Department of Health and Human Services: Friday, November 21, 2008


Friday, November 21, 2008

Part III

Department of Health and Human Services

42 CFR Part 3
Patient Safety and Quality Improvement; Final Rule
70732 Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

DEPARTMENT OF HEALTH AND HUMAN SERVICES

42 CFR Part 3
RIN 0919–AA01

Patient Safety and Quality Improvement

AGENCY: Agency for Healthcare Research and Quality, Office for Civil Rights, Department of Health and Human Services.

ACTION: Final rule.

SUMMARY: The Secretary of Health and Human Services is adopting rules to implement certain aspects of the Patient Safety and Quality Improvement Act of 2005, Pub. L. 109–41, 42 U.S.C. 299b–21—b–26 (Patient Safety Act). The final rule establishes a framework by which hospitals, doctors, and other health care providers may voluntarily report information to Patient Safety Organizations (PSOs), on a privileged and confidential basis, for the aggregation and analysis of patient safety events.

The final rule outlines the requirements that entities must meet to become PSOs and the processes by which the Secretary will review and accept certifications and list PSOs. It also describes the privilege and confidentiality protections for the information that is assembled and developed by providers and PSOs, the exceptions to these privilege and confidentiality protections, and the procedures for the imposition of civil money penalties for the knowing or reckless impermissible disclosure of patient safety work product.

DATES: The final rule is effective on January 19, 2009.

FOR FURTHER INFORMATION CONTACT: Susan Grinder, Agency for Healthcare Research and Quality, 540 Gaither Road, Rockville, MD 20850, (301) 427–1111 or (866) 403–3697.

SUPPLEMENTARY INFORMATION: On February 12, 2008, the Department of Health and Human Services (HHS) published a Notice of Proposed Rulemaking (proposed rule) at 73 FR 8112 proposing to implement the Patient Safety Act. The comment period closed on April 14, 2008. One-hundred-sixty-one comments were received during the comment period.

I. Background

Statutory Background

This final rule establishes the authorities, processes, and rules necessary to implement the Patient Safety Act that amended the Public Health Service Act (42 U.S.C. 299 et seq.) by inserting new sections 921 through 926, 42 U.S.C. 299b–21 through 299b–26.¹ The Patient Safety Act focuses on creating a voluntary program through which health care providers can share information relating to patient safety events with PSOs, with the aim of improving patient safety and the quality of care nationwide. The statute attaches privilege and confidentiality protections to this information, termed “patient safety work product,” to encourage providers to share this information without fear of liability and creates PSOs to receive this protected information and analyze patient safety events. These protections will enable all health care providers, including multi-facility health care systems, to share data within a protected legal environment, both within and across states, without the threat that the information will be used against the subject providers.

¹ All citations to provisions in the Patient Safety Act will be to the sections in the Public Health Service Act or to its location in the U.S. Code.

However, we note that section 922(g)(2) of the Public Health Service Act is quite specific that these protections do not relieve a provider from its obligation to comply with other Federal, State, or local laws pertaining to information that is not privileged or confidential under the Patient Safety Act: section 922(g)(5) of the Public Health Service Act states that the Patient Safety Act does not affect any State law requiring a provider to report information that is not patient safety work product. The fact that information is collected, developed, or analyzed under the protections of the Patient Safety Act does not shield a provider from needing to undertake similar activities, if applicable, outside the ambit of the statute, so that the provider can meet its obligations with non-patient safety work product. The Patient Safety Act, while precluding other organizations and entities from requiring providers to provide them with patient safety work product, recognizes that the original records underlying patient safety work product remain available in most instances for the providers to meet these other reporting requirements.

We note also that the Patient Safety Act references the Standards for the Privacy of Individually Identifiable Health Information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA Privacy Rule), 45 CFR parts 160 and 164. Many health care providers participating in this program will be covered entities under the HIPAA Privacy Rule and will be required to comply with the HIPAA Privacy Rule when they disclose patient safety work product that contains protected health information. The Patient Safety Act is clear that it is not intended to interfere with the implementation of any provision of the HIPAA Privacy Rule. See 42 U.S.C. 299b–22(g)(3). The statute also provides that civil money penalties cannot be imposed under both the Patient Safety Act and the HIPAA Privacy Rule for a single violation. See 42 U.S.C. 299b–22(f). In addition, the statute states that PSOs shall be treated as business associates, and patient safety activities are deemed to be health care operations under the HIPAA Privacy Rule. See 42 U.S.C. 299b and 299–22(i). Since patient safety activities are deemed to be health care operations, the HIPAA Privacy Rule does not require covered providers to obtain patient authorizations to disclose patient safety work product containing protected health information to PSOs. Additionally, as business associates of providers, PSOs must abide by the terms of their HIPAA business associate contracts, which require them to notify the provider of any impermissible use or disclosure of the protected health information of which they are aware. See 45 CFR 164.504(e)(2)(ii)(C).

II. Overview of the Proposed and Final Rules

A. The Proposed Rule

The proposed rule sought to implement the Patient Safety Act to create a voluntary system through which providers could share sensitive information relating to patient safety events without fear of liability, which should lead to improvements in patient safety and in the quality of patient care. The proposal reflected an approach to the implementation of the Patient Safety Act intended to ensure adequate flexibility within the bounds of the statutory provisions and to encourage providers to participate in this voluntary program. The proposed rule emphasized that this program is not federally funded and will be put into operation by the providers and PSOs that wish to participate with little direct federal involvement. However, the process for certification and listing of PSOs will be implemented and overseen by the Agency for Healthcare Research and Quality (AHRQ), while compliance with the confidentiality provisions will be investigated and enforced by the Office for Civil Rights (OCR).

Subpart A of the proposed rule set forth the definitions of essential terms,


such as patient safety work product, patient safety evaluation system, and PSO. In order to facilitate the sharing of patient safety work product and the analysis of patient safety events, Subpart B of the proposed rule implemented the statutory requirements for the listing of PSOs, the entities that will offer their expert advice in analyzing the patient safety events and other information they collect or develop to provide feedback and recommendations to providers. The proposed rule established the criteria and set forth a process for certification and listing of PSOs and described how the Secretary would review, accept, condition, deny, or revoke certifications for listing and continued listing of entities as PSOs.

Based on the statutory mandates in the Patient Safety Act, Subpart C of the proposed rule set forth the privilege and confidentiality protections that attach to patient safety work product; it also set forth the exceptions to these protections. The proposed rule provided that patient safety work product generally continues to be protected as privileged and confidential following a disclosure and set certain limitations on redisclosure of patient safety work product.

Subpart D of the proposed rule established a framework to enable the Secretary to monitor and ensure compliance with this Part, a process for imposing a civil money penalty for breach of the confidentiality provisions, and procedures for a hearing contesting the imposition of a civil money penalty. These provisions were modeled largely on the HIPAA Enforcement Rule at 45 CFR part 160, subparts C, D and E.

B. The Final Rule

We received over 150 comments on the proposed rule from a variety of entities, including small providers and large institutional providers, hospital associations, medical associations, accrediting bodies, medical liability insurers, and state and federal agencies. Many of the commenters expressed support for the proposed rule and the protections it granted to sensitive information related to patient safety events.

Based upon the comments received, the final rule adopts most of the provisions of the proposed rule without modification; however, several significant changes to certain provisions of the proposed rule have been made in response to these comments. Changes to Subpart A include the addition of a definition of affiliated provider. The definitions of component organization, parent organization, and provider were modified for clarity, and the definition of disclosure was modified to clarify that the sharing of patient safety work product, between a component PSO and the entity of which it is a part, qualifies as a disclosure, while the sharing of patient safety work product between a physician with staff privileges and the entity with which it holds privileges is not a disclosure. We have also modified the definition of patient safety work product to include information that, while not yet reported to a PSO, is documented as being within a provider’s patient safety evaluation system and that will be reported to a PSO. This modification allows for providers to voluntarily remove, and document the removal of, information from the patient safety evaluation system that has not yet been reported to a PSO, in which case, the information is no longer patient safety work product.

The most significant modifications to Subpart B include the following. With respect to the listing of PSOs, we have broadened the list of excluded entities at § 3.102(a)(2)(ii), required PSOs at § 3.102(b)(1)(i)(B) to notify reporting providers of inappropriate disclosures or security breaches related to the information they reported, specified compliance with the requirement regarding the collection of patient safety work product in § 3.102(b)(2)(iii), eliminated the requirements for separate information systems and restrictions on shared staff for most component PSOs but added additional restrictions and limitations for PSOs that are components of excluded entities at § 3.102(c), and narrowed and clarified the disclosure requirements that PSOs must file regarding contracting providers with whom they have additional relationships at § 3.102(d)(2).

We have modified the security requirement to provide flexibility for PSOs to determine whether to maintain patient safety work product separately from unprotected information. The final rule includes a new expedited revocation process at § 3.108(e) for exceptional circumstances that require prompt action, and eliminates implied voluntary relinquishment, providing instead in § 3.104(e) that a PSO’s listing automatically expires at the end of three years, unless it is revoked for cause, voluntarily relinquished, or its certifications for continued listing are approved.

Changes to proposed Subpart C include the addition of language in § 3.206(b)(2) that requires a reporter seeking equitable relief to obtain a protective order to protect the confidentiality of patient safety work product during the course of the proceedings. Proposed § 3.206(b)(4) has been amended to allow disclosures of identifiable, non-anonymized patient safety work product among affiliated providers for patient safety activities. In addition, proposed § 3.206(b)(7) has been modified to make clear that the provision permits disclosures to and among FDA, entities required to report to FDA, and their contractors. We also have modified proposed § 3.206(b)(8) to require providers voluntarily disclosing patient safety work product to accrediting bodies either to obtain the agreement of identified non-disclosing providers or to anonymize the information with respect to the non-disclosing providers prior to disclosure. Finally, we modified §§ 3.204(c), 3.206(d), and 3.210 to allow disclosures of patient safety work product to or by the Secretary for the purposes of determining compliance with not only the Patient Safety Act, but also the HIPAA Privacy Rule.

In Subpart D, we adopt the proposed provisions except, where reference was made in the proposed rule to provisions of the HIPAA Privacy Rule, the final rule includes the text of such provisions for convenience of the reader.

We describe more fully these provisions, the comments received, and our responses to these comments below in the section-by-section description of the final rule below.

III. Section-by-Section Description of Final Rule and Response to Comments

A. Subpart A—General Provisions

1. Section 3.10—Purpose

Proposed Rule: Proposed § 3.10 provided that the purpose of proposed Part 3 is to implement the Patient Safety and Quality Improvement Act of 2005 (Pub. L. 109–41), which amended the Public Health Service Act (42 U.S.C. 299 et seq.) by inserting new sections 921 through 926, 42 U.S.C. 299b–21 through 299b–26.

Overview of Public Comments: No comments were received pertaining to this section.

Final Rule: The Department adopts the proposed provision without modification.

2. Section 3.20—Definitions

Proposed Rule: Proposed § 3.20 provided for definitions applicable to Part 3. Some definitions were restatements of the definitions at section 921 of the Public Health Service Act, 42 U.S.C. 299b–21, and other definitions were provided for convenience or to clarify the application and operation of the proposed rule.


Overview of Public Comments: With respect to the definitions for AHRQ, ALJ, Board, complainant, component PSO, confidentiality provisions, entity, group health plan, health maintenance organization, HHS, HIPAA Privacy Rule, identifiable patient safety work product, nonidentifiable patient safety work product, OCR, Patient Safety Act, patient safety activities, patient safety organization, person, research, respondent, responsible person, and workforce, we received no comments.

We received a number of comments on the various other definitions and these comments will be addressed below in reference to the specific term.

Final Rule: The Department adopts the above definitions as proposed. Certain definitions were added for convenience or clarity of the reader.

Response to Public Comments

Comment: Commenters requested definitions for accrediting body, reporter, redisclosure, impermissible disclosure, use, evaluation and demonstration projects, and legislatively created PSO.

Response: The Department does not agree that the additional definitions requested by commenters are necessary. Some definitions requested have generally accepted meanings and we do not believe there is benefit in imposing more limitations on such terms. Some terms such as legislatively created PSO are not used within the final rule. Other terms such as impermissible disclosure, use, and reporter are readily understood from the context of the final rule and do not need definitions.

(A) Section 3.20—New Definition of Affiliated Provider

Final Rule: The proposed rule did not include a definition for affiliated provider. The Department adopts the term affiliated provider to mean, with respect to a provider, a legally separate provider that is the parent organization of the provider, is under common ownership, management, or control with the provider, or is owned, managed, or controlled by the provider. The Department includes this term to identify to whom patient safety work product may be disclosed pursuant to a clarification of the disclosure permission for patient safety activities.

Overview of Comments: Several commenters were concerned about limitations of disclosures for patient safety activities among providers. Commenters raised concerns that limitations may inhibit the sharing and learning among providers of the analysis of patient safety events. Other commenters viewed the disclosure limitations as restricting a provider’s use of its own data. These comments are addressed more fully below as part of the discussion of the patient safety activities disclosure permission.

(B) Section 3.20—Definition of Bona Fide Contract

Proposed Rule: Proposed § 3.20 provided that bona fide contract would mean a written contract between a provider and a PSO that is executed in good faith or a written agreement between a Federal, State, local, or Tribal provider and a Federal, State, local, or Tribal PSO.

Overview of Public Comments: One comment was received noting that “good faith” need not be a part of a bona fide contract.

Final Rule: Because meeting the minimum contract requirement is essential for a PSO to remain listed by the Secretary, the Department believes that the requirement that contracts to be entered in good faith should be retained. We also note that Federal, State, local or Tribal providers are free to enter into an agreement with any PSO that would serve their needs; thus, they can enter bona fide contracts with PSOs pursuant to paragraph (1) of the definition, or enter comparable arrangements with a Federal, State, local or Tribal PSO pursuant to paragraph (2). The Department adopts the proposed provision without modification.

(C) Section 3.20—Definition of Component Organization

Proposed Rule: Proposed § 3.20 provided that component organization would mean an entity that is either: (a) A unit or division of a corporate organization or of a multi-organizational enterprise; or (b) a separate organization, whether incorporated or not, that is owned, managed or controlled by one or more other organizations, i.e., its parent organization(s). Because this definition used terms in a manner that was broader than traditional usage, the proposed rule sought comment on whether it was appropriate for purposes of the regulation to consider a subsidiary, an otherwise legally independent entity, as a component organization.

With respect to the terms “owned, managed, or controlled,” the preamble directed readers to our description of these concepts in our discussion of the term “parent organization.” The preamble to the proposed rule discussed the various ways that an organization may be controlled by others. In particular, there was a discussion of multi-organizational enterprises and the variety of management relationships or forms of control that such enterprises can create that might impact component entities. The preamble also discussed the traditional meaning of subsidiaries as being separate legal entities and, therefore, not within the ordinary meaning of the term “component.” However, the approach of the proposed rule was to express the Department’s intention to encourage all forms of PSO organizational arrangements including the ownership of PSOs as subsidiaries. At the same time, we wanted to be able to accurately determine and to indicate to providers which PSOs should be considered components of other entities and the identity of a component PSO’s parent organization. We explained our intent was not to limit our approach to corporate forms of organizations.

Overview of Public Comments: The majority of commenters supported our proposal to consider subsidiaries as component organizations for the purposes of this rule. Several commenters sought reassurance that our interpretation does not impose additional legal liability on the parent organization.

Concern was expressed that our approach suggested an over-reliance on the corporate model and the definition needed to reflect other types of legally recognized entities. One comment reflected concern that our reference to “multi-organizational enterprise” in the definition was unnecessarily confusing because it was not commonly used. Another commenter disagreed with our approach entirely, arguing that the scope of our definition was overly broad and unnecessary.

Final Rule: The final rule now defines “component organization” to mean an entity that: “(1) is a unit or division of a legal entity (including a corporation, partnership, or a Federal, State, local or Tribal agency or organization); or
(2) Is owned, managed, or controlled by one or more legally separate parent organizations.”

The definition of component organization is intended to be read with a focus on management or control by others as its defining feature. The definition must be read in conjunction with the complementary definition of “parent organization.” While our approach remains little changed, we have rearranged and streamlined the text of the definition of component in response to the comments and concerns we received on it. For example, there is no longer an explicit reference in the definition of component to multi-organizational enterprises, which are undertakings with separate corporations or organizations that are integrated in a common business activity. The revised


definition, however, is sufficiently broad to apply to components of such enterprises. In response to concerns that the earlier definition was too focused on corporate organizations, we have incorporated an explicit reference to “other legal entities” besides corporations. In addition, specific references have been added to more clearly accommodate possible organizational relationships of public agencies, such as the Department of Defense (DoD), Department of Veterans Affairs (VA), the Indian Health Service (IHS), and other State, local, and Tribal organizations that manage or deliver health care services.

In the scenario envisioned by the first prong of the definition, the legal entity is a parent organization and the component organization is a unit or division within the parent organization. An underlying assumption of the modified paragraph (1) is that a unit or division of a legal entity may be managed or controlled by one or more parent organizations. Consistent with this paragraph, a component PSO may be managed or controlled by the legal entity of which it is a part or by another unit or division of that entity. It could also be controlled by a legally separate entity under the second paragraph of the definition.

The first prong of the definition encompasses a component PSO that is a unit of a governmental agency that is a legal entity. This could include a component organization managed by another division of such a governmental agency, e.g., a health care division of VA or DoD. Thus, a component PSO could be a unit or component of a Federal agency that is a legal entity and it could at the same time be a component of another unit or division of that agency which controls and directs or manages its operation. So too in the private sector, a component PSO could have more than one parent and thus be a component, for example, of a professional society as well as a component of the unit or division of the professional society that controls or manages the PSO.

The second prong of the definition addresses a variety of organizational relationships that could arise between component PSOs and legally separate parent organizations that manage or control them. Under paragraph (2), a subsidiary PSO could be managed or controlled by its legally separate parent organization. In addition, we note that a component PSO could be managed or controlled by another unit or division of its legally separate parent, e.g., if this unit or division uses its knowledge and skills to control or manage certain aspects of the component’s operations. If that occurs, we would consider the sibling subsidiary that exercises control or management over the PSO as another parent organization of the PSO.

Obtaining the identity and contact information of an entity’s parent organizations is useful for the purpose of letting providers know who may be managing or controlling a PSO. This information also will be useful in implementing the certification and listing process for PSOs described in the rule which, for instance, excludes any health insurance issuer from becoming a PSO and excludes a component of a health insurance issuer from becoming a PSO.

In response to commenters concerned about the legal liability for parent organizations of component PSOs, we note that the preamble to the proposed rule stated as follows: “We stress that neither the statute nor the proposed regulation imposes any legal responsibilities, obligations, or liability on the organization(s) of which it [the PSO] is a part.” The Department reaffirms its position. At the same time, we note that the rule, at § 3.402(b), recognizes, provides for, and does not alter the liability of principals based on Federal common law.

Response to Other Public Comments

Comment: One concern that was expressed by several commenters pertained to whether or not a health system that has a component or subsidiary health insurance issuer, e.g., a group health plan offered to the public, would be precluded from having a component PSO as well.

Response: So long as the component health insurance issuer does not come within the definition of a parent organization of the PSO, i.e., own a controlling or majority interest in, manage, or control the health system’s component PSO (i.e., the PSO would not be a component of the health insurance issuer), the parent health system could establish a component PSO.

Comment: It was asserted that including subsidiaries as components would require a PSO that is not controlled by another parent organization, but itself has a subsidiary, to seek listing as a component PSO.

Response: The revised definition of component organization emphasizes that a component is an organization that is controlled by another entity. It is not the Department’s intention to require a PSO that is not controlled by another entity to seek listing as a component PSO. For this reason, the fact that a PSO has a subsidiary does not trigger the requirement to seek listing as a component organization.

Comment: It was suggested that the inclusion of subsidiaries within the meaning of component would require a health system that wished to create a PSO to create it as a component.

Response: There are several issues that a health system needs to consider in determining whether and how to create a PSO, but the inclusion of subsidiary within the meaning of component is not necessarily determinative. The statute requires the improvement of quality and patient safety to be the primary activity of the entity seeking listing. Since few multifaceted health system organizations will meet this requirement, existing organizations will have an incentive to create single-purpose component organizations that clearly meet the requirement. The second issue is whether to create a PSO as an internal component organization or as a separate legal entity. Because the final rule requires each PSO to enter two contracts, provider organizations may find it useful for its component PSO to be a separate legal entity. Otherwise, the component PSO may be precluded from contracting with its parent organization.

Comment: There was a request for a definition of “own” with a suggestion for reference to Internal Revenue Code 26 I.R.C. § 1563 to clarify its meaning and the meaning of having a controlling interest. This same commenter sought strong separation requirements between a component PSO and any parent organization.

Response: We have reviewed the cited regulation but conclude that the approach presented is unlikely to clarify the meaning of “own” or “having a controlling interest” for purposes of the regulation. Accordingly, the definition of component in the final rule will use the term “owns,” but it should be read in conjunction with the phrase “owns a controlling or majority interest in” that is used in the related definition of “parent organization.” This will indicate that the definition of component uses the term “owns” to mean having a sufficient ownership interest to control or manage a PSO. The holder of a controlling or majority interest in the entity seeking to be listed should be identified as a parent organization.

Comment: Components of government entities should not be listed as PSOs.

Response: The Patient Safety Act specifically permits public sector entities, and components of public sector entities, to seek listing as a PSO. We have incorporated several exclusions, however, of entities with


regulatory authority and those administering mandatory state reporting programs because these activities are incompatible with fostering a non-punitive culture of safety among providers. As we explain in § 3.102(a)(2)(ii), we conclude that it is not necessary to exclude components of such entities but have adopted additional restrictions and requirements in § 3.102(c) for such component entities.

(D) Section 3.20—Definition of Disclosure

Proposed Rule: Proposed § 3.20 provided that disclosure would mean the release, transfer, provision of access to, or divulging in any other manner of patient safety work product by a person holding patient safety work product to another person.

We did not generally propose to regulate uses of patient safety work product within an entity, i.e., when this information is exchanged or shared among the workforce members of an entity. We believe that regulating uses within providers and PSOs would be unnecessarily intrusive given the voluntary aspect of participation with a PSO. We believe that regulating uses would not further the statutory goal of facilitating the sharing of patient safety work product with PSOs and that sufficient incentives exist for providers and PSOs to prudently manage the internal sharing of sensitive patient safety work product. However, based on the statutory provision, we did propose that we would recognize as a disclosure the sharing of patient safety work product between a component PSO and the organization of which it is a component. Such sharing would, absent the statutory provision and the proposed regulation, be a use within the larger organization because the component PSO is not a separate entity. The Patient Safety Act supports this position by demonstrating a strong desire for the protection of patient safety work product from the rest of the organization of which the PSO is a part. We sought public comment on whether the decision to not regulate uses was appropriate.

The proposed rule discussed that sharing patient safety work product with a contractor that is under the direct control of an entity, i.e., a workforce member, would not be a disclosure, but rather a use within the entity. However, sharing patient safety work product with an independent contractor would be a disclosure requiring an applicable disclosure permission.

Overview of Public Comments: Some commenters supported the proposed definition of disclosure. No commenters opposed the proposed definition or requested further clarification.

Most commenters that responded to the question whether uses of patient safety work product should be regulated supported the decision not to regulate uses. Those commenters agreed that regulating uses would be overly intrusive without significant benefit and that entities are free to enter into agreements with greater protections. Other commenters disagreed with the Department’s proposal and stated that regulation of uses would improve confidentiality and thereby increase provider participation.

No commenters opposed the proposal that sharing of patient safety work product from a component PSO to the rest of the parent entity of which it is a part would be a disclosure for purposes of enforcement rather than a use internal to the entity.

Final Rule: The Department adopts the provision with modifications. In general, the modified definition of disclosure means the release of, transfer of, provision of access to, or divulging in any other manner of, patient safety work product by an entity or natural person holding the patient safety work product to another legally separate entity or natural person, other than a workforce member of, or a physician holding privileges with, the entity holding the patient safety work product. Additionally, we have defined as a disclosure the release of, transfer of, provision of access to, or divulging in any other manner of, patient safety work product by a component PSO to another entity or natural person outside the component PSO.

We have modified the language for clarity to distinguish the actions that are a disclosure for a natural person and an entity, separately. We have also included language in the definition that makes clear that sharing of patient safety work product from a component PSO to the entity of which it is a part is a disclosure even though the disclosure would be internal to an entity and generally permitted. Finally, we have added language to clearly indicate that the sharing of patient safety work product between a health care provider with privileges and the entity with which it holds privileges does not constitute a disclosure, consistent with the treatment of patient safety work product shared among workforce members.

Response to Other Public Comments

Comment: Commenters asked that the Department clarify the terms ‘‘disclosure’’ and ‘‘use’’. Commenters stated that the terms were used interchangeably and this caused confusion.

Response: The term ‘‘disclosure’’ describes the scope of the confidentiality protections and the manner in which patient safety work product may be shared. ‘‘Disclosure’’ is also employed by the Patient Safety Act when describing the assessment of civil money penalties for the failure to maintain confidentiality (see 42 U.S.C. 299b–22(f)(1)). Although the Patient Safety Act employs the term ‘‘use’’ in several provisions, we did not interpret those provisions to include a restriction on the use of patient safety work product based on the confidentiality protections.

Because the focus of the proposed rule was on disclosures, we did not believe that defining the term ‘‘use’’ was helpful; nor did we believe the terms would be confusing. Use of patient safety work product is the sharing within a legal entity, such as between members of the workforce, which is not a disclosure. By contrast, a disclosure is the sharing or release of information outside of the entity for which a specific disclosure permission must be applicable.

Comment: One commenter requested clarification regarding the sharing of patient safety work product among legally separate participants that join to form a single joint venture component PSO.

Response: The Department distinguishes between the disclosure of patient safety work product between legal entities and the use of patient safety work product internal to a single legal entity. If a component PSO is part of a multi-organizational enterprise, uses of patient safety work product internal to the component PSO are not regulated by this final rule, but sharing of patient safety work product between the component PSO and another entity or with a parent organization are considered disclosures for which a disclosure permission must apply.

Comment: One commenter raised concerns that the final rule would restrict a provider’s use of its own data and thereby discourage collaboration with other care givers.

Response: The Department believes that the final rule balances the interests between the privacy of identified providers, patients and reporters and the need to aggregate and share patient safety work product to improve patient safety among all providers. The final rule does not limit the sharing of patient safety work product within an entity and permits sharing among providers under certain conditions. Affiliated
providers may share patient safety work product for patient safety activities and non-affiliated providers may share anonymized patient safety work product. A provider may also share patient safety work product with a health care provider that has privileges to practice at the provider facility. Further, if all identified providers are in agreement regarding the need to share identifiable patient safety work product, each provider may authorize and thereby permit a disclosure.

Comment: Several commenters asked whether uses were restricted based upon the purpose for which the patient safety work product is being shared internally.

Response: The final rule does not limit the purpose for which patient safety work product may be shared internal to an entity. Entities should consider the extent to which sensitive patient safety work product is available to members of its workforce as a good business practice.

(E) Section 3.20—Definition of Entity

Proposed Rule: Proposed § 3.20 provided that entity would mean any organization or organizational unit, regardless of whether the entity is public, private, for-profit, or not-for-profit.

Overview of Public Comments: One comment was received suggesting that the terms ‘‘governmental’’ or ‘‘body politic’’ should be added to clarify that the term ‘‘public’’ includes Federal, State, or local government as well as public corporations.

Final Rule: The term ‘‘public’’ has long been used throughout Title 42 of the Code of Federal Regulations as encompassing governmental agencies; therefore we do not believe that the addition is necessary. The Department adopts the proposed provision without modification.

(F) Section 3.20—Definition of Health Insurance Issuer

Proposed Rule: Proposed § 3.20 provided that health insurance issuer would mean an insurance company, insurance service, or insurance organization (including a health maintenance organization, as defined in 42 U.S.C. 300gg–91(b)(3)) which is licensed to engage in the business of insurance in a State and which is subject to State law which regulates insurance (within the meaning of 29 U.S.C. 1144(b)(2). The definition specifically excluded group health plans from the meaning of the term.

Overview of Public Comments: Several commenters expressed concern that the Department needed to be vigilant in its exclusion of health insurance issuers and components of health insurance issuers, urging that HHS clearly define health insurance issuers in the final rule. Another commenter sought clarification regarding risk management service companies, i.e., those that offer professional liability insurance, reinsurance, or consulting services.

Final Rule: The Department has reviewed the definition of ‘‘health insurance issuer’’ and determined that the definition is clear. Because the reference to group health plans could be a source of confusion, we note that we have defined the term above. Accordingly, the Department adopts the proposed provision without modification.

In response to several comments regarding the scope of the term health insurance issuer, the Department has concluded that, for purposes of this rule, risk management service companies, professional liability insurers and reinsurers do not fall within the definition of health insurance issuer.

Response to Other Public Comments

Comment: One commenter asked if a provider system that was owned as a subsidiary by an HMO could create a component PSO.

Response: Section 3.102(a)(2)(i) excludes a health insurance issuer, a unit or division of a health insurance issuer, or an entity that is owned, managed, or controlled by a health insurance issuer from seeking listing as a PSO. In this case, the HMO is considered a health insurance issuer and the provider system would be a component of the health insurance issuer. Under the rule, the HMO and the provider system may not seek listing as a PSO, and the entity created by the provider system could not seek listing as a component PSO if it is owned, managed or controlled by the provider system or the HMO.

Comment: One commenting organization requested discussion of what organizational structure might allow a health insurance issuer to participate in the patient safety work of an independent PSO.

Response: The statutory exclusion means that the following entities may not seek listing: a health insurance issuer or a component of a health insurance issuer.

(G) Section 3.20—Definition of Parent Organization

Proposed Rule: Proposed § 3.20 provided that ‘‘parent organization’’ would mean an entity, that alone or with others, either owns a provider entity or a component organization, or has the authority to control or manage agenda setting, project management, or day-to-day operations of the component, or the authority to review and override decisions of a component organization.

The proposed rule did not provide a definition of ‘‘owned’’ but provided controlling interest (holding enough stock in an entity to control it) as an example of ownership in the preamble discussion of the term, ‘‘parent organization.’’ The proposed rule specifically sought comment on our use of the term ‘‘controlling interest,’’ whether it was appropriate, and whether we needed to further define ‘‘owns.’’ The remaining terms, ‘‘manage or control,’’ were explained in the proposed rule’s definition of ‘‘parent organization,’’ as having ‘‘the authority to control or manage agenda setting, project management, or day-to-day operations of the component, or the authority to review and override decisions of a component organization.’’

Overview of Public Comments: We received eight comments on the question of ‘‘controlling interest’’ and there was no consensus among the commenters. Four commenters thought our discussion was appropriate. Another agreed with the concept of controlling interest but wanted to limit its application to a provider who reported patient safety work product to the entity. One commenter cautioned that the term ‘‘controlling interest’’ was open to various interpretations and the final rule should provide additional guidance. Another commenter suggested ‘‘controlling interest’’ was worrisome but did not provide a rationale for this assessment. One commenter supported additional protections, contending that it was appropriate for HHS to pierce the corporate veil when there was fraud or collusion, and recommended the preamble outline situations in which HHS would pierce the corporate veil.

We received no negative comments on our proposed interpretation of what it means to manage or control another entity. One commenter suggested that the definition should recognize the significant authority or control of a provider entity or component organization through reserve powers, by agreement, statute, or both.

Final Rule: While approximately half of the comments supported our approach, there was not a clear consensus in the comments we reviewed. So the approach we have taken with the definition of ‘‘parent organization’’ was to strive for greater clarity, taking into account its interaction with our definition of
‘‘component organization,’’ described above.

The definition of ‘‘parent organization’’ in the final rule retains the basic framework of the proposed rule definition: an organization is a parent if it owns a component organization, has the ability to manage or control a component, or has the authority to review and overrule the component’s decisions.

The language of the proposed rule used only the term ‘‘own’’ while the preamble cited the example of stock ownership. Without further specification, we were concerned that this approach could have been interpreted to mean that an organization owning just a few shares of stock of a component organization would be considered a parent organization. This is not our intent. For clarity, we have modified the text to read ‘‘owns a controlling or majority interest.’’

We have also removed the phrase ‘‘alone or with others’’ from the first clause. We did so for two reasons. First, it is unnecessary since it does not matter whether ownership is shared with other organizations, as in a joint venture. An entity seeking listing as a PSO will use this definition solely to determine if it has any parent organizations and, if it does, it must seek listing as a component organization and disclose the names and contact information for each of its parent organizations. Second, we have tried to make it as clear as possible that any organization that has controlling ownership interests, or management or control authority over a PSO, should be considered, and reported in accordance with the requirements of § 3.102(c)(1)(i), as a parent organization.

For similar reasons, we have removed the reference to provider from the first part of the definition and instead consistently used the term ‘‘component organization’’ with respect to each characteristic of a parent organization. We added a second sentence to clarify that a provider could be the component organization in all three descriptive examples given of parental authority.

In response to one commenter’s concern, we believe that the phrase ‘‘has the authority’’ as used in the definition is sufficiently broad to encompass reserve powers.

(H) Section 3.20—Definition of Patient Safety Evaluation System

Proposed Rule: Proposed § 3.20 provided that patient safety evaluation system would mean the collection, management, or analysis of information for reporting to or by a PSO. The patient safety evaluation system would be the mechanism through which information can be collected, maintained, analyzed, and communicated. The proposed rule discussed that a patient safety evaluation system would not need to be documented because it exists whenever a provider engages in patient safety activities for the purpose of reporting to a PSO or a PSO engages in these activities with respect to information for patient safety purposes. The proposed rule provided that formal documentation of a patient safety evaluation system could designate secure physical and electronic space for the conduct of patient safety activities and better delineate various functions of a patient safety evaluation system, such as when and how information would be reported by a provider to a PSO, how feedback concerning patient safety events would be communicated between PSOs and providers, within what space deliberations and analyses of information are conducted, and how protected information would be identified and separated from information collected, maintained, or developed for purposes other than reporting to a PSO.

The Department recommended that a provider consider documentation of a patient safety evaluation system to support the identification and protection of patient safety work product. Documentation may provide substantial proof to support claims of privilege and confidentiality and will give notice to, will limit access to, and will create awareness among employees of, the privileged and confidential nature of the information within a patient safety evaluation system which may prevent unintended or impermissible disclosures.

We recommended that providers and PSOs consider documenting how information enters the patient safety evaluation system; what processes, activities, physical space(s) and equipment comprise or are used by the patient safety evaluation system; which personnel or categories of personnel need access to patient safety work product to carry out their duties involving operation of, or interaction with, the patient safety evaluation system; the category of patient safety work product to which access is needed and any conditions appropriate to such access; and what procedures the patient safety evaluation system uses to report information to a PSO or disseminate information outside of the patient safety evaluation system.

The proposed rule sought comment about whether a patient safety evaluation system should be required to be documented.

Overview of Public Comments: Several commenters supported the efforts to enable the patient safety evaluation system to be flexible and scalable to individual provider operations. Most commenters that responded to the question whether a patient safety evaluation system should be documented supported the decision to not require documentation. Commenters stated that requiring documentation would inhibit the flexibility in the design of patient safety evaluation systems and the ability of providers to design systems best suited for their specific practices and settings. Documentation would also be burdensome to providers and should ultimately be left to the discretion of individual providers based on their needs. Other commenters supported a requirement for documentation, suggesting that documentation would go further in ensuring compliance with the confidentiality provisions and the protection of information, thereby encouraging provider participation.

Final Rule: The Department adopts the proposed provision without modification. Based on the comments, we have not modified the proposed decision to not require documentation. We have, as described in the definition of patient safety work product below, clarified how documentation of a patient safety evaluation system clearly establishes when information is patient safety work product. We encourage providers to document their patient safety evaluation systems for the benefits mentioned above. We believe documentation is a best practice.

Response to Other Public Comments

Comment: Two commenters raised concerns about how a patient safety evaluation system operates within a multi-hospital system comprised of a parent corporation and multiple hospitals that are separately incorporated and licensed. One commenter asked whether a parent corporation can establish a single patient safety evaluation system in which all hospitals participate. The other commenter recommended that individual institutional affiliates of a multi-hospital system be part of a single patient safety evaluation system.

Response: For a multi-provider entity, the final rule permits either the establishment of a single patient safety evaluation system or permits the sharing of patient safety work product as a patient safety activity among affiliated providers. For example, a hospital chain that operates multiple hospitals may include the parent organization along with each hospital in a single patient
safety evaluation system. Thus, each hospital may share patient safety work product with the parent organization and the patient safety evaluation system may exist within the parent organization as well as the individual hospitals.

There may be situations where establishing a single patient safety evaluation system may be burdensome or a poor solution to exchanging patient safety work product among member hospitals. To address this concern, we have modified the disclosure permission for patient safety activities to permit affiliated providers to disclose patient safety work product with each other based on commonality of ownership.

