient safety work
product in its possession, it has
established—or will have made all
reasonable efforts within 15 calendar
days of the date of this notification to
establish—a plan for the appropriate
disposition of such work product,
consistent to the extent possible with
the statutory requirements incorporated
in proposed § 3.108(b)(3). Finally, the
individual submitting the notification of
voluntary relinquishment would
provide appropriate contact information
for further communications that the
Secretary deems necessary.
We caution any PSO considering
voluntary relinquishment that its status
remains in effect until the Secretary
removes the entity from listing. The
PSO’s responsibilities, including those
related to the confidentiality and
security of the patient safety work
product or data in its possession, are not
discharged by the decision of a PSO to
cease operations. Accordingly, we urge
PSOs that are experiencing financial
distress or other circumstances that may
E:\FR\FM\12FEP2.SGM
12FEP2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
lead to voluntary relinquishment, to
contact AHRQ program staff as early as
possible so that the PSO’s obligations
can be appropriately discharged.
hsrobinson on PROD1PC76 with PROPOSALS2
(3) Proposed § 3.108(c)(3)—Response to
Notification of Voluntary
Relinquishment
In response to the submission of a
notification of voluntary
relinquishment, proposed § 3.108(c)(3)
provides that the Secretary would
respond in writing and indicate whether
the proposed voluntary relinquishment
is accepted. We anticipate that the
Secretary would normally approve such
requests but the text provides the
Secretary with discretion to accept or
reject such a request from a PSO that
seeks voluntary relinquishment during
or immediately after revocation
proceedings. Our proposal is intended
to recognize that, in certain
circumstances, for example, when the
deficiencies of the PSO are significant or
reflect a pattern of non-compliance with
the Patient Safety Act or the proposed
rule, the Secretary may decide that
giving precedence to the revocation
process may be more appropriate.
(4) Proposed § 3.108(c)(4)—Implied
Voluntary Relinquishment
Proposed § 3.108(c)(4) enables the
Secretary to determine that implied
voluntary relinquishment has taken
place if a PSO permits its period of
listing to expire without receipt and
acceptance by the Secretary of a
certification for continued listing. In our
view, the statute does not permit an
entity to function as a PSO beyond its
3-year period of listing unless it has
submitted, and the Secretary has
accepted, a certification for a 3-year
period of continued listing. To ensure
that such a lapse is not inadvertent, we
propose a requirement in § 3.104(e)(2)
that the Secretary would send a notice
of imminent expiration to any PSO from
which the Secretary has not received the
required certification for continued
listing by the date that is 45 calendar
days prior to the last date of the PSOs
current period of listing. Accordingly,
we propose that the Secretary would
determine that a PSO under these
circumstances has relinquished
voluntarily its status at midnight on the
last day of its current period of listing,
remove the entity from the list of PSOs
at midnight on that day, make
reasonable efforts to notify the entity in
writing of the action taken, and
promptly provide public notice in
accordance with proposed § 3.108(d).
Under the proposed rule, the notice of
delisting would request that the entity
make reasonable efforts to comply with
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
the requirements of proposed
§ 3.108(c)(2). Compliance with these
requirements in this circumstance
would mean that the former PSO would
be required to notify individuals and
organizations that routinely reported
data to the entity during its period of
listing that it has voluntarily
relinquished its status as a PSO and that
they should no longer report or submit
data, and make reasonable efforts to
provide for the disposition of patient
safety work product or data in
consultation with the sources from
which such information was received in
compliance with the statutory
requirements incorporated in proposed
§ 3.108(b)(3)(i)–(iii). The former PSO
would also be expected to provide
appropriate contact information for
further communications from the
Secretary.
We are aware that, if a PSO does not
give appropriate notice to providers
from which it receives data, that it does
not intend to seek continued listing, this
could jeopardize protections for data
that these providers continue to report.
To address this issue, we are seeking
comment in proposed § 3.104(e) on a
proposal that would ensure that
providers have advance notice that a
PSO is approaching the end of its period
of listing but has not yet sought
continued listing.
(5) Proposed § 3.108(c)(5)—NonApplicability of Certain Procedures and
Requirements
Proposed § 3.108(c)(5) provides that
neither a decision by a PSO to notify the
Secretary that it wishes to relinquish
voluntarily its status as a PSO, nor a
situation in which a PSO lets its period
of listing lapse, constitutes a deficiency
as referenced in the discussion
regarding proposed § 3.108(a). As a
result, neither the procedures and
requirements that apply to the Secretary
or a PSO subject to the revocation
process outlined in that proposed
subsection, nor the requirements that
apply to the Secretary or a PSO
following action by the Secretary
pursuant to proposed § 3.108(b)(1),
would apply in cases of voluntary
relinquishment. Adoption of this
proposal would mean that a PSO has no
basis for appealing decisions of the
Secretary in response to a request for
voluntary relinquishment or challenging
its removal from listing if its period of
listing lapses and the Secretary
determines that implied voluntary
relinquishment has occurred. We
specifically welcome comment on this
proposal.
PO 00000
Frm 00029
Fmt 4701
Sfmt 4702
8139
(D) Proposed § 3.108(d)—Public Notice
of Delisting Regarding Removal From
Listing
Proposed § 3.108(d) incorporates in
the proposed rule the statutory
requirement that the Secretary must
publish a notice in the Federal Register
regarding the revocation of acceptance
of certification of a PSO and its removal
from listing pursuant to proposed
§ 3.108(b)(1) (see section 924(e)(3) of the
Public Health Service Act, 42 U.S.C.
299b–24(e)(3)). This proposal also
would require the Secretary to publish
such a notice if delisting results from a
determination of voluntary
relinquishment pursuant to proposed
§ 3.108(c)(3) or (c)(4). The Secretary
would specify the effective date and
time of the actions in these notices.
5. Proposed § 3.110—Assessment of
PSO Compliance
Proposed § 3.110 provides that the
Secretary may request information or
conduct spot-checks (reviews or site
visits to PSOs that may be
unannounced) to assess or verify PSO
compliance with the requirements of the
statute and this proposed subpart. We
anticipate that such spot checks will
involve no more than 5–10% of PSOs in
any year. The legislative history of
patient safety legislation in the 108th
and 109th Congress suggests that the
Senate Health, Education, Labor and
Pensions (HELP) Committee assumed
that the Secretary had the inherent
authority to undertake inspections as
necessary to ensure that PSOs were
meeting their obligations under the
statute. In fact, in reporting legislation
in 2004, the Senate HELP Committee
justified its proposal for an expedited
process for listing PSOs—that is
substantially the same as the one
incorporated in the Patient Safety Act
that was enacted in 2005 and is
incorporated in this proposed rule—on
the basis that the Secretary could and
would be able to conduct such
inspections.
The ability of the Secretary to
‘‘examine any organization at any time
to see whether it in fact is performing
those required activities’’ the Senate
HELP Committee wrote, enables the
Committee to ‘‘strike the right balance’’
in adopting an expedited process for the
listing of PSOs by the Secretary (Senate
Report 108–196). Accordingly, we
tentatively conclude that this proposed
authority for undertaking inspections on
a spot-check basis is consistent with
Congressional intent and the overall
approach of the proposed rule of using
regulatory authority sparingly.
E:\FR\FM\12FEP2.SGM
12FEP2
8140
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
While patient safety work product
would not be a focus of inspections
conducted under this proposed
authority, we recognize that it may not
be possible to assess a PSO’s
compliance with required patient safety
activities without access to all of a
PSO’s records, including some patient
safety work product. This proposed
section references the broader authority
of the Department to access patient
safety work product as part of its
proposed implementation and
enforcement of the Patient Safety Act.
We also note that the inspection
authority of this proposed subpart is
limited to PSOs and does not extend to
providers.
hsrobinson on PROD1PC76 with PROPOSALS2
6. Proposed § 3.112—Submissions and
Forms
Paragraphs (a) and (b) of proposed
§ 3.112 explain how to obtain forms and
how to submit applications and other
information under the proposed
regulations. Also, to help ensure the
timely resolution of incomplete
submissions, proposed paragraph (c) of
this section would provide for requests
for additional information if a
submission is incomplete or additional
information is needed to enable the
Secretary to make a determination on
the submission.
C. Subpart C—Confidentiality and
Privilege Protections of Patient Safety
Work Product
Proposed Subpart C would establish
the general confidentiality protections
for patient safety work product, the
permitted disclosures, and the
conditions under which the specific
protections no longer apply. The
proposed Subpart also establishes the
conditions under which a provider,
PSO, or responsible person must
disclose patient safety work product to
the Secretary in the course of
compliance activities, and what the
Secretary may do with such
information. Finally, proposed Subpart
C establishes the standards for
nonidentifiable patient safety work
product.
The privilege and confidentiality
protections set forth in this proposed
Subpart apply to the PSO framework
established by the Patient Safety Act
and this proposed Part, which will
involve providers, PSOs, and
responsible persons who possess patient
safety work product. The Patient Safety
Act and this proposed Subpart seek to
balance key objectives. First, it seeks to
address provider concerns about the
potential for damage from unauthorized
release of such information, including
the potential for the information to serve
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
as a roadmap for provider liability from
negative patient outcomes. Second, it
seeks to promote the sharing of
information about adverse patient safety
events among providers and PSOs for
the purpose of learning from those
events to improve patient safety and
creating a culture of safety. To address
these objectives, the Patient Safety Act
established that patient safety work
product would be confidential and
privileged, with certain exceptions.
Thus, the Patient Safety Act allows
sharing of patient safety work product
for certain purposes, including for
patient safety activities, but
simultaneously attaches strict
confidentiality and privilege protections
for that patient safety work product. To
further strengthen the confidentiality
protections, the Patient Safety Act
imposes significant monetary penalties
for violation of the confidentiality
provisions, as set forth in proposed
Subpart D.
Moreover, patient safety work product
that is disclosed generally continues to
be privileged and confidential, that is, it
may only be permissibly disclosed by
the receiving entity or person for a
purpose permitted by the Patient Safety
Act and this proposed Subpart. The
only way that patient safety work
product is no longer confidential is if
the patient safety work product
disclosed is nonidentifiable or when an
exception to continued confidentiality
exists. See section 922(d)(2)(B) of the
Public Health Service Act, 42 U.S.C.
299b–22(d)(2)(B). A person disclosing
such work product outside of these
statutory permissions in violation of the
Patient Safety Act and this proposed
Subpart may be subject to civil money
penalties.
Proposed § 3.204, among other
provisions, provides that patient safety
work product is privileged and
generally shall not be admitted as
evidence in Federal, State, local, or
Tribal civil, criminal or administrative
proceedings and shall not be subject to
a subpoena or order, unless an
exception to the privilege applies; the
exceptions are discussed in proposed
§ 3.204(b). Proposed § 3.206 provides
that patient safety work product is
confidential and shall not be disclosed
except as permitted in accordance with
the disclosures described in proposed
§§ 3.206(b)–(e), 3.208 and 3.210. Under
proposed § 3.208, patient safety work
product continues to be privileged and
confidential after disclosure with
certain exceptions. Under proposed
§ 3.210, providers, PSOs, and
responsible persons must disclose to the
Secretary such patient safety work
product as required by the Secretary for
PO 00000
Frm 00030
Fmt 4701
Sfmt 4702
the purposes of investigating or
determining compliance with this
proposed Part, enforcing the
confidentiality provisions, or making
determinations on certifying and listing
PSOs. Proposed § 3.210 also provides
for disclosure to the Secretary. Proposed
§ 3.212 describes the standard for
determining that patient safety work
product is nonidentifiable.
Throughout the proposed rule, the
term patient safety work product means
both identifiable patient safety work
product and nonidentifiable patient
safety work product, unless otherwise
specified. In addition, if a disclosure is
made by or to a workforce member of an
entity, it will be considered a disclosure
by or to the entity itself.
Finally, throughout our discussion we
note the relationship between the
Patient Safety Act and the HIPAA
Privacy Rule. Several provisions of the
Patient Safety Act recognize that the
patient safety regulatory scheme will
exist alongside other requirements for
the use and disclosure of protected
health information under the HIPAA
Privacy Rule. For example, the Patient
Safety Act establishes that PSOs will be
business associates of providers,
incorporates individually identifiable
health information under the HIPAA
Privacy Rule as an element of
identifiable patient safety work product,
and adopts a rule of construction that
states the intention not to alter or affect
any HIPAA Privacy Rule
implementation provision (see section
922(g)(3) of the Public Health Service
Act, 42 U.S.C. 299b–22(g)(3)). We
anticipate that most providers reporting
to PSOs will be HIPAA covered entities
under the HIPAA Privacy Rule, and as
such, will be required to recognize
when requirements of the HIPAA
Privacy Rule apply. Because this
proposed rule focuses on disclosures of
identifiable patient safety work product
which may include protected health
information, we discuss where
appropriate the overlaps between the
proposed Patient Safety Act permitted
disclosures and the existing HIPAA
Privacy Rule use and disclosure
permissions.
1. Proposed § 3.204—Privilege of Patient
Safety Work Product
Proposed § 3.204 describes the
privilege protections of patient safety
work product and when the privilege
protections do not apply. The Patient
Safety Act does not give authority to the
Secretary to enforce breaches of
privilege protections. Rather, we
anticipate that the tribunals, agencies or
professional disciplinary bodies before
whom these proceedings take place will
E:\FR\FM\12FEP2.SGM
12FEP2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
hsrobinson on PROD1PC76 with PROPOSALS2
adjudicate the application of privilege
as set forth in section 922(a)(1)–(5) of
the Public Health Service Act, 42 U.S.C.
299b–22(a)(1)–(5). Even though the
privilege protections will be enforced
through the court systems, and not by
the Secretary, we repeat the statutory
privilege provisions and exceptions for
convenience. We note, however, that the
same exceptions are repeated in the
confidentiality context, which the
Secretary does enforce; so these are
repeated at proposed § 3.206 and such
impermissible disclosure may be
penalized under proposed Subpart D.
To determine the permissible scope of
disclosures under the Patient Safety Act,
it is important to understand the
application of the privilege protection
and its exceptions described in
conjunction with the related proposed
confidentiality disclosures. The
admission of patient safety work
product as evidence in a proceeding or
through a subpoena, court order or any
other exception to privilege, whether
permissibly or not, amounts to a
disclosure of that patient safety work
product to all parties receiving or with
access to the patient safety work
product admitted. Thus, we use the
term disclosure to describe the transfer
of patient safety work product pursuant
to an exception to privilege, as well as
to an exception to confidentiality. In
addition, although the Secretary does
not have authority to impose civil
money penalties for violations of the
privilege protection, a violation of
privilege may also be a violation of the
confidentiality provisions. For these
reasons, we include the privilege
language in the proposed implementing
regulations.
Finally, as discussed in proposed
§ 3.204(c), we include a regulatory
exception to privilege for disclosures to
the Secretary for the purpose of
enforcing the confidentiality provisions
and for making or supporting PSO
certification or listing decisions.
(A) Proposed § 3.204(a)—Privilege
Proposed § 3.204(a) would repeat the
statutory language at section 922(a) of
the Public Health Service Act, 42 U.S.C.
299b–22(a), establishing the general
principle that patient safety work
product is privileged and is not subject
to Federal, State or local civil, criminal
or administrative proceedings or orders;
is not subject to disclosure under the
Freedom of Information Act or similar
Federal, State or local laws; and may not
be admitted into evidence in any
Federal, State or local civil, criminal or
administrative proceeding or the
proceedings of a disciplinary body
established or specifically authorized
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
under State law. In addition, we have
clarified that patient safety work
product shall be privileged and not
subject to use in Tribal courts or
administrative proceedings. Because the
Patient Safety Act is a statute of general
applicability, it applies to Indian Tribes.
In addition, the application of the
Federal privilege to Tribal proceedings
implements the strong privilege
protections intended under section 922
of the Public Health Service Act, 42
U.S.C. 299b–22. (See section 922(g)(1)–
(2) of the Public Health Service Act, 42
U.S.C. 299b–22(g)(1)–(2), preserving
more stringent Federal, State, and local
confidentiality laws).
(B) Proposed § 3.204(b)—Exceptions to
Privilege
Proposed § 3.204(b) describes the
exceptions to the privilege protection at
proposed § 3.204(a) that are established
in section 922(c) of the Public Health
Service Act, 42 U.S.C. 299b–22(c), as
added by the Patient Safety Act. When
the conditions set forth in proposed
§ 3.204(b) are met, then privilege does
not apply and would not prevent the
patient safety work product from, for
example, being entered into evidence in
a proceeding or subject to discovery. In
all cases, the exceptions from privilege
are also exceptions from confidentiality.
For proposed § 3.204(b)(1)–(4) and
§ 3.204(c), we discuss the scope of the
applicable confidentiality protection in
proposed § 3.206(b) and § 3.206(d).
(1) Proposed § 3.204(b)(1)—Criminal
Proceedings
Proposed § 3.204(b)(1) would permit
disclosure of identifiable patient safety
work product for use in a criminal
proceeding, as provided in section
922(c)(1)(A) of the Public Health Service
Act, 42 U.S.C. 299b–22(c)(1)(A). Such
patient safety work product is not
subject to the privilege prohibitions
described in proposed § 3.204(a) or the
confidentiality protection described in
proposed § 3.206(a). See proposed
§ 3.206(b)(1). Prior to a court
determining that an exception to
privilege applies pursuant to this
provision, a court must make an in
camera determination that the
identifiable patient safety work product
sought for disclosure contains evidence
of a criminal act, is material to the
proceeding, and is not reasonably
available from other sources. See section
922(c)(1)(A) of the Public Health Service
Act, 42 U.S.C. 299b–22(c)(1)(A). We
discuss in full the requirements of this
disclosure under the confidentiality
disclosure discussion below.
PO 00000
Frm 00031
Fmt 4701
Sfmt 4702
8141
(2) Proposed § 3.204(b)(2)—Equitable
Relief for Reporters
Proposed § 3.204(b)(2) permits the
disclosure of identifiable patient safety
work product to the extent required to
carry out the securing and provision of
specified equitable relief as provided for
under section 922(f)(4)(A) of the Public
Health Service Act, 42 U.S.C. 299b–
22(f)(4)(A). This exception is based on
section 922(c)(1)(B) of the Public Health
Service Act, 42 U.S.C. 299b–22(c)(1)(B).
The Patient Safety Act permits this
disclosure as an exception to privilege
and confidentiality to effectuate the
provision that authorizes equitable relief
for an employee who has been subjected
to an adverse employment action for
good faith reporting of information to a
PSO directly or to a provider for the
intended report to a PSO. We discuss in
full the requirements of this disclosure
under the confidentiality disclosure
discussion below.
(3) Proposed § 3.204(b)(3)—Authorized
by Identified Providers
Proposed § 3.204(b)(3) describes when
identifiable patient safety work product
may be excepted from privilege when
each of the providers identified in the
patient safety work product authorizes
the disclosure. This provision is based
on section 922(c)(1)(C) of the Public
Health Service Act, 42 U.S.C. 299b–
22(c)(1)(C). Such patient safety work
product is also not subject to the
confidentiality protections described in
proposed § 3.206(a). We discuss in full
the requirements of this disclosure
under the confidentiality disclosure
discussion below.
(4) Proposed § 3.2049(b)(4)—
Nonidentifiable Patient Safety Work
Product
Proposed § 3.204(b)(4) permits patient
safety work product to be excepted from
privilege when disclosed in
nonidentifiable form. This provision is
based on section 922(c)(3) of the Public
Health Service Act, 42 U.S.C. 299b–
22(c)(3). As with other privilege
protections, we expect the tribunals for
which the information is sought to
adjudicate the application of this
exception. We discuss in full the
requirements of this disclosure in the
confidentiality disclosure discussion
below.
(C) Proposed § 3.204(c)—
Implementation and Enforcement of the
Patient Safety Act
Proposed § 3.204(c) excepts from
privilege disclosures of relevant patient
safety work product to or by the
Secretary as needed for investigation or
determining compliance with this Part
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
8142
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
or for enforcement of the confidentiality
provisions, or for making or supporting
PSO certification or listing decisions,
under the Patient Safety Act. We
propose that the Secretary may use and
disclose patient safety work product
when pursuing civil money penalties for
impermissible disclosures. This is a
privilege exception in the same manner
as exceptions listed in proposed
§ 3.204(b), but we state it separately to
provide specific emphasis for the
inclusion of this exception to privilege
by the Secretary for enforcement
activities. This information is also a
permissible disclosure under proposed
§ 3.206(d), discussed below.
The Patient Safety Act provides for
broad privilege and confidentiality
protections, as well as the authority for
the Secretary to impose civil money
penalties on persons who knowingly or
recklessly disclose identifiable patient
safety work product in violation of those
protections. However, in order to
perform investigations and compliance
reviews to determine whether a
violation has occurred, the Secretary
may need to have access to privileged
and confidential patient safety work
product.
We believe that Congress could not
have intended that the privilege and
confidentiality protections afforded to
patient safety work product operate to
frustrate the sole enforcement
mechanism Congress provided for the
punishment of impermissible
disclosures and to preclude the
imposition of civil money penalties. As
a matter of public policy, the creation of
a confidentiality protection is
meaningless without the capacity to
enforce a breach of those protections.
For these reasons, we propose a
privilege exception narrowly drawn to
permit the Secretary to perform the
enforcement and operational duties
required by the Patient Safety Act,
which include the submission of patient
safety work product to administrative
law judges (ALJs), the Departmental
Appeals Board (Board), and the courts.
This proposed provision would
permit the disclosure of patient safety
work product to the Secretary or
disclosure by the Secretary so long as
such disclosure is for the purpose of
implementation and enforcement of
these proposed regulations. Such
disclosure would include the
introduction of patient safety work
product into proceedings before ALJs or
the Board under proposed Subpart D by
the Secretary, as well as the disclosure
during investigations by OCR or
activities in reviewing PSO
certifications by AHRQ. Moreover,
disclosures of patient safety work
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
product made to the Board or other
parts of the Department that are
received by workforce members, such as
contractors operating electronic web
portals or mail sorting and paper
scanning services, would be permitted
as a disclosure to the Secretary under
this proposed provision. This provision
would also permit the Board to disclose
any patient safety work product in order
to properly review determinations or to
provide records for court review.
Patient safety work product disclosed
under this exception remains protected
by both privilege and confidentiality
protections as proposed in § 3.208. This
exception does not limit the ability of
the Secretary to disclose patient safety
work product in accordance with the
exceptions under proposed § 3.206(b) or
this Part. Rather, this proposed section
provides a specific permission by which
patient safety work product may be
disclosed to the Secretary and the
Secretary may further disclose such
patient safety work product for
compliance and enforcement purposes.
We believe strongly in the protection
of patient safety work product as
provided in the Patient Safety Act and
the proposed regulation, and seek to
minimize the risk of improper
disclosure of patient safety work
product by using and disclosing patient
safety work product only in limited and
necessary circumstances. We intend that
any disclosure made pursuant to this
proposed provision be limited in the
amount of patient safety work product
disclosed to accomplish the purpose of
implementation, compliance, and
enforcement. Proposed § 3.312 discusses
the limitations on what the Secretary
may do with any patient safety work
product obtained pursuant to an
investigation or compliance review
under proposed Subpart D. As
discussed in the preamble to proposed
§ 3.312, section 922(g)(3) of the Public
Health Service Act, 42 U.S.C. 299b–
22(g)(3), provides that the Patient Safety
Act does not affect the implementation
of the HIPAA confidentiality
regulations. Accordingly, the privilege
provisions in the Patient Safety Act
would not bar the Secretary from
introducing patient safety work product
in a HIPAA enforcement proceeding.
2. Proposed § 3.206—Confidentiality of
Patient Safety Work Product
Proposed § 3.206 describes the
confidentiality protection of patient
safety work product as well as
exceptions from confidentiality
protection. The following discussion
generally refers to an act that falls
within an exception from
PO 00000
Frm 00032
Fmt 4701
Sfmt 4702
confidentiality as a permissible
disclosure.
(A) Proposed § 3.206(a)—Confidentiality
Proposed § 3.206(a) would establish
the overarching general principle that
patient safety work product is
confidential and shall not be disclosed.
The principle applies to patient safety
work product held by anyone. This
provision is based on section 922(b) of
the Public Health Service Act, 42 U.S.C.
299b–22(b).
(B) Proposed § 3.206(b)—Exceptions to
Confidentiality
Proposed § 3.206(b) describes the
exceptions to confidentiality, or the
permitted disclosures. Certain
overarching principles apply to the
proposed confidentiality standards.
First, we consider these exceptions to be
‘‘permissions’’ to disclose patient safety
work product and the holder of the
patient safety work product retains full
discretion whether or not to disclose.
Thus, similar to the disclosures
permitted under the HIPAA Privacy
Rule, we are defining a uniform federal
baseline of protection that is enforceable
by federally imposed civil money
penalties. We are not encouraging or
requiring disclosures, except to the
Secretary as provided in this proposed
rule. Therefore, a provider, PSO, or
responsible person, may create
confidentiality policies and procedures
with respect to patient safety work
product that are more stringent than
these proposed rules and are free to
otherwise condition the release of
patient safety work product that comes
within these exceptions by contract,
employment relationship, or other
means. See, for example, section
922(g)(4) of the Public Health Service
Act, 42 U.S.C. 299b–22(g)(4). However,
the Secretary will not enforce such
policies or private agreements.
Second, when exercising the
discretion to disclose patient safety
work product, we encourage providers,
PSOs, and responsible persons to
consider the purposes for which the
disclosures are made. Disclosures
should be narrow and consistent with
the overarching goals of the privilege
and confidentiality protections, even
though these protections generally
continue to apply to patient safety work
product after disclosure. We encourage
any entity or person making a disclosure
to consider both the amount of patient
safety work product that is being
disclosed, as well as the amount of
identifiable information disclosed. Even
though not required, entities or persons
should attempt to disclose the amount
of information commensurate with the
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
purposes for which a disclosure is
made. We encourage the disclosure of
the least amount of identifiable patient
safety work product that is appropriate
for the purpose of the disclosure, which
might mean the disclosure of less
information than all of the information
that would be permitted to be disclosed
under the confidentiality provisions. We
also encourage the removal of
identifiable information when feasible
regardless of whether protection under
this rule continues. While a provider,
PSO, or responsible person need not
designate a workforce member to
determine when a disclosure of patient
safety work product is permitted, such
a designation may be a best practice to
ensure that a disclosure complies with
the confidentiality provisions, and
contains the least amount of patient
safety work product necessary.
Third, we have addressed the scope of
redisclosure by persons receiving
patient safety work product. Persons
receiving patient safety work product
would only be allowed to redisclose that
information to the extent permitted by
the proposed regulation. For example,
we propose that accrediting bodies
receiving patient safety work product
pursuant to the accrediting body
disclosure at proposed § 3.206(b)(8) may
not further disclose that patient safety
work product. We seek public comment
on the subject of whether there are any
negative implications associated with
limiting redisclosures in this way.
Additionally, agencies subject to both
the Patient Safety Act and the Privacy
Act, 5 U.S.C. 552a, must comply with
both statutes when disclosing patient
safety work product. Under the Patient
Safety Act, see section 922(b) of the
Public Health Service Act, 42 U.S.C.
299b–22(b), if another law, such as the
Privacy Act, permits or requires the
disclosure of patient safety work
product, disclosure of this information
would be in violation of the Patient
Safety Act unless the Patient Safety Act
also permits this disclosure. However, if
the Privacy Act prohibits the disclosure
of information that is patient safety
work product, the permissible
disclosure of this information under the
Patient Safety Act would be in violation
of the Privacy Act. Therefore, for
agencies subject to both statutes, patient
safety work product must be disclosed
in a manner that is permissible under
both statutes. The Privacy Act does
permit agencies to make disclosures
pursuant to established routine uses.
See 5 U.S.C. 552a(a)(7); 552a(b)(3); and
552a(e)(4)(D). We recommend that
Federal agencies that maintain a Privacy
Act system of records containing
information that is patient safety work
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
product include routine uses that will
permit disclosures allowed by the
Patient Safety Act.
Finally, for HIPAA covered entities,
when individually identifiable health
information is encompassed within the
patient safety work product, the
disclosure must also comply with the
HIPAA Privacy Rule. Thus, for patient
safety work product disclosures that
contain individually identifiable health
information, as defined in 45 CFR
160.103, we note some of the
comparable HIPAA Privacy Rule
permissions for consideration.
(1) Proposed § 3.206(b)(1)—Criminal
Proceeding
Proposed § 3.206(b)(1) would
establish the permitted criminal
proceeding disclosure which parallels
the privilege exception disclosure for
use in a criminal proceeding, proposed
§ 3.204(b)(1). Proposed § 3.206(b)(1)
would permit disclosure of identifiable
patient safety work product for use in a
criminal proceeding. Prior to a court
determining that an exception to
privilege applies pursuant to this
provision, a court must make an in
camera determination that the
identifiable patient safety work product
sought for disclosure contains evidence
of a criminal act, is material to the
proceeding, and is not reasonably
available from other sources. See section
922(c)(1)(A) of the Public Health Service
Act, 42 U.S.C. 299b–22(c)(1)(A).
After such determinations by a court,
the patient safety work product may be
permissibly disclosed within the
criminal proceeding. This provision and
these limitations are based on section
922(c)(1)(A) of the Public Health Service
Act, 42 U.S.C. 299b–22(c)(1)(A). When
considering claims that confidentiality
protection has been breached, we intend
to defer to, and not review, the court’s
in camera determinations made in
context of determining the privilege
exception. The Secretary has not been
authorized to enforce the underlying
privilege protection or make
determinations regarding its
applicability. The Secretary’s authority
is limited to investigating and enforcing
violations of the confidentiality
protections parallel to this privilege
exception at proposed § 3.206(b)(1).
The Patient Safety Act establishes that
patient safety work product, once
disclosed, will generally continue to be
privileged and confidential as discussed
in proposed § 3.208. See section
922(d)(1) of the Public Health Service
Act, 42 U.S.C. 299b–22(d)(1). However,
the Patient Safety Act limits the
continued protection of the specific
patient safety work product disclosed
PO 00000
Frm 00033
Fmt 4701
Sfmt 4702
8143
for use in a criminal proceeding. Patient
safety work product disclosed for use in
a criminal proceeding continues to be
privileged and cannot be reused as
evidence or in any context prohibited by
the privilege protection, but is no longer
confidential. See section 922(d)(2)(A) of
the Public Health Service Act, 42 U.S.C.
299b–22(d)(2)(A). For example, law
enforcement personnel who obtain
patient safety work product used in a
criminal proceeding may further
disclose that patient safety work
product because the confidentiality
protection does not apply. However, if
law enforcement sought to enter the
information into another criminal
proceeding, it would need a new in
camera determination for the new
criminal proceeding. For a further
discussion of continued confidentiality,
see discussion of proposed § 3.208
below.
For entities that are subject to the
HIPAA Privacy Rule and this Part,
disclosures must conform to 45 CFR
164.512(e) of the HIPAA Privacy Rule.
We expect that court rulings following
an in camera determination would be
issued as a court order, which would
satisfy the requirements of 45 CFR
164.512(e). So long as such legal process
is in compliance with 45 CFR
164.512(e), the disclosure would be
permissible under the HIPAA Privacy
Rule.
(2) Proposed § 3.206(b)(2)—Equitable
Relief for Reporters
Proposed § 3.206(b)(2) would permit
the disclosure of identifiable patient
safety work product to the extent
required to carry out equitable relief as
provided for under section 922(f)(4)(A)
of the Public Health Service Act, 42
U.S.C. 299b–22(f)(4)(A). See section
922(c)(1)(B) of the Public Health Service
Act, 42 U.S.C. 299b–22(c)(1)(B). This
proposed provision parallels the
privilege exception to carry out
equitable relief at proposed
§ 3.204(b)(2). The Patient Safety Act
permits this disclosure to effectuate the
provision that authorizes an employee
to seek redress for adverse employment
actions for good faith reporting of
information to a PSO directly or to a
provider with the intended disclosure to
a PSO.
The Patient Safety Act prohibits a
provider from taking an adverse
employment action against an
individual who, in good faith, reports
information to the provider for
subsequent reporting to a PSO, or to a
PSO directly. See section 922(e)(1) of
the Public Health Service Act, 42 U.S.C.
299b–22(e)(1). Adverse employment
actions are described at section 922(e)(2)
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
8144
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
of the Public Health Service Act, 42
U.S.C. 299b–22(e)(2), and include loss
of employment, failure to promote, or
adverse evaluations or decisions
regarding credentialing or licensing. The
Patient Safety Act provides adversely
affected reporters a civil right of action
to enjoin such adverse employment
actions and obtain other equitable relief,
including back pay or reinstatement, to
redress the prohibited actions. As part
of that right to seek equitable relief, the
Patient Safety Act provides that patient
safety work product is not subject to the
privilege protections described in
section 922(a) of the Public Health
Service Act, 42 U.S.C. 299b–22(a), and
as similarly described in proposed
§ 3.204(a), or to the confidentiality
protection in section 922(b) of the
Public Health Service Act, 42 U.S.C.
299b–22(b), and as similarly described
in proposed § 3.206(a), to the extent
such patient safety work product is
necessary to carry out the equitable
relief.
Although such disclosure is excepted
from both confidentiality and privilege
as to efforts to seek equitable relief, the
identifiable patient safety work product
remains subject to confidentiality and
privilege protection in the hands of all
subsequent holders and the protections
apply to all subsequent potential
disclosures. See section 922(d)(1) of the
Public Health Service Act, 42 U.S.C.
299b–22(d)(1). Thus, even though the
reporter is afforded discretion to
disclose the relevant patient safety work
product to seek and obtain equitable
relief, all subsequent holders receiving
the patient safety work product from the
reporter are bound by the continued
privilege and confidentiality
protections.
Thus, this provision would allow the
reporter seeking equitable relief from an
adverse employment action to include
patient safety work product in briefs
and in open court. To protect the patient
safety work product as much as possible
in these circumstances, we could
condition the disclosure of identifiable
patient safety work product in these
circumstances on a party’s, most likely
the reporter’s, obtaining of a protective
order in these types of proceedings.
Such a protective order could take many
forms that preserve the confidentiality
of patient safety work product. For
example, it could limit the use of the
information to case preparation, but not
make it evidentiary. Such an order
might prohibit the disclosure of the
patient safety work product in publicly
accessible proceedings and in court
records to prevent liability from moving
to a myriad of unsuspecting parties (for
example, parties in a courtroom may not
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
know that they may be liable for civil
money penalties if they share the
patient safety work product they hear).
We solicit comments on whether a
protective order should be a condition
for this disclosure, imposed by
regulation, or whether instead we
should require a good faith effort to
obtain a protective order as a condition
for this disclosure and use our
enforcement discretion to consider
whether to assess a penalty for anyone
who cannot obtain such an order and
thus breaches the statutory continued
confidentiality protection of this
information. See discussion below at
proposed § 3.402(a).
We also address the intersection of
the HIPAA Privacy Rule herein because
identifiable patient safety work product
may contain individually identifiable
health information and be sought for
disclosure under this exception from a
HIPAA covered entity or that HIPAA
covered entity’s business associate.
Under the HIPAA Privacy Rule at 45
CFR 164.512(e), when protected health
information is sought to be disclosed in
a judicial proceeding via subpoenas and
discovery requests without a court
order, the disclosing HIPAA covered
entity must seek satisfactory assurances
that the party requesting the information
has made reasonable efforts to provide
written notice to the individual who is
the subject of the protected health
information or to secure a qualified
protective order. A protective order that
meets the qualified protective order
under 45 CFR 164.512(e) would be
permissible under the HIPAA Privacy
Rule and render a disclosure under this
exception in compliance with the
HIPAA Privacy Rule.
(3) Proposed § 3.206(b)(3)—Authorized
by Identified Providers
Proposed § 3.206(b)(3) would
establish a permitted disclosure parallel
to the privilege exception at proposed
§ 3.204(b)(3), when each of the
providers identified in the patient safety
work product authorizes the disclosure
in question. This provision is based on
section 922(c)(1)(C) of the Public Health
Service Act, 42 U.S.C. 299b–22(c)(1)(C).
In these circumstances, patient safety
work product may be disclosed, not
withstanding the privilege protections
described in proposed § 3.204(a) or the
confidentiality protections described in
proposed § 3.206(a). However, patient
safety work product disclosed under
this exception continues to be
confidential pursuant to the continued
confidentiality provisions at section
922(d)(1) of the Public Health Service
Act, 42 U.S.C. 299b–22(d)(1), and
persons are subject to liability for
PO 00000
Frm 00034
Fmt 4701
Sfmt 4702
further disclosures in violation of that
confidentiality.
This exception applies to patient
safety work product that contains
identifiable provider information. Under
the proposed language, each provider
identified in the patient safety work
product sought to be disclosed must
separately authorize the disclosure. For
example, if patient safety work product
sought to be disclosed by an entity or
person pursuant to this exception
describes an incident involving three
physicians, each physician would need
to authorize disclosure of the patient
safety work product, in order for the
entity or person to disclose it. Making
information regarding one provider
nonidentifiable in lieu of obtaining an
authorization is not sufficient.
We considered whether the rule
should allow a provider to nonidentify
the patient safety work product with
respect to a nonauthorizing provider
and disclose the patient safety work
product with respect to the remaining
authorizing providers. However, we
rejected that approach as being
impracticable. In light of the contextual
nonidentification standard proposed in
§ 3.212, it would seem that there would
be very few, if any, situations in which
a nonauthorizing provider could be
nonidentified without also needing to
nonidentify, or nearly so, an authorizing
provider in the same patient safety work
product. Unless we adopt a less
stringent nonidentification standard,
disclosing persons can either totally
nonidentify patient safety work product
and disclose under proposed
§ 3.206(b)(5), or disclose the patient
safety work product only if all identified
providers in patient safety work product
authorize its disclosure.
When all identified providers
authorize the disclosure of patient safety
work product, the Patient Safety Act
permits such disclosure, but remains
silent about the identification of
patients or reporters in such patient
safety work product. As to other persons
that make patient safety work product
identifiable, i.e., patients and reporters,
the Patient Safety Act does not provide
a separate right of authorization.
However, as one of the core principles
underlying the Patient Safety Act is the
protection of the privacy and
confidentiality concerns of certain
persons in connection with specific
patient safety work product (i.e.,
providers, patients and reporters), we
encourage persons disclosing patient
safety work product to exercise
discretion in the scope of patient safety
work product disclosed, even though
neither patient nor reporter
authorization is required. Disclosers are
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
encouraged to consider whether the
disclosure of identifying information
regarding patients and reporters is
necessary to accomplish the particular
purpose of the disclosure. As discussed
below, if the disclosing entity is a
HIPAA covered entity, the HIPAA
Privacy Rule, including the minimum
necessary standard when applicable,
would apply to the disclosure of
protected health information contained
within the patient safety work product.
We seek public comment as to whether
the proposed approach is sufficient to
protect the interests of reporters and
patients identified in the patient safety
work product permitted to be disclosed
pursuant to identifiable provider
authorizations. Does this approach
sufficiently balance the interests of the
patients and reporters and their
confidentiality versus the purposes for
which the providers are authorizing the
disclosures?
The Patient Safety Act does not
specify the form of the authorization by
a provider to come within this
disclosure exception or a timeframe for
recordkeeping. We propose that an
authorization be in writing, be signed by
the authorizing provider, and give
adequate notice to the provider of the
nature and scope of the disclosures
authorized. The content of the
authorization should fairly inform the
provider as to the nature and scope of
the identifiable patient safety work
product to be disclosed to ensure the
provider is making a knowing
authorization. We do not intend that
each authorization identify the specific
patient safety work product to be
disclosed. Such a requirement would be
unworkable in complex health care
arrangements existing today. Rather, an
authorization can be general, (e.g.,
referring to categories of patient safety
work product) and even to patient safety
work product to be created in the future,
so long as the authorization can be
determined to have reasonably informed
the authorizing provider of the scope of
the authorized disclosure. The
authorization requirement also enables
providers to place limits on disclosures
made pursuant to this proposed
exception regarding patient safety work
product identifying the provider. Any
disclosure must be made in accordance
with the terms of the signed
authorization, but we do not require that
any specific terms be included, only
that such terms regarding the scope of
the authorized disclosure of patient
safety work product be adhered to. We
seek public comment on whether a more
stringent standard would be prudent
and workable, such as an authorization
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
process that is disclosure specific (i.e.,
no future application or a one time
disclosure only authorization).
