Patient Safety and Quality Improvement Act of 2005-HHS Guidance Regarding Patient Safety Work Product and Providers' External Obligations, 32655-32660 [2016-12312]

Download as PDF Federal Register / Vol. 81, No. 100 / Tuesday, May 24, 2016 / Rules and Regulations disclosure permissions of the Patient Safety Act and Patient Safety Rule. DEPARTMENT OF HEALTH AND HUMAN SERVICES Agency for Healthcare Research and Quality Office for Civil Rights 42 CFR Part 3 Patient Safety and Quality Improvement Act of 2005—HHS Guidance Regarding Patient Safety Work Product and Providers’ External Obligations Agency for Healthcare Research and Quality (AHRQ), Office for Civil Rights (OCR), Department of Health and Human Services (HHS). ACTION: Guidance on Patient Safety and Quality Improvement Act of 2005. AGENCY: This guidance sets forth guidance for patient safety organizations (PSOs) and providers regarding questions that have arisen about the Patient Safety and Quality Improvement Act of 2005, 42 U.S.C. 299b–21—b–26 (Patient Safety Act), and its implementing regulation, the Patient Safety and Quality Improvement Final Rule, 42 CFR part 3 (Patient Safety Rule). In particular, this Patient Safety and Quality Improvement Act of 2005— Guidance Regarding Patient Safety Work Product and Providers’ External Obligations (Guidance) is intended to clarify what information that a provider creates or assembles can become patient safety work product (PSWP) in response to recurring questions. This Guidance also clarifies how providers can satisfy external obligations related to information collection activities consistent with the Patient Safety Act and Patient Safety Rule. DATES: The Guidance is effective on May 24, 2016. ADDRESSES: The Guidance can be accessed electronically at the following HHS Web site: https://www.pso.ahrq.gov. FOR FURTHER INFORMATION CONTACT: Susan Grinder, Center for Quality Improvement and Patient Safety, AHRQ, 5600 Fishers Lane, Mail Stop 06N100B, Rockville, MD 20857; Telephone (301) 427–1327; Email: Susan.Grinder@ AHRQ.hhs.gov. SUMMARY: SUPPLEMENTARY INFORMATION: mstockstill on DSK3G9T082PROD with RULES Background HHS issued the Patient Safety Rule to implement the Patient Safety Act. AHRQ administers the provisions of the Act and Rule relating to the listing and operation of PSOs. OCR, within HHS, is responsible for interpretation, administration and enforcement of the confidentiality protections and VerDate Sep<11>2014 17:11 May 23, 2016 Jkt 238001 HHS Approach to Patient Safety Act Interpretation The Patient Safety Act is part of a larger framework envisioned by the Institute of Medicine and designed to balance two goals: 1) To improve patient safety and reduce medical errors by creating a ‘‘culture of safety’’ to share and learn from information related to patient safety events, and 2) to promote health care providers’ accountability and transparency through mechanisms such as oversight by regulatory agencies and adjudication in the legal system. As discussed in ‘‘To Err Is Human,’’ in respect to reporting systems, ‘‘they can hold providers accountable for performance or, alternatively, they can provide information that leads to improved safety. Conceptually, these purposes are not incompatible, but in reality, they can prove difficult to satisfy simultaneously.’’ 1 The Patient Safety Act promotes the goal of improving patient safety and reducing medical errors by establishing a system in which health care providers can voluntarily collect and report information related to patient safety, health care quality, and health care outcomes to PSOs. The PSOs aggregate and analyze this information and give feedback to the providers to encourage learning and prevent future errors. The providers are motivated to report such information to PSOs because the Patient Safety Act provides broad privilege and confidentiality protections for information meeting the definition of PSWP, which alleviates concerns about such information being used against a provider, such as in litigation. At the same time, providers are subject to legitimate external obligations regarding certain records about patient safety to ensure their accountability and transparency. For example, the Centers for Medicare & Medicaid Services (CMS) Hospital Condition of Participation (CoP) for Quality Assessment and Performance Improvement require hospitals to track adverse patient events.2 State health care regulatory agencies typically have their own separate requirements for different types of providers, with more than half of the states operating adverse event reporting systems.3 The legal system provides 1 Institute of Medicine, ‘‘To Err Is Human: Building a Safer Health System’’, 1999, page 86. 2 42 CFR 482.21(a)(2). 3 As of November 2014, 26 states and the District of Columbia had adverse event reporting systems, and Texas began implementing a system in January 2015. National Academy for State Health Policy, ‘‘2014 Guide to State Adverse Event Reporting PO 00000 Frm 00039 Fmt 4700 Sfmt 4700 32655 another course to pursue accountability for medical errors. If a patient is injured while under a provider’s care, the tort system offers an avenue to compensate the patient for his injury. However, while a successful medical malpractice claim may help compensate one patient for his specific injury, the general threat of litigation provides a disincentive to providers from voluntarily sharing information about their mistakes. The intent of the system established by the Patient Safety Act is to protect the additional information created through voluntary patient safety activities, not to protect records created through providers’ mandatory information collection activities.4 For example, a provider may have an external obligation to maintain certain records about serious adverse events that result in patient harm. The document the provider prepares to meet its requirement about such adverse events is not PSWP. As such, the Patient Safety Act recognizes the goal of accountability and transparency, and it attempts to balance this goal with that of improving patient safety and reducing medical errors. While Congress was aware of the chilling effect the fear Systems’’, 2015, page 4. For example, Pennsylvania hospitals, ambulatory surgical facilities, birthing centers, nursing homes, and other facilities are required by various state laws to submit reports on ‘‘serious events’’ and ‘‘incidents’’ to the Pennsylvania Patient Safety Reporting System (‘‘PA–PSRS’’). Information submitted to PA–PSRS is confidential under state law. Patient Safety Authority, Pennsylvania Patient Safety Reporting System: PA–PSRS (Pennsylvania Patient Safety Reporting System), https:// patientsafetyauthority.org/PA-PSRS/Pages/ PAPSRS.aspx (last accessed Mar. 4, 2016). In Maine, ‘‘healthcare facilities,’’ which includes hospitals, ambulatory surgical facilities, end-stage renal disease facilities, and intermediate care facilities for individuals who are intellectually disabled, are required to report ‘‘sentinel events’’ and root cause analyses of sentinel events to the Maine Department of Health and Human Services. The healthcare facilities may also voluntarily selfreport ‘‘near miss events.’’ Under state law, the reported information is confidential and privileged. See 10–144 C.M.R. Ch 114, Rules Governing the Reporting of Sentinel Events. In addition or alternative to reporting requirements, some states require providers to maintain certain information. For example, Delaware requires certain facilities that perform invasive medical procedures to report adverse events to the Department of Health and Social Services within 48 business hours of the occurrence and also keep the adverse event reports ‘‘on file at the facility for a minimum of five years.’’ CDR 16–4000–4408 Sections 4.3, 4.4. In Kentucky, hospitals are required to ‘‘establish[], maintain[], and utilize[]’’ administrative reports, including incident investigation reports, ‘‘to guide the operation, measure productivity, and reflect the programs of the facility.’’ 902 KAR 20:016 Section 3(3)(a). 4 See e.g., 42 U.S.C. 299b-21(7)(B)(iii)(II), (III); 42 U.S.C. 299b-22(g)(2), (5) (generally providing that the Patient Safety Act does not affect or limit providers’ obligations to record or report information that is not PSWP to Federal, state, or local governmental agencies). E:\FR\FM\24MYR1.SGM 24MYR1 32656 Federal Register / Vol. 81, No. 100 / Tuesday, May 24, 2016 / Rules and Regulations of being sued had on providers, the Patient Safety Act was not designed to prevent patients who believed they were harmed from obtaining the records about their care that they were able to obtain prior to the enactment of the Patient Safety Act.5 Nor was the Patient Safety Act intended to insulate providers from demonstrating accountability through fulfilling their external obligations.6 Therefore, when interpreting the Patient Safety Act and Patient Safety Rule, HHS does so with the objective of maintaining balance between these two policy goals, consistent with the intent of the Patient Safety Act. How Information Becomes PSWP mstockstill on DSK3G9T082PROD with RULES Both the Notice of Proposed Rulemaking (NPRM) and the Preamble to the Patient Safety Rule (Preamble) discuss the definition of PSWP and provide examples of what information would and would not meet the definition.7 Because there continues to be confusion about this definition, the prior discussion will be reiterated and further clarified here. The definition of PSWP sets forth three basic ways that certain information can become PSWP: (1) The information is prepared by a provider for reporting to a PSO and it is reported to the PSO, (2) the information is developed by a PSO for the conduct of patient safety activities,8 or, (3) the information identifies or constitutes the deliberations or analysis of, or identifies the fact of reporting pursuant to, a patient safety evaluation system (PSES).9 The first way— 5 ‘‘It is not the intent of this legislation to establish a legal shield for information that is already currently collected or maintained separate from the new patient safety process, such as a patient’s medical record. That is, information which is currently available to plaintiffs’ attorneys or others will remain available just as it is today.’’ 151 Cong. Rec. S8741 (daily ed. Jul. 22, 2005) (statement of Mr. Enzi, then chairman of the Senate Health, Education, Labor, and Pensions Committee). ‘‘Nor does this bill alter any existing rights or remedies available to injured patients. The bottom line is that this legislation neither strengthens nor weakens the existing system of tort and liability law.’’ Id. (statement of Mr. Jeffords, who reintroduced S. 544, the bill that became the Patient Safety Act). 6 ‘‘This legislation does nothing to reduce or affect other Federal, State or local legal requirements pertaining to health related information.’’ Id. (statement of Mr. Jeffords). 7 73 FR 8120–24, Oct. 5, 2007; 73 FR 70739–44, Nov. 21, 2008. 8 This guidance does not otherwise address the creation of PSWP through development by a PSO. Because external regulatory and oversight reporting obligations are requirements of providers, this guidance does not apply to information developed by a PSO for the conduct of patient safety activities. 