Federal Register: November 21, 2008 (Volume 73, Number 226)
DOCID: fr21no08-16 FR Doc E8-27475
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Western Area Power Administration
CFR Citation: 42 CFR Part 3
RIN ID: RIN 0919-AA01
NOTICE: Part III
DOCID: fr21no08-16
DOCUMENT ACTION: Final rule.
SUBJECT CATEGORY:
Patient Safety and Quality Improvement
DATES: The final rule is effective on January 19, 2009.
DOCUMENT SUMMARY:
The Secretary of Health and Human Services is adopting rules to implement certain aspects of the Patient Safety and Quality Improvement Act of 2005, Pub. L. 10941, 42 U.S.C. 299b21b26 (Patient Safety Act). The final rule establishes a framework by which hospitals, doctors, and other health care providers may voluntarily report information to Patient Safety Organizations (PSOs), on a privileged and confidential basis, for the aggregation and analysis of patient safety events.
The final rule outlines the requirements that entities must meet to become PSOs and the processes by which the Secretary will review and accept certifications and list PSOs. It also describes the privilege and confidentiality protections for the information that is assembled and developed by providers and PSOs, the exceptions to these privilege and confidentiality protections, and the procedures for the imposition of civil money penalties for the knowing or reckless impermissible disclosure of patient safety work product.
SUMMARY:
Health and Human Services Department,
SUPPLEMENTAL INFORMATION
On February 12, 2008, the Department of Health and Human Services (HHS) published a Notice of Proposed Rulemaking (proposed rule) at 73 FR 8112 proposing to implement the Patient Safety Act. The comment period closed on April 14, 2008. One hundredsixtyone comments were received during the comment period. I. Background
Statutory Background
This final rule establishes the authorities, processes, and rules
necessary to implement the Patient Safety Act that amended the Public
Health Service Act (42 U.S.C. 299 et seq.) by inserting new sections
921 through 926, 42 U.S.C. 299b21 through 299b26.\1\ The Patient
Safety Act focuses on creating a voluntary program through which health
care providers can share information relating to patient safety events
with PSOs, with the aim of improving patient safety and the quality of
care nationwide. The statute attaches privilege and confidentiality
protections to this information, termed ``patient safety work
product,'' to encourage providers to share this information without
fear of liability and creates PSOs to receive this protected
information and analyze patient safety events. These protections will
enable all health care providers, including multifacility health care
systems, to share data within a protected legal environment, both
within and across states, without the threat that the information will be used against the subject providers.
\1\ All citations to provisions in the Patient Safety Act will
be to the sections in the Public Health Service Act or to its location in the U.S. Code.
However, we note that section 922(g)(2) of the Public Health Service Act is quite specific that these protections do not relieve a provider from its obligation to comply with other Federal, State, or local laws pertaining to information that is not privileged or confidential under the Patient Safety Act: section 922(g)(5) of the Public Health Service Act states that the Patient Safety Act does not affect any State law requiring a provider to report information that is not patient safety work product. The fact that information is collected, developed, or analyzed under the protections of the Patient Safety Act does not shield a provider from needing to undertake similar activities, if applicable, outside the ambit of the statute, so that the provider can meet its obligations with nonpatient safety work product. The Patient Safety Act, while precluding other organizations and entities from requiring providers to provide them with patient safety work product, recognizes that the original records underlying patient safety work product remain available in most instances for the providers to meet these other reporting requirements.
We note also that the Patient Safety Act references the Standards
for the Privacy of Individually Identifiable Health Information under
the Health Insurance Portability and Accountability Act of 1996 (HIPAA
Privacy Rule), 45 CFR parts 160 and 164. Many health care providers
participating in this program will be covered entities under the HIPAA
Privacy Rule and will be required to comply with the HIPAA Privacy Rule
when they disclose patient safety work product that contains protected
health information. The Patient Safety Act is clear that it is not
intended to interfere with the implementation of any provision of the
HIPAA Privacy Rule. See 42 U.S.C. 299b22(g)(3). The statute also
provides that civil money penalties cannot be imposed under both the
Patient Safety Act and the HIPAA Privacy Rule for a single violation.
See 42 U.S.C. 299b22(f). In addition, the statute states that PSOs
shall be treated as business associates, and patient safety activities
are deemed to be health care operations under the HIPAA Privacy Rule.
See 42 U.S.C. 299b and 29922(i). Since patient safety activities are
deemed to be health care operations, the HIPAA Privacy Rule does not
require covered providers to obtain patient authorizations to disclose
patient safety work product containing protected health information to
PSOs. Additionally, as business associates of providers, PSOs must
abide by the terms of their HIPAA business associate contracts, which
require them to notify the provider of any impermissible use or
disclosure of the protected health information of which they are aware. See 45 CFR 164.504(e)(2)(ii)(C).
II. Overview of the Proposed and Final Rules
A. The Proposed Rule
The proposed rule sought to implement the Patient Safety Act to create a voluntary system through which providers could share sensitive information relating to patient safety events without fear of liability, which should lead to improvements in patient safety and in the quality of patient care. The proposal reflected an approach to the implementation of the Patient Safety Act intended to ensure adequate flexibility within the bounds of the statutory provisions and to encourage providers to participate in this voluntary program. The proposed rule emphasized that this program is not federally funded and will be put into operation by the providers and PSOs that wish to participate with little direct federal involvement. However, the process for certification and listing of PSOs will be implemented and overseen by the Agency for Healthcare Research and Quality (AHRQ), while compliance with the confidentiality provisions will be investigated and enforced by the Office for Civil Rights (OCR).
Subpart A of the proposed rule set forth the definitions of essential terms,
[[Page 70733]]
such as patient safety work product, patient safety evaluation system,
and PSO. In order to facilitate the sharing of patient safety work
product and the analysis of patient safety events, Subpart B of the
proposed rule implemented the statutory requirements for the listing of
PSOs, the entities that will offer their expert advice in analyzing the
patient safety events and other information they collect or develop to
provide feedback and recommendations to providers. The proposed rule
established the criteria and set forth a process for certification and
listing of PSOs and described how the Secretary would review, accept,
condition, deny, or revoke certifications for listing and continued listing of entities as PSOs.
