Attachment B_Patient Safety and Quality Improvement Rule 2008

Attachment B_Patient Safety and Quality Improvement Rule-2008.pdf

Patient Safety Organization Certification for Initial Listing and Related Forms, Patient Safety Confidentiality Complaint Form, and Common Formats

Attachment B_Patient Safety and Quality Improvement Rule 2008

OMB: 0935-0143

Document [pdf]
Download: pdf | pdf
Friday,
November 21, 2008

Part III

Department of
Health and Human
Services

dwashington3 on PRODPC61 with RULES3

42 CFR Part 3
Patient Safety and Quality Improvement;
Final Rule

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

PO 00000

Frm 00001

Fmt 4717

Sfmt 4717

E:\FR\FM\21NOR3.SGM

21NOR3

70732

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

DEPARTMENT OF HEALTH AND
HUMAN SERVICES
42 CFR Part 3
RIN 0919–AA01

Patient Safety and Quality
Improvement
Agency for Healthcare Research
and Quality, Office for Civil Rights,
Department of Health and Human
Services.
ACTION: Final rule.
AGENCY:

dwashington3 on PRODPC61 with RULES3

SUMMARY: The Secretary of Health and
Human Services is adopting rules to
implement certain aspects of the Patient
Safety and Quality Improvement Act of
2005, Pub. L. 109–41, 42 U.S.C. 299b–
21—b–26 (Patient Safety Act). The final
rule establishes a framework by which
hospitals, doctors, and other health care
providers may voluntarily report
information to Patient Safety
Organizations (PSOs), on a privileged
and confidential basis, for the
aggregation and analysis of patient
safety events.
The final rule outlines the
requirements that entities must meet to
become PSOs and the processes by
which the Secretary will review and
accept certifications and list PSOs. It
also describes the privilege and
confidentiality protections for the
information that is assembled and
developed by providers and PSOs, the
exceptions to these privilege and
confidentiality protections, and the
procedures for the imposition of civil
money penalties for the knowing or
reckless impermissible disclosure of
patient safety work product.
DATES: The final rule is effective on
January 19, 2009.
FOR FURTHER INFORMATION CONTACT:
Susan Grinder, Agency for Healthcare
Research and Quality, 540 Gaither Road,
Rockville, MD 20850, (301) 427–1111 or
(866) 403–3697.
SUPPLEMENTARY INFORMATION: On
February 12, 2008, the Department of
Health and Human Services (HHS)
published a Notice of Proposed
Rulemaking (proposed rule) at 73 FR
8112 proposing to implement the
Patient Safety Act. The comment period
closed on April 14, 2008. One-hundredsixty-one comments were received
during the comment period.

I. Background
Statutory Background
This final rule establishes the
authorities, processes, and rules
necessary to implement the Patient
Safety Act that amended the Public

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

Health Service Act (42 U.S.C. 299 et
seq.) by inserting new sections 921
through 926, 42 U.S.C. 299b–21 through
299b–26.1 The Patient Safety Act
focuses on creating a voluntary program
through which health care providers can
share information relating to patient
safety events with PSOs, with the aim
of improving patient safety and the
quality of care nationwide. The statute
attaches privilege and confidentiality
protections to this information, termed
‘‘patient safety work product,’’ to
encourage providers to share this
information without fear of liability and
creates PSOs to receive this protected
information and analyze patient safety
events. These protections will enable all
health care providers, including multifacility health care systems, to share
data within a protected legal
environment, both within and across
states, without the threat that the
information will be used against the
subject providers.
However, we note that section
922(g)(2) of the Public Health Service
Act is quite specific that these
protections do not relieve a provider
from its obligation to comply with other
Federal, State, or local laws pertaining
to information that is not privileged or
confidential under the Patient Safety
Act: section 922(g)(5) of the Public
Health Service Act states that the
Patient Safety Act does not affect any
State law requiring a provider to report
information that is not patient safety
work product. The fact that information
is collected, developed, or analyzed
under the protections of the Patient
Safety Act does not shield a provider
from needing to undertake similar
activities, if applicable, outside the
ambit of the statute, so that the provider
can meet its obligations with nonpatient safety work product. The Patient
Safety Act, while precluding other
organizations and entities from
requiring providers to provide them
with patient safety work product,
recognizes that the original records
underlying patient safety work product
remain available in most instances for
the providers to meet these other
reporting requirements.
We note also that the Patient Safety
Act references the Standards for the
Privacy of Individually Identifiable
Health Information under the Health
Insurance Portability and
Accountability Act of 1996 (HIPAA
Privacy Rule), 45 CFR parts 160 and
164. Many health care providers
participating in this program will be
1 All citations to provisions in the Patient Safety
Act will be to the sections in the Public Health
Service Act or to its location in the U.S. Code.

PO 00000

Frm 00002

Fmt 4701

Sfmt 4700

covered entities under the HIPAA
Privacy Rule and will be required to
comply with the HIPAA Privacy Rule
when they disclose patient safety work
product that contains protected health
information. The Patient Safety Act is
clear that it is not intended to interfere
with the implementation of any
provision of the HIPAA Privacy Rule.
See 42 U.S.C. 299b–22(g)(3). The statute
also provides that civil money penalties
cannot be imposed under both the
Patient Safety Act and the HIPAA
Privacy Rule for a single violation. See
42 U.S.C. 299b–22(f). In addition, the
statute states that PSOs shall be treated
as business associates, and patient
safety activities are deemed to be health
care operations under the HIPAA
Privacy Rule. See 42 U.S.C. 299b and
299–22(i). Since patient safety activities
are deemed to be health care operations,
the HIPAA Privacy Rule does not
require covered providers to obtain
patient authorizations to disclose
patient safety work product containing
protected health information to PSOs.
Additionally, as business associates of
providers, PSOs must abide by the terms
of their HIPAA business associate
contracts, which require them to notify
the provider of any impermissible use or
disclosure of the protected health
information of which they are aware.
See 45 CFR 164.504(e)(2)(ii)(C).
II. Overview of the Proposed and Final
Rules
A. The Proposed Rule
The proposed rule sought to
implement the Patient Safety Act to
create a voluntary system through
which providers could share sensitive
information relating to patient safety
events without fear of liability, which
should lead to improvements in patient
safety and in the quality of patient care.
The proposal reflected an approach to
the implementation of the Patient Safety
Act intended to ensure adequate
flexibility within the bounds of the
statutory provisions and to encourage
providers to participate in this
voluntary program. The proposed rule
emphasized that this program is not
federally funded and will be put into
operation by the providers and PSOs
that wish to participate with little direct
federal involvement. However, the
process for certification and listing of
PSOs will be implemented and overseen
by the Agency for Healthcare Research
and Quality (AHRQ), while compliance
with the confidentiality provisions will
be investigated and enforced by the
Office for Civil Rights (OCR).
Subpart A of the proposed rule set
forth the definitions of essential terms,

E:\FR\FM\21NOR3.SGM

21NOR3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

dwashington3 on PRODPC61 with RULES3

such as patient safety work product,
patient safety evaluation system, and
PSO. In order to facilitate the sharing of
patient safety work product and the
analysis of patient safety events,
Subpart B of the proposed rule
implemented the statutory requirements
for the listing of PSOs, the entities that
will offer their expert advice in
analyzing the patient safety events and
other information they collect or
develop to provide feedback and
recommendations to providers. The
proposed rule established the criteria
and set forth a process for certification
and listing of PSOs and described how
the Secretary would review, accept,
condition, deny, or revoke certifications
for listing and continued listing of
entities as PSOs.
Based on the statutory mandates in
the Patient Safety Act, Subpart C of the
proposed rule set forth the privilege and
confidentiality protections that attach to
patient safety work product; it also set
forth the exceptions to these
protections. The proposed rule provided
that patient safety work product
generally continues to be protected as
privileged and confidential following a
disclosure and set certain limitations on
redisclosure of patient safety work
product.
Subpart D of the proposed rule
established a framework to enable the
Secretary to monitor and ensure
compliance with this Part, a process for
imposing a civil money penalty for
breach of the confidentiality provisions,
and procedures for a hearing contesting
the imposition of a civil money penalty.
These provisions were modeled largely
on the HIPAA Enforcement Rule at 45
CFR part 160, subparts C, D and E.
B. The Final Rule
We received over 150 comments on
the proposed rule from a variety of
entities, including small providers and
large institutional providers, hospital
associations, medical associations,
accrediting bodies, medical liability
insurers, and state and federal agencies.
Many of the commenters expressed
support for the proposed rule and the
protections it granted to sensitive
information related to patient safety
events.
Based upon the comments received,
the final rule adopts most of the
provisions of the proposed rule without
modification; however, several
significant changes to certain provisions
of the proposed rule have been made in
response to these comments. Changes to
Subpart A include the addition of a
definition of affiliated provider. The
definitions of component organization,
parent organization, and provider were

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

modified for clarity, and the definition
of disclosure was modified to clarify
that the sharing of patient safety work
product, between a component PSO and
the entity of which it is a part, qualifies
as a disclosure, while the sharing of
patient safety work product between a
physician with staff privileges and the
entity with which it holds privileges is
not a disclosure. We have also modified
the definition of patient safety work
product to include information that,
while not yet reported to a PSO, is
documented as being within a
provider’s patient safety evaluation
system and that will be reported to a
PSO. This modification allows for
providers to voluntarily remove, and
document the removal of, information
from the patient safety evaluation
system that has not yet been reported to
a PSO, in which case, the information
is no longer patient safety work product.
The most significant modifications to
Subpart B include the following. With
respect to the listing of PSOs, we have
broadened the list of excluded entities
at § 3.102(a)(2)(ii), required PSOs at
§ 3.102(b)(1)(i)(B) to notify reporting
providers of inappropriate disclosures
or security breaches related to the
information they reported, specified
compliance with the requirement
regarding the collection of patient safety
work product in § 3.102(b)(2)(iii),
eliminated the requirements for separate
information systems and restrictions on
shared staff for most component PSOs
but added additional restrictions and
limitations for PSOs that are
components of excluded entities at
§ 3.102(c), and narrowed and clarified
the disclosure requirements that PSOs
must file regarding contracting
providers with whom they have
additional relationships at § 3.102(d)(2).
We have modified the security
requirement to provide flexibility for
PSOs to determine whether to maintain
patient safety work product separately
from unprotected information. The final
rule includes a new expedited
revocation process at § 3.108(e) for
exceptional circumstances that require
prompt action, and eliminates implied
voluntary relinquishment, providing
instead in § 3.104(e) that a PSO’s listing
automatically expires at the end of three
years, unless it is revoked for cause,
voluntarily relinquished, or its
certifications for continued listing are
approved.
Changes to proposed Subpart C
include the addition of language in
§ 3.206(b)(2) that requires a reporter
seeking equitable relief to obtain a
protective order to protect the
confidentiality of patient safety work
product during the course of the

PO 00000

Frm 00003

Fmt 4701

Sfmt 4700

70733

proceedings. Proposed § 3.206(b)(4) has
been amended to allow disclosures of
identifiable, non-anonymized patient
safety work product among affiliated
providers for patient safety activities. In
addition, proposed § 3.206(b)(7) has
been modified to make clear that the
provision permits disclosures to and
among FDA, entities required to report
to FDA, and their contractors. We also
have modified proposed § 3.206(b)(8) to
require providers voluntarily disclosing
patient safety work product to
accrediting bodies either to obtain the
agreement of identified non-disclosing
providers or to anonymize the
information with respect to the nondisclosing providers prior to disclosure.
Finally, we modified §§ 3.204(c),
3.206(d), and 3.210 to allow disclosures
of patient safety work product to or by
the Secretary for the purposes of
determining compliance with not only
the Patient Safety Act, but also the
HIPAA Privacy Rule.
In Subpart D, we adopt the proposed
provisions except, where reference was
made in the proposed rule to provisions
of the HIPAA Privacy Rule, the final
rule includes the text of such provisions
for convenience of the reader.
We describe more fully these
provisions, the comments received, and
our responses to these comments below
in the section-by-section description of
the final rule below.
III. Section-by-Section Description of
Final Rule and Response to Comments
A. Subpart A—General Provisions
1. Section 3.10—Purpose
Proposed Rule: Proposed § 3.10
provided that the purpose of proposed
Part 3 is to implement the Patient Safety
and Quality Improvement Act of 2005
(Pub. L. 109–41), which amended the
Public Health Service Act (42 U.S.C. 299
et seq.) by inserting new sections 921
through 926, 42 U.S.C. 299b–21 through
299b–26.
Overview of Public Comments: No
comments were received pertaining to
this section.
Final Rule: The Department adopts
the proposed provision without
modification.
2. Section 3.20—Definitions
Proposed Rule: Proposed § 3.20
provided for definitions applicable to
Part 3. Some definitions were
restatements of the definitions at section
921 of the Public Health Service Act, 42
U.S.C. 299b–21, and other definitions
were provided for convenience or to
clarify the application and operation of
the proposed rule.

E:\FR\FM\21NOR3.SGM

21NOR3

70734

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

Overview of Public Comments: With
respect to the definitions for AHRQ,
ALJ, Board, complainant, component
PSO, confidentiality provisions, entity,
group health plan, health maintenance
organization, HHS, HIPAA Privacy Rule,
identifiable patient safety work product,
nonidentifiable patient safety work
product, OCR, Patient Safety Act,
patient safety activities, patient safety
organization, person, research,
respondent, responsible person, and
workforce, we received no comments.
We received a number of comments
on the various other definitions and
these comments will be addressed
below in reference to the specific term.
Final Rule: The Department adopts
the above definitions as proposed.
Certain definitions were added for
convenience or clarity of the reader.

dwashington3 on PRODPC61 with RULES3

Response to Public Comments
Comment: Commenters requested
definitions for accrediting body,
reporter, redisclosure, impermissible
disclosure, use, evaluation and
demonstration projects, and legislatively
created PSO.
Response: The Department does not
agree that the additional definitions
requested by commenters are necessary.
Some definitions requested have
generally accepted meanings and we do
not believe there is benefit in imposing
more limitations on such terms. Some
terms such as legislatively created PSO
are not used within the final rule. Other
terms such as impermissible disclosure,
use, and reporter are readily understood
from the context of the final rule and do
not need definitions.
(A) Section 3.20—New Definition of
Affiliated Provider
Final Rule: The proposed rule did not
include a definition for affiliated
provider. The Department adopts the
term affiliated provider to mean, with
respect to a provider, a legally separate
provider that is the parent organization
of the provider, is under common
ownership, management, or control
with the provider, or is owned,
managed, or controlled by the provider.
The Department includes this term to
identify to whom patient safety work
product may be disclosed pursuant to a
clarification of the disclosure
permission for patient safety activities.
Overview of Comments: Several
commenters were concerned about
limitations of disclosures for patient
safety activities among providers.
Commenters raised concerns that
limitations may inhibit the sharing and
learning among providers of the analysis
of patient safety events. Other
commenters viewed the disclosure

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

limitations as restricting a provider’s
use of its own data. These comments are
addressed more fully below as part of
the discussion of the patient safety
activities disclosure permission.
(B) Section 3.20—Definition of Bona
Fide Contract
Proposed Rule: Proposed § 3.20
provided that bona fide contract would
mean a written contract between a
provider and a PSO that is executed in
good faith or a written agreement
between a Federal, State, local, or Tribal
provider and a Federal, State, local, or
Tribal PSO.
Overview of Public Comments: One
comment was received noting that
‘‘good faith’’ need not be a part of a bona
fide contract.
Final Rule: Because meeting the
minimum contract requirement is
essential for a PSO to remain listed by
the Secretary, the Department believes
that the requirement that contracts to be
entered in good faith should be retained.
We also note that Federal, State, local or
Tribal providers are free to enter into an
agreement with any PSO that would
serve their needs; thus, they can enter
bona fide contracts with PSOs pursuant
to paragraph (1) of the definition, or
enter comparable arrangements with a
Federal, State, local or Tribal PSO
pursuant to paragraph (2). The
Department adopts the proposed
provision without modification.
(C) Section 3.20—Definition of
Component Organization
Proposed Rule: Proposed § 3.20
provided that component organization
would mean an entity that is either: (a)
A unit or division of a corporate
organization or of a multi-organizational
enterprise; or (b) a separate
organization, whether incorporated or
not, that is owned, managed or
controlled by one or more other
organizations, i.e., its parent
organization(s). Because this definition
used terms in a manner that was broader
than traditional usage, the proposed rule
sought comment on whether it was
appropriate for purposes of the
regulation to consider a subsidiary, an
otherwise legally independent entity, as
a component organization.
With respect to the terms ‘‘owned,
managed, or controlled,’’ the preamble
directed readers to our description of
these concepts in our discussion of the
term ‘‘parent organization.’’ The
preamble to the proposed rule discussed
the various ways that an organization
may be controlled by others. In
particular, there was a discussion of
multi-organizational enterprises and the
variety of management relationships or

PO 00000

Frm 00004

Fmt 4701

Sfmt 4700

forms of control that such enterprises
can create that might impact component
entities. The preamble also discussed
the traditional meaning of subsidiaries
as being separate legal entities and,
therefore, not within the ordinary
meaning of the term ‘‘component.’’
However, the approach of the proposed
rule was to express the Department’s
intention to encourage all forms of PSO
organizational arrangements including
the ownership of PSOs as subsidiaries.
At the same time, we wanted to be able
to accurately determine and to indicate
to providers which PSOs should be
considered components of other entities
and the identity of a component PSO’s
parent organization. We explained our
intent was not to limit our approach to
corporate forms of organizations.
Overview of Public Comments: The
majority of commenters supported our
proposal to consider subsidiaries as
component organizations for the
purposes of this rule. Several
commenters sought reassurance that our
interpretation does not impose
additional legal liability on the parent
organization.
Concern was expressed that our
approach suggested an over-reliance on
the corporate model and the definition
needed to reflect other types of legally
recognized entities. One comment
reflected concern that our reference to
‘‘multi-organizational enterprise’’ in the
definition was unnecessarily confusing
because it was not commonly used.
Another commenter disagreed with our
approach entirely, arguing that the
scope of our definition was overly broad
and unnecessary.
Final Rule: The final rule now defines
‘‘component organization’’ to mean an
entity that: ‘‘(1) is a unit or division of
a legal entity (including a corporation,
partnership, or a Federal, State, local or
Tribal agency or organization); or
(2) Is owned, managed, or controlled
by one or more legally separate parent
organizations.’’
The definition of component
organization is intended to be read with
a focus on management or control by
others as its defining feature. The
definition must be read in conjunction
with the complementary definition of
‘‘parent organization.’’ While our
approach remains little changed, we
have rearranged and streamlined the
text of the definition of component in
response to the comments and concerns
we received on it. For example, there is
no longer an explicit reference in the
definition of component to multiorganizational enterprises, which are
undertakings with separate corporations
or organizations that are integrated in a
common business activity. The revised

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
definition, however, is sufficiently
broad to apply to components of such
enterprises. In response to concerns that
the earlier definition was too focused on
corporate organizations, we have
incorporated an explicit reference to
‘‘other legal entities’’ besides
corporations. In addition, specific
references have been added to more
clearly accommodate possible
organizational relationships of public
agencies, such as the Department of
Defense (DoD), Department of Veterans
Affairs (VA), the Indian Health Service
(IHS), and other State, local, and Tribal
organizations that manage or deliver
health care services.
In the scenario envisioned by the first
prong of the definition, the legal entity
is a parent organization and the
component organization is a unit or
division within the parent organization.
An underlying assumption of the
modified paragraph (1) is that a unit or
division of a legal entity may be
managed or controlled by one or more
parent organizations. Consistent with
this paragraph, a component PSO may
be managed or controlled by the legal
entity of which it is a part or by another
unit or division of that entity. It could
also be controlled by a legally separate
entity under the second paragraph of the
definition.
The first prong of the definition
encompasses a component PSO that is
a unit of a governmental agency that is
a legal entity. This could include a
component organization managed by
another division of such a governmental
agency, e.g., a health care division of VA
or DoD. Thus, a component PSO could
be a unit or component of a Federal
agency that is a legal entity and it could
at the same time be a component of
another unit or division of that agency
which controls and directs or manages
its operation. So too in the private
sector, a component PSO could have
more than one parent and thus be a
component, for example, of a
professional society as well as a
component of the unit or division of the
professional society that controls or
manages the PSO.
The second prong of the definition
addresses a variety of organizational
relationships that could arise between
component PSOs and legally separate
parent organizations that manage or
control them. Under paragraph (2), a
subsidiary PSO could be managed or
controlled by its legally separate parent
organization. In addition, we note that
a component PSO could be managed or
controlled by another unit or division of
its legally separate parent, e.g., if this
unit or division uses its knowledge and
skills to control or manage certain

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

aspects of the component’s operations.
If that occurs, we would consider the
sibling subsidiary that exercises control
or management over the PSO as another
parent organization of the PSO.
Obtaining the identity and contact
information of an entity’s parent
organizations is useful for the purpose
of letting providers know who may be
managing or controlling a PSO. This
information also will be useful in
implementing the certification and
listing process for PSOs described in the
rule which, for instance, excludes any
health insurance issuer from becoming
a PSO and excludes a component of a
health insurance issuer from becoming
a PSO.
In response to commenters concerned
about the legal liability for parent
organizations of component PSOs, we
note that the preamble to the proposed
rule stated as follows: ‘‘We stress that
neither the statute nor the proposed
regulation imposes any legal
responsibilities, obligations, or liability
on the organization(s) of which it [the
PSO] is a part.’’ The Department
reaffirms its position. At the same time,
we note that the rule, at § 3.402(b),
recognizes, provides for, and does not
alter the liability of principals based on
Federal common law.
Response to Other Public Comments
Comment: One concern that was
expressed by several commenters
pertained to whether or not a health
system that has a component or
subsidiary health insurance issuer, e.g.,
a group health plan offered to the
public, would be precluded from having
a component PSO as well.
Response: So long as the component
health insurance issuer does not come
within the definition of a parent
organization of the PSO, i.e., own a
controlling or majority interest in,
manage, or control the health system’s
component PSO (i.e., the PSO would
not be a component of the health
insurance issuer), the parent health
system could establish a component
PSO.
Comment: It was asserted that
including subsidiaries as components
would require a PSO that is not
controlled by another parent
organization, but itself has a subsidiary,
to seek listing as a component PSO.
Response: The revised definition of
component organization emphasizes
that a component is an organization that
is controlled by another entity. It is not
the Department’s intention to require a
PSO that is not controlled by another
entity to seek listing as a component
PSO. For this reason, the fact that a PSO
has a subsidiary does not trigger the

PO 00000

Frm 00005

Fmt 4701

Sfmt 4700

70735

requirement to seek listing as a
component organization.
Comment: It was suggested that the
inclusion of subsidiaries within the
meaning of component would require a
health system that wished to create a
PSO to create it as a component.
Response: There are several issues
that a health system needs to consider
in determining whether and how to
create a PSO, but the inclusion of
subsidiary within the meaning of
component is not necessarily
determinative. The statute requires the
improvement of quality and patient
safety to be the primary activity of the
entity seeking listing. Since few
multifaceted health system
organizations will meet this
requirement, existing organizations will
have an incentive to create singlepurpose component organizations that
clearly meet the requirement. The
second issue is whether to create a PSO
as an internal component organization
or as a separate legal entity. Because the
final rule requires each PSO to enter two
contracts, provider organizations may
find it useful for its component PSO to
be a separate legal entity. Otherwise, the
component PSO may be precluded from
contracting with its parent organization.
Comment: There was a request for a
definition of ‘‘own’’ with a suggestion
for reference to Internal Revenue Code
26 I.R.C. § 1563 to clarify its meaning
and the meaning of having a controlling
interest. This same commenter sought
strong separation requirements between
a component PSO and any parent
organization.
Response: We have reviewed the cited
regulation but conclude that the
approach presented is unlikely to clarify
the meaning of ‘‘own’’ or ‘‘having a
controlling interest’’ for purposes of the
regulation. Accordingly, the definition
of component in the final rule will use
the term ‘‘owns,’’ but it should be read
in conjunction with the phrase ‘‘owns a
controlling or majority interest in’’ that
is used in the related definition of
‘‘parent organization.’’ This will
indicate that the definition of
component uses the term ‘‘owns’’ to
mean having a sufficient ownership
interest to control or manage a PSO. The
holder of a controlling or majority
interest in the entity seeking to be listed
should be identified as a parent
organization.
Comment: Components of government
entities should not be listed as PSOs.
Response: The Patient Safety Act
specifically permits public sector
entities, and components of public
sector entities, to seek listing as a PSO.
We have incorporated several
exclusions, however, of entities with

E:\FR\FM\21NOR3.SGM

21NOR3

70736

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

dwashington3 on PRODPC61 with RULES3

regulatory authority and those
administering mandatory state reporting
programs because these activities are
incompatible with fostering a nonpunitive culture of safety among
providers. As we explain in
§ 3.102(a)(2)(ii), we conclude that it is
not necessary to exclude components of
such entities but have adopted
additional restrictions and requirements
in § 3.102(c) for such component
entities.
(D) Section 3.20—Definition of
Disclosure
Proposed Rule: Proposed § 3.20
provided that disclosure would mean
the release, transfer, provision of access
to, or divulging in any other manner of
patient safety work product by a person
holding patient safety work product to
another person.
We did not generally propose to
regulate uses of patient safety work
product within an entity, i.e., when this
information is exchanged or shared
among the workforce members of an
entity. We believe that regulating uses
within providers and PSOs would be
unnecessarily intrusive given the
voluntary aspect of participation with a
PSO. We believe that regulating uses
would not further the statutory goal of
facilitating the sharing of patient safety
work product with PSOs and that
sufficient incentives exist for providers
and PSOs to prudently manage the
internal sharing of sensitive patient
safety work product. However, based on
the statutory provision, we did propose
that we would recognize as a disclosure
the sharing of patient safety work
product between a component PSO and
the organization of which it is a
component. Such sharing would, absent
the statutory provision and the
proposed regulation, be a use within the
larger organization because the
component PSO is not a separate entity.
The Patient Safety Act supports this
position by demonstrating a strong
desire for the protection of patient safety
work product from the rest of the
organization of which the PSO is a part.
We sought public comment on whether
the decision to not regulate uses was
appropriate.
The proposed rule discussed that
sharing patient safety work product
with a contractor that is under the direct
control of an entity, i.e., a workforce
member, would not be a disclosure, but
rather a use within the entity. However,
sharing patient safety work product
with an independent contractor would
be a disclosure requiring an applicable
disclosure permission.
Overview of Public Comments: Some
commenters supported the proposed

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

definition of disclosure. No commenters
opposed the proposed definition or
requested further clarification.
Most commenters that responded to
the question whether uses of patient
safety work product should be regulated
supported the decision not to regulate
uses. Those commenters agreed that
regulating uses would be overly
intrusive without significant benefit and
that entities are free to enter into
agreements with greater protections.
Other commenters disagreed with the
Department’s proposal and stated that
regulation of uses would improve
confidentiality and thereby increase
provider participation.
No commenters opposed the proposal
that sharing of patient safety work
product from a component PSO to the
rest of the parent entity of which it is
a part would be a disclosure for
purposes of enforcement rather than a
use internal to the entity.
Final Rule: The Department adopts
the provision with modifications. In
general, the modified definition of
disclosure means the release of, transfer
of, provision of access to, or divulging
in any other manner of, patient safety
work product by an entity or natural
person holding the patient safety work
product to another legally separate
entity or natural person, other than a
workforce member of, or a physician
holding privileges with, the entity
holding the patient safety work product.
Additionally, we have defined as a
disclosure the release of, transfer of,
provision of access to, or divulging in
any other manner of, patient safety work
product by a component PSO to another
entity or natural person outside the
component PSO.
We have modified the language for
clarity to distinguish the actions that are
a disclosure for a natural person and an
entity, separately. We have also
included language in the definition that
makes clear that sharing of patient
safety work product from a component
PSO to the entity of which it is a part
is a disclosure even though the
disclosure would be internal to an entity
and generally permitted. Finally, we
have added language to clearly indicate
that the sharing of patient safety work
product between a health care provider
with privileges and the entity with
which it holds privileges does not
constitute a disclosure, consistent with
the treatment of patient safety work
product shared among workforce
members.
Response to Other Public Comments
Comment: Commenters asked that the
Department clarify the terms
‘‘disclosure’’ and ‘‘use’’. Commenters

PO 00000

Frm 00006

Fmt 4701

Sfmt 4700

stated that the terms were used
interchangeably and this caused
confusion.
Response: The term ‘‘disclosure’’
describes the scope of the
confidentiality protections and the
manner in which patient safety work
product may be shared. ‘‘Disclosure’’ is
also employed by the Patient Safety Act
when describing the assessment of civil
money penalties for the failure to
maintain confidentiality (see 42 U.S.C.
299b–22(f)(1)). Although the Patient
Safety Act employs the term ‘‘use’’ in
several provisions, we did not interpret
those provisions to include a restriction
on the use of patient safety work
product based on the confidentiality
protections.
Because the focus of the proposed
rule was on disclosures, we did not
believe that defining the term ‘‘use’’ was
helpful; nor did we believe the terms
would be confusing. Use of patient
safety work product is the sharing
within a legal entity, such as between
members of the workforce, which is not
a disclosure. By contrast, a disclosure is
the sharing or release of information
outside of the entity for which a specific
disclosure permission must be
applicable.
Comment: One commenter requested
clarification regarding the sharing of
patient safety work product among
legally separate participants that join to
form a single joint venture component
PSO.
Response: The Department
distinguishes between the disclosure of
patient safety work product between
legal entities and the use of patient
safety work product internal to a single
legal entity. If a component PSO is part
of a multi-organizational enterprise,
uses of patient safety work product
internal to the component PSO are not
regulated by this final rule, but sharing
of patient safety work product between
the component PSO and another entity
or with a parent organization are
considered disclosures for which a
disclosure permission must apply.
Comment: One commenter raised
concerns that the final rule would
restrict a provider’s use of its own data
and thereby discourage collaboration
with other care givers.
Response: The Department believes
that the final rule balances the interests
between the privacy of identified
providers, patients and reporters and
the need to aggregate and share patient
safety work product to improve patient
safety among all providers. The final
rule does not limit the sharing of patient
safety work product within an entity
and permits sharing among providers
under certain conditions. Affiliated

E:\FR\FM\21NOR3.SGM

21NOR3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
providers may share patient safety work
product for patient safety activities and
non-affiliated providers may share
anonymized patient safety work
product. A provider may also share
patient safety work product with a
health care provider that has privileges
to practice at the provider facility.
Further, if all identified providers are in
agreement regarding the need to share
identifiable patient safety work product,
each provider may authorize and
thereby permit a disclosure.
Comment: Several commenters asked
whether uses were restricted based
upon the purpose for which the patient
safety work product is being shared
internally.
Response: The final rule does not
limit the purpose for which patient
safety work product may be shared
internal to an entity. Entities should
consider the extent to which sensitive
patient safety work product is available
to members of its workforce as a good
business practice.

dwashington3 on PRODPC61 with RULES3

(E) Section 3.20—Definition of Entity
Proposed Rule: Proposed § 3.20
provided that entity would mean any
organization or organizational unit,
regardless of whether the entity is
public, private, for-profit, or not-forprofit.
Overview of Public Comments: One
comment was received suggesting that
the terms ‘‘governmental’’ or ‘‘body
politic’’ should be added to clarify that
the term ‘‘public’’ includes Federal,
State, or local government as well as
public corporations.
Final Rule: The term ‘‘public’’ has
long been used throughout Title 42 of
the Code of Federal Regulations as
encompassing governmental agencies;
therefore we do not believe that the
addition is necessary. The Department
adopts the proposed provision without
modification.
(F) Section 3.20—Definition of Health
Insurance Issuer
Proposed Rule: Proposed § 3.20
provided that health insurance issuer
would mean an insurance company,
insurance service, or insurance
organization (including a health
maintenance organization, as defined in
42 U.S.C. 300gg–91(b)(3)) which is
licensed to engage in the business of
insurance in a State and which is
subject to State law which regulates
insurance (within the meaning of 29
U.S.C. 1144(b)(2). The definition
specifically excluded group health plans
from the meaning of the term.
Overview of Public Comments:
Several commenters expressed concern
that the Department needed to be

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

vigilant in its exclusion of health
insurance issuers and components of
health insurance issuers, urging that
HHS clearly define health insurance
issuers in the final rule. Another
commenter sought clarification
regarding risk management service
companies, i.e., those that offer
professional liability insurance,
reinsurance, or consulting services.
Final Rule: The Department has
reviewed the definition of ‘‘health
insurance issuer’’ and determined that
the definition is clear. Because the
reference to group health plans could be
a source of confusion, we note that we
have defined the term above.
Accordingly, the Department adopts the
proposed provision without
modification.
In response to several comments
regarding the scope of the term health
insurance issuer, the Department has
concluded that, for purposes of this
rule, risk management service
companies, professional liability
insurers and reinsurers do not fall
within the definition of health
insurance issuer.
Response to Other Public Comments
Comment: One commenter asked if a
provider system that was owned as a
subsidiary by an HMO could create a
component PSO.
Response: Section 3.102(a)(2)(i)
excludes a health insurance issuer, a
unit or division of a health insurance
issuer, or an entity that is owned,
managed, or controlled by a health
insurance issuer from seeking listing as
a PSO. In this case, the HMO is
considered a health insurance issuer
and the provider system would be a
component of the health insurance
issuer. Under the rule, the HMO and the
provider system may not seek listing as
a PSO, and the entity created by the
provider system could not seek listing
as a component PSO if it is owned,
managed or controlled by the provider
system or the HMO.
Comment: One commenting
organization requested discussion of
what organizational structure might
allow a health insurance issuer to
participate in the patient safety work of
an independent PSO.
Response: The statutory exclusion
means that the following entities may
not seek listing: a health insurance
issuer or a component of a health
insurance issuer.
(G) Section 3.20—Definition of Parent
Organization
Proposed Rule: Proposed § 3.20
provided that ‘‘parent organization’’
would mean an entity, that alone or

PO 00000

Frm 00007

Fmt 4701

Sfmt 4700

70737

with others, either owns a provider
entity or a component organization, or
has the authority to control or manage
agenda setting, project management, or
day-to-day operations of the component,
or the authority to review and override
decisions of a component organization.
The proposed rule did not provide a
definition of ‘‘owned’’ but provided
controlling interest (holding enough
stock in an entity to control it) as an
example of ownership in the preamble
discussion of the term, ‘‘parent
organization.’’ The proposed rule
specifically sought comment on our use
of the term ‘‘controlling interest,’’
whether it was appropriate, and
whether we needed to further define
‘‘owns.’’ The remaining terms, ‘‘manage
or control,’’ were explained in the
proposed rule’s definition of ‘‘parent
organization,’’ as having ‘‘the authority
to control or manage agenda setting,
project management, or day-to-day
operations of the component, or the
authority to review and override
decisions of a component organization.’’
Overview of Public Comments: We
received eight comments on the
question of ‘‘controlling interest’’ and
there was no consensus among the
commenters. Four commenters thought
our discussion was appropriate.
Another agreed with the concept of
controlling interest but wanted to limit
its application to a provider who
reported patient safety work product to
the entity. One commenter cautioned
that the term ‘‘controlling interest’’ was
open to various interpretations and the
final rule should provide additional
guidance. Another commenter suggested
‘‘controlling interest’’ was worrisome
but did not provide a rationale for this
assessment. One commenter supported
additional protections, contending that
it was appropriate for HHS to pierce the
corporate veil when there was fraud or
collusion, and recommended the
preamble outline situations in which
HHS would pierce the corporate veil.
We received no negative comments on
our proposed interpretation of what it
means to manage or control another
entity. One commenter suggested that
the definition should recognize the
significant authority or control of a
provider entity or component
organization through reserve powers, by
agreement, statute, or both.
Final Rule: While approximately half
of the comments supported our
approach, there was not a clear
consensus in the comments we
reviewed. So the approach we have
taken with the definition of ‘‘parent
organization’’ was to strive for greater
clarity, taking into account its
interaction with our definition of

E:\FR\FM\21NOR3.SGM

21NOR3

70738

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

dwashington3 on PRODPC61 with RULES3

‘‘component organization,’’ described
above.
The definition of ‘‘parent
organization’’ in the final rule retains
the basic framework of the proposed
rule definition: an organization is a
parent if it owns a component
organization, has the ability to manage
or control a component, or has the
authority to review and overrule the
component’s decisions.
The language of the proposed rule
used only the term ‘‘own’’ while the
preamble cited the example of stock
ownership. Without further
specification, we were concerned that
this approach could have been
interpreted to mean that an organization
owning just a few shares of stock of a
component organization would be
considered a parent organization. This
is not our intent. For clarity, we have
modified the text to read ‘‘owns a
controlling or majority interest.’’
We have also removed the phrase
‘‘alone or with others’’ from the first
clause. We did so for two reasons. First,
it is unnecessary since it does not matter
whether ownership is shared with other
organizations, as in a joint venture. An
entity seeking listing as a PSO will use
this definition solely to determine if it
has any parent organizations and, if it
does, it must seek listing as a
component organization and disclose
the names and contact information for
each of its parent organizations. Second,
we have tried to make it as clear as
possible that any organization that has
controlling ownership interests, or
management or control authority over a
PSO, should be considered, and
reported in accordance with the
requirements of § 3.102(c)(1)(i), as a
parent organization.
For similar reasons, we have removed
the reference to provider from the first
part of the definition and instead
consistently used the term ‘‘component
organization’’ with respect to each
characteristic of a parent organization.
We added a second sentence to clarify
that a provider could be the component
organization in all three descriptive
examples given of parental authority.
In response to one commenter’s
concern, we believe that the phrase ‘‘has
the authority’’ as used in the definition
is sufficiently broad to encompass
reserve powers.
(H) Section 3.20—Definition of Patient
Safety Evaluation System
Proposed Rule: Proposed § 3.20
provided that patient safety evaluation
system would mean the collection,
management, or analysis of information
for reporting to or by a PSO. The patient
safety evaluation system would be the

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

mechanism through which information
can be collected, maintained, analyzed,
and communicated. The proposed rule
discussed that a patient safety
evaluation system would not need to be
documented because it exists whenever
a provider engages in patient safety
activities for the purpose of reporting to
a PSO or a PSO engages in these
activities with respect to information for
patient safety purposes. The proposed
rule provided that formal
documentation of a patient safety
evaluation system could designate
secure physical and electronic space for
the conduct of patient safety activities
and better delineate various functions of
a patient safety evaluation system, such
as when and how information would be
reported by a provider to a PSO, how
feedback concerning patient safety
events would be communicated
between PSOs and providers, within
what space deliberations and analyses
of information are conducted, and how
protected information would be
identified and separated from
information collected, maintained, or
developed for purposes other than
reporting to a PSO.
The Department recommended that a
provider consider documentation of a
patient safety evaluation system to
support the identification and
protection of patient safety work
product. Documentation may provide
substantial proof to support claims of
privilege and confidentiality and will
give notice to, will limit access to, and
will create awareness among employees
of, the privileged and confidential
nature of the information within a
patient safety evaluation system which
may prevent unintended or
impermissible disclosures.
We recommended that providers and
PSOs consider documenting how
information enters the patient safety
evaluation system; what processes,
activities, physical space(s) and
equipment comprise or are used by the
patient safety evaluation system; which
personnel or categories of personnel
need access to patient safety work
product to carry out their duties
involving operation of, or interaction
with, the patient safety evaluation
system; the category of patient safety
work product to which access is needed
and any conditions appropriate to such
access; and what procedures the patient
safety evaluation system uses to report
information to a PSO or disseminate
information outside of the patient safety
evaluation system.
The proposed rule sought comment
about whether a patient safety
evaluation system should be required to
be documented.

PO 00000

Frm 00008

Fmt 4701

Sfmt 4700

Overview of Public Comments:
Several commenters supported the
efforts to enable the patient safety
evaluation system to be flexible and
scalable to individual provider
operations. Most commenters that
responded to the question whether a
patient safety evaluation system should
be documented supported the decision
to not require documentation.
Commenters stated that requiring
documentation would inhibit the
flexibility in the design of patient safety
evaluation systems and the ability of
providers to design systems best suited
for their specific practices and settings.
Documentation would also be
burdensome to providers and should
ultimately be left to the discretion of
individual providers based on their
needs. Other commenters supported a
requirement for documentation,
suggesting that documentation would go
further in ensuring compliance with the
confidentiality provisions and the
protection of information, thereby
encouraging provider participation.
Final Rule: The Department adopts
the proposed provision without
modification. Based on the comments,
we have not modified the proposed
decision to not require documentation.
We have, as described in the definition
of patient safety work product below,
clarified how documentation of a
patient safety evaluation system clearly
establishes when information is patient
safety work product. We encourage
providers to document their patient
safety evaluation systems for the
benefits mentioned above. We believe
documentation is a best practice.
Response to Other Public Comments
Comment: Two commenters raised
concerns about how a patient safety
evaluation system operates within a
multi-hospital system comprised of a
parent corporation and multiple
hospitals that are separately
incorporated and licensed. One
commenter asked whether a parent
corporation can establish a single
patient safety evaluation system in
which all hospitals participate. The
other commenter recommended that
individual institutional affiliates of a
multi-hospital system be part of a single
patient safety evaluation system.
Response: For a multi-provider entity,
the final rule permits either the
establishment of a single patient safety
evaluation system or permits the sharing
of patient safety work product as a
patient safety activity among affiliated
providers. For example, a hospital chain
that operates multiple hospitals may
include the parent organization along
with each hospital in a single patient

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
safety evaluation system. Thus, each
hospital may share patient safety work
product with the parent organization
and the patient safety evaluation system
may exist within the parent organization
as well as the individual hospitals.
There may be situations where
establishing a single patient safety
evaluation system may be burdensome
or a poor solution to exchanging patient
safety work product among member
hospitals. To address this concern, we
have modified the disclosure
permission for patient safety activities
to permit affiliated providers to disclose
patient safety work product with each
other based on commonality of
ownership.
Comment: One commenter asked how
a patient safety evaluation system exists
within an institutional provider.
Response: A patient safety evaluation
system is unique and specific to a
provider. The final rule retains a
definition of a patient safety evaluation
system that is flexible and scalable to
meet the specific needs of particular
providers.
With respect to a single institutional
provider, such as a hospital, a provider
may establish a patient safety evaluation
system that exists only within a
particular office or that exists at
particular points within the institution.
The decisions as to how a patient safety
evaluation system operates will depend
upon the functions the institutional
provider desires the patient safety
evaluation system to perform and its
tolerances regarding access to the
sensitive information contained within
the system. Providers should consider
how a patient safety evaluation system
is constructed, carefully weighing the
balance between coordination and
fragmentation of a provider’s activities.
Comment: Some commenters were
concerned that the patient safety
evaluation system provided a loophole
for providers to avoid transparency of
operations and hide information about
patient safety events. Some commenters
suggested that a provider may establish
a patient safety evaluation system that is
inside of a PSO, thus stashing away
harmful documents and information.
Response: The Department does not
believe that the patient safety evaluation
system enables providers to avoid
transparency. A patient safety
evaluation system provides a protected
space for the candid consideration of
quality and safety. Nonetheless, the
Patient Safety Act and the final rule
have carefully assured that information
generally available today remains
available, such as medical records,
original provider documents, and
business records. Providers must fulfill

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

external reporting obligations with
information that is not patient safety
work product. Further, a provider may
not maintain a patient safety evaluation
system within a PSO.
Comment: One commenter asked
whether all information in a patient
safety evaluation system is protected.
Response: Information collected
within a patient safety evaluation
system that has been collected for the
purpose of reporting to a PSO is patient
safety work product if documented as
collected for reporting to a PSO. This is
discussed more fully at the definition of
patient safety work product below.
Information that is reported to a PSO is
also protected, as discussed more fully
at the definition of patient safety work
product below.
Comment: One commenter was
concerned that the lack of a framework
and too much flexibility may interfere
with interoperability and data
aggregation at a later date.
Response: The Department believes
that a patient safety evaluation system
must of necessity be flexible and
scalable to meet the needs of specific
providers and PSOs. Without such
flexibility, a provider may not
participate, which may, lessen the
overall richness of the information that
could be obtained about patient safety
events. The Department recognizes the
value of aggregated data and has,
pursuant to the Patient Safety Act,
begun the process of identifying
standard data reporting terms to
facilitate aggregation and
interoperability. Further, the Patient
Safety Act requires that PSOs, to the
extent practical and appropriate, collect
patient safety work product in a
standardized manner (see 42 U.S.C.
299b–24(b)(1)(F)). The Department
hopes that, by permitting the widest
range possible of providers to
participate in the gathering and analysis
of patient safety events, increased
participation will generate more data
and greater movement towards
addressing patient safety issues.
Comment: Many commenters
encouraged the Department to provide
technical assistance to providers and
PSOs on the structuring and operation
of a patient safety evaluation system.
Response: The Department expects to
provide such guidance on the operation
and activities of patient safety
evaluation systems as it determines is
necessary.
(I) Section 3.20—Definition of Patient
Safety Work Product
Proposed Rule: Proposed § 3.20
adopted the statutory definition of
patient safety work product as defined

PO 00000

Frm 00009

Fmt 4701

Sfmt 4700

70739

in the Patient Safety Act. The proposed
rule provided that many types of
information can become patient safety
work product to foster robust exchanges
between providers and PSOs. Any
information must be collected or
developed for the purpose of reporting
to a PSO.
Three provisions identified how
information becomes patient safety
work product. First, information may
become patient safety work product if it
is assembled or developed by a provider
for the purpose of reporting to a PSO
and is reported to a PSO. Second,
patient safety work product is
information developed by a PSO for the
conduct of patient safety activities.
Third, patient safety work product is
information that constitutes the
deliberations or analysis of, or identifies
the fact of reporting pursuant to, a
patient safety evaluation system.
The proposed rule provided that
reporting means the actual transmission
or transfer of information to a PSO. We
recognized that requiring the
transmission of every piece of paper or
electronic file to a PSO could impose
significant transmission, management,
and storage burdens on providers and
PSOs. The proposed rule sought
comment on whether alternatives for
actual reporting should be recognized as
sufficient to meet the reporting
requirement. For example, the proposed
rule suggested that a provider that
contracts with a PSO may functionally
report information to a PSO by
providing access and control of
information to a PSO without needing to
physically transmit information. The
proposed rule also sought comment on
whether additional terms and
conditions should be required to permit
functional reporting and whether
functional reporting should be
permitted only after an initial actual
report of information related to an
event.
The proposed rule also sought
comment on whether a short period of
protection for information assembled
but not yet reported is necessary for
flexibility or for providers to efficiently
report information to a PSO. We also
sought comment on an appropriate time
period for such protection and whether
a provider must demonstrate intent to
report in order to obtain protection.
The proposed rule also sought
comment on when a provider could
begin collecting information for the
purpose of reporting to a PSO such that
it is not excluded from becoming patient
safety work product because it was
collected, maintained or developed
separately from a patient safety
evaluation system.

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

70740

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

The proposed rule indicated that, if a
PSO is delisted for cause, a provider
would be able to continue to report to
that PSO for 30 days after the date of
delisting and the information reported
would be treated as patient safety work
product (section 924(f)(1) of the Public
Health Service Act). However, after
delisting, the proposed rule indicated
that the former PSO may not generate
patient safety work product by
developing information for the conduct
of patient safety activities or through
deliberations and analysis of
information. Even though a PSO may
not generate new patient safety work
product after delisting, it may still
possess patient safety work product,
which must be kept confidential and be
disposed of in accordance with
requirements in Subpart B.
The proposed rule also described
what is not patient safety work product,
such as a patient’s original medical
record, billing and discharge
information, or any other original
patient or provider record. Patient safety
work product does not include
information that is collected,
maintained, or developed separately or
exists separately from, a patient safety
evaluation system. This distinction is
made because these and similar records
must be maintained by providers for
other purposes.
The proposed rule also discussed that
external reporting obligations as well as
voluntary reporting activities that occur
for the purpose of maintaining
accountability in the health care system
cannot be satisfied with patient safety
work product. Thus, information that is
collected to comply with external
obligations is not patient safety work
product. The proposed rule provided
that such activities include: state
incident reporting requirements;
adverse drug event information
reporting to the Food and Drug
Administration (FDA); certification or
licensing records for compliance with
health oversight agency requirements;
reporting to the National Practitioner
Data Bank of physician disciplinary
actions; or complying with required
disclosures by particular providers or
suppliers pursuant to Medicare’s
conditions of participation or conditions
of coverage.
The proposed rule also addressed the
issue that external authorities may seek
information about how effectively a
provider has instituted corrective action
following identification of a threat to the
quality or safety of patient care. The
Patient Safety Act does not relieve a
provider of its responsibility to respond
to such requests for information or to
undertake or provide to external

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

authorities evaluations of the
effectiveness of corrective action, but
the provider must respond with
information that is not patient safety
work product. The proposed rule
provided that recommendations for
changes from the provider’s patient
safety evaluation system or the PSO are
patient safety work product. However,
the actual changes that the provider
implements to improve how it manages
or delivers health care services are not
patient safety work product, and it
would be virtually impossible to keep
such changes confidential.
Overview of Public Comments:
Commenters raised a significant number
of concerns regarding how information
becomes patient safety work product
under particular provisions of the
definition.
Functional Reporting
We received significant feedback from
commenters in support of recognizing
alternative reporting methods. Most
commenters agreed that an alternative
reporting arrangement should be
permitted to promote efficiency and
relieve providers of the burden of
continued transmission. Two
commenters opposed permitting
alternative reporting methods based on
the concern that a shared resource may
confuse clear responsibility for a breach
of information and that a PSO that has
access to a provider information system
may also have access to patient records
and similar information for which
access may not be appropriate.
Most commenters rejected the
suggestion that functional reporting
should be limited to subsequent reports
of information rather than allowing
functional reports for the first report of
an event. Commenters believed that
such a limitation would inhibit
participation and offset the benefits of
allowing functional reporting.
Commenters also believed such a
limitation would create an artificial
distinction between information that is
initially and subsequently reported to a
PSO. Some commenters believed that
details regarding functional reporting
are better left to agreement between the
provider and PSO engaging in
functional reporting. Two commenters
did support restricting functional
reporting to subsequent information, but
did not provide any rationale or concern
to support their comment.
No commenters identified additional
requirements or criteria that should be
imposed beyond a formal contract or
agreement. Thus, the final rule permits
functional reporting.

PO 00000

Frm 00010

Fmt 4701

Sfmt 4700

When Is Information Protected
Commenters raised significant and
substantial concerns regarding when the
protections for patient safety work
product begins, how existing patient
safety processes will occur given the
protections for patient safety work
product, and the likelihood that
providers may need to maintain
separate systems with substantially
duplicate information. A significant
majority of commenters responded to
the concern regarding the status of
information collected, but not yet
reported to a PSO. Most commenters
agreed with concerns raised by the
Department that early protection could
ease the burden on providers,
preventing a race to report to a PSO.
These commenters recommended that
information be protected upon
collection and prior to reporting.
Protection during this time would
permit providers to investigate an event
and conduct preliminary analyses
regarding causes of the event or whether
to report information to a PSO. Many
commenters were concerned that
information related to patient safety
events be protected at the same time the
information is preserved for other uses.
Some providers indicated that if
duplication of information is required,
providers may opt to not participate due
to costs and burdens. Three commenters
indicated that there should be no
protection until information is reported
to a PSO. One commenter was
concerned that early protection may
interfere with State reporting
requirements because information
needed to report to a State may become
protected and unavailable for State
reporting. Another commenter stated
that earlier protection would not
alleviate the concerns regarding
protection prior to reporting.
Commenters provided a wide range of
recommendations in response to when
protection of information should begin
prior to creation of patient safety work
product. Commenters suggested that
information be protected prior to
reporting for as little as 24 hours from
an event up to 12 months. Other
commenters suggested that a timeframe
be reasonable and based upon relevant
factors such as the complexity of facts
and circumstances surrounding an
event.
State Reporting
One of the most significant areas of
comment was how processes to create
patient safety work product may operate
alongside similar processes within a
provider. Commenters were particularly
concerned that information collected for

E:\FR\FM\21NOR3.SGM

21NOR3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
similar purposes, such as for reporting
to a PSO and for reporting to a State
health authority, would need to be
maintained in separate systems, thereby
increasing the burden on providers. The
most significant comments received
related to how information related to
patient safety events may be protected at
the same time the information is
preserved for other uses. Some
providers indicated that if duplication is
required, provider may opt to not
participate due to costs and burdens.

dwashington3 on PRODPC61 with RULES3

Earliest Time for Collection of
Information
Few commenters responded to the
request for comment on the earliest date
information could be collected for
purposes of reporting to a PSO, a
requirement for information to become
patient safety work product. Four
commenters recommended that
information collection be permitted
back to the passage of the Patient Safety
Act. Four commenters recommended
that the earliest date of collection be
dependent upon each provider’s good
faith and intent to collect information
for reporting to a PSO.
Final Rule: The Department adopts
the proposed provision with some
modification.
Functional Reporting
The Department recognizes the
concerns raised by commenters
regarding the functional reporting
proposal, but believes the benefits
outweigh the potential negative
consequences; the relief of burden, and
the flexibility that derives from not
adhering to a narrow reading of the
reporting requirement. First, we
recognize that a provider and PSO
engaging in this alternative method of
reporting have an established
relationship for the reporting of
information and have spent some time
considering how best to achieve a
mutually useful and suitable reporting
relationship. That relationship will
necessitate consideration of what
information is necessary and not
necessary to achieve the purpose of
reporting. Neither a provider nor a PSO
is required to accept an alternative
reporting mechanism. Further,
providers continue to be under the same
obligations to protect patient and other
medical records from inappropriate
access from others, including the PSO,
without exception. Second, such a
relationship should establish clearly the
mechanism for control of information
reported or to which the PSO will have
access, and the scope of PSO authority
to use the information. In addition, the
assessment of liability should be

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

addressed and need be no more
complex than exists in provider settings
today with shared resources and
integrated services.
We agree with commenters that
limitations regarding the initial or
subsequent reporting of information are
better left to the providers and PSOs
engaging in the practice and that
providers and PSOs should be permitted
to design the appropriately flexible
reporting mechanism befitting the
circumstances of their practice setting.
We further agree that additional
limitations on the ability to use
functional reporting are unwarranted,
absent clear identification of risks or
concerns to be addressed by further
limitations.
For these reasons, we clarify that
reporting of information to a PSO for the
purposes of creating patient safety work
product may include authorizing PSO
access, pursuant to a contract or
equivalent agreement between a
provider and a PSO, to specific
information in a patient safety
evaluation system and authority to
process and analyze that information,
e.g., comparable to the authority a PSO
would have if the information were
physically transmitted to the PSO. We
do not believe a formal change in the
regulatory text is necessitated by this
clarification.
When Is Information Protected
The Department recognizes that the
Patient Safety Act’s protections are the
foundation to furthering the overall goal
of the statute to develop a national
system for analyzing and learning from
patient safety events. To encourage
voluntary reporting of patient safety
events by providers, the protections
must be substantial and broad enough
so that providers can participate in the
system without fear of liability or harm
to reputation. Further, we believe the
protections should attach in a manner
that is as administratively flexible as
permitted to accommodate the many
varied business processes and systems
of providers and to not run afoul of the
statute’s express intent to not interfere
with other Federal, State or local
reporting obligations on providers.
The proposed rule required that
information must be reported to a PSO
before the information may become
patient safety work product under the
reporting provision of the definition of
patient safety work product. However,
this standard left information collected,
but not yet reported to a PSO,
unprotected, a cause of significant
commenter concern. This standard also
might encourage providers to race to
report information indiscriminately to

PO 00000

Frm 00011

Fmt 4701

Sfmt 4700

70741

obtain protection in situations where a
report ultimately may be unhelpful,
causing the expenditure of scarce
resources both by a provider and a PSO
to secure the information as patient
safety work product. The proposed rule
also may have caused some providers to
choose between not participating or
developing dual systems for handling
similar information at increased costs.
We believe it is important to address
the shortcomings of a strict reporting
requirement through the following
modification. The final rule provides
that information documented as
collected within a patient safety
evaluation system by a provider shall be
protected as patient safety work
product. A provider would document
that the information was collected for
reporting to a PSO and the date of
collection. The information would
become patient safety work product
upon collection. Additionally, a
provider may document that the same
information is being voluntarily
removed from the patient safety
evaluation system and that the provider
no longer intends to report the
information to a PSO, in which case
there are no protections. If a provider
fails to document this information, the
Department will presume the intent to
report information in the patient safety
evaluation system to the PSO is present,
absent evidence to the contrary.
We believe this modification
addresses the concerns raised by the
commenters. Protection that begins from
the time of collection will encourage
participation by providers without
causing significant administrative
burden. The alternative is a system that
encourages providers to
indiscriminately report information to
PSOs in a race for protection, resulting
in PSOs receiving large volumes of
unimportant information. By offering
providers the ability to examine patient
safety event reports in the patient safety
evaluation system without requiring
that all such information be
immediately reported to a PSO, and by
providing a means to remove such
information from the patient safety
evaluation system and end its status as
patient safety work product, the final
rule permits providers to maximize
organizational and system efficiencies
and lessens the need to maintain
duplicate information for different
needs. Because documentation will be
crucial to the protection of patient safety
work product at collection, providers
are encouraged to document their
patient safety evaluation system. We
note, however, that a provider should
not place information into its patient
safety evaluation system unless it

E:\FR\FM\21NOR3.SGM

21NOR3

70742

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

dwashington3 on PRODPC61 with RULES3

intends for that information to be
reported to the PSO.
Although this approach substantially
addresses commenter concerns, three
issues do cause concern. First, because
information may be protected back to
the time of collection, providers are no
longer required to promptly report
information to a PSO to ensure
protection. Although we believe this is
an unavoidable result of the
modification, we believe the likely
impact may be rare because providers
are likely to engage PSOs for their
expertise which requires such reporting.
Second, the requirement to document
collection in a patient safety evaluation
system and, potentially, removal from a
patient safety evaluation system could
be burdensome to a provider. However,
we believe these are important
requirements particularly in light of the
enforcement role OCR will play. A
provider will need to substantiate that
information is patient safety work
product, or OCR will be unable to
determine the status of information
potentially leaving sensitive information
unprotected—or subjecting the provider
to penalties for improperly disclosing
patient safety work product. Third, the
ability of a provider to remove
information from a patient safety
evaluation system raises concern that a
provider may circumvent the intent of a
provider employee to obtain protection
for information when reporting to the
provider’s patient safety evaluation
system. For providers that engage in
functional reporting, the concern is
substantially mitigated because, under
functional reporting, information is
reported to a PSO when it is transmitted
to the patient safety evaluation system
to which the PSO has access, and, thus,
protected. Alternatively, a provider
employee may report as permitted
directly to a PSO. Ultimately, this issue
is to be settled between a provider that
wishes to encourage reports that may
not otherwise come to light and its
employees who must be confident that
reporting will not result in adverse
consequences.
For these reasons, the Department
modifies the definition of patient safety
work product to include additional
language in the first provision of the
definition that protects information
based upon reporting to a PSO.
State Reporting
To address commenter concerns about
the duplication of resources for similar
patient safety efforts and the lack of
protection upon collection, we have
clarified the requirements for how
information becomes patient safety
work product when reported to a PSO.