9 42 U.S.C. 299b-21(7)(A); 42 CFR 3.20 (paragraph (1) of the definition of PSWP). Patient safety evaluation system ‘‘means the collection, management, or analysis of information for VerDate Sep<11>2014 17:11 May 23, 2016 Jkt 238001 sometimes referred to as the ‘‘reporting pathway’’—is how providers generally create most of their PSWP. According to the Patient Safety Act, in order for information to become PSWP through the reporting pathway, it must be information that could improve patient safety, health care quality, or health care outcomes and be assembled or developed by a provider for reporting to a PSO and be reported to a PSO. Another way of saying that the information is assembled or developed for reporting to a PSO is that the information is prepared for the purpose of reporting it to the PSO.10 Under the Patient Safety Rule, the reporting pathway allows for information that is documented as collected within the provider’s PSES to be PSWP and thus privileged and confidential before it is reported to a PSO. As explained in the Preamble, this interpretation addresses the concerns of significant administrative burden and an indiscriminate race to report information to the PSO if information only became protected after it was reported to a PSO.11 Nevertheless, a provider should only place information in its PSES if it intends to report that information to the PSO.12 Information That Is Not PSWP The definition of PSWP also describes information that is not PSWP. Specifically excluded from the definition of PSWP is, ‘‘a patient’s medical record, billing and discharge information, or any other original patient or provider information.’’ 13 The Patient Safety Act and Rule also exclude from the PSWP definition ‘‘information that is collected, maintained, or developed separately, or exists separately, from a patient safety evaluation system.’’ 14 Put another way, information prepared for purposes other reporting to or by a PSO.’’ 42 U.S.C. 299b-21(6); 42 CFR 3.20. 10 See 73 FR 70739, Nov. 21, 2008 (‘‘information may become patient safety work product if it is assembled or developed by a provider for the purpose of reporting to a PSO and is reported to a PSO’’). 11 See 73 FR 70741–42, Nov. 21, 2008. 12 Id. (‘‘We note, however, that a provider should not place information into its patient safety evaluation system unless it intends for that information to be reported to the PSO.’’). 13 42 CFR 3.20 (paragraph (2)(i) of the PSWP definition). The Patient Safety Act, at U.S.C. 299b21(7)(B)(i), refers to ‘‘original patient or provider record[s],’’ but the use of ‘‘original patient or provider information’’ in the regulation is intended to be synonymous with the use of ‘‘original patient or provider record’’ in the statute. 14 42 U.S.C. 299b-21(7)(B)(ii); 42 CFR 3.20 (paragraph (2)(i) of the PSWP definition). PO 00000 Frm 00040 Fmt 4700 Sfmt 4700 than reporting to a PSO is not PSWP under the reporting pathway.15 Within the category of information prepared for a purpose other than reporting to a PSO, information that is prepared for external obligations has generated many questions. External obligations include, but are not limited to, mandatory requirements placed upon providers by Federal and state health regulatory agencies.16 Both the NPRM and Preamble clearly state that PSWP cannot be used to satisfy such external obligations. ‘‘As the Patient Safety Act states more than once, these external obligations must be met with information that is not patient safety work product, and, in accordance with the confidentiality provisions, patient safety work product cannot be disclosed for these purposes.’’ 17 In the Preamble, HHS repeatedly stated that PSWP cannot be used to fulfill external obligations.18 Purpose for Which the Information Was Assembled or Developed As such, uncovering the purpose for which information is prepared can be a critical factor in determining whether the information is PSWP. Since some types of information can be PSWP or not depending upon why the information was assembled or developed, it is important for providers to be aware of whether information is prepared for reporting to a PSO. The chart below includes some examples. 15 See 73 FR 70740, Nov. 21, 2008 (‘‘Patient safety work product does not include information that is collected, maintained, or developed separately or exists separately from, a patient safety evaluation system. This distinction is made because these and similar records must be maintained by providers for other purposes.’’). 16 Some examples of external obligations include: state incident reporting, adverse drug event reporting to the Food and Drug Administration (FDA), certification or licensing recordkeeping, reporting to the National Practitioner Data Bank, and disclosing information to comply with CMS’ CoPs or conditions for coverage. 73 FR 8123, Oct. 5, 2007. 17 73 FR 8123, Oct. 5, 2007. 18 See e.g., 73 FR 70740, Nov. 21, 2008 (‘‘. . . external reporting obligations as well as voluntary reporting activities that occur for the purpose of maintaining accountability in the health care system cannot be satisfied with patient safety work product.’’), 70742 (‘‘These external obligations must be met with information that is not patient safety work product and oversight entities continue to have access to this original information in the same manner as such entities have had access prior to the passage of the Patient Safety Act.’’), 70743 (‘‘The final rule is clear that providers must comply with applicable regulatory requirements and that the protection of information as patient safety work product does not relieve a provider of any obligation to maintain information separately.’’). 19 See CMS Pub. 100–07, State Operations Manual, Appendix A, Transmittal 37, page 275 (Oct. 17, 2008) (in providing interpretative guidance on compliance with 42 CFR 482.41(c)(2), stating E:\FR\FM\24MYR1.SGM 24MYR1 Federal Register / Vol. 81, No. 100 / Tuesday, May 24, 2016 / Rules and Regulations 32657 Type of information Not PSWP if prepared . . . Could be PSWP if information is not required for another purpose and is prepared solely for reporting to a PSO, for example . . . Information related to the functioning of medical equipment. For upkeep of equipment (e.g., original equipment maintenance logs), to maintain a warranty, or for an external obligation (e.g., CMS requires some equipment logs 19). To ensure appropriate levels of clinician availability (e.g., routine personnel schedules), or for compliance purposes 20. For internal risk management (claims and liability purposes). Following a patient incident, a provider develops information about possible equipment malfunctions for reporting to a PSO. The PSO can aggregate it with other rare events from other reporting providers to identify risks and hazards. A list of provider staff who were present at the time a patient incident occurred. Written reports 21 of witness accounts of what they observed at the time of a patient incident. Information related to care or treatment provided to the patient. As part of the patient’s original medical record 22. Meeting External Obligations mstockstill on DSK3G9T082PROD with RULES The Patient Safety Act Does Not Relieve a Provider From Its External Obligations As discussed above, the Patient Safety Act does not permit providers to use the privilege and confidentiality protections for PSWP to shield records required by external recordkeeping or reporting requirements. To this end, the Patient Safety Act specifically states that it shall not limit the reporting of non-PSWP ‘‘to a Federal, State, or local governmental agency for public health surveillance, investigation, or other public health purposes or health oversight purposes’’ or a provider’s recordkeeping obligations under Federal, State, or local law.23 It further reinforces that the statute shall not be construed ‘‘to limit, alter or affect the requirements of Federal, State, or local law pertaining to information that is not’’ PSWP or ‘‘as preempting or otherwise affecting any State law requiring a provider to report information that is not’’ PSWP.24 The NPRM explains that ‘‘the statute is quite specific that these protections do not relieve a provider from its obligation to comply with other legal, regulatory, accreditation, licensure, or other accountability requirements that it would otherwise need to meet.’’ 25 It adds that the protected system established by the Patient Safety Act, ‘‘resides alongside but does not replace that survey procedures include reviewing maintenance logs for significant medical equipment). 20 As an example, 42 U.S.C. 1395cc(a)(1)(I)(iii) requires hospitals to maintain an on-call list of physicians available to provide treatment related to individuals with emergency medical conditions. 21 Of note, while a written report of the patient safety incident prepared for reporting to a PSO may be PSWP, individuals who witnessed the event VerDate Sep<11>2014 17:11 May 23, 2016 Jkt 238001 Following the incident, a provider originally assembles the list for reporting to a PSO so the PSO can analyze the levels and types of staff involved in medication errors. The provider originally prepares the written reports for reporting to the PSO so that the richness of the narrative can be mined for contributing factors. The provider documents all patient allergic reactions in the medical record then prepares a list of patients that have exhibited the reaction to determine if newly-instituted procedures for reducing risk were followed specifically for the PSO. The list of patients exhibiting the reaction prepared for reporting to the PSO could be PSWP, but the original patient medical records would not. other information collection activities mandated by laws, regulations, and accrediting and licensing requirements as well as voluntary reporting activities that occur for the purpose of maintaining accountability in the health care system.’’ 26 As further stated in the Preamble, ‘‘nothing in the final rule or the statute relieves a provider from his or her obligation to disclose information from such original records or other information that is not patient safety work product to comply with state reporting or other laws.’’ 27 HHS reiterates that any external reporting or recordkeeping obligations— whether they require a provider to report certain information, maintain specific records, or operate a separate system—cannot be met with PSWP. We also clarify that any information that is prepared to meet any Federal, state, or local health oversight agency requirements is not PSWP. As discussed above, the Patient Safety Act was intended to spur the development of additional information created through voluntary patient safety activities and to provide privilege and confidentiality protections for such new information. It was not intended to protect records generated or maintained as part of providers’ existing mandatory information collection activities.28 As stated in the Preamble, ‘‘The could still potentially disclose or testify about what they observed. 22 There are various requirements regarding what information is required to be in the medical record. For example, CMS’ Hospital CoP for medical record services includes that a hospital’s medical record, ‘‘must contain information to justify admission and continued hospitalization, support the diagnosis, and describe the patient’s progress and response to medication and services.’’ 42 CFR 482.24(c). 23 42 U.S.C. 299b–21(7)(B)(iii). PO 00000 Frm 00041 Fmt 4700 Sfmt 4700 Department does not believe that the patient safety evaluation system enables providers to avoid transparency. . . . [T]he Patient Safety Act and the final rule have carefully assured that information generally available today remains available, such as medical records, original provider documents, and business records.’’ 29 HHS believes that most providers that engage with a PSO are doing so to further learning about patient safety and health care quality, consistent with the intent of the Patient Safety Act. Nevertheless, we are concerned about two ways that some providers may be attempting to misuse the Patient Safety Act protections to avoid their external obligations—in particular, to circumvent Federal or state regulatory obligations. First, some providers with recordkeeping or record maintenance requirements appear to be maintaining the required records only in their PSES and then refusing to disclose the records, asserting that the records in their PSES fulfill the applicable regulatory requirements while at the same time maintaining that the records are privileged and confidential PSWP. Second, some providers appear to develop records to meet external obligations outside of the PSES, place a duplicate copy of the required record into the PSES, then destroy the original 24 42 25 73 U.S.C. 299b–22(g). FR 8124, Oct. 5, 2007. 