We also propose that any
authorization be maintained by the
disclosing entity or person for a period
of six years from the date of the last
disclosure made in reliance on the
authorization, the limit of time within
which the Secretary must initiate an
enforcement action. While we recognize
that a prudent person disclosing patient
safety work product under this
disclosure will likely maintain records
in order to support a claim that such
disclosure was permissible, nonetheless
we require a six year retention of
authorizations so that, if challenged, the
Secretary may examine authorizations
to determine whether a disclosure was
valid pursuant to this disclosure
provision. While we would not be
monitoring or penalizing a person for
lack of maintenance of an authorization,
the failure to present a valid
authorization will raise significant
concerns regarding the permissibility of
a disclosure pursuant to this
permission.
With respect to compliance with the
HIPAA Privacy Rule for patient safety
work product that contains individually
identifiable health information,
authorization by a provider pursuant to
this permitted disclosure does not
permit a HIPAA covered entity or such
a HIPAA covered entity’s business
associate to release such protected
health information contained in the
patient safety work product under the
HIPAA Privacy Rule. Therefore, either
the individually identifiable health
information must be de-identified or the
release of the individually identifiable
health information must otherwise be
permitted under the HIPAA Privacy
Rule. Because this disclosure does not
limit the purposes for which identifiable
patient safety work product may be
released with the provider’s
authorization, a HIPAA covered entity
would need to review releases on a caseby-case basis to determine if there is an
applicable provision in the HIPAA
Privacy Rule that would otherwise
permit such disclosure.
(4) Proposed § 3.206(b)(4)—Patient
Safety Activities
Section 922(c)(2)(A) of the Public
Health Service Act, 42 U.S.C. 299b–
22(c)(2)(A), permits the disclosure of
identifiable patient safety work product
for patient safety activities. Proposed
§ 3.206(b)(4) permits the disclosure of
identifiable patient safety work product
for patient safety activities (i) by a
provider to a PSO or by a PSO to that
disclosing provider; or (ii) by a provider
PO 00000
Frm 00035
Fmt 4701
Sfmt 4702
8145
or a PSO to a contractor of the provider
or PSO; or (iii) by a PSO to another PSO
or to another provider that has reported
to the PSO, or by a provider to another
provider, provided, in both cases,
certain direct identifiers are removed.
Patient safety activities are the core
mechanism by which providers may
disclose patient safety work product to
obtain external expertise from PSOs.
PSOs may aggregate information from
multiple providers, and communicate
feedback and analyses to providers.
Ultimately, it is through such
communications that much of the
improvement in patient safety may
occur. Thus, the rule needs to facilitate
the communication between a provider
and one or more PSOs.
To further this essential statutory
purpose, we propose to allow providers
to disclose identifiable patient safety
work product to PSOs; one of the ways
that information can become patient
safety work product is through reporting
of it to a PSO. We also propose to allow
PSOs to reciprocally disclose patient
safety work product back to such
providers for patient safety activities.
This free flow of information will
ensure that the statute’s goals of
collecting, aggregating, and analyzing
patient safety event information as well
as disseminating recommendations for
safety and quality improvements are
achieved. Such a dialogue will allow
both providers and PSOs to take a
shared role in the advancement of
patient safety improvements.
In addition, we recognize that there
may be situations where providers and
PSOs want to engage contractors who
are not agents to carry out patient safety
activities. Thus, the proposal would
allow disclosures by providers to their
contractors who are not workforce
members and by PSOs to their
contractors who are not workforce
members. Contractors may not further
disclose patient safety work product,
except to the entity from which they
first received the information. We note
that this limitation does not preclude a
provider or PSO from exercising its
authority under section 922(g)(4) of the
Public Health Service Act, 42 U.S.C.
299b–22(g)(4), to separately delegate its
power to the contractor to make other
disclosures. Although we do not require
a contract between a provider or PSO
and its contractor, we expect that most
providers and PSOs will engage in
prudent practices when disclosing
confidential patient safety work product
for patient safety activities, (i.e.,
ensuring such information is narrowly
used by the contractor solely for the
purpose for which disclosed and
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
8146
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
adequately protected from wrongful
disclosure).
While the permission allows the
necessary communication as between a
single provider and its PSO, such
exchanges may not be sufficient. It is
possible to conceive of meaningful
patient safety activities occurring
between two PSOs or between a PSO
and a provider that is different than the
original reporting provider, or between
two providers. For example, PSOs may
be able to more effectively aggregate
patient safety work product if such
expanded sharing of information is
permitted. Aggregation may help PSOs
pool sufficient information to achieve
contextual nonidentification, in
accordance with § 3.212(a)(ii), but keep
meaningful data in the information
when disclosing to the network of
patient safety databases contemplated in
section 923 of the Public Health Service
Act, 42 U.S.C. 299b–23. Providers may
be able to collaborate and learn more
efficiently about patient safety solutions
if such sharing is permitted. At the same
time, we are concerned that, without
any limitation on such sharing,
providers may be not only reluctant to
disclose patient safety work product,
but also potentially reticent to
participate at all in patient safety
activities, given the sensitive nature of
the information, and the potential lack
of certainty with respect to where the
information might ultimately be
disclosed.
Balancing these concerns, we are
proposing that other than the reporting
relationship between a provider and a
PSO, PSOs be permitted to disclose
patient safety work product to other
PSOs or to other providers that have
reported to the PSO, and providers be
permitted to make disclosures to other
providers, for patient safety activities,
with provider and reporter identifiers in
an anonymized (i.e., with certain direct
identifiers removed, but not
nonidentifiable under the proposed
rule) or encrypted but not fully
nonidentified form. For patient
identifiers, the HIPAA Privacy Rule
limited data set standard would apply.
See 45 CFR 164.514(e). To anonymize
the provider or reporter identifiers in
the patient safety work product, the
disclosing entity must remove the
following direct identifiers of any
providers and of affiliated organizations,
corporate parents, subsidiaries, practice
partners, employers, members of the
workforce, or household members of
such providers: (1) Names; (2) Postal
address information, other than town or
city, State and zip code; (3) Telephone
numbers; (4) Fax numbers; (5)
Electronic mail addresses; (6) Social
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
security numbers or taxpayer
identification numbers; (7) Provider or
practitioner credentialing or DEA
numbers; (8) National provider
identification number; (9) Certificate/
license numbers; (10) Web Universal
Resource Locators (URLs); (11) Internet
Protocol (IP) address numbers; (12)
Biometric identifiers, including finger
and voice prints; and (13) Full face
photographic images and any
comparable images. Removal of such
identifiers may be absolute or may be
done through encryption, provided that
the disclosing entity does not disclose
the key to the encryption or the
mechanism for re-identification.
We have not proposed an unrestricted
disclosure of identifiable patient safety
work product to any person for patient
safety activities. It is our understanding
that disclosures to persons other than
those proposed above do not need
identifiable patient safety work product
and that sufficient information may be
communicated with nonidentifiable
patient safety work product; we seek
comment on this issue. Similarly, we
recognize that nonidentifiable patient
safety work product may have more
limited usefulness due to the removal of
key elements of identification; however,
we have no basis for opening the patient
safety activity disclosure permission
further without specific examples of
beneficial disclosures prohibited by our
proposal.
The exchange of patient safety work
product for patient safety activities
permits extensive sharing among both
providers and PSOs interested in
improving patient safety. As patient
safety work product is disclosed,
however, it continues to be protected by
the confidentiality provisions. The
permission allows continual exchange
of information without breach of
confidentiality. At any time and as
needed, information may be
nonidentified, and the patient safety
activities disclosure may be employed
for this purpose.
Moreover, providers and PSOs are
capable of imposing greater
confidentiality requirements for the
future use and disclosure of the patient
safety work product through private
agreements (see section 922(g)(4) of the
Public Heath Service Act, 42 U.S.C.
299b–22(g)(4)). However, we note that
the government would not be permitted
to apply civil money penalties under
this Part based on a violation of a
private agreement that was not a
violation of the confidentiality
provisions.
PO 00000
Frm 00036
Fmt 4701
Sfmt 4702
Compliance With the HIPAA Privacy
Rule
With respect to compliance with the
HIPAA Privacy Rule, the Patient Safety
Act establishes that PSOs shall be
treated as business associates; and
patient safety activities performed by, or
on behalf of, a covered provider by a
PSO are deemed health care operations
as defined by the HIPAA Privacy Rule.
A HIPAA covered entity is permitted to
use or disclose protected health
information as defined at 45 CFR
160.103 without an individual’s
authorization for its own health care
operations and, in certain circumstances
(which would include patient safety
activities), for the health care operations
of another HIPAA covered entity (e.g.,
HIPAA covered provider) under 45 CFR
164.506. To share protected health
information with another HIPAA
covered entity for that entity’s health
care operations, both HIPAA covered
entities must share a patient
relationship with the individual who is
the subject of the protected health
information and the protected health
information that is shared must pertain
to that relationship.
In addition, in cases where providers
and PSOs share anonymized patient
safety work product, providers may
disclose a limited data set of patient
information. Under 45 CFR
164.514(e)(3), a HIPAA covered entity
may use or disclose a limited data set
for the purpose of health care
operations, including patient safety
activities. Such disclosures, however,
must be accompanied by a data use
agreement, ensuring that the limited
data set recipient will only use or
disclose the protected health
information for limited purposes. See 45
CFR 164.514(e)(4).
We seek comment regarding whether
the HIPAA Privacy Rule definition for
health care operations should contain a
specific reference to patient safety
activities conducted pursuant to this
regulatory scheme. A health care
provider that is a HIPAA covered entity
may not disclose identifiable patient
safety work product that is protected
health information to a PSO unless that
PSO is performing patient safety
activities (as a health care operation) for
that provider. Under this exception for
patient safety activities, a health care
provider that is a HIPAA covered entity
may disclose identifiable patient safety
work product that is protected health
information to another provider (1) for
the sending provider’s patient safety
activities; (2) for the patient safety
activities of an organized health care
arrangement (OHCA) (as defined at 45
E:\FR\FM\12FEP2.SGM
12FEP2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
CFR 160.103) if both the sending and
receiving provider participate in the
OHCA; or (3) to another provider for the
receiving provider’s patient safety
activities if the protected health
information relates to a common patient
(including to determine that there is a
common patient). We further seek
comment regarding whether the
provision permitting the disclosure of
protected health information for health
care operations at 45 CFR 164.506
should be modified to conform to the
patient safety work product disclosures
for patient safety activities set forth
herein.
hsrobinson on PROD1PC76 with PROPOSALS2
(5) Proposed § 3.206(b)(5)—Disclosure
of Nonidentifiable Patient Safety Work
Product
Proposed § 3.206(b)(5) permits the
disclosure of nonidentifiable patient
safety work product when the patient
safety work product meets the standard
for nonidentification in proposed
§ 3.212. This implements section
922(c)(2)(B) of the Public Health Service
Act, 42 U.S.C. 299b–22(c)(2)(B). Under
proposed § 3.206(b)(5), nonidentifiable
patient safety work product may be
disclosed by any entity or person that
holds the nonidentifiable patient safety
work product without violating the
confidentiality provisions. Moreover,
any provider, PSO or responsible person
may nonidentify patient safety work
product. As described in proposed
§ 3.208(b)(ii), nonidentifiable patient
safety work product, once disclosed,
loses its privilege and confidentiality
protection. Thus, it may be redisclosed
by its recipient without any Patient
Safety Act limitations.
Nonidentification Standard
The nonidentification standard is
proposed at § 3.212. However, we will
discuss that standard at this point in the
preamble due to its connection with the
disclosure permission for
nonidentifiable patient safety work
product at proposed § 3.206(b)(5).
Proposed § 3.212 would establish the
standard by which patient safety work
product will be determined
nonidentifiable. The determination of
what constitutes nonidentifiable patient
safety work product is important
because the standard for
nonidentification effectively creates the
boundary between protected and
unprotected patient safety work
product.
Under the Patient Safety Act and this
Part, identifiable patient safety work
product includes information that
identifies any provider or reporter or
contains individually identifiable health
information under the HIPAA Privacy
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
Rule (see 45 CFR 160.103). See section
921(2) of the Public Health Service Act,
42 U.S.C. 299b–21(2). By contrast,
nonidentifiable patient safety work
product does not include information
that permits identification of any
provider, reporter or subject of
individually identifiable health
information. See section 921(3) of the
Public Health Service Act, 42 U.S.C.
299b–21(3).
Because individually identifiable
health information as defined in the
HIPAA Privacy Rule is one element of
identifiable patient safety work product,
the de-identification standard provided
in the HIPAA Privacy Rule applies with
respect to the patient-identifiable
information in the patient safety work
product. Therefore, where patient safety
work product contains individually
identifiable health information, that
information must be de-identified in
accordance with 45 CFR 164.514(a)–(c)
to qualify as nonidentifiable patient
safety work product with respect to
individually identifiable health
information under the Patient Safety
Act.
We propose that patient safety work
product be contextually nonidentifiable
in order to be considered
nonidentifiable for the purposes of this
rule. Contextual nonidentification of
both providers and reporters would
match the standard of de-identification
in the HIPAA Privacy Rule. We are
proposing two methods by which
nonidentification can be accomplished
which are similar to the standards for
de-identification under the HIPAA
Privacy Rule: (1) A statistical method of
nonidentification and (2) the removal of
15 specified categories of direct
identifiers of providers or reporters and
of parties related to the providers and
reporters, including corporate parents,
subsidiaries, practice partners,
employers, workforce members, or
household members, and that the
discloser have no actual knowledge that
the remaining information, alone or in
combination with other information
reasonably available to the intended
recipient, could be used to identify any
provider or reporter (i.e., a contextual
nonidentification standard).
In proposed § 3.212(a)(1), the first
method for rendering patient safety
work product nonidentifiable with
respect to a provider or reporter, we
propose that patient safety work product
can be nonidentified if a person with
appropriate knowledge of and
experience with generally accepted
statistical and scientific principles and
methods for rendering information not
individually identifiable applying such
principles and methods, determines that
PO 00000
Frm 00037
Fmt 4701
Sfmt 4702
8147
the risk is very small that the
information could be used, alone or in
combination with other reasonably
available information, by an anticipated
recipient to identify an identified
provider or reporter.
We believe that this method of
nonidentification may sometimes be
preferable to the safeharbor method
proposed in § 3.212(a)(2) discussed
below and may be especially useful
when aggregating data for populating
the network of patient safety databases
referenced in section 923 of the Public
Health Service Act, 42 U.S.C. 299b–23.
Under this proposal, if a statistician
makes a determination as described
above and documents the analysis,
patient safety work product could be
labeled as nonidentifiable even though
it contains detailed clinical information
and some potentially identifiable
information such as zip codes.
In proposed § 3.212(a)(2), the second
method for rendering patient safety
work product nonidentifiable with
respect to a provider or reporter, we
outline a process as a safeharbor
requiring that the disclosing entity
remove a list of specific typical
identifiers and have no actual
knowledge that the information to be
disclosed could be used, alone or in
combination with other information that
is reasonably available to the intended
recipient, to identify the particular
provider or reporter. We have limited
the knowledge component to that which
is known to be reasonably available to
the intended recipient in order to
provide data custodians with a workable
knowledge standard. With the
contextual nonidentification standard in
place, providers will have the most
confidence that their identities will not
be derived from nonidentifiable
information and will be more likely to
participate in the program. Moreover,
requiring that patient safety work
product be contextually nonidentifiable
is consistent with the de-identification
standard for patient identities, as
described above.
We recognize that the more stringent
the nonidentifiable patient safety work
product standard is, the more cost,
burden, and risk of error in
nonidentification there will be to the
disclosing entity. We also acknowledge
that our proposal introduces uncertainty
and subjectivity into the standard,
making it a harder standard to enforce.
The proposed standard may require the
removal of more clinical and
demographic information than would be
removed in the absence of the
contextual nonidentification
requirement, and the resulting
information would likely be less useful
E:\FR\FM\12FEP2.SGM
12FEP2
8148
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
hsrobinson on PROD1PC76 with PROPOSALS2
to a recipient. This outcome would
particularly impact the network of
patient safety databases of
nonidentifiable patient safety work
product to be established under section
923 of the Public Health Service Act, 42
U.S.C. 299b–23. In particular, the
information that ultimately resides in
the network may have reduced utility
and a reduced capacity to contribute to
the evaluation of patient safety issues.
To mitigate these concerns, this
standard would work in conjunction
with a separate permission for sharing
identifiable patient safety work product
through the patient safety activities
disclosure. Disclosures as patient safety
activities should enable the aggregation
of sufficient patient safety work product
to allow contextual nonidentification
without the removal of all important
specific clinical and demographic
details. We invite comment on the
proposed standards and approaches. For
example, we are interested in knowing
whether, under a contextual
nonidentification standard, it is possible
to have any geographical identifiers; and
if so, at what level of detail (state,
county, zip code). We are also interested
in public comments regarding whether
there are alternative approaches to
standards for entities determining when
health information can reasonably be
considered nonidentifiable.
Re-identification
We permit a provider, PSO, or other
disclosing entity or person to assign a
code or other means of record
identification to allow information
made nonidentifiable to be re-identified
by the disclosing person, provided
certain conditions that further the goal
of confidentiality are met regarding such
code or other means of record
identification. Further, a discloser may
not release any key or other information
that would enable a recipient to reidentify any provider or reporter or
subject of individual identifiable health
information. We propose to permit a reidentification mechanism to facilitate
follow-up inquiries regarding, and
analysis of, nonidentified patient safety
work product that has been disclosed,
such as from users of the network of
patient safety databases when analyzing
national and regional statistics. Such
keys would not be for the purpose of
permitting re-identification of patient
safety work product obtained through
the network of databases. Rather, such
keys would facilitate the investigation of
data anomalies reported to the network,
correction of nonidentifiable records,
and the potential to avoid duplicate
records when richer information may be
made available due to aggregation.
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
Finally, with respect to HIPAA
compliance, we note that, because
nonidentified patient safety work
product will, by definition, be deidentified information under the HIPAA
Privacy Rule, a disclosure under
§ 3.206(b)(5) will not violate the HIPAA
Privacy Rule.
(6) Proposed § 3.206(b)(6)—For Research
Proposed § 3.206(b)(6) describes the
disclosure of identifiable patient safety
work product to entities carrying out
research, evaluations, or demonstration
projects that are funded, certified, or
otherwise sanctioned by rule or other
means by the Secretary. This disclosure
is not for general research. Any research
for which patient safety work product is
disclosed under this exception must be
sanctioned by the Secretary. See section
922(c)(2)(C) of the Public Health Service
Act, 42 U.S.C. 299b–22(c)(2)(C).
Research that is not sanctioned by the
Secretary is insufficient to be a basis for
the disclosure of patient safety work
product under this exception. Further,
although disclosure can be made for any
research, evaluation, or demonstration
project sanctioned by the Secretary, we
expect that most research that may be
subject to this disclosure permission
will be related to the methodologies,
analytic processes, and interpretation,
feedback and quality improvement
results from PSOs, rather than general
medical, or even health services,
research. Patient safety work product
disclosed for research under this
provision continues to be confidential
and privileged.
Section 922(c)(2)(C) of the Public
Health Service Act, 42 U.S.C. 299b–
22(c)(2)(C), requires that patient safety
work product which identifies patients
may only be released to the extent that
protected health information would be
disclosable for research purposes under
the HIPAA Privacy Rule. Under 45 CFR
164.512(i), a HIPAA covered entity may
use or disclose protected health
information for research, without the
individual’s authorization, provided
that there is a waiver (or alteration of
waiver) of authorization by either an
Institutional Review Board (IRB) or a
Privacy Board. The IRB/Privacy Board
evaluates the request against various
criteria that measure the privacy risk to
the individuals who are the subjects of
the protected health information.17 The
17 The following are the waiver criteria at 45 CFR
164.512(i)(2)(ii):
(A) The use or disclosure of protected health
information involves no more than a minimal risk
to the privacy of individuals, based on, at least, the
presence of the following elements:
a. An adequate plan to protect the identifiers from
improper use and disclosure;
PO 00000
Frm 00038
Fmt 4701
Sfmt 4702
HIPAA Privacy Rule only operates with
respect to the identifiable health
information of patients when held by a
HIPAA covered entity or its business
associate, and does not address the
rights of individuals who may otherwise
be the subject of the research.
We tentatively conclude that the
language in the Patient Safety Act that
applies the exception ‘‘to the extent that
disclosure of protected health
information would be allowed for
research purposes under the HIPAA
[Privacy Rule]’’ is intended to apply the
HIPAA Privacy Rule research provisions
at 45 CFR 164.512(i) only to HIPAA
covered entities when they release
identifiable patient safety work product
containing protected health information
for research. This interpretation would
result in the HIPAA Privacy Rule
research standards being preserved in
their application to HIPAA covered
entities without burdening non-covered
entities with HIPAA compliance.
We note that our interpretation of
section 922(c)(2)(C) of the Public Health
Service Act, 42 U.S.C. 299b–22(c)(2)(C),
is not a bar to the disclosure of
identifiable patient safety work product
by entities or persons that are not
HIPAA covered entities. We further note
that for providers, reporters and other
persons identified in patient safety work
product disclosed for research purposes,
the Common Rule, which is applicable
to research conducted or supported by
the Secretary, and the FDA human
subjects protection regulations will
provide appropriate protections to any
natural persons who would be deemed
subjects of the research.
With regard to research, the
incorporation by reference of the HIPAA
Privacy Rule should provide for the
proper alignment of disclosures for
research purposes. However, the
exception under the Patient Safety Act
also refers to evaluations and
demonstration projects. Some of these
activities may meet the definition of
research under the HIPAA Privacy Rule,
while other activities may not result in
generalizable knowledge, but may
b. An adequate plan to destroy the identifiers at
the earliest opportunity consistent with conduct of
the research, unless there is a health or research
justification for retaining the identifiers or such
retention is otherwise required by law; and
c. Adequate written assurances that the protected
health information will not be reused or disclosed
to any other person or entity, except as required by
law, for authorized oversight of the research study,
or for other research for which the use or disclosure
of protected health information would be permitted
by this subpart;
(B) The research could not practicably be
conducted without the waiver or alteration; and
(C) The research could not practicably be
conducted without access to and use of the
protected health information.
E:\FR\FM\12FEP2.SGM
12FEP2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
hsrobinson on PROD1PC76 with PROPOSALS2
nonetheless meet the definition of
health care operations under the HIPAA
Privacy Rule. Where the disclosure of
protected health information for
evaluations and demonstration projects
are permitted as health care operations
under the HIPAA Privacy Rule, HIPAA
covered entities disclosing patient safety
work product that includes protected
health information under this exception
could do so without violation of the
HIPAA Privacy Rule.
(7) Proposed § 3.206(b)(7)—To the Food
and Drug Administration
Section 922(c)(2)(D) of the Public
Health Service Act, 42 U.S.C. 299b–
22(c)(2)(D) permits the disclosure by a
provider to the FDA with respect to a
product or activity regulated by the
FDA. Proposed § 3.206(b)(7) permits the
disclosing by providers of patient safety
work product concerning products or
activities regulated by the Food and
Drug Administration (FDA) to the FDA
or to an entity required to report to the
FDA concerning the quality, safety, or
effectiveness of an FDA-regulated
product or activity. For example,
hospitals and health care professionals
may disclose patient safety work
product concerning the safety of drugs,
medical devices, biological products,
and dietary supplements, or vaccine and
medical device adverse experiences to
the FDA as part of an FDA monitoring
or alert system. The proposed provision
also permits sharing between the FDA,
entities required to report to the FDA
concerning the quality, safety, or
effectiveness of an FDA-regulated
product or activity, and their contractors
for the same purposes. Patient safety
work product disclosed pursuant to this
disclosure permission continues to be
confidential and privileged.
The FDA has monitoring and alert
systems in place to assure the safety of
FDA regulated products. These systems
rely heavily on voluntary reports from
providers, such as hospitals and health
care professionals. Most reports that
hospitals and health care professionals
make directly to the FDA today
concerning drugs, medical devices,
biological products, and dietary
supplements are voluntary, although
health care professionals are required to
report to the FDA certain vaccine
adverse experiences, and user facilities
such as hospitals must report to FDA
some medical device adverse
experiences. Manufacturers of drugs,
devices, and biological products are
required to report to the FDA
concerning adverse experiences, but the
manufacturers themselves must rely on
information provided voluntarily by
product users, including hospitals and
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
health care professionals. There are
three provisions of the Patient Safety
Act that are implicated for reporting to
the FDA: (1) The disclosure for
reporting to the FDA (section
922(c)(2)(D) of the Public Health Service
Act, 42 U.S.C. 299b–22(c)(2)(D)); (2) the
clarification as to what is not patient
safety work product which states that
information ‘‘collected, maintained, or
developed separately, or [that] exists
separately, from a [patient safety
evaluation system]’’ is not patient safety
work product, and which, accordingly,
can be reported for public health
purposes (section 921(7)(B) of the Public
Health Service Act, 42 U.S.C. 299b–
21(7)(B)); and (3) the rule of
construction which preserves required
reporting to the FDA (section 922(g)(6)
of the Public Health Service Act, 42
U.S.C. 299b–22(g)(6)).
The FDA disclosure provision at
proposed § 3.206(b)(7) would be
applicable when patient safety work
product is at issue. For example, the
analysis of events by the provider or
PSO that constitutes patient safety work
product may generate information that
should be reported to the FDA because
it relates to the safety or effectiveness of
an FDA-regulated product or activity.
The exception would allow this patient
safety work product to be disclosed to
the FDA. Privilege and confidentiality
protections would attach to the patient
safety work product disclosed when
received by FDA and continue to apply
to any future disclosures by the FDA.
We tentatively conclude that the
statutory language concerning reporting
‘‘to the FDA’’ includes reporting by the
provider to the persons or entities
regulated by the FDA and that are
required to report to the FDA
concerning the quality, safety, or
effectiveness of an FDA-regulated
product or activity. We propose this
interpretation to allow providers to
report to manufacturers who are
required to report to the FDA, such as
drug manufacturers, without violating
this rule. This interpretation reflects
both the rule of construction which
preserves required reporting to the FDA
and the goals of this statute which are
to improve patient safety.
We further propose at § 3.206(b)(7)(ii)
that the FDA and entities required to
report to the FDA may only further
disclose patient safety work product for
the purpose of evaluating the quality,
safety, or effectiveness of that product or
activity; such further disclosures are
only permitted between the FDA,
entities required to report to the FDA,
their contractors, and disclosing
providers. This permission is crucial to
the effective operation of the FDA’s
PO 00000
Frm 00039
Fmt 4701
Sfmt 4702
8149
activities and to facilitate the purpose
for which the report was made initially.
Thus, the FDA or a drug manufacturer
receiving adverse drug event
information that is patient safety work
product may engage in further
communications with the disclosing
provider(s), for the purpose of
evaluating the quality, safety, or
effectiveness of the particular regulated
product or activity, or may work with
their contractors. Moreover, an entity
regulated by the FDA may further
disclose the information to the FDA;
without this provision, such reporting
would not meet the regulatory intent
that disclosures be to the FDA and a
narrow interpretation could impede the
FDA’s ability to effectuate
improvements through the use of
patient safety work product.
We recognize that there may be
situations where the FDA or entities
required to report to the FDA want to
engage contractors who are not agents
for the purpose of evaluating the
quality, safety, or effectiveness of that
product or activity. Thus, the proposal
would allow disclosures to contractors
who are not workforce members.
Contractors may not further disclose
patient safety work product, except to
the entity from which they first received
the information.
Because Congress did not expressly
include disclosure to FDA-regulated
entities, we seek public comment on our
proposal related to this interpretation of
section 922(c)(2)(D) of the Public Health
Service Act, 42 U.S.C. 299b–22(c)(2)(D).
In particular, we question whether this
interpretation will cause any
unintended consequences to disclosing
providers.
The HIPAA Privacy Rule at 45 CFR
164.512(b) permits HIPAA covered
entities to disclose protected health
information concerning FDA-regulated
activities and products to persons
responsible for collection of information
about the quality, safety, and
effectiveness of those FDA-regulated
activities and products. Therefore,
disclosures under this exception of
patient safety work product containing
protected health information would be
permitted under the HIPAA Privacy
Rule.
(8) Proposed § 3.206(b)(8)—Voluntary
Disclosure to an Accrediting Body
Proposed § 3.206(b)(8) permits the
voluntary disclosure of identifiable
patient safety work product by a
provider to an accrediting body that
accredits the disclosing provider.
Voluntary means not compelled, a
disclosure that the provider
affirmatively chose to make. Patient
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
8150
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
safety work product disclosed pursuant
to this proposed exception continues to
be privileged and confidential.
Under this proposed disclosure, the
identifiable patient safety work product
that would be permitted to be disclosed
must identify the disclosing provider,
given the Patient Safety Act’s explicit
linkage of the disclosing provider to a
body that accredits that specific
provider in this permitted disclosure.
We believe that the only information
that would be relevant to that provider’s
accreditation would be information
about the disclosing provider (i.e.,
actions or inactions of the disclosing
provider), and not information about the
provider’s colleagues or any other
accredited provider. Thus, a provider
may not use this exception to disclose
patient safety work product that is
unrelated to the actual actions of the
disclosing provider, such as information
about the provider’s colleagues or any
other accredited individual or entity.
An issue arises concerning the
identities of other providers, reporters,
or patients contained within the
disclosed patient safety work product.
We considered whether to require the
patient safety work product to be
nonidentifiable as to providers other
than the disclosing provider, since
incidental disclosures of patient safety
work product identifying other
providers, especially if they were also
accredited by the same accrediting
institution, would not be a voluntary
disclosure by those other providers.
However, we do not believe that such an
approach is necessary.
We understand that most providers
that are accredited are large institutions,
and in general their accreditors seek
vast amounts of data during the
accreditation process, some of which
may include identifiers of practitioners
who work in such institutions. We have
preliminarily concluded that the
disclosure of patient safety work
product including practitioners in such
circumstances will be harmless because,
in many cases, the providers will not be
accredited by the institution’s
accrediting body.
Even in circumstances where a nondisclosing provider identified by a
provider voluntarily disclosing to an
accrediting body is subject to the
accrediting body, we believe the
accrediting body will not use the
information. First, we believe it is
unlikely that a provider may have or
seek to disclose patient safety work
product containing information about
the actions or inactions of a provider
also accredited by the same accrediting
body. Second, even if such a disclosure
occurs, although it may not be voluntary
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
as to the non-disclosing provider, we do
not believe the accrediting body will use
such information to take accrediting
actions against the non-disclosing
provider. We would expect that an
accrediting body may ignore or give
little weight to information about
providers not disclosing information
directly to the accrediting body. Such
second hand information may be
incomplete and incorrect. We anticipate
that accrediting bodies would seek to
obtain information about a provider’s
actions directly from the subject
provider rather than second hand.
Furthermore, we propose to limit the
accrediting body’s permission to further
redisclose such patient safety work
product. To ensure that any patient
safety work product in the hands of an
accrediting body that contains provider
identifiers of a provider who did not
voluntarily disclose to such body,
§ 3.206(b)(7)(i) proposes that an
accrediting body may not further
disclose the patient safety work product
that was originally voluntarily
disclosed. As an alternative to this
approach, we could, as proposed in the
patient safety activities disclosure,
require that information with respect to
non-disclosing providers be
anonymized. See preamble discussion at
proposed § 3.206(b)(4). We seek
comments as to whether the problem of
information being disclosed nonvoluntarily to an accrediting body by
non-disclosing providers requires
rendering such information
anonymized.
The accrediting body takes the patient
safety work product subject to the
confidentiality protection, and would
therefore be subject to civil money
penalties for any re-disclosure. The
patient safety work product disclosed
under this permission in the hands of
the accrediting body remains privileged
and confidential, in accordance with the
continued confidentiality provisions at
proposed § 3.208. Thus, it is incumbent
upon the accrediting body to handle and
maintain the patient safety work
product in a way that preserves its
confidential status. Such safeguards
may include maintaining this
information separately from other
accrediting information in a confidential
file, if the other information is not
similarly held confidential.
Additionally, the Patient Safety Act
includes strong provisions limiting the
disclosure of patient safety work
product to accrediting bodies and
limiting the actions an accrediting body
may take to seek patient safety work
product. Proposed § 3.206(b)(8)(ii)
provides that an accrediting body may
not take an accreditation action against
PO 00000
Frm 00040
Fmt 4701
Sfmt 4702
a provider based on that provider’s
participation, in good faith, in the
collection, reporting or development of
patient safety work product. Accrediting
bodies are also prohibited from
requiring a provider to reveal its
communications with any PSO, without
regard to whether such provider
actually reports information to a PSO.
Thus, a provider may disclose patient
safety work product to an accrediting
body voluntarily, but cannot be
compelled or required as a condition of
accreditation to divulge patient safety
work product or communications with a
PSO. This subsection is based on the
statutory requirements at section
922(d)(4)(B) of the Public Health Service
Act, 42 U.S.C. 299b–22(d)(4)(B).
Under the HIPAA Privacy Rule, a
HIPAA covered entity may disclose
protected health information to an
accrediting body for the HIPAA covered
entity’s own health care operations,
provided there is a business associate
agreement with the accrediting body.
Such health care operations include the
activity of accreditation for the HIPAA
covered entity as well as the
accreditation of workforce members.
Thus, providers that are HIPAA covered
entities or are workforce members of a
HIPAA covered entity that hold the
protected health information may
voluntarily disclose identifiable patient
safety work product containing
individually identifiable health
information to an accrediting body that
accredits that provider, provided there
is a business associate agreement
between the HIPAA covered entity and
the accreditation organization.
(9) Proposed § 3.206(b)(9)—Business
Operations
Section 922(c)(2)(F) of the Public
Health Service Act, 42 U.S.C. 299b–
22(c)(2)(F), gives the Secretary authority
to designate additional disclosures as
permissible exceptions to the
confidentiality protection if such
disclosures are necessary for business
operations and are consistent with the
goals of the Patient Safety Act. Any
patient safety work product disclosed
pursuant to a business operations
exception so designated by the Secretary
continues to be confidential and
privileged.
We propose to allow disclosures of
patient safety work product by a
provider or a PSO to professionals such
as attorneys and accountants for the
business operations purposes of the
provider or PSO. A disclosure to an
attorney may be necessary when a
provider is seeking outside legal advice
in defending against a malpractice claim
or other litigation, even though the
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
information would not be admissible as
part of a legal proceeding. A provider
might also need to disclose patient
safety work product to an attorney in
the case of due diligence related to a
merger, sale or acquisition. Similarly, a
provider may need to disclose patient
safety work product to an accountant
who is auditing the books and records
of providers and PSOs. In order to
ensure that such routine business
operations are possible, we propose to
allow disclosures by providers and
PSOs for business operations to
attorneys, accountants, and other
professionals. Professionals such as
those identified are usually bound by
professional ethics to maintain the
confidences of their clients. Such
contractors may not further disclose
patient safety work product, except to
the entity from which it received the
information. We note that this limitation
does not preclude a provider or PSO
from exercising its authority under
section 922(g)(4) of the Public Health
Service Act, 42 U.S.C. 299b–22(g)(4), to
separately delegate its power to the
contractor to make other disclosures.
We note that if a provider or PSO
were to disclose relevant patient safety
work product to such professionals, we
would rely upon the professional’s legal
and ethical constraints not to disclose
the information for any unauthorized
purpose. Our presumption is that
professionals are generally subject to a
set of governing rules. Nonetheless, we
expect that providers and PSOs who
disclose privileged and confidential
information to attorneys, accountants or
other ethically bound professionals for
business purposes will engage in the
prudent practice of ensuring such
information is narrowly used by the
contractor solely for the purpose for
which it was disclosed and adequately
protected from wrongful disclosure.
Because patient safety work product
is specialized and highly confidential
information, we have not conceived of
any other third parties to whom it
would be appropriate to disclose patient
safety work product as a business
operations disclosure. Because we are
not regulating uses, any business
operations need within the entity could
occur unimpeded. Although we
considered whether to adopt an
exception for activities in the operation
of a patient safety evaluation system, we
believe these activities are within the
definition of patient safety activities
and, thus, within the confidentiality
exception proposed at § 3.206(b)(4). We
seek public comment regarding whether
there are any other consultants or
contractors to whom a business
operations disclosure should also be
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
permitted, or whether there are any
additional exceptions for the Secretary’s
consideration under this authority.
Under the HIPAA Privacy Rule, at 45
CFR 164.506, HIPAA covered entities
are permitted to disclose protected
health information for the HIPAA
covered entity’s own health care
operations. ‘‘Health care operations’’ are
certain activities of a HIPAA covered
entity that are necessary to run its
business and to support the core
functions of treatment and payment,
including ‘‘conducting or arranging for
medical review, legal services, and
auditing functions * * *.’’ 45 CFR
164.501. Thus, a business operation
designation by the Secretary that
enables a HIPAA covered entity to
disclose patient safety work product
containing protected health information
to professionals is permissible as health
care operations disclosures under the
HIPAA Privacy Rule. Generally such
professionals would fall within the
definition of business associate at 45
CFR 160.103 and would require a
business associate agreement.
The Secretary’s Business Operations
Exception Designation Authority
Section 922(c)(2)(F) of the Public
Health Service Act, 42 U.S.C. 299b–
22(c)(2)(F), gives the Secretary broad
authority to designate additional
exceptions that are necessary for
business operations and are consistent
with the goals of the Patient Safety Act.
At this point, we plan to designate
additional exceptions only through
regulation. Although the Patient Safety
Act establishes that other means are
available for adoption by the Secretary,
which we interpret as including the
publication of letters, notice within the
Federal Register or publication on the
Department Web site, we believe these
methods may not provide for sufficient
opportunity for public comment or
transparency in the development of
other business operations exceptions.
Moreover, because an impermissible
disclosure that violates a business
operations exception can result in a
civil money penalty, we believe it is
important that any proposed business
operations exception be implemented in
a way that is unquestionably binding on
both the public and the Department. We
invite public comments with respect to
whether the Secretary should
incorporate or preserve other
mechanisms for the adoption of
business operations exceptions, given
that we cannot anticipate all potential
business operations needs at this time.
PO 00000
Frm 00041
Fmt 4701
Sfmt 4702
8151
(10) Proposed § 3.206(b)(10)—Disclosure
to Law Enforcement
Proposed § 3.206(b)(10) permits the
disclosure of identifiable patient safety
work product to law enforcement
authorities, so long as the person
making the disclosure believes—and
that belief is reasonable under the
circumstances—that the patient safety
work product disclosed relates to a
crime and is necessary for criminal law
enforcement purposes. Under proposed
§ 3.208, the disclosed patient safety
work product would continue to be
privileged and confidential.
We view this exception as permitting,
for example, a disclosure by a
whistleblower who would initiate the
disclosure to law enforcement. The
focus of this exception is the state of
mind of the subject discloser. In making
a disclosure, the discloser must
reasonably believe that the event
constitutes a crime and that the patient
safety work product disclosed is
necessary for criminal law enforcement
purposes. The discloser need not be
correct in these determinations, but his
beliefs must be objectively reasonable.
This standard provides some constraint
on the discloser, and further protects
against a release merely in response to
a request by law enforcement.
Patient safety work product received
by law enforcement under this
exception continues to be confidential
and privileged. The law enforcement
entity receiving the patient safety work
product may use the patient safety work
product to pursue any law enforcement
purposes; however, because the patient
safety work product disclosed to law
enforcement entities under the Patient
Safety Act and proposed § 3.206(b)(10)
remains privileged and confidential, the
law enforcement entity can only
disclose such patient safety work
product—including in a court
proceeding—as permitted by this
proposed rule.
We further propose that a law
enforcement entity be permitted to
redisclose the patient safety work
product it receives under this exception
to other law enforcement entities as
needed for law enforcement activities
related to the event that gave rise to the
disclosure. We seek comment regarding
whether these provisions allow for
legitimate law enforcement needs, while
ensuring appropriate protections.