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

Generally, information may become
patient safety work product when
reported to a PSO. Information may also
become patient safety work product
upon collection within a patient safety
evaluation system. Such information
may be voluntarily removed from a
patient safety evaluation system if it has
not been reported and would no longer
be patient safety work product. As a
result, providers need not maintain
duplicate systems to separate
information to be reported to a PSO
from information that may be required
to fulfill state reporting obligations. All
of this information, collected in one
patient safety evaluation system, is
protected as patient safety work product
unless the provider determines that
certain information must be removed
from the patient safety evaluation
system for reporting to the state. Once
removed from the patient safety
evaluation system, this information is
no longer patient safety work product.
Earliest Time for Collection of
Information
The Department believes that a clear
indication of a specific time when
information may first be collected is
beneficial to providers by reducing the
complexity and ambiguity concerning
when information is protected as patient
safety work product. Although each
provider collecting information for
reporting to a PSO may need to support
the purpose of information collection at
the time of collection, such a standard
may be overly burdensome. The
Department agrees that information may
have been collected for the purpose of
reporting to a PSO beginning from
passage of the Patient Safety Act.
Information that existed prior to the
passage of the Patient Safety Act may be
subsequently collected for reporting to a
PSO, but the original record remains
unprotected. This clarification does not
require any regulatory language change
in the proposed rule.
What Is Not Patient Safety Work
Product
We reaffirm that patient safety work
product does not include a patient’s
original medical record, billing and
discharge information, or any other
original patient or provider record; nor
does it include information that is
collected, maintained, or developed
separately or exists separately from, a
patient safety evaluation system. The
final rule includes the statutory
provision that prohibits construing
anything in this Part from limiting (1)
the discovery of or admissibility of
information that is not patient safety
work product in a criminal, civil, or

PO 00000

Frm 00012

Fmt 4701

Sfmt 4700

administrative proceeding; (2) the
reporting of information that is not
patient safety work product to a Federal,
State, or local governmental agency for
public health surveillance,
investigation, or other public health
purposes or health oversight purposes;
or (3) a provider’s recordkeeping
obligation with respect to information
that is not patient safety work product
under Federal, State or local law.
Section 921(7)(B)(iii) of the Public
Health Service Act, 42 U.S.C. 299b–
21(7)(B)(iii). The final rule does not
limit persons from conducting
additional analyses for any purpose
regardless of whether such additional
analyses involve issues identical to or
similar to those for which information
was reported to or assessed by a PSO or
a patient safety evaluation system.
Section 922(h) of the Public Health
Service Act, 42 U.S.C. 299b–22(h).
Even when laws or regulations require
the reporting of the information
regarding the type of events also
reported to PSOs, the Patient Safety Act
does not shield providers from their
obligation to comply with such
requirements. These external obligations
must be met with information that is not
patient safety work product and
oversight entities continue to have
access to this original information in the
same manner as such entities have had
access prior to the passage of the Patient
Safety Act. Providers should carefully
consider the need for this information to
meet their external reporting or health
oversight obligations, such as for
meeting public health reporting
obligations. Providers have the
flexibility to protect this information as
patient safety work product within their
patient safety evaluation system while
they consider whether the information
is needed to meet external reporting
obligations. Information can be removed
from the patient safety evaluation
system before it is reported to a PSO to
fulfill external reporting obligations.
Once the information is removed, it is
no longer patient safety work product
and is no longer subject to the
confidentiality provisions.
The Patient Safety Act establishes a
protected space or system that is
separate, distinct, and resides alongside
but does not replace other information
collection activities mandated by laws,
regulations, and accrediting and
licensing requirements as well as
voluntary reporting activities that occur
for the purpose of maintaining
accountability in the health care system.
Information is not patient safety work
product if it is collected to comply with
external obligations, such as: state
incident reporting requirements;

E:\FR\FM\21NOR3.SGM

21NOR3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
adverse drug event information
reporting to the Food and Drug
Administration (FDA); certification or
licensing records for compliance with
health oversight agency requirements;
reporting to the National Practitioner
Data Bank of physician disciplinary
actions; complying with required
disclosures by particular providers or
suppliers pursuant to Medicare’s
conditions of participation or conditions
of coverage; or provision of access to
records by Protection and Advocacy
organizations as required by law.

dwashington3 on PRODPC61 with RULES3

Response to Other Public Comments
Comment: One commenter in
responding to questions about timing
and early protection interpreted the
timing concern to be an expiration of an
allowed period of time to report, such
that an event must be reported within a
certain number of days or it may not
become protected.
Response: As noted above, the timing
issues in the final rule relate to when
information may have been collected for
reporting to a PSO. There is no
expiration date for an event that would
prohibit future protection of a report of
it as patient safety work product so long
as the protection of the information is
pursuant to the final rule.
Comment: One commenter suggested
that event registries may seek to become
PSOs because the model is well
positioned to allow for tracking and
identification of patients that require
follow-up.
Response: The Department recognizes
that event registries may have particular
benefits that may be helpful in the
analysis of patient safety events, but we
caution any holder of patient safety
work product that future disclosure of
patient safety work product must be
done pursuant to the disclosure
permissions. Thus, while it may be
appropriate for event registries to
identify and track patients who may
require follow-up care, the final rule
would generally not permit disclosure
of patient safety work product to
patients for such a purpose.
Accordingly, while there may be
benefits to an event registry becoming a
PSO, a registry should take into
consideration the limitations on
disclosure of patient safety work
product, and what impact such limits
would have on its mission, prior to
seeking listing.
Comment: Several commenters sought
clarification whether information
underlying analyses within a patient
safety evaluation system was protected.
One commenter suggested that data
used to conduct an analysis should be

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

protected at the same time as the
analysis.
Response: As indicated in the
definition of patient safety work
product, information that constitutes the
deliberation or analysis within a patient
safety evaluation system is protected.
Information underlying the analysis
may have been either reported to a PSO
and protected or collected in a patient
safety evaluation system. Information
documented as collected within a
patient safety evaluation system is
protected based on the modification to
the definition of patient safety work
product. Thus, information underlying
an analysis may be protected. However,
underlying information that is original
medical records may not be protected if
it is excluded by the definition of
patient safety work product.
Comment: Two commenters raised
concerns that PSOs do not have
discretion regarding the receipt of
unsolicited information reported to
PSOs from providers. One commenter
was concerned about the burden on a
PSO receiving unsolicited reports and
the obligation a PSO may have regarding
unsolicited reports. Another commenter
was concerned that unsolicited reports
may be materially flawed or contain
incorrect information.
Response: The Department does not
agree that this is a major issue for PSOs
or that PSOs need some regulatory
ability to reject reported information. If
a PSO receives information from a
provider that was collected by that
provider for the purposes of sending to
a PSO, then the information is patient
safety work product. PSOs may use or
analyze the information, but must
protect it as patient safety work product
and dispose of the information properly.
However, there is no requirement that a
PSO maintain or analyze the
information. For these reasons, we do
not modify the proposed rule position
regarding these issues.
Comment: Some commenters were
concerned that recommendations of
PSOs may be treated as a standard of
care. Commenters recommended that
recommendations from PSOs be
protected as patient safety work
product.
Response: The Department stated in
the proposed rule that PSO
recommendations are patient safety
work product, but the changes
undertaken by a provider based upon a
PSO’s recommendations are not patient
safety work product. With respect to the
concern that PSO recommendations
may establish a standard of care, the
issue is not within the scope of the
Patient Safety Act and not appropriate
for the regulation to address. Generally,

PO 00000

Frm 00013

Fmt 4701

Sfmt 4700

70743

the establishment of a standard of care
is a function of courts and entities that
have jurisdiction over the issue for
which a standard of care is relevant. The
introduction of patient safety work
product as information that may help
establish a standard of care is highly
unlikely given the limited disclosure
permissions. For these reasons, we make
no modifications in the final rule.
Comment: Several commenters raised
concerns about the distinction between
original documents and copies of
original documents. One commenter
stated that it was an artificial distinction
in an electronic environment.
Response: The Patient Safety Act and
the final rule distinguish certain original
records from information collected for
reporting to a PSO. Because information
contained in these original records may
be valuable to the analysis of a patient
safety event, the important information
must be allowed to be incorporated into
patient safety work product. However,
the original information must be kept
and maintained separately to preserve
the original records for their intended
purposes. If the information were to
become patient safety work product, it
could only be disclosed pursuant to the
confidentiality protections.
Comment: One commenter was
concerned that information collected for
reporting to a PSO may be the same
information providers collect for
reporting to a state regulatory agency.
The commenter suggested that
protections should only attach to
information after state-mandated
reporting requirements have been
fulfilled. The commenter was concerned
that the confidentiality protections may
impede state data collection,
surveillance and enforcement efforts. A
separate commenter requested
clarification that if patient safety work
product is reported under a state
mandated incident reporting system, the
patient safety work product continues to
be protected.
Response: The final rule is clear that
providers must comply with applicable
regulatory requirements and that the
protection of information as patient
safety work product does not relieve a
provider of any obligation to maintain
information separately. The Department
believes that some providers, such as
hospitals, have been operating in similar
circumstances previously when
conducting peer review activities under
state peer review law protections. For
patient safety work product to be
disclosed, even to a State entity, the
discloser must have an applicable
disclosure permission. While the Patient
Safety Act does not preempt state laws
that require providers to report

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

70744

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

information that is not patient safety
work product, a State may not require
that patient safety work product be
disclosed.
Comment: One commenter advised
that the final rule should build on
existing infrastructure for reporting and
examination of patient safety events to
minimize duplication of resources and
maximize existing efforts.
Response: The Department has
modified the proposed rule to address
the potential issue of duplicated
resources by allowing providers the
flexibility to collect and review
information within a patient safety
evaluation system to determine if the
information is needed to fulfill external
reporting obligations as addressed
above. The Department recognizes the
high costs of health care, both in dollars
and in the health of individuals. The
final rule establishes a workable and
flexible framework to permit providers
that have mature patient safety efforts to
fully participate as well as for providers
with no patient safety activities to be
encouraged to begin patient safety
efforts.
Comment: One commenter asked
whether multiple PSOs can establish a
single reporting portal for receiving
reports from providers.
Response: The final rule does not
address procedures regarding how a
PSO receives information. Providers
must meet any requirements regarding
sharing information that is protected
health information, such as the HIPAA
Privacy Rule, in any circumstances
when reporting information to a PSO or
joint PSO portal.
Comment: Several commenters asked
whether retrospective analyses could be
included as patient safety work product.
Response: The final rule permits any
data, which is a term that is broadly
defined and would include
retrospective analyses, to become
patient safety work product. The fact
that information was developed prior to
the collection for reporting to a PSO
does not bar a provider from reporting
an analysis to a PSO and creating
patient safety work product. Providers
should be cautioned to consider
whether there are other purposes for
which an analysis may be used to
determine whether protection as patient
safety work product is necessary or
warranted. Further, the definition of
patient safety work product is clear that
information collected for a purpose
other than for reporting to a PSO may
not become patient safety work product
only based upon the reporting of that
information to a PSO. Such information,
particularly information collected or
developed prior to the passage of the

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

Patient Safety Act, may become
protected as a copy, but the original
document remains unprotected.
(J) Section 3.20—Definition of Provider
Proposed Rule: Proposed § 3.20 would
have divided the meaning of provider
into three categories. The first paragraph
included ‘‘an individual or entity
licensed or otherwise authorized under
State law to provide health care
services, including’’ and this
introductory language was followed by
a list of institutional health care
providers in subparagraph (1) and a list
of individual health care practitioners in
subparagraph (2). The preamble
indicated that these statutory lists were
illustrative.
Under the Secretary’s authority to
expand the list of providers in the
statutory definition, the proposed rule
would have added two categories to the
list of providers. The second paragraph
would have covered agencies,
organizations, and individuals within
Federal, State, local, or Tribal
governments that deliver health care,
the contractors these entities engage,
and individual health care practitioners
employed or engaged as contractors by
these entities. We included this addition
because public health care entities and
their staff are not always authorized or
licensed by state law to provide their
services and, therefore, might not be
included within the terms of the
original statutory definition.
The third paragraph would have
included a parent organization that has
a controlling interest in one or more
entities described in paragraph (1)(i) of
this definition or a Federal, State, local,
or Tribal government unit that manages
or controls one or more entities
described in (1)(i) or (2) of this
definition. This addition was intended
to permit the parent organization of a
health care provider system to enter a
system-wide contract with a PSO. The
parent of a health system also may not
be licensed or authorized by state law to
provide health care services as required
by the statutory definition.
Overview of Public Comments: There
were a number of comments with
respect to the entities and individuals
that are identified as providers in the
subparagraphs of paragraph (1). For
example, one commenter sought
clarification that ‘‘assisted living
residential care and other community
based care’’ providers are included in
the broader term ‘‘long term care
facilities’’ as identified in the list of
covered providers. A number of other
individual commenters each identified
entities that the Secretary should
include in the definition of providers:

PO 00000

Frm 00014

Fmt 4701

Sfmt 4700

medical product vendors,
pharmaceutical companies, medical
device manufacturers, risk retention
groups, and captive professional
liability insurance companies that are
controlled by risk retention groups.
There was general support for the
inclusion of parent organizations of
private and public sector providers in
paragraph (3), although two commenters
disagreed. One commenter argued that
naming the parent organization as a
provider suggested a ‘‘one size fits all’’
solution and suggested that eligibility
should be linked to whether the parent
organization is involved in the patient
safety evaluation system for its
subsidiaries. Other commenters, while
not objecting, worried that this addition
could open the door for organizations
such as health insurance issuers,
including Health Maintenance
Organizations, regulatory and
accrediting entities to qualify as
component PSOs. One commenter
suggested that by using the phrase
‘‘controlling interest’’ with respect to
private sector parent organizations, the
focus of this part of the proposed
paragraph was inappropriately narrow,
appearing to emphasize a corporate
parent, and that the language needed to
reflect a broader array of potential
parent organizations, such as
partnerships or limited liability
companies.
Several commenters expressed
concern that by encompassing entities
that are not traditionally providers,
under HIPAA or other rules, our
definition of ‘‘provider’’ would lead to
confusion. One commenter suggested it
would be appropriate for the
commentary accompanying the final
rule to address the two terms,
emphasize the differences, and clarify
the obligations.
Final Rule: We have modified the
definition of provider in the final rule
in response to several comments. The
first modification is a non-substantive
substitution of the term behavioral
health for behavior health. In response
to the comments we received and to
ensure clarity, we reiterate what we
stated in the proposed rule that a list
preceded by ‘‘including’’ is an
illustrative list, not an exhaustive list.
In general, the question of whether
any private sector individual or entity,
such as assisted living residential care
and other community-based care
providers, comes within the rule’s
meaning of ‘‘provider’’ is determined by
whether the individual or entity is
licensed or otherwise authorized under
state law to deliver health care services.
We note that paragraphs (2) and (3) of
the definition address public sector

E:\FR\FM\21NOR3.SGM

21NOR3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

dwashington3 on PRODPC61 with RULES3

providers and parent organizations of
health care providers.
We have not adopted any of the other
recommendations for additions to the
list of providers. The statute provides
confidentiality and privilege protections
for reporting by individuals and entities
that actually provide health care
services to patients. In our view, it was
not intended to apply to those who
manufacture or supply materials used in
treatments or to entities that provide
fiscal or administrative support to those
providing health care services.
With respect to paragraph (3) of the
definition, the use of the term parent
organization here should conform to our
definition of ‘‘parent organization’’
above. Therefore, we have streamlined
the language, deleting unnecessary text
that might suggest that we were
applying a different definition.
The Department does not share the
concerns of commenters that
incorporating a broader definition of
‘‘provider’’ in this rule will cause
confusion in the marketplace, because
its use will be limited. The application
of the term ‘‘provider’’ in this rule is
intended to give the full range of health
care providers the ability to report
information to, and work with, PSOs
and receive confidentiality and privilege
protections as set forth in the Patient
Safety Act and this rule. Although we
appreciate the administrative benefits of
uniformity, and have tried to maximize
the consistency or interoperability of
this rule with the HIPAA Privacy and
Security Rules, it would not be
appropriate in this rule to adhere to any
less inclusive definition of provider
used in other regulations.
We did not condition the designation
of provider status for a parent
organization on its involvement in a
patient safety evaluation system. We
expect that most parent organizations
will, in fact, be a part of a system-wide
patient safety evaluation system if they
choose to pursue PSO services.
However, establishing such a
requirement now, when it is unclear
what types of innovative arrangements
and effective strategies might emerge,
might prove more detrimental than
helpful.
Response to Other Public Comments
Comment: One commenter raised
concerns that paragraph (2) may not
include Indian tribes that operate or
contract for their own health care
systems under the Indian SelfDetermination and Education
Assistance Act (ISDEAA), rather than
relying upon the Indian Health Service.
Response: Tribal organizations
carrying out self-determination

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

contracts or compacts under the
ISDEAA to deliver health care fall
squarely within paragraph (2) of the
definition of provider because they are
organizations engaged as contractors by
the Federal government to deliver
health care. Additionally, the workforce
of a provider covered under the rule, by
definition, includes employees,
volunteers, trainees, contractors, and
other persons, whether or not paid by
the provider, that perform work under
the direct control of that provider.
Federal employees detailed to a tribe or
Tribal organization carrying out an
ISDEAA contract would be covered
under paragraph (2) in the definition of
provider, even if they were not part of
the Tribal organization’s workforce.
Therefore, no change is needed in
response to this comment.
B. Subpart B—PSO Requirements and
Agency Procedures
Proposed Subpart B would have set
forth requirements for Patient Safety
Organizations (PSOs) including the
certification and notification
requirements that PSOs must meet, the
actions that the Secretary may and will
take relating to PSOs, the requirements
that PSOs must meet for the security of
patient safety work product, the
processes governing correction of PSO
deficiencies, revocation, and voluntary
relinquishment, and related
administrative authorities and
implementation responsibilities. The
requirements of the proposed Subpart
would have applied to entities that seek
to be listed as PSOs, PSOs, their
workforce, a PSO’s contractors when
they hold patient safety work product,
and the Secretary.
The proposed rule did not require a
provider to contract with a PSO to
obtain the protections of the Patient
Safety Act; however, we noted that we
anticipate that most providers would
enter into contracts with PSOs when
seeking the confidentiality and privilege
protections of the statute. We proposed
to enable a broad variety of health care
providers to work voluntarily with
entities that would be listed as PSOs by
the Secretary based upon their
certifications that, among other things,
state that they have the ability and
expertise to carry out the broadly
defined patient safety activities of the
Patient Safety Act and, therefore, to
serve as consultants to eligible providers
to improve patient care. In accordance
with the Patient Safety Act, the
proposed rule set out an attestationbased process to qualify for 3-year
renewable periods of listing as a PSO.
Proposed Subpart B attempted to
minimize regulatory burden, while

PO 00000

Frm 00015

Fmt 4701

Sfmt 4700

70745

fostering transparency to enhance the
ability of providers to assess the
strengths and weaknesses of their choice
of PSOs.
We proposed a security framework
pertaining to the separation of data and
systems and to security management,
control, monitoring, and assessment.
Thus, each PSO would address the
framework with standards it determines
appropriate to the size and complexity
of its organization. We proposed
additional requirements to ensure that a
strong firewall would be maintained
between a component PSO and the rest
of the organization(s) of which it is a
part.
We noted that we expect to offer
technical assistance and encourage
transparency wherever possible to
promote implementation, compliance,
and correction of deficiencies. At the
same time, this proposed Subpart
established processes that would permit
the Secretary promptly to revoke a
PSO’s certification and remove it from
listing, if such action proves necessary.
1. Section 3.102—Process and
Requirements for Initial and Continued
Listing of PSOs
Proposed Rule: The proposed rule in
§ 3.102 addressed the eligibility of, and
the processes and requirements for, an
entity seeking a three-year period of
listing by the Secretary as a PSO and
described the timing and requirements
of notifications that a PSO must submit
to the Secretary during its period of
listing. The proposed rule described our
intention to minimize barriers to entry
for entities seeking listing and create
maximum transparency to create a
robust marketplace for PSO services.
The Patient Safety Act set forth limited
prerequisites that must be met to be
listed by the Secretary as a PSO, which
the regulation incorporates. The
Department expects that providers will
be the ultimate arbiters of the quality of
services that an individual PSO
provides.
Overview of Public Comments: The
following discussion focuses on the
broad comments we received
concerning our overall approach to
initial and continued listing of PSOs.
These comments do not address specific
provisions of the proposed rule. Public
comments that address specific
provisions of § 3.102 are addressed in
the individual subsection discussions
that follow. Questions and situationspecific comments are addressed below
under the heading of ‘‘Response to
Other Public Comments.’’
The Department received generally
favorable comment on our proposed
approach in this section, which

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

70746

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

emphasizes a streamlined certification
process, and public release of
documentation submitted by PSOs
whenever appropriate. There were,
however, two broad sets of concerns
expressed about our overall approach.
The first concern related to the
potential number of PSOs that might be
listed by the Secretary as a result of the
Department’s proposed ‘‘ease of entry’’
approach. These comments focused on
the importance of PSOs being able to
aggregate significant amounts of data
across multiple providers to develop
meaningful analyses. Noting that patient
safety events are often rare events, one
commenter noted that in some cases it
may be necessary to aggregate data for
an entire state in order to develop
insights regarding the underlying causes
of such events. Another commenter
noted that if every hospital in the state
established its own component PSO, the
potential impact of PSO analyses could
be minimal. Because most PSOs will be
dependent upon revenue from providers
submitting data, one commenter
worried that too many PSOs could also
affect the ability of individual PSOs to
obtain adequate funding to perform
their analytic functions and to
implement potentially costly security
requirements.
These concerns led some commenters
to suggest inclusion in the final rule of
a limitation on the number of PSOs that
the Secretary would list. One
commenter asked whether it would be
possible for the Department to list one
national PSO, noting this could improve
efficiency for providers. Another
commenter suggested listing of 2–4
PSOs per state using a competitive
process or limiting the number of PSOs
by increasing the number of required
provider contracts that each PSO must
have. Most commenters who favored
limiting the number of listed PSOs did
not suggest a specific approach.
A second broad set of
recommendations focused on the need
for periodic or ongoing evaluation of the
effectiveness of PSOs that could be
linked to, or be separate from, the
evaluation of certifications for
continued listing. Some commenters
recommended that the Department
routinely collect information from PSOs
to evaluate whether the individual and
collective work of PSOs is actually
reducing medical errors and improving
the quality of care that is delivered. One
commenter stressed the importance of
establishing in the final rule
expectations related to PSO
performance and demonstrated results
and provided draft language for
inclusion in the final rule.

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

Final Rule: The Department has not
modified the approach taken in the
proposed rule in response to these
comments. With respect to limiting the
number of PSOs that are listed by the
Secretary, the statutory language is clear
that any entity, public or private, that
can meet the stated requirements is
eligible for listing by the Secretary.
While the Department understands the
concerns of the commenters that a very
large number of PSOs could frustrate the
statutory goal of data aggregation across
multiple providers, we believe that this
scenario is unlikely for several reasons.
First, a provider does not need to
shoulder the financial burden alone to
support a full-time PSO. Providers enjoy
the same protections under the Patient
Safety Act when they contract with an
independent PSO or when they create a
component organization to seek listing
as a PSO. A provider that establishes a
working relationship with a PSO can
have a division of labor between the
analyses that its staff undertakes inhouse within its patient safety
evaluation system and the tasks it
assigns to the PSO. In both
circumstances, the statutory protections
apply. Thus, for a provider, establishing
its own PSO is an option, not a
necessity.
Second, there are important insights
into patient safety that can only be
derived from aggregating data across
multiple providers. Given the low
frequency of some patient safety events,
even larger health systems are likely to
derive additional benefits from working
with PSOs that have multiple and,
potentially, diverse clients.
A final limiting factor is the shortage
of personnel who are well-trained or
experienced in the use of the
methodologies of patient safety
analyses. While the marketplace will
respond to the need for the development
of additional training and certification
programs, the availability of highlyskilled staff will be a constraining factor
initially. In combination, these three
factors should provide a natural
constraint on the number of singleprovider PSOs.
Regarding the other general set of
comments related to the listing process,
the Department has considered these
suggestions and has determined not to
incorporate in the final rule
requirements for an ongoing evaluation
process or the routine collection of data
from PSOs. PSOs are not a Federal
program in the traditional sense. Most
significantly, they are not Federally
funded. Their project goals, priorities,
and the specific analyses that they
undertake are not Federally directed.
The value and impact of an individual

PO 00000

Frm 00016

Fmt 4701

Sfmt 4700

PSO will be determined primarily by
the providers that use its services on an
ongoing basis.
It is unclear at this point how
providers will choose to use PSOs. Only
with experience will it become clear
which analyses a provider will choose
to undertake in its own patient safety
evaluation system and which analyses a
provider will rely upon a PSO to
undertake. The mix and balance of
activities between a provider’s patient
safety evaluation system and its PSO (or
PSOs) will undoubtedly shift over time
as the working relationships between
providers and PSOs evolve toward
greater efficiency. Thus, we remain
convinced that providers are in the best
position to assess the value of a PSO
and its ability to contribute to
improving the quality and safety of
patient care.
Response to Other Public Comments
Comment: While contracts are not
required between PSOs and providers to
obtain protections, the Department
stated that it anticipates most providers
will enter contracts with providers. In
light of this expectation, one commenter
urged the Department to develop and
make available a model contract.
Response: We do not think a model
contract can be developed easily. The
issues that need to be addressed will
vary significantly based upon the nature
of the relationship. Therefore, we do not
expect to be developing and releasing a
model contract.
Comment: One commenter suggested
that the final rule should explain how
AHRQ will publish the results from
which providers and others can evaluate
a PSO before entering a contract.
Response: For the reasons discussed
above, AHRQ will not require or release
PSO-specific performance information.
Comment: One commenter suggested
that AHRQ should ensure that PSOs
should not be able to make commercial
gain from the knowledge it derives as a
PSO.
Response: The statute permits all
types of private and public entities to
seek listing as a PSO; it does not limit
private entities to not-for-profits. The
final rule mirrors that formulation. The
Department concludes that the statute
does not invite us to impose such
restrictions and expects that providers’
decisions will determine the
acceptability of for-profit PSOs.
Comment: One commenter suggested
that providers should only be permitted
to submit data to one PSO.
Response: The Patient Safety Act’s
framework for PSO-provider
relationships is voluntary from a public
policy perspective. In our view, it

E:\FR\FM\21NOR3.SGM

21NOR3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

dwashington3 on PRODPC61 with RULES3

would be inconsistent with section
922(e)(1)(B) of the Public Health Service
Act for the Department or any entity to
use the authority of law or regulation to
limit or direct provider reporting.
Comment: One commenter suggested
that the final rule should require PSOs
to share aggregated, non-identifiable
patient safety work product with state
regulatory authorities.
Response: The Department does not
agree that it is appropriate to place such
an unfunded mandate upon PSOs.
Comment: One commenter stated that
it is a waste of effort and expense to
create new government entities to work
with providers when current
organizations can do that just as well.
The commenter also asked whether
anyone has estimated the 10-year costs.
Response: As this final rule makes
clear, these entities are not government
entities and will not receive Federal
funding. While we expect
implementation will spur the
development of new entities, we also
expect that existing entities will be able
to expand their current patient safety
improvement efforts if they seek listing
and are able to offer the confidentiality
and privilege protections provided by
the Patient Safety Act. While we have
not done a 10-year cost estimate, our
regulatory impact statement at the end
of the preamble projects net savings of
$76 to $92 million in 2012, depending
upon whether the net present value
discount rate is estimated at 7% or 3%.
(A) Section 3.102(a)—Eligibility and
Process for Listing
Proposed Rule: Section 3.102(a) of the
proposed rule would have provided
that, with several exceptions discussed
below, any entity—public or private,
for-profit or not-for profit—that can
meet the statutory and regulatory
requirements may seek initial or
continued listing by the Secretary as a
PSO. The Department proposed to
establish a streamlined certification
process for entities seeking initial or
continued listing that relied upon
attestations that the entities met
statutory and regulatory requirements.
To foster informed provider choice,
entities were encouraged, but would not
be required, to post narratives on their
respective Web sites that explained how
each entity intended to comply with
these requirements and carry out its
mission.
The proposed rule incorporated a
statutory prohibition that precludes a
health insurance issuer and a
component of a health insurance issuer
from becoming a PSO. The Department
also proposed to exclude any entity,
public or private, that conducts

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

regulatory oversight of health care
providers, which included organizations
that accredit or license providers. We
proposed this restriction for consistency
with the statute, which seeks to foster a
‘‘culture of safety’’ in which health care
providers are confident that the patient
safety events that they report will be
used for learning and improvement, not
oversight, penalties, or punishment. The
proposed rule would permit a
component organization of such an
entity to seek listing as a PSO. To ensure
that providers would know the parent
organizations of such PSOs, we
proposed that certifications include the
name(s) of its parent organization(s),
which the Secretary would release to
the public. We sought comment on
whether we should consider broader
restrictions on eligibility.
The proposed rule would permit a
delisted entity, whether delisted for
cause or because of voluntary
relinquishment of its status,
subsequently to seek a new listing as a
PSO. To ensure that the Secretary would
be able to take into account the history
of such entities, we proposed such
entities submit this information with
their certifications for listing.
Overview of Public Comments: The
Department received generally favorable
comments on our proposal to adopt a
streamlined attestation-based approach
to initial listing of PSOs. A number of
commenters expressed concern about
our attestation-based approach,
however, arguing for a more in-depth
assessment to ensure that an entity had
the capability to carry out its statutory
and regulatory responsibilities and meet
the patient safety objectives of the
statute. Some believed that the private
marketplace is not necessarily wellequipped to judge which organizations
can most effectively meet these
requirements. Arguing that one
misguided or fraudulent organization
could taint the entire enterprise for
years, a few commenters suggested that
we require interested organizations at
initial listing to submit documentation
of their ability to meet their statutory
and regulatory responsibilities.
Most commenters who urged a
stronger approach to the evaluation of
certifications for listing acknowledged
the value of an expedited process for
initial listing and instead focused their
recommendations on the importance of
creating a more rigorous process for
continued listing. A common
recommendation was to require, in
addition to the proposed certifications
for continued listing, that a PSO be
required to submit documentation that
described in detail how it is complying
with the requirements underlying its

PO 00000

Frm 00017

Fmt 4701

Sfmt 4700

70747

certifications and urged the Department
to arrange for independent review of
such documentation, coupled with an
audit process that would ensure
compliance.
The comments we received were
supportive of including a requirement
that entities certify whether there is any
relevant history regarding delisting
about which the Secretary needs to be
aware. Several commenters suggested
that the entity seeking to be relisted
should be required to include reason(s)
for any prior delisting. Another
suggestion was that the Secretary should
have discretion in relisting an entity not
to release the names of officials who had
positions of responsibility in a
previously delisted entity.
The proposed restrictions on
eligibility engendered considerable
comment. With respect to the statutory
restriction on health insurance issuers,
concerns and questions were raised
regarding whether the exclusion applied
to self-insured providers or malpractice
liability insurers and whether health
systems that include a subsidiary that is
a health insurance issuer could establish
a component PSO.
We received a significant level of
comment regarding our proposed
restriction on listing of regulatory
oversight bodies. While the majority of
commenters supported the proposed
exclusion, some commenters took issue
with various aspects of our proposal.
Commenters engaged in accreditation
activities generally criticized our
characterization of these activities as
regulatory. They pointed out that the
proposed rule did not take into account
the distinction between voluntary and
mandatory accreditation and, in their
view, most accreditation was voluntary.
They also noted that accreditation
activities were initially developed to
ensure the quality and safety of patient
care and that accreditation entities,
unlike licensure agencies, have greater
discretion in addressing any problems
that they identify with a provider’s
operations in a non-punitive way. For
these commenters, accreditation
activities were not inconsistent with
fostering a ‘‘culture of safety.’’ By
contrast, most provider comments
supported the exclusion, and singled
out accreditation entities as warranting
exclusion.
State health departments and statecreated entities expressed concern about
an outright prohibition on their being
listed as PSOs, noting that the
prohibition could disrupt effective
patient safety initiatives now underway.
A number of specific state-sanctioned
patient safety initiatives were described
in their submissions. Commenters

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

70748

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

pointed to the fact that state health
departments have both regulatory and
non-regulatory elements to their
authority, have routinely demonstrated
that they can effectively keep these
elements separate, and thus, they saw
no reason for the Department to doubt
that state agencies could continue to do
so effectively if they were permitted to
operate PSOs.
Other commenters suggested
extending the prohibition to other types
of entities (such as purchasers of health
care or agents of regulatory entities) and
raised questions regarding the scope of
the exclusion.
We received a significant number of
comments in response to a specific
question raised in the proposed rule
whether the exclusion of regulatory
entities should be extended to
components of such organizations.
Commenters that supported extension of
the prohibition generally argued that the
firewalls that the statute requires a
component PSO to maintain between
itself and its parent organization(s)
could be circumvented, that the
flexibility in the proposed rule to enable
a component PSO to draw upon the
expertise of its parent organization(s)
would be inappropriate in this situation,
and there was a significant possibility
that such a parent organization could
use its position of authority to attempt
to coerce providers into reporting
patient safety work product to its
component PSO.
A majority of commenters, however,
opposed expanding the exclusion to
components of such regulatory
organizations. They contend that the
statutorily required separations between
a component PSO and its parent
organization(s) would provide adequate
protection against improper access and
adverse use of confidential patient
safety work product by the excluded
entities with which such a component
PSO is affiliated. A number of
commenters noted that an expansion of
the exclusion to components of such
entities would have unintended
consequences. For example, an
increasing number of medical specialty
societies operate, or are in the process
of developing, accreditation programs
for their members in response to
growing public and private sector
pressure for quality improvement. These
organizations see the creation of
specialty-specific component PSOs as
an important complement to their other
quality improvement activities.
Similarly, some commenters contend
that widespread patient safety
improvements require coordination and
communication across the public and
private sectors. These commenters

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

argued that a broader exclusion could
both disrupt existing, effective public
sector patient safety initiatives and
preclude opportunities for the public
sector to play a meaningful role.
Many commenters that opposed
extending the exclusion to component
organizations nevertheless suggested
additional restrictions to strengthen the
separation of activities between
component PSOs and these types of
parent organizations. Their suggestions
are discussed below with respect to
§ 3.102(c).
Final Rule: The Department
considered whether to modify the
attestation process either for initial or
continued listing of PSOs or both but
ultimately concluded that streamlined
attestations should be retained for both.
Given the voluntary, unfunded nature of
this initiative and the centrality of the
client-consultant paradigm of providerPSO relationships, an approach that
requires documentation and routine
audits is likely to be costly and
burdensome, both to entities seeking
listing and the Department. More
importantly, such an approach is
unlikely to achieve its intended
objective, for the reasons discussed
below.
There are limitations of a
documentation approach to ensuring the
capabilities and compliance of PSOs
with the requirements for listing, and
such an approach is unlikely to yield
the types of information that providers
will need in selecting a PSO. Consider,
for example, two of these requirements:
the criterion that requires that a PSO
have qualified staff, including licensed
or certified medical professionals, and
the patient safety activity that requires
the provision of feedback to participants
in a (provider’s) patient safety
evaluation system. Documentation,
through submission of resumes or
summaries of the credentials of
professional staff, can demonstrate that
the PSO meets the statutory
requirement. What each provider really
needs to assess, however, is whether the
skill sets of the professional staff
employed by or under contract to the
PSO are an appropriate match for the
specific tasks that led the provider to
seek a PSO’s assistance. Depending
upon the analytic tasks, a provider may
need expertise that is setting-specific,
e.g., nursing homes versus acute care
settings, technology-specific, specialtyspecific, or, may require expertise
outside the traditional scope of health
care. Thus, there is not a single template
against which the expertise of a PSO’s
professional staff can be judged. In
addition, we anticipate that PSOs
seeking additional clients (providers)

PO 00000

Frm 00018

Fmt 4701

Sfmt 4700

will post on their websites, or otherwise
advertise, the names and qualifications
of their top staff experts and
consultants. Their Web site locations
will be on the AHRQ PSO Web site.
Similarly, documentation can
demonstrate that a PSO has provided
feedback to participants in a provider’s
patient safety evaluation system and
thereby met the statutory requirement.
But the most relevant questions are
whether the feedback reflected a valid
analysis of the provider’s patient safety
work product and existing scientific
knowledge, and whether the feedback
was framed in ways that made it
understandable, ‘‘actionable,’’ and
appropriate to the nature of the
provider’s operation. The answers to
these questions cannot be assessed by
the Department readily through the
listing process.
As a result, in many cases, the
provider-client, rather than the
Department, will be better able to
determine whether the outcomes of a
PSO’s conduct of patient safety
activities meet its needs in a meaningful
way. The Department believes that
providers, especially institutional
providers, will have access to the
expertise to make them especially
sophisticated customers for PSO
services. Providers are likely to assess
very carefully the capabilities of a PSO
and will be in a position to request
appropriate documentation, if
necessary, to assess a PSO’s ability to
meet their specific requirements.
Therefore, the Department does not see
a compelling public policy rationale for
substituting its judgment for that of a
provider. Providers can demand
references and evidence of relevant
accomplishments, and effectively
evaluate the adequacy and suitability of
a PSO’s expertise and experience. In
summary, a listing process that imposes
documentation and audit requirements
on each PSO will impose a significant
burden on all parties, but yield only
marginally useful information to
prospective clients.
Accordingly, we believe the approach
outlined in the proposed rule offers a
more efficient and effective approach.
The approach does include authority for
spot-checking compliance outlined in
§ 3.110, responding to complaints or
concerns, and enabling the Secretary, in
making listing decisions (see § 3.104(b)),
to take into consideration the history of
an entity and its key officials and senior
managers. This approach will be
buttressed with a program of technical
assistance for PSOs administered by
AHRQ. In addition, the final rule
incorporates a new expedited revocation
process that can be used when the

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
Secretary determines that there would
be serious adverse consequences if a
PSO were to remain listed. False
statements contained in a PSO’s
submitted certifications can result in a
loss of listing or other possible penalties
under other laws.
For convenience and clarity, we have
restructured § 3.102(a)(1) to provide a
unified list of the certifications and
information that an entity must submit
for listing as a PSO. Sections
3.102(a)(1)(i) through 3.102(a)(1)(vii) set
forth and cross-reference the
requirements of the final rule. Two of
these requirements are new. Section
3.102(a)(1)(iv) cross-references the
additional requirements in
§ 3.102(c)(1)(ii) that components of
entities that are excluded from listing
must meet in order for such components
to be listed. Section 3.102(a)(1)(v)
incorporates our proposal, for which
comments were supportive, to require
disclosure to the Secretary if the entity
seeking listing (under its current name
or another) has ever been denied listing
or delisted or if the officials or senior
managers of the entity now seeking
listing have held comparable positions
in a PSO that the Secretary delisted or
refused to list.
We have not adopted
recommendations that we require
explanations for the historical situations
encompassed by § 3.102(a)(1)(v).
Instead, we require that the name(s) of
any delisted PSO or of any entity that
was denied listing be included with the
certifications. The Department can then
search its records for background
information. In response to concerns
regarding public disclosure of the names
of the officials or senior managers that
would trigger the notification
requirement, we do not require
submission of the names of the
individuals with the certifications. With
respect to the workforce of the entity,
we note that we have narrowed the
requirement in two ways. First, we have
narrowed the focus from ‘‘any’’
employee to officials and senior
managers. Second, the requirement to
disclose only applies when officials or
senior managers of the entity seeking
listing also held comparable positions of
responsibility in the entity that was
delisted or refused listing.
Restructured § 3.102(a)(2) retains the
statutory exclusion from listing of
health insurance issuers and
components of health insurance issuers
in subparagraph (i). For greater clarity,
we have restated the exclusion to reflect
the rule’s definition of component so it
now references: a health insurance
issuer; a unit or division of a health
insurance issuer; or an entity that is

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

owned, managed, or controlled by a
health insurance issuer. New
subparagraph (ii) modifies and restates
the exclusion from listing of any entity
that: (1) Accredits or licenses health
care providers; (2) oversees or enforces
statutory or regulatory requirements
governing the delivery of health care
services; (3) acts as an agent of a
regulatory entity by assisting in the
conduct of that entity’s oversight or
enforcement responsibilities vis-a-vis
the delivery of health care services; or
(4) operates a Federal, State, local or
Tribal patient safety reporting system to
which health care providers (other than
members of the entity’s workforce or
health care providers holding privileges
with the entity) are required to report
information by law or regulation.
In reviewing the comments on the
proposed regulatory exclusion, we did
not find the arguments for narrowing
the prohibition compelling. Almost
every provider group expressed concern
regarding the possible operation of PSOs
by entities that accredit or license
providers as well as possible operation
of PSOs by regulatory entities. We share
their concerns that entities with the
potential to compel or penalize provider
behavior cannot create the ‘‘culture of
safety’’ (which emphasizes
communication and cooperation rather
than a culture of blame and
punishment) that is envisioned by the
statute.
We also concluded that it is difficult
to draw a ‘‘bright-line’’ distinction
between voluntary and mandatory
accreditation as several of the
commenters from accreditation
organizations proposed. While most
accreditation is technically voluntary
from the standpoint of many
accreditation entities, its mandatory
aspect generally derives from
requirements established by, or its use
by, other entities such as payers. Thus,
if we were to incorporate such a
distinction that permitted the listing of
organizations that provide voluntary
accreditation today, its voluntary nature
could disappear over time if other
organizations mandated use of its
accreditation services. Thus, a listed
PSO might need to be delisted at some
point in the future solely because of the
actions of a third party mandating that
organization’s accreditation as a
requirement. Therefore, we have
retained the prohibition on
accreditation and licensure entities and
have not incorporated any distinctions
regarding voluntary versus mandatory
accreditation in the final rule. We have
reformulated the exclusion and no
longer include accreditation or licensure

PO 00000

Frm 00019

Fmt 4701

Sfmt 4700

70749

activities as examples of regulatory
activities.
Similarly, we have retained the broad
exclusion from listing of regulatory
entities, by which we mean public or
private entities that oversee or enforce
statutory or regulatory requirements
governing the delivery of health care
services. Their defining characteristic is
that these entities have the authority to
discipline institutional or individual
providers for the failure to comply with
statutory or regulatory requirements, by
withholding, limiting, or revoking
authority to deliver health care services,
by denying payment for such services,
or through fines or other sanctions.
We consider entities with a mix of
regulatory and non-regulatory authority
and activities also to be appropriately
excluded from being listed. We
acknowledge that health departments
and other entities with regulatory
authority may undertake a mix of
regulatory and non-regulatory functions.
It may also be true, as several comments
reflected, that state health departments
have experience, and a track record, for
maintaining information separately and
securely from the regulatory portions of
their operations when necessary.
However, we note that the final rule
retains the proposed approach not to
regulate uses of patient safety work
product within a PSO. However, the
final rule retains the ability of a state
health department to establish a
component organization that could seek
listing as a PSO, subject to the
additional restrictions discussed in
§ 3.102(c) below. The benefit of this
approach is that providers will have the
reassurance that the penalties under the
Patient Safety Act and the final rule will
apply to any impermissible disclosures
of patient safety work product from
such a PSO to the rest of the state health
department.
We have not included the proposal of
several commenters to exclude
purchasers of health care from becoming
PSOs. Commenters did not suggest a
compelling public policy case for the
exclusion of any particular type of
purchasers. Given the vagueness and
potential scope of such a prohibition,
the potential for unintended
consequences is simply too great to
warrant its inclusion. For example,
health care institutions in their role as
employers can also be considered
purchasers of health care.
We have incorporated two additional
exclusions. First, based upon
recommendation from commenters, we
exclude from listing entities that serve
as the agents of a regulatory entity, e.g.
by conducting site visits or
investigations for the regulatory entity.

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

70750

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

While we understand that such agents
generally do not take action directly
against providers, their findings or
recommendations serve as the basis for
potential punitive actions against
providers. As a result, we believe that
the rationale we outlined in the
proposed rule regarding the exclusion of
regulatory bodies is also applicable to
agents of regulatory entities helping to
carry out these regulatory functions.
Second, as we considered comments
seeking clarification on the eligibility of
entities that operate certain mandatory
or voluntary patient safety reporting
systems to seek listing as PSOs, we
concluded that mandatory systems, to
which some or all health care providers
are required by law or regulation to
report patient safety information to a
designated entity, were inconsistent
with the voluntary nature of the
activities which the Patient Safety Act
sought to foster. However, this
exclusion does not apply to mandatory
reporting systems operated by Federal,
State, local or Tribal entities if the
reporting requirements only affect their
own workforce as defined in § 3.20 and
health care providers holding privileges
with the entity. The exception is
intended to apply to Federal, State, local
or Tribal health care facilities in which
the reporting requirement applies only
to its workforce and health care
providers holding privileges with the
facility or health care system. This
exception ensures that, with respect to
eligibility for listing as a PSO, entities
that administer an internal patient
safety reporting system within a public
or private section health care facility or
health care system are treated
comparably under the rule and would
be eligible to seek listing as a PSO.
The final rule retains the ability of
components of the four categories of
excluded entities in § 3.102(a)(2)(ii) to
seek listing as a component PSO. After
careful review, the Department
concluded that there was a significant
degree of congruence in the concerns
expressed by both proponents and
opponents of extending the exclusion to
such components. The opponents of
extending the exclusion routinely
suggested that the Department address
their core concerns by adopting
additional protections, rather than the
blunt tool of a broader exclusion. We
have adopted this approach, and we
have incorporated in § 3.102(c)
additional requirements and limitations
for components of excluded entities.
In addition, we have incorporated a
new requirement in § 3.102(a)(3) that
submissions for continued listing must
be received by the Secretary no later
than 75 days before the expiration of a

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

PSO’s three-year period of listing. This
requirement derives from our concern
for protecting providers if a PSO decides
not to seek continued listing and simply
lets its certifications expire at the end of
a three-year period of listing. To
preclude an inadvertent lapse, the
proposed rule included a provision to
send PSOs a notice of imminent
expiration shortly before the end of its
period of listing and sought comment on
posting that notice publicly so that
providers reporting patient safety work
product could take appropriate action.
Section 3.104(e)(2) states that the
Secretary will send a notice of imminent
expiration to a PSO at least 60 days
before its last day of listing if
certifications for continued listing have
not been received. However, the failure
of the Secretary to send this notice does
not relieve the PSO of its
responsibilities regarding continued
listing. The requirement to submit
certifications 75 days in advance is
intended to ensure that such a notice is
not sent or publicly posted until after
the submissions are expected by the
Department.
Response to Other Public Comments
Comment: One commenter urged the
Secretary not to require organizations to
have specific infrastructure and
technology in place before they could be
listed.
Response: The Department has not
proposed any specific infrastructure or
technology requirements. However, the
statute and the final rule require a PSO
at initial listing to certify that it has
policies and procedures in place to
ensure the security of patient safety
work product. The final rule requires
that those policies and procedures be
consistent with the framework
established by § 3.106. The Department
interprets the statute to require a listed
PSO to be able to provide security for
patient safety work product during its
entire period of listing, which includes
its first day of listing.
Comment: Two commenters agreed
that PSOs should be encouraged, but not
required, to post on their Web sites
narrative statements regarding their
capabilities.
Response: The Department continues
to encourage PSOs to develop and post
such narrative statements.
Comment: One commenter suggested
that the listing process should include
an opportunity for the Secretary to
receive public comment before making
a listing decision, especially in the case
of continued listing, when providers
may want to share their experiences
with the Secretary regarding a specific
PSO.

PO 00000

Frm 00020

Fmt 4701

Sfmt 4700

Response: While we expect customer
satisfaction evaluations of PSOs will
develop naturally in the private sector,
the Department has not incorporated
this recommendation in the listing
process. If a provider or any individual
believes that a PSO’s performance is not
in compliance with the requirements of
the rule, this concern can be
communicated to AHRQ at any time.
Improper disclosures may also be
reported to the Office for Civil Rights in
accordance with Subpart D.
Incorporation of a public consultation
process poses a number of
implementation issues. For example, it
could potentially delay a time sensitive
Secretarial determination regarding
continued listing (which must be made
before expiration of a PSO’s current
period of listing) and could require the
Department to assess the validity of
each specific complaint, e.g., the extent
to which dissatisfaction with an
analysis reflects the competence with
which it was performed or a lack of
precision in the assignment to the PSO.
Comment: One commenter suggested
that state-sanctioned patient safety
organizations should be deemed to meet
the requirements for listing.
Response: The Department does not
believe that the Patient Safety Act gives
the Secretary authority to delegate
listing decisions to states. Moreover, the
statute establishes the requirements that
an entity must meet for listing as a PSO;
automatically deeming state-sanctioned
organizations to be PSOs would
inappropriately override federal
statutory requirements and mandate the
Secretary to list PSOs that may not be
in compliance with all the statutory
requirements. Accordingly, the final
rule does not include such a provision.
Comment: Several commenters asked
if the exclusion on health insurance
issuers precludes a self-insured entity
from seeking listing.
Response: The Department has
examined this issue and concluded that
the exclusion of health insurance
issuers does not apply to self-insured
organizations that provide health benefit
plans to their employees. The statutory
exclusion contained in section
924(b)(1)(D) of the Public Health Service
Act incorporates by reference the
definition of health insurance issuer in
section 2971 of the Public Health
Service Act and that definition
explicitly excludes health benefit plans
that a health care provider organization
offers to its employees.
Comment: Several commenters
inquired whether organizations that
provide professional liability insurance
coverage (also referred to as medical
liability insurance or malpractice

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
liability insurance) for health care
providers are covered by the health
insurance issuer exclusion. The
commenters uniformly argued that the
exclusion should not apply. Several
commenters noted their intent to have
their ‘‘captive’’ liability insurer seek
listing as a PSO. Another commenter
sought assurances that if a captive
liability insurer sought listing as a PSO,
the PSO would not be considered a
component of the provider
organizations that owned the liability
insurer.
Response: The Department notes that
there is some ambiguity in the statutory
language but concludes that the health
insurance issuer exclusion does not
apply to such organizations.
While the health insurance issuer
exclusion does not apply, the
Department notes that the statute and
the final rule require that an entity
seeking listing must attest that its
mission and primary activity is the
improvement of patient safety. That test
is readily met when an organization,
such as a captive liability insurer,
creates a component organization since
the creation of a distinct new entity can
be established in a manner that clearly
addresses and meets the ‘‘primary
activity’’ criterion. The Department has
the authority to review all applications,
including those from organizations with
multiple activities, and to look behind
the attestations to determine whether
the applicant meets the ‘‘primary
activity’’ criterion.
We note that a captive entity meets
the definition of a component
organization in this rule. Therefore, if
the captive organization is eligible for
listing because it meets the ‘‘primary
activity’’ criterion, it must seek listing as
a component organization and clearly
would be subject to the requirements on
component PSOs. If the captive
organization does not meet the primary
activity criterion for listing, it is free to
create a component organization to seek
listing. Once again, however, the
additional requirements for a
component PSO apply.
Comment: Several commenters asked
whether the health insurance issuer
exclusion prevents a health system that
has subsidiaries that include providers
and a health insurance issuer, from
establishing a component organization
to seek listing as a PSO.
Response: As described by several
commenters, the PSO and the health
insurance issuer would be affiliates in a
‘‘brother-sister’’ relationship within the
parent organization. As long as the
health insurance issuer does not have
the authority to control or manage the
PSO, the health system is not precluded

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

from having both a health insurance
issuer subsidiary and a component PSO.
Comment: Several commenters raised
questions from different perspectives
regarding situations in which providers
might be required to report data to a
PSO. Some commenters suggested that
the final rule should prohibit a facility
or health care delivery system from
requiring individual clinicians (who are
employed, under contract, or have
privileges at the facility or within the
system) to report data to a specific PSO.
Others raised questions regarding the
eligibility for listing of existing Federal,
state, local or Tribal patient safety
reporting systems that are administered
by an entity without regulatory
authority.
Response: While the Patient Safety
Act does not require any provider to
report data to a PSO, the statute is silent
on whether others (such as institutional
providers or other public entities) can
impose such requirements on providers.
The Department makes a distinction
based upon the source of reporting
requirements and the extent to which
the requirement can be viewed as
consistent with the statutory goal of
fostering a ‘‘culture of safety.’’ Thus, the
Department has declined to include in
the final rule any restriction on the
ability of a multi-facility health care
system to require its facilities to report
to a designated PSO or of a provider
practice, facility, or health care system
to require reporting data to a designated
PSO by those providing health care
services under its aegis, whether as
employees, contractors, or providers
who have been granted privileges to
practice. A patient safety event
reporting requirement as a condition of
employment or practice can be
consistent with the statutory goal of
encouraging institutional or
organizational providers to develop a
protected confidential sphere for
examination of patient safety issues.
While an employer may require its
providers to make reports through its
patient safety evaluation system, section
922(e)(1)(B) prohibits an employer from
taking an adverse employment action
against an individual based upon the
individual’s reporting information in
good faith directly to a PSO.
By contrast, the Department views
mandatory reporting requirements that
are applicable to providers that are not
workforce members and that are based
in law or regulation, regardless of
whether the specific data collected by
these systems is anonymous or
identifiable, as incompatible with the
intent of the Patient Safety Act to foster
voluntary patient safety reporting
activities. In these situations, provider

PO 00000

Frm 00021

Fmt 4701

Sfmt 4700

70751

failure to make legally required reports
can potentially result in a loss of
individual or institutional licensure and
the ability to practice or deliver health
care services. Accordingly, we have
added to the list of entities excluded
from listing in § 3.102(b)(2)(ii) entities
that administer such mandatory patient
safety reporting systems.
A voluntary Federal, state, local, or
Tribal patient safety reporting system
can seek listing as a PSO. This means
that the entity administering the
reporting system does not have statutory
or regulatory authority to require
providers to submit data to the
administering organization, and that
organization is not required by statute or
regulation to make the collected
identifiable data available in ways that
would be incompatible with the
limitations on disclosure discussed in
Subpart C.
Comment: Two commenters
addressed the issue of whether Quality
Improvement Organizations (QIOs),
which are organizations that have
contracts with Medicare and often with
other payers or purchasers to review
compliance with regulatory or
contractual requirements and make
reports that may adversely impact
providers financially, can seek listing as
PSOs.
Response: QIOs are precluded from
seeking listing as PSOs. The final rule
precludes agents of a regulatory entity
from seeking listing and QIOs serve as
agents of Medicare. Some QIOs also
serve in similar capacities as agents of
state regulatory bodies. As noted above,
an agent of a regulator may create a
component organization that would be
eligible to seek listing as a PSO,
provided such a component
organization meets the additional
requirements of § 3.102(c)(1)(ii).
Comment: Several commenters asked
if the proposed exclusions of entities
applied to State Boards of Health,
programs offering providers
certifications, and physician specialty
boards.
Response: With respect to State
Boards of Health, there are two issues
regarding their potential ineligibility for
becoming PSOs. The first, raised by the
commenter, is whether these boards can
be considered regulatory entities and in
most cases they would be. While State
Boards of Health provide leadership and
policy coordination for state health
policies, they generally have the power
to oversee, enforce or administer
regulations governing the delivery of
health care services and would,
therefore, be ineligible to be listed as a
PSO. The second issue is whether such
a board with its multiple

E:\FR\FM\21NOR3.SGM

21NOR3

70752

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

dwashington3 on PRODPC61 with RULES3

responsibilities could attest that the
conduct of activities to improve patient
safety and health care quality is its
primary activity.
With respect to entities that offer
certifications, physician specialty
boards, or similar activities, we would
use a fact-based approach that assesses
the activities in light of the exclusions
in the rule at § 3.102(a)(2)(ii).
Comment: One commenter questioned
whether the proposed requirement that
a PSO notify the Secretary if it can no
longer meet the requirements for listing
essentially meant that the PSO was
admitting a deficiency.
Response: We expect this requirement
to operate prospectively so that the
Secretary can evaluate whether the
changed circumstances may still be
cured. While it is possible that this
requirement in some situations would
be the equivalent of a PSO admitting a
current, rather than prospective
deficiency, we note two aspects of the
process outlined here. First, the
correction of deficiencies is not a
punitive process. Second, the obligation
to inform the Secretary of changes is a
companion element to the Department’s
approach in listing entities based upon
attestations.
(B) Section 3.102(b)—Fifteen General
PSO Certification Requirements
Proposed Rule: Section 3.102(b) of the
proposed rule incorporated the 15
requirements specified in the Patient
Safety Act that every entity must meet
for listing as a PSO. These 15
requirements are comprised of eight
patient safety activities and seven other
criteria. At initial listing, an entity
would certify that it has policies and
procedures in place to perform the eight
specified patient safety activities and,
upon listing, would comply with the
seven other criteria during its period of
listing. At continued listing, the PSO
would certify that it has performed
during its period of listing, and would
continue to perform, all eight patient
safety activities and that, it has
complied with, and would continue to
comply with, the seven other statutory
criteria during its next period of listing.
We proposed to define the
confidentiality and security
requirements that are part of the patient
safety activities that PSOs must carry
out as requiring compliance with the
confidentiality provisions of Subpart C
and the security measures required by
§ 3.106. We did not propose that, but
sought comment on whether the final
rule should include a requirement that
a PSO inform any provider from which
it received patient safety work product
if there are impermissible disclosures of,

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

or security breaches occur, with respect
to the provider’s patient safety work
product.
A PSO would meet the minimum
contract requirement under the
proposed rule with two contracts, each
with a different provider, at some point
during a PSO’s sequential 24-month
periods of listing. The proposed rule
sought comment on how to interpret the
requirement that the required contracts
must be ‘‘for a reasonable period of
time,’’ asking whether the final rule
should use a standard that was timebased, task-based, or include both
options.
The proposed rule noted that PSOs
are required by the statute, to the extent
practical and appropriate, to collect
patient safety work product from
providers in a standardized manner that
permits valid comparisons of similar
cases among similar providers. We
stated that we were considering
including in the final rule, and sought
comment on, a clarification that
compliance would mean that a PSO, to
the extent practical and appropriate,
will collect patient safety work product
consistent with guidance that the
Secretary is developing regarding
reporting formats and common
definitions when the guidance becomes
available. We also sought comment on
the process for the development of
common formats and definitions.
Overview of Public Comment: Most of
the comments we received on this
subsection focused on the contract
requirement and the specific questions
posed by the proposed rule. Nearly all
of the commenters who addressed the
issue supported the inclusion in the
final rule of a requirement that PSOs
must notify a provider if the work
product submitted by the provider was
inappropriately disclosed or its security
was breached. Those favoring the
inclusion of the requirement cited
concern about the sensitivity of patient
safety work product and the importance
of ensuring that providers know if the
PSO to which they reported data was
living up to its obligations to protect the
security and confidentiality of their
data. They noted that the HIPAA
Privacy and Security Rules will not
always be applicable: That some
providers will not be considered
covered entities and identifiable patient
safety work product may not always
contain protected health information.
Those opposed to the requirement
argued that most patient safety work
product will contain protected health
information and providers reporting to a
PSO are likely to be covered entities.
Thus, the HIPAA Privacy Rule will
cover most situations and, if providers

PO 00000

Frm 00022

Fmt 4701

Sfmt 4700

had additional concerns, they could
address them contractually. It was also
suggested that the preamble to the final
rule should carefully describe a PSO’s
obligations when the HIPAA Privacy
and Security Rules apply and the
requirements to report impermissible
disclosures even when protected health
information is not involved.
With respect to the statutory
requirement for contracts with more
than one provider, several commenters
proposed that one contract with
multiple providers should be deemed to
meet the statutory requirement. These
commenters often argued that it was
inefficient to require a PSO to enter
multiple contracts when the statutory
intent of collecting data from multiple
providers could be met through a single
contract. Several commenters alleged
that the proposed rule did not interpret
the requirement that contracts be
entered with ‘‘different providers’’ and
sought clarification in the final rule.
The vast majority of commenters
opposed including any standard in the
final rule for determining when one of
the required contracts was ‘‘for a
reasonable period of time.’’ Many
argued that this decision should be left
to the marketplace, permitting providers
and PSOs to enter customized
arrangements. A few commenters
supported incorporation of a time-based
standard, ranging from 3–12 months.
One commenter recommended
incorporating both time-based and taskbased standards.
In response to our specific request for
comment on whether the final rule
should reference the Secretary’s
guidance on common formats and
definitions, the vast preponderance of
comments were supportive, with many
detailing reasons why use of common
formats was important. Several
organizations offered caveats to their
support, such as concern that the
development of Secretarial guidance
might slow the process and may further
interfere with innovation. Many
organizations offered suggestions to the
Department such as: Allowing private
sector feedback; harmonizing with other
data reporting requirements; allowing
collection of data in addition to the
common formats, particularly for use at
the local level; and allowing time to
phase in use of common formats.
Virtually all comments were
supportive of the process by which the
Department was developing guidance
on common formats. Many commenters
suggested steps that they wished the
Department to take such as: Greater or
earlier involvement of the private sector;
transparency in the process; acceptance
of comments from outside government;

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
and use of evidence from existing
reporting systems. The process we
outlined for private sector consultation
was viewed positively. We received
several comments and
recommendations related to this process
that were outside the scope of the rule
and, therefore, are not addressed below.
Final Rule: For convenience and
clarity, we have modified the text in the
final rule to separate initial and
continued listing within § 3.102(b)(1),
which states the required certifications
for the eight patient safety activities and
within § 3.102(b)(2), which states the
required certifications for the seven PSO
criteria. This modification does not
reflect a substantive change.
We have incorporated in
§ 3.102(b)(1)(B) of the final rule one
additional requirement, posed as a
question in the proposed rule and
strongly supported by commenters, that
a PSO must inform the provider from
which it received patient safety work
product if the work product submitted
by that provider is inappropriately
disclosed or its security is breached.
The Department recognizes that in
certain cases a PSO may not know the
identity of the provider that submitted
patient safety work product, e.g.,
anonymous submissions, or it might not
be possible to contact the provider, e.g.,
if the provider has gone out of business
or retired. In these cases, the
Department would expect the PSO to be
able to demonstrate, if selected for a
‘‘spot check,’’ that it made a good faith
effort to reach every provider that
submitted the work product subject to
an inappropriate disclosure or a security
breach. We also note that this
requirement only requires the PSO to
contact the provider that submitted the
information; the PSO is not expected to
contact providers or others whose
names are included in the patient safety
work product. As a business associate of
a provider covered by the HIPAA
Privacy Rule, the PSO must abide by its
business associate contract with that
provider, obligating it to notify the
provider if it becomes aware of an
impermissible disclosure of protected
health information. See 45 CFR
164.504(e)(2)(ii)(C). Once the PSO has
informed the provider of the
impermissible disclosure, the HIPAA
Privacy Rule requires the provider to
mitigate the harmful effects of an
impermissible disclosure. See 45 CFR
164.530(f).
We have also incorporated in
§ 3.102(b)(2)(i)(C) a minor modification
in the text of the criterion relating to the
required two contracts. The text in the
proposed rule stated that a PSO ‘‘must
have entered into two bona fide

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

contracts’’ with different providers; we
have deleted the words ‘‘entered into.’’
Our intent in the proposed rule text was
to encourage PSOs to enter long-term
contracts with providers by enabling a
multi-year contract to be counted
toward the two contract minimum in
each of the 24-month periods during
which the contract was in effect. By
deleting the words ‘‘entered into,’’ the
text of the final rule more clearly
reflects our original intent.
We also provide clarification here,
which we did not consider necessary to
include in the rule text, regarding the
obligations of a PSO. The certifications
for initial listing regarding patient safety
activities track the statute and require a
PSO to have policies and procedures in
place to perform patient safety
activities. At continued listing, PSOs
will be expected to have performed all
eight patient safety activities. Some of
the required patient safety activities
must be performed at all times, such as
utilizing qualified staff, having effective
policies and systems to protect the
security and confidentiality of patient
safety work product when the PSO
receives work product, undertaking
efforts to improve the quality and safety
of patient care, and developing and
disseminating information to improve
patient safety. Other required patient
safety activities can only be performed
when the PSO is working with a
provider (such as providing feedback to
participants in a patient safety
evaluation system) and receiving patient
safety work product from providers
(such as utilization of patient safety
work product to develop a culture of
safety).
The Department recognizes that, for
any given contractual arrangement,
providers, not PSOs, will determine the
tasks PSOs undertake and for which
they will be compensated. Therefore,
our approach to assessing compliance
will be as follows. If subject to a spot
check for compliance, a PSO must be
able to demonstrate that it has
performed all eight patient safety work
products at some point during its threeyear period of listing. However, we will
expect a PSO to demonstrate that it
performs throughout its period of listing
the patient safety activities that are not
dependent upon a relationship with a
provider or receipt of patient safety
work product. We will expect
compliance with the other patient safety
activities consistent with the contracts
or agreements that the PSO has with
providers. A component PSO that is
established by a health care provider,
and for which the parent-provider
organization is a primary client, would
not be dependent on external contracts

PO 00000

Frm 00023

Fmt 4701

Sfmt 4700

70753

and would be expected to be in
compliance with all eight patient safety
activities during its entire period of
listing.
In response to commenters who
sought clarification on what is meant by
compliance with the two-contract
requirement, we reaffirm that the
statutory requirement is clear. There
must be two written contracts; a single
contract with multiple providers can
only be counted as one contract. We
interpret the requirement that the
contracts must be with ‘‘different’’
providers straight-forwardly. The only
requirement is that the bona fide
contracts must be with individuals or
institutions that are providers as defined
in the rule. We have imposed no other
requirements; the contracts can be with
an institutional provider and an
individual clinician, or with two
entities within the same or different
system(s).
After careful consideration of the
comments we received, the Department
has concluded that we will not
incorporate an interpretation of the term
‘‘each for a reasonable period of time’’
regarding the required contracts. As we
noted in the proposed rule, our intent in
proposing to interpret the language was
to give providers increased certainty
that the listing of the PSO to which they
are reporting data could not be
challenged on the basis that its required
contracts were not for a reasonable
period of time. However, the provider
community opposed interpreting the
provision, fearing that it would limit
their ability to customize contracts to
meet their analytic needs and urged the
Department to rely upon the
marketplace to interpret this
requirement. With no empirical basis for
choosing one standard or one time
frame over another, and given the
inability to anticipate what types of
contractual relationships will evolve
under the final rule, the Department
concluded that incorporating a standard
at this time could have unintended
negative consequences and has chosen
not to do so. As a result, a PSO will be
required to have two contracts in effect
at some point during each 24-month
reporting period established by the
statute but the contracts are not required
to cover a specific or minimum time
period and they are not required to be
in effect at the same time.
While we received overwhelmingly
favorable support for requiring
compliance with the Secretary’s
guidance on common definitions and
reporting formats (common formats) for
the collection of patient safety work
product, we recognize that the
Department’s efforts to develop

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

70754

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

guidance will take time. We issued
common formats in August 2008
addressing all patient safety events in
acute-care hospitals; AHRQ has made
the common formats available on its
Web site to facilitate their use by
providers with varying levels of
sophistication as well as by PSOs. The
guidance will be expanded over time to
other settings of care. Because we
anticipate that some PSOs may choose
to concentrate their work in areas for
which guidance from the Secretary is
not yet available, we have modified the
text of the rule by incorporating a new
paragraph (iii) that interprets
compliance in the following way.
At initial listing, the requirement will
be interpreted as a commitment by the
entity seeking listing to adopt the
Secretary’s recommended formats and
definitions by the time it seeks
continued listing ‘‘to the extent practical
and appropriate.’’ During the initial
three-year period of listing, AHRQ will
not issue a preliminary finding of
deficiency to any PSO that has not
adopted the Secretary’s recommended
formats and definitions.
At continued listing, a PSO will be
required to: (1) Certify that the PSO is
using the Secretary’s guidance for
common formats and definitions; (2)
certify that the PSO is using an
alternative system of formats and
definitions that permits valid
comparisons of similar cases among
similar providers; or (3) provide a clear
explanation for why it is not practical or
appropriate for the PSO to comply with
options (1) or (2) at this time. The
Secretary will consider a PSO to be in
compliance if it is using the Secretary’s
guidance, satisfactorily demonstrates
that the alternative system it is using
permits valid comparisons of similar
cases among similar providers, or
satisfactorily demonstrates why neither
option is practical or appropriate at this
time. An example of a satisfactory
justification might be that the PSO
specializes in analyses in a specific
niche of health care delivery in which
there remains significant controversy
over relevant reporting formats and
definitions and/or the Secretary has not
recommended any relevant common
formats or definitions. The Secretary, if
he determines that the PSO is otherwise
eligible for continued listing, but has
not satisfactorily demonstrated that it
meets one of the three requirements in
§ 3.102(b)(2)(iii), may exercise his
discretion to continue the listing of the
PSO and use the process for correction
of deficiencies in § 3.108(a) to bring the
PSO into compliance after its listing has
been continued.