Comment: One commenter asked how a patient safety evaluation system exists within an institutional provider.

Response: A patient safety evaluation system is unique and specific to a provider. The final rule retains a definition of a patient safety evaluation system that is flexible and scalable to meet the specific needs of particular providers.

With respect to a single institutional provider, such as a hospital, a provider may establish a patient safety evaluation system that exists only within a particular office or that exists at particular points within the institution. The decisions as to how a patient safety evaluation system operates will depend upon the functions the institutional provider desires the patient safety evaluation system to perform and its tolerances regarding access to the sensitive information contained within the system. Providers should consider how a patient safety evaluation system is constructed, carefully weighing the balance between coordination and fragmentation of a provider’s activities.

Comment: Some commenters were concerned that the patient safety evaluation system provided a loophole for providers to avoid transparency of operations and hide information about patient safety events. Some commenters suggested that a provider may establish a patient safety evaluation system that is inside of a PSO, thus stashing away harmful documents and information.

Response: The Department does not believe that the patient safety evaluation system enables providers to avoid transparency. A patient safety evaluation system provides a protected space for the candid consideration of quality and safety. Nonetheless, the Patient Safety Act and the final rule have carefully assured that information generally available today remains available, such as medical records, original provider documents, and business records. Providers must fulfill external reporting obligations with information that is not patient safety work product. Further, a provider may not maintain a patient safety evaluation system within a PSO.

Comment: One commenter asked whether all information in a patient safety evaluation system is protected.

Response: Information collected within a patient safety evaluation system that has been collected for the purpose of reporting to a PSO is patient safety work product if documented as collected for reporting to a PSO. This is discussed more fully at the definition of patient safety work product below. Information that is reported to a PSO is also protected, as discussed more fully at the definition of patient safety work product below.

Comment: One commenter was concerned that the lack of a framework and too much flexibility may interfere with interoperability and data aggregation at a later date.

Response: The Department believes that a patient safety evaluation system must of necessity be flexible and scalable to meet the needs of specific providers and PSOs. Without such flexibility, a provider may not participate, which may, lessen the overall richness of the information that could be obtained about patient safety events. The Department recognizes the value of aggregated data and has, pursuant to the Patient Safety Act, begun the process of identifying standard data reporting terms to facilitate aggregation and interoperability. Further, the Patient Safety Act requires that PSOs, to the extent practical and appropriate, collect patient safety work product in a standardized manner (see 42 U.S.C. 299b–24(b)(1)(F)). The Department hopes that, by permitting the widest range possible of providers to participate in the gathering and analysis of patient safety events, increased participation will generate more data and greater movement towards addressing patient safety issues.

Comment: Many commenters encouraged the Department to provide technical assistance to providers and PSOs on the structuring and operation of a patient safety evaluation system.

Response: The Department expects to provide such guidance on the operation and activities of patient safety evaluation systems as it determines is necessary.

(I) Section 3.20—Definition of Patient Safety Work Product

Proposed Rule: Proposed § 3.20 adopted the statutory definition of patient safety work product as defined in the Patient Safety Act. The proposed rule provided that many types of information can become patient safety work product to foster robust exchanges between providers and PSOs. Any information must be collected or developed for the purpose of reporting to a PSO.

Three provisions identified how information becomes patient safety work product. First, information may become patient safety work product if it is assembled or developed by a provider for the purpose of reporting to a PSO and is reported to a PSO. Second, patient safety work product is information developed by a PSO for the conduct of patient safety activities. Third, patient safety work product is information that constitutes the deliberations or analysis of, or identifies the fact of reporting pursuant to, a patient safety evaluation system.

The proposed rule provided that reporting means the actual transmission or transfer of information to a PSO. We recognized that requiring the transmission of every piece of paper or electronic file to a PSO could impose significant transmission, management, and storage burdens on providers and PSOs. The proposed rule sought comment on whether alternatives for actual reporting should be recognized as sufficient to meet the reporting requirement. For example, the proposed rule suggested that a provider that contracts with a PSO may functionally report information to a PSO by providing access and control of information to a PSO without needing to physically transmit information. The proposed rule also sought comment on whether additional terms and conditions should be required to permit functional reporting and whether functional reporting should be permitted only after an initial actual report of information related to an event.

The proposed rule also sought comment on whether a short period of protection for information assembled but not yet reported is necessary for flexibility or for providers to efficiently report information to a PSO. We also sought comment on an appropriate time period for such protection and whether a provider must demonstrate intent to report in order to obtain protection.

The proposed rule also sought comment on when a provider could begin collecting information for the purpose of reporting to a PSO such that it is not excluded from becoming patient safety work product because it was collected, maintained or developed separately from a patient safety evaluation system.
The proposed rule indicated that, if a authorities evaluations of the When Is Information Protected
PSO is delisted for cause, a provider effectiveness of corrective action, but Commenters raised significant and
would be able to continue to report to the provider must respond with substantial concerns regarding when the
that PSO for 30 days after the date of information that is not patient safety protections for patient safety work
delisting and the information reported work product. The proposed rule product begins, how existing patient
would be treated as patient safety work provided that recommendations for safety processes will occur given the
product (section 924(f)(1) of the Public changes from the provider’s patient protections for patient safety work
Health Service Act). However, after safety evaluation system or the PSO are product, and the likelihood that
delisting, the proposed rule indicated patient safety work product. However, providers may need to maintain
that the former PSO may not generate the actual changes that the provider separate systems with substantially
patient safety work product by implements to improve how it manages duplicate information. A significant
developing information for the conduct or delivers health care services are not majority of commenters responded to
of patient safety activities or through deliberations and analysis of information. Even though a PSO may not generate new patient safety work product after delisting, it may still possess patient safety work product, which must be kept confidential and be disposed of in accordance with requirements in Subpart B.

The proposed rule also described what is not patient safety work product, such as a patient’s original medical record, billing and discharge information, or any other original patient or provider record. Patient safety work product does not include information that is collected, maintained, or developed separately or exists separately from, a patient safety evaluation system. This distinction is made because these and similar records must be maintained by providers for other purposes.

The proposed rule also discussed that external reporting obligations as well as voluntary reporting activities that occur for the purpose of maintaining accountability in the health care system cannot be satisfied with patient safety work product. Thus, information that is collected to comply with external obligations is not patient safety work product. The proposed rule provided that such activities include: state incident reporting requirements; adverse drug event information reporting to the Food and Drug Administration (FDA); certification or licensing records for compliance with health oversight agency requirements; reporting to the National Practitioner Data Bank of physician disciplinary actions; or complying with required disclosures by particular providers or suppliers pursuant to Medicare’s conditions of participation or conditions of coverage.

The proposed rule also addressed the issue that external authorities may seek information about how effectively a provider has instituted corrective action following identification of a threat to the quality or safety of patient care. The Patient Safety Act does not relieve a provider of its responsibility to respond to such requests for information or to undertake or provide to external

patient safety work product, and it would be virtually impossible to keep such changes confidential.

Overview of Public Comments: Commenters raised a significant number of concerns regarding how information becomes patient safety work product under particular provisions of the definition.

Functional Reporting

We received significant feedback from commenters in support of recognizing alternative reporting methods. Most commenters agreed that an alternative reporting arrangement should be permitted to promote efficiency and relieve providers of the burden of continued transmission. Two commenters opposed permitting alternative reporting methods based on the concern that a shared resource may confuse clear responsibility for a breach of information and that a PSO that has access to a provider information system may also have access to patient records and similar information for which access may not be appropriate.

Most commenters rejected the suggestion that functional reporting should be limited to subsequent reports of information rather than allowing functional reports for the first report of an event. Commenters believed that such a limitation would inhibit participation and offset the benefits of allowing functional reporting. Commenters also believed such a limitation would create an artificial distinction between information that is initially and subsequently reported to a PSO. Some commenters believed that details regarding functional reporting are better left to agreement between the provider and PSO engaging in functional reporting. Two commenters did support restricting functional reporting to subsequent information, but did not provide any rationale or concern to support their comment.

No commenters identified additional requirements or criteria that should be imposed beyond a formal contract or agreement. Thus, the final rule permits functional reporting.

the concern regarding the status of information collected, but not yet reported to a PSO. Most commenters agreed with concerns raised by the Department that early protection could ease the burden on providers, preventing a race to report to a PSO. These commenters recommended that information be protected upon collection and prior to reporting. Protection during this time would permit providers to investigate an event and conduct preliminary analyses regarding causes of the event or whether to report information to a PSO. Many commenters were concerned that information related to patient safety events be protected at the same time the information is preserved for other uses. Some providers indicated that if duplication of information is required, providers may opt to not participate due to costs and burdens. Three commenters indicated that there should be no protection until information is reported to a PSO. One commenter was concerned that early protection may interfere with State reporting requirements because information needed to report to a State may become protected and unavailable for State reporting. Another commenter stated that earlier protection would not alleviate the concerns regarding protection prior to reporting.

Commenters provided a wide range of recommendations in response to when protection of information should begin prior to creation of patient safety work product. Commenters suggested that information be protected prior to reporting for as little as 24 hours from an event up to 12 months. Other commenters suggested that a timeframe be reasonable and based upon relevant factors such as the complexity of facts and circumstances surrounding an event.

State Reporting

One of the most significant areas of comment was how processes to create patient safety work product may operate alongside similar processes within a provider. Commenters were particularly concerned that information collected for
similar purposes, such as for reporting to a PSO and for reporting to a State health authority, would need to be maintained in separate systems, thereby increasing the burden on providers. The most significant comments received related to how information related to patient safety events may be protected at the same time the information is preserved for other uses. Some providers indicated that if duplication is required, provider may opt to not participate due to costs and burdens.

Earliest Time for Collection of Information

Few commenters responded to the request for comment on the earliest date information could be collected for purposes of reporting to a PSO, a requirement for information to become patient safety work product. Four commenters recommended that information collection be permitted back to the passage of the Patient Safety Act. Four commenters recommended that the earliest date of collection be dependent upon each provider’s good faith and intent to collect information for reporting to a PSO.

Final Rule: The Department adopts the proposed provision with some modification.

Functional Reporting

The Department recognizes the concerns raised by commenters regarding the functional reporting proposal, but believes the benefits outweigh the potential negative consequences; the relief of burden, and the flexibility that derives from not adhering to a narrow reading of the reporting requirement. First, we recognize that a provider and PSO engaging in this alternative method of reporting have an established relationship for the reporting of information and have spent some time considering how best to achieve a mutually useful and suitable reporting relationship. That relationship will necessitate consideration of what information is necessary and not necessary to achieve the purpose of reporting. Neither a provider nor a PSO is required to accept an alternative reporting mechanism. Further, providers continue to be under the same obligations to protect patient and other medical records from inappropriate access from others, including the PSO, without exception. Second, such a relationship should establish clearly the mechanism for control of information reported or to which the PSO will have access, and the scope of PSO authority to use the information. In addition, the assessment of liability should be addressed and need be no more complex than exists in provider settings today with shared resources and integrated services.

We agree with commenters that limitations regarding the initial or subsequent reporting of information are better left to the providers and PSOs engaging in the practice and that providers and PSOs should be permitted to design the appropriately flexible reporting mechanism befitting the circumstances of their practice setting. We further agree that additional limitations on the ability to use functional reporting are unwarranted, absent clear identification of risks or concerns to be addressed by further limitations.

For these reasons, we clarify that reporting of information to a PSO for the purposes of creating patient safety work product may include authorizing PSO access, pursuant to a contract or equivalent agreement between a provider and a PSO, to specific information in a patient safety evaluation system and authority to process and analyze that information, e.g., comparable to the authority a PSO would have if the information were physically transmitted to the PSO. We do not believe a formal change in the regulatory text is necessitated by this clarification.

When Is Information Protected

The Department recognizes that the Patient Safety Act’s protections are the foundation to furthering the overall goal of the statute to develop a national system for analyzing and learning from patient safety events. To encourage voluntary reporting of patient safety events by providers, the protections must be substantial and broad enough so that providers can participate in the system without fear of liability or harm to reputation. Further, we believe the protections should attach in a manner that is as administratively flexible as permitted to accommodate the many varied business processes and systems of providers and to not run afoul of the statute’s express intent to not interfere with other Federal, State or local reporting obligations on providers.

The proposed rule required that information must be reported to a PSO before the information may become patient safety work product under the reporting provision of the definition of patient safety work product. However, this standard left information collected, but not yet reported to a PSO, unprotected, a cause of significant commenter concern. This standard also might encourage providers to race to report information indiscriminately to obtain protection in situations where a report ultimately may be unhelpful, causing the expenditure of scarce resources both by a provider and a PSO to secure the information as patient safety work product. The proposed rule also may have caused some providers to choose between not participating or developing dual systems for handling similar information at increased costs.

We believe it is important to address the shortcomings of a strict reporting requirement through the following modification. The final rule provides that information documented as collected within a patient safety evaluation system by a provider shall be protected as patient safety work product. A provider would document that the information was collected for reporting to a PSO and the date of collection. The information would become patient safety work product upon collection. Additionally, a provider may document that the same information is being voluntarily removed from the patient safety evaluation system and that the provider no longer intends to report the information to a PSO, in which case there are no protections. If a provider fails to document this information, the Department will presume the intent to report information in the patient safety evaluation system to the PSO is present, absent evidence to the contrary.

We believe this modification addresses the concerns raised by the commenters. Protection that begins from the time of collection will encourage participation by providers without causing significant administrative burden. The alternative is a system that encourages providers to indiscriminately report information to PSOs in a race for protection, resulting in PSOs receiving large volumes of unimportant information. By offering providers the ability to examine patient safety event reports in the patient safety evaluation system without requiring that all such information be immediately reported to a PSO, and by providing a means to remove such information from the patient safety evaluation system and end its status as patient safety work product, the final rule permits providers to maximize organizational and system efficiencies and lessens the need to maintain duplicate information for different needs. Because documentation will be crucial to the protection of patient safety work product at collection, providers are encouraged to document their patient safety evaluation system. We note, however, that a provider should not place information into its patient safety evaluation system unless it
intends for that information to be reported to the PSO.

Although this approach substantially addresses commenter concerns, three issues do cause concern. First, because information may be protected back to the time of collection, providers are no longer required to promptly report information to a PSO to ensure protection. Although we believe this is an unavoidable result of the modification, we believe the likely impact may be rare because providers are likely to engage PSOs for their expertise which requires such reporting. Second, the requirement to document collection in a patient safety evaluation system and, potentially, removal from a patient safety evaluation system could be burdensome to a provider. However, we believe these are important requirements particularly in light of the enforcement role OCR will play. A provider will need to substantiate that information is patient safety work product, or OCR will be unable to determine the status of information potentially leaving sensitive information unprotected—or subjecting the provider to penalties for improperly disclosing patient safety work product. Third, the ability of a provider to remove information from a patient safety evaluation system raises concern that a provider may circumvent the intent of a provider employee to obtain protection for information when reporting to the provider’s patient safety evaluation system. For providers that engage in functional reporting, the concern is substantially mitigated because, under functional reporting, information is reported to a PSO when it is transmitted to the patient safety evaluation system to which the PSO has access, and, thus, protected. Alternatively, a provider employee may report as permitted directly to a PSO. Ultimately, this issue is to be settled between a provider that wishes to encourage reports that may not otherwise come to light and its employees who must be confident that reporting will not result in adverse consequences.

For these reasons, the Department modifies the definition of patient safety work product to include additional language in the first provision of the definition that protects information based upon reporting to a PSO.

State Reporting

To address commenter concerns about the duplication of resources for similar patient safety efforts and the lack of protection upon collection, we have clarified the requirements for how information becomes patient safety work product when reported to a PSO. Generally, information may become patient safety work product when reported to a PSO. Information may also become patient safety work product upon collection within a patient safety evaluation system. Such information may be voluntarily removed from a patient safety evaluation system if it has not been reported and would no longer be patient safety work product. As a result, providers need not maintain duplicate systems to separate information to be reported to a PSO from information that may be required to fulfill state reporting obligations. All of this information, collected in one patient safety evaluation system, is protected as patient safety work product unless the provider determines that certain information must be removed from the patient safety evaluation system for reporting to the state. Once removed from the patient safety evaluation system, this information is no longer patient safety work product.

Earliest Time for Collection of Information

The Department believes that a clear indication of a specific time when information may first be collected is beneficial to providers by reducing the complexity and ambiguity concerning when information is protected as patient safety work product. Although each provider collecting information for reporting to a PSO may need to support the purpose of information collection at the time of collection, such a standard may be overly burdensome. The Department agrees that information may have been collected for the purpose of reporting to a PSO beginning from passage of the Patient Safety Act. Information that existed prior to the passage of the Patient Safety Act may be subsequently collected for reporting to a PSO, but the original record remains unprotected. This clarification does not require any regulatory language change in the proposed rule.

What Is Not Patient Safety Work Product

We reaffirm that patient safety work product does not include a patient’s original medical record, billing and discharge information, or any other original patient or provider record; nor does it include information that is collected, maintained, or developed separately or exists separately from, a patient safety evaluation system. The final rule includes the statutory provision that prohibits construing anything in this Part from limiting (1) the discovery of or admissibility of information that is not patient safety work product in a criminal, civil, or administrative proceeding; (2) the reporting of information that is not patient safety work product to a Federal, State, or local governmental agency for public health surveillance, investigation, or other public health purposes or health oversight purposes; or (3) a provider’s recordkeeping obligation with respect to information that is not patient safety work product under Federal, State or local law. Section 921(7)(B)(iii) of the Public Health Service Act, 42 U.S.C. 299b–21(7)(B)(iii). The final rule does not limit persons from conducting additional analyses for any purpose regardless of whether such additional analyses involve issues identical to or similar to those for which information was reported to or assessed by a PSO or a patient safety evaluation system. Section 922(h) of the Public Health Service Act, 42 U.S.C. 299b–22(h).

Even when laws or regulations require the reporting of the information regarding the type of events also reported to PSOs, the Patient Safety Act does not shield providers from their obligation to comply with such requirements. These external obligations must be met with information that is not patient safety work product and oversight entities continue to have access to this original information in the same manner as such entities have had access prior to the passage of the Patient Safety Act. Providers should carefully consider the need for this information to meet their external reporting or health oversight obligations, such as for meeting public health reporting obligations. Providers have the flexibility to protect this information as patient safety work product within their patient safety evaluation system while they consider whether the information is needed to meet external reporting obligations. Information can be removed from the patient safety evaluation system before it is reported to a PSO to fulfill external reporting obligations. Once the information is removed, it is no longer patient safety work product and is no longer subject to the confidentiality provisions.

The Patient Safety Act establishes a protected space or system that is separate, distinct, and resides alongside but does not replace other information collection activities mandated by laws, regulations, and accrediting and licensing requirements as well as voluntary reporting activities that occur for the purpose of maintaining accountability in the health care system. Information is not patient safety work product if it is collected to comply with external obligations, such as: state incident reporting requirements;
adverse drug event information reporting to the Food and Drug Administration (FDA); certification or licensing records for compliance with health oversight agency requirements; reporting to the National Practitioner Data Bank of physician disciplinary actions; complying with required disclosures by particular providers or suppliers pursuant to Medicare’s conditions of participation or conditions of coverage; or provision of access to records by Protection and Advocacy organizations as required by law.

Response to Other Public Comments

Comment: One commenter in responding to questions about timing and early protection interpreted the timing concern to be an expiration of an allowed period of time to report, such that an event must be reported within a certain number of days or it may not become protected.

Response: As noted above, the timing issues in the final rule relate to when information may have been collected for reporting to a PSO. There is no expiration date for an event that would prohibit future protection of a report of it as patient safety work product so long as the protection of the information is pursuant to the final rule.

Comment: One commenter suggested that event registries may seek to become PSOs because the model is well positioned to allow for tracking and identification of patients that require follow-up.

Response: The Department recognizes that event registries may have particular benefits that may be helpful in the analysis of patient safety events, but we caution any holder of patient safety work product that future disclosure of patient safety work product must be done pursuant to the disclosure permissions. Thus, while it may be appropriate for event registries to identify and track patients who may require follow-up care, the final rule would generally not permit disclosure of patient safety work product to patients for such a purpose. Accordingly, while there may be benefits to an event registry becoming a PSO, a registry should take into consideration the limitations on disclosure of patient safety work product, and what impact such limits would have on its mission, prior to seeking listing.

Comment: Several commenters sought clarification whether information underlying analyses within a patient safety evaluation system was protected. One commenter suggested that data used to conduct an analysis should be protected at the same time as the analysis.

Response: As indicated in the definition of patient safety work product, information that constitutes the deliberation or analysis within a patient safety evaluation system is protected. Information underlying the analysis may have been either reported to a PSO and protected or collected in a patient safety evaluation system. Information documented as collected within a patient safety evaluation system is protected based on the modification to the definition of patient safety work product. Thus, information underlying an analysis may be protected. However, underlying information that is original medical records may not be protected if it is excluded by the definition of patient safety work product.

Comment: Two commenters raised concerns that PSOs do not have discretion regarding the receipt of unsolicited information reported to PSOs from providers. One commenter was concerned about the burden on a PSO receiving unsolicited reports and the obligation a PSO may have regarding unsolicited reports. Another commenter was concerned that unsolicited reports may be materially flawed or contain incorrect information.

Response: The Department does not agree that this is a major issue for PSOs or that PSOs need some regulatory ability to reject reported information. If a PSO receives information from a provider that was collected by that provider for the purposes of sending to a PSO, then the information is patient safety work product. PSOs may use or analyze the information, but must protect it as patient safety work product and dispose of the information properly. However, there is no requirement that a PSO maintain or analyze the information. For these reasons, we do not modify the proposed rule position regarding these issues.

Comment: Some commenters were concerned that recommendations of PSOs may be treated as a standard of care. Commenters recommended that recommendations from PSOs be protected as patient safety work product.

Response: The Department stated in the proposed rule that PSO recommendations are patient safety work product, but the changes undertaken by a provider based upon a PSO’s recommendations are not patient safety work product. With respect to the concern that PSO recommendations may establish a standard of care, the issue is not within the scope of the Patient Safety Act and not appropriate for the regulation to address. Generally, the establishment of a standard of care is a function of courts and entities that have jurisdiction over the issue for which a standard of care is relevant. The introduction of patient safety work product as information that may help establish a standard of care is highly unlikely given the limited disclosure permissions. For these reasons, we make no modifications in the final rule.

Comment: Several commenters raised concerns about the distinction between original documents and copies of original documents. One commenter stated that it was an artificial distinction in an electronic environment.

Response: The Patient Safety Act and the final rule distinguish certain original records from information collected for reporting to a PSO. Because information contained in these original records may be valuable to the analysis of a patient safety event, the important information must be allowed to be incorporated into patient safety work product. However, the original information must be kept and maintained separately to preserve the original records for their intended purposes. If the information were to become patient safety work product, it could only be disclosed pursuant to the confidentiality protections.

Comment: One commenter was concerned that information collected for reporting to a PSO may be the same information providers collect for reporting to a state regulatory agency. The commenter suggested that protections should only attach to information after state-mandated reporting requirements have been fulfilled. The commenter was concerned that the confidentiality protections may impede state data collection, surveillance and enforcement efforts. A separate commenter requested clarification that if patient safety work product is reported under a state mandated incident reporting system, the patient safety work product continues to be protected.

Response: The final rule is clear that providers must comply with applicable regulatory requirements and that the protection of information as patient safety work product does not relieve a provider of any obligation to maintain information separately. The Department believes that some providers, such as hospitals, have been operating in similar circumstances previously when conducting peer review activities under state peer review law protections. For patient safety work product to be disclosed, even to a State entity, the discloser must have an applicable disclosure permission. While the Patient Safety Act does not preempt state laws that require providers to report
information that is not patient safety work product, a State may not require that patient safety work product be disclosed.

Comment: One commenter advised that the final rule should build on existing infrastructure for reporting and examination of patient safety events to minimize duplication of resources and maximize existing efforts.

Response: The Department has modified the proposed rule to address the potential issue of duplicated resources by allowing providers the flexibility to collect and review information within a patient safety evaluation system to determine if the information is needed to fulfill external reporting obligations as addressed above. The Department recognizes the high costs of health care, both in dollars and in the health of individuals. The final rule establishes a workable and flexible framework to permit providers that have mature patient safety efforts to fully participate as well as for providers with no patient safety activities to be encouraged to begin patient safety efforts.

Comment: One commenter asked whether multiple PSOs can establish a single reporting portal for receiving reports from providers.

Response: The final rule does not address procedures regarding how a PSO receives information. Providers must meet any requirements regarding sharing information that is protected health information, such as the HIPAA Privacy Rule, in any circumstances when reporting information to a PSO or joint PSO portal.

Comment: Several commenters asked whether retrospective analyses could be included as patient safety work product.

Response: The final rule permits any data, which is a term that is broadly defined and would include retrospective analyses, to become patient safety work product. The fact that information was developed prior to the collection for reporting to a PSO does not bar a provider from reporting an analysis to a PSO and creating patient safety work product. Providers should be cautioned to consider whether there are other purposes for which an analysis may be used to determine whether protection as patient safety work product is necessary or warranted. Further, the definition of patient safety work product is clear that information collected for a purpose other than for reporting to a PSO may not become patient safety work product only based upon the reporting of that

Patient Safety Act, may become protected as a copy, but the original document remains unprotected.

(J) Section 3.20—Definition of Provider

Proposed Rule: Proposed § 3.20 would have divided the meaning of provider into three categories. The first paragraph included "an individual or entity licensed or otherwise authorized under State law to provide health care services, including" and this introductory language was followed by a list of institutional health care providers in subparagraph (1) and a list of individual health care practitioners in subparagraph (2). The preamble indicated that these statutory lists were illustrative.

Under the Secretary’s authority to expand the list of providers in the statutory definition, the proposed rule would have added two categories to the list of providers. The second paragraph would have covered agencies, organizations, and individuals within Federal, State, local, or Tribal governments that deliver health care, the contractors these entities engage, and individual health care practitioners employed or engaged as contractors by these entities. We included this addition because public health care entities and their staff are not always authorized or licensed by state law to provide their services and, therefore, might not be included within the terms of the original statutory definition.

The third paragraph would have included a parent organization that has a controlling interest in one or more entities described in paragraph (1)(i) of this definition or a Federal, State, local, or Tribal government unit that manages or controls one or more entities described in (1)(i) or (2) of this definition. This addition was intended to permit the parent organization of a health care provider system to enter a system-wide contract with a PSO. The parent of a health system also may not be licensed or authorized by state law to provide health care services as required by the statutory definition.

Overview of Public Comments: There were a number of comments with respect to the entities and individuals that are identified as providers in the subparagraphs of paragraph (1). For example, one commenter sought clarification that "assisted living residential care and other community based care" providers are included in the broader term "long term care facilities" as identified in the list of covered providers. A number of other

medical product vendors, pharmaceutical companies, medical device manufacturers, risk retention groups, and captive professional liability insurance companies that are controlled by risk retention groups.

There was general support for the inclusion of parent organizations of private and public sector providers in paragraph (3), although two commenters disagreed. One commenter argued that naming the parent organization as a provider suggested a "one size fits all" solution and suggested that eligibility should be linked to whether the parent organization is involved in the patient safety evaluation system for its subsidiaries. Other commenters, while not objecting, worried that this addition could open the door for organizations such as health insurance issuers, including Health Maintenance Organizations, regulatory and accrediting entities to qualify as component PSOs. One commenter suggested that by using the phrase "controlling interest" with respect to private sector parent organizations, the focus of this part of the proposed paragraph was inappropriately narrow, appearing to emphasize a corporate parent, and that the language needed to reflect a broader array of potential parent organizations, such as partnerships or limited liability companies.

Several commenters expressed concern that by encompassing entities that are not traditionally providers, under HIPAA or other rules, our definition of "provider" would lead to confusion. One commenter suggested it would be appropriate for the commentary accompanying the final rule to address the two terms, emphasize the differences, and clarify the obligations.

Final Rule: We have modified the definition of provider in the final rule in response to several comments. The first modification is a non-substantive substitution of the term behavioral health for behavior health. In response to the comments we received and to ensure clarity, we reiterate what we stated in the proposed rule that a list preceded by "including" is an illustrative list, not an exhaustive list.

In general, the question of whether any private sector individual or entity, such as assisted living residential care and other community-based care providers, comes within the rule’s meaning of "provider" is determined by whether the individual or entity is licensed or otherwise authorized under
information to a PSO. Such information, individual commenters each identified state law to deliver health care services.
particularly information collected or entities that the Secretary should We note that paragraphs (2) and (3) of
developed prior to the passage of the include in the definition of providers: the definition address public sector

providers and parent organizations of health care providers.

We have not adopted any of the other recommendations for additions to the list of providers. The statute provides confidentiality and privilege protections for reporting by individuals and entities that actually provide health care services to patients. In our view, it was not intended to apply to those who manufacture or supply materials used in treatments or to entities that provide fiscal or administrative support to those providing health care services.

With respect to paragraph (3) of the definition, the use of the term parent organization here should conform to our definition of ‘‘parent organization’’ above. Therefore, we have streamlined the language, deleting unnecessary text that might suggest that we were applying a different definition.

The Department does not share the concerns of commenters that incorporating a broader definition of ‘‘provider’’ in this rule will cause confusion in the marketplace, because its use will be limited. The application of the term ‘‘provider’’ in this rule is intended to give the full range of health care providers the ability to report information to, and work with, PSOs and receive confidentiality and privilege protections as set forth in the Patient Safety Act and this rule. Although we appreciate the administrative benefits of uniformity, and have tried to maximize the consistency or interoperability of this rule with the HIPAA Privacy and Security Rules, it would not be appropriate in this rule to adhere to any less inclusive definition of provider used in other regulations.

We did not condition the designation of provider status for a parent organization on its involvement in a patient safety evaluation system. We expect that most parent organizations will, in fact, be a part of a system-wide patient safety evaluation system if they choose to pursue PSO services. However, establishing such a requirement now, when it is unclear what types of innovative arrangements and effective strategies might emerge, might prove more detrimental than helpful.

Response to Other Public Comments

Comment: One commenter raised concerns that paragraph (2) may not include Indian tribes that operate or contract for their own health care systems under the Indian Self-Determination and Education Assistance Act (ISDEAA), rather than relying upon the Indian Health Service.

Response: Tribal organizations carrying out self-determination contracts or compacts under the ISDEAA to deliver health care fall squarely within paragraph (2) of the definition of provider because they are organizations engaged as contractors by the Federal government to deliver health care. Additionally, the workforce of a provider covered under the rule, by definition, includes employees, volunteers, trainees, contractors, and other persons, whether or not paid by the provider, that perform work under the direct control of that provider. Federal employees detailed to a tribe or Tribal organization carrying out an ISDEAA contract would be covered under paragraph (2) in the definition of provider, even if they were not part of the Tribal organization’s workforce. Therefore, no change is needed in response to this comment.

B. Subpart B—PSO Requirements and Agency Procedures

Proposed Subpart B would have set forth requirements for Patient Safety Organizations (PSOs) including the certification and notification requirements that PSOs must meet, the actions that the Secretary may and will take relating to PSOs, the requirements that PSOs must meet for the security of patient safety work product, the processes governing correction of PSO deficiencies, revocation, and voluntary relinquishment, and related administrative authorities and implementation responsibilities. The requirements of the proposed Subpart would have applied to entities that seek to be listed as PSOs, PSOs, their workforce, a PSO’s contractors when they hold patient safety work product, and the Secretary.

The proposed rule did not require a provider to contract with a PSO to obtain the protections of the Patient Safety Act; however, we noted that we anticipate that most providers would enter into contracts with PSOs when seeking the confidentiality and privilege protections of the statute. We proposed to enable a broad variety of health care providers to work voluntarily with entities that would be listed as PSOs by the Secretary based upon their certifications that, among other things, state that they have the ability and expertise to carry out the broadly defined patient safety activities of the Patient Safety Act and, therefore, to serve as consultants to eligible providers to improve patient care. In accordance with the Patient Safety Act, the proposed rule set out an attestation-based process to qualify for 3-year renewable periods of listing as a PSO. Proposed Subpart B attempted to minimize regulatory burden, while fostering transparency to enhance the ability of providers to assess the strengths and weaknesses of their choice of PSOs.

We proposed a security framework pertaining to the separation of data and systems and to security management, control, monitoring, and assessment. Thus, each PSO would address the framework with standards it determines appropriate to the size and complexity of its organization. We proposed additional requirements to ensure that a strong firewall would be maintained between a component PSO and the rest of the organization(s) of which it is a part.

We noted that we expect to offer technical assistance and encourage transparency wherever possible to promote implementation, compliance, and correction of deficiencies. At the same time, this proposed Subpart established processes that would permit the Secretary promptly to revoke a PSO’s certification and remove it from listing, if such action proves necessary.

1. Section 3.102—Process and Requirements for Initial and Continued Listing of PSOs

Proposed Rule: The proposed rule in § 3.102 addressed the eligibility of, and the processes and requirements for, an entity seeking a three-year period of listing by the Secretary as a PSO and described the timing and requirements of notifications that a PSO must submit to the Secretary during its period of listing. The proposed rule described our intention to minimize barriers to entry for entities seeking listing and create maximum transparency to create a robust marketplace for PSO services. The Patient Safety Act set forth limited prerequisites that must be met to be listed by the Secretary as a PSO, which the regulation incorporates. The Department expects that providers will be the ultimate arbiters of the quality of services that an individual PSO provides.

Overview of Public Comments: The following discussion focuses on the broad comments we received concerning our overall approach to initial and continued listing of PSOs. These comments do not address specific provisions of the proposed rule. Public comments that address specific provisions of § 3.102 are addressed in the individual subsection discussions that follow. Questions and situation-specific comments are addressed below under the heading of ‘‘Response to Other Public Comments.’’

The Department received generally favorable comment on our proposed approach in this section, which
emphasizes a streamlined certification process, and public release of documentation submitted by PSOs whenever appropriate. There were, however, two broad sets of concerns expressed about our overall approach.

The first concern related to the potential number of PSOs that might be listed by the Secretary as a result of the Department’s proposed ‘‘ease of entry’’ approach. These comments focused on the importance of PSOs being able to aggregate significant amounts of data across multiple providers to develop meaningful analyses. Noting that patient safety events are often rare events, one commenter noted that in some cases it may be necessary to aggregate data for an entire state in order to develop insights regarding the underlying causes of such events. Another commenter noted that if every hospital in the state established its own component PSO, the potential impact of PSO analyses could be minimal. Because most PSOs will be dependent upon revenue from providers submitting data, one commenter worried that too many PSOs could also affect the ability of individual PSOs to obtain adequate funding to perform their analytic functions and to implement potentially costly security requirements.

These concerns led some commenters to suggest inclusion in the final rule of a limitation on the number of PSOs that the Secretary would list. One commenter asked whether it would be possible for the Department to list one national PSO, noting this could improve efficiency for providers. Another commenter suggested listing of 2–4 PSOs per state using a competitive process or limiting the number of PSOs by increasing the number of required provider contracts that each PSO must have. Most commenters who favored limiting the number of listed PSOs did not suggest a specific approach.

A second broad set of recommendations focused on the need for periodic or ongoing evaluation of the effectiveness of PSOs that could be linked to, or be separate from, the evaluation of certifications for continued listing. Some commenters recommended that the Department routinely collect information from PSOs to evaluate whether the individual and collective work of PSOs is actually reducing medical errors and improving the quality of care that is delivered. One commenter stressed the importance of establishing in the final rule expectations related to PSO performance and demonstrated results and provided draft language for inclusion in the final rule.

Final Rule: The Department has not modified the approach taken in the proposed rule in response to these comments. With respect to limiting the number of PSOs that are listed by the Secretary, the statutory language is clear that any entity, public or private, that can meet the stated requirements is eligible for listing by the Secretary. While the Department understands the concerns of the commenters that a very large number of PSOs could frustrate the statutory goal of data aggregation across multiple providers, we believe that this scenario is unlikely for several reasons.

First, a provider does not need to shoulder the financial burden alone to support a full-time PSO. Providers enjoy the same protections under the Patient Safety Act when they contract with an independent PSO or when they create a component organization to seek listing as a PSO. A provider that establishes a working relationship with a PSO can have a division of labor between the analyses that its staff undertakes in-house within its patient safety evaluation system and the tasks it assigns to the PSO. In both circumstances, the statutory protections apply. Thus, for a provider, establishing its own PSO is an option, not a necessity.

Second, there are important insights into patient safety that can only be derived from aggregating data across multiple providers. Given the low frequency of some patient safety events, even larger health systems are likely to derive additional benefits from working with PSOs that have multiple and, potentially, diverse clients.

A final limiting factor is the shortage of personnel who are well-trained or experienced in the use of the methodologies of patient safety analyses. While the marketplace will respond to the need for the development of additional training and certification programs, the availability of highly-skilled staff will be a constraining factor initially. In combination, these three factors should provide a natural constraint on the number of single-provider PSOs.

