Attachment D: 2016 Patient Safety and Quality Improvement Act of 2005 - HHS Guidance Regarding Patient Safety Work Product and Providers’ External Obligations.

Attachment.D.Patient Safety Act.PSWP.Providers.External.Obligations.AHRQ.11.2017.pdf

Patient Safety Organization Certification for Initial Listing and Related Forms, Patient Safety Confidentiality Complaint Form, and Common Formats

Attachment D: 2016 Patient Safety and Quality Improvement Act of 2005 - HHS Guidance Regarding Patient Safety Work Product and Providers’ External Obligations.

OMB: 0935-0143

Document [pdf]
Download: pdf | pdf
Federal Register / Vol. 81, No. 100 / Tuesday, May 24, 2016 / Rules and Regulations
disclosure permissions of the Patient
Safety Act and Patient Safety Rule.

DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Agency for Healthcare Research and
Quality Office for Civil Rights
42 CFR Part 3
Patient Safety and Quality
Improvement Act of 2005—HHS
Guidance Regarding Patient Safety
Work Product and Providers’ External
Obligations
Agency for Healthcare Research
and Quality (AHRQ), Office for Civil
Rights (OCR), Department of Health and
Human Services (HHS).
ACTION: Guidance on Patient Safety and
Quality Improvement Act of 2005.
AGENCY:

This guidance sets forth
guidance for patient safety organizations
(PSOs) and providers regarding
questions that have arisen about the
Patient Safety and Quality Improvement
Act of 2005, 42 U.S.C. 299b–21—b–26
(Patient Safety Act), and its
implementing regulation, the Patient
Safety and Quality Improvement Final
Rule, 42 CFR part 3 (Patient Safety
Rule). In particular, this Patient Safety
and Quality Improvement Act of 2005—
Guidance Regarding Patient Safety Work
Product and Providers’ External
Obligations (Guidance) is intended to
clarify what information that a provider
creates or assembles can become patient
safety work product (PSWP) in response
to recurring questions. This Guidance
also clarifies how providers can satisfy
external obligations related to
information collection activities
consistent with the Patient Safety Act
and Patient Safety Rule.
DATES: The Guidance is effective on
May 24, 2016.
ADDRESSES: The Guidance can be
accessed electronically at the following
HHS Web site: http://www.pso.ahrq.gov.
FOR FURTHER INFORMATION CONTACT:
Susan Grinder, Center for Quality
Improvement and Patient Safety, AHRQ,
5600 Fishers Lane, Mail Stop 06N100B,
Rockville, MD 20857; Telephone (301)
427–1327; Email: Susan.Grinder@
AHRQ.hhs.gov.
SUMMARY:

SUPPLEMENTARY INFORMATION:

mstockstill on DSK3G9T082PROD with RULES

Background
HHS issued the Patient Safety Rule to
implement the Patient Safety Act.
AHRQ administers the provisions of the
Act and Rule relating to the listing and
operation of PSOs. OCR, within HHS, is
responsible for interpretation,
administration and enforcement of the
confidentiality protections and

VerDate Sep<11>2014

17:11 May 23, 2016

Jkt 238001

HHS Approach to Patient Safety Act
Interpretation
The Patient Safety Act is part of a
larger framework envisioned by the
Institute of Medicine and designed to
balance two goals: 1) To improve patient
safety and reduce medical errors by
creating a ‘‘culture of safety’’ to share
and learn from information related to
patient safety events, and 2) to promote
health care providers’ accountability
and transparency through mechanisms
such as oversight by regulatory agencies
and adjudication in the legal system. As
discussed in ‘‘To Err Is Human,’’ in
respect to reporting systems, ‘‘they can
hold providers accountable for
performance or, alternatively, they can
provide information that leads to
improved safety. Conceptually, these
purposes are not incompatible, but in
reality, they can prove difficult to satisfy
simultaneously.’’ 1
The Patient Safety Act promotes the
goal of improving patient safety and
reducing medical errors by establishing
a system in which health care providers
can voluntarily collect and report
information related to patient safety,
health care quality, and health care
outcomes to PSOs. The PSOs aggregate
and analyze this information and give
feedback to the providers to encourage
learning and prevent future errors. The
providers are motivated to report such
information to PSOs because the Patient
Safety Act provides broad privilege and
confidentiality protections for
information meeting the definition of
PSWP, which alleviates concerns about
such information being used against a
provider, such as in litigation.
At the same time, providers are
subject to legitimate external obligations
regarding certain records about patient
safety to ensure their accountability and
transparency. For example, the Centers
for Medicare & Medicaid Services (CMS)
Hospital Condition of Participation
(CoP) for Quality Assessment and
Performance Improvement require
hospitals to track adverse patient
events.2 State health care regulatory
agencies typically have their own
separate requirements for different types
of providers, with more than half of the
states operating adverse event reporting
systems.3 The legal system provides
1 Institute of Medicine, ‘‘To Err Is Human:
Building a Safer Health System’’, 1999, page 86.
2 42 CFR 482.21(a)(2).
3 As of November 2014, 26 states and the District
of Columbia had adverse event reporting systems,
and Texas began implementing a system in January
2015. National Academy for State Health Policy,
‘‘2014 Guide to State Adverse Event Reporting