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

We believe this approach effectively
balances the statutory goal of promoting
the ability to aggregate, and learn from,
patient safety work product, while
recognizing the statutory caveat that this
requirement applies ‘‘to the extent
practical and appropriate.’’ Our
approach ensures that PSOs will take
the requirement seriously and that a
PSO’s statement that it is not ‘‘practical
or appropriate’’ to comply at this time
is well-founded.
Response to Other Public Comments.
Comment: Several commenters
suggested that the final rule include a
requirement that entities provide
assurances that they are financially
viable.
Response: The Department has not
adopted this proposal. We do not
believe that assuring the financial
viability of PSOs is either an authorized
or an appropriate Federal task in
carrying out the Patient Safety Act. The
statutory framework leaves this inquiry
and determination to prospective clients
in the market for PSO services. PSOs
will learn to address this concern
routinely if required by providers to do
so.
Comment: One commenter suggested
that the final rule include a provision to
require PSOs to have policies and
procedures in place to safeguard the
privacy and confidentiality of a staff
member of a PSO, who is identified in
patient safety work product.
Response: The Department agrees that
PSOs should consider and address
issues of confidentiality, including
those of its workforce members.
However, we do not believe it is
appropriate or necessary to mandate
how a PSO addresses this issue.
Comment: Several commenters raised
concerns regarding the statutory
requirement that ‘‘the mission and
primary activity of a PSO must be to
conduct activities that are to improve
patient safety and the quality of health
care delivery’’ might make it difficult for
existing organizations with multiple
activities to qualify for listing. One
commenter suggested that the
requirement be altered so that the
mission and primary activity ‘‘includes’’
quality improvement and patient safety.
Questions were also raised whether
organizations that currently undertake
other activities such as provider
education or other collections and
analyses of clinical data to improve the
quality, safety, and efficiency of health
care would meet the requirement.
Response: It is important to recognize
that the language at issue was
incorporated into the proposed rule
directly from the statute. Accordingly, it

PO 00000

Frm 00024

Fmt 4701

Sfmt 4700

has been retained. We note that this
statutory language imposes a dual
requirement: improvement of patient
safety and the quality of health care
delivery must be reflected in the entity’s
mission and this improvement activity
must constitute the entity’s primary
activity. Since many organizations
could reasonably claim that
improvement of the quality of health
care and patient safety are fundamental
to their missions and even have these
words in their mission statements, the
critical and distinguishing requirement
in this statutorily-based criterion is that
such improvement activities must be the
entity’s primary activity.
While we understand the rationale of
the commenter—many of the
organizations interested in becoming
PSOs will have difficulty attesting that
this is their primary activity—the
Department does not have the authority
to alter this statutory requirement by
making improvement of health care
delivery and patient safety one of any
number of significant activities that an
organization performs. The statute
effectively recognizes this dilemma and
provides an option in this situation. An
entity can create a component
organization, discussed in the next
subsection, to seek listing. Such a new
component created for this exclusive
purpose or with this purpose as its
primary activity would inherently meet
this requirement.
It is likely that some providers will
find it more reassuring to work with a
PSO that is focused solely on the
statutorily mandated objectives. If an
organization with other activities and
personnel is listed in its entirety as a
PSO, it can share a provider’s
identifiable patient safety work product
throughout the legal entity, including
with individuals who are not involved
in the work of the PSO, without
violating the disclosure restrictions of
the statute and without triggering
Federal enforcement action pursuant to
subparts C and D of the rule. We expect
many providers will prefer that their
protected information be closely held.
Thus, existing organizations have other
reasons, in addition to the mission and
primary activity criterion, to consider
the option of establishing a PSO as a
component organization.
In response to an example posed in
two separate comments, if an entity’s
primary activity is the collection and
analysis of clinical data to improve the
quality, safety, and efficiency, the
Department would consider these
activities consistent with the statutory
requirement. Other situations may
warrant discussion with AHRQ staff
during the planning stage of a PSO or

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
at least before submitting certifications
for listing. Another example posed by a
commenter—an entity that provides
general health education to providers—
would appear to require further
discussion. As presented, general health
education would appear to have a link
to, but an inadequate emphasis on, the
analytic focus of a PSO’s mandatory
patient safety and quality improvement
activities. The health education entity
can certainly avail itself of the option to
establish a component organization to
seek listing.
Comment: One commenter asked
what is meant by the concept of carrying
out patient safety activities. Does this
mean that patient safety activities must
be performed and, if so, when?
Response: We note that this obligation
rests with a PSO, not providers. The
requirement means that a PSO must
perform all eight patient safety activities
during its period of listing. We clarify
how the Department will assess PSO
compliance with this requirement in the
discussion of the final rule above.
Comment: One commenter asked if a
PSO could meet the minimum contract
requirement by entering a contract with
a 50-hospital system and one
independent practitioner (either with a
physician or nurse practitioner).
Response: To meet the requirement, a
PSO must have at least two contracts
with different providers. In this case, a
contract with a solo health care
practitioner (such as a physician or a
nurse practitioner) would meet the
requirement for the second contract.
Comment: One commenter asked if a
contract between the parent of a health
system and a PSO is tantamount to
entering a contract with each provider
that comprises the health system.
Response: Such an arrangement does
not meet the requirement; the
requirement focuses on the number of
contracts, not the number of providers
that are involved with any contract. The
rule, based on the terms of section
924(b)(1)(C) of the Public Health Service
Act, requires two contracts.
Comment: Can providers within the
same system count as different
providers for meeting the minimum
contract requirement?
Response: The answer to this question
is yes if the PSO has separate contracts
with at least two different providers.
Whether the providers have a common
organizational affiliation is not relevant.
The only requirements are that the
individuals or facilities must be
providers as defined in § 3.20 of the rule
and that there are at least two contracts
with different providers. Once again, the
focus of the requirement is the number
of contracts.

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

Comment: A commenter asked if the
establishment of a ‘‘relationship’’ with a
provider is sufficient to meet the
minimum contract requirement.
Response: No. The rule requires two
bona fide contracts, as defined in
section 3.20, meeting the requirements
of the rule.
Comment: One commenter expressed
concern about the ability of his agency
to meet the minimum contract
requirement. His agency administers a
public patient safety reporting system to
which hospitals are required to report
by state law. His concern was that the
hospitals might see no need to enter
contracts with his agency if it were
listed as a PSO.
Response: The modifications to the
final rule in § 3.102(a)(2)(ii) preclude an
entity that manages or operates a
mandatory patient safety reporting
system from seeking listing as a PSO.
Comment: One commenter urged that
the final rule not marginalize State
mandatory reporting systems through
the separation of provider reporting to
PSOs. The commenter recommended
that the final rule permit States to
become listed as PSOs or enter into
collaborative arrangements with PSOs to
share data and staff.
Response: While we believe that an
entity that operates a Federal, state,
local, or Tribal mandatory patient safety
reporting system should not be listed as
a PSO, the rule does permit a
component of such an entity to seek
listing. A PSO that is a component of an
excluded entity is prohibited from
sharing staff with the excluded entity
and has limitations on its ability to
contract with such a parent organization
(see § 3.102(c)(4)). However, the
component PSO could enter into some
types of limited collaboration with an
excluded entity. For example, a PSO
may accept additional data from an
excluded entity for inclusion in its
analyses with the understanding that
the PSO may only share its findings
pursuant to one of the permissible
disclosures in Subpart C, e.g., if the
findings are made non-identifiable. In
addition, other PSOs similarly may
share their nonidentifiable findings with
mandatory state patient safety reporting
systems and to the extent permitted by
state law the state systems might give
data to completely separate PSOs for
analysis and reports in nonidentifiable
terms.
Comment: Several commenters
suggested that excluded entities might
become members of a PSO as long as
they were not vertically linked to the
PSO, although they did not explain
what they meant by the term, members.

PO 00000

Frm 00025

Fmt 4701

Sfmt 4700

70755

Response: It is not clear what the
commenters mean by a ‘‘member’’ of a
PSO in this context. To the extent that
the comments are referring to a possible
joint venture that creates a PSO, there
are few productive roles that an
excluded entity could play. Such
excluded entities could not have or
exercise any level of control over the
activities or operation of a PSO. Thus,
they could not have access to patient
safety work product. As a result, the
potential for involvement of an
excluded entity with a PSO would be
very limited.
We note, however, that a component
of an entity excluded by § 3.102(a)(2)(ii)
can seek listing. These types of
component organizations must meet
additional requirements set forth in
§ 3.102(c)(1).
Comment: One commenter requested
clarification regarding the required
patient safety activity to provide
feedback and assistance to providers to
effectively minimize patient risk.
Response: We recognize that the
performance of some patient safety
activities will be dependent upon a
PSO’s arrangements with its clients. As
we noted in our discussion of the final
rule, we will interpret a PSO to be in
compliance with this requirement if the
feedback and assistance is performed at
some point during the PSO’s period of
listing.
Comment: Two commenters pointed
to the importance of the use of
contracted staff to enable a PSO to carry
out its duties, especially in rural or low
population density areas. In such
circumstances, a PSO needs to draw
upon competencies and skills as needed
and asked that we clarify that such
contractors, whether paid or volunteer,
could enable a PSO to meet the
qualified staff requirement.
Response: The Department assumes
that many PSOs, especially component
PSOs, will use a mix of full-time
personnel and individuals from whom
they seek services as needed, whether
paid or on a volunteer or shared basis.
That is why we have incorporated a
broad definition of ‘‘workforce’’ in the
rule that encompasses employees,
volunteers, trainees, contractors, and
other persons whether or not they are
paid by the PSO. As defined in this rule,
workforce refers to persons whose
performance of activities for the PSO is
under the direct control of the PSO. In
addition, however, a PSO is free to enter
contracts for specific or specialized
services, subject to other requirements
of the rule.

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

70756

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

(C) Section 3.102(c)—Additional
Certifications Required of Component
Organizations
Proposed Rule: Along with the 15
requirements under subsection (b) that
all PSOs would have to meet, § 3.102(c)
of the proposed rule would require an
entity that is a component of another
organization to make three additional
certifications regarding: (1) The secure
maintenance of patient safety work
product separate from the rest of the
organization(s) of which it is a part; (2)
the avoidance of unauthorized
disclosures of patient safety work
product to the rest of the organization(s)
of which it is a part; and (3) the mission
of the component organization not
creating a conflict of interest with the
rest of the organization(s) of which it is
a part.
We proposed two additional
requirements that would interpret these
statutory provisions: (1) A component
PSO could not have a shared
information system with the rest of the
organization(s) of which it is a part; and
(2) the workforce of the component PSO
could not engage in work for the rest of
the organization(s) if such work could
be informed or influenced by the
individual’s knowledge of identifiable
patient safety work product (except if
the work for the rest of the organization
is solely the provision of patient care).
The proposed rule did not propose an
interpretation, but sought public
comment, on the requirement that a
component organization not create a
conflict of interest with the rest of the
organization(s) of which it is a part.
We proposed, and sought comment
on, a limited option for a component
PSO to take advantage of the expertise
of the rest of its parent organization(s)
to assist the PSO in carrying out patient
safety activities. Under this proposal, a
component PSO could enter into a
written agreement with individuals or
units of the rest of the organization
involving the use of patient safety work
product, subject to specified
requirements.
Overview of Public Comments:
Numerous commenters strongly
disagreed with the Department’s
proposal that PSOs must maintain
separate information systems. These
commenters argued that it would
impose a tremendous financial and
administrative burden to establish
separate information systems. A number
of commenters suggested alternative
approaches that could achieve the same
goal. For example, one commenter
recommended that HHS adopt a nondirective concept of functional
separation and require PSOs to submit

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

with their certifications for listing a
description of how they intend to meet
the requirement for technological and
other controls to ensure that there is an
effective protection against
inappropriate access to the patient
safety work product held by the
component PSO.
There was significant concern with
the proposal to limit the sharing of
employees between the parent
organization(s) and the component PSO
if the employee’s work could be
informed by knowledge of a provider’s
identifiable patient safety work product.
Some commenters argued that the
prohibition was too broad, that it should
be narrowed, or that the standard was
too vague and had the potential for
creating confusion. A number of
commenters recognized the merits of the
intended prohibition but thought that
the proposed rule’s formulation was so
vague that it might limit the ability of
any physician in an academic health
center to assist the component PSO if
the physician supervised and evaluated
interns and residents during their
training, presuming this to be an
unintended result.
Several alternative approaches were
suggested, including: (1) Limit the
prohibition to staff in the parent
organization who would use patient
safety work product for non-patient
safety activities; (2) obtain pledges by
staff not to use patient safety work
product for ‘‘facility administrative
functions;’’ (3) limit the prohibition to
persons with disciplinary/credentialing
functions; (4) require management staff
to sign agreements not to use patient
safety work product in hiring/firing,
credential/privilege decisions; and (5)
permit shared staff for specific types of
entities, such as state hospital
associations, but not others.
Our proposal to provide a limited
option for a component PSO to draw
upon the expertise of its parent
organization(s) to assist the PSO in
carrying out patient safety activities was
well received. Most commenters were
supportive of the flexibility provided by
this provision although one commenter
suggested deleting it. Several
commenters stressed that a ‘‘substantial
firewall’’ should be maintained and that
such contracting should only be allowed
‘‘for clearly defined and limited staff
services.’’ One commenter urged that
such contracts or agreements should be
submitted to the Secretary in advance so
that they ‘‘can be scrutinized by HHS to
assess whether confidentiality or
privilege protections can practically
remain intact.’’
In our discussion regarding entities
excluded from listing in § 3.102(a)(2)(ii),

PO 00000

Frm 00026

Fmt 4701

Sfmt 4700

we noted that a number of commenters
that supported permitting components
of such entities to seek listing,
suggested, nevertheless, that we
establish additional limitations and
requirements. Their suggestions
included requiring that such a
component organization seeking listing
must: Specifically identify its parent
organization as a regulator and specify
the scope of the parent organization’s
regulatory authority; submit to the
Secretary attestations from providers
choosing to report to the PSO that they
have been informed of the scope of
regulatory authority of the parent
organization; and provide assurances to
the Secretary that the parent
organization has no policies that compel
providers to report patient safety work
product to its component PSO. They
also suggested such a PSO not be
permitted to share staff with the parent
organization and not be able to take
advantage of the proposed limited
provision that would permit a
component PSO to contract with its
parent organization for assistance in the
review of patient safety work product.
The proposed rule did not propose an
interpretation but sought comment on
the circumstances under which the
mission of a component PSO could
create a conflict of interest for the rest
of the parent organization(s) of which it
is a part. The recommendations of
commenters reflected a variety of
perspectives: One view was that the rule
should not adopt a general standard; a
component organization should disclose
what it believes may be its conflicts and
that this disclosure should be deemed
sufficient to have cured the conflict;
another said the Department should
undertake case-by-case analysis; and a
third suggested the Department should
adopt guidance, not regulatory language.
Another commenter wrote that there
could be no conflict of interest if the
parent organization is a provider; others
suggested that certain types of parent
organizations posed conflicts of interest,
such as when the parent organization is
an investor-owned hospital or if there
are certain legal relationships which
providers have with a parent
organization or its subsidiaries.
Similarly, one commenter suggested
that not-for-profit status of a PSO should
be an indicator that there is no conflict
of interest. In a parallel vein, another
commenter argued that if the PSO could
use or sell its information for
commercial gain, this was a conflict.
This commenter also argued that if a
PSO could be used to create an oasis
solely for protection of information
reported by the system that created it,
this represented a conflict; the

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
information held by a PSO must be
made available at minimal or no cost for
further aggregation. Another commenter
suggested that a component PSO should
never evaluate patient safety work
product of an affiliated organization; if
it does so, this creates a conflict-ofinterest.
Finally, several commenters also
suggested that there must be no conflict
between patient safety work product
and non-patient safety work product
functions. A similar comment from
another entity argued that a PSO must
certify that members of the component
PSO workforce are not engaged in work
for the parent organization that conflicts
with the mission of the PSO.
Final Rule: After careful consideration
of the extensive number of comments
received regarding component
organizations, the Department has
modified and restructured the text for
§ 3.102(c) in the following ways.
We have restructured § 3.102(c) into
four separate paragraphs. New
§ 3.102(c)(1)(i) lists the provisions with
which different component
organizations must comply. This
subparagraph sets forth the
requirements that all component
organizations must meet. The language
of this subparagraph is retained from the
proposed rule but includes a
requirement that all component
organizations must submit with their
certifications contact information for
their parent organization(s) and provide
an update to the Secretary in a timely
manner if the information changes. This
requirement was proposed in the
preamble but was not incorporated in
the text of the proposed rule. Many of
the commenters noted the importance to
providers of having information
regarding the parent organization of a
component PSO and, therefore, we have
incorporated the provision.
New § 3.102(c)(1)(ii) outlines the
requirements for components of entities
excluded from listing under
§ 3.102(a)(2)(ii) of this section. These
components must meet the
requirements for all component PSOs in
§ 3.102(c)(1)(i) as well as submit the
additional certifications and
information and adhere to the further
limitations set forth in § 3.102(c)(4) that
are discussed below.
New § 3.102(c)(2) restates the three
additional statutory certifications that
must be made by all component
organizations seeking listing. We have
deleted two requirements for
component entities from the text of the
proposed rule that were intended to
interpret these statutory requirements:
the requirement for separate information
systems and the restriction on the use of

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

shared staff. The final rule does not
impose these proposed requirements on
most component organizations.
However, as discussed below regarding
§ 3.102(c)(4), we have retained the
prohibition on shared staff only with
respect to components of entities that
are excluded from listing and, for such
component PSOs, narrowed the
circumstances when contracting with a
parent organization is permissible only
with respect to components of entities
that are excluded from listing.
With respect to separate information
systems, the Department has concluded,
based upon the information that was
included by commenters, that there are
a number of cost-effective alternatives
for achieving the statutory goal of
separate maintenance of patient safety
work product. Accordingly, we have
included new language that requires a
component PSO to ensure that the
information system in which patient
safety work product is maintained must
not permit unauthorized access by any
individuals in, or units of, the rest of the
parent organization(s) of which it is a
part.
Similarly, after careful consideration
of the comments, we have eliminated
the proposed restriction on the use of
shared staff for most component PSOs.
The Department has concluded that
there are significant incentives for
component PSOs and parent
organizations to be very cautious in
their use of shared personnel, protecting
against inappropriate disclosures, and
the disclosure of patient safety work
product. A number of commenters
appeared to appreciate the importance
of maintaining separation between their
patient safety activities and internal
disciplinary, privileges, and
credentialing decisions, which were the
focus of our concern.
Our review has led us to conclude
that the potential negative consequences
for providers, independent of any fear of
Department action, lessens the need for
the rule to address this issue. For
example, institutional providers are
likely to find it difficult to develop
robust reporting systems if the
clinicians on their staff learn or even
suspect that the same individuals
involved in analysis of patient safety
work product play key roles in
administrative decisions that can lead to
adverse personnel decisions. This may
lead to decreased reporting of patient
safety events. The suspicion of
contamination between the processes
could also provide a new basis for
challenging adverse employment
actions, which could require providers
to prove that their actions were not
influenced by inappropriate use of

PO 00000

Frm 00027

Fmt 4701

Sfmt 4700

70757

patient safety work product. Finally,
there is the right of action that the
statute grants to individual providers
who believe and allege that their
employer took an adverse employment
action against them based upon their
providing information to the employer’s
patient safety evaluation system for
reporting to the PSO or based upon their
providing information directly to the
PSO. Given the importance to providers
of maintaining protections for their
work product, we conclude that it is
unlikely that a parent organization will
intentionally jeopardize those
protections. Therefore, we have
eliminated the proposed restriction on
the use of shared staff, except for
components of entities excluded from
listing as discussed below regarding
§ 3.102(c)(4). In its place, we have
restated the statutory requirement that
the component organization (and its
workforce and contractors) may not
make unauthorized disclosures to the
rest of the organization(s) of which the
PSO is a part.
We have retained without change in
§ 3.102(c)(2)(iii) the proposed rule text
prohibiting the pursuit of the mission of
the PSO from creating a conflict of
interest with the rest of the
organization(s) of which it is a part. To
the extent that individuals or units of
the rest of the parent organization(s)
have obligations and responsibilities
that are inconsistent with the ‘‘culture
of safety’’ that the statute seeks to foster,
a component PSO could create a conflict
of interest by sharing identifiable
patient safety work product with them
as shared staff or under a written
agreement pursuant to § 3.102(c)(3),
discussed below. On the other hand, the
component PSO could draw upon the
expertise of these same individuals in
other capacities in which identifiable
work product is not shared and, thereby,
avoid creating conflicts of interest.
Thus, we would interpret permitting the
creation of conflicting situations for staff
or units of the parent organization(s) as
inconsistent with a component PSO’s
attestation.
Section 3.102(c)(3) retains without
substantive change the provision in the
proposed rule to enable a component
PSO, within limits, to take advantage of
the expertise of the rest of the
organization of which it is part. In
response to concerns expressed by some
commenters, we stress the statutory
requirement for the PSO to maintain
patient safety work product separately
from the rest of the organization. In such
circumstances, it cannot be transferred
to individuals or units of the rest of the
organization except as permitted by the
rule. As a practical matter, if the parent

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

70758

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

organization is a provider organization
and the component PSO is evaluating
the parent organization’s data, the
parent-provider is likely to have a copy
of all of the data transmitted to the
component PSO.
We do not dismiss the concerns of
commenters that this contracting
authority could be used inappropriately.
We remind each component PSO that
the statute requires it to maintain
patient safety work product separately
from the rest of the organization(s) of
which the component PSO is a part and
prohibits unauthorized disclosures to
the rest of the organization(s) of which
they are a part. Therefore, it may not be
appropriate for its parent organization to
serve as its main provider of analytic or
data services if such arrangements
would effectively confound statutory
intent for a firewall between a
component PSO and the rest of the
organization(s) of which it is a part. The
flexibility provided by the rule to use
in-house expertise is intended to
supplement, not replace, the PSO’s
authority to contract with external
expert individuals and organizations.
Section 3.102(c)(4) incorporates new
requirements, drawn from our review of
public comments, that only apply to
organizations that are components of
entities excluded from listing under
§ 3.102(a)(2)(ii). Thus, these component
organizations have three sets of
requirements to meet: The 15 general
certification requirements in
§§ 3.102(b)(1) and 3.102 (b)(2); the
requirements that all component PSOs
must meet in §§ 3.102(c)(1)(i) and
3.102(c)(2); and the requirements that
are established by § 3.102(c)(4).
Section 3.102(c)(4) establishes a
requirement for additional information
and certifications that must be
submitted with the component
organization’s certifications for listing
and it establishes two additional
restrictions with which a component
organization must comply during its
period of listing. The additional
information and certifications require a
component PSO of an entity described
in § 3.102(a)(2)(ii) to:
1. Describe the parent organization’s
role, and the scope of the parent
organization’s authority, with respect to
the activities which are the basis of the
parent organization’s exclusion from
being listed under § 3.102(a)(2)(ii).
2. Certify that the parent organization
has no policies or procedures that
would require or induce providers to
report patient safety work product to the
component organization once it is listed
as a PSO, and affirm that the component
PSO will notify the Secretary if the
parent organization takes any such

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

actions during its period of listing. An
example of an inducement would be if
a parent organization that accredited or
licensed providers awarded special
scoring consideration to providers
reporting to the parent organization’s
component PSO; additional scoring
consideration for reporting to any PSO,
by contrast, would not violate this
restriction.
3. Certify that the component PSO
will include information on its website
and in any promotional materials for
providers describing the activities
which were the basis of the parent
organization’s exclusion under
§ 3.102(a)(2)(ii).
We have incorporated these
additional requirements for information
and attestations to address widespread
concerns among commenters that an
excluded parent organization might
attempt to compel providers to report
data to its component PSO and
circumvent the firewalls for access to
that data. These extra requirements for
such component PSOs will strengthen
transparency and the additional
statements submitted with the
component organization’s certifications
will be posted on the AHRQ PSO Web
site along with all its other
certifications. Our intent is to ensure
that such a component organization’s
website and its promotional materials
for providers will inform providers
regarding the nature and role of its
parent organization. The rule is
emphatically clear that the Department
will take prompt action to revoke and
delist a component organization whose
excluded parent organization attempts
to compel providers to report data to its
component PSO. New § 3.108(e)(1) lists
specific circumstances, including this
situation, in which revocation and
delisting will take place on an expedited
basis.
During its period of listing, the final
rule also prohibits a PSO that is a
component organization of an entity
excluded from listing to share staff with
the rest of the organization(s) of which
it is a part. Such a component PSO may
enter into contracts or written
agreements with the rest of the
organization(s) under the authority
provided to all component PSOs by
§ 3.102(c)(3) but with one additional
limitation. Such contracts or written
agreements are limited to units or
individuals of the parent organization(s)
whose responsibilities do not involve
the activities that are the basis of the
parent organization’s exclusion under
§ 3.102(a)(2)(ii). If the parent
organization’s sole activity is the reason
for its exclusion, the component
organization could never enter a

PO 00000

Frm 00028

Fmt 4701

Sfmt 4700

contract or written agreement to have
staff from the rest of the organization
assist the PSO in carrying out patient
safety activities. If the parent
organization engages in a mix of
activities, some of which are not a basis
for exclusion from listing, the
component organization will be able to
take advantage of this contracting
option, subject to our caveat above.
Response to Other Public Comments
Comment: One commenter asked us
to confirm that component PSOs can
maintain patient safety work product
behind secure firewalls using existing
information systems.
Response: The modifications we have
adopted and discussed above means
that the final rule permits this approach.
Comment: Several commenters
suggested that it was unrealistic for the
component PSO to maintain patient
safety work product separately from its
parent organization if the parent
organization is a provider reporting data
to the component PSO.
Response: The Patient Safety Act
requires a component PSO maintain
patient safety work product separately
from the rest of the organization(s) of
which it is a part; therefore, we cannot
remove the restriction. While contracts
between a PSO and a provider are likely
to address the extent to which a
provider has access to information held
by a PSO, we caution contracting parties
to be mindful of this statutory
restriction in crafting their contracts.
The requirement for separation does not
mean that the component organization
cannot share information with a parent
organization but any sharing must be
consistent with the permissible
disclosures of this rule.
(D) Section 3.102(d)
Notifications

Required

(1) Section 3.102(d)(1)—Notification
Regarding PSO Compliance With
Minimum Contract Requirement
Proposed Rule: Section 3.102(d)(1) of
the proposed rule would require PSOs
to attest within every 24-month period,
beginning with its initial date of listing,
that the PSO has met the two-contract
requirement. We proposed to require
notification of the Secretary 45 days
before the end of the applicable 24month period. Early notification would
enable the Department to meet another
statutory requirement to provide PSOs
with an opportunity to correct a
deficiency. If the requirement is not yet
met, this would enable the Secretary to
establish an opportunity for correction
that ends at midnight on the last day of
the 24-month period.

E:\FR\FM\21NOR3.SGM

21NOR3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

dwashington3 on PRODPC61 with RULES3

Overview of Public Comments: The
comments we received endorsed our
proposed approach. One commenter
suggested we should consider requiring
notification 60 days in advance.
Final Rule: We expect that, in most
circumstances, contracts will be the
primary source of revenue for PSOs. In
light of the fact that only two contracts
are required, we do not anticipate that
many PSOs will reach this point in their
period of listing without meeting the
requirement. We have not accepted the
recommendation to require notification
sooner. The Department adopts the
provision as recommended in the
proposed rule without modification.
(2) Section 3.102(d)(2)—Notification
Regarding a PSO’s Relationships With
Its Contracting Providers
Proposed Rule: The proposed rule
incorporated in § 3.102(d)(2) the
statutory requirement that a PSO would
make disclosures to the Secretary
regarding its relationship(s) with any
provider(s) with whom the PSO enters
a contract pursuant to the Patient Safety
Act (Patient Safety Act contract). The
statute requires PSOs to disclose
whether a PSO has any financial,
contractual, or reporting relationships
with this contracting provider and, if
applicable, whether the PSO is not
managed, controlled, or operated
independently of this contracting
provider.
The proposed rule noted that a PSO
would need to make this assessment
when it enters a contract with a
provider and, if disclosures are
required, submit a disclosure statement
within 45 days of the effective date of
the contract. If relationships arise
during the contract period, submission
would be required within 45 days of the
date the relationships are established.
The proposed rule would have
provided guidance on our interpretation
of financial, contractual, and reporting
relationships and emphasized that the
statute required a PSO to ‘‘fully
disclose’’ the relationships. We noted
that disclosure would be required only
when the PSO entered a Patient Safety
Act contract with a provider and there
were relationships that required
disclosure. We also encouraged, but did
not require, PSOs to list any agreements,
stipulations, or procedural safeguards
that might offset the influence of the
provider and that might protect the
ability of the PSO to operate
independently.
Overview of Public Comments:
Commenters expressed concern that the
proposed rule was not sufficiently
specific with respect to the required
disclosure statements. They suggested

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

that the emphasis in the proposed rule
on the statutory requirement for full
disclosure, without a corresponding
discussion of the parameters for the
contents and level of detail of the
statements, raised the prospect that
PSOs would feel compelled to develop
disproportionately detailed information
that might not be germane. One
commenter suggested what was most
important is awareness of the
fundamental relationship(s) that exist,
not the specific details, suggesting that
if the provider in question is the parent
entity of the PSO, it should be sufficient
to know that the parent-provider is the
source of financial support to the PSO,
employs its workforce, and provides
management to its activities.
In addition, there was concern that
since the disclosure statements are
going to be made public, detailed
submissions regarding the financial and
contractual obligations would make it
difficult to maintain the confidentiality
of potentially sensitive business
information. Several commenters noted
that it is not unusual for certain types
of contractual work with commercially
sensitive implications to include
confidentiality agreements and one
commenter suggested that the process
permit a PSO to request that the
Secretary not disclose specific
information under certain
circumstances.
A number of commenters expressed
concern about the potential unintended
consequences of disclosure, especially
with respect to the identity of providers.
One commenter raised concern that the
requirement would lead to
‘‘differential’’ disclosure, by which the
commenter meant that, of the total
number of providers with which a PSO
enters contracts, only those with other
relationships would have their names
disclosed and the other providers would
not have their names made known
through the proposed public release of
disclosure statements by the Secretary.
Final Rule: After careful review of the
comments, the Department has
reconsidered its approach to this
disclosure requirement and has made
modifications to the text that are
incorporated in the final rule. Based
upon this review, we have shifted the
emphasis of the term ‘‘fully disclose’’
from stressing the level of detail that a
PSO must provide in describing each of
the other types of relationships (listed
below) that the PSO has with a
contracting provider to an emphasis on
requiring that the PSO disclose clearly
and concisely every relationship that
requires disclosure. This shift in
emphasis remains consistent with our
overall emphasis on transparency;

PO 00000

Frm 00029

Fmt 4701

Sfmt 4700

70759

without being burdensome, it enables
both the Secretary and providers
considering contracts with a PSO to
request additional information regarding
any relationships of concern. We have
adopted a clearer and narrower
interpretation of the disclosures of
relationships that must be made in view
of concerns expressed by commenters
about the scope of the required reports.
In response to requests for more
guidance on the required submissions,
this final rule calls for a two-part
disclosure statement and describes what
must be included in each part.
These modifications to the final rule
reflect several considerations. The
Department has concluded that the
Patient Safety Act does not provide
incentives for a provider to control or
manipulate the findings of a PSO with
respect to its own patient safety
information. A PSO’s conclusions and
recommendations are patient safety
work product and, whether the PSO is
critical or complimentary of the
provider or the provider agrees or
disagrees with the PSO, the PSO
analysis and guidance remains
confidential and privileged under the
Act, which means that there are
constraints on the ability of a provider
to disclose the PSO’s conclusions and
recommendations. Even when they can
be disclosed, calling the public’s
attention to positive findings is likely to
engender scrutiny of the extent to which
the provider’s relationship with its PSO
is truly an arms-length relationship. In
sum, providers have little to gain under
the statute’s framework from attempting
to control or manipulate the analyses
and findings of a PSO.
At the same time, the Department
expects the statutory disclosure
requirements, coupled with public
release of disclosure statements and the
Secretary’s findings as provided by
§ 3.104(b), will provide important and
useful information to providers seeking
to contract with a PSO. As we pointed
out in the proposed rule, a provider
seeking to contract with a PSO will have
its own standards for what other PSO
relationships it considers to be
acceptable. Therefore, the submission
and public release of this information
should improve the efficiency of the
search process by providers.
In light of these considerations, the
Department has determined that the
most appropriate interpretation of the
statutory requirement to ‘‘fully disclose’’
other relationships is to emphasize the
need to require the disclosure of every
pertinent relationship specified by the
statute. Providers that are considering
entering a contract with a PSO can
determine for themselves if any

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

70760

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

disclosed relationships pose concerns. If
so, they can then request further
detailed information as they see fit. This
approach has the further benefit of
limiting the potential for inappropriate
release of proprietary or commercial
information, another matter of concern
to commenters. The Department will
protect confidential commercial
information as permitted by the
Freedom of Information Act and in
accordance with 18 U.S.C. 1905.
Thus, in making his required
determination, the Secretary will both
give great weight to, and hold a PSO
accountable for, its attestation that it
will fully disclose all relationships
required to be reported and whether the
PSO’s operations, management, and
control are not independent of any
provider with whom it has entered a
Patient Safety Act contract. The
Secretary retains the authority to require
an entity to provide more detailed
information if necessary to make his
required determination under 42 U.S.C.
299b–24(c)(3) regarding the ability of
the PSO to fairly and accurately perform
its patient safety activities in light of
any reported relationships.
The final rule retains the general
framework of the proposed rule for a
PSO to use in determining when a
disclosure statement must be submitted.
The two thresholds remain unchanged.
The disclosure requirement only applies
when a PSO has entered a contract that
provides the protections of the Patient
Safety Act, i.e., a Patient Safety Act
contract, and the PSO has other
relationships with that contracting
provider of the types specified below. A
disclosure statement is not required if
the PSO has a Patient Safety contract
with a provider and the relationships
described below are not present, nor is
a disclosure statement required if the
relationships are present but there is no
Patient Safety Act contract.
We have restructured the text in the
final rule. There are now three
paragraphs: A restatement of the
requirement in paragraph (i), a
description of the required content of a
disclosure statement in paragraph (ii),
and the deadlines for submission of
disclosure statements set forth in
paragraph (iii).
Section 3.102(d)(2)(i) contains the
following substantive changes.
Compared with the requirements of the
proposed rule, this paragraph eliminates
the need to submit a disclosure
statement if the PSO’s only other
relationships with this contracting
provider are limited to Patient Safety
Act contracts.
In response to commenters’ questions
and concerns, we have modified the text

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

describing the statutory list of
disclosures: contractual, financial, and
reporting relationships are incorporated
in subparagraphs (A)–(C) and control,
management, and operation of the PSO,
independent from the provider, is
incorporated in subparagraph (D). We
have narrowed the language in
paragraphs (A)–(C) by limiting the
required disclosures to current
contractual, financial, and reporting
relationships and restating the
requirements to emphasize that
disclosure is only required for
relationships other than those in Patient
Safety Act contract(s). We have restated
and streamlined the language of
subparagraph (A) to emphasize
contracts and arrangements that impose
obligations on the PSO.
We have retained the substantive
requirements for financial relationships.
Based upon comments received, we
have determined that if the PSO is a
membership organization, the
Department does not consider dues or
other assessments applied to all
members to constitute a financial
relationship for this purpose. The rule
narrows the scope of subparagraph (C),
where the text narrows the definition of
reporting relationships to those in
which this contracting provider has
access to information about the work
and internal operation of the PSO that
is not available to other contracting
providers. By focusing on this particular
aspect of reporting relationships, we
have tried to make plain that it is not
our intent to collect information
regarding the multiple ordinary types of
reporting relationships that exist
routinely between contracting parties.
We have made the requirement
narrower both for clarity and simplicity.
The deleted reference to control is
addressed by subparagraph (D), which
we have narrowed to simply restate the
statutory language on what must be
disclosed or reported regarding
management, control, and operation
independent of the contracting provider.
We deleted the language requiring a
PSO to assess whether any of the
relationships in what is now
subparagraph (D) might impair its
ability to perform patient safety
activities fairly and accurately because
PSOs will now address these issues in
the required narrative that comprises
the second part of the disclosure
statement, described below.
New § 3.102(d)(2)(ii) specifies the two
required parts of a disclosure statement.
The first part must disclose in summary
form succinct descriptions of all of the
obligations that the PSO has with this
provider. The second part must be a
related short narrative (we recommend

PO 00000

Frm 00030

Fmt 4701

Sfmt 4700

no more than 1,000 words) that
addresses the issues described below
and is intended to explain the measures
taken by the PSO to assure that its
analyses and findings are fair and
accurate.
We use the term ‘‘obligations’’—rather
than the statutory term
‘‘relationships’’—in § 3.102(d)(2)(ii) of
the rule for the following reason. If a
PSO has multiple relationships with a
provider, many of these relationships
are likely to be both contractual and
financial (and may involve other
relationships for which the statute
requires disclosure). A disclosure
statement that was organized by the four
types of relationships that require
disclosure (subparagraphs (A)–(D)
discussed above) would be confusing
and difficult to interpret since items in
different categories would be related.
For example, if the PSO already has a
contract with a provider to render a
service for which it is paid, we do not
see the benefit of having the contract
listed in one reporting category and the
financial relationship in another
reporting category since they are clearly
related.
Therefore, in drafting the required
disclosure statement, a PSO should
address the four statutorily-required
disclosures discussed above as aspects
of the separate obligations or
arrangements that exist between a PSO
and the provider with which the PSO is
entering or has a Patient Safety Act
contract. A PSO should focus on clarity
and brevity in explaining each
obligation in a single paragraph: A
sentence or two describing the nature of
the obligation, and the remainder of the
paragraph should address each of the
four required disclosures that are
present and specifically note any of the
four that are not.
As we use the term, an obligation is
not limited to services that a PSO
renders to a provider (such as
developing information and undertaking
analyses or providing a service or
technical assistance). An obligation
could also reflect a PSO’s relationship
with an investor or owner and any
arrangement that affects the PSO’s
independence or involves any of the
statutorily-required disclosures
described above. In developing its list,
a PSO should not combine separate and
distinct obligations such as more than
one contract, nor should it disaggregate
a single obligation. For example, if a
PSO undertakes technology assessments
and has three separate contracts for
different assessments, these would be
three separate obligations and should be
reported separately. On the other hand,
an obligation that has more than one

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
task, such as providing assistance in
implementing and evaluating a process
improvement, should only be listed
once; we are not suggesting that PSOs
report separately on the different
elements of a single unified project.
To apply these concepts, consider a
hospital that was one of five hospitals
that invested in the creation of a PSO
and the hospital subsequently enters a
Patient Safety Act contract with the
PSO. If this investment is the only
obligation other than the Patient Safety
Act contract that exists between the PSO
and the provider, the PSO’s disclosure
statement would include only one
obligation and it could be described in
a single paragraph. Within that
paragraph, the PSO should
systematically address the required
statutory disclosures or note that they
are not present. In addressing financial
relationships, the PSO should not
include the amount of the investment or
specific terms. In this case, the required
paragraph would describe the essential
nature of the financial relationship, e.g.,
it is a loan requiring repayment over X
years; it is a long-term investment
requiring the payment of dividends,
etc., whether it was formalized by a
contract, whether a reporting
relationship exists, e.g., the provider has
access to internal quarterly financial
statements not available to other
providers, and whether the obligation
gives the provider any ability to control
or manage the PSO’s operations, e.g., the
provider has a seat on the board or
review or veto authority over new
clients, specific contracts, budgets, staff
hiring, etc.
If the PSO is a subsidiary of a health
system, the paragraph could indicate
that PSO is a subsidiary of the provider,
the provider is the primary source of
revenue for the component PSO, the
types of internal PSO information to
which the provider has access, e.g., all
financial, personnel, administrative
internal information, and that the
provider manages or controls (or has
review and approval authority) of dayto-day decision-making, hiring and
firing decisions, etc. By incorporating
the required statutory disclosures into a
succinct discussion of the obligations
that a PSO has with this provider, we
anticipate that the descriptions will be
more comprehensible.
Part II of a disclosure statement must
describe why or how the PSO, given the
disclosures in part I, can fairly and
accurately perform patient safety
activities. The PSO must address: The
policies and procedures that the PSO
has in place to ensure adherence to
professional analytic standards and
objectivity in the analyses it undertakes;

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

and any other policies, procedures, or
agreements that ensure that the PSO can
fairly and accurately perform patient
safety activities.
Section 3.102(d)(2)(iii) of the rule
retains the deadlines for submission of
disclosure statements that were
included in the proposed rule.
Response to Other Public Comments
Comment: One commenter asked that
we exempt a PSO with fewer than 5
clients from releasing the names of its
clients.
Response: We note that a PSO never
has to reveal the names of its clients
(providers) as long as the PSO does not
have the other types of relationships
described in this subsection with those
providers. However, when such
relationships are present, the statute
does not provide authority for us to
create such exceptions.
Comment: One commenter asked that
we clarify that the required disclosures
can be made in a way that the PSO does
not breach the confidentiality
requirements that may be a part of
another contractual arrangement with a
contracting provider.
Response: The Department cannot
make a definitive statement that such
confidentiality agreements can always
be honored; this requires a case-by-case
determination. A PSO is encouraged to
discuss the issue with AHRQ staff
before submitting a disclosure
statement. As noted above, the agency’s
public disclosures are constrained by 18
U.S.C. 1905, but agency officials have
some discretion with respect to
determining what information would be
restricted under that statute. We note
also that the agency has the discretion
to deny Freedom of Information Act
requests for information it regards as
confidential commercial information (5
U.S.C. 552(b)(4)). Agency
determinations will be assisted by
explanations of what is viewed by a
submitter as confidential commercial
information and the reasons why that is
the case.
Comment: One commenter posed a
series of questions related to an entity
that seeks listing that receives general
membership dues or assessments, i.e.,
whether such general dues or
assessments would be considered
financial relationships and, therefore,
require the filing of disclosure
statements. The commenter also asked if
disclosure of such membership dues or
assessments is required under any other
section of the rule.
Response: The Department has
determined that membership dues or
general assessments applied to all
members do not constitute ‘‘financial

PO 00000

Frm 00031

Fmt 4701

Sfmt 4700

70761

relationships’’ between a provider and a
PSO. There is no other section of the
rule that would require disclosure of
membership dues or assessments.
Before seeking listing, however, a
membership organization should
carefully assess whether it meets the
statutory requirement that its primary
activity must be the conduct of activities
to improve patient safety and the quality
of health care delivery.
2. Section 3.104—Secretarial Actions
(A) Section 3.104(a)—Actions in
Response to Certification Submissions
for Initial and Continued Listing as a
PSO
Proposed Rule: Section 3.104(a)
described the actions that the Secretary
could and will take in response to the
certification material submitted for
initial or continued listing as a PSO. We
proposed that, in making a listing
determination, the Secretary would
consider the submitted certifications,
issues related to the history of the
entity, and any findings by the Secretary
regarding disclosure statements. The
proposed rule also included authority
for the Secretary, under certain
circumstances, to condition the listing
of a PSO. We did not propose a deadline
for Secretarial review of certifications
submitted, but noted that we expect the
Secretary to be able to conclude review
within 30 days of receipt unless
additional information or assurances are
required.
Overview of Public Comments: We
received several comments pertaining to
this section. One comment endorsed the
proposed provision. Another requested
that we modify the rule to require
Secretarial action within 60 days. A
third commenter recommended that the
Secretary establish timetables for all
actions and opposed open-ended
timeframes.
Final Rule: We have retained the text
from the proposed rule with two
modifications. The text of
§ 3.104(a)(1)(iii) of the proposed rule
stated that the Secretary may require
conditions for listing as part of his
review of disclosure statements
submitted pursuant to § 3.102(d)(2); that
text has been retained. We also noted in
the preamble discussing proposed
§ 3.104(a) that there may be certain
circumstances in which the Secretary
determines that it would not be prudent
to rely solely on the certifications for
listing submitted by an entity that was
previously revoked and delisted for
cause or previously refused listing by
the Secretary. In such limited
circumstances, we suggested the
Secretary may seek additional

E:\FR\FM\21NOR3.SGM

21NOR3

70762

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

dwashington3 on PRODPC61 with RULES3

assurances from the PSO that would
increase the Secretary’s confidence that,
despite the history of the entity and its
officers and senior staff, the entity could
now be relied upon to comply with its
statutory and regulatory obligations. To
reflect the potential need for assurances
in such cases, and to better align the text
with the preamble discussion of the
proposed rule, we have modified the
text of § 3.104(a)(1)(iii) to permit the
Secretary to condition the listing of a
PSO in this limited circumstance to
ensure that such a PSO honors the
assurances it makes in seeking listing.
The second change is a conforming
modification to the basis for the
Secretary’s determination in
§ 3.104(a)(2), which specifically
recognizes the right of the Secretary to
take into account any history of or
current non-compliance with
requirements of the rule by officials and
senior managers of the entity. This
change also mirrors the requirement in
§ 3.102(a)(1) that entities seeking listing
inform the Secretary if their officials or
senior managers held comparable
positions in a PSO that was delisted or
with an entity that was denied listing by
the Secretary.
We have not accepted the
commenter’s recommendation to
establish a regulatory deadline of 60
days for Secretarial action. This is a
novel initiative and without a better
sense of the potential issues that may
arise, such as when a delisted PSO seeks
a new listing, we are reluctant to
circumscribe the flexibility that the
statute and the proposed rule provided
the Secretary. In addition, the statute
requires an affirmative acceptance and
listing action by the Secretary. Listing
cannot occur as a result of any failure
to meet a deadline. Accordingly, we
have not adopted the recommendation.
(B) Section 3.104(b)—Actions Regarding
PSO Compliance With the Minimum
Contract Requirement
Proposed Rule: Section 3.104(b) of the
proposed rule stated that, after
reviewing the required notification from
a PSO regarding its compliance with the
minimum contract requirement, the
Secretary would, for a PSO that attests
that it has met the requirement, would
acknowledge in writing receipt of the
attestation and include information on
the list of PSOs. If the PSO notifies the
Secretary that it has not yet met the
requirement, or if notification is not
received from the PSO by the required
date, the proposed rule stated that the
Secretary would promptly issue a notice
of a preliminary finding of deficiency
and provide the PSO an opportunity for
correction that will extend no later than

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

midnight of the last day of its applicable
24-month assessment period. If the
Secretary verifies that the PSO has not
met the requirement by the last day of
the 24-month period, he would issue a
notice of proposed revocation and
delisting.
Overview of Public Comments: We
received no comments on this
subsection.
Final Rule: The final rule incorporates
the substance of the NPRM text without
modification but restructures the text for
clarity. The restructured text clarifies
that the Secretary will only issue a
notice of a preliminary finding of
deficiency after the date on which a
PSO’s notification to the Secretary is
required by § 3.102(d)(1).
(C) Section 3.104(c)—Actions Regarding
Required Disclosures by PSOs of
Relationships With Contracting
Providers
Proposed Rule: Section 3.104(c) of the
proposed rule stated that the Secretary
would evaluate a disclosure statement
submitted by a PSO regarding its
relationships with contracting providers
by considering the nature, significance,
and duration of the relationships
between the PSO and the contracting
provider. We sought public comment on
other appropriate factors to consider.
The statute requires disclosure of the
Secretary’s findings, and we proposed
public release, consistent with the
Freedom of Information Act and 18
U.S.C. 1905, of PSO disclosure
statements as well.
This proposed section also listed the
statutorily permissible actions that the
Secretary could take following his
review: Conclude that the disclosed
relationships require no action on his
part or, depending on whether the entity
is listed or seeking listing, condition his
listing of the PSO, exercise his authority
to refuse to list, or exercise his authority
to revoke the listing of the entity. The
Secretary would notify each entity of his
findings and decisions.
Overview of Public Comments: One
commenter suggested that our proposal
that the Secretary consider the nature,
significance, and duration of the
relationship in evaluating the
relationships had no statutory
foundation. Another commenter
suggested that we take into account
corrective action. Several commenters
proposed that we rely upon the interagency work group that is assisting
AHRQ in developing common formats
and definitions for reporting patient
safety work product to assist in
developing disclosure statements. One
commenter suggested that we create a
‘‘safe harbor’’ for multi-hospital parent

PO 00000

Frm 00032

Fmt 4701

Sfmt 4700

organization systems that contract with
a PSO on behalf of some or all of its
hospitals so that a disclosure statement
would not be required, deeming that the
component PSO of a multi-hospital
organization can perform patient safety
activities fairly and accurately. Another
suggestion was that the Secretary should
adopt a standard requiring that there be
no conflicts of interests.
Final Rule: We have retained much of
the text from the proposed rule but have
modified the paragraph setting forth the
basis for the Secretary’s findings
regarding disclosure statements. In light
of the comments, we have deleted the
reference to ‘‘nature, significance, and
duration’’ as not appropriate in every
circumstance. The modification to the
rule now requires the Secretary to
consider the disclosures made by the
PSO and an explanatory statement from
the PSO making the case for why the
PSO can fairly and accurately perform
patient safety activities.
We have not adopted the other
suggestions. As we discuss above, with
respect to § 3.102(d)(2), we agree with
the commenter that there is little reason
for a provider organization to exert
inappropriate control over its
component PSO. At the same time we
do not believe the statute permits us to
waive Secretarial review under any set
of circumstances.
We do not agree with commenters
that the common formats inter-agency
work group is the appropriate group to
address disclosure statements. At this
time, their informatics and clinical
expertise and responsibilities are not
congruent with assisting in the design or
substantive requirements for disclosure
statements.
(D) Section 3.104(d)—Maintaining a List
of PSOs
Proposed Rule: The proposed rule
sought to incorporate in § 3.104(d) the
statutory requirement that the Secretary
compile and maintain a list of those
entities whose PSO certifications have
been accepted and which certifications
have not been revoked or voluntarily
relinquished. We proposed that the list
would include information related to
certifications for listing, disclosure
statements, compliance with the
minimum contract requirement, and any
other information required by this
Subpart. We noted that we expected to
post this information on the AHRQ PSO
Web site, and sought comment on
whether there are specific types of
information that the Secretary should
consider posting routinely on this Web
site for the benefit of PSOs, providers,
and other consumers of PSO services.