Based on the statutory mandates in the Patient Safety Act, Subpart C of the proposed rule set forth the privilege and confidentiality protections that attach to patient safety work product; it also set forth the exceptions to these protections. The proposed rule provided that patient safety work product generally continues to be protected as privileged and confidential following a disclosure and set certain limitations on redisclosure of patient safety work product.
Subpart D of the proposed rule established a framework to enable the Secretary to monitor and ensure compliance with this Part, a process for imposing a civil money penalty for breach of the confidentiality provisions, and procedures for a hearing contesting the imposition of a civil money penalty. These provisions were modeled largely on the HIPAA Enforcement Rule at 45 CFR part 160, subparts C, D and E.
B. The Final Rule
We received over 150 comments on the proposed rule from a variety of entities, including small providers and large institutional providers, hospital associations, medical associations, accrediting bodies, medical liability insurers, and state and federal agencies. Many of the commenters expressed support for the proposed rule and the protections it granted to sensitive information related to patient safety events.
Based upon the comments received, the final rule adopts most of the provisions of the proposed rule without modification; however, several significant changes to certain provisions of the proposed rule have been made in response to these comments. Changes to Subpart A include the addition of a definition of affiliated provider. The definitions of component organization, parent organization, and provider were modified for clarity, and the definition of disclosure was modified to clarify that the sharing of patient safety work product, between a component PSO and the entity of which it is a part, qualifies as a disclosure, while the sharing of patient safety work product between a physician with staff privileges and the entity with which it holds privileges is not a disclosure. We have also modified the definition of patient safety work product to include information that, while not yet reported to a PSO, is documented as being within a provider's patient safety evaluation system and that will be reported to a PSO. This modification allows for providers to voluntarily remove, and document the removal of, information from the patient safety evaluation system that has not yet been reported to a PSO, in which case, the information is no longer patient safety work product.
The most significant modifications to Subpart B include the following. With respect to the listing of PSOs, we have broadened the list of excluded entities at Sec. 3.102(a)(2)(ii), required PSOs at Sec. 3.102(b)(1)(i)(B) to notify reporting providers of inappropriate disclosures or security breaches related to the information they reported, specified compliance with the requirement regarding the collection of patient safety work product in Sec. 3.102(b)(2)(iii), eliminated the requirements for separate information systems and restrictions on shared staff for most component PSOs but added additional restrictions and limitations for PSOs that are components of excluded entities at Sec. 3.102(c), and narrowed and clarified the disclosure requirements that PSOs must file regarding contracting providers with whom they have additional relationships at Sec. 3.102(d)(2). We have modified the security requirement to provide flexibility for PSOs to determine whether to maintain patient safety work product separately from unprotected information. The final rule includes a new expedited revocation process at Sec. 3.108(e) for exceptional circumstances that require prompt action, and eliminates implied voluntary relinquishment, providing instead in Sec. 3.104(e) that a PSO's listing automatically expires at the end of three years, unless it is revoked for cause, voluntarily relinquished, or its certifications for continued listing are approved.
Changes to proposed Subpart C include the addition of language in Sec. 3.206(b)(2) that requires a reporter seeking equitable relief to obtain a protective order to protect the confidentiality of patient safety work product during the course of the proceedings. Proposed Sec. 3.206(b)(4) has been amended to allow disclosures of identifiable, nonanonymized patient safety work product among affiliated providers for patient safety activities. In addition, proposed Sec. 3.206(b)(7) has been modified to make clear that the provision permits disclosures to and among FDA, entities required to report to FDA, and their contractors. We also have modified proposed Sec. 3.206(b)(8) to require providers voluntarily disclosing patient safety work product to accrediting bodies either to obtain the agreement of identified nondisclosing providers or to anonymize the information with respect to the nondisclosing providers prior to disclosure. Finally, we modified Sec. Sec. 3.204(c), 3.206(d), and 3.210 to allow disclosures of patient safety work product to or by the Secretary for the purposes of determining compliance with not only the Patient Safety Act, but also the HIPAA Privacy Rule.
In Subpart D, we adopt the proposed provisions except, where reference was made in the proposed rule to provisions of the HIPAA Privacy Rule, the final rule includes the text of such provisions for convenience of the reader.
We describe more fully these provisions, the comments received, and
our responses to these comments below in the sectionbysection description of the final rule below.
III. SectionbySection Description of Final Rule and Response to Comments
A. Subpart AGeneral Provisions
1. Section 3.10Purpose
Proposed Rule: Proposed Sec. 3.10 provided that the purpose of proposed Part 3 is to implement the Patient Safety and Quality Improvement Act of 2005 (Pub. L. 10941), which amended the Public Health Service Act (42 U.S.C. 299 et seq.) by inserting new sections 921 through 926, 42 U.S.C. 299b21 through 299b26.
Overview of Public Comments: No comments were received pertaining to this section.
Final Rule: The Department adopts the proposed provision without modification.
2. Section 3.20Definitions
Proposed Rule: Proposed Sec. 3.20 provided for definitions applicable to Part 3. Some definitions were restatements of the definitions at section 921 of the Public Health Service Act, 42 U.S.C. 299b21, and other definitions were provided for convenience or to clarify the application and operation of the proposed rule. [[Page 70734]]
Overview of Public Comments: With respect to the definitions for AHRQ, ALJ, Board, complainant, component PSO, confidentiality provisions, entity, group health plan, health maintenance organization, HHS, HIPAA Privacy Rule, identifiable patient safety work product, nonidentifiable patient safety work product, OCR, Patient Safety Act, patient safety activities, patient safety organization, person, research, respondent, responsible person, and workforce, we received no comments.
We received a number of comments on the various other definitions and these comments will be addressed below in reference to the specific term.
Final Rule: The Department adopts the above definitions as proposed. Certain definitions were added for convenience or clarity of the reader.