Regarding the other general set of comments related to the listing process, the Department has considered these suggestions and has determined not to incorporate in the final rule requirements for an ongoing evaluation process or the routine collection of data from PSOs. PSOs are not a Federal program in the traditional sense. Most significantly, they are not Federally funded. Their project goals, priorities, and the specific analyses that they undertake are not Federally directed. The value and impact of an individual PSO will be determined primarily by the providers that use its services on an ongoing basis.

It is unclear at this point how providers will choose to use PSOs. Only with experience will it become clear which analyses a provider will choose to undertake in its own patient safety evaluation system and which analyses a provider will rely upon a PSO to undertake. The mix and balance of activities between a provider’s patient safety evaluation system and its PSO (or PSOs) will undoubtedly shift over time as the working relationships between providers and PSOs evolve toward greater efficiency. Thus, we remain convinced that providers are in the best position to assess the value of a PSO and its ability to contribute to improving the quality and safety of patient care.

Response to Other Public Comments

Comment: While contracts are not required between PSOs and providers to obtain protections, the Department stated that it anticipates most providers will enter contracts with providers. In light of this expectation, one commenter urged the Department to develop and make available a model contract.

Response: We do not think a model contract can be developed easily. The issues that need to be addressed will vary significantly based upon the nature of the relationship. Therefore, we do not expect to be developing and releasing a model contract.

Comment: One commenter suggested that the final rule should explain how AHRQ will publish the results from which providers and others can evaluate a PSO before entering a contract.

Response: For the reasons discussed above, AHRQ will not require or release PSO-specific performance information.

Comment: One commenter suggested that AHRQ should ensure that PSOs should not be able to make commercial gain from the knowledge it derives as a PSO.

Response: The statute permits all types of private and public entities to seek listing as a PSO; it does not limit private entities to not-for-profits. The final rule mirrors that formulation. The Department concludes that the statute does not invite us to impose such restrictions and expects that providers’ decisions will determine the acceptability of for-profit PSOs.

Comment: One commenter suggested that providers should only be permitted to submit data to one PSO.

Response: The Patient Safety Act’s framework for PSO-provider relationships is voluntary from a public policy perspective. In our view, it
would be inconsistent with section 922(e)(1)(B) of the Public Health Service Act for the Department or any entity to use the authority of law or regulation to limit or direct provider reporting.

Comment: One commenter suggested that the final rule should require PSOs to share aggregated, non-identifiable patient safety work product with state regulatory authorities.

Response: The Department does not agree that it is appropriate to place such an unfunded mandate upon PSOs.

Comment: One commenter stated that it is a waste of effort and expense to create new government entities to work with providers when current organizations can do that just as well. The commenter also asked whether anyone has estimated the 10-year costs.

Response: As this final rule makes clear, these entities are not government entities and will not receive Federal funding. While we expect implementation will spur the development of new entities, we also expect that existing entities will be able to expand their current patient safety improvement efforts if they seek listing and are able to offer the confidentiality and privilege protections provided by the Patient Safety Act. While we have not done a 10-year cost estimate, our regulatory impact statement at the end of the preamble projects net savings of $76 to $92 million in 2012, depending upon whether the net present value discount rate is estimated at 7% or 3%.

(A) Section 3.102(a)—Eligibility and Process for Listing

Proposed Rule: Section 3.102(a) of the proposed rule would have provided that, with several exceptions discussed below, any entity—public or private, for-profit or not-for profit—that can meet the statutory and regulatory requirements may seek initial or continued listing by the Secretary as a PSO. The Department proposed to establish a streamlined certification process for entities seeking initial or continued listing that relied upon attestations that the entities met statutory and regulatory requirements. To foster informed provider choice, entities were encouraged, but would not be required, to post narratives on their respective Web sites that explained how each entity intended to comply with these requirements and carry out its mission.

The proposed rule incorporated a statutory prohibition that precludes a health insurance issuer and a component of a health insurance issuer from becoming a PSO. The Department also proposed to exclude any entity, public or private, that conducts regulatory oversight of health care providers, which included organizations that accredit or license providers. We proposed this restriction for consistency with the statute, which seeks to foster a ‘‘culture of safety’’ in which health care providers are confident that the patient safety events that they report will be used for learning and improvement, not oversight, penalties, or punishment. The proposed rule would permit a component organization of such an entity to seek listing as a PSO. To ensure that providers would know the parent organizations of such PSOs, we proposed that certifications include the name(s) of its parent organization(s), which the Secretary would release to the public. We sought comment on whether we should consider broader restrictions on eligibility.

The proposed rule would permit a delisted entity, whether delisted for cause or because of voluntary relinquishment of its status, subsequently to seek a new listing as a PSO. To ensure that the Secretary would be able to take into account the history of such entities, we proposed such entities submit this information with their certifications for listing.

Overview of Public Comments: The Department received generally favorable comments on our proposal to adopt a streamlined attestation-based approach to initial listing of PSOs. A number of commenters expressed concern about our attestation-based approach, however, arguing for a more in-depth assessment to ensure that an entity had the capability to carry out its statutory and regulatory responsibilities and meet the patient safety objectives of the statute. Some believed that the private marketplace is not necessarily well-equipped to judge which organizations can most effectively meet these requirements. Arguing that one misguided or fraudulent organization could taint the entire enterprise for years, a few commenters suggested that we require interested organizations at initial listing to submit documentation of their ability to meet their statutory and regulatory responsibilities.

Most commenters who urged a stronger approach to the evaluation of certifications for listing acknowledged the value of an expedited process for initial listing and instead focused their recommendations on the importance of creating a more rigorous process for continued listing. A common recommendation was to require, in addition to the proposed certifications for continued listing, that a PSO be required to submit documentation that described in detail how it is complying with the requirements underlying its certifications and urged the Department to arrange for independent review of such documentation, coupled with an audit process that would ensure compliance.

The comments we received were supportive of including a requirement that entities certify whether there is any relevant history regarding delisting about which the Secretary needs to be aware. Several commenters suggested that the entity seeking to be relisted should be required to include reason(s) for any prior delisting. Another suggestion was that the Secretary should have discretion in relisting an entity not to release the names of officials who had positions of responsibility in a previously delisted entity.

The proposed restrictions on eligibility engendered considerable comment. With respect to the statutory restriction on health insurance issuers, concerns and questions were raised regarding whether the exclusion applied to self-insured providers or malpractice liability insurers and whether health systems that include a subsidiary that is a health insurance issuer could establish a component PSO.

We received a significant level of comment regarding our proposed restriction on listing of regulatory oversight bodies. While the majority of commenters supported the proposed exclusion, some commenters took issue with various aspects of our proposal. Commenters engaged in accreditation activities generally criticized our characterization of these activities as regulatory. They pointed out that the proposed rule did not take into account the distinction between voluntary and mandatory accreditation and, in their view, most accreditation was voluntary. They also noted that accreditation activities were initially developed to ensure the quality and safety of patient care and that accreditation entities, unlike licensure agencies, have greater discretion in addressing any problems that they identify with a provider’s operations in a non-punitive way. For these commenters, accreditation activities were not inconsistent with fostering a ‘‘culture of safety.’’ By contrast, most provider comments supported the exclusion, and singled out accreditation entities as warranting exclusion.

State health departments and state-created entities expressed concern about an outright prohibition on their being listed as PSOs, noting that the prohibition could disrupt effective patient safety initiatives now underway. A number of specific state-sanctioned patient safety initiatives were described in their submissions. Commenters
pointed to the fact that state health departments have both regulatory and non-regulatory elements to their authority, have routinely demonstrated that they can effectively keep these elements separate, and thus, they saw no reason for the Department to doubt that state agencies could continue to do so effectively if they were permitted to operate PSOs.

Other commenters suggested extending the prohibition to other types of entities (such as purchasers of health care or agents of regulatory entities) and raised questions regarding the scope of the exclusion.

We received a significant number of comments in response to a specific question raised in the proposed rule whether the exclusion of regulatory entities should be extended to components of such organizations. Commenters that supported extension of the prohibition generally argued that the firewalls that the statute requires a component PSO to maintain between itself and its parent organization(s) could be circumvented, that the flexibility in the proposed rule to enable a component PSO to draw upon the expertise of its parent organization(s) would be inappropriate in this situation, and there was a significant possibility that such a parent organization could use its position of authority to attempt to coerce providers into reporting patient safety work product to its component PSO.

A majority of commenters, however, opposed expanding the exclusion to components of such regulatory organizations. They contend that the statutorily required separations between a component PSO and its parent organization(s) would provide adequate protection against improper access and adverse use of confidential patient safety work product by the excluded entities with which such a component PSO is affiliated. A number of commenters noted that an expansion of the exclusion to components of such entities would have unintended consequences. For example, an increasing number of medical specialty societies operate, or are in the process of developing, accreditation programs for their members in response to growing public and private sector pressure for quality improvement. These organizations see the creation of specialty-specific component PSOs as an important complement to their other quality improvement activities. Similarly, some commenters contend that widespread patient safety improvements require coordination and communication across the public and private sectors. These commenters argued that a broader exclusion could both disrupt existing, effective public sector patient safety initiatives and preclude opportunities for the public sector to play a meaningful role.

Many commenters that opposed extending the exclusion to component organizations nevertheless suggested additional restrictions to strengthen the separation of activities between component PSOs and these types of parent organizations. Their suggestions are discussed below with respect to § 3.102(c).

Final Rule: The Department considered whether to modify the attestation process either for initial or continued listing of PSOs or both but ultimately concluded that streamlined attestations should be retained for both. Given the voluntary, unfunded nature of this initiative and the centrality of the client-consultant paradigm of provider-PSO relationships, an approach that requires documentation and routine audits is likely to be costly and burdensome, both to entities seeking listing and the Department. More importantly, such an approach is unlikely to achieve its intended objective, for the reasons discussed below.

There are limitations of a documentation approach to ensuring the capabilities and compliance of PSOs with the requirements for listing, and such an approach is unlikely to yield the types of information that providers will need in selecting a PSO. Consider, for example, two of these requirements: the criterion that requires that a PSO have qualified staff, including licensed or certified medical professionals, and the patient safety activity that requires the provision of feedback to participants in a (provider’s) patient safety evaluation system. Documentation, through submission of resumes or summaries of the credentials of professional staff, can demonstrate that the PSO meets the statutory requirement. What each provider really needs to assess, however, is whether the skill sets of the professional staff employed by or under contract to the PSO are an appropriate match for the specific tasks that led the provider to seek a PSO’s assistance. Depending upon the analytic tasks, a provider may need expertise that is setting-specific, e.g., nursing homes versus acute care settings, technology-specific, specialty-specific, or, may require expertise outside the traditional scope of health care. Thus, there is not a single template against which the expertise of a PSO’s professional staff can be judged. In addition, we anticipate that PSOs seeking additional clients (providers) will post on their websites, or otherwise advertise, the names and qualifications of their top staff experts and consultants. Their Web site locations will be on the AHRQ PSO Web site.

Similarly, documentation can demonstrate that a PSO has provided feedback to participants in a provider’s patient safety evaluation system and thereby met the statutory requirement. But the most relevant questions are whether the feedback reflected a valid analysis of the provider’s patient safety work product and existing scientific knowledge, and whether the feedback was framed in ways that made it understandable, ‘‘actionable,’’ and appropriate to the nature of the provider’s operation. The answers to these questions cannot be assessed by the Department readily through the listing process.

As a result, in many cases, the provider-client, rather than the Department, will be better able to determine whether the outcomes of a PSO’s conduct of patient safety activities meet its needs in a meaningful way. The Department believes that providers, especially institutional providers, will have access to the expertise to make them especially sophisticated customers for PSO services. Providers are likely to assess very carefully the capabilities of a PSO and will be in a position to request appropriate documentation, if necessary, to assess a PSO’s ability to meet their specific requirements. Therefore, the Department does not see a compelling public policy rationale for substituting its judgment for that of a provider. Providers can demand references and evidence of relevant accomplishments, and effectively evaluate the adequacy and suitability of a PSO’s expertise and experience. In summary, a listing process that imposes documentation and audit requirements on each PSO will impose a significant burden on all parties, but yield only marginally useful information to prospective clients.

Accordingly, we believe the approach outlined in the proposed rule offers a more efficient and effective approach. The approach does include authority for spot-checking compliance outlined in § 3.110, responding to complaints or concerns, and enabling the Secretary, in making listing decisions (see § 3.104(b)), to take into consideration the history of an entity and its key officials and senior managers. This approach will be buttressed with a program of technical assistance for PSOs administered by AHRQ. In addition, the final rule incorporates a new expedited revocation process that can be used when the
Secretary determines that there would be serious adverse consequences if a PSO were to remain listed. False statements contained in a PSO’s submitted certifications can result in a loss of listing or other possible penalties under other laws.

For convenience and clarity, we have restructured § 3.102(a)(1) to provide a unified list of the certifications and information that an entity must submit for listing as a PSO. Sections 3.102(a)(1)(i) through 3.102(a)(1)(vii) set forth and cross-reference the requirements of the final rule. Two of these requirements are new. Section 3.102(a)(1)(iv) cross-references the additional requirements in § 3.102(c)(1)(ii) that components of entities that are excluded from listing must meet in order for such components to be listed. Section 3.102(a)(1)(v) incorporates our proposal, for which comments were supportive, to require disclosure to the Secretary if the entity seeking listing (under its current name or another) has ever been denied listing or delisted or if the officials or senior managers of the entity now seeking listing have held comparable positions in a PSO that the Secretary delisted or refused to list.

We have not adopted recommendations that we require explanations for the historical situations encompassed by § 3.102(a)(1)(v). Instead, we require that the name(s) of any delisted PSO or of any entity that was denied listing be included with the certifications. The Department can then search its records for background information. In response to concerns regarding public disclosure of the names of the officials or senior managers that would trigger the notification requirement, we do not require submission of the names of the individuals with the certifications. With respect to the workforce of the entity, we note that we have narrowed the requirement in two ways. First, we have narrowed the focus from ‘‘any’’ employee to officials and senior managers. Second, the requirement to disclose only applies when officials or senior managers of the entity seeking listing also held comparable positions of responsibility in the entity that was delisted or refused listing.

Restructured § 3.102(a)(2) retains the statutory exclusion from listing of health insurance issuers and components of health insurance issuers in subparagraph (i). For greater clarity, we have restated the exclusion to reflect the rule’s definition of component so it now references: a health insurance issuer; a unit or division of a health insurance issuer; or an entity that is owned, managed, or controlled by a health insurance issuer. New subparagraph (ii) modifies and restates the exclusion from listing of any entity that: (1) Accredits or licenses health care providers; (2) oversees or enforces statutory or regulatory requirements governing the delivery of health care services; (3) acts as an agent of a regulatory entity by assisting in the conduct of that entity’s oversight or enforcement responsibilities vis-a-vis the delivery of health care services; or (4) operates a Federal, State, local or Tribal patient safety reporting system to which health care providers (other than members of the entity’s workforce or health care providers holding privileges with the entity) are required to report information by law or regulation.

In reviewing the comments on the proposed regulatory exclusion, we did not find the arguments for narrowing the prohibition compelling. Almost every provider group expressed concern regarding the possible operation of PSOs by entities that accredit or license providers as well as possible operation of PSOs by regulatory entities. We share their concerns that entities with the potential to compel or penalize provider behavior cannot create the ‘‘culture of safety’’ (which emphasizes communication and cooperation rather than a culture of blame and punishment) that is envisioned by the statute.

We also concluded that it is difficult to draw a ‘‘bright-line’’ distinction between voluntary and mandatory accreditation as several of the commenters from accreditation organizations proposed. While most accreditation is technically voluntary from the standpoint of many accreditation entities, its mandatory aspect generally derives from requirements established by, or its use by, other entities such as payers. Thus, if we were to incorporate such a distinction that permitted the listing of organizations that provide voluntary accreditation today, its voluntary nature could disappear over time if other organizations mandated use of its accreditation services. Thus, a listed PSO might need to be delisted at some point in the future solely because of the actions of a third party mandating that organization’s accreditation as a requirement. Therefore, we have retained the prohibition on accreditation and licensure entities and have not incorporated any distinctions regarding voluntary versus mandatory accreditation in the final rule. We have reformulated the exclusion and no longer include accreditation or licensure activities as examples of regulatory activities.

Similarly, we have retained the broad exclusion from listing of regulatory entities, by which we mean public or private entities that oversee or enforce statutory or regulatory requirements governing the delivery of health care services. Their defining characteristic is that these entities have the authority to discipline institutional or individual providers for the failure to comply with statutory or regulatory requirements, by withholding, limiting, or revoking authority to deliver health care services, by denying payment for such services, or through fines or other sanctions.

We consider entities with a mix of regulatory and non-regulatory authority and activities also to be appropriately excluded from being listed. We acknowledge that health departments and other entities with regulatory authority may undertake a mix of regulatory and non-regulatory functions. It may also be true, as several comments reflected, that state health departments have experience, and a track record, for maintaining information separately and securely from the regulatory portions of their operations when necessary. However, we note that the final rule retains the proposed approach not to regulate uses of patient safety work product within a PSO. However, the final rule retains the ability of a state health department to establish a component organization that could seek listing as a PSO, subject to the additional restrictions discussed in § 3.102(c) below. The benefit of this approach is that providers will have the reassurance that the penalties under the Patient Safety Act and the final rule will apply to any impermissible disclosures of patient safety work product from such a PSO to the rest of the state health department.

We have not included the proposal of several commenters to exclude purchasers of health care from becoming PSOs. Commenters did not suggest a compelling public policy case for the exclusion of any particular type of purchasers. Given the vagueness and potential scope of such a prohibition, the potential for unintended consequences is simply too great to warrant its inclusion. For example, health care institutions in their role as employers can also be considered purchasers of health care.

We have incorporated two additional exclusions. First, based upon recommendation from commenters, we exclude from listing entities that serve as the agents of a regulatory entity, e.g. by conducting site visits or investigations for the regulatory entity.

While we understand that such agents generally do not take action directly against providers, their findings or recommendations serve as the basis for potential punitive actions against providers. As a result, we believe that the rationale we outlined in the proposed rule regarding the exclusion of regulatory bodies is also applicable to agents of regulatory entities helping to carry out these regulatory functions.

Second, as we considered comments seeking clarification on the eligibility of entities that operate certain mandatory or voluntary patient safety reporting systems to seek listing as PSOs, we concluded that mandatory systems, to which some or all health care providers are required by law or regulation to report patient safety information to a designated entity, were inconsistent with the voluntary nature of the activities which the Patient Safety Act sought to foster. However, this exclusion does not apply to mandatory reporting systems operated by Federal, State, local or Tribal entities if the reporting requirements only affect their own workforce as defined in § 3.20 and health care providers holding privileges with the entity. The exception is intended to apply to Federal, State, local or Tribal health care facilities in which the reporting requirement applies only to its workforce and health care providers holding privileges with the facility or health care system. This exception ensures that, with respect to eligibility for listing as a PSO, entities that administer an internal patient safety reporting system within a public or private section health care facility or health care system are treated comparably under the rule and would be eligible to seek listing as a PSO.

The final rule retains the ability of components of the four categories of excluded entities in § 3.102(a)(2)(ii) to seek listing as a component PSO. After careful review, the Department concluded that there was a significant degree of congruence in the concerns expressed by both proponents and opponents of extending the exclusion to such components. The opponents of extending the exclusion routinely suggested that the Department address their core concerns by adopting additional protections, rather than the blunt tool of a broader exclusion. We have adopted this approach, and we have incorporated in § 3.102(c) additional requirements and limitations for components of excluded entities.

In addition, we have incorporated a new requirement in § 3.102(a)(3) that submissions for continued listing must be received by the Secretary no later than 75 days before the expiration of a PSO’s three-year period of listing. This requirement derives from our concern for protecting providers if a PSO decides not to seek continued listing and simply lets its certifications expire at the end of a three-year period of listing. To preclude an inadvertent lapse, the proposed rule included a provision to send PSOs a notice of imminent expiration shortly before the end of its period of listing and sought comment on posting that notice publicly so that providers reporting patient safety work product could take appropriate action.

Section 3.104(e)(2) states that the Secretary will send a notice of imminent expiration to a PSO at least 60 days before its last day of listing if certifications for continued listing have not been received. However, the failure of the Secretary to send this notice does not relieve the PSO of its responsibilities regarding continued listing. The requirement to submit certifications 75 days in advance is intended to ensure that such a notice is not sent or publicly posted until after the submissions are expected by the Department.

Response to Other Public Comments

Comment: One commenter urged the Secretary not to require organizations to have specific infrastructure and technology in place before they could be listed.

Response: The Department has not proposed any specific infrastructure or technology requirements. However, the statute and the final rule require a PSO at initial listing to certify that it has policies and procedures in place to ensure the security of patient safety work product. The final rule requires that those policies and procedures be consistent with the framework established by § 3.106. The Department interprets the statute to require a listed PSO to be able to provide security for patient safety work product during its entire period of listing, which includes its first day of listing.

Comment: Two commenters agreed that PSOs should be encouraged, but not required, to post on their Web sites narrative statements regarding their capabilities.

Response: The Department continues to encourage PSOs to develop and post such narrative statements.

Comment: One commenter suggested that the listing process should include an opportunity for the Secretary to receive public comment before making a listing decision, especially in the case of continued listing, when providers may want to share their experiences with the Secretary regarding a specific PSO.

Response: While we expect customer satisfaction evaluations of PSOs will develop naturally in the private sector, the Department has not incorporated this recommendation in the listing process. If a provider or any individual believes that a PSO’s performance is not in compliance with the requirements of the rule, this concern can be communicated to AHRQ at any time. Improper disclosures may also be reported to the Office for Civil Rights in accordance with Subpart D.

Incorporation of a public consultation process poses a number of implementation issues. For example, it could potentially delay a time sensitive Secretarial determination regarding continued listing (which must be made before expiration of a PSO’s current period of listing) and could require the Department to assess the validity of each specific complaint, e.g., the extent to which dissatisfaction with an analysis reflects the competence with which it was performed or a lack of precision in the assignment to the PSO.

Comment: One commenter suggested that state-sanctioned patient safety organizations should be deemed to meet the requirements for listing.

Response: The Department does not believe that the Patient Safety Act gives the Secretary authority to delegate listing decisions to states. Moreover, the statute establishes the requirements that an entity must meet for listing as a PSO; automatically deeming state-sanctioned organizations to be PSOs would inappropriately override federal statutory requirements and mandate the Secretary to list PSOs that may not be in compliance with all the statutory requirements. Accordingly, the final rule does not include such a provision.

Comment: Several commenters asked if the exclusion on health insurance issuers precludes a self-insured entity from seeking listing.

Response: The Department has examined this issue and concluded that the exclusion of health insurance issuers does not apply to self-insured organizations that provide health benefit plans to their employees. The statutory exclusion contained in section 924(b)(1)(D) of the Public Health Service Act incorporates by reference the definition of health insurance issuer in section 2971 of the Public Health Service Act and that definition explicitly excludes health benefit plans that a health care provider organization offers to its employees.

Comment: Several commenters inquired whether organizations that provide professional liability insurance coverage (also referred to as medical liability insurance or malpractice

liability insurance) for health care providers are covered by the health insurance issuer exclusion. The commenters uniformly argued that the exclusion should not apply. Several commenters noted their intent to have their ‘‘captive’’ liability insurer seek listing as a PSO. Another commenter sought assurances that if a captive liability insurer sought listing as a PSO, the PSO would not be considered a component of the provider organizations that owned the liability insurer.

Response: The Department notes that there is some ambiguity in the statutory language but concludes that the health insurance issuer exclusion does not apply to such organizations.

While the health insurance issuer exclusion does not apply, the Department notes that the statute and the final rule require that an entity seeking listing must attest that its mission and primary activity is the improvement of patient safety. That test is readily met when an organization, such as a captive liability insurer, creates a component organization since the creation of a distinct new entity can be established in a manner that clearly addresses and meets the ‘‘primary activity’’ criterion. The Department has the authority to review all applications, including those from organizations with multiple activities, and to look behind the attestations to determine whether the applicant meets the ‘‘primary activity’’ criterion.

We note that a captive entity meets the definition of a component organization in this rule. Therefore, if the captive organization is eligible for listing because it meets the ‘‘primary activity’’ criterion, it must seek listing as a component organization and clearly would be subject to the requirements on component PSOs. If the captive organization does not meet the primary activity criterion for listing, it is free to create a component organization to seek listing. Once again, however, the additional requirements for a component PSO apply.

Comment: Several commenters asked whether the health insurance issuer exclusion prevents a health system that has subsidiaries that include providers and a health insurance issuer, from establishing a component organization to seek listing as a PSO.

Response: As described by several commenters, the PSO and the health insurance issuer would be affiliates in a ‘‘brother-sister’’ relationship within the parent organization. As long as the health insurance issuer does not have the authority to control or manage the PSO, the health system is not precluded from having both a health insurance issuer subsidiary and a component PSO.

Comment: Several commenters raised questions from different perspectives regarding situations in which providers might be required to report data to a PSO. Some commenters suggested that the final rule should prohibit a facility or health care delivery system from requiring individual clinicians (who are employed, under contract, or have privileges at the facility or within the system) to report data to a specific PSO. Others raised questions regarding the eligibility for listing of existing Federal, state, local or Tribal patient safety reporting systems that are administered by an entity without regulatory authority.

Response: While the Patient Safety Act does not require any provider to report data to a PSO, the statute is silent on whether others (such as institutional providers or other public entities) can impose such requirements on providers. The Department makes a distinction based upon the source of reporting requirements and the extent to which the requirement can be viewed as consistent with the statutory goal of fostering a ‘‘culture of safety.’’ Thus, the Department has declined to include in the final rule any restriction on the ability of a multi-facility health care system to require its facilities to report to a designated PSO or of a provider practice, facility, or health care system to require reporting data to a designated PSO by those providing health care services under its aegis, whether as employees, contractors, or providers who have been granted privileges to practice. A patient safety event reporting requirement as a condition of employment or practice can be consistent with the statutory goal of encouraging institutional or organizational providers to develop a protected confidential sphere for examination of patient safety issues.

While an employer may require its providers to make reports through its patient safety evaluation system, section 922(e)(1)(B) prohibits an employer from taking an adverse employment action against an individual based upon the individual’s reporting information in good faith directly to a PSO.

By contrast, the Department views mandatory reporting requirements that are applicable to providers that are not workforce members and that are based in law or regulation, regardless of whether the specific data collected by these systems is anonymous or identifiable, as incompatible with the intent of the Patient Safety Act to foster voluntary patient safety reporting activities. In these situations, provider failure to make legally required reports can potentially result in a loss of individual or institutional licensure and the ability to practice or deliver health care services. Accordingly, we have added to the list of entities excluded from listing in § 3.102(b)(2)(ii) entities that administer such mandatory patient safety reporting systems.

A voluntary Federal, state, local, or Tribal patient safety reporting system can seek listing as a PSO. This means that the entity administering the reporting system does not have statutory or regulatory authority to require providers to submit data to the administering organization, and that organization is not required by statute or regulation to make the collected identifiable data available in ways that would be incompatible with the limitations on disclosure discussed in Subpart C.

Comment: Two commenters addressed the issue of whether Quality Improvement Organizations (QIOs), which are organizations that have contracts with Medicare and often with other payers or purchasers to review compliance with regulatory or contractual requirements and make reports that may adversely impact providers financially, can seek listing as PSOs.

Response: QIOs are precluded from seeking listing as PSOs. The final rule precludes agents of a regulatory entity from seeking listing and QIOs serve as agents of Medicare. Some QIOs also serve in similar capacities as agents of state regulatory bodies. As noted above, an agent of a regulator may create a component organization that would be eligible to seek listing as a PSO, provided such a component organization meets the additional requirements of § 3.102(c)(1)(ii).

Comment: Several commenters asked if the proposed exclusions of entities applied to State Boards of Health, programs offering providers certifications, and physician specialty boards.

Response: With respect to State Boards of Health, there are two issues regarding their potential ineligibility for becoming PSOs. The first, raised by the commenter, is whether these boards can be considered regulatory entities and in most cases they would be. While State Boards of Health provide leadership and policy coordination for state health policies, they generally have the power to oversee, enforce or administer regulations governing the delivery of health care services and would, therefore, be ineligible to be listed as a PSO. The second issue is whether such a board with its multiple

responsibilities could attest that the conduct of activities to improve patient safety and health care quality is its primary activity.

With respect to entities that offer certifications, physician specialty boards, or similar activities, we would use a fact-based approach that assesses the activities in light of the exclusions in the rule at § 3.102(a)(2)(ii).

Comment: One commenter questioned whether the proposed requirement that a PSO notify the Secretary if it can no longer meet the requirements for listing essentially meant that the PSO was admitting a deficiency.

Response: We expect this requirement to operate prospectively so that the Secretary can evaluate whether the changed circumstances may still be cured. While it is possible that this requirement in some situations would be the equivalent of a PSO admitting a current, rather than prospective deficiency, we note two aspects of the process outlined here. First, the correction of deficiencies is not a punitive process. Second, the obligation to inform the Secretary of changes is a companion element to the Department’s approach in listing entities based upon attestations.

(B) Section 3.102(b)—Fifteen General PSO Certification Requirements

Proposed Rule: Section 3.102(b) of the proposed rule incorporated the 15 requirements specified in the Patient Safety Act that every entity must meet for listing as a PSO. These 15 requirements are comprised of eight patient safety activities and seven other criteria. At initial listing, an entity would certify that it has policies and procedures in place to perform the eight specified patient safety activities and, upon listing, would comply with the seven other criteria during its period of listing. At continued listing, the PSO would certify that it has performed during its period of listing, and would continue to perform, all eight patient safety activities and that, it has complied with, and would continue to comply with, the seven other statutory criteria during its next period of listing.

We proposed to define the confidentiality and security requirements that are part of the patient safety activities that PSOs must carry out as requiring compliance with the confidentiality provisions of Subpart C and the security measures required by § 3.106. We did not propose that, but sought comment on whether the final rule should include a requirement that a PSO inform any provider from which it received patient safety work product if there are impermissible disclosures of, or security breaches occur, with respect to the provider’s patient safety work product.

A PSO would meet the minimum contract requirement under the proposed rule with two contracts, each with a different provider, at some point during a PSO’s sequential 24-month periods of listing. The proposed rule sought comment on how to interpret the requirement that the required contracts must be ‘‘for a reasonable period of time,’’ asking whether the final rule should use a standard that was time-based, task-based, or include both options.

The proposed rule noted that PSOs are required by the statute, to the extent practical and appropriate, to collect patient safety work product from providers in a standardized manner that permits valid comparisons of similar cases among similar providers. We stated that we were considering including in the final rule, and sought comment on, a clarification that compliance would mean that a PSO, to the extent practical and appropriate, will collect patient safety work product consistent with guidance that the Secretary is developing regarding reporting formats and common definitions when the guidance becomes available. We also sought comment on the process for the development of common formats and definitions.

Overview of Public Comment: Most of the comments we received on this subsection focused on the contract requirement and the specific questions posed by the proposed rule. Nearly all of the commenters who addressed the issue supported the inclusion in the final rule of a requirement that PSOs must notify a provider if the work product submitted by the provider was inappropriately disclosed or its security was breached. Those favoring the inclusion of the requirement cited concern about the sensitivity of patient safety work product and the importance of ensuring that providers know if the PSO to which they reported data was living up to its obligations to protect the security and confidentiality of their data. They noted that the HIPAA Privacy and Security Rules will not always be applicable: That some providers will not be considered covered entities and identifiable patient safety work product may not always contain protected health information. Those opposed to the requirement argued that most patient safety work product will contain protected health information and providers reporting to a PSO are likely to be covered entities. Thus, the HIPAA Privacy Rule will cover most situations and, if providers had additional concerns, they could address them contractually. It was also suggested that the preamble to the final rule should carefully describe a PSO’s obligations when the HIPAA Privacy and Security Rules apply and the requirements to report impermissible disclosures even when protected health information is not involved.

With respect to the statutory requirement for contracts with more than one provider, several commenters proposed that one contract with multiple providers should be deemed to meet the statutory requirement. These commenters often argued that it was inefficient to require a PSO to enter multiple contracts when the statutory intent of collecting data from multiple providers could be met through a single contract. Several commenters alleged that the proposed rule did not interpret the requirement that contracts be entered with ‘‘different providers’’ and sought clarification in the final rule.

The vast majority of commenters opposed including any standard in the final rule for determining when one of the required contracts was ‘‘for a reasonable period of time.’’ Many argued that this decision should be left to the marketplace, permitting providers and PSOs to enter customized arrangements. A few commenters supported incorporation of a time-based standard, ranging from 3–12 months. One commenter recommended incorporating both time-based and task-based standards.

In response to our specific request for comment on whether the final rule should reference the Secretary’s guidance on common formats and definitions, the vast preponderance of comments were supportive, with many detailing reasons why use of common formats was important. Several organizations offered caveats to their support, such as concern that the development of Secretarial guidance might slow the process and may further interfere with innovation. Many organizations offered suggestions to the Department such as: Allowing private sector feedback; harmonizing with other data reporting requirements; allowing collection of data in addition to the common formats, particularly for use at the local level; and allowing time to phase in use of common formats.

Virtually all comments were supportive of the process by which the Department was developing guidance on common formats. Many commenters suggested steps that they wished the Department to take such as: Greater or earlier involvement of the private sector; transparency in the process; acceptance of comments from outside government;

and use of evidence from existing reporting systems. The process we outlined for private sector consultation was viewed positively. We received several comments and recommendations related to this process that were outside the scope of the rule and, therefore, are not addressed below.

Final Rule: For convenience and clarity, we have modified the text in the final rule to separate initial and continued listing within § 3.102(b)(1), which states the required certifications for the eight patient safety activities and within § 3.102(b)(2), which states the required certifications for the seven PSO criteria. This modification does not reflect a substantive change.

We have incorporated in § 3.102(b)(1)(B) of the final rule one additional requirement, posed as a question in the proposed rule and strongly supported by commenters, that a PSO must inform the provider from which it received patient safety work product if the work product submitted by that provider is inappropriately disclosed or its security is breached. The Department recognizes that in certain cases a PSO may not know the identity of the provider that submitted patient safety work product, e.g., anonymous submissions, or it might not be possible to contact the provider, e.g., if the provider has gone out of business or retired. In these cases, the Department would expect the PSO to be able to demonstrate, if selected for a ‘‘spot check,’’ that it made a good faith effort to reach every provider that submitted the work product subject to an inappropriate disclosure or a security breach. We also note that this requirement only requires the PSO to contact the provider that submitted the information; the PSO is not expected to contact providers or others whose names are included in the patient safety work product. As a business associate of a provider covered by the HIPAA Privacy Rule, the PSO must abide by its business associate contract with that provider, obligating it to notify the provider if it becomes aware of an impermissible disclosure of protected health information. See 45 CFR 164.504(e)(2)(ii)(C). Once the PSO has informed the provider of the impermissible disclosure, the HIPAA Privacy Rule requires the provider to mitigate the harmful effects of an impermissible disclosure. See 45 CFR 164.530(f).

We have also incorporated in § 3.102(b)(2)(i)(C) a minor modification in the text of the criterion relating to the required two contracts. The text in the proposed rule stated that a PSO ‘‘must have entered into two bona fide contracts’’ with different providers; we have deleted the words ‘‘entered into.’’ Our intent in the proposed rule text was to encourage PSOs to enter long-term contracts with providers by enabling a multi-year contract to be counted toward the two contract minimum in each of the 24-month periods during which the contract was in effect. By deleting the words ‘‘entered into,’’ the text of the final rule more clearly reflects our original intent.

We also provide clarification here, which we did not consider necessary to include in the rule text, regarding the obligations of a PSO. The certifications for initial listing regarding patient safety activities track the statute and require a PSO to have policies and procedures in place to perform patient safety activities. At continued listing, PSOs will be expected to have performed all eight patient safety activities. Some of the required patient safety activities must be performed at all times, such as utilizing qualified staff, having effective policies and systems to protect the security and confidentiality of patient safety work product when the PSO receives work product, undertaking efforts to improve the quality and safety of patient care, and developing and disseminating information to improve patient safety. Other required patient safety activities can only be performed when the PSO is working with a provider (such as providing feedback to participants in a patient safety evaluation system) and receiving patient safety work product from providers (such as utilization of patient safety work product to develop a culture of safety).

The Department recognizes that, for any given contractual arrangement, providers, not PSOs, will determine the tasks PSOs undertake and for which they will be compensated. Therefore, our approach to assessing compliance will be as follows. If subject to a spot check for compliance, a PSO must be able to demonstrate that it has performed all eight patient safety work products at some point during its three-year period of listing. However, we will expect a PSO to demonstrate that it performs throughout its period of listing the patient safety activities that are not dependent upon a relationship with a provider or receipt of patient safety work product. We will expect compliance with the other patient safety activities consistent with the contracts or agreements that the PSO has with providers. A component PSO that is established by a health care provider, and for which the parent-provider organization is a primary client, would not be dependent on external contracts and would be expected to be in compliance with all eight patient safety activities during its entire period of listing.