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
Overview of Public Comments: In
addition to the list in the proposed rule,
several commenters urged that we post
the contact information for the parent
organizations, subsidiaries, and
affiliates, a list of states in which the
parent organization does business, and
the business objectives of the parent
organizations, and whether each parent
organization is for-profit or not-forprofit.
Two commenters suggested that the
Secretary’s guidance on common
reporting formats and definitions should
be available on the PSO Web site. One
commenter urged that the final rule and
contact information for AHRQ staff
should also be available there. Another
commenter suggested that, since AHRQ
works with PSOs, the value to
prospective providers would be
increased if we posted information on
areas of specialization of individual
PSOs and use the Web site as one tool
for facilitating confirming analyses by
other PSOs of initial work.
Final Rule: The final rule incorporates
the proposed rule text without
modification. We have not modified the
text of the rule because most of the
recommendations relate to information
that AHRQ will be receiving or
producing for PSOs and can be posted
to the Web site without additions or
changes to the rule text.
Recommendations to post information
related to AHRQ staff and the final rule
can be done without regulation as well.
As AHRQ provides technical assistance
to PSOs and works with the provider
community to encourage the use of PSO
services, we expect to publish
information on the Web site that PSOs
and the provider community request. In
addition, the names and contact
information of parent organizations of
component PSOs and other information
submitted at listing will be posted in
accordance with the proposed rule text.
Commenters urged us to post some
information that we have no plans to
collect, and, therefore, we have not
accepted their recommendations. Most
of these recommendations related to the
business objectives, or the for-profit or
not-for-profit status of parent
organizations of component PSOs. In
our view, requiring component
organizations to submit such
information would be burdensome and
unnecessary. Providers will be able to
find that information by using the
published contact information on PSOs
and parent organizations.
(E) Section 3.104(e)—Three-Year Period
of Listing
Proposed Rule: Section 3.104(e)
proposed that listing as a PSO would be

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

for three years, unless the Secretary
revokes the listing or the PSO
voluntarily relinquished its status. We
also proposed that the Secretary would
send a written notice of imminent
expiration to a PSO no later than 45
calendar days before its listing expires
if the Secretary has not received a
certification seeking continued listing.
We sought comment on a requirement
that the Secretary publicly post the
names of PSOs to which a notice of
imminent expiration has been sent.
Overview of Public Comments:
Commenters were virtually unanimous
that, at the time we send a PSO a notice
of imminent expiration, we should post
similar information on the AHRQ PSO
website. Several commenters suggested
that PSOs should be required to notify
providers that the PSO has received a
notice of imminent expiration and
expressing concerns about the time
needed for providers to make alternative
arrangements. One commenter
suggested that notice to providers
should be a part of the contract with the
PSO. Another suggested that the
Department establish an email listserv
that providers could join for alerts such
as this. One commenter opposed public
notice and one expressed conditional
support, provided the Department
ensured the accuracy of the information
on the Web site.
Final Rule: We have modified and
redrafted § 3.104(e) of the final rule. The
final rule retains the proposed provision
that the period of listing will be for
three years, unless revoked or
relinquished. The first modification is
that this section now explicitly provides
for the automatic expiration of a PSO’s
listing at the end of three years, unless
the Secretary approves its certification
for continued listing before the date of
expiration. By incorporating this
modification and making the process
automatic, we have been able to
eliminate the proposal in § 3.108(c) for
a process we termed ‘‘implied voluntary
relinquishment.’’ In comparison with
the proposed rule approach, which
required the Secretary to take
affirmative action to delist a PSO that let
its certifications lapse, this automatic
approach simplifies the administrative
process.
We have modified subparagraph
3.104(e)(2) in two ways. We will send a
PSO a notice of imminent expiration
even earlier—at least 60 days rather
than 45 days—before its certifications
expire. We adopted the earlier
notification date in response to general
concerns reflected in the comments
about the time a provider needed to
make alternative arrangements and to
ensure sufficient time for the Secretary

PO 00000

Frm 00033

Fmt 4701

Sfmt 4700

70763

to review and make a determination
regarding certifications for continued
listing. The second modification
incorporates our proposal to post a
notice on the AHRQ PSO website, for
which commenters expressed strong
support. In combination, we expect
these modifications will provide both
the PSO and the providers from which
it receives data sufficient notice that the
entity’s period of listing is drawing to a
close.
We have not incorporated the
recommendation to require PSOs
receiving the notice to contact all
providers. We expect most providers
and PSOs to take advantage of AHRQ’s
existing listserv that will provide
electronic notice to all subscribers when
a notice such as this is posted on the
AHRQ PSO website. Providers will also
be able to sign up on the web site to
receive individual emails if their PSO
becomes delisted. In this way, we can be
assured that notification is sent to, and
received by, all interested parties.
(F) Section 3.104(f)—Effective Date of
Secretarial Actions
Proposed Rule: The proposed rule in
section 3.104(f) states that, unless
otherwise specified, the effective date of
each action by the Secretary would be
specified in the written notice that is
sent to the entity. We noted that the
Department anticipates sending notices
by electronic mail or other electronic
means in addition to a hard copy
version. We also pointed out that for
listing and delisting decisions, the
Secretary would specify both an
effective time and date for such actions
in the written notice to ensure clarity
regarding when information received by
the entity will be protected as patient
safety work product.
Overview of Public Comments: We
received no public comments on this
subsection.
Final Rule: The final rule incorporates
the proposed rule text without
modification.
3. Section 3.106—Security
Requirements
Proposed Rule: Section 3.106 of the
proposed rule outlined a framework
consisting of four categories for the
security of patient safety work product
that PSOs would consider in developing
policies and procedures for the
protection of data. Because § 3.106
contains only two subsections and we
received few comments, we will discuss
both subsections of the rule together.
Section 3.106(a) proposed that the
security requirements of this section
would apply to each PSO, its workforce
members, and its contractors whenever

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

70764

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

the contractors hold patient safety work
product. If contractors cannot meet
these security requirements, we
proposed that their tasks be performed
at locations at which the PSO can meet
these requirements. We stated that the
rule does not impose these requirements
on providers; this Subpart would only
apply to PSOs.
Proposed § 3.106(b) would have
established a framework consisting of
four categories for the security of patient
safety work product that a PSO must
consider. We proposed that each PSO
develop appropriate and scalable
standards that are suitable for the size
and complexity of its organization.
The four categories of the framework
would have included: Security
management issues (documenting its
security requirements, ensuring that its
workforce and contractors understand
the requirements, and monitoring and
improving the effectiveness of its
policies and procedures); separation of
systems (required physical separation of
patient safety work product, appropriate
disposal or sanitization of media, and
preventing physical access to patient
safety work product by unauthorized
users or recipients); security control and
monitoring controls (ability to identify
and authenticate users, an audit
capacity to detect unlawful,
unauthorized, or inappropriate
activities, and controls to preclude
unauthorized removal, transmission or
disclosures); and policies and
procedures for periodic assessment of
the effectiveness and weaknesses of its
overall approach to security (determine
when it needs to undertake risk
assessment exercises and specify how it
would assess and adjust its procedures
to ensure the security of its
communications involving patient
safety work product to and from
providers and other authorized parties).
Overview of Public Comments: There
were no public comments that
specifically addressed § 3.106(a) of the
rule. Commenters focused instead on
the overall security framework
established by § 3.106(b). The majority
of commenters supported the proposed
requirements and emphasized the
concepts of scalability and flexibility
that were reflected in the proposed rule.
Two commenters urged the Department
to adopt the HIPAA Security Rule
instead. Another commenter suggested
that the final rule should emphasize the
need for PSOs to maintain up-to-date
security processes and urged that the
final rule specifically recognize that
PSOs can include HIPAA Security Rule
requirements in their business associate
contracts with providers that are
covered entities.

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

While there were few comments
overall on this section of the rule, the
specific provision that elicited the most
concern was the requirement in
§ 3.106(b)(2) that patient safety work
product needed to be maintained
securely separate from other systems of
records. As discussed above with
respect to obligations of component
organizations, commenters expressed
concern regarding the potential burden
of such a requirement and several
pointed to the analytic benefits of being
able to readily merge data sets for
specific analyses. It was recommended
that the final rule permit the patient
safety work product and non-patient
safety work product to be stored in the
same database as long as the security
requirements are implemented for the
database as a whole.
Another commenter pointed to the
confusion, inconsistency, and errors
that were likely to result from the rule
text in which each paragraph began
with the words that a PSO ‘‘must
address’’ each security issue within the
framework while introductory
paragraph (b) indicated that PSOs
merely needed to ‘‘consider’’ the
security framework.
Final Rule: We have modified the text
of § 3.106 both to improve its clarity in
non-substantive ways and to incorporate
several substantive modifications in
response to the comments we received.
The changes to § 3.106(a) are for clarity.
For uniformity and brevity, throughout
§ 3.106, we have standardized
references regarding the application of
security requirements to the ‘‘receipt,
access, and handling’’ of patient safety
work product. The rule text defines
‘‘handling’’ of patient safety work
product as including its processing,
development, use, maintenance, storage,
removal, disclosure, transmission and
destruction.
We have incorporated several
modifications to the text of § 3.106(b).
We have both simplified the text of the
opening paragraph of this subsection
and substituted the requirement that
‘‘PSOs must have written policies and
procedures that address’’ for the
language of the proposed rule that stated
the ‘‘PSO must consider.’’ We agree
with the commenter that retention of the
proposed rule language would create
confusion regarding what is required of
a PSO. By retaining the language that
permits a PSO to develop specific
standards that address the security
framework in this section with
standards that are appropriate and
scalable, we intend to retain flexibility
for PSOs to determine how they will
address each element of the security
framework.

PO 00000

Frm 00034

Fmt 4701

Sfmt 4700

The most significant substantive
change in the security framework is in
§ 3.106(b)(2), which had required the
separation of patient safety work
product from non-patient safety work
product at all times. Based on comments
received, we have modified both the
title of § 3.106(b)(2) and the text of
§ 3.106(b)(2)(i). Section 3.106(b)(2) is
now entitled ‘‘Distinguishing Patient
Safety Work Product,’’ rather than
‘‘Separation of Systems,’’ and
§ 3.106(b)(2)(i) recognizes that the
security of patient safety work product
can be maintained either when patient
safety work product is maintained
separately from non-patient safety work
product or when it is co-located with
non-patient safety work product,
provided that the patient safety work
product is distinguishable. This will
ensure that the appropriate form and
level of security can be maintained. This
change responds to several comments
that opposed the absolute requirement
for separation in the proposed rule.
While we have, thus, allowed greater
procedural flexibility, we caution PSOs
to be attentive to ensuring that patient
safety work product remains
distinguishable at all times if it is not
kept separated. To the extent that
patient safety work product becomes comingled with non-protected
information, there is increased risk of
impermissible disclosures and
violations of the confidentiality
requirements of the rule and the Patient
Safety Act.
We have also eliminated a reference
to a PSO determination of
appropriateness that was in the text of
the proposed rule in § 3.106(b)(4)(i) as
redundant, since the rule permits a PSO
to develop appropriate and scalable
standards for each element of the
security framework, including this
element.
Given the strong support for our
flexible and scalable framework, we
have not adopted recommendations of
two commenters to substitute the
HIPAA Security Rule for these
provisions. We would expect that PSOs
that are familiar with, and have existing
rules that implement, the HIPAA
Security Rule will incorporate those
standards as appropriate, when they
develop their written policies and
procedures to implement security for
the patient safety work product they
receive, access and handle. The security
framework presented here does not
impose any limitations on the ability of
PSOs to incorporate or address
additional security requirements or
issues as the PSO determines to be
appropriate. The flexible approach we
have adopted should minimize the

E:\FR\FM\21NOR3.SGM

21NOR3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
potential for conflict with the
requirements of other programs. By
taking advantage of this flexibility, and
ensuring that its security requirements
also address the requirements of the
HIPAA Security Rule, a PSO should be
able to meet its obligations as a business
associate of any provider that is also a
‘‘covered entity’’ under HIPAA
regulations.

dwashington3 on PRODPC61 with RULES3

4. Section 3.108—Correction of
Deficiencies, Revocation and Voluntary
Relinquishment
Section 3.108 establishes the
processes and procedures related to
correction of deficiencies, revocation,
and voluntary relinquishment. Section
3.108(a) establishes the processes and
procedures for correction of deficiencies
by PSOs and, when deficiencies have
not been timely corrected, the process
leading to a decision by the Secretary to
revoke his acceptance of the entity’s
certification and delist a PSO. Section
3.108(b) sets forth the actions that the
Secretary and a PSO must take
following a decision by the Secretary to
revoke his acceptance of the entity’s
certification and delist the entity.
Section 3.108(c) establishes the process
by which an entity can voluntarily
relinquish its status as a PSO. Section
3.108(d) requires publication of notices
in the Federal Register whenever an
entity is being removed from listing.
New § 3.108(e) establishes an expedited
process for revoking the Secretary’s
acceptance of the entity’s certification
under certain circumstances.
(A) Section 3.108(a)—Process for
Correction of a Deficiency and
Revocation
Proposed Rule: Section 3.108(a) listed
in paragraph (a)(1) the circumstances
that could lead to revocation and
delisting and the remaining subsections
set forth our proposed process for
correction by a PSO of a deficiency
identified by the Secretary and, if the
deficiencies are not timely corrected or
cannot be ‘‘cured,’’ the process that
could lead to the revocation and
delisting. We review the entirety of
§ 3.108(a) here.
Once the Secretary believes that a
PSO is deficient in meeting its
requirements, proposed § 3.108(a)(2)
outlined the processes he would follow.
First, the Secretary would send a
written notice of a preliminary finding
of deficiency; the contents of the
deficiency notice are specified in the
rule. Following receipt of the notice, a
PSO would have 14 days to correct the
record by submitting evidence that the
information on which the preliminary
finding had been based was factually

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

incorrect. The Secretary could then
withdraw the notice or require the PSO
to proceed with correction. The
preamble sought comment on whether
there should be an expedited revocation
process when deficiencies are not, or
cannot, be cured. Public comment and
the provisions of the final rule are
discussed below in new subsection (e),
expedited revocation.
Following the correction period,
proposed § 3.108(a)(3) would have
required the Secretary to determine
whether a deficiency has been
corrected. The Secretary could
determine: (1) The deficiency is
corrected and withdraw the notice of
deficiency; (2) additional time for, or
modification of, the required corrective
action is warranted; or (3) the deficiency
is not corrected, the PSO has not acted
with reasonable diligence or timeliness,
and issue a Notice of Proposed
Revocation and Delisting.
Section 3.108(a)(4) would have
provided an automatic 30 calendar day
period, unless waived by the PSO, for it
to respond in writing to the proposed
revocation and delisting. If a PSO fails
to submit a written response, the
Secretary would revoke his acceptance
of its certification, and delist the entity.
After review of the response and other
relevant information, § 3.108(a)(5)
proposed that the Secretary could
affirm, reverse, or modify the notice of
proposed revocation and delisting, and
notify the PSO in writing of his decision
with respect to any revocation of his
prior acceptance of its certification and
delisting. We noted that the proposed
rule did not include an administrative
process for appealing the Secretary’s
decision to revoke his acceptance of the
entity’s certification and delist a PSO,
and specifically sought public comment
on our approach.
Overview of Public Comments:
Commenters focused on the due process
aspects of subsection (a). While most
commenters commended the proposed
rule for its focus on working with PSOs
to resolve deficiencies and its inclusion
of due process elements throughout the
process, the commenters recommended
that the final rule incorporate an
additional opportunity for an
administrative appeal of a revocation
and delisting decision and expressed
concern that the final rule should not
limit the due process rights and
opportunities that had been proposed.
For example, while several
commenters endorsed our overall
approach, no commenter specifically
stated agreement with our decision not
to include an administrative appeal
mechanism following a decision by the
Secretary to revoke his acceptance of the

PO 00000

Frm 00035

Fmt 4701

Sfmt 4700

70765

entity’s certification and delist a PSO for
cause. The eight commenters that
specifically addressed the issue
recommended inclusion of such a
mechanism.
Final Rule: The final rule incorporates
only technical modifications to the text
of subsection 3.108(a). The deletion of
text in § 3.108(a)(1)(ii) is intended to
clarify that the basis for revocation and
delisting matches our intent in the
proposed rule, i.e., the failure to meet
the two-contract requirement, not the
failure to timely notify the Secretary
that the requirement had been met. In
addition, we have incorporated a related
new § 3.108(e) that establishes a new
expedited revocation process to be used
in exceptional circumstances.
Despite the strong support by
commenters that we incorporate in the
final rule an opportunity for an
administrative appeal when the
Secretary decides to revoke his
acceptance of a PSO’s certification and
delist a PSO for cause, we have not
modified the rule. The process
described in § 3.108(a) permits an early
response to findings of deficiency and
where facts cited by the Secretary are
correct, the process emphasizes the
Department will work with PSOs to
correct deficiencies, rather than
punishing PSOs for deficiencies. Given
the flexibility and extensive nature of
the communication and correction
opportunities and procedures outlined
in 3.108(a), we expect that the
revocation process will be utilized
rarely, and only after significant efforts
have been made to bring a PSO back
into compliance. However, if a PSO is
not working with us in good faith to
correct any remaining deficiencies,
there must be a timely finality to the
process. For this system to work,
providers must have confidence that the
Department will act in a timely manner
when a PSO chooses not to meet its
statutory and regulatory obligations.
Response to Other Public Comments
Comment: One commenter
recommended that the rule provide
some degree of transparency regarding
PSOs that have received notice of
deficiencies by posting some limited
information about this on the PSO Web
site.
Response: The Department gave
careful consideration to this comment
because of our overall commitment to
providing transparency wherever
possible. Our conclusion is that we will
not post information on deficiencies
because of our concern that this will
undermine another of our objectives,
which is to promote and permit
correction of deficiencies in a non-

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

70766

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

punitive manner. Providers considering
entering a contract with a specific PSO
are, of course, free to seek information
from the PSO regarding whether it has
received deficiency notices and is
currently under an obligation to take
corrective actions.
Comment: Another commenter
suggested that the final rule specifically
recognize the authority of the Secretary,
if warranted by the circumstances that
led to the delisting of a PSO, to debar
the entity from seeking a new listing for
a period of time.
Response: We have not adopted this
specific suggestion, but we note that the
Secretary is not required to relist an
entity automatically. The Secretary can
and will take into account the reasons
for the revocation and delisting and the
entity’s compliance with its obligations
following revocation and delisting.
Comment: Several commenters
suggested that the period of time
provided to the PSO to submit a written
response to a notice of proposed
revocation and delisting should be
expanded from 30 days to 45 days.
Response: We have not accepted this
recommendation. We recognize the
importance of striking a balance
between providing an entity sufficient
time to respond to such a notice and
ensuring that providers can have
confidence that the Department will act
in a timely manner when a PSO do not
meet its obligations. It is important to
realize that by the time the PSO receives
a notice of proposed revocation and
delisting under the process set forth in
§ 3.108(a)(3), the Department has
already worked with the PSO to correct
the deficiencies and has indicated
remaining problems so the PSO will
have reason to anticipate any such
notice of proposed revocation in
advance of its issuance. Thus the PSO,
realistically, will have more than 30
days to prepare its response to a
proposed revocation.
Comment: One commenter suggested
that, if the Secretary determines that the
PSO has conflicts of interest, this should
serve as a basis for proceeding directly
to revocation.
Response: The Department recognizes
the commenter’s underlying point that
conflicts of interest may, in fact, not be
curable and thus, in certain
circumstances, may warrant proceeding
directly to revocation. To the extent that
such a conflict of interest provides a
basis for the Secretary determining that
continued listing would have serious
adverse consequences, we could address
it under § 3.108(e), the subsection
establishing the new expedited
revocation process. We should note that,
in crafting that new authority, the

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

Department believed that it had an
obligation to establish a process for truly
exceptional circumstances. We do not
intend to use this authority as a
substitute for the normal process
established by subsection (a). Thus, if a
conflict-of-interest does not raise the
prospect of serious adverse
consequences for providers or others, it
is our intention to use the correction
processes of subsection (a).
Comment: Would a provider’s patient
safety work product be at risk if the
Department failed to alert the provider
in a timely manner of a deficiency in its
PSO?
Response: No. As we pointed out in
the preamble discussion of § 3.108 in
the proposed rule, the presence of
deficiencies or the fact that an entity is
undergoing revocation has no impact on
the information submitted to the entity
by providers until the date and time that
an entity is revoked and removed from
listing. If the PSO is revoked and
delisted for cause, the statute provides
an additional 30-day period that begins
at the time of delisting during which
data reported to the former PSO receives
the same protections as patient safety
work product.
(B) Section 3.108(b)—Revocation of the
Secretary’s Acceptance of a PSO’s
Certification
Proposed Rule: When the Secretary
makes a determination to remove the
listing of a PSO for cause, proposed
§ 3.108(b)(1) required the Secretary to
establish, and notify the entity, of the
effective date and time of its delisting
and inform the entity of its obligations
under §§ 3.108(b)(2) and 3.108(b)(3).
Section 3.108(b)(2) proposed to
implement two statutory provisions.
First, the former PSO would be required
to notify providers with which it has
been working of its removal from listing
and confirm to the Secretary within 15
days of the date of revocation and
delisting that it has done so. In light of
the brief notification period, we sought
comment on whether there are other
steps the Secretary should take to
ensure that affected providers receive
timely notice. Second, this subsection
would have reaffirmed the continued
protection of patient safety work
product received while the entity was
listed. In addition, any data received by
the former PSO from a provider in the
30 days following the date of revocation
and delisting would be accorded the
same protections as patient safety work
product. We noted that this additional
period of protection was only for the
benefit of providers reporting data; it
would not permit a former PSO to

PO 00000

Frm 00036

Fmt 4701

Sfmt 4700

continue to generate new patient safety
work product.
Section 3.108(b)(3) proposed to
implement the statutory requirements
regarding the disposition of patient
safety work product or data following
revocation and delisting of a PSO. The
three alternatives provided by the
statute are: Transfer of the patient safety
work product with the approval of the
source from which it was received to a
PSO which has agreed to accept it;
return of the patient safety work product
or data to the source from which it was
received; or, if return is not practicable,
destruction of such work product or
data. We noted that the text of the
proposed rule refers to the ‘‘source’’ of
the patient safety work product or data;
this would be a broader formulation
than the statutory language and includes
individuals. The statute does not
establish a time frame for a PSO to
comply with disposition requirements;
we sought comment on setting a
deadline.
Overview of Public Comments: Most
commenters addressed the specific
questions raised in the proposed rule,
although a few commenters raised
questions and offered recommendations
related to the requirements for
disposition of patient safety work
product. In response to the
Department’s question in the proposed
rule of whether there were other steps
that the Secretary could take to ensure
that providers were informed when a
PSO to which they reported data was
revoked and delisted, many commenters
concluded that the statutory
requirement for notification by the
former PSO was sufficient. Others urged
AHRQ to post notices of revocation and
delisting on the PSO website. Several
commenters urged the Secretary to
require the former PSO to provide
AHRQ with a list of its providers when
it submits its required confirmation 15
days after revocation that it has notified
providers. Presumably, the intent was to
permit the Secretary to follow up with
these providers to confirm that they had
been notified.
There were only three comments in
response to our question in the
proposed rule whether it was
appropriate to require disposition of
patient safety work product that was
received from all sources. Two
comments supported our interpretation
of the statutory requirement. One
commenter raised concerns that this
requirement could be difficult to
accomplish.
Commenters strongly supported
inclusion in the final rule of a deadline
by which former PSOs needed to
complete their disposition of patient

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
safety work product. Some commenters
suggested that we follow existing
HIPAA guidelines and others suggested
that the rule set a deadline, ranging from
90 days to 180 days following the date
of revocation. One commenter suggested
setting standards linked to the volume
of patient safety work product held by
the former PSO.
The options for disposition of patient
safety work product elicited a number of
comments. Some noted the difficulty of
returning patient safety work product to
its source as the former PSO closes its
operations and expressed concern that
destruction was not an option until the
PSO concluded that returning the work
product was not possible. In the view of
this commenter, this could lead a PSO
to simply abandon the patient safety
work product since it may have neither
time nor resources to contact the
sources of the work product. However,
most commenters focused on the
importance of identifying ways to avoid
destruction of patient safety work
product.
Final Rule: Section 3.108(b) has been
modified in several ways. The first
changes, in § 3.108(b)(1), are technical
changes. The first change renames the
section to more accurately describe its
provisions. The second technical change
incorporates two additional crossreferences to the ability of the Secretary
to revoke his acceptance of a PSO’s
certifications and delist an entity
pursuant to the new expedited
revocation process established in
§ 3.108(e).
We have not imposed any new
requirements on the Department in
§ 3.108(b)(2) to notify providers. Many
commenters did not see the need for
additional intervention by the
Department and several commenters
suggested additional steps that we can
and will take independent of the rule.
For example, AHRQ has already
established an e-mail-based listserv for
individuals interested in electronic
alerts regarding the agency’s
implementation of the Patient Safety
Act. Following publication of the final
rule, AHRQ will encourage all
interested providers and PSOs to add
their names to the listserv, which will
provide immediate notification when
the Secretary takes actions related to the
listing and delisting of PSOs or posts
significant new information on AHRQ’s
PSO Web site. Providers will also be
able to signup on the Web site to receive
individual e-mails if their PSO becomes
delisted.
We have modified § 3.108(b)(2) in
another way. This paragraph retains the
restatement that was in the proposed
rule of the statutory assurances

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

regarding the continued protections for
patient safety work product reported to
a PSO before the effective date of a
revocation and delisting action by the
Secretary and the protections for data
reported to the former PSO during the
30-day period following the date of
delisting. The modification requires the
former PSO to include this information
in its notices to providers regarding its
delisting. We incorporated this
modification to better effectuate the
statutory purpose by ensuring that the
providers contacted by the former PSO
are aware of these protections for the
data they may still want to report during
the 30-day period.
Several commenters sought ways to
preserve patient safety work product
and data for continued learning.
However, the requirements for
disposition of patient safety work
product and ‘‘data’’ in the final
regulation follow the statutory
formulation. We note that ‘‘data’’ in this
context refers to information submitted
to a former PSO in the 30 days following
its delisting. Some amount of patient
safety work product can be preserved if
the PSO shares or discloses this
information prior to the effective date of
its revocation as permitted by the rule,
e.g., to other PSOs in non-identifiable or
anonymized form.
We have modified the text of
§ 3.108(b)(3) in one respect. In response
to comments, we require the disposition
requirement to be completed within 90
days. Some commenters suggested that
we follow existing HIPAA guidelines in
establishing deadlines for the
disposition of patient safety work
product. Neither the HIPAA Privacy
Rule nor the HIPAA Security Rule have
deadlines for the disposition of
protected health information. Providers
are, of course, free to establish in their
contracts an earlier date for disposition
of their patient safety work product or
data and may provide prior
authorization for transfer to another
PSO.
Response to Other Public Comments
Comment: One commenter asked
whether the disposition requirement
applies to non-identifiable patient safety
work product, such as data reported
anonymously by hospitals.
Response: The statutory section on
disposition of patient safety work
product does not make an explicit
distinction between disposition of
identifiable and non-identifiable patient
safety work product and data, nor does
the final rule in the disposition
requirements. The Department reads
this disposition requirement as applying
to both identifiable and non-identifiable

PO 00000

Frm 00037

Fmt 4701

Sfmt 4700

70767

patient safety work product and data.
We note that Subpart C permits
disclosure of non-identifiable patient
safety work product at any time by a
PSO. However, after the date and time
that the Secretary sets for revocation
and delisting, the former PSO must
follow the prescribed disposition
requirements. Thus, prior to the
effective date and time of a PSO’s
delisting, the PSO can transfer to
another PSO non-identifiable and
anonymized patient safety work
product, without consent of the
source(s) of that information.
Comment: One commenter suggested
that there may be good business reasons
for a former PSO that has been delisted
to retain patient safety work product
and asked that we provide that option.
Response: The statutory disposition
requirement does not permit such an
option for an entity that is revoked and
delisted for cause, and the final rule
mirrors this limitation. A PSO that
voluntarily relinquishes its status is
required to attest that it has made all
reasonable efforts to comply with the
disposition requirements.
Comment: One commenter noted that
the disposition options appear to be
premised on a concept of the source’s
ownership interest in the patient safety
work product provided to the PSO.
Noting that as PSOs continue to
aggregate data from multiple providers
or through the sharing of work product
with other PSOs, the commenter
asserted that at some point the PSO’s
work product becomes its own. The
question to consider is whether this
distinction can be made in applying the
disposition requirement.
Response: The Department reads the
disposition requirement of the Patient
Safety Act to apply to all patient safety
work product and data held by an
involuntarily delisted former PSO. Most
work product created by PSOs will be
based upon reports from providers.
While the commenter points to repeated
aggregation of data from larger and
larger numbers of providers as making
the linkage to the reporting providers
more tenuous, in our view the linkage
remains as long as there is information
that identifies any source of the data in
the analysis. The linkage is only broken
when the source(s) is (are) truly nonidentifiable. As we noted above, the
statute does not make a distinction
between identifiable and nonidentifiable information, so the
disposition requirements apply to both.
Comment: One commenter noted that
certain public PSO entities may face
conflicts with state laws or regulations
that establish requirements for the

E:\FR\FM\21NOR3.SGM

21NOR3

70768

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

dwashington3 on PRODPC61 with RULES3

disposition of information that they
hold.
Response: The final rule’s
requirements for disposition of patient
safety work product would preempt
conflicting state statutory requirements
for disposition of information when it is
patient safety work product.
Comment: What are the
responsibilities of a contractor holding
patient safety work product under
contract with a PSO that is revoked and
delisted for cause?
Response: The contractor must return
the former PSO’s patient safety work
product that it is holding for disposition
as required by the rule.
(C) Section 3.108(c)—Voluntary
Relinquishment
Proposed Rule: Section 3.108(c)(1)
proposed two circumstances under
which a PSO would be considered to
have voluntarily relinquished its status
as a PSO: When a PSO advises the
Secretary in writing that it no longer
wishes to be a PSO, and when a PSO
permits its three-year period of listing to
expire. To ensure that such a lapse is
not inadvertent, the proposed rule
would require the Secretary to send a
notice of imminent expiration 45
calendar days before the expiration of
its period of listing.
We proposed in § 3.108(c)(2) that a
PSO seeking to relinquish its listing
should include in its notification to the
Secretary attestations regarding its
compliance with the provider
notification and patient safety work
product disposition requirements, and
would have required appropriate
contact information for further
communications from the Secretary.
The Secretary would be authorized by
§ 3.108(c)(3) to accept or reject the
PSO’s notification. We sought comment
on our preliminary conclusion that,
when a PSO voluntarily relinquishes its
status, the statutory provisions
providing protections for an additional
30 days for data submitted to the former
PSO by providers do not apply.
Section 3.108(c)(4) would have
enabled the Secretary to determine that
implied voluntary relinquishment has
taken place when a PSO permits its
listing to expire. The Secretary would
remove the entity from the list of PSOs
at midnight on that day, notify the
entity, and request that the entity make
reasonable efforts to comply with the
provider notification and patient safety
work product disposition requirements,
and to provide appropriate contact
information. Finally, § 3.108(c)(5)
proposed that voluntary relinquishment
would not constitute a deficiency as
referenced in subsection (a).

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

Overview of Public Comments: Public
comment on the proposed provisions for
voluntary relinquishment focused
primarily on the two questions raised in
the proposed rule.
Two commenters agreed with our
interpretation that the statute limited
the application of the additional
protections for data submitted by
providers to a former PSO in the 30-day
period following the date and time of
revocation and delisting to situations in
which the PSO had been revoked and
delisted for cause. A number of
commenters argued for inclusion of a
30-day period of continued reporting for
PSOs that voluntarily relinquished their
status. They noted the importance of
comparability but did not provide a
legal rationale for reading the statute
differently.
The second question posed by the
proposed rule was the appropriateness
of paragraph (c)(5) which would
eliminate the right to challenge any
decision by the Secretary regarding
voluntary relinquishment. Several large
provider groups supported our position
while others argued that a PSO should
always have the right to challenge or
appeal any decision by the Secretary.
Final Rule: We have modified and
narrowed the scope of voluntary
relinquishment in the final rule. We
have eliminated from this section the
application of voluntary relinquishment
to situations in which a PSO has let its
certifications lapse. As noted above, we
have modified § 3.104(e) to make
expiration of a PSO’s listing automatic
in these circumstances. Revised
§ 3.108(c) provides for voluntary
relinquishment in only one
circumstance: When a PSO writes the
Secretary seeking to relinquish its
listing as a PSO.
We have carefully reviewed again the
statutory authority that enables PSOs
that have their listing revoked for cause
to continue to receive data for 30 days
following the date and time of
revocation and delisting that will be
treated as patient safety work product.
We reaffirm our interpretation that the
statutory authority does not apply to an
entity seeking to voluntarily relinquish
its status as a PSO. Commenters
provided no basis for a different reading
of the statute. Accordingly, we have not
incorporated any change in the rule.
We have also deleted inappropriate
references to ‘‘patient safety work
product and data’’ in § 3.108(c)(2) and
replaced them with a reference only to
patient safety work product. As we
noted above, the term ‘‘data’’ in this
context refers only to information
received by a former PSO in the 30-day
period following revocation for cause

PO 00000

Frm 00038

Fmt 4701

Sfmt 4700

and is not applicable here. The only
other modifications are deletions of text
relating to implied voluntary
relinquishment and a conforming
change in a cross-reference.
We have not accepted the views of
commenters supporting appeals of
relinquishment determinations by the
Secretary in light of our decision to
narrow the scope of voluntary
relinquishment to situations in which
the PSO has requested relinquishment.
The comments regarding due process for
those who voluntarily relinquish their
status would no longer be apt.
(D) Section 3.108(d)—Public Notice of
Delisting Regarding Removal From
Listing
Proposed Rule: Proposed § 3.108(d)
would have incorporated the statutory
requirement that the Secretary must
publish a notice in the Federal Register
regarding the revocation of acceptance
of certification of a PSO and its removal
from listing. The proposed rule would
have broadened the requirement to
include publication of such a notice if
delisting results from a determination of
voluntary relinquishment.
Overview of Public Comments: We
received no comments on this
subsection.
Final Rule: We have modified
§ 3.108(d) in the final rule to reflect our
changes to subsection (c) that narrowed
the scope of voluntary relinquishment.
We also added a new reference that
requires the Secretary to publish a
notice when a PSO’s listing terminates
automatically at the end of the
statutorily based three-year period,
pursuant to § 3.104(e).
(E) Section 3.108(e)—Expedited
Revocation
Proposed Rule: The proposed rule did
not contain a proposed § 3.108(e). The
proposed rule did include in subsection
(a) a request for comment about the
possible inclusion in the final rule of an
expedited revocation process. We noted
that, while we anticipate that in the vast
majority of circumstances, the PSO’s
deficiency(ies) can and will be
corrected, there may be situations in
which a PSO’s conduct is so egregious
that the Secretary’s acceptance of the
PSO’s certification should be revoked
without the opportunity to cure because
there is no meaningful cure. We invited
comments regarding this approach and
how best to characterize the situations
in which the opportunity to ‘‘cure,’’ e.g.,
to change policies, practices or
procedures, sanction employees, send
out correction notices, would not be
sufficient, meaningful, or appropriate.

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
Overview of Public Comments:
Several commenters expressed concern,
requested that we define the term
‘‘egregious,’’ and opposed the
elimination of a right for the PSO to
respond to the proposed expedited
revocation action. One commenter
suggested that our proposal was
appropriate in situations involving
multiple willful violations and in which
immediate action is necessary to protect
patients and providers from further
improper actions by the PSO.
Only one commenter addressed, and
opposed, our suggestion that we might
eliminate in the final rule the
opportunity for a PSO to contest
revocation when the entity had
verifiably failed to meet the statutory
minimum contract requirement.
Final Rule: The Department has
modified the rule to include a new
§ 3.108(e) to provide for expedited
revocation in a limited number of
circumstances. In deciding to include
this new subsection, we considered all
of the comments received regarding
Subpart B, not only those discussed
here. There was a strong overall
sentiment that the Secretary must be
vigilant in ensuring that PSOs meet
their obligations to protect the
confidentiality of patient safety work
product. These concerns were especially
strong in response to our proposal to
permit components of excluded entities
to seek listing. We also received support
for prompt Secretarial action for
multiple willful violations and when
providers and patients are at risk
because of a PSO’s actions. Accordingly,
we have incorporated an expedited
revocation process based around these
concerns.
New § 3.108(e)(1) lists three
circumstances in which the Secretary
may use an expedited process for
revocation. The first two circumstances
reflect commenter concern regarding
excluded entities. The first of these,
specified in § 3.108(e)(1)(i), is if the
Secretary determines that a PSO is, or is
about to become, an entity excluded
from listing by § 3.102(a)(2). That
section excludes from listing: A health
insurance issuer; a unit or division of a
health insurance issuer; an entity that is
owned, managed or controlled by a
health insurance issuer; entities that
accredit or license health care providers;
entities that oversee or enforce statutory
or regulatory requirements governing
the delivery of health care services;
agents of an entity that oversees or
enforces statutory or regulatory
requirements governing the delivery of
health care services; or entities that
operate a Federal, State, Local, or Tribal
patient safety reporting system to which

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

health care providers (other than
members of the entity’s workforce or
health care providers holding privileges
with the entity) are required to report
information by law or regulation.
Because the certifications for listing
specifically require an entity to attest
that it is not excluded from seeking
listing, this situation would mean that
the PSO had either filed a false
certification, or that the nature of the
entity had significantly changed during
the course of its listing. An example of
an entity ‘‘about to become an excluded
entity’’ would be when there is advance
notice of a merger of the parent
organization of a component PSO with
a health insurance issuer. A health
insurance issuer is the only excluded
entity that may not have a component
become a PSO. If the Secretary learns
that a PSO is about to become a
component of a health insurance issuer,
this is one circumstance under which
we believe prompt action by the
Secretary is essential.
The second circumstance, specified in
§ 3.108(e)(1)(ii), is when the parent
organization of a PSO is an excluded
entity and the parent organization uses
its authority over providers to require or
induce them to use the patient safety
services of its component PSO. This was
a major concern of commenters in
permitting components of accreditation,
licensure and regulatory entities to seek
listing; the final rule in § 3.102(c)
permits such a component to be listed
only if it can certify that its parent
organization does not impose such
requirements on providers. When an
excluded entity attempts to require or
induce providers to report information
to its component PSO, there is
reasonable cause for concern regarding
the integrity of the firewall between the
component PSO and its parent
organization. Given the potential harm
to providers if their identifiable patient
safety work product is made available to
the excluded entity, the Department
concludes that the need for prompt
action is compelling.
The third circumstance specified in
§ 3.108(e)(1)(iii) of the rule is when the
Secretary has determined that the
failure to act promptly would lead to
serious adverse consequences. We
would expect to use this authority
sparingly. Despite the confidential and
protected nature of patient safety work
product, we remain concerned that
there can still be serious harm to
providers, patients, and reporters named
in patient safety work product if a PSO
demonstrates reckless or willful
misconduct in its protection or use of
the work product with which it is
entrusted, especially when there is

PO 00000

Frm 00039

Fmt 4701

Sfmt 4700

70769

reason to believe there have been
repeated deficiencies, or when the PSO
engages in fraudulent or illegal conduct.
In light of these risks, we believe it is
only prudent to give the Secretary the
authority to respond promptly to
situations where there is a risk of
serious adverse harm, even if we cannot
adequately foresee all of the specific
situations that might require prompt
action.
We note that we have accepted the
position of another commenter that we
not include failure to meet the
minimum contract requirement as a
basis for expedited revocation. Our
intent is to limit expedited revocation to
those situations which pose a risk to
providers or others.
To accomplish expeditious remedial
revocation action, § 3.108(e)(2) waives
the procedures in §§ 3.108(a)(2) through
3.108(a)(5) for correction of deficiencies,
determinations regarding correction of
deficiencies, processes related to the
opportunity for a written response by
the PSO to a notice of proposed
revocation and delisting, and final
determination by the Secretary
regarding revocation and delisting of the
PSO. Instead, the provisions of
§ 3.108(e)(3) apply.
Under § 3.108(e)(3) of the expedited
revocation process, the Secretary would
issue a notice of deficiency and
expedited revocation that identifies the
evidence that the circumstances for
expedited revocation exist and indicates
any corrective action the PSO can take
if the Secretary determines that
corrective action may resolve the matter
so that revocation and delisting could be
avoided. Absent evidence of actual
receipt of this notice of deficiency and
expedited revocation, the Secretary’s
notice will be deemed to be received
five days after it was sent.
In developing this process, we have
taken note of commenters’ concern that
as a general matter, a PSO alleged to be
deficient in compliance should have an
opportunity to be heard and have
provided the PSO with an opportunity
to respond as part of the expedited
revocation process. The Secretary must
receive a response from the PSO within
14 days of actual or constructive receipt
of the notice, whichever is longer. In its
written response, the PSO can correct
the alleged facts or argue the
applicability of the legal basis given for
expedited revocation and delisting and
offer reasons that would support its case
for not being delisted.
If the PSO does not submit a written
response, the Secretary may revoke and
delist the PSO. Provided the PSO
responds within the required time, the
Secretary may withdraw the notice,

E:\FR\FM\21NOR3.SGM

21NOR3

70770

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

dwashington3 on PRODPC61 with RULES3

grant the PSO with additional time to
resolve the matter, or revoke and delist
the PSO. If the Secretary decides to
revoke and delist the PSO, we note that
the requirements of § 3.108(b) discussed
above apply. These requirements relate
to notification of the providers who
have reported patient safety work
product to the PSO, disposition of the
PSO’s patient safety work product and
data, and the ability of providers to
continue to report data to the former
PSO for 30 calendar days following the
effective date and time of delisting and
have these data protected as patient
safety work product.
5. Section 3.110—Assessment of PSO
Compliance
Proposed Rule: Section 3.110
proposed the framework by which the
Secretary would assess compliance of
PSOs with the requirements of the
statute and the rule. This section
provided that the Secretary may request
information or conduct spot-checks
(reviews or site visits to PSOs,
announced or unannounced) to assess
or verify PSO compliance with the
requirements of the statute and this
proposed subpart. We noted that we
anticipate that such spot checks would
involve no more than 5–10% of PSOs in
any year. We also noted that this section
would reference the Department’s
overall authority to have access to
patient safety work product, if
necessary, as part of its implementation
and enforcement of the Patient Safety
Act.
Overview of Public Comments: There
were few comments on this section.
Commenters agreed that AHRQ’s
authority under this section should be
limited to PSOs. Several commenters
expressed concern about our discussion
that we only anticipated spot-checking
5%–10% of PSOs for compliance in any
given year. The projected number of
spot checks in their view would not be
adequate to maintain provider
confidence and PSO compliance.
Another commenter asked which
agency would be delegated the task and
identified entities within HHS to which
the Secretary should not delegate this
responsibility.
Final Rule: We have made no
substantive modifications to § 3.110 in
the final rule. We note in response to
the commenters that urged a higher
level of spot checks and inspections that
the rule does not limit the ability of the
Department to increase the number if
warranted. However, we have no basis
for assuming that higher levels of spot
checks or inspections are warranted in
light of the fact that Patient Safety
Organizations are not federally funded

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

or controlled and a provider’s decision
to work with a PSO is voluntary.
Therefore, we intend to maintain the
approach outlined in the proposed rule.
In response to another commenter, the
authority to implement Subpart B rests
squarely within the authorities to foster
patient safety and health care quality
improvement of the Agency for
Healthcare Research and Quality, and
there is no reason to expect it to be
delegated to another part of the
Department.
6. Section 3.112—Submissions and
Forms
Proposed Rule: Proposed § 3.112
would have provided instructions for
obtaining required forms and the
submission of materials, would have
provided contact information for AHRQ
(mailing address, Web site, and e-mail
address), and would have authorized
the Department to request additional
information if a submission is
incomplete or additional information is
needed to enable the Secretary to make
a determination on any submission.
Overview of Public Comments: We
received no comments on this section.
Final Rule: We have made no
substantive modifications to this
section. We have made technical
changes and incorporated citations for
the AHRQ PSO Web site address and
corrected the e-mail address.
C. Subpart C—Confidentiality and
Privilege Protections of Patient Safety
Work Product
Proposed Subpart C would have
described the general privilege and
confidentiality protections for patient
safety work product, the permitted
disclosures, and the conditions under
which the specific protections no longer
apply. The proposed Subpart also
would have established the conditions
under which a provider, PSO, or
responsible person must disclose
patient safety work product to the
Secretary in the course of compliance
and enforcement activities, and what
the Secretary may do with such
information. Moreover, the proposed
subpart would have established the
standards for nonidentifiable patient
safety work product.
Proposed Subpart C sought to balance
key objectives of the Patient Safety Act.
First, the proposal sought to address
provider concerns about the potential
for damage from unauthorized release of
information, including the potential for
the information to serve as a roadmap
for provider liability from negative
patient outcomes. It also promoted the
sharing of information about adverse
patient safety events among providers

PO 00000

Frm 00040

Fmt 4701

Sfmt 4700

and PSOs for the purpose of learning
from those events to improve patient
safety and the quality of care. To
achieve these objectives, Subpart C
proposed that patient safety work
product would be privileged and
confidential, except in the certain
limited circumstances identified by the
Patient Safety Act and as needed by the
Department to implement and enforce
the Patient Safety Act. In addition,
proposed Subpart C provided, in
accordance with the Patient Safety Act,
that patient safety work product that is
disclosed generally would continue to
be privileged and confidential, subject
to the delineated exceptions. Thus,
under the proposal, an entity or person
receiving patient safety work product
only would be able to disclose such
information for a purpose permitted by
the Patient Safety Act and the proposed
rule, or if patient safety work product
was no longer confidential because it
was nonidentifiable or subject to an
exception to confidentiality. Providers,
PSOs, and responsible persons who
failed to adhere to these confidentiality
rules would be subject to enforcement
by the Department, including the
imposition of civil money penalties, if
appropriate, as provided in Subpart D of
the proposed rule.
The proposed rule also explained that
several provisions of the Patient Safety
Act recognize that the patient safety
regulatory scheme will exist alongside
other requirements for the use and
disclosure of protected health
information under the HIPAA Privacy
Rule. For example, the Patient Safety
Act establishes that PSOs will be
business associates of providers and the
patient safety activities they conduct
will be health care operations of the
providers, incorporates individually
identifiable health information under
the HIPAA Privacy Rule as an element
of identifiable patient safety work
product, and adopts a rule of
construction that states the intention not
to alter or affect any HIPAA Privacy
Rule implementation provision (see
section 922(g)(3) of the Public Health
Service Act, 42 U.S.C. 299b–22(g)(3)).
As we explained in the proposed rule,
we anticipate that most providers
reporting to PSOs will be HIPAA
covered entities under the HIPAA
Privacy Rule, and as such, will be
required to recognize and comply with
the requirements of the HIPAA Privacy
Rule when disclosing identifiable
patient safety work product that
includes protected health information.
As Subpart C addresses disclosure of
patient safety work product that may
include protected health information,

E:\FR\FM\21NOR3.SGM

21NOR3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
we discuss, where appropriate, the
overlap between this rule and the
HIPAA Privacy Rule in the preamble
description of this Subpart, as we did in
the proposed rule.

dwashington3 on PRODPC61 with RULES3

1. Section 3.204—Privilege of Patient
Safety Work Product
Proposed § 3.204 described the
privilege protections of patient safety
work product and the exceptions to
privilege. As we explained in the
proposed rule, the Patient Safety Act
does not give authority to the Secretary
to enforce breaches of the privilege
protections, as it does with respect to
breaches of the confidentiality
provisions. Rather, we anticipate that
the tribunals, agencies or professional
disciplinary bodies before whom the
proceedings take place and before
which patient safety work product is
sought, will adjudicate the application
of the privilege provisions of the Patient
Safety Act at section 922(a)(1)–(5) of the
Public Health Service Act, 42 U.S.C.
299b–22(a)(1)–(5) and the exceptions to
privilege at section 922(c)(1) of the
Public Health Service Act, 42 U.S.C.
299b–22(c)(1). Even though the privilege
protections will be enforced through the
court systems, and not by the Secretary,
we repeat the statutory privilege
protections and exceptions in this final
rule, as we did in the proposed rule.
This is done both for convenience and
completeness, as well as because the
same exceptions in the privilege
provisions are repeated in the
confidentiality provisions and the term
‘‘disclosure’’ in the final rule describes
both the transfer of patient safety work
product pursuant to a privilege
exception as well as a confidentiality
exception. Thus, a disclosure of patient
safety work product that is a violation
of privilege may also be a violation of
confidentiality, which the Secretary
does have authority to enforce and for
which he can impose a civil money
penalty, if appropriate.
We also proposed to include at
§ 3.204(c) a regulatory exception to
privilege for disclosures to the Secretary
for the purpose of enforcing the
confidentiality provisions and for
making or supporting PSO certification
or listing decisions. In the final rule, we
adopt this proposed provision but also
add language to make clear that the
exception also applies to disclosures to
the Secretary for HIPAA Privacy Rule
enforcement, given the significant
overlap with respect to disclosures
under the two rules. We discuss that
change, as well as the public comments
and our responses with respect to the
other privilege provisions, below.

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

(A) Section 3.204(a)—Privilege
Proposed Rule: Proposed § 3.204(a)
would have described the general rule
that, notwithstanding any other
provision of Federal, State, local, or
Tribal law, patient safety work product
is privileged and shall not be: (1)
Subject to Federal, State, local, or Tribal
civil, criminal, or administrative
subpoena or order, including in a
disciplinary proceeding against a
provider; (2) subject to discovery in
connection with a Federal, State, local,
or Tribal civil, criminal, or
administrative proceeding, including a
disciplinary proceeding against a
provider; (3) subject to disclosure under
the Freedom of Information Act (section
552 of Title 5, United States Code) or
similar Federal, State, local, or Tribal
law; (4) admitted as evidence in any
Federal, State, local, or Tribal
governmental civil proceeding, criminal
proceeding, administrative rulemaking
proceeding, or administrative
adjudicatory proceeding, including any
such proceeding against a provider; or
(5) admitted in a professional
disciplinary proceeding of a
professional disciplinary body
established or specifically authorized
under State law. The proposed
provision generally repeated the
statutory language at section 922(a) of
the Public Health Service Act, 42 U.S.C.
299b–22(a) but also clarified that
privilege would have applied to protect
against use of the information in Tribal
courts and administrative proceedings.
Overview of Public Comments: We
received no comments opposed to this
proposed provision.
Final Rule: The final rule adopts this
proposed provision.
Response to Other Public Comments
Comment: Several commenters
expressed concern about the lack of
detailed explanation and information
about the privilege protections as
compared to the confidentiality
provisions in the proposed rule. Some
commenters asked for clarification
about how breaches of privilege can be
enforced and who can assert privilege
protection. Two commenters asked
whether hospital peer review
committees established under state law
qualify as disciplinary bodies for
purposes of the privilege protection and
if there is a distinction between
discipline by a state licensing body and
discipline by an internal peer review
committee.
Response: The Secretary does not
have the authority to interpret and
enforce the privilege protections of the
statute, and thus, the proposed rule did
not contain a detailed discussion of

PO 00000

Frm 00041

Fmt 4701

Sfmt 4700

70771

these provisions nor can we provide
further explanation or interpretation in
this final rule. Rather, as described
above, the privilege provisions are
included only for convenience and
completeness, and because the privilege
exceptions mirror exceptions to
confidentiality. The privilege
protections attach to patient safety work
product, and we expect that the
privilege of patient safety work product
will be adjudicated and enforced by the
tribunals, agencies or professional
disciplinary bodies before which the
information is sought and before whom
the proceedings take place. A provider
facing an opposing party who seeks to
introduce patient safety work product in
court may seek to enforce the privilege
by filing the appropriate motions with
the court asserting the privilege to
exclude the patient safety work product
from the proceeding.
(B) Section 3.204(b)—Exceptions to
privilege
Proposed Rule: Proposed § 3.204(b)
described the exceptions to privilege
established at section 922(c) of the
Public Health Service Act, 42 U.S.C.
299b–22c, thereby permitting disclosure
of patient safety work product under
such circumstances. In all cases, the
exceptions to privilege were also
proposed as exceptions to
confidentiality at § 3.206(b). Proposed
§ 3.204(b)(1) would have permitted the
disclosure of relevant patient safety
work product for use in a criminal
proceeding after a court makes an in
camera determination that the patient
safety work product contains evidence
of a criminal act, is material to the
proceeding, and is not reasonably
available from any other source.
Proposed § 3.204(b)(2) would have
permitted disclosure of identifiable
patient safety work product to the extent
required to carry out the securing and
provision of equitable relief as provided
under section 922(f)(4)(A) of the Public
Health Service Act, 42 U.S.C. 299b–
22(f)(4)(A). Proposed § 3.204(b)(3)
would have permitted disclosure of
identifiable patient safety work product
when each of the identified providers
authorized the disclosure. Finally,
proposed § 3.204(b)(4) would have
excepted patient safety work product
from privilege when disclosed in
nonidentifiable form.
Overview of Public Comments: Some
commenters expressed concern that
allowing exceptions to privilege may
not adequately protect patient safety
work product.
Final Rule: The final rule adopts the
proposed provisions. The statute
explicitly provides for these limited

E:\FR\FM\21NOR3.SGM

21NOR3

70772

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

exceptions to privilege and thus, they
are included in this final rule.

dwashington3 on PRODPC61 with RULES3

Response to Other Public Comments
Comment: One commenter asked that
the final rule align the privilege
exceptions in § 3.204(b) with the
permitted disclosures to law
enforcement in the HIPAA Privacy Rule
at 45 CFR 164.512(f).
Response: We do not agree that
expanding the exceptions to privilege in
such a manner is appropriate or
prudent. Congress expressly limited the
exceptions to privilege to those we have
repeated in the final rule. As relevant to
law enforcement, the Patient Safety Act
permits an exception from privilege
protection for law enforcement purposes
in only very narrow circumstances—
that is, patient safety work product may
be used in a criminal proceeding, but
only after a judge makes an in camera
determination that the information
contains evidence of a criminal act, is
material to the proceeding, and is not
reasonably available from any other
source. See § 3.204(b)(1). We do not
have authority to further expand or
interpret the exceptions to privilege
provided for in the statute. Further, we
believe strong privilege protections are
essential to ensuring the goals of the
statute are met by encouraging
maximum provider participation in
patient safety reporting. We note that
§ 3.206(c)(10) permits the disclosure of
patient safety work product relating to
an event that either constitutes the
commission of a crime, or for which the
disclosing person reasonably believes
constitutes the commission of a crime,
to law enforcement, provided that the
disclosing person believes, reasonably
under the circumstances, that the
patient safety work product that is
disclosed is necessary for criminal law
enforcement purposes. In other cases
where law enforcement needs access to
information that is contained within
patient safety work product, we
emphasize that the definition of
‘‘patient safety work product’’
specifically excludes a patient’s medical
or billing record or other original patient
information. See § 3.20, paragraph (2)(i)
of the definition of ‘‘patient safety work
product.’’ Thus, such original patient
information remains available to law
enforcement in accordance with the
conditions set out in the HIPAA Privacy
Rule, if applicable.
(C) Section 3.204(c)—Implementation
and Enforcement of the Patient Safety
Act
Proposed Rule: Proposed § 3.204(c)
would have excepted from privilege
disclosures of relevant patient safety

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

work product to or by the Secretary as
needed for investigating or determining
compliance, or seeking or imposing civil
money penalties, with respect to this
rule or for making or supporting PSO
certification or listing decisions under
the Patient Safety Act. We proposed that
these disclosures also be permitted as an
exception to confidentiality at
§ 3.206(d). We explained that, in order
to perform investigations and
compliance reviews to determine
whether a violation occurred, the
Secretary may need to have access to
privileged and confidential patient
safety work product and that we believe
Congress could not have intended the
privilege and confidentiality protections
of the Patient Safety Act to impede such
enforcement by prohibiting access to
necessary information by the Secretary.
Thus, the proposed provision would
have allowed disclosure of patient
safety work product to and by the
Secretary for enforcement purposes,
including the introduction of such
information into ALJ or Board
proceedings, disclosure by the Board to
properly review determinations or to
provide records for court review, as well
as disclosure during investigations by
OCR or activities in reviewing PSO
certifications by AHRQ. Patient safety
work product disclosed under this
proposed exception would have
remained privileged and confidential
pursuant to proposed § 3.208, and
proposed § 3.312 limited the Secretary
to only disclosing identifiable patient
safety work product obtained in
connection with an investigation or
compliance review for enforcement
purposes or as otherwise permitted by
the proposed rule or Patient Safety Act.
We also explained in the preamble to
the proposed rule that the privilege
provisions in the Patient Safety Act
would not bar the Secretary from using
patient safety work product for
compliance and enforcement activities
related to the HIPAA Privacy Rule. This
interpretation was based on the
statutory provision at section 922(g)(3)
of the Public Health Service Act, 42
U.S.C. 299b–22(g)(3), which provides
that the Patient Safety Act does not
affect the implementation of the HIPAA
Privacy Rule.
Overview of Public Comments: We
received one comment in support of and
no comments opposed to this proposed
provision.
Final Rule: The final rule adopts the
proposed provision, but expands it to
expressly provide that patient safety
work product also may be disclosed to
or by the Secretary as needed to
investigate or determine compliance
with or to impose a civil money penalty

PO 00000

Frm 00042

Fmt 4701

Sfmt 4700

under the HIPAA Privacy Rule. This
new language implements the statutory
provision at section 922(g)(3) of the
Public Health Service Act, 42 U.S.C.
299b–22(g)(3), which, as explained
above, makes clear that the Patient
Safety Act is not intended to affect
implementation of the HIPAA Privacy
Rule. Given the significant potential for
an alleged impermissible disclosure to
implicate both this rule’s confidentiality
provisions, as well as the HIPAA
Privacy Rule, the Secretary may require
access to privileged patient safety work
product for purposes of determining
compliance with the HIPAA Privacy
Rule. The Secretary will use such
information consistent with the
statutory prohibition against imposing
civil money penalties under both
authorities for the same act.
With respect to this rule, the
provision, as it did in the proposed rule,
makes clear that privilege does not
apply to patient safety work product
disclosed to or by the Secretary if
needed to investigate or determine
compliance with this rule, or to make or
support decisions with respect to listing
of a PSO. This may include access to
and disclosure of patient safety work
product to enforce the confidentiality
provisions of the rule, to make or
support decisions regarding the
acceptance of certification and listing as
a PSO, or to revoke such acceptance and
to delist a PSO, or to assess or verify
PSO compliance with the rule.
2. Section 3.206—Confidentiality of
Patient Safety Work Product
Proposed § 3.206 described the
confidentiality protection of patient
safety work product, as well as the
exceptions from confidentiality
protection.
(A) Section 3.206(a)—Confidentiality
Proposed Rule: Proposed § 3.206(a)
would have established the general
principle that patient safety work
product is confidential and shall not be
disclosed by anyone holding the patient
safety work product, except as
permitted or required by the rule.
Overview of Public Comments: We
received no comments directly in
reference to this provision.
Final Rule: The final rule adopts this
proposed provision.
(B) Section 3.206(b)—Exceptions to
confidentiality
Proposed Rule: Proposed § 3.206(b)
described the exceptions to
confidentiality, or permitted
disclosures. The preamble to the
proposed rule explained that there were
several overarching principles that

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
applied to these exceptions from
confidentiality. First, these exceptions
were ‘‘permissions’’ to disclose patient
safety work product and the holder of
the information retained full discretion
whether to disclose. Further, as the
proposed rule was a Federal baseline of
protection, a provider, PSO, or
responsible person could impose more
stringent confidentiality policies and
procedures on patient safety work
product and condition the release of
patient safety work product within these
exceptions by contract, employment
relationship, or other means. However,
the Secretary would not enforce such
policies or private agreements. Second,
when exercising discretion to disclose
patient safety work product, we
encouraged providers, PSOs, and
responsible persons to attempt to
disclose the amount of information
commensurate with the purpose of the
disclosure and to disclose the least
amount of identifiable patient safety
work product appropriate for the
disclosure even if that was less than
what would otherwise be permitted by
the rule and regardless of whether the
information continued to be protected
under the rule after the disclosure.
Third, the proposal prohibited persons
receiving patient safety work product
from redisclosing it except as permitted
by the rule, and we requested comment
on whether there were any negative
implications of limiting redisclosures in
such a manner.
We also described how the proposal
would work with respect to entities also
subject to the Privacy Act and/or the
HIPAA Privacy Rule. We explained that
agencies subject to the Patient Safety
Act and the Privacy Act, 5 U.S.C. 552a,
must comply with both statutes when
disclosing patient safety work product.
This means that, for agencies subject to
both laws, a disclosure of patient safety
work product could only be made if
permitted by both laws. The Privacy Act
permits agencies to make disclosures
pursuant to established routine uses.
See 5 U.S.C. 552a(a)(7); 552a(b)(3); and
552a(e)(4)(D). Accordingly, we
recommended that Federal agencies that
maintain a Privacy Act system of
records containing information that is
patient safety work product include
routine uses that will permit the
disclosures allowed by the Patient
Safety Act. For HIPAA covered entities,
we explained that when a patient’s
protected health information is
encompassed within patient safety work
product, any disclosure of such
information also must comply with the
HIPAA Privacy Rule.
Overview of Public Comments: Some
commenters expressed general support

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

for the narrowly drawn exceptions to
confidentiality in the proposed rule,
while one commenter expressed
concern that the exceptions were
unnecessarily complex to accomplish
their purpose. Several commenters
asked that the final rule include
additional exceptions to confidentiality
or disclosure permissions. For example,
some commenters suggested that the
final rule permit the disclosure of
patient safety work product to federal,
state, and local agencies to fulfill
mandatory reporting requirements.
Other commenters suggested an
exception be created to permit the
disclosure of patient safety work
product to state survey agencies,
regulatory bodies, or to any federal or
state agency for oversight purposes.
Another commenter requested that the
final rule include a disclosure
permission for emergency
circumstances similar to the HIPAA
Privacy Rule disclosure at 54 CFR
164.512(j), allowing a PSO to disclose
patient safety work product if it
determines a pattern of harm and that
disclosure is necessary to prevent an
individual from harming a person or the
public. One commenter, however,
believed the proposed rule contained
too many exceptions to confidentiality,
and thus, did not adequately protect
patient safety work product; this
commenter suggested that some
disclosure permissions be eliminated in
the final rule but did not recommend
which ones.
Several commenters responded to the
question regarding whether there were
any negative implications of limiting
redisclosures as outlined in the
proposed rule. These commenters
supported the limitations on
redisclosures of patient safety work
product in the proposed rule; we
received no comments identifying any
negative implications of this limitation.
One commenter, however, noted that
the redisclosures should be governed by
the HIPAA Privacy and Security Rules.
Finally, some commenters sought
clarification regarding preemption.
Several commenters asked whether the
federal patient safety work product
protections preempted existing State
law that permitted or required
disclosure of similar types of records.
Other commenters asked whether
greater State law protections continue to
exist alongside patient safety work
product protections, stating that some
providers may decide not to participate
with a PSO if they would lose existing
State law protections.
Final Rule: The final rule generally
adopts the proposed provisions, with
some modifications as explained below

PO 00000

Frm 00043

Fmt 4701

Sfmt 4700

70773

in the specific discussions of the
individual disclosure permissions. The
disclosure permissions in this section
reflect those provided by the statute,
and the Secretary has no authority to
eliminate or neglect to implement
certain of the provisions. Further, the
statute provides only limited authority
to the Secretary to expand the
disclosure permissions. See, for
example, section 922(c)(2)(F) of the
Public Health Service Act, 42 U.S.C.
299b–22(c)(2)(F), providing the
Secretary with authority to create
permissions for disclosures that the
Secretary may determine, by rule or
other means, are necessary for business
operations and are consistent with the
goals of the statute. Thus, the final rule
does not create any new, or eliminate
any proposed, categories of disclosure
permissions.
With respect to those commenters
who requested a disclosure permission
be added to allow for the disclosure of
patient safety work product to federal,
state, and local agencies to fulfill
mandatory reporting requirements or for
oversight purposes, we disagree that
such a modification is necessary. The
final rule gives providers much
flexibility in defining and structuring
their patient safety evaluation system, as
well as determining what information is
to become patient safety work product
and, thus, protected from disclosure.
Providers can structure their systems in
a manner that allows for the use of
information that is not patient safety
work product to fulfill their mandatory
reporting obligations. See the discussion
regarding the definition of ‘‘patient
safety work product’’ in this preamble
for more information. Further, as
original medical and other records are
expressly excepted from the definition
of ‘‘patient safety work product,’’
providers always have the option of
using those records to generate the
reports necessary for their mandatory
reporting obligations to federal, state,
and local agencies.
With respect to disclosures for
emergency circumstances, the Patient
Safety Act provides no general
exception for such disclosures.
However, patient safety work product
may be disclosed under § 3.206(b)(10) to
law enforcement if the disclosing party
reasonably believes the patient safety
work product contains information that
constitutes a crime. For emergency
circumstances that do not rise to the
level of criminal conduct, the
information necessary to identify and
address such emergencies should be
readily available and accessible in
medical records and other original