We note that disclosure pursuant to
this exception does not except patient
safety work product from the privilege
protection. Thus, patient safety work
product cannot be subpoenaed, ordered,
or entered into evidence in a criminal or
civil proceeding through this exception;
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
8152
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
nor should a discloser rely solely on a
law enforcement agent’s statement that
such information is necessary for law
enforcement purposes. As already
discussed, the Patient Safety Act
framework permits an exception from
privilege protection or law enforcement
compulsion only in very narrow
circumstances (see above privilege
exception discussion). Under section
922(c)(1)(A) of the Public Health Service
Act, 42 U.S.C. 299b–22(c)(1)(A), patient
safety work product may be disclosed
for use in a criminal proceeding, but
only after a judge has determined by
means of an in camera review that the
patient safety work product is material
to a criminal proceeding and not
reasonably available from any other
source. Even after its use in such a
criminal proceeding, and the lifting of
the confidentiality protections with
respect to such patient safety work
product, the privilege protection
continues. In light of the strict privilege
protections for this information, we do
not interpret this law enforcement
disclosure exception as allowing the
disclosure of patient safety work
product based on a less compelling
request by law enforcement for its
release. The decision as to whether a
discloser reasonably believes that the
patient safety work product is necessary
for a law enforcement purpose is the
discloser’s decision alone, provided that
the decision is reasonable.
While the HIPAA Privacy Rule
permits disclosures by HIPAA covered
entities to law enforcement under a
variety of circumstances, few align well
with the proposed interpretation of this
exception as being limited to
disclosures to law enforcement initiated
by the HIPAA covered entity. Although
there is a very narrow set of HIPAA
Privacy Rule permissions under which
a HIPAA covered entity as a holder of
patient safety work product would be
allowed to release patient safety work
product that contains protected health
information to law enforcement, we
note that a HIPAA covered entity would
be permitted to de-identify the protected
health information, in which case only
the Patient Safety Act would apply to
the disclosure of the patient safety work
product. If the protected health
information is needed by law
enforcement, the HIPAA Privacy Rule
has standards that permit the release of
protected health information in
response to certain law enforcement
processes. If such information is not
patient safety work product, it would
not be subject to the privilege
protections of the Patient Safety Act.
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
(C) Proposed § 3.206(c)—Safe Harbor
Proposed § 3.206(c) is based on
section 922(c)(2)(H) of the Public Health
Service Act, 42 U.S.C. 299b–22(c)(2)(H).
This provision permits the disclosure of
identifiable patient safety work product
when that information does not include
oral or written materials that either
contain an assessment of the quality of
care of an identifiable provider or
describe or pertain to the actions or
failure to act of an identifiable provider.
The use of this exception is limited to
persons other than PSOs. This provision
essentially prohibits the disclosure of a
subject provider’s identity with
information, whether oral or written,
that: (1) Assesses that provider’s quality
of care; or (2) identifies specific acts
attributable to such provider. Thus, a
permissible disclosure may include a
provider’s identity, so long as no
‘‘quality information’’ about the subject
provider is also disclosed and so long as
it does not describe or pertain to an
action or failure to act by the subject
provider.
We propose that the provider identity
element under this exception means the
identity of any provider that is a subject
of the patient safety work product. In
other words, if the patient safety work
product does not contain quality
information about a particular provider
or describe or pertain to any actions or
failures to act by the provider, such
provider could be identifiable within
the patient safety work product
disclosed pursuant to this exception.
For example, if a nurse reports a patient
safety event, but was not otherwise
involved in the occurrence of that event,
the nurse could be named in the
disclosure. Providers that cannot be
identified are those about whom the
patient safety work product assesses the
quality of care or describes or pertains
to actions or failures to act of that
provider. We propose that the threshold
for identification of a provider will be
determined in accordance with the
nonidentification standard set forth in
proposed § 3.210. Thus, confidential
patient safety work product disclosed
under this exception may identify
providers, reporters or patients so long
as the provider(s) that are the subject of
the actions described are nonidentified.
In general, the determination with
respect to the content of quality
information is straightforward. We also
interpret quality information to include
the fact that patient safety work product
exists, without the specifics of the
patient safety event at issue. For
example, if a provider employee
discloses to a friend that a particular
surgeon had an incident reported to the
PO 00000
Frm 00042
Fmt 4701
Sfmt 4702
PSO, without actually describing this
incident, the fact that the surgeon was
associated with patient safety work
product would be a prohibited
disclosure.
This is the only exception that defines
prohibited conduct, rather than
permitted conduct. We recognize that
institutional providers, even
practitioners offices, are communities
unto themselves. We preliminarily
interpret this exception as creating a
narrow safe harbor for disclosures,
possibly inadvertent, which may occur
by a provider or other responsible
person, when the patient safety work
product does not reveal a link between
a subject provider and the provider’s
quality of care or an action or failure to
act by that subject provider. By
proposing this provision as a safe
harbor, we seek to have it available to
mitigate harmless errors, rather than as
a disclosure permission that may render
all other disclosure permissions
practically meaningless.
Under the HIPAA Privacy Rule,
HIPAA covered entities are broadly
permitted to disclose protected health
information for the HIPAA covered
entity’s treatment, payment or health
care operations. Otherwise, specific
standards are described that limit the
use and disclosure of protected health
information. If such disclosure is made
by a HIPAA covered entity, it is possible
that the disclosure of protected health
information would be permissible as a
health care operation, or as incidental to
another permitted disclosure.
Nevertheless, examination of whether a
HIPAA Privacy Rule standard has been
violated will need to be made on a caseby-case basis.
(D) Proposed § 3.206(d)—
Implementation and Enforcement of the
Patient Safety Act
Proposed § 3.206(d) permits the
disclosure of relevant patient safety
work product to or by the Secretary as
needed for investigating or determining
compliance with this Part or for
enforcement of the confidentiality
provisions of this Subpart or in making
or supporting PSO certification or
listing decisions under the Patient
Safety Act and Subpart B of this
regulation. This disclosure parallels the
privilege exception under proposed
§ 3.204(c). Patient safety work product
disclosed under this exception remains
confidential. This exception does not
limit the ability of the Secretary to
disclose patient safety work product in
accordance with the exceptions under
proposed § 3.206(b) or this Part. Rather,
this proposed section provides a
specific permission pursuant to which
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
patient safety work product may be
disclosed to the Secretary and the
Secretary may further use such
disclosed patient safety work product
for compliance and enforcement
purposes.
We propose to permit a disclosure of
patient safety work product in order to
allow the Secretary to obtain such
information as is needed to implement
and enforce this program, both for the
purposes of enforcing the
confidentiality of patient safety work
product and for the oversight of PSOs.
Enforcement of the confidentiality
provisions includes the imposition of
civil money penalties and adherence to
the prohibition against imposing a civil
money penalty for a single act that
violates both the Patient Safety Act and
the HIPAA Privacy Rule. This exception
ensures that there will not be a conflict
between the confidentiality obligations
of a holder of patient safety work
product and other provisions that allow
the Secretary access to protected
information and/or require disclosure to
the Secretary for enforcement purposes.
See proposed §§ 3.110, 3.210, and 3.310.
Although the statute does not explicitly
address this disclosure, we believe that
the authority to disclose to the Secretary
for these purposes is inherent in the
statute, and that this disclosure is
permitted and necessary to
meaningfully exercise our authority to
enforce against breaches of
confidentiality as well as to ensure that
PSOs meet their certification
attestations if needed. Proposed
§ 3.312(c) discusses the limitations on
what the Secretary may do with any
patient safety work product obtained
pursuant to an investigation or
compliance review regarding an alleged
impermissible disclosure.
This proposed provision would
permit the disclosure of patient safety
work product to the Secretary or
disclosure by the Secretary so long as
such disclosure is limited to the
purpose of implementation and
enforcement of these proposed
regulations. Such disclosure would
include the introduction of patient
safety work product into proceedings
before ALJs or the Board under
proposed Subpart D by the Secretary, as
well as the disclosure during
investigations by the Secretary, or
activities in reviewing PSO
certifications by AHRQ. Disclosures of
patient safety work product made to the
Board or other parts of the Department
that are received by workforce members,
such as contractors operating electronic
web portals or mail sorting and paper
scanning services, would be permitted
as a disclosure to the Secretary under
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
this proposed provision. This provision
would also permit the Board to disclose
any patient safety work product in order
to properly review determinations or to
provide records for court review.
We believe strongly in the protection
of patient safety work product as
provided in the Patient Safety Act and
the proposed regulations, and seek to
minimize the risk of improper
disclosure of patient safety work
product by using and disclosing patient
safety work product only in limited and
necessary circumstances. With respect
to disclosures to an ALJ or the Board,
we note that the Board has numerous
administrative, technical and physical
safeguards available to protect sensitive
information. For example, the Board has
the authority to: Enter protective orders;
hold closed hearings; redact records;
anonymize names of cases and parties
prior to publishing opinions; and put
records under seal. It routinely
maintains a controlled environment;
trains staff about proper handling of
confidential information; flags
confidential information in records
prior to archiving cases and shreds
copies of case files, etc. Most
importantly, understanding that any
patient safety work product that is used
in an enforcement proceeding is
sensitive, the Board would seek to
include only information in an opinion
that is necessary to the decision, and
omit any extraneous sensitive
information that is not needed for its
judgments.
This proposed provision also requires
that patient safety work product
disclosed to or by the Secretary must be
necessary for the purpose for which the
disclosure is made. We intend that any
disclosure made pursuant to this
proposed provision be limited in the
amount of patient safety work product
disclosed to accomplish the purpose of
implementation, compliance, and
enforcement. We discuss our
anticipated uses and protections further
in proposed Subpart D.
(E) Proposed § 3.206(e)—No Limitation
on Authority To Limit or Delegate
Disclosure or Use
Proposed § 3.206(e) reflects the
Patient Safety Act’s rule of construction
in section 922(g)(4) of the Public Health
Service Act, 42 U.S.C. 299b–22(g)(4),
establishing that a person holding
patient safety work product may enter
into a contract that requires greater
confidentiality protections or may
delegate its authority to make a
disclosure in accordance with this
Subpart. For example, a provider may
delegate its permission (which it may
have as a provider) to disclose to the
PO 00000
Frm 00043
Fmt 4701
Sfmt 4702
8153
FDA under proposed § 3.206(b)(7) to a
PSO through a contractual arrangement.
In such a case, the PSO would be acting
on behalf of the provider in making
disclosures to the FDA. Without the
delegated permission, it would, in this
scenario, be impermissible for the PSO
to disclose identifiable patient safety
work product to the FDA, and a PSO
that made such a disclosure could be
subject to a civil money penalty.
However, if a delegation of disclosing
authority exists, the delegating person
would be responsible for the disclosures
of the delegee. Thus, in the example
above, if the PSO made an
impermissible disclosure, the delegating
provider could be liable under the
principle of principal liability for the
acts of its agent. The PSO making the
disclosure could also be liable. See
discussion in proposed § 3.402(b).
Neither the statute nor the proposed
rule limits the authority of a provider to
place limitations on disclosures or uses.
For example, a provider may require
that a PSO remove all employee names
prior to disclosing any patient safety
work product despite such disclosure
being permissible under this Subpart
with the names included.
3. Proposed § 3.208—Continued
Protection of Patient Safety Work
Product
Proposed § 3.208 provides that the
privilege and confidentiality protections
continue to apply to patient safety work
product when disclosed and describes
the narrow circumstances when the
protections terminate. Generally, when
identifiable patient safety work product
is disclosed, whether pursuant to a
permitted exception to privilege and/or
confidentiality or disclosed
impermissibly, that patient safety work
product continues to be privileged and
confidential. Any person receiving such
patient safety work product receives
that patient safety work product
pursuant to the privilege and
confidentiality protections. The
receiving person holds the patient safety
work product subject to these
protections and is generally bound by
the same limitations on disclosure and
the potential civil money penalty
liability if he or she discloses the patient
safety work product in a manner that
warrants imposition of a civil money
penalty under proposed Subpart D.
An example would be if identifiable
patient safety work product is disclosed
to a provider’s employee for patient
safety activities, the identifiable patient
safety work product disclosed to the
employee would be confidential and the
employee would be subject to civil
money penalty liability for any knowing
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
8154
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
or reckless disclosure of the patient
safety work product in identifiable form
not permitted by the exceptions.
Similarly, if confidential patient safety
work product is received impermissibly,
such as by an unauthorized computer
access (i.e., hacker), the impermissible
disclosure, even when unintentional,
does not terminate the confidentiality.
Thus, the hacker may be subject to civil
money penalty liability for
impermissible disclosures of that
information.
We do not require that notification of
the privilege and confidentiality of
patient safety work product be made
with each disclosure. We also note that
the Secretary does not have authority to
impose a civil money penalty for an
impermissible breach of the privilege
protection. Rather, any breach of
privilege, permissible or not, would
encompass a disclosure and concurrent
breach of confidentiality, subject to
penalty under the CMP provisions of the
Patient Safety Act and this proposed
rule, unless a confidentiality exception
applied. See the discussion above of
confidentiality protections at proposed
§ 3.206 and the discussion of the
enforcement provisions at proposed
Subpart D.
Nor do we require notification of
either the confidentiality of patient
safety work product or the fact that
patient safety work product is being
disclosed. The Secretary’s authority to
impose a civil money penalty is not
dependent upon whether the disclosing
entity or person knows that the
information being disclosed is patient
safety work product or whether patient
safety work product is confidential (see
discussion under proposed Subpart D).
Thus, we do not require that the
disclosure of patient safety work
product be accompanied by a notice as
to either the fact that the information
disclosed is patient safety work product
or that it is confidential. Labeling does
not make information protected patient
safety work product, and the failure to
label patient safety work product does
not remove the protection. However, we
do believe that such a notification
would be beneficial to the recipient to
alert such recipient to the fact that the
information received should be held in
a confidential manner and that knowing
or reckless disclosure in violation of the
confidentiality protection may subject a
discloser to civil money penalties.
Labeling patient safety work product
may also make it easier for the provider
to establish that such information is
privileged patient safety work product.
Also, a notification may also be prudent
management for providers, PSOs, and
responsible persons who could be
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
subject to liability under agency
principles for actions of disclosing
agents. Moreover, such a notification
policy may serve as a mitigating factor
under the factors outlined under
proposed Subpart D. Similarly, labeling
of patient safety work product may be
a good practice for the internal
management of information by an entity
that holds protected patient safety work
product.
There are two exceptions to the
continued protection of patient safety
work product which terminate either
the confidentiality or both the privilege
and confidentiality under section
922(d)(2) of the Public Health Service
Act, 42 U.S.C. 299b–22(d)(2). The first
exception to continued protection is an
exception to continued confidentiality
when patient safety work product is
disclosed for use in a criminal
proceeding, pursuant to proposed
§§ 3.204(b)(1) and 3.206(b)(1). Proposed
§ 3.204(b)(1) is an exception to privilege
for the particular proceeding at issue
and does not permit the use of such
patient safety work product in other
proceedings or otherwise remove the
privilege protection afforded such
information. Thus, in the case of a
criminal proceeding disclosure, the
privilege continues even though the
confidentiality terminates. In other
words, when a court makes an in
camera determination that patient safety
work product can be entered into a
criminal proceeding, that information
remains privileged for any future
proceedings, but is no longer
confidential and may be further
disclosed without restriction.
The second exception to continued
protection is when patient safety work
product is disclosed in nonidentifiable
form, pursuant to proposed
§§ 3.204(b)(4) and 3.206(b)(5). Under
both of these exceptions, the patient
safety work product disclosed is no
longer confidential, and may be further
disclosed without restriction. The
termination of the continued protections
is based on section 922(d)(2) of the
Public Health Service Act, 42 U.S.C.
299b–22(d)(2).
4. Proposed § 3.210—Required
Disclosure of Patient Safety Work
Product to the Secretary
We are proposing in § 3.210 that
providers, PSOs, and other persons that
hold patient safety work product be
required to disclose such patient safety
work product to the Secretary upon a
determination by the Secretary that such
patient safety work product is needed
for the investigation and enforcement
activities related to this Part, or is
needed in seeking and imposing civil
PO 00000
Frm 00044
Fmt 4701
Sfmt 4702
money penalties. Such patient safety
work product disclosed to the Secretary
will be excepted from privilege and
confidentiality protections insofar as the
Secretary has a need to use such patient
safety work product for the above
purposes which include: accepting,
conditioning, or revoking acceptance of
PSO certification or in supporting such
actions. See proposed § 3.206(d).
5. Proposed § 3.212—Nonidentification
of Patient Safety Work Product
Proposed § 3.210 establishes the
standard by which patient safety work
product will be determined
nonidentifiable. For the ease of the
reader, we have discussed this standard
within the context of proposed
§ 3.206(b)(5), the confidentiality
disclosure exception for nonidentifiable
patient safety work product.
D. Subpart D—Enforcement Program
The authority of the Secretary to
enforce the confidentiality provisions of
the Patient Safety Act is intended to
deter impermissible disclosures of
patient safety work product. Proposed
Subpart D would establish a framework
to enable the Secretary to monitor and
ensure compliance with this Part,
procedures for imposing a civil money
penalty for breach of confidentiality,
and procedures for a hearing contesting
a civil money penalty.
The proposed enforcement program
has been designed to provide maximum
flexibility to the Secretary in addressing
violations of the confidentiality
provisions to encourage participation in
patient safety activities and achieve the
goals of the Patient Safety Act while
safeguarding the confidentiality and
protected nature of patient safety work
product under the Patient Safety Act
and this part. Failures to maintain
confidentiality may be serious,
deleterious and broad-ranging, and, if
unpunished, may discourage
participation by providers in the PSO
voluntary reporting system. The
Secretary’s enforcement authority will
be exercised commensurately to
respond to the nature of any such failure
and the resulting harm from such
failures. The proposed regulations seek
to provide the Secretary with reasonable
discretion, particularly in areas where
the exercise of judgment is called for by
the statute or proposed rules, and to
avoid being overly prescriptive in areas
and causing unintended adverse effects
where it would be helpful to gain
experience with the practical impact of
the proposed rules.
The provisions of section 1128A of
the Social Security Act, 42 U.S.C.
1320a–7a, apply to the imposition of a
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
civil money penalty under section 922(f)
of the Public Health Service Act, 42
U.S.C. 299b–22(f), ‘‘in the same manner
as’’ they apply to the imposition of civil
money penalties under section 1128A
itself. Section 1128A(1) of the Social
Security Act, 42 U.S.C. 1320a–7a(l),
provides that a principal is liable for
penalties for the actions of its agents
acting within the scope of their agency.
Therefore, a provider or PSO will be
responsible for the actions of a
workforce member when such member
discloses patient safety work product in
violation of the confidentiality
provisions while acting within the
scope of the member’s agency
relationship.
Proposed §§ 3.304 through 3.314 are
designed to enable the Secretary to
assist with, monitor, and investigate
alleged failures with respect to
compliance with the confidentiality
provisions. Proposed §§ 3.304 through
3.314 would establish the processes and
procedures for the Secretary to provide
technical assistance with compliance,
for filing complaints with the Secretary,
and for investigations and compliance
reviews performed by the Secretary.
Proposed §§ 3.402 through 3.426 would
provide the legal basis for imposing a
civil money penalty, determining the
amount of a civil money penalty,
implementing the prohibition on the
imposition of a civil money penalty
under both HIPAA and the Patient
Safety Act, and issuing a notice of
proposed determination to impose a
civil money penalty and establishing the
process that would be relevant
subsequent to the issuance of such a
notice, whether or not a hearing follows
the issuance of the notice of proposed
determination. These sections also
would contain provisions on the statute
of limitations, authority to settle,
collection of any penalty imposed for
violation of the confidentiality
provisions, and public notice of the
imposition of such penalties. Finally,
proposed § 3.504 addresses the
administrative hearing phase of the
enforcement process, including
provisions for appellate review within
HHS of a hearing decision and burden
of proof in such proceedings.
Generally, proposed Subpart D is
based on the HIPAA Enforcement Rule,
45 CFR Part 160, Subparts C, D and E.
We have closely followed the HIPAA
Enforcement Rule for several reasons.
First, because civil money penalties
under both the HIPAA Enforcement
Rule and Patient Safety Act are based on
section 1128A of the Social Security
Act, 42 U.S.C. 1320a–7a, we believe
there is benefit in maintaining a
common approach to enforcement and
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
appeals of such civil money penalty
determinations. Second, we believe that
these procedures set forth in the HIPAA
Enforcement Rule, which in turn are
based on the procedures established by
the OIG, work and satisfactorily address
issues raised and addressed in prior
rulemakings by the Department and the
OIG. We do not reiterate those concerns,
or their resolutions, here, but they have
informed our decision making on these
proposed rules.
Proposed §§ 3.504(b)–(d), (f)–(g), (i)–
(k), (m), (n), (t), (w) and (x) of the
proposed rule are unchanged from, or
incorporate the provisions of, the
HIPAA Enforcement Rule. For a full
discussion of the basis for these
proposed sections, please refer to the
proposed and final HIPAA Enforcement
Rule, published on April 18, 2005, at 70
FR 20224 (proposed) and on February
16, 2006, at 71 FR 8390 (final). Although
the preamble discussion of the HIPAA
Enforcement Rule pertains to the HIPAA
Administrative Simplification
provisions, HIPAA covered entities, and
protected health information under
HIPAA, we believe the same
interpretations and analyses are
applicable to the Patient Safety Act
confidentiality provisions, providers,
PSOs, and responsible persons, and
patient safety work product.
Proposed §§ 3.424 and 3.504(a), (e),
(h), (l), (o)–(s), (u) and (v) of the
proposed rule also are based on, or
incorporate, the HIPAA Enforcement
Rule, but include technical changes
made in order to adapt these provisions
to the Patient Safety Act confidentiality
provisions. We discuss these technical
changes below but refer to the proposed
and final HIPAA Enforcement Rule for
a substantive discussion of these
proposed sections.
For the above proposed sections,
while we have chosen not to repeat our
discussion of the rationale for these
regulations, we invite comments
regarding whether any further
substantive or technical changes are
needed to adapt these provisions to the
Patient Safety Act confidentiality
provisions.
The remaining sections in Subpart D
of the proposed rule reprint HIPAA
Enforcement Rule provisions in their
entirety or constitute substantive
changes from the analogous provisions
of the HIPAA Enforcement Rule. We
discuss these proposed sections in full
below.
1. Proposed § 3.304—Principles for
Achieving Compliance
Proposed § 3.304(a) would establish
the principle that the Secretary will seek
the cooperation of providers, PSOs, and
PO 00000
Frm 00045
Fmt 4701
Sfmt 4702
8155
responsible persons in maintaining and
preserving the confidentiality of patient
safety work product, relying on the civil
money penalty authority when
appropriate to remediate violations.
Proposed § 3.304(b) provides that the
Secretary may provide technical
assistance to providers, PSOs, and
responsible persons to help them
comply with the confidentiality
provisions.
We will seek to achieve compliance
through technical assistance and
outreach so that providers, PSOs, and
responsible persons that hold patient
safety work product may better
understand the requirements of the
confidentiality provisions and, thus,
may voluntarily comply by preventing
breaches. However, we believe that the
types of events that are likely to trigger
complaints are actual breaches of
confidentiality which will need
remedial action (such events cannot be
mitigated through preventive measures
alone). Given the existing framework of
peer review systems and other similar
processes, we believe that most
providers and patient safety experts
already have well-established
mechanisms for using sensitive
information while respecting its
confidentiality. Moreover, such persons
will have incentives to maintain the
confidentiality of patient safety work
product each such person possesses in
the future. Thus, while there may be
situations where an issue may be
resolved through technical assistance
and corrective action, we anticipate that
the resolution of complaints of breaches
of confidentiality may warrant
imposition of a civil money penalty to
deter future non-compliance and similar
violations. This Subpart preserves the
discretion of the Secretary to enforce
confidentiality in the manner that best
fits the situation.
The Secretary will exercise discretion
in developing a technical assistance
program that may include the provision
of written material when appropriate to
assist persons in achieving compliance.
We encourage persons to share ‘‘best
practices’’ for the confidential
utilization of patient safety work
product. However, the absence of
technical assistance or guidance may
not be raised as a defense to civil money
penalty liability.
2. Proposed § 3.306—Complaints to the
Secretary
We are proposing in § 3.306 that any
person may file a complaint with the
Secretary if the person believes that a
provider, PSO or responsible person has
disclosed patient safety work product in
violation of the confidentiality
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
8156
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
provisions. A complaint-driven process
would provide helpful information
about the handling and disclosure of
patient safety work product and could
serve to identify particularly
troublesome compliance problems on an
early basis.
The procedures proposed in this
section are modeled on those used for
the HIPAA Enforcement Rule. We
would require: complaints to be in
writing; complainants to identify the
person(s), and describe the acts, alleged
to be out of compliance; and that the
complainant file such complaint within
180 days of when the complainant knew
or should have known that the act
complained of occurred, unless this
time limit is waived by the Secretary for
good cause shown. We have tried to
keep the requirements for filing
complaints as minimal as possible to
facilitate use of this process. The
Secretary would also attempt to keep
the identity of complainants
confidential, if possible. However, we
recognize that it could be necessary to
disclose the identity of a complainant in
order to investigate the substance of the
complaint, and the rules proposed
below would permit such disclosures.
For the same reason that the HIPAA
Enforcement Rule adopted the ‘‘known
or should have known’’ standard for
filing a complaint, we require that
complaints be filed within 180 days of
when the complainant knew or should
have known that the violation
complained of occurred unless this time
limit is waived by the Secretary for good
cause shown. We believe that an
investigation of a complaint is likely to
be most effective if persons can be
interviewed and documents reviewed as
close to the time of the alleged violation
as possible. Requiring that complaints
generally be filed within a certain
period of time increases the likelihood
that the Secretary will be able to obtain
necessary and reliable information in
order to investigate allegations.
Moreover, we are taking this approach
in order to encourage complainants to
file complaints as soon as possible. By
receiving complaints in a timely
fashion, we can, if such complaints
prove valid, reduce the harm caused by
the violation.
In most cases, we expect that the
providers, PSOs, responsible persons,
and/or their employees will be aware of
disclosures of patient safety work
product. Nevertheless, other persons
may become aware of the wrongful
disclosure of patient safety work
product as well. For these reasons, we
do not limit who may file a complaint.
We will accept complaints alleging
violations from any person.
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
Once a complaint is received, the
Secretary will notify the provider, PSO,
or responsible person(s) against whom
the complaint has been filed (i.e., the
respondent), investigate and seek
resolution to any violations based on the
circumstances of the violation, in
accordance with the principles for
achieving compliance. In enforcing the
confidentiality provisions of the Patient
Safety Act, the Secretary will generally
inform the respondent of the nature of
any complaints received against the
respondent. The Secretary will also
generally afford the entity an
opportunity to share information with
the Secretary that may result in an early
resolution.
3. Proposed § 3.308—Compliance
Reviews
We are proposing in § 3.308 that the
Secretary could conduct compliance
reviews to determine whether a
provider, PSO, or responsible person is
in compliance. A compliance review
could be based on information
indicating a possible violation of the
confidentiality provisions even though a
formal complaint has not been filed. As
is the case with a complaint
investigation, a compliance review may
examine the policies, practices or
procedures of a respondent and may
result in voluntary compliance or in a
finding of a violation or no violation
finding.
We believe the Secretary’s ability to
conduct compliance reviews should be
flexible and unobstructed by limitations
or required links to ongoing
investigations. We do not establish any
affirmative criteria for the conduct of a
compliance review. Compliance reviews
may be undertaken without regard to
ongoing investigations or prior conduct.
We recognize that cooperating with
compliance reviews may create some
burden and expense. However, the
Secretary needs to maintain the
flexibility to conduct whatever reviews
are necessary to ensure compliance with
the rule.
We note that, at least in the short
term, HHS will be taking a case-based,
complaint-driven approach to
investigations and enforcement, rather
than focusing resources on compliance
reviews unrelated to any information or
allegations of confidentiality violations.
4. Proposed § 3.310—Responsibilities of
Respondents
Proposed § 3.310 establishes certain
obligations for respondents that would
be necessary to enable the Secretary to
carry out the statutory role to determine
their compliance with the requirements
of the confidentiality provisions.
PO 00000
Frm 00046
Fmt 4701
Sfmt 4702
Respondents would be required to
maintain records as proposed in this
proposed rule, participate as required in
investigations and compliance reviews,
and provide information to the
Secretary upon demand. Respondents
would also be required to disclose
patient safety work product to the
Secretary for investigations and
compliance activities. We interpret the
enforcement provision at section 922(f)
of the Patient Safety Act, 42 U.S.C.
299b–22(f), to allow for such disclosure
to the Secretary for the purpose of
enforcing the confidentiality provisions.
Proposed § 3.310(b) would require
cooperation by respondents with
investigations as well as compliance
reviews.
Proposed § 3.310(c) would provide
that the Secretary must be provided
access to a respondent’s facilities,
books, records, accounts, and other
sources of information, including
patient safety work product. Ordinarily,
the Secretary will provide notice
requesting access during normal
business hours. However, if exigent
circumstances exist, such as where
documents might be hidden or
destroyed, the Secretary may require
access at any time and without notice.
The Secretary will consider alternative
approaches, such as subpoenas or
search warrants, in seeking information
from respondents that are not providers,
PSOs, or a member of their workforce.
5. Proposed § 3.312—Secretarial Action
Regarding Complaints and Compliance
Reviews
Proposed § 3.312(a) provides that, if a
complaint investigation or compliance
review indicates noncompliance, the
Secretary may attempt to resolve the
matter by informal means. If the
Secretary determines that the matter
cannot be resolved by informal means,
the Secretary will issue findings to the
respondent and, if applicable, the
complainant.
Proposed § 3.312(a)(1) provides that,
where noncompliance is indicated, the
Secretary could seek to reach a
resolution of the matter satisfactory to
the Secretary by informal means.
Informal means would include
demonstrated compliance or a
completed corrective action plan or
other agreement. Under this provision,
entering into a corrective action plan or
other agreement would not, in and of
itself, resolve the noncompliance;
rather, the full performance by the
respondent of its obligations under the
corrective action plan or other
agreement would be necessary to
resolve the noncompliance.
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
Proposed §§ 3.312(a)(2) and (3)
address what notifications would be
provided by the Secretary where
noncompliance is indicated, based on
an investigation or compliance review.
Notification under these paragraphs
would not be required where the only
contacts made were with the
complainant to determine whether the
complaint warrants investigation.
Section 3.312(a)(2) proposes written
notice to the respondent and, if the
matter arose from a complaint, the
complainant, where the matter is
resolved by informal means. If the
matter is not resolved by informal
means, proposed § 3.312(a)(3)(i) would
require the Secretary to so inform the
respondent and provide the respondent
30 days in which to raise any mitigating
factors the Secretary should consider in
imposing a civil money penalty. Section
3.312(a)(3)(ii) proposes that, where a
matter is not resolved by informal
means and the Secretary decides that
imposition of a civil money penalty is
warranted based upon a response from
the respondent or expiration of the 30
day response time limit, the formal
finding would be contained in the
notice of proposed determination issued
under proposed § 3.420.
Proposed § 3.312(b) provides that, if
the Secretary finds, after an
investigation or compliance review, no
further action is warranted, the
Secretary will so inform the respondent
and, if the matter arose from a
complaint, the complainant. This
section does not apply where no
investigation or compliance review has
been initiated, such as where a
complaint has been dismissed due to
lack of jurisdiction.
Proposed § 3.312(c) addresses how the
Secretary will handle information
obtained during the course of an
investigation or compliance review.
Under proposed § 3.312(c)(1),
identifiable patient safety work product
obtained by the Secretary in connection
with an investigation or compliance
review under this Part remains subject
to the privilege and confidentiality
protections and will not be disclosed
except in accordance with proposed
§ 3.206(d), if necessary for ascertaining
or enforcing compliance with this part,
or as permitted by this Part or the
Patient Safety Act. In other words, the
Secretary, as with any other entity or
person, would receive patient safety
work product subject to the
confidentiality and privilege
requirements and protections. The
proposed rule strikes a balance between
these protections and enforcement,
providing that the Secretary would not
disclose such patient safety work
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
product, except as may be necessary to
enable the Secretary to ascertain
compliance with this Part, in
enforcement proceedings, or as
otherwise permitted by this Part. We
note that, pursuant to section 922(g)(3)
of the Public Health Service Act, 42
U.S.C. 299b–22(g)(3), as added by the
Patient Safety Act, the Patient Safety
Act does not affect the implementation
of the HIPAA confidentiality regulations
(known as the HIPAA Privacy Rule).
Accordingly, we propose that the
Secretary may use patient safety work
product obtained in connection with an
investigation hereunder to enforce the
HIPAA confidentiality regulations.
Proposed § 3.312(c)(2) provides that,
except for patient safety work product,
testimony and other evidence obtained
in connection with an investigation or
compliance review may be used by HHS
in any of its activities and may be used
or offered into evidence in any
administrative or judicial proceeding.
Such information would include that
which is obtained from investigational
subpoenas and inquiries under
proposed § 3.314. The Department
generally seeks to protect the privacy of
individuals to the fullest extent
possible, while permitting the exchange
of records required to fulfill its
administrative and programmatic
responsibilities. The Freedom of
Information Act, 5 U.S.C. 552, and the
HHS implementing regulation, 45 CFR
Part 5, provide substantial protection for
records about individuals where
disclosure would constitute an
unwarranted invasion of their personal
privacy. Moreover, in enforcing the
Patient Safety Act and its implementing
regulations, OCR plans to continue its
current practice of protecting its
complaint files from disclosure. These
files, thus, would constitute
investigatory records compiled for law
enforcement purposes, one of the
exemptions to disclosure under the
Freedom of Information Act. In the case
of patient safety work product that is
not otherwise subject to a statutory
exception permitting disclosure, the
Patient Safety Act prohibits the
disclosure of such information in
response to a Freedom of Information
Act request. See section 922(a)(3) of the
Public Health Service Act, 42 U.S.C.
299b–22(a)(3).
The Secretary continues to be subject
to the existing HIPAA Enforcement Rule
with respect to the use and disclosure
of protected health information received
by the Secretary in connection with a
HIPAA Privacy Rule investigation or
compliance review (see 45 CFR
160.310(c)(3)); these proposed
PO 00000
Frm 00047
Fmt 4701
Sfmt 4702
8157
provisions do not modify those
regulations.
6. Proposed § 3.314—Investigational
Subpoenas and Inquiries
Proposed § 3.314 provides procedures
for the issuance of subpoenas to require
the attendance and testimony of
witnesses and the production of any
other evidence, including patient safety
work product, during an investigation or
compliance review. We propose to issue
subpoenas in the same manner as 45
CFR 160.314(a)(1)–(5) of the HIPAA
Enforcement Rule, except that the term
‘‘this part’’ shall refer to 42 CFR Part 3.
The language modification is necessary
to reference the appropriate authority.
We also propose that the Secretary is
permitted to conduct investigational
inquiries in the same manner as the
provisions of 45 CFR 160.314(b)(1)–(9)
of the HIPAA Enforcement Rule. The
referenced provisions describe the
manner in which investigational
inquiries will be conducted.
7. Proposed § 3.402—Basis for a Civil
Money Penalty
Under proposed § 3.402, a person who
discloses identifiable patient safety
work product in knowing or reckless
violation of the confidentiality
provisions shall be subject to a civil
money penalty of not more than $10,000
for each act constituting a violation. See
section 922(f)(1) of the Public Health
Service Act, 42 U.S.C. 299b–22(f)(1).
(A) Proposed § 3.402(a)—General Rule
Proposed § 3.402(a) would allow the
Secretary to impose a civil money
penalty on any person which the
Secretary determines has knowingly or
recklessly violated the confidentiality
provisions. This provision is based on
the language in section 922(f) of the
Public Health Service Act, 42 U.S.C.
299b–22(f), that ‘‘a person who discloses
identifiable patient safety work product
in knowing or reckless violation of
subsection (b) shall be subject to a civil
money penalty of not more than $10,000
for each act constituting such
violation.’’
A civil money penalty may only be
imposed if the Secretary first establishes
a wrongful disclosure (i.e., (1) the
information disclosed was identifiable
patient safety work product; (2) the
information was disclosed; and (3) the
manner of the disclosure does not fit
within any permitted exception). If a
wrongful disclosure is established, the
Secretary must then determine whether
the person making the disclosure acted
‘‘knowingly’’ or ‘‘recklessly.’’
The applicable law on the issue of
‘‘knowing’’ provides that ‘‘unless the
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
8158
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
text of the statute dictates a different
result, the term ‘knowingly’ merely
requires proof of knowledge of the facts
that constitute the offense [rather than]
a culpable state of mind or [] knowledge
of the law.’’ Bryan v. United States, 524
U.S. 184 (1998) (emphasis added).
Applying this meaning in the context of
the Patient Safety Act, the Secretary
would not need to prove that the person
making the disclosure knew the law
(i.e., knew that the disclosed
information constituted identifiable
patient safety work product or that such
disclosure did not meet one of the
standards for a permissive disclosure in
the Patient Safety Act). Rather, the
Secretary would only need to show that
the person knew a disclosure was being
made. Although knowledge that
disclosed information is patient safety
work product is not required,
circumstances in which a person can
show no such knowledge and no reason
to know such knowledge may warrant
discretion by the Secretary. By contrast,
as a person’s opportunity for knowledge
and disregard of that opportunity
increases, the Secretary’s compulsion to
exercise discretion not to impose a
penalty declines.
Where a ‘‘knowing’’ violation cannot
be established, the Secretary can still
impose a civil money penalty by
showing that the person was reckless in
making the disclosure of identifiable
patient safety work product. A person
acts recklessly if they are aware, or a
reasonable person in their situation
should be aware, that their conduct
creates a substantial risk of disclosure of
information and to disregard such risk
constitutes a gross deviation from
reasonable conduct. A ‘‘substantial risk’’
represents a significant threshold, more
than the mere possibility of disclosure
of patient safety work product. Whether
a risk is ‘‘substantial’’ is a fact-specific
inquiry. Additionally, whether a
reasonable person in the situation
should know of a risk is based on
context. For example, an employee
whose job duties regularly involve
working with sensitive patient
information may be expected to know of
disclosure risks of which other types of
employees may reasonably be unaware.
Finally, the disregarding of the risk
must be a gross deviation from
reasonable conduct. This gross
deviation standard is commonly used to
describe reckless conduct. See, e.g.,
Model Penal Code § 2A1.4(2006),
definition of ‘‘reckless’’ for purposes of
involuntary manslaughter; Black’s Law
Dictionary (8th ed., 2004). This does not
mean that the conduct itself must be a
gross deviation from reasonable
conduct. Rather, the standard is whether
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
the disregarding of the risk was a gross
deviation (i.e., whether a reasonable
person who is aware of the substantial
risk of making an impermissible
disclosure would find going forward
despite the risk to be grossly
unreasonable). Thus, disclosures that
violate this Part and occur because an
individual acted despite knowing of, or
having reason to know of, a grossly
unreasonable risk of disclosure are
punishable by civil money penalty,
regardless of whether such conduct may
otherwise be widespread in the
industry.
An example of a reckless disclosure of
identifiable patient safety work product
would be leaving a laptop unattended in
a public area and accessible to
unauthorized persons with identifiable
patient safety work product displayed
on the laptop screen. Such a situation
would be reckless because it would
create a substantial risk of disclosure of
the information displayed on the laptop
screen. If a person did not remove the
identifiable patient safety work product
from the laptop screen or take other
measures to prevent the public view of
the laptop screen, then leaving the
laptop unattended would be a disregard
for the substantial risk of disclosure that
would be a gross deviation from
reasonable conduct. Under these
circumstances, the person leaving the
laptop unattended could be liable for a
civil money penalty.
The use of the term ‘‘shall be subject
to’’ in section 922(f) of the Public Health
Service Act, 42 U.S.C. 299b–22(f),
conveys authority to the Secretary to
exercise discretion as to whether to
impose a penalty for a knowing or
reckless violation of the confidentiality
provisions. Based on the nature and
circumstances of a violation and
whether such violation was done in a
knowing or reckless manner, the
Secretary may impose a civil money
penalty, require a corrective action plan,
or seek voluntary compliance with these
regulations.