In response to commenters who sought clarification on what is meant by compliance with the two-contract requirement, we reaffirm that the statutory requirement is clear. There must be two written contracts; a single contract with multiple providers can only be counted as one contract. We interpret the requirement that the contracts must be with ‘‘different’’ providers straight-forwardly. The only requirement is that the bona fide contracts must be with individuals or institutions that are providers as defined in the rule. We have imposed no other requirements; the contracts can be with an institutional provider and an individual clinician, or with two entities within the same or different system(s).

After careful consideration of the comments we received, the Department has concluded that we will not incorporate an interpretation of the term ‘‘each for a reasonable period of time’’ regarding the required contracts. As we noted in the proposed rule, our intent in proposing to interpret the language was to give providers increased certainty that the listing of the PSO to which they are reporting data could not be challenged on the basis that its required contracts were not for a reasonable period of time. However, the provider community opposed interpreting the provision, fearing that it would limit their ability to customize contracts to meet their analytic needs and urged the Department to rely upon the marketplace to interpret this requirement. With no empirical basis for choosing one standard or one time frame over another, and given the inability to anticipate what types of contractual relationships will evolve under the final rule, the Department concluded that incorporating a standard at this time could have unintended negative consequences and has chosen not to do so. As a result, a PSO will be required to have two contracts in effect at some point during each 24-month reporting period established by the statute but the contracts are not required to cover a specific or minimum time period and they are not required to be in effect at the same time.

While we received overwhelmingly favorable support for requiring compliance with the Secretary’s guidance on common definitions and reporting formats (common formats) for the collection of patient safety work product, we recognize that the Department’s efforts to develop
guidance will take time. We issued common formats in August 2008 addressing all patient safety events in acute-care hospitals; AHRQ has made the common formats available on its Web site to facilitate their use by providers with varying levels of sophistication as well as by PSOs. The guidance will be expanded over time to other settings of care. Because we anticipate that some PSOs may choose to concentrate their work in areas for which guidance from the Secretary is not yet available, we have modified the text of the rule by incorporating a new paragraph (iii) that interprets compliance in the following way.

At initial listing, the requirement will be interpreted as a commitment by the entity seeking listing to adopt the Secretary’s recommended formats and definitions by the time it seeks continued listing ‘‘to the extent practical and appropriate.’’ During the initial three-year period of listing, AHRQ will not issue a preliminary finding of deficiency to any PSO that has not adopted the Secretary’s recommended formats and definitions.

At continued listing, a PSO will be required to: (1) Certify that the PSO is using the Secretary’s guidance for common formats and definitions; (2) certify that the PSO is using an alternative system of formats and definitions that permits valid comparisons of similar cases among similar providers; or (3) provide a clear explanation for why it is not practical or appropriate for the PSO to comply with options (1) or (2) at this time. The Secretary will consider a PSO to be in compliance if it is using the Secretary’s guidance, satisfactorily demonstrates that the alternative system it is using permits valid comparisons of similar cases among similar providers, or satisfactorily demonstrates why neither option is practical or appropriate at this time. An example of a satisfactory justification might be that the PSO specializes in analyses in a specific niche of health care delivery in which there remains significant controversy over relevant reporting formats and definitions and/or the Secretary has not recommended any relevant common formats or definitions. The Secretary, if he determines that the PSO is otherwise eligible for continued listing, but has not satisfactorily demonstrated that it meets one of the three requirements in § 3.102(b)(2)(iii), may exercise his discretion to continue the listing of the PSO and use the process for correction of deficiencies in § 3.108(a) to bring the PSO into compliance after its listing has been continued.

We believe this approach effectively balances the statutory goal of promoting the ability to aggregate, and learn from, patient safety work product, while recognizing the statutory caveat that this requirement applies ‘‘to the extent practical and appropriate.’’ Our approach ensures that PSOs will take the requirement seriously and that a PSO’s statement that it is not ‘‘practical or appropriate’’ to comply at this time is well-founded.

Response to Other Public Comments.

Comment: Several commenters suggested that the final rule include a requirement that entities provide assurances that they are financially viable.

Response: The Department has not adopted this proposal. We do not believe that assuring the financial viability of PSOs is either an authorized or an appropriate Federal task in carrying out the Patient Safety Act. The statutory framework leaves this inquiry and determination to prospective clients in the market for PSO services. PSOs will learn to address this concern routinely if required by providers to do so.

Comment: One commenter suggested that the final rule include a provision to require PSOs to have policies and procedures in place to safeguard the privacy and confidentiality of a staff member of a PSO, who is identified in patient safety work product.

Response: The Department agrees that PSOs should consider and address issues of confidentiality, including those of its workforce members. However, we do not believe it is appropriate or necessary to mandate how a PSO addresses this issue.

Comment: Several commenters raised concerns regarding the statutory requirement that ‘‘the mission and primary activity of a PSO must be to conduct activities that are to improve patient safety and the quality of health care delivery’’ might make it difficult for existing organizations with multiple activities to qualify for listing. One commenter suggested that the requirement be altered so that the mission and primary activity ‘‘includes’’ quality improvement and patient safety. Questions were also raised whether organizations that currently undertake other activities such as provider education or other collections and analyses of clinical data to improve the quality, safety, and efficiency of health care would meet the requirement.

Response: It is important to recognize that the language at issue was incorporated into the proposed rule directly from the statute. Accordingly, it has been retained. We note that this statutory language imposes a dual requirement: improvement of patient safety and the quality of health care delivery must be reflected in the entity’s mission and this improvement activity must constitute the entity’s primary activity. Since many organizations could reasonably claim that improvement of the quality of health care and patient safety are fundamental to their missions and even have these words in their mission statements, the critical and distinguishing requirement in this statutorily-based criterion is that such improvement activities must be the entity’s primary activity.

While we understand the rationale of the commenter—many of the organizations interested in becoming PSOs will have difficulty attesting that this is their primary activity—the Department does not have the authority to alter this statutory requirement by making improvement of health care delivery and patient safety one of any number of significant activities that an organization performs. The statute effectively recognizes this dilemma and provides an option in this situation. An entity can create a component organization, discussed in the next subsection, to seek listing. Such a new component created for this exclusive purpose or with this purpose as its primary activity would inherently meet this requirement.

It is likely that some providers will find it more reassuring to work with a PSO that is focused solely on the statutorily mandated objectives. If an organization with other activities and personnel is listed in its entirety as a PSO, it can share a provider’s identifiable patient safety work product throughout the legal entity, including with individuals who are not involved in the work of the PSO, without violating the disclosure restrictions of the statute and without triggering Federal enforcement action pursuant to subparts C and D of the rule. We expect many providers will prefer that their protected information be closely held. Thus, existing organizations have other reasons, in addition to the mission and primary activity criterion, to consider the option of establishing a PSO as a component organization.

In response to an example posed in two separate comments, if an entity’s primary activity is the collection and analysis of clinical data to improve the quality, safety, and efficiency, the Department would consider these activities consistent with the statutory requirement. Other situations may warrant discussion with AHRQ staff during the planning stage of a PSO or
at least before submitting certifications for listing. Another example posed by a commenter—an entity that provides general health education to providers—would appear to require further discussion. As presented, general health education would appear to have a link to, but an inadequate emphasis on, the analytic focus of a PSO’s mandatory patient safety and quality improvement activities. The health education entity can certainly avail itself of the option to establish a component organization to seek listing.

Comment: One commenter asked what is meant by the concept of carrying out patient safety activities. Does this mean that patient safety activities must be performed and, if so, when?

Response: We note that this obligation rests with a PSO, not providers. The requirement means that a PSO must perform all eight patient safety activities during its period of listing. We clarify how the Department will assess PSO compliance with this requirement in the discussion of the final rule above.

Comment: One commenter asked if a PSO could meet the minimum contract requirement by entering a contract with a 50-hospital system and one independent practitioner (either with a physician or nurse practitioner).

Response: To meet the requirement, a PSO must have at least two contracts with different providers. In this case, a contract with a solo health care practitioner (such as a physician or a nurse practitioner) would meet the requirement for the second contract.

Comment: One commenter asked if a contract between the parent of a health system and a PSO is tantamount to entering a contract with each provider that comprises the health system.

Response: Such an arrangement does not meet the requirement; the requirement focuses on the number of contracts, not the number of providers that are involved with any contract. The rule, based on the terms of section 924(b)(1)(C) of the Public Health Service Act, requires two contracts.

Comment: Can providers within the same system count as different providers for meeting the minimum contract requirement?

Response: The answer to this question is yes if the PSO has separate contracts with at least two different providers. Whether the providers have a common organizational affiliation is not relevant. The only requirements are that the individuals or facilities must be providers as defined in § 3.20 of the rule and that there are at least two contracts with different providers. Once again, the focus of the requirement is the number of contracts.

Comment: A commenter asked if the establishment of a ‘‘relationship’’ with a provider is sufficient to meet the minimum contract requirement.

Response: No. The rule requires two bona fide contracts, as defined in section 3.20, meeting the requirements of the rule.

Comment: One commenter expressed concern about the ability of his agency to meet the minimum contract requirement. His agency administers a public patient safety reporting system to which hospitals are required to report by state law. His concern was that the hospitals might see no need to enter contracts with his agency if it were listed as a PSO.

Response: The modifications to the final rule in § 3.102(a)(2)(ii) preclude an entity that manages or operates a mandatory patient safety reporting system from seeking listing as a PSO.

Comment: One commenter urged that the final rule not marginalize State mandatory reporting systems through the separation of provider reporting to PSOs. The commenter recommended that the final rule permit States to become listed as PSOs or enter into collaborative arrangements with PSOs to share data and staff.

Response: While we believe that an entity that operates a Federal, state, local, or Tribal mandatory patient safety reporting system should not be listed as a PSO, the rule does permit a component of such an entity to seek listing. A PSO that is a component of an excluded entity is prohibited from sharing staff with the excluded entity and has limitations on its ability to contract with such a parent organization (see § 3.102(c)(4)). However, the component PSO could enter into some types of limited collaboration with an excluded entity. For example, a PSO may accept additional data from an excluded entity for inclusion in its analyses with the understanding that the PSO may only share its findings pursuant to one of the permissible disclosures in Subpart C, e.g., if the findings are made non-identifiable. In addition, other PSOs similarly may share their nonidentifiable findings with mandatory state patient safety reporting systems and to the extent permitted by state law the state systems might give data to completely separate PSOs for analysis and reports in nonidentifiable terms.

Comment: Several commenters suggested that excluded entities might become members of a PSO as long as they were not vertically linked to the PSO, although they did not explain what they meant by the term, members.

Response: It is not clear what the commenters mean by a ‘‘member’’ of a PSO in this context. To the extent that the comments are referring to a possible joint venture that creates a PSO, there are few productive roles that an excluded entity could play. Such excluded entities could not have or exercise any level of control over the activities or operation of a PSO. Thus, they could not have access to patient safety work product. As a result, the potential for involvement of an excluded entity with a PSO would be very limited.

We note, however, that a component of an entity excluded by § 3.102(a)(2)(ii) can seek listing. These types of component organizations must meet additional requirements set forth in § 3.102(c)(1).

Comment: One commenter requested clarification regarding the required patient safety activity to provide feedback and assistance to providers to effectively minimize patient risk.

Response: We recognize that the performance of some patient safety activities will be dependent upon a PSO’s arrangements with its clients. As we noted in our discussion of the final rule, we will interpret a PSO to be in compliance with this requirement if the feedback and assistance is performed at some point during the PSO’s period of listing.

Comment: Two commenters pointed to the importance of the use of contracted staff to enable a PSO to carry out its duties, especially in rural or low population density areas. In such circumstances, a PSO needs to draw upon competencies and skills as needed and asked that we clarify that such contractors, whether paid or volunteer, could enable a PSO to meet the qualified staff requirement.

Response: The Department assumes that many PSOs, especially component PSOs, will use a mix of full-time personnel and individuals from whom they seek services as needed, whether paid or on a volunteer or shared basis. That is why we have incorporated a broad definition of ‘‘workforce’’ in the rule that encompasses employees, volunteers, trainees, contractors, and other persons whether or not they are paid by the PSO. As defined in this rule, workforce refers to persons whose performance of activities for the PSO is under the direct control of the PSO. In addition, however, a PSO is free to enter contracts for specific or specialized services, subject to other requirements of the rule.

(C) Section 3.102(c)—Additional Certifications Required of Component Organizations

Proposed Rule: Along with the 15 requirements under subsection (b) that all PSOs would have to meet, § 3.102(c) of the proposed rule would require an entity that is a component of another organization to make three additional certifications regarding: (1) The secure maintenance of patient safety work product separate from the rest of the organization(s) of which it is a part; (2) the avoidance of unauthorized disclosures of patient safety work product to the rest of the organization(s) of which it is a part; and (3) the mission of the component organization not creating a conflict of interest with the rest of the organization(s) of which it is a part.

We proposed two additional requirements that would interpret these statutory provisions: (1) A component PSO could not have a shared information system with the rest of the organization(s) of which it is a part; and (2) the workforce of the component PSO could not engage in work for the rest of the organization(s) if such work could be informed or influenced by the individual’s knowledge of identifiable patient safety work product (except if the work for the rest of the organization is solely the provision of patient care). The proposed rule did not propose an interpretation, but sought public comment, on the requirement that a component organization not create a conflict of interest with the rest of the organization(s) of which it is a part.

We proposed, and sought comment on, a limited option for a component PSO to take advantage of the expertise of the rest of its parent organization(s) to assist the PSO in carrying out patient safety activities. Under this proposal, a component PSO could enter into a written agreement with individuals or units of the rest of the organization involving the use of patient safety work product, subject to specified requirements.

Overview of Public Comments: Numerous commenters strongly disagreed with the Department’s proposal that PSOs must maintain separate information systems. These commenters argued that it would impose a tremendous financial and administrative burden to establish separate information systems. A number of commenters suggested alternative approaches that could achieve the same goal. For example, one commenter recommended that HHS adopt a non-directive concept of functional separation and require PSOs to submit with their certifications for listing a description of how they intend to meet the requirement for technological and other controls to ensure that there is an effective protection against inappropriate access to the patient safety work product held by the component PSO.

There was significant concern with the proposal to limit the sharing of employees between the parent organization(s) and the component PSO if the employee’s work could be informed by knowledge of a provider’s identifiable patient safety work product. Some commenters argued that the prohibition was too broad, that it should be narrowed, or that the standard was too vague and had the potential for creating confusion. A number of commenters recognized the merits of the intended prohibition but thought that the proposed rule’s formulation was so vague that it might limit the ability of any physician in an academic health center to assist the component PSO if the physician supervised and evaluated interns and residents during their training, presuming this to be an unintended result.

Several alternative approaches were suggested, including: (1) Limit the prohibition to staff in the parent organization who would use patient safety work product for non-patient safety activities; (2) obtain pledges by staff not to use patient safety work product for ‘‘facility administrative functions;’’ (3) limit the prohibition to persons with disciplinary/credentialing functions; (4) require management staff to sign agreements not to use patient safety work product in hiring/firing, credential/privilege decisions; and (5) permit shared staff for specific types of entities, such as state hospital associations, but not others.

Our proposal to provide a limited option for a component PSO to draw upon the expertise of its parent organization(s) to assist the PSO in carrying out patient safety activities was well received. Most commenters were supportive of the flexibility provided by this provision although one commenter suggested deleting it. Several commenters stressed that a ‘‘substantial firewall’’ should be maintained and that such contracting should only be allowed ‘‘for clearly defined and limited staff services.’’ One commenter urged that such contracts or agreements should be submitted to the Secretary in advance so that they ‘‘can be scrutinized by HHS to assess whether confidentiality or privilege protections can practically remain intact.’’

In our discussion regarding entities excluded from listing in § 3.102(a)(2)(ii), we noted that a number of commenters that supported permitting components of such entities to seek listing, suggested, nevertheless, that we establish additional limitations and requirements. Their suggestions included requiring that such a component organization seeking listing must: Specifically identify its parent organization as a regulator and specify the scope of the parent organization’s regulatory authority; submit to the Secretary attestations from providers choosing to report to the PSO that they have been informed of the scope of regulatory authority of the parent organization; and provide assurances to the Secretary that the parent organization has no policies that compel providers to report patient safety work product to its component PSO. They also suggested such a PSO not be permitted to share staff with the parent organization and not be able to take advantage of the proposed limited provision that would permit a component PSO to contract with its parent organization for assistance in the review of patient safety work product.

The proposed rule did not propose an interpretation but sought comment on the circumstances under which the mission of a component PSO could create a conflict of interest for the rest of the parent organization(s) of which it is a part. The recommendations of commenters reflected a variety of perspectives: One view was that the rule should not adopt a general standard; a component organization should disclose what it believes may be its conflicts and that this disclosure should be deemed sufficient to have cured the conflict; another said the Department should undertake case-by-case analysis; and a third suggested the Department should adopt guidance, not regulatory language. Another commenter wrote that there could be no conflict of interest if the parent organization is a provider; others suggested that certain types of parent organizations posed conflicts of interest, such as when the parent organization is an investor-owned hospital or if there are certain legal relationships which providers have with a parent organization or its subsidiaries. Similarly, one commenter suggested that not-for-profit status of a PSO should be an indicator that there is no conflict of interest. In a parallel vein, another commenter argued that if the PSO could use or sell its information for commercial gain, this was a conflict. This commenter also argued that if a PSO could be used to create an oasis solely for protection of information reported by the system that created it, this represented a conflict; the
information held by a PSO must be made available at minimal or no cost for further aggregation. Another commenter suggested that a component PSO should never evaluate patient safety work product of an affiliated organization; if it does so, this creates a conflict-of-interest.

Finally, several commenters also suggested that there must be no conflict between patient safety work product and non-patient safety work product functions. A similar comment from another entity argued that a PSO must certify that members of the component PSO workforce are not engaged in work for the parent organization that conflicts with the mission of the PSO.

Final Rule: After careful consideration of the extensive number of comments received regarding component organizations, the Department has modified and restructured the text for § 3.102(c) in the following ways.

We have restructured § 3.102(c) into four separate paragraphs. New § 3.102(c)(1)(i) lists the provisions with which different component organizations must comply. This subparagraph sets forth the requirements that all component organizations must meet. The language of this subparagraph is retained from the proposed rule but includes a requirement that all component organizations must submit with their certifications contact information for their parent organization(s) and provide an update to the Secretary in a timely manner if the information changes. This requirement was proposed in the preamble but was not incorporated in the text of the proposed rule. Many of the commenters noted the importance to providers of having information regarding the parent organization of a component PSO and, therefore, we have incorporated the provision.

New § 3.102(c)(1)(ii) outlines the requirements for components of entities excluded from listing under § 3.102(a)(2)(ii) of this section. These components must meet the requirements for all component PSOs in § 3.102(c)(1)(i) as well as submit the additional certifications and information and adhere to the further limitations set forth in § 3.102(c)(4) that are discussed below.

New § 3.102(c)(2) restates the three additional statutory certifications that must be made by all component organizations seeking listing. We have deleted two requirements for component entities from the text of the proposed rule that were intended to interpret these statutory requirements: the requirement for separate information systems and the restriction on the use of shared staff. The final rule does not impose these proposed requirements on most component organizations.

However, as discussed below regarding § 3.102(c)(4), we have retained the prohibition on shared staff only with respect to components of entities that are excluded from listing and, for such component PSOs, narrowed the circumstances when contracting with a parent organization is permissible only with respect to components of entities that are excluded from listing.

With respect to separate information systems, the Department has concluded, based upon the information that was included by commenters, that there are a number of cost-effective alternatives for achieving the statutory goal of separate maintenance of patient safety work product. Accordingly, we have included new language that requires a component PSO to ensure that the information system in which patient safety work product is maintained must not permit unauthorized access by any individuals in, or units of, the rest of the parent organization(s) of which it is a part.

Similarly, after careful consideration of the comments, we have eliminated the proposed restriction on the use of shared staff for most component PSOs. The Department has concluded that there are significant incentives for component PSOs and parent organizations to be very cautious in their use of shared personnel, protecting against inappropriate disclosures, and the disclosure of patient safety work product. A number of commenters appeared to appreciate the importance of maintaining separation between their patient safety activities and internal disciplinary, privileges, and credentialing decisions, which were the focus of our concern.

Our review has led us to conclude that the potential negative consequences for providers, independent of any fear of Department action, lessens the need for the rule to address this issue. For example, institutional providers are likely to find it difficult to develop robust reporting systems if the clinicians on their staff learn or even suspect that the same individuals involved in analysis of patient safety work product play key roles in administrative decisions that can lead to adverse personnel decisions. This may lead to decreased reporting of patient safety events. The suspicion of contamination between the processes could also provide a new basis for challenging adverse employment actions, which could require providers to prove that their actions were not influenced by inappropriate use of patient safety work product. Finally, there is the right of action that the statute grants to individual providers who believe and allege that their employer took an adverse employment action against them based upon their providing information to the employer’s patient safety evaluation system for reporting to the PSO or based upon their providing information directly to the PSO. Given the importance to providers of maintaining protections for their work product, we conclude that it is unlikely that a parent organization will intentionally jeopardize those protections. Therefore, we have eliminated the proposed restriction on the use of shared staff, except for components of entities excluded from listing as discussed below regarding § 3.102(c)(4). In its place, we have restated the statutory requirement that the component organization (and its workforce and contractors) may not make unauthorized disclosures to the rest of the organization(s) of which the PSO is a part.

We have retained without change in § 3.102(c)(2)(iii) the proposed rule text prohibiting the pursuit of the mission of the PSO from creating a conflict of interest with the rest of the organization(s) of which it is a part. To the extent that individuals or units of the rest of the parent organization(s) have obligations and responsibilities that are inconsistent with the ‘‘culture of safety’’ that the statute seeks to foster, a component PSO could create a conflict of interest by sharing identifiable patient safety work product with them as shared staff or under a written agreement pursuant to § 3.102(c)(3), discussed below. On the other hand, the component PSO could draw upon the expertise of these same individuals in other capacities in which identifiable work product is not shared and, thereby, avoid creating conflicts of interest. Thus, we would interpret permitting the creation of conflicting situations for staff or units of the parent organization(s) as inconsistent with a component PSO’s attestation.

Section 3.102(c)(3) retains without substantive change the provision in the proposed rule to enable a component PSO, within limits, to take advantage of the expertise of the rest of the organization of which it is part. In response to concerns expressed by some commenters, we stress the statutory requirement for the PSO to maintain patient safety work product separately from the rest of the organization. In such circumstances, it cannot be transferred to individuals or units of the rest of the organization except as permitted by the rule. As a practical matter, if the parent
organization is a provider organization and the component PSO is evaluating the parent organization’s data, the parent-provider is likely to have a copy of all of the data transmitted to the component PSO.

We do not dismiss the concerns of commenters that this contracting authority could be used inappropriately. We remind each component PSO that the statute requires it to maintain patient safety work product separately from the rest of the organization(s) of which the component PSO is a part and prohibits unauthorized disclosures to the rest of the organization(s) of which they are a part. Therefore, it may not be appropriate for its parent organization to serve as its main provider of analytic or data services if such arrangements would effectively confound statutory intent for a firewall between a component PSO and the rest of the organization(s) of which it is a part. The flexibility provided by the rule to use in-house expertise is intended to supplement, not replace, the PSO’s authority to contract with external expert individuals and organizations.

Section 3.102(c)(4) incorporates new requirements, drawn from our review of public comments, that only apply to organizations that are components of entities excluded from listing under § 3.102(a)(2)(ii). Thus, these component organizations have three sets of requirements to meet: The 15 general certification requirements in §§ 3.102(b)(1) and 3.102(b)(2); the requirements that all component PSOs must meet in §§ 3.102(c)(1)(i) and 3.102(c)(2); and the requirements that are established by § 3.102(c)(4).

Section 3.102(c)(4) establishes a requirement for additional information and certifications that must be submitted with the component organization’s certifications for listing and it establishes two additional restrictions with which a component organization must comply during its period of listing. The additional information and certifications require a component PSO of an entity described in § 3.102(a)(2)(ii) to:

1. Describe the parent organization’s role, and the scope of the parent organization’s authority, with respect to the activities which are the basis of the parent organization’s exclusion from being listed under § 3.102(a)(2)(ii).

2. Certify that the parent organization has no policies or procedures that would require or induce providers to report patient safety work product to the component organization once it is listed as a PSO, and affirm that the component PSO will notify the Secretary if the parent organization takes any such actions during its period of listing. An example of an inducement would be if a parent organization that accredited or licensed providers awarded special scoring consideration to providers reporting to the parent organization’s component PSO; additional scoring consideration for reporting to any PSO, by contrast, would not violate this restriction.

3. Certify that the component PSO will include information on its website and in any promotional materials for providers describing the activities which were the basis of the parent organization’s exclusion under § 3.102(a)(2)(ii).

We have incorporated these additional requirements for information and attestations to address widespread concerns among commenters that an excluded parent organization might attempt to compel providers to report data to its component PSO and circumvent the firewalls for access to that data. These extra requirements for such component PSOs will strengthen transparency and the additional statements submitted with the component organization’s certifications will be posted on the AHRQ PSO Web site along with all its other certifications. Our intent is to ensure that such a component organization’s website and its promotional materials for providers will inform providers regarding the nature and role of its parent organization. The rule is emphatically clear that the Department will take prompt action to revoke and delist a component organization whose excluded parent organization attempts to compel providers to report data to its component PSO. New § 3.108(e)(1) lists specific circumstances, including this situation, in which revocation and delisting will take place on an expedited basis.

During its period of listing, the final rule also prohibits a PSO that is a component organization of an entity excluded from listing to share staff with the rest of the organization(s) of which it is a part. Such a component PSO may enter into contracts or written agreements with the rest of the organization(s) under the authority provided to all component PSOs by § 3.102(c)(3) but with one additional limitation. Such contracts or written agreements are limited to units or individuals of the parent organization(s) whose responsibilities do not involve the activities that are the basis of the parent organization’s exclusion under § 3.102(a)(2)(ii). If the parent organization’s sole activity is the reason for its exclusion, the component organization could never enter a contract or written agreement to have staff from the rest of the organization assist the PSO in carrying out patient safety activities. If the parent organization engages in a mix of activities, some of which are not a basis for exclusion from listing, the component organization will be able to take advantage of this contracting option, subject to our caveat above.

Response to Other Public Comments

Comment: One commenter asked us to confirm that component PSOs can maintain patient safety work product behind secure firewalls using existing information systems.

Response: The modifications we have adopted and discussed above means that the final rule permits this approach.

Comment: Several commenters suggested that it was unrealistic for the component PSO to maintain patient safety work product separately from its parent organization if the parent organization is a provider reporting data to the component PSO.

Response: The Patient Safety Act requires a component PSO maintain patient safety work product separately from the rest of the organization(s) of which it is a part; therefore, we cannot remove the restriction. While contracts between a PSO and a provider are likely to address the extent to which a provider has access to information held by a PSO, we caution contracting parties to be mindful of this statutory restriction in crafting their contracts. The requirement for separation does not mean that the component organization cannot share information with a parent organization but any sharing must be consistent with the permissible disclosures of this rule.

(D) Section 3.102(d) Required Notifications

(1) Section 3.102(d)(1)—Notification Regarding PSO Compliance With Minimum Contract Requirement

Proposed Rule: Section 3.102(d)(1) of the proposed rule would require PSOs to attest within every 24-month period, beginning with its initial date of listing, that the PSO has met the two-contract requirement. We proposed to require notification of the Secretary 45 days before the end of the applicable 24-month period. Early notification would enable the Department to meet another statutory requirement to provide PSOs with an opportunity to correct a deficiency. If the requirement is not yet met, this would enable the Secretary to establish an opportunity for correction that ends at midnight on the last day of the 24-month period.

Overview of Public Comments: The comments we received endorsed our proposed approach. One commenter suggested we should consider requiring notification 60 days in advance.

Final Rule: We expect that, in most circumstances, contracts will be the primary source of revenue for PSOs. In light of the fact that only two contracts are required, we do not anticipate that many PSOs will reach this point in their period of listing without meeting the requirement. We have not accepted the recommendation to require notification sooner. The Department adopts the provision as recommended in the proposed rule without modification.

(2) Section 3.102(d)(2)—Notification Regarding a PSO’s Relationships With Its Contracting Providers

Proposed Rule: The proposed rule incorporated in § 3.102(d)(2) the statutory requirement that a PSO would make disclosures to the Secretary regarding its relationship(s) with any provider(s) with whom the PSO enters a contract pursuant to the Patient Safety Act (Patient Safety Act contract). The statute requires PSOs to disclose whether a PSO has any financial, contractual, or reporting relationships with this contracting provider and, if applicable, whether the PSO is not managed, controlled, or operated independently of this contracting provider.

The proposed rule noted that a PSO would need to make this assessment when it enters a contract with a provider and, if disclosures are required, submit a disclosure statement within 45 days of the effective date of the contract. If relationships arise during the contract period, submission would be required within 45 days of the date the relationships are established.

The proposed rule would have provided guidance on our interpretation of financial, contractual, and reporting relationships and emphasized that the statute required a PSO to ‘‘fully disclose’’ the relationships. We noted that disclosure would be required only when the PSO entered a Patient Safety Act contract with a provider and there were relationships that required disclosure. We also encouraged, but did not require, PSOs to list any agreements, stipulations, or procedural safeguards that might offset the influence of the provider and that might protect the ability of the PSO to operate independently.

Overview of Public Comments: Commenters expressed concern that the proposed rule was not sufficiently specific with respect to the required disclosure statements. They suggested that the emphasis in the proposed rule on the statutory requirement for full disclosure, without a corresponding discussion of the parameters for the contents and level of detail of the statements, raised the prospect that PSOs would feel compelled to develop disproportionately detailed information that might not be germane. One commenter suggested what was most important is awareness of the fundamental relationship(s) that exist, not the specific details, suggesting that if the provider in question is the parent entity of the PSO, it should be sufficient to know that the parent-provider is the source of financial support to the PSO, employs its workforce, and provides management to its activities.

In addition, there was concern that since the disclosure statements are going to be made public, detailed submissions regarding the financial and contractual obligations would make it difficult to maintain the confidentiality of potentially sensitive business information. Several commenters noted that it is not unusual for certain types of contractual work with commercially sensitive implications to include confidentiality agreements and one commenter suggested that the process permit a PSO to request that the Secretary not disclose specific information under certain circumstances.

A number of commenters expressed concern about the potential unintended consequences of disclosure, especially with respect to the identity of providers. One commenter raised concern that the requirement would lead to ‘‘differential’’ disclosure, by which the commenter meant that, of the total number of providers with which a PSO enters contracts, only those with other relationships would have their names disclosed and the other providers would not have their names made known through the proposed public release of disclosure statements by the Secretary.

Final Rule: After careful review of the comments, the Department has reconsidered its approach to this disclosure requirement and has made modifications to the text that are incorporated in the final rule. Based upon this review, we have shifted the emphasis of the term ‘‘fully disclose’’ from stressing the level of detail that a PSO must provide in describing each of the other types of relationships (listed below) that the PSO has with a contracting provider to an emphasis on requiring that the PSO disclose clearly and concisely every relationship that requires disclosure. This shift in emphasis remains consistent with our overall emphasis on transparency; without being burdensome, it enables both the Secretary and providers considering contracts with a PSO to request additional information regarding any relationships of concern. We have adopted a clearer and narrower interpretation of the disclosures of relationships that must be made in view of concerns expressed by commenters about the scope of the required reports. In response to requests for more guidance on the required submissions, this final rule calls for a two-part disclosure statement and describes what must be included in each part.

These modifications to the final rule reflect several considerations. The Department has concluded that the Patient Safety Act does not provide incentives for a provider to control or manipulate the findings of a PSO with respect to its own patient safety information. A PSO’s conclusions and recommendations are patient safety work product and, whether the PSO is critical or complimentary of the provider or the provider agrees or disagrees with the PSO, the PSO analysis and guidance remains confidential and privileged under the Act, which means that there are constraints on the ability of a provider to disclose the PSO’s conclusions and recommendations. Even when they can be disclosed, calling the public’s attention to positive findings is likely to engender scrutiny of the extent to which the provider’s relationship with its PSO is truly an arms-length relationship. In sum, providers have little to gain under the statute’s framework from attempting to control or manipulate the analyses and findings of a PSO.

At the same time, the Department expects the statutory disclosure requirements, coupled with public release of disclosure statements and the Secretary’s findings as provided by § 3.104(b), will provide important and useful information to providers seeking to contract with a PSO. As we pointed out in the proposed rule, a provider seeking to contract with a PSO will have its own standards for what other PSO relationships it considers to be acceptable. Therefore, the submission and public release of this information should improve the efficiency of the search process by providers.

In light of these considerations, the Department has determined that the most appropriate interpretation of the statutory requirement to ‘‘fully disclose’’ other relationships is to emphasize the need to require the disclosure of every pertinent relationship specified by the statute. Providers that are considering entering a contract with a PSO can determine for themselves if any
disclosed relationships pose concerns. If so, they can then request further detailed information as they see fit. This approach has the further benefit of limiting the potential for inappropriate release of proprietary or commercial information, another matter of concern to commenters. The Department will protect confidential commercial information as permitted by the Freedom of Information Act and in accordance with 18 U.S.C. 1905.

Thus, in making his required determination, the Secretary will both give great weight to, and hold a PSO accountable for, its attestation that it will fully disclose all relationships required to be reported and whether the PSO’s operations, management, and control are not independent of any provider with whom it has entered a Patient Safety Act contract. The Secretary retains the authority to require an entity to provide more detailed information if necessary to make his required determination under 42 U.S.C. 299b–24(c)(3) regarding the ability of the PSO to fairly and accurately perform its patient safety activities in light of any reported relationships.

The final rule retains the general framework of the proposed rule for a PSO to use in determining when a disclosure statement must be submitted. The two thresholds remain unchanged. The disclosure requirement only applies when a PSO has entered a contract that provides the protections of the Patient Safety Act, i.e., a Patient Safety Act contract, and the PSO has other relationships with that contracting provider of the types specified below. A disclosure statement is not required if the PSO has a Patient Safety contract with a provider and the relationships described below are not present, nor is a disclosure statement required if the relationships are present but there is no Patient Safety Act contract.

We have restructured the text in the final rule. There are now three paragraphs: A restatement of the requirement in paragraph (i), a description of the required content of a disclosure statement in paragraph (ii), and the deadlines for submission of disclosure statements set forth in paragraph (iii).

Section 3.102(d)(2)(i) contains the following substantive changes. Compared with the requirements of the proposed rule, this paragraph eliminates the need to submit a disclosure statement if the PSO’s only other relationships with this contracting provider are limited to Patient Safety Act contracts.

In response to commenters’ questions and concerns, we have modified the text describing the statutory list of disclosures: contractual, financial, and reporting relationships are incorporated in subparagraphs (A)–(C) and control, management, and operation of the PSO, independent from the provider, is incorporated in subparagraph (D). We have narrowed the language in paragraphs (A)–(C) by limiting the required disclosures to current contractual, financial, and reporting relationships and restating the requirements to emphasize that disclosure is only required for relationships other than those in Patient Safety Act contract(s). We have restated and streamlined the language of subparagraph (A) to emphasize contracts and arrangements that impose obligations on the PSO.

We have retained the substantive requirements for financial relationships. Based upon comments received, we have determined that if the PSO is a membership organization, the Department does not consider dues or other assessments applied to all members to constitute a financial relationship for this purpose. The rule narrows the scope of subparagraph (C), where the text narrows the definition of reporting relationships to those in which this contracting provider has access to information about the work and internal operation of the PSO that is not available to other contracting providers. By focusing on this particular aspect of reporting relationships, we have tried to make plain that it is not our intent to collect information regarding the multiple ordinary types of reporting relationships that exist routinely between contracting parties. We have made the requirement narrower both for clarity and simplicity. The deleted reference to control is addressed by subparagraph (D), which we have narrowed to simply restate the statutory language on what must be disclosed or reported regarding management, control, and operation independent of the contracting provider.

We deleted the language requiring a PSO to assess whether any of the relationships in what is now subparagraph (D) might impair its ability to perform patient safety activities fairly and accurately because PSOs will now address these issues in the required narrative that comprises the second part of the disclosure statement, described below.

New § 3.102(d)(2)(ii) specifies the two required parts of a disclosure statement. The first part must disclose in summary form succinct descriptions of all of the obligations that the PSO has with this provider. The second part must be a related short narrative (we recommend no more than 1,000 words) that addresses the issues described below and is intended to explain the measures taken by the PSO to assure that its analyses and findings are fair and accurate.