26 Id. 27 73 FR 70786, Nov. 21, 2008. 73 FR 70742, Nov. 21, 2008 (‘‘Even when laws or regulations require the reporting of information regarding the type of events also reported to PSOs, the Patient Safety Act does not shield providers from their obligation to comply with such requirements.’’). 29 73 FR 70739, Nov. 21, 2008. 28 See E:\FR\FM\24MYR1.SGM 24MYR1 32658 Federal Register / Vol. 81, No. 100 / Tuesday, May 24, 2016 / Rules and Regulations outside of the PSES and refuse to disclose the remaining copy of the information, asserting that the copy is confidential and privileged PSWP. The Patient Safety Act was not intended to give providers such methods to evade their regulatory obligations. Here, we clarify HHS’ interpretation of how the Patient Safety Act prohibits providers from using the PSES to protect from disclosure records subject to such external obligations. Original Patient and Provider Records As stated in the Patient Safety Act and Patient Safety Rule, original patient and provider records, such as a patient’s medical record, billing information, and discharge information, are not PSWP.30 We now provide further clarification regarding what constitutes other types of original provider records. HHS interprets ‘‘original provider records’’ to include: (1) Original records (e.g., reports or documents) that are required of a provider to meet any Federal, state, or local public health or health oversight requirement regardless of whether such records are maintained inside or outside of the provider’s PSES; and (2) copies of records residing within the provider’s PSES that were prepared to satisfy a Federal, state, or local public health or health oversight record maintenance requirement, if while the provider is obligated to maintain such information, the information is only maintained by the provider within the PSES (e.g., if the records or documents that were being maintained outside the PSES to fulfill the external obligation were lost or destroyed).31 This interpretation is consistent with Congressional intent in enacting the Patient Safety Act, the text of the statute and the regulation, and HHS’ prior interpretation found in the NPRM and Preamble, all discussed above, supporting that the Patient Safety Act does not allow providers to be shielded from their external obligations.32 30 42 U.S.C. 299b–21(7)(B)(i). an original provider record is destroyed and the same information is maintained within the PSES, a provider may remove the original record from the PSES for the purpose of maintaining the information outside of the PSES. 32 This interpretation of ‘‘original provider records’’ has developed, in part, due to new information about some providers’ apparent attempts to avoid compliance with their external obligations, as discussed above, which has come to the attention of HHS since we initially developed the Patient Safety Act’s implementing regulation. While broadly consistent with prior HHS interpretation that the Patient Safety Act does not provide a way for providers to evade their external obligations, HHS acknowledges that one aspect of this interpretation is different from that previously expressed, with respect to whether copies of nonPSWP in the PSES remain privileged and mstockstill on DSK3G9T082PROD with RULES 31 If VerDate Sep<11>2014 17:11 May 23, 2016 Jkt 238001 To further illustrate what information HHS would consider to be original provider records versus information that could be eligible to be PSWP, consider the following hypothetical examples in scenarios where a provider maintains specific forms regarding adverse events in order to satisfy a federal or state law obligation. 1. The provider only maintains the forms outside of the PSES: The forms are not PSWP. They are not PSWP both because they are an original provider record and because they are maintained separately from the PSES. 2. The provider maintains the original forms outside of the PSES and places duplicate copies in the PSES for reporting to the PSO, so that further analysis using information in the forms can be conducted: The forms outside of the PSES are not PSWP, for the reasons indicated above. The copies in the PSES would be PSWP, provided that: (1) The information otherwise meets the definition of PSWP and (2) the original forms continue to be maintained by the provider outside of the PSES.33 If, while the provider is required to maintain the forms, the forms outside of the PSES become unavailable (e.g., they are lost or destroyed), the duplicate copies of the forms in the provider’s PSES will be ‘‘original provider records’’ that are no longer privileged and confidential PSWP so long as no duplicate copies of the forms are maintained outside of the PSES by the provider.34 3. The provider only maintains the original forms in the PSES: The forms are original provider records and not privileged and confidential PSWP. We note that it would be improper to maintain records collected for external reporting purposes solely within a PSES because this scenario would be a misuse of a PSES. 4. The provider maintains the forms outside of the PSES and within the PSES extracts information from the forms to conduct further analysis: The forms confidential PSWP if the original provider record outside of the PSES is unavailable. See e.g., 73 FR 8124, Oct. 5, 2007 (indicating a copy in the PSES is protected and may not be disclosed when the original record outside of the PSES is unavailable). 33 See 73 FR 70743, Nov. 21, 2008 (‘‘Because information contained in these original records may be valuable to the analysis of a patient safety event, the important information must be allowed to be incorporated into the patient safety work product. However, the original information must be kept and maintained separately to preserve the original records for their intended purposes.’’). 34 The circumstances in which information from a provider’s PSES would not be protected as PSWP in this example are consistent with the statute’s text that states a PSO shall not be compelled to disclose information—unless such information is: Identified, not PSWP, and not reasonably available from another source. See 42 U.S.C. 299b–22(d)(4)(A)(i). PO 00000 Frm 00042 Fmt 4700 Sfmt 4700 outside of the PSES are not PSWP, for the reasons indicated above. The analysis conducted inside the PSES, including the information extracted from the forms, is PSWP. This clarification should not create problems for providers who have appropriately created and retained the original records required to satisfy their external obligations outside of a PSES. Those original records would be available to meet any external reporting requirements or needs.35 In an effort to ensure that there is no need to obtain the copies that exist in the PSES for other purposes, providers should establish a mechanism to indicate where the original records can be located. Additionally, providers should exercise extreme caution before destroying any original records maintained outside of the PSES. A provider that destroys the original source documents upon which PSWP is based is not relieved of its obligations or any applicable consequences that may be imposed by other regulators if they fail to maintain the original records. Copies of PSWP To be clear, the above discussion of copies relates to information that begins as non-PSWP (i.e., original patient or provider records and/or information that was collected, maintained, developed, or exists separately from the PSES). Consistent with the Patient Safety Rule’s definition of PSWP, copies of information initially prepared as PSWP within the PSES are PSWP.36 For example, if a provider originally develops information to improve patient safety in its PSES solely for reporting to the PSO, that information is PSWP. If the provider then makes a copy of this information for the PSO and retains another copy of it in its PSES, both the copy of the information disclosed to the PSO and the copy maintained in the provider’s PSES are PSWP, and thus privileged and confidential under the Patient Safety Rule. 35 We note that this section focuses on requirements to maintain forms in an available fashion. To the extent an obligation only requires reporting and is fully satisfied after that reporting, a provider has fulfilled the reporting requirement, and the provider has no ongoing requirement to maintain the reported information, the subsequent collection of a form in the PSES and reporting to a PSO would protect the later form as PSWP because the external obligation has been fully satisfied. 36 42 CFR 3.20 (paragraph (1) of the PSWP definition) (‘‘Except as provided in paragraph (2) of this definition, patient safety work product means any . . . [information] . . . (or copies of any of this material) . . . .’’). E:\FR\FM\24MYR1.SGM 24MYR1 Federal Register / Vol. 81, No. 100 / Tuesday, May 24, 2016 / Rules and Regulations Separate Systems It has come to HHS’ attention that the discussion in the Preamble regarding whether providers need to maintain multiple systems may have caused some confusion. Some commenters on the NPRM expressed concern that providers would need to maintain two duplicate systems: One PSES for information that the provider assembles or develops for reporting to a PSO and a second system containing the same information if the provider is unsure at the time the information is prepared for reporting to the PSO whether that information may be required in the future to fulfill a state law obligation. In response to this concern, the Preamble discusses a way that the Patient Safety Rule allows for information that was PSWP to no longer be PSWP.37 This process, sometimes referred to as the ‘‘drop out’’ provision, provides that PSWP ‘‘assembled or developed by a provider for reporting to a PSO may be removed from’’ a PSES and no longer be considered PSWP if: ‘‘[t]he information has not yet been reported to a PSO’’ and ‘‘[t]he provider documents the act and date of removal of such information from the’’ PSES.38 Once removed from the PSES following this procedure, the information could be used for other purposes, such as to meet state law obligations. As indicated above, the drop out provision is intended as a safety valve for providers who are unsure at the time that information is being prepared for reporting to the PSO whether similar information would, at a later time, be needed for an external obligation. It provides some flexibility for providers as they work through their various external obligations, as information assembled or developed for reporting to the PSO can reside as PSWP within the provider’s PSES until the provider makes a future determination as to whether that information must be used to meet an external obligation.39 It is intended to be used on a case-by-case basis. Under the drop out provision, if the provider later determines the information within its PSES that had originally been assembled or developed for reporting to a PSO will be instead used for an external obligation, it is e.g., 73 FR 70742, Nov. 21, 2008. CFR 3.20(2)(ii). 