Even in cases that constitute
violations of the confidentiality
provisions, the Secretary may exercise
discretion. For example, in a situation
where a provider makes a good faith
attempt to assert the patient safety work
product privilege, but is nevertheless
ordered by a court to make a disclosure,
and the provider does so, the Secretary
could elect not to impose a civil money
penalty. Thus, for example, it is not the
Secretary’s intention to impose a civil
money penalty on a provider ordered by
a court to produce patient safety work
product where the provider has
deliberately and in good faith
undertaken reasonable steps to avoid
PO 00000
Frm 00048
Fmt 4701
Sfmt 4702
such production and is, nevertheless,
faced with compelled production or
being held in contempt of court.
Similarly, an individual may
innocently come into possession of
information, unaware of the fact that the
information is patient safety work
product, and may innocently share the
information in a manner not permitted
by the confidentiality provisions. In
such circumstances, the Secretary
would look at the facts and
circumstances of the case and could
elect not to impose a penalty. Relevant
facts and circumstances might include
the individual’s relationship with the
source of the information (e.g., whether
the information originated with a health
care provider or a patient safety
organization for which the individual
was employed); whether, and the extent
to which, the individual had a basis to
know the information was patient safety
work product or to know that the
information was confidential; to whom
the information was disclosed; and the
intent of the individual in making the
disclosure.
(B) Proposed § 3.402(b)—Violations
Attributed to a Principal
The proposed rule includes a
provision, at proposed § 3.402(b), that
addresses the liability of a principal for
a violation by a principal’s agent.
Proposed § 3.402(b) adopts the principle
that the federal common law of agency
applies when addressing the liability of
a principal for the acts of his or her
agent. Under this principle, a provider,
PSO or responsible person generally can
be held liable for a violation based on
the actions of any agent, including an
employee or other workforce member,
acting within the scope of the agency or
employment. This liability is separate
from the underlying liability attributable
to the agent and could result in a
separate and exclusive civil money
penalty. In other words, a principal may
be liable for a $10,000 civil money
penalty and an agent may be liable for
a separate $10,000 civil money penalty
arising from the same act that is a
violation.
Section 922(f)(2) of the Public Health
Service Act, 42 U.S.C. 299b–22(f)(2),
provides that ‘‘the provisions of section
1128A * * * shall apply to civil money
penalties under this subsection [of the
Patient Safety Act] in the same manner
as such provisions apply to a penalty or
proceeding under section 1128A.’’
Section 1128A(l) of the Social Security
Act, 42 U.S.C. 1320a–7a(l), establishes
that ‘‘a principal is liable for penalties
* * * under this section for the actions
of the principal’s agents acting within
the scope of the agency.’’ This is similar
E:\FR\FM\12FEP2.SGM
12FEP2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
hsrobinson on PROD1PC76 with PROPOSALS2
to the traditional rule of agency in
which principals are vicariously liable
for the acts of their agents acting within
the scope of their authority. See Meyer
v. Holley, 537 U.S. 280 (2003).
Therefore, a provider, PSO or
responsible person generally will be
responsible for the actions of its
workforce members within the scope of
agency, such as where an employee
discloses confidential patient safety
work product in violation of the
confidentiality provisions during the
course of his or her employment.
The determination of whether or not
a principal is responsible for a violation
would be based on two fact-dependent
determinations. First, the Secretary
must find that a principal-agent
relationship exists between the person
doing the violative act and the
principal. If a principal-agent
relationship is established, then a
second determination, whether the act
in violation of the confidentiality
provisions was within the scope of the
agency, must be made. The
determination as to whether an agent’s
conduct is outside the scope of the
agency will be dependent upon the
application of the federal common law
of agency to the facts.
The purpose of applying the federal
common law of agency to determine
when a provider, PSO, or responsible
person is vicariously liable for the acts
of its agents is to achieve nationwide
uniformity in the implementation of the
confidentiality provisions and
nationwide consistency in the
enforcement of these rules by OCR.
Reliance on State law could introduce
inconsistency in the implementation of
the patient safety work product
confidentiality provisions by persons or
entities in different States.
Federal Common Law of Agency
A principal’s liability for the actions
of its agents is generally governed by
State law. However, the U.S. Supreme
Court has provided that the federal
common law of agency may be applied
where there is a strong governmental
interest in nationwide uniformity and a
predictable standard, and when the
federal rule in question is interpreting a
federal statute. Burlington Indus. v.
Ellerth, 524 U.S. 742 (1998).
The confidentiality and enforcement
provisions of this regulation interpret a
federal statute, the Patient Safety Act.
Under the Patient Safety Act, there is a
strong interest in nationwide uniformity
in the confidentiality provisions and
how those provisions are enforced. The
fundamental goal of the Patient Safety
Act is to promote the examination and
correction of patient safety events in
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
order to improve patient safety and
create a culture of patient safety in the
health care system. Therefore, it is
essential for the Secretary to apply one
consistent body of law regardless of
where an agent is employed, an alleged
violation occurred, or an action is
brought. The same considerations
support a strong federal interest in the
predictable operation of the
confidentiality provisions, to ensure
that persons using patient safety work
product can do so consistently so as to
facilitate the appropriate exchange of
information. Thus, the tests for
application of the federal common law
of agency are met.
Where the federal common law of
agency applies, the courts often look to
the Restatement (Second) of Agency
(1958) (Restatement) as a basis for
explaining the common law’s
application. While the determination of
whether an agent is acting within the
scope of its authority must be decided
on a case-by-case basis, the Restatement
provides guidelines for this
determination. Section 229 of the
Restatement provides:
(1) To be within the scope of the
employment, conduct must be of the
same general nature as that authorized,
or incidental to the conduct authorized.
(2) In determining whether or not the
conduct, although not authorized, is
nevertheless so similar to or incidental
to the conduct authorized as to be
within the scope of employment, the
following matters of fact are to be
considered;
(a) Whether or not the act is one
commonly done by such servants;
(b) The time, place and purpose of the
act;
(c) The previous relations between the
master and the servant;
(d) The extent to which the business
of the master is apportioned between
different servants;
(e) Whether or not the act is outside
the enterprise of the master or, if within
the enterprise, has not been entrusted to
any servant;
(f) Whether or not the master has
reason to expect that such an act will be
done;
(g) The similarity in quality of the act
done to the act authorized;
(h) Whether or not the instrumentality
by which the harm is done has been
furnished by the master to the servant;
(i) The extent of departure from the
normal method of accomplishing an
authorized result; and
(j) Whether or not the act is seriously
criminal.
In some cases, under federal agency
law, a principal may be liable for an
agent’s acts even if the agent acts
PO 00000
Frm 00049
Fmt 4701
Sfmt 4702
8159
outside the scope of its authority.
Restatement (Second) of Agency section
219 (1958). However, proposed
§ 3.402(b) would follow section
1128A(l) of the Social Security Act, 42
U.S.C. 1320a–7a(l), which limits
liability for the actions of an agent to
those actions that are within the scope
of the agency.
Agents
Various categories of persons may be
agents of a provider, PSO, or responsible
person. These persons include
workforce members. We propose a
slightly expanded definition of
‘‘workforce’’ from the term defined in
the HIPAA Privacy Rule. The proposed
definition of ‘‘workforce’’ includes
employees, volunteers, trainees,
contractors, and other persons whose
conduct, in the performance of work for
a provider, PSO or responsible person,
is under the direct control of such
principal, whether or not they are paid
by the principal. Because of the ‘‘direct
control’’ language of the proposed rule,
we believe that all workforce members,
including those who are not employees,
are agents of a principal. Under the
proposed rule, a principal could be
liable for a violation based on an act that
is a violation by any workforce member
acting within the scope of employment
or agency. The determinative issue is
whether a person is sufficiently under
the control of a person or entity and
acting within the scope of the agency.
Proposed § 3.402(b) creates a
presumption that a workforce member is
an agent of an employer.
8. Proposed § 3.404—Amount of Civil
Money Penalty
Proposed § 3.404, the amount of the
civil money penalty, is determined in
accordance with section 922(f) of the
Public Health Service Act, 42 U.S.C.
299b–22(f), and the provisions of this
Part. Section 922(f)(1) of the Public
Health Service Act, 42 U.S.C. 299b–
22(f)(1), establishes a maximum penalty
amount for violations of ‘‘not more than
$10,000’’ per person for each violation.
The statutory cap is reflected in
proposed § 3.404(b).
The statute establishes only maximum
penalty amounts, so the Secretary has
the discretion to impose penalties that
are less than the statutory maximum.
This proposed regulation would not
establish minimum penalties. Under
proposed § 3.404(a), the penalty amount
would be determined using the factors
set forth in proposed § 3.408, subject to
the statutory maximum reflected in
proposed § 3.404(b).
As stated in the discussion under
proposed § 3.402(b), a principal can be
E:\FR\FM\12FEP2.SGM
12FEP2
8160
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
held liable for the acts of its agent acting
within the scope of the agency. Read
together, with proposed § 3.404(b), if a
principal and an agent are determined
to be liable for a single act that is a
violation, the Secretary may impose a
penalty of up to $10,000 against each
separately. That is, the $10,000 limit
applies to each person separately, not
the act that was a violation. Thus, in the
circumstance where an agent and a
principal are determined to have
violated the confidentiality provisions,
the Secretary may impose a civil money
penalty of up to $10,000 against the
agent and a civil money penalty of up
to $10,000 against the principal, for a
total of $20,000 for a single act that is
a violation.
hsrobinson on PROD1PC76 with PROPOSALS2
9. Proposed § 3.408—Factors
Considered in Determining the Amount
of a Civil Money Penalty
Section 1128A(d) of the Social
Security Act, 42 U.S.C. 1320a-7a(d),
made applicable to the imposition of
civil money penalties by section
922(f)(2) of the Public Health Service
Act, 42 U.S.C. 299b–22(f)(2), requires
that, in determining the amount of ‘‘any
penalty,’’ the Secretary shall take into
account: (1) The nature of the claims
and the circumstances under which
they were presented, (2) the degree of
culpability, history of prior offenses,
and financial condition of the person
presenting the claims, and (3) such
other matters as justice may require.
This language establishes factors to be
considered in determining the amount
of a civil money penalty.
This approach is taken in other
regulations that cross-reference section
1128A of the Social Security Act, 42
U.S.C. 1320a–7a, which rely on these
factors for purposes of determining civil
money penalty amounts. See, for
example, 45 CFR 160.408. The factors
listed in section 1128A(d) of the Social
Security Act, 42 U.S.C. 1320a–7a(d),
were drafted to apply to violations
involving claims for payment under
federally funded health programs.
Because Patient Safety Act violations
will not be about specific claims, we
propose to tailor the section 1128A(d)
factors to violations of the
confidentiality provisions and further
particularize the statutory factors by
providing discrete criteria, as done in
the HIPAA Enforcement Rule and the
OIG regulations that implement section
1128A of the Social Security Act, 42
U.S.C. 1320a–7a. Consistent with these
other regulations, and to provide more
guidance to providers, PSOs, and
responsible persons as to the factors that
would be used in calculating civil
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
money penalties, we propose the
following detailed factors:
(1) The nature of the violation.
(2) The circumstances and
consequences of the violation, including
the time period during which the
violation occurred; and whether the
violation caused physical or financial
harm or reputational damage.
(3) The degree of culpability of the
respondent, including whether the
violation was intentional, and whether
the violation was beyond the direct
control of the respondent.
(4) Any history of prior compliance
with the confidentiality provisions,
including violations, by the respondent,
and whether the current violation is the
same as or similar to prior violation(s),
whether and to what extent the
respondent has attempted to correct
previous violations, how the respondent
has responded to technical assistance
from the Secretary provided in the
context of a compliance effort, and how
the respondent has responded to prior
complaints.
(5) The financial condition of the
respondent, including whether the
respondent had financial difficulties
that affected its ability to comply,
whether the imposition of a civil money
penalty would jeopardize the ability of
the respondent to continue to provide
health care or patient safety activities,
and the size of the respondent.
(6) Such other matters as justice may
require.
For further discussion of these factors,
please see the preambles to the Interim
Final Rule and the Final Rule for the
HIPAA Enforcement Rule at 70 FR
20235–36, Apr. 18, 2005, and 71 FR
8407–09, Feb. 16, 2006. Meeting certain
conditions, such as financial condition,
is a fact-specific determination based
upon the individual circumstances of
the situation presented.
We seek comments regarding whether
the above list of factors should be
expanded to expressly include a factor
for persons who self-report disclosures
that may potentially violate the
confidentiality provisions such that
voluntary self-reporting would be a
mitigating consideration when assessing
a civil money penalty. Voluntary selfreporting may encourage persons to
report breaches of confidentiality,
particularly breaches that may
otherwise go unnoticed, and to
demonstrate the security practices that
led to the discovery of the breach and
how the breach has been remedied.
However, including self-reporting as a
factor may be viewed incorrectly as an
additional reporting obligation to report
every potentially impermissible
disclosure, thereby, unnecessarily
PO 00000
Frm 00050
Fmt 4701
Sfmt 4702
increasing administrative burdens on
the Department and the individuals or
entities making the self-reporting, or it
may interfere with obligations to
identified persons, particularly when a
negotiated, contractual relationship
between a provider and a PSO exists
that addresses how the parties are to
deal with breaches.
Respondents are responsible for
raising any issues that pertain to any of
the factors to the Secretary within 30
days after receiving notice from the
Secretary that informal resolution
attempts have not resolved the issue in
accordance with proposed
§ 3.312(a)(3)(i). The Secretary is under
no obligation to affirmatively raise any
mitigating factor if a respondent fails to
identify the issue. See proposed
§ 3.504(p).
In many regulations that implement
section 1128A of the Social Security
Act, 42 U.S.C. 1320a–7a, the statutory
factors and/or the discrete criteria are
designated as either aggravating or
mitigating. For example, at 42 CFR
1003.106(b)(3) of the OIG regulations,
‘‘history of prior offenses’’ is listed as an
aggravating factor and is applicable as a
factor to a narrow range of prohibited
conduct. However, because proposed
§ 3.408 will apply to a variety of persons
and circumstances, we propose that
factors may be aggravating or mitigating,
depending on the context. For example,
the factor ‘‘time period during which
the violation(s) occurred’’ could be an
aggravating factor if the respondent’s
violation went undetected for a long
period of time or undetected actions
resulted in multiple violations, but
could be a mitigating factor if a violation
was detected and corrected quickly.
This approach is consistent with other
regulations implementing section 1128A
of the Social Security Act, 42 U.S.C.
1320a–7a. See, for example, 45 CFR
160.408.
We propose to leave to the Secretary’s
discretion the decision regarding when
aggravating and mitigating factors will
be taken into account in determining the
amount of a civil money penalty. The
facts of each violation will drive the
determination of whether a particular
factor is aggravating or mitigating.
10. Proposed § 3.414—Limitations
Proposed § 3.414 sets forth the 6-year
limitations period on initiating an
action for imposition of a civil money
penalty provided for by section
1128A(c)(1) of the Social Security Act,
42 U.S.C. 1320a–7a(c)(1). We propose
the date of the occurrence of the
violation be the date from which the
limitation period begins.
E:\FR\FM\12FEP2.SGM
12FEP2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
11. Proposed § 3.416—Authority to
Settle
Proposed § 3.416 states the authority
of the Secretary to settle any issue or
case or to compromise any penalty
during the process addressed in this
Part, including cases that are in hearing.
The first sentence of section 1128A(f) of
the Social Security Act, 42 U.S.C.
1320a–7a(f), made applicable by section
922(f)(2) of the Public Health Service
Act, 42 U.S.C. 299b–22(f)(2), states, in
part, ‘‘civil money penalties * * *
imposed under this section may be
compromised by the Secretary.’’ This
authority to settle is the same as that set
forth in 45 CFR 160.416 of the HIPAA
Enforcement Rule.
hsrobinson on PROD1PC76 with PROPOSALS2
12. Proposed § 3.418—Exclusivity of
Penalty
Proposed § 3.418 makes clear that,
except as noted below, penalties
imposed under this Part are not
intended to be exclusive where a
violation under this Part may also be a
violation of, and subject the respondent
to, penalties under another federal or
State law. This provision is modeled on
42 CFR 1003.108 of the OIG regulations.
Proposed § 3.418(b) repeats the
statutory prohibition against imposing a
penalty under both the Patient Safety
Act and under HIPAA for a single act or
omission that constitutes a violation of
both the Patient Safety Act and HIPAA.
Congress recognized that there could be
overlap between the confidentiality
provisions and the HIPAA Privacy Rule.
Because identifiable patient safety work
product includes individually
identifiable health information as
defined under the HIPAA Privacy Rule,
HIPAA covered entities could be liable
for violations of the HIPAA Privacy Rule
based upon a single disclosure of
identifiable patient safety work product.
We tentatively interpret the Patient
Safety Act as only prohibiting the
imposition of a civil money penalty
under the Patient Safety Act when there
have been civil, as opposed to criminal,
penalties imposed on the respondent
under the HIPAA Privacy Rule for the
same single act or omission. In other
words, a person could have a civil
money penalty imposed against him
under the Patient Safety Act as well as
a criminal penalty under HIPAA for the
same act or omission. However, an act
that amounts to a civil violation of both
the confidentiality provisions and the
HIPAA Privacy Rule would be
enforceable under either authority, but
not both.
The decision regarding which statute
applies to a particular situation will be
made based upon the facts of individual
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
situations. HIPAA covered entities that
seek to disclose confidential patient
safety work product that contains
protected health information must know
when such disclosure is permissible
under both statutes.
13. Proposed § 3.420—Notice of
Proposed Determination
Proposed § 3.420 sets forth the
requirements for the notice to a
respondent sent when the Secretary
proposes a penalty under this Part. This
notice implements the requirement for
notice contained in section 1128A(c)(1)
of the Social Security Act, 42 U.S.C.
1320a–7a(c)(1). These requirements are
substantially the same as those in the
HIPAA Enforcement Rule at 45 CFR
160.420, except for the removal of
provisions related to statistical
sampling.
The notice provided for in this section
must be given whenever a civil money
penalty is proposed. The proposed
requirements of this section serve to
inform any person under investigation
of the basis for the Secretary’s proposed
civil money penalty determination.
These requirements include the
statutory basis for a penalty, a
description of the findings of fact
regarding the violation, the reasons the
violation causes liability, the amount of
the proposed penalty, factors considered
under proposed § 3.408 in determining
the amount of the penalty, and
instructions for responding to the
notice, including the right to a hearing.
At this point in the process, the
Secretary may also send a notice of
proposed determination to a principal
based upon liability for a violation
under proposed § 3.402(b).
14. Proposed § 3.422—Failure To
Request a Hearing
Under proposed § 3.422, when a
respondent does not timely request a
hearing on a proposed civil money
penalty, the Secretary may impose the
civil money penalty or any less severe
civil money penalty permitted by
section 1128A(d)(5) of the Social
Security Act, 42 U.S.C. 1320a–7a(d)(5).
Once the time has expired for the
respondent to file for an appeal, the
Secretary will decide whether to impose
the civil money penalty and provide
notice to the respondent of the civil
money penalty. If the Secretary does
pursue a civil money penalty, the civil
money penalty is final, and the
respondent has no right to appeal a civil
money penalty imposed under these
circumstances. This section is similar to
45 CFR 160.422 of the HIPAA
Enforcement Rule.
PO 00000
Frm 00051
Fmt 4701
Sfmt 4702
8161
For purposes of determining when
subsequent actions may commence,
such as collection of an imposed civil
money penalty, we propose that the
penalty be final upon receipt of a
penalty notice sent by certified mail
return receipt requested.
15. Proposed § 3.424—Collection of
Penalty
Proposed § 3.424 provides that once a
determination to impose a civil money
penalty has become final, the civil
money penalty must be collected by the
Secretary, unless compromised, and
prescribes the methods for collection.
We propose that civil money penalties
be collected as set forth under the
HIPAA Enforcement Rule at 45 CFR
160.424, except that the term ‘‘this part’’
shall refer to 42 CFR Part 3. The
modification is made for the provision
to refer to the appropriate authority.
16. Proposed § 3.426—Notification of
the Public and Other Agencies
Proposed § 3.426 would implement
section 1128A(h) of the Social Security
Act, 42 U.S.C. 1320a–7a(h). When a
civil money penalty proposed by the
Secretary becomes final, section
1128A(h) of the Social Security Act, 42
U.S.C. 1320a–7a(h), directs the
Secretary to notify appropriate State or
local agencies, organizations, and
associations and to provide the reasons
for the civil money penalty. We propose
to add the public generally as a group
that may receive notice, in order to
make the information available to
anyone who must make decisions with
respect to persons that have had a civil
money penalty imposed for violation of
the confidentiality provisions. For
instance, knowledge of the imposition
of a civil money penalty for violation of
the Patient Safety Act could be
important to hospitals, other health care
organizations, health care consumers, as
well as to current and future business
partners throughout the industry.
The basis for this public notice
portion lies in the Freedom of
Information Act, 5 U.S.C. 552. The
Freedom of Information Act requires
final opinions and orders made in
adjudication cases to be made available
for public inspection and copying. See
5 U.S.C. 552(a)(2)(A). While it is true
that section 1128A(h) of the Social
Security Act, 42 U.S.C. 1320a–7a(h),
does not require that such notice be
given to the public, neither does it
prohibit such wider dissemination of
that information, and nothing in section
1128A(h) of the Social Security Act, 42
U.S.C. 1320a–7a(h), suggests that it
modifies the Secretary’s obligations
under the Freedom of Information Act.
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
8162
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
The Freedom of Information Act
requires making final orders or opinions
available for public inspection and
copying by ‘‘computer
telecommunication * * * or other
electronic means,’’ which would
encompass a display on the
Department’s Web site. See 5 U.S.C.
552(a)(2).
A civil money penalty is considered
to be final, for purposes of notification,
when it is a final agency action (i.e., the
time for administrative appeal has run
or the adverse administrative finding
has otherwise become final). The final
opinion or order that is subject to the
notification provisions of this section is
the notice of proposed determination, if
a request for hearing is not timely filed,
the decision of the ALJ, if that is not
appealed, or the final decision of the
Board.
Currently final decisions of the ALJs
and the Board are made public via the
Board’s Web site. See https://
www.hhs.gov/dab/search.html. Such
postings, however, would not include
penalties that become final because a
request for hearing was not filed under
proposed § 3.504(a). Under proposed
§ 3.426, notices of proposed
determination under proposed § 3.420
that become final because a hearing has
not been timely requested, would also
be made available for public inspection
and copying as final orders, with
appropriate redaction of any patient
safety work product or other
confidential information, via OCR’s Web
site. See the OCR patient safety Web site
at https://www.hhs.gov/ocr/PSQIA. By
making the entire final opinion or order
available to the public, the facts
underlying the penalty determination
and the law applied to those facts will
be apparent. Given that information, the
public may discern the nature and
extent of the violation as well as the
basis for imposition of the civil money
penalty.
The regulatory language would
provide for notification in such manner
as the Secretary deems appropriate.
Posting to a Department Web site and/
or the periodic publication of a notice
in the Federal Register are among the
methods which the Secretary is
considering using for the efficient
dissemination of such information.
These methods would avoid the need
for the Secretary to determine which
entities, among a potentially large
universe, should be notified and would
also permit the general public served by
providers, PSOs, and responsible
persons upon whom civil money
penalties have been imposed—as well
as their business partners—to be
apprised of this fact, where that
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
information is of interest to them. While
the Secretary could provide notice to
individual agencies where desired, the
Secretary could, at his option, use a
single public method of notice, such as
posting to a Department Web site, to
satisfy the obligation to notify the
specified agencies and the public.
17. Proposed § 3.504—Procedures for
Hearings
Proposed § 3.504 is a compilation of
procedures related to administrative
hearings on civil money penalties
imposed by the Secretary. The proposed
section sets forth the authority of the
ALJ, the rights and burdens of proof of
the parties, requirements for the
exchange of information and prehearing, hearing, and post-hearing
processes. These individual sections are
described in greater detail below.
This proposed section crossreferences the HIPAA Enforcement Rule
extensively due to the similar nature of
the enforcement and appeal procedures,
the nature of the issues and substance
presented, and the parties most affected
by these proposed regulations. We
intend that the provisions of the HIPAA
Enforcement Rule will be applied to the
imposition of civil money penalties
under this Subpart in the same manner
as they are applied to violations of the
HIPAA administrative simplification
provisions, subject to any modifications
set forth in proposed § 3.504. We believe
the best and most efficient manner of
achieving this result is through
explicitly referencing and adopting the
relevant provisions of the HIPAA
Enforcement Rule. Where modifications
are necessary to address the differences
between the appeals of determinations
under the HIPAA Enforcement Rule and
the Patient Safety Act, we have made
specific exceptions that we discuss
below.
We note that the recently published
Notice of Proposed Rulemaking entitled
‘‘Revisions to Procedures for the
Departmental Appeals Board and Other
Departmental Hearings’’ (see 72 FR
73708 (December 28, 2007)) proposes to
modify the HIPAA Enforcement Rule,
which we reference extensively in this
proposed rule. Our intent for the patient
safety regulations would be to maintain
the alignment between the patient safety
enforcement process and the HIPAA
Enforcement Rule, as stated previously.
Should the amendments to the HIPAA
Enforcement Rule become final based
on that Notice of Proposed Rulemaking,
our intent would be to incorporate those
changes in any final rulemaking here.
That Notice of Proposed Rulemaking
proposes to amend 45 CFR 160.508(c)
and 45 CFR 160.548, and to add a new
PO 00000
Frm 00052
Fmt 4701
Sfmt 4702
provision, 45 CFR 160.554, providing
that the Secretary may review all ALJ
decisions that the Board has declined to
review and all Board decisions for error
in applying statutes, regulations or
interpretive policy.
18. Proposed § 3.504(a)—Hearings
Before an ALJ
Proposed § 3.504(a) provides the time
and manner in which a hearing must be
requested, or dismissed when not timely
requested. This proposed section
applies the same regulations as the
HIPAA Enforcement Rule cited at 45
CFR 160.504(a)–(d), except that the
language in paragraph (c) of 45 CFR
160.504 following and including
‘‘except that’’ does not apply. The
excluded provision refers to the ability
of respondents to raise an affirmative
defense under 45 CFR 160.410(b)(1) for
which we have not adopted a
comparable provision because the
provision implements a statutory
defense unique to HIPAA.
19. Proposed § 3.504(b)—Rights of the
Parties
Proposed § 3.504(b) provides that the
rights of the parties not specifically
provided elsewhere in this Part shall be
the same as those provided in 45 CFR
160.506 of the HIPAA Enforcement
Rule.
20. Proposed § 3.504(c)—Authority of
the ALJ
Proposed § 3.504(c) provides that the
general guidelines and authority of the
ALJ shall be the same as provided in the
HIPAA Enforcement Rule at 45 CFR
160.508(a)–(c)(4). We exclude the
provision at 45 CFR 160.508(c)(5)
because there is no requirement under
the Patient Safety Act for remedied
violations based on reasonable cause to
be insulated from liability for a civil
money penalty.
21. Proposed § 3.504(d)—Ex parte
Contacts
Proposed § 3.504(d) is designed to
ensure the fairness of the hearing by
prohibiting ex-parte contacts with the
ALJ on matters at issue. We propose to
incorporate the same restrictions as
provided for in the HIPAA Enforcement
Rule at 45 CFR 160.510.
22. Proposed § 3.504(e)—Prehearing
Conferences
Proposed § 3.504(e) adopts the same
provisions as govern prehearing
conferences in the HIPAA Enforcement
Rule at 45 CFR 160.512, except that the
term ‘‘identifiable patient safety work
product’’ is substituted for
‘‘individually identifiable health
E:\FR\FM\12FEP2.SGM
12FEP2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
information.’’ Under this proposed
provision, the ALJ is required to
schedule at least one prehearing
conference, in order to narrow the
issues to be addressed at the hearing
and, thus, expedite the formal hearing
process, and to prescribe a timeframe for
prehearings.
23. Proposed § 3.504(f)—Authority To
Settle
Proposed § 3.504(f) adopts 45 CFR
160.514 of the HIPAA Enforcement
Rule. This proposal provides that the
Secretary has exclusive authority to
settle any issue or case at any time and
need not obtain the consent of the ALJ.
hsrobinson on PROD1PC76 with PROPOSALS2
24. Proposed § 3.504(g)—Discovery
We propose in § 3.504(g) to adopt the
discovery procedures as provided for in
the HIPAA Enforcement Rule at 45 CFR
160.516. These provisions allow limited
discovery in the form of the production
for inspection and copying of
documents that are relevant and
material to the issues before the ALJ.
These provisions do not authorize other
forms of discovery, such as depositions
and interrogatories.
Although the adoption of 45 CFR
160.516 would permit parties to raise
claims of privilege and permit an ALJ to
deny a motion to compel privileged
information, a respondent could not
claim privilege, and an ALJ could not
deny a motion to compel, if the
Secretary seeks patient safety work
product relevant to the alleged
confidentiality violation because the
patient safety work product would not
be privileged under proposed § 3.204(c).
Under this proposal, a respondent
concerned with potential public access
to patient safety work product may raise
the issue before the ALJ and seek a
protective order. The ALJ may, for good
cause shown, order appropriate
redactions made to the record after
hearing. See proposed § 3.504(s).
25. Proposed § 3.504(h)—Exchange of
Witness Lists, Witness Statements, and
Exhibits
Proposed § 3.504(h) provides for the
prehearing exchange of certain
documents, including witness lists,
copies of prior statements of witnesses,
and copies of hearing exhibits. We
propose that the requirements set forth
in 45 CFR 160.518 of the HIPAA
Enforcement Rule shall apply, except
that the language in paragraph (a) of 45
CFR 160.518 following and including
‘‘except that’’ shall not apply. We
exclude the provisions relating to the
provision of a statistical expert’s report
not less than 30 days before a scheduled
hearing because we do not propose
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
language permitting the use of statistical
sampling to estimate the number of
violations.
26. Proposed § 3.504(i)—Subpoenas for
Attendance at Hearing
Proposed § 3.504(i) provides
procedures for the ALJ to issue
subpoenas for witnesses to appear at a
hearing and for parties and prospective
witnesses to contest such subpoenas.
We propose to adopt the same
regulations as provided at 45 CFR
160.520 of the HIPAA Enforcement
Rule.
27. Proposed § 3.504(j)—Fees
Proposed § 3.504(j) provides for the
payment of witness fees by the party
requesting a subpoena. We propose that
the fees requirements be the same as
those provided in 45 CFR 160.522 of the
HIPAA Enforcement Rule.
28. Proposed § 3.504(k)—Form, Filing
and Service of Papers
Proposed § 3.504(k) provides
requirements for documents filed with
the ALJ. We propose to adopt the
requirements of 45 CFR 160.524 of the
HIPAA Enforcement Rule.
29. Proposed § 3.504(l)—Computation of
Time
Proposed § 3.504(l) provides the
method for computing time periods
under this Part. We propose to adopt the
requirements of 45 CFR 160.526 of the
HIPAA Enforcement Rule, except the
term ‘‘this subpart’’ shall refer to 42 CFR
Part 3, Subpart D and the citation
‘‘§ 3.504(a) of 42 CFR Part 3’’ shall be
substituted for the citation ‘‘§ 160.504.’’
30. Proposed § 3.504(m)—Motions
Proposed § 3.504(m) provides
requirements for the content of motions
and the time allowed for responses. We
propose to adopt the requirements of 45
CFR 160.528 of the HIPAA Enforcement
Rule.
31. Proposed § 3.504(n)—Sanctions
Proposed § 3.504(n) provides the
sanctions an ALJ may impose on parties
and their representatives for failing to
comply with an order or procedure,
failing to defend an action, or other
misconduct. We propose to adopt the
provisions of 45 CFR 160.530 of the
HIPAA Enforcement Rule.
32. Proposed § 3.504(o)—Collateral
Estoppel
Proposed § 3.504(o) would adopt the
doctrine of collateral estoppel with
respect to a final decision of an
administrative agency. Collateral
estoppel means that determinations
PO 00000
Frm 00053
Fmt 4701
Sfmt 4702
8163
made with respect to issues litigated
and determined in a proceeding
between two parties will bind the
respective parties in later disputes
concerning the same issues and parties.
We propose to adopt the provisions of
45 CFR 160.532 of the HIPAA
Enforcement Rule, except that the term
‘‘a confidentiality provision’’ shall be
substituted for the term ‘‘an
administrative simplification
provision’’.
33. Proposed § 3.504(p)—The Hearing
Proposed § 3.504(p) provides for a
public hearing on the record, the burden
of proof at the hearing and the
admission of rebuttal evidence. We
propose to adopt the provisions of 45
CFR 160.534 of the HIPAA Enforcement
Rule, except the following text shall be
substituted for § 160.534(b)(1): ‘‘The
respondent has the burden of going
forward and the burden of persuasion
with respect to any challenge to the
amount of a proposed penalty pursuant
to §§ 3.404–3.408 of 42 CFR Part 3,
including any factors raised as
mitigating factors.’’ We propose to adopt
this new language for § 160.534(b)(1)
because references to affirmative
defenses in the excluded text are not
applicable in the context of the Patient
Safety Act as such defenses are under
the HIPAA Enforcement Rule; nor does
the Patient Safety Act include
provisions for the waiver or reduction of
a civil money penalty in accordance
with 45 CFR 160.412.
45 CFR 160.534(c) states that the
hearing must be open to the public
unless otherwise ordered by the ALJ for
good cause shown. In proposed
§ 3.504(p) of this Subpart, we propose
that good cause shown under 45 CFR
160.534(c) may be that identifiable
patient safety work product has been
introduced into evidence or is expected
to be introduced into evidence.
Protecting patient safety work product is
important and is an issue about which
all parties and the ALJ should be
concerned.
34. Proposed § 3.504(q)—Witnesses
Under proposed § 3.504(q), the ALJ
may allow oral testimony to be admitted
or provided in the form of a written
statement or deposition so long as the
opposing party has a sufficient
opportunity to subpoena the person
whose statement is being offered. We
propose to adopt the provisions of 45
CFR 160.538 of the HIPAA Enforcement
Rule, except that the citation ‘‘§ 3.504(h)
of 42 CFR Part 3’’ shall be substituted
for the citation ‘‘§ 160.518.’’
E:\FR\FM\12FEP2.SGM
12FEP2
8164
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
35. Proposed § 3.504(r)—Evidence
Proposed § 3.504(r) would provide
guidelines for the acceptance of
evidence in hearings. We propose to
adopt the provisions of 45 CFR 160.540
of the HIPAA Enforcement Rule, except
that the citation ‘‘§ 3.420 of 42 CFR Part
3’’ shall be substituted for the citation
‘‘§ 160.420 of this part’’.
In the same manner as the exception
to privilege for enforcement activities
under § 3.204(c) applies to proposed
§ 3.504(g), the exception to privilege
applies under proposed § 3.504(r) as
well. Although the adoption of 45 CFR
160.540(e) would permit parties to raise
claims of privilege and permit an ALJ to
exclude from evidence privileged
information, a respondent could not
claim privilege and an ALJ could not
exclude identifiable patient safety work
product if the Secretary seeks to
introduce that patient safety work
product because disclosure of the
patient safety work product would not
be a violation of the privilege and
confidentiality provisions under
proposed § 3.204(c).
36. Proposed § 3.504(s)—The Record
Proposed § 3.504(s) provides for
recording and transcription of the
hearing, and for the record to be
available for inspection and copying by
any person. We propose to adopt the
provisions at 45 CFR 160.542 of the
HIPAA Enforcement Rule. We also
propose to provide that good cause for
making appropriate redactions includes
the presence of identifiable patient
safety work product in the record.
37. Proposed § 3.504(t)—Post-Hearing
Briefs
Proposed § 3.504(t) provides that the
ALJ has the discretion to order posthearing briefs, although the parties may
file post-hearing briefs in any event if
they desire. We propose to adopt the
provisions of 45 CFR 160.544 of the
HIPAA Enforcement Rule.
hsrobinson on PROD1PC76 with PROPOSALS2
38. Proposed § 3.504(u)—ALJ’s Decision
Proposed § 3.504(u) provides that not
later than 60 days after the filing of posthearing briefs, the ALJ shall serve on the
parties a decision making specific
findings of fact and conclusions of law.
The ALJ’s decision is the final decision
of the Secretary, and will be final and
binding on the parties 60 days from the
date of service of the ALJ decision,
unless it is timely appealed by either
party. We propose to adopt the
provisions of 45 CFR 160.546 of the
HIPAA Enforcement Rule, except the
citation ‘‘§ 3.504(v) of 42 CFR Part 3’’
shall be substituted for ‘‘§ 160.548.’’
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
39. Proposed § 3.504(v)—Appeal of the
ALJ’s Decision
Proposed § 3.504(v) provides for
manner and time for review of an ALJ’s
decision regarding penalties imposed
under this Part and subsequent judicial
review. We propose to adopt the same
provisions as 45 CFR 160.548 of the
HIPAA Enforcement Rule, except the
following language in paragraph (e) of
45 CFR 160.548 shall not apply: ‘‘Except
for an affirmative defense under
§ 160.410(b)(1) of this part.’’ We exclude
this language because the Patient Safety
Act does not provide for affirmative
defenses in the same manner as HIPAA.
40. Proposed § 3.504(w)—Stay of the
Secretary’s Decision
Proposed § 3.504(w) provides that a
respondent may request a stay of the
effective date of a penalty pending
judicial review. We propose to adopt the
provisions of 45 CFR 160.550 of the
HIPAA Enforcement Rule to govern this
process.
41. Proposed § 3.504(x)—Harmless Error
Proposed § 3.504(x) adopts the
‘‘harmless error’’ standard as expressed
in the HIPAA Enforcement Rule at 45
CFR 160.522. This proposed rule
provides that the ALJ and the Board at
every stage of the proceeding will
disregard any error or defect in the
proceeding that does not affect the
substantial rights of the parties.
IV. Impact Statement and Other
Required Analyses
Unfunded Mandates Reform Act
Section 202 of the Unfunded
Mandates Reform Act requires that a
covered agency prepare a budgetary
impact statement before promulgating a
rule that includes any Federal mandate
that may result in the expenditure by
State, local, and Tribal governments, in
the aggregate, or by the private sector, of
$100 million or more in any one year.
The Department has determined that
this proposed rule would not impose a
mandate that will result in the
expenditure by State, Local, and Tribal
governments, in the aggregate, or by the
private sector, of more than $100
million in any one year.
Paperwork Reduction Act
This notice of proposed rulemaking
adding a new Part 3 to volume 42 of the
Code of Federal Regulations contains
information collection requirements.
This summary includes the estimated
costs and assumptions for the
paperwork requirements related to this
proposed rule. A copy of the
information collection request will be
PO 00000
Frm 00054
Fmt 4701
Sfmt 4702
available on the PSO Web site
(www.pso.ahrq.gov) and can be obtained
in hardcopy by contacting Susan
Grinder at the Center for Quality
Improvement and Patient Safety, AHRQ,
(301) 427–1111 (o); (301) 427–1341
(fax). These paperwork requirements
have been submitted to the Office of
Management and Budget for review
under number xxxx–xxxx as required by
44 U.S.C. 3507(a)(1)(c) of the Paperwork
Reduction Act of 1995, as amended
(PRA). Respondents are not required to
respond to any collection of information
unless it displays a current valid OMB
control number.
With respect to proposed § 3.102
concerning the submission of
certifications for initial and continued
listing as a PSO, and of updated
information, all such information would
be submitted on Form SF–XXXX. To
maintain its listing, a PSO must also
submit a brief attestation, once every 24month period after its initial date of
listing, submitted on Form SF–XXXX,
stating that it has entered contracts with
two providers. We estimate that the
proposed rule would create an average
burden of 30 minutes annually for each
entity that seeks to become a PSO to
complete the necessary certification
forms. Table 1 summarizes burden
hours.