Response to Public Comments
Comment: Commenters requested definitions for accrediting body, reporter, redisclosure, impermissible disclosure, use, evaluation and demonstration projects, and legislatively created PSO.
Response: The Department does not agree that the additional definitions requested by commenters are necessary. Some definitions requested have generally accepted meanings and we do not believe there is benefit in imposing more limitations on such terms. Some terms such as legislatively created PSO are not used within the final rule. Other terms such as impermissible disclosure, use, and reporter are readily understood from the context of the final rule and do not need definitions.
(A) Section 3.20New Definition of Affiliated Provider
Final Rule: The proposed rule did not include a definition for affiliated provider. The Department adopts the term affiliated provider to mean, with respect to a provider, a legally separate provider that is the parent organization of the provider, is under common ownership, management, or control with the provider, or is owned, managed, or controlled by the provider. The Department includes this term to identify to whom patient safety work product may be disclosed pursuant to a clarification of the disclosure permission for patient safety activities.
Overview of Comments: Several commenters were concerned about limitations of disclosures for patient safety activities among providers. Commenters raised concerns that limitations may inhibit the sharing and learning among providers of the analysis of patient safety events. Other commenters viewed the disclosure limitations as restricting a provider's use of its own data. These comments are addressed more fully below as part of the discussion of the patient safety activities disclosure permission.
(B) Section 3.20Definition of Bona Fide Contract
Proposed Rule: Proposed Sec. 3.20 provided that bona fide contract would mean a written contract between a provider and a PSO that is executed in good faith or a written agreement between a Federal, State, local, or Tribal provider and a Federal, State, local, or Tribal PSO.
Overview of Public Comments: One comment was received noting that ``good faith'' need not be a part of a bona fide contract.
Final Rule: Because meeting the minimum contract requirement is essential for a PSO to remain listed by the Secretary, the Department believes that the requirement that contracts to be entered in good faith should be retained. We also note that Federal, State, local or Tribal providers are free to enter into an agreement with any PSO that would serve their needs; thus, they can enter bona fide contracts with PSOs pursuant to paragraph (1) of the definition, or enter comparable arrangements with a Federal, State, local or Tribal PSO pursuant to paragraph (2). The Department adopts the proposed provision without modification.
(C) Section 3.20Definition of Component Organization
Proposed Rule: Proposed Sec. 3.20 provided that component organization would mean an entity that is either: (a) A unit or division of a corporate organization or of a multiorganizational enterprise; or (b) a separate organization, whether incorporated or not, that is owned, managed or controlled by one or more other organizations, i.e., its parent organization(s). Because this definition used terms in a manner that was broader than traditional usage, the proposed rule sought comment on whether it was appropriate for purposes of the regulation to consider a subsidiary, an otherwise legally independent entity, as a component organization.
With respect to the terms ``owned, managed, or controlled,'' the preamble directed readers to our description of these concepts in our discussion of the term ``parent organization.'' The preamble to the proposed rule discussed the various ways that an organization may be controlled by others. In particular, there was a discussion of multi organizational enterprises and the variety of management relationships or forms of control that such enterprises can create that might impact component entities. The preamble also discussed the traditional meaning of subsidiaries as being separate legal entities and, therefore, not within the ordinary meaning of the term ``component.'' However, the approach of the proposed rule was to express the Department's intention to encourage all forms of PSO organizational arrangements including the ownership of PSOs as subsidiaries. At the same time, we wanted to be able to accurately determine and to indicate to providers which PSOs should be considered components of other entities and the identity of a component PSO's parent organization. We explained our intent was not to limit our approach to corporate forms of organizations.
Overview of Public Comments: The majority of commenters supported our proposal to consider subsidiaries as component organizations for the purposes of this rule. Several commenters sought reassurance that our interpretation does not impose additional legal liability on the parent organization.
Concern was expressed that our approach suggested an overreliance on the corporate model and the definition needed to reflect other types of legally recognized entities. One comment reflected concern that our reference to ``multiorganizational enterprise'' in the definition was unnecessarily confusing because it was not commonly used. Another commenter disagreed with our approach entirely, arguing that the scope of our definition was overly broad and unnecessary.
Final Rule: The final rule now defines ``component organization''
to mean an entity that: ``(1) is a unit or division of a legal entity
(including a corporation, partnership, or a Federal, State, local or Tribal agency or organization); or
(2) Is owned, managed, or controlled by one or more legally separate parent organizations.''
The definition of component organization is intended to be read
with a focus on management or control by others as its defining
feature. The definition must be read in conjunction with the
complementary definition of ``parent organization.'' While our approach
remains little changed, we have rearranged and streamlined the text of
the definition of component in response to the comments and concerns we
received on it. For example, there is no longer an explicit reference
in the definition of component to multiorganizational enterprises,
which are undertakings with separate corporations or organizations that are integrated in a common business activity. The revised
[[Page 70735]]
definition, however, is sufficiently broad to apply to components of
such enterprises. In response to concerns that the earlier definition
was too focused on corporate organizations, we have incorporated an
explicit reference to ``other legal entities'' besides corporations. In
addition, specific references have been added to more clearly
accommodate possible organizational relationships of public agencies,
such as the Department of Defense (DoD), Department of Veterans Affairs
(VA), the Indian Health Service (IHS), and other State, local, and
Tribal organizations that manage or deliver health care services.
In the scenario envisioned by the first prong of the definition, the legal entity is a parent organization and the component organization is a unit or division within the parent organization. An underlying assumption of the modified paragraph (1) is that a unit or division of a legal entity may be managed or controlled by one or more parent organizations. Consistent with this paragraph, a component PSO may be managed or controlled by the legal entity of which it is a part or by another unit or division of that entity. It could also be controlled by a legally separate entity under the second paragraph of the definition.