We use the term ‘‘obligations’’—rather than the statutory term ‘‘relationships’’—in § 3.102(d)(2)(ii) of the rule for the following reason. If a PSO has multiple relationships with a provider, many of these relationships are likely to be both contractual and financial (and may involve other relationships for which the statute requires disclosure). A disclosure statement that was organized by the four types of relationships that require disclosure (subparagraphs (A)–(D) discussed above) would be confusing and difficult to interpret since items in different categories would be related. For example, if the PSO already has a contract with a provider to render a service for which it is paid, we do not see the benefit of having the contract listed in one reporting category and the financial relationship in another reporting category since they are clearly related.

Therefore, in drafting the required disclosure statement, a PSO should address the four statutorily-required disclosures discussed above as aspects of the separate obligations or arrangements that exist between a PSO and the provider with which the PSO is entering or has a Patient Safety Act contract. A PSO should focus on clarity and brevity in explaining each obligation in a single paragraph: A sentence or two describing the nature of the obligation, and the remainder of the paragraph should address each of the four required disclosures that are present and specifically note any of the four that are not.

As we use the term, an obligation is not limited to services that a PSO renders to a provider (such as developing information and undertaking analyses or providing a service or technical assistance). An obligation could also reflect a PSO’s relationship with an investor or owner and any arrangement that affects the PSO’s independence or involves any of the statutorily-required disclosures described above. In developing its list, a PSO should not combine separate and distinct obligations such as more than one contract, nor should it disaggregate a single obligation. For example, if a PSO undertakes technology assessments and has three separate contracts for different assessments, these would be three separate obligations and should be reported separately. On the other hand, an obligation that has more than one
task, such as providing assistance in implementing and evaluating a process improvement, should only be listed once; we are not suggesting that PSOs report separately on the different elements of a single unified project.

To apply these concepts, consider a hospital that was one of five hospitals that invested in the creation of a PSO and the hospital subsequently enters a Patient Safety Act contract with the PSO. If this investment is the only obligation other than the Patient Safety Act contract that exists between the PSO and the provider, the PSO’s disclosure statement would include only one obligation and it could be described in a single paragraph. Within that paragraph, the PSO should systematically address the required statutory disclosures or note that they are not present. In addressing financial relationships, the PSO should not include the amount of the investment or specific terms. In this case, the required paragraph would describe the essential nature of the financial relationship, e.g., it is a loan requiring repayment over X years; it is a long-term investment requiring the payment of dividends, etc., whether it was formalized by a contract, whether a reporting relationship exists, e.g., the provider has access to internal quarterly financial statements not available to other providers, and whether the obligation gives the provider any ability to control or manage the PSO’s operations, e.g., the provider has a seat on the board or review or veto authority over new clients, specific contracts, budgets, staff hiring, etc.

If the PSO is a subsidiary of a health system, the paragraph could indicate that PSO is a subsidiary of the provider, the provider is the primary source of revenue for the component PSO, the types of internal PSO information to which the provider has access, e.g., all financial, personnel, administrative internal information, and that the provider manages or controls (or has review and approval authority) of day-to-day decision-making, hiring and firing decisions, etc. By incorporating the required statutory disclosures into a succinct discussion of the obligations that a PSO has with this provider, we anticipate that the descriptions will be more comprehensible.

Part II of a disclosure statement must describe why or how the PSO, given the disclosures in part I, can fairly and accurately perform patient safety activities. The PSO must address: The policies and procedures that the PSO has in place to ensure adherence to professional analytic standards and objectivity in the analyses it undertakes; and any other policies, procedures, or agreements that ensure that the PSO can fairly and accurately perform patient safety activities.

Section 3.102(d)(2)(iii) of the rule retains the deadlines for submission of disclosure statements that were included in the proposed rule.

Response to Other Public Comments

Comment: One commenter asked that we exempt a PSO with fewer than 5 clients from releasing the names of its clients.

Response: We note that a PSO never has to reveal the names of its clients (providers) as long as the PSO does not have the other types of relationships described in this subsection with those providers. However, when such relationships are present, the statute does not provide authority for us to create such exceptions.

Comment: One commenter asked that we clarify that the required disclosures can be made in a way that the PSO does not breach the confidentiality requirements that may be a part of another contractual arrangement with a contracting provider.

Response: The Department cannot make a definitive statement that such confidentiality agreements can always be honored; this requires a case-by-case determination. A PSO is encouraged to discuss the issue with AHRQ staff before submitting a disclosure statement. As noted above, the agency’s public disclosures are constrained by 18 U.S.C. 1905, but agency officials have some discretion with respect to determining what information would be restricted under that statute. We note also that the agency has the discretion to deny Freedom of Information Act requests for information it regards as confidential commercial information (5 U.S.C. 552(b)(4)). Agency determinations will be assisted by explanations of what is viewed by a submitter as confidential commercial information and the reasons why that is the case.

Comment: One commenter posed a series of questions related to an entity that seeks listing that receives general membership dues or assessments, i.e., whether such general dues or assessments would be considered financial relationships and, therefore, require the filing of disclosure statements. The commenter also asked if disclosure of such membership dues or assessments is required under any other section of the rule.

Response: The Department has determined that membership dues or general assessments applied to all members do not constitute “financial relationships” between a provider and a PSO. There is no other section of the rule that would require disclosure of membership dues or assessments. Before seeking listing, however, a membership organization should carefully assess whether it meets the statutory requirement that its primary activity must be the conduct of activities to improve patient safety and the quality of health care delivery.

2. Section 3.104—Secretarial Actions

(A) Section 3.104(a)—Actions in Response to Certification Submissions for Initial and Continued Listing as a PSO

Proposed Rule: Section 3.104(a) described the actions that the Secretary could and will take in response to the certification material submitted for initial or continued listing as a PSO. We proposed that, in making a listing determination, the Secretary would consider the submitted certifications, issues related to the history of the entity, and any findings by the Secretary regarding disclosure statements. The proposed rule also included authority for the Secretary, under certain circumstances, to condition the listing of a PSO. We did not propose a deadline for Secretarial review of certifications submitted, but noted that we expect the Secretary to be able to conclude review within 30 days of receipt unless additional information or assurances are required.

Overview of Public Comments: We received several comments pertaining to this section. One comment endorsed the proposed provision. Another requested that we modify the rule to require Secretarial action within 60 days. A third commenter recommended that the Secretary establish timetables for all actions and opposed open-ended timeframes.

Final Rule: We have retained the text from the proposed rule with two modifications. The text of § 3.104(a)(1)(iii) of the proposed rule stated that the Secretary may require conditions for listing as part of his review of disclosure statements submitted pursuant to § 3.102(d)(2); that text has been retained. We also noted in the preamble discussing proposed § 3.104(a) that there may be certain circumstances in which the Secretary determines that it would not be prudent to rely solely on the certifications for listing submitted by an entity that was previously revoked and delisted for cause or previously refused listing by the Secretary. In such limited circumstances, we suggested the Secretary may seek additional
assurances from the PSO that would increase the Secretary’s confidence that, despite the history of the entity and its officers and senior staff, the entity could now be relied upon to comply with its statutory and regulatory obligations. To reflect the potential need for assurances in such cases, and to better align the text with the preamble discussion of the proposed rule, we have modified the text of § 3.104(a)(1)(iii) to permit the Secretary to condition the listing of a PSO in this limited circumstance to ensure that such a PSO honors the assurances it makes in seeking listing.

The second change is a conforming modification to the basis for the Secretary’s determination in § 3.104(a)(2), which specifically recognizes the right of the Secretary to take into account any history of or current non-compliance with requirements of the rule by officials and senior managers of the entity. This change also mirrors the requirement in § 3.102(a)(1) that entities seeking listing inform the Secretary if their officials or senior managers held comparable positions in a PSO that was delisted or with an entity that was denied listing by the Secretary.

We have not accepted the commenter’s recommendation to establish a regulatory deadline of 60 days for Secretarial action. This is a novel initiative and without a better sense of the potential issues that may arise, such as when a delisted PSO seeks a new listing, we are reluctant to circumscribe the flexibility that the statute and the proposed rule provided the Secretary. In addition, the statute requires an affirmative acceptance and listing action by the Secretary. Listing cannot occur as a result of any failure to meet a deadline. Accordingly, we have not adopted the recommendation.

(B) Section 3.104(b)—Actions Regarding PSO Compliance With the Minimum Contract Requirement

Proposed Rule: Section 3.104(b) of the proposed rule stated that, after reviewing the required notification from a PSO regarding its compliance with the minimum contract requirement, the Secretary would, for a PSO that attests that it has met the requirement, would acknowledge in writing receipt of the attestation and include information on the list of PSOs. If the PSO notifies the Secretary that it has not yet met the requirement, or if notification is not received from the PSO by the required date, the proposed rule stated that the Secretary would promptly issue a notice of a preliminary finding of deficiency and provide the PSO an opportunity for correction that will extend no later than midnight of the last day of its applicable 24-month assessment period. If the Secretary verifies that the PSO has not met the requirement by the last day of the 24-month period, he would issue a notice of proposed revocation and delisting.

Overview of Public Comments: We received no comments on this subsection.

Final Rule: The final rule incorporates the substance of the NPRM text without modification but restructures the text for clarity. The restructured text clarifies that the Secretary will only issue a notice of a preliminary finding of deficiency after the date on which a PSO’s notification to the Secretary is required by § 3.102(d)(1).

(C) Section 3.104(c)—Actions Regarding Required Disclosures by PSOs of Relationships With Contracting Providers

Proposed Rule: Section 3.104(c) of the proposed rule stated that the Secretary would evaluate a disclosure statement submitted by a PSO regarding its relationships with contracting providers by considering the nature, significance, and duration of the relationships between the PSO and the contracting provider. We sought public comment on other appropriate factors to consider. The statute requires disclosure of the Secretary’s findings, and we proposed public release, consistent with the Freedom of Information Act and 18 U.S.C. 1905, of PSO disclosure statements as well.

This proposed section also listed the statutorily permissible actions that the Secretary could take following his review: Conclude that the disclosed relationships require no action on his part or, depending on whether the entity is listed or seeking listing, condition his listing of the PSO, exercise his authority to refuse to list, or exercise his authority to revoke the listing of the entity. The Secretary would notify each entity of his findings and decisions.

Overview of Public Comments: One commenter suggested that our proposal that the Secretary consider the nature, significance, and duration of the relationship in evaluating the relationships had no statutory foundation. Another commenter suggested that we take into account corrective action. Several commenters proposed that we rely upon the inter-agency work group that is assisting AHRQ in developing common formats and definitions for reporting patient safety work product to assist in developing disclosure statements. One commenter suggested that we create a “safe harbor” for multi-hospital parent organization systems that contract with a PSO on behalf of some or all of its hospitals so that a disclosure statement would not be required, deeming that the component PSO of a multi-hospital organization can perform patient safety activities fairly and accurately. Another suggestion was that the Secretary should adopt a standard requiring that there be no conflicts of interests.

Final Rule: We have retained much of the text from the proposed rule but have modified the paragraph setting forth the basis for the Secretary’s findings regarding disclosure statements. In light of the comments, we have deleted the reference to “nature, significance, and duration” as not appropriate in every circumstance. The modification to the rule now requires the Secretary to consider the disclosures made by the PSO and an explanatory statement from the PSO making the case for why the PSO can fairly and accurately perform patient safety activities.

We have not adopted the other suggestions. As we discuss above, with respect to § 3.102(d)(2), we agree with the commenter that there is little reason for a provider organization to exert inappropriate control over its component PSO. At the same time we do not believe the statute permits us to waive Secretarial review under any set of circumstances.

We do not agree with commenters that the common formats inter-agency work group is the appropriate group to address disclosure statements. At this time, their informatics and clinical expertise and responsibilities are not congruent with assisting in the design or substantive requirements for disclosure statements.

(D) Section 3.104(d)—Maintaining a List of PSOs

Proposed Rule: The proposed rule sought to incorporate in § 3.104(d) the statutory requirement that the Secretary compile and maintain a list of those entities whose PSO certifications have been accepted and which certifications have not been revoked or voluntarily relinquished. We proposed that the list would include information related to certifications for listing, disclosure statements, compliance with the minimum contract requirement, and any other information required by this Subpart. We noted that we expected to post this information on the AHRQ PSO Web site, and sought comment on whether there are specific types of information that the Secretary should consider posting routinely on this Web site for the benefit of PSOs, providers, and other consumers of PSO services.

Overview of Public Comments: In addition to the list in the proposed rule, several commenters urged that we post the contact information for the parent organizations, subsidiaries, and affiliates, a list of states in which the parent organization does business, and the business objectives of the parent organizations, and whether each parent organization is for-profit or not-for-profit.

Two commenters suggested that the Secretary’s guidance on common reporting formats and definitions should be available on the PSO Web site. One commenter urged that the final rule and contact information for AHRQ staff should also be available there. Another commenter suggested that, since AHRQ works with PSOs, the value to prospective providers would be increased if we posted information on areas of specialization of individual PSOs and use the Web site as one tool for facilitating confirming analyses by other PSOs of initial work.

Final Rule: The final rule incorporates the proposed rule text without modification. We have not modified the text of the rule because most of the recommendations relate to information that AHRQ will be receiving or producing for PSOs and can be posted to the Web site without additions or changes to the rule text.

Recommendations to post information related to AHRQ staff and the final rule can be done without regulation as well. As AHRQ provides technical assistance to PSOs and works with the provider community to encourage the use of PSO services, we expect to publish information on the Web site that PSOs and the provider community request. In addition, the names and contact information of parent organizations of component PSOs and other information submitted at listing will be posted in accordance with the proposed rule text.

Commenters urged us to post some information that we have no plans to collect, and, therefore, we have not accepted their recommendations. Most of these recommendations related to the business objectives, or the for-profit or not-for-profit status of parent organizations of component PSOs. In our view, requiring component organizations to submit such information would be burdensome and unnecessary. Providers will be able to find that information by using the published contact information on PSOs and parent organizations.

(E) Section 3.104(e)—Three-Year Period of Listing

Proposed Rule: Section 3.104(e) proposed that listing as a PSO would be for three years, unless the Secretary revokes the listing or the PSO voluntarily relinquished its status. We also proposed that the Secretary would send a written notice of imminent expiration to a PSO no later than 45 calendar days before its listing expires if the Secretary has not received a certification seeking continued listing. We sought comment on a requirement that the Secretary publicly post the names of PSOs to which a notice of imminent expiration has been sent.

Overview of Public Comments: Commenters were virtually unanimous that, at the time we send a PSO a notice of imminent expiration, we should post similar information on the AHRQ PSO website. Several commenters suggested that PSOs should be required to notify providers that the PSO has received a notice of imminent expiration and expressing concerns about the time needed for providers to make alternative arrangements. One commenter suggested that notice to providers should be a part of the contract with the PSO. Another suggested that the Department establish an email listserv that providers could join for alerts such as this. One commenter opposed public notice and one expressed conditional support, provided the Department ensured the accuracy of the information on the Web site.

Final Rule: We have modified and redrafted § 3.104(e) of the final rule. The final rule retains the proposed provision that the period of listing will be for three years, unless revoked or relinquished. The first modification is that this section now explicitly provides for the automatic expiration of a PSO’s listing at the end of three years, unless the Secretary approves its certification for continued listing before the date of expiration. By incorporating this modification and making the process automatic, we have been able to eliminate the proposal in § 3.108(c) for a process we termed “implied voluntary relinquishment.” In comparison with the proposed rule approach, which required the Secretary to take affirmative action to delist a PSO that let its certifications lapse, this automatic approach simplifies the administrative process.

We have modified subparagraph 3.104(e)(2) in two ways. We will send a PSO a notice of imminent expiration even earlier—at least 60 days rather than 45 days—before its certifications expire. We adopted the earlier notification date in response to general concerns reflected in the comments about the time a provider needed to make alternative arrangements and to ensure sufficient time for the Secretary to review and make a determination regarding certifications for continued listing. The second modification incorporates our proposal to post a notice on the AHRQ PSO website, for which commenters expressed strong support. In combination, we expect these modifications will provide both the PSO and the providers from which it receives data sufficient notice that the entity’s period of listing is drawing to a close.

We have not incorporated the recommendation to require PSOs receiving the notice to contact all providers. We expect most providers and PSOs to take advantage of AHRQ’s existing listserv that will provide electronic notice to all subscribers when a notice such as this is posted on the AHRQ PSO website. Providers will also be able to sign up on the web site to receive individual emails if their PSO becomes delisted. In this way, we can be assured that notification is sent to, and received by, all interested parties.

(F) Section 3.104(f)—Effective Date of Secretarial Actions

Proposed Rule: The proposed rule in section 3.104(f) states that, unless otherwise specified, the effective date of each action by the Secretary would be specified in the written notice that is sent to the entity. We noted that the Department anticipates sending notices by electronic mail or other electronic means in addition to a hard copy version. We also pointed out that for listing and delisting decisions, the Secretary would specify both an effective time and date for such actions in the written notice to ensure clarity regarding when information received by the entity will be protected as patient safety work product.

Overview of Public Comments: We received no public comments on this subsection.

Final Rule: The final rule incorporates the proposed rule text without modification.

3. Section 3.106—Security Requirements

Proposed Rule: Section 3.106 of the proposed rule outlined a framework consisting of four categories for the security of patient safety work product that PSOs would consider in developing policies and procedures for the protection of data. Because § 3.106 contains only two subsections and we received few comments, we will discuss both subsections of the rule together.

Section 3.106(a) proposed that the security requirements of this section would apply to each PSO, its workforce members, and its contractors whenever
the contractors hold patient safety work product. If contractors cannot meet these security requirements, we proposed that their tasks be performed at locations at which the PSO can meet these requirements. We stated that the rule does not impose these requirements on providers; this Subpart would only apply to PSOs.

Proposed § 3.106(b) would have established a framework consisting of four categories for the security of patient safety work product that a PSO must consider. We proposed that each PSO develop appropriate and scalable standards that are suitable for the size and complexity of its organization.

The four categories of the framework would have included: Security management issues (documenting its security requirements, ensuring that its workforce and contractors understand the requirements, and monitoring and improving the effectiveness of its policies and procedures); separation of systems (required physical separation of patient safety work product, appropriate disposal or sanitization of media, and preventing physical access to patient safety work product by unauthorized users or recipients); security control and monitoring controls (ability to identify and authenticate users, an audit capacity to detect unlawful, unauthorized, or inappropriate activities, and controls to preclude unauthorized removal, transmission or disclosures); and policies and procedures for periodic assessment of the effectiveness and weaknesses of its overall approach to security (determine when it needs to undertake risk assessment exercises and specify how it would assess and adjust its procedures to ensure the security of its communications involving patient safety work product to and from providers and other authorized parties).

Overview of Public Comments: There were no public comments that specifically addressed § 3.106(a) of the rule. Commenters focused instead on the overall security framework established by § 3.106(b). The majority of commenters supported the proposed requirements and emphasized the concepts of scalability and flexibility that were reflected in the proposed rule. Two commenters urged the Department to adopt the HIPAA Security Rule instead. Another commenter suggested that the final rule should emphasize the need for PSOs to maintain up-to-date security processes and urged that the final rule specifically recognize that PSOs can include HIPAA Security Rule requirements in their business associate contracts with providers that are covered entities.

While there were few comments overall on this section of the rule, the specific provision that elicited the most concern was the requirement in § 3.106(b)(2) that patient safety work product needed to be maintained securely separate from other systems of records. As discussed above with respect to obligations of component organizations, commenters expressed concern regarding the potential burden of such a requirement and several pointed to the analytic benefits of being able to readily merge data sets for specific analyses. It was recommended that the final rule permit the patient safety work product and non-patient safety work product to be stored in the same database as long as the security requirements are implemented for the database as a whole.

Another commenter pointed to the confusion, inconsistency, and errors that were likely to result from the rule text in which each paragraph began with the words that a PSO “must address” each security issue within the framework while introductory paragraph (b) indicated that PSOs merely needed to “consider” the security framework.

Final Rule: We have modified the text of § 3.106 both to improve its clarity in non-substantive ways and to incorporate several substantive modifications in response to the comments we received. The changes to § 3.106(a) are for clarity. For uniformity and brevity, throughout § 3.106, we have standardized references regarding the application of security requirements to the “receipt, access, and handling” of patient safety work product. The rule text defines “handling” of patient safety work product as including its processing, development, use, maintenance, storage, removal, disclosure, transmission and destruction.

We have incorporated several modifications to the text of § 3.106(b). We have both simplified the text of the opening paragraph of this subsection and substituted the requirement that “PSOs must have written policies and procedures that address” for the language of the proposed rule that stated the “PSO must consider.” We agree with the commenter that retention of the proposed rule language would create confusion regarding what is required of a PSO. By retaining the language that permits a PSO to develop specific standards that address the security framework in this section with standards that are appropriate and scalable, we intend to retain flexibility for PSOs to determine how they will address each element of the security framework.

The most significant substantive change in the security framework is in § 3.106(b)(2), which had required the separation of patient safety work product from non-patient safety work product at all times. Based on comments received, we have modified both the title of § 3.106(b)(2) and the text of § 3.106(b)(2)(i). Section 3.106(b)(2) is now entitled “Distinguishing Patient Safety Work Product,” rather than “Separation of Systems,” and § 3.106(b)(2)(i) recognizes that the security of patient safety work product can be maintained either when patient safety work product is maintained separately from non-patient safety work product or when it is co-located with non-patient safety work product, provided that the patient safety work product is distinguishable. This will ensure that the appropriate form and level of security can be maintained. This change responds to several comments that opposed the absolute requirement for separation in the proposed rule.

While we have, thus, allowed greater procedural flexibility, we caution PSOs to be attentive to ensuring that patient safety work product remains distinguishable at all times if it is not kept separated. To the extent that patient safety work product becomes co-mingled with non-protected information, there is increased risk of impermissible disclosures and violations of the confidentiality requirements of the rule and the Patient Safety Act.

We have also eliminated a reference to a PSO determination of appropriateness that was in the text of the proposed rule in § 3.106(b)(4)(i) as redundant, since the rule permits a PSO to develop appropriate and scalable standards for each element of the security framework, including this element.

Given the strong support for our flexible and scalable framework, we have not adopted recommendations of two commenters to substitute the HIPAA Security Rule for these provisions. We would expect that PSOs that are familiar with, and have existing rules that implement, the HIPAA Security Rule will incorporate those standards as appropriate, when they develop their written policies and procedures to implement security for the patient safety work product they receive, access and handle. The security framework presented here does not impose any limitations on the ability of PSOs to incorporate or address additional security requirements or issues as the PSO determines to be appropriate. The flexible approach we have adopted should minimize the
potential for conflict with the incorrect. The Secretary could then entity’s certification and delist a PSO for
requirements of other programs. By withdraw the notice or require the PSO cause. The eight commenters that
taking advantage of this flexibility, and to proceed with correction. The specifically addressed the issue
ensuring that its security requirements preamble sought comment on whether recommended inclusion of such a
also address the requirements of the there should be an expedited revocation mechanism.
HIPAA Security Rule, a PSO should be process when deficiencies are not, or Final Rule: The final rule incorporates
able to meet its obligations as a business cannot, be cured. Public comment and only technical modifications to the text
associate of any provider that is also a the provisions of the final rule are of subsection 3.108(a). The deletion of
‘‘covered entity’’ under HIPAA discussed below in new subsection (e), text in § 3.108(a)(1)(ii) is intended to
regulations. expedited revocation. clarify that the basis for revocation and
Following the correction period, delisting matches our intent in the
4. Section 3.108—Correction of proposed § 3.108(a)(3) would have proposed rule, i.e., the failure to meet
Deficiencies, Revocation and Voluntary required the Secretary to determine the two-contract requirement, not the
Relinquishment

Section 3.108 establishes the processes and procedures related to correction of deficiencies, revocation, and voluntary relinquishment. Section 3.108(a) establishes the processes and procedures for correction of deficiencies by PSOs and, when deficiencies have not been timely corrected, the process leading to a decision by the Secretary to revoke his acceptance of the entity’s certification and delist a PSO. Section 3.108(b) sets forth the actions that the Secretary and a PSO must take following a decision by the Secretary to revoke his acceptance of the entity’s certification and delist the entity. Section 3.108(c) establishes the process by which an entity can voluntarily relinquish its status as a PSO. Section 3.108(d) requires publication of notices in the Federal Register whenever an entity is being removed from listing. New § 3.108(e) establishes an expedited process for revoking the Secretary’s acceptance of the entity’s certification under certain circumstances.

(A) Section 3.108(a)—Process for Correction of a Deficiency and Revocation

Proposed Rule: Section 3.108(a) listed in paragraph (a)(1) the circumstances that could lead to revocation and delisting and the remaining subsections set forth our proposed process for correction by a PSO of a deficiency identified by the Secretary and, if the deficiencies are not timely corrected or cannot be ‘‘cured,’’ the process that could lead to the revocation and delisting. We review the entirety of § 3.108(a) here.

Once the Secretary believes that a PSO is deficient in meeting its requirements, proposed § 3.108(a)(2) outlined the processes he would follow. First, the Secretary would send a written notice of a preliminary finding of deficiency; the contents of the deficiency notice are specified in the rule. Following receipt of the notice, a PSO would have 14 days to correct the record by submitting evidence that the information on which the preliminary finding had been based was factually

whether a deficiency has been corrected. The Secretary could determine: (1) The deficiency is corrected and withdraw the notice of deficiency; (2) additional time for, or modification of, the required corrective action is warranted; or (3) the deficiency is not corrected, the PSO has not acted with reasonable diligence or timeliness, and issue a Notice of Proposed Revocation and Delisting.

Section 3.108(a)(4) would have provided an automatic 30 calendar day period, unless waived by the PSO, for it to respond in writing to the proposed revocation and delisting. If a PSO fails to submit a written response, the Secretary would revoke his acceptance of its certification, and delist the entity. After review of the response and other relevant information, § 3.108(a)(5) proposed that the Secretary could affirm, reverse, or modify the notice of proposed revocation and delisting, and notify the PSO in writing of his decision with respect to any revocation of his prior acceptance of its certification and delisting. We noted that the proposed rule did not include an administrative process for appealing the Secretary’s decision to revoke his acceptance of the entity’s certification and delist a PSO, and specifically sought public comment on our approach.

Overview of Public Comments: Commenters focused on the due process aspects of subsection (a). While most commenters commended the proposed rule for its focus on working with PSOs to resolve deficiencies and its inclusion of due process elements throughout the process, the commenters recommended that the final rule incorporate an additional opportunity for an administrative appeal of a revocation and delisting decision and expressed concern that the final rule should not limit the due process rights and opportunities that had been proposed. For example, while several commenters endorsed our overall approach, no commenter specifically stated agreement with our decision not to include an administrative appeal mechanism following a decision by the Secretary to revoke his acceptance of the

failure to timely notify the Secretary that the requirement had been met. In addition, we have incorporated a related new § 3.108(e) that establishes a new expedited revocation process to be used in exceptional circumstances.

Despite the strong support by commenters that we incorporate in the final rule an opportunity for an administrative appeal when the Secretary decides to revoke his acceptance of a PSO’s certification and delist a PSO for cause, we have not modified the rule. The process described in § 3.108(a) permits an early response to findings of deficiency and where facts cited by the Secretary are correct, the process emphasizes the Department will work with PSOs to correct deficiencies, rather than punishing PSOs for deficiencies. Given the flexibility and extensive nature of the communication and correction opportunities and procedures outlined in 3.108(a), we expect that the revocation process will be utilized rarely, and only after significant efforts have been made to bring a PSO back into compliance. However, if a PSO is not working with us in good faith to correct any remaining deficiencies, there must be a timely finality to the process. For this system to work, providers must have confidence that the Department will act in a timely manner when a PSO chooses not to meet its statutory and regulatory obligations.

Response to Other Public Comments

Comment: One commenter recommended that the rule provide some degree of transparency regarding PSOs that have received notice of deficiencies by posting some limited information about this on the PSO Web site.

Response: The Department gave careful consideration to this comment because of our overall commitment to providing transparency wherever possible. Our conclusion is that we will not post information on deficiencies because of our concern that this will undermine another of our objectives, which is to promote and permit correction of deficiencies in a non-punitive manner. Providers considering entering a contract with a specific PSO are, of course, free to seek information from the PSO regarding whether it has received deficiency notices and is currently under an obligation to take corrective actions.

Comment: Another commenter suggested that the final rule specifically recognize the authority of the Secretary, if warranted by the circumstances that led to the delisting of a PSO, to debar the entity from seeking a new listing for a period of time.

Response: We have not adopted this specific suggestion, but we note that the Secretary is not required to relist an entity automatically. The Secretary can and will take into account the reasons for the revocation and delisting and the entity’s compliance with its obligations following revocation and delisting.

Comment: Several commenters suggested that the period of time provided to the PSO to submit a written response to a notice of proposed revocation and delisting should be expanded from 30 days to 45 days.

Response: We have not accepted this recommendation. We recognize the importance of striking a balance between providing an entity sufficient time to respond to such a notice and ensuring that providers can have confidence that the Department will act in a timely manner when a PSO does not meet its obligations. It is important to realize that by the time the PSO receives a notice of proposed revocation and delisting under the process set forth in § 3.108(a)(3), the Department has already worked with the PSO to correct the deficiencies and has indicated remaining problems so the PSO will have reason to anticipate any such notice of proposed revocation in advance of its issuance. Thus the PSO, realistically, will have more than 30 days to prepare its response to a proposed revocation.

Comment: One commenter suggested that, if the Secretary determines that the PSO has conflicts of interest, this should serve as a basis for proceeding directly to revocation.

Response: The Department recognizes the commenter’s underlying point that conflicts of interest may, in fact, not be curable and thus, in certain circumstances, may warrant proceeding directly to revocation. To the extent that such a conflict of interest provides a basis for the Secretary determining that continued listing would have serious adverse consequences, we could address it under § 3.108(e), the subsection establishing the new expedited revocation process. We should note that, in crafting that new authority, the Department believed that it had an obligation to establish a process for truly exceptional circumstances. We do not intend to use this authority as a substitute for the normal process established by subsection (a). Thus, if a conflict-of-interest does not raise the prospect of serious adverse consequences for providers or others, it is our intention to use the correction processes of subsection (a).

Comment: Would a provider’s patient safety work product be at risk if the Department failed to alert the provider in a timely manner of a deficiency in its PSO?

Response: No. As we pointed out in the preamble discussion of § 3.108 in the proposed rule, the presence of deficiencies or the fact that an entity is undergoing revocation has no impact on the information submitted to the entity by providers until the date and time that an entity is revoked and removed from listing. If the PSO is revoked and delisted for cause, the statute provides an additional 30-day period that begins at the time of delisting during which data reported to the former PSO receives the same protections as patient safety work product.

(B) Section 3.108(b)—Revocation of the Secretary’s Acceptance of a PSO’s Certification

Proposed Rule: When the Secretary makes a determination to remove the listing of a PSO for cause, proposed § 3.108(b)(1) required the Secretary to establish, and notify the entity, of the effective date and time of its delisting and inform the entity of its obligations under §§ 3.108(b)(2) and 3.108(b)(3).

Section 3.108(b)(2) proposed to implement two statutory provisions. First, the former PSO would be required to notify providers with which it has been working of its removal from listing and confirm to the Secretary within 15 days of the date of revocation and delisting that it has done so. In light of the brief notification period, we sought comment on whether there are other steps the Secretary should take to ensure that affected providers receive timely notice. Second, this subsection would have reaffirmed the continued protection of patient safety work product received while the entity was listed. In addition, any data received by the former PSO from a provider in the 30 days following the date of revocation and delisting would be accorded the same protections as patient safety work product. We noted that this additional period of protection was only for the benefit of providers reporting data; it would not permit a former PSO to continue to generate new patient safety work product.

Section 3.108(b)(3) proposed to implement the statutory requirements regarding the disposition of patient safety work product or data following revocation and delisting of a PSO. The three alternatives provided by the statute are: Transfer of the patient safety work product with the approval of the source from which it was received to a PSO which has agreed to accept it; return of the patient safety work product or data to the source from which it was received; or, if return is not practicable, destruction of such work product or data. We noted that the text of the proposed rule refers to the ‘‘source’’ of the patient safety work product or data; this would be a broader formulation than the statutory language and includes individuals. The statute does not establish a time frame for a PSO to comply with disposition requirements; we sought comment on setting a deadline.

Overview of Public Comments: Most commenters addressed the specific questions raised in the proposed rule, although a few commenters raised questions and offered recommendations related to the requirements for disposition of patient safety work product. In response to the Department’s question in the proposed rule of whether there were other steps that the Secretary could take to ensure that providers were informed when a PSO to which they reported data was revoked and delisted, many commenters concluded that the statutory requirement for notification by the former PSO was sufficient. Others urged AHRQ to post notices of revocation and delisting on the PSO website. Several commenters urged the Secretary to require the former PSO to provide AHRQ with a list of its providers when it submits its required confirmation 15 days after revocation that it has notified providers. Presumably, the intent was to permit the Secretary to follow up with these providers to confirm that they had been notified.

There were only three comments in response to our question in the proposed rule whether it was appropriate to require disposition of patient safety work product that was received from all sources. Two comments supported our interpretation of the statutory requirement. One commenter raised concerns that this requirement could be difficult to accomplish.

Commenters strongly supported inclusion in the final rule of a deadline by which former PSOs needed to complete their disposition of patient
safety work product. Some commenters suggested that we follow existing HIPAA guidelines and others suggested that the rule set a deadline, ranging from 90 days to 180 days following the date of revocation. One commenter suggested setting standards linked to the volume of patient safety work product held by the former PSO.

The options for disposition of patient safety work product elicited a number of comments. Some noted the difficulty of returning patient safety work product to its source as the former PSO closes its operations and expressed concern that destruction was not an option until the PSO concluded that returning the work product was not possible. In the view of this commenter, this could lead a PSO to simply abandon the patient safety work product since it may have neither time nor resources to contact the sources of the work product. However, most commenters focused on the importance of identifying ways to avoid destruction of patient safety work product.

Final Rule: Section 3.108(b) has been modified in several ways. The first changes, in § 3.108(b)(1), are technical changes. The first change renames the section to more accurately describe its provisions. The second technical change incorporates two additional cross-references to the ability of the Secretary to revoke his acceptance of a PSO’s certifications and delist an entity pursuant to the new expedited revocation process established in § 3.108(e).

We have not imposed any new requirements on the Department in § 3.108(b)(2) to notify providers. Many commenters did not see the need for additional intervention by the Department and several commenters suggested additional steps that we can and will take independent of the rule. For example, AHRQ has already established an e-mail-based listserv for individuals interested in electronic alerts regarding the agency’s implementation of the Patient Safety Act. Following publication of the final rule, AHRQ will encourage all interested providers and PSOs to add their names to the listserv, which will provide immediate notification when the Secretary takes actions related to the listing and delisting of PSOs or posts significant new information on AHRQ’s PSO Web site. Providers will also be able to sign up on the Web site to receive individual e-mails if their PSO becomes delisted.

We have modified § 3.108(b)(2) in another way. This paragraph retains the restatement that was in the proposed rule of the statutory assurances regarding the continued protections for patient safety work product reported to a PSO before the effective date of a revocation and delisting action by the Secretary and the protections for data reported to the former PSO during the 30-day period following the date of delisting. The modification requires the former PSO to include this information in its notices to providers regarding its delisting. We incorporated this modification to better effectuate the statutory purpose by ensuring that the providers contacted by the former PSO are aware of these protections for the data they may still want to report during the 30-day period.

Several commenters sought ways to preserve patient safety work product and data for continued learning. However, the requirements for disposition of patient safety work product and ‘‘data’’ in the final regulation follow the statutory formulation. We note that ‘‘data’’ in this context refers to information submitted to a former PSO in the 30 days following its delisting. Some amount of patient safety work product can be preserved if the PSO shares or discloses this information prior to the effective date of its revocation as permitted by the rule, e.g., to other PSOs in non-identifiable or anonymized form.

We have modified the text of § 3.108(b)(3) in one respect. In response to comments, we require the disposition requirement to be completed within 90 days. Some commenters suggested that we follow existing HIPAA guidelines in establishing deadlines for the disposition of patient safety work product. Neither the HIPAA Privacy Rule nor the HIPAA Security Rule have deadlines for the disposition of protected health information. Providers are, of course, free to establish in their contracts an earlier date for disposition of their patient safety work product or data and may provide prior authorization for transfer to another PSO.

Response to Other Public Comments

Comment: One commenter asked whether the disposition requirement applies to non-identifiable patient safety work product, such as data reported anonymously by hospitals.

Response: The statutory section on disposition of patient safety work product does not make an explicit distinction between disposition of identifiable and non-identifiable patient safety work product and data, nor does the final rule in the disposition requirements. The Department reads this disposition requirement as applying to both identifiable and non-identifiable patient safety work product and data. We note that Subpart C permits disclosure of non-identifiable patient safety work product at any time by a PSO. However, after the date and time that the Secretary sets for revocation and delisting, the former PSO must follow the prescribed disposition requirements. Thus, prior to the effective date and time of a PSO’s delisting, the PSO can transfer to another PSO non-identifiable and anonymized patient safety work product, without consent of the source(s) of that information.