TABLE 1.—TOTAL BURDEN HOURS
RELATED TO CERTIFICATION FORMS
[Summary of all burden hours, by Provision,
for PSOs]
Provision
3.112 ..............
Annualized burden hours
30 minutes.
HHS is working with OMB to obtain
approval of the associated burden in
accordance with the Paperwork
Reduction Act of 1995 (44 U.S.C.
3507(d)) before the effective date of the
final rule. Comments on this proposed
information collection should be
directed to Susan Grinder, by sending
an e-mail to Psosupport@ahrq.hhs.gov
or sending a fax to (301) 427–1341.
Under 5 CFR 1320.3(c), a covered
collection of information includes the
requirement by an agency of a
disclosure of information to third
parties by means of identical reporting,
recordkeeping, or disclosure
requirements, imposed on ten or more
persons. The proposed rule reflects the
previously established reporting
requirements for breach of
confidentiality applicable to business
associates under HIPAA regulations
requiring contracts top contain a
provision requiring the business
associate (in this case, the PSO) to notify
E:\FR\FM\12FEP2.SGM
12FEP2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
hsrobinson on PROD1PC76 with PROPOSALS2
providers of breaches of their
identifiable patient data’s
confidentiality or security. Accordingly,
this reporting requirement referenced in
the regulation previously met
Paperwork Reduction Act review
requirements.
The proposed rule requires in
proposed § 3.108(c) that a PSO notify
the Secretary if it intends to relinquish
voluntarily its status as a PSO. The
entity would be required to notify the
Secretary that it has, or will soon, alert
providers and other organizations from
which it has received patient safety
work product or data of its intention
and provide for the appropriate
disposition of the data in consultation
with each source of patient safety work
product or data held by the entity. In
addition, the entity is asked to provide
the Secretary with current contact
information for further communication
from the Secretary as the entity ceases
operations. The reporting aspect of this
requirement is essentially an attestation
that is equivalent to the requirements
for listing, continued listing, and
meeting the minimum contracts
requirement. This minimal data
requirement would come within 5 CFR
1320.3(h)(1) which provides an
exception from PRA requirements for
affirmations, certifications, or
acknowledgments as long as they entail
no burden other than that necessary to
identify the respondent, the date, the
respondent’s address, and the nature of
the instrument. In this case, the nature
of the instrument would be an
attestation that the PSO is working with
its providers for the orderly cessation of
activities. The following other
collections of information that would be
required by the proposed regulation
under proposed § 3.108 are also exempt
from PRA requirements pursuant to an
exception in 5 CFR 1320.4 for
information gathered as part of
administrative investigations and
actions regarding specific parties:
information supplied in response to
preliminary agency determinations of
PSO deficiencies or in response to
proposed revocation and delisting (e.g.,
information providing the agency with
correct facts, reporting corrective
actions taken, or appealing proposed
agency revocation decisions).
Federalism
Executive Order 13132 establishes
certain requirements that an agency
must meet when it promulgates a
proposed rule (and subsequent final
rule) that imposes substantial direct
requirement costs on state and local
governments, preempts State law, or
otherwise has Federalism implications.
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
8165
The Patient Safety Act upon which the
proposed regulation is based makes
patient safety work product confidential
and privileged. To the extent this would
not be consistent with any state law,
including court decisions, the Federal
statute would preempt such state law or
court order. The proposed rule (and
subsequent final rule) will not have any
greater preemptive effect on state or
local governments than that imposed by
the statute. While the Patient Safety Act
does establish new Federal
confidentiality and privilege protections
for certain information, these
protections only apply when health care
providers work with PSOs and new
processes, such as patient safety
evaluation systems, that do not
currently exist. These Federal data
protections provide a mechanism for
protection of sensitive information that
could improve the quality, safety, and
outcomes of health care by fostering a
non-threatening environment in which
information about adverse medical
events and near misses can be
discussed. It is hoped that confidential
analysis of patient safety events will
reduce the occurrence of adverse
medical events and, thereby, reduce the
costs arising from such events,
including costs incurred by state and
local governments attributable to such
events.
AHRQ, in conjunction with OCR, held
three public listening sessions prior to
drafting the proposed rule.
Representatives of several states
participated in these sessions. In
particular, states that had begun to
collect and analyze patient safety event
information spoke about their related
experiences and plans. Following
publication of the NPRM, AHRQ will
consult with appropriate state officials
and organizations to review the scope of
the proposed rule and to specifically
seek input on federalism issues and a
proposal in the rule at proposed
§ 3.102(a)(2) that would limit the ability
of public or private sector regulatory
entities to seek listing as a PSO.
Regulatory Impact Analysis
Under Executive Order 12866 (58 FR
51735, October 4, 1993), Federal
Agencies must determine whether a
regulatory action is ‘‘significant’’ and,
therefore, subject to OMB review and
the requirements of the Executive Order.
Executive Order 12866 defines
‘‘significant regulatory action’’ as one
that is likely to result in a rule that may:
1. Have an annual effect on the
economy of $100 million or more or
adversely affect in a material way the
economy, a sector of the economy,
productivity, competition, jobs, the
environment, public health or safety, or
state, local, or tribal government or
communities.
2. Create a serious inconsistency or
otherwise interfere with an action taken
or planned by another agency.
3. Materially alter the budgetary
impact of entitlements, grants, user fees,
or loan programs or the rights and
obligations of recipients thereof.
4. Raise novel legal or policy issues
arising out of legal mandates, the
President’s priorities, or the principles
set forth in the Executive Order.
AHRQ has accordingly examined the
impact of the proposed rule under
Executive Order 12866, the Regulatory
Flexibility Act (5 U.S.C. 601–612), and
the Unfunded Mandates Reform Act of
1995 (Pub. L. 104–4). Executive Order
12866 directs agencies to assess all costs
and benefits of available regulatory
alternatives and, when regulation is
necessary, to select regulatory
approaches that maximize net benefits
(including potential economic,
environmental, public health and safety,
and other advantages; distributive
impacts; and equity). A regulatory
impact analysis must be prepared for
major rules with economically
significant effects ($100 million or more
in any one year). In the course of
developing the proposed rule, AHRQ
has considered the rule’s costs and
benefits, as mandated by Executive
Order 12866. Although we cannot
determine with precision the aggregate
economic impact of the proposed rule,
we believe that the impact may
approach $100 million or more
annually. HHS has determined that the
proposed rule is ‘‘significant’’ also
because it raises novel legal and policy
issues with the establishment of a new
regulatory framework, authorized by the
Patient Safety Act, and imposes
requirements, albeit voluntary, on
entities that had not previously been
subject to regulation in this area.
Consequently, as required under
Executive Order 12866, AHRQ
conducted an analysis of the economic
impact of the proposed rule.
Background
The Patient Safety Act establishes a
framework for health care providers
voluntarily to report information on the
safety, quality, and outcomes of patient
care that to PSOs listed by HHS. The
main objectives of the Patient Safety Act
are to: (1) Encourage health care
providers to collect and examine patient
safety events more freely and
consistently than they do now, (2)
encourage many provider arrangements
or contracts with expert PSOs to receive,
aggregate, and analyze data on patient
PO 00000
Frm 00055
Fmt 4701
Sfmt 4702
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
8166
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
safety events so that PSOs may provide
feedback and assistance to the provider
to improve patient safety and (3) allow
the providers to improve the quality of
care delivered and reduce patient risk.
The Patient Safety Act provides
privilege from legal discovery for
patient safety work product, as well as
confidentiality protections in order to
foster a culture of patient safety. The
Patient Safety Act does not contain
mandatory reporting requirements. It
does, however, require information
submissions by entities that voluntarily
seek to be recognized, (i.e., listed) as
PSOs by the Secretary.
The cost of an adverse patient safety
event can be very high in terms of
human life, and it also often carries a
significant financial cost. The Institute
of Medicine report, To Err is Human:
Building a Safer Health Care System,
estimates that adverse events cost the
United States approximately $37.6
billion to $50 billion each year. ‘‘Total
national costs (lost income, lost
household production, disability, and
health care costs) of preventable adverse
events (medical errors resulting in
injury) are estimated to be between $17
billion and $29 billion, of which health
care costs represent over one-half.’’ 18
The proposed rule was written to
minimize the regulatory and economic
burden on an entity that seeks
certification as a PSO in order to collect,
aggregate, and analyze confidential
information reported by health care
providers. Collecting, aggregating, and
analyzing information on adverse events
will allow problems to be identified,
addressed, and eventually prevented.
This, in turn, will help improve patient
safety and the quality of care, while also
reducing medical costs. The following
analysis of costs and benefits—both
quantitative and qualitative—includes
estimates based on the best available
health care data and demonstrates that
the benefits of the proposed regulation
justify the costs involved in its
implementation.
The economic impact of an alternative
to the proposed rule is not discussed in
the following analysis because an
alternative to the statutorily authorized
voluntary framework is the existence of
no new program, which would produce
no economic change or have no
economic impact, or—alternatively—a
mandatory regulatory program for all
health care providers, which is not
authorized by the Patient Safety Act and
which is necessarily not a realistic
18 Corrigan, J. M., Donaldson, M. S., Kohn, L. T.,
McKay, T., Pike, K. C., for the Committee on
Quality of Health Care in America. To Err is
Human: Building a Safer Health System.
Washington, DC.: National Academy Press; 2000.
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
alternative and would likely be much
more expensive. (A guiding principle of
those drafting the regulation was to
minimize the economic and regulatory
burden on those entities seeking to be
PSOs and providers choosing to work
with PSOs, within the limits of the
Patient Safety Act. Hence this proposed
rule represents the Department’s best
effort at minimal impact while still
meeting statutory provisions.)
AHRQ has relied on key findings from
the literature to provide baseline
measures for estimating the likely costs
and benefits of the proposed rule. We
believe that the costs of becoming a PSO
(i.e., the costs of applying to be listed by
the Secretary) will be relatively small,
and the costs of operating a PSO will be
small, in relation to the possible cost
savings that will be derived from
reducing the number of preventable
adverse medical events each year.
The direct costs to individual
providers of working with PSOs will
vary considerably. For an institutional
or individual provider that chooses to
report readily accessible information to
a PSO occasionally, costs may be
negligible. The proposed rule does not
require a provider to enter into a
contract with a PSO, establish internal
reporting or analytic systems, or meet
specific security requirements for
patient safety work product. A
provider’s costs will derive from its own
choice whether to undertake and, if so,
whether to conduct or contract for data
collection, information development, or
analytic functions. Such decisions will
be based on the provider’s assessment of
the cost and benefits it expects to incur
and achieve. As we discuss below,
hospitals in particular have developed,
and can be expected to take advantage
of the protections afforded by the
Patient Safety Act by expanding data
collection, information development,
and analytic functions at their
institutions. We anticipate that many
providers will choose to enter into
contracts with PSOs voluntarily. If
providers choose to report data
routinely to a PSO, a contract will be a
good business practice. It provides
greater assurance that a provider can
demonstrate, if its claims of protections
are challenged, that it is operating in
full compliance with the statute. It
enables the provider to exert greater
control over the use and sharing of its
data and, in the case of a provider that
is a covered entity under the HIPAA
Privacy Rule, the provider will need to
enter a business associate agreement
with a PSO for compliance with that
regulation if the reported data includes
protected health information.
PO 00000
Frm 00056
Fmt 4701
Sfmt 4702
The following cost estimates represent
an effort to develop an ‘‘upper bound’’
on the cost impact of the proposed rule
by assuming that providers choosing to
work with PSOs will follow best
business practices, take full advantage
of the Patient Safety Act’s protections,
and develop robust internal reporting
and analytic systems, rather than
meeting the minimal requirements of
the proposed rule. The cost estimates
below are based on existing hospitalbased activities for reporting patient
safety events, which are likely to be
similar to most events that a PSO will
analyze (namely quality and safety
activities within hospitals). While the
Patient Safety Act is not limited to
hospitals, AHRQ has received
indications from various stakeholder
groups that hospital providers will be
the predominant provider type initially
interested in working with PSOs.
Affected Entities
To date, AHRQ has no hard
information on the exact number of
interested parties that may wish to
become a PSO. AHRQ estimates,
however, that 50 to 100 entities may
request to become a listed PSO by the
Secretary during the first three years
after publication of the final rule. AHRQ
anticipates a gradual increase in the
number of entities seeking listing as a
PSO and estimates that roughly 50
entities will seek PSO certification
during Year 1, 25 entities during Year 2,
and an additional 25 entities during
Year 3, totaling 100 PSOs by the end of
Year 3. After Year 3, we anticipate that
the number of PSOs will remain about
constant, with the number of new
entrants roughly equivalent to the
number of PSOs that cease to operate.
Healthcare providers, especially
hospitals, currently assume some level
of burden to collect, develop, and
analyze patient safety event information
similar to the information that will be
reported to PSOs. We note that most
institutional providers (especially larger
ones) already do some of this data
gathering. AHRQ anticipates that
entities that currently operate internal
patient safety event reporting systems
either may be interested in: (1)
Establishing a component organization
to seek certification as a PSO; or (2)
contracting with a PSO. Using data from
the 2004 American Hospital
Association, AHRQ conducted an
analysis of the burden hours and likely
costs associated with reporting patient
safety event information to a PSO. See
below.
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
Costs
The proposed rule enables providers
to receive Federal protections for
information on patient safety events that
the providers choose to collect, analyze,
and report in conformity with the
requirements of the Patient Safety Act
and the proposed rule. The proposed
rule, consistent with the Patient Safety
Act, does not require any entity to seek
listing as a PSO and does not require
any provider to work with a PSO. While
all holders of patient safety work
product must avoid impermissible
disclosures of patient safety work
product, we do not impose any specific
requirements that holders must meet to
comply with this obligation. The
requirements of the proposed rule apply
only to entities that choose to seek
listing by the Secretary as a PSO.
Similarly, the proposed rule does not
impose requirements on States or
private sector entities (including small
businesses) that would result in
additional spending, that is, the
government is not imposing any direct
costs on States or the private sector.
The Patient Safety Act, and therefore,
the proposed rule, does impose
obligations on entities that are listed by
the Secretary as PSOs. Every PSO must
carry out eight patient safety activities
and comply with seven statutory criteria
during its period of listing, including
requirements related to the provision of
security for patient safety work product,
the ability to receive and analyze data
from providers and assist them in
implementing system improvements to
mitigate or eliminate potential risk or
harm to patients from the delivery of
health care services.19 Because this is a
new, untested, and voluntary
initiative—coupled with the fact that
PSOs currently do not exist—AHRQ
does not have data on PSO fees, income,
or expenses to estimate the precise
monetized and non-monetized costs and
benefits of the proposed rule. The
following estimates reflect the cost of all
incremental activities required (or
contemplated) by the proposed rule.
For entities that seek to be listed as a
PSO by the Secretary, AHRQ assumes
that most of the total costs incurred will
be for the establishment of a new
organizational structure. AHRQ expects
such costs to vary considerably based on
the types of entities that request PSO
listing (e.g., size; geographic location;
setting; academic, professional, or
business affiliation; and whether or not
19 These 15 requirements from the Patient Safety
Act are discussed in proposed § 3.102(b). The eight
patient safety activities are defined in proposed
§ 3.20 and the seven criteria are specified in
proposed § 3.102(b)(2).
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
the entity is a component of a parent
organization). It is anticipated that the
proposed rule’s cost to a PSO will likely
be highest in the first year due to startup and initial operational costs and
establishment of policies and
procedures for complying with PSO
regulations. PSO operational costs will
include the hiring of qualified staff,
setting up data collection and reporting
systems, establishing policies and
procedures for ensuring data security
and confidentiality, maintaining a
patient safety evaluation system as
required by the Patient Safety Act, and
receiving and generating patient safety
work product. The fact that PSOs are
new entities for which there are no
existing financial data means that
estimates of the cost or charges for PSO
services are a matter of speculation at
this time. Additionally, the degree to
which PSOs will exercise market power,
what services they will offer, and the
impact of a competitive environment is
not yet known. Based on discussions
with stakeholder groups, we believe that
there will be a number of business
models that emerge for PSOs. We
anticipate that many PSOs will be
components of existing organizations,
which will likely subsidize the
operations of their component PSOs for
some time. Despite these limitations,
AHRQ believes it can construct
reasonable estimates of the costs and
benefits of the Patient Safety Act. See
‘‘Provider—PSO Costs and Charges’’ for
an explanation of why the abovementioned uncertainties do not
preclude AHRQ from calculating overall
costs, benefits, and net benefits of the
Patient Safety Act.
As noted above, the proposed rule
does not require providers to establish
internal reporting or analytic systems.
AHRQ expects, however, that many
providers will do so in order to take full
advantage of the protections of the
Patient Safety Act. As a result, our
estimates reflect an upper bound on the
potential costs associated with
implementation by assuming that all
providers that choose to participate will
establish robust internal reporting and
analytic systems.
AHRQ recognizes that many state
governments, public and private health
care purchasers, and private accrediting
and certifying organizations already
employ voluntary and/or mandatory
patient safety event reporting systems.
As health care organizations
increasingly focus on the monitoring of
adverse events, the use of voluntary
reporting systems to detect, evaluate,
and track such events has also
increased. Preliminary findings from
AHRQ’s Adverse Event Reporting
PO 00000
Frm 00057
Fmt 4701
Sfmt 4702
8167
Survey, conducted by the RAND
Corporation (RAND) and the Joint
Commission on Accreditation of
Healthcare Organizations (JCAHO),
show that 98 percent of hospitals are
already reporting adverse medical
events.20 This survey was administered
to a representative sample of 2,000
hospitals, with an 81 percent response
rate. Thus, it is anticipated that the
associated costs of the proposed rule for
hospitals with existing patient safety
event reporting systems will be very
minimal, because the majority of these
organizations already have the
institutional infrastructure and
operations to carry out the data
collection activities of the proposed
rule. AHRQ assumes that the estimated
2 percent of hospitals that currently
have no reporting system are unlikely to
initiate a new reporting system based on
the proposed rule, at least in the first
year that PSOs are operational.
Hospital Costs
We extrapolated findings from the
RAND–JCAHO survey in order to
calculate the burden hours and
monetized costs associated with the
proposed rule, using data from the
American Hospital Association’s 2004 21
annual survey of hospitals in the United
States 22 to estimate the number of
hospitals nationwide. This figure served
as the denominator in our analysis. We
acknowledge that, over time, not all
providers working with PSOs will be
hospitals; however, it is reasonable to
use hospitals as a basis for our initial
estimates, given the preliminary
indications that hospitals will be the
predominant, if not exclusive, providers
submitting information to PSOs during
the early years in which PSOs are
operational.
Based on American Hospital
Association data, there are 5,759
registered U.S. hospitals—including
community hospitals, Federal hospitals,
non-Federal psychiatric hospitals, nonFederal long-term care hospitals, and
hospital units of institutions—in which
there are 955,768 staffed operational
beds. Based on the RAND–JCAHO
finding regarding event reporting in
hospitals, AHRQ calculates that 98
percent of the 5,759 hospitals (5,644
hospitals with 936,653 staffed beds)
20 RAND and Joint Commission on Accreditation
of Healthcare Organizations. Survey on Hospital
Adverse Event Reporting Systems: Briefing on
Baseline Data. August 16, 2006 Briefing.
21 American Hospital Association. Fast Facts on
U.S. Hospitals from AHA Hospital Statistics.
November 14, 2005. Available at: https://
www.aha.org/aha/resource_center/fastfacts/
fast_facts_US_hospitals.html. Web Page.
22 The 2005 survey results will likely be release
in November 2006.
E:\FR\FM\12FEP2.SGM
12FEP2
8168
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
already have, and are supporting the
costs of, a centralized patient safety
event reporting system.
AHRQ assumed that an institution
will report an average of one patient
safety event (including no harm events
and close calls) per bed per month.
Based on this assumption, AHRQ
estimates that all hospitals nationwide
are currently completing a total of
11,239,832 patient safety event reports
per year. Based on the assumption that
it takes 15 minutes to complete each
patient safety event report, we estimate
that hospitals are already spending
2,809,958 hours per year on this
activity. At a Full-Time Equivalent
(FTE) rate of $80 per hour, we estimate
that all hospitals nationwide are
currently spending approximately
$224,796,634 per year on patient safety
event reporting activities.
AHRQ estimates that, once collected,
it will take an additional five minutes
for hospital staff to submit patient safety
event information to a PSO. We,
therefore, estimate that the total burden
hours for all hospitals nationwide to
submit patient safety event information
to a PSO totals 936,653 hours annually
with an associated cost of $74,932,211
based on the assumption that all
hospitals nationwide reported all
possible patient safety events (using the
heuristic of one event per bed per
month).
During the first year following
publication of the final rule PSOs will
be forming themselves into
organizations and engaging in startup
activities. We assume that there will be
a gradual increase in the number of
entities seeking listing as PSOs,
beginning with a 10 percent
participation rate. We assume as many
as 25 percent of hospitals may enter into
arrangements with PSOs by the end of
the first year; however, the overall
effective participation rate will only
average 10 percent. This assumption
translates to 93,665 hours of additional
burden for hospitals to report patient
safety event information to PSOs with
an estimated cost of $7,493,221.
Assuming a 40 percent participation
rate of all hospitals nationwide during
the second year that PSOs are
operational, there would be 374,660
burden hours with an estimated cost of
$29,972,884. Assuming there is 60
percent participation rate of all
hospitals nationwide during the third
year that PSOs are operational, there
would be 561,990 burden hours
nationwide with an estimated cost of
$44,959,326. (See Table 1).
In summary, the direct costs—which
would be voluntarily incurred if all
hospitals nationwide that choose to
work with PSOs during the first five
years also chose to establish systematic
reporting systems—are projected to
range from approximately $7.5 million
to nearly $63.7 million in any single
year, based on 10 percent to 85 percent
participation rate among hospitals.
These cost estimates may be high if
provider institutions, such as hospitals,
do not submit all the patient safety data
they collect to a PSO. If only a fraction
of the data is reported to a PSO, the cost
estimates and burden will be
proportionately reduced.
TABLE 1.—ESTIMATED HOSPITALS COSTS TO SUBMIT INFORMATION TO PSOS: 2008–2012
Year
2008
2009
2010
2011
Hospital Penetration Rate ..................................................................................
Hospital Cost ......................................................................................................
10% .........
$7.5 M .....
40% .........
$30.0 M ...
60% .........
$45.0 M ...
75% .........
$56.2 M ...
PSO Costs
A second category of costs, in
addition to incremental costs borne by
hospitals, is that of the PSOs
themselves. PSO cost estimates are
based on estimates of organizational and
consulting capabilities and statutory
requirements. We followed the standard
accounting format for calculating
‘‘independent government cost
estimates,’’ although the categories did
not seem entirely appropriate for the
private sector. In order to estimate PSO
costs over a five-year period, we made
several assumptions about the size and
operations of new PSOs. Specifically,
we assumed that PSOs would be staffed
modestly, relying on existing hospital
activities in reporting adverse events,
and that a significant proportion of
PSOs are likely to be component PSOs,
with support and expertise provided by
a parent organization. Our assumptions
are that PSOs will hire dedicated staff
of from 1.5 to 4 FTEs, assuming an
average salary rate of $67/hour. We
estimate that a significant overhead
figure of 100%, coupled with 20% for
General and Administrative (G&A)
expenses, will cover the appreciable
2012
85%.
$63.7 M.
costs anticipated for legal, security,
travel, and miscellaneous PSO
expenses.
Although we believe that the above
estimates may be conservative, we also
believe that PSOs will become more
effective over time without increasing
staff size. Finally, we estimate that the
number of PSOs will increase from 50
to 100 during the first three years in
which the Secretary lists PSOs and
remain at 100 PSOs in subsequent years.
Table 2 summarizes PSO operational
costs for the first five years based on
these estimates.
TABLE 2.—TOTAL PSO OPERATIONAL COSTS: 2008–2012
2008
2009
2010
2011
2012
Number of PSOs ................................................................................................
PSO Cost ...........................................................................................................
hsrobinson on PROD1PC76 with PROPOSALS2
Year
50 ............
$61.4 M ...
75 .............
$92.1 M ...
100 ..........
$122.8 M
100 ...........
$122.8 M
100.
$122.8 M.
Table 3 presents the total estimated
incremental costs related to
implementation of the Patient Safety
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
Act, based on new activities on the part
of hospitals and the formation of new
entities, PSOs, from 2008–2012.
PO 00000
Frm 00058
Fmt 4701
Sfmt 4702
Estimates for total Patient Safety Act
costs are $80 million in Year 1,
increasing to $186.5 million in Year 5.
E:\FR\FM\12FEP2.SGM
12FEP2
8169
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
TABLE 3.—TOTAL PATIENT SAFETY ACT COSTS INCLUDING HOSPITAL COSTS AND PSO COSTS: 2008–2012
Year
2008
2009
2010
2011
2012
Hospital Penetration Rate ..................................................................................
Hospital Cost ......................................................................................................
PSO Cost ...........................................................................................................
10% .........
$7.5 M .....
$61.4 M ...
40% .........
$30.0 M ...
$92.1 M ...
60% .........
$45.0 M ...
$122.8 M
75% .........
$56.2 M ...
$122.8 M
85%.
$63.7 M.
$122.8 M.
Total Cost ...................................................................................................
$68.9 M ...
$122.1 M
$167.8 M
$179.0 M
$186.5 M.
hsrobinson on PROD1PC76 with PROPOSALS2
Provider—PSO Costs and Charges
We have not figured into our
calculations any estimates for the price
of PSO services, amounts paid by
hospitals and other health care
providers to PSOs, PSO revenues, or
PSO break-even analyses. We have not
speculated about subsidies or business
models. Regardless of what the costs
and charges are between providers and
PSOs, they will cancel each other out,
as expenses to providers will become
revenue to PSOs.
Benefits
The primary benefit of the proposed
rule is to provide the foundation for
new, voluntary opportunities for health
care providers to improve the safety,
quality, and outcomes of patient care.
The non-monetized benefits to public
health from the proposed rule are clear,
translating to improvements in patient
safety, although such benefits are
intangible and difficult to quantify, not
only in monetary terms but also with
respect to outcome measures such as
years added or years with improved
quality-of-life. Although AHRQ is
unable to quantify the net benefits of
this proposed rule precisely, it believes
firmly that the proposed rule will be
effective in addressing costly medical
care problems in the health system that
adversely affect patients, their families,
their employees, and society in general.
Finally, estimating the impact of the
proposed rule in terms of measurable
monetized and non-monetized benefits
is a challenge due to a lack of baseline
data on the incidence and prevalence of
patient safety events themselves. In fact,
one of the intended benefits of the
Patient Safety Act is to provide more
objective data in this important area,
which will begin to allow tracking of
improvement.
AHRQ has relied on key findings from
the medical professional literature to
provide a qualitative description of the
scope of the problem. The Institute of
Medicine reports that 44,000 to 98,000
people die in hospitals each year as a
result of adverse events.23 The Harvard
Medical Practice Study found a rate of
23 Institute of Medicine, ‘‘To Err Is Human:
Building a Safer Health System’’, 1999.
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
3.7 adverse events per 100 hospital
admissions.24 Similar results were
found in a replication of this study in
Colorado and Utah; adverse events were
reported at a rate of 2.9 per 100
admissions.25 Adverse events do not
occur only in hospitals; they also occur
in physician’s offices, nursing homes,
pharmacies, urgent care centers,
ambulatory care settings, and care
delivered in the home.
The importance of evaluating the
incidence and cost of adverse events
cannot be underestimated. They are not
only related to possible morbidity and
mortality, but also impose a significant
economic burden on both society and
the individual (patient, family, health
care workers) in terms of consumption
of health care resources and lost
productivity, and in many cases
avoidable pain and suffering. However,
to prevent adverse events, it may take
many years for the proposed rule to
achieve its full beneficial effects, and it
will remain a challenge to track the
effect of the proposed rule on the
patient population and society,
generally.
It may be possible to measure
improvements in patient safety in
general descriptive terms regarding
improved health outcomes. However, it
is more difficult to translate such
improvements to direct monetary
savings or outcome measures that can be
integrated into a single numerical index
(e.g., units of health improvement, years
of life gained). By analyzing patient
safety event information, PSOs will be
able to identify patterns of failures in
the health care system and propose
measures to eliminate patient safety
risks and hazards as a means to improve
patient outcomes. As more information
is learned about patient safety events
through data collection by the PSOs, the
care delivery environment can be
redesigned to prevent adverse events in
the future. However, PSOs will not have
24 Brennan TA, Leape LL, Laird NM, et al.
Incidence of Adverse Events and Negligence in
Hospitalized Patients. New England Journal of
Medicine. 1991. 324: 370–76.
25 Thomas EJ, Studdert DM, Burstin HR, et al.
Incidence and Types of Adverse Events and
Negligent Care in Utah and Colorado. Medical Care.
2000. 38: 261–71.
PO 00000
Frm 00059
Fmt 4701
Sfmt 4702
the necessary authority to implement
recommended changes to improve
patient safety in providers’ health care
delivery organizations. It will be up to
the providers themselves to bring about
the changes that will result in a
reduction in adverse events and a
resultant improvement in the quality of
care delivered.
The submission of more
comprehensive information by health
care providers regarding patient risks
and hazards will likely increase the
understanding of the factors that
contribute to events that adversely affect
patients. The expected benefit of this
information would be improvements in
patient safety event reports and
analyses, which would translate to
better patient outcomes and possible
economic savings attributable to the
more efficient use of health care
services. Due to the uncertainty of the
benefits and costs associated with the
proposed rule as delineated above, it is
then possible only to make general
estimates of the monetary values of
expected improvements in patient
outcomes, that is, savings to the
healthcare system.
We can estimate monetized benefits
by referring to the Institute of Medicine
report, To Err Is Human,26 which
estimates total national costs of
preventable adverse events to be
between $17 billion and $29 billion, of
which direct health care costs represent
over one-half (totaling between $8.5
billion and $14.5 billion). Based on the
assumption that PSOs may be able to
reduce the preventable adverse events
by between one percent and three
percent within their first five years of
operation, this reduction would amount
to be between $85 million—$145
million in savings at the 1 percent level
if the whole nation were affected, and
$255 million—$435 million at the 3
percent level, if the whole nation were
affected. Applying a median figure from
the Institute of Medicine range to PSOs,
based on an increasing impact from
1%–3% as it grows over the first five
26 Corrigan, J. M., Donaldson, M. S., Kohn, L. T.,
McKay, T., Pike, K. C., for the Committee on
Quality of Health Care in America. To Err Is
Human: Building a Safer Health System.
Washington, DC: National Academy Press; 2000.
E:\FR\FM\12FEP2.SGM
12FEP2
8170
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
years, we see progressively growing
savings as shown in Table 4. It should
be noted that we are estimating savings
by assuming a percentage reduction of
adverse events from the overall
occurrence rate delineated by the
Institute of Medicine report. We are not
tying the estimated reduction to those
events specifically reported to PSOs.
Events that have already occurred do
not represent a potential for savings.
The presumption behind the estimated
savings is that the reporting, analysis,
and institution of ameliorating policies
and procedures will result in fewer
adverse events going forward because of
such PSO activities.
TABLE 4.—TOTAL ESTIMATED COST SAVINGS BY PERCENT REDUCTION IN ADVERSE EVENTS: 2008–2012 *
Year
2008
2009
2010
2011
2012
Hospital Penetration Rate ..............................................................................
Percent Reduction in Adverse Events ...........................................................
Savings ...........................................................................................................
10% .........
1% ...........
$11.5 M ...
40% .........
1.5% ........
$69 M ......
60% .........
2% ...........
$138 M ....
75% .............
2.5% ............
$215.625 M
85%.
3%.
$293.25 M.
* Source: Baseline figures from IOM Report, To Err Is Human, on total national health care costs associated with preventable adverse events
(between 8.5 billion and 14.5 billion). Year 1 estimates are based on mid-point figures.
It is assumed that when the proposed
rule is implemented, it will have a
beneficial effect on patient outcomes.
Eliminating adverse events would help
to ensure the greatest value possible
from the billions of dollars spent on
medical care in the United States.27
AHRQ concludes that the potential
benefits of the Patient Safety Act—
which encourages hospitals, doctors,
and other health care providers to work
voluntarily with PSOs by reporting of
health care errors and enabling PSOs to
analyze them to improve health care
quality and safety—would justify the
costs of the proposed rule.
During the first five operational years
of PSOs, we calculated the net benefits
based on total costs and benefits. (See
Table 5.) We estimate that costs of
implementing the Patient Safety Act
will reach break-even after 2010 and
provide progressively greater benefits
thereafter.
TABLE 5.—NET BENEFITS: 2008–2012
Year
2008
2009
2010
2011
Total Benefits ...................................................................................
Total Costs .......................................................................................
Net Benefits .....................................................................................
Discounted net present value at 3% ...............................................
Discounted net present value at 7% ...............................................
$11.5 M .......
$68.9 M .......
($57.4) M .....
($55.7) M .....
($53.6) M .....
$69 M ..........
$122.1 M .....
($53.1) M .....
($50.0) M .....
($46.4) M .....
$138 M ........
$167.8 M .....
($29.8) M .....
($27.3) M .....
($24.3) M .....
$215.625 M
$179.0 M .....
$36.625 M ...
$32.5 M .......
$27.9 M .......
hsrobinson on PROD1PC76 with PROPOSALS2
Confidentiality Rule
The confidentiality provisions are
included in the Patient Safety Act to
encourage provider participation.
Without such protections, providers
will be reluctant to participate in the
expanded reporting and analysis of
patient safety events, and low
participation will severely inhibit the
opportunity to reap the benefits from
efforts to improve patient safety. The
proposed rule requires any holder of
patient safety work product to maintain
its confidentiality but, with the
exception of PSOs, the appropriate
security measures are left to the holder’s
discretion. Proposed § 3.106 establishes
a security framework that PSOs must
address but, even then, PSOs are given
discretion to establish the specific
security standards most appropriate to
their organization. Violation of the
confidentiality provisions under the
proposed rule creates a risk of liability
for a substantial civil money penalty. If
a person makes a knowing or reckless
disclosure in violation of the
confidentiality provisions, that person
27 Corrigan, J. M., Donaldson, M. S., Kohn, L. T.,
McKay, T., Pike, K. C., for the Committee on
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
will be subject to the enforcement
process, and subject to costs including
participation in an investigation and
payment of a civil money penalty, if
imposed.
While participating providers may
incur some costs associated with
maintaining the confidentiality of
patient safety work product (e.g.,
developing policies/procedures to keep
information confidential, safeguarding
the information, training staff, etc.),
those activities and associated costs are
not required by the proposed rule and
are likely minimal in light of existing
procedures to meet existing
requirements on providers to maintain
sensitive information as confidential.
We are proposing a scheme that places
the least possible amount of regulatory
burden on participants while
simultaneously ensuring that the
confidentiality provisions are effectively
implemented and balanced with the
objective of encouraging the maximum
amount of participation possible. We
were mindful of not placing
unnecessary regulatory requirements on
participating entities because this is a
Quality of Health Care in America. To Err Is
PO 00000
Frm 00060
Fmt 4701
Sfmt 4702
2012
$293.25 M.
$186.5 M.
$106.75 M.
$92.1 M.
$76.1 M.
voluntary initiative, and we did not
want entities interested in participating
to forego participation because of
concerns about the associated risk of
liability for civil money penalties.
Regulatory Flexibility Act Analysis
The Regulatory Flexibility Act
requires agencies to analyze regulatory
options that would minimize any
significant impact of a rule on small
entities. Because the Patient Safety Act
enables a broad spectrum of entities—
public, private, for-profit, and not-forprofit—to seek certification as a PSO,
there may be many different types of
organizations interested in becoming
certified as a PSO that would be affected
by the proposed rule. The proposed rule
minimizes possible barriers to entry and
creates a review process that is both
simple and quick. As a result, AHRQ
expects that a broad range of health care
provider systems, medical specialty
societies, and provider-based
membership organizations will seek
listing as a PSO by the Secretary.
AHRQ preliminarily determines that
the proposed rule does not have a
Human: Building a Safer Health System.
Washington, DC: National Academy Press; 2000.
E:\FR\FM\12FEP2.SGM
12FEP2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
significant impact on small businesses
because it does not impose a mandatory
regulatory burden, and because the
Department has made a significant effort
to promulgate regulations that are the
minimum necessary to interpret and
implement the law. As stated
previously, working with PSOs is
completely voluntary; the proposed rule
provides benefits in the form of legal
protections that are expected to
outweigh the cost of participation from
the perspective of participating
providers. AHRQ believes that the
proposed rule will not have a significant
impact on a substantial number of small
entities because the proposed rules do
not place small entities at a significant
competitive disadvantage to large
entities. AHRQ does not anticipate that
there will be a disproportional effect on
profits, costs, or net revenues for a
substantial number of small entities.
The proposed rule will not significantly
reduce profit for a substantial number of
small entities.
Impacts on Small Entities
1. The Need for and the Objectives of
the Proposed Rule
The proposed rule establishes the
authorities, processes, and requirements
necessary to implement the Patient
Safety Act, sections 921–926 of the
Public Health Service Act, 42 U.S.C.
299b–21 to 299b–26. The proposed rules
seek to establish a streamlined process
for the Department to accept
certification by entities seeking to
become PSOs. Under the proposal, PSOs
will be available voluntarily to enter
into arrangements with health care
providers and provide expert advice
regarding the causes and prevention of
adverse patient safety events.
Information collected or developed by a
health care provider or PSO, and
reported to or by a PSO, that relate to
a patient safety event would become
privileged and confidential. Related
deliberations would also be protected.
Persons who breached the
confidentiality provisions of the rule
could be subject to civil money
penalties of up to $10,000.
hsrobinson on PROD1PC76 with PROPOSALS2
2. Description and Estimate of the
Number of Small Entities Affected
For purposes of the Regulatory
Flexibility Act, small entities include
small businesses, non-profit
organizations, and government
jurisdictions. Most hospitals and many
other health care providers and
suppliers are small entities, either
because they are nonprofit organizations
or because they generate revenues of
$6.5 million to $31.5 million in any one
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
year. Individuals and States are not
included in the definition of a small
entity. The proposed rule would affect
most hospitals, and other health care
delivery entities, plus all small entities
that are interested in becoming certified
PSOs. Based on various stakeholder
meetings, AHRQ estimates that
approximately 50–100 entities may be
interested in becoming listed as PSOs
during the first three years following
publication of the final rule. This figure
is likely to stabilize over time, as some
new PSOs form and some existing PSOs
cease operations.
3. Impact on Small Entities
AHRQ believes that the proposed rule
will not have a significant impact on a
substantial number of small provider or
PSO entities because the proposed rule
does not place a substantial number of
small entities at a significant
competitive disadvantage to large
entities. AHRQ does not anticipate that
there will be a disproportional effect on
profits, costs, or net revenues for a
substantial number of small entities.
The proposed rule will not significantly
reduce profit for a substantial number of
small entities. In fact, when fully
implemented, we expect that the
benefits and/or provider savings will
outweigh the costs.
Compliance requirements for small
entities under this proposed rule are the
same as those described above for other
affected entities. AHRQ has proposed
only those regulations that are necessary
to comply with provisions and goals of
the Patient Safety Act, with the
objective of encouraging the maximum
participation possible. The proposed
rule was written to minimize the
regulatory and economic burden on any
entity that seeks to be listed as a PSO
by the Secretary, regardless of size. It is
impossible for AHRQ to develop
alternatives to the proposed rule for
small entities, as the proposed rule must
adhere to statutory requirements. For
example, the proposed rule requires
confidentiality and privilege protections
and places the least amount of
regulatory burden on participating
players—while simultaneously ensuring
that the goals of confidentiality are
effectively implemented—with the
objective of encouraging the maximum
participation possible. In addition, the
proposed rule was written recognizing
that many providers will be HIPAA
covered entities, and many PSOs will be
business associates, which entails
certain obligations under the HIPAA
Privacy Rule. Thus, this proposed rule
is coordinated with existing law, to
minimize the burden of compliance.
PO 00000
Frm 00061
Fmt 4701
Sfmt 4702
8171
AHRQ believes that the proposed rule
will not have a significant impact on
small providers. The proposed rule does
not impose any costs directly on
providers, large or small, that choose to
work with a PSO. To the extent that
providers hold patient safety work
product, they must prevent
impermissible disclosures; however, the
proposed rule does not establish
requirements for how providers must
meet this requirement.