39 See 73 FR 70742, Nov. 21, 2008 (Referring to the documentation of date and purpose of collection within a PSES, ‘‘(p)roviders have the flexibility to protect this information as patient safety work product within their patient safety evaluation system while they consider whether the information is needed to meet external reporting obligations. Information can be removed from the patient safety evaluation system before it is reported to a PSO to fulfill external reporting obligations.’’). removed from the PSES and is no longer PSWP. This means it is no longer privileged or confidential under the Patient Safety Act and Patient Safety Rule.40 If the provider instead decides to report the information to a PSO, the information remains PSWP (so long as it meets the requirements for being PSWP, including that it is not an original patient or provider record) and cannot be permissibly disclosed for any reason, except in accordance with the disclosure permissions described in the Patient Safety Act and Patient Safety Rule.41 The Preamble thus explains how the drop out provision eliminates the need for a provider to maintain two systems with duplicate information: A PSES containing PSWP and a separate system containing any of that same information where the provider has yet to determine whether it will be needed in the future for another purpose. Nevertheless, we reemphasize that where records are mandated by a Federal or State law requirement or other external obligation, they are not PSWP. Thus, a provider should maintain at least two systems or spaces: A PSES for PSWP and a separate place where it maintains records for external obligations.42 As discussed above, the Patient Safety Act encourages providers to prepare, analyze, and share information beyond what they are mandated to do. As such, it is expected that most of the information in a PSES would be originally created by providers as part of their voluntary participation with a PSO. Shared Responsibility As described above, the protected system established under the Patient Safety Act works in concert with the external obligations of providers to ensure accountability and transparency while encouraging the improvement of patient safety and reduction of medical errors through a culture of safety. It is the provider’s ultimate responsibility to understand what information is required to meet all of its external obligations. If a provider is uncertain what information is required of it to fulfill an external obligation, the provider should reach out to the external entity to clarify the requirement. HHS has heard anecdotal 37 See mstockstill on DSK3G9T082PROD with RULES 38 42 VerDate Sep<11>2014 17:11 May 23, 2016 Jkt 238001 40 Id. (‘‘Once the information is removed, it is no longer patient safety work product and is no longer subject to the confidentiality provisions.’’). 41 42 U.S.C. 299b–22(c); 42 CFR 3.204(b), 3.206(b). 42 ‘‘The Patient Safety Act establishes a protected space or system that is separate, distinct, and resides alongside but does not replace other information collection activities . . . .’’ 73 FR 70742, Nov. 21, 2008; see also 73 FR 8124, Oct. 5, 2007. PO 00000 Frm 00043 Fmt 4700 Sfmt 4700 32659 reports of providers, PSOs, and regulators working together to ensure that the regulators can obtain the information they need without requesting that providers impermissibly disclose PSWP. HHS encourages such communication. Regulatory agencies and other entities requesting information of providers or PSOs are reminded that, subject to the limited exceptions set forth in the Patient Safety Act and Patient Safety Rule, PSWP is privileged and confidential, and it may not be used to satisfy external obligations. Therefore, such entities should not demand PSWP from providers or PSOs. Some requirements are clear and discrete, which makes it relatively easy for providers to understand what information is mandated, determine what additional information they want to prepare for reporting to a PSO, and to separate the two categories of information. Examples of clear and discrete requirements would include requirements for a provider to fill out a particular form or to provide a document containing specified data points. However, HHS is aware that some requirements are more ambiguous or broad, thus creating uncertainty about the information required to satisfy them. Particularly where laws or regulations may be vague, it is imperative that the regulators work with providers so that the regulators obtain the information they need, and that providers sufficiently understand what is required of them so that they can satisfy their obligations and voluntarily report additional information to a PSO. Where a variety of information could potentially satisfy an external obligation, and where a provider reports similar information to the PSO, the provider may find it helpful to document which information collection activities it does to fulfill its external requirements and which other activities it does in the PSES, to help ensure confidentiality and privilege of the PSWP. Later Developing Requirements As discussed above, providers should work with regulatory bodies and any other entities with which they have obligations to understand in advance the exact information they will need to satisfy their external obligations. That way, providers can plan ahead to create and maintain any information needed to fulfill their obligations separately from their PSES. However, even if providers and regulators cooperate fully, HHS is aware that situations could arise where a provider has collected information for reporting to the PSO and where the E:\FR\FM\24MYR1.SGM 24MYR1 mstockstill on DSK3G9T082PROD with RULES 32660 Federal Register / Vol. 81, No. 100 / Tuesday, May 24, 2016 / Rules and Regulations records at issue were not required by any external obligation at the time they were created, but where a regulator later seeks the same information as part of its oversight or investigatory responsibilities. The information at issue would be PSWP and would be privileged and confidential, but the provider may still have several options to satisfy its obligation. If the information is eligible for the drop out provision (including that the provider has not yet reported the information to a PSO), then the provider may follow the drop out provision discussed above to remove the information from its PSES and report or maintain the information outside of the PSES, to satisfy the regulator’s request. This information is no longer PSWP. If the provider has reported the information to a PSO or the information is otherwise not subject to the drop out provision, the Patient Safety Act and Patient Safety Rule provide several options that the provider may want to consider, which are discussed below. 1. Did the provider mistakenly enter information that is not PSWP into its PSES? The provider may want to first ensure that the information being requested meets the definition of PSWP. If the provider determines that the information now required is not PSWP (e.g., an original patient record was accidentally placed in the PSES), the provider can remove the information from its PSES. If the information does not meet the definition of PSWP, it is not privileged and confidential under the Patient Safety Act, and the Patient Safety Act places no limitations on the provider from further releasing it. If the information is not PSWP and the only copy of the information is in the PSO’s PSES (i.e., the provider did not retain a copy outside of or in its PSES), then the Patient Safety Act places no limitations on the PSO from releasing it back to the provider. 2. Is there a disclosure exception that may be used to permissibly disclose the PSWP? For example: • Can the provider obtain authorization from each identified provider to disclose the information, in accordance with 42 CFR 3.206(b)(3)? • Is the information subject to the disclosure permission to the FDA at 42 CFR 3.206(b)(7)? • Is the information being voluntarily disclosed to an accrediting body, pursuant to 42 CFR 3.206(b)(8)? While these disclosure permissions are available in the limited circumstances described in the Patient Safety Rule, relying upon a disclosure permission should not be a provider’s primary method to meet an external VerDate Sep<11>2014 17:11 May 23, 2016 Jkt 238001 obligation. As stated in the Preamble, with respect to the FDA disclosure permission, ‘‘However, we emphasize that, despite this disclosure permission, we expect that most reporting to the FDA and its regulated entities will be done with information that is not patient safety work product, as is done today. This disclosure permission is intended to allow for reporting to the FDA or FDA-regulated entity in those special cases where, only after an analysis of patient safety work product, does a provider realize it should make a report.’’ 43 44 HHS has the same expectation for other external obligations, as well. 3. Can the provider recreate the information or conduct an identical analysis from non-PSWP outside of the PSES? If a provider is instructed to compile specified information but the provider previously assembled such information within its PSES and reported it to a PSO, this does not prevent a provider from creating the requested information using non-PSWP. As indicated in the NPRM, ‘‘[t]hose who participated in the collection, development, analysis, or review of the missing information or have knowledge of its contents can fully disclose what they know . . .’’ 45 Similarly, although an analysis originally conducted in the PSES cannot become non-PSWP under the drop out provision, if a provider is informed that a certain analysis is needed to meet an external obligation, the Patient Safety Act indicates that a provider could conduct a new analysis with non-PSWP to satisfy this requirement, ‘‘regardless of whether such additional analysis involves issues identical to or similar to those for which information was reported to or assessed by’’ a PSO or PSES.46 Providers are reminded that they should exercise care to ensure that even if the information is not privileged and confidential under the Patient Safety Act or if a permissible disclosure of PSWP has been identified, the intended disclosure of the information is not impermissible under any other law (e.g., the HIPAA Privacy Rule.) 43 73 FR 70782, Nov. 21, 2008. publication of the Patient Safety Rule, HHS issued guidance on meeting mandatory reporting obligations to the FDA. See ‘‘Department of Health and Human Services Guidance Regarding Patient Safety Organizations’ Reporting Obligations and the Patient Safety and Quality Improvement Act of 2005’’ available at www.pso.ahrq.gov. 45 73 FR 8124, Oct. 5, 2007. 46 42 U.S.C. 299b–22(h). 44 Following PO 00000 Frm 00044 Fmt 4700 Sfmt 4700 Dated: May 19, 2016. Andrew Bindman, AHRQ Director. Jocelyn Samuels, Director, OCR. [FR Doc. 2016–12312 Filed 5–20–16; 5:15 pm] BILLING CODE 4160–90–P DEPARTMENT OF HOMELAND SECURITY Federal Emergency Management Agency 44 CFR Part 64 [Docket ID FEMA–2016–0002; Internal Agency Docket No. FEMA–8435] Suspension of Community Eligibility Federal Emergency Management Agency, DHS. ACTION: Final rule. AGENCY: This rule identifies communities where the sale of flood insurance has been authorized under the National Flood Insurance Program (NFIP) that are scheduled for suspension on the effective dates listed within this rule because of noncompliance with the floodplain management requirements of the program. If the Federal Emergency Management Agency (FEMA) receives documentation that the community has adopted the required floodplain management measures prior to the effective suspension date given in this rule, the suspension will not occur and a notice of this will be provided by publication in the Federal Register on a subsequent date. Also, information identifying the current participation status of a community can be obtained from FEMA’s Community Status Book (CSB). The CSB is available at https:// www.fema.gov/fema/csb.shtm. DATES: The effective date of each community’s scheduled suspension is the third date (‘‘Susp.’’) listed in the third column of the following tables. FOR FURTHER INFORMATION CONTACT: If you want to determine whether a particular community was suspended on the suspension date or for further information, contact Patricia Suber, Federal Insurance and Mitigation Administration, Federal Emergency Management Agency, 500 C Street SW., Washington, DC 20472, (202) 646–4149. SUPPLEMENTARY INFORMATION: The NFIP enables property owners to purchase Federal flood insurance that is not otherwise generally available from private insurers. In return, communities agree to adopt and administer local SUMMARY: E:\FR\FM\24MYR1.SGM 24MYR1