Comment: One commenter suggested that there may be good business reasons for a former PSO that has been delisted to retain patient safety work product and asked that we provide that option.

Response: The statutory disposition requirement does not permit such an option for an entity that is revoked and delisted for cause, and the final rule mirrors this limitation. A PSO that voluntarily relinquishes its status is required to attest that it has made all reasonable efforts to comply with the disposition requirements.

Comment: One commenter noted that the disposition options appear to be premised on a concept of the source’s ownership interest in the patient safety work product provided to the PSO. Noting that as PSOs continue to aggregate data from multiple providers or through the sharing of work product with other PSOs, the commenter asserted that at some point the PSO’s work product becomes its own. The question to consider is whether this distinction can be made in applying the disposition requirement.

Response: The Department reads the disposition requirement of the Patient Safety Act to apply to all patient safety work product and data held by an involuntarily delisted former PSO. Most work product created by PSOs will be based upon reports from providers. While the commenter points to repeated aggregation of data from larger and larger numbers of providers as making the linkage to the reporting providers more tenuous, in our view the linkage remains as long as there is information that identifies any source of the data in the analysis. The linkage is only broken when the source(s) is (are) truly non-identifiable. As we noted above, the statute does not make a distinction between identifiable and non-identifiable information, so the disposition requirements apply to both.

Comment: One commenter noted that certain public PSO entities may face conflicts with state laws or regulations that establish requirements for the
disposition of information that they hold.

Response: The final rule’s requirements for disposition of patient safety work product would preempt conflicting state statutory requirements for disposition of information when it is patient safety work product.

Comment: What are the responsibilities of a contractor holding patient safety work product under contract with a PSO that is revoked and delisted for cause?

Response: The contractor must return the former PSO’s patient safety work product that it is holding for disposition as required by the rule.

(C) Section 3.108(c)—Voluntary Relinquishment

Proposed Rule: Section 3.108(c)(1) proposed two circumstances under which a PSO would be considered to have voluntarily relinquished its status as a PSO: When a PSO advises the Secretary in writing that it no longer wishes to be a PSO, and when a PSO permits its three-year period of listing to expire. To ensure that such a lapse is not inadvertent, the proposed rule would require the Secretary to send a notice of imminent expiration 45 calendar days before the expiration of its period of listing.

We proposed in § 3.108(c)(2) that a PSO seeking to relinquish its listing should include in its notification to the Secretary attestations regarding its compliance with the provider notification and patient safety work product disposition requirements, and would have required appropriate contact information for further communications from the Secretary. The Secretary would be authorized by § 3.108(c)(3) to accept or reject the PSO’s notification. We sought comment on our preliminary conclusion that, when a PSO voluntarily relinquishes its status, the statutory provisions providing protections for an additional 30 days for data submitted to the former PSO by providers do not apply.

Section 3.108(c)(4) would have enabled the Secretary to determine that implied voluntary relinquishment has taken place when a PSO permits its listing to expire. The Secretary would remove the entity from the list of PSOs at midnight on that day, notify the entity, and request that the entity make reasonable efforts to comply with the provider notification and patient safety work product disposition requirements, and to provide appropriate contact information. Finally, § 3.108(c)(5) proposed that voluntary relinquishment would not constitute a deficiency as referenced in subsection (a).

Overview of Public Comments: Public comment on the proposed provisions for voluntary relinquishment focused primarily on the two questions raised in the proposed rule.

Two commenters agreed with our interpretation that the statute limited the application of the additional protections for data submitted by providers to a former PSO in the 30-day period following the date and time of revocation and delisting to situations in which the PSO had been revoked and delisted for cause. A number of commenters argued for inclusion of a 30-day period of continued reporting for PSOs that voluntarily relinquished their status. They noted the importance of comparability but did not provide a legal rationale for reading the statute differently.

The second question posed by the proposed rule was the appropriateness of paragraph (c)(5) which would eliminate the right to challenge any decision by the Secretary regarding voluntary relinquishment. Several large provider groups supported our position while others argued that a PSO should always have the right to challenge or appeal any decision by the Secretary.

Final Rule: We have modified and narrowed the scope of voluntary relinquishment in the final rule. We have eliminated from this section the application of voluntary relinquishment to situations in which a PSO has let its certifications lapse. As noted above, we have modified § 3.104(e) to make expiration of a PSO’s listing automatic in these circumstances. Revised § 3.108(c) provides for voluntary relinquishment in only one circumstance: When a PSO writes the Secretary seeking to relinquish its listing as a PSO.

We have carefully reviewed again the statutory authority that enables PSOs that have their listing revoked for cause to continue to receive data for 30 days following the date and time of revocation and delisting that will be treated as patient safety work product. We reaffirm our interpretation that the statutory authority does not apply to an entity seeking to voluntarily relinquish its status as a PSO. Commenters provided no basis for a different reading of the statute. Accordingly, we have not incorporated any change in the rule.

We have also deleted inappropriate references to ‘‘patient safety work product and data’’ in § 3.108(c)(2) and replaced them with a reference only to patient safety work product. As we noted above, the term ‘‘data’’ in this context refers only to information received by a former PSO in the 30-day period following revocation for cause and is not applicable here. The only other modifications are deletions of text relating to implied voluntary relinquishment and a conforming change in a cross-reference.

We have not accepted the views of commenters supporting appeals of relinquishment determinations by the Secretary in light of our decision to narrow the scope of voluntary relinquishment to situations in which the PSO has requested relinquishment. The comments regarding due process for those who voluntarily relinquish their status would no longer be apt.

(D) Section 3.108(d)—Public Notice of Delisting Regarding Removal From Listing

Proposed Rule: Proposed § 3.108(d) would have incorporated the statutory requirement that the Secretary must publish a notice in the Federal Register regarding the revocation of acceptance of certification of a PSO and its removal from listing. The proposed rule would have broadened the requirement to include publication of such a notice if delisting results from a determination of voluntary relinquishment.

Overview of Public Comments: We received no comments on this subsection.

Final Rule: We have modified § 3.108(d) in the final rule to reflect our changes to subsection (c) that narrowed the scope of voluntary relinquishment. We also added a new reference that requires the Secretary to publish a notice when a PSO’s listing terminates automatically at the end of the statutorily based three-year period, pursuant to § 3.104(e).

(E) Section 3.108(e)—Expedited Revocation

Proposed Rule: The proposed rule did not contain a proposed § 3.108(e). The proposed rule did include in subsection (a) a request for comment about the possible inclusion in the final rule of an expedited revocation process. We noted that, while we anticipate that in the vast majority of circumstances, the PSO’s deficiency(ies) can and will be corrected, there may be situations in which a PSO’s conduct is so egregious that the Secretary’s acceptance of the PSO’s certification should be revoked without the opportunity to cure because there is no meaningful cure. We invited comments regarding this approach and how best to characterize the situations in which the opportunity to ‘‘cure,’’ e.g., to change policies, practices or procedures, sanction employees, send out correction notices, would not be sufficient, meaningful, or appropriate.

Overview of Public Comments: Several commenters expressed concern, requested that we define the term ‘‘egregious,’’ and opposed the elimination of a right for the PSO to respond to the proposed expedited revocation action. One commenter suggested that our proposal was appropriate in situations involving multiple willful violations and in which immediate action is necessary to protect patients and providers from further improper actions by the PSO.

Only one commenter addressed, and opposed, our suggestion that we might eliminate in the final rule the opportunity for a PSO to contest revocation when the entity had verifiably failed to meet the statutory minimum contract requirement.

Final Rule: The Department has modified the rule to include a new § 3.108(e) to provide for expedited revocation in a limited number of circumstances. In deciding to include this new subsection, we considered all of the comments received regarding Subpart B, not only those discussed here. There was a strong overall sentiment that the Secretary must be vigilant in ensuring that PSOs meet their obligations to protect the confidentiality of patient safety work product. These concerns were especially strong in response to our proposal to permit components of excluded entities to seek listing. We also received support for prompt Secretarial action for multiple willful violations and when providers and patients are at risk because of a PSO’s actions. Accordingly, we have incorporated an expedited revocation process based around these concerns.

New § 3.108(e)(1) lists three circumstances in which the Secretary may use an expedited process for revocation. The first two circumstances reflect commenter concern regarding excluded entities. The first of these, specified in § 3.108(e)(1)(i), is if the Secretary determines that a PSO is, or is about to become, an entity excluded from listing by § 3.102(a)(2). That section excludes from listing: A health insurance issuer; a unit or division of a health insurance issuer; an entity that is owned, managed or controlled by a health insurance issuer; entities that accredit or license health care providers; entities that oversee or enforce statutory or regulatory requirements governing the delivery of health care services; agents of an entity that oversees or enforces statutory or regulatory

health care providers (other than members of the entity’s workforce or health care providers holding privileges with the entity) are required to report information by law or regulation. Because the certifications for listing specifically require an entity to attest that it is not excluded from seeking listing, this situation would mean that the PSO had either filed a false certification, or that the nature of the entity had significantly changed during the course of its listing. An example of an entity ‘‘about to become an excluded entity’’ would be when there is advance notice of a merger of the parent organization of a component PSO with a health insurance issuer. A health insurance issuer is the only excluded entity that may not have a component become a PSO. If the Secretary learns that a PSO is about to become a component of a health insurance issuer, this is one circumstance under which we believe prompt action by the Secretary is essential.

The second circumstance, specified in § 3.108(e)(1)(ii), is when the parent organization of a PSO is an excluded entity and the parent organization uses its authority over providers to require or induce them to use the patient safety services of its component PSO. This was a major concern of commenters in permitting components of accreditation, licensure and regulatory entities to seek listing; the final rule in § 3.102(c) permits such a component to be listed only if it can certify that its parent organization does not impose such requirements on providers. When an excluded entity attempts to require or induce providers to report information to its component PSO, there is reasonable cause for concern regarding the integrity of the firewall between the component PSO and its parent organization. Given the potential harm to providers if their identifiable patient safety work product is made available to the excluded entity, the Department concludes that the need for prompt action is compelling.

The third circumstance specified in § 3.108(e)(1)(iii) of the rule is when the Secretary has determined that the failure to act promptly would lead to serious adverse consequences. We would expect to use this authority sparingly. Despite the confidential and protected nature of patient safety work product, we remain concerned that there can still be serious harm to providers, patients, and reporters named in patient safety work product if a PSO

reason to believe there have been repeated deficiencies, or when the PSO engages in fraudulent or illegal conduct. In light of these risks, we believe it is only prudent to give the Secretary the authority to respond promptly to situations where there is a risk of serious adverse harm, even if we cannot adequately foresee all of the specific situations that might require prompt action.

We note that we have accepted the position of another commenter that we not include failure to meet the minimum contract requirement as a basis for expedited revocation. Our intent is to limit expedited revocation to those situations which pose a risk to providers or others.

To accomplish expeditious remedial revocation action, § 3.108(e)(2) waives the procedures in §§ 3.108(a)(2) through 3.108(a)(5) for correction of deficiencies, determinations regarding correction of deficiencies, processes related to the opportunity for a written response by the PSO to a notice of proposed revocation and delisting, and final determination by the Secretary regarding revocation and delisting of the PSO. Instead, the provisions of § 3.108(e)(3) apply.

Under § 3.108(e)(3) of the expedited revocation process, the Secretary would issue a notice of deficiency and expedited revocation that identifies the evidence that the circumstances for expedited revocation exist and indicates any corrective action the PSO can take if the Secretary determines that corrective action may resolve the matter so that revocation and delisting could be avoided. Absent evidence of actual receipt of this notice of deficiency and expedited revocation, the Secretary’s notice will be deemed to be received five days after it was sent.

In developing this process, we have taken note of commenters’ concern that as a general matter, a PSO alleged to be deficient in compliance should have an opportunity to be heard and have provided the PSO with an opportunity to respond as part of the expedited revocation process. The Secretary must receive a response from the PSO within 14 days of actual or constructive receipt of the notice, whichever is longer. In its written response, the PSO can correct the alleged facts or argue the applicability of the legal basis given for expedited revocation and delisting and offer reasons that would support its case for not being delisted.

If the PSO does not submit a written
requirements governing the delivery of demonstrates reckless or willful response, the Secretary may revoke and
health care services; or entities that misconduct in its protection or use of delist the PSO. Provided the PSO
operate a Federal, State, Local, or Tribal the work product with which it is responds within the required time, the
patient safety reporting system to which entrusted, especially when there is Secretary may withdraw the notice,

grant the PSO with additional time to resolve the matter, or revoke and delist the PSO. If the Secretary decides to revoke and delist the PSO, we note that the requirements of § 3.108(b) discussed above apply. These requirements relate to notification of the providers who have reported patient safety work product to the PSO, disposition of the PSO’s patient safety work product and data, and the ability of providers to continue to report data to the former PSO for 30 calendar days following the effective date and time of delisting and have these data protected as patient safety work product.

5. Section 3.110—Assessment of PSO Compliance

Proposed Rule: Section 3.110 proposed the framework by which the Secretary would assess compliance of PSOs with the requirements of the statute and the rule. This section provided that the Secretary may request information or conduct spot-checks (reviews or site visits to PSOs, announced or unannounced) to assess or verify PSO compliance with the requirements of the statute and this proposed subpart. We noted that we anticipate that such spot checks would involve no more than 5–10% of PSOs in any year. We also noted that this section would reference the Department’s overall authority to have access to patient safety work product, if necessary, as part of its implementation and enforcement of the Patient Safety Act.

Overview of Public Comments: There were few comments on this section. Commenters agreed that AHRQ’s authority under this section should be limited to PSOs. Several commenters expressed concern about our discussion that we only anticipated spot-checking 5%–10% of PSOs for compliance in any given year. The projected number of spot checks in their view would not be adequate to maintain provider confidence and PSO compliance. Another commenter asked which agency would be delegated the task and identified entities within HHS to which the Secretary should not delegate this responsibility.

Final Rule: We have made no substantive modifications to § 3.110 in the final rule. We note in response to the commenters that urged a higher level of spot checks and inspections that the rule does not limit the ability of the Department to increase the number if warranted. However, we have no basis for assuming that higher levels of spot checks or inspections are warranted in light of the fact that Patient Safety Organizations are not federally funded or controlled and a provider’s decision to work with a PSO is voluntary. Therefore, we intend to maintain the approach outlined in the proposed rule.

In response to another commenter, the authority to implement Subpart B rests squarely within the authorities to foster patient safety and health care quality improvement of the Agency for Healthcare Research and Quality, and there is no reason to expect it to be delegated to another part of the Department.

6. Section 3.112—Submissions and Forms

Proposed Rule: Proposed § 3.112 would have provided instructions for obtaining required forms and the submission of materials, would have provided contact information for AHRQ (mailing address, Web site, and e-mail address), and would have authorized the Department to request additional information if a submission is incomplete or additional information is needed to enable the Secretary to make a determination on any submission.

Overview of Public Comments: We received no comments on this section.

Final Rule: We have made no substantive modifications to this section. We have made technical changes and incorporated citations for the AHRQ PSO Web site address and corrected the e-mail address.

C. Subpart C—Confidentiality and Privilege Protections of Patient Safety Work Product

Proposed Subpart C would have described the general privilege and confidentiality protections for patient safety work product, the permitted disclosures, and the conditions under which the specific protections no longer apply. The proposed Subpart also would have established the conditions under which a provider, PSO, or responsible person must disclose patient safety work product to the Secretary in the course of compliance and enforcement activities, and what the Secretary may do with such information. Moreover, the proposed subpart would have established the standards for nonidentifiable patient safety work product.

Proposed Subpart C sought to balance key objectives of the Patient Safety Act. First, the proposal sought to address provider concerns about the potential for damage from unauthorized release of information, including the potential for the information to serve as a roadmap for provider liability from negative patient outcomes. It also promoted the sharing of information about adverse patient safety events among providers and PSOs for the purpose of learning from those events to improve patient safety and the quality of care. To achieve these objectives, Subpart C proposed that patient safety work product would be privileged and confidential, except in the certain limited circumstances identified by the Patient Safety Act and as needed by the Department to implement and enforce the Patient Safety Act. In addition, proposed Subpart C provided, in accordance with the Patient Safety Act, that patient safety work product that is disclosed generally would continue to be privileged and confidential, subject to the delineated exceptions. Thus, under the proposal, an entity or person receiving patient safety work product only would be able to disclose such information for a purpose permitted by the Patient Safety Act and the proposed rule, or if patient safety work product was no longer confidential because it was nonidentifiable or subject to an exception to confidentiality. Providers, PSOs, and responsible persons who failed to adhere to these confidentiality rules would be subject to enforcement by the Department, including the imposition of civil money penalties, if appropriate, as provided in Subpart D of the proposed rule.

The proposed rule also explained that several provisions of the Patient Safety Act recognize that the patient safety regulatory scheme will exist alongside other requirements for the use and disclosure of protected health information under the HIPAA Privacy Rule. For example, the Patient Safety Act establishes that PSOs will be business associates of providers and the patient safety activities they conduct will be health care operations of the providers, incorporates individually identifiable health information under the HIPAA Privacy Rule as an element of identifiable patient safety work product, and adopts a rule of construction that states the intention not to alter or affect any HIPAA Privacy Rule implementation provision (see section 922(g)(3) of the Public Health Service Act, 42 U.S.C. 299b–22(g)(3)). As we explained in the proposed rule, we anticipate that most providers reporting to PSOs will be HIPAA covered entities under the HIPAA Privacy Rule, and as such, will be required to recognize and comply with the requirements of the HIPAA Privacy Rule when disclosing identifiable patient safety work product that includes protected health information. As Subpart C addresses disclosure of patient safety work product that may include protected health information,
we discuss, where appropriate, the overlap between this rule and the HIPAA Privacy Rule in the preamble description of this Subpart, as we did in the proposed rule.

1. Section 3.204—Privilege of Patient Safety Work Product

Proposed § 3.204 described the privilege protections of patient safety work product and the exceptions to privilege. As we explained in the proposed rule, the Patient Safety Act does not give authority to the Secretary to enforce breaches of the privilege protections, as it does with respect to breaches of the confidentiality provisions. Rather, we anticipate that the tribunals, agencies or professional disciplinary bodies before whom the proceedings take place and before which patient safety work product is sought, will adjudicate the application of the privilege provisions of the Patient Safety Act at section 922(a)(1)–(5) of the Public Health Service Act, 42 U.S.C. 299b–22(a)(1)–(5) and the exceptions to privilege at section 922(c)(1) of the Public Health Service Act, 42 U.S.C. 299b–22(c)(1). Even though the privilege protections will be enforced through the court systems, and not by the Secretary, we repeat the statutory privilege protections and exceptions in this final rule, as we did in the proposed rule. This is done both for convenience and completeness, as well as because the same exceptions in the privilege provisions are repeated in the confidentiality provisions and the term ‘‘disclosure’’ in the final rule describes both the transfer of patient safety work product pursuant to a privilege exception as well as a confidentiality exception. Thus, a disclosure of patient safety work product that is a violation of privilege may also be a violation of confidentiality, which the Secretary does have authority to enforce and for which he can impose a civil money penalty, if appropriate.

We also proposed to include at § 3.204(c) a regulatory exception to privilege for disclosures to the Secretary for the purpose of enforcing the confidentiality provisions and for making or supporting PSO certification or listing decisions. In the final rule, we adopt this proposed provision but also add language to make clear that the exception also applies to disclosures to the Secretary for HIPAA Privacy Rule enforcement, given the significant overlap with respect to disclosures under the two rules. We discuss that change, as well as the public comments and our responses with respect to the other privilege provisions, below.

(A) Section 3.204(a)—Privilege

Proposed Rule: Proposed § 3.204(a) would have described the general rule that, notwithstanding any other provision of Federal, State, local, or Tribal law, patient safety work product is privileged and shall not be: (1) Subject to Federal, State, local, or Tribal civil, criminal, or administrative subpoena or order, including in a disciplinary proceeding against a provider; (2) subject to discovery in connection with a Federal, State, local, or Tribal civil, criminal, or administrative proceeding, including a disciplinary proceeding against a provider; (3) subject to disclosure under the Freedom of Information Act (section 552 of Title 5, United States Code) or similar Federal, State, local, or Tribal law; (4) admitted as evidence in any Federal, State, local, or Tribal governmental civil proceeding, criminal proceeding, administrative rulemaking proceeding, or administrative adjudicatory proceeding, including any such proceeding against a provider; or (5) admitted in a professional disciplinary proceeding of a professional disciplinary body established or specifically authorized under State law. The proposed provision generally repeated the statutory language at section 922(a) of the Public Health Service Act, 42 U.S.C. 299b–22(a) but also clarified that privilege would have applied to protect against use of the information in Tribal courts and administrative proceedings.

Overview of Public Comments: We received no comments opposed to this proposed provision.

Final Rule: The final rule adopts this proposed provision.

Response to Other Public Comments

Comment: Several commenters expressed concern about the lack of detailed explanation and information about the privilege protections as compared to the confidentiality provisions in the proposed rule. Some commenters asked for clarification about how breaches of privilege can be enforced and who can assert privilege protection. Two commenters asked whether hospital peer review committees established under state law qualify as disciplinary bodies for purposes of the privilege protection and if there is a distinction between discipline by a state licensing body and discipline by an internal peer review committee.

Response: The Secretary does not have the authority to interpret and enforce the privilege protections of the statute, and thus, the proposed rule did not contain a detailed discussion of these provisions nor can we provide further explanation or interpretation in this final rule. Rather, as described above, the privilege provisions are included only for convenience and completeness, and because the privilege exceptions mirror exceptions to confidentiality. The privilege protections attach to patient safety work product, and we expect that the privilege of patient safety work product will be adjudicated and enforced by the tribunals, agencies or professional disciplinary bodies before which the information is sought and before whom the proceedings take place. A provider facing an opposing party who seeks to introduce patient safety work product in court may seek to enforce the privilege by filing the appropriate motions with the court asserting the privilege to exclude the patient safety work product from the proceeding.

(B) Section 3.204(b)—Exceptions to privilege

Proposed Rule: Proposed § 3.204(b) described the exceptions to privilege established at section 922(c) of the Public Health Service Act, 42 U.S.C. 299b–22c, thereby permitting disclosure of patient safety work product under such circumstances. In all cases, the exceptions to privilege were also proposed as exceptions to confidentiality at § 3.206(b). Proposed § 3.204(b)(1) would have permitted the disclosure of relevant patient safety work product for use in a criminal proceeding after a court makes an in camera determination that the patient safety work product contains evidence of a criminal act, is material to the proceeding, and is not reasonably available from any other source. Proposed § 3.204(b)(2) would have permitted disclosure of identifiable patient safety work product to the extent required to carry out the securing and provision of equitable relief as provided under section 922(f)(4)(A) of the Public Health Service Act, 42 U.S.C. 299b–22(f)(4)(A). Proposed § 3.204(b)(3) would have permitted disclosure of identifiable patient safety work product when each of the identified providers authorized the disclosure. Finally, proposed § 3.204(b)(4) would have excepted patient safety work product from privilege when disclosed in nonidentifiable form.

Overview of Public Comments: Some commenters expressed concern that allowing exceptions to privilege may not adequately protect patient safety work product.

Final Rule: The final rule adopts the proposed provisions. The statute explicitly provides for these limited
exceptions to privilege and thus, they are included in this final rule.

Response to Other Public Comments

Comment: One commenter asked that the final rule align the privilege exceptions in § 3.204(b) with the permitted disclosures to law enforcement in the HIPAA Privacy Rule at 45 CFR 164.512(f).

Response: We do not agree that expanding the exceptions to privilege in such a manner is appropriate or prudent. Congress expressly limited the exceptions to privilege to those we have repeated in the final rule. As relevant to law enforcement, the Patient Safety Act permits an exception from privilege protection for law enforcement purposes in only very narrow circumstances—that is, patient safety work product may be used in a criminal proceeding, but only after a judge makes an in camera determination that the information contains evidence of a criminal act, is material to the proceeding, and is not reasonably available from any other source. See § 3.204(b)(1). We do not have authority to further expand or interpret the exceptions to privilege provided for in the statute. Further, we believe strong privilege protections are essential to ensuring the goals of the statute are met by encouraging maximum provider participation in patient safety reporting. We note that § 3.206(c)(10) permits the disclosure of patient safety work product relating to an event that either constitutes the commission of a crime, or for which the disclosing person reasonably believes constitutes the commission of a crime, to law enforcement, provided that the disclosing person believes, reasonably under the circumstances, that the patient safety work product that is disclosed is necessary for criminal law enforcement purposes. In other cases where law enforcement needs access to information that is contained within patient safety work product, we emphasize that the definition of ‘‘patient safety work product’’ specifically excludes a patient’s medical or billing record or other original patient information. See § 3.20, paragraph (2)(i) of the definition of ‘‘patient safety work product.’’ Thus, such original patient information remains available to law enforcement in accordance with the conditions set out in the HIPAA Privacy Rule, if applicable.

(C) Section 3.204(c)—Implementation and Enforcement of the Patient Safety Act

Proposed Rule: Proposed § 3.204(c) would have excepted from privilege disclosures of relevant patient safety work product to or by the Secretary as needed for investigating or determining compliance, or seeking or imposing civil money penalties, with respect to this rule or for making or supporting PSO certification or listing decisions under the Patient Safety Act. We proposed that these disclosures also be permitted as an exception to confidentiality at § 3.206(d). We explained that, in order to perform investigations and compliance reviews to determine whether a violation occurred, the Secretary may need to have access to privileged and confidential patient safety work product and that we believe Congress could not have intended the privilege and confidentiality protections of the Patient Safety Act to impede such enforcement by prohibiting access to necessary information by the Secretary. Thus, the proposed provision would have allowed disclosure of patient safety work product to and by the Secretary for enforcement purposes, including the introduction of such information into ALJ or Board proceedings, disclosure by the Board to properly review determinations or to provide records for court review, as well as disclosure during investigations by OCR or activities in reviewing PSO certifications by AHRQ. Patient safety work product disclosed under this proposed exception would have remained privileged and confidential pursuant to proposed § 3.208, and proposed § 3.312 limited the Secretary to only disclosing identifiable patient safety work product obtained in connection with an investigation or compliance review for enforcement purposes or as otherwise permitted by the proposed rule or Patient Safety Act.

We also explained in the preamble to the proposed rule that the privilege provisions in the Patient Safety Act would not bar the Secretary from using patient safety work product for compliance and enforcement activities related to the HIPAA Privacy Rule. This interpretation was based on the statutory provision at section 922(g)(3) of the Public Health Service Act, 42 U.S.C. 299b–22(g)(3), which provides that the Patient Safety Act does not affect the implementation of the HIPAA Privacy Rule.

Overview of Public Comments: We received one comment in support of and no comments opposed to this proposed provision.

Final Rule: The final rule adopts the proposed provision, but expands it to expressly provide that patient safety work product also may be disclosed to or by the Secretary as needed to investigate or determine compliance with or to impose a civil money penalty under the HIPAA Privacy Rule. This new language implements the statutory provision at section 922(g)(3) of the Public Health Service Act, 42 U.S.C. 299b–22(g)(3), which, as explained above, makes clear that the Patient Safety Act is not intended to affect implementation of the HIPAA Privacy Rule. Given the significant potential for an alleged impermissible disclosure to implicate both this rule’s confidentiality provisions, as well as the HIPAA Privacy Rule, the Secretary may require access to privileged patient safety work product for purposes of determining compliance with the HIPAA Privacy Rule. The Secretary will use such information consistent with the statutory prohibition against imposing civil money penalties under both authorities for the same act.

With respect to this rule, the provision, as it did in the proposed rule, makes clear that privilege does not apply to patient safety work product disclosed to or by the Secretary if needed to investigate or determine compliance with this rule, or to make or support decisions with respect to listing of a PSO. This may include access to and disclosure of patient safety work product to enforce the confidentiality provisions of the rule, to make or support decisions regarding the acceptance of certification and listing as a PSO, or to revoke such acceptance and to delist a PSO, or to assess or verify PSO compliance with the rule.

2. Section 3.206—Confidentiality of Patient Safety Work Product

Proposed § 3.206 described the confidentiality protection of patient safety work product, as well as the exceptions from confidentiality protection.

(A) Section 3.206(a)—Confidentiality

Proposed Rule: Proposed § 3.206(a) would have established the general principle that patient safety work product is confidential and shall not be disclosed by anyone holding the patient safety work product, except as permitted or required by the rule.

Overview of Public Comments: We received no comments directly in reference to this provision.

Final Rule: The final rule adopts this proposed provision.

(B) Section 3.206(b)—Exceptions to confidentiality

Proposed Rule: Proposed § 3.206(b) described the exceptions to confidentiality, or permitted disclosures. The preamble to the proposed rule explained that there were several overarching principles that
applied to these exceptions from confidentiality. First, these exceptions were ‘‘permissions’’ to disclose patient safety work product and the holder of the information retained full discretion whether to disclose. Further, as the proposed rule was a Federal baseline of protection, a provider, PSO, or responsible person could impose more stringent confidentiality policies and procedures on patient safety work product and condition the release of patient safety work product within these exceptions by contract, employment relationship, or other means. However, the Secretary would not enforce such policies or private agreements. Second, when exercising discretion to disclose patient safety work product, we encouraged providers, PSOs, and responsible persons to attempt to disclose the amount of information commensurate with the purpose of the disclosure and to disclose the least amount of identifiable patient safety work product appropriate for the disclosure even if that was less than what would otherwise be permitted by the rule and regardless of whether the information continued to be protected under the rule after the disclosure. Third, the proposal prohibited persons receiving patient safety work product from redisclosing it except as permitted by the rule, and we requested comment on whether there were any negative implications of limiting redisclosures in such a manner.

We also described how the proposal would work with respect to entities also subject to the Privacy Act and/or the HIPAA Privacy Rule. We explained that agencies subject to the Patient Safety Act and the Privacy Act, 5 U.S.C. 552a, must comply with both statutes when disclosing patient safety work product. This means that, for agencies subject to both laws, a disclosure of patient safety work product could only be made if permitted by both laws. The Privacy Act permits agencies to make disclosures pursuant to established routine uses. See 5 U.S.C. 552a(a)(7); 552a(b)(3); and 552a(e)(4)(D). Accordingly, we recommended that Federal agencies that maintain a Privacy Act system of records containing information that is patient safety work product include routine uses that will permit the disclosures allowed by the Patient Safety Act. For HIPAA covered entities, we explained that when a patient’s protected health information is encompassed within patient safety work product, any disclosure of such information also must comply with the HIPAA Privacy Rule.

Overview of Public Comments: Some commenters expressed general support for the narrowly drawn exceptions to confidentiality in the proposed rule, while one commenter expressed concern that the exceptions were unnecessarily complex to accomplish their purpose. Several commenters asked that the final rule include additional exceptions to confidentiality or disclosure permissions. For example, some commenters suggested that the final rule permit the disclosure of patient safety work product to federal, state, and local agencies to fulfill mandatory reporting requirements. Other commenters suggested an exception be created to permit the disclosure of patient safety work product to state survey agencies, regulatory bodies, or to any federal or state agency for oversight purposes. Another commenter requested that the final rule include a disclosure permission for emergency circumstances similar to the HIPAA Privacy Rule disclosure at 54 CFR 164.512(j), allowing a PSO to disclose patient safety work product if it determines a pattern of harm and that disclosure is necessary to prevent an individual from harming a person or the public. One commenter, however, believed the proposed rule contained too many exceptions to confidentiality, and thus, did not adequately protect patient safety work product; this commenter suggested that some disclosure permissions be eliminated in the final rule but did not recommend which ones.

Several commenters responded to the question regarding whether there were any negative implications of limiting redisclosures as outlined in the proposed rule. These commenters supported the limitations on redisclosures of patient safety work product in the proposed rule; we received no comments identifying any negative implications of this limitation. One commenter, however, noted that the redisclosures should be governed by the HIPAA Privacy and Security Rules.

Finally, some commenters sought clarification regarding preemption. Several commenters asked whether the federal patient safety work product protections preempted existing State law that permitted or required disclosure of similar types of records. Other commenters asked whether greater State law protections continue to exist alongside patient safety work product protections, stating that some providers may decide not to participate with a PSO if they would lose existing State law protections.

Final Rule: The final rule generally adopts the proposed provisions, with some modifications as explained below in the specific discussions of the individual disclosure permissions. The disclosure permissions in this section reflect those provided by the statute, and the Secretary has no authority to eliminate or neglect to implement certain of the provisions. Further, the statute provides only limited authority to the Secretary to expand the disclosure permissions. See, for example, section 922(c)(2)(F) of the Public Health Service Act, 42 U.S.C. 299b–22(c)(2)(F), providing the Secretary with authority to create permissions for disclosures that the Secretary may determine, by rule or other means, are necessary for business operations and are consistent with the goals of the statute. Thus, the final rule does not create any new, or eliminate any proposed, categories of disclosure permissions.

With respect to those commenters who requested a disclosure permission be added to allow for the disclosure of patient safety work product to federal, state, and local agencies to fulfill mandatory reporting requirements or for oversight purposes, we disagree that such a modification is necessary. The final rule gives providers much flexibility in defining and structuring their patient safety evaluation system, as well as determining what information is to become patient safety work product and, thus, protected from disclosure. Providers can structure their systems in a manner that allows for the use of information that is not patient safety work product to fulfill their mandatory reporting obligations. See the discussion regarding the definition of ‘‘patient safety work product’’ in this preamble for more information. Further, as original medical and other records are expressly excepted from the definition of ‘‘patient safety work product,’’ providers always have the option of using those records to generate the reports necessary for their mandatory reporting obligations to federal, state, and local agencies.

With respect to disclosures for emergency circumstances, the Patient Safety Act provides no general exception for such disclosures. However, patient safety work product may be disclosed under § 3.206(b)(10) to law enforcement if the disclosing party reasonably believes the patient safety work product contains information that constitutes a crime. For emergency circumstances that do not rise to the level of criminal conduct, the information necessary to identify and address such emergencies should be readily available and accessible in medical records and other original
documents that are not protected as patient safety work product.

The final rule also adopts the redisclosure limitations of the proposed rule. As described above, commenters largely supported, and did not identify negative implications of, these restrictions. We discuss the individual redisclosure limitations below in the specific discussions regarding the disclosure permissions to which they apply. We note that the HIPAA Privacy and Security Rules will govern redisclosures of patient safety work product only to the extent that the redisclosures are made by a HIPAA covered entity and the patient safety work product encompasses protected health information.

In response to the comments and questions regarding preemption, we note that the Patient Safety Act provides that, notwithstanding any other provision of Federal, State, or local law, and subject to the prescribed exceptions, patient safety work product shall be privileged and confidential. See sections 922(a) and (b) of the Public Health Service Act, 42 U.S.C. 299b–22(a) and (b). The statute also provides as rules of construction the following: (1) that the Patient Safety Act does not limit the application of other Federal, State, or local laws that provide greater privilege or confidentiality protections than those provided by the Patient Safety Act; and (2) the Patient Safety Act does not preempt or otherwise affect any State law requiring a provider to report information that is not patient safety work product. See section 922(g) of the Public Health Service Act, 42 U.S.C. 299b–22(g). Thus, the patient safety work product protections provided for under the statute generally preempt State or other laws that would permit or require disclosure of information contained within patient safety work product. However, State laws that provide for greater protection of patient safety work product are not preempted and continue to apply.

Response to Other Public Comments

Comment: Several commenters asked that the final rule discuss redisclosures in more detail and further explain the consequences of redisclosures.

Response: A redisclosure, or “further disclosure” as described in the regulatory text, of patient safety work product, like a disclosure, is the release, transfer, provision of access to, or divulging in any other manner of patient safety work product by an entity or natural person holding the patient safety work product to another legally separate entity or natural person outside the entity holding the patient safety work product. Natural persons or entities who receive patient safety work product generally may further disclose such information pursuant to any of the disclosure permissions in the final rule at § 3.206, except where expressly limited pursuant to the provision under which the natural person or entity received the information. These restrictions on further disclosures may be found at §§ 3.206(b)(4)(ii) (disclosure to a contractor of a provider or PSO for patient safety activities), 3.206(b)(7) (disclosure to the Food and Drug Administration (FDA) and entities required to report to FDA), 3.206(b)(8) (voluntary disclosure to an accrediting body), 3.206(b)(9) (business operations), and 3.206(b)(10) (disclosure to law enforcement). These limitations are described more fully below in the discussions concerning the disclosure permissions to which they apply. As with an impermissible disclosure, impermissible redisclosures are subject to enforcement by the Secretary and potential civil money penalties.

Comment: Two commenters asked that we monitor the impact of the rule to ensure that it does not improperly impede the necessary sharing of patient safety work product.

Response: As the rule is implemented, we will monitor its impact and consider whether any concerns that are raised by providers, PSOs, and others should be addressed through future modification to the rule or guidance, as appropriate.