Finally, it is the statutory and
supporting regulatory guarantee of the
confidentiality of the reporting of
adverse events that will enable PSOs to
operate and perform their function.
Thus, while the compliance costs in the
form of start-up operational costs may
be substantial, the benefits that will be
generated as a result of these costs will
exceed the actual costs, as illustrated in
Table 5.
The Secretary certifies that the
proposed rule will not have a significant
economic impact on a substantial
number of small entities.
List of Subjects in 42 CFR Part 3
Administrative practice and
procedure, Civil money penalty,
Confidentiality, Conflict of interests,
Courts, Freedom of information, Health,
Health care, Health facilities, Health
insurance, Health professions, Health
records, Hospitals, Investigations, Law
enforcement, Medical research,
Organization and functions, Patient,
Patient safety, Privacy, Privilege, Public
health, Reporting and recordkeeping
requirements, Safety, State and local
governments, Technical assistance.
For the reasons stated in the
preamble, the Department of Health and
Human Services proposes to amend
Title 42 of the Code of Federal
Regulations by adding a new part 3 to
read as follows:
PART 3—PATIENT SAFETY
ORGANIZATIONS AND PATIENT
SAFETY WORK PRODUCT
Subpart A—General Provisions
Sec.
3.10
3.20
Purpose.
Definitions.
Subpart B—PSO Requirements and Agency
Procedures
3.102 Process and requirements for initial
and continued listing of PSOs.
3.104 Secretarial actions.
3.106 Security requirements.
3.108 Correction of deficiencies, revocation,
and voluntary relinquishment.
3.110 Assessment of PSO compliance.
3.112 Submissions and forms.
E:\FR\FM\12FEP2.SGM
12FEP2
8172
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
Subpart C—Confidentiality and Privilege
Protections of Patient Safety Work Product
3.204 Privilege of Patient Safety Work
Product.
3.206 Confidentiality of Patient Safety Work
Product.
3.208 Continued protection of Patient
Safety Work Product.
3.210 Required disclosure of Patient Safety
Work Product to the Secretary
3.212 Nonidentification of Patient Safety
Work Product.
Subpart D—Enforcement Program
3.304 Principles for achieving compliance.
3.306 Complaints to the Secretary.
3.308 Compliance reviews.
3.310 Responsibilities of respondents.
3.312 Secretarial action regarding
complaints and compliance reviews.
3.314 Investigational subpoenas and
inquiries.
3.402 Basis for a civil money penalty.
3.404 Amount of a civil money penalty.
3.408 Factors considered in determining the
amount of a civil money penalty.
3.414 Limitations.
3.416 Authority to settle.
3.418 Exclusivity of penalty.
3.420 Notice of proposed determination.
3.422 Failure to request a hearing.
3.424 Collection of penalty.
3.426 Notification of the public and other
agencies.
3.504 Procedures for hearings.
Authority: 42 U.S.C. 216, 299b–21 through
299b–26; 42 U.S.C. 299c–6
Subpart A—General Provisions
§ 3.10
Purpose.
The purpose of this Part is to
implement the Patient Safety and
Quality Improvement Act of 2005 (Pub.
L. 109–41), which amended Title IX of
the Public Health Service Act (42 U.S.C.
299 et seq.) by adding sections 921
through 926, 42 U.S.C. 299b–21 through
299b–26.
hsrobinson on PROD1PC76 with PROPOSALS2
§ 3.20
Definitions.
As used in this Part, the terms listed
alphabetically below have the meanings
set forth as follows:
AHRQ stands for the Agency for
Healthcare Research and Quality in
HHS.
ALJ stands for an Administrative Law
Judge of HHS.
Board means the members of the HHS
Departmental Appeals Board, in the
Office of the Secretary, who issue
decisions in panels of three.
Bona fide contract means:
(1) A written contract between a
provider and a PSO that is executed in
good faith by officials authorized to
execute such contract; or
(2) A written agreement (such as a
memorandum of understanding or
equivalent recording of mutual
commitments) between a Federal, State,
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
Local, or Tribal provider and a Federal,
State, Local, or Tribal PSO that is
executed in good faith by officials
authorized to execute such agreement.
Complainant means a person who
files a complaint with the Secretary
pursuant to § 3.306.
Component organization means an
entity that is either:
(1) A unit or division of a corporate
organization or of a multi-organizational
enterprise; or
(2) A separate organization, whether
incorporated or not, that is owned,
managed or controlled by one or more
other organization(s), i.e., its parent
organization(s).
Component PSO means a PSO listed
by the Secretary that is a component
organization.
Confidentiality provisions means for
purposes of Subparts C and D, any
requirement or prohibition concerning
confidentiality established by section
921 and 922(b), (d), (g) and (i) of the
Public Health Service Act, 42 U.S.C.
299b–21, 299b–22(b)–(d), (g) and (i) and
the provisions, at §§ 3.206 and 3.208,
that implement the statutory prohibition
on disclosure of identifiable patient
safety work product.
Disclosure means the release, transfer,
provision of access to, or divulging in
any other manner of patient safety work
product by a person holding the patient
safety work product to another.
Entity means any organization or
organizational unit, regardless of
whether the organization is public,
private, for-profit, or not-for-profit.
Group health plan means employee
welfare benefit plan (as defined in
section 3(1) of the Employee Retirement
Income Security Act of 1974 (ERISA)) to
the extent that the plan provides
medical care (as defined in paragraph
(2) of section 2791(a) of the Public
Health Service Act, including items and
services paid for as medical care) to
employees or their dependents (as
defined under the terms of the plan)
directly or through insurance,
reimbursement, or otherwise.
Health insurance issuer means an
insurance company, insurance service,
or insurance organization (including a
health maintenance organization, as
defined in 42 U.S.C. 300gg–91(b)(3))
which is licensed to engage in the
business of insurance in a State and
which is subject to State law which
regulates insurance (within the meaning
of 29 U.S.C. 1144(b)(2)). The term does
not include a group health plan.
Health maintenance organization
means:
(1) A Federally qualified health
maintenance organization (HMO) (as
defined in 42 U.S.C. 300e(a)),
PO 00000
Frm 00062
Fmt 4701
Sfmt 4702
(2) An organization recognized under
State law as a health maintenance
organization, or
(3) A similar organization regulated
under State law for solvency in the same
manner and to the same extent as such
a health maintenance organization.
HHS stands for the United States
Department of Health and Human
Services.
HIPAA Privacy Rule means the
regulations promulgated under section
264(c) of the Health Insurance
Portability and Accountability Act of
1996 (HIPAA), at 45 CFR Part 160 and
Subparts A and E of Part 164.
Identifiable patient safety work
product means patient safety work
product that:
(1) Is presented in a form and manner
that allows the identification of any
provider that is a subject of the work
product, or any providers that
participate in, or are responsible for,
activities that are a subject of the work
product;
(2) Constitutes individually
identifiable health information as that
term is defined in the HIPAA Privacy
Rule at 45 CFR 160.103; or
(3) Is presented in a form and manner
that allows the identification of an
individual who in good faith reported
information directly to a PSO or to a
provider with the intention of having
the information reported to a PSO
(‘‘reporter’’).
Nonidentifiable patient safety work
product means patient safety work
product that is not identifiable patient
safety work product in accordance with
the nonidentification standards set forth
at § 3.212.
OCR stands for the Office for Civil
Rights in HHS.
Parent organization means an entity
that, alone or with others, either owns
a provider entity or a component
organization, or has the authority to
control or manage agenda setting,
project management, or day-to-day
operations, or the authority to review
and override decisions of a component
organization.
Patient Safety Act means the Patient
Safety and Quality Improvement Act of
2005 (Pub. L. 109–41), which amended
Title IX of the Public Health Service Act
(42 U.S.C. 299 et seq.) by inserting a
new Part C, sections 921 through 926,
which are codified at 42 U.S.C. 299b–21
through 299b–26.
Patient safety activities means the
following activities carried out by or on
behalf of a PSO or a provider:
(1) Efforts to improve patient safety
and the quality of health care delivery;
(2) The collection and analysis of
patient safety work product;
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
(3) The development and
dissemination of information with
respect to improving patient safety, such
as recommendations, protocols, or
information regarding best practices;
(4) The utilization of patient safety
work product for the purposes of
encouraging a culture of safety and of
providing feedback and assistance to
effectively minimize patient risk;
(5) The maintenance of procedures to
preserve confidentiality with respect to
patient safety work product;
(6) The provision of appropriate
security measures with respect to
patient safety work product;
(7) The utilization of qualified staff;
and
(8) Activities related to the operation
of a patient safety evaluation system and
to the provision of feedback to
participants in a patient safety
evaluation system.
Patient safety evaluation system
means the collection, management, or
analysis of information for reporting to
or by a PSO.
Patient safety organization (PSO)
means a private or public entity or
component thereof that currently is
listed as a PSO by the Secretary in
accordance with Subpart B. A health
insurance issuer or a component
organization of a health insurance issuer
may not be a PSO. See also the
exclusion in proposed § 3.102 of this
Part.
Patient safety work product (PSWP).
(1) Except as provided in paragraph
(2) of this definition, patient safety work
product means any data, reports,
records, memoranda, analyses (such as
root cause analyses), or written or oral
statements (or copies of any of this
material)
(i)(A) Which are assembled or
developed by a provider for reporting to
a PSO and are reported to a PSO; or
(B) Are developed by a PSO for the
conduct of patient safety activities; and
which could improve patient safety,
health care quality, or health care
outcomes; or
(ii) Which identify or constitute the
deliberations or analysis of, or identify
the fact of reporting pursuant to, a
patient safety evaluation system.
(2)(i) Patient safety work product does
not include a patient’s medical record,
billing and discharge information, or
any other original patient or provider
information; nor does it include
information that is collected,
maintained, or developed separately, or
exists separately, from a patient safety
evaluation system. Such separate
information or a copy thereof reported
to a PSO shall not by reason of its
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
reporting be considered patient safety
work product.
(ii) Nothing in this part shall be
construed to limit information that is
not patient safety work product from
being:
(A) Discovered or admitted in a
criminal, civil or administrative
proceeding;
(B) Reported to a Federal, State, local
or tribal governmental agency for public
health or health oversight purposes; or
(C) Maintained as part of a provider’s
recordkeeping obligation under Federal,
State, local or tribal law.
Person means a natural person, trust
or estate, partnership, corporation,
professional association or corporation,
or other entity, public or private.
Provider means:
(1) An individual or entity licensed or
otherwise authorized under State law to
provide health care services,
including—
(i) A hospital, nursing facility,
comprehensive outpatient rehabilitation
facility, home health agency, hospice
program, renal dialysis facility,
ambulatory surgical center, pharmacy,
physician or health care practitioner’s
office (includes a group practice), long
term care facility, behavior health
residential treatment facility, clinical
laboratory, or health center; or
(ii) A physician, physician assistant,
registered nurse, nurse practitioner,
clinical nurse specialist, certified
registered nurse anesthetist, certified
nurse midwife, psychologist, certified
social worker, registered dietitian or
nutrition professional, physical or
occupational therapist, pharmacist, or
other individual health care
practitioner;
(2) Agencies, organizations, and
individuals within Federal, State, local,
or Tribal governments that deliver
health care, organizations engaged as
contractors by the Federal, State, local,
or Tribal governments to deliver health
care, and individual health care
practitioners employed or engaged as
contractors by the Federal State, local,
or Tribal governments to deliver health
care; or
(3) A parent organization that has a
controlling interest in one or more
entities described in paragraph (1)(i) of
this definition or a Federal, State, local,
or Tribal government unit that manages
or controls one or more entities
described in (1)(i) or (2) of this
definition.
Research has the same meaning as the
term is defined in the HIPAA Privacy
Rule at 45 CFR 164.501.
Respondent means a provider, PSO,
or responsible person who is the subject
of a complaint or a compliance review.
PO 00000
Frm 00063
Fmt 4701
Sfmt 4702
8173
Responsible person means a person,
other than a provider or a PSO, who has
possession or custody of identifiable
patient safety work product and is
subject to the confidentiality provisions.
Workforce means employees,
volunteers, trainees, contractors, and
other persons whose conduct, in the
performance of work for a provider, PSO
or responsible person, is under the
direct control of such provider, PSO or
responsible person, whether or not they
are paid by the provider, PSO or
responsible person.
Subpart B—PSO Requirements and
Agency Procedures
§ 3.102 Process and requirements for
initial and continued listing of PSOs.
(a) Eligibility and process for initial
and continued listing.
(1) Submission of Certification. Any
entity, except as specified in paragraph
(a)(2) of this section, may request from
the Secretary an initial or continued
listing as a PSO by submitting a
completed certification form that meets
the requirements of this section, in
accordance with the submission
requirements at § 3.112. An individual
with authority to make commitments on
behalf of the entity seeking listing will
be required to acknowledge each of the
certification requirements, attest that the
entity meets each requirement, provide
contact information for the entity, and
certify that the PSO will promptly notify
the Secretary during its period of listing
if it can no longer comply with any of
the criteria in this section.
(2) Restrictions on certain entities.
Entities that may not seek listing as a
PSO include: health insurance issuers or
components of health insurance issuers.
Any other entity, public or private, that
conducts regulatory oversight of health
care providers, such as accreditation or
licensure, may not seek listing, except
that a component of such an entity may
seek listing as a component PSO. An
applicant completing the required
certification forms described in
paragraph (a)(1) of this section will be
required to attest that the entity is not
subject to the restrictions of this
paragraph.
(b) Fifteen general PSO certification
requirements. The certifications
submitted to the Secretary in
accordance with paragraph (a)(1) of this
section must conform to the following
15 requirements:
(1) Required certification regarding
eight patient safety activities. An entity
seeking initial listing as a PSO must
certify that it has written policies and
procedures in place to perform each of
the eight patient safety activities,
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
8174
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
defined in § 3.20. Such policies and
procedures will provide for compliance
with the confidentiality provisions of
subpart C of this part and the
appropriate security measures required
by § 3.106 of this subpart. A PSO
seeking continued listing must certify
that it is performing, and will continue
to perform, each of the patient safety
activities, and is and will continue to
comply with subpart C of this part and
the security requirements referenced in
the preceding sentence.
(2) Required certification regarding
seven PSO criteria. In its initial
certification submission, an entity must
also certify that it will comply with the
additional seven requirements in
paragraphs (b)(2)(i) through (b)(2)(vii) of
this section. A PSO seeking continued
listing must certify that it is complying
with, and will continue to comply with,
the requirements of this paragraph.
(i) The mission and primary activity
of a PSO must be to conduct activities
that are to improve patient safety and
the quality of health care delivery.
(ii) The PSO must have appropriately
qualified workforce members, including
licensed or certified medical
professionals.
(iii) The PSO, within the 24-month
period that begins on the date of its
initial listing as a PSO, and within each
sequential 24-month period thereafter,
must have entered into 2 bona fide
contracts, each of a reasonable period of
time, each with a different provider for
the purpose of receiving and reviewing
patient safety work product.
(iv) The PSO is not a health insurance
issuer, and is not a component of a
health insurance issuer.
(v) The PSO must make disclosures to
the Secretary as required under
§ 3.102(d), in accordance with § 3.112 of
this subpart.
(vi) To the extent practical and
appropriate, the PSO must collect
patient safety work product from
providers in a standardized manner that
permits valid comparisons of similar
cases among similar providers.
(vii) The PSO must utilize patient
safety work product for the purpose of
providing direct feedback and assistance
to providers to effectively minimize
patient risk.
(c) Additional certifications required
of component organizations. In addition
to meeting the 15 general PSO
certification requirements of paragraph
(b) of this section, an entity seeking
initial listing that is a component of
another organization or enterprise must
certify that it will comply with the
requirements of paragraphs (c)(1)
through (c)(3) of this section. A
component PSO seeking continued
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
listing must certify that it is complying
with, and will continue to comply with,
the requirements of this paragraph.
(1) Separation of patient safety work
product.
(i) A component PSO must:
(A) Maintain patient safety work
product separately from the rest of the
parent organization(s) of which it is a
part; and
(B) Not have a shared information
system that could permit access to its
patient safety work product to an
individual(s) in, or unit(s) of, the rest of
the parent organization(s) of which it is
a part.
(ii) Notwithstanding the requirements
of paragraph (c)(1)(i) of this section, a
component PSO may provide access to
identifiable patient safety work product
to an individual(s) in, or a unit(s) of, the
rest of the parent organization(s) of
which it is a part if the component PSO
enters into a written agreement with
such individuals or units that requires
that:
(A) The component PSO will only
provide access to identifiable patient
safety work product to enable such
individuals or units to assist the
component PSO in its conduct of
patient safety activities, and
(B) Such individuals or units that
receive access to identifiable patient
safety work product pursuant to such
written agreement will only use or
disclose such information as specified
by the component PSO to assist the
component PSO in its conduct of
patient safety activities, will take
appropriate security measures to
prevent unauthorized disclosures and
will comply with the other certifications
the component has made pursuant to
paragraphs (c)(2) and (c)(3) of this
section regarding unauthorized
disclosures and conflicts with the
mission of the component PSO.
(2) Nondisclosure of patient safety
work product. A component PSO must
require that members of its workforce
and any other contractor staff, or
individuals in, or units of, its parent
organization(s) that receive access in
accordance with paragraph (c)(1)(ii) of
this section to its identifiable patient
safety work product, not be engaged in
work for the parent organization(s) of
which it is a part, if the work could be
informed or influenced by such
individuals’ knowledge of identifiable
patient safety work product, except for
individuals whose other work for the
rest of the parent organization(s) is
solely the provision of clinical care.
(3) No conflict of interest. The pursuit
of the mission of a component PSO
must not create a conflict of interest
PO 00000
Frm 00064
Fmt 4701
Sfmt 4702
with the rest of the parent
organization(s) of which it is a part.
(d) Required notifications. PSOs must
meet the following notification
requirements:
(1) Notification regarding PSO
compliance with the minimum contract
requirement. No later than 45 calendar
days prior to the last day of the
applicable 24-month assessment period,
specified in paragraph (b)(2)(iii) of this
section, the Secretary must receive from
a PSO a certification that states whether
it has met the requirement of that
paragraph regarding two bona fide
contracts, in accordance with § 3.112 of
this subpart.
(2) Notification regarding a PSO’s
relationships with its contracting
providers. A PSO must submit to the
Secretary a disclosure statement, in
accordance with § 3.112 of this subpart,
regarding its relationships with each
provider with which the PSO has a
contract pursuant to the Patient Safety
Act if the circumstances described in
either paragraph (d)(2)(i) or (d)(2)(ii) of
this section are applicable. The
Secretary must receive a disclosure
statement within 45 days of the date on
which a PSO enters a contract with a
provider if the circumstances are met on
the date the contract is entered. During
the contract period, if a PSO
subsequently enters one or more
relationships with a contracting
provider that create the circumstances
described in paragraph (d)(2)(i) of this
section or a provider exerts any control
over the PSO of the type described in
paragraph (d)(2)(ii) of this section, the
Secretary must receive a disclosure
statement from the PSO within 45 days
of the date that the PSO entered each
new relationship or of the date on
which the provider imposed control of
the type described in paragraph
(d)(2)(ii).
(i) Taking into account all
relationships that the PSO has with the
provider, other than the bona fide
contract entered into pursuant to the
Patient Safety Act, the PSO must fully
disclose any other contractual, financial,
or reporting relationships described
below that it has with that provider.
(A) Contractual relationships which
are not limited to relationships based on
formal contracts but also encompass
relationships based on any oral or
written agreement or any arrangement
that imposes responsibilities on the
PSO.
(B) Financial relationships including
any direct or indirect ownership or
investment relationship between the
PSO and the contracting provider,
shared or common financial interests or
direct or indirect compensation
E:\FR\FM\12FEP2.SGM
12FEP2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
arrangement, whether in cash or inkind.
(C) Reporting relationships including
any relationship that gives the provider
access to information or control, directly
or indirectly, over the work of the PSO
that is not available to other contracting
providers.
(ii) Taking into account all
relationships that the PSO has with the
provider, the PSO must fully disclose if
it is not independently managed or
controlled, or if it does not operate
independently from, the contracting
provider. In particular, the PSO must
further disclose whether the contracting
provider has exercised or imposed any
type of management control that could
limit the PSO’s ability to fairly and
accurately perform patient safety
activities and fully describe such
control(s).
(iii) PSOs may also describe or
include in their disclosure statements,
as applicable, any agreements,
stipulations, or procedural safeguards
that have been created to protect the
ability of the PSO to operate
independently or information that
indicates the limited impact or
insignificance of its financial, reporting,
or contractual relationships with a
contracting provider.
hsrobinson on PROD1PC76 with PROPOSALS2
§ 3.104
Secretarial actions.
(a) Actions in response to certification
submissions for initial and continued
listing as a PSO. (1) In response to an
initial or continued certification
submission by an entity, pursuant to the
requirements of § 3.102 of this subpart,
the Secretary may—
(i) Accept the certification submission
and list the entity as a PSO, or maintain
the listing of a PSO, if the Secretary
determines that the entity meets the
applicable requirements of the Patient
Safety Act and this subpart;
(ii) Deny acceptance of a certification
submission and, in the case of a
currently listed PSO, remove the entity
from the list if the entity does not meet
the applicable requirements of the
Patient Safety Act and this subpart; or
(iii) Condition the listing of an entity,
or continued listing of a PSO, following
a determination made pursuant to
paragraph (c) of this section.
(2) Basis of determination. In making
a determination regarding listing, the
Secretary will consider the certification
submission; any prior actions by the
Secretary regarding the entity or PSO
including delisting; any history of or
current non-compliance by the entity or
the PSO with statutory or regulatory
requirements or requests from the
Secretary; the relationships of the entity
or PSO with providers; and any findings
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
made by the Secretary in accordance
with paragraph (c) of this section.
(3) Notification. The Secretary will
notify in writing each entity of action
taken on its certification submission for
initial or continued listing. The
Secretary will provide reasons when an
entity’s certification is conditionally
accepted and the entity is conditionally
listed, when an entity’s certification is
not accepted and the entity is not listed,
or when acceptance of its certification is
revoked and the entity is delisted.
(b) Actions regarding PSO compliance
with the minimum contract
requirement. When the Secretary
receives notification required by
§ 3.102(d)(1) of this subpart that the PSO
has met the minimum contract
requirement, the Secretary will
acknowledge in writing receipt of the
notification and add information to the
list established pursuant to paragraph
(d) of this section stating that the PSO
has certified that it has met the
requirement. If the PSO states that it has
not yet met the minimum contract
requirement, or if notice is not received
by the date specified in § 3.102(d)(1) of
this subpart, the Secretary will issue to
the PSO a notice of a preliminary
finding of deficiency as specified in
§ 3.108(a)(2) and establish a period for
correction that extends until midnight
of the last day of the PSO’s applicable
24-month period of assessment.
Immediately thereafter, if the
requirement has not been met, the
Secretary will provide the PSO a written
notice of proposed revocation and
delisting in accordance with
§ 3.108(a)(3) of this subpart.
(c) Actions regarding required
disclosures by PSOs of relationships
with contracting providers. The
Secretary will review and make findings
regarding each disclosure statement
submitted by a PSO, pursuant to
§ 3.102(d)(2) of this subpart, regarding
its relationships with contracting
provider(s), determine whether such
findings warrant action regarding the
listing of the PSO, and make the
findings public.
(1) Basis of findings regarding PSO
disclosure statements. In reviewing
disclosure statements, submitted
pursuant to § 3.102(d)(2) of this subpart,
the Secretary will consider the nature,
significance, and duration of the
disclosed relationship(s) between the
PSO and the contracting provider and
will determine whether the PSO can
fairly and accurately perform the
required patient safety activities.
(2) Determination by the Secretary.
Based on the Secretary’s review and
findings, he may choose to take any of
the following actions:
PO 00000
Frm 00065
Fmt 4701
Sfmt 4702
8175
(i) For an entity seeking an initial or
continued listing, the Secretary may list
or continue the listing of an entity
without conditions, list the entity
subject to conditions, or deny the
entity’s certification for initial or
continued listing; or
(ii) For a listed PSO, the Secretary
may determine that the entity will
remain listed without conditions,
continue the entity’s listing subject to
conditions, or remove the entity from
listing.
(3) Release of disclosure statements
and Secretarial findings.
(i) Subject to paragraph (c)(3)(ii) of
this section, the Secretary will make
disclosure statements available to the
public along with related findings that
are made available in accordance with
paragraph (c) of this section.
(ii) The Secretary may withhold
information that is exempt from public
disclosure under the Freedom of
Information Act.
(d) Maintaining a list of PSOs. The
Secretary will compile and maintain a
publicly available list of entities whose
certifications as PSOs have been
accepted. The list will include contact
information for each entity, a copy of all
certification forms and disclosure
statements submitted by each entity, the
effective date of the PSO’s listing, and
information on whether a PSO has
certified that it has met the two-contract
requirement. The list also will include
a copy of the Secretary’s findings
regarding each disclosure statement
submitted by an entity, information
describing any related conditions that
have been placed by the Secretary on
the listing of an entity as a PSO, and
other information that this Subpart
states may be made public. AHRQ will
establish a PSO Web site (or a
comparable future form of public notice)
and may post the list on this Web site.
(e) Three-year period of listing. (1)
The period of listing of a PSO will be
for a three-year period, unless the listing
is revoked or relinquished prior to the
expiration of the three-year period, in
accordance with § 3.108 of this subpart.
(2) The Secretary will send a written
notice of imminent expiration to a PSO
at least 45 calendar days prior to the
date on which its three-year period of
listing expires if the Secretary has not
received a certification for continued
listing.
(f) Effective dates of Secretarial
actions. Unless otherwise stated, the
effective date of each action by the
Secretary pursuant to this subpart will
be specified in the written notice of
such action that is sent to the entity.
When the Secretary sends a notice that
addresses acceptance or revocation of an
E:\FR\FM\12FEP2.SGM
12FEP2
8176
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
entity’s certifications or voluntary
relinquishment by an entity of its status
as a PSO, the notice will specify the
effective date and time of listing or
delisting.
hsrobinson on PROD1PC76 with PROPOSALS2
§ 3.106
Security requirements.
(a) Application. A PSO must provide
security for patient safety work product
that conforms to the security
requirements of paragraph (b) of this
section. These requirements must be
met at all times and at any location at
which the PSO, its workforce members,
or its contractors hold patient safety
work product.
(b) Security framework. PSOs must
consider the following framework for
the security of patient safety work
product. The framework includes four
elements: security management,
separation of systems, security
monitoring and control, and system
assessment. To address the four
elements of this framework, a PSO must
develop appropriate and scalable
security standards, policies, and
procedures that are suitable for the size
and complexity of its organization.
(1) Security management. A PSO must
address:
(i) Maintenance and effective
implementation of written policies and
procedures that conform to the
requirements of this section to protect
the confidentiality, integrity, and
availability of the patient safety work
product that is processed, stored, and
transmitted; and to monitor and
improve the effectiveness of such
policies and procedures, and
(ii) Training of the PSO workforce and
PSO contractors who access or hold
patient safety work product regarding
the requirements of the Patient Safety
Act, this Part, and the PSO’s policies
and procedures regarding the
confidentiality and security of patient
safety work product.
(2) Separation of Systems. A PSO
must address:
(i) Maintenance of patient safety work
product, whether in electronic or other
media, physically and functionally
separate from any other system of
records;
(ii) Protection of the media, whether
in electronic, paper, or other format,
that contain patient safety work
product, limiting access to authorized
users, and sanitizing and destroying
such media before disposal or release
for reuse; and
(iii) Physical and environmental
protection, to control and limit physical
and virtual access to places and
equipment where patient safety work
product is stored or used.
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
(3) Security control and monitoring. A
PSO must address:
(i) Identification of those authorized
to have access to patient safety work
product and an audit capacity to detect
unlawful, unauthorized, or
inappropriate access to patient safety
work product, and
(ii) Measures to prevent unauthorized
removal, transmission or disclosure of
patient safety work product.
(4) Security assessment. A PSO must
address:
(i) Periodic assessments of security
risks and controls, as determined
appropriate by the PSO, to establish if
its controls are effective, to correct any
deficiency identified, and to reduce or
eliminate any vulnerabilities.
(ii) System and communications
protection, to monitor, control, and
protect PSO uses, communications, and
transmissions involving patient safety
work product to and from providers and
any other responsible persons.
§ 3.108 Correction of deficiencies,
revocation, and voluntary relinquishment.
(a) Process for correction of a
deficiency and revocation—(1)
Circumstances leading to revocation.
The Secretary may revoke his
acceptance of an entity’s certification
and delist the entity as a PSO if he
determines—
(i) The PSO is not fulfilling the
certifications it made to the Secretary
that are set forth in § 3.102 of this
subpart;
(ii) The PSO has not timely notified
the Secretary that it has met the two
contract requirement, as required by
§ 3.102(d)(1) of this subpart;
(iii) The Secretary, based on a PSO’s
disclosures made pursuant to
§ 3.102(d)(2) of this subpart, makes a
public finding that the entity cannot
fairly and accurately perform the patient
safety activities of a PSO; or
(iv) The PSO is not in compliance
with any other provision of the Patient
Safety Act or this Part.
(2) Notice of preliminary finding of
deficiency and establishment of an
opportunity for correction of a
deficiency. (i) If the Secretary
determines that a PSO is not in
compliance with its obligations under
the Patient Safety Act or this Subpart,
the Secretary must send a PSO written
notice of the preliminary finding of
deficiency. The notice must state the
actions or inactions that encompass the
deficiency finding, outline the evidence
that the deficiency exists, specify the
possible and/or required corrective
actions that must be taken, and establish
a date by which the deficiency must be
corrected. The Secretary may specify in
PO 00000
Frm 00066
Fmt 4701
Sfmt 4702
the notice the level of documentation
required to demonstrate that the
deficiency has been corrected.
(ii) The notice of a preliminary
finding of deficiency is presumed
received five days after it is sent, absent
evidence of the actual receipt date. If a
PSO does not submit evidence to the
Secretary within 14 calendar days of
actual or constructive receipt of such
notice, whichever is longer, which
demonstrates that the preliminary
finding is factually incorrect, the
preliminary finding will be the basis for
a finding of deficiency.
(3) Determination of correction of a
deficiency. (i) Unless the Secretary
specifies another date, the Secretary
must receive documentation to
demonstrate that the PSO has corrected
the deficiency no later than five
calendar days following the last day of
the correction period, that is specified
by the Secretary in the notice of
preliminary finding of deficiency.
(ii) In making a determination
regarding the correction of any
deficiency, the Secretary will consider
the documentation submitted by the
PSO, the findings of any site visit that
he determines is necessary or
appropriate, recommendations of
program staff, and any other information
available regarding the PSO that the
Secretary deems appropriate and
relevant to the PSO’s implementation of
the terms of its certification.
(iii) After completing his review, the
Secretary may make one of the
following determinations:
(A) The action(s) taken by the PSO
have corrected any deficiency, in which
case the Secretary will withdraw the
notice of deficiency and so notify the
PSO;
(B) The PSO has acted in good faith
to correct the deficiency but the
Secretary finds an additional period of
time is necessary to achieve full
compliance and/or the required
corrective action specified in the notice
of a preliminary finding of deficiency
needs to be modified in light of the
experience of the PSO in attempting to
implement the corrective action, in
which case the Secretary will extend the
period for correction and/or modify the
specific corrective action required; or
(C) The PSO has not completed the
corrective action because it has not
acted with reasonable diligence or speed
to ensure that the corrective action was
completed within the allotted time, in
which case the Secretary will issue to
the PSO a notice of proposed revocation
and delisting.
(iv) When the Secretary issues a
written notice of proposed revocation
and delisting, the notice will specify the
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
deficiencies that have not been timely
corrected and will detail the manner in
which the PSO may exercise its
opportunity to be heard in writing to
respond to the deficiencies specified in
the notice.
(4) Opportunity to be heard in writing
following a notice of proposed
revocation and delisting. The Secretary
will afford a PSO an opportunity to be
heard in writing, as specified in
paragraph (a)(4)(i) of this section, to
provide a substantive response to the
deficiency finding(s) set forth in the
notice of proposed revocation and
delisting.
(i) The notice of proposed revocation
and delisting is presumed received five
days after it is sent, absent evidence of
actual receipt. The Secretary will
provide a PSO with a period of time,
beginning with the date of receipt of the
notice of proposed revocation and
delisting of which there is evidence, or
the presumed date of receipt if there is
no evidence of earlier receipt, and
ending at midnight 30 calendar days
thereafter, during which the PSO can
submit a substantive response to the
deficiency findings in writing.
(ii) The Secretary will provide to the
PSO rules of procedure governing the
form or transmission of the written
response to the notice of proposed
revocation and delisting. The Rules may
also be posted on the AHRQ PSO Web
site or published in the Federal
Register.
(iii) If a PSO does not submit a written
response to the deficiency finding(s)
within 30 calendar days of receipt of the
notice of proposed revocation and
delisting, the notice of proposed
revocation becomes final as a matter of
law and the basis for Secretarial action
under paragraph (b)(1) of this section.
(5) The Secretary’s decision regarding
revocation. The Secretary will review
the entire administrative record
pertaining to a notice of proposed
revocation and delisting and any written
materials submitted by the PSO under
paragraph (a)(4) of this section. The
Secretary may affirm, reverse, or modify
the notice of proposed revocation and
delisting and will make a determination
with respect to the continued listing of
the PSO.
(b) Revocation of the Secretary’s
acceptance of a PSO’s certifications—(1)
Establishing revocation for cause. When
the Secretary concludes, in accordance
with a decision made under paragraph
(a)(5) of this section, that revocation of
the acceptance of a PSO’s certification is
warranted for its failure to comply with
requirements of the Patient Safety Act or
of this Subpart, the Secretary will
establish the time and date for the
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
prompt revocation and removal of the
entity from the list of PSOs, so notify
the PSO in writing, and provide the
relevant public notice required by
§ 3.108(d) of this subpart.
(2) Required notification of providers
and status of data. Within 15 days of
being notified of the Secretary’s action
pursuant to paragraph (b)(1) of this
section, an entity subject to paragraph
(b)(1) of this section will submit to the
Secretary confirmation that it has taken
all reasonable actions to notify each
provider, whose patient safety work
product it collected or analyzed, of the
Secretary’s action(s). Confidentiality
and privilege protections that applied to
patient safety work product while the
former PSO was listed continue to apply
after the entity is removed from listing.
Data submitted by providers to the
former PSO within 30 calendar days of
the date on which it is removed from
the list of PSOs pursuant to paragraph
(b)(1) of this section will have the same
status as data submitted while the entity
was still listed.
(3) Disposition of patient safety work
product and data. Following revocation
and delisting pursuant to paragraph
(b)(1) of this section, the former PSO
will take one or more of the following
measures:
(i) Transfer such patient safety work
product or data, with the approval of the
source from which it was received, to a
PSO that has agreed to receive such
patient safety work product or data;
(ii) Return such work product or data
to the source from which it was
submitted; or
(iii) If returning such patient safety
work product or data to its source is not
practicable, destroy such patient safety
work product or data.
(c) Voluntary relinquishment—(1)
Circumstances constituting voluntary
relinquishment. A PSO will be
considered to have voluntarily
relinquished its status as a PSO if the
Secretary accepts a notification from a
PSO that it wishes to relinquish
voluntarily its listing as a PSO or the
Secretary determines that an implied
voluntary relinquishment has taken
place because the period of listing of a
PSO has expired without receipt of a
timely submission of certifications for
continued listing.
(2) Notification of voluntary
relinquishment. A PSO’s notification of
voluntary relinquishment to the
Secretary must include the following:
(i) An attestation that all reasonable
efforts have been made, or will have
been made by a PSO within 15 calendar
days of this statement, to notify the
sources from which it received patient
safety work product or data of the PSO’s
PO 00000
Frm 00067
Fmt 4701
Sfmt 4702
8177
intention to cease operations, to
relinquish voluntarily its status as a
PSO, to request that these other entities
cease reporting or submitting any
further information to the PSO as soon
as possible, and inform them that any
data submitted after the effective date
and time of delisting, that the Secretary
sets pursuant to paragraph (c)(3) of this
section, will not be protected as patient
safety work product under the Patient
Safety Act based upon such
submissions;
(ii) An attestation that the entity has
established a plan, or within 15
calendar days of this statement, will
have made all reasonable efforts to
establish a plan, in consultation with
the sources from which it received
patient safety work product or data, that
provides for the disposition of such
patient safety work product or data
consistent with, to the extent
practicable, the statutory options for
disposition of patient safety work
product or data as set out in paragraphs
(b)(3)(i) through (iii) of this section; and
(iii) Appropriate contact information
for further communications from the
Secretary.
(3) Response to notification of
voluntary relinquishment. (i) After a
PSO provides the notification required
by paragraph (c)(2) of this section, the
Secretary will respond in writing to the
entity indicating whether the proposed
voluntary relinquishment of its PSO
status is accepted. If the voluntary
relinquishment is accepted, the
Secretary’s response will indicate an
effective date and time for the entity’s
removal from the list of PSOs and will
provide public notice of the delisting, in
accordance with § 3.108(d) of this
subpart.
(ii) If the Secretary receives a
notification of voluntary relinquishment
during or immediately after revocation
proceedings for cause under paragraphs
(a)(4) and (a)(5) of this section, the
Secretary, as a matter of discretion, may
accept voluntary relinquishment in
accordance with the preceding
paragraph or decide not to accept the
entity’s proposed voluntary
relinquishment and proceed with the
revocation for cause and delisting
pursuant to paragraph (b)(1) of this
section.
(4) Implied voluntary relinquishment.
(i) If the period of listing of a PSO lapses
without timely receipt and acceptance
by the Secretary of a certification
seeking continued listing or timely
receipt of a notification of voluntary
relinquishment of its PSO status in
accordance with paragraph (c)(2) of this
section, the Secretary will determine
that voluntary relinquishment has
E:\FR\FM\12FEP2.SGM
12FEP2
8178
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
occurred and will remove the entity
from the list of PSOs effective as of
midnight on the last day of its three-year
period of listing. The Secretary will take
reasonable measures to notify the entity
of its delisting and will provide public
notice of the delisting in accordance
with § 3.108(d) of this subpart.
(ii) The Secretary will request in the
notice to the entity that it make
reasonable efforts to comply with the
requirements of paragraph (c)(2) of this
section with respect to notification,
appropriate disposition of patient safety
work product, and the provision of
contact information to the Secretary.
(5) Non-applicability of certain
procedures and requirements. (i) A
decision by the Secretary to accept a
request by a PSO to relinquish
voluntarily its status as a PSO pursuant
to paragraph (c)(2) of this section or a
decision that voluntary relinquishment
has occurred pursuant to paragraph
(c)(4) of this section does not constitute
a determination of a deficiency in PSO
compliance with the Patient Safety Act
or with this Subpart and no opportunity
for corrective action by the PSO is
required.
(ii) The procedures and requirements
of § 3.108(a) of this subpart regarding
deficiencies including the opportunity
to be heard in writing, and those that are
based upon determinations of the
Secretary pursuant to § 3.108(b)(1) of
this subpart are not applicable to
determinations of the Secretary made
pursuant to paragraph (c) of this section.
(d) Public notice of delisting regarding
removal from listing. If the Secretary
removes an entity from the list of PSOs
following revocation of acceptance of
the entity’s certification pursuant to
§ 3.108(b)(1) of this subpart or following
a determination of voluntary
relinquishment pursuant to § 3.108(c)(3)
or (c)(4) of this subpart, the Secretary
will promptly publish in the Federal
Register and on the AHRQ PSO Web
site, or in a comparable future form of
public notice, established pursuant to
§ 3.104(d) of this subpart, a notice of the
actions taken and the effective dates.
hsrobinson on PROD1PC76 with PROPOSALS2
§ 3.110
Assessment of PSO compliance.