PO 00000

Frm 00039

Fmt 4700

Sfmt 4700

32655

another course to pursue accountability
for medical errors. If a patient is injured
while under a provider’s care, the tort
system offers an avenue to compensate
the patient for his injury. However,
while a successful medical malpractice
claim may help compensate one patient
for his specific injury, the general threat
of litigation provides a disincentive to
providers from voluntarily sharing
information about their mistakes.
The intent of the system established
by the Patient Safety Act is to protect
the additional information created
through voluntary patient safety
activities, not to protect records created
through providers’ mandatory
information collection activities.4 For
example, a provider may have an
external obligation to maintain certain
records about serious adverse events
that result in patient harm. The
document the provider prepares to meet
its requirement about such adverse
events is not PSWP. As such, the Patient
Safety Act recognizes the goal of
accountability and transparency, and it
attempts to balance this goal with that
of improving patient safety and
reducing medical errors. While Congress
was aware of the chilling effect the fear
Systems’’, 2015, page 4. For example, Pennsylvania
hospitals, ambulatory surgical facilities, birthing
centers, nursing homes, and other facilities are
required by various state laws to submit reports on
‘‘serious events’’ and ‘‘incidents’’ to the
Pennsylvania Patient Safety Reporting System
(‘‘PA–PSRS’’). Information submitted to PA–PSRS
is confidential under state law. Patient Safety
Authority, Pennsylvania Patient Safety Reporting
System: PA–PSRS (Pennsylvania Patient Safety
Reporting System), http://
patientsafetyauthority.org/PA-PSRS/Pages/
PAPSRS.aspx (last accessed Mar. 4, 2016). In
Maine, ‘‘healthcare facilities,’’ which includes
hospitals, ambulatory surgical facilities, end-stage
renal disease facilities, and intermediate care
facilities for individuals who are intellectually
disabled, are required to report ‘‘sentinel events’’
and root cause analyses of sentinel events to the
Maine Department of Health and Human Services.
The healthcare facilities may also voluntarily selfreport ‘‘near miss events.’’ Under state law, the
reported information is confidential and privileged.
See 10–144 C.M.R. Ch 114, Rules Governing the
Reporting of Sentinel Events. In addition or
alternative to reporting requirements, some states
require providers to maintain certain information.
For example, Delaware requires certain facilities
that perform invasive medical procedures to report
adverse events to the Department of Health and
Social Services within 48 business hours of the
occurrence and also keep the adverse event reports
‘‘on file at the facility for a minimum of five years.’’
CDR 16–4000–4408 Sections 4.3, 4.4. In Kentucky,
hospitals are required to ‘‘establish[], maintain[],
and utilize[]’’ administrative reports, including
incident investigation reports, ‘‘to guide the
operation, measure productivity, and reflect the
programs of the facility.’’ 902 KAR 20:016 Section
3(3)(a).
4 See e.g., 42 U.S.C. 299b-21(7)(B)(iii)(II), (III); 42
U.S.C. 299b-22(g)(2), (5) (generally providing that
the Patient Safety Act does not affect or limit
providers’ obligations to record or report
information that is not PSWP to Federal, state, or
local governmental agencies).

E:\FR\FM\24MYR1.SGM

24MYR1

32656

Federal Register / Vol. 81, No. 100 / Tuesday, May 24, 2016 / Rules and Regulations

of being sued had on providers, the
Patient Safety Act was not designed to
prevent patients who believed they were
harmed from obtaining the records
about their care that they were able to
obtain prior to the enactment of the
Patient Safety Act.5 Nor was the Patient
Safety Act intended to insulate
providers from demonstrating
accountability through fulfilling their
external obligations.6 Therefore, when
interpreting the Patient Safety Act and
Patient Safety Rule, HHS does so with
the objective of maintaining balance
between these two policy goals,
consistent with the intent of the Patient
Safety Act.
How Information Becomes PSWP

mstockstill on DSK3G9T082PROD with RULES

Both the Notice of Proposed
Rulemaking (NPRM) and the Preamble
to the Patient Safety Rule (Preamble)
discuss the definition of PSWP and
provide examples of what information
would and would not meet the
definition.7 Because there continues to
be confusion about this definition, the
prior discussion will be reiterated and
further clarified here. The definition of
PSWP sets forth three basic ways that
certain information can become PSWP:
(1) The information is prepared by a
provider for reporting to a PSO and it
is reported to the PSO, (2) the
information is developed by a PSO for
the conduct of patient safety activities,8
or, (3) the information identifies or
constitutes the deliberations or analysis
of, or identifies the fact of reporting
pursuant to, a patient safety evaluation
system (PSES).9 The first way—
5 ‘‘It is not the intent of this legislation to
establish a legal shield for information that is
already currently collected or maintained separate
from the new patient safety process, such as a
patient’s medical record. That is, information which
is currently available to plaintiffs’ attorneys or
others will remain available just as it is today.’’ 151
Cong. Rec. S8741 (daily ed. Jul. 22, 2005) (statement
of Mr. Enzi, then chairman of the Senate Health,
Education, Labor, and Pensions Committee). ‘‘Nor
does this bill alter any existing rights or remedies
available to injured patients. The bottom line is that
this legislation neither strengthens nor weakens the
existing system of tort and liability law.’’ Id.
(statement of Mr. Jeffords, who reintroduced S. 544,
the bill that became the Patient Safety Act).
6 ‘‘This legislation does nothing to reduce or
affect other Federal, State or local legal
requirements pertaining to health related
information.’’ Id. (statement of Mr. Jeffords).
7 73 FR 8120–24, Oct. 5, 2007; 73 FR 70739–44,
Nov. 21, 2008.
8 This guidance does not otherwise address the
creation of PSWP through development by a PSO.
Because external regulatory and oversight reporting
obligations are requirements of providers, this
guidance does not apply to information developed
by a PSO for the conduct of patient safety activities.
9 42 U.S.C. 299b-21(7)(A); 42 CFR 3.20 (paragraph
(1) of the definition of PSWP). Patient safety
evaluation system ‘‘means the collection,
management, or analysis of information for