The first prong of the definition encompasses a component PSO that is a unit of a governmental agency that is a legal entity. This could include a component organization managed by another division of such a governmental agency, e.g., a health care division of VA or DoD. Thus, a component PSO could be a unit or component of a Federal agency that is a legal entity and it could at the same time be a component of another unit or division of that agency which controls and directs or manages its operation. So too in the private sector, a component PSO could have more than one parent and thus be a component, for example, of a professional society as well as a component of the unit or division of the professional society that controls or manages the PSO.
The second prong of the definition addresses a variety of organizational relationships that could arise between component PSOs and legally separate parent organizations that manage or control them. Under paragraph (2), a subsidiary PSO could be managed or controlled by its legally separate parent organization. In addition, we note that a component PSO could be managed or controlled by another unit or division of its legally separate parent, e.g., if this unit or division uses its knowledge and skills to control or manage certain aspects of the component's operations. If that occurs, we would consider the sibling subsidiary that exercises control or management over the PSO as another parent organization of the PSO.
Obtaining the identity and contact information of an entity's parent organizations is useful for the purpose of letting providers know who may be managing or controlling a PSO. This information also will be useful in implementing the certification and listing process for PSOs described in the rule which, for instance, excludes any health insurance issuer from becoming a PSO and excludes a component of a health insurance issuer from becoming a PSO.
In response to commenters concerned about the legal liability for parent organizations of component PSOs, we note that the preamble to the proposed rule stated as follows: ``We stress that neither the statute nor the proposed regulation imposes any legal responsibilities, obligations, or liability on the organization(s) of which it [the PSO] is a part.'' The Department reaffirms its position. At the same time, we note that the rule, at Sec. 3.402(b), recognizes, provides for, and does not alter the liability of principals based on Federal common law. Response to Other Public Comments
Comment: One concern that was expressed by several commenters pertained to whether or not a health system that has a component or subsidiary health insurance issuer, e.g., a group health plan offered to the public, would be precluded from having a component PSO as well.
Response: So long as the component health insurance issuer does not come within the definition of a parent organization of the PSO, i.e., own a controlling or majority interest in, manage, or control the health system's component PSO (i.e., the PSO would not be a component of the health insurance issuer), the parent health system could establish a component PSO.
Comment: It was asserted that including subsidiaries as components would require a PSO that is not controlled by another parent organization, but itself has a subsidiary, to seek listing as a component PSO.
Response: The revised definition of component organization emphasizes that a component is an organization that is controlled by another entity. It is not the Department's intention to require a PSO that is not controlled by another entity to seek listing as a component PSO. For this reason, the fact that a PSO has a subsidiary does not trigger the requirement to seek listing as a component organization.
Comment: It was suggested that the inclusion of subsidiaries within the meaning of component would require a health system that wished to create a PSO to create it as a component.
Response: There are several issues that a health system needs to consider in determining whether and how to create a PSO, but the inclusion of subsidiary within the meaning of component is not necessarily determinative. The statute requires the improvement of quality and patient safety to be the primary activity of the entity seeking listing. Since few multifaceted health system organizations will meet this requirement, existing organizations will have an incentive to create singlepurpose component organizations that clearly meet the requirement. The second issue is whether to create a PSO as an internal component organization or as a separate legal entity. Because the final rule requires each PSO to enter two contracts, provider organizations may find it useful for its component PSO to be a separate legal entity. Otherwise, the component PSO may be precluded from contracting with its parent organization.
Comment: There was a request for a definition of ``own'' with a suggestion for reference to Internal Revenue Code 26 I.R.C. Sec. 1563 to clarify its meaning and the meaning of having a controlling interest. This same commenter sought strong separation requirements between a component PSO and any parent organization.
Response: We have reviewed the cited regulation but conclude that the approach presented is unlikely to clarify the meaning of ``own'' or ``having a controlling interest'' for purposes of the regulation. Accordingly, the definition of component in the final rule will use the term ``owns,'' but it should be read in conjunction with the phrase ``owns a controlling or majority interest in'' that is used in the related definition of ``parent organization.'' This will indicate that the definition of component uses the term ``owns'' to mean having a sufficient ownership interest to control or manage a PSO. The holder of a controlling or majority interest in the entity seeking to be listed should be identified as a parent organization.
Comment: Components of government entities should not be listed as PSOs.
Response: The Patient Safety Act specifically permits public sector
entities, and components of public sector entities, to seek listing as
a PSO. We have incorporated several exclusions, however, of entities with
[[Page 70736]]
regulatory authority and those administering mandatory state reporting
programs because these activities are incompatible with fostering a
nonpunitive culture of safety among providers. As we explain in Sec.
3.102(a)(2)(ii), we conclude that it is not necessary to exclude
components of such entities but have adopted additional restrictions
and requirements in Sec. 3.102(c) for such component entities. (D) Section 3.20Definition of Disclosure
Proposed Rule: Proposed Sec. 3.20 provided that disclosure would mean the release, transfer, provision of access to, or divulging in any other manner of patient safety work product by a person holding patient safety work product to another person.
We did not generally propose to regulate uses of patient safety work product within an entity, i.e., when this information is exchanged or shared among the workforce members of an entity. We believe that regulating uses within providers and PSOs would be unnecessarily intrusive given the voluntary aspect of participation with a PSO. We believe that regulating uses would not further the statutory goal of facilitating the sharing of patient safety work product with PSOs and that sufficient incentives exist for providers and PSOs to prudently manage the internal sharing of sensitive patient safety work product. However, based on the statutory provision, we did propose that we would recognize as a disclosure the sharing of patient safety work product between a component PSO and the organization of which it is a component. Such sharing would, absent the statutory provision and the proposed regulation, be a use within the larger organization because the component PSO is not a separate entity. The Patient Safety Act supports this position by demonstrating a strong desire for the protection of patient safety work product from the rest of the organization of which the PSO is a part. We sought public comment on whether the decision to not regulate uses was appropriate.
The proposed rule discussed that sharing patient safety work product with a contractor that is under the direct control of an entity, i.e., a workforce member, would not be a disclosure, but rather a use within the entity. However, sharing patient safety work product with an independent contractor would be a disclosure requiring an applicable disclosure permission.