Agencies

[Federal Register Volume 81, Number 100 (Tuesday, May 24, 2016)]
[Rules and Regulations]
[Pages 32655-32660]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-12312]



[[Page 32655]]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Agency for Healthcare Research and Quality Office for Civil Rights

42 CFR Part 3


Patient Safety and Quality Improvement Act of 2005--HHS Guidance 
Regarding Patient Safety Work Product and Providers' External 
Obligations

AGENCY: Agency for Healthcare Research and Quality (AHRQ), Office for 
Civil Rights (OCR), Department of Health and Human Services (HHS).

ACTION: Guidance on Patient Safety and Quality Improvement Act of 2005.

-----------------------------------------------------------------------

SUMMARY: This guidance sets forth guidance for patient safety 
organizations (PSOs) and providers regarding questions that have arisen 
about the Patient Safety and Quality Improvement Act of 2005, 42 U.S.C. 
299b-21--b-26 (Patient Safety Act), and its implementing regulation, 
the Patient Safety and Quality Improvement Final Rule, 42 CFR part 3 
(Patient Safety Rule). In particular, this Patient Safety and Quality 
Improvement Act of 2005--Guidance Regarding Patient Safety Work Product 
and Providers' External Obligations (Guidance) is intended to clarify 
what information that a provider creates or assembles can become 
patient safety work product (PSWP) in response to recurring questions. 
This Guidance also clarifies how providers can satisfy external 
obligations related to information collection activities consistent 
with the Patient Safety Act and Patient Safety Rule.

DATES: The Guidance is effective on May 24, 2016.

ADDRESSES: The Guidance can be accessed electronically at the following 
HHS Web site: https://www.pso.ahrq.gov.

FOR FURTHER INFORMATION CONTACT: Susan Grinder, Center for Quality 
Improvement and Patient Safety, AHRQ, 5600 Fishers Lane, Mail Stop 
06N100B, Rockville, MD 20857; Telephone (301) 427-1327; Email: 
Susan.Grinder@AHRQ.hhs.gov.

SUPPLEMENTARY INFORMATION:

Background

    HHS issued the Patient Safety Rule to implement the Patient Safety 
Act. AHRQ administers the provisions of the Act and Rule relating to 
the listing and operation of PSOs. OCR, within HHS, is responsible for 
interpretation, administration and enforcement of the confidentiality 
protections and disclosure permissions of the Patient Safety Act and 
Patient Safety Rule.

HHS Approach to Patient Safety Act Interpretation

    The Patient Safety Act is part of a larger framework envisioned by 
the Institute of Medicine and designed to balance two goals: 1) To 
improve patient safety and reduce medical errors by creating a 
``culture of safety'' to share and learn from information related to 
patient safety events, and 2) to promote health care providers' 
accountability and transparency through mechanisms such as oversight by 
regulatory agencies and adjudication in the legal system. As discussed 
in ``To Err Is Human,'' in respect to reporting systems, ``they can 
hold providers accountable for performance or, alternatively, they can 
provide information that leads to improved safety. Conceptually, these 
purposes are not incompatible, but in reality, they can prove difficult 
to satisfy simultaneously.'' \1\
---------------------------------------------------------------------------

    \1\ Institute of Medicine, ``To Err Is Human: Building a Safer 
Health System'', 1999, page 86.
---------------------------------------------------------------------------

    The Patient Safety Act promotes the goal of improving patient 
safety and reducing medical errors by establishing a system in which 
health care providers can voluntarily collect and report information 
related to patient safety, health care quality, and health care 
outcomes to PSOs. The PSOs aggregate and analyze this information and 
give feedback to the providers to encourage learning and prevent future 
errors. The providers are motivated to report such information to PSOs 
because the Patient Safety Act provides broad privilege and 
confidentiality protections for information meeting the definition of 
PSWP, which alleviates concerns about such information being used 
against a provider, such as in litigation.
    At the same time, providers are subject to legitimate external 
obligations regarding certain records about patient safety to ensure 
their accountability and transparency. For example, the Centers for 
Medicare & Medicaid Services (CMS) Hospital Condition of Participation 
(CoP) for Quality Assessment and Performance Improvement require 
hospitals to track adverse patient events.\2\ State health care 
regulatory agencies typically have their own separate requirements for 
different types of providers, with more than half of the states 
operating adverse event reporting systems.\3\ The legal system provides 
another course to pursue accountability for medical errors. If a 
patient is injured while under a provider's care, the tort system 
offers an avenue to compensate the patient for his injury. However, 
while a successful medical malpractice claim may help compensate one 
patient for his specific injury, the general threat of litigation 
provides a disincentive to providers from voluntarily sharing 
information about their mistakes.
---------------------------------------------------------------------------

    \2\ 42 CFR 482.21(a)(2).
    \3\ As of November 2014, 26 states and the District of Columbia 
had adverse event reporting systems, and Texas began implementing a 
system in January 2015. National Academy for State Health Policy, 
``2014 Guide to State Adverse Event Reporting Systems'', 2015, page 
4. For example, Pennsylvania hospitals, ambulatory surgical 
facilities, birthing centers, nursing homes, and other facilities 
are required by various state laws to submit reports on ``serious 
events'' and ``incidents'' to the Pennsylvania Patient Safety 
Reporting System (``PA-PSRS''). Information submitted to PA-PSRS is 
confidential under state law. Patient Safety Authority, Pennsylvania 
Patient Safety Reporting System: PA-PSRS (Pennsylvania Patient 
Safety Reporting System), https://patientsafetyauthority.org/PA-PSRS/Pages/PAPSRS.aspx (last accessed Mar. 4, 2016). In Maine, 
``healthcare facilities,'' which includes hospitals, ambulatory 
surgical facilities, end-stage renal disease facilities, and 
intermediate care facilities for individuals who are intellectually 
disabled, are required to report ``sentinel events'' and root cause 
analyses of sentinel events to the Maine Department of Health and 
Human Services. The healthcare facilities may also voluntarily self-
report ``near miss events.'' Under state law, the reported 
information is confidential and privileged. See 10-144 C.M.R. Ch 
114, Rules Governing the Reporting of Sentinel Events. In addition 
or alternative to reporting requirements, some states require 
providers to maintain certain information. For example, Delaware 
requires certain facilities that perform invasive medical procedures 
to report adverse events to the Department of Health and Social 
Services within 48 business hours of the occurrence and also keep 
the adverse event reports ``on file at the facility for a minimum of 
five years.'' CDR 16-4000-4408 Sections 4.3, 4.4. In Kentucky, 
hospitals are required to ``establish[], maintain[], and utilize[]'' 
administrative reports, including incident investigation reports, 
``to guide the operation, measure productivity, and reflect the 
programs of the facility.'' 902 KAR 20:016 Section 3(3)(a).
---------------------------------------------------------------------------

    The intent of the system established by the Patient Safety Act is 
to protect the additional information created through voluntary patient 
safety activities, not to protect records created through providers' 
mandatory information collection activities.\4\ For example, a provider 
may have an external obligation to maintain certain records about 
serious adverse events that result in patient harm. The document the 
provider prepares to meet its requirement about such adverse events is 
not PSWP. As such, the Patient Safety Act recognizes the goal of 
accountability and transparency, and it attempts to balance this goal 
with that of improving patient safety and reducing medical errors. 
While Congress was aware of the chilling effect the fear

[[Page 32656]]

of being sued had on providers, the Patient Safety Act was not designed 
to prevent patients who believed they were harmed from obtaining the 
records about their care that they were able to obtain prior to the 
enactment of the Patient Safety Act.\5\ Nor was the Patient Safety Act 
intended to insulate providers from demonstrating accountability 
through fulfilling their external obligations.\6\ Therefore, when 
interpreting the Patient Safety Act and Patient Safety Rule, HHS does 
so with the objective of maintaining balance between these two policy 
goals, consistent with the intent of the Patient Safety Act.
---------------------------------------------------------------------------

    \4\ See e.g., 42 U.S.C. 299b-21(7)(B)(iii)(II), (III); 42 U.S.C. 
299b-22(g)(2), (5) (generally providing that the Patient Safety Act 
does not affect or limit providers' obligations to record or report 
information that is not PSWP to Federal, state, or local 
governmental agencies).
    \5\ ``It is not the intent of this legislation to establish a 
legal shield for information that is already currently collected or 
maintained separate from the new patient safety process, such as a 
patient's medical record. That is, information which is currently 
available to plaintiffs' attorneys or others will remain available 
just as it is today.'' 151 Cong. Rec. S8741 (daily ed. Jul. 22, 
2005) (statement of Mr. Enzi, then chairman of the Senate Health, 
Education, Labor, and Pensions Committee). ``Nor does this bill 
alter any existing rights or remedies available to injured patients. 
The bottom line is that this legislation neither strengthens nor 
weakens the existing system of tort and liability law.'' Id. 
(statement of Mr. Jeffords, who reintroduced S. 544, the bill that 
became the Patient Safety Act).
    \6\ ``This legislation does nothing to reduce or affect other 
Federal, State or local legal requirements pertaining to health 
related information.'' Id. (statement of Mr. Jeffords).
---------------------------------------------------------------------------

How Information Becomes PSWP

    Both the Notice of Proposed Rulemaking (NPRM) and the Preamble to 
the Patient Safety Rule (Preamble) discuss the definition of PSWP and 
provide examples of what information would and would not meet the 
definition.\7\ Because there continues to be confusion about this 
definition, the prior discussion will be reiterated and further 
clarified here. The definition of PSWP sets forth three basic ways that 
certain information can become PSWP: (1) The information is prepared by 
a provider for reporting to a PSO and it is reported to the PSO, (2) 
the information is developed by a PSO for the conduct of patient safety 
activities,\8\ or, (3) the information identifies or constitutes the 
deliberations or analysis of, or identifies the fact of reporting 
pursuant to, a patient safety evaluation system (PSES).\9\ The first 
way--sometimes referred to as the ``reporting pathway''--is how 
providers generally create most of their PSWP. According to the Patient 
Safety Act, in order for information to become PSWP through the 
reporting pathway, it must be information that could improve patient 
safety, health care quality, or health care outcomes and be assembled 
or developed by a provider for reporting to a PSO and be reported to a 
PSO. Another way of saying that the information is assembled or 
developed for reporting to a PSO is that the information is prepared 
for the purpose of reporting it to the PSO.\10\ Under the Patient 
Safety Rule, the reporting pathway allows for information that is 
documented as collected within the provider's PSES to be PSWP and thus 
privileged and confidential before it is reported to a PSO. As 
explained in the Preamble, this interpretation addresses the concerns 
of significant administrative burden and an indiscriminate race to 
report information to the PSO if information only became protected 
after it was reported to a PSO.\11\ Nevertheless, a provider should 
only place information in its PSES if it intends to report that 
information to the PSO.\12\
---------------------------------------------------------------------------