VerDate Sep<11>2014

17:11 May 23, 2016

Jkt 238001

sometimes referred to as the ‘‘reporting
pathway’’—is how providers generally
create most of their PSWP. According to
the Patient Safety Act, in order for
information to become PSWP through
the reporting pathway, it must be
information that could improve patient
safety, health care quality, or health care
outcomes and be assembled or
developed by a provider for reporting to
a PSO and be reported to a PSO.
Another way of saying that the
information is assembled or developed
for reporting to a PSO is that the
information is prepared for the purpose
of reporting it to the PSO.10 Under the
Patient Safety Rule, the reporting
pathway allows for information that is
documented as collected within the
provider’s PSES to be PSWP and thus
privileged and confidential before it is
reported to a PSO. As explained in the
Preamble, this interpretation addresses
the concerns of significant
administrative burden and an
indiscriminate race to report
information to the PSO if information
only became protected after it was
reported to a PSO.11 Nevertheless, a
provider should only place information
in its PSES if it intends to report that
information to the PSO.12
Information That Is Not PSWP
The definition of PSWP also describes
information that is not PSWP.
Specifically excluded from the
definition of PSWP is, ‘‘a patient’s
medical record, billing and discharge
information, or any other original
patient or provider information.’’ 13 The
Patient Safety Act and Rule also exclude
from the PSWP definition ‘‘information
that is collected, maintained, or
developed separately, or exists
separately, from a patient safety
evaluation system.’’ 14 Put another way,
information prepared for purposes other
reporting to or by a PSO.’’ 42 U.S.C. 299b-21(6); 42
CFR 3.20.
10 See 73 FR 70739, Nov. 21, 2008 (‘‘information
may become patient safety work product if it is
assembled or developed by a provider for the
purpose of reporting to a PSO and is reported to a
PSO’’).
11 See 73 FR 70741–42, Nov. 21, 2008.
12 Id. (‘‘We note, however, that a provider should
not place information into its patient safety
evaluation system unless it intends for that
information to be reported to the PSO.’’).
13 42 CFR 3.20 (paragraph (2)(i) of the PSWP
definition). The Patient Safety Act, at U.S.C. 299b21(7)(B)(i), refers to ‘‘original patient or provider
record[s],’’ but the use of ‘‘original patient or
provider information’’ in the regulation is intended
to be synonymous with the use of ‘‘original patient
or provider record’’ in the statute.
14 42 U.S.C. 299b-21(7)(B)(ii); 42 CFR 3.20
(paragraph (2)(i) of the PSWP definition).

PO 00000

Frm 00040

Fmt 4700

Sfmt 4700

than reporting to a PSO is not PSWP
under the reporting pathway.15
Within the category of information
prepared for a purpose other than
reporting to a PSO, information that is
prepared for external obligations has
generated many questions. External
obligations include, but are not limited
to, mandatory requirements placed
upon providers by Federal and state
health regulatory agencies.16 Both the
NPRM and Preamble clearly state that
PSWP cannot be used to satisfy such
external obligations. ‘‘As the Patient
Safety Act states more than once, these
external obligations must be met with
information that is not patient safety
work product, and, in accordance with
the confidentiality provisions, patient
safety work product cannot be disclosed
for these purposes.’’ 17 In the Preamble,
HHS repeatedly stated that PSWP
cannot be used to fulfill external
obligations.18
Purpose for Which the Information Was
Assembled or Developed
As such, uncovering the purpose for
which information is prepared can be a
critical factor in determining whether
the information is PSWP. Since some
types of information can be PSWP or not
depending upon why the information
was assembled or developed, it is
important for providers to be aware of
whether information is prepared for
reporting to a PSO. The chart below
includes some examples.
15 See 73 FR 70740, Nov. 21, 2008 (‘‘Patient safety
work product does not include information that is
collected, maintained, or developed separately or
exists separately from, a patient safety evaluation
system. This distinction is made because these and
similar records must be maintained by providers for
other purposes.’’).
16 Some examples of external obligations include:
state incident reporting, adverse drug event
reporting to the Food and Drug Administration
(FDA), certification or licensing recordkeeping,
reporting to the National Practitioner Data Bank,
and disclosing information to comply with CMS’
CoPs or conditions for coverage. 73 FR 8123, Oct.
5, 2007.
17 73 FR 8123, Oct. 5, 2007.
18 See e.g., 73 FR 70740, Nov. 21, 2008 (‘‘. . .
external reporting obligations as well as voluntary
reporting activities that occur for the purpose of
maintaining accountability in the health care
system cannot be satisfied with patient safety work
product.’’), 70742 (‘‘These external obligations must
be met with information that is not patient safety
work product and oversight entities continue to
have access to this original information in the same
manner as such entities have had access prior to the
passage of the Patient Safety Act.’’), 70743 (‘‘The
final rule is clear that providers must comply with
applicable regulatory requirements and that the
protection of information as patient safety work
product does not relieve a provider of any
obligation to maintain information separately.’’).
19 See CMS Pub. 100–07, State Operations
Manual, Appendix A, Transmittal 37, page 275
(Oct. 17, 2008) (in providing interpretative guidance
on compliance with 42 CFR 482.41(c)(2), stating

E:\FR\FM\24MYR1.SGM

24MYR1

Federal Register / Vol. 81, No. 100 / Tuesday, May 24, 2016 / Rules and Regulations
Type of information

Not PSWP if prepared . . .