Overview of Public Comments: Some commenters supported the proposed definition of disclosure. No commenters opposed the proposed definition or requested further clarification.
Most commenters that responded to the question whether uses of patient safety work product should be regulated supported the decision not to regulate uses. Those commenters agreed that regulating uses would be overly intrusive without significant benefit and that entities are free to enter into agreements with greater protections. Other commenters disagreed with the Department's proposal and stated that regulation of uses would improve confidentiality and thereby increase provider participation.
No commenters opposed the proposal that sharing of patient safety work product from a component PSO to the rest of the parent entity of which it is a part would be a disclosure for purposes of enforcement rather than a use internal to the entity.
Final Rule: The Department adopts the provision with modifications. In general, the modified definition of disclosure means the release of, transfer of, provision of access to, or divulging in any other manner of, patient safety work product by an entity or natural person holding the patient safety work product to another legally separate entity or natural person, other than a workforce member of, or a physician holding privileges with, the entity holding the patient safety work product. Additionally, we have defined as a disclosure the release of, transfer of, provision of access to, or divulging in any other manner of, patient safety work product by a component PSO to another entity or natural person outside the component PSO.
We have modified the language for clarity to distinguish the actions that are a disclosure for a natural person and an entity, separately. We have also included language in the definition that makes clear that sharing of patient safety work product from a component PSO to the entity of which it is a part is a disclosure even though the disclosure would be internal to an entity and generally permitted. Finally, we have added language to clearly indicate that the sharing of patient safety work product between a health care provider with privileges and the entity with which it holds privileges does not constitute a disclosure, consistent with the treatment of patient safety work product shared among workforce members.
Response to Other Public Comments
Comment: Commenters asked that the Department clarify the terms ``disclosure'' and ``use''. Commenters stated that the terms were used interchangeably and this caused confusion.
Response: The term ``disclosure'' describes the scope of the confidentiality protections and the manner in which patient safety work product may be shared. ``Disclosure'' is also employed by the Patient Safety Act when describing the assessment of civil money penalties for the failure to maintain confidentiality (see 42 U.S.C. 299b22(f)(1)). Although the Patient Safety Act employs the term ``use'' in several provisions, we did not interpret those provisions to include a restriction on the use of patient safety work product based on the confidentiality protections.
Because the focus of the proposed rule was on disclosures, we did not believe that defining the term ``use'' was helpful; nor did we believe the terms would be confusing. Use of patient safety work product is the sharing within a legal entity, such as between members of the workforce, which is not a disclosure. By contrast, a disclosure is the sharing or release of information outside of the entity for which a specific disclosure permission must be applicable.
Comment: One commenter requested clarification regarding the sharing of patient safety work product among legally separate participants that join to form a single joint venture component PSO.
Response: The Department distinguishes between the disclosure of patient safety work product between legal entities and the use of patient safety work product internal to a single legal entity. If a component PSO is part of a multiorganizational enterprise, uses of patient safety work product internal to the component PSO are not regulated by this final rule, but sharing of patient safety work product between the component PSO and another entity or with a parent organization are considered disclosures for which a disclosure permission must apply.
Comment: One commenter raised concerns that the final rule would restrict a provider's use of its own data and thereby discourage collaboration with other care givers.
Response: The Department believes that the final rule balances the
interests between the privacy of identified providers, patients and
reporters and the need to aggregate and share patient safety work
product to improve patient safety among all providers. The final rule
does not limit the sharing of patient safety work product within an
entity and permits sharing among providers under certain conditions. Affiliated
[[Page 70737]]
providers may share patient safety work product for patient safety
activities and nonaffiliated providers may share anonymized patient
safety work product. A provider may also share patient safety work
product with a health care provider that has privileges to practice at
the provider facility. Further, if all identified providers are in
agreement regarding the need to share identifiable patient safety work
product, each provider may authorize and thereby permit a disclosure.
Comment: Several commenters asked whether uses were restricted based upon the purpose for which the patient safety work product is being shared internally.
Response: The final rule does not limit the purpose for which patient safety work product may be shared internal to an entity. Entities should consider the extent to which sensitive patient safety work product is available to members of its workforce as a good business practice.
(E) Section 3.20Definition of Entity
Proposed Rule: Proposed Sec. 3.20 provided that entity would mean any organization or organizational unit, regardless of whether the entity is public, private, forprofit, or notforprofit.
Overview of Public Comments: One comment was received suggesting that the terms ``governmental'' or ``body politic'' should be added to clarify that the term ``public'' includes Federal, State, or local government as well as public corporations.
Final Rule: The term ``public'' has long been used throughout Title 42 of the Code of Federal Regulations as encompassing governmental agencies; therefore we do not believe that the addition is necessary. The Department adopts the proposed provision without modification. (F) Section 3.20Definition of Health Insurance Issuer
Proposed Rule: Proposed Sec. 3.20 provided that health insurance issuer would mean an insurance company, insurance service, or insurance organization (including a health maintenance organization, as defined in 42 U.S.C. 300gg91(b)(3)) which is licensed to engage in the business of insurance in a State and which is subject to State law which regulates insurance (within the meaning of 29 U.S.C. 1144(b)(2). The definition specifically excluded group health plans from the meaning of the term.
Overview of Public Comments: Several commenters expressed concern that the Department needed to be vigilant in its exclusion of health insurance issuers and components of health insurance issuers, urging that HHS clearly define health insurance issuers in the final rule. Another commenter sought clarification regarding risk management service companies, i.e., those that offer professional liability insurance, reinsurance, or consulting services.
Final Rule: The Department has reviewed the definition of ``health insurance issuer'' and determined that the definition is clear. Because the reference to group health plans could be a source of confusion, we note that we have defined the term above. Accordingly, the Department adopts the proposed provision without modification.
In response to several comments regarding the scope of the term health insurance issuer, the Department has concluded that, for purposes of this rule, risk management service companies, professional liability insurers and reinsurers do not fall within the definition of health insurance issuer.
Response to Other Public Comments
Comment: One commenter asked if a provider system that was owned as a subsidiary by an HMO could create a component PSO.