    \7\ 73 FR 8120-24, Oct. 5, 2007; 73 FR 70739-44, Nov. 21, 2008.
    \8\ This guidance does not otherwise address the creation of 
PSWP through development by a PSO. Because external regulatory and 
oversight reporting obligations are requirements of providers, this 
guidance does not apply to information developed by a PSO for the 
conduct of patient safety activities.
    \9\ 42 U.S.C. 299b-21(7)(A); 42 CFR 3.20 (paragraph (1) of the 
definition of PSWP). Patient safety evaluation system ``means the 
collection, management, or analysis of information for reporting to 
or by a PSO.'' 42 U.S.C. 299b-21(6); 42 CFR 3.20.
    \10\ See 73 FR 70739, Nov. 21, 2008 (``information may become 
patient safety work product if it is assembled or developed by a 
provider for the purpose of reporting to a PSO and is reported to a 
PSO'').
    \11\ See 73 FR 70741-42, Nov. 21, 2008.
    \12\ Id. (``We note, however, that a provider should not place 
information into its patient safety evaluation system unless it 
intends for that information to be reported to the PSO.'').
---------------------------------------------------------------------------

Information That Is Not PSWP

    The definition of PSWP also describes information that is not PSWP. 
Specifically excluded from the definition of PSWP is, ``a patient's 
medical record, billing and discharge information, or any other 
original patient or provider information.'' \13\ The Patient Safety Act 
and Rule also exclude from the PSWP definition ``information that is 
collected, maintained, or developed separately, or exists separately, 
from a patient safety evaluation system.'' \14\ Put another way, 
information prepared for purposes other than reporting to a PSO is not 
PSWP under the reporting pathway.\15\
---------------------------------------------------------------------------

    \13\ 42 CFR 3.20 (paragraph (2)(i) of the PSWP definition). The 
Patient Safety Act, at U.S.C. 299b-21(7)(B)(i), refers to ``original 
patient or provider record[s],'' but the use of ``original patient 
or provider information'' in the regulation is intended to be 
synonymous with the use of ``original patient or provider record'' 
in the statute.
    \14\ 42 U.S.C. 299b-21(7)(B)(ii); 42 CFR 3.20 (paragraph (2)(i) 
of the PSWP definition).
    \15\ See 73 FR 70740, Nov. 21, 2008 (``Patient safety work 
product does not include information that is collected, maintained, 
or developed separately or exists separately from, a patient safety 
evaluation system. This distinction is made because these and 
similar records must be maintained by providers for other 
purposes.'').
---------------------------------------------------------------------------

    Within the category of information prepared for a purpose other 
than reporting to a PSO, information that is prepared for external 
obligations has generated many questions. External obligations include, 
but are not limited to, mandatory requirements placed upon providers by 
Federal and state health regulatory agencies.\16\ Both the NPRM and 
Preamble clearly state that PSWP cannot be used to satisfy such 
external obligations. ``As the Patient Safety Act states more than 
once, these external obligations must be met with information that is 
not patient safety work product, and, in accordance with the 
confidentiality provisions, patient safety work product cannot be 
disclosed for these purposes.'' \17\ In the Preamble, HHS repeatedly 
stated that PSWP cannot be used to fulfill external obligations.\18\
---------------------------------------------------------------------------

    \16\ Some examples of external obligations include: state 
incident reporting, adverse drug event reporting to the Food and 
Drug Administration (FDA), certification or licensing recordkeeping, 
reporting to the National Practitioner Data Bank, and disclosing 
information to comply with CMS' CoPs or conditions for coverage. 73 
FR 8123, Oct. 5, 2007.
    \17\ 73 FR 8123, Oct. 5, 2007.
    \18\ See e.g., 73 FR 70740, Nov. 21, 2008 (``. . . external 
reporting obligations as well as voluntary reporting activities that 
occur for the purpose of maintaining accountability in the health 
care system cannot be satisfied with patient safety work 
product.''), 70742 (``These external obligations must be met with 
information that is not patient safety work product and oversight 
entities continue to have access to this original information in the 
same manner as such entities have had access prior to the passage of 
the Patient Safety Act.''), 70743 (``The final rule is clear that 
providers must comply with applicable regulatory requirements and 
that the protection of information as patient safety work product 
does not relieve a provider of any obligation to maintain 
information separately.'').
---------------------------------------------------------------------------

Purpose for Which the Information Was Assembled or Developed

    As such, uncovering the purpose for which information is prepared 
can be a critical factor in determining whether the information is 
PSWP. Since some types of information can be PSWP or not depending upon 
why the information was assembled or developed, it is important for 
providers to be aware of whether information is prepared for reporting 
to a PSO. The chart below includes some examples.
---------------------------------------------------------------------------

    \19\ See CMS Pub. 100-07, State Operations Manual, Appendix A, 
Transmittal 37, page 275 (Oct. 17, 2008) (in providing 
interpretative guidance on compliance with 42 CFR 482.41(c)(2), 
stating that survey procedures include reviewing maintenance logs 
for significant medical equipment).
    \20\ As an example, 42 U.S.C. 1395cc(a)(1)(I)(iii) requires 
hospitals to maintain an on-call list of physicians available to 
provide treatment related to individuals with emergency medical 
conditions.
    \21\ Of note, while a written report of the patient safety 
incident prepared for reporting to a PSO may be PSWP, individuals 
who witnessed the event could still potentially disclose or testify 
about what they observed.
    \22\ There are various requirements regarding what information 
is required to be in the medical record. For example, CMS' Hospital 
CoP for medical record services includes that a hospital's medical 
record, ``must contain information to justify admission and 
continued hospitalization, support the diagnosis, and describe the 
patient's progress and response to medication and services.'' 42 CFR 
482.24(c).

[[Page 32657]]



------------------------------------------------------------------------
                                                      Could be PSWP if
                                                     information is not
                                                    required for another
      Type of information          Not PSWP if         purpose and is
                                  prepared . . .    prepared solely for
                                                    reporting to a PSO,
                                                     for example . . .
------------------------------------------------------------------------
Information related to the      For upkeep of      Following a patient
 functioning of medical          equipment (e.g.,   incident, a provider
 equipment.                      original           develops information
                                 equipment          about possible
                                 maintenance        equipment
                                 logs), to          malfunctions for
                                 maintain a         reporting to a PSO.
                                 warranty, or for   The PSO can
                                 an external        aggregate it with
                                 obligation         other rare events
                                 (e.g., CMS         from other reporting
                                 requires some      providers to
                                 equipment logs     identify risks and
                                 \19\).             hazards.
A list of provider staff who    To ensure          Following the
 were present at the time a      appropriate        incident, a provider
 patient incident occurred.      levels of          originally assembles
                                 clinician          the list for
                                 availability       reporting to a PSO
                                 (e.g., routine     so the PSO can
                                 personnel          analyze the levels
                                 schedules), or     and types of staff
                                 for compliance     involved in
                                 purposes \20\.     medication errors.
Written reports \21\ of         For internal risk  The provider
 witness accounts of what they   management         originally prepares
 observed at the time of a       (claims and        the written reports
 patient incident.               liability          for reporting to the
                                 purposes).         PSO so that the
                                                    richness of the
                                                    narrative can be
                                                    mined for
                                                    contributing
                                                    factors.
Information related to care or  As part of the     The provider
 treatment provided to the       patient's          documents all
 patient.                        original medical   patient allergic
                                 record \22\.       reactions in the
                                                    medical record then
                                                    prepares a list of
                                                    patients that have
                                                    exhibited the
                                                    reaction to
                                                    determine if newly-
                                                    instituted
                                                    procedures for
                                                    reducing risk were
                                                    followed
                                                    specifically for the
                                                    PSO. The list of
                                                    patients exhibiting
                                                    the reaction
                                                    prepared for
                                                    reporting to the PSO
                                                    could be PSWP, but
                                                    the original patient
                                                    medical records
                                                    would not.
------------------------------------------------------------------------

Meeting External Obligations

The Patient Safety Act Does Not Relieve a Provider From Its External 
Obligations

    As discussed above, the Patient Safety Act does not permit 
providers to use the privilege and confidentiality protections for PSWP 
to shield records required by external recordkeeping or reporting 
requirements. To this end, the Patient Safety Act specifically states 
that it shall not limit the reporting of non-PSWP ``to a Federal, 
State, or local governmental agency for public health surveillance, 
investigation, or other public health purposes or health oversight 
purposes'' or a provider's recordkeeping obligations under Federal, 
State, or local law.\23\ It further reinforces that the statute shall 
not be construed ``to limit, alter or affect the requirements of 
Federal, State, or local law pertaining to information that is not'' 
PSWP or ``as preempting or otherwise affecting any State law requiring 
a provider to report information that is not'' PSWP.\24\ The NPRM 
explains that ``the statute is quite specific that these protections do 
not relieve a provider from its obligation to comply with other legal, 
regulatory, accreditation, licensure, or other accountability 
requirements that it would otherwise need to meet.'' \25\ It adds that 
the protected system established by the Patient Safety Act, ``resides 
alongside but does not replace other information collection activities 
mandated by laws, regulations, and accrediting and licensing 
requirements as well as voluntary reporting activities that occur for 
the purpose of maintaining accountability in the health care system.'' 
\26\ As further stated in the Preamble, ``nothing in the final rule or 
the statute relieves a provider from his or her obligation to disclose 
information from such original records or other information that is not 
patient safety work product to comply with state reporting or other 
laws.'' \27\
---------------------------------------------------------------------------

    \23\ 42 U.S.C. 299b-21(7)(B)(iii).
    \24\ 42 U.S.C. 299b-22(g).
    \25\ 73 FR 8124, Oct. 5, 2007.
    \26\ Id.
    \27\ 73 FR 70786, Nov. 21, 2008.
---------------------------------------------------------------------------