Could be PSWP if information is not required for another purpose
and is prepared solely for reporting to a PSO, for example . . .

Information related to the functioning of medical equipment.

For upkeep of equipment (e.g.,
original equipment maintenance
logs), to maintain a warranty, or
for an external obligation (e.g.,
CMS requires some equipment
logs 19).
To ensure appropriate levels of clinician availability (e.g., routine
personnel schedules), or for
compliance purposes 20.
For internal risk management
(claims and liability purposes).

Following a patient incident, a provider develops information about
possible equipment malfunctions for reporting to a PSO. The PSO
can aggregate it with other rare events from other reporting providers to identify risks and hazards.

A list of provider staff who were
present at the time a patient incident occurred.
Written reports 21 of witness accounts of what they observed at
the time of a patient incident.
Information related to care or treatment provided to the patient.

As part of the patient’s original
medical record 22.

Meeting External Obligations
The Patient Safety Act Does Not Relieve
a Provider From Its External Obligations
As discussed above, the Patient Safety
Act does not permit providers to use the
privilege and confidentiality protections
for PSWP to shield records required by
external recordkeeping or reporting
requirements. To this end, the Patient
Safety Act specifically states that it shall
not limit the reporting of non-PSWP ‘‘to
a Federal, State, or local governmental
agency for public health surveillance,
investigation, or other public health
purposes or health oversight purposes’’
or a provider’s recordkeeping
obligations under Federal, State, or local
law.23 It further reinforces that the
statute shall not be construed ‘‘to limit,
alter or affect the requirements of
Federal, State, or local law pertaining to
information that is not’’ PSWP or ‘‘as
preempting or otherwise affecting any
State law requiring a provider to report
information that is not’’ PSWP.24 The
NPRM explains that ‘‘the statute is quite
specific that these protections do not
relieve a provider from its obligation to
comply with other legal, regulatory,
accreditation, licensure, or other
accountability requirements that it
would otherwise need to meet.’’ 25 It
adds that the protected system
established by the Patient Safety Act,
‘‘resides alongside but does not replace

mstockstill on DSK3G9T082PROD with RULES

32657

that survey procedures include reviewing
maintenance logs for significant medical
equipment).
20 As an example, 42 U.S.C. 1395cc(a)(1)(I)(iii)
requires hospitals to maintain an on-call list of
physicians available to provide treatment related to
individuals with emergency medical conditions.
21 Of note, while a written report of the patient
safety incident prepared for reporting to a PSO may
be PSWP, individuals who witnessed the event

VerDate Sep<11>2014

17:11 May 23, 2016

Jkt 238001

Following the incident, a provider originally assembles the list for reporting to a PSO so the PSO can analyze the levels and types of
staff involved in medication errors.
The provider originally prepares the written reports for reporting to
the PSO so that the richness of the narrative can be mined for
contributing factors.
The provider documents all patient allergic reactions in the medical
record then prepares a list of patients that have exhibited the reaction to determine if newly-instituted procedures for reducing risk
were followed specifically for the PSO. The list of patients exhibiting the reaction prepared for reporting to the PSO could be
PSWP, but the original patient medical records would not.

other information collection activities
mandated by laws, regulations, and
accrediting and licensing requirements
as well as voluntary reporting activities
that occur for the purpose of
maintaining accountability in the health
care system.’’ 26 As further stated in the
Preamble, ‘‘nothing in the final rule or
the statute relieves a provider from his
or her obligation to disclose information
from such original records or other
information that is not patient safety
work product to comply with state
reporting or other laws.’’ 27
HHS reiterates that any external
reporting or recordkeeping obligations—
whether they require a provider to
report certain information, maintain
specific records, or operate a separate
system—cannot be met with PSWP. We
also clarify that any information that is
prepared to meet any Federal, state, or
local health oversight agency
requirements is not PSWP. As discussed
above, the Patient Safety Act was
intended to spur the development of
additional information created through
voluntary patient safety activities and to
provide privilege and confidentiality
protections for such new information. It
was not intended to protect records
generated or maintained as part of
providers’ existing mandatory
information collection activities.28 As
stated in the Preamble, ‘‘The
could still potentially disclose or testify about what
they observed.
22 There are various requirements regarding what
information is required to be in the medical record.
For example, CMS’ Hospital CoP for medical record
services includes that a hospital’s medical record,
‘‘must contain information to justify admission and
continued hospitalization, support the diagnosis,
and describe the patient’s progress and response to
medication and services.’’ 42 CFR 482.24(c).
23 42 U.S.C. 299b–21(7)(B)(iii).