Response: Section 3.102(a)(2)(i) excludes a health insurance issuer, a unit or division of a health insurance issuer, or an entity that is owned, managed, or controlled by a health insurance issuer from seeking listing as a PSO. In this case, the HMO is considered a health insurance issuer and the provider system would be a component of the health insurance issuer. Under the rule, the HMO and the provider system may not seek listing as a PSO, and the entity created by the provider system could not seek listing as a component PSO if it is owned, managed or controlled by the provider system or the HMO.
Comment: One commenting organization requested discussion of what organizational structure might allow a health insurance issuer to participate in the patient safety work of an independent PSO.
Response: The statutory exclusion means that the following entities may not seek listing: a health insurance issuer or a component of a health insurance issuer.
(G) Section 3.20Definition of Parent Organization
Proposed Rule: Proposed Sec. 3.20 provided that ``parent organization'' would mean an entity, that alone or with others, either owns a provider entity or a component organization, or has the authority to control or manage agenda setting, project management, or daytoday operations of the component, or the authority to review and override decisions of a component organization. The proposed rule did not provide a definition of ``owned'' but provided controlling interest (holding enough stock in an entity to control it) as an example of ownership in the preamble discussion of the term, ``parent organization.'' The proposed rule specifically sought comment on our use of the term ``controlling interest,'' whether it was appropriate, and whether we needed to further define ``owns.'' The remaining terms, ``manage or control,'' were explained in the proposed rule's definition of ``parent organization,'' as having ``the authority to control or manage agenda setting, project management, or daytoday operations of the component, or the authority to review and override decisions of a component organization.''
Overview of Public Comments: We received eight comments on the question of ``controlling interest'' and there was no consensus among the commenters. Four commenters thought our discussion was appropriate. Another agreed with the concept of controlling interest but wanted to limit its application to a provider who reported patient safety work product to the entity. One commenter cautioned that the term ``controlling interest'' was open to various interpretations and the final rule should provide additional guidance. Another commenter suggested ``controlling interest'' was worrisome but did not provide a rationale for this assessment. One commenter supported additional protections, contending that it was appropriate for HHS to pierce the corporate veil when there was fraud or collusion, and recommended the preamble outline situations in which HHS would pierce the corporate veil.
We received no negative comments on our proposed interpretation of what it means to manage or control another entity. One commenter suggested that the definition should recognize the significant authority or control of a provider entity or component organization through reserve powers, by agreement, statute, or both.
Final Rule: While approximately half of the comments supported our
approach, there was not a clear consensus in the comments we reviewed.
So the approach we have taken with the definition of ``parent
organization'' was to strive for greater clarity, taking into account its interaction with our definition of
[[Page 70738]]
``component organization,'' described above.
The definition of ``parent organization'' in the final rule retains the basic framework of the proposed rule definition: an organization is a parent if it owns a component organization, has the ability to manage or control a component, or has the authority to review and overrule the component's decisions.
The language of the proposed rule used only the term ``own'' while the preamble cited the example of stock ownership. Without further specification, we were concerned that this approach could have been interpreted to mean that an organization owning just a few shares of stock of a component organization would be considered a parent organization. This is not our intent. For clarity, we have modified the text to read ``owns a controlling or majority interest.''
We have also removed the phrase ``alone or with others'' from the
first clause. We did so for two reasons. First, it is unnecessary since it does not matter whether ownership is shared with other
organizations, as in a joint venture. An entity seeking listing as a
PSO will use this definition solely to determine if it has any parent
organizations and, if it does, it must seek listing as a component
organization and disclose the names and contact information for each of
its parent organizations. Second, we have tried to make it as clear as
possible that any organization that has controlling ownership
interests, or management or control authority over a PSO, should be
considered, and reported in accordance with the requirements of Sec. 3.102(c)(1)(i), as a parent organization.
For similar reasons, we have removed the reference to provider from the first part of the definition and instead consistently used the term ``component organization'' with respect to each characteristic of a parent organization. We added a second sentence to clarify that a provider could be the component organization in all three descriptive examples given of parental authority.
In response to one commenter's concern, we believe that the phrase
``has the authority'' as used in the definition is sufficiently broad to encompass reserve powers.
(H) Section 3.20Definition of Patient Safety Evaluation System
Proposed Rule: Proposed Sec. 3.20 provided that patient safety evaluation system would mean the collection, management, or analysis of information for reporting to or by a PSO. The patient safety evaluation system would be the mechanism through which information can be collected, maintained, analyzed, and communicated. The proposed rule discussed that a patient safety evaluation system would not need to be documented because it exists whenever a provider engages in patient safety activities for the purpose of reporting to a PSO or a PSO engages in these activities with respect to information for patient safety purposes. The proposed rule provided that formal documentation of a patient safety evaluation system could designate secure physical and electronic space for the conduct of patient safety activities and better delineate various functions of a patient safety evaluation system, such as when and how information would be reported by a provider to a PSO, how feedback concerning patient safety events would be communicated between PSOs and providers, within what space deliberations and analyses of information are conducted, and how protected information would be identified and separated from information collected, maintained, or developed for purposes other than reporting to a PSO.
The Department recommended that a provider consider documentation of a patient safety evaluation system to support the identification and protection of patient safety work product. Documentation may provide substantial proof to support claims of privilege and confidentiality and will give notice to, will limit access to, and will create awareness among employees of, the privileged and confidential nature of the information within a patient safety evaluation system which may prevent unintended or impermissible disclosures.
We recommended that providers and PSOs consider documenting how information enters the patient safety evaluation system; what processes, activities, physical space(s) and equipment comprise or are used by the patient safety evaluation system; which personnel or categories of personnel need access to patient safety work product to carry out their duties involving operation of, or interaction with, the patient safety evaluation system; the category of patient safety work product to which access is needed and any conditions appropriate to such access; and what procedures the patient safety evaluation system uses to report information to a PSO or disseminate information outside of the patient safety evaluation system.