E:\FR\FM\21NOR3.SGM

21NOR3

70774

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

dwashington3 on PRODPC61 with RULES3

documents that are not protected as
patient safety work product.
The final rule also adopts the
redisclosure limitations of the proposed
rule. As described above, commenters
largely supported, and did not identify
negative implications of, these
restrictions. We discuss the individual
redisclosure limitations below in the
specific discussions regarding the
disclosure permissions to which they
apply. We note that the HIPAA Privacy
and Security Rules will govern
redisclosures of patient safety work
product only to the extent that the
redisclosures are made by a HIPAA
covered entity and the patient safety
work product encompasses protected
health information.
In response to the comments and
questions regarding preemption, we
note that the Patient Safety Act provides
that, notwithstanding any other
provision of Federal, State, or local law,
and subject to the prescribed
exceptions, patient safety work product
shall be privileged and confidential. See
sections 922(a) and (b) of the Public
Health Service Act, 42 U.S.C. 299b–
22(a) and (b). The statute also provides
as rules of construction the following:
(1) that the Patient Safety Act does not
limit the application of other Federal,
State, or local laws that provide greater
privilege or confidentiality protections
than those provided by the Patient
Safety Act; and (2) the Patient Safety
Act does not preempt or otherwise affect
any State law requiring a provider to
report information that is not patient
safety work product. See section 922(g)
of the Public Health Service Act, 42
U.S.C. 299b–22(g). Thus, the patient
safety work product protections
provided for under the statute generally
preempt State or other laws that would
permit or require disclosure of
information contained within patient
safety work product. However, State
laws that provide for greater protection
of patient safety work product are not
preempted and continue to apply.
Response to Other Public Comments
Comment: Several commenters asked
that the final rule discuss redisclosures
in more detail and further explain the
consequences of redisclosures.
Response: A redisclosure, or ‘‘further
disclosure’’ as described in the
regulatory text, of patient safety work
product, like a disclosure, is the release,
transfer, provision of access to, or
divulging in any other manner of patient
safety work product by an entity or
natural person holding the patient safety
work product to another legally separate
entity or natural person outside the
entity holding the patient safety work

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

product. Natural persons or entities who
receive patient safety work product
generally may further disclose such
information pursuant to any of the
disclosure permissions in the final rule
at § 3.206, except where expressly
limited pursuant to the provision under
which the natural person or entity
received the information. These
restrictions on further disclosures may
be found at §§ 3.206(b)(4)(ii) (disclosure
to a contractor of a provider or PSO for
patient safety activities), 3.206(b)(7)
(disclosure to the Food and Drug
Administration (FDA) and entities
required to report to FDA), 3.206(b)(8)
(voluntary disclosure to an accrediting
body), 3.206(b)(9) (business operations),
and 3.206(b)(10) (disclosure to law
enforcement). These limitations are
described more fully below in the
discussions concerning the disclosure
permissions to which they apply. As
with an impermissible disclosure,
impermissible redisclosures are subject
to enforcement by the Secretary and
potential civil money penalties.
Comment: Two commenters asked
that we monitor the impact of the rule
to ensure that it does not improperly
impede the necessary sharing of patient
safety work product.
Response: As the rule is implemented,
we will monitor its impact and consider
whether any concerns that are raised by
providers, PSOs, and others should be
addressed through future modification
to the rule or guidance, as appropriate.
(1) Section 3.206(b)(1)—Criminal
Proceedings
Proposed Rule: Proposed § 3.206(b)(1)
would have permitted the disclosure of
identifiable patient safety work product
for use in a criminal proceeding, if a
court makes an in camera determination
that the identifiable patient safety work
product sought for disclosure contains
evidence of a criminal act, is material to
the proceeding, and is not reasonably
available from other sources. See section
922(c)(1)(A) of the Public Health Service
Act, 42 U.S.C. 299b–22(c)(1)(A). The
proposed provision paralleled the
exception to privilege at proposed
§ 3.204(b)(1).
As we explained in the proposed rule,
the Patient Safety Act establishes that
patient safety work product generally
will continue to be privileged and
confidential upon disclosure. See
section 922(d)(1) of the Public Health
Service Act, 42 U.S.C. 299b–22(d)(1)
and § 3.208 of this rule. However, the
Patient Safety Act limits the continued
protection of patient safety work
product disclosed for use in a criminal
proceeding pursuant to this provision.
In particular, patient safety work

PO 00000

Frm 00044

Fmt 4701

Sfmt 4700

product disclosed pursuant to this
provision continues to be privileged
after disclosure but is no longer
confidential. See section 922(d)(2)(A) of
the Public Health Service Act, 42 U.S.C.
299b–22(d)(2)(A). We explained that
this would mean, for example, that law
enforcement personnel who obtain
patient safety work product used in a
criminal proceeding could further
disclose that information because
confidentiality protection would not
apply; however, law enforcement could
not seek to introduce the patient safety
work product in another proceeding
without a new in camera determination
that would have complied with the
privilege exception at proposed
§ 3.204(b)(1).
We also reminded entities that are
subject to the HIPAA Privacy Rule that
any disclosures pursuant to this
provision that encompass protected
health information also would need to
comply with the HIPAA Privacy Rule’s
provision at 45 CFR 164.512(e) for
disclosures pursuant to judicial
proceedings. We explained that we
expected court rulings following an in
camera determination to be issued as a
court order, which would satisfy the
HIPAA Privacy Rule’s requirements.
Overview of Public Comments: We
received no comments opposed to this
provision.
Final Rule: The final rule adopts the
proposed provision.
Response to Other Public Comments
Comment: One commenter asked that
the final rule make clear that patient
safety work product disclosed under
this provision continues to be privileged
and cannot be used or reused as
evidence in any civil proceeding even
though the information is no longer
confidential.
Response: The final rule makes this
clear. See § 3.208(b)(1).
(2) Section 3.206(b)(2)—Equitable Relief
for Reporters
Proposed Rule: The Patient Safety Act
prohibits a provider from taking an
adverse employment action against an
individual who, in good faith, reports
information to the provider for
subsequent reporting to a PSO or to a
PSO directly. See section 922(e)(1) of
the Public Health Service Act, 42 U.S.C.
299b–22(e)(1). For purposes of this
provision, adverse employment actions
include loss of employment, failure to
promote, or adverse evaluations or
decisions regarding credentialing or
licensing. See 922(e)(2) of the Public
Health Service Act, 42 U.S.C. 299b–
22(e)(2). The Patient Safety Act provides
adversely affected reporters a civil right

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
of action to enjoin such adverse
employment actions and obtain other
equitable relief, including back pay or
reinstatement, to redress the prohibited
actions. See 922(f)(4) of the Public
Health Service Act, 42 U.S.C. 299b–
22(f)(4). To effectuate the obtaining of
equitable relief under this provision, the
Patient Safety Act provides that patient
safety work product is not subject to the
privilege protections or to the
confidentiality protections. Thus,
proposed § 3.206(b)(2) would have
permitted the disclosure of identifiable
patient safety work product by an
employee seeking redress for adverse
employment actions to the extent that
the information is necessary to permit
the equitable relief. This proposed
provision paralleled the privilege
exception to permit equitable relief at
proposed § 3.204(b)(2). Also, in
accordance with the statute, we
proposed that once patient safety work
product is disclosed pursuant to this
provision, it would have remained
subject to confidentiality and privilege
protection in the hands of all
subsequent holders and could not be
further disclosed except as otherwise
permitted by the rule.
We also provided guidance with
respect to the application of the HIPAA
Privacy Rule if a covered entity (or its
business associate) was making the
disclosure and the patient safety work
product included protected health
information. In that regard, we
explained that, under the HIPAA
Privacy Rule at 45 CFR 164.512(e),
when protected health information is
sought to be disclosed in a judicial
proceeding via subpoenas and discovery
requests without a court order, the
disclosing HIPAA covered entity must
seek satisfactory assurances that the
party requesting the information has
made reasonable efforts to provide
written notice to the individual who is
the subject of the protected health
information or to secure a qualified
protective order.
Finally, the proposed rule solicited
comments on whether the obtaining of
a protective order should be a condition
of the disclosure under this provision or
whether, instead, the final rule should
require only a good faith effort to obtain
a protective order as a condition of this
disclosure.
Overview of Public Comments: Two
commenters expressed general support
for the proposed provision, stating that
it struck the appropriate balance
between maintaining the confidentiality
and privilege protections on patient
safety work product and allowing
reporters of patient safety work product
to seek redress for adverse employment

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

actions based upon their good faith
reporting of this information to a PSO.
Several commenters responded to the
question posed in the proposed rule
asking whether a protective order
should be a condition of disclosure
under this provision or if a good faith
effort in obtaining a protective order
should be sufficient. All of these
commenters agreed that the obtaining of
a protective order should be a condition
of disclosure of patient safety work
product under this provision.
Final Rule: The final rule adopts the
proposed disclosure permission at
§ 3.206(b)(2) but conditions the
permitted disclosure for equitable relief
on the provision of a protective order by
the court or administrative tribunal to
protect the confidentiality of the patient
safety work product during the course of
the proceeding. Although patient safety
work product remains confidential and
privileged in the hands of all recipients
after disclosure under this provision, we
recognize that the sensitive nature of the
patient safety work product warrants
requiring a protective order as
additional protection on this
information. Because some participants
and observers of a proceeding involving
equitable relief for an adverse
employment action may not be aware
that certain information is protected as
patient safety work product to which
penalties attach for impermissible
disclosures, requiring a protective order
is prudent to ensure that patient safety
work product is adequately protected
and that individuals are put on notice
of its protected status. As we explained
in the proposed rule, such a protective
order could take many forms that
preserve the confidentiality of patient
safety work product. For example, the
order could limit the use of the
information to case preparation, but not
make it evidentiary. Or, the order might
prohibit the disclosure of the patient
safety work product in publicly
accessible proceedings and in court
records to prevent liability from moving
to a myriad of unsuspecting parties.
We recognize that, in some cases, a
reporter seeking equitable relief may be
unable to obtain a protective order from
a court prior to making a necessary
disclosure of patient safety work
product, despite the reporter’s good
faith and diligent effort to obtain one. If
the Secretary receives a complaint that
patient safety work product was
disclosed by a reporter seeking equitable
relief, the Secretary has discretion not to
impose a civil money penalty, if
appropriate. While the final rule
requires a protective order as a
condition of disclosure, it is not the
Secretary’s intent to frustrate the

PO 00000

Frm 00045

Fmt 4701

Sfmt 4700

70775

obtaining of equitable relief provided for
under the statute. Thus, the Secretary
will review the circumstances of such
complaints to determine whether to
exercise his enforcement discretion to
not pursue a civil money penalty.
(3) Section 3.206(b)(3)—Authorized by
Identified Providers
Proposed Rule: Proposed § 3.206(b)(3)
would have permitted a disclosure of
patient safety work product when each
provider identified in the patient safety
work product separately authorized the
disclosure. This provision paralleled the
privilege exception at proposed
§ 3.204(b)(3) and was based on section
922(c)(1)(C) of the Public Health Service
Act, 42 U.S.C. 299b–22(c)(1)(C). The
proposed rule explained that patient
safety work product disclosed under
this exception would continue to be
confidential pursuant to the continued
confidentiality provisions at section
922(d)(1) of the Public Health Service
Act, 42 U.S.C. 299b–22(d)(1), and
persons would be subject to liability for
further disclosures in violation of that
confidentiality.
We also explained that it would be
insufficient to make identifiable
information regarding a nonauthorizing
provider nonidentifiable in lieu of
obtaining an authorization. While we
considered such an approach, we
rejected it as impractical given that it
seemed there would be very few, if any,
situations in which a nonauthorizing
provider could be nonidentified without
also needing to nonidentify, or nearly
so, an authorizing provider in the same
patient safety work product.
We encouraged persons disclosing
patient safety work product to exercise
discretion with respect to the scope of
patient safety work product disclosed
and to consider whether identifying
information regarding reporters or
patients was necessary, even though the
statute required neither patient nor
reporter authorization under this
provision. We also explained that, if the
disclosing entity is a HIPAA covered
entity (or business associate), the
HIPAA Privacy Rule, including the
minimum necessary standard when
applicable, would apply to the
disclosure of protected health
information contained within the
patient safety work product. Further, if
the disclosure was not also permitted
under the HIPAA Privacy Rule, the
patient information would need to be
de-identified. We sought public
comment as to whether the proposed
approach was sufficient to protect the
interests of reporters and patients
identified in the patient safety work

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

70776

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

product permitted to be disclosed
pursuant to this provision.
While the Patient Safety Act does not
specify the form of the authorization
under this exception, we proposed that
an authorization be in writing, be signed
by the authorizing provider, and contain
sufficient detail to fairly inform the
provider of the nature and scope of the
disclosures being authorized. The
proposed rule would not have required
that any specific terms be included in
the authorization, only that disclosures
be made in accordance with the terms
of the authorization, whatever they may
be. We sought public comment on
whether a more stringent standard
would be prudent and workable, such as
an authorization process that is
disclosure specific.
We also proposed that any
authorization be maintained by the
disclosing entity or person for a period
of six years from the date of the last
disclosure made in reliance on the
authorization, the limit of time within
which the Secretary must initiate an
enforcement action.
Overview of Public Comments:
Several commenters responded that
patients and reporters identified in
patient safety work product are
adequately protected by this regulation
and by the HIPAA Privacy Rule for
covered entities. Some commenters,
however, suggested that the HIPAA
Privacy Rule’s minimum necessary
standard be applied to disclosures
under this provision so that only the
minimum necessary amount of patient
safety work product would be permitted
to be disclosed.
Several commenters also responded to
the question of whether a stricter or
more prescribed standard for the
authorizations should be included in
the final rule, the majority of whom
stated that the authorization
requirements outlined in the proposed
rule were adequate. One commenter
recommended that the final rule not
regulate the terms of the provider
authorization and that such terms be left
to the parties. Another commenter
suggested that provider authorizations
be time-limited, while other
commenters asked for a model
authorization form and that the final
rule provide a process for revocation of
authorizations.
Final Rule: The final rule adopts the
proposed provision. Thus, a provider,
PSO, or responsible person may disclose
identifiable patient safety work product
if a valid authorization is obtained from
each identified provider and the
disclosure is consistent with such
authorization. As in the proposed rule,
such authorizations must be retained by

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

the disclosing entity for six years from
the date of the last disclosure made in
reliance on the authorization and made
available to the Secretary upon request.
Further, as the Department agrees with
those commenters who believed the
specific terms of the provider
authorizations should be left to the
parties, the final rule, as in the proposed
rule, requires only that the authorization
of each of the identified providers be in
writing and signed, and contain
sufficient detail to fairly inform the
provider of the nature and scope of the
disclosures being authorized. Thus, the
parties are free to define their own
specific terms for provider
authorizations, including any time
limitations and to what extent and the
process through which such
authorizations are revocable. Given the
final rule does not prescribe a particular
form or the terms of provider
authorizations under this provision, we
do not believe providing a model
authorization form is appropriate or
feasible.
With respect to patient and reporter
identifiers, we continue to strongly
encourage disclosers to consider how
much patient safety work product is
necessary, and whether patient or
reporter identifiers are necessary, to
accomplish the purpose of the
authorized disclosure. However, this
final rule does not include specific
limitations on the disclosure of patient
and reporter identifiers under this
provision, so long as the disclosure is in
accordance with the terms of the
provider authorizations. In addition, the
HIPAA Privacy Rule, including the
minimum necessary or de-identification
standard, as appropriate, continues to
apply to the disclosure of any protected
health information contained within the
patient safety work product.
Response to Other Public Comments
Comment: One commenter asked for
clarification as to whether state laws
requiring greater protection for patient
safety work product would apply to
disclosures pursuant to this provision.
Response: Section 922(g)(1) of the
Public Health Service Act, 42 U.S.C.
299b–22(g)(1), provides that the Patient
Safety Act does not limit the application
of other Federal, State, or local laws that
provide greater privilege or
confidentiality protections than
provided by the Act. Thus, state laws
providing greater protection for patient
safety work product are not preempted
and would apply to disclosures of
patient safety work product.
Comment: One commenter expressed
concern that this disclosure permission
conflicts with the disclosure permission

PO 00000

Frm 00046

Fmt 4701

Sfmt 4700

for patient safety activities at proposed
§ 3.206(b)(4) because this disclosure
permission does not allow the sharing of
any provider information, even if made
nonidentifiable, unless all providers
identified in the patient safety work
product authorize the disclosure, while
the disclosure permission for patient
safety activities allows the sharing of
provider information between PSOs and
between providers, as long as it is
anonymized.
Response: These disclosure
permissions are separate and
independent of one another and serve
different purposes. Disclosures of
patient safety work product may be
made pursuant to either permission,
provided the relevant conditions are
met.
Comment: One commenter expressed
concern about the disclosure
permission’s prohibition on disclosing
patient safety work product in
nonidentifiable form with respect to a
provider who has not authorized the
disclosure of the information, stating
that this construct would make the
provision difficult to implement.
Response: The final rule adopts the
provisions of the proposed rule and
does not permit patient safety work
product to be disclosed if the
information is rendered nonidentifiable
with respect to a nonauthorizing
provider. As explained above, there are
likely few situations in which a
nonauthorizing provider could be
nonidentified without having to also
nonidentify the authorizing providers in
the patient safety work product to be
disclosed under this provision.
Therefore, allowing nonidentification of
the nonauthorizing provider is
impractical.
Comment: One commenter
recommended that a copy of the
provider authorization be kept in a
patient’s file, if the provider’s
authorized disclosure of patient safety
work product resulted in a disclosure of
the patient’s protected health
information, so that these disclosures
can be tracked and included in an
accounting of disclosures as required by
45 CFR 164.528 of the HIPAA Privacy
Rule.
Response: While the commenter’s
suggestion may assist in complying with
the HIPAA Privacy Rule’s accounting of
disclosures standard, we do not include
such a requirement in the final rule.
Given that the authorizations provided
for under this provision are focused on
the disclosure of the provider’s
identifiable information and that the
specific terms of such authorizations
will vary based on the circumstances of
the disclosure and the parties, it is

E:\FR\FM\21NOR3.SGM

21NOR3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

dwashington3 on PRODPC61 with RULES3

unlikely that such authorizations will
contain the information necessary for a
HIPAA covered entity to meet its
accounting obligations to the individual
patient. Further, HIPAA covered entities
are free to design and use approaches
for compliance with the HIPAA Privacy
Rule’s accounting standard that are best
suited to their business needs and
information systems.
(4) Section 3.206(b)(4)—Patient Safety
Activities
Proposed Rule: Proposed § 3.206(b)(4)
would have permitted the disclosure of
identifiable patient safety work product
for patient safety activities (i) by a
provider to a PSO or by a PSO to that
disclosing provider; or (ii) by a provider
or a PSO to a contractor of the provider
or PSO; or (iii) by a PSO to another PSO
or to another provider that has reported
to the PSO, or by a provider to another
provider, provided, in both cases,
certain direct identifiers are removed.
This proposed permissible disclosure
provision was based on section
922(c)(2)(A) of the Public Health Service
Act, 42 U.S.C. 299b–22(c)(2)(A), which
permits the disclosure of identifiable
patient safety work product for patient
safety activities. The proposed rule
provided that, consistent with the
statute, patient safety work product
would remain privileged and
confidential once disclosed under this
provision.
We explained in the proposed rule
that patient safety activities are the core
mechanism by which providers may
disclose patient safety work product to
obtain external expertise from PSOs and
through which PSOs may aggregate
information from multiple providers,
and communicate feedback and
analyses back to providers. Thus, the
rule needs to facilitate such
communications so that improvements
in patient safety can occur. To realize
this goal, the proposed rule at
§ 3.206(b)(4)(i) would have allowed for
the disclosure of identifiable patient
safety work product reciprocally
between providers and the PSOs to
which they have reported. This would
allow PSOs to collect, aggregate, and
analyze patient safety event information
and disseminate findings and
recommendations for safety and quality
improvements.
The proposed rule at § 3.206(b)(4)(ii)
also would have allowed for disclosures
by providers and PSOs to their
contractors who are not workforce
members, recognizing that there may be
situations where providers and PSOs
want to engage contractors who are not
agents to carry out patient safety
activities. However, to ensure patient

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

safety work product remained
adequately protected in such cases, the
proposed rule would have prohibited
contractors from further disclosing
patient safety work product, except to
the provider or PSO from which they
first received the information. We
explained in the proposed rule that this
limitation would not, however, preclude
a provider or PSO from exercising its
authority under section 922(g)(4) of the
Public Health Service Act, 42 U.S.C.
299b–22(g)(4), to separately delegate its
power to the contractor to make other
disclosures. We also stated that,
although the proposed rule did not
require a contract between the provider
or PSO and the contractor, we fully
expected the parties to engage in
prudent practices to ensure patient
safety work product remained
confidential.
Further, to allow for more effective
aggregation of patient safety work
product, the proposal at § 3.206(b)(4)(iii)
would have allowed PSOs to disclose
patient safety work product to other
PSOs or to other providers that have
reported to the PSO (but not about the
specific event(s) to which the patient
safety work product relates), and
providers to disclose patient safety work
product to other providers, for patient
safety activities, as long as the patient
safety work product was anonymized
through the removal of direct identifiers
of providers and patients. See proposed
§ 3.206(b)(4)(iii)(A). In particular, to
anonymize provider identifiers, the
proposed rule would have required the
removal of the following direct
identifiers of any providers and of
affiliated organizations, corporate
parents, subsidiaries, practice partners,
employers, members of the workforce,
or household members of such
providers: (1) Names; (2) postal address
information, other than town or city,
State and zip code; (3) telephone
numbers; (4) fax numbers; (5) electronic
mail addresses; (6) social security
numbers or taxpayer identification
numbers; (7) provider or practitioner
credentialing or DEA numbers; (8)
national provider identification number;
(9) certificate/license numbers; (10) web
universal resource locators; (11) internet
protocol (IP) address numbers; (12)
biometric identifiers, including finger
and voice prints; and (13) full face
photographic images and any
comparable images. For patient
identifiers, the proposed rule would
have applied the HIPAA Privacy Rule
limited data set standard. See 45 CFR
164.514(e). We explained in the
proposed rule that removal of the
required identifiers could be absolute or

PO 00000

Frm 00047

Fmt 4701

Sfmt 4700

70777

be done through encryption, provided
the disclosing entity did not disclose the
key to the encryption or the mechanism
for re-identification.
Recognizing that fully nonidentifiable
patient safety work product may have
limited usefulness due to the removal of
key elements of identification, the
proposed rule specifically sought public
comment on whether there were any
entities other than providers, PSOs, or
their contractors that would need fully
identifiable or anonymized patient
safety work product for patient safety
activities.
The proposed rule also explained the
intersection with the HIPAA Privacy
Rule with respect to these disclosures,
and noted that, as provided by the
statute, PSOs would be treated as
business associates and patient safety
activities performed by, or on behalf of,
a covered provider by a PSO would be
deemed health care operations as
defined by the HIPAA Privacy Rule. For
a more detailed discussion of the
application of the HIPAA Privacy Rule
with respect to disclosures under this
proposed provision, see the preamble to
the proposed rule at 73 FR 8146–8147.
The proposed rule sought public
comment on whether the HIPAA
Privacy Rule definition of ‘‘health care
operations’’ should be modified to
include a specific reference to patient
safety activities and whether the HIPAA
Privacy Rule disclosure permission for
health care operations should be
modified to include a reference to
patient safety activities.
Overview of Public Comments: The
commenters expressed general support
for the reciprocal disclosure of patient
safety work product between providers
and PSOs for patient safety activities.
Additionally, commenters expressed
general support for the disclosure of
patient safety work product by a PSO or
provider to its contractor to carry out
patient safety activities.
Commenters also generally supported
the proposed permissible disclosure of
patient safety work product between
PSOs for patient safety activities,
between PSOs and other providers that
have reported to that PSO, and between
providers. However, many commenters
expressed concern about the proposed
rule requirement at § 3.206(b)(4)(iii) to
anonymize patient safety work product
prior to disclosure. Some commenters
stated that this requirement
inappropriately limited a PSO’s ability
to share this information with other
PSOs and could prevent PSOs from
being able to identify duplicate reports
of a single event coming from
independent sources in the patient
safety work product received from other

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

70778

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

PSOs. One suggested that PSOs be able
to share identifiable patient safety work
product with other PSOs, while another
commenter stated that provider names,
addresses, and phone numbers should
be included in patient safety work
product to permit follow up contact
with the provider and as a way to
identify duplicate adverse event reports.
This commenter suggested that PSOs be
able to contract with other PSOs as their
contractors so that they could share
patient safety information that has not
been anonymized with one another
subject to § 3.206(b)(4)(ii), or
alternatively, that the final rule allow
PSOs to share patient safety work
product identifying providers with other
PSOs if a contract ensuring the
confidentiality of this information is in
place between the PSOs. Other
commenters expressed concern that the
anonymization requirement limited the
ability of providers to use and disclose
patient safety work product to other
providers or students for educational,
academic, or professional purposes.
These commenters feared that the
proposed rule would inhibit providers’
ability to consult with other providers
about patient safety events and
requested clarification from the
Department that the rule would not
prohibit the disclosure of patient safety
work product among physicians and
other health care professionals,
particularly for education purposes or
for preventing or ameliorating harm.
Many commenters also responded to
the question in the proposed rule
regarding whether the patient safety
activities disclosure permission should
be expanded to encompass additional
entities. Commenters identified no
additional entities to include in this
disclosure permission; however, some
commenters suggested that the
Department monitor this provision so
that exceptions for disclosures to
additional entities may be made in the
future if necessary.
Final Rule: The final rule adopts
without modification proposed
§ 3.206(b)(4)(i) and § 3.206(b)(4)(ii),
permitting disclosure of patient safety
work product for patient safety activities
between providers and PSOs, and
between providers or PSOs and their
contractors that undertake patient safety
activities on their behalf. In addition,
the final rule modifies proposed
§ 3.206(b)(4)(iii) with respect to
disclosures to another PSO or provider,
redesignates the provision as
§ 3.206(b)(4)(iv), and adds a new
§ 3.206(b)(4)(iii).
New § 3.206(b)(4)(iii) of the final rule
permits disclosure of identifiable
patient safety work product among

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

affiliated providers for patient safety
activities. Unlike disclosures between
providers in § 3.206(b)(4)(iv), the patient
safety work product disclosed pursuant
to this permission need not be
anonymized prior to disclosure. An
affiliated provider is defined in the final
rule as ‘‘with respect to a provider, a
legally separate provider that is the
parent organization of the provider, is
under common ownership,
management, or control with the
provider, or is owned, managed, or
controlled by the provider.’’ See § 3.20.
This addition to the final rule is
included in recognition that certain
provider entities with a common
corporate affiliation, such as integrated
health systems, may have a need, just as
a single legal entity, to share identifiable
and non-anonymized patient safety
work product among the various
provider affiliates and their parent
organization for patient safety activities
and to facilitate, if desired, one
corporate patient safety evaluation
system. We emphasize that provider
entities can choose not to use this
disclosure mechanism if they believe
that doing so would adversely affect
provider participation, given that
patient safety work product would be
shared more broadly across the affiliated
entities.
The final rule adopts the disclosure
permission for patient safety work
product proposed at § 3.206(b)(4)(iii) in
the proposed rule; however, the final
rule relocates this disclosure permission
to § 3.206(b)(4)(iv) and retitles this
section for clarity. This disclosure
permission requires that patient safety
work product disclosed for patient
safety activities by a PSO to another
PSO or to another provider that has
reported to the PSO or by a provider to
another provider must be anonymized
through the removal of certain providerrelated direct identifiers listed in
§ 3.206(b)(4)(iii)(A), as well as the
removal of patient direct identifiers
pursuant to the HIPAA Privacy Rule’s
limited data set standard at 45 CFR
164.514(e)(2).
Although the final rule includes a
provision for disclosure of fully
identifiable patient safety work product
among affiliated providers, we believe it
is unnecessary to provide a similar
provision that would allow for the
sharing of identifiable and nonanonymized patient safety work product
between PSOs since the final rule
includes multiple avenues for secondary
PSOs, i.e., those PSOs that do not have
the direct reporting relationship with
the provider, to receive provider
identifiable data, if needed. In
particular, the final rule allows: (1) A

PO 00000

Frm 00048

Fmt 4701

Sfmt 4700

PSO receiving patient safety work
product from a provider to contact that
provider and recommend that the
provider also report the patient safety
work product to an additional PSO; (2)
a provider reporting to a PSO to delegate
its authority to the PSO to report its
patient safety work product to an
additional PSO; (3) a PSO to hire
another PSO as a consultant to assist in
the evaluation of patient safety work
product received from a reporting
provider, pursuant to § 3.206(b)(4)(ii);
and (4) a PSO to disclose identifiable
and non-anonymized patient safety
work product to another PSO if it has
obtained authorization to do so from
each provider identified in the patient
safety work product. See § 3.206(b)(3).
To address the concerns of providers
generally that the rule would prohibit
the disclosure of patient safety work
product among physicians and other
health care professionals, particularly
for educational purposes or for
preventing or ameliorating patient harm,
we emphasize that the rule does not
regulate uses of patient safety work
product within a single legal entity.
(However, we note that we have
expressly defined as a disclosure the
sharing of patient safety work product
between a component PSO and the rest
of the legal entity of which it is a part.)
Thus, consistent with this policy,
providers within a single legal entity are
free to discuss and share patient safety
work product in identifiable and nonanonymized form for educational,
academic, or other professional
purposes. We have made this policy
clear in the final rule by modifying the
definition of disclosure to apply only to
the release, transfer, provision of access
to, or divulging in any other manner of
patient safety work product by: (1) an
entity or natural person holding the
patient safety work product to another
legally separate entity or natural person
outside the entity holding the patient
safety work product; or (2) a component
PSO to another entity or natural person
outside the component organization.
Further, as described above, the new
provision at § 3.206(b)(4)(iii) allows the
sharing of fully identifiable patient
safety work product among affiliated
providers. However, if providers wish to
disclose patient safety work product to
other providers outside of their legal
entity or to non-affiliated providers, the
information must be anonymized
subject to § 3.206(b)(4)(iv)(A) and (B) or
disclosed subject to another applicable
disclosure permission.
Response to Other Public Comments
Comment: One commenter asked that
the final rule prohibit the

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
recommendations made by a PSO from
being introduced as evidence of a
standard of care or for other purposes in
a judicial or administrative proceeding.
Response: A recommendation made
by a PSO is patient safety work product
to which the privilege and
confidentiality protections attach.
Therefore, the information can only be
disclosed through an applicable
disclosure permission. However, as we
explained in the proposed rule, while
the recommendations themselves are
protected, the corrective actions
implemented by a provider, even if
based on the protected
recommendations from a PSO, are not
patient safety work product.
Comment: One commenter asked if
permissible disclosures of patient safety
work product for patient safety activities
under this disclosure permission could
include disclosures for credentialing,
disciplinary, and peer review purposes.
Response: The disclosure permission
at § 3.206(b)(4) of the final rule for
patient safety activities does not
encompass the disclosure of patient
safety work product to an external entity
or within an administrative proceeding
for credentialing, disciplinary, or peer
review purposes. However, as explained
above, uses of patient safety work
product within a legal entity are not
regulated and thus, patient safety work
product may be used within an entity
for any purpose, including those
described by the commenter, so long as
such use does not run afoul of the
statutory prohibition on a provider
taking an adverse employment action
against an individual based on the fact
that the individual in good faith
reported information either to the
provider with the intention of having
the information reported to a PSO or
directly to a PSO. (Note, though, that we
have expressly defined as a disclosure
the sharing of patient safety work
product between a component PSO and
the rest of the legal entity of which it is
a part.)
Comment: One commenter suggested
that PSOs should be required to
maintain an accounting of all
disclosures of patient safety work
product containing individually
identifiable health information in
parallel to the HIPAA Privacy Rule
requirement for covered entities. In
order to further protect patient privacy,
this commenter suggested that patients
be made third party beneficiaries of the
contracts between providers and PSOs.
Response: A HIPAA covered entity is
responsible for ensuring that disclosures
of protected health information made by
a PSO, as its business associate, are
included in an accounting of disclosures

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

to the extent such disclosures are
subject to an accounting at 45 CFR
164.528. Further, the HIPAA Privacy
Rule provides that a contract between a
HIPAA covered entity and its business
associate must require the business
associate to make available to the
covered entity the information it needs
to comply with the HIPAA Privacy
Rule’s accounting standard. See 45 CFR
164.504(e). However, we expect that
most permissible disclosures of patient
safety work product that include
protected health information will not be
subject to the HIPAA Privacy Rule’s
accounting requirements. The HIPAA
Privacy Rule’s accounting standard does
not require that disclosures made for
health care operations be included in an
accounting. See 45 CFR 164.528(a)(1)(i).
Thus, because disclosures for patient
safety activities at § 3.206(b)(4), business
operations at § 3.206(b)(9), or
accreditation purposes at § 3.206(b)(8)
will generally be for the provider’s
health care operations, the provider
does not need to account for these
disclosures. Additionally, for
disclosures of patient safety work
product that are subject to the HIPAA
Privacy Rule’s accounting requirement,
such as disclosures to the FDA and
entities required to report to the FDA at
§ 3.206(b)(7), the HIPAA Privacy Rule
offers enough flexibility for a provider
generally to provide an accounting of
those disclosures without revealing the
existence of patient safety work product.
Therefore, we do not believe including
a requirement directly on PSOs with
respect to the HIPAA Privacy Rule’s
accounting standard is needed or
appropriate. Nor do we agree that
contracts between providers and PSOs
should designate individuals as third
party beneficiaries of such contracts. We
believe the HIPAA Privacy Rule’s
existing provisions provide adequate
protections for identifiable patient
information that may be encompassed
within patient safety work product;
however, we also expect PSOs generally
to disclose anonymized and
nonidentifiable patient safety work
product.
Comment: Another commenter
suggested that patient safety work
product should be able to be used and
disclosed in the same circumstances
that protected health information can be
used and disclosed under the HIPAA
Privacy Rule for health care operations.
Response: The final rule does not
regulate ‘‘uses’’ of patient safety work
product within a legal entity; thus, a
provider, PSO, or responsible person
may use patient safety work product for
any purpose within the legal entity,
including those considered ‘‘health care

PO 00000

Frm 00049

Fmt 4701

Sfmt 4700

70779

operations’’ for purposes of the HIPAA
Privacy Rule. With respect to
disclosures, however, we do not agree
that expanding the disclosure
permission in the manner suggested by
the commenter is appropriate. The
disclosure permissions in the final rule
are carefully crafted to balance the need
for the information to remain
confidential with the need to disclose
patient safety work product to effectuate
the goals of the statute or for other
limited purposes provided by the
statute. With respect to disclosures for
patient safety activities, while it is clear
that patient safety activities are health
care operations under the HIPAA
Privacy Rule, only a subset of activities
within the definition of ‘‘health care
operations’’ are relevant to patient
safety.
Comment: One commenter asked for
clarification about whether a provider
can report a single patient safety event
to multiple PSOs.
Response: Providers are free to report
patient safety work product to, and have
relationships with, multiple PSOs.
Comment: A commenter asked that
the final rule explain the process for
disclosing patient safety work product
to the National Patient Safety Databank.
Response: The Department intends to
provide further guidance and
information regarding the creation of
and reporting to and among the network
of patient safety databases, as part of
implementation of section 923 of the
Public Health Service Act, including
information on common formats for
collecting and disclosing
nonidentifiable patient safety work
product for such purposes. The
Department announced the availability
of, and sought comment on, common
formats for common hospital-based
patient safety events in the Federal
Register on August 29, 2008 (http://
www.pso.ahrq.gov/formats/
commonfmt.htm).
Comment: One commenter suggested
that the final rule require providers and
PSOs to have written contracts in place
with contractors who are not their
agents but who will carry out patient
safety activities on their behalf. Another
commenter asked if the final rule will
include a requirement similar to a
business associate contract under the
HIPAA Privacy Rule between PSOs and
its contractors.
Response: The final rule does not
require providers and PSOs to have
written contracts in place with
contractors who are not their agents but
who will carry out patient safety
activities on their behalf. However, we
expect that, in practice, such
relationships will be governed by

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

70780

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

contract, but we leave the terms of those
relationships up to the parties. We note,
though, that if a HIPAA covered entity
hires a contractor to conduct patient
safety activities on its behalf, which
requires access to protected health
information, the HIPAA Privacy Rule
would require that a business associate
agreement be in place prior to any
disclosure of such information to the
contractor. See 45 CFR 164.502(e) and
164.504(e).
Comment: Some commenters asked
that the final rule provide clarification
regarding the circumstances under
which PSOs can disclose patient safety
work product to other PSOs to aggregate
this information for patient safety
activities purposes.
Response: Section 3.206(b)(4)(iv) of
the final rule permits such disclosures,
provided the patient safety work
product is anonymized by removal of
the direct identifiers of both providers
and patients. Also, the final rule permits
a PSO to disclose patient safety work
product to another PSO if authorized by
the identified providers as provided in
§ 3.206(b)(3) or in non-identifiable form
in accordance with § 3.206(b)(5).
Finally, a provider reporting to a PSO
may delegate its authority to the PSO to
report its patient safety work product to
an additional PSO, as provided by
§ 3.206(e).
Comment: A commenter suggested
that a data use agreement be required
when any information, including
individually identifiable health
information, is being shared through a
limited data set.
Response: If a HIPAA covered entity
is sharing a limited data set, as defined
by the HIPAA Privacy Rule, the covered
entity must enter into a data use
agreement with the recipient of the
information. See 45 CFR 164.504(e). For
entities that are not covered by the
HIPAA Privacy Rule, the final rule does
not include such a requirement;
however, we encourage such parties to
engage in these and similar practices to
further protect patient safety work
product.
Comment: Two commenters asked for
clarification in the final rule about
whether patient safety work product
disclosed by a provider to a PSO or by
a PSO to a provider can identify other
providers regardless of whether they
have also reported to that PSO. One
commenter asked if the rule requires
that authorization from all the identified
providers is required before this
disclosure can be made.
Response: The final rule at
§ 3.206(b)(4)(i) allows the disclosure of
patient safety work product in
identifiable form reciprocally between

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

the provider and the PSO to which it
reports. This information can contain
information identifying other providers.
If the patient safety work product is
being disclosed between PSOs, between
unaffiliated providers, or between a PSO
and other providers that have reported
to it, then the information must be
anonymized prior to disclosure subject
to § 3.206(b)(4)(iv)(A) and (B). In
addition, if a provider or PSO obtains
authorizations from all providers
identified in the patient safety work
product, or if the patient safety work
product is being shared among affiliated
providers, then such information may
be disclosed in identifiable form under
§ 3.206(b)(3) and 3.206(b)(4)(iii).
Comment: Several commenters
expressed concern about the
anonymization requirement at proposed
§ 3.206(b)(4)(iii)(A) and stated that a
provider may be identifiable even if the
patient safety work product is
anonymized. One commenter suggested
that zip codes should be included in the
list of identifiers that must be removed
from the patient safety work product.
Other commenters felt that the
anonymization standard was too strict.
Response: We believe the
anonymization standard in the final rule
at § 3.206(b)(4)(iv)(A) strikes the
appropriate balance between the need to
protect patient safety work product and
the need for broader sharing of such
information at an aggregate level,
outside of the direct provider and PSO
relationship, to achieve the goals of the
statute and improve patient safety.
Comment: We received several
comments in response to the questions
asked in the proposed rule about
whether the HIPAA Privacy Rule
definition of ‘‘health care operations’’
should include a specific reference to
patient safety activities and whether the
Privacy Rule disclosure permission for
health care operations should be
modified to conform to the disclosure
for patient safety activities. These
commenters expressed overwhelming
support for modifying the HIPAA
Privacy Rule’s definition of ‘‘health care
operations’’ to include such a specific
reference and to aligning the disclosure
permission for health care operations
with that for patient safety activities.
The commenters stated that including
such specific references would make the
intersection of both regulations clear,
and would encourage patient safety
discourse among providers and PSOs.
One commenter stated that there was no
need to modify the definition of ‘‘health
care operations’’ because it already
unambiguously encompassed patient
safety activities. No commenters
suggested that modifications to the

PO 00000

Frm 00050

Fmt 4701

Sfmt 4700

Privacy Rule were necessary to address
any workability issues.
Response: OCR will consider these
comments and will seek opportunity to
address them in regulation or in
guidance.
(5) Section 3.206(b)(5)—Disclosure of
Nonidentifiable Patient Safety Work
Product
Proposed Rule: Proposed § 3.206(b)(5)
would have permitted the disclosure of
nonidentifiable patient safety work
product if the patient safety work
product met the standard for
nonidentification in proposed § 3.212.
See section 922(c)(2)(B) of the Public
Health Service Act, 42 U.S.C. 299b22(c)(2)(B). As described in proposed
§ 3.208(b)(ii), nonidentifiable patient
safety work product, once disclosed,
would no longer be privileged and
confidential and thus, could be
redisclosed by a recipient without any
Patient Safety Act limitations or
liability. Any provider, PSO or
responsible person could nonidentify
patient safety work product. See the
discussion regarding § 3.212 for more
information about the nonidentification
standard.
Overview of Public Comments: We
received no comments opposed to this
proposed provision.
Final Rule: The final rule adopts the
proposed provision.
Response to Other Public Comments
Comment: One commenter asked that
the final rule require data use
agreements for disclosures of
nonidentifiable patient safety work
product in cases where there is a chance
for identification or reidentification of
provider identities.
Response: We emphasize that patient
safety work product is considered
nonidentifiable only if, either: (1) the
statistical method at § 3.212(a)(1) is used
and there is a very small risk that the
information could be used, alone or in
combination with other reasonably
available information, by an anticipated
recipient to identify an identified
provider; or (2) the identifiers listed at
§ 3.212(a)(2) are stripped and the person
making the disclosure does not have
actual knowledge that the remaining
information could be used, alone or in
combination with other information that
is reasonably available to the intended
recipient, to identify a provider. Thus,
the commenter should consider whether
the information about which it is
concerned would be nonidentifiable for
purposes of this rule. Further, while the
final rule does not require that the
disclosure of nonidentifiable patient
safety work product be conditioned on

E:\FR\FM\21NOR3.SGM

21NOR3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

dwashington3 on PRODPC61 with RULES3

an agreement between the parties to the
disclosure, we note that providers,
PSOs, and responsible persons are free
to contract or enter into agreements that
place further conditions on the release
of patient safety work product,
including in nonidentifiable form, than
required by the final rule. See § 3.206(e).
Comment: Several commenters stated
that identifiable information about
nondisclosing providers should not be
disclosed and that adequate safeguards
should be in place to ensure that
information identifying nondisclosing
providers is not released. These
commenters also suggested that AHRQ
set up a workgroup to evaluate the
standards and approaches set forth in
the proposed rule.
Response: The nonidentification
standard at § 3.212 of the final rule
addresses the commenters’ concern by
requiring either that: (1) a statistician
determine, with respect to information,
that the risk is very small that the
information could be used, alone or in
combination with other reasonably
available information, by an anticipated
recipient to identify an identified
provider; or (2) all of the providerrelated identifiers listed at § 3.212(a)(2)
be removed and the provider, PSO, or
responsible person making the
disclosure not have actual knowledge
that the information could be used,
alone or in combination with other
information that is reasonably available
to the intended recipient, to identify the
particular provider.
(6) Section 3.206(b)(6)—For Research
Proposed Rule: Proposed § 3.206(b)(6)
would have allowed the disclosure of
identifiable patient safety work product
to entities carrying out research,
evaluations, or demonstration projects
that are funded, certified, or otherwise
sanctioned by rule or other means by
the Secretary. See section 922(c)(2)(C) of
the Public Health Service Act, 42 U.S.C.
299b-22(c)(2)(C). We explained in the
proposed rule that this disclosure
permission was only for research
sanctioned by the Secretary. We also
explained that we expected that most
research that may be subject to this
disclosure permission would be related
to the methodologies, analytic
processes, and interpretation, feedback
and quality improvement results from
PSOs, rather than general medical, or
even health services, research. Patient
safety work product disclosed for
research under this provision would
continue to be confidential and
privileged.
Section 922(c)(2)(C) of the Public
Health Service Act, 42 U.S.C. 299b22(c)(2)(C), requires that patient safety

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

work product which identifies patients
may only be released to the extent that
protected health information would be
disclosable for research purposes under
the HIPAA Privacy Rule. We interpreted
this provision as requiring HIPAA
covered entities to ensure any
disclosures of patient safety work
product under this provision that also
include protected health information
comply with the HIPAA Privacy Rule’s
research provisions. Accordingly, the
proposal incorporated by reference 45
CFR 164.512(i) of the HIPAA Privacy
Rule, which generally requires a
covered entity to obtain documentation
of a waiver (or alteration of waiver) of
authorization by either an Institutional
Review Board (IRB) or a Privacy Board
prior to using or disclosing protected
health information without the
individual’s authorization.
We noted that our interpretation of
the statute would not impact the
disclosure of identifiable patient safety
work product by entities or persons that
are not HIPAA covered entities. We also
explained that the incorporation by
reference of the HIPAA Privacy Rule
should provide for the proper alignment
of disclosures for research purposes
under the two rules. However, the
exception under the Patient Safety Act
also refers to evaluations and
demonstration projects, some of which
may not meet the definition of research
under the HIPAA Privacy Rule because
they may not result in generalizable
knowledge but rather may fall within
the HIPAA Privacy Rule’s definition of
‘‘health care operations.’’ We stated that,
in such cases, HIPAA covered entities
disclosing patient safety work product
that includes protected health
information under this exception could
do so without violation of the HIPAA
Privacy Rule. See the definition of
‘‘health care operations’’ at 45 CFR
164.501 of the HIPAA Privacy Rule.
Overview of Public Comments: We
received no comments in reference to
this provision.
Final Rule: The final rule adopts the
proposed provision, except that the
specific reference to ‘‘45 CFR
164.512(i)’’ is deleted. We have
included only a general reference to the
HIPAA Privacy Rule in recognition of
the fact that disclosures of patient safety
work product containing protected
health information pursuant to this
provision could be permissible under
the HIPAA Privacy Rule under
provisions other than 45 CFR 164.512(i),
such as, for example, disclosures for
health care operations pursuant to 45
CFR 164.506, or disclosures of a limited
data set for research purposes pursuant
to 45 CFR 164.514(e).

PO 00000

Frm 00051

Fmt 4701

Sfmt 4700

70781

(7) Section 3.206(b)(7)—To the Food
and Drug Administration
Proposed Rule: Section 922(c)(2)(D) of
the Public Health Service Act, 42 U.S.C.
299b-22(c)(2)(D), permits the disclosure
by a provider to the Food and Drug
Administration (FDA) with respect to a
product or activity regulated by the
FDA. Proposed § 3.206(b)(7) would have
implemented this provision by
permitting providers to disclose patient
safety work product concerning
products or activities regulated by the
FDA to the FDA or to an entity required
to report to the FDA concerning the
quality, safety, or effectiveness of an
FDA-regulated product or activity. The
proposed rule also would have
permitted the sharing of patient safety
work product between the FDA, entities
required to report to the FDA, and their
contractors concerning the quality,
safety, or effectiveness of an FDAregulated product or activity. Patient
safety work product disclosed pursuant
to this disclosure permission would
continue to be privileged and
confidential.
We specifically sought public
comment on our interpretation that the
statutory language concerning reporting
‘‘to the FDA’’ included reporting by the
provider to persons or entities regulated
by the FDA and that are required to
report to the FDA concerning the
quality, safety, or effectiveness of an
FDA-regulated product or activity. We
proposed this interpretation to allow
providers to report to entities that are
required to report to the FDA, such as
drug manufacturers, without violating
this rule, and asked if including such
language would bring about any
unintended consequences for providers.
We further proposed at
§ 3.206(b)(7)(ii) that the FDA and
entities required to report to the FDA
may only further disclose patient safety
work product for the purpose of
evaluating the quality, safety, or
effectiveness of that product or activity
and such further disclosures would only
be permitted between the FDA, entities
required to report to the FDA, their
contractors, and the disclosing
providers. Thus, for example, the FDA
or a drug manufacturer receiving
adverse drug event information that is
patient safety work product may engage
in further communications with the
disclosing provider(s), for the purpose
of evaluating the quality, safety, or
effectiveness of the particular regulated
product or activity, or may work with
their contractors. Moreover, an entity
regulated by the FDA may further
disclose the information to the FDA.
The proposed provision also would

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

70782

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

have prohibited contractors receiving
patient safety work product under this
provision from further disclosing such
information, except to the entity from
which they received the information.
Finally, we explained that the HIPAA
Privacy Rule at 45 CFR 164.512(b)
permits HIPAA covered entities to
disclose protected health information
concerning FDA-regulated activities and
products to persons responsible for
collection of information about the
quality, safety, and effectiveness of
those FDA-regulated activities and
products. Therefore, disclosures under
this exception of patient safety work
product containing protected health
information would be permitted under
the HIPAA Privacy Rule.
Overview of Public Comments: We
received general support in the public
comments for the express reference to
FDA-regulated entities within this
disclosure permission; only one
commenter opposed this provision.
Some commenters asked that the final
rule provide examples of the types of
disclosures that might occur to FDAregulated entities, and one commenter
suggested that if such disclosures are
permitted, the final rule should include
a comprehensive list of acceptable
disclosures to these entities. Another
commenter noted that if disclosures to
FDA-regulated entities are permitted
under this disclosure permission, the
final rule should limit the use of patient
safety work product to the purposes
stated in the statute and should prohibit
the use of this information for marketing
purposes. No commenters identified any
unintended consequences of including
FDA-regulated entities within the
disclosure permission.
Final Rule: The final rule adopts the
provisions of the proposed rule at
§ 3.206(b)(7), including the express
reference to FDA-regulated entities. We
also modify the title of the provision to
reflect that disclosures to such entities
are encompassed within the disclosure
permission. As explained in the
proposed rule, we believe including
FDA-regulated entities within the scope
of the disclosure permission is
consistent with both the rule of
construction in the statute which
preserves required reporting to the FDA,
as well as the goals of the statute which
are to improve patient safety. See
section 922(g)(6) of the Public Health
Service Act, 42 U.S.C. 299b-22(g)(6). In
addition, the final rule includes
modifications to more clearly indicate
who can receive patient safety work
product under this provision, as well as
what further disclosures may be made of
such information. Specifically,
§ 3.206(b)(7)(i) now makes clear that a

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

provider may disclose patient safety
work product concerning an FDAregulated product or activity to the FDA,
an entity required to report to the FDA
concerning the quality, safety, or
effectiveness of an FDA-regulated
product or activity, or a contractor
acting on behalf of FDA or such entity
for these purposes. Further,
§ 3.206(b)(7)(ii) clarifies that the FDA,
its regulated entity entitled to receive
information under this provision, and
their contractors may share patient
safety work product received under this
provision for the purpose of evaluating
the quality, safety, or effectiveness of
that product or activity among
themselves, as well as with the
disclosing provider.
We do not include a comprehensive
list of acceptable disclosures to FDAregulated entities as it would be
impractical to do so. As we explained in
the proposed rule, drug, device, and
biological product manufacturers are
required to report adverse experiences
to the FDA and currently rely on
voluntary reports from product users,
including providers. Further, the
analysis of events by a provider or PSO
that constitutes patient safety work
product may generate information that
should be reported to the FDA or FDAregulated entity because it relates to the
safety or effectiveness of an FDAregulated product or activity. This
provision allows providers to report
such information without violating the
confidentiality provisions of the statute
or rule. However, we emphasize that,
despite this disclosure permission, we
expect that most reporting to the FDA
and its regulated entities will be done
with information that is not patient
safety work product, as is done today.
This disclosure permission is intended
to allow for reporting to the FDA or
FDA-regulated entity in those special
cases where, only after an analysis of
patient safety work product, does a
provider realize it should make a report.
As in the proposed rule, patient safety
work product disclosed pursuant to this
provision remains privileged and
confidential.
Response to Other Public Comments
Comment: Five commenters asked
that the final rule allow PSOs as well as
providers to disclose or report patient
safety work product to the FDA or to an
entity that is required to report to the
FDA.
Response: We do not modify the
provision as there is no statutory
authority to allow PSOs to report patient
safety work product to the FDA or to an
entity required to report to the FDA.
However, the statute does permit

PO 00000

Frm 00052

Fmt 4701

Sfmt 4700

providers to report patient safety work
product to the FDA or to an entity
required to report to the FDA.
Comment: One commenter asked for
clarification as to whether lot numbers
and device identifiers and serial
numbers may be reported to the FDA
under this disclosure permission.
Response: Section 3.206(b)(7) would
allow such information contained
within patient safety work product to be
reported to FDA provided it concerned
an FDA-regulated product or activity.
(8) Section 3.206(b)(8)—Voluntary
Disclosure to an Accrediting Body
Proposed Rule: Proposed § 3.206(b)(8)
would have permitted the voluntary
disclosure of identifiable patient safety
work product by a provider to an
accrediting body that accredits that
disclosing provider. See section
922(c)(2)(E) of the Public Health Service
Act, 42 U.S.C. 299b-22(c)(2)(E). Patient
safety work product disclosed pursuant
to this proposed exception would
remain privileged and confidential.
This provision would have allowed a
provider to disclose patient safety work
product that identifies that disclosing
provider. Further, the proposed rule
would not have required that patient
safety work product be nonidentifiable
as to nondisclosing providers. The
proposed rule specifically sought public
comment on whether patient safety
work product should be anonymized
with respect to nondisclosing providers
prior to disclosure to an accrediting
body under this provision.
The proposed rule also provided that
an accrediting body could not take an
accreditation action against a provider
based on that provider’s participation,
in good faith, in the collection, reporting
or development of patient safety work
product. It also would have prohibited
accrediting bodies from requiring a
provider to reveal its communications
with any PSO.
Overview of Public Comments:
Several commenters responded to the
question of whether the final rule
should require the anonymization of
patient safety work product with respect
to nondisclosing providers, all of which
supported such a requirement. Another
commenter noted that the final rule
should expressly prohibit accrediting
bodies from taking accreditation actions
against nondisclosing providers based
upon the patient safety work product
reported to them by disclosing
providers.
Final Rule: In light of the comments
received, the final rule modifies the
proposed provision at § 3.206(b)(8) to
condition the voluntary disclosure by a
provider of patient safety work product

E:\FR\FM\21NOR3.SGM

21NOR3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

dwashington3 on PRODPC61 with RULES3

to an accrediting body that accredits the
provider on either: (1) the agreement of
the nondisclosing providers to the
disclosure; or (2) the anonymization of
the patient safety work product with
respect to any nondisclosing providers
identified in the patient safety work
product, by removal of the direct
identifiers listed at § 3.206(b)(4)(iv)(A).
Direct identifiers of the disclosing
providers do not need to be removed.
We also note that the final rule does not
prescribe the form of the agreement
obtained from non-disclosing providers.
Providers are free to design their own
policies for obtaining such agreements.
Some institutional providers may, for
example, make it a condition of
employment or privileges that providers
agree to the disclosure of patient safety
work product to accrediting bodies. In
addition, unlike the provision at
§ 3.206(b)(3) of the final rule, with
respect to any of the non-disclosing
providers identified in the patient safety
work product, the disclosing provider
need obtain either the provider’s
agreement or anonymize the provider’s
information.
Response to Other Public Comments
Comment: Several commenters stated
that they did not support this disclosure
permission allowing voluntary
disclosures of patient safety work
product to accrediting bodies due to
possible unintended consequences of
these disclosures. Another commenter
asked that we be aware of punitive
actions by regulatory organizations as a
result of voluntary disclosures to
accrediting bodies and monitor this
process carefully for any unintended
consequences.
Response: The disclosure permission
allowing providers to voluntarily
disclose patient safety work product to
accrediting bodies is prescribed by the
statute and thus, is included in this final
rule. However, as described above, the
final rule requires either anonymization
or agreement with respect to nondisclosing providers as a condition of
the disclosure. This provision, along
with the express prohibition at
§ 3.206(b)(8)(iii) on an accrediting body
taking an accrediting action against a
provider based on a good faith
participation of the provider in the
collection, development, reporting, or
maintenance of patient safety work
product should alleviate commenter
concerns.
Comment: One commenter asked if
the regulation allowed accrediting
bodies to disclose patient safety work
product to CMS as part a commitment
to advise CMS of adverse accreditation
decisions.

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

Response: The final rule prohibits
accrediting bodies from further
disclosing patient safety work product
they have voluntarily received from
providers under § 3.206(b)(8).
Comment: One commenter asked if
survey and licensure bodies were
considered to be accrediting bodies and
thus, precluded from taking action
against providers who voluntarily
submit patient safety work product to
them.
Response: Survey and licensure
bodies are not accrediting bodies and
are not treated as such under this
provision. Thus, such entities are not
entitled to receive patient safety work
product voluntarily from providers
under this provision.
Comment: Two commenters
expressed concern about this disclosure
permission for accrediting bodies that
create component PSOs. One
commenter stated that allowing
accrediting bodies to create component
PSOs creates a potential conflict of
interest that may adversely affect
provider organizations. If an accrediting
body’s component organization is a
PSO, the commenter asked how OCR
will determine whether the component
organization improperly disclosed
information or whether the accrediting
body received the information
voluntarily from a provider.
Response: Providers are free to choose
the PSOs with which they want to work.
We expect that any selection by a
provider will involve a thorough vetting
and consideration of a number of
factors, including whether the PSO is a
component of an accrediting body and
if so, what assurances are in place to
protect against improper access by the
accrediting body to patient safety work
product. Component organizations have
clear requirements to maintain patient
safety work product separately from
parent organizations. Further, the final
rule recognizes that a disclosure from a
component organization to a parent
organization is a disclosure which must
be made pursuant to one of the
permissions set forth in the statute and
here; disclosures for which there is no
permission are subject to enforcement
by the Department and imposition of
civil money penalties, as well as may
adversely impact on the PSO’s
continued listing by the Secretary as a
PSO. Should OCR receive a complaint
or conduct a compliance review that
implicates an impermissible disclosure
by a component PSO of an accrediting
body, OCR will investigate and review
the particular facts and circumstances
surrounding the alleged impermissible
disclosure, including, if appropriate,
whether the accrediting body received

PO 00000

Frm 00053

Fmt 4701

Sfmt 4700

70783

the patient safety work product directly
from a provider pursuant to
§ 3.206(b)(8).
Comment: One commenter asked that
the final rule allow accrediting bodies to
use voluntarily reported patient safety
work product in accreditation decisions,
or that the final rule give accrediting
bodies immunity from liability that
might arise from their failure to take this
patient safety work product into account
in its accreditation decisions. This
commenter also stated that, since
accrediting bodies cannot take action
based on information voluntarily
disclosed pursuant to this provision, the
final rule should make clear that
accrediting bodies cannot be held
responsible for decisions that might
have been different if the accrediting
body had been able to act based on the
patient safety work product received.
Response: We clarify that the final
rule, as the proposed rule, does not
prohibit an accrediting body from using
patient safety work product voluntarily
reported by a provider pursuant to this
provision in its accreditations decisions
with respect to that provider. Thus, it is
not necessary nor is it appropriate for
the Secretary to give accrediting bodies
immunity from liability. However, an
accrediting body may not require a
provider to disclose patient safety work
product, or take an accrediting action
against a provider who refuses to
disclose patient safety work product, to
the accrediting body. See section
922(d)(4)(B) of the Public Health Service
Act, 42 U.S.C. 299b-22(d)(4)(B), and
§ 3.206(b)(8)(iii), which expressly
prohibits an accrediting body from
taking an accrediting action against a
provider based on the good faith
participation of the provider in the
collection, development, reporting, or
maintenance of patient safety work
product in accordance with the statute.
Comment: One commenter asked if
the limitation on redisclosure of
voluntarily reported patient safety work
product received by an accrediting body
applies if the information sent to the
accrediting body was not patient safety
work product at the time the accrediting
body received the information, but was
later reported, by the provider to a PSO
and became protected.
Response: If the information
submitted to an accrediting body was
not patient safety work product as
defined at § 3.20 at the time it was
reported, then § 3.206(b)(8), including
the redisclosure limitation, does not
apply to such information.
Comment: One commenter asked that
the final rule clarify that the disclosure
of patient safety work product to an
accrediting body is voluntary.