PO 00000

Frm 00041

Fmt 4700

Sfmt 4700

Department does not believe that the
patient safety evaluation system enables
providers to avoid transparency. . . .
[T]he Patient Safety Act and the final
rule have carefully assured that
information generally available today
remains available, such as medical
records, original provider documents,
and business records.’’ 29
HHS believes that most providers that
engage with a PSO are doing so to
further learning about patient safety and
health care quality, consistent with the
intent of the Patient Safety Act.
Nevertheless, we are concerned about
two ways that some providers may be
attempting to misuse the Patient Safety
Act protections to avoid their external
obligations—in particular, to
circumvent Federal or state regulatory
obligations. First, some providers with
recordkeeping or record maintenance
requirements appear to be maintaining
the required records only in their PSES
and then refusing to disclose the
records, asserting that the records in
their PSES fulfill the applicable
regulatory requirements while at the
same time maintaining that the records
are privileged and confidential PSWP.
Second, some providers appear to
develop records to meet external
obligations outside of the PSES, place a
duplicate copy of the required record
into the PSES, then destroy the original
24 42
25 73

U.S.C. 299b–22(g).
FR 8124, Oct. 5, 2007.

26 Id.
27 73

FR 70786, Nov. 21, 2008.
73 FR 70742, Nov. 21, 2008 (‘‘Even when
laws or regulations require the reporting of
information regarding the type of events also
reported to PSOs, the Patient Safety Act does not
shield providers from their obligation to comply
with such requirements.’’).
29 73 FR 70739, Nov. 21, 2008.
28 See

E:\FR\FM\24MYR1.SGM

24MYR1

32658

Federal Register / Vol. 81, No. 100 / Tuesday, May 24, 2016 / Rules and Regulations

outside of the PSES and refuse to
disclose the remaining copy of the
information, asserting that the copy is
confidential and privileged PSWP. The
Patient Safety Act was not intended to
give providers such methods to evade
their regulatory obligations. Here, we
clarify HHS’ interpretation of how the
Patient Safety Act prohibits providers
from using the PSES to protect from
disclosure records subject to such
external obligations.
Original Patient and Provider Records
As stated in the Patient Safety Act and
Patient Safety Rule, original patient and
provider records, such as a patient’s
medical record, billing information, and
discharge information, are not PSWP.30
We now provide further clarification
regarding what constitutes other types
of original provider records. HHS
interprets ‘‘original provider records’’ to
include: (1) Original records (e.g.,
reports or documents) that are required
of a provider to meet any Federal, state,
or local public health or health
oversight requirement regardless of
whether such records are maintained
inside or outside of the provider’s PSES;
and (2) copies of records residing within
the provider’s PSES that were prepared
to satisfy a Federal, state, or local public
health or health oversight record
maintenance requirement, if while the
provider is obligated to maintain such
information, the information is only
maintained by the provider within the
PSES (e.g., if the records or documents
that were being maintained outside the
PSES to fulfill the external obligation
were lost or destroyed).31 This
interpretation is consistent with
Congressional intent in enacting the
Patient Safety Act, the text of the statute
and the regulation, and HHS’ prior
interpretation found in the NPRM and
Preamble, all discussed above,
supporting that the Patient Safety Act
does not allow providers to be shielded
from their external obligations.32
30 42

U.S.C. 299b–21(7)(B)(i).
an original provider record is destroyed and
the same information is maintained within the
PSES, a provider may remove the original record
from the PSES for the purpose of maintaining the
information outside of the PSES.
32 This interpretation of ‘‘original provider
records’’ has developed, in part, due to new
information about some providers’ apparent
attempts to avoid compliance with their external
obligations, as discussed above, which has come to
the attention of HHS since we initially developed
the Patient Safety Act’s implementing regulation.
While broadly consistent with prior HHS
interpretation that the Patient Safety Act does not
provide a way for providers to evade their external
obligations, HHS acknowledges that one aspect of
this interpretation is different from that previously
expressed, with respect to whether copies of nonPSWP in the PSES remain privileged and

mstockstill on DSK3G9T082PROD with RULES

31 If

VerDate Sep<11>2014

17:11 May 23, 2016

Jkt 238001

To further illustrate what information
HHS would consider to be original
provider records versus information that
could be eligible to be PSWP, consider
the following hypothetical examples in
scenarios where a provider maintains
specific forms regarding adverse events
in order to satisfy a federal or state law
obligation.
1. The provider only maintains the
forms outside of the PSES: The forms
are not PSWP. They are not PSWP both
because they are an original provider
record and because they are maintained
separately from the PSES.
2. The provider maintains the original
forms outside of the PSES and places
duplicate copies in the PSES for
reporting to the PSO, so that further
analysis using information in the forms
can be conducted: The forms outside of
the PSES are not PSWP, for the reasons
indicated above. The copies in the PSES
would be PSWP, provided that: (1) The
information otherwise meets the
definition of PSWP and (2) the original
forms continue to be maintained by the
provider outside of the PSES.33 If, while
the provider is required to maintain the
forms, the forms outside of the PSES
become unavailable (e.g., they are lost or
destroyed), the duplicate copies of the
forms in the provider’s PSES will be
‘‘original provider records’’ that are no
longer privileged and confidential
PSWP so long as no duplicate copies of
the forms are maintained outside of the
PSES by the provider.34
3. The provider only maintains the
original forms in the PSES: The forms
are original provider records and not
privileged and confidential PSWP. We
note that it would be improper to
maintain records collected for external
reporting purposes solely within a PSES
because this scenario would be a misuse
of a PSES.
4. The provider maintains the forms
outside of the PSES and within the PSES
extracts information from the forms to
conduct further analysis: The forms
confidential PSWP if the original provider record
outside of the PSES is unavailable. See e.g., 73 FR
8124, Oct. 5, 2007 (indicating a copy in the PSES
is protected and may not be disclosed when the
original record outside of the PSES is unavailable).
33 See 73 FR 70743, Nov. 21, 2008 (‘‘Because
information contained in these original records may
be valuable to the analysis of a patient safety event,
the important information must be allowed to be
incorporated into the patient safety work product.
However, the original information must be kept and
maintained separately to preserve the original
records for their intended purposes.’’).
34 The circumstances in which information from
a provider’s PSES would not be protected as PSWP
in this example are consistent with the statute’s text
that states a PSO shall not be compelled to disclose
information—unless such information is: Identified,
not PSWP, and not reasonably available from
another source. See 42 U.S.C. 299b–22(d)(4)(A)(i).