The proposed rule sought comment about whether a patient safety evaluation system should be required to be documented.
Overview of Public Comments: Several commenters supported the efforts to enable the patient safety evaluation system to be flexible and scalable to individual provider operations. Most commenters that responded to the question whether a patient safety evaluation system should be documented supported the decision to not require documentation. Commenters stated that requiring documentation would inhibit the flexibility in the design of patient safety evaluation systems and the ability of providers to design systems best suited for their specific practices and settings. Documentation would also be burdensome to providers and should ultimately be left to the discretion of individual providers based on their needs. Other commenters supported a requirement for documentation, suggesting that documentation would go further in ensuring compliance with the confidentiality provisions and the protection of information, thereby encouraging provider participation.
Final Rule: The Department adopts the proposed provision without modification. Based on the comments, we have not modified the proposed decision to not require documentation. We have, as described in the definition of patient safety work product below, clarified how documentation of a patient safety evaluation system clearly establishes when information is patient safety work product. We encourage providers to document their patient safety evaluation systems for the benefits mentioned above. We believe documentation is a best practice. Response to Other Public Comments
Comment: Two commenters raised concerns about how a patient safety evaluation system operates within a multihospital system comprised of a parent corporation and multiple hospitals that are separately incorporated and licensed. One commenter asked whether a parent corporation can establish a single patient safety evaluation system in which all hospitals participate. The other commenter recommended that individual institutional affiliates of a multihospital system be part of a single patient safety evaluation system.
Response: For a multiprovider entity, the final rule permits
either the establishment of a single patient safety evaluation system
or permits the sharing of patient safety work product as a patient
safety activity among affiliated providers. For example, a hospital
chain that operates multiple hospitals may include the parent organization along with each hospital in a single patient
[[Page 70739]]
safety evaluation system. Thus, each hospital may share patient safety
work product with the parent organization and the patient safety
evaluation system may exist within the parent organization as well as the individual hospitals.
There may be situations where establishing a single patient safety evaluation system may be burdensome or a poor solution to exchanging patient safety work product among member hospitals. To address this concern, we have modified the disclosure permission for patient safety activities to permit affiliated providers to disclose patient safety work product with each other based on commonality of ownership.
Comment: One commenter asked how a patient safety evaluation system exists within an institutional provider.
Response: A patient safety evaluation system is unique and specific to a provider. The final rule retains a definition of a patient safety evaluation system that is flexible and scalable to meet the specific needs of particular providers.
With respect to a single institutional provider, such as a hospital, a provider may establish a patient safety evaluation system that exists only within a particular office or that exists at particular points within the institution. The decisions as to how a patient safety evaluation system operates will depend upon the functions the institutional provider desires the patient safety evaluation system to perform and its tolerances regarding access to the sensitive information contained within the system. Providers should consider how a patient safety evaluation system is constructed, carefully weighing the balance between coordination and fragmentation of a provider's activities.
Comment: Some commenters were concerned that the patient safety evaluation system provided a loophole for providers to avoid transparency of operations and hide information about patient safety events. Some commenters suggested that a provider may establish a patient safety evaluation system that is inside of a PSO, thus stashing away harmful documents and information.
Response: The Department does not believe that the patient safety evaluation system enables providers to avoid transparency. A patient safety evaluation system provides a protected space for the candid consideration of quality and safety. Nonetheless, the Patient Safety Act and the final rule have carefully assured that information generally available today remains available, such as medical records, original provider documents, and business records. Providers must fulfill external reporting obligations with information that is not patient safety work product. Further, a provider may not maintain a patient safety evaluation system within a PSO.
Comment: One commenter asked whether all information in a patient safety evaluation system is protected.
Response: Information collected within a patient safety evaluation system that has been collected for the purpose of reporting to a PSO is patient safety work product if documented as collected for reporting to a PSO. This is discussed more fully at the definition of patient safety work product below. Information that is reported to a PSO is also protected, as discussed more fully at the definition of patient safety work product below.
Comment: One commenter was concerned that the lack of a framework and too much flexibility may interfere with interoperability and data aggregation at a later date.
Response: The Department believes that a patient safety evaluation system must of necessity be flexible and scalable to meet the needs of specific providers and PSOs. Without such flexibility, a provider may not participate, which may, lessen the overall richness of the information that could be obtained about patient safety events. The Department recognizes the value of aggregated data and has, pursuant to the Patient Safety Act, begun the process of identifying standard data reporting terms to facilitate aggregation and interoperability. Further, the Patient Safety Act requires that PSOs, to the extent practical and appropriate, collect patient safety work product in a standardized manner (see 42 U.S.C. 299b24(b)(1)(F)). The Department hopes that, by permitting the widest range possible of providers to participate in the gathering and analysis of patient safety events, increased participation will generate more data and greater movement towards addressing patient safety issues.
Comment: Many commenters encouraged the Department to provide technical assistance to providers and PSOs on the structuring and operation of a patient safety evaluation system.
Response: The Department expects to provide such guidance on the operation and activities of patient safety evaluation systems as it determines is necessary.
(I) Section 3.20Definition of Patient Safety Work Product
Proposed Rule: Proposed Sec. 3.20 adopted the statutory definition of patient safety work product as defined in the Patient Safety Act. The proposed rule provided that many types of information can become patient safety work product to foster robust exchanges between providers and PSOs. Any information must be collected or developed for the purpose of reporting to a PSO.
Three provisions identified how information becomes patient safety work product. First, information may become patient safety work product if it is assembled or developed by a provider for the purpose of reporting to a PSO and is reported to a PSO. Second, patient safety work product is information developed by a PSO for the conduct of patient safety activities. Third, patient safety work product is information that constitutes the deliberations or analysis of, or identifies the fact of reporting pursuant to, a patient safety evaluation system.