The Secretary may request
information or conduct announced or
unannounced reviews of or site visits to
PSOs, to assess or verify PSO
compliance with the requirements of
this subpart and for these purposes will
be allowed to inspect the physical or
virtual sites maintained or controlled by
the PSO. The Secretary will be allowed
to inspect and/or be given or sent copies
of any PSO records deemed necessary
and requested by the Secretary to
implement the provisions of this
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
subpart. Such PSO records may include
patient safety work product in
accordance with § 3.206(d) of this
subpart.
§ 3.112
Submissions and forms.
(a) Forms referred to in this subpart
may be obtained on the AHRQ PSO Web
site or a comparable future form of
public notice or by requesting them in
writing by e-mail at
psimplement@ahrq.hhs.gov, or by mail
from the Agency for Healthcare
Research and Quality, CQuIPS, PSO
Liaison, 540 Gaither Road, Rockville,
MD 20850. A form (including any
required attachments) must be
submitted in accordance with the
accompanying instructions.
(b) Information submitted to AHRQ in
writing, but not required to be on a
form, and requests for information from
AHRQ, may be submitted by mail or
other delivery to the Agency for
Healthcare Research and Quality,
CQuIPS, PSO Liaison, 540 Gaither Road,
Rockville, MD 20850, by facsimile at
(301) 427–1341, or by e-mail at
psimplement@ahrq.hhs.gov.
(c) If a submission to the Secretary is
incomplete or additional information is
needed to allow a determination to be
made under this subpart, the submitter
will be notified if any additional
information is required.
Subpart C—Confidentiality and
Privilege Protections of Patient Safety
Work Product
§ 3.204 Privilege of Patient Safety Work
Product
(a) Privilege. Notwithstanding any
other provision of Federal, State, local,
or tribal law and subject to paragraph (b)
of this section and § 3.208 of this
subpart, patient safety work product
shall be privileged and shall not be:
(1) Subject to a Federal, State, local,
or tribal civil, criminal, or
administrative subpoena or order,
including in a Federal, State, local, or
tribal civil or administrative
disciplinary proceeding against a
provider;
(2) Subject to discovery in connection
with a Federal, State, local, or tribal
civil, criminal, or administrative
proceeding, including in a Federal,
State, local, or tribal civil or
administrative disciplinary proceeding
against a provider;
(3) Subject to disclosure pursuant to
section 552 of Title 5, United States
Code (commonly known as the Freedom
of Information Act) or any other similar
Federal, State, local, or tribal law;
(4) Admitted as evidence in any
Federal, State, local, or tribal
PO 00000
Frm 00068
Fmt 4701
Sfmt 4702
governmental civil proceeding, criminal
proceeding, administrative rulemaking
proceeding, or administrative
adjudicatory proceeding, including any
such proceeding against a provider; or
(5) Admitted in a professional
disciplinary proceeding of a
professional disciplinary body
established or specifically authorized
under State law.
(b) Exceptions to privilege. Privilege
shall not apply to (and shall not be
construed to prohibit) one or more of
the following disclosures:
(1) Disclosure of relevant patient
safety work product for use in a
criminal proceeding, subject to the
conditions at § 3.206(b)(1) of this
subpart.
(2) Disclosure to the extent required to
permit equitable relief subject to the
conditions at § 3.206(b)(2) of this
subpart.
(3) Disclosure pursuant to provider
authorizations subject to the conditions
at § 3.206(b)(3) of this subpart.
(4) Disclosure of non-identifiable
patient safety work product subject to
the conditions at § 3.206(b)(5) of this
subpart.
(c) Implementation and Enforcement
of the Patient Safety Act. Privilege shall
not apply to (and shall not be construed
to prohibit) disclosures of relevant
patient safety work product to or by the
Secretary if such patient safety work
product is needed to investigate or
determine compliance with this part or
is needed in seeking or imposing civil
money penalties, or in making or
supporting PSO certification or listing
decisions, under the Patient Safety Act.
§ 3.206 Confidentiality of Patient Safety
Work Product.
(a) Confidentiality. Subject to
paragraphs (b) through (e) of this
section, and §§ 3.208 and 3.210 of this
subpart, patient safety work product
shall be confidential and shall not be
disclosed.
(b) Exceptions to confidentiality. The
confidentiality provisions shall not
apply to (and shall not be construed to
prohibit) one or more of the following
disclosures:
(1) Criminal proceedings. Disclosure
of relevant patient safety work product
for use in a criminal proceeding, but
only after a court makes an in camera
determination that:
(i) Such patient safety work product
contains evidence of a criminal act;
(ii) Such patient safety work product
is material to the proceeding; and
(iii) Such patient safety work product
is not reasonably available from any
other source.
(2) Equitable relief for reporters.
Disclosure of patient safety work
E:\FR\FM\12FEP2.SGM
12FEP2
hsrobinson on PROD1PC76 with PROPOSALS2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
product to the extent required to permit
equitable relief under section 922
(f)(4)(A) of the Public Health Service
Act.
(3) Authorized by identified providers.
(i) Disclosure of identifiable patient
safety work product consistent with a
valid authorization if such authorization
is obtained from each provider
identified in such work product prior to
disclosure. A valid authorization must:
(A) Be in writing and signed by the
provider from whom authorization is
sought; and
(B) Contain sufficient detail to fairly
inform the provider of the nature and
scope of the disclosures being
authorized;
(ii) A valid authorization must be
retained by the disclosing entity for six
years from the date of the last disclosure
made in reliance on the authorization
and made available to the Secretary
upon request.
(4) Patient safety activities—(i)
Disclosure between a provider and a
PSO. Disclosure of patient safety work
product for patient safety activities by a
provider to a PSO or by a PSO to that
disclosing provider.
(ii) Disclosure to a contractor of a
provider or a PSO. A provider or a PSO
may disclose patient safety work
product for patient safety activities to an
entity with which it has contracted to
undertake patient safety activities on its
behalf. A contractor receiving patient
safety work product for patient safety
activities may not further disclose
patient safety work product, except to
the entity with which it is contracted.
(iii) Disclosure by a PSO to another
PSO or by a provider to another
provider. Disclosure of patient safety
work product for patient safety activities
by a PSO to another PSO or to another
provider that has reported to the PSO,
or by a provider to another provider,
provided:
(A) The following direct identifiers of
any providers and of affiliated
organizations, corporate parents,
subsidiaries, practice partners,
employers, members of the workforce,
or household members of such
providers are removed:
(1) Names;
(2) Postal address information, other
than town or city, State and zip code;
(3) Telephone numbers;
(4) Fax numbers;
(5) Electronic mail addresses;
(6) Social security numbers or
taxpayer identification numbers;
(7) Provider or practitioner
credentialing or DEA numbers;
(8) National provider identification
number;
(9) Certificate/license numbers;
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
(10) Web Universal Resource Locators
(URLs);
(11) Internet Protocol (IP) address
numbers;
(12) Biometric identifiers, including
finger and voice prints; and
(13) Full face photographic images
and any comparable images; and
(B) With respect to any individually
identifiable health information in such
patient safety work product, the direct
identifiers listed at 45 CFR 164.514(e)(2)
have been removed.
(5) Disclosure of nonidentifiable
patient safety work product. Disclosure
of nonidentifiable patient safety work
product when patient safety work
product meets the standard for
nonidentification in accordance with
§ 3.212 of this subpart.
(6) For research. (i) Disclosure of
patient safety work product to persons
carrying out research, evaluation or
demonstration projects authorized,
funded, certified, or otherwise
sanctioned by rule or other means by
the Secretary, for the purpose of
conducting research.
(ii) If the patient safety work product
disclosed pursuant to paragraph (b)(6)(i)
of this section is by a HIPAA covered
entity as defined at 45 CFR 160.103 and
contains protected health information as
defined by the HIPAA Privacy Rule at
45 CFR 160.103, such patient safety
work product may only be disclosed
under this exception in the same
manner as would be permitted under
the HIPAA Privacy Rule at 45 CFR
164.512(i).
(7) To the Food and Drug
Administration (FDA).
(i) Disclosure by a provider of patient
safety work product concerning an FDAregulated product or activity to the FDA
or to an entity required to report to the
FDA concerning the quality, safety, or
effectiveness of an FDA-regulated
product or activity.
(ii) The FDA and any entity receiving
patient safety work product pursuant to
paragraph (b)(7)(i) of this section may
only further disclose such patient safety
work product for the purpose of
evaluating the quality, safety, or
effectiveness of that product or activity
between each other, their contractors,
and the disclosing provider. A
contractor receiving patient safety work
product pursuant to this paragraph may
not further disclose patient safety work
product, except to the entity from which
it received the patient safety work
product.
(8) Voluntary disclosure to an
accrediting body.
(i) Voluntary disclosure by a provider
of patient safety work product that
identifies that provider to an accrediting
PO 00000
Frm 00069
Fmt 4701
Sfmt 4702
8179
body that accredits that provider. Such
accrediting body may not further
disclose such patient safety work
product.
(ii) An accrediting body may not take
an accrediting action against a provider
based on a good faith participation of
the provider in the collection,
development, reporting, or maintenance
of patient safety work product in
accordance with this Part. An
accrediting body may not require a
provider to reveal its communications
with any PSO.
(9) Business operations. (i) Disclosure
of patient safety work product by a
provider or a PSO for business
operations to attorneys, accountants,
and other professionals. Such
contractors may not further disclose
patient safety work product, except to
the entity from which they received the
information.
(ii) Disclosure of patient safety work
product for such other business
operations that the Secretary may
prescribe by regulation as consistent
with the goals of this part.
(10) Disclosure to law enforcement.
(i) Disclosure of patient safety work
product to an appropriate law
enforcement authority relating to an
event that either constitutes the
commission of a crime, or for which the
disclosing person reasonably believes
constitutes the commission of a crime,
provided that the disclosing person
believes, reasonably under the
circumstances, that the patient safety
work product that is disclosed is
necessary for criminal law enforcement
purposes.
(ii) Law enforcement personnel
receiving patient safety work product
pursuant to paragraph (b)(10)(i) of this
section may disclose that patient safety
work product to other law enforcement
authorities as needed for law
enforcement activities related to the
event that gave rise to the disclosure
under paragraph (b)(10)(i) of this
section.
(c) Safe harbor. A provider or
responsible person, but not a PSO, is not
considered to have violated the
requirements of this subpart if a member
of its workforce discloses patient safety
work product, provided that the
disclosure does not include materials,
including oral statements, that:
(1) Assess the quality of care of an
identifiable provider; or
(2) Describe or pertain to one or more
actions or failures to act by an
identifiable provider.
(d) Implementation and Enforcement
of the Patient Safety Act. The
confidentiality provisions shall not
apply to (and shall not be construed to
E:\FR\FM\12FEP2.SGM
12FEP2
8180
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
prohibit) disclosures of relevant patient
safety work product to or by the
Secretary if such patient safety work
product is needed to investigate or
determine compliance with this part or
is needed in seeking and imposing civil
money penalties, or in making or
supporting PSO certification or listing
decisions, under the Patient Safety Act.
(e) No limitation on authority to limit
or delegate disclosure or use. Nothing in
subpart C of this part shall be construed
to limit the authority of any person to
enter into a contract requiring greater
confidentiality or delegating authority to
make a disclosure or use in accordance
with this subpart.
§ 3.208 Continued protection of Patient
Safety Work Product.
(a) Except as provided in paragraph
(b) of this section, patient safety work
product disclosed in accordance with
this subpart, or disclosed
impermissibly, shall continue to be
privileged and confidential.
(b)(1) Patient safety work product
disclosed for use in a criminal
proceeding pursuant to section
922(c)(1)(A) of the Public Health Service
Act and/or pursuant to § 3.206(b)(1) of
this subpart continues to be privileged,
but is no longer confidential.
(2) Non-identifiable patient safety
work product that is disclosed is no
longer privileged or confidential and not
subject to the regulations under this
part.
(3) Paragraph (b) of this section
applies only to the specific patient
safety work product disclosed.
§ 3.210 Required disclosure of Patient
Safety Work Product to the Secretary.
Providers, PSOs, and responsible
persons must disclose patient safety
work product upon request by the
Secretary when the Secretary
determines such patient safety work
product is needed to investigate or
determine compliance with this part or
is needed in seeking and imposing civil
money penalties or making
determinations on certifying and listing
PSOs.
hsrobinson on PROD1PC76 with PROPOSALS2
§ 3.212 Nonidentification of Patient Safety
Work Product.
(a) Patient safety work product is
nonidentifiable with respect to a
particular identified provider or a
particular identified reporter if:
(1) A person with appropriate
knowledge of and experience with
generally accepted statistical and
scientific principles and methods for
rendering information not individually
identifiable:
(i) Applying such principles and
methods, determines that the risk is
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
very small that the information could be
used, alone or in combination with
other reasonably available information,
by an anticipated recipient to identify
an identified provider or reporter; and
(ii) Documents the methods and
results of the analysis that justify such
determination; or
(2)(i) The following identifiers of such
provider or reporter and of affiliated
organizations, corporate parents,
subsidiaries, practice partners,
employers, members of the workforce,
or household members of such
providers or reporters are removed:
(A) Names;
(B) Geographic subdivisions smaller
than a State, including street address,
city, county, precinct, zip code and
equivalent geocodes, except for the
initial three digits of a zip code if,
according to the current publicly
available data from the Bureau of the
Census, the geographic unit formed by
combining all zip codes with the same
three initial digits contains more than
20,000 people;
(C) All elements of dates (except year)
for dates directly related to a patient
safety incident or event;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers or
taxpayer identification numbers;
(H) Provider or practitioner
credentialing or DEA numbers;
(I) National provider identification
number;
(J) Certificate/license numbers;
(K) Web Universal Resource Locators
(URLs);
(L) Internet Protocol (IP) address
numbers;
(M) Biometric identifiers, including
finger and voice prints;
(N) Full face photographic images and
any comparable images; and,
(O) Any other unique identifying
number, characteristic, or code except
as permitted for re-identification; and
(ii) The provider, PSO or responsible
person making the disclosure does not
have actual knowledge that the
information could be used, alone or in
combination with other information that
is reasonably available to the intended
recipient, to identify the particular
provider or reporter.
(3) Re-identification. A provider, PSO,
or responsible person may assign a code
or other means of record identification
to allow information made
nonidentifiable under this section to be
re-identified by such provider, PSO, or
responsible person, provided that:
(i) The code or other means of record
identification is not derived from or
related to information about the
PO 00000
Frm 00070
Fmt 4701
Sfmt 4702
provider or reporter and is not
otherwise capable of being translated so
as to identify the provider or reporter;
and
(ii) The provider, PSO, or responsible
person does not use or disclose the code
or other means of record identification
for any other purpose, and does not
disclose the mechanism for reidentification.
(b) Patient safety work product is nonidentifiable with respect a particular
patient only if the individually
identifiable health information
regarding that patient is de-identified in
accordance with the HIPAA Privacy
Rule standard and implementation
specifications for the de-identification at
45 CFR 164.514 (a) through (c).
Subpart D—Enforcement Program
§ 3.304 Principles for achieving
compliance.
(a) Cooperation. The Secretary will, to
the extent practicable, seek the
cooperation of providers, PSOs, and
responsible persons in obtaining
compliance with the applicable
confidentiality provisions.
(b) Assistance. The Secretary may
provide technical assistance to
providers, PSOs, and responsible
persons to help them comply
voluntarily with the applicable
confidentiality provisions.
§ 3.306
Complaints to the Secretary.
(a) Right to file a complaint. A person
who believes that patient safety work
product has been disclosed in violation
of the confidentiality provisions may
file a complaint with the Secretary.
(b) Requirements for filing
complaints. Complaints under this
section must meet the following
requirements:
(1) A complaint must be filed in
writing, either on paper or
electronically.
(2) A complaint must name the person
that is the subject of the complaint and
describe the act(s) believed to be in
violation of the applicable
confidentiality provision(s).
(3) A complaint must be filed within
180 days of when the complainant knew
or should have known that the act
complained of occurred, unless this
time limit is waived by the Secretary for
good cause shown.
(4) The Secretary may prescribe
additional procedures for the filing of
complaints, as well as the place and
manner of filing, by notice in the
Federal Register.
(c) Investigation. The Secretary may
investigate complaints filed under this
section. Such investigation may include
E:\FR\FM\12FEP2.SGM
12FEP2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
a review of the pertinent policies,
procedures, or practices of the
respondent and of the circumstances
regarding any alleged violation. At the
time of initial written communication
with the respondent about the
complaint, the Secretary will describe
the act(s) that are the basis of the
complaint.
§ 3.308
Compliance reviews.
The Secretary may conduct
compliance reviews to determine
whether a respondent is complying with
the applicable confidentiality
provisions.
§ 3.310
Responsibilities of respondents.
hsrobinson on PROD1PC76 with PROPOSALS2
(a) Provide records and compliance
reports. A respondent must keep such
records and submit such compliance
reports, in such time and manner and
containing such information, as the
Secretary may determine to be necessary
to enable the Secretary to ascertain
whether the respondent has complied or
is complying with the applicable
confidentiality provisions.
(b) Cooperate with complaint
investigations and compliance reviews.
A respondent must cooperate with the
Secretary, if the Secretary undertakes an
investigation or compliance review of
the policies, procedures, or practices of
the respondent to determine whether it
is complying with the applicable
confidentiality provisions.
(c) Permit access to information. (1) A
respondent must permit access by the
Secretary during normal business hours
to its facilities, books, records, accounts,
and other sources of information,
including patient safety work product,
that are pertinent to ascertaining
compliance with the applicable
confidentiality provisions. If the
Secretary determines that exigent
circumstances exist, such as when
documents may be hidden or destroyed,
a respondent must permit access by the
Secretary at any time and without
notice.
(2) If any information required of a
respondent under this section is in the
exclusive possession of any other
agency, institution, or person, and the
other agency, institution, or person fails
or refuses to furnish the information, the
respondent must so certify and set forth
what efforts it has made to obtain the
information.
§ 3.312 Secretarial action regarding
complaints and compliance reviews.
(a) Resolution when noncompliance is
indicated. (1) If an investigation of a
complaint pursuant to § 3.306 of this
subpart or a compliance review
pursuant to § 3.308 of this subpart
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
indicates noncompliance, the Secretary
may attempt to reach a resolution of the
matter satisfactory to the Secretary by
informal means. Informal means may
include demonstrated compliance or a
completed corrective action plan or
other agreement.
(2) If the matter is resolved by
informal means, the Secretary will so
inform the respondent and, if the matter
arose from a complaint, the
complainant, in writing.
(3) If the matter is not resolved by
informal means, the Secretary will—
(i) So inform the respondent and
provide the respondent an opportunity
to submit written evidence of any
mitigating factors. The respondent must
submit any evidence to the Secretary
within 30 days (computed in the same
manner as prescribed under § 3.504(l) of
this subpart) of receipt of such
notification; and
(ii) If, following action pursuant to
paragraph (a)(3)(i) of this section, the
Secretary decides that a civil money
penalty should be imposed, inform the
respondent of such finding in a notice
of proposed determination in
accordance with § 3.420 of this subpart.
(b) Resolution when no violation is
found. If, after an investigation pursuant
to § 3.306 of this subpart or a
compliance review pursuant to § 3.308
of this subpart, the Secretary determines
that further action is not warranted, the
Secretary will so inform the respondent
and, if the matter arose from a
complaint, the complainant, in writing.
(c) Uses and disclosures of
information obtained. (1) Identifiable
patient safety work product obtained by
the Secretary in connection with an
investigation or compliance review
under this subpart will not be disclosed
by the Secretary, except in accordance
with § 3.206(d) of this subpart, or if
otherwise permitted by this part or the
Patient Safety Act.
(2) Except as provided for in
paragraph (c)(1) of this section,
information, including testimony and
other evidence, obtained by the
Secretary in connection with an
investigation or compliance review
under this subpart may be used by HHS
in any of its activities and may be used
or offered into evidence in any
administrative or judicial proceeding.
§ 3.314 Investigational subpoenas and
inquiries.
(a) The Secretary may issue
subpoenas in accordance with 42 U.S.C.
405(d) and (e), and 1320a–7a(j), to
require the attendance and testimony of
witnesses and the production of any
other evidence including patient safety
work product during an investigation or
PO 00000
Frm 00071
Fmt 4701
Sfmt 4702
8181
compliance review pursuant to this part.
The Secretary will issue and serve
subpoenas pursuant to this subpart in
accordance with 45 CFR 160.314(a)(1)
through (5), except the term ‘‘this part’’
shall refer to 42 CFR part 3.
(b) Investigational inquiries are nonpublic investigational proceedings
conducted by the Secretary. The
Secretary will conduct investigational
proceedings in accordance with 45 CFR
160.314(b)(1) through (9).
§ 3.402
Basis for a civil money penalty.
(a) General rule. A person who
discloses identifiable patient safety
work product in knowing or reckless
violation of the confidentiality
provisions shall be subject to a civil
money penalty for each act constituting
such violation.
(b) Violation attributed to a principal.
A principal is independently liable, in
accordance with the federal common
law of agency, for a civil money penalty
based on the act of the principal’s agent,
including a workforce member, acting
within the scope of the agency if such
act could give rise to a civil money
penalty in accordance with § 3.402(a) of
this subpart.
§ 3.404
Amount of a civil money penalty.
(a) The amount of a civil money
penalty will be determined in
accordance with paragraph (b) of this
section and § 3.408 of this subpart.
(b) The Secretary may impose a civil
money penalty in the amount of not
more than $10,000.
§ 3.408 Factors considered in determining
the amount of a civil money penalty.
In determining the amount of any
civil money penalty, the Secretary may
consider as aggravating or mitigating
factors, as appropriate, any of the
following:
(a) The nature of the violation.
(b) The circumstances, including the
consequences, of the violation,
including:
(1) The time period during which the
violation(s) occurred; and
(2) Whether the violation caused
physical or financial harm or
reputational damage;
(c) The degree of culpability of the
respondent, including:
(1) Whether the violation was
intentional; and
(2) Whether the violation was beyond
the direct control of the respondent.
(d) Any history of prior compliance
with the Patient Safety Act, including
violations, by the respondent, including:
(1) Whether the current violation is
the same or similar to prior violation(s);
E:\FR\FM\12FEP2.SGM
12FEP2
8182
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
(2) Whether and to what extent the
respondent has attempted to correct
previous violations;
(3) How the respondent has
responded to technical assistance from
the Secretary provided in the context of
a compliance effort; and
(4) How the respondent has
responded to prior complaints.
(e) The financial condition of the
respondent, including:
(1) Whether the respondent had
financial difficulties that affected its
ability to comply;
(2) Whether the imposition of a civil
money penalty would jeopardize the
ability of the respondent to continue to
provide health care or patient safety
activities; and
(3) The size of the respondent.
(f) Such other matters as justice may
require.
(6) Instructions for responding to the
notice, including a statement of the
respondent’s right to a hearing, a
statement that failure to request a
hearing within 60 days permits the
imposition of the proposed penalty
without the right to a hearing under
§ 3.504 of this subpart or a right of
appeal under § 3.504(v) of this subpart,
and the address to which the hearing
request must be sent.
(b) The respondent may request a
hearing before an ALJ on the proposed
penalty by filing a request in accordance
with § 3.504 of this subpart.
§ 3.422
Failure to request a hearing.
Nothing in this subpart limits the
authority of the Secretary to settle any
issue or case or to compromise any
penalty.
If the respondent does not request a
hearing within the time prescribed by
§ 3.504 of this subpart and the matter is
not settled pursuant to § 3.416 of this
subpart, the Secretary may impose the
proposed penalty or any lesser penalty
permitted by 42 U.S.C. 299b–21 through
299b–26. The Secretary will notify the
respondent by certified mail, return
receipt requested, of any penalty that
has been imposed and of the means by
which the respondent may satisfy the
penalty, and the penalty is final on
receipt of the notice. The respondent
has no right to appeal a penalty under
§ 3.504(v) of this subpart with respect to
which the respondent has not timely
requested a hearing.
§ 3.418
§ 3.424
§ 3.414
Limitations.
No action under this subpart may be
entertained unless commenced by the
Secretary, in accordance with § 3.420 of
this subpart, within 6 years from the
date of the occurrence of the violation.
§ 3.416
Authority to settle.
Exclusivity of penalty.
(a) Except as otherwise provided by
paragraph (b) of this section, a penalty
imposed under this part is in addition
to any other penalty prescribed by law.
(b) Civil money penalties shall not be
imposed both under this part and under
the HIPAA Privacy Rule (45 CFR parts
160 and 164).
hsrobinson on PROD1PC76 with PROPOSALS2
§ 3.420
Notice of proposed determination.
(a) If a penalty is proposed in
accordance with this part, the Secretary
must deliver, or send by certified mail
with return receipt requested, to the
respondent, written notice of the
Secretary’s intent to impose a penalty.
This notice of proposed determination
must include:
(1) Reference to the statutory basis for
the penalty;
(2) A description of the findings of
fact regarding the violations with
respect to which the penalty is
proposed;
(3) The reason(s) why the violation(s)
subject(s) the respondent to a penalty;
(4) The amount of the proposed
penalty;
(5) Any factors described in § 3.408 of
this subpart that were considered in
determining the amount of the proposed
penalty; and
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
Collection of penalty.
Once a determination of the Secretary
to impose a penalty has become final,
the penalty will be collected by the
Secretary in accordance with 45 CFR
160.424, except the term ‘‘this part’’
shall refer to 42 CFR Part 3.
§ 3.426 Notification of the public and other
agencies.
Whenever a proposed penalty
becomes final, the Secretary will notify,
in such manner as the Secretary deems
appropriate, the public and the
following organizations and entities
thereof and the reason it was imposed:
The appropriate State or local medical
or professional organization, the
appropriate State agency or agencies
administering or supervising the
administration of State health care
programs (as defined in 42 U.S.C.
1320a–7(h)), the appropriate utilization
and quality control peer review
organization, and the appropriate State
or local licensing agency or organization
(including the agency specified in 42
U.S.C. 1395aa(a), 1396a(a)(33)).
§ 3.504
Procedures for hearings.
(a) Hearings before an ALJ. A
respondent may request a hearing before
an ALJ. Hearings must be requested in
accordance with 45 CFR 160.504(a)
PO 00000
Frm 00072
Fmt 4701
Sfmt 4702
through (c), except the language in
paragraph (c) following and including
‘‘except that’’ shall not apply. The ALJ
must dismiss a hearing request in
accordance with 45 CFR 160.504(d).
(b) Rights of the parties. The hearing
rights of the parties will be determined
in accordance with 45 CFR 160.506.
(c) Authority of the ALJ. The ALJ will
conduct a fair and impartial hearing in
accordance with 45 CFR 160.508(a)
through (c)(4).
(d) Ex parte contacts. Ex parte
contacts are prohibited in accordance
with 45 CFR 160.510.
(e) Prehearing conferences. Prehearing
conferences will be conducted in
accordance with 45 CFR 160.512, except
the term ‘‘identifiable patient safety
work product’’ shall apply in place of
the term ‘‘individually identifiable
health information.’’
(f) Authority to settle. The Secretary
has authority to settle issues in
accordance with 45 CFR 160.514.
(g) Discovery. Discovery will proceed
in accordance with 45 CFR 160.516.
(h) Exchange of witness lists, witness
statements, and exhibits. The parties
will exchange hearing material in
accordance with 45 CFR 160.518, except
the language in paragraph (a) following
and including ‘‘except that’’ shall not
apply.
(i) Subpoenas for attendance at
hearing. The ALJ will issue a subpoena
for the appearance and testimony of any
person at the hearing in accordance
with 45 CFR 160.520.
(j) Fees. Fees and mileage for
subpoenaed witnesses will be paid in
accordance with 45 CFR 160.522.
(k) Form, filing, and service of papers.
Hearing documents will be filed and
serviced in accordance with 45 CFR
160.524.
(l) Computation of time. Computation
of time shall be in accordance with 45
CFR 160.526, except the term ‘‘this
subpart’’ shall refer to 42 CFR part 3,
Subpart D, and the citation ‘‘§ 3.504(a)
of 42 CFR part 3’’ shall apply in place
of the citation ‘‘§ 160.504.’’
(m) Motions. Procedures for the filing
and disposition of motions will be in
accordance with 45 CFR 160.528.
(n) Sanctions. The ALJ may sanction
a person in accordance with authorities
at 45 CFR 160.530.
(o) Collateral estoppel. Collateral
estoppel will apply to hearings
conducted pursuant to this subpart in
accordance with 45 CFR 160.532, except
the term ‘‘a confidentiality provision’’
shall apply in place of the term ‘‘an
administrative simplification
provision.’’
(p) The hearing. Hearings will be
conducted in accordance with 45 CFR
E:\FR\FM\12FEP2.SGM
12FEP2
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / Proposed Rules
hsrobinson on PROD1PC76 with PROPOSALS2
160.534, except the following text shall
apply in place of § 160.534(b)(1): ‘‘The
respondent has the burden of going
forward and the burden of persuasion
with respect to any challenge to the
amount of a proposed penalty pursuant
to §§ 3.404–3.408 of 42 CFR part 3,
including any factors raised as
mitigating factors.’’ Good cause shown
under 45 CFR 160.534(c) may be that
identifiable patient safety work product
has been introduced into evidence or is
expected to be introduced into
evidence.
(q) Witnesses. The testimony of
witnesses will be handled in accordance
with 45 CFR 160.538, except that the
citation ‘‘§ 3.504(h) of 42 CFR part 3’’
shall apply in place of the citation
‘‘§ 160.518.’’
VerDate Aug<31>2005
17:10 Feb 11, 2008
Jkt 214001
(r) Evidence. The ALJ will determine
the admissibility of evidence in
accordance with 45 CFR 160.540, except
that the citation ‘‘§ 3.420 of 42 CFR part
3’’ shall apply in place of the citation
‘‘§ 160.420 of this part.’’
(s) The record. The record of the
hearing will be created and made
available in accordance with 45 CFR
160.542. Good cause under 45 CFR
160.542(c) through (d) may include the
presence in the record of identifiable
patient safety work product.
(t) Post hearing briefs. Post-hearing
briefs, if required by the ALJ, will be
filed in accordance with 45 CFR
160.544.
(u) ALJ’s decision. The ALJ will issue
a decision in accordance with 45 CFR
160.546, except the citation ‘‘§ 3.504(v)
of 42 CFR part 3’’ shall apply in place
of ‘‘§ 160.548.’’
PO 00000
Frm 00073
Fmt 4701
Sfmt 4702
8183
(v) Appeal of the ALJ’s decision. Any
party may appeal the decision of the
ALJ in accordance with 45 CFR 160.548,
except the following language in
paragraph (e) shall not apply: ‘‘Except
for an affirmative defense under
§ 160.410(b)(1) of this part.’’
(w) Stay of the Secretary’s decision.
Pending judicial review, a stay of the
Secretary’s decision may be requested in
accordance with 45 CFR 160.550.
(x) Harmless error. Harmless errors
will be handled in accordance with 45
CFR 160.552.
Dated: October 5, 2007.
Michael O. Levitt,
Secretary.
[FR Doc. E8–2375 Filed 2–11–08; 8:45 am]
BILLING CODE 4153–01–P
E:\FR\FM\12FEP2.SGM
12FEP2
Agencies
[Federal Register Volume 73, Number 29 (Tuesday, February 12, 2008)]
[Proposed Rules]
[Pages 8112-8183]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-2375]
[[Page 8111]]
-----------------------------------------------------------------------
Part II
Department of Health and Human Services
-----------------------------------------------------------------------
42 CFR Part 3
Patient Safety and Quality Improvement; Proposed Rule
Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 /
Proposed Rules
[[Page 8112]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
42 CFR Part 3
RIN 0919-AA01
Patient Safety and Quality Improvement
AGENCY: Agency for Healthcare Research and Quality, Office for Civil
Rights, HHS.
ACTION: Notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: This document proposes regulations to implement certain
aspects of the Patient Safety and Quality Improvement Act of 2005
(Patient Safety Act). The proposed regulations establish a framework by
which hospitals, doctors, and other health care providers may
voluntarily report information to Patient Safety Organizations (PSOs),
on a privileged and confidential basis, for analysis of patient safety
events. The proposed regulations also outline the requirements that
entities must meet to become PSOs and the processes for the Secretary
to review and accept certifications and to list PSOs.
In addition, the proposed regulation establishes the
confidentiality protections for the information that is assembled and
developed by providers and PSOs, termed ``patient safety work product''
by the Patient Safety Act, and the procedures for the imposition of
civil money penalties for the knowing or reckless impermissible
disclosure of patient safety work product.
DATES: Comments on the proposed rule will be considered if we receive
them at the appropriate address, as provided below, no later than April
14, 2008.
ADDRESSES: Interested persons are invited to submit written comments by
any of the following methods:
Federal eRulemaking Portal: https://www.regulations.gov.
Comments should include agency name and ``RIN 0919-AA01''.
Mail: Center for Quality Improvement and Patient Safety,
Attention: Patient Safety Act NPRM Comments, AHRQ, 540 Gaither Road,
Rockville, MD 20850.
Hand Delivery/Courier: Center for Quality Improvement and
Patient Safety, Attention: Patient Safety Act NPRM Comments, Agency for
Healthcare Research and Quality, 540 Gaither Road, Rockville, MD 20850.
Instructions: Because of staff and resource limitations, we cannot
accept comments by facsimile (FAX) transmission or electronic mail. For
detailed instructions on submitting comments and additional information
on the rulemaking process, see the ``Public Participation'' heading of
the SUPPLEMENTARY INFORMATION section of this document. Comments will
be available for public inspection at the AHRQ Information Resources
Center at the above-cited address between 8:30 a.m. and 5 p.m. Eastern
Time on federal business days (Monday through Friday).
FOR FURTHER INFORMATION CONTACT: Susan Grinder, Agency for Healthcare
Research and Quality, 540 Gaither Road, Rockville, MD 20850, (301) 427-
1111 or (866) 403-3697.
SUPPLEMENTARY INFORMATION:
Public Participation
We welcome comments from the public on all issues set forth in this
proposed rule to assist us in fully considering issues and developing
policies. You can assist us by referencing the RIN number (RIN: 0919-
0AA01) and by preceding your discussion of any particular provision
with a citation to the section of the proposed rule being discussed.
A. Inspection of Public Comments
All comments (electronic, mail, and hand delivery/courier) received
in a timely manner will be available for public inspection as they are
received, generally beginning approximately 6 weeks after publication
of this document, at the mail address provided above, Monday through
Friday of each week from 8:30 a.m. to 5 p.m. To schedule an appointment
to view public comments, call Susan Grinder, (301) 427-1111 or (866)
403-3697.
Comments submitted electronically will be available for viewing at
the Federal eRulemaking Portal.
B. Electronic Comments
We will consider all electronic comments that include the full
name, postal address, and affiliation (if applicable) of the sender and
are submitted through the Federal eRulemaking Portal identified in the
ADDRESSES section of this preamble. Copies of electronically submitted
comments will be available for public inspection as soon as practicable
at the address provided, and subject to the process described, in the
preceding paragraph.
C. Mailed Comments and Hand Delivered/Couriered Comments
Mailed comments may be subject to delivery delays due to security
procedures. Please allow sufficient time for mailed comments to be
timely received in the event of delivery delays. Comments mailed to the
address indicated for hand or courier delivery may be delayed and could
be considered late.
D. Copies
To order copies of the Federal Register containing this document,
send your request to: New Orders, Superintendent of Documents, P.O. Box
371954, Pittsburgh, PA 15250-7954. Specify the date of the issue
requested and enclose a check or money order payable to the
Superintendent of Documents, or enclose your Visa or Master Card number
and expiration date. Credit card orders can also be placed by calling
the order desk at (202) 512-1800 (or toll-free at 1-866-512-1800) or by
faxing to (202) 512-2250. The cost for each copy is $10. As an
alternative, you may view and photocopy the Federal Register document
at most libraries designated as Federal Depository Libraries and at
many other public and academic libraries throughout the country that
receive the Federal Register.
E. Electronic Access
This Federal Register document is available from the Federal
Register online database through GPO Access, a service of the U.S.
Government Printing Office. The Web site address is: https://
www.gpoaccess.gov/nara/. This document is available
electronically at the following Web site of the Department of Health
and Human Services (HHS): https://www.ahrq.gov/.
F. Response to Comments
Because of the large number of public comments we normally receive
on Federal Register documents, we are not able to acknowledge or
respond to them individually. We will consider all comments we receive
in accordance with the methods described above and by the date
specified in the DATES section of this preamble. When we proceed with a
final rule, we will respond to comments in the preamble to that rule.
I. Background
A. Purpose and Basis
This proposed rule establishes the authorities, processes, and
rules necessary to implement the Patient Safety and Quality Improvement
Act of 2005 (Patient Safety Act), (Pub. L. 109-41), that amended the
Public Health Service Act (42 U.S.C. 299 et seq.) by inserting new
sections 921 through 926, 42 U.S.C. 299b-21 through 299b-26.
Much of the impetus for this legislation can be traced to the
publication of the landmark report, ``To
[[Page 8113]]
Err Is Human'' \1\, by the Institute of Medicine in 1999 (Report). The
Report cited studies that found that at least 44,000 people and
potentially as many as 98,000 people die in U.S. hospitals each year as
a result of preventable medical errors.\2\ Based on these studies and
others, the Report estimated that the total national costs of
preventable adverse events, including lost income, lost household
productivity, permanent and temporary disability, and health care costs
to be between $17 billion and $29 billion, of which health care costs
represent one-half.\3\ One of the main conclusions was that the
majority of medical errors do not result from individual recklessness
or the actions of a particular group; rather, most errors are caused by
faulty systems, processes, and conditions that lead people to make
mistakes or fail to prevent adverse events.\4\ Thus, the Report
recommended mistakes can best be prevented by designing the health care
system at all levels to improve safety--making it harder to do
something wrong and easier to do something right.\5\
---------------------------------------------------------------------------
\1\ Institute of Medicine, ``To Err is Human: Building a Safer
Health System'', 1999.
\2\ Id. at 31.
\3\ Id. at 42.
\4\ Id. at 49-66.
\5\ Id.
---------------------------------------------------------------------------
As compared to other high-risk industries, the health care system
is behind in its attention to ensuring basic safety.\6\ The reasons for
this lag are complex and varied. Providers are often reluctant to
participate in quality review activities for fear of liability,
professional sanctions, or injury to their reputations. Traditional
state-based legal protections for such health care quality improvement
activities, collectively known as peer review protections, are limited
in scope: They do not exist in all States; typically they only apply to
peer review in hospitals and do not cover other health care settings,
and seldom enable health care systems to pool data or share experience
between facilities. If peer review protected information is transmitted
outside an individual hospital, the peer review privilege for that
information is generally considered to be waived. This limits the
potential for aggregation of a sufficient number of patient safety
events to permit the identification of patterns that could suggest the
underlying causes of risks and hazards that then can be used to improve
patient safety.
---------------------------------------------------------------------------
\6\ Id. at 75.
---------------------------------------------------------------------------
The Report outlined a comprehensive strategy to improve patient
safety by which public officials, health care providers, industry, and
consumers could reduce preventable medical errors. The Report
recommended that, in order to reduce medical errors appreciably in the
U.S., a balance be struck between regulatory and market-based
initiatives and between the roles of professionals and organizations.
It recognized a need to enhance knowledge and tools to improve patient
safety and break down legal and cultural barriers that impede such
improvement.
Drawing upon the broad framework advanced by the Institute of
Medicine, the Patient Safety Act specifically addresses a number of
these long-recognized impediments to improving the quality, safety, and
outcomes of health care services. For that reason, implementation of
this proposed rule can be expected to accelerate the development of
new, voluntary, provider-driven opportunities for improvement, increase
the willingness of health care providers to participate in such
efforts, and, most notably, set the stage for breakthroughs in our
understanding of how best to improve patient safety.
These outcomes will be advanced, in large measure, through
implementation of this proposed rule of strong Federal confidentiality
and privilege protections for information that is patient safety work
product under the Patient Safety Act. For the first time, there will
now be a uniform set of Federal protections that will be available in
all states and U.S. territories and that extend to all health care
practitioners and institutional providers. These protections will
enable all health care providers, including multi-facility health care
systems, to share data within a protected legal environment, both
within and across states, without the threat of information being used
against the subject providers.