E:\FR\FM\21NOR3.SGM

21NOR3

70784

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

dwashington3 on PRODPC61 with RULES3

Response: Section 3.208(b)(8)
expressly provides only for the
voluntary reporting of patient safety
work product, provided the conditions
are met. We do not see a need for further
clarification.
(9) Section 3.206(b)(9)—Business
Operations
Proposed Rule: Proposed § 3.206(b)(9)
would have allowed disclosures of
patient safety work product by a
provider or a PSO to professionals such
as attorneys and accountants for the
business operations purposes of the
provider or PSO. See section
922(c)(2)(F) of the Public Health Service
Act, 42 U.S.C. 299b–22(c)(2)(F). Under
the proposed rule, such contractors
could not further disclose patient safety
work product, except to the entity from
which it received the information.
However, the proposed rule made clear
that a provider or PSO still would have
had the authority to delegate its power
to the contractor to make other
disclosures. In addition, the proposed
rule provided that any patient safety
work product disclosed pursuant to this
provision continued to be privileged
and confidential.
The Patient Safety Act gives the
Secretary authority to designate
additional exceptions as necessary
business operations that are consistent
with the goals of the statute. The
proposed rule sought public comment
regarding whether there are any other
consultants or contractors, to whom a
business operations disclosure should
also be permitted, or whether the
Secretary should consider any
additional exceptions under this
authority. The proposed rule noted that
the Secretary would designate
additional exceptions only through
regulation; however, it asked if other
mechanisms for the adoption of
business operations exceptions should
be adopted or incorporated.
The proposed rule also explained that
a business operations designation by the
Secretary that enables a HIPAA covered
entity to disclose patient safety work
product containing protected health
information to professionals is
permissible as a health care operations
disclosure under the HIPAA Privacy
Rule. See 45 CFR 164.506. Generally,
such professionals will be business
associates of the covered entity, which
will require that a business associate
agreement be in place. See 45 CFR
160.103, 164.502(e), and 164.504(e).
Overview of Public Comments:
Several commenters expressed general
support for the business operations
disclosures to attorneys, accountants,
and other professionals in the proposed

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

rule. We also received several responses
to the question asking if the final rule
should allow for any additional
disclosures under the business
operations provision. Three commenters
stated that the final rule should not
include any additional business
operations disclosures. Others asked
that the business operations disclosure
permission be broad enough to
encompass all the activities defined as
‘‘health care operations’’ in the HIPAA
Privacy Rule, which would then include
disclosures to entities such as
photocopy shops, document storage
services, shredding companies, IT
support companies, and other entities
involved in a PSO’s management or
administration. Other commenters
suggested that disclosures of patient
safety work product to independent
contractors, professional liability
insurance companies, captives, and risk
retention groups be included as
disclosures for business operations
under this provision in the final rule.
All commenters responding to the
question about how the Secretary
should adopt additional business
operations stated that additional
business operations should be adopted
only through the rulemaking process.
Final Rule: The final rule adopts the
proposed provision, allowing disclosure
of patient safety work product by a
provider or a PSO for business
operations to attorneys, accountants,
and other professionals. The final rule
allows disclosure of patient safety work
product to these professionals who are
bound by legal and ethical duties to
maintain the confidence of their clients
and the confidentiality of client
information, including patient safety
work product. These professionals will
provide a broad array of services to and
functions for the providers and PSOs
with whom they are contracted and will
need access to patient safety work
product to perform their duties. We are
not persuaded by the comments of a
need to expand, at this time, the
disclosure permission to encompass
other categories of persons or entities.
However, as described in the proposed
rule, should the Secretary seek in the
future to designate additional business
operations exceptions to be
encompassed within this disclosure
permission, he will do so through
regulation to provide adequate
opportunity for public comment.
With respect to many of the other
entities identified by the commenters,
we note that, to the extent the services
provided by such entities are necessary
for the maintenance of patient safety
work product or the operation of a
patient safety evaluation system, or

PO 00000

Frm 00054

Fmt 4701

Sfmt 4700

otherwise support activities included in
the definition of ‘‘patient safety
activities’’ at § 3.20 of this rule, these
disclosures may be made to such
contractors pursuant to § 3.206(b)(4)(ii).
Response to Other Public Comments
Comment: Two commenters suggested
that the final rule include a requirement
for a contract between providers or
PSOs and their attorneys, accountants,
and other professionals to whom patient
safety work product will be disclosed as
a business operation.
Response: We do not require a
contract as a condition of disclosure in
the final rule. However, we agree that a
contract between these parties is a
prudent business practice and expect
that parties will enter into appropriate
agreements to ensure patient safety
work product remains protected.
Further, where HIPAA covered entities
are concerned, we note that the HIPAA
Privacy Rule requires that such entities
have a business associate agreement in
place with professionals providing
services that require access to protected
health information.
(10) Section 3.206(b)(10)—Disclosure to
Law Enforcement
Proposed Rule: Proposed
§ 3.206(b)(10) would have permitted the
disclosure of identifiable patient safety
work product to law enforcement
authorities, so long as the person
making the disclosure believes—and
that belief is reasonable under the
circumstances—that the patient safety
work product disclosed relates to a
crime and is necessary for criminal law
enforcement purposes. See section
922(c)(2)(G) of the Public Health Service
Act, 42 U.S.C. 299b–22(c)(2)(G). The
proposed rule provided that patient
safety work product disclosed under
this provision would remain privileged
and confidential.
The proposed rule also provided that
the law enforcement entity receiving the
patient safety work product could use
the patient safety work product to
pursue any law enforcement purposes;
however, the recipient law enforcement
entity could only redisclose the
information to other law enforcement
authorities as needed for law
enforcement activities related to the
event that necessitated the original
disclosure. The proposed rule sought
comment regarding whether these
provisions would allow for legitimate
law enforcement needs, while ensuring
appropriate protections.
Overview of Public Comments:
Commenters responding to the question
in the proposed rule regarding whether
this disclosure permission would allow

E:\FR\FM\21NOR3.SGM

21NOR3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

dwashington3 on PRODPC61 with RULES3

for legitimate law enforcement needs
while ensuring that information remain
appropriately protected stated that the
proposed disclosure permission was
appropriate and did permit legitimate
disclosures to law enforcement.
Final Rule: The final rule adopts the
proposed provision with slight
modification for purposes of
clarification only. We add the word
‘‘only’’ to the final rule to clarify that
law enforcement receiving patient safety
work product pursuant to this exception
may only further disclose this
information to other law enforcement
authorities as needed for law
enforcement activities related to the
event that gave rise to the original
disclosure.
Response to Other Public Comments
Comment: Two commenters suggested
that the statutory standard of reasonable
belief was vague and that clarity was
needed to reduce the uncertainty of
disclosures and to further define what
could constitute a reasonable belief.
Another commenter noted that the
phrase ‘‘relates to a crime and is
necessary for criminal law enforcement
purposes’’ is too broad and leaves too
much discretion to entities such as
PSOs.
Response: The final rule provision at
§ 3.206(b)(10) generally repeats the
statutory provision upon which it is
based, which provides that the
disclosure of patient safety work
product be permitted if it relates to the
commission of a crime and the person
making the disclosure believes,
reasonably under the circumstances,
that the patient safety work product is
necessary for criminal law enforcement
purposes. See section 922(c)(2)(G) of the
Public Health Service Act, 42 U.S.C.
299b–22(c)(2)(G).
Comment: One commenter expressed
concern regarding the redisclosure of
patient safety work product to law
enforcement under this disclosure
permission. The commenter stated that
there could be successive disclosures of
protected information to law
enforcement without consideration of
whether there is a reasonable belief that
the redisclosure is necessary for
criminal law enforcement purposes.
Another commenter recommended that
this disclosure permission should
expressly prohibit patient safety work
product from being used against
patients who are identified in the
patient safety work product but who are
not the subject of the criminal act for
which the information was originally
disclosed.
Response: We believe § 3.206(b)(10)
addresses the commenters’ concerns by

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

expressly limiting law enforcement’s
redisclosure of patient safety work
product received pursuant to the
provision to other law enforcement
authorities as needed for law
enforcement activities related to the
event that gave rise to the initial
disclosure. Thus, law enforcement is not
permitted to further disclose the patient
safety work product for the enforcement
of a crime unrelated to the crime for
which the patient safety work product
was originally disclosed to the law
enforcement entity.
Comment: One commenter stated that
the proposed rule represented an
expansion of the statutory language
because it allowed persons to disclose
patient safety work product to law
enforcement entities in the absence of
an active law enforcement investigation
and in the absence of a request for this
information by law enforcement.
Response: The statute does not
require that a law enforcement entity be
involved in an active investigation or
that a law enforcement entity request
information prior to a person making a
disclosure of patient safety work
product to a law enforcement entity
pursuant to this disclosure permission.
See 922(c)(2)(G) of the Public Health
Service Act, 42 U.S.C. 299b–22(c)(2)(G).
(C) Section 3.206(c)—Safe Harbor
Proposed Rule: Proposed § 3.206(c)
would have prohibited the disclosure of
a subject provider’s identity with
information, whether oral or written,
that: (1) assesses that provider’s quality
of care; or (2) identifies specific acts
attributable to such provider. See
section 922(c)(2)(H) of the Public Health
Service Act, 42 U.S.C. 299b–22(c)(2)(H).
This provision would have been only
applicable to providers. Patient safety
work product disclosed under this
exception could identify providers,
reporters or patients so long as the
provider(s) that were the subject of the
actions described were nonidentified.
The proposed rule would have required
that nonidentification be accomplished
in accordance with the
nonidentification standard set forth in
proposed § 3.212.
Overview of Public Comments: We
received no comments opposed to this
provision.
Final Rule: The final rule adopts the
proposed provision.
Response to Other Public Comments
Comment: Several commenters
suggested that the safe harbor provision
be extended to PSOs as well as
providers. One commenter noted that
there was no reason to exclude PSOs
from this provision and including PSOs

PO 00000

Frm 00055

Fmt 4701

Sfmt 4700

70785

would provide them with the same
leeway for inadvertent disclosures of
patient safety work product as
providers.
Response: The statute expressly limits
the safe harbor provision to providers.
Therefore, we do not have the authority
to extend this provision to PSOs.
(D) Section 3.206(d)—Implementation
and Enforcement of the Patient Safety
Act
Proposed Rule: Proposed § 3.206(d)
would have permitted the disclosure of
relevant patient safety work product to
or by the Secretary as needed for
investigating or determining compliance
with or to seek or impose civil money
penalties with respect to this Part or for
making or supporting PSO certification
or listing decisions, under the Patient
Safety Act. Patient safety work product
disclosed under this exception would
remain confidential.
Overview of Public Comments: We
received no comments in reference to
this provision.
Final Rule: Consistent with the
changes made to § 3.204(c) with respect
to privilege, the final rule adopts the
proposed provision, but expands it to
expressly provide that patient safety
work product also may be disclosed to
or by the Secretary as needed to
investigate or determine compliance
with or to impose a civil money penalty
under the HIPAA Privacy Rule. This
new language implements the statutory
provision at section 922(g)(3) of the
Public Health Service Act, 42 U.S.C.
299b–22(g)(3), which makes clear that
the Patient Safety Act is not intended to
affect implementation of the HIPAA
Privacy Rule. As in the privilege
context, given the significant potential
for an alleged impermissible disclosure
to implicate both this rule’s
confidentiality provisions, as well as the
HIPAA Privacy Rule, the Secretary may
require access to confidential patient
safety work product for purposes of
determining compliance with the
HIPAA Privacy Rule. The Secretary will
use such information consistent with
the statutory prohibition against
imposing civil money penalties under
both authorities for the same act.
With respect to this rule, the final
rule, as in the proposed rule, makes
clear that disclosures of patient safety
work product to or by the Secretary are
permitted to investigate or determine
compliance with this rule, or to make or
support decisions with respect to listing
of a PSO. This may include access to
and disclosure of patient safety work
product to enforce the confidentiality
provisions of the rule, to make or
support decisions regarding the

E:\FR\FM\21NOR3.SGM

21NOR3

70786

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

acceptance of certification and listing as
a PSO, or to revoke such acceptance and
to delist a PSO, or to assess or verify
PSO compliance with the rule.

dwashington3 on PRODPC61 with RULES3

Response to Other Public Comments
Comment: Several commenters asked
the Secretary to use judicious restraint
when requesting patient safety work
product for compliance and
enforcement activities. Some of these
commenters also asked that the
Secretary reserve his full enforcement
power for only the most egregious
violations of the confidentiality
provisions.
Response: We acknowledge the
commenters’ concerns regarding the
disclosure of patient safety work
product for enforcement purposes. As
we explained in the proposed rule, we
strongly believe in the protection of
patient safety work product as provided
by the Patient Safety Act. However,
confidentiality protections are
meaningless without the ability to
enforce breaches of the protections,
investigations of which may require
access to confidential patient safety
work product. Further, § 3.310 of the
final rule provides the Secretary with
authority to obtain access to only that
patient safety work product and other
information that is pertinent to
ascertaining compliance with the rule’s
confidentiality provisions.
Also, as we explained in the proposed
rule, we will seek to minimize the risk
of improper disclosure of patient safety
work product by using and disclosing
patient safety work product only in
limited and necessary circumstances,
and by limiting the amount of patient
safety work product disclosed to that
necessary to accomplish the purpose.
Further, § 3.312 of the final rule
expressly prohibits the Secretary from
disclosing identifiable patient safety
work product obtained by the Secretary
in connection with an investigation or
compliance review except as permitted
by § 3.206(d) for compliance and
enforcement or as otherwise permitted
by the rule or the Patient Safety Act.
See the discussion of the provisions of
Subpart D of the final rule for more
information on how the Secretary may
exercise discretion in enforcement.
(E) Section 3.206(e)—No Limitation on
Authority To Limit or Delegate
Disclosure or use
Proposed Rule: Proposed § 3.206(e)
would have established that a person
holding patient safety work product
may enter into a contract that requires
greater confidentiality protections or
may delegate its authority to make a
disclosure in accordance with this

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

Subpart. Neither the statute nor the
proposed rule limited the authority of a
provider to place limitations on
disclosures or uses.
Overview of Public Comments: We
received no comments opposed to this
provision.
Final Rule: The final rule adopts the
proposed provision.
Response to Other Public Comments
Comment: One commenter suggested
that providers and PSOs should not be
able to enter into agreements that would
prohibit the disclosure of patient safety
work product to report a crime or to
comply with state reporting
requirements.
Response: The Patient Safety Act
expressly provides that it does not
preempt or otherwise affect any State
law requiring a provider to report
information that is not patient safety
work product. See section 922(g)(5) of
the Public Health Service Act, 42 U.S.C.
299b–22(g)(5). Further, patient safety
work product does not include original
medical and other records. Thus,
nothing in the final rule or the statute
relieves a provider from his or her
obligation to disclose information from
such original records or other
information that is not patient safety
work product to comply with state
reporting or other laws. Moreover, the
final rule at § 3.206(b)(10)(i) permits
providers and PSOs to disclose patient
safety work product to report a crime to
a law enforcement authority provided
that the disclosing person reasonably
believes that the patient safety work
product that is disclosed is necessary for
criminal law enforcement purposes.
However, the Department cannot,
through this rule, prevent such
agreements because the Patient Safety
Act, at section 922(g)(4) of the Public
Health Service Act, 42 U.S.C. 299b–
22(g)(4), specifically provides that the
Act cannot be construed ‘‘to limit the
authority of any provider, patient safety
organization, or other entity to enter
into a contract requiring greater
confidentiality’’ than that provided
under the Act.
3. Section 3.208—Continued Protection
of Patient Safety Work Product
Proposed Rule: Proposed § 3.208
provided that the privilege and
confidentiality protections would
continue to apply to patient safety work
product following disclosure and also
described the narrow circumstances
when the protections terminate. See
section 922(d) of the Public Health
Service Act, 42 U.S.C. 299b–22(d). In
particular, the proposed rule would
have provided two exceptions to the
continued protection of patient safety

PO 00000

Frm 00056

Fmt 4701

Sfmt 4700

work product. The first was an
exception to continued confidentiality
protection when patient safety work
product is disclosed for use in a
criminal proceeding, pursuant to
§ 3.206(b)(1). See section 922(d)(2)(A),
42 U.S.C. 299b–22(d)(2)(A). The second
exception to continued protection was
in circumstances where patient safety
work product is disclosed in
nonidentifiable form, pursuant to
§§ 3.204(b)(4) and 3.206(b)(5). See
section 922(d)(2)(B), 42 U.S.C. 299b–
22(d)(2)(B).
The proposed rule would not have
required the labeling of information as
patient safety work product or that
disclosure of patient safety work
product be accompanied by a notice as
to either the fact that the information
disclosed is patient safety work product
or that it is confidential. The proposed
rule did acknowledge that both
practices may be prudent business
practices.
Overview of Public Comments: We
received several comments suggesting
that the final rule require that patient
safety work product be labeled as such
or that a recipient of patient safety work
product be given notice of the protected
status of the information received.
Commenters suggested that putting
recipients of patient safety work product
on notice about the sensitive and
confidential nature of the information
would assure and encourage appropriate
treatment of this information.
Final Rule: The final rule adopts this
proposed provision but does not require
that patient safety work product be
labeled or that disclosing parties
provide recipients of patient safety work
product with notice that they are
receiving protected information. We
believe imposing a labeling or notice
requirement would be overly
burdensome on entities. We do,
however, expect providers, PSOs, and
responsible persons holding patient
safety work product to treat and
safeguard such sensitive information
appropriately and encourage such
persons to consider whether labeling or
notice may be an appropriate safeguard
in certain circumstances. Further, we
note that the final rule provides that
information that is documented as
within a patient safety evaluation
system for reporting to a PSO is patient
safety work product. In addition, the
final rule allows patient safety work
product to be removed from a patient
safety evaluation system and no longer
considered patient safety work product
if it has not yet been reported to a PSO
and its removal is documented. See the
definition of ‘‘patient safety work
product’’ at § 3.20. These

E:\FR\FM\21NOR3.SGM

21NOR3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

dwashington3 on PRODPC61 with RULES3

documentation provisions may assist in
identifying, and putting persons on
notice as to, what is and is not protected
information.
Response to Other Public Comments
Comment: With respect to
§§ 3.206(b)(2), 3.206(b)(3), 3.206(b)(8),
3.206(b)(9), and 3.206(b)(10),
commenters asked that the final rule
emphasize the fact that subsequent
holders of patient safety work product
are subject to the privilege and
confidentiality provisions when they
receive the patient safety work product
pursuant to a privilege or confidentiality
exception and that this patient safety
work product cannot be subpoenaed,
ordered, or entered into evidence in a
civil or criminal proceeding through any
of these exceptions.
Response: Section 3.208 makes clear
that, with limited exceptions, patient
safety work product continues to be
privileged and confidential upon
disclosure.
Comment: One commenter expressed
concern over the proposed rule’s
statement that an impermissible
disclosure of patient safety work
product, even if unintentional, does not
terminate the confidentiality of the
information and that individuals and
entities receiving this patient safety
work product may be subject to civil
money penalties. The commenter stated
that the applicability of this broad
statement to third and fourth party
recipients of patient safety work product
could violate the First Amendment and
expressed concern with the possibility
that the Secretary would seek to impose
a civil money penalty upon a newspaper
for printing patient safety information.
Response: Section 3.208 implements
the statutory provision that patient
safety work product continues to be
privileged and confidential upon
disclosure, including when in the
possession of the person to whom the
disclosure was made. See section 922(d)
of the Public Health Service Act, 42
U.S.C. 299b–22(d). To encourage
provider reporting of sensitive patient
safety information, Congress saw a need
for strong privilege and confidentiality
protections that continue to apply
downstream even after disclosure,
regardless of who holds the information.
With respect to the commenter’s
concern regarding ‘‘unintentional’’
disclosures, we note that the Secretary
has discretion to elect not to impose
civil money penalties for an
impermissible disclosure of patient
safety work product, in appropriate
circumstances. Thus, if it is determined,
through a complaint investigation or a
compliance review, that an

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

impermissible disclosure of patient
safety work product has been made, the
Secretary will examine each situation
based on the individual circumstances
and make an appropriate determination
about whether to impose a civil money
penalty. See the discussion regarding
Subpart D of this final rule for a more
extensive discussion of the Secretary’s
enforcement discretion. Finally, with
respect to the commenter’s First
Amendment concerns, we do not
believe the confidentiality provisions
afforded to patient safety work product
in the statute and the rule contravene
the First Amendment.
4. Section 3.210—Required Disclosure
of Patient Safety Work Product to the
Secretary
Proposed Rule: Proposed § 3.210
would have required providers, PSOs,
and other persons holding patient safety
work product to disclose such
information to the Secretary upon a
determination by the Secretary that such
patient safety work product is needed
for the investigation and enforcement
activities related to this Part, or is
needed in seeking and imposing civil
money penalties.
Overview of Public Comments: We
received no comments opposed to this
provision.
Final Rule: The final rule adopts the
proposed provision but expands it to
encompass disclosures of patient safety
work product needed for investigation
and enforcement activities with respect
to the HIPAA Privacy Rule, consistent
with changes made to §§ 3.204(c) and
3.206(d). As in the proposed rule, the
final rule makes clear that, with respect
to this rule, providers, PSOs, and
responsible persons must disclose
patient safety work product to the
Secretary upon request when needed to
investigate or determine compliance
with this rule, or to make or support
decisions with respect to listing of a
PSO. This may include disclosure of
patient safety work product to the
Secretary as necessary to enforce the
confidentiality provisions of the rule, to
make or support decisions regarding the
acceptance of certification and listing as
a PSO, or to revoke such acceptance and
to delist a PSO, or to assess or verify
PSO compliance with the rule.
Response to Other Public Comments
Comment: Several commenters
suggested that disclosures to the
Secretary be limited to only the patient
safety work product that is needed for
the Secretary’s activities.
Response: Section 3.210 requires
disclosure of patient safety work
product only in those cases where the

PO 00000

Frm 00057

Fmt 4701

Sfmt 4700

70787

Secretary has determined that such
information is needed for compliance or
enforcement of this rule or the HIPAA
Privacy Rule or for PSO certification or
listing. Further, during an investigation
or compliance review, § 3.310(c)
requires a respondent to provide the
Secretary with access to only that
information, including patient safety
work product, that is pertinent to
ascertaining compliance with this rule.
5. Section 3.212—Nonidentification of
Patient Safety Work Product
Proposed Rule: Proposed § 3.212
would have established the standard by
which patient safety work product
would be rendered nonidentifiable,
implementing section 922(c)(2)(B) of the
Public Health Service Act, 42 U.S.C.
299b–22(c)(2)(B). Under the Patient
Safety Act and this Part, identifiable
patient safety work product includes
information that identifies any provider
or reporter or contains individually
identifiable health information under
the HIPAA Privacy Rule (see 45 CFR
160.103). See section 921(2) of the
Public Health Service Act, 42 U.S.C.
299b–21(2). By contrast, nonidentifiable
patient safety work product does not
include information that permits
identification of any provider, reporter
or subject of individually identifiable
health information. See section 921(3) of
the Public Health Service Act, 42 U.S.C.
299b–21(3).
The proposed rule explained that
because individually identifiable health
information as defined in the HIPAA
Privacy Rule is one element of
identifiable patient safety work product,
the de-identification standard provided
in the HIPAA Privacy Rule would apply
with respect to the patient-identifiable
information in the patient safety work
product. Therefore, where patient safety
work product contained individually
identifiable health information, the
proposal would have required that the
information be de-identified in
accordance with 45 CFR 164.514(a)–(c)
to qualify as nonidentifiable patient
safety work product with respect to
individually identifiable health
information under the Patient Safety
Act.
Further, with respect to providers and
reporters, the proposal imported and
adapted the HIPAA Privacy Rule’s
standards for de-identification. In
particular, the proposal included two
methods by which nonidentification
could be accomplished: (1) A statistical
method of nonidentification and (2) the
removal of 15 specified categories of
direct identifiers of providers or
reporters and of parties related to the
providers and reporters, including

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

70788

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

corporate parents, subsidiaries, practice
partners, employers, workforce
members, or household members, and
that the discloser have no actual
knowledge that the remaining
information, alone or in combination
with other information reasonably
available to the intended recipient,
could be used to identify any provider
or reporter, i.e., a contextual
nonidentification standard. In addition,
the proposal would have permitted a
provider, PSO, or other disclosing entity
or person to assign a code or other
means of record identification to allow
information made nonidentifiable to be
re-identified by the disclosing person,
provided certain conditions were met.
The proposal specifically invited
comment on the proposed standards
and approaches and asked whether it
would be possible to include any
geographical identifiers, and if so, at
what level of detail (state, county, zip
code). We also requested comment
regarding whether there were alternative
approaches to standards for entities
determining when health information
could reasonably be considered
nonidentifiable.
Overview of Public Comments: We
received a variety of comments
addressing the nonidentification
standard. One commenter supported the
proposed methodologies for
nonidentification, while several
commenters expressed concern that the
nonidentification standard was too strict
and rendered patient safety work
product useless to its recipients. One
commenter was concerned that
imposing an inflexible, stringent
nonidentification standard would
impede the future disclosures of
aggregated patient safety information
that the commenter currently makes.
Some of these commenters proposed
alternatives to the proposed
nonidentification standard, such as
considering information nonidentified
even if it contains dates of treatment
and geographic identifiers as long as
data of a certain threshold number of
providers was aggregated or eliminating
the nonidentification standard entirely
and applying a less stringent
anonymization standard. In contrast,
several other commenters expressed
concern that the nonidentification
standard was too flexible, was
inadequate to truly nonidentify
information and protect provider
identities, and could be too easily
reverse engineered.
Final Rule: The final rule adopts this
proposed provision with only a minor
technical change to incorporate by
reference the direct identifiers listed at
§ 3.206(b)(4)(iv)(A) of the

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

anonymization standard, as appropriate,
to eliminate unnecessary duplication of
such elements in the regulatory text.
Therefore, persons wishing to
nonidentify patient safety work product
must remove the direct identifiers listed
in the anonymization standard at
§ 3.206(b)(4)(iv)(A)(1) through (13), as
well as any additional geographic
subdivisions smaller than a State that
are not required to be removed by
§ 3.206(b)(4)(A)(2), e.g., town or city, all
elements of dates (except year) that are
directly related to a patient safety
incident or event, and any other unique
identifying number, characteristic, or
code (except as permitted for
reidentification). We were not
persuaded by commenters that changes
to the standard were necessary,
especially given the lack of consensus
among commenters as to whether the
standard was too stringent or not
stringent enough. Further, commenters
did not offer suggestions as to potential
alternative approaches to
nonidentification. Additionally, because
this rule’s nonidentification standard
with respect to providers and reporters
is adapted from the HIPAA Privacy
Rule’s de-identification standard and
with respect to individuals, incorporates
the HIPAA Privacy Rule’s deidentification standard, this approach
minimizes complexity and burden for
entities that are subject to both
regulatory schemes.
Response to Other Public Comments
Comment: One commenter expressed
concern over the possibility that
provider identities could be derived
from nonidentifiable patient safety work
product and asked that the final rule
require a party disclosing identifiable
information to produce evidence, if
challenged, of how the information was
obtained if not via nonidentifiable
patient safety work product. Another
commenter suggested that the final rule
include a provision that prohibits the
use or disclosure of any individually
identifiable information that was
obtained via the use of nonidentifiable
patient safety work product. Finally,
another commenter suggested that keys
to reidentification of nonidentifiable
patient safety work product be protected
from discovery and should be protected
as patient safety work product to
prevent reidentification by unintended
parties.
Response: We believe that the
nonidentification standard in the final
rule, which is based upon the existing
HIPAA Privacy Rule’s de-identification
standard, is appropriate and sufficient
to protect the identities of providers.
With respect to protection of

PO 00000

Frm 00058

Fmt 4701

Sfmt 4700

reidentification keys, we note that
§ 3.212(a)(3) prohibits a provider, PSO,
or responsible party disclosing
nonidentifiable patient safety work
product from also disclosing the
mechanism for reidentification. If a
reidentification key is disclosed along
with patient safety work product that
would otherwise be nonidentifiable,
then such information is identifiable
patient safety work product to which
the privilege and confidentiality
protections attach.
Comment: One commenter asked to
whom must patient safety work product
be made nonidentifiable and if
information is adequately
nonidentifiable despite the ability of a
provider or patient involved in the
event to recognize their case.
Response: Under § 3.212(a)(1), patient
safety work product is rendered
nonidentifiable if a determination is
made, applying generally accepted
statistical and scientific principles, that
the risk is very small that the
information could be used, alone or in
combination with other reasonably
available information, by an anticipated
recipient to identify a provider or
reporter. Similarly, under § 3.212(a)(2),
patient safety work product is rendered
nonidentifiable if the listed identifiers
are stripped and the provider, PSO or
responsible person making the
disclosure does not have actual
knowledge that the information could
be used, alone or in combination with
other information that is reasonably
available to the intended recipient, to
identify the particular provider or
reporter. So long as the remaining
information meets either of these two
standards, such information is
considered nonidentifiable for purposes
of this rule, despite the hypothetical
ability of a provider or patient involved
in the event to recognize their case.
Comment: One commenter asked for
clarification that nonidentification can
be accomplished through either the
statistical method or through the safe
harbor method but that entities are not
required to nonidentify patient safety
work product subject to both methods.
Response: We clarify that either
method may be used to render
information nonidentifiable for
purposes of this rule.
D. Subpart D—Enforcement Program
Subpart D of the final rule establishes
a framework to enable the Secretary to
monitor and ensure compliance with
this Part, a process for imposing a civil
money penalty for breach of the
confidentiality provisions, and
procedures for a hearing contesting a
civil money penalty. The provisions in

E:\FR\FM\21NOR3.SGM

21NOR3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

dwashington3 on PRODPC61 with RULES3

Subpart D are modeled largely on the
HIPAA Enforcement Rule at 45 CFR Part
160, Subparts C, D and E. This will
maintain a common approach to
enforcement and appeals of civil money
penalty determinations based on section
1128A of the Social Security Act, 42
U.S.C. 1320a–7a, upon which both the
HIPAA and Patient Safety Act penalties
are based, as well as minimize
complexity for entities that are subject
to both regulatory schemes. This
enforcement scheme also provides the
Secretary maximum flexibility to
address confidentiality violations so as
to encourage participation in patient
safety activities and achieve the goals of
the Patient Safety Act.
General Comments: Several
commenters expressed support for the
decision to base this rule’s enforcement
regime on the HIPAA Enforcement Rule
and noted that the HIPAA Enforcement
Rule was properly adapted to the
patient safety context. However, two
commenters expressed concern that
basing the enforcement regime in this
rule on the HIPAA Enforcement Rule
will be insufficient to adequately
address and penalize violations of the
confidentiality provisions because of the
Department’s approach to enforcement
of the HIPAA Privacy Rule. One
commenter argued that this might cause
providers to decide against reporting the
most serious patient safety events, and
therefore, would undermine the purpose
of the statute.
Response to General Comments: The
Department believes that modeling this
rule’s enforcement provisions on the
existing HIPAA Enforcement Rule is
prudent and appropriate. As noted
above, such an approach grants the
Secretary maximum flexibility to
address violations of the confidentiality
provisions, relies on an existing and
established enforcement regime, and
minimizes complexity for entities
subject to both the Patient Safety Act
and HIPAA.
1. Sections 3.304, 3.306, 3.308, 3.310,
3.312, 3.314—Compliance and
Investigations
Proposed Rule: Sections 3.304–3.314
of the proposed rule provided the
framework by which the Secretary
would seek compliance by providers,
PSOs, and responsible persons with the
confidentiality provisions of the rule.
These proposed requirements included:
(1) Provisions for the Secretary to seek
cooperation from these entities in
obtaining compliance and to provide
technical assistance (proposed § 3.304);
(2) procedures for any person who
believes there has been a violation of the
confidentiality provisions to file a

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

complaint with the Secretary and
provisions for the Secretary to
investigate such complaints (proposed
§ 3.306); (3) provisions for the Secretary
to conduct compliance reviews
(proposed § 3.308); (4) provisions
establishing responsibilities of
respondents with respect to cooperating
with the Secretary during investigations
or compliance reviews and providing
access to information necessary and
pertinent to the Secretary determining
compliance (proposed § 3.310); (5)
provisions describing the Secretary’s
course of action during complaints and
compliance reviews, including the
circumstances under which the
Secretary may attempt to resolve
compliance matters by informal means
or issue a notice of proposed
determination, as well as the
circumstances under which the
Secretary may use or disclose
information, including identifiable
patient safety work product, obtained
during an investigation or compliance
review (proposed § 3.312); and (6)
provisions and procedures for the
Secretary to issue subpoenas to require
witness testimony and the production of
evidence and to conduct investigational
inquiries (proposed § 3.314).
Overview of Public Comments: We
received no comments opposed to the
proposed provisions.
Final Rule: The final rule adopts the
provisions of the proposed rule, except,
where reference was made in the
proposed rule to provisions of the
HIPAA Enforcement Rule, the final rule
includes the text of such provisions for
convenience of the reader.
Response to Other Public Comments
Comment: One commenter asked how
and when the Secretary will provide
technical assistance to providers, PSOs,
and responsible persons regarding
compliance with the confidentiality
provisions.
Response: The Secretary intends to
provide technical assistance through a
variety of mechanisms. First, as
authorized by the Patient Safety Act, the
Secretary intends, as practical, to
convene annual meetings for PSOs to
discuss methodology, communication,
data collection, privacy concerns, or
other issues relating to their patient
safety systems. See section 925 of the
Public Health Service Act, 42 U.S.C.
299b–25. Second, the Secretary intends
to exercise his discretion under § 3.304
by, when practicable and appropriate,
providing technical assistance to
affected persons and entities both on an
individual basis when such persons or
entities are involved in complaint
investigations or compliance reviews, as

PO 00000

Frm 00059

Fmt 4701

Sfmt 4700

70789

well as more generally through
published guidance that addresses
common compliance or other questions
about the rule. As we noted in the
preamble to the proposed rule, however,
the absence of technical assistance or
guidance by the Secretary may not be
raised as a defense to civil money
penalty liability. We also encourage
persons participating in patient safety
activities and subject to this rule to
develop and share with others similarly
situated in the industry ‘‘best practices’’
for the confidentiality of patient safety
work product.
Comment: One commenter requested
that the final rule provide additional
detail on the consideration that will go
into the determination of whether to
pursue an investigation or to conduct a
compliance review.
Response: We do not believe that
including additional detail in the final
rule regarding when we will investigate
or conduct compliance reviews is
prudent or feasible. The decision of
whether to conduct an investigation or
compliance review is left to the
discretion of the Secretary and will be
made based on the specific
circumstances of each individual case.
The decision to investigate a complaint
is necessarily fact specific. For example,
some complaints may not allege facts
that fall within the Secretary’s
jurisdiction or that constitute a violation
if true. With respect to compliance
reviews, the Secretary needs to maintain
flexibility to conduct whatever reviews
are necessary to ensure compliance.
Compliance reviews may be initiated
based on, for example, information that
comes to the Department’s attention
outside of the formal complaint process,
or trends the Department is seeing as a
result of its enforcement activities. It
would be premature at this time to
indicate the specific circumstances
under which such reviews may be
conducted, given the absence of any
compliance and enforcement experience
with the rule. Further, making public
the Department’s considerations in this
area may undermine the effectiveness of
such reviews. Thus, we did not propose
and do not include in this final rule
affirmative criteria for conducting
compliance reviews.
Comment: One commenter requested
clarification that the Secretary may only
require respondents to produce records,
books, and accounts that are reasonably
related to an investigation.
Response: Section 3.310(c) of the
proposed rule, which the final rule
adopts, provided that a respondent must
permit the Secretary access to the
information that is pertinent to
ascertaining compliance with the

E:\FR\FM\21NOR3.SGM

21NOR3

70790

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

confidentiality provisions of the rule.
Given this provision in the final rule,
we do not see a need to provide further
clarification.

dwashington3 on PRODPC61 with RULES3

2. Sections 3.402, 3.404, 3.408, 3.414,
3.416, 3.418, 3.420, 3.422, 3.424,
3.426—Civil Money Penalties
Proposed Rule: Sections 3.402–3.426
of the proposed rule provided the
process for the Secretary to impose a
civil money penalty for noncompliance
by a PSO, provider, or responsible
person with the confidentiality
provisions of the rule. These proposed
provisions: (1) Described the basis for
imposing a civil money penalty on a
person who discloses identifiable
patient safety work product in knowing
or reckless violation of the
confidentiality provisions, as well as on
a principal, in accordance with the
federal common law of agency 2, based
on the act of its agent acting within the
scope of the agency (proposed § 3.402);
(2) described how a penalty amount
would be determined, and provided the
statutory cap of any such penalty
(proposed § 3.404); (3) provided the list
of factors the Secretary may consider as
aggravating or mitigating, as
appropriate, in determining the amount
of a civil money penalty, including the
nature and circumstances of the
violation and the degree of culpability
of the respondent (proposed § 3.408); (4)
set forth the 6-year limitations period on
the Secretary initiating an action for
imposition of a civil money penalty
(proposed § 3.414); (5) set out the
Secretary’s authority to settle any issue
or case or to compromise any penalty
(proposed § 3.416); (6) provided that a
civil money penalty imposed under this
rule would be in addition to any other
penalty prescribed by law, except that a
civil money penalty may not be
imposed both under this rule and the
HIPAA Privacy Rule for the same act
(proposed § 3.418); (7) required that the
Secretary provide a respondent with
written notice of his intent to impose a
civil money penalty, prescribe the
contents of such notice, and provide the
respondent with a right to request a
hearing before an ALJ to contest the
proposed penalty (proposed § 3.420); (8)
provided that if the respondent fails to
timely request a hearing and the matter
is not settled by the Secretary, the
Secretary may impose the proposed
penalty (or any lesser penalty) and will
notify the respondent of any penalty
imposed, and that the respondent has
2 For more information and guidance about
violations of the rule attributed to a principal based
on the federal common law of agency, see the
preamble to the proposed rule at 73 FR 8158–8159.

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

no right to appeal such penalty
(proposed § 3.422); (9) provided that
once the penalty becomes final, it will
be collected by the Secretary, unless
compromised, and describes the
methods for collection (proposed
§ 3.424); and (10) provided that the
Secretary will notify the public and the
appropriate State or local medical or
professional organizations, appropriate
State agencies administering or
supervising the administration of State
health care programs, appropriate
utilization and quality control peer
review organizations, and appropriate
State or local licensing agencies or
organizations, of a final penalty and the
reason it was imposed (proposed
§ 3.426).
In addition, with respect to the factors
at proposed § 3.408, we specifically
sought comment on whether the factors
should be expanded to expressly
include a factor for persons who selfreport disclosures that may potentially
violate the confidentiality provisions
such that voluntary self-reporting would
be a mitigating consideration when
assessing a civil money penalty.
Overview of Public Comments: We
received no comments opposed to these
proposed provisions. With respect to
proposed § 3.408, commenters generally
supported the list of detailed factors,
which may be aggravating or mitigating
depending on the context, for use by the
Secretary in determining the amount of
a civil money penalty. In response to the
question in the proposed rule regarding
whether the final rule should include a
factor for persons who self-report
disclosures that may be potential
violations, some commenters opposed
such an expansion, arguing that such a
provision could be viewed as an
additional reporting obligation on
persons and entities. Several other
commenters expressed general support
for the consideration of such a
mitigating factor in the determination of
any penalty, and one commenter
specifically recommended expanding
the list of factors to include selfreporting.
Final Rule: The final rule adopts the
provisions of the proposed rule except,
where reference was made in the
proposed rule to provisions of the
HIPAA Enforcement Rule, the final rule
includes the text of such provisions for
convenience of the reader. We do not
expand the list of factors at § 3.408 to
include the fact of self-reporting by a
respondent in the final rule. As we
noted in the preamble to the proposed
rule, while including a factor for
voluntary self-reporting may encourage
persons to report breaches of
confidentiality, particularly those that

PO 00000

Frm 00060

Fmt 4701

Sfmt 4700

may otherwise go unnoticed, as well as
demonstrate the security practices that
led to the discovery of the breach and
how the breach was remedied, we agree
with those commenters who argued that
including such a factor may be viewed
incorrectly as an additional and ongoing
reporting obligation on providers, PSOs,
and others to report every potentially
impermissible disclosure. This would
unnecessarily increase administrative
burden both on the Department and the
reporting persons. Additionally,
inclusion of such a factor may interfere
with contractual relationships between
providers and PSOs that address how
parties are to deal with breaches.
However, we note that even though
we are not expressly including a selfreporting factor in the list at § 3.408, the
Secretary retains discretion to consider
self-reports on a case-by-case basis
under § 3.408(f), which permits the
Secretary to consider ‘‘such other
matters as justice may require’’ in
determining the amount of a civil
money penalty.
Response to Other Public Comments
Comment: One commenter supported
the knowing or reckless standard for
establishing the basis for imposing a
civil money penalty for a confidentiality
violation but also stated that every effort
should be made to reduce the risk of
liability and to encourage provider
participation. Another commenter
supported the Secretary’s ability to
exercise discretion in determining
whether to impose a civil money
penalty for a knowing or reckless
violation of the confidentiality
provisions but also suggested that, in
cases where a PSO is compelled to
disclose patient safety work product by
a court and has, in good faith, attempted
to assert the privilege protection, the
PSO automatically should be excused
from a civil money penalty for the
impermissible disclosure of patient
safety work product to the court.
Response: We agree that the
appropriate basis for imposing a civil
money penalty is for knowing or
reckless disclosures of identifiable
patient safety work product in violation
of the confidentiality provisions of the
rule and that it is important the
Secretary ultimately retain discretion as
to whether to impose a penalty pursuant
to this standard. This provision is based
on section 922(f) of the Public Health
Service Act, 42 U.S.C. 299b–22(f). We
also agree that provider participation is
essential to meeting the overall goal of
the statute to improve patient safety and
quality of care, and we believe that
strong privilege and confidentiality
protections for patient safety work

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
product are fundamental to ensuring
this participation. As we explained in
the preamble to the proposed rule, a
civil money penalty under § 3.402 may
only be imposed if the Secretary first
establishes a wrongful disclosure—that
is, the information disclosed was
identifiable patient safety work product
and the manner of the disclosure does
not fit within any permitted exception.
The Secretary must then determine
whether a person making the disclosure
acted ‘‘knowingly’’ or ‘‘recklessly.’’ To
do so, the Secretary must prove either
that: (1) The person making the
disclosure knew a disclosure was being
made (not that the person knew he or
she was disclosing identifiable patient
safety work product in violation of the
rule or statute); or (2) the person acted
recklessly in making the disclosure, that
is, the person was aware, or a reasonable
person in his or her situation should
have been aware, that his or her conduct
created a substantial risk of disclosure
of information and to disregard such
risk constituted a gross deviation from
reasonable conduct. For more guidance
on this standard or the knowing or
reckless standard, see the preamble to
the proposed rule at 73 FR 8157–8158.
Once a knowing or reckless violation
has been established, the Secretary still
retains discretion as to whether to
impose a penalty for a violation and
may elect not to do so. Thus, we believe
the standard at § 3.402 of the final rule
strikes the right balance in ensuring
those who are culpable are subject to
penalties, while still encouraging
maximum participation by providers.
For example, circumstances where a
person who disclosed identifiable
patient safety work product in violation
of the rule can show he or she did not
know and had no reason to know that
the information was patient safety work
product may warrant discretion by the
Secretary. Further, as we stated in the
preamble to the proposed rule, the
Secretary may exercise discretion and
not pursue a civil money penalty against
a respondent ordered by a court to
produce patient safety work product
where the respondent has in good faith
undertaken reasonable steps to avoid
production and is, nevertheless,
compelled to produce the information
or be held in contempt of court. We do
not, however, agree that an automatic
exception from liability for respondents
in such circumstances is appropriate or
necessary. The Secretary will examine
each situation based on the individual
circumstances and make an appropriate
determination about whether to impose
a civil money penalty.
Comment: One commenter asked that
the final rule state that inappropriate

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

disclosures to, for example, the media or
to the public, would result in civil
money penalties.
Response: Section 3.402(a) of the final
rule provides that persons who disclose
identifiable patient safety work product
in knowing or reckless violation of the
confidentiality provisions are subject to
civil money penalty liability for such
violations. This liability would include
disclosures to the media or public, to
the extent the knowing or reckless
standard of § 3.402(a) is met.
Comment: We received two comments
stating that the maximum penalty of
$10,000 for a single violation is
insufficient to serve as a deterrent
against impermissible disclosures. In
contrast, one commenter expressed
concern that the maximum penalty
would be far too severe for some small
providers and in cases in which the
impermissible disclosure was incidental
or accidental.
Response: In response to those
commenters who believe the penalty
amount is not high enough, the $10,000
maximum penalty for each act
constituting a violation is prescribed by
the statute and thus, cannot be
increased by the Secretary in this rule.
We expect, however, that there will be
cases where multiple related acts are at
issue as discrete violations, each of
which could result in separate penalties
up to $10,000. The preamble to the
proposed rule indicated that the Patient
Safety Act provides that a person who
violates the Patient Safety Act shall be
subject to a civil money penalty of ‘‘not
more than $10,000’’ for each act
constituting such violation. We note
that pursuant to the Federal Civil
Penalties Inflation Adjustment Act of
1990, as amended by the Debt
Collection Improvement Act of 1996,
the Department will be required to
adjust this civil money penalty amount
based on increases in the consumer
price index (CPI). The Department has
up to four years to update the civil
money penalty amount, and the
adjustment will be based on the percent
increase in the CPI from the time the
Patient Safety Act was enacted, in
accordance with the cost-of-living
adjustment set forth at the Federal Civil
Penalties Inflation Adjustment Act of
1990 § 5, at 28 U.S.C. 2461 note.
However, the first adjustment may not
exceed ten percent of the penalty. Thus,
pursuant to this statute, the $10,000
maximum penalty will be adjusted
upwards periodically to account for
inflation.
With respect to those commenters
who were concerned that the $10,000
penalty may be too severe in certain
circumstances, we emphasize that the

PO 00000

Frm 00061

Fmt 4701

Sfmt 4700

70791

$10,000 amount is a maximum penalty
and the Secretary has discretion to
impose penalties that are less than that
amount or can elect not to impose a
penalty at all for a violation, depending
on the circumstances. In particular,
§ 3.404 provides that the amount of any
penalty will be determined using the
factors at § 3.408, which include such
factors as the nature and circumstances
of the violation, the degree of
culpability of the respondent including
whether the violation was intentional,
as well as the financial condition and
size of the respondent.
Comment: Several commenters asked
for clarification regarding the
Secretary’s authority to levy separate
fines under the Patient Safety Act and
HIPAA. Many of these commenters
argued that the Secretary should be able
to impose penalties under both
authorities for the same act to maximize
the enforcement tools at his disposal
and to effectively penalize bad behavior.
In contrast, one commenter supported
the statutory mandate that civil money
penalties not be imposed under both the
Patient Safety Act and HIPAA for a
single violation. One commenter asked
for clarification as to how civil money
penalties may be imposed under both
the Patient Safety Act and HIPAA when
a PSO is a business associate of a
covered entity for HIPAA Privacy Rule
purposes.
Response: The final rule at § 3.418
reflects the statutory prohibition against
the Secretary imposing civil money
penalties under both the Patient Safety
Act and HIPAA for a single act that
constitutes a violation. As the preamble
to the proposed rule explained,
Congress recognized that, because
patient safety work product includes
individually identifiable health
information about patients, a HIPAA
covered entity making a disclosure of
patient safety work product could be
liable for a violation under both the
Patient Safety Act and HIPAA, and
made such penalties mutually
exclusive. Thus, in situations in which
a single violation could qualify as both
a violation of the Patient Safety Act and
HIPAA, the Secretary has discretion to
impose a civil money penalty under
either regulatory scheme, not both.
However, as we explained in the
proposed rule, we interpreted the
Patient Safety Act as only prohibiting
the imposition of a civil money penalty
under the Patient Safety Act when there
has been a civil, as opposed to criminal,
penalty imposed under HIPAA for the
same act. Therefore, a person could
have a civil money penalty imposed
under the Patient Safety Act as well as

E:\FR\FM\21NOR3.SGM

21NOR3

70792

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

dwashington3 on PRODPC61 with RULES3

a criminal penalty under HIPAA for the
same act.
With respect to the commenter who
requested clarification about penalties
relating to a PSO that is a business
associate of a HIPAA covered entity, we
note that it is possible for a civil money
penalty to be imposed under both the
Patient Safety Act and HIPAA, where
such penalty is imposed against
different entities. Thus, for example,
because a PSO will be a business
associate of a covered entity under
HIPAA, any violation involving patient
safety work product that contains
protected health information by the PSO
will be a violation of the Patient Safety
Act and not HIPAA, since the PSO is
not a covered entity. However, if the
PSO notifies the covered entity of the
impermissible disclosure (as required by
the business associate contract under
HIPAA), and the covered entity does not
take the appropriate steps to mitigate
and address the consequences of the
impermissible disclosure of protected
health information, the covered entity
may then be liable for a penalty under
HIPAA.
3. Section 3.504—Procedures for
Hearings
Proposed Rule: Proposed § 3.504
provided the procedures for an
administrative hearing to contest a civil
money penalty. The proposed section
set forth the authority of the ALJ, the
rights and burdens of proof of the
parties, requirements for the exchange
of information and pre-hearing, hearing,
and post-hearing processes. This section
cross-referenced the relevant provisions
of the HIPAA Enforcement Rule
extensively. Specifically, §§ 3.504(b),
(d), (f)–(g), (i)–(k), (m), (n), (t), (w) and
(x) of the proposed rule incorporated
unchanged the provisions of the HIPAA
Enforcement Rule. Sections 3.504(a), (c),
(e), (h), (l), (o)–(s), (u) and (v) of the
proposed rule incorporated the HIPAA
Enforcement Rule but included
technical changes to adapt these
provisions to the Patient Safety Act
confidentiality provisions. These
technical changes addressed the
following: (1) Proposed §§ 3.504(a) and
3.504 (v) excluded language from 45
CFR 160.504(c) and 160.548(e),
respectively, relating to an affirmative
defense under 45 CFR 160.410(b)(1),
which is a defense unique to HIPAA
and not included in the Patient Safety
Act; (2) proposed § 3.504(c) excluded
the provision at 45 CFR 160.508(c)(5) for
remedied violations based on reasonable
cause to be insulated from liability for
a civil money penalty because there is
no such requirement under the Patient
Safety Act; (3) proposed § 3.504(e)

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

substituted the term ‘‘identifiable
patient safety work product’’ for
‘‘individually identifiable health
information’’; (4) proposed § 3.504(h)
excluded the language in 45 CFR
160.518(a) relating to the provision of a
statistical expert’s report not less than
30 days before a scheduled hearing
because we did not propose language
permitting use of statistical sampling to
estimate the number of violations; (5)
proposed § 3.504(o) substituted ‘‘a
confidentiality provision’’ for ‘‘an
administrative simplification provision’’
in 45 CFR 160.532; (6) proposed
§ 3.504(p) substituted, for language not
relevant to the Patient Safety Act in 45
CFR 160.534(b)(1), new language stating
that the respondent has the burden of
going forward and the burden of
persuasion with respect to any
challenge to the amount of a proposed
civil money penalty, including any
mitigating factors raised, and provided
that good cause shown under 45 CFR
160.534(c) may be that identifiable
patient safety work product has been
introduced into evidence or is expected
to be introduced into evidence; (7)
proposed § 3.504(s) added language to
provide that good cause for making
redactions to the record would include
the presence of identifiable patient
safety work product; and (8) proposed
§§ 3.504(l), (q), (r), and (u) substituted
citations to subpart D of the Patient
Safety rule, as appropriate.
We also explained in the proposed
rule that we intended to maintain the
alignment between these provisions and
the HIPAA Enforcement Rule by
incorporating any changes to the HIPAA
Enforcement Rule that would become
final based on the Department’s Notice
of Proposed Rulemaking entitled,
‘‘Revisions to Procedures for the
Departmental Appeals Board and Other
Departmental Hearings’’ (see 72 FR
73708 (December 28, 2007)). That
Notice of Proposed Rulemaking
proposed to amend the HIPAA
Enforcement Rule at 45 CFR 160.508(c)
and 160.548, and add a new provision
at 160.554, providing that the Secretary
may review all ALJ decisions that the
Board has declined to review and all
Board decisions for error in applying
statutes, regulations, or interpretive
policy. As of the publication date of this
final rule, however, that regulation is
not final.
Overview of Public Comments: We
received no comments opposed to these
provisions.
Final Rule: The final rule adopts the
proposed provisions, except renumbers
them into individual sections and
republishes the referenced provisions of
the HIPAA Enforcement Rule, as

PO 00000

Frm 00062

Fmt 4701

Sfmt 4700

modified by the technical changes
described above to adapt the provisions
to the Patient Safety Act confidentiality
provisions. The final rule includes the
full text of such provisions for
convenience of the reader.
Also, we incorporate one additional
technical change to better adapt the
language to this rule’s confidentiality
provisions, as well as one conforming
change. In particular, at § 3.512(b)(11),
we replace the term ‘‘privacy of’’ with
‘‘confidentiality of’’ in addition to
replacing ‘‘individually identifiable
health information’’ with ‘‘identifiable
patient safety work product.’’ In
addition, at § 3.504(b), we replace the
term ‘‘90 days’’ with ‘‘60 days.’’ We
proposed at § 3.420(a)(6) to include in a
notice of proposed determination a
statement that a respondent must
request a hearing within 60 days or lose
its right to a hearing under § 3.504.
However, we inadvertently omitted
from § 3.504 a conforming change to the
language incorporated from 45 CFR
160.504(b) to change the hearing request
deadline from 90 days to 60 days. Thus,
this change is necessary to align the two
provisions.
Response to Other Public Comments
Comment: One commenter asked that
the final rule clarify the involvement of
the Departmental Appeals Board during
the hearings and appeals processes as
well as whether the Secretary has
authority to review ALJ decisions.
Response: Sections 3.504–3.552 of the
final rule incorporate the provisions of
the HIPAA Enforcement Rule, which lay
out the hearings and appeals process.
The current process provides that any
party, including the Secretary, may
appeal a decision of the ALJ to the
Departmental Appeals Board, as well as
file a reconsideration request with the
Board following any Board decision.
Unless the ALJ decision is timely
appealed, such decision becomes final
and binding on the parties 60 days from
the date of service of the ALJ’s decision.
Comment: One commenter asked that
the final rule provide no restrictions to
full judicial review for appeals and
hearing requests.
Response: Section 3.548(k) provides
respondents the right to petition for
judicial review of the final decision of
the Secretary once all administrative
appeals have been exhausted, that is,
once the Departmental Appeals Board
has rendered a decision on appeal or
reconsideration that has become the
final decision of the Secretary, as
appropriate.
Comment: One commenter suggested
that any time patient safety work
product could be disclosed in an ALJ

E:\FR\FM\21NOR3.SGM

21NOR3

70793

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
proceeding, the proceeding should be
closed to the public.
Response: The final rule at § 3.534(c)
expressly provides that the ALJ may
close a proceeding to the public for good
cause shown, which may include the
potential for patient safety work product
to be introduced as evidence in the
proceeding. We do not see a need to
require that proceedings be closed
under such circumstances but rather
will continue to rely on the experienced
discretion of the ALJ in determining
such matters.
IV. Impact Statement and Other
Required Analyses
Regulatory Impact Analysis
AHRQ has previously analyzed the
potential economic impact of this rule
as part of its February 2008 Notice of
Proposed Rulemaking (proposed rule) as
required by Executive Order 12866
(September 1993, Regulatory Planning
and Review), the Regulatory Flexibility
Act (RFA) (September 16, 1980, Pub. L.
96–354), section 1102(b) of the Social
Security Act, the Unfunded Mandates
Reform Act of 1995 (Pub. L. 104–4), and
Executive Order 13132. This analysis
can be found on pages 8164 to 8171 of
the proposed rule, which was published
in the Federal Register on February 12,
2008.
Executive Order 12866 (as amended
by Executive Order 13258, February
2002, and Executive Order 13422,
January 2007), directs agencies to assess
all costs and benefits of available
regulatory alternatives and, if regulation
is necessary, to select regulatory
approaches that maximize net benefits
(including potential economic,

environmental, public health and safety
effects, distributive impacts, and
equity). A regulatory impact analysis
(RIA) must be prepared for major rules
with economically significant effects
($100 million or more in any 1 year).
Although we cannot determine the
specific economic impact of this final
rule, we believe that the economic
impact may approach $100 million.
HHS has determined that the rule is
‘‘significant’’ because it raises novel
legal and policy issues with the
establishment of a new regulatory
framework, authorized by the Patient
Safety Act, and imposes requirements,
albeit voluntary, on entities that had not
been subject to regulation in this area.
In preparing the regulatory impact
analysis for inclusion in the proposed
rule, AHRQ did not develop an
alternative to the statutorily authorized
voluntary framework. In light of the
approach taken in the proposed rule,
alternatives would have been mandatory
or more proscriptive as well as
inconsistent with statutory intent. The
proposed rule established a system in
which entities would voluntarily seek
designation (or ‘‘listing’’) by the
Secretary as a Patient Safety
Organization (PSO), most PSO
requirements would be met by
attestation and overall compliance
assessed by spot-checks rather than
document submission or routine audits,
and the Department would look to the
marketplace to assess the quality and
value of each PSO. PSOs will not be
Federally funded nor directed; their
funding and activities will be
determined by health care providers
who seek their expert assistance in

identifying the underlying causes of,
and the best strategies for reducing or
eliminating, medical errors. The
proposed rule provided a foundation of
confidentiality and privilege protections
for information developed and
exchanged when health care providers
voluntarily choose to work with a PSO.
We proposed that health care providers
could receive the confidentiality and
privilege protections of the statute by
reporting information to a PSO
occasionally, without entering contracts
or incurring significant costs. Other
health care providers could develop
more costly internal systems that would
serve as the hub of the provider’s
interactions with a PSO with which the
provider had a contractual relationship;
such structured, documented internal
systems with dedicated personnel
would be more costly. To create an
‘‘upper bound’’ on the analyses in the
proposed rule, we assumed that all
providers that would choose to work
with PSOs would follow this more
costly approach. It should be noted that
most hospital providers already have
patient safety reporting activities in
place (98% according to a 2006 AHRQ
survey). While documenting these
activities and, it is hoped, expanding
them through participation with a PSO
will result in increased costs, that
increase will be marginal, not complete,
in the hospital community.
A summary of the AHRQ analysis of
costs and benefits of Patient Safety Act
costs and benefits from the proposed
rule follows below. For a full discussion
of the assumptions underlying these
estimates, please refer to the proposed
rule.

TABLE 3—TOTAL PATIENT SAFETY ACT COSTS INCLUDING HOSPITAL COSTS AND PSO COSTS: 2009–2013
Year
2009

2010

2011

2012

2013

Hospital Penetration Rate ....................................................
Hospital Cost ........................................................................
PSO Cost .............................................................................

10%
$7.5 M
$61.4 M

40%
$30.0 M
$92.1 M

60%
$45.0 M
$122.8 M

75%
$56.2 M
$122.8 M

85%
$63.7 M
$122.8 M

Total cost ......................................................................

$68.9 M

$122.1 M

$167.8 M

$179.0 M

$186.5 M

dwashington3 on PRODPC61 with RULES3

Source: Notice of Proposed Rulemaking published in the Federal Register on February 12, 2008: 73 FR 8112–8183.

Costs for PSO implementation were
calculated by considering two
components: Costs incurred by hospitals
in engaging in PSO activities and costs
of PSOs themselves. It was assumed that
in early years of PSO operation, the
hospital would be the primary site of
PSO-related activity. Hospital costs
were assumed to be incremental, given
that a previously-completed survey
funded by AHRQ revealed that 98% of

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

U.S. hospitals already have adverse
event reporting systems, and virtually
all hospitals have a safety/quality
function. We assumed that PSOs would
be staffed modestly, relying on existing
hospital activities in reporting adverse
events, and that a significant proportion
of PSOs are likely to be component
PSOs, with support and expertise
provided by a parent organization. Our
assumptions were that PSOs will hire

PO 00000

Frm 00063

Fmt 4701

Sfmt 4700

dedicated staff of 1.5 to 4 FTEs,
assuming an average salary rate of $67/
hour. We also estimated that a
significant overhead figure of 100%,
coupled with 20% for General and
Administrative (G&A) expenses, will
cover the appreciable costs anticipated
for legal, security, travel, and
miscellaneous PSO expenses.