The proposed rule provided that reporting means the actual transmission or transfer of information to a PSO. We recognized that requiring the transmission of every piece of paper or electronic file to a PSO could impose significant transmission, management, and storage burdens on providers and PSOs. The proposed rule sought comment on whether alternatives for actual reporting should be recognized as sufficient to meet the reporting requirement. For example, the proposed rule suggested that a provider that contracts with a PSO may functionally report information to a PSO by providing access and control of information to a PSO without needing to physically transmit information. The proposed rule also sought comment on whether additional terms and conditions should be required to permit functional reporting and whether functional reporting should be permitted only after an initial actual report of information related to an event.
The proposed rule also sought comment on whether a short period of protection for information assembled but not yet reported is necessary for flexibility or for providers to efficiently report information to a PSO. We also sought comment on an appropriate time period for such protection and whether a provider must demonstrate intent to report in order to obtain protection.
The proposed rule also sought comment on when a provider could begin collecting information for the purpose of reporting to a PSO such that it is not excluded from becoming patient safety work product because it was collected, maintained or developed separately from a patient safety evaluation system.
[[Page 70740]]
The proposed rule indicated that, if a PSO is delisted for cause, a provider would be able to continue to report to that PSO for 30 days after the date of delisting and the information reported would be treated as patient safety work product (section 924(f)(1) of the Public Health Service Act). However, after delisting, the proposed rule indicated that the former PSO may not generate patient safety work product by developing information for the conduct of patient safety activities or through deliberations and analysis of information. Even though a PSO may not generate new patient safety work product after delisting, it may still possess patient safety work product, which must be kept confidential and be disposed of in accordance with requirements in Subpart B.
The proposed rule also described what is not patient safety work product, such as a patient's original medical record, billing and discharge information, or any other original patient or provider record. Patient safety work product does not include information that is collected, maintained, or developed separately or exists separately from, a patient safety evaluation system. This distinction is made because these and similar records must be maintained by providers for other purposes.
The proposed rule also discussed that external reporting obligations as well as voluntary reporting activities that occur for the purpose of maintaining accountability in the health care system cannot be satisfied with patient safety work product. Thus, information that is collected to comply with external obligations is not patient safety work product. The proposed rule provided that such activities include: state incident reporting requirements; adverse drug event information reporting to the Food and Drug Administration (FDA); certification or licensing records for compliance with health oversight agency requirements; reporting to the National Practitioner Data Bank of physician disciplinary actions; or complying with required disclosures by particular providers or suppliers pursuant to Medicare's conditions of participation or conditions of coverage.
The proposed rule also addressed the issue that external authorities may seek information about how effectively a provider has instituted corrective action following identification of a threat to the quality or safety of patient care. The Patient Safety Act does not relieve a provider of its responsibility to respond to such requests for information or to undertake or provide to external authorities evaluations of the effectiveness of corrective action, but the provider must respond with information that is not patient safety work product. The proposed rule provided that recommendations for changes from the provider's patient safety evaluation system or the PSO are patient safety work product. However, the actual changes that the provider implements to improve how it manages or delivers health care services are not patient safety work product, and it would be virtually impossible to keep such changes confidential.
Overview of Public Comments: Commenters raised a significant number of concerns regarding how information becomes patient safety work product under particular provisions of the definition.
Functional Reporting
We received significant feedback from commenters in support of recognizing alternative reporting methods. Most commenters agreed that an alternative reporting arrangement should be permitted to promote efficiency and relieve providers of the burden of continued transmission. Two commenters opposed permitting alternative reporting methods based on the concern that a shared resource may confuse clear responsibility for a breach of information and that a PSO that has access to a provider information system may also have access to patient records and similar information for which access may not be appropriate.
Most commenters rejected the suggestion that functional reporting should be limited to subsequent reports of information rather than allowing functional reports for the first report of an event. Commenters believed that such a limitation would inhibit participation and offset the benefits of allowing functional reporting. Commenters also believed such a limitation would create an artificial distinction between information that is initially and subsequently reported to a PSO. Some commenters believed that details regarding functional reporting are better left to agreement between the provider and PSO engaging in functional reporting. Two commenters did support restricting functional reporting to subsequent information, but did not provide any rationale or concern to support their comment.
No commenters identified additional requirements or criteria that should be imposed beyond a formal contract or agreement. Thus, the final rule permits functional reporting.
When Is Information Protected
Commenters raised significant and substantial concerns regarding when the protections for patient safety work product begins, how existing patient safety processes will occur given the protections for patient safety work product, and the likelihood that providers may need to maintain separate systems with substantially duplicate information. A significant majority of commenters responded to the concern regarding the status of information collected, but not yet reported to a PSO. Most commenters agreed with concerns raised by the Department that early protection could ease the burden on providers, preventing a race to report to a PSO. These commenters recommended that information be protected upon collection and prior to reporting. Protection during this time would permit providers to investigate an event and conduct preliminary analyses regarding causes of the event or whether to report information to a PSO. Many commenters were concerned that information related to patient safety events be protected at the same time the information is preserved for other uses. Some providers indicated that if duplication of information is required, providers may opt to not participate due to costs and burdens. Three commenters indicated that there should be no protection until information is reported to a PSO. One commenter was concerned that early protection may interfere with State reporting requirements because information needed to report to a State may become protected and unavailable for State reporting. Another commenter stated that earlier protection would not alleviate the concerns regarding protection prior to reporting.
Commenters provided a wide range of recommendations in response to when protection of information should begin prior to creation of patient safety work product. Commenters suggested that information be protected prior to reporting for as little as 24 hours from an event up to 12 months. Other commenters suggested that a timeframe be reasonable and based upon relevant factors such as the complexity of facts and circumstances surrounding an event.
State Reporting
One of the most significant areas of comment was how processes to
create patient safety work product may operate alongside similar
processes within a provider. Commenters were particularly concerned that information collected for
[[Page 70741]]
similar purposes, such as for reporting to a PSO and for reporting to a
State health authority, would need to be maintained in separate
systems, thereby increasing the burden on provi
FOR FURTHER INFORMATION CONTACT
Susan Grinder, Agency for Healthcare Research and Quality, 540 Gaither Road, Rockville, MD 20850, (301) 427 1111 or (866) 4033697.