(1) Section 3.206(b)(1)—Criminal Proceedings

Proposed Rule: Proposed § 3.206(b)(1) would have permitted the disclosure of identifiable patient safety work product for use in a criminal proceeding, if a court makes an in camera determination that the identifiable patient safety work product sought for disclosure contains evidence of a criminal act, is material to the proceeding, and is not reasonably available from other sources. See section 922(c)(1)(A) of the Public Health Service Act, 42 U.S.C. 299b–22(c)(1)(A). The proposed provision paralleled the exception to privilege at proposed § 3.204(b)(1).

As we explained in the proposed rule, the Patient Safety Act establishes that patient safety work product generally will continue to be privileged and confidential upon disclosure. See section 922(d)(1) of the Public Health Service Act, 42 U.S.C. 299b–22(d)(1) and § 3.208 of this rule. However, the Patient Safety Act limits the continued protection of patient safety work product disclosed for use in a criminal proceeding pursuant to this provision. In particular, patient safety work product disclosed pursuant to this provision continues to be privileged after disclosure but is no longer confidential. See section 922(d)(2)(A) of the Public Health Service Act, 42 U.S.C. 299b–22(d)(2)(A). We explained that this would mean, for example, that law enforcement personnel who obtain patient safety work product used in a criminal proceeding could further disclose that information because confidentiality protection would not apply; however, law enforcement could not seek to introduce the patient safety work product in another proceeding without a new in camera determination that would have complied with the privilege exception at proposed § 3.204(b)(1).

We also reminded entities that are subject to the HIPAA Privacy Rule that any disclosures pursuant to this provision that encompass protected health information also would need to comply with the HIPAA Privacy Rule’s provision at 45 CFR 164.512(e) for disclosures pursuant to judicial proceedings. We explained that we expected court rulings following an in camera determination to be issued as a court order, which would satisfy the HIPAA Privacy Rule’s requirements.

Overview of Public Comments: We received no comments opposed to this provision.

Final Rule: The final rule adopts the proposed provision.

Response to Other Public Comments

Comment: One commenter asked that the final rule make clear that patient safety work product disclosed under this provision continues to be privileged and cannot be used or reused as evidence in any civil proceeding even though the information is no longer confidential.

Response: The final rule makes this clear. See § 3.208(b)(1).

(2) Section 3.206(b)(2)—Equitable Relief for Reporters

Proposed Rule: The Patient Safety Act prohibits a provider from taking an adverse employment action against an individual who, in good faith, reports information to the provider for subsequent reporting to a PSO or to a PSO directly. See section 922(e)(1) of the Public Health Service Act, 42 U.S.C. 299b–22(e)(1). For purposes of this provision, adverse employment actions include loss of employment, failure to promote, or adverse evaluations or decisions regarding credentialing or licensing. See 922(e)(2) of the Public Health Service Act, 42 U.S.C. 299b–22(e)(2). The Patient Safety Act provides adversely affected reporters a civil right
of action to enjoin such adverse employment actions and obtain other equitable relief, including back pay or reinstatement, to redress the prohibited actions. See 922(f)(4) of the Public Health Service Act, 42 U.S.C. 299b–22(f)(4). To effectuate the obtaining of equitable relief under this provision, the Patient Safety Act provides that patient safety work product is not subject to the privilege protections or to the confidentiality protections. Thus, proposed § 3.206(b)(2) would have permitted the disclosure of identifiable patient safety work product by an employee seeking redress for adverse employment actions to the extent that the information is necessary to permit the equitable relief. This proposed provision paralleled the privilege exception to permit equitable relief at proposed § 3.204(b)(2). Also, in accordance with the statute, we proposed that once patient safety work product is disclosed pursuant to this provision, it would have remained subject to confidentiality and privilege protection in the hands of all subsequent holders and could not be further disclosed except as otherwise permitted by the rule.

We also provided guidance with respect to the application of the HIPAA Privacy Rule if a covered entity (or its business associate) was making the disclosure and the patient safety work product included protected health information. In that regard, we explained that, under the HIPAA Privacy Rule at 45 CFR 164.512(e), when protected health information is sought to be disclosed in a judicial proceeding via subpoenas and discovery requests without a court order, the disclosing HIPAA covered entity must seek satisfactory assurances that the party requesting the information has made reasonable efforts to provide written notice to the individual who is the subject of the protected health information or to secure a qualified protective order.

Finally, the proposed rule solicited comments on whether the obtaining of a protective order should be a condition of the disclosure under this provision or whether, instead, the final rule should require only a good faith effort to obtain a protective order as a condition of this disclosure.

Overview of Public Comments: Two commenters expressed general support for the proposed provision, stating that it struck the appropriate balance between maintaining the confidentiality and privilege protections on patient safety work product and allowing reporters of patient safety work product to seek redress for adverse employment actions based upon their good faith reporting of this information to a PSO.

Several commenters responded to the question posed in the proposed rule asking whether a protective order should be a condition of disclosure under this provision or if a good faith effort in obtaining a protective order should be sufficient. All of these commenters agreed that the obtaining of a protective order should be a condition of disclosure of patient safety work product under this provision.

Final Rule: The final rule adopts the proposed disclosure permission at § 3.206(b)(2) but conditions the permitted disclosure for equitable relief on the provision of a protective order by the court or administrative tribunal to protect the confidentiality of the patient safety work product during the course of the proceeding. Although patient safety work product remains confidential and privileged in the hands of all recipients after disclosure under this provision, we recognize that the sensitive nature of the patient safety work product warrants requiring a protective order as additional protection on this information. Because some participants and observers of a proceeding involving equitable relief for an adverse employment action may not be aware that certain information is protected as patient safety work product to which penalties attach for impermissible disclosures, requiring a protective order is prudent to ensure that patient safety work product is adequately protected and that individuals are put on notice of its protected status. As we explained in the proposed rule, such a protective order could take many forms that preserve the confidentiality of patient safety work product. For example, the order could limit the use of the information to case preparation, but not make it evidentiary. Or, the order might prohibit the disclosure of the patient safety work product in publicly accessible proceedings and in court records to prevent liability from moving to a myriad of unsuspecting parties.

We recognize that, in some cases, a reporter seeking equitable relief may be unable to obtain a protective order from a court prior to making a necessary disclosure of patient safety work product, despite the reporter’s good faith and diligent effort to obtain one. If the Secretary receives a complaint that patient safety work product was disclosed by a reporter seeking equitable relief, the Secretary has discretion not to impose a civil money penalty, if appropriate. While the final rule requires a protective order as a condition of disclosure, it is not the Secretary’s intent to frustrate the obtaining of equitable relief provided for under the statute. Thus, the Secretary will review the circumstances of such complaints to determine whether to exercise his enforcement discretion to not pursue a civil money penalty.

(3) Section 3.206(b)(3)—Authorized by Identified Providers

Proposed Rule: Proposed § 3.206(b)(3) would have permitted a disclosure of patient safety work product when each provider identified in the patient safety work product separately authorized the disclosure. This provision paralleled the privilege exception at proposed § 3.204(b)(3) and was based on section 922(c)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b–22(c)(1)(C). The proposed rule explained that patient safety work product disclosed under this exception would continue to be confidential pursuant to the continued confidentiality provisions at section 922(d)(1) of the Public Health Service Act, 42 U.S.C. 299b–22(d)(1), and persons would be subject to liability for further disclosures in violation of that confidentiality.

We also explained that it would be insufficient to make identifiable information regarding a nonauthorizing provider nonidentifiable in lieu of obtaining an authorization. While we considered such an approach, we rejected it as impractical given that it seemed there would be very few, if any, situations in which a nonauthorizing provider could be nonidentified without also needing to nonidentify, or nearly so, an authorizing provider in the same patient safety work product.

We encouraged persons disclosing patient safety work product to exercise discretion with respect to the scope of patient safety work product disclosed and to consider whether identifying information regarding reporters or patients was necessary, even though the statute required neither patient nor reporter authorization under this provision. We also explained that, if the disclosing entity is a HIPAA covered entity (or business associate), the HIPAA Privacy Rule, including the minimum necessary standard when applicable, would apply to the disclosure of protected health information contained within the patient safety work product. Further, if the disclosure was not also permitted under the HIPAA Privacy Rule, the patient information would need to be de-identified. We sought public comment as to whether the proposed approach was sufficient to protect the interests of reporters and patients identified in the patient safety work
product permitted to be disclosed pursuant to this provision.

While the Patient Safety Act does not specify the form of the authorization under this exception, we proposed that an authorization be in writing, be signed by the authorizing provider, and contain sufficient detail to fairly inform the provider of the nature and scope of the disclosures being authorized. The proposed rule would not have required that any specific terms be included in the authorization, only that disclosures be made in accordance with the terms of the authorization, whatever they may be. We sought public comment on whether a more stringent standard would be prudent and workable, such as an authorization process that is disclosure specific.

We also proposed that any authorization be maintained by the disclosing entity or person for a period of six years from the date of the last disclosure made in reliance on the authorization, the limit of time within which the Secretary must initiate an enforcement action.

Overview of Public Comments: Several commenters responded that patients and reporters identified in patient safety work product are adequately protected by this regulation and by the HIPAA Privacy Rule for covered entities. Some commenters, however, suggested that the HIPAA Privacy Rule’s minimum necessary standard be applied to disclosures under this provision so that only the minimum necessary amount of patient safety work product would be permitted to be disclosed.

Several commenters also responded to the question of whether a stricter or more prescribed standard for the authorizations should be included in the final rule, the majority of whom stated that the authorization requirements outlined in the proposed rule were adequate. One commenter recommended that the final rule not regulate the terms of the provider authorization and that such terms be left to the parties. Another commenter suggested that provider authorizations be time-limited, while other commenters asked for a model authorization form and that the final rule provide a process for revocation of authorizations.

Final Rule: The final rule adopts the proposed provision. Thus, a provider, PSO, or responsible person may disclose identifiable patient safety work product if a valid authorization is obtained from each identified provider and the disclosure is consistent with such authorization. As in the proposed rule, such authorizations must be retained by the disclosing entity for six years from the date of the last disclosure made in reliance on the authorization and made available to the Secretary upon request. Further, as the Department agrees with those commenters who believed the specific terms of the provider authorizations should be left to the parties, the final rule, as in the proposed rule, requires only that the authorization of each of the identified providers be in writing and signed, and contain sufficient detail to fairly inform the provider of the nature and scope of the disclosures being authorized. Thus, the parties are free to define their own specific terms for provider authorizations, including any time limitations and to what extent and the process through which such authorizations are revocable. Given the final rule does not prescribe a particular form or the terms of provider authorizations under this provision, we do not believe providing a model authorization form is appropriate or feasible.

With respect to patient and reporter identifiers, we continue to strongly encourage disclosers to consider how much patient safety work product is necessary, and whether patient or reporter identifiers are necessary, to accomplish the purpose of the authorized disclosure. However, this final rule does not include specific limitations on the disclosure of patient and reporter identifiers under this provision, so long as the disclosure is in accordance with the terms of the provider authorizations. In addition, the HIPAA Privacy Rule, including the minimum necessary or de-identification standard, as appropriate, continues to apply to the disclosure of any protected health information contained within the patient safety work product.

Response to Other Public Comments

Comment: One commenter asked for clarification as to whether state laws requiring greater protection for patient safety work product would apply to disclosures pursuant to this provision.

Response: Section 922(g)(1) of the Public Health Service Act, 42 U.S.C. 299b–22(g)(1), provides that the Patient Safety Act does not limit the application of other Federal, State, or local laws that provide greater privilege or confidentiality protections than provided by the Act. Thus, state laws providing greater protection for patient safety work product are not preempted and would apply to disclosures of patient safety work product.

Comment: One commenter expressed concern that this disclosure permission conflicts with the disclosure permission for patient safety activities at proposed § 3.206(b)(4) because this disclosure permission does not allow the sharing of any provider information, even if made nonidentifiable, unless all providers identified in the patient safety work product authorize the disclosure, while the disclosure permission for patient safety activities allows the sharing of provider information between PSOs and between providers, as long as it is anonymized.

Response: These disclosure permissions are separate and independent of one another and serve different purposes. Disclosures of patient safety work product may be made pursuant to either permission, provided the relevant conditions are met.

Comment: One commenter expressed concern about the disclosure permission’s prohibition on disclosing patient safety work product in nonidentifiable form with respect to a provider who has not authorized the disclosure of the information, stating that this construct would make the provision difficult to implement.

Response: The final rule adopts the provisions of the proposed rule and does not permit patient safety work product to be disclosed if the information is rendered nonidentifiable with respect to a nonauthorizing provider. As explained above, there are likely few situations in which a nonauthorizing provider could be nonidentified without having to also nonidentify the authorizing providers in the patient safety work product to be disclosed under this provision. Therefore, allowing nonidentification of the nonauthorizing provider is impractical.

Comment: One commenter recommended that a copy of the provider authorization be kept in a patient’s file, if the provider’s authorized disclosure of patient safety work product resulted in a disclosure of the patient’s protected health information, so that these disclosures can be tracked and included in an accounting of disclosures as required by 45 CFR 164.528 of the HIPAA Privacy Rule.

Response: While the commenter’s suggestion may assist in complying with the HIPAA Privacy Rule’s accounting of disclosures standard, we do not include such a requirement in the final rule. Given that the authorizations provided for under this provision are focused on the disclosure of the provider’s identifiable information and that the specific terms of such authorizations will vary based on the circumstances of the disclosure and the parties, it is
unlikely that such authorizations will contain the information necessary for a HIPAA covered entity to meet its accounting obligations to the individual patient. Further, HIPAA covered entities are free to design and use approaches for compliance with the HIPAA Privacy Rule’s accounting standard that are best suited to their business needs and information systems.

(4) Section 3.206(b)(4)—Patient Safety Activities

Proposed Rule: Proposed § 3.206(b)(4) would have permitted the disclosure of identifiable patient safety work product for patient safety activities (i) by a provider to a PSO or by a PSO to that disclosing provider; or (ii) by a provider or a PSO to a contractor of the provider or PSO; or (iii) by a PSO to another PSO or to another provider that has reported to the PSO, or by a provider to another provider, provided, in both cases, certain direct identifiers are removed. This proposed permissible disclosure provision was based on section 922(c)(2)(A) of the Public Health Service Act, 42 U.S.C. 299b–22(c)(2)(A), which permits the disclosure of identifiable patient safety work product for patient safety activities. The proposed rule provided that, consistent with the statute, patient safety work product would remain privileged and confidential once disclosed under this provision.

We explained in the proposed rule that patient safety activities are the core mechanism by which providers may disclose patient safety work product to obtain external expertise from PSOs and through which PSOs may aggregate information from multiple providers, and communicate feedback and analyses back to providers. Thus, the rule needs to facilitate such communications so that improvements in patient safety can occur. To realize this goal, the proposed rule at § 3.206(b)(4)(i) would have allowed for the disclosure of identifiable patient safety work product reciprocally between providers and the PSOs to which they have reported. This would allow PSOs to collect, aggregate, and analyze patient safety event information and disseminate findings and recommendations for safety and quality improvements.

The proposed rule at § 3.206(b)(4)(ii) also would have allowed for disclosures by providers and PSOs to their contractors who are not workforce members, recognizing that there may be situations where providers and PSOs want to engage contractors who are not agents to carry out patient safety activities. However, to ensure patient safety work product remained adequately protected in such cases, the proposed rule would have prohibited contractors from further disclosing patient safety work product, except to the provider or PSO from which they first received the information. We explained in the proposed rule that this limitation would not, however, preclude a provider or PSO from exercising its authority under section 922(g)(4) of the Public Health Service Act, 42 U.S.C. 299b–22(g)(4), to separately delegate its power to the contractor to make other disclosures. We also stated that, although the proposed rule did not require a contract between the provider or PSO and the contractor, we fully expected the parties to engage in prudent practices to ensure patient safety work product remained confidential.

Further, to allow for more effective aggregation of patient safety work product, the proposal at § 3.206(b)(4)(iii) would have allowed PSOs to disclose patient safety work product to other PSOs or to other providers that have reported to the PSO (but not about the specific event(s) to which the patient safety work product relates), and providers to disclose patient safety work product to other providers, for patient safety activities, as long as the patient safety work product was anonymized through the removal of direct identifiers of providers and patients. See proposed § 3.206(b)(4)(iii)(A). In particular, to anonymize provider identifiers, the proposed rule would have required the removal of the following direct identifiers of any providers and of affiliated organizations, corporate parents, subsidiaries, practice partners, employers, members of the workforce, or household members of such providers: (1) Names; (2) postal address information, other than town or city, State and zip code; (3) telephone numbers; (4) fax numbers; (5) electronic mail addresses; (6) social security numbers or taxpayer identification numbers; (7) provider or practitioner credentialing or DEA numbers; (8) national provider identification number; (9) certificate/license numbers; (10) web universal resource locators; (11) internet protocol (IP) address numbers; (12) biometric identifiers, including finger and voice prints; and (13) full face photographic images and any comparable images. For patient identifiers, the proposed rule would have applied the HIPAA Privacy Rule limited data set standard. See 45 CFR 164.514(e). We explained in the proposed rule that removal of the required identifiers could be absolute or be done through encryption, provided the disclosing entity did not disclose the key to the encryption or the mechanism for re-identification.

Recognizing that fully nonidentifiable patient safety work product may have limited usefulness due to the removal of key elements of identification, the proposed rule specifically sought public comment on whether there were any entities other than providers, PSOs, or their contractors that would need fully identifiable or anonymized patient safety work product for patient safety activities.

The proposed rule also explained the intersection with the HIPAA Privacy Rule with respect to these disclosures, and noted that, as provided by the statute, PSOs would be treated as business associates and patient safety activities performed by, or on behalf of, a covered provider by a PSO would be deemed health care operations as defined by the HIPAA Privacy Rule. For a more detailed discussion of the application of the HIPAA Privacy Rule with respect to disclosures under this proposed provision, see the preamble to the proposed rule at 73 FR 8146–8147. The proposed rule sought public comment on whether the HIPAA Privacy Rule definition of “health care operations” should be modified to include a specific reference to patient safety activities and whether the HIPAA Privacy Rule disclosure permission for health care operations should be modified to include a reference to patient safety activities.

Overview of Public Comments: The commenters expressed general support for the reciprocal disclosure of patient safety work product between providers and PSOs for patient safety activities. Additionally, commenters expressed general support for the disclosure of patient safety work product by a PSO or provider to its contractor to carry out patient safety activities.

Commenters also generally supported the proposed permissible disclosure of patient safety work product between PSOs for patient safety activities, between PSOs and other providers that have reported to that PSO, and between providers. However, many commenters expressed concern about the proposed rule requirement at § 3.206(b)(4)(iii) to anonymize patient safety work product prior to disclosure. Some commenters stated that this requirement inappropriately limited a PSO’s ability to share this information with other PSOs and could prevent PSOs from being able to identify duplicate reports of a single event coming from independent sources in the patient safety work product received from other
PSOs. One suggested that PSOs be able to share identifiable patient safety work product with other PSOs, while another commenter stated that provider names, addresses, and phone numbers should be included in patient safety work product to permit follow up contact with the provider and as a way to identify duplicate adverse event reports. This commenter suggested that PSOs be able to contract with other PSOs as their contractors so that they could share patient safety information that has not been anonymized with one another subject to § 3.206(b)(4)(ii), or alternatively, that the final rule allow PSOs to share patient safety work product identifying providers with other PSOs if a contract ensuring the confidentiality of this information is in place between the PSOs. Other commenters expressed concern that the anonymization requirement limited the ability of providers to use and disclose patient safety work product to other providers or students for educational, academic, or professional purposes. These commenters feared that the proposed rule would inhibit providers’ ability to consult with other providers about patient safety events and requested clarification from the Department that the rule would not prohibit the disclosure of patient safety work product among physicians and other health care professionals, particularly for education purposes or for preventing or ameliorating harm.

Many commenters also responded to the question in the proposed rule regarding whether the patient safety activities disclosure permission should be expanded to encompass additional entities. Commenters identified no additional entities to include in this disclosure permission; however, some commenters suggested that the Department monitor this provision so that exceptions for disclosures to additional entities may be made in the future if necessary.

Final Rule: The final rule adopts without modification proposed § 3.206(b)(4)(i) and § 3.206(b)(4)(ii), permitting disclosure of patient safety work product for patient safety activities between providers and PSOs, and between providers or PSOs and their contractors that undertake patient safety activities on their behalf. In addition, the final rule modifies proposed § 3.206(b)(4)(iii) with respect to disclosures to another PSO or provider, redesignates the provision as § 3.206(b)(4)(iv), and adds a new § 3.206(b)(4)(iii).

New § 3.206(b)(4)(iii) of the final rule permits disclosure of identifiable patient safety work product among affiliated providers for patient safety activities. Unlike disclosures between providers in § 3.206(b)(4)(iv), the patient safety work product disclosed pursuant to this permission need not be anonymized prior to disclosure. An affiliated provider is defined in the final rule as ‘‘with respect to a provider, a legally separate provider that is the parent organization of the provider, is under common ownership, management, or control with the provider, or is owned, managed, or controlled by the provider.’’ See § 3.20. This addition to the final rule is included in recognition that certain provider entities with a common corporate affiliation, such as integrated health systems, may have a need, just as a single legal entity, to share identifiable and non-anonymized patient safety work product among the various provider affiliates and their parent organization for patient safety activities and to facilitate, if desired, one corporate patient safety evaluation system. We emphasize that provider entities can choose not to use this disclosure mechanism if they believe that doing so would adversely affect provider participation, given that patient safety work product would be shared more broadly across the affiliated entities.

The final rule adopts the disclosure permission for patient safety work product proposed at § 3.206(b)(4)(iii) in the proposed rule; however, the final rule relocates this disclosure permission to § 3.206(b)(4)(iv) and retitles this section for clarity. This disclosure permission requires that patient safety work product disclosed for patient safety activities by a PSO to another PSO or to another provider that has reported to the PSO or by a provider to another provider must be anonymized through the removal of certain provider-related direct identifiers listed in § 3.206(b)(4)(iii)(A), as well as the removal of patient direct identifiers pursuant to the HIPAA Privacy Rule’s limited data set standard at 45 CFR 164.514(e)(2).

Although the final rule includes a provision for disclosure of fully identifiable patient safety work product among affiliated providers, we believe it is unnecessary to provide a similar provision that would allow for the sharing of identifiable and non-anonymized patient safety work product between PSOs since the final rule includes multiple avenues for secondary PSOs, i.e., those PSOs that do not have the direct reporting relationship with the provider, to receive provider identifiable data, if needed. In particular, the final rule allows: (1) A PSO receiving patient safety work product from a provider to contact that provider and recommend that the provider also report the patient safety work product to an additional PSO; (2) a provider reporting to a PSO to delegate its authority to the PSO to report its patient safety work product to an additional PSO; (3) a PSO to hire another PSO as a consultant to assist in the evaluation of patient safety work product received from a reporting provider, pursuant to § 3.206(b)(4)(ii); and (4) a PSO to disclose identifiable and non-anonymized patient safety work product to another PSO if it has obtained authorization to do so from each provider identified in the patient safety work product. See § 3.206(b)(3).

To address the concerns of providers generally that the rule would prohibit the disclosure of patient safety work product among physicians and other health care professionals, particularly for educational purposes or for preventing or ameliorating patient harm, we emphasize that the rule does not regulate uses of patient safety work product within a single legal entity. (However, we note that we have expressly defined as a disclosure the sharing of patient safety work product between a component PSO and the rest of the legal entity of which it is a part.) Thus, consistent with this policy, providers within a single legal entity are free to discuss and share patient safety work product in identifiable and non-anonymized form for educational, academic, or other professional purposes. We have made this policy clear in the final rule by modifying the definition of disclosure to apply only to the release, transfer, provision of access to, or divulging in any other manner of patient safety work product by: (1) an entity or natural person holding the patient safety work product to another legally separate entity or natural person outside the entity holding the patient safety work product; or (2) a component PSO to another entity or natural person outside the component organization.

Further, as described above, the new provision at § 3.206(b)(4)(iii) allows the sharing of fully identifiable patient safety work product among affiliated providers. However, if providers wish to disclose patient safety work product to other providers outside of their legal entity or to non-affiliated providers, the information must be anonymized subject to § 3.206(b)(4)(iv)(A) and (B) or disclosed subject to another applicable disclosure permission.

Response to Other Public Comments

Comment: One commenter asked that the final rule prohibit the
recommendations made by a PSO from being introduced as evidence of a standard of care or for other purposes in a judicial or administrative proceeding.

Response: A recommendation made by a PSO is patient safety work product to which the privilege and confidentiality protections attach. Therefore, the information can only be disclosed through an applicable disclosure permission. However, as we explained in the proposed rule, while the recommendations themselves are protected, the corrective actions implemented by a provider, even if based on the protected recommendations from a PSO, are not patient safety work product.

Comment: One commenter asked if permissible disclosures of patient safety work product for patient safety activities under this disclosure permission could include disclosures for credentialing, disciplinary, and peer review purposes.

Response: The disclosure permission at § 3.206(b)(4) of the final rule for patient safety activities does not encompass the disclosure of patient safety work product to an external entity or within an administrative proceeding for credentialing, disciplinary, or peer review purposes. However, as explained above, uses of patient safety work product within a legal entity are not regulated and thus, patient safety work product may be used within an entity for any purpose, including those described by the commenter, so long as such use does not run afoul of the statutory prohibition on a provider taking an adverse employment action against an individual based on the fact that the individual in good faith reported information either to the provider with the intention of having the information reported to a PSO or directly to a PSO. (Note, though, that we have expressly defined as a disclosure the sharing of patient safety work product between a component PSO and the rest of the legal entity of which it is a part.)

Comment: One commenter suggested that PSOs should be required to maintain an accounting of all disclosures of patient safety work product containing individually identifiable health information in parallel to the HIPAA Privacy Rule requirement for covered entities. In order to further protect patient privacy, this commenter suggested that patients be made third party beneficiaries of the contracts between providers and PSOs.

Response: A HIPAA covered entity is responsible for ensuring that disclosures of protected health information made by a PSO, as its business associate, are included in an accounting of disclosures to the extent such disclosures are subject to an accounting at 45 CFR 164.528. Further, the HIPAA Privacy Rule provides that a contract between a HIPAA covered entity and its business associate must require the business associate to make available to the covered entity the information it needs to comply with the HIPAA Privacy Rule’s accounting standard. See 45 CFR 164.504(e). However, we expect that most permissible disclosures of patient safety work product that include protected health information will not be subject to the HIPAA Privacy Rule’s accounting requirements. The HIPAA Privacy Rule’s accounting standard does not require that disclosures made for health care operations be included in an accounting. See 45 CFR 164.528(a)(1)(i). Thus, because disclosures for patient safety activities at § 3.206(b)(4), business operations at § 3.206(b)(9), or accreditation purposes at § 3.206(b)(8) will generally be for the provider’s health care operations, the provider does not need to account for these disclosures. Additionally, for disclosures of patient safety work product that are subject to the HIPAA Privacy Rule’s accounting requirement, such as disclosures to the FDA and entities required to report to the FDA at § 3.206(b)(7), the HIPAA Privacy Rule offers enough flexibility for a provider generally to provide an accounting of those disclosures without revealing the existence of patient safety work product. Therefore, we do not believe including a requirement directly on PSOs with respect to the HIPAA Privacy Rule’s accounting standard is needed or appropriate. Nor do we agree that contracts between providers and PSOs should designate individuals as third party beneficiaries of such contracts. We believe the HIPAA Privacy Rule’s existing provisions provide adequate protections for identifiable patient information that may be encompassed within patient safety work product; however, we also expect PSOs generally to disclose anonymized and nonidentifiable patient safety work product.

Comment: Another commenter suggested that patient safety work product should be able to be used and disclosed in the same circumstances that protected health information can be used and disclosed under the HIPAA Privacy Rule for health care operations.

Response: The final rule does not regulate ‘‘uses’’ of patient safety work product within a legal entity; thus, a provider, PSO, or responsible person may use patient safety work product for any purpose within the legal entity, including those considered ‘‘health care operations’’ for purposes of the HIPAA Privacy Rule. With respect to disclosures, however, we do not agree that expanding the disclosure permission in the manner suggested by the commenter is appropriate. The disclosure permissions in the final rule are carefully crafted to balance the need for the information to remain confidential with the need to disclose patient safety work product to effectuate the goals of the statute or for other limited purposes provided by the statute. With respect to disclosures for patient safety activities, while it is clear that patient safety activities are health care operations under the HIPAA Privacy Rule, only a subset of activities within the definition of ‘‘health care operations’’ are relevant to patient safety.

Comment: One commenter asked for clarification about whether a provider can report a single patient safety event to multiple PSOs.

Response: Providers are free to report patient safety work product to, and have relationships with, multiple PSOs.

Comment: A commenter asked that the final rule explain the process for disclosing patient safety work product to the National Patient Safety Databank.

Response: The Department intends to provide further guidance and information regarding the creation of and reporting to and among the network of patient safety databases, as part of implementation of section 923 of the Public Health Service Act, including information on common formats for collecting and disclosing nonidentifiable patient safety work product for such purposes. The Department announced the availability of, and sought comment on, common formats for common hospital-based patient safety events in the Federal Register on August 29, 2008 (http://www.pso.ahrq.gov/formats/commonfmt.htm).

Comment: One commenter suggested that the final rule require providers and PSOs to have written contracts in place with contractors who are not their agents but who will carry out patient safety activities on their behalf. Another commenter asked if the final rule will include a requirement similar to a business associate contract under the HIPAA Privacy Rule between PSOs and its contractors.

Response: The final rule does not require providers and PSOs to have written contracts in place with contractors who are not their agents but who will carry out patient safety activities on their behalf. However, we expect that, in practice, such relationships will be governed by
contract, but we leave the terms of those relationships up to the parties. We note, though, that if a HIPAA covered entity hires a contractor to conduct patient safety activities on its behalf, which requires access to protected health information, the HIPAA Privacy Rule would require that a business associate agreement be in place prior to any disclosure of such information to the contractor. See 45 CFR 164.502(e) and 164.504(e).

Comment: Some commenters asked that the final rule provide clarification regarding the circumstances under which PSOs can disclose patient safety work product to other PSOs to aggregate this information for patient safety activities purposes.

Response: Section 3.206(b)(4)(iv) of the final rule permits such disclosures, provided the patient safety work product is anonymized by removal of the direct identifiers of both providers and patients. Also, the final rule permits a PSO to disclose patient safety work product to another PSO if authorized by the identified providers as provided in § 3.206(b)(3) or in non-identifiable form in accordance with § 3.206(b)(5). Finally, a provider reporting to a PSO may delegate its authority to the PSO to report its patient safety work product to an additional PSO, as provided by § 3.206(e).

Comment: A commenter suggested that a data use agreement be required when any information, including individually identifiable health information, is being shared through a limited data set.

Response: If a HIPAA covered entity is sharing a limited data set, as defined by the HIPAA Privacy Rule, the covered entity must enter into a data use agreement with the recipient of the information. See 45 CFR 164.504(e). For entities that are not covered by the HIPAA Privacy Rule, the final rule does not include such a requirement; however, we encourage such parties to engage in these and similar practices to further protect patient safety work product.

Comment: Two commenters asked for clarification in the final rule about whether patient safety work product disclosed by a provider to a PSO or by a PSO to a provider can identify other providers regardless of whether they have also reported to that PSO. One commenter asked if the rule requires that authorization from all the identified providers is required before this disclosure can be made.

Response: The final rule at § 3.206(b)(4)(i) allows the disclosure of patient safety work product in identifiable form reciprocally between the provider and the PSO to which it reports. This information can contain information identifying other providers. If the patient safety work product is being disclosed between PSOs, between unaffiliated providers, or between a PSO and other providers that have reported to it, then the information must be anonymized prior to disclosure subject to § 3.206(b)(4)(iv)(A) and (B). In addition, if a provider or PSO obtains authorizations from all providers identified in the patient safety work product, or if the patient safety work product is being shared among affiliated providers, then such information may be disclosed in identifiable form under § 3.206(b)(3) and 3.206(b)(4)(iii).

Comment: Several commenters expressed concern about the anonymization requirement at proposed § 3.206(b)(4)(iii)(A) and stated that a provider may be identifiable even if the patient safety work product is anonymized. One commenter suggested that zip codes should be included in the list of identifiers that must be removed from the patient safety work product. Other commenters felt that the anonymization standard was too strict.

Response: We believe the anonymization standard in the final rule at § 3.206(b)(4)(iv)(A) strikes the appropriate balance between the need to protect patient safety work product and the need for broader sharing of such information at an aggregate level, outside of the direct provider and PSO relationship, to achieve the goals of the statute and improve patient safety.

Comment: We received several comments in response to the questions asked in the proposed rule about whether the HIPAA Privacy Rule definition of ‘‘health care operations’’ should include a specific reference to patient safety activities and whether the Privacy Rule disclosure permission for health care operations should be modified to conform to the disclosure for patient safety activities. These commenters expressed overwhelming support for modifying the HIPAA Privacy Rule’s definition of ‘‘health care operations’’ to include such a specific reference and to aligning the disclosure permission for health care operations with that for patient safety activities. The commenters stated that including such specific references would make the intersection of both regulations clear, and would encourage patient safety discourse among providers and PSOs. One commenter stated that there was no need to modify the definition of ‘‘health care operations’’ because it already unambiguously encompassed patient safety activities. No commenters suggested that modifications to the Privacy Rule were necessary to address any workability issues.

Response: OCR will consider these comments and will seek opportunity to address them in regulation or in guidance.

(5) Section 3.206(b)(5)—Disclosure of Nonidentifiable Patient Safety Work Product

Proposed Rule: Proposed § 3.206(b)(5) would have permitted the disclosure of nonidentifiable patient safety work product if the patient safety work product met the standard for nonidentification in proposed § 3.212. See section 922(c)(2)(B) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(B). As described in proposed § 3.208(b)(ii), nonidentifiable patient safety work product, once disclosed, would no longer be privileged and confidential and thus, could be redisclosed by a recipient without any Patient Safety Act limitations or liability. Any provider, PSO or responsible person could nonidentify patient safety work product. See the discussion regarding § 3.212 for more information about the nonidentification standard.

Overview of Public Comments: We received no comments opposed to this proposed provision.

Final Rule: The final rule adopts the proposed provision.

Response to Other Public Comments

Comment: One commenter asked that the final rule require data use agreements for disclosures of nonidentifiable patient safety work product in cases where there is a chance for identification or reidentification of provider identities.

Response: We emphasize that patient safety work product is considered nonidentifiable only if, either: (1) the statistical method at § 3.212(a)(1) is used and there is a very small risk that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an identified provider; or (2) the identifiers listed at § 3.212(a)(2) are stripped and the person making the disclosure does not have actual knowledge that the remaining information could be used, alone or in combination with other information that is reasonably available to the intended recipient, to identify a provider. Thus, the commenter should consider whether the information about which it is concerned would be nonidentifiable for purposes of this rule. Further, while the final rule does not require that the disclosure of nonidentifiable patient safety work product be conditioned on
an agreement between the parties to the disclosure, we note that providers, PSOs, and responsible persons are free to contract or enter into agreements that place further conditions on the release of patient safety work product, including in nonidentifiable form, than required by the final rule. See § 3.206(e).

Comment: Several commenters stated that identifiable information about nondisclosing providers should not be disclosed and that adequate safeguards should be in place to ensure that information identifying nondisclosing providers is not released. These commenters also suggested that AHRQ set up a workgroup to evaluate the standards and approaches set forth in the proposed rule.

Response: The nonidentification standard at § 3.212 of the final rule addresses the commenters’ concern by requiring either that: (1) a statistician determine, with respect to information, that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an identified provider; or (2) all of the provider-related identifiers listed at § 3.212(a)(2) be removed and the provider, PSO, or responsible person making the disclosure not have actual knowledge that the information could be used, alone or in combination with other information that is reasonably available to the intended recipient, to identify the particular provider.

(6) Section 3.206(b)(6)—For Research

Proposed Rule: Proposed § 3.206(b)(6) would have allowed the disclosure of identifiable patient safety work product to entities carrying out research, evaluations, or demonstration projects that are funded, certified, or otherwise sanctioned by rule or other means by the Secretary. See section 922(c)(2)(C) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(C). We explained in the proposed rule that this disclosure permission was only for research sanctioned by the Secretary. We also explained that we expected that most research that may be subject to this disclosure permission would be related to the methodologies, analytic processes, and interpretation, feedback and quality improvement results from PSOs, rather than general medical, or even health services, research. Patient safety work product disclosed for research under this provision would continue to be confidential and privileged.