E:\FR\FM\21NOR3.SGM

21NOR3

70794

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

Provider—PSO Costs and Charges
We have not figured into our
calculations any estimates for the price
of PSO services, amounts paid by

hospitals and other health care
providers to PSOs, PSO revenues, or
PSO break-even analyses. We have not
speculated about subsidies or business
models. Regardless of what the costs

and charges are between providers and
PSOs, they will cancel each other out,
as expenses to providers will become
revenue to PSOs.

TABLE 4—TOTAL ESTIMATED COST SAVINGS BY PERCENT REDUCTION IN ADVERSE EVENTS: 2009–2013 *
Year
2009
Hospital Penetration Rate ....................................................
Percent Reduction in Adverse Events .................................
Savings ................................................................................

2010

10%
1%
$11.5 M

2011

40%
1.5%
$69 M

2012

60%
2%
$138 M

2013

75%
2.5%
$215.625 M

85%
3%
$293.25 M

* Source: Baseline figures from IOM Report, To Err Is Human, on total national health care costs associated with preventable adverse events
(between 8.5 billion and 14.5 billion). Year 1 estimates are based on mid-point figures.

TABLE 5—NET BENEFITS: 2009–2013
Year
2009

dwashington3 on PRODPC61 with RULES3

Total Benefits .......................................................................
Total Costs ...........................................................................
Net Benefits .........................................................................
Discounted net present value at 3% ...................................
Discounted net present value at 7% ...................................

The final rule includes several
modifications that could alter the actual
economic impact of the Patient Safety
Act, but AHRQ concludes that these
changes will not exceed the ‘‘upper
bound’’ established in our previous
analysis, and we anticipate that the
actual economic impact may be less.
Several changes incorporated in the
final rule are likely to lower the costs of
implementation. For example, the final
rule has removed a requirement that
PSOs that are components of other
existing organizations must maintain
separate information systems and, for all
but a small category of component
PSOs, we have removed restrictions on
the use of shared staff. As we noted in
our economic analysis, we expect the
most common type of PSO to be ones
that are established by one or more
existing organizations. As commenters
pointed out, personnel costs are likely
to be the most significant cost facing a
PSO, and the ability to share personnel
means that skilled personnel are
available at significantly less cost, and
in some cases at no cost, than the PSO
would pay to hire or externally contract
for personnel. Similarly, the costs and
administrative burdens associated with
the development and maintenance were
a major focus of commenters. These two
changes are likely to have the greatest
impact on reducing costs for PSOs.
There are two changes in the final
rule that might increase costs slightly
but selectively. The final rule parallels
a HIPAA Privacy Rule requirement that

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

$11.5
$68.9
($57.4)
($55.7)
($53.6)

2010
M
M
M
M
M

$69
$122.1
($53.1)
($50.0)
($46.4)

2011
M
M
M
M
M

business associates of covered entities
must notify the covered entity if any of
its protected health information has
been inappropriately disclosed or its
security breached. The final rule
requires PSOs to notify the providers
that submitted patient safety work
product to the PSO if the work product
it submitted has been disclosed or its
security breached. As we noted in the
proposed rule, the vast majority of
providers reporting data will be covered
entities under HIPAA and will need to
include such notification requirements
in the business associate agreements
they will enter with PSOs. In addition,
the HIPAA requirement is likely to
apply in many disclosure or security
breach situations because most work
product is expected to contain protected
health information. Nevertheless, this
requirement may increase costs to the
extent that PSOs receive work product
from non-covered entities, although
these potential increased costs will be
dependent upon the vigilance with
which the providers and PSOs meet
their confidentiality and security
requirements.
With respect to health care providers,
the final rule does not impose
requirements. The final rule does afford
increased flexibility and protections to
providers that voluntarily choose to
both establish and document a more
structured process for working with a
PSO, i.e., what the rule terms a patient
safety evaluation system, and document
the flow of information into and out of

PO 00000

Frm 00064

Fmt 4701

Sfmt 4700

2012

$138
$167.8
($29.8)
($27.3)
($24.3)

M
M
M
M
M

$215.625
$179.0
$36.625
$32.5
$27.9

2013
M
M
M
M
M

$293.25
$186.5
$106.75
$92.1
$76.1

M
M
M
M
M

the patient safety evaluation system. For
providers who choose this option, the
information they assemble and develop
within their patient safety evaluation
system will be accorded privilege and
confidentiality, contingent upon the
information ultimately being reported to
a PSO, from the outset. To the extent
that this encourages providers, who
would not otherwise have done so, to
establish a structured, documented
patient safety evaluation system, there
would be an increase in costs. As noted
above, this should not significantly
affect our previous analysis since we
assumed all providers working with a
PSO would have established a
documented patient safety evaluation
system.
Taking advantage of this option will
also enable health care providers with
integrated health information
technology systems to avoid the
requirement in the proposed rule that
they maintain the assembly and
development of patient safety work
product separately from their routine
data collection activities, which would
have required a number of providers to
establish dual information systems.
While we expect that the costs of
developing dual information collection
systems would exceed the costs of
developing and maintaining a
structured, documented patient safety
evaluation system, we do not estimate
any savings because we cannot be clear
how many providers would have
incurred the dual health information

E:\FR\FM\21NOR3.SGM

21NOR3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
technology systems costs or would have
simply chosen to forego participation.
After considering the impact of the
increased flexibility in the final rule for
PSOs and health care providers, we now
expect the implementation costs will be
lower than those in our previous
analysis.
Final Regulatory Flexibility Analysis
Since formation of a PSO is voluntary,
formation is not likely to occur unless
the organization believes it is an
economically viable endeavor.
Furthermore, PSOs are not likely to
undertake tasks that will provide
insufficient payment to cover their
costs. Therefore, the Secretary certifies
that the regulation will not impose a
significant economic burden on a
substantial number of small entities.
Unfunded Mandates Reform Act
Section 202 of the Unfunded
Mandates Reform Act requires that a
covered agency prepare a budgetary
impact statement before promulgating a
rule that includes any Federal mandate
that may result in the expenditure by
State, local, and Tribal governments, in
the aggregate, or by the private sector, of
$100 million or more in any one year.
The Department has determined that
this final rule will not impose a
mandate that will result in the
expenditure by State, Local, and Tribal
governments, in the aggregate, or by the
private sector, of more than $100
million in any one year.

dwashington3 on PRODPC61 with RULES3

Paperwork Reduction Act
This final rule adding a new Part 3 to
volume 42 of the Code of Federal
Regulations contains information
collection requirements. This summary
includes the estimated costs and
assumptions for the paperwork
requirements related to the final rule.
With respect to § 3.102 concerning the
submission of certifications for initial
and continued listing as a PSO, and of
updated information, all such
information would be submitted on the
‘‘Patient Safety Organization:
Certification for Initial Listing’’ form. To
maintain its listing, a PSO must also
submit a brief attestation, once every 24month period after its initial date of
listing, submitted on the ‘‘Attestation
Regarding the Two Bona Fide Contracts
Requirement’’ form, stating that it has
entered contracts with two providers.
We estimate that the final rule will
create an average burden of 30 minutes
annually for each entity that seeks to
become a PSO to complete the necessary
certification forms. Table 1 summarizes
burden hours.

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

TABLE 1—TOTAL BURDEN HOURS
RELATED TO CERTIFICATION FORMS
[Summary of all burden hours, by provision,
for PSOs]
Annualized
burden hours

Provision
3.112 ................................

30 minutes.

Under 5 CFR 1320.3(c), a covered
collection of information includes the
requirement by an agency of a
disclosure of information to third
parties by means of identical reporting,
recordkeeping, or disclosure
requirements, imposed on ten or more
persons. The final rule reflects the
previously established reporting
requirements for breach of
confidentiality applicable to business
associates under HIPAA regulations
requiring contracts to contain a
provision requiring the business
associate (in this case, the PSO) to notify
providers of breaches of their
identifiable patient data’s
confidentiality or security. Accordingly,
this reporting requirement referenced in
the regulation previously met
Paperwork Reduction Act review
requirements.
The final rule requires in § 3.108(c)
that a PSO notify the Secretary if it
intends to relinquish voluntarily its
status as a PSO. The entity is required
to notify the Secretary that it has, or will
soon, alert providers and other
organizations from which it has
received patient safety work product or
data of its intention and provide for the
appropriate disposition of the data in
consultation with each source of patient
safety work product or data held by the
entity. In addition, the entity is asked to
provide the Secretary with current
contact information for further
communication from the Secretary as
the entity ceases operations. The
reporting aspect of this requirement is
essentially an attestation that is
equivalent to the requirements for
listing, continued listing, and meeting
the minimum contracts requirement.
This minimal data requirement would
come within 5 CFR 1320.3(h)(1) which
provides an exception from PRA
requirements for affirmations,
certifications, or acknowledgments as
long as they entail no burden other than
that necessary to identify the
respondent, the date, the respondent’s
address, and the nature of the
instrument. In this case, the nature of
the instrument is an attestation that the
PSO is working with its providers for
the orderly cessation of activities. The
following other collections of
information that are required by the

PO 00000

Frm 00065

Fmt 4701

Sfmt 4700

70795

final regulation under § 3.108 are also
exempt from PRA requirements
pursuant to an exception in 5 CFR
1320.4 for information gathered as part
of administrative investigations and
actions regarding specific parties:
information supplied in response to
preliminary agency determinations of
PSO deficiencies or in response to
proposed revocation and delisting, e.g.,
information providing the agency with
correct facts, reporting corrective
actions taken, or appealing proposed
agency revocation decisions.
AHRQ and OCR published in the
Federal Register their proposed
information collection forms on
February 20, 2008. Following the first,
60-day comment period, the forms were
again published in the Federal Register
on April 21, 2008, to begin the second,
30-day comment period. The forms were
not changed following the first comment
period, and they and the one comment
received were sent to OMB, which
received them on April 25, 2008. Minor
changes to the proposed forms will be
necessary to align them with the final
rule. AHRQ and OCR will work with
OMB to ensure that the forms needed to
implement the Patient Safety Act
conform to the requirements of the final
rule.
Federalism
Executive Order 13132 establishes
certain requirements that an agency
must meet when it promulgates a final
rule that imposes substantial direct
requirement costs on state and local
governments, preempts State law, or
otherwise has Federalism implications.
The Patient Safety Act upon which the
final regulation is based makes patient
safety work product confidential and
privileged. To the extent this is
inconsistent with any state law,
including court decisions, the Federal
statute preempts such state law or court
order. The final rule will not have any
greater preemptive effect on state or
local governments than that imposed by
the statute. While the Patient Safety Act
does establish new Federal
confidentiality and privilege protections
for certain information, these
protections only apply when health care
providers work with PSOs and new
processes, such as patient safety
evaluation systems, that do not
currently exist. These Federal data
protections provide a mechanism for
protection of sensitive information that
could improve the quality, safety, and
outcomes of health care by fostering a
non-threatening environment in which
information about adverse medical
events and near misses can be
discussed. It is hoped that confidential

E:\FR\FM\21NOR3.SGM

21NOR3

70796

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

analysis of patient safety events will
reduce the occurrence of adverse
medical events and, thereby, reduce the
costs arising from such events,
including costs incurred by state and
local governments attributable to such
events. In addition, the Patient Safety
Act and the final rule do not relieve
health care providers of their
responsibilities to comply with state
reporting requirements.
AHRQ, in conjunction with OCR, held
three public listening sessions prior to
drafting the proposed rule.
Representatives of several states
participated in these sessions. In
particular, states that had begun to
collect and analyze patient safety event
information spoke about their related
experiences and plans. Following
publication of the proposed rule, AHRQ
consulted with state officials and
organizations to review the scope of the
proposed rule and to specifically seek
input on federalism issues and a
proposal in the rule at proposed
§ 3.102(a)(2) that would limit the ability

of public or private sector regulatory
entities to seek listing as a PSO. AHRQ
received no expressions of concerns
regarding the Federalism aspects of the
proposed rule although several State
health departments and commissions
submitted written comments regarding
the PSO eligibility criteria in the
proposed rule.
OMB Accounting Statement
The table below summarizes the
estimated costs and benefits of
implementing the Patient Safety and
Quality Improvement Act for the next
five years, beginning with January 1,
2009, by which time it is expected that
the rule will be effective.
The figures in the table are derived
from the regulatory impact analyses
outlined above and, more completely, in
the February 12, 2008 NPRM published
in the Federal Register, on pages 8164
to 8171. As in the previous analyses, the
range of benefits derives directly from
the range of potentially-avoidable
incidents cited (estimated) in IOM

OMB #:

Report, To Err Is Human. The range of
costs is the same as was included in the
NPRM, where minimum and maximum
estimates were calculated as 10% above
and 10% below the Agency’s primary
estimate of costs.
All figures are calculated at two
discount rates, 7% and 3%, and dollars
are held constant at the 2008 level. The
discount rates, 3% or 7%, represent two
rates of return that might be expected
from government investments. The
purpose is to project the expected future
costs and benefits in today’s dollars.
(Future dollars will be worth less than
today’s dollars, barring appropriate
investments.) Figures are annualized,
that is average-per-year over the five
years. The discount rates, 3% or 7%,
represent two rates of return that might
be expected from government
investments. The purpose is to project
the expected future costs and benefits in
today’s dollars. (Future dollars will be
worth less than today’s dollars, barring
appropriate investments.)

Agency/Program Office: AHRQ

Rule Title: Patient Safety and Quality Improvement Act
RIN #:

Date: 8/25/2008
CATEGORY

Primary
estimate
(millions)

BENEFITS ....................................................................................................
Annualized discounted (5 years):
@ 7% .....................................................................................................
@ 3% .....................................................................................................
COSTS ..........................................................................................................
Annualized discounted (5 years):
@ 7% .....................................................................................................
@ 3% .....................................................................................................

Minimum
estimate
(millions)

dwashington3 on PRODPC61 with RULES3

Administrative practice and
procedure, Civil money penalty,
Confidentiality, Conflict of interests,
Courts, Freedom of information, Health,
Health care, Health facilities, Health
insurance, Health professions, Health
records, Hospitals, Investigations, Law
enforcement, Medical research,
Organization and functions, Patient,
Patient safety, Privacy, Privilege, Public
health, Reporting and recordkeeping
requirements, Safety, State and local
governments, Technical assistance.
■ For the reasons stated in the preamble,
the Department of Health and Human
Services amends Title 42 of the Code of

$107.5

$183.4

AHRQ Analysis.

111.5
129.4
144.9

82.4
95.7
130.4

140.5
163.2
159.3

AHRQ Analysis.

115.5
131.1

104.0
118.0

127.1
144.2

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

N/A
N/A
N/A

Federal Regulations by adding a new
part 3 to read as follows:
PART 3—PATIENT SAFETY
ORGANIZATIONS AND PATIENT
SAFETY WORK PRODUCT
Subpart A—General Provisions
Sec.
3.10
3.20

Purpose.
Definitions.

Subpart B—PSO Requirements and Agency
Procedures
3.102 Process and requirements for initial
and continued listing of PSOs.
3.104 Secretarial actions.
3.106 Security requirements.

PO 00000

Frm 00066

Fmt 4701

Source citation
(RIA, preamble,
etc.)

$145.5

Transfers .......................................................................................................
Effects on small businesses .........................................................................
Effects on States and tribes .........................................................................

List of Subjects in 42 CFR Part 3

Maximum
estimate
(millions)

Sfmt 4700

3.108 Correction of deficiencies, revocation,
and voluntary relinquishment.
3.110 Assessment of PSO compliance.
3.112 Submissions and forms.
Subpart C—Confidentiality and Privilege
Protections of Patient Safety Work Product
3.204 Privilege of patient safety work
product.
3.206 Confidentiality of patient safety work
product.
3.208 Continued protection of patient safety
work product.
3.210 Required disclosure of patient safety
work product to the Secretary.
3.212 Nonidentification of patient safety
work product.
Subpart D—Enforcement Program
3.304 Principles for achieving compliance.

E:\FR\FM\21NOR3.SGM

21NOR3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
3.306 Complaints to the Secretary.
3.308 Compliance reviews.
3.310 Responsibilities of respondents.
3.312 Secretarial action regarding
complaints and compliance reviews.
3.314 Investigational subpoenas and
inquiries.
3.402 Basis for a civil money penalty.
3.404 Amount of a civil money penalty.
3.408 Factors considered in determining the
amount of a civil money penalty.
3.414 Limitations.
3.416 Authority to settle.
3.418 Exclusivity of penalty.
3.420 Notice of proposed determination.
3.422 Failure to request a hearing.
3.424 Collection of penalty.
3.426 Notification of the public and other
agencies.
3.504 Hearings before an ALJ.
3.506 Rights of the parties.
3.508 Authority of the ALJ.
3.510 Ex parte contacts.
3.512 Prehearing conferences.
3.514 Authority to settle.
3.516 Discovery.
3.518 Exchange of witness lists, witness
statements, and exhibits.
3.520 Subpoenas for attendance at hearing.
3.522 Fees.
3.524 Form, filing, and service of papers.
3.526 Computation of time.
3.528 Motions.
3.530 Sanctions.
3.532 Collateral estoppel.
3.534 The hearing.
3.538 Witnesses.
3.540 Evidence.
3.542 The record.
3.544 Post hearing briefs.
3.546 ALJ’s decision.
3.548 Appeal of the ALJ’s decision.
3.550 Stay of the Secretary’s decision.
3.552 Harmless error.
Authority: 42 U.S.C. 216, 299b–21 through
299b–26; 42 U.S.C. 299c–6.

Subpart A—General Provisions
§ 3.10

Purpose.

The purpose of this Part is to
implement the Patient Safety and
Quality Improvement Act of 2005 (Pub.
L. 109–41), which amended Title IX of
the Public Health Service Act (42 U.S.C.
299 et seq.) by adding sections 921
through 926, 42 U.S.C. 299b–21 through
299b–26.

dwashington3 on PRODPC61 with RULES3

§ 3.20

Definitions.

As used in this Part, the terms listed
alphabetically below have the meanings
set forth as follows:
Affiliated provider means, with
respect to a provider, a legally separate
provider that is the parent organization
of the provider, is under common
ownership, management, or control
with the provider, or is owned,
managed, or controlled by the provider.
AHRQ stands for the Agency for
Healthcare Research and Quality in
HHS.

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

ALJ stands for an Administrative Law
Judge of HHS.
Board means the members of the HHS
Departmental Appeals Board, in the
Office of the Secretary, which issues
decisions in panels of three.
Bona fide contract means:
(1) A written contract between a
provider and a PSO that is executed in
good faith by officials authorized to
execute such contract; or
(2) A written agreement (such as a
memorandum of understanding or
equivalent recording of mutual
commitments) between a Federal, State,
local, or Tribal provider and a Federal,
State, local, or Tribal PSO that is
executed in good faith by officials
authorized to execute such agreement.
Complainant means a person who
files a complaint with the Secretary
pursuant to § 3.306.
Component organization means an
entity that:
(1) Is a unit or division of a legal
entity (including a corporation,
partnership, or a Federal, State, local or
Tribal agency or organization); or
(2) Is owned, managed, or controlled
by one or more legally separate parent
organizations.
Component PSO means a PSO listed
by the Secretary that is a component
organization.
Confidentiality provisions means for
purposes of Subparts C and D, any
requirement or prohibition concerning
confidentiality established by sections
921 and 922(b)–(d), (g) and (i) of the
Public Health Service Act, 42 U.S.C.
299b–21, 299b–22(b)–(d), (g) and (i) and
the provisions, at §§ 3.206 and 3.208,
that implement the statutory prohibition
on disclosure of identifiable patient
safety work product.
Disclosure means the release, transfer,
provision of access to, or divulging in
any other manner of patient safety work
product by:
(1) An entity or natural person
holding the patient safety work product
to another legally separate entity or
natural person, other than a workforce
member of, or a health care provider
holding privileges with, the entity
holding the patient safety work product;
or
(2) A component PSO to another
entity or natural person outside the
component PSO and within the legal
entity of which the component PSO is
a part.
Entity means any organization or
organizational unit, regardless of
whether the organization is public,
private, for-profit, or not-for-profit.
Group health plan means an
employee welfare benefit plan (as
defined in section 3(1) of the Employee

PO 00000

Frm 00067

Fmt 4701

Sfmt 4700

70797

Retirement Income Security Act of 1974
(ERISA)) to the extent that the plan
provides medical care (as defined in
paragraph (2) of section 2791(a) of the
Public Health Service Act, including
items and services paid for as medical
care) to employees or their dependents
(as defined under the terms of the plan)
directly or through insurance,
reimbursement, or otherwise.
Health insurance issuer means an
insurance company, insurance service,
or insurance organization (including a
health maintenance organization, as
defined in 42 U.S.C. 300gg–91(b)(3))
which is licensed to engage in the
business of insurance in a State and
which is subject to State law which
regulates insurance (within the meaning
of 29 U.S.C. 1144(b)(2)). This term does
not include a group health plan.
Health maintenance organization
means:
(1) A Federally qualified health
maintenance organization (HMO) (as
defined in 42 U.S.C. 300e(a));
(2) An organization recognized under
State law as a health maintenance
organization; or
(3) A similar organization regulated
under State law for solvency in the same
manner and to the same extent as such
a health maintenance organization.
HHS stands for the United States
Department of Health and Human
Services.
HIPAA Privacy Rule means the
regulations promulgated under section
264(c) of the Health Insurance
Portability and Accountability Act of
1996 (HIPAA), at 45 CFR part 160 and
Subparts A and E of Part 164.
Identifiable patient safety work
product means patient safety work
product that:
(1) Is presented in a form and manner
that allows the identification of any
provider that is a subject of the work
product, or any providers that
participate in, or are responsible for,
activities that are a subject of the work
product;
(2) Constitutes individually
identifiable health information as that
term is defined in the HIPAA Privacy
Rule at 45 CFR 160.103; or
(3) Is presented in a form and manner
that allows the identification of an
individual who in good faith reported
information directly to a PSO or to a
provider with the intention of having
the information reported to a PSO
(‘‘reporter’’).
Nonidentifiable patient safety work
product means patient safety work
product that is not identifiable patient
safety work product in accordance with
the nonidentification standards set forth
at § 3.212.

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

70798

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

OCR stands for the Office for Civil
Rights in HHS.
Parent organization means an
organization that: owns a controlling
interest or a majority interest in a
component organization; has the
authority to control or manage agenda
setting, project management, or day-today operations; or the authority to
review and override decisions of a
component organization. The
component organization may be a
provider.
Patient Safety Act means the Patient
Safety and Quality Improvement Act of
2005 (Pub. L. 109–41), which amended
Title IX of the Public Health Service Act
(42 U.S.C. 299 et seq.) by inserting a
new Part C, sections 921 through 926,
which are codified at 42 U.S.C. 299b–21
through 299b–26.
Patient safety activities means the
following activities carried out by or on
behalf of a PSO or a provider:
(1) Efforts to improve patient safety
and the quality of health care delivery;
(2) The collection and analysis of
patient safety work product;
(3) The development and
dissemination of information with
respect to improving patient safety, such
as recommendations, protocols, or
information regarding best practices;
(4) The utilization of patient safety
work product for the purposes of
encouraging a culture of safety and of
providing feedback and assistance to
effectively minimize patient risk;
(5) The maintenance of procedures to
preserve confidentiality with respect to
patient safety work product;
(6) The provision of appropriate
security measures with respect to
patient safety work product;
(7) The utilization of qualified staff;
and
(8) Activities related to the operation
of a patient safety evaluation system and
to the provision of feedback to
participants in a patient safety
evaluation system.
Patient safety evaluation system
means the collection, management, or
analysis of information for reporting to
or by a PSO.
Patient safety organization (PSO)
means a private or public entity or
component thereof that is listed as a
PSO by the Secretary in accordance
with Subpart B. A health insurance
issuer or a component organization of a
health insurance issuer may not be a
PSO. See also the exclusions in § 3.102
of this Part.
Patient safety work product:
(1) Except as provided in paragraph
(2) of this definition, patient safety work
product means any data, reports,
records, memoranda, analyses (such as

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

root cause analyses), or written or oral
statements (or copies of any of this
material)
(i) Which could improve patient
safety, health care quality, or health care
outcomes; and
(A) Which are assembled or
developed by a provider for reporting to
a PSO and are reported to a PSO, which
includes information that is
documented as within a patient safety
evaluation system for reporting to a
PSO, and such documentation includes
the date the information entered the
patient safety evaluation system; or
(B) Are developed by a PSO for the
conduct of patient safety activities; or
(ii) Which identify or constitute the
deliberations or analysis of, or identify
the fact of reporting pursuant to, a
patient safety evaluation system.
(2)(i) Patient safety work product does
not include a patient’s medical record,
billing and discharge information, or
any other original patient or provider
information; nor does it include
information that is collected,
maintained, or developed separately, or
exists separately, from a patient safety
evaluation system. Such separate
information or a copy thereof reported
to a PSO shall not by reason of its
reporting be considered patient safety
work product.
(ii) Patient safety work product
assembled or developed by a provider
for reporting to a PSO may be removed
from a patient safety evaluation system
and no longer considered patient safety
work product if:
(A) The information has not yet been
reported to a PSO; and
(B) The provider documents the act
and date of removal of such information
from the patient safety evaluation
system.
(iii) Nothing in this part shall be
construed to limit information that is
not patient safety work product from
being:
(A) Discovered or admitted in a
criminal, civil or administrative
proceeding;
(B) Reported to a Federal, State, local
or Tribal governmental agency for
public health or health oversight
purposes; or
(C) Maintained as part of a provider’s
recordkeeping obligation under Federal,
State, local or Tribal law.
Person means a natural person, trust
or estate, partnership, corporation,
professional association or corporation,
or other entity, public or private.
Provider means:
(1) An individual or entity licensed or
otherwise authorized under State law to
provide health care services,
including—

PO 00000

Frm 00068

Fmt 4701

Sfmt 4700

(i) A hospital, nursing facility,
comprehensive outpatient rehabilitation
facility, home health agency, hospice
program, renal dialysis facility,
ambulatory surgical center, pharmacy,
physician or health care practitioner’s
office (includes a group practice), long
term care facility, behavior health
residential treatment facility, clinical
laboratory, or health center; or
(ii) A physician, physician assistant,
registered nurse, nurse practitioner,
clinical nurse specialist, certified
registered nurse anesthetist, certified
nurse midwife, psychologist, certified
social worker, registered dietitian or
nutrition professional, physical or
occupational therapist, pharmacist, or
other individual health care
practitioner;
(2) Agencies, organizations, and
individuals within Federal, State, local,
or Tribal governments that deliver
health care, organizations engaged as
contractors by the Federal, State, local,
or Tribal governments to deliver health
care, and individual health care
practitioners employed or engaged as
contractors by the Federal State, local,
or Tribal governments to deliver health
care; or
(3) A parent organization of one or
more entities described in paragraph
(1)(i) of this definition or a Federal,
State, local, or Tribal government unit
that manages or controls one or more
entities described in paragraphs (1)(i) or
(2) of this definition.
Research has the same meaning as the
term is defined in the HIPAA Privacy
Rule at 45 CFR 164.501.
Respondent means a provider, PSO,
or responsible person who is the subject
of a complaint or a compliance review.
Responsible person means a person,
other than a provider or a PSO, who has
possession or custody of identifiable
patient safety work product and is
subject to the confidentiality provisions.
Workforce means employees,
volunteers, trainees, contractors, or
other persons whose conduct, in the
performance of work for a provider, PSO
or responsible person, is under the
direct control of such provider, PSO or
responsible person, whether or not they
are paid by the provider, PSO or
responsible person.
Subpart B—PSO Requirements and
Agency Procedures
§ 3.102 Process and requirements for
initial and continued listing of PSOs.

(a) Eligibility and process for initial
and continued listing—(1) Submission
of certification. Any entity, except as
specified in paragraph (a)(2) of this
section, may request from the Secretary

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
an initial or continued listing as a PSO
by submitting a completed certification
form that meets the requirements of this
section, in accordance with § 3.112. An
individual with authority to make
commitments on behalf of the entity
seeking listing will be required to
submit contact information for the
entity and:
(i) Attest that the entity is not subject
to any exclusion in paragraph (a)(2) of
this section;
(ii) Provide certifications that the
entity meets each requirement for PSOs
in paragraph (b) of this section;
(iii) If the entity is a component of
another organization, provide the
additional certifications that the entity
meets the requirements of paragraph
(c)(1)(i) of this section;
(iv) If the entity is a component of an
excluded entity described in paragraph
(a)(2)(ii), provide the additional
certifications and information required
by paragraph (c)(1)(ii) of this section;
(v) Attest that the entity has disclosed
if the Secretary has ever delisted this
entity (under its current name or any
other) or refused to list the entity or
whether any of its officials or senior
managers held comparable positions of
responsibility in an entity that was
denied listing or delisted and, if any of
these circumstances apply, submit with
its certifications and related disclosures,
the name of the entity or entities that
the Secretary declined to list or delisted;
(vi) Attest that the PSO will promptly
notify the Secretary during its period of
listing if it can no longer comply with
any of its attestations and the applicable
requirements in §§ 3.102(b) and 3.102(c)
or if there have been any changes in the
accuracy of the information submitted
for listing, along with the pertinent
changes; and
(vii) Provide other information that
the Secretary determines to be necessary
to make the requested listing
determination.
(2) Exclusion of certain entities. The
following types of entities may not seek
listing as a PSO:
(i) A health insurance issuer; a unit or
division of a health insurance issuer; or
an entity that is owned, managed, or
controlled by a health insurance issuer;
(ii) (A) An entity that accredits or
licenses health care providers;
(B) An entity that oversees or enforces
statutory or regulatory requirements
governing the delivery of health care
services;
(C) An agent of an entity that oversees
or enforces statutory or regulatory
requirements governing the delivery of
health care services; or
(D) An entity that operates a Federal,
state, local or Tribal patient safety

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

reporting system to which health care
providers (other than members of the
entity’s workforce or health care
providers holding privileges with the
entity) are required to report
information by law or regulation.
(iii) A component of an entity listed
in paragraph (a)(2)(ii) may seek listing
as a component PSO subject to the
requirements and restrictions of
paragraph (c)(1)(ii) of this section.
(3) Submission of certification for
continued listing. To facilitate a timely
Secretarial determination regarding
acceptance of its certification for
continued listing, a PSO must submit
the required certification no later than
75 days before the expiration of a PSO’s
three-year period of listing.
(b) Fifteen general PSO certification
requirements. The certifications
submitted to the Secretary in
accordance with paragraph (a)(1)(ii) of
this section must conform to the
following 15 requirements:
(1) Required certification regarding
eight patient safety activities.
(i) Initial listing. An entity seeking
initial listing as a PSO must certify that
it has written policies and procedures in
place to perform each of the eight
patient safety activities, defined in
§ 3.20. With respect to paragraphs (5)
and (6) in the definition of patient safety
activities regarding confidentiality and
security, the policies and procedures
must include and provide for:
(A) Compliance with the
confidentiality provisions of Subpart C
of this part and with appropriate
security measures as required by § 3.106
of this subpart.
(B) Notification of each provider that
submitted patient safety work product
or data as described in § 3.108(b)(2) to
the entity if the submitted work product
or data was subject to an unauthorized
disclosure or its security was breached.
(ii) Continued Listing. A PSO seeking
continued listing must certify that it is
performing, and will continue to
perform, each of the patient safety
activities defined in § 3.20, and is and
will continue to comply with the
requirements of paragraphs (b)(1)(i)(A)
and (B) of this section.
(2) Required certification regarding
seven PSO criteria.
(i) Initial Listing. In its initial
certification submission, an entity must
also certify that, if listed as a PSO, it
will comply with the seven
requirements in paragraphs (b)(2)(i)(A)
through (G) of this section.
(A) The mission and primary activity
of the PSO must be to conduct activities
that are to improve patient safety and
the quality of health care delivery.

PO 00000

Frm 00069

Fmt 4701

Sfmt 4700

70799

(B) The PSO must have appropriately
qualified workforce members, including
licensed or certified medical
professionals.
(C) The PSO, within the 24-month
period that begins on the date of its
initial listing as a PSO, and within each
sequential 24-month period thereafter,
must have 2 bona fide contracts, each of
a reasonable period of time, each with
a different provider for the purpose of
receiving and reviewing patient safety
work product.
(D) The PSO is not a health insurance
issuer, and is not a component of a
health insurance issuer.
(E) The PSO must make disclosures to
the Secretary as required under
§ 3.102(d), in accordance with § 3.112 of
this subpart.
(F) To the extent practical and
appropriate, the PSO must collect
patient safety work product from
providers in a standardized manner that
permits valid comparisons of similar
cases among similar providers.
(G) The PSO must utilize patient
safety work product for the purpose of
providing direct feedback and assistance
to providers to effectively minimize
patient risk.
(ii) Continued Listing. A PSO seeking
continued listing must certify that it is
complying with, and will continue to
comply with, the requirements of
paragraphs (b)(2)(i)(A) through (G) of
this section.
(iii) Compliance with the criterion for
collecting patient safety work product in
a standardized manner to the extent
practical and appropriate. With respect
to paragraph (b)(2)(i)(F) of this section,
the Secretary will assess compliance by
a PSO in the following manner.
(A) A PSO seeking continued listing
must:
(1) Certify that the PSO is using the
Secretary’s published guidance for
common formats and definitions in its
collection of patient safety work product
(option (I));
(2) Certify that the PSO is using an
alternative system of formats and
definitions that permits valid
comparisons of similar cases among
similar providers (option (II)); or
(3) Provide a clear explanation for
why it is not practical or appropriate for
the PSO to comply with options (I) or
(II) at this time.
(B) The Secretary will consider a PSO
to be in compliance if the entity
complies with option (I), satisfactorily
demonstrates that option (II) permits
valid comparisons of similar cases
among similar providers, or
satisfactorily demonstrates that it is not
practical or appropriate for the PSO to

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

70800

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

comply with options (I) or (II) at this
time.
(c) Additional certifications required
of component organizations—(1)
Requirements when seeking listing—(i)
Requirements that all component
organizations must meet. In addition to
meeting the 15 general PSO certification
requirements of paragraph (b) of this
section, an entity seeking initial listing
that is a component of another
organization must certify that it will
comply with the requirements of
paragraph (c)(2) of this section. A
component PSO seeking continued
listing must certify that it is complying
with, and will continue to comply with,
the requirements of this same paragraph
(c)(2). At initial and continued listing, a
component entity must attach to its
certifications for listing contact
information for its parent
organization(s).
(ii) Additional requirements and
limitations applicable to components of
entities that are excluded from listing.
In addition to the requirements under
paragraph (c)(1)(i) of this section, a
component of an organization excluded
from listing under paragraph (a)(2)(ii) of
this section must submit the additional
certifications and specified information
for initial and continued listing and
comply with paragraph (c)(4) of this
section.
(2) Required component
certifications—(i) Separation of patient
safety work product. A component PSO
must maintain patient safety work
product separately from the rest of the
parent organization(s) of which it is a
part, and establish appropriate security
measures to maintain the confidentiality
of patient safety work product. The
information system in which the
component PSO maintains patient
safety work product must not permit
unauthorized access by one or more
individuals in, or by units of, the rest of
the parent organization(s) of which it is
a part.
(ii) Nondisclosure of patient safety
work product. A component PSO must
require that members of its workforce
and any other contractor staff not make
unauthorized disclosures of patient
safety work product to the rest of the
parent organization(s) of which it is a
part.
(iii) No conflict of interest. The
pursuit of the mission of a component
PSO must not create a conflict of
interest with the rest of the parent
organization(s) of which it is a part.
(3) Written agreements for assisting a
component PSO in the conduct of
patient safety activities.
Notwithstanding the requirements of
paragraph (c)(2) of this section, a

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

component PSO may provide access to
identifiable patient safety work product
to one or more individuals in, or to one
or more units of, the rest of the parent
organization(s) of which it is a part, if
the component PSO enters into a
written agreement with such
individuals or units which requires that:
(i) The component PSO will only
provide access to identifiable patient
safety work product to enable such
individuals or units to assist the
component PSO in its conduct of
patient safety activities, and
(ii) Such individuals or units that
receive access to identifiable patient
safety work product pursuant to such
written agreement will only use or
disclose such information as specified
by the component PSO to assist the
component PSO in its conduct of
patient safety activities, will take
appropriate security measures to
prevent unauthorized disclosures and
will comply with the other certifications
the component has made pursuant to
paragraph (c)(2) of this section regarding
unauthorized disclosures and
conducting the mission of the PSO
without creating conflicts of interest.
(4) Required attestations, information
and operational limitations for
components of entities excluded from
listing. A component organization of an
entity that is subject to the restrictions
of paragraph (a)(2)(ii) of this section
must:
(i) Submit the following information
with its certifications for listing:
(A) A statement describing its parent
organization’s role, and the scope of the
parent organization’s authority, with
respect to any of the following that
apply: Accreditation or licensure of
health care providers, oversight or
enforcement of statutory or regulatory
requirements governing the delivery of
health care services, serving as an agent
of such a regulatory oversight or
enforcement authority, or administering
a public mandatory patient safety
reporting system;
(B) An attestation that the parent
organization has no policies or
procedures that would require or induce
providers to report patient safety work
product to their component organization
once listed as a PSO and that the
component PSO will notify the
Secretary within 5 calendar days of the
date on which the component
organization has knowledge of the
adoption by the parent organization of
such policies or procedures, and an
acknowledgment that the adoption of
such policies or procedures by the
parent organization during the
component PSO’s period of listing will
result in the Secretary initiating an

PO 00000

Frm 00070

Fmt 4701

Sfmt 4700

expedited revocation process in
accordance with § 3.108(e); and
(C) An attestation that the component
organization will prominently post
notification on its Web site and publish
in any promotional materials for
dissemination to providers, a summary
of the information that is required by
paragraph (c)(4)(i)(A) of this section.
(ii) Comply with the following
requirements during its period of listing:
(A) The component organization may
not share staff with its parent
organization(s).
(B) The component organization may
enter into a written agreement pursuant
to paragraph (c)(3) but such agreements
are limited to units or individuals of the
parent organization(s) whose
responsibilities do not involve the
activities specified in the restrictions in
paragraph (a)(2)(ii) of this section.
(d) Required notifications. Upon
listing, PSOs must meet the following
notification requirements:
(1) Notification regarding PSO
compliance with the minimum contract
requirement. No later than 45 calendar
days prior to the last day of the
pertinent 24-month assessment period,
specified in paragraph (b)(2)(iii)(C) of
this section, the Secretary must receive
from a PSO a certification that states
whether it has met the requirement of
that paragraph regarding two bona fide
contracts, submitted in accordance with
§ 3.112 of this subpart.
(2) Notification regarding a PSO’s
relationships with its contracting
providers.
(i) Requirement. A PSO must file a
disclosure statement regarding a
provider with which it has a contract
that provides the confidentiality and
privilege protections of the Patient
Safety Act (hereinafter referred to as a
Patient Safety Act contract) if the PSO
has any other relationships with this
provider that are described in
paragraphs (d)(2)(i)(A) through (D) of
this section. The PSO must disclose all
such relationships. A disclosure
statement is not required if all of its
other relationships with the provider are
limited to Patient Safety Act contracts.
(A) The provider and PSO have
current contractual relationships, other
than those arising from any Patient
Safety Act contracts, including formal
contracts or agreements that impose
obligations on the PSO.
(B) The provider and PSO have
current financial relationships other
than those arising from any Patient
Safety Act contracts. A financial
relationship may include any direct or
indirect ownership or investment
relationship between the PSO and the
contracting provider, shared or common

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
financial interests or direct or indirect
compensation arrangements whether in
cash or in-kind.
(C) The PSO and provider have
current reporting relationships other
than those arising from any Patient
Safety Act contracts, by which the
provider has access to information
regarding the work and operation of the
PSO that is not available to other
contracting providers.
(D) Taking into account all
relationships that the PSO has with the
provider, the PSO is not independently
managed or controlled, or the PSO does
not operate independently from, the
contracting provider.
(ii) Content. A PSO must submit to
the Secretary the required attestation
form for disclosures with the
information specified below in
accordance with § 3.112 and this
section. The substantive information
that must be included with each
submission has two required parts:
(A) The Required Disclosures. The
first part of the substantive information
must provide a succinct list of
obligations between the PSO and the
contracting provider apart from their
Patient Safety Act contract(s) that create,
or contain, any of the types of
relationships that must be disclosed
based upon the requirements of
paragraphs (d)(2)(i)(A) through (D) of
this section. Each reportable obligation
or discrete set of obligations that the
PSO has with this contracting provider
should be listed only once; noting the
specific aspects of the obligation(s) that
reflect contractual or financial
relationships, involve access to
information that is not available to other
providers, or affect the independence of
PSO operations, management, or
control.
(B) An Explanatory Narrative. The
second required part of the substantive
information must provide a brief
explanatory narrative succinctly
describing: The policies and procedures
that the PSO has in place to ensure
adherence to objectivity and
professionally recognized analytic
standards in the assessments it
undertakes; and any other policies or
procedures, or agreements with this
provider, that the PSO has in place to
ensure that it can fairly and accurately
perform patient safety activities.
(iii) Deadlines for submission. The
Secretary must receive a disclosure
statement within 45 days of the date on
which a PSO enters a contract with a
provider if the circumstances described
in any of the paragraphs (d)(2)(i)(A)
through (D) of this section are met on
the date the contract is entered. During
the contract period, if these

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

circumstances subsequently arise, the
Secretary must receive a disclosure
statement from the PSO within 45 days
of the date that any disclosure
requirement in paragraph (d)(2)(i) of this
section first applies.
§ 3.104

Secretarial actions.

(a) Actions in response to certification
submissions for initial and continued
listing as a PSO. (1) In response to an
initial or continued certification
submission by an entity, pursuant to the
requirements of § 3.102 of this subpart,
the Secretary may—
(i) Accept the certification submission
and list the entity as a PSO, or maintain
the listing of a PSO, if the Secretary
determines that the entity meets the
applicable requirements of the Patient
Safety Act and this subpart;
(ii) Deny acceptance of a certification
submission and, in the case of a
currently listed PSO, remove the entity
from the list if the entity does not meet
the applicable requirements of the
Patient Safety Act and this subpart; or
(iii) Condition the listing of an entity
or the continued listing of a PSO,
following a determination made
pursuant to paragraph (c) of this section
or a determination after review of the
pertinent history of an entity that has
been delisted or refused listing and its
officials and senior managers.
(2) Basis for determination. In making
a determination regarding listing, the
Secretary will consider the certification
submission; any prior actions by the
Secretary regarding the entity or PSO
including delisting; any history of or
current non-compliance by the entity or
the PSO or its officials or senior
managers with statutory or regulatory
requirements or requests from the
Secretary; the relationships of the entity
or PSO with providers; and any findings
made by the Secretary in accordance
with paragraph (c) of this section.
(3) Notification. The Secretary will
notify in writing each entity of action
taken on its certification submission for
initial or continued listing. The
Secretary will provide reasons when an
entity’s certification is conditionally
accepted and the entity is conditionally
listed, when an entity’s certification is
not accepted and the entity is not listed,
or when acceptance of its certification is
revoked and the entity is delisted.
(b) Actions regarding PSO compliance
with the minimum contract
requirement. After the date on which
the Secretary, under § 3.102(d)(1) of this
subpart, must receive notification
regarding compliance of a PSO with the
minimum contract requirement—
(1) If the PSO has met the minimum
contract requirement, the Secretary will

PO 00000

Frm 00071

Fmt 4701

Sfmt 4700

70801

acknowledge in writing receipt of the
notification and add information to the
list established pursuant to paragraph
(d) of this section stating that the PSO
has certified that it has met the
requirement.
(2) If the PSO states that it has not yet
met the minimum contract requirement
by the date specified in § 3.102(d)(1), or
if notice is not received by that date, the
Secretary will issue to the PSO a notice
of a preliminary finding of deficiency as
specified in § 3.108(a)(2) and establish a
period for correction that extends until
midnight of the last day of the PSO’s
applicable 24-month period of
assessment. Thereafter, if the
requirement has not been met, the
Secretary will provide the PSO a written
notice of proposed revocation and
delisting in accordance with
§ 3.108(a)(3).
(c) Actions regarding required
disclosures by PSOs of relationships
with contracting providers. The
Secretary will review and make findings
regarding each disclosure statement
submitted by a PSO, pursuant to
§ 3.102(d)(2), regarding its relationships
with contracting provider(s), determine
whether such findings warrant action
regarding the listing of the PSO in
accordance with paragraph (c)(2) of this
section, and make the findings public.
(1) Basis of findings regarding PSO
disclosure statements. In reviewing
disclosure statements, submitted
pursuant to § 3.102(d)(2) of this subpart,
the Secretary will consider the disclosed
relationship(s) between the PSO and the
contracting provider and the statements
and material submitted by the PSO
describing the policies and procedures
that the PSO has in place to determine
whether the PSO can fairly and
accurately perform the required patient
safety activities.
(2) Determination by the Secretary.
Based on the Secretary’s review and
findings, he may choose to take any of
the following actions:
(i) For an entity seeking an initial or
continued listing, the Secretary may list
or continue the listing of an entity
without conditions, list the entity
subject to conditions, or deny the
entity’s certification for initial or
continued listing; or
(ii) For a listed PSO, the Secretary
may determine that the entity will
remain listed without conditions,
continue the entity’s listing subject to
conditions, or remove the entity from
the list of PSOs.
(3) Release of disclosure statements
and Secretarial findings. (i) Subject to
paragraph (c)(3)(ii) of this section, the
Secretary will make disclosure
statements available to the public along

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

70802

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

with related findings that are made
available in accordance with paragraph
(c) of this section.
(ii) The Secretary may withhold
information that is exempt from public
disclosure under the Freedom of
Information Act, e.g., trade secrets or
confidential commercial information
that are subject to the restrictions of 18
U.S.C. 1905.
(d) Maintaining a list of PSOs. The
Secretary will compile and maintain a
publicly available list of entities whose
certifications as PSOs have been
accepted. The list will include contact
information for each entity, a copy of all
certification forms and disclosure
statements submitted by each entity in
accordance with paragraph (c)(3)(ii) of
this section, the effective date of the
PSO’s listing, and information on
whether a PSO has certified that it has
met the two contract requirement. The
list also will include a copy of the
Secretary’s findings regarding each
disclosure statement submitted by an
entity, information describing any
related conditions that have been placed
by the Secretary on the listing of an
entity as a PSO, and other information
that this Subpart states may be made
public. AHRQ may maintain a PSO
website (or a comparable future form of
public notice) and may post the list on
this website.
(e) Three-year period of listing. (1)
The three-year period of listing of a PSO
will automatically expire at midnight of
the last day of this period, unless the
listing had been revoked or relinquished
earlier in accordance with § 3.108 of this
subpart, or if, prior to this automatic
expiration, the PSO seeks a new threeyear listing, in accordance with § 3.102,
and the Secretary accepts the PSO’s
certification for a new three-year listing,
in accordance with § 3.104(a).
(2) The Secretary plans to send a
written notice of imminent expiration to
a PSO at least 60 calendar days prior to
the date on which its three-year period
of listing expires if the Secretary has not
yet received a certification for continued
listing. The Secretary plans to indicate,
on the AHRQ PSO website, the PSOs
from whom certifications for continued
listing have not been timely received.
(f) Effective dates of Secretarial
actions. Unless otherwise stated, the
effective date of each action by the
Secretary pursuant to this subpart will
be specified in the written notice of
such action that is sent to the entity.
When the Secretary sends a notice that
addresses acceptance or revocation of an
entity’s certifications or voluntary
relinquishment by an entity of its status
as a PSO, the notice will specify the

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

effective date and time of listing or
delisting.
§ 3.106

Security requirements.

(a) Application. A PSO must secure
patient safety work product in
conformance with the security
requirements of paragraph (b) of this
section. These requirements must be
met at all times and at any location at
which the PSO, its workforce members,
or its contractors receive, access, or
handle patient safety work product.
Handling patient safety work product
includes its processing, development,
use, maintenance, storage, removal,
disclosure, transmission and
destruction.
(b) Security framework. A PSO must
have written policies and procedures
that address each of the considerations
specified in this subsection. In
addressing the framework that follows,
the PSO may develop appropriate and
scalable security standards, policies,
and procedures that are suitable for the
size and complexity of its organization.
(1) Security management. A PSO must
address:
(i) Maintenance and effective
implementation of written policies and
procedures that conform to the
requirements of this section to protect
the confidentiality, integrity, and
availability of the patient safety work
product that is received, accessed, or
handled; and to monitor and improve
the effectiveness of such policies and
procedures, and
(ii) Training of the PSO workforce and
PSO contractors who receive, access, or
handle patient safety work product
regarding the requirements of the
Patient Safety Act, this Part, and the
PSO’s policies and procedures regarding
the confidentiality and security of
patient safety work product.
(2) Distinguishing patient safety work
product. A PSO must address:
(i) Maintenance of the security of
patient safety work product, whether in
electronic or other media, through either
physical separation from non-patient
safety work product, or if co-located
with non-patient safety work product,
by making patient safety work product
distinguishable so that the appropriate
form and level of security can be
applied and maintained;
(ii) Protection of the media, whether
in electronic, paper, or other media or
format, that contain patient safety work
product, limiting access to authorized
users, and sanitizing and destroying
such media before their disposal or
release for reuse; and
(iii) Physical and environmental
protection, to control and limit physical
and virtual access to places and

PO 00000

Frm 00072

Fmt 4701

Sfmt 4700

equipment where patient safety work
product is received, accessed, or
handled.
(3) Security control and monitoring. A
PSO must address:
(i) Identification of those authorized
to receive, access, or handle patient
safety work product and an audit
capacity to detect unlawful,
unauthorized, or inappropriate receipt,
access, or handling of patient safety
work product, and
(ii) Methods to prevent unauthorized
receipt, access, or handling of patient
safety work product.
(4) Security assessment. A PSO must
address:
(i) Periodic assessments of security
risks and controls to establish if its
controls are effective, to correct any
deficiency identified, and to reduce or
eliminate any vulnerabilities.
(ii) System and communications
protection, to monitor, control, and
protect PSO receipt, access, or handling
of patient safety work product with
particular attention to the transmission
of patient safety work product to and
from providers, other PSOs, contractors
or any other responsible persons.
§ 3.108 Correction of deficiencies,
revocation, and voluntary relinquishment.

(a) Process for correction of a
deficiency and revocation—(1)
Circumstances leading to revocation.
The Secretary may revoke his
acceptance of an entity’s certification
(‘‘revocation’’) and delist the entity as a
PSO if he determines—
(i) The PSO is not fulfilling the
certifications made to the Secretary as
required by § 3.102;
(ii) The PSO has not met the two
contract requirement, as required by
§ 3.102(d)(1);
(iii) Based on a PSO’s disclosures
made pursuant to § 3.102(d)(2) , that the
entity cannot fairly and accurately
perform the patient safety activities of a
PSO with a public finding to that effect;
or
(iv) The PSO is not in compliance
with any other provision of the Patient
Safety Act or this Part.
(2) Notice of preliminary finding of
deficiency and establishment of an
opportunity for correction of a
deficiency. (i) Except as provided by
paragraph (e) of this section, if the
Secretary determines that a PSO is not
in compliance with its obligations under
the Patient Safety Act or this Subpart,
the Secretary must send a PSO written
notice of the preliminary finding of
deficiency. The notice must state the
actions or inactions that encompass the
deficiency finding, outline the evidence
that the deficiency exists, specify the

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
possible and/or required corrective
actions that must be taken, and establish
a date by which the deficiency must be
corrected. The Secretary may specify in
the notice the form of documentation
required to demonstrate that the
deficiency has been corrected.
(ii) The notice of a preliminary
finding of deficiency is presumed
received five days after it is sent, absent
evidence of the actual receipt date. If a
PSO does not submit evidence to the
Secretary within 14 calendar days of
actual or constructive receipt of such
notice, whichever is longer, which
demonstrates that the preliminary
finding is factually incorrect, the
preliminary finding will be the basis for
a finding of deficiency.
(3) Determination of correction of a
deficiency. (i) Unless the Secretary
specifies another date, the Secretary
must receive documentation to
demonstrate that the PSO has corrected
any deficiency cited in the preliminary
finding of deficiency no later than five
calendar days following the last day of
the correction period that is specified by
the Secretary in such notice.
(ii) In making a determination
regarding the correction of any
deficiency, the Secretary will consider
the documentation submitted by the
PSO, any assessments under § 3.110,
recommendations of program staff, and
any other information available
regarding the PSO that the Secretary
deems appropriate and relevant to the
PSO’s implementation of the terms of its
certification.
(iii) After completing his review, the
Secretary may make one of the
following determinations:
(A) The action(s) taken by the PSO
have corrected any deficiency, in which
case the Secretary will withdraw the
notice of deficiency and so notify the
PSO;
(B) The PSO has acted in good faith
to correct the deficiency, but the
Secretary finds an additional period of
time is necessary to achieve full
compliance and/or the required
corrective action specified in the notice
of a preliminary finding of deficiency
needs to be modified in light of the
experience of the PSO in attempting to
implement the corrective action, in
which case the Secretary will extend the
period for correction and/or modify the
specific corrective action required; or
(C) The PSO has not completed the
corrective action because it has not
acted with reasonable diligence or speed
to ensure that the corrective action was
completed within the allotted time, in
which case the Secretary will issue to
the PSO a notice of proposed revocation
and delisting.

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

(iv) When the Secretary issues a
written notice of proposed revocation
and delisting, the notice will specify the
deficiencies that have not been timely
corrected and will detail the manner in
which the PSO may exercise its
opportunity to be heard in writing to
respond to the deficiencies specified in
the notice.
(4) Opportunity to be heard in writing
following a notice of proposed
revocation and delisting. The Secretary
will afford a PSO an opportunity to be
heard in writing, as specified in
paragraph (a)(4)(i) of this section, to
provide a substantive response to the
deficiency finding(s) set forth in the
notice of proposed revocation and
delisting.
(i) The notice of proposed revocation
and delisting is presumed received five
days after it is sent, absent evidence of
actual receipt. The Secretary will
provide a PSO with a period of time,
beginning with the date of receipt of the
notice of proposed revocation and
delisting of which there is evidence, or
the presumed date of receipt if there is
no evidence of earlier receipt, and
ending at midnight 30 calendar days
thereafter, during which the PSO may
submit a substantive response to the
deficiency findings in writing.
(ii) The Secretary will provide to the
PSO any rules of procedure governing
the form or transmission of the written
response to the notice of proposed
revocation and delisting. Such rules
may also be posted on the AHRQ PSO
Web site or published in the Federal
Register.
(iii) If a PSO does not submit a written
response to the deficiency finding(s)
within 30 calendar days of receipt of the
notice of proposed revocation and
delisting, the notice of proposed
revocation becomes final as a matter of
law and the basis for Secretarial action
under paragraph (b)(1) of this section.
(5) The Secretary’s decision regarding
revocation. The Secretary will review
the entire administrative record
pertaining to a notice of proposed
revocation and delisting and any written
materials submitted by the PSO under
paragraph (a)(4) of this section. The
Secretary may affirm, reverse, or modify
the notice of proposed revocation and
delisting and will make a determination
with respect to the continued listing of
the PSO.
(b) Revocation of the Secretary’s
acceptance of a PSO’s certifications—(1)
Establishing the date and time of
revocation and delisting. When the
Secretary concludes, in accordance with
a decision made under paragraphs
(a)(5), (e)(3)(iii) or (e)(3)(iv)(C) of this
section, that revocation of the

PO 00000

Frm 00073

Fmt 4701

Sfmt 4700

70803

acceptance of a PSO’s certification is
warranted for its failure to comply with
requirements of the Patient Safety Act or
of this Part, the Secretary will establish
the effective time and date for such
prompt revocation and removal of the
entity from the list of PSOs, so notify
the PSO in writing, and provide the
relevant public notice required by
§ 3.108(d) of this subpart.
(2) Required notification of providers
and status of data. (i) Upon being
notified of the Secretary’s action
pursuant to paragraph (b)(1) of this
section, the former PSO will take all
reasonable actions to notify each
provider, whose patient safety work
product it collected or analyzed, of the
Secretary’s action(s) and the following
statutory information: Confidentiality
and privilege protections that applied to
patient safety work product while the
former PSO was listed continue to apply
after the entity is removed from listing.
Data submitted by providers to the
former PSO for 30 calendar days
following the date and time on which
the entity was removed from the list of
PSOs pursuant to paragraph (b)(1) of
this section will have the same status as
data submitted while the entity was still
listed.
(ii) Within 15 days of being notified
of the Secretary’s action pursuant to
paragraph (b)(1) of this section, the
former PSO shall submit to the
Secretary confirmation that it has taken
the actions in paragraph (b)(2)(i) of this
section.
(3) Disposition of patient safety work
product and data. Within 90 days
following the effective date of
revocation and delisting pursuant to
paragraph (b)(1) of this section, the
former PSO will take one or more of the
following measures in regard to patient
safety work product and data described
in paragraph (b)(2)(i) of this section:
(i) Transfer such patient safety work
product or data, with the approval of the
source from which it was received, to a
PSO that has agreed to receive such
patient safety work product or data;
(ii) Return such work product or data
to the source from which it was
submitted; or
(iii) If returning such patient safety
work product or data to its source is not
practicable, destroy such patient safety
work product or data.
(c) Voluntary relinquishment—(1)
Circumstances constituting voluntary
relinquishment. A PSO will be
considered to have voluntarily
relinquished its status as a PSO if the
Secretary accepts a notification from a
PSO that it wishes to relinquish
voluntarily its listing as a PSO.

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

70804

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

(2) Notification of voluntary
relinquishment. A PSO’s notification of
voluntary relinquishment to the
Secretary must include the following:
(i) An attestation that all reasonable
efforts have been made, or will have
been made by a PSO within 15 calendar
days of this statement, to notify the
sources from which it received patient
safety work product of the PSO’s
intention to cease PSO operations and
activities, to relinquish voluntarily its
status as a PSO, to request that these
other entities cease reporting or
submitting any further information to
the PSO as soon as possible, and inform
them that any information reported after
the effective date and time of delisting
that the Secretary sets pursuant to
paragraph (c)(3) of this section will not
be protected as patient safety work
product under the Patient Safety Act.
(ii) An attestation that the entity has
established a plan, or within 15
calendar days of this statement, will
have made all reasonable efforts to
establish a plan, in consultation with
the sources from which it received
patient safety work product, that
provides for the disposition of the
patient safety work product held by the
PSO consistent with, to the extent
practicable, the statutory options for
disposition of patient safety work
product as set out in paragraph (b)(3) of
this section; and
(iii) Appropriate contact information
for further communications from the
Secretary.
(3) Response to notification of
voluntary relinquishment. (i) After a
PSO provides the notification required
by paragraph (c)(2) of this section, the
Secretary will respond in writing to the
entity indicating whether the proposed
voluntary relinquishment of its PSO
status is accepted. If the voluntary
relinquishment is accepted, the
Secretary’s response will indicate an
effective date and time for the entity’s
removal from the list of PSOs and will
provide public notice of the voluntary
relinquishment and the effective date
and time of the delisting, in accordance
with § 3.108(d) of this subpart.
(ii) If the Secretary receives a
notification of voluntary relinquishment
during or immediately after revocation
proceedings for cause under paragraphs
(a)(4) and (a)(5) of this section, the
Secretary, as a matter of discretion, may
accept voluntary relinquishment in
accordance with the preceding
paragraph or decide not to accept the
entity’s proposed voluntary
relinquishment and proceed with the
revocation for cause and delisting
pursuant to paragraph (b)(1) of this
section.