PO 00000

Frm 00042

Fmt 4700

Sfmt 4700

outside of the PSES are not PSWP, for
the reasons indicated above. The
analysis conducted inside the PSES,
including the information extracted
from the forms, is PSWP.
This clarification should not create
problems for providers who have
appropriately created and retained the
original records required to satisfy their
external obligations outside of a PSES.
Those original records would be
available to meet any external reporting
requirements or needs.35 In an effort to
ensure that there is no need to obtain
the copies that exist in the PSES for
other purposes, providers should
establish a mechanism to indicate where
the original records can be located.
Additionally, providers should exercise
extreme caution before destroying any
original records maintained outside of
the PSES. A provider that destroys the
original source documents upon which
PSWP is based is not relieved of its
obligations or any applicable
consequences that may be imposed by
other regulators if they fail to maintain
the original records.
Copies of PSWP
To be clear, the above discussion of
copies relates to information that begins
as non-PSWP (i.e., original patient or
provider records and/or information
that was collected, maintained,
developed, or exists separately from the
PSES). Consistent with the Patient
Safety Rule’s definition of PSWP, copies
of information initially prepared as
PSWP within the PSES are PSWP.36 For
example, if a provider originally
develops information to improve patient
safety in its PSES solely for reporting to
the PSO, that information is PSWP. If
the provider then makes a copy of this
information for the PSO and retains
another copy of it in its PSES, both the
copy of the information disclosed to the
PSO and the copy maintained in the
provider’s PSES are PSWP, and thus
privileged and confidential under the
Patient Safety Rule.
35 We note that this section focuses on
requirements to maintain forms in an available
fashion. To the extent an obligation only requires
reporting and is fully satisfied after that reporting,
a provider has fulfilled the reporting requirement,
and the provider has no ongoing requirement to
maintain the reported information, the subsequent
collection of a form in the PSES and reporting to
a PSO would protect the later form as PSWP
because the external obligation has been fully
satisfied.
36 42 CFR 3.20 (paragraph (1) of the PSWP
definition) (‘‘Except as provided in paragraph (2) of
this definition, patient safety work product means
any . . . [information] . . . (or copies of any of this
material) . . . .’’).

E:\FR\FM\24MYR1.SGM

24MYR1

Federal Register / Vol. 81, No. 100 / Tuesday, May 24, 2016 / Rules and Regulations
Separate Systems
It has come to HHS’ attention that the
discussion in the Preamble regarding
whether providers need to maintain
multiple systems may have caused some
confusion. Some commenters on the
NPRM expressed concern that providers
would need to maintain two duplicate
systems: One PSES for information that
the provider assembles or develops for
reporting to a PSO and a second system
containing the same information if the
provider is unsure at the time the
information is prepared for reporting to
the PSO whether that information may
be required in the future to fulfill a state
law obligation. In response to this
concern, the Preamble discusses a way
that the Patient Safety Rule allows for
information that was PSWP to no longer
be PSWP.37 This process, sometimes
referred to as the ‘‘drop out’’ provision,
provides that PSWP ‘‘assembled or
developed by a provider for reporting to
a PSO may be removed from’’ a PSES
and no longer be considered PSWP if:
‘‘[t]he information has not yet been
reported to a PSO’’ and ‘‘[t]he provider
documents the act and date of removal
of such information from the’’ PSES.38
Once removed from the PSES following
this procedure, the information could be
used for other purposes, such as to meet
state law obligations.
As indicated above, the drop out
provision is intended as a safety valve
for providers who are unsure at the time
that information is being prepared for
reporting to the PSO whether similar
information would, at a later time, be
needed for an external obligation. It
provides some flexibility for providers
as they work through their various
external obligations, as information
assembled or developed for reporting to
the PSO can reside as PSWP within the
provider’s PSES until the provider
makes a future determination as to
whether that information must be used
to meet an external obligation.39 It is
intended to be used on a case-by-case
basis. Under the drop out provision, if
the provider later determines the
information within its PSES that had
originally been assembled or developed
for reporting to a PSO will be instead
used for an external obligation, it is
e.g., 73 FR 70742, Nov. 21, 2008.
CFR 3.20(2)(ii).
39 See 73 FR 70742, Nov. 21, 2008 (Referring to
the documentation of date and purpose of
collection within a PSES, ‘‘(p)roviders have the
flexibility to protect this information as patient
safety work product within their patient safety
evaluation system while they consider whether the
information is needed to meet external reporting
obligations. Information can be removed from the
patient safety evaluation system before it is reported
to a PSO to fulfill external reporting obligations.’’).