Pursuant to the Patient Safety Act, this proposed rule will also
encourage the formation of new organizations with expertise in patient
safety, known as patient safety organizations (PSOs), which can provide
confidential, expert advice to health care providers in the analysis of
patient safety events.\7\ The confidentiality and privilege protections
of this statute attach to ``patient safety work product.'' This term as
defined in the Patient Safety Act and this proposed rule means that
patient safety information that is collected or developed by a provider
and reported to a PSO, or that is developed by a PSO when conducting
defined ``patient safety activities,'' or that reveals the
deliberations of a provider or PSO within a patient safety evaluation
system is protected. Thus, the proposed rule will enable health care
providers to protect their internal deliberations and analysis of
patient safety information because this type of information is patient
safety work product.
---------------------------------------------------------------------------
\7\ As we use the term, patient safety event means an incident
that occurred during the delivery of a health care service and that
harmed, or could have resulted in harm to, a patient. A patient
safety event may include an error of omission or commission,
mistake, or malfunction in a patient care process; it may also
involve an input to such process (such as a drug or device) or the
environment in which such process occurs. Our use of the term
patient safety event in place of the more limited concept of medical
error to describe the work that providers and PSOs may undertake
reflects the evolution in the field of patient safety. It is
increasingly recognized that important insights can be derived from
the study of patient care processes and their organizational context
and environment in order to prevent harm to patients. We note that
patient safety in the context of this term also encompasses the
safety of a person who is a subject in a research study conducted by
a health care provider. In addition, the flexible concept of a
patient safety event is applicable in any setting in which health
care is delivered: A health care facility that is mobile (e.g.,
ambulance), fixed and free-standing (e.g., hospital), attached to
another entity (e.g., school clinic), as well as the patient's home
or workplace, whether or not a health care provider is physically
present.
---------------------------------------------------------------------------
The statute and the proposed rule seek to ensure that the
confidentiality provisions (as defined in these proposed regulations)
will be taken seriously by making breaches of the protections
potentially subject to a civil money penalty of up to $10,000. The
combination of strong Federal protections for patient safety work
product and the potential penalties for violation of these protections
should give providers the assurances they need to participate in
patient safety improvement initiatives and should spur the growth of
such initiatives.
Patient safety experts have long recognized that the underlying
causes of risks and hazards in patient care can best be recognized
through the aggregation of significant numbers of individual events; in
some cases, it may require the aggregation of thousands of individual
patient safety events before underlying patterns are apparent. It is
hoped that this proposed rule will foster routine reporting to PSOs of
data on patient safety events in sufficient numbers for valid and
reliable analyses. Analysis of such large volumes of patient safety
events is expected to significantly advance our understanding of the
patterns and commonalities in the underlying causes of risks and
hazards in the delivery of patient care. These insights should enable
providers to more effectively and efficiently target their efforts to
improve patient safety.
We recognize that risks and hazards can occur in a variety of
environments, such as inpatient, outpatient, long-term
[[Page 8114]]
care, rehabilitation, research, or other health care settings. In many
of these settings, patient safety analysis is a nascent enterprise that
will benefit significantly from the routine, voluntary reporting and
analysis of patient safety events. Accordingly, we strive in the
proposed rule to avoid imposing limitations that might preclude
innovative approaches to the identification of, and elimination of,
risks and hazards in specific settings for the delivery of care,
specific health care specialties, or in research settings. We defer to
those creating PSOs and the health care providers that enter ongoing
relationships with them to determine the scope of patient safety events
that will be addressed.
Finally, we note that the statute is quite specific that these
protections do not relieve a provider from its obligation to comply
with other legal, regulatory, accreditation, licensure, or other
accountability requirements that it would otherwise need to meet. The
fact that information is collected, developed, or analyzed under the
protections of the Patient Safety Act does not shield a provider from
needing to undertake similar activities, if applicable, outside the
ambit of the statute, so that the provider can meet its obligations
with non-patient safety work product. The Patient Safety Act, while
precluding other organizations and entities from requiring providers to
provide them with patient safety work product, recognizes that the data
underlying patient safety work product remains available in most
instances for the providers to meet these other information
requirements.
In summary, this proposed rule implements the Patient Safety Act
and facilitates its goals by allowing the health care industry
voluntarily to avail itself of this framework in the best manner it
determines feasible. At the same time, it seeks to ensure that those
who do avail themselves of this framework will be afforded the legal
protections that Congress intended and that anyone who breaches those
protections will be penalized commensurately with the violation.
B. Listening Sessions
We held three listening sessions for the general public (March 8,
13, and 16, 2006) which helped us better understand the thinking and
plans of interested parties, including providers considering the use of
PSO services and entities that anticipate establishing PSOs. As stated
in the Federal Register notice 71 FR 37 (February 24, 2006) that
announced the listening sessions, we do not regard the presentations or
comments made at these sessions as formal comments and, therefore, they
are not discussed in this document.
C. Comment Period
The comment period is sixty (60) days following the publication of
the proposed rule.
II. Overview of Proposed Rule
We are proposing a new Part 3 to Title 42 of the Code of Federal
Regulations to implement the Patient Safety Act. As described above,
the Patient Safety Act is an attempt to address the barriers to patient
safety and health care quality improvement activities in the U.S. In
implementing the Patient Safety Act, this proposed rule encourages the
development of provider-driven, voluntary opportunities for improving
patient safety; this initiative is neither funded, nor controlled by
the Federal Government.
Under the proposal, a variety of types of organizations--public,
private, for-profit, and not-for-profit--can become PSOs, and offer
their consultative expertise to providers regarding patient safety
events and quality improvement initiatives. There will be a process for
certification and listing of PSOs, which will be implemented by the
Agency for Healthcare Research and Quality (AHRQ), and providers can
work voluntarily with PSOs to obtain confidential, expert advice in
analyzing the patient safety event and other information they collect
or develop at their offices, facilities, or institutions. PSOs may also
provide feedback and recommendations regarding effective strategies to
improve patient safety as well as proven approaches for implementation
of such strategies. In addition, to encourage providers to undertake
patient safety activities, the regulation is very specific that patient
safety work product is subject to confidentiality and privilege
protections, and persons that breach the confidentiality provisions may
be subject to a $10,000 civil money penalty, to be enforced by the
Office for Civil Rights (OCR).
The provisions of this proposed rule greatly expand the potential
for participation in patient safety activities. The proposal, among
other things, enables providers across the health care industry to
report information to a PSO and obtain the benefit of these new
confidentiality and privilege protections. This proposal minimizes the
barriers to entry for listing as a PSO by creating a review process
that is both simple and efficient. As a result, we expect a broad range
of organizations to seek listing by the Secretary as PSOs. Listing will
not entitle these entities to Federal funding or subsidies, but it will
enable these PSOs to offer individual and institutional providers the
benefits of review and analysis of patient safety work product that is
protected by strong Federal confidentiality and privilege protections.
Our proposed regulation will enable and assist data aggregation by
PSOs to leverage the possibility of learning from numerous patient
safety events across the health care system and to facilitate the
identification and correction of systemic and other errors. For
example, PSOs are required to seek contracts with multiple providers,
and proposed Subpart C permits them, with certain limitations, to
aggregate patient safety work product from their multiple clients and
with other PSOs. In addition, the Secretary will implement other
provisions of the Patient Safety Act that, independent of this proposed
rule, require the Secretary to facilitate the development of a network
of patient safety databases for the aggregation of nonidentifiable
patient safety work product and the development of consistent
definitions and common formats for collecting and reporting patient
safety work product. These measures will facilitate a new level of data
aggregation that patient safety experts deem essential to maximize the
benefits of the Patient Safety Act.
The Patient Safety Act gives considerable attention to the
relationship between it and the Standards for the Privacy of
Individually Identifiable Health Information under the Health Insurance
Portability and Accountability Act of 1996 (HIPAA Privacy Rule). We
caution that the opportunity for a provider to report identifiable
patient safety work product to a PSO does not relieve a provider that
is a HIPAA covered entity of its obligations under the HIPAA Privacy
Rule. In fact, the Patient Safety Act indicates that PSOs are deemed to
be business associates of providers that are HIPAA covered entities.
Thus, providers who are HIPAA covered entities will need to enter into
business associate agreements with PSOs in accordance with their HIPAA
Privacy Rule obligations. If such a provider also chooses to enter a
PSO contract, we believe that such contracts could be entered into
simultaneously as an agreement for the conduct of patient safety
activities. However, the Patient Safety Act does not require a provider
to enter a contract with a PSO to receive the protections of the
Patient Safety Act.
Proposed Subpart A, General Provisions, sets forth the purpose of
the provisions and the definitions
[[Page 8115]]
applicable to the subparts that follow. Proposed Subpart B, PSO
Requirements and Agency Procedures, sets forth the requirements for
PSOs and describes how the Secretary will review, accept, revoke, and
deny certifications for listing and continued listing of entities as
PSOs and other required submissions. Proposed Subpart C,
Confidentiality and Privilege Protections of Patient Safety Work
Product, describes the provisions that relate to the confidentiality
protections and permissible disclosure exceptions for patient safety
work product. Proposed Subpart D, Enforcement Program, includes
provisions that relate to activities for determining compliance, such
as investigations of and cooperation by providers, PSOs, and others;
the imposition of civil money penalties; and hearing procedures.
III. Section by Section Description of the Proposed Rule
A. Subpart A--General Provision
1. Proposed Sec. 3.10--Purpose
The purpose of this proposed Part is to implement the Patient
Safety and Quality Improvement Act of 2005 (Pub. L. 109-41), which
amended the Public Health Service Act (42 U.S.C. 299 et seq.) by
inserting new sections 921 through 926, 42 U.S.C. 299b-21 through 299b-
26.
2. Proposed Sec. 3.20--Definitions
Section 921 of the Public Health Service Act, 42 U.S.C. 299b-21,
defines several terms, and our proposed rules would, for the most part,
restate the law. In some instances, we propose to clarify definitions
to fit within the proposed framework. We also propose some new
definitions for convenience and to clarify the application and
operation of this proposed rule. Moreover, we reference terms defined
under the HIPAA Privacy Rule for ease of interpretation and
consistency, given the overlap between the Patient Safety Act
protections of patient-identifiable patient safety work product
(discussed below) and the HIPAA Privacy Rule.
Proposed Sec. 3.20 would establish the basic definitions
applicable to this proposed rule, as follows:
AHRQ stands for the Agency for Healthcare Research and Quality in
the U.S. Department of Health and Human Services (HHS). This definition
is added for convenience.
ALJ stands for an Administrative Law Judge at HHS. This definition
is added for convenience in describing the process for appealing civil
money penalty determinations.
Board would mean the members of the HHS Departmental Appeals Board.
This definition is added for convenience in providing for appeals of
civil money penalty determinations.
Bona fide contract would mean (a) a written contract between a
provider and a PSO that is executed in good faith by officials
authorized to execute such contract; or (b) a written agreement (such
as a memorandum of understanding or equivalent recording of mutual
commitments) between a Federal, State, local, or Tribal provider and a
Federal, State, local, or Tribal PSO that is executed in good faith by
officials authorized to execute such agreement.
In addition to the primary interpretation of an enforceable
contract under applicable law as proposed under paragraph (a) of this
definition, we propose to make the scope of the term broad enough to
encompass agreements between health care providers and PSOs that are
components of Federal, State, local or Tribal governments or government
agencies. Such entities could clearly perform the same data collection
and analytic functions as performed by other providers and PSOs that
the Patient Safety Act seeks to foster. Thus, paragraph (b) of the
definition recognizes that certain government entities may not enter a
formal contract with each other, but may only make a commitment with
other agencies through the mechanism of some other type of agreement.
We note that proposed Sec. 3.102(a)(2) incorporates the statutory
restriction that a health insurance issuer and a component of a health
insurance issuer may not become a PSO. That section also proposes to
prohibit the listing of public and private entities that conduct
regulatory oversight of health care providers, including accreditation
and licensure.
Complainant would mean a person who files a complaint with the
Secretary pursuant to proposed Sec. 3.306.
Component Organization would mean an entity that is either: (a) A
unit or division of a corporate organization or of a multi-
organizational enterprise; or (b) a separate organization, whether
incorporated or not, that is owned, managed or controlled by one or
more other organizations (i.e., its parent organization(s)). We discuss
our preliminary interpretation of the terms ``owned,'' ``managed,'' or
``controlled'' in the definition of parent organization. Multi-
organizational enterprise, as used here, means a common business or
professional undertaking in which multiple entities participate as well
as governmental agencies or Tribal entities in which there are multiple
components.\8\
---------------------------------------------------------------------------
\8\ The concept of multi-organizational enterprise as used in
this regulation, in case law, and in a legal reference works such as
Blumberg on Corporate Groups, Sec. 6.04 (2d ed. 2007 Supplement)
refers to multi-organizational undertakings with separate
corporations or organizations that are integrated in a common
business activity. The component entities are often, but not
necessarily, characterized by interdependence and some form of
common control, typically by agreement. Blumberg notes that health
care providers increasingly are integrated in various forms of
multi-organizational enterprises.
---------------------------------------------------------------------------
We anticipate that PSOs may be established by a wide array of
health-related organizations and quality improvement enterprises,
including hospitals, nursing homes and health care provider systems,
health care professional societies, academic and commercial research
organizations, Federal, State, local, and Tribal governmental units
that are not subject to the proposed restriction on listing in proposed
Sec. 3.102(a)(2), as well as joint undertakings by combinations of
such organizations. One effect of defining component organization as we
propose is that, pursuant to section 924 of the Patient Safety Act, 42
U.S.C. 299b-24, all applicant PSOs that fall within the scope of the
definition of component organization must certify to the separation of
confidential patient safety work product and staff from the rest of any
organization or multi-organizational enterprise of which they (in the
conduct of their work) are a part. Component organizations must also
certify that their stated mission can be accomplished without
conflicting with the rest of their parent organization(s).
A subsidiary corporation may, in certain circumstances, be viewed
as part of a multi-organizational enterprise with its parent
corporation and would be so regarded under the proposed regulation.
Thus, an entity, such as a PSO that is set up as a subsidiary by a
hospital chain, would be considered a component of the corporate chain
and a component PSO for purposes of this proposed rule. Considering a
subsidiary of a corporation to be a ``component'' of its parent
organization may seem contrary to the generally understood separateness
of a subsidiary in its corporate relationship with its parent.\9\
[[Page 8116]]
That is, where two corporate entities are legally separate, one entity
would ordinarily not be considered a component of the other entity,
even when that other entity has a controlling interest or exercises
some management control. However, we have preliminarily determined that
viewing a subsidiary entity that seeks to be a PSO as a component of
its parent organization(s) would be consistent with the objectives of
the section on certifications required of component organizations in
the Patient Safety Act and appears to be consistent with trends in the
law discussed below. We invite comment on our interpretation.
---------------------------------------------------------------------------
\9\ Corporations are certain types of organizations that are
given legal independence and rights, (e.g. the right to litigate).
Subsidiary corporations are corporations in which a majority of the
shares are owned by another corporation, known as a parent
corporation. Thus, subsidiaries are independent corporate entities
in a formal legal sense, yet, at the same time, they are controlled,
to some degree, by their parent by virtue of stock ownership and
control. Both corporations and subsidiaries are legal constructs
designed to foster investment and commerce by limiting
entrepreneurial risks and corporate liabilities. In recognition of
the legitimate utility of these objectives, courts have generally
respected the separateness of parent corporations and subsidiaries,
(e.g., courts do not ordinarily allow the liabilities of a
subsidiary to be attributed to its parent corporation, despite the
fact that by definition, parent corporations have a measure of
control over a subsidiary). However, courts have looked behind the
separate legal identities that separate parent and subsidiary to
impose liability when individuals in litigation can establish that
actual responsibility rests with a parent corporation by virtue of
the degree and manner in which it has exercised control over its
subsidiary. Under these circumstances, courts permit ``the corporate
veil to be pierced.''
---------------------------------------------------------------------------
Corporations law or ``entity law,'' which emphasizes the
separateness and distinct rights and obligations of a corporation, has
been supplemented by the development of ``relational law'' when
necessary (e.g., to address evolving organizational arrangements such
as multi-organizational enterprises). To determine rights and
obligations in these circumstances, courts weigh the relationships of
separate corporations that are closely related by virtue of
participating in the same enterprise, (i.e., a common chain of economic
activity fostering and characterized by interdependence).\10\ There has
been a growing trend in various court decisions to attribute legal
responsibilities based on actual behavior in organizational
relationships, rather than on corporate formalities.
---------------------------------------------------------------------------
\10\ See Phillip I. Blumberg Et Al., Blumberg On Corporate
Groups Sec. Sec. 6.01 and 6.02.
---------------------------------------------------------------------------
We stress that neither the statute nor the proposed regulation
imposes any legal responsibilities, obligations, or liability on the
organization(s) of which a component PSO is a part. The focus of the
Patient Safety Act and the regulation is principally on the entity that
voluntarily seeks listing by the Secretary as a PSO.
We note that two of the three certifications that the Patient
Safety Act and the proposed regulation requires component entities to
make--relating to the security and confidentiality of patient safety
work product--are essentially duplicative of attestations that are
required of all entities seeking listing or continued listing as a PSO
(certifications made under section 924(a)(1)(A) and (a)(2)(A) of the
Public Health Service Act, 42 U.S.C. 299b-24(a)(1)(A) and (a)(2)(A)
with respect to patient safety activities described in section
921(5)(E) and (F) of the Public Health Service Act, 42 U.S.C. 299b-
21(5)(E) and (F)). That is, under the Patient Safety Act, all PSOs have
to attest that they have in place policies and procedures to, and
actually do, perform patient safety activities, which include the
maintenance of procedures to preserve patient safety work product
confidentiality and the provision of appropriate security measures for
patient safety work product. The overlapping nature of these
confidentiality and security requirements on components suggests
heightened congressional concern and emphasis regarding the need to
maintain a strong ``firewall'' between a component PSO and its parent
organization, which might have the opportunity and potential to access
sensitive patient safety work product the component PSO assembles,
develops, and maintains. A similar concern arises in the context of a
PSO that is a unit of a corporate parent, a subsidiary or an entity
affiliated with other organizations in a multi-organizational
enterprise.
Requiring entities seeking listing to disclose whether they have a
parent organization or are part of a multi-organizational enterprise
does not involve ``piercing the corporate veil'' as discussed in the
footnote above. The Department would not be seeking this information to
hold a parent liable for actions of the PSO, but to ensure full
disclosure to the Department about the organizational relationships of
an entity seeking to be listed as a PSO. Accordingly, we propose that
an entity seeking listing as a PSO must do so as a component
organization if it has one or more parent organizations (as described
here and in the proposed definition of that term) or is part of a
multi-organizational enterprise, and it must provide the names of its
parent entities. If it has a parent or several parent organizations, as
defined by the proposed regulation, the entity seeking to be listed
must provide the additional certifications mandated by the statute and
by the proposed regulation at Sec. 3.102(c) to maintain the
separateness of its patient safety work product from its parent(s) and
from other components or affiliates\11\ of its parent(s). Such
certifications are consistent with the above-cited body of case law
that permits and makes inquiries about organizational relationships and
practices for purposes of carrying out statutes and statutory
objectives.
---------------------------------------------------------------------------
\11\ Corporate affiliates are commonly controlled corporations;
sharing a corporate parent, they are sometimes referred to as sister
corporations. Separate corporations that are part of a multi-
organizational enterprise are also referred to by the common terms
``affiliates'' or ``affiliated organizations''.
---------------------------------------------------------------------------
It may be helpful to illustrate how a potential applicant for
listing should apply these principles in determining whether to seek
listing as a component PSO. The fundamental principle is that if there
is a parent organization relationship present and the entity is not
prohibited from seeking listing by proposed Sec. 3.102(a)(2), the
entity must seek listing as a component PSO. In determining whether an
entity must seek listing as a component organization, we note that it
does not matter whether the entity is a component of a provider or a
non-provider organization and, if it is a component of a provider
organization, whether it will undertake patient safety activities for
the parent organization's providers or providers that have no
relationship with its parent organization(s). The focus here is
primarily on establishing the separateness of the entity's operation
from any type of parent organization. Examples of entities that would
need to seek listing as a component organization include: A division of
a provider or non-provider organization; a subsidiary entity created by
a provider or non-provider organization; or a joint venture created by
several organizations (which could include provider organizations, non-
provider organizations, or a mix of such organizations) where any or
all of the organizations have a measure of control over the joint
venture.
Other examples of entities that would need to seek listing as a
component PSO include: a division of a nursing home chain; a subsidiary
entity created by a large academic health center or health system; or a
joint venture created by several organizations to seek listing as a PSO
where any or all of the organizations have a measure of control over
the joint venture.
Component PSO would mean a PSO listed by the Secretary that is a
component organization.
Confidentiality provisions would mean any requirement or
prohibition concerning confidentiality established by Sections 921 and
922(b)-(d), (g) and (i) of the Public Health Service Act, 42
[[Page 8117]]
U.S.C. 299b-21 and 299b-22(b)-(d), (g) and (i), and the proposed
provisions, at Sec. Sec. 3.206 and 3.208, by which we propose to
implement the prohibition on disclosure of identifiable patient safety
work product. We proposed to define this new term to provide an easy
way to reference the provisions in the Patient Safety Act and in the
proposed rule that implements the confidentiality protections of the
Patient Safety Act for use in the enforcement and penalty provisions of
this proposed rule. We found this a useful approach in the HIPAA
Enforcement Rule, where we defined ``administrative simplification
provision'' for that purpose. In determining how to define
``confidentiality provisions'' that could be violated, we considered
the statutory enforcement provision at section 922(f) of the Public
Health Service Act, 42 U.S.C. 299b-22(f), which incorporates by
reference section 922(b) and (c).\12\ Thus, the enforcement authority
clearly implicates sections 922(b) and (c) of the Patient Safety Act,
42 U.S.C. 299b-22(b) and (c), which are implemented in proposed Sec.
3.206. Section 922(d) of the Patient Safety Act, 42 U.S.C. 299b-22(d),
is entitled the ``Continued Protection of Information After
Disclosure'' and sets forth continued confidentiality protections for
patient safety work product after it has been disclosed under section
922(c) of the Public Health Service Act, 42 U.S.C. 299b-22(c), with
certain exceptions. Thus, section 922(d) of the Public Health Service
Act, 42 U.S.C. 299b-22(d), is a continuation of the confidentiality
protections provided for in section 922(b) of the Public Health Service
Act, 42 U.S.C. 299b-22(b). Therefore, we also consider the continued
confidentiality provision at proposed Sec. 3.208 herein to be one of
the confidentiality provisions. In addition, our understanding of these
provisions is based on the rule of construction in section 922(g) of
the Public Health Service Act, 42 U.S.C. 299b-22(g), and the
clarification with respect to HIPAA in section 922(i) of the Public
Health Service Act, 42 U.S.C. 299b-22(i); accordingly, these provisions
are included in the definition.
---------------------------------------------------------------------------
\12\ Section 922(f) of the Public Health Service Act, 42 U.S.C.
299b-22(f), states that ``subject to paragraphs (2) and (3), a
person who discloses identifiable patient safety work product in
knowing or reckless violation of subsection (b) shall be subject to
a civil money penalty of not more than $10,000 for each act
constituting such violation'' (emphasis added). Subsection (b) of
section 922 of the Public Health Service Act, 42 U.S.C. 299b-22(b),
is entitled, ``Confidentiality of Patient Safety Work Product'' and
states, ``Notwithstanding any other provision of Federal, State, or
local law, and subject to subsection (c), patient safety work
product shall be confidential and shall not be disclosed'' (emphasis
added). Section 922(c) of the Public Health Service Act, 42 U.S.C.
299b-22(c), in turn, contains the exceptions to confidentiality and
privilege protections.
---------------------------------------------------------------------------
In contrast to the confidentiality provisions, the privilege
provisions in the Patient Safety Act will be enforced by the tribunals
or agencies that are subject to them; the Patient Safety Act does not
authorize the imposition of civil money penalties for breach of such
provisions. We note, however, that to the extent a breach of privilege
is also a breach of confidentiality, the Secretary would enforce the
confidentiality breach under 42 U.S.C. 299b-22(f).
Disclosure would mean the release, transfer, provision of access
to, or divulging in any other manner of patient safety work product by
a person holding patient safety work product to another person. An
impermissible disclosure (i.e., a disclosure of patient safety work
product in violation of the confidentiality provisions) is the action
upon which potential liability for a civil money penalty rests.
Generally, if the person holding patient safety work product is an
entity, disclosure occurs when the information is shared with another
entity or a natural person outside the entity. We do not propose to
hold entities liable for uses of the information within the entity,
(i.e., when this information is exchanged or shared among the workforce
members of the entity) except as noted below concerning component PSOs.
If a natural person holds patient safety work product, except in the
capacity as a workforce member, a disclosure occurs whenever exchange
occurs to any other person or entity. In light of this definition, we
note that a disclosure to a contractor that is under the direct control
of an entity (i.e., a workforce member) would be a use of the
information within the entity and, therefore, not a disclosure for
which a permission is needed. However, a disclosure to an independent
contractor would not be a disclosure to a workforce member, and thus,
would be a disclosure for purposes of this proposed rule and the
proposed enforcement provisions under Subpart D.
For component PSOs, we propose to recognize as a disclosure the
sharing or transfer of patient safety work product outside of the legal
entity, as described above, and between the component PSO and the rest
of the organization (i.e., parent organization) of which the component
PSO is a part. The Patient Safety Act demonstrates a strong desire for
the separation of patient safety work product between a component PSO
and the rest of the organization. See section 924(b)(2) of the Public
Health Service Act, 42 U.S.C. 299b-24(b)(2). Because we propose to
recognize component organizations as component PSOs which exist within,
but distinct from, a single legal entity, and such a component
organization as a component PSO would be required to certify to limit
access to patient safety work product under proposed Sec. 3.102(c),
the release, transfer, provision of access to, or divulging in any
other manner of patient safety work product from a component PSO to the
rest of the organization will be recognized as a disclosure for
purposes of this proposed rule and the proposed enforcement provisions
under Subpart D.
We considered whether or not we should hold entities liable for
disclosures that occur within that entity (uses) by defining disclosure
more discretely, (i.e., as between persons within an entity). If we
were to define disclosure in this manner, it may promote better
safeguarding against inappropriate uses of patient safety work product
by providers and PSOs. It may also allow better control of uses by
third parties to whom patient safety work product is disclosed, and it
would create additional enforcement situations which could lead to
additional potential civil money penalties. We note that HIPAA
authorized the Department to regulate both the uses and disclosures of
individually identifiable health information and, thus, the HIPAA
Privacy Rule regulates both the uses and disclosures of such
information by HIPAA covered entities. See section 264(b) and (c)(1) of
HIPAA, Public Law 104-191. The Patient Safety Act, on the other hand,
addresses disclosures and authorizes the Secretary to penalize
disclosures of patient safety work product.
Nonetheless, we do not propose to regulate the use, transfer or
sharing by internal disclosure, of patient safety work product within a
legal entity. We also decline to propose to regulate uses because we
would consider regulating uses within providers and PSOs to be
intrusive into their internal affairs. This would be especially the
case given that this is a voluntary program. Moreover, we do not
believe that regulating uses would further the statutory goal of
facilitating the sharing of patient safety work product with PSOs. In
other words, regulating uses would not advance the ability of any
entity to share patient safety work product for patient safety
activities. Finally, we presume that there are sufficient incentives in
place for providers and PSOs to prudently manage the uses of sensitive
patient safety work product.
[[Page 8118]]
We are not regulating uses, whether in a provider, PSO, or any
other entity that obtains patient safety work product. Because we are
not proposing to regulate uses, there will be no federal sanction based
on use of this information. If a provider or other entity wants to
limit the uses or further disclosures (beyond the regulatory
permissions) by a PSO or any future recipient, a disclosing entity is
free to do so by contract. See section 922(g)(4) of the Public Health
Service Act, 42 U.S.C. 299b-22(g)(4), and proposed Sec. 3.206(e). We
seek comment about whether this strikes the right balance.
The proposed definition mirrors the definition of disclosure used
in the HIPAA Privacy Rule concerning disclosures of protected health
information. Although we do not propose to regulate the use of patient
safety work product, HIPAA covered entities that possess patient safety
work product which contains protected health information must comply
with the use and disclosure requirements of the HIPAA Privacy Rule with
respect to the protected health information. Patient safety work
product containing protected health information could only be used in
accordance with the HIPAA Privacy Rule use permissions, including the
minimum necessary requirement.
Entity would mean any organization, regardless of whether the
organization is public, private, for-profit, or not-for-profit. The
statute permits any entity to seek listing as a PSO by the Secretary
except a health insurance issuer and any component of a health
insurance issuer and Sec. 3.102(a)(2) proposes, in addition, to
prohibit public or private sector entities that conduct regulatory
oversight of providers.
Group health plan would mean an employee welfare benefit plan (as
defined in section 3(1) of the Employee Retirement Income Security Act
of 1974 (ERISA) to the extent that the plan provides medical care (as
defined in paragraph (2) of section 2791(a) of the Public Health
Service Act, 42 U.S.C. 300gg-91(a)(1)) and including items and services
paid for as medical care) to employees or their dependents (as defined
under the terms of the plan) directly or through insurance,
reimbursement, or otherwise. Section 2791(b)(2) of the Public Health
Service Act, 42 U.S.C. 300gg-91(b)(2) excludes group health plans from
the defined class of `health insurance issuer.' Therefore, a group
health plan may establish a PSO unless the plan could be considered a
component of a health insurance issuer, in which case such a plan would
be precluded from being a PSO by the Patient Safety Act.
Health insurance issuer would mean an insurance company, insurance
service, or insurance organization (including a health maintenance
organization, as defined in 42 U.S.C. 300gg-91(b)(3)) which is licensed
to engage in the business of insurance in a State and which is subject
to State law which regulates insurance (within the meaning of 29 U.S.C.
1144(b)(2)). The term, as defined in the Public Health Service Act,
does not include a group health plan.
Health maintenance organization would mean (1) a Federally
qualified health maintenance organization (as defined in 42 U.S.C.
300e(a)); (2) an organization recognized under State law as a health
maintenance organization; or (3) a similar organization regulated under
State law for solvency in the same manner and to the same extent as
such a health maintenance organization. Because the ERISA definition
relied upon by the Patient Safety Act includes health maintenance
organizations in the definition of health insurance issuer, an HMO may
not be, control, or manage the operation of a PSO.
HHS stands for the United States Department of Health and Human
Services. This definition is added for convenience.
HIPAA Privacy Rule would mean the regulations promulgated under
section 264(c) of the Health Insurance Portability and Accountability
Act of 1996 (HIPAA), at 45 CFR Part 160 and Subparts A and E of Part
164.
Identifiable Patient Safety Work Product would mean patient safety
work product that:
(1) Is presented in a form and manner that allows the
identification of any provider that is a subject of the work product,
or any providers that participate in activities that are a subject of
the work product;
(2) Constitutes individually identifiable health information as
that term is defined in the HIPAA Privacy Rule at 45 CFR 160.103; or
(3) Is presented in a form and manner that allows the
identification of an individual who in good faith reported information
directly to a PSO, or to a provider with the intention of having the
information reported to a PSO (``reporter'').
Identifiable patient safety work product is not patient safety work
product that meets the nonidentification standards proposed for
``nonidentifiable patient safety work product''.
Nonidentifiable Patient Safety Work Product would mean patient
safety work product that is not identifiable in accordance with the
nonidentification standards proposed at Sec. 3.212. Because the
privilege and confidentiality protections of the Patient Safety Act and
this Part do not apply to nonidentifiable patient safety work product
once disclosed, the restrictions and data protection rules in this
proposed rule phrased as pertaining to patient safety work product
generally only apply to identifiable patient safety work product.
OCR stands for the Office for Civil Rights in HHS. This definition
is added for convenience.
Parent organization would mean a public or private sector
organization that, alone or with others, either owns a provider entity
or a component PSO, or has the authority to control or manage agenda
setting, project management, or day-to-day operations of the component,
or the authority to review and override decisions of a component PSO.
We have not proposed to define the term ``owns.'' We propose to use the
term ``own a provider entity'' to mean a governmental agency or Tribal
entity that controls or manages a provider entity as well as an
organization having a controlling interest in a provider entity or a
component PSO, for example, owning a majority or more of the stock of
the owned entity, and expressly ask for comment on whether our further
definition of controlling interest as follows below is appropriate.
Under the proposed regulation, if an entity that seeks to be a PSO
has a parent organization, that entity will be required to seek listing
as a component PSO and must provide certifications set forth in
proposed Sec. 3.102(c), which indicate that the entity maintains
patient safety work product separately from the rest of the
organization(s) and establishes security measures to maintain the
confidentiality of patient safety work product, the entity does not
make an unauthorized disclosure of patient safety work product to the
rest of the organization(s), and the entity does not create a conflict
of interest with the rest of the organization(s).
Traditionally, a parent corporation is defined as a corporation
that holds a controlling interest in one or more subsidiaries. By
contrast, parent organization, as used in this proposed rule, is a more
inclusive term and is not limited to definitions used in corporations
law. Accordingly, the proposed definition emphasizes a parent
organization's control (or influence) over a PSO that may or may not be
based on stock ownership.\13\ Our
[[Page 8119]]
approach to interpreting the statutory reference in section 924(b)(2)
of the Patient Safety Act, 42 U.S.C. 299b-24(b)(2) to ``another
organization'' in which an entity is a ``component'' (i.e., a ``parent
organization'') is analogous to the growing attention in both statutory
and case law, to the nature and conduct of business organizational
relationships, including multi-organizational enterprises. As discussed
above in the definition of ``component,'' the emphasis on actual
organizational control, rather than the organization's structure, has
numerous legal precedents in legislation implementing statutory
programs and objectives and courts upholding such programs and
objectives.\14\ Therefore, the definition of a ``parent organization,''
as used in the proposed regulation would encompass an affiliated
organization that participates in a common enterprise with an entity
seeking listing, and that owns, manages or exercises control over the
entity seeking to be listed as a PSO. As indicated above, affiliated
corporations have been legally defined to mean those who share a
corporate parent or are part of a common corporate enterprise.\15\
---------------------------------------------------------------------------
\13\ Cf. 17 CFR 240.12b-2 (defining ``control'' broadly as ``* *
* the power to direct or cause the direction of the management and
policies of an * * * [entity] whether through the ownership of
voting securities, by contract, or otherwise.'')
\14\ Blumberg on Corporate Groups Sec. 13 notes that, where
applications for licenses are in a regulated industry, information
is required by states about the applicant as well as corporate
parents, subsidiaries and affiliates. In the proposed regulation,
pursuant to the Patient Safety Act, information about parent
organizations with potentially conflicting missions would be
obtained to ascertain that component entities seeking to be PSOs
have measures in place to protect the confidentiality of patient
safety work product and the independent conduct of impartial
scientific analyses by PSOs.
\15\ See for example the definition of affiliates in regulations
jointly promulgated by the Comptroller of the Currency, the Federal
Reserve board, the FDIC, and the Office of Thrift Supervision to
implement privacy provisions of Gramm Leach Bliley legislation using
provisions of the Fair Credit Reporting Act (dealing with
information sharing among affiliates): ``any company that is related
or affiliated by common ownership, or affiliated by corporate
control or common corporate control with another company.''
Blumberg, supra note 2, at Sec. 122.09[A] (citing 12 CFR pt.41.3,
12 CFR pt.222.3(1), 12 CFR pt.334.3(b) and 12 CFR pt.571.3(1)
(2004)).
---------------------------------------------------------------------------
Parent organization is defined to include affiliates primarily in
recognition of the prospect that otherwise unrelated organizations
might affiliate to jointly establish a PSO. We can foresee such an
enterprise because improving patient safety through expert analysis of
aggregated patient safety data could logically be a common and
efficient objective shared by multiple potential cofounders of a PSO.
It is fitting, in our view, that a component entity certify, as we
propose in Sec. 3.102(c), that there is ``no conflict'' between its
mission as a PSO and all of the rest of the parent or affiliated
organizations that undertake a jointly sponsored PSO enterprise.\16\
Similarly, it is also appropriate that the additional certifications
required of component entities in proposed Sec. 3.102(c) regarding
separation of patient safety work product and the use of separate staff
be required of an entity that has several co-founder parent
organizations that exercise ownership, management or control, (i.e. to
assure that the intended ``firewalls'' exist between the component
entity and the rest of any affiliated organization that might exercise
ownership, management or control over a PSO).
---------------------------------------------------------------------------
\16\ We note that the certifications from a jointly established
PSO could be supported or substantiated with references to
protective procedural or policy walls that have been established to
preclude a conflict of these organizations' other missions with the
scientific analytic mission of the PSO.
---------------------------------------------------------------------------
To recap this part of the discussion, we would consider an entity
seeking listing as a PSO to have a parent organization, and such entity
would seek listing as a component organization, under the following
circumstances: (a) The entity is a unit in a corporate organization or
a controlling interest in the entity is owned by another corporation;
or (b) the entity is a distinct organizational part of a multi-
organizational enterprise and one or more affiliates in the enterprise
own, manage, or control the entity seeking listing as a PSO. An example
of an entity described in (b) would be an entity created by a joint
venture in which the entity would be managed or controlled by several
co-founding parent organizations.
The definition of provider in the proposed rule (which will be
discussed below) includes the parent organization of any provider
entity. Correspondingly, our definition of parent organization includes
any organization that ``owns a provider entity.'' This is designed to
provide an option for the holding company of a corporate health care
system to enter a multi-facility or system-wide contract with a PSO.
Patient Safety Act would mean the Patient Safety and Quality
Improvement Act of 2005 (Pub. L. 109-41), which amended Title IX of the
Public Health Service Act (42 U.S.C. 299 et seq.) by inserting a new
Part C, sections 921 through 926, which are codified at 42 U.S.C. 299b-
21 through 299b-26.
Patient safety activities would mean the following activities
carried out by or on behalf of a PSO or a provider:
(1) Efforts to improve patient safety and the quality of health
care delivery;
(2) The collection and analysis of patient safety work product;
(3) The development and dissemination of information with respect
to improving patient safety, such as recommendations, protocols, or
information regarding best practices;
(4) The utilization of patient safety work product for the purposes
of encouraging a culture of safety and of providing feedback and
assistance to effectively minimize patient risk;
(5) The maintenance of procedures to preserve confidentiality with
respect to patient safety work product;
(6) The provision of appropriate security measures with respect to
patient safety work product;
(7) The utilization of qualified staff; and
(8) Activities related to the operation of a patient safety
evaluation system and to the provision of feedback to participants in a
patient safety evaluation system.
This definition is taken from the Patient Safety Act. See section
921(5) of the Public Health Service Act, 42 U.S.C. 299b-21(5). Patient
safety activities is used as a key reference term for other provisions
in the proposed rule and those provisions provide descriptions related
to patient safety activities. See proposed requirements for PSOs at
Sec. Sec. 3.102 and 3.106 and the proposed confidentiality disclosure
permission at Sec. 3.206(b)(4).
Patient safety evaluation system would mean the collection,
management, or analysis of information for reporting to or by a PSO.
The patient safety evaluation system is a core concept of the Patient
Safety Act through which information, including data, reports,
memoranda, analyses, and/or written or oral statements, is collected,
maintained, analyzed, and communicated. When a provider engages in
patient safety activities for the purpose of reporting to a PSO or a
PSO engages in these activities with respect to information for patient
safety purposes, a patient safety evaluation system exists regardless
of whether the provider or PSO has formally identified a ``patient
safety evaluation system''. For example, when a provider collects
information for the purpose of reporting to a PSO and reports the
information to a PSO to generate patient safety work product, the
provider is collecting and reporting through its patient safety
evaluation system (see definition of patient safety work product ).
Although we do not propose to require providers or PSOs formally to
identify or define their patient safety evaluation system--because such
systems exist by virtue of the providers or PSOs undertaking certain
patient safety activities--a patient safety evaluation system can be
[[Page 8120]]
formally designated by a provider or PSO to establish a secure space in
which these activities may take place.
The formal identification or designation of a patient safety
evaluation system could gi