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

(4) Non-applicability of certain
procedures and requirements. (i) A
decision by the Secretary to accept a
request by a PSO to relinquish
voluntarily its status as a PSO pursuant
to paragraph (c)(2) of this section does
not constitute a determination of a
deficiency in PSO compliance with the
Patient Safety Act or with this Subpart.
(ii) The procedures and requirements
of § 3.108(a) of this subpart regarding
deficiencies including the opportunity
to correct deficiencies and to be heard
in writing, and the procedures and
requirements of § 3.108(b) are not
applicable to determinations of the
Secretary made pursuant to this
subsection.
(d) Public notice of delisting regarding
removal from listing. If the Secretary
removes an entity from the list of PSOs
following revocation of acceptance of
the entity’s certification pursuant to
§ 3.108(b)(1), voluntary relinquishment
pursuant to § 3.108(c)(3), or expiration
of an entity’s period of listing pursuant
to § 3.104(e)(1), the Secretary will
promptly publish in the Federal
Register and on the AHRQ PSO website,
or in a comparable future form of public
notice, a notice of the actions taken and
the effective dates.
(e) Expedited revocation and
delisting—(1) Basis for expedited
revocation. Notwithstanding any other
provision of this section, the Secretary
may use the expedited revocation
process described in paragraph (e)(3) of
this section if he determines—
(i) The PSO is not in compliance with
this Part because it is or is about to
become an entity described in
§ 3.102(a)(2).
(ii) The parent organization of the
PSO is an entity described in
§ 3.102(a)(2) and requires or induces
health care providers to report patient
safety work product to its component
PSO; or
(iii) The circumstances for revocation
in paragraph (a)(1) of this section exist,
and the Secretary has determined that
there would be serious adverse
consequences if the PSO were to remain
listed.
(2) Applicable provisions. If the
Secretary uses the expedited revocation
process described in paragraph (e)(3) of
this section, the procedures in
paragraphs (a)(2) through (5) of this
section shall not apply and paragraph
(a)(1) and paragraphs (b) and (d) of this
section shall apply.
(3) Expedited revocation process. (i)
The Secretary must send the PSO a
written notice of deficiency that:
(A) Identifies the evidence that the
circumstances for revocation and
delisting under paragraph (a)(1) of this

PO 00000

Frm 00074

Fmt 4701

Sfmt 4700

section exist, and any corrective action
that the PSO must take if the Secretary
determines that corrective action may
resolve the matter so that the entity
would not be delisted; and
(B) Provides an opportunity for the
PSO to respond in writing to correct the
facts or the legal bases for delisting
found in the notice, and to offer any
other grounds for its not being delisted.
(ii) The notice of deficiency will be
presumed to be received five days after
it is sent, absent evidence of the actual
receipt date.
(iii) If the PSO does not submit a
written response to the Secretary within
14 calendar days of actual or
constructive receipt of such notice,
whichever is longer, the Secretary may
revoke his acceptance of the PSO’s
certifications and remove the entity
from the list of PSOs.
(iv) If the PSO responds in writing
within the required 14-day time period,
the Secretary may take any of the
following actions:
(A) Withdraw the notice of deficiency;
(B) Provide the PSO with more time
to resolve the matter to the Secretary’s
satisfaction; or
(C) Revoke his acceptance of the
PSO’s certifications and remove the
entity from the list of PSOs.
§ 3.110

Assessment of PSO compliance.

The Secretary may request
information or conduct announced or
unannounced reviews of, or site visits
to, PSOs, to assess or verify PSO
compliance with the requirements of
this subpart and for these purposes will
be allowed to inspect the physical or
virtual sites maintained or controlled by
the PSO. The Secretary will be allowed
to inspect and/or be given or sent copies
of any PSO records deemed necessary
and requested by the Secretary to
implement the provisions of this
subpart. Such PSO records may include
patient safety work product in
accordance with § 3.206(d) of this part.
§ 3.112

Submissions and forms.

(a) Forms referred to in this subpart
may be obtained on the PSO Web site
(http://www.pso.ahrq.gov) maintained
for the Secretary by AHRQ or a
successor agency or on successor
publication technology or by requesting
them in writing by e-mail at
pso@ahrq.hhs.gov, or by mail from the
Agency for Healthcare Research and
Quality, CQuIPS, PSO Liaison, 540
Gaither Road, Rockville, MD 20850. A
form (including any required
attachments) must be submitted in
accordance with the accompanying
instructions.

E:\FR\FM\21NOR3.SGM

21NOR3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
(b) Information submitted to AHRQ in
writing, but not required to be on or
attached to a form, and requests for
information from AHRQ, may be
submitted by mail or other delivery to
the Agency for Healthcare Research and
Quality, CQuIPS, PSO Liaison, 540
Gaither Road, Rockville, MD 20850, by
facsimile at (301) 427–1341, or by e-mail
at pso@ahrq.hhs.gov.
(c) If a submission to the Secretary is
incomplete or additional information is
needed to allow a determination to be
made under this subpart, the submitter
will be notified if any additional
information is required.
Subpart C—Confidentiality and
Privilege Protections of Patient Safety
Work Product

dwashington3 on PRODPC61 with RULES3

§ 3.204 Privilege of patient safety work
product.

(a) Privilege. Notwithstanding any
other provision of Federal, State, local,
or Tribal law and subject to paragraph
(b) of this section and § 3.208 of this
subpart, patient safety work product
shall be privileged and shall not be:
(1) Subject to a Federal, State, local,
or Tribal civil, criminal, or
administrative subpoena or order,
including in a Federal, State, local, or
Tribal civil or administrative
disciplinary proceeding against a
provider;
(2) Subject to discovery in connection
with a Federal, State, local, or Tribal
civil, criminal, or administrative
proceeding, including in a Federal,
State, local, or Tribal civil or
administrative disciplinary proceeding
against a provider;
(3) Subject to disclosure pursuant to
section 552 of Title 5, United States
Code (commonly known as the Freedom
of Information Act) or any other similar
Federal, State, local, or Tribal law;
(4) Admitted as evidence in any
Federal, State, local, or Tribal
governmental civil proceeding, criminal
proceeding, administrative rulemaking
proceeding, or administrative
adjudicatory proceeding, including any
such proceeding against a provider; or
(5) Admitted in a professional
disciplinary proceeding of a
professional disciplinary body
established or specifically authorized
under State law.
(b) Exceptions to privilege. Privilege
shall not apply to (and shall not be
construed to prohibit) one or more of
the following disclosures:
(1) Disclosure of relevant patient
safety work product for use in a
criminal proceeding, subject to the
conditions at § 3.206(b)(1) of this
subpart.

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

(2) Disclosure to the extent required to
permit equitable relief subject to the
conditions at § 3.206(b)(2) of this
subpart.
(3) Disclosure pursuant to provider
authorizations subject to the conditions
at § 3.206(b)(3) of this subpart.
(4) Disclosure of non-identifiable
patient safety work product subject to
the conditions at § 3.206(b)(5) of this
subpart.
(c) Implementation and enforcement
by the Secretary. Privilege shall not
apply to (and shall not be construed to
prohibit) disclosures of relevant patient
safety work product to or by the
Secretary if such patient safety work
product is needed to investigate or
determine compliance, or to seek or
impose civil money penalties, with
respect to this part or the HIPAA
Privacy Rule, or to make or support
decisions with respect to listing of a
PSO.
§ 3.206 Confidentiality of patient safety
work product.

(a) Confidentiality. Subject to
paragraphs (b) through (e) of this
section, and §§ 3.208 and 3.210 of this
subpart, patient safety work product
shall be confidential and shall not be
disclosed.
(b) Exceptions to confidentiality. The
confidentiality provisions shall not
apply to (and shall not be construed to
prohibit) one or more of the following
disclosures:
(1) Disclosure in criminal
proceedings. Disclosure of relevant
patient safety work product for use in a
criminal proceeding, but only after a
court makes an in-camera determination
that:
(i) Such patient safety work product
contains evidence of a criminal act;
(ii) Such patient safety work product
is material to the proceeding; and
(iii) Such patient safety work product
is not reasonably available from any
other source.
(2) Disclosure to permit equitable
relief for reporters. Disclosure of patient
safety work product to the extent
required to permit equitable relief under
section 922 (f)(4)(A) of the Public Health
Service Act, provided the court or
administrative tribunal has issued a
protective order to protect the
confidentiality of the patient safety
work product in the course of the
proceeding.
(3) Disclosure authorized by identified
providers. (i) Disclosure of identifiable
patient safety work product consistent
with a valid authorization if such
authorization is obtained from each
provider identified in such work

PO 00000

Frm 00075

Fmt 4701

Sfmt 4700

70805

product prior to disclosure. A valid
authorization must:
(A) Be in writing and signed by the
provider from whom authorization is
sought; and
(B) Contain sufficient detail to fairly
inform the provider of the nature and
scope of the disclosures being
authorized;
(ii) A valid authorization must be
retained by the disclosing entity for six
years from the date of the last disclosure
made in reliance on the authorization
and made available to the Secretary
upon request.
(4) Disclosure for patient safety
activities—(i) Disclosure between a
provider and a PSO. Disclosure of
patient safety work product for patient
safety activities by a provider to a PSO
or by a PSO to that disclosing provider.
(ii) Disclosure to a contractor of a
provider or a PSO. A provider or a PSO
may disclose patient safety work
product for patient safety activities to an
entity with which it has contracted to
undertake patient safety activities on its
behalf. A contractor receiving patient
safety work product for patient safety
activities may not further disclose
patient safety work product, except to
the provider or PSO with which it is
contracted.
(iii) Disclosure among affiliated
providers. Disclosure of patient safety
work product for patient safety activities
by a provider to an affiliated provider.
(iv) Disclosure to another PSO or
provider. Disclosure of patient safety
work product for patient safety activities
by a PSO to another PSO or to another
provider that has reported to the PSO,
or, except as otherwise permitted in
paragraph (b)(4)(iii) of this section, by a
provider to another provider, provided:
(A) The following direct identifiers of
any providers and of affiliated
organizations, corporate parents,
subsidiaries, practice partners,
employers, members of the workforce,
or household members of such
providers are removed:
(1) Names;
(2) Postal address information, other
than town or city, State and zip code;
(3) Telephone numbers;
(4) Fax numbers;
(5) Electronic mail addresses;
(6) Social security numbers or
taxpayer identification numbers;
(7) Provider or practitioner
credentialing or DEA numbers;
(8) National provider identification
number;
(9) Certificate/license numbers;
(10) Web Universal Resource Locators
(URLs);
(11) Internet Protocol (IP) address
numbers;

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

70806

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

(12) Biometric identifiers, including
finger and voice prints; and
(13) Full face photographic images
and any comparable images; and
(B) With respect to any individually
identifiable health information in such
patient safety work product, the direct
identifiers listed at 45 CFR 164.514(e)(2)
have been removed.
(5) Disclosure of nonidentifiable
patient safety work product. Disclosure
of nonidentifiable patient safety work
product when patient safety work
product meets the standard for
nonidentification in accordance with
§ 3.212 of this subpart.
(6) Disclosure for research. (i)
Disclosure of patient safety work
product to persons carrying out
research, evaluation or demonstration
projects authorized, funded, certified, or
otherwise sanctioned by rule or other
means by the Secretary, for the purpose
of conducting research.
(ii) If the patient safety work product
disclosed pursuant to paragraph (b)(6)(i)
of this section is by a HIPAA covered
entity as defined at 45 CFR 160.103 and
contains protected health information as
defined by the HIPAA Privacy Rule at
45 CFR 160.103, such patient safety
work product may only be disclosed
under this exception in the same
manner as would be permitted under
the HIPAA Privacy Rule.
(7) Disclosure to the Food and Drug
Administration (FDA) and entities
required to report to FDA. (i) Disclosure
by a provider of patient safety work
product concerning an FDA-regulated
product or activity to the FDA, an entity
required to report to the FDA
concerning the quality, safety, or
effectiveness of an FDA-regulated
product or activity, or a contractor
acting on behalf of FDA or such entity
for these purposes.
(ii) Any person permitted to receive
patient safety work product pursuant to
paragraph (b)(7)(i) of this section may
only further disclose such patient safety
work product for the purpose of
evaluating the quality, safety, or
effectiveness of that product or activity
to another such person or the disclosing
provider.
(8) Voluntary disclosure to an
accrediting body. (i) Voluntary
disclosure by a provider of patient
safety work product to an accrediting
body that accredits that provider,
provided, with respect to any identified
provider other than the provider making
the disclosure:
(A) The provider agrees to the
disclosure; or
(B) The identifiers at
§ 3.206(b)(4)(iv)(A) are removed.

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

(ii) An accrediting body may not
further disclose patient safety work
product it receives pursuant to
paragraph (b)(8)(i) of this section.
(iii) An accrediting body may not take
an accrediting action against a provider
based on a good faith participation of
the provider in the collection,
development, reporting, or maintenance
of patient safety work product in
accordance with this Part. An
accrediting body may not require a
provider to reveal its communications
with any PSO.
(9) Disclosure for business operations.
(i) Disclosure of patient safety work
product by a provider or a PSO for
business operations to attorneys,
accountants, and other professionals.
Such contractors may not further
disclose patient safety work product,
except to the entity from which they
received the information.
(ii) Disclosure of patient safety work
product for such other business
operations that the Secretary may
prescribe by regulation as consistent
with the goals of this part.
(10) Disclosure to law enforcement. (i)
Disclosure of patient safety work
product to an appropriate law
enforcement authority relating to an
event that either constitutes the
commission of a crime, or for which the
disclosing person reasonably believes
constitutes the commission of a crime,
provided that the disclosing person
believes, reasonably under the
circumstances, that the patient safety
work product that is disclosed is
necessary for criminal law enforcement
purposes.
(ii) Law enforcement personnel
receiving patient safety work product
pursuant to paragraph (b)(10)(i) of this
section only may disclose that patient
safety work product to other law
enforcement authorities as needed for
law enforcement activities related to the
event that gave rise to the disclosure
under paragraph (b)(10)(i) of this
section.
(c) Safe harbor. A provider or
responsible person, but not a PSO, is not
considered to have violated the
requirements of this subpart if a member
of its workforce discloses patient safety
work product, provided that the
disclosure does not include materials,
including oral statements, that:
(1) Assess the quality of care of an
identifiable provider; or
(2) Describe or pertain to one or more
actions or failures to act by an
identifiable provider.
(d) Implementation and enforcement
by the Secretary. The confidentiality
provisions shall not apply to (and shall
not be construed to prohibit) disclosures

PO 00000

Frm 00076

Fmt 4701

Sfmt 4700

of relevant patient safety work product
to or by the Secretary if such patient
safety work product is needed to
investigate or determine compliance or
to seek or impose civil money penalties,
with respect to this part or the HIPAA
Privacy Rule, or to make or support
decisions with respect to listing of a
PSO.
(e) No limitation on authority to limit
or delegate disclosure or use. Nothing in
subpart C of this part shall be construed
to limit the authority of any person to
enter into a contract requiring greater
confidentiality or delegating authority to
make a disclosure or use in accordance
with this subpart.
§ 3.208 Continued protection of patient
safety work product.

(a) Except as provided in paragraph
(b) of this section, patient safety work
product disclosed in accordance with
this subpart, or disclosed
impermissibly, shall continue to be
privileged and confidential.
(b)(1) Patient safety work product
disclosed for use in a criminal
proceeding pursuant to section
922(c)(1)(A) of the Public Health Service
Act, 42 U.S.C. 299b–22(c)(1)(A), and/or
pursuant to § 3.206(b)(1) of this subpart
continues to be privileged, but is no
longer confidential.
(2) Non-identifiable patient safety
work product that is disclosed is no
longer privileged or confidential and not
subject to the regulations under this
part.
(3) Paragraph (b) of this section
applies only to the specific patient
safety work product disclosed.
§ 3.210 Required disclosure of patient
safety work product to the Secretary.

Notwithstanding any other provision
in this part, providers, PSOs, and
responsible persons must disclose
patient safety work product upon
request by the Secretary when the
Secretary determines such patient safety
work product is needed to investigate or
determine compliance or to seek or
impose civil money penalties, with
respect to this part or the HIPAA
Privacy Rule, or to make or support
decisions with respect to listing of a
PSO.
§ 3.212 Nonidentification of patient safety
work product.

(a) Patient safety work product is
nonidentifiable with respect to a
particular identified provider or a
particular identified reporter if:
(1) A person with appropriate
knowledge of and experience with
generally accepted statistical and
scientific principles and methods for

E:\FR\FM\21NOR3.SGM

21NOR3

dwashington3 on PRODPC61 with RULES3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
rendering information not individually
identifiable:
(i) Applying such principles and
methods, determines that the risk is
very small that the information could be
used, alone or in combination with
other reasonably available information,
by an anticipated recipient to identify
an identified provider or reporter; and
(ii) Documents the methods and
results of the analysis that justify such
determination; or
(2)(i) The following identifiers of such
provider or reporter and of affiliated
organizations, corporate parents,
subsidiaries, practice partners,
employers, members of the workforce,
or household members of such
providers or reporters are removed:
(A) The direct identifiers listed at
§ 3.206(b)(4)(iv)(A)(1) through (13) of
this subpart;
(B) Geographic subdivisions smaller
than a State, including street address,
city, county, precinct, zip code and
equivalent geocodes, except for the
initial three digits of a zip code if,
according to the current publicly
available data from the Bureau of the
Census, the geographic unit formed by
combining all zip codes with the same
three initial digits contains more than
20,000 people;
(C) All elements of dates (except year)
for dates directly related to a patient
safety incident or event; and
(D) Any other unique identifying
number, characteristic, or code except
as permitted for re-identification; and
(ii) The provider, PSO or responsible
person making the disclosure does not
have actual knowledge that the
information could be used, alone or in
combination with other information that
is reasonably available to the intended
recipient, to identify the particular
provider or reporter.
(3) Re-identification. A provider, PSO,
or responsible person may assign a code
or other means of record identification
to allow information made
nonidentifiable under this section to be
re-identified by such provider, PSO, or
responsible person, provided that:
(i) The code or other means of record
identification is not derived from or
related to information about the
provider or reporter and is not
otherwise capable of being translated so
as to identify the provider or reporter;
and
(ii) The provider, PSO, or responsible
person does not use or disclose the code
or other means of record identification
for any other purpose, and does not
disclose the mechanism for reidentification.
(b) Patient safety work product is nonidentifiable with respect to a particular

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

patient only if the individually
identifiable health information
regarding that patient is de-identified in
accordance with the HIPAA Privacy
Rule standard and implementation
specifications for the de-identification at
45 CFR 164.514(a) through (c).
Subpart D—Enforcement Program
§ 3.304 Principles for achieving
compliance.

(a) Cooperation. The Secretary will, to
the extent practicable, seek the
cooperation of providers, PSOs, and
responsible persons in obtaining
compliance with the applicable
confidentiality provisions.
(b) Assistance. The Secretary may
provide technical assistance to
providers, PSOs, and responsible
persons to help them comply
voluntarily with the applicable
confidentiality provisions.
§ 3.306

Complaints to the Secretary.

(a) Right to file a complaint. A person
who believes that patient safety work
product has been disclosed in violation
of the confidentiality provisions may
file a complaint with the Secretary.
(b) Requirements for filing
complaints. Complaints under this
section must meet the following
requirements:
(1) A complaint must be filed in
writing, either on paper or
electronically.
(2) A complaint must name the person
that is the subject of the complaint and
describe the act(s) believed to be in
violation of the applicable
confidentiality provision(s).
(3) A complaint must be filed within
180 days of when the complainant knew
or should have known that the act
complained of occurred, unless this
time limit is waived by the Secretary for
good cause shown.
(4) The Secretary may prescribe
additional procedures for the filing of
complaints, as well as the place and
manner of filing, by notice in the
Federal Register.
(c) Investigation. The Secretary may
investigate complaints filed under this
section. Such investigation may include
a review of the pertinent policies,
procedures, or practices of the
respondent and of the circumstances
regarding any alleged violation. At the
time of initial written communication
with the respondent about the
complaint, the Secretary will describe
the act(s) that are the basis of the
complaint.
§ 3.308

Compliance reviews.

The Secretary may conduct
compliance reviews to determine

PO 00000

Frm 00077

Fmt 4701

Sfmt 4700

70807

whether a respondent is complying with
the applicable confidentiality
provisions.
§ 3.310

Responsibilities of respondents.

(a) Provide records and compliance
reports. A respondent must keep such
records and submit such compliance
reports, in such time and manner and
containing such information, as the
Secretary may determine to be necessary
to enable the Secretary to ascertain
whether the respondent has complied or
is complying with the applicable
confidentiality provisions.
(b) Cooperate with complaint
investigations and compliance reviews.
A respondent must cooperate with the
Secretary, if the Secretary undertakes an
investigation or compliance review of
the policies, procedures, or practices of
the respondent to determine whether it
is complying with the applicable
confidentiality provisions.
(c) Permit access to information. (1) A
respondent must permit access by the
Secretary during normal business hours
to its facilities, books, records, accounts,
and other sources of information,
including patient safety work product,
that are pertinent to ascertaining
compliance with the applicable
confidentiality provisions. If the
Secretary determines that exigent
circumstances exist, such as when
documents may be hidden or destroyed,
a respondent must permit access by the
Secretary at any time and without
notice.
(2) If any information required of a
respondent under this section is in the
exclusive possession of any other
agency, institution, or person, and the
other agency, institution, or person fails
or refuses to furnish the information, the
respondent must so certify and set forth
what efforts it has made to obtain the
information.
§ 3.312 Secretarial action regarding
complaints and compliance reviews.

(a) Resolution when noncompliance is
indicated. (1) If an investigation of a
complaint pursuant to § 3.306 of this
subpart or a compliance review
pursuant to § 3.308 of this subpart
indicates noncompliance, the Secretary
may attempt to reach a resolution of the
matter satisfactory to the Secretary by
informal means. Informal means may
include demonstrated compliance or a
completed corrective action plan or
other agreement.
(2) If the matter is resolved by
informal means, the Secretary will so
inform the respondent and, if the matter
arose from a complaint, the
complainant, in writing.

E:\FR\FM\21NOR3.SGM

21NOR3

70808

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

(3) If the matter is not resolved by
informal means, the Secretary will—
(i) So inform the respondent and
provide the respondent an opportunity
to submit written evidence of any
mitigating factors. The respondent must
submit any evidence to the Secretary
within 30 days (computed in the same
manner as prescribed under § 3.526 of
this subpart) of receipt of such
notification; and
(ii) If, following action pursuant to
paragraph (a)(3)(i) of this section, the
Secretary decides that a civil money
penalty should be imposed, inform the
respondent of such finding in a notice
of proposed determination in
accordance with § 3.420 of this subpart.
(b) Resolution when no violation is
found. If, after an investigation pursuant
to § 3.306 of this subpart or a
compliance review pursuant to § 3.308
of this subpart, the Secretary determines
that further action is not warranted, the
Secretary will so inform the respondent
and, if the matter arose from a
complaint, the complainant, in writing.
(c) Uses and disclosures of
information obtained. (1) Identifiable
patient safety work product obtained by
the Secretary in connection with an
investigation or compliance review
under this subpart will not be disclosed
by the Secretary, except in accordance
with § 3.206(d) of this subpart, or if
otherwise permitted by this part or the
Patient Safety Act.
(2) Except as provided for in
paragraph (c)(1) of this section,
information, including testimony and
other evidence, obtained by the
Secretary in connection with an
investigation or compliance review
under this subpart may be used by HHS
in any of its activities and may be used
or offered into evidence in any
administrative or judicial proceeding.

dwashington3 on PRODPC61 with RULES3

§ 3.314 Investigational subpoenas and
inquiries.

(a) The Secretary may issue
subpoenas in accordance with 42 U.S.C.
405(d) and (e), and 1320a–7a(j), to
require the attendance and testimony of
witnesses and the production of any
other evidence including patient safety
work product during an investigation or
compliance review pursuant to this part.
(1) A subpoena issued under this
paragraph must—
(i) State the name of the person
(including the entity, if applicable) to
whom the subpoena is addressed;
(ii) State the statutory authority for
the subpoena;
(iii) Indicate the date, time, and place
that the testimony will take place;

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

(iv) Include a reasonably specific
description of any documents or items
required to be produced; and
(v) If the subpoena is addressed to an
entity, describe with reasonable
particularity the subject matter on
which testimony is required. In that
event, the entity must designate one or
more natural persons who will testify on
its behalf, and must state as to each such
person that person’s name and address
and the matters on which he or she will
testify. The designated person must
testify as to matters known or
reasonably available to the entity.
(2) A subpoena under this section
must be served by—
(i) Delivering a copy to the natural
person named in the subpoena or to the
entity named in the subpoena at its last
principal place of business; or
(ii) Registered or certified mail
addressed to the natural person at his or
her last known dwelling place or to the
entity at its last known principal place
of business.
(3) A verified return by the natural
person serving the subpoena setting
forth the manner of service or, in the
case of service by registered or certified
mail, the signed return post office
receipt, constitutes proof of service.
(4) Witnesses are entitled to the same
fees and mileage as witnesses in the
district courts of the United States (28
U.S.C. 1821 and 1825). Fees need not be
paid at the time the subpoena is served.
(5) A subpoena under this section is
enforceable through the district court of
the United States for the district where
the subpoenaed natural person resides
or is found or where the entity transacts
business.
(b) Investigational inquiries are nonpublic investigational proceedings
conducted by the Secretary.
(1) Testimony at investigational
inquiries will be taken under oath or
affirmation.
(2) Attendance of non-witnesses is
discretionary with the Secretary, except
that a witness is entitled to be
accompanied, represented, and advised
by an attorney.
(3) Representatives of the Secretary
are entitled to attend and ask questions.
(4) A witness will have the
opportunity to clarify his or her answers
on the record following questioning by
the Secretary.
(5) Any claim of privilege must be
asserted by the witness on the record.
(6) Objections must be asserted on the
record. Errors of any kind that might be
corrected if promptly presented will be
deemed to be waived unless reasonable
objection is made at the investigational
inquiry. Except where the objection is
on the grounds of privilege, the question

PO 00000

Frm 00078

Fmt 4701

Sfmt 4700

will be answered on the record, subject
to objection.
(7) If a witness refuses to answer any
question not privileged or to produce
requested documents or items, or
engages in conduct likely to delay or
obstruct the investigational inquiry, the
Secretary may seek enforcement of the
subpoena under paragraph (a)(5) of this
section.
(8) The proceedings will be recorded
and transcribed. The witness is entitled
to a copy of the transcript, upon
payment of prescribed costs, except
that, for good cause, the witness may be
limited to inspection of the official
transcript of his or her testimony.
(9)(i) The transcript will be submitted
to the witness for signature.
(A) Where the witness will be
provided a copy of the transcript, the
transcript will be submitted to the
witness for signature. The witness may
submit to the Secretary written
proposed corrections to the transcript,
with such corrections attached to the
transcript. If the witness does not return
a signed copy of the transcript or
proposed corrections within 30 days
(computed in the same manner as
prescribed under § 3.526 of this part) of
its being submitted to him or her for
signature, the witness will be deemed to
have agreed that the transcript is true
and accurate.
(B) Where, as provided in paragraph
(b)(8) of this section, the witness is
limited to inspecting the transcript, the
witness will have the opportunity at the
time of inspection to propose
corrections to the transcript, with
corrections attached to the transcript.
The witness will also have the
opportunity to sign the transcript. If the
witness does not sign the transcript or
offer corrections within 30 days
(computed in the same manner as
prescribed under § 3.526 of this part) of
receipt of notice of the opportunity to
inspect the transcript, the witness will
be deemed to have agreed that the
transcript is true and accurate.
(ii) The Secretary’s proposed
corrections to the record of transcript
will be attached to the transcript.
§ 3.402

Basis for a civil money penalty.

(a) General rule. A person who
discloses identifiable patient safety
work product in knowing or reckless
violation of the confidentiality
provisions shall be subject to a civil
money penalty for each act constituting
such violation.
(b) Violation attributed to a principal.
A principal is independently liable, in
accordance with the federal common
law of agency, for a civil money penalty
based on the act of the principal’s agent,

E:\FR\FM\21NOR3.SGM

21NOR3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
including a workforce member, acting
within the scope of the agency if such
act could give rise to a civil money
penalty in accordance with § 3.402(a) of
this subpart.
§ 3.404

Amount of a civil money penalty.

(a) The amount of a civil money
penalty will be determined in
accordance with paragraph (b) of this
section and § 3.408 of this subpart.
(b) The Secretary may impose a civil
money penalty in the amount of not
more than $10,000.

dwashington3 on PRODPC61 with RULES3

§ 3.408 Factors considered in determining
the amount of a civil money penalty.

In determining the amount of any
civil money penalty, the Secretary may
consider as aggravating or mitigating
factors, as appropriate, any of the
following:
(a) The nature of the violation.
(b) The circumstances, including the
consequences, of the violation,
including:
(1) The time period during which the
violation(s) occurred; and
(2) Whether the violation caused
physical or financial harm or
reputational damage;
(c) The degree of culpability of the
respondent, including:
(1) Whether the violation was
intentional; and
(2) Whether the violation was beyond
the direct control of the respondent.
(d) Any history of prior compliance
with the Patient Safety Act, including
violations, by the respondent, including:
(1) Whether the current violation is
the same or similar to prior violation(s);
(2) Whether and to what extent the
respondent has attempted to correct
previous violations;
(3) How the respondent has
responded to technical assistance from
the Secretary provided in the context of
a compliance effort; and
(4) How the respondent has
responded to prior complaints.
(e) The financial condition of the
respondent, including:
(1) Whether the respondent had
financial difficulties that affected its
ability to comply;
(2) Whether the imposition of a civil
money penalty would jeopardize the
ability of the respondent to continue to
provide health care or patient safety
activities; and
(3) The size of the respondent.
(f) Such other matters as justice may
require.
§ 3.414

Limitations.

No action under this subpart may be
entertained unless commenced by the
Secretary, in accordance with § 3.420 of

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

this subpart, within 6 years from the
date of the occurrence of the violation.
§ 3.416

Authority to settle.

Nothing in this subpart limits the
authority of the Secretary to settle any
issue or case or to compromise any
penalty.
§ 3.418

Exclusivity of penalty.

(a) Except as otherwise provided by
paragraph (b) of this section, a penalty
imposed under this part is in addition
to any other penalty prescribed by law.
(b) Civil money penalties shall not be
imposed both under this part and under
the HIPAA Privacy Rule (45 CFR parts
160 and 164).
§ 3.420

Notice of proposed determination.

(a) If a penalty is proposed in
accordance with this part, the Secretary
must deliver, or send by certified mail
with return receipt requested, to the
respondent, written notice of the
Secretary’s intent to impose a penalty.
This notice of proposed determination
must include:
(1) Reference to the statutory basis for
the penalty;
(2) A description of the findings of
fact regarding the violations with
respect to which the penalty is
proposed;
(3) The reason(s) why the violation(s)
subject(s) the respondent to a penalty;
(4) The amount of the proposed
penalty;
(5) Any factors described in § 3.408 of
this subpart that were considered in
determining the amount of the proposed
penalty; and
(6) Instructions for responding to the
notice, including a statement of the
respondent’s right to a hearing, a
statement that failure to request a
hearing within 60 days permits the
imposition of the proposed penalty
without the right to a hearing under
§ 3.504 of this subpart or a right of
appeal under § 3.548 of this subpart,
and the address to which the hearing
request must be sent.
(b) The respondent may request a
hearing before an ALJ on the proposed
penalty by filing a request in accordance
with § 3.504 of this subpart.
§ 3.422

Failure to request a hearing.

If the respondent does not request a
hearing within the time prescribed by
§ 3.504 of this subpart and the matter is
not settled pursuant to § 3.416 of this
subpart, the Secretary may impose the
proposed penalty or any lesser penalty
permitted by sections 921 through 926
of the Public Health Service Act, 42
U.S.C. 299b–21 through 299b–26. The
Secretary will notify the respondent by

PO 00000

Frm 00079

Fmt 4701

Sfmt 4700

70809

certified mail, return receipt requested,
of any penalty that has been imposed
and of the means by which the
respondent may satisfy the penalty, and
the penalty is final on receipt of the
notice. The respondent has no right to
appeal a penalty under § 3.548 of this
subpart with respect to which the
respondent has not timely requested a
hearing.
§ 3.424

Collection of penalty.

(a) Once a determination of the
Secretary to impose a penalty has
become final, the penalty will be
collected by the Secretary, subject to the
first sentence of 42 U.S.C. 1320a–7a(f).
(b) The penalty may be recovered in
a civil action brought in the United
States district court for the district
where the respondent resides, is found,
or is located.
(c) The amount of a penalty, when
finally determined, or the amount
agreed upon in compromise, may be
deducted from any sum then or later
owing by the United States, or by a State
agency, to the respondent.
(d) Matters that were raised or that
could have been raised in a hearing
before an ALJ, or in an appeal under 42
U.S.C. 1320a–7a(e), may not be raised as
a defense in a civil action by the United
States to collect a penalty under this
part.
§ 3.426 Notification of the public and other
agencies.

Whenever a proposed penalty
becomes final, the Secretary will notify,
in such manner as the Secretary deems
appropriate, the public and the
following organizations and entities
thereof and the reason it was imposed:
The appropriate State or local medical
or professional organization, the
appropriate State agency or agencies
administering or supervising the
administration of State health care
programs (as defined in 42 U.S.C.
1320a–7(h)), the appropriate utilization
and quality control peer review
organization, and the appropriate State
or local licensing agency or organization
(including the agency specified in 42
U.S.C. 1395aa(a), 1396a(a)(33)).
§ 3.504

Hearings before an ALJ.

(a) A respondent may request a
hearing before an ALJ. The parties to the
hearing proceeding consist of—
(1) The respondent; and
(2) The officer(s) or employee(s) of
HHS to whom the enforcement
authority involved has been delegated.
(b) The request for a hearing must be
made in writing signed by the
respondent or by the respondent’s
attorney and sent by certified mail,

E:\FR\FM\21NOR3.SGM

21NOR3

70810

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

return receipt requested, to the address
specified in the notice of proposed
determination. The request for a hearing
must be mailed within 60 days after
notice of the proposed determination is
received by the respondent. For
purposes of this section, the
respondent’s date of receipt of the
notice of proposed determination is
presumed to be 5 days after the date of
the notice unless the respondent makes
a reasonable showing to the contrary to
the ALJ.
(c) The request for a hearing must
clearly and directly admit, deny, or
explain each of the findings of fact
contained in the notice of proposed
determination with regard to which the
respondent has any knowledge. If the
respondent has no knowledge of a
particular finding of fact and so states,
the finding shall be deemed denied. The
request for a hearing must also state the
circumstances or arguments that the
respondent alleges constitute the
grounds for any defense and the factual
and legal basis for opposing the penalty.
(d) The ALJ must dismiss a hearing
request where—
(1) On motion of the Secretary, the
ALJ determines that the respondent’s
hearing request is not timely filed as
required by paragraph (b) or does not
meet the requirements of paragraph (c)
of this section;
(2) The respondent withdraws the
request for a hearing;
(3) The respondent abandons the
request for a hearing; or
(4) The respondent’s hearing request
fails to raise any issue that may properly
be addressed in a hearing.

dwashington3 on PRODPC61 with RULES3

§ 3.506

Rights of the parties.

(a) Except as otherwise limited by this
subpart, each party may—
(1) Be accompanied, represented, and
advised by an attorney;
(2) Participate in any conference held
by the ALJ;
(3) Conduct discovery of documents
as permitted by this subpart;
(4) Agree to stipulations of fact or law
that will be made part of the record;
(5) Present evidence relevant to the
issues at the hearing;
(6) Present and cross-examine
witnesses;
(7) Present oral arguments at the
hearing as permitted by the ALJ; and
(8) Submit written briefs and
proposed findings of fact and
conclusions of law after the hearing.
(b) A party may appear in person or
by a representative. Natural persons
who appear as an attorney or other
representative must conform to the
standards of conduct and ethics
required of practitioners before the
courts of the United States.

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

(c) Fees for any services performed on
behalf of a party by an attorney are not
subject to the provisions of 42 U.S.C.
406, which authorizes the Secretary to
specify or limit their fees.
§ 3.508

Authority of the ALJ.

(a) The ALJ must conduct a fair and
impartial hearing, avoid delay, maintain
order, and ensure that a record of the
proceeding is made.
(b) The ALJ may—
(1) Set and change the date, time and
place of the hearing upon reasonable
notice to the parties;
(2) Continue or recess the hearing in
whole or in part for a reasonable period
of time;
(3) Hold conferences to identify or
simplify the issues, or to consider other
matters that may aid in the expeditious
disposition of the proceeding;
(4) Administer oaths and affirmations;
(5) Issue subpoenas requiring the
attendance of witnesses at hearings and
the production of documents at or in
relation to hearings;
(6) Rule on motions and other
procedural matters;
(7) Regulate the scope and timing of
documentary discovery as permitted by
this subpart;
(8) Regulate the course of the hearing
and the conduct of representatives,
parties, and witnesses;
(9) Examine witnesses;
(10) Receive, rule on, exclude, or limit
evidence;
(11) Upon motion of a party, take
official notice of facts;
(12) Conduct any conference,
argument or hearing in person or, upon
agreement of the parties, by telephone;
and
(13) Upon motion of a party, decide
cases, in whole or in part, by summary
judgment where there is no disputed
issue of material fact. A summary
judgment decision constitutes a hearing
on the record for the purposes of this
subpart.
(c) The ALJ—
(1) May not find invalid or refuse to
follow Federal statutes, regulations, or
Secretarial delegations of authority and
must give deference to published
guidance to the extent not inconsistent
with statute or regulation;
(2) May not enter an order in the
nature of a directed verdict;
(3) May not compel settlement
negotiations; or
(4) May not enjoin any act of the
Secretary.
§ 3.510

Ex parte contacts.

No party or person (except employees
of the ALJ’s office) may communicate in
any way with the ALJ on any matter at

PO 00000

Frm 00080

Fmt 4701

Sfmt 4700

issue in a case, unless on notice and
opportunity for both parties to
participate. This provision does not
prohibit a party or person from
inquiring about the status of a case or
asking routine questions concerning
administrative functions or procedures.
§ 3.512

Prehearing conferences.

(a) The ALJ must schedule at least one
prehearing conference, and may
schedule additional prehearing
conferences as appropriate, upon
reasonable notice, which may not be
less than 14 business days, to the
parties.
(b) The ALJ may use prehearing
conferences to discuss the following—
(1) Simplification of the issues;
(2) The necessity or desirability of
amendments to the pleadings, including
the need for a more definite statement;
(3) Stipulations and admissions of fact
or as to the contents and authenticity of
documents;
(4) Whether the parties can agree to
submission of the case on a stipulated
record;
(5) Whether a party chooses to waive
appearance at an oral hearing and to
submit only documentary evidence
(subject to the objection of the other
party) and written argument;
(6) Limitation of the number of
witnesses;
(7) Scheduling dates for the exchange
of witness lists and of proposed
exhibits;
(8) Discovery of documents as
permitted by this subpart;
(9) The time and place for the hearing;
(10) The potential for the settlement
of the case by the parties; and
(11) Other matters as may tend to
encourage the fair, just and expeditious
disposition of the proceedings,
including the protection of
confidentiality of identifiable patient
safety work product that may be
submitted into evidence or otherwise
used in the proceeding, if appropriate.
(c) The ALJ must issue an order
containing the matters agreed upon by
the parties or ordered by the ALJ at a
prehearing conference.
§ 3.514

Authority to settle.

The Secretary has exclusive authority
to settle any issue or case without the
consent of the ALJ.
§ 3.516

Discovery.

(a) A party may make a request to
another party for production of
documents for inspection and copying
that are relevant and material to the
issues before the ALJ.
(b) For the purpose of this section, the
term ‘‘documents’’ includes

E:\FR\FM\21NOR3.SGM

21NOR3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
information, reports, answers, records,
accounts, papers and other data and
documentary evidence. Nothing
contained in this section may be
interpreted to require the creation of a
document, except that requested data
stored in an electronic data storage
system must be produced in a form
accessible to the requesting party.
(c) Requests for documents, requests
for admissions, written interrogatories,
depositions and any forms of discovery,
other than those permitted under
paragraph (a) of this section, are not
authorized.
(d) This section may not be construed
to require the disclosure of interview
reports or statements obtained by any
party, or on behalf of any party, of
persons who will not be called as
witnesses by that party, or analyses and
summaries prepared in conjunction
with the investigation or litigation of the
case, or any otherwise privileged
documents.
(e)(1) When a request for production
of documents has been received, within
30 days the party receiving that request
must either fully respond to the request,
or state that the request is being objected
to and the reasons for that objection. If
objection is made to part of an item or
category, the part must be specified.
Upon receiving any objections, the party
seeking production may then, within 30
days or any other time frame set by the
ALJ, file a motion for an order
compelling discovery. The party
receiving a request for production may
also file a motion for protective order
any time before the date the production
is due.
(2) The ALJ may grant a motion for
protective order or deny a motion for an
order compelling discovery if the ALJ
finds that the discovery sought—
(i) Is irrelevant;
(ii) Is unduly costly or burdensome;
(iii) Will unduly delay the
proceeding; or
(iv) Seeks privileged information.
(3) The ALJ may extend any of the
time frames set forth in paragraph (e)(1)
of this section.
(4) The burden of showing that
discovery should be allowed is on the
party seeking discovery.

dwashington3 on PRODPC61 with RULES3

§ 3.518 Exchange of witness lists, witness
statements, and exhibits.

(a) The parties must exchange witness
lists, copies of prior written statements
of proposed witnesses, and copies of
proposed hearing exhibits, including
copies of any written statements that the
party intends to offer in lieu of live
testimony in accordance with § 3.538,
not more than 60, and not less than 15,
days before the scheduled hearing.

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

(b)(1) If, at any time, a party objects
to the proposed admission of evidence
not exchanged in accordance with
paragraph (a) of this section, the ALJ
must determine whether the failure to
comply with paragraph (a) of this
section should result in the exclusion of
that evidence.
(2) Unless the ALJ finds that
extraordinary circumstances justified
the failure timely to exchange the
information listed under paragraph (a)
of this section, the ALJ must exclude
from the party’s case-in-chief—
(i) The testimony of any witness
whose name does not appear on the
witness list; and
(ii) Any exhibit not provided to the
opposing party as specified in paragraph
(a) of this section.
(3) If the ALJ finds that extraordinary
circumstances existed, the ALJ must
then determine whether the admission
of that evidence would cause substantial
prejudice to the objecting party.
(i) If the ALJ finds that there is no
substantial prejudice, the evidence may
be admitted.
(ii) If the ALJ finds that there is
substantial prejudice, the ALJ may
exclude the evidence, or, if he or she
does not exclude the evidence, must
postpone the hearing for such time as is
necessary for the objecting party to
prepare and respond to the evidence,
unless the objecting party waives
postponement.
(c) Unless the other party objects
within a reasonable period of time
before the hearing, documents
exchanged in accordance with
paragraph (a) of this section will be
deemed to be authentic for the purpose
of admissibility at the hearing.
§ 3.520 Subpoenas for attendance at
hearing.

(a) A party wishing to procure the
appearance and testimony of any person
at the hearing may make a motion
requesting the ALJ to issue a subpoena
if the appearance and testimony are
reasonably necessary for the
presentation of a party’s case.
(b) A subpoena requiring the
attendance of a person in accordance
with paragraph (a) of this section may
also require the person (whether or not
the person is a party) to produce
relevant and material evidence at or
before the hearing.
(c) When a subpoena is served by a
respondent on a particular employee or
official or particular office of HHS, the
Secretary may comply by designating
any knowledgeable HHS representative
to appear and testify.
(d) A party seeking a subpoena must
file a written motion not less than 30

PO 00000

Frm 00081

Fmt 4701

Sfmt 4700

70811

days before the date fixed for the
hearing, unless otherwise allowed by
the ALJ for good cause shown. That
motion must—
(1) Specify any evidence to be
produced;
(2) Designate the witnesses; and
(3) Describe the address and location
with sufficient particularity to permit
those witnesses to be found.
(e) The subpoena must specify the
time and place at which the witness is
to appear and any evidence the witness
is to produce.
(f) Within 15 days after the written
motion requesting issuance of a
subpoena is served, any party may file
an opposition or other response.
(g) If the motion requesting issuance
of a subpoena is granted, the party
seeking the subpoena must serve it by
delivery to the person named, or by
certified mail addressed to that person
at the person’s last dwelling place or
principal place of business.
(h) The person to whom the subpoena
is directed may file with the ALJ a
motion to quash the subpoena within 10
days after service.
(i) The exclusive remedy for
contumacy by, or refusal to obey a
subpoena duly served upon, any person
is specified in 42 U.S.C. 405(e).
§ 3.522

Fees.

The party requesting a subpoena must
pay the cost of the fees and mileage of
any witness subpoenaed in the amounts
that would be payable to a witness in a
proceeding in United States District
Court. A check for witness fees and
mileage must accompany the subpoena
when served, except that, when a
subpoena is issued on behalf of the
Secretary, a check for witness fees and
mileage need not accompany the
subpoena.
§ 3.524

Form, filing, and service of papers.

(a) Forms. (1) Unless the ALJ directs
the parties to do otherwise, documents
filed with the ALJ must include an
original and two copies.
(2) Every pleading and paper filed in
the proceeding must contain a caption
setting forth the title of the action, the
case number, and a designation of the
paper, such as motion to quash
subpoena.
(3) Every pleading and paper must be
signed by and must contain the address
and telephone number of the party or
the person on whose behalf the paper
was filed, or his or her representative.
(4) Papers are considered filed when
they are mailed.
(b) Service. A party filing a document
with the ALJ or the Board must, at the
time of filing, serve a copy of the

E:\FR\FM\21NOR3.SGM

21NOR3

70812

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

document on the other party. Service
upon any party of any document must
be made by delivering a copy, or placing
a copy of the document in the United
States mail, postage prepaid and
addressed, or with a private delivery
service, to the party’s last known
address. When a party is represented by
an attorney, service must be made upon
the attorney in lieu of the party.
(c) Proof of service. A certificate of the
natural person serving the document by
personal delivery or by mail, setting
forth the manner of service, constitutes
proof of service.
§ 3.526

Computation of time.

(a) In computing any period of time
under this subpart or in an order issued
thereunder, the time begins with the day
following the act, event or default, and
includes the last day of the period
unless it is a Saturday, Sunday, or legal
holiday observed by the Federal
Government, in which event it includes
the next business day.
(b) When the period of time allowed
is less than 7 days, intermediate
Saturdays, Sundays, and legal holidays
observed by the Federal Government
must be excluded from the computation.
(c) Where a document has been served
or issued by placing it in the mail, an
additional 5 days must be added to the
time permitted for any response. This
paragraph does not apply to requests for
hearing under § 3.504.

dwashington3 on PRODPC61 with RULES3

§ 3.528

Motions.

(a) An application to the ALJ for an
order or ruling must be by motion.
Motions must state the relief sought, the
authority relied upon and the facts
alleged, and must be filed with the ALJ
and served on all other parties.
(b) Except for motions made during a
prehearing conference or at the hearing,
all motions must be in writing. The ALJ
may require that oral motions be
reduced to writing.
(c) Within 10 days after a written
motion is served, or such other time as
may be fixed by the ALJ, any party may
file a response to the motion.
(d) The ALJ may not grant a written
motion before the time for filing
responses has expired, except upon
consent of the parties or following a
hearing on the motion, but may overrule
or deny the motion without awaiting a
response.
(e) The ALJ must make a reasonable
effort to dispose of all outstanding
motions before the beginning of the
hearing.
§ 3.530

Sanctions.

The ALJ may sanction a person,
including any party or attorney, for

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

failing to comply with an order or
procedure, for failing to defend an
action or for other misconduct that
interferes with the speedy, orderly or
fair conduct of the hearing. The
sanctions must reasonably relate to the
severity and nature of the failure or
misconduct. The sanctions may
include—
(a) In the case of refusal to provide or
permit discovery under the terms of this
part, drawing negative factual inferences
or treating the refusal as an admission
by deeming the matter, or certain facts,
to be established;
(b) Prohibiting a party from
introducing certain evidence or
otherwise supporting a particular claim
or defense;
(c) Striking pleadings, in whole or in
part;
(d) Staying the proceedings;
(e) Dismissal of the action;
(f) Entering a decision by default;
(g) Ordering the party or attorney to
pay the attorney’s fees and other costs
caused by the failure or misconduct;
and
(h) Refusing to consider any motion or
other action that is not filed in a timely
manner.
§ 3.532

Collateral estoppel.

When a final determination that the
respondent violated a confidentiality
provision has been rendered in any
proceeding in which the respondent
was a party and had an opportunity to
be heard, the respondent is bound by
that determination in any proceeding
under this part.
§ 3.534

The hearing.

(a) The ALJ must conduct a hearing
on the record in order to determine
whether the respondent should be
found liable under this part.
(b)(1) The respondent has the burden
of going forward and the burden of
persuasion with respect to any
challenge to the amount of a proposed
penalty pursuant to §§ 3.404 and 3.408,
including any factors raised as
mitigating factors.
(2) The Secretary has the burden of
going forward and the burden of
persuasion with respect to all other
issues, including issues of liability and
the existence of any factors considered
as aggravating factors in determining the
amount of the proposed penalty.
(3) The burden of persuasion will be
judged by a preponderance of the
evidence.
(c) The hearing must be open to the
public unless otherwise ordered by the
ALJ for good cause shown, which may
be that identifiable patient safety work
product has been introduced into

PO 00000

Frm 00082

Fmt 4701

Sfmt 4700

evidence or is expected to be introduced
into evidence.
(d)(1) Subject to the 15-day rule under
§ 3.518(a) and the admissibility of
evidence under § 3.540, either party
may introduce, during its case in chief,
items or information that arose or
became known after the date of the
issuance of the notice of proposed
determination or the request for hearing,
as applicable. Such items and
information may not be admitted into
evidence, if introduced—
(i) By the Secretary, unless they are
material and relevant to the acts or
omissions with respect to which the
penalty is proposed in the notice of
proposed determination pursuant to
§ 3.420 of this part, including
circumstances that may increase
penalties; or
(ii) By the respondent, unless they are
material and relevant to an admission,
denial or explanation of a finding of fact
in the notice of proposed determination
under § 3.420 of this part, or to a
specific circumstance or argument
expressly stated in the request for
hearing under § 3.504, including
circumstances that may reduce
penalties.
(2) After both parties have presented
their cases, evidence may be admitted in
rebuttal even if not previously
exchanged in accordance with § 3.518.
§ 3.538

Witnesses.

(a) Except as provided in paragraph
(b) of this section, testimony at the
hearing must be given orally by
witnesses under oath or affirmation.
(b) At the discretion of the ALJ,
testimony of witnesses other than the
testimony of expert witnesses may be
admitted in the form of a written
statement. The ALJ may, at his or her
discretion, admit prior sworn testimony
of experts that has been subject to
adverse examination, such as a
deposition or trial testimony. Any such
written statement must be provided to
the other party, along with the last
known address of the witness, in a
manner that allows sufficient time for
the other party to subpoena the witness
for cross-examination at the hearing.
Prior written statements of witnesses
proposed to testify at the hearing must
be exchanged as provided in § 3.518.
(c) The ALJ must exercise reasonable
control over the mode and order of
interrogating witnesses and presenting
evidence so as to:
(1) Make the interrogation and
presentation effective for the
ascertainment of the truth;
(2) Avoid repetition or needless
consumption of time; and

E:\FR\FM\21NOR3.SGM

21NOR3

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations
(3) Protect witnesses from harassment
or undue embarrassment.
(d) The ALJ must permit the parties to
conduct cross-examination of witnesses
as may be required for a full and true
disclosure of the facts.
(e) The ALJ may order witnesses
excluded so that they cannot hear the
testimony of other witnesses, except
that the ALJ may not order to be
excluded—
(1) A party who is a natural person;
(2) In the case of a party that is not
a natural person, the officer or employee
of the party appearing for the entity pro
se or designated as the party’s
representative; or
(3) A natural person whose presence
is shown by a party to be essential to the
presentation of its case, including a
person engaged in assisting the attorney
for the Secretary.

dwashington3 on PRODPC61 with RULES3

§ 3.540

Evidence.

(a) The ALJ must determine the
admissibility of evidence.
(b) Except as provided in this subpart,
the ALJ is not bound by the Federal
Rules of Evidence. However, the ALJ
may apply the Federal Rules of
Evidence where appropriate, for
example, to exclude unreliable
evidence.
(c) The ALJ must exclude irrelevant or
immaterial evidence.
(d) Although relevant, evidence may
be excluded if its probative value is
substantially outweighed by the danger
of unfair prejudice, confusion of the
issues, or by considerations of undue
delay or needless presentation of
cumulative evidence.
(e) Although relevant, evidence must
be excluded if it is privileged under
Federal law.
(f) Evidence concerning offers of
compromise or settlement is
inadmissible to the extent provided in
Rule 408 of the Federal Rules of
Evidence.
(g) Evidence of crimes, wrongs, or acts
other than those at issue in the instant
case is admissible in order to show
motive, opportunity, intent, knowledge,
preparation, identity, lack of mistake, or
existence of a scheme. This evidence is
admissible regardless of whether the
crimes, wrongs, or acts occurred during
the statute of limitations period
applicable to the acts or omissions that
constitute the basis for liability in the
case and regardless of whether they
were referenced in the Secretary’s notice
of proposed determination under
§ 3.420.
(h) The ALJ must permit the parties to
introduce rebuttal witnesses and
evidence.
(i) All documents and other evidence
offered or taken for the record must be

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

open to examination by both parties,
unless otherwise ordered by the ALJ for
good cause shown.
§ 3.542

The record.

(a) The hearing must be recorded and
transcribed. Transcripts may be
obtained following the hearing from the
ALJ. A party that requests a transcript of
hearing proceedings must pay the cost
of preparing the transcript unless, for
good cause shown by the party, the
payment is waived by the ALJ or the
Board, as appropriate.
(b) The transcript of the testimony,
exhibits, and other evidence admitted at
the hearing, and all papers and requests
filed in the proceeding constitute the
record for decision by the ALJ and the
Secretary.
(c) The record may be inspected and
copied (upon payment of a reasonable
fee) by any person, unless otherwise
ordered by the ALJ for good cause
shown, which may include the presence
in the record of identifiable patient
safety work product.
(d) For good cause, which may
include the presence in the record of
identifiable patient safety work product,
the ALJ may order appropriate
redactions made to the record.
§ 3.544

Post hearing briefs.

The ALJ may require the parties to file
post-hearing briefs. In any event, any
party may file a post-hearing brief. The
ALJ must fix the time for filing the
briefs. The time for filing may not
exceed 60 days from the date the parties
receive the transcript of the hearing or,
if applicable, the stipulated record. The
briefs may be accompanied by proposed
findings of fact and conclusions of law.
The ALJ may permit the parties to file
reply briefs.
§ 3.546

ALJ’s decision.

(a) The ALJ must issue a decision,
based only on the record, which must
contain findings of fact and conclusions
of law.
(b) The ALJ may affirm, increase, or
reduce the penalties imposed by the
Secretary.
(c) The ALJ must issue the decision to
both parties within 60 days after the
time for submission of post-hearing
briefs and reply briefs, if permitted, has
expired. If the ALJ fails to meet the
deadline contained in this paragraph, he
or she must notify the parties of the
reason for the delay and set a new
deadline.
(d) Unless the decision of the ALJ is
timely appealed as provided for in
§ 3.548, the decision of the ALJ will be
final and binding on the parties 60 days
from the date of service of the ALJ’s
decision.

PO 00000

Frm 00083

Fmt 4701

Sfmt 4700

§ 3.548

70813

Appeal of the ALJ’s decision.

(a) Any party may appeal the decision
of the ALJ to the Board by filing a notice
of appeal with the Board within 30 days
of the date of service of the ALJ
decision. The Board may extend the
initial 30 day period for a period of time
not to exceed 30 days if a party files
with the Board a request for an
extension within the initial 30 day
period and shows good cause.
(b) If a party files a timely notice of
appeal with the Board, the ALJ must
forward the record of the proceeding to
the Board.
(c) A notice of appeal must be
accompanied by a written brief
specifying exceptions to the initial
decision and reasons supporting the
exceptions. Any party may file a brief in
opposition to the exceptions, which
may raise any relevant issue not
addressed in the exceptions, within 30
days of receiving the notice of appeal
and the accompanying brief. The Board
may permit the parties to file reply
briefs.
(d) There is no right to appear
personally before the Board or to appeal
to the Board any interlocutory ruling by
the ALJ.
(e) The Board may not consider any
issue not raised in the parties’ briefs,
nor any issue in the briefs that could
have been raised before the ALJ but was
not.
(f) If any party demonstrates to the
satisfaction of the Board that additional
evidence not presented at such hearing
is relevant and material and that there
were reasonable grounds for the failure
to adduce such evidence at the hearing,
the Board may remand the matter to the
ALJ for consideration of such additional
evidence.
(g) The Board may decline to review
the case, or may affirm, increase,
reduce, reverse or remand any penalty
determined by the ALJ.
(h) The standard of review on a
disputed issue of fact is whether the
initial decision of the ALJ is supported
by substantial evidence on the whole
record. The standard of review on a
disputed issue of law is whether the
decision is erroneous.
(i) Within 60 days after the time for
submission of briefs and reply briefs, if
permitted, has expired, the Board must
serve on each party to the appeal a copy
of the Board’s decision and a statement
describing the right of any respondent
who is penalized to seek judicial
review.
(j)(1) The Board’s decision under
paragraph (i) of this section, including
a decision to decline review of the
initial decision, becomes the final
decision of the Secretary 60 days after

E:\FR\FM\21NOR3.SGM

21NOR3

70814

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

dwashington3 on PRODPC61 with RULES3

the date of service of the Board’s
decision, except with respect to a
decision to remand to the ALJ or if
reconsideration is requested under this
paragraph.
(2) The Board will reconsider its
decision only if it determines that the
decision contains a clear error of fact or
error of law. New evidence will not be
a basis for reconsideration unless the
party demonstrates that the evidence is
newly discovered and was not
previously available.
(3) A party may file a motion for
reconsideration with the Board before
the date the decision becomes final
under paragraph (j)(1) of this section. A
motion for reconsideration must be
accompanied by a written brief
specifying any alleged error of fact or
law and, if the party is relying on
additional evidence, explaining why the
evidence was not previously available.
Any party may file a brief in opposition
within 15 days of receiving the motion
for reconsideration and the
accompanying brief unless this time
limit is extended by the Board for good
cause shown. Reply briefs are not
permitted.
(4) The Board must rule on the motion
for reconsideration not later than 30
days from the date the opposition brief
is due. If the Board denies the motion,
the decision issued under paragraph (i)
of this section becomes the final
decision of the Secretary on the date of
service of the ruling. If the Board grants
the motion, the Board will issue a
reconsidered decision, after such

VerDate Aug<31>2005

15:22 Nov 20, 2008

Jkt 217001

procedures as the Board determines
necessary to address the effect of any
error. The Board’s decision on
reconsideration becomes the final
decision of the Secretary on the date of
service of the decision, except with
respect to a decision to remand to the
ALJ.
(5) If service of a ruling or decision
issued under this section is by mail, the
date of service will be deemed to be 5
days from the date of mailing.
(k)(1) A respondent’s petition for
judicial review must be filed within 60
days of the date on which the decision
of the Board becomes the final decision
of the Secretary under paragraph (j) of
this section.
(2) In compliance with 28 U.S.C.
2112(a), a copy of any petition for
judicial review filed in any U.S. Court
of Appeals challenging the final
decision of the Secretary must be sent
by certified mail, return receipt
requested, to the General Counsel of
HHS. The petition copy must be a copy
showing that it has been time-stamped
by the clerk of the court when the
original was filed with the court.
(3) If the General Counsel of HHS
received two or more petitions within
10 days after the final decision of the
Secretary, the General Counsel will
notify the U.S. Judicial Panel on
Multidistrict Litigation of any petitions
that were received within the 10 day
period.
§ 3.550

Stay of the Secretary’s decision.

(a) Pending judicial review, the
respondent may file a request for stay of

PO 00000

Frm 00084

Fmt 4701

Sfmt 4700

the effective date of any penalty with
the ALJ. The request must be
accompanied by a copy of the notice of
appeal filed with the Federal court. The
filing of the request automatically stays
the effective date of the penalty until
such time as the ALJ rules upon the
request.
(b) The ALJ may not grant a
respondent’s request for stay of any
penalty unless the respondent posts a
bond or provides other adequate
security.
(c) The ALJ must rule upon a
respondent’s request for stay within 10
days of receipt.
§ 3.552

Harmless error.

No error in either the admission or the
exclusion of evidence, and no error or
defect in any ruling or order or in any
act done or omitted by the ALJ or by any
of the parties is ground for vacating,
modifying or otherwise disturbing an
otherwise appropriate ruling or order or
act, unless refusal to take such action
appears to the ALJ or the Board
inconsistent with substantial justice.
The ALJ and the Board at every stage of
the proceeding must disregard any error
or defect in the proceeding that does not
affect the substantial rights of the
parties.
Dated: September 2, 2008.
Michael O. Leavitt,
Secretary.
[FR Doc. E8–27475 Filed 11–20–08; 8:45 am]
BILLING CODE 4150–28–P

E:\FR\FM\21NOR3.SGM

21NOR3


File Typeapplication/pdf
File TitlePatient Safety and Quality Improvement: Final Rule
SubjectExtracted Pages
AuthorU.S. Government Printing Office
File Modified2010-09-02
File Created2009-02-02

© 2024 OMB.report | Privacy Policy