removed from the PSES and is no longer
PSWP. This means it is no longer
privileged or confidential under the
Patient Safety Act and Patient Safety
Rule.40 If the provider instead decides to
report the information to a PSO, the
information remains PSWP (so long as
it meets the requirements for being
PSWP, including that it is not an
original patient or provider record) and
cannot be permissibly disclosed for any
reason, except in accordance with the
disclosure permissions described in the
Patient Safety Act and Patient Safety
Rule.41 The Preamble thus explains how
the drop out provision eliminates the
need for a provider to maintain two
systems with duplicate information: A
PSES containing PSWP and a separate
system containing any of that same
information where the provider has yet
to determine whether it will be needed
in the future for another purpose.
Nevertheless, we reemphasize that
where records are mandated by a
Federal or State law requirement or
other external obligation, they are not
PSWP. Thus, a provider should
maintain at least two systems or spaces:
A PSES for PSWP and a separate place
where it maintains records for external
obligations.42 As discussed above, the
Patient Safety Act encourages providers
to prepare, analyze, and share
information beyond what they are
mandated to do. As such, it is expected
that most of the information in a PSES
would be originally created by providers
as part of their voluntary participation
with a PSO.
Shared Responsibility
As described above, the protected
system established under the Patient
Safety Act works in concert with the
external obligations of providers to
ensure accountability and transparency
while encouraging the improvement of
patient safety and reduction of medical
errors through a culture of safety. It is
the provider’s ultimate responsibility to
understand what information is
required to meet all of its external
obligations. If a provider is uncertain
what information is required of it to
fulfill an external obligation, the
provider should reach out to the
external entity to clarify the
requirement. HHS has heard anecdotal

37 See

mstockstill on DSK3G9T082PROD with RULES

38 42

VerDate Sep<11>2014

17:11 May 23, 2016

Jkt 238001

40 Id. (‘‘Once the information is removed, it is no
longer patient safety work product and is no longer
subject to the confidentiality provisions.’’).
41 42 U.S.C. 299b–22(c); 42 CFR 3.204(b),
3.206(b).
42 ‘‘The Patient Safety Act establishes a protected
space or system that is separate, distinct, and
resides alongside but does not replace other
information collection activities . . . .’’ 73 FR
70742, Nov. 21, 2008; see also 73 FR 8124, Oct. 5,
2007.

PO 00000

Frm 00043

Fmt 4700

Sfmt 4700

32659

reports of providers, PSOs, and
regulators working together to ensure
that the regulators can obtain the
information they need without
requesting that providers impermissibly
disclose PSWP. HHS encourages such
communication. Regulatory agencies
and other entities requesting
information of providers or PSOs are
reminded that, subject to the limited
exceptions set forth in the Patient Safety
Act and Patient Safety Rule, PSWP is
privileged and confidential, and it may
not be used to satisfy external
obligations. Therefore, such entities
should not demand PSWP from
providers or PSOs.
Some requirements are clear and
discrete, which makes it relatively easy
for providers to understand what
information is mandated, determine
what additional information they want
to prepare for reporting to a PSO, and
to separate the two categories of
information. Examples of clear and
discrete requirements would include
requirements for a provider to fill out a
particular form or to provide a
document containing specified data
points. However, HHS is aware that
some requirements are more ambiguous
or broad, thus creating uncertainty
about the information required to satisfy
them. Particularly where laws or
regulations may be vague, it is
imperative that the regulators work with
providers so that the regulators obtain
the information they need, and that
providers sufficiently understand what
is required of them so that they can
satisfy their obligations and voluntarily
report additional information to a PSO.
Where a variety of information could
potentially satisfy an external
obligation, and where a provider reports
similar information to the PSO, the
provider may find it helpful to
document which information collection
activities it does to fulfill its external
requirements and which other activities
it does in the PSES, to help ensure
confidentiality and privilege of the
PSWP.
Later Developing Requirements
As discussed above, providers should
work with regulatory bodies and any
other entities with which they have
obligations to understand in advance
the exact information they will need to
satisfy their external obligations. That
way, providers can plan ahead to create
and maintain any information needed to
fulfill their obligations separately from
their PSES. However, even if providers
and regulators cooperate fully, HHS is
aware that situations could arise where
a provider has collected information for
reporting to the PSO and where the

E:\FR\FM\24MYR1.SGM

24MYR1

mstockstill on DSK3G9T082PROD with RULES

32660

Federal Register / Vol. 81, No. 100 / Tuesday, May 24, 2016 / Rules and Regulations

records at issue were not required by
any external obligation at the time they
were created, but where a regulator later
seeks the same information as part of its
oversight or investigatory
responsibilities. The information at
issue would be PSWP and would be
privileged and confidential, but the
provider may still have several options
to satisfy its obligation. If the
information is eligible for the drop out
provision (including that the provider
has not yet reported the information to
a PSO), then the provider may follow
the drop out provision discussed above
to remove the information from its PSES
and report or maintain the information
outside of the PSES, to satisfy the
regulator’s request. This information is
no longer PSWP. If the provider has
reported the information to a PSO or the
information is otherwise not subject to
the drop out provision, the Patient
Safety Act and Patient Safety Rule
provide several options that the
provider may want to consider, which
are discussed below.
1. Did the provider mistakenly enter
information that is not PSWP into its
PSES? The provider may want to first
ensure that the information being
requested meets the definition of PSWP.
If the provider determines that the
information now required is not PSWP
(e.g., an original patient record was
accidentally placed in the PSES), the
provider can remove the information
from its PSES. If the information does
not meet the definition of PSWP, it is
not privileged and confidential under
the Patient Safety Act, and the Patient
Safety Act places no limitations on the
provider from further releasing it. If the
information is not PSWP and the only
copy of the information is in the PSO’s
PSES (i.e., the provider did not retain a
copy outside of or in its PSES), then the
Patient Safety Act places no limitations
on the PSO from releasing it back to the
provider.
2. Is there a disclosure exception that
may be used to permissibly disclose the
PSWP? For example:
• Can the provider obtain
authorization from each identified
provider to disclose the information, in
accordance with 42 CFR 3.206(b)(3)?
• Is the information subject to the
disclosure permission to the FDA at 42
CFR 3.206(b)(7)?
• Is the information being voluntarily
disclosed to an accrediting body,
pursuant to 42 CFR 3.206(b)(8)?
While these disclosure permissions
are available in the limited
circumstances described in the Patient
Safety Rule, relying upon a disclosure
permission should not be a provider’s
primary method to meet an external