    HHS reiterates that any external reporting or recordkeeping 
obligations--whether they require a provider to report certain 
information, maintain specific records, or operate a separate system--
cannot be met with PSWP. We also clarify that any information that is 
prepared to meet any Federal, state, or local health oversight agency 
requirements is not PSWP. As discussed above, the Patient Safety Act 
was intended to spur the development of additional information created 
through voluntary patient safety activities and to provide privilege 
and confidentiality protections for such new information. It was not 
intended to protect records generated or maintained as part of 
providers' existing mandatory information collection activities.\28\ As 
stated in the Preamble, ``The Department does not believe that the 
patient safety evaluation system enables providers to avoid 
transparency. . . . [T]he Patient Safety Act and the final rule have 
carefully assured that information generally available today remains 
available, such as medical records, original provider documents, and 
business records.'' \29\
---------------------------------------------------------------------------

    \28\ See 73 FR 70742, Nov. 21, 2008 (``Even when laws or 
regulations require the reporting of information regarding the type 
of events also reported to PSOs, the Patient Safety Act does not 
shield providers from their obligation to comply with such 
requirements.'').
    \29\ 73 FR 70739, Nov. 21, 2008.
---------------------------------------------------------------------------

    HHS believes that most providers that engage with a PSO are doing 
so to further learning about patient safety and health care quality, 
consistent with the intent of the Patient Safety Act. Nevertheless, we 
are concerned about two ways that some providers may be attempting to 
misuse the Patient Safety Act protections to avoid their external 
obligations--in particular, to circumvent Federal or state regulatory 
obligations. First, some providers with recordkeeping or record 
maintenance requirements appear to be maintaining the required records 
only in their PSES and then refusing to disclose the records, asserting 
that the records in their PSES fulfill the applicable regulatory 
requirements while at the same time maintaining that the records are 
privileged and confidential PSWP. Second, some providers appear to 
develop records to meet external obligations outside of the PSES, place 
a duplicate copy of the required record into the PSES, then destroy the 
original

[[Page 32658]]

outside of the PSES and refuse to disclose the remaining copy of the 
information, asserting that the copy is confidential and privileged 
PSWP. The Patient Safety Act was not intended to give providers such 
methods to evade their regulatory obligations. Here, we clarify HHS' 
interpretation of how the Patient Safety Act prohibits providers from 
using the PSES to protect from disclosure records subject to such 
external obligations.

Original Patient and Provider Records

    As stated in the Patient Safety Act and Patient Safety Rule, 
original patient and provider records, such as a patient's medical 
record, billing information, and discharge information, are not 
PSWP.\30\ We now provide further clarification regarding what 
constitutes other types of original provider records. HHS interprets 
``original provider records'' to include: (1) Original records (e.g., 
reports or documents) that are required of a provider to meet any 
Federal, state, or local public health or health oversight requirement 
regardless of whether such records are maintained inside or outside of 
the provider's PSES; and (2) copies of records residing within the 
provider's PSES that were prepared to satisfy a Federal, state, or 
local public health or health oversight record maintenance requirement, 
if while the provider is obligated to maintain such information, the 
information is only maintained by the provider within the PSES (e.g., 
if the records or documents that were being maintained outside the PSES 
to fulfill the external obligation were lost or destroyed).\31\ This 
interpretation is consistent with Congressional intent in enacting the 
Patient Safety Act, the text of the statute and the regulation, and 
HHS' prior interpretation found in the NPRM and Preamble, all discussed 
above, supporting that the Patient Safety Act does not allow providers 
to be shielded from their external obligations.\32\
---------------------------------------------------------------------------

    \30\ 42 U.S.C. 299b-21(7)(B)(i).
    \31\ If an original provider record is destroyed and the same 
information is maintained within the PSES, a provider may remove the 
original record from the PSES for the purpose of maintaining the 
information outside of the PSES.
    \32\ This interpretation of ``original provider records'' has 
developed, in part, due to new information about some providers' 
apparent attempts to avoid compliance with their external 
obligations, as discussed above, which has come to the attention of 
HHS since we initially developed the Patient Safety Act's 
implementing regulation. While broadly consistent with prior HHS 
interpretation that the Patient Safety Act does not provide a way 
for providers to evade their external obligations, HHS acknowledges 
that one aspect of this interpretation is different from that 
previously expressed, with respect to whether copies of non-PSWP in 
the PSES remain privileged and confidential PSWP if the original 
provider record outside of the PSES is unavailable. See e.g., 73 FR 
8124, Oct. 5, 2007 (indicating a copy in the PSES is protected and 
may not be disclosed when the original record outside of the PSES is 
unavailable).
---------------------------------------------------------------------------

    To further illustrate what information HHS would consider to be 
original provider records versus information that could be eligible to 
be PSWP, consider the following hypothetical examples in scenarios 
where a provider maintains specific forms regarding adverse events in 
order to satisfy a federal or state law obligation.
    1. The provider only maintains the forms outside of the PSES: The 
forms are not PSWP. They are not PSWP both because they are an original 
provider record and because they are maintained separately from the 
PSES.
    2. The provider maintains the original forms outside of the PSES 
and places duplicate copies in the PSES for reporting to the PSO, so 
that further analysis using information in the forms can be conducted: 
The forms outside of the PSES are not PSWP, for the reasons indicated 
above. The copies in the PSES would be PSWP, provided that: (1) The 
information otherwise meets the definition of PSWP and (2) the original 
forms continue to be maintained by the provider outside of the 
PSES.\33\ If, while the provider is required to maintain the forms, the 
forms outside of the PSES become unavailable (e.g., they are lost or 
destroyed), the duplicate copies of the forms in the provider's PSES 
will be ``original provider records'' that are no longer privileged and 
confidential PSWP so long as no duplicate copies of the forms are 
maintained outside of the PSES by the provider.\34\
---------------------------------------------------------------------------

    \33\ See 73 FR 70743, Nov. 21, 2008 (``Because information 
contained in these original records may be valuable to the analysis 
of a patient safety event, the important information must be allowed 
to be incorporated into the patient safety work product. However, 
the original information must be kept and maintained separately to 
preserve the original records for their intended purposes.'').
    \34\ The circumstances in which information from a provider's 
PSES would not be protected as PSWP in this example are consistent 
with the statute's text that states a PSO shall not be compelled to 
disclose information--unless such information is: Identified, not 
PSWP, and not reasonably available from another source. See 42 
U.S.C. 299b-22(d)(4)(A)(i).
---------------------------------------------------------------------------

    3. The provider only maintains the original forms in the PSES: The 
forms are original provider records and not privileged and confidential 
PSWP. We note that it would be improper to maintain records collected 
for external reporting purposes solely within a PSES because this 
scenario would be a misuse of a PSES.
    4. The provider maintains the forms outside of the PSES and within 
the PSES extracts information from the forms to conduct further 
analysis: The forms outside of the PSES are not PSWP, for the reasons 
indicated above. The analysis conducted inside the PSES, including the 
information extracted from the forms, is PSWP.
    This clarification should not create problems for providers who 
have appropriately created and retained the original records required 
to satisfy their external obligations outside of a PSES. Those original 
records would be available to meet any external reporting requirements 
or needs.\35\ In an effort to ensure that there is no need to obtain 
the copies that exist in the PSES for other purposes, providers should 
establish a mechanism to indicate where the original records can be 
located. Additionally, providers should exercise extreme caution before 
destroying any original records maintained outside of the PSES. A 
provider that destroys the original source documents upon which PSWP is 
based is not relieved of its obligations or any applicable consequences 
that may be imposed by other regulators if they fail to maintain the 
original records.
---------------------------------------------------------------------------

    \35\ We note that this section focuses on requirements to 
maintain forms in an available fashion. To the extent an obligation 
only requires reporting and is fully satisfied after that reporting, 
a provider has fulfilled the reporting requirement, and the provider 
has no ongoing requirement to maintain the reported information, the 
subsequent collection of a form in the PSES and reporting to a PSO 
would protect the later form as PSWP because the external obligation 
has been fully satisfied.
---------------------------------------------------------------------------

Copies of PSWP

    To be clear, the above discussion of copies relates to information 
that begins as non-PSWP (i.e., original patient or provider records 
and/or information that was collected, maintained, developed, or exists 
separately from the PSES). Consistent with the Patient Safety Rule's 
definition of PSWP, copies of information initially prepared as PSWP 
within the PSES are PSWP.\36\ For example, if a provider originally 
develops information to improve patient safety in its PSES solely for 
reporting to the PSO, that information is PSWP. If the provider then 
makes a copy of this information for the PSO and retains another copy 
of it in its PSES, both the copy of the information disclosed to the 
PSO and the copy maintained in the provider's PSES are PSWP, and thus 
privileged and confidential under the Patient Safety Rule.
---------------------------------------------------------------------------

    \36\ 42 CFR 3.20 (paragraph (1) of the PSWP definition) 
(``Except as provided in paragraph (2) of this definition, patient 
safety work product means any . . . [information] . . . (or copies 
of any of this material) . . . .'').