VerDate Sep<11>2014

17:11 May 23, 2016

Jkt 238001

obligation. As stated in the Preamble,
with respect to the FDA disclosure
permission, ‘‘However, we emphasize
that, despite this disclosure permission,
we expect that most reporting to the
FDA and its regulated entities will be
done with information that is not
patient safety work product, as is done
today. This disclosure permission is
intended to allow for reporting to the
FDA or FDA-regulated entity in those
special cases where, only after an
analysis of patient safety work product,
does a provider realize it should make
a report.’’ 43 44 HHS has the same
expectation for other external
obligations, as well.
3. Can the provider recreate the
information or conduct an identical
analysis from non-PSWP outside of the
PSES? If a provider is instructed to
compile specified information but the
provider previously assembled such
information within its PSES and
reported it to a PSO, this does not
prevent a provider from creating the
requested information using non-PSWP.
As indicated in the NPRM, ‘‘[t]hose who
participated in the collection,
development, analysis, or review of the
missing information or have knowledge
of its contents can fully disclose what
they know . . .’’ 45 Similarly, although
an analysis originally conducted in the
PSES cannot become non-PSWP under
the drop out provision, if a provider is
informed that a certain analysis is
needed to meet an external obligation,
the Patient Safety Act indicates that a
provider could conduct a new analysis
with non-PSWP to satisfy this
requirement, ‘‘regardless of whether
such additional analysis involves issues
identical to or similar to those for which
information was reported to or assessed
by’’ a PSO or PSES.46
Providers are reminded that they
should exercise care to ensure that even
if the information is not privileged and
confidential under the Patient Safety
Act or if a permissible disclosure of
PSWP has been identified, the intended
disclosure of the information is not
impermissible under any other law (e.g.,
the HIPAA Privacy Rule.)
43 73

FR 70782, Nov. 21, 2008.
publication of the Patient Safety
Rule, HHS issued guidance on meeting mandatory
reporting obligations to the FDA. See ‘‘Department
of Health and Human Services Guidance Regarding
Patient Safety Organizations’ Reporting Obligations
and the Patient Safety and Quality Improvement
Act of 2005’’ available at www.pso.ahrq.gov.
45 73 FR 8124, Oct. 5, 2007.
46 42 U.S.C. 299b–22(h).
44 Following

PO 00000

Frm 00044

Fmt 4700

Sfmt 4700

Dated: May 19, 2016.
Andrew Bindman,
AHRQ Director.
Jocelyn Samuels,
Director, OCR.
[FR Doc. 2016–12312 Filed 5–20–16; 5:15 pm]
BILLING CODE 4160–90–P

DEPARTMENT OF HOMELAND
SECURITY
Federal Emergency Management
Agency
44 CFR Part 64
[Docket ID FEMA–2016–0002; Internal
Agency Docket No. FEMA–8435]

Suspension of Community Eligibility
Federal Emergency
Management Agency, DHS.
ACTION: Final rule.
AGENCY:

This rule identifies
communities where the sale of flood
insurance has been authorized under
the National Flood Insurance Program
(NFIP) that are scheduled for
suspension on the effective dates listed
within this rule because of
noncompliance with the floodplain
management requirements of the
program. If the Federal Emergency
Management Agency (FEMA) receives
documentation that the community has
adopted the required floodplain
management measures prior to the
effective suspension date given in this
rule, the suspension will not occur and
a notice of this will be provided by
publication in the Federal Register on a
subsequent date. Also, information
identifying the current participation
status of a community can be obtained
from FEMA’s Community Status Book
(CSB). The CSB is available at http://
www.fema.gov/fema/csb.shtm.
DATES: The effective date of each
community’s scheduled suspension is
the third date (‘‘Susp.’’) listed in the
third column of the following tables.
FOR FURTHER INFORMATION CONTACT: If
you want to determine whether a
particular community was suspended
on the suspension date or for further
information, contact Patricia Suber,
Federal Insurance and Mitigation
Administration, Federal Emergency
Management Agency, 500 C Street SW.,
Washington, DC 20472, (202) 646–4149.
SUPPLEMENTARY INFORMATION: The NFIP
enables property owners to purchase
Federal flood insurance that is not
otherwise generally available from
private insurers. In return, communities
agree to adopt and administer local
SUMMARY:

E:\FR\FM\24MYR1.SGM

24MYR1


File Typeapplication/pdf
File Modified2016-05-24
File Created2016-05-24

© 2024 OMB.report | Privacy Policy