---------------------------------------------------------------------------

[[Page 32659]]

Separate Systems

    It has come to HHS' attention that the discussion in the Preamble 
regarding whether providers need to maintain multiple systems may have 
caused some confusion. Some commenters on the NPRM expressed concern 
that providers would need to maintain two duplicate systems: One PSES 
for information that the provider assembles or develops for reporting 
to a PSO and a second system containing the same information if the 
provider is unsure at the time the information is prepared for 
reporting to the PSO whether that information may be required in the 
future to fulfill a state law obligation. In response to this concern, 
the Preamble discusses a way that the Patient Safety Rule allows for 
information that was PSWP to no longer be PSWP.\37\ This process, 
sometimes referred to as the ``drop out'' provision, provides that PSWP 
``assembled or developed by a provider for reporting to a PSO may be 
removed from'' a PSES and no longer be considered PSWP if: ``[t]he 
information has not yet been reported to a PSO'' and ``[t]he provider 
documents the act and date of removal of such information from the'' 
PSES.\38\ Once removed from the PSES following this procedure, the 
information could be used for other purposes, such as to meet state law 
obligations.
---------------------------------------------------------------------------

    \37\ See e.g., 73 FR 70742, Nov. 21, 2008.
    \38\ 42 CFR 3.20(2)(ii).
---------------------------------------------------------------------------

    As indicated above, the drop out provision is intended as a safety 
valve for providers who are unsure at the time that information is 
being prepared for reporting to the PSO whether similar information 
would, at a later time, be needed for an external obligation. It 
provides some flexibility for providers as they work through their 
various external obligations, as information assembled or developed for 
reporting to the PSO can reside as PSWP within the provider's PSES 
until the provider makes a future determination as to whether that 
information must be used to meet an external obligation.\39\ It is 
intended to be used on a case-by-case basis. Under the drop out 
provision, if the provider later determines the information within its 
PSES that had originally been assembled or developed for reporting to a 
PSO will be instead used for an external obligation, it is removed from 
the PSES and is no longer PSWP. This means it is no longer privileged 
or confidential under the Patient Safety Act and Patient Safety 
Rule.\40\ If the provider instead decides to report the information to 
a PSO, the information remains PSWP (so long as it meets the 
requirements for being PSWP, including that it is not an original 
patient or provider record) and cannot be permissibly disclosed for any 
reason, except in accordance with the disclosure permissions described 
in the Patient Safety Act and Patient Safety Rule.\41\ The Preamble 
thus explains how the drop out provision eliminates the need for a 
provider to maintain two systems with duplicate information: A PSES 
containing PSWP and a separate system containing any of that same 
information where the provider has yet to determine whether it will be 
needed in the future for another purpose.
---------------------------------------------------------------------------

    \39\ See 73 FR 70742, Nov. 21, 2008 (Referring to the 
documentation of date and purpose of collection within a PSES, 
``(p)roviders have the flexibility to protect this information as 
patient safety work product within their patient safety evaluation 
system while they consider whether the information is needed to meet 
external reporting obligations. Information can be removed from the 
patient safety evaluation system before it is reported to a PSO to 
fulfill external reporting obligations.'').
    \40\ Id. (``Once the information is removed, it is no longer 
patient safety work product and is no longer subject to the 
confidentiality provisions.'').
    \41\ 42 U.S.C. 299b-22(c); 42 CFR 3.204(b), 3.206(b).
---------------------------------------------------------------------------

    Nevertheless, we reemphasize that where records are mandated by a 
Federal or State law requirement or other external obligation, they are 
not PSWP. Thus, a provider should maintain at least two systems or 
spaces: A PSES for PSWP and a separate place where it maintains records 
for external obligations.\42\ As discussed above, the Patient Safety 
Act encourages providers to prepare, analyze, and share information 
beyond what they are mandated to do. As such, it is expected that most 
of the information in a PSES would be originally created by providers 
as part of their voluntary participation with a PSO.
---------------------------------------------------------------------------

    \42\ ``The Patient Safety Act establishes a protected space or 
system that is separate, distinct, and resides alongside but does 
not replace other information collection activities . . . .'' 73 FR 
70742, Nov. 21, 2008; see also 73 FR 8124, Oct. 5, 2007.
---------------------------------------------------------------------------

Shared Responsibility

    As described above, the protected system established under the 
Patient Safety Act works in concert with the external obligations of 
providers to ensure accountability and transparency while encouraging 
the improvement of patient safety and reduction of medical errors 
through a culture of safety. It is the provider's ultimate 
responsibility to understand what information is required to meet all 
of its external obligations. If a provider is uncertain what 
information is required of it to fulfill an external obligation, the 
provider should reach out to the external entity to clarify the 
requirement. HHS has heard anecdotal reports of providers, PSOs, and 
regulators working together to ensure that the regulators can obtain 
the information they need without requesting that providers 
impermissibly disclose PSWP. HHS encourages such communication. 
Regulatory agencies and other entities requesting information of 
providers or PSOs are reminded that, subject to the limited exceptions 
set forth in the Patient Safety Act and Patient Safety Rule, PSWP is 
privileged and confidential, and it may not be used to satisfy external 
obligations. Therefore, such entities should not demand PSWP from 
providers or PSOs.
    Some requirements are clear and discrete, which makes it relatively 
easy for providers to understand what information is mandated, 
determine what additional information they want to prepare for 
reporting to a PSO, and to separate the two categories of information. 
Examples of clear and discrete requirements would include requirements 
for a provider to fill out a particular form or to provide a document 
containing specified data points. However, HHS is aware that some 
requirements are more ambiguous or broad, thus creating uncertainty 
about the information required to satisfy them. Particularly where laws 
or regulations may be vague, it is imperative that the regulators work 
with providers so that the regulators obtain the information they need, 
and that providers sufficiently understand what is required of them so 
that they can satisfy their obligations and voluntarily report 
additional information to a PSO. Where a variety of information could 
potentially satisfy an external obligation, and where a provider 
reports similar information to the PSO, the provider may find it 
helpful to document which information collection activities it does to 
fulfill its external requirements and which other activities it does in 
the PSES, to help ensure confidentiality and privilege of the PSWP.

Later Developing Requirements

    As discussed above, providers should work with regulatory bodies 
and any other entities with which they have obligations to understand 
in advance the exact information they will need to satisfy their 
external obligations. That way, providers can plan ahead to create and 
maintain any information needed to fulfill their obligations separately 
from their PSES. However, even if providers and regulators cooperate 
fully, HHS is aware that situations could arise where a provider has 
collected information for reporting to the PSO and where the

[[Page 32660]]

records at issue were not required by any external obligation at the 
time they were created, but where a regulator later seeks the same 
information as part of its oversight or investigatory responsibilities. 
The information at issue would be PSWP and would be privileged and 
confidential, but the provider may still have several options to 
satisfy its obligation. If the information is eligible for the drop out 
provision (including that the provider has not yet reported the 
information to a PSO), then the provider may follow the drop out 
provision discussed above to remove the information from its PSES and 
report or maintain the information outside of the PSES, to satisfy the 
regulator's request. This information is no longer PSWP. If the 
provider has reported the information to a PSO or the information is 
otherwise not subject to the drop out provision, the Patient Safety Act 
and Patient Safety Rule provide several options that the provider may 
want to consider, which are discussed below.
    1. Did the provider mistakenly enter information that is not PSWP 
into its PSES? The provider may want to first ensure that the 
information being requested meets the definition of PSWP. If the 
provider determines that the information now required is not PSWP 
(e.g., an original patient record was accidentally placed in the PSES), 
the provider can remove the information from its PSES. If the 
information does not meet the definition of PSWP, it is not privileged 
and confidential under the Patient Safety Act, and the Patient Safety 
Act places no limitations on the provider from further releasing it. If 
the information is not PSWP and the only copy of the information is in 
the PSO's PSES (i.e., the provider did not retain a copy outside of or 
in its PSES), then the Patient Safety Act places no limitations on the 
PSO from releasing it back to the provider.
    2. Is there a disclosure exception that may be used to permissibly 
disclose the PSWP? For example:
     Can the provider obtain authorization from each identified 
provider to disclose the information, in accordance with 42 CFR 
3.206(b)(3)?
     Is the information subject to the disclosure permission to 
the FDA at 42 CFR 3.206(b)(7)?
     Is the information being voluntarily disclosed to an 
accrediting body, pursuant to 42 CFR 3.206(b)(8)?
    While these disclosure permissions are available in the limited 
circumstances described in the Patient Safety Rule, relying upon a 
disclosure permission should not be a provider's primary method to meet 
an external obligation. As stated in the Preamble, with respect to the 
FDA disclosure permission, ``However, we emphasize that, despite this 
disclosure permission, we expect that most reporting to the FDA and its 
regulated entities will be done with information that is not patient 
safety work product, as is done today. This disclosure permission is 
intended to allow for reporting to the FDA or FDA-regulated entity in 
those special cases where, only after an analysis of patient safety 
work product, does a provider realize it should make a report.'' 
43 44 HHS has the same expectation for other external 
obligations, as well.
---------------------------------------------------------------------------

    \43\ 73 FR 70782, Nov. 21, 2008.
    \44\ Following publication of the Patient Safety Rule, HHS 
issued guidance on meeting mandatory reporting obligations to the 
FDA. See ``Department of Health and Human Services Guidance 
Regarding Patient Safety Organizations' Reporting Obligations and 
the Patient Safety and Quality Improvement Act of 2005'' available 
at www.pso.ahrq.gov.
---------------------------------------------------------------------------

    3. Can the provider recreate the information or conduct an 
identical analysis from non-PSWP outside of the PSES? If a provider is 
instructed to compile specified information but the provider previously 
assembled such information within its PSES and reported it to a PSO, 
this does not prevent a provider from creating the requested 
information using non-PSWP. As indicated in the NPRM, ``[t]hose who 
participated in the collection, development, analysis, or review of the 
missing information or have knowledge of its contents can fully 
disclose what they know . . .'' \45\ Similarly, although an analysis 
originally conducted in the PSES cannot become non-PSWP under the drop 
out provision, if a provider is informed that a certain analysis is 
needed to meet an external obligation, the Patient Safety Act indicates 
that a provider could conduct a new analysis with non-PSWP to satisfy 
this requirement, ``regardless of whether such additional analysis 
involves issues identical to or similar to those for which information 
was reported to or assessed by'' a PSO or PSES.\46\
---------------------------------------------------------------------------

    \45\ 73 FR 8124, Oct. 5, 2007.
    \46\ 42 U.S.C. 299b-22(h).
---------------------------------------------------------------------------

    Providers are reminded that they should exercise care to ensure 
that even if the information is not privileged and confidential under 
the Patient Safety Act or if a permissible disclosure of PSWP has been 
identified, the intended disclosure of the information is not 
impermissible under any other law (e.g., the HIPAA Privacy Rule.)

    Dated: May 19, 2016.
Andrew Bindman,
AHRQ Director.
Jocelyn Samuels,
Director, OCR.
[FR Doc. 2016-12312 Filed 5-20-16; 5:15 pm]
 BILLING CODE 4160-90-P
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.