Section 922(c)(2)(C) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(C), requires that patient safety work product which identifies patients may only be released to the extent that protected health information would be disclosable for research purposes under the HIPAA Privacy Rule. We interpreted this provision as requiring HIPAA covered entities to ensure any disclosures of patient safety work product under this provision that also include protected health information comply with the HIPAA Privacy Rule’s research provisions. Accordingly, the proposal incorporated by reference 45 CFR 164.512(i) of the HIPAA Privacy Rule, which generally requires a covered entity to obtain documentation of a waiver (or alteration of waiver) of authorization by either an Institutional Review Board (IRB) or a Privacy Board prior to using or disclosing protected health information without the individual’s authorization.

We noted that our interpretation of the statute would not impact the disclosure of identifiable patient safety work product by entities or persons that are not HIPAA covered entities. We also explained that the incorporation by reference of the HIPAA Privacy Rule should provide for the proper alignment of disclosures for research purposes under the two rules. However, the exception under the Patient Safety Act also refers to evaluations and demonstration projects, some of which may not meet the definition of research under the HIPAA Privacy Rule because they may not result in generalizable knowledge but rather may fall within the HIPAA Privacy Rule’s definition of ‘‘health care operations.’’ We stated that, in such cases, HIPAA covered entities disclosing patient safety work product that includes protected health information under this exception could do so without violation of the HIPAA Privacy Rule. See the definition of ‘‘health care operations’’ at 45 CFR 164.501 of the HIPAA Privacy Rule.

Overview of Public Comments: We received no comments in reference to this provision.

Final Rule: The final rule adopts the proposed provision, except that the specific reference to ‘‘45 CFR 164.512(i)’’ is deleted. We have included only a general reference to the HIPAA Privacy Rule in recognition of the fact that disclosures of patient safety work product containing protected health information pursuant to this provision could be permissible under the HIPAA Privacy Rule under provisions other than 45 CFR 164.512(i), such as, for example, disclosures for health care operations pursuant to 45 CFR 164.506, or disclosures of a limited data set for research purposes pursuant to 45 CFR 164.514(e).

(7) Section 3.206(b)(7)—To the Food and Drug Administration

Proposed Rule: Section 922(c)(2)(D) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(D), permits the disclosure by a provider to the Food and Drug Administration (FDA) with respect to a product or activity regulated by the FDA. Proposed § 3.206(b)(7) would have implemented this provision by permitting providers to disclose patient safety work product concerning products or activities regulated by the FDA to the FDA or to an entity required to report to the FDA concerning the quality, safety, or effectiveness of an FDA-regulated product or activity. The proposed rule also would have permitted the sharing of patient safety work product between the FDA, entities required to report to the FDA, and their contractors concerning the quality, safety, or effectiveness of an FDA-regulated product or activity. Patient safety work product disclosed pursuant to this disclosure permission would continue to be privileged and confidential.

We specifically sought public comment on our interpretation that the statutory language concerning reporting ‘‘to the FDA’’ included reporting by the provider to persons or entities regulated by the FDA and that are required to report to the FDA concerning the quality, safety, or effectiveness of an FDA-regulated product or activity. We proposed this interpretation to allow providers to report to entities that are required to report to the FDA, such as drug manufacturers, without violating this rule, and asked if including such language would bring about any unintended consequences for providers.

We further proposed at § 3.206(b)(7)(ii) that the FDA and entities required to report to the FDA may only further disclose patient safety work product for the purpose of evaluating the quality, safety, or effectiveness of that product or activity and such further disclosures would only be permitted between the FDA, entities required to report to the FDA, their contractors, and the disclosing providers. Thus, for example, the FDA or a drug manufacturer receiving adverse drug event information that is patient safety work product may engage in further communications with the disclosing provider(s), for the purpose of evaluating the quality, safety, or effectiveness of the particular regulated product or activity, or may work with their contractors. Moreover, an entity regulated by the FDA may further disclose the information to the FDA.

The proposed provision also would
have prohibited contractors receiving patient safety work product under this provision from further disclosing such information, except to the entity from which they received the information. Finally, we explained that the HIPAA Privacy Rule at 45 CFR 164.512(b) permits HIPAA covered entities to disclose protected health information concerning FDA-regulated activities and products to persons responsible for collection of information about the quality, safety, and effectiveness of those FDA-regulated activities and products. Therefore, disclosures under this exception of patient safety work product containing protected health information would be permitted under the HIPAA Privacy Rule.

Overview of Public Comments: We received general support in the public comments for the express reference to FDA-regulated entities within this disclosure permission; only one commenter opposed this provision. Some commenters asked that the final rule provide examples of the types of disclosures that might occur to FDA-regulated entities, and one commenter suggested that if such disclosures are permitted, the final rule should include a comprehensive list of acceptable disclosures to these entities. Another commenter noted that if disclosures to FDA-regulated entities are permitted under this disclosure permission, the final rule should limit the use of patient safety work product to the purposes stated in the statute and should prohibit the use of this information for marketing purposes. No commenters identified any unintended consequences of including FDA-regulated entities within the disclosure permission.

Final Rule: The final rule adopts the provisions of the proposed rule at § 3.206(b)(7), including the express reference to FDA-regulated entities. We also modify the title of the provision to reflect that disclosures to such entities are encompassed within the disclosure permission. As explained in the proposed rule, we believe including FDA-regulated entities within the scope of the disclosure permission is consistent with both the rule of construction in the statute which preserves required reporting to the FDA, as well as the goals of the statute which are to improve patient safety. See section 922(g)(6) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(6). In addition, the final rule includes modifications to more clearly indicate who can receive patient safety work product under this provision, as well as what further disclosures may be made of such information. Specifically, § 3.206(b)(7)(i) now makes clear that a provider may disclose patient safety work product concerning an FDA-regulated product or activity to the FDA, an entity required to report to the FDA concerning the quality, safety, or effectiveness of an FDA-regulated product or activity, or a contractor acting on behalf of FDA or such entity for these purposes. Further, § 3.206(b)(7)(ii) clarifies that the FDA, its regulated entity entitled to receive information under this provision, and their contractors may share patient safety work product received under this provision for the purpose of evaluating the quality, safety, or effectiveness of that product or activity among themselves, as well as with the disclosing provider.

We do not include a comprehensive list of acceptable disclosures to FDA-regulated entities as it would be impractical to do so. As we explained in the proposed rule, drug, device, and biological product manufacturers are required to report adverse experiences to the FDA and currently rely on voluntary reports from product users, including providers. Further, the analysis of events by a provider or PSO that constitutes patient safety work product may generate information that should be reported to the FDA or FDA-regulated entity because it relates to the safety or effectiveness of an FDA-regulated product or activity. This provision allows providers to report such information without violating the confidentiality provisions of the statute or rule. However, we emphasize that, despite this disclosure permission, we expect that most reporting to the FDA and its regulated entities will be done with information that is not patient safety work product, as is done today. This disclosure permission is intended to allow for reporting to the FDA or FDA-regulated entity in those special cases where, only after an analysis of patient safety work product, does a provider realize it should make a report. As in the proposed rule, patient safety work product disclosed pursuant to this provision remains privileged and confidential.

Response to Other Public Comments

Comment: Five commenters asked that the final rule allow PSOs as well as providers to disclose or report patient safety work product to the FDA or to an entity that is required to report to the FDA.

Response: We do not modify the provision as there is no statutory authority to allow PSOs to report patient safety work product to the FDA or to an entity required to report to the FDA. However, the statute does permit providers to report patient safety work product to the FDA or to an entity required to report to the FDA.

Comment: One commenter asked for clarification as to whether lot numbers and device identifiers and serial numbers may be reported to the FDA under this disclosure permission.

Response: Section 3.206(b)(7) would allow such information contained within patient safety work product to be reported to FDA provided it concerned an FDA-regulated product or activity.

(8) Section 3.206(b)(8)—Voluntary Disclosure to an Accrediting Body

Proposed Rule: Proposed § 3.206(b)(8) would have permitted the voluntary disclosure of identifiable patient safety work product by a provider to an accrediting body that accredits that disclosing provider. See section 922(c)(2)(E) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(E). Patient safety work product disclosed pursuant to this proposed exception would remain privileged and confidential. This provision would have allowed a provider to disclose patient safety work product that identifies that disclosing provider. Further, the proposed rule would not have required that patient safety work product be nonidentifiable as to nondisclosing providers. The proposed rule specifically sought public comment on whether patient safety work product should be anonymized with respect to nondisclosing providers prior to disclosure to an accrediting body under this provision.

The proposed rule also provided that an accrediting body could not take an accreditation action against a provider based on that provider’s participation, in good faith, in the collection, reporting or development of patient safety work product. It also would have prohibited accrediting bodies from requiring a provider to reveal its communications with any PSO.

Overview of Public Comments: Several commenters responded to the question of whether the final rule should require the anonymization of patient safety work product with respect to nondisclosing providers, all of which supported such a requirement. Another commenter noted that the final rule should expressly prohibit accrediting bodies from taking accreditation actions against nondisclosing providers based upon the patient safety work product reported to them by disclosing providers.

Final Rule: In light of the comments received, the final rule modifies the proposed provision at § 3.206(b)(8) to condition the voluntary disclosure by a provider of patient safety work product


to an accrediting body that accredits the provider on either: (1) the agreement of the nondisclosing providers to the disclosure; or (2) the anonymization of the patient safety work product with respect to any nondisclosing providers identified in the patient safety work product, by removal of the direct identifiers listed at § 3.206(b)(4)(iv)(A). Direct identifiers of the disclosing providers do not need to be removed. We also note that the final rule does not prescribe the form of the agreement obtained from non-disclosing providers. Providers are free to design their own policies for obtaining such agreements. Some institutional providers may, for example, make it a condition of employment or privileges that providers agree to the disclosure of patient safety work product to accrediting bodies. In addition, unlike the provision at § 3.206(b)(3) of the final rule, with respect to any of the non-disclosing providers identified in the patient safety work product, the disclosing provider need obtain either the provider’s agreement or anonymize the provider’s information.

Response to Other Public Comments

Comment: Several commenters stated that they did not support this disclosure permission allowing voluntary disclosures of patient safety work product to accrediting bodies due to possible unintended consequences of these disclosures. Another commenter asked that we be aware of punitive actions by regulatory organizations as a result of voluntary disclosures to accrediting bodies and monitor this process carefully for any unintended consequences.

Response: The disclosure permission allowing providers to voluntarily disclose patient safety work product to accrediting bodies is prescribed by the statute and thus, is included in this final rule. However, as described above, the final rule requires either anonymization or agreement with respect to non-disclosing providers as a condition of the disclosure. This provision, along with the express prohibition at § 3.206(b)(8)(iii) on an accrediting body taking an accrediting action against a provider based on a good faith participation of the provider in the collection, development, reporting, or maintenance of patient safety work product should alleviate commenter concerns.

Comment: One commenter asked if the regulation allowed accrediting bodies to disclose patient safety work product to CMS as part a commitment to advise CMS of adverse accreditation decisions.

Response: The final rule prohibits the accrediting bodies from further disclosing patient safety work product they have voluntarily received from providers under § 3.206(b)(8).

Comment: One commenter asked if survey and licensure bodies were considered to be accrediting bodies and thus, precluded from taking action against providers who voluntarily submit patient safety work product to them.

Response: Survey and licensure bodies are not accrediting bodies and are not treated as such under this provision. Thus, such entities are not entitled to receive patient safety work product voluntarily from providers under this provision.

Comment: Two commenters expressed concern about this disclosure permission for accrediting bodies that create component PSOs. One commenter stated that allowing accrediting bodies to create component PSOs creates a potential conflict of interest that may adversely affect provider organizations. If an accrediting body’s component organization is a PSO, the commenter asked how OCR will determine whether the component organization improperly disclosed information or whether the accrediting body received the information voluntarily from a provider.

Response: Providers are free to choose the PSOs with which they want to work. We expect that any selection by a provider will involve a thorough vetting and consideration of a number of factors, including whether the PSO is a component of an accrediting body and if so, what assurances are in place to protect against improper access by the accrediting body to patient safety work product. Component organizations have clear requirements to maintain patient safety work product separately from parent organizations. Further, the final rule recognizes that a disclosure from a component organization to a parent organization is a disclosure which must be made pursuant to one of the permissions set forth in the statute and here; disclosures for which there is no permission are subject to enforcement by the Department and imposition of civil money penalties, as well as may adversely impact on the PSO’s continued listing by the Secretary as a PSO. Should OCR receive a complaint or conduct a compliance review that implicates an impermissible disclosure by a component PSO of an accrediting body, OCR will investigate and review the particular facts and circumstances surrounding the alleged impermissible disclosure, including, if appropriate, whether the accrediting body received patient safety work product directly from a provider pursuant to § 3.206(b)(8).

Comment: One commenter asked that the final rule allow accrediting bodies to use voluntarily reported patient safety work product in accreditation decisions, or that the final rule give accrediting bodies immunity from liability that might arise from their failure to take this patient safety work product into account in its accreditation decisions. This commenter also stated that, since accrediting bodies cannot take action based on information voluntarily disclosed pursuant to this provision, the final rule should make clear that accrediting bodies cannot be held responsible for decisions that might have been different if the accrediting body had been able to act based on the patient safety work product received.

Response: We clarify that the final rule, as the proposed rule, does not prohibit an accrediting body from using patient safety work product voluntarily reported by a provider pursuant to this provision in its accreditations decisions with respect to that provider. Thus, it is not necessary nor is it appropriate for the Secretary to give accrediting bodies immunity from liability. However, an accrediting body may not require a provider to disclose patient safety work product, or take an accrediting action against a provider who refuses to disclose patient safety work product, to the accrediting body. See section 922(d)(4)(B) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(4)(B), and § 3.206(b)(8)(iii), which expressly prohibits an accrediting body from taking an accrediting action against a provider based on the good faith participation of the provider in the collection, development, reporting, or maintenance of patient safety work product in accordance with the statute.

Comment: One commenter asked if the limitation on redisclosure of voluntarily reported patient safety work product received by an accrediting body applies if the information sent to the accrediting body was not patient safety work product at the time the accrediting body received the information, but was later reported, by the provider to a PSO and became protected.

Response: If the information submitted to an accrediting body was not patient safety work product as defined at § 3.20 at the time it was reported, then § 3.206(b)(8), including the redisclosure limitation, does not apply to such information.

Comment: One commenter asked that the final rule clarify that the disclosure of patient safety work product to an accrediting body is voluntary.


Response: Section 3.208(b)(8) expressly provides only for the voluntary reporting of patient safety work product, provided the conditions are met. We do not see a need for further clarification.

(9) Section 3.206(b)(9)—Business Operations

Proposed Rule: Proposed § 3.206(b)(9) would have allowed disclosures of patient safety work product by a provider or a PSO to professionals such as attorneys and accountants for the business operations purposes of the provider or PSO. See section 922(c)(2)(F) of the Public Health Service Act, 42 U.S.C. 299b–22(c)(2)(F). Under the proposed rule, such contractors could not further disclose patient safety work product, except to the entity from which it received the information. However, the proposed rule made clear that a provider or PSO still would have had the authority to delegate its power to the contractor to make other disclosures. In addition, the proposed rule provided that any patient safety work product disclosed pursuant to this provision continued to be privileged and confidential.

The Patient Safety Act gives the Secretary authority to designate additional exceptions as necessary business operations that are consistent with the goals of the statute. The proposed rule sought public comment regarding whether there are any other consultants or contractors, to whom a business operations disclosure should also be permitted, or whether the Secretary should consider any additional exceptions under this authority. The proposed rule noted that the Secretary would designate additional exceptions only through regulation; however, it asked if other mechanisms for the adoption of business operations exceptions should be adopted or incorporated.

The proposed rule also explained that a business operations designation by the Secretary that enables a HIPAA covered entity to disclose patient safety work product containing protected health information to professionals is permissible as a health care operations disclosure under the HIPAA Privacy Rule. See 45 CFR 164.506. Generally, such professionals will be business associates of the covered entity, which will require that a business associate agreement be in place. See 45 CFR 160.103, 164.502(e), and 164.504(e).

Overview of Public Comments: Several commenters expressed general support for the business operations disclosures to attorneys, accountants, and other professionals in the proposed rule. We also received several responses to the question asking if the final rule should allow for any additional disclosures under the business operations provision. Three commenters stated that the final rule should not include any additional business operations disclosures. Others asked that the business operations disclosure permission be broad enough to encompass all the activities defined as ‘‘health care operations’’ in the HIPAA Privacy Rule, which would then include disclosures to entities such as photocopy shops, document storage services, shredding companies, IT support companies, and other entities involved in a PSO’s management or administration. Other commenters suggested that disclosures of patient safety work product to independent contractors, professional liability insurance companies, captives, and risk retention groups be included as disclosures for business operations under this provision in the final rule. All commenters responding to the question about how the Secretary should adopt additional business operations stated that additional business operations should be adopted only through the rulemaking process.

Final Rule: The final rule adopts the proposed provision, allowing disclosure of patient safety work product by a provider or a PSO for business operations to attorneys, accountants, and other professionals. The final rule allows disclosure of patient safety work product to these professionals who are bound by legal and ethical duties to maintain the confidence of their clients and the confidentiality of client information, including patient safety work product. These professionals will provide a broad array of services to and functions for the providers and PSOs with whom they are contracted and will need access to patient safety work product to perform their duties. We are not persuaded by the comments of a need to expand, at this time, the disclosure permission to encompass other categories of persons or entities. However, as described in the proposed rule, should the Secretary seek in the future to designate additional business operations exceptions to be encompassed within this disclosure permission, he will do so through regulation to provide adequate opportunity for public comment.

With respect to many of the other entities identified by the commenters, we note that, to the extent the services provided by such entities are necessary for the maintenance of patient safety work product or the operation of a patient safety evaluation system, or otherwise support activities included in the definition of ‘‘patient safety activities’’ at § 3.20 of this rule, these disclosures may be made to such contractors pursuant to § 3.206(b)(4)(ii).

Response to Other Public Comments

Comment: Two commenters suggested that the final rule include a requirement for a contract between providers or PSOs and their attorneys, accountants, and other professionals to whom patient safety work product will be disclosed as a business operation.

Response: We do not require a contract as a condition of disclosure in the final rule. However, we agree that a contract between these parties is a prudent business practice and expect that parties will enter into appropriate agreements to ensure patient safety work product remains protected. Further, where HIPAA covered entities are concerned, we note that the HIPAA Privacy Rule requires that such entities have a business associate agreement in place with professionals providing services that require access to protected health information.

(10) Section 3.206(b)(10)—Disclosure to Law Enforcement

Proposed Rule: Proposed § 3.206(b)(10) would have permitted the disclosure of identifiable patient safety work product to law enforcement authorities, so long as the person making the disclosure believes—and that belief is reasonable under the circumstances—that the patient safety work product disclosed relates to a crime and is necessary for criminal law enforcement purposes. See section 922(c)(2)(G) of the Public Health Service Act, 42 U.S.C. 299b–22(c)(2)(G). The proposed rule provided that patient safety work product disclosed under this provision would remain privileged and confidential.

The proposed rule also provided that the law enforcement entity receiving the patient safety work product could use the patient safety work product to pursue any law enforcement purposes; however, the recipient law enforcement entity could only redisclose the information to other law enforcement authorities as needed for law enforcement activities related to the event that necessitated the original disclosure. The proposed rule sought comment regarding whether these provisions would allow for legitimate law enforcement needs, while ensuring appropriate protections.

Overview of Public Comments: Commenters responding to the question in the proposed rule regarding whether this disclosure permission would allow


for legitimate law enforcement needs while ensuring that information remain appropriately protected stated that the proposed disclosure permission was appropriate and did permit legitimate disclosures to law enforcement.

Final Rule: The final rule adopts the proposed provision with slight modification for purposes of clarification only. We add the word ‘‘only’’ to the final rule to clarify that law enforcement receiving patient safety work product pursuant to this exception may only further disclose this information to other law enforcement authorities as needed for law enforcement activities related to the event that gave rise to the original disclosure.

Response to Other Public Comments

Comment: Two commenters suggested that the statutory standard of reasonable belief was vague and that clarity was needed to reduce the uncertainty of disclosures and to further define what could constitute a reasonable belief. Another commenter noted that the phrase ‘‘relates to a crime and is necessary for criminal law enforcement purposes’’ is too broad and leaves too much discretion to entities such as PSOs.

Response: The final rule provision at § 3.206(b)(10) generally repeats the statutory provision upon which it is based, which provides that the disclosure of patient safety work product be permitted if it relates to the commission of a crime and the person making the disclosure believes, reasonably under the circumstances, that the patient safety work product is necessary for criminal law enforcement purposes. See section 922(c)(2)(G) of the Public Health Service Act, 42 U.S.C. 299b–22(c)(2)(G).

Comment: One commenter expressed concern regarding the redisclosure of patient safety work product to law enforcement under this disclosure permission. The commenter stated that there could be successive disclosures of protected information to law enforcement without consideration of whether there is a reasonable belief that the redisclosure is necessary for criminal law enforcement purposes. Another commenter recommended that this disclosure permission should expressly prohibit patient safety work product from being used against patients who are identified in the patient safety work product but who are not the subject of the criminal act for which the information was originally disclosed.

Response: We believe § 3.206(b)(10) addresses the commenters’ concerns by expressly limiting law enforcement’s redisclosure of patient safety work product received pursuant to the provision to other law enforcement authorities as needed for law enforcement activities related to the event that gave rise to the initial disclosure. Thus, law enforcement is not permitted to further disclose the patient safety work product for the enforcement of a crime unrelated to the crime for which the patient safety work product was originally disclosed to the law enforcement entity.

Comment: One commenter stated that the proposed rule represented an expansion of the statutory language because it allowed persons to disclose patient safety work product to law enforcement entities in the absence of an active law enforcement investigation and in the absence of a request for this information by law enforcement.

Response: The statute does not require that a law enforcement entity be involved in an active investigation or that a law enforcement entity request information prior to a person making a disclosure of patient safety work product to a law enforcement entity pursuant to this disclosure permission. See 922(c)(2)(G) of the Public Health Service Act, 42 U.S.C. 299b–22(c)(2)(G).

(C) Section 3.206(c)—Safe Harbor

Proposed Rule: Proposed § 3.206(c) would have prohibited the disclosure of a subject provider’s identity with information, whether oral or written, that: (1) assesses that provider’s quality of care; or (2) identifies specific acts attributable to such provider. See section 922(c)(2)(H) of the Public Health Service Act, 42 U.S.C. 299b–22(c)(2)(H). This provision would have been only applicable to providers. Patient safety work product disclosed under this exception could identify providers, reporters or patients so long as the provider(s) that were the subject of the actions described were nonidentified. The proposed rule would have required that nonidentification be accomplished in accordance with the nonidentification standard set forth in proposed § 3.212.

Overview of Public Comments: We received no comments opposed to this provision.

Final Rule: The final rule adopts the proposed provision.

Response to Other Public Comments

Comment: Several commenters suggested that the safe harbor provision be extended to PSOs as well as providers. One commenter noted that there was no reason to exclude PSOs from this provision and including PSOs would provide them with the same leeway for inadvertent disclosures of patient safety work product as providers.

Response: The statute expressly limits the safe harbor provision to providers. Therefore, we do not have the authority to extend this provision to PSOs.

(D) Section 3.206(d)—Implementation and Enforcement of the Patient Safety Act

Proposed Rule: Proposed § 3.206(d) would have permitted the disclosure of relevant patient safety work product to or by the Secretary as needed for investigating or determining compliance with or to seek or impose civil money penalties with respect to this Part or for making or supporting PSO certification or listing decisions, under the Patient Safety Act. Patient safety work product disclosed under this exception would remain confidential.

Overview of Public Comments: We received no comments in reference to this provision.

Final Rule: Consistent with the changes made to § 3.204(c) with respect to privilege, the final rule adopts the proposed provision, but expands it to expressly provide that patient safety work product also may be disclosed to or by the Secretary as needed to investigate or determine compliance with or to impose a civil money penalty under the HIPAA Privacy Rule. This new language implements the statutory provision at section 922(g)(3) of the Public Health Service Act, 42 U.S.C. 299b–22(g)(3), which makes clear that the Patient Safety Act is not intended to affect implementation of the HIPAA Privacy Rule. As in the privilege context, given the significant potential for an alleged impermissible disclosure to implicate both this rule’s confidentiality provisions, as well as the HIPAA Privacy Rule, the Secretary may require access to confidential patient safety work product for purposes of determining compliance with the HIPAA Privacy Rule. The Secretary will use such information consistent with the statutory prohibition against imposing civil money penalties under both authorities for the same act.

With respect to this rule, the final rule, as in the proposed rule, makes clear that disclosures of patient safety work product to or by the Secretary are permitted to investigate or determine compliance with this rule, or to make or support decisions with respect to listing of a PSO. This may include access to and disclosure of patient safety work product to enforce the confidentiality provisions of the rule, to make or support decisions regarding the


acceptance of certification and listing as Subpart. Neither the statute nor the work product. The first was an
a PSO, or to revoke such acceptance and proposed rule limited the authority of a exception to continued confidentiality
to delist a PSO, or to assess or verify provider to place limitations on protection when patient safety work
PSO compliance with the rule. disclosures or uses. product is disclosed for use in a
Overview of Public Comments: We criminal proceeding, pursuant to
Response to Other Public Comments received no comments opposed to this § 3.206(b)(1). See section 922(d)(2)(A),
Comment: Several commenters asked provision. 42 U.S.C. 299b–22(d)(2)(A). The second
the Secretary to use judicious restraint Final Rule: The final rule adopts the exception to continued protection was
when requesting patient safety work proposed provision. in circumstances where patient safety
product for compliance and enforcement activities. Some of these commenters also asked that the Secretary reserve his full enforcement power for only the most egregious violations of the confidentiality provisions.

Response: We acknowledge the commenters’ concerns regarding the disclosure of patient safety work product for enforcement purposes. As we explained in the proposed rule, we strongly believe in the protection of patient safety work product as provided by the Patient Safety Act. However, confidentiality protections are meaningless without the ability to enforce breaches of the protections, investigations of which may require access to confidential patient safety work product. Further, § 3.310 of the final rule provides the Secretary with authority to obtain access to only that patient safety work product and other information that is pertinent to ascertaining compliance with the rule’s confidentiality provisions.

Also, as we explained in the proposed rule, we will seek to minimize the risk of improper disclosure of patient safety work product by using and disclosing patient safety work product only in limited and necessary circumstances, and by limiting the amount of patient safety work product disclosed to that necessary to accomplish the purpose. Further, § 3.312 of the final rule expressly prohibits the Secretary from disclosing identifiable patient safety work product obtained by the Secretary in connection with an investigation or compliance review except as permitted by § 3.206(d) for compliance and enforcement or as otherwise permitted by the rule or the Patient Safety Act. See the discussion of the provisions of Subpart D of the final rule for more information on how the Secretary may exercise discretion in enforcement.

(E) Section 3.206(e)—No Limitation on Authority To Limit or Delegate Disclosure or use

Proposed Rule: Proposed § 3.206(e) would have established that a person holding patient safety work product may enter into a contract that requires greater confidentiality protections or may delegate its authority to make a disclosure in accordance with this

Response to Other Public Comments

Comment: One commenter suggested that providers and PSOs should not be able to enter into agreements that would prohibit the disclosure of patient safety work product to report a crime or to comply with state reporting requirements.

Response: The Patient Safety Act expressly provides that it does not preempt or otherwise affect any State law requiring a provider to report information that is not patient safety work product. See section 922(g)(5) of the Public Health Service Act, 42 U.S.C. 299b–22(g)(5). Further, patient safety work product does not include original medical and other records. Thus, nothing in the final rule or the statute relieves a provider from his or her obligation to disclose information from such original records or other information that is not patient safety work product to comply with state reporting or other laws. Moreover, the final rule at § 3.206(b)(10)(i) permits providers and PSOs to disclose patient safety work product to report a crime to a law enforcement authority provided that the disclosing person reasonably believes that the patient safety work product that is disclosed is necessary for criminal law enforcement purposes. However, the Department cannot, through this rule, prevent such agreements because the Patient Safety Act, at section 922(g)(4) of the Public Health Service Act, 42 U.S.C. 299b–22(g)(4), specifically provides that the Act cannot be construed “to limit the authority of any provider, patient safety organization, or other entity to enter into a contract requiring greater confidentiality” than that provided under the Act.

3. Section 3.208—Continued Protection of Patient Safety Work Product

Proposed Rule: Proposed § 3.208 provided that the privilege and confidentiality protections would continue to apply to patient safety work product following disclosure and also described the narrow circumstances when the protections terminate. See section 922(d) of the Public Health Service Act, 42 U.S.C. 299b–22(d). In particular, the proposed rule would have provided two exceptions to the continued protection of patient safety

work product is disclosed in nonidentifiable form, pursuant to §§ 3.204(b)(4) and 3.206(b)(5). See section 922(d)(2)(B), 42 U.S.C. 299b–22(d)(2)(B).

The proposed rule would not have required the labeling of information as patient safety work product or that disclosure of patient safety work product be accompanied by a notice as to either the fact that the information disclosed is patient safety work product or that it is confidential. The proposed rule did acknowledge that both practices may be prudent business practices.

Overview of Public Comments: We received several comments suggesting that the final rule require that patient safety work product be labeled as such or that a recipient of patient safety work product be given notice of the protected status of the information received. Commenters suggested that putting recipients of patient safety work product on notice about the sensitive and confidential nature of the information would assure and encourage appropriate treatment of this information.

Final Rule: The final rule adopts this proposed provision but does not require that patient safety work product be labeled or that disclosing parties provide recipients of patient safety work product with notice that they are receiving protected information. We believe imposing a labeling or notice requirement would be overly burdensome on entities. We do, however, expect providers, PSOs, and responsible persons holding patient safety work product to treat and safeguard such sensitive information appropriately and encourage such persons to consider whether labeling or notice may be an appropriate safeguard in certain circumstances. Further, we note that the final rule provides that information that is documented as within a patient safety evaluation system for reporting to a PSO is patient safety work product. In addition, the final rule allows patient safety work product to be removed from a patient safety evaluation system and no longer considered patient safety work product if it has not yet been reported to a PSO and its removal is documented. See the definition of “patient safety work product” at § 3.20. These


documentation provisions may assist in identifying, and putting persons on notice as to, what is and is not protected information.

Response to Other Public Comments

Comment: With respect to §§ 3.206(b)(2), 3.206(b)(3), 3.206(b)(8), 3.206(b)(9), and 3.206(b)(10), commenters asked that the final rule emphasize the fact that subsequent holders of patient safety work product are subject to the privilege and confidentiality provisions when they receive the patient safety work product pursuant to a privilege or confidentiality exception and that this patient safety work product cannot be subpoenaed, ordered, or entered into evidence in a civil or criminal proceeding through any of these exceptions.

Response: Section 3.208 makes clear that, with limited exceptions, patient safety work product continues to be privileged and confidential upon disclosure.

Comment: One commenter expressed concern over the proposed rule’s statement that an impermissible disclosure of patient safety work product, even if unintentional, does not terminate the confidentiality of the information and that individuals and entities receiving this patient safety work product may be subject to civil money penalties. The commenter stated that the applicability of this broad statement to third and fourth party recipients of patient safety work product could violate the First Amendment and expressed concern with the possibility that the Secretary would seek to impose a civil money penalty upon a newspaper for printing patient safety information.

Response: Section 3.208 implements the statutory provision that patient safety work product continues to be privileged and confidential upon disclosure, including when in the possession of the person to whom the disclosure was made. See section 922(d) of the Public Health Service Act, 42 U.S.C. 299b–22(d). To encourage provider reporting of sensitive patient safety information, Congress saw a need for strong privilege and confidentiality protections that continue to apply downstream even after disclosure, regardless of who holds the information. With respect to the commenter’s concern regarding “unintentional” disclosures, we note that the Secretary has discretion to elect not to impose civil money penalties for an impermissible disclosure of patient safety work product, in appropriate circumstances. Thus, if it is determined, through a complaint investigation or a compliance review, that an impermissible disclosure of patient safety work product has been made, the Secretary will examine each situation based on the individual circumstances and make an appropriate determination about whether to impose a civil money penalty. See the discussion regarding Subpart D of this final rule for a more extensive discussion of the Secretary’s enforcement discretion. Finally, with respect to the commenter’s First Amendment concerns, we do not believe the confidentiality provisions afforded to patient safety work product in the statute and the rule contravene the First Amendment.

4. Section 3.210—Required Disclosure of Patient Safety Work Product to the Secretary

Proposed Rule: Proposed § 3.210 would have required providers, PSOs, and other persons holding patient safety work product to disclose such information to the Secretary upon a determination by the Secretary that such patient safety work product is needed for the investigation and enforcement activities related to this Part, or is needed in seeking and imposing civil money penalties.

Overview of Public Comments: We received no comments opposed to this provision.

Final Rule: The final rule adopts the proposed provision but expands it to encompass disclosures of patient safety work product needed for investigation and enforcement activities with respect to the HIPAA Privacy Rule, consistent with changes made to §§ 3.204(c) and 3.206(d). As in the proposed rule, the final rule makes clear that, with respect to this rule, providers, PSOs, and responsible persons must disclose patient safety work product to the Secretary upon request when needed to investigate or determine compliance with this rule, or to make or support decisions with respect to listing of a PSO. This may include disclosure of patient safety work product to the Secretary as necessary to enforce the confidentiality provisions of the rule, to make or support decisions regarding the acceptance of certification and listing as a PSO, or to revoke such acceptance and to delist a PSO, or to assess or verify PSO compliance with the rule.

Response to Other Public Comments

Comment: Several commenters suggested that disclosures to the Secretary be limited to only the patient safety work product that is needed for the Secretary’s activities.

Response: Section 3.210 requires disclosure of patient safety work product only in those cases where the Secretary has determined that such information is needed for compliance or enforcement of this rule or the HIPAA Privacy Rule or for PSO certification or listing. Further, during an investigation or compliance review, § 3.310(c) requires a respondent to provide the Secretary with access to only that information, including patient safety work product, that is pertinent to ascertaining compliance with this rule.

5. Section 3.212—Nonidentification of Patient Safety Work Product

Proposed Rule: Proposed § 3.212 would have established the standard by which patient safety work product would be rendered nonidentifiable, implementing section 922(c)(2)(B) of the Public Health Service Act, 42 U.S.C. 299b–22(c)(2)(B). Under the Patient Safety Act and this Part, identifiable patient safety work product includes information that identifies any provider or reporter or contains individually identifiable health information under the HIPAA Privacy Rule (see 45 CFR 160.103). See section 921(2) of the Public Health Service Act, 42 U.S.C. 299b–21(2). By contrast, nonidentifiable patient safety work product does not include information that permits identification of any provider, reporter or subject of individually identifiable health information. See section 921(3) of the Public Health Service Act, 42 U.S.C. 299b–21(3).

The proposed rule explained that because individually identifiable health information as defined in the HIPAA Privacy Rule is one element of identifiable patient safety work product, the de-identification standard provided in the HIPAA Privacy Rule would apply with respect to the patient-identifiable information in the patient safety work product. Therefore, where patient safety work product contained individually identifiable health information, the proposal would have required that the information be de-identified in accordance with 45 CFR 164.514(a)–(c) to qualify as nonidentifiable patient safety work product with respect to individually identifiable health information under the Patient Safety Act.

Further, with respect to providers and reporters, the proposal imported and adapted the HIPAA Privacy Rule’s standards for de-identification. In particular, the proposal included two methods by which nonidentification could be accomplished: (1) A statistical method of nonidentification and (2) the removal of 15 specified categories of direct identifiers of providers or reporters and of parties related to the providers and reporters, including


corporate parents, subsidiaries, practice partners, employers, workforce members, or household members, and that the discloser have no actual knowledge that the remaining information, alone or in combination with other information reasonably available to the intended recipient, could be used to identify any provider or reporter, i.e., a contextual nonidentification standard. In addition, the proposal would have permitted a provider, PSO, or other disclosing entity or person to assign a code or other means of record identification to allow information made nonidentifiable to be re-identified by the disclosing person, provided certain conditions were met. The proposal specifically invited comment on the proposed standards and approaches and asked whether it would be possible to include any geographical identifiers, and if so, at what level of detail (state, county, zip code). We also requested comment regarding whether there were alternative approaches to standards for entities determining when health information could reasonably be considered nonidentifiable.

Overview of Public Comments: We received a variety of comments addressing the nonidentification standard. One commenter supported the proposed methodologies for nonidentification, while several commenters expressed concern that the nonidentification standard was too strict and rendered patient safety work product useless to its recipients. One commenter was concerned that imposing an inflexible, stringent nonidentification standard would impede the future disclosures of aggregated patient safety information that the commenter currently makes. Some of these commenters proposed alternatives to the proposed nonidentification standard, such as considering information nonidentified even if it contains dates of treatment and geographic identifiers as long as data of a certain threshold number of providers was aggregated or eliminating the nonidentification standard entirely and applying a less stringent anonymization standard. In contrast, several other commenters expressed concern that the nonidentification standard was too flexible, was inadequate to truly nonidentify information and protect provider identities, and could be too easily reverse engineered.

Final Rule: The final rule adopts this proposed provision with only a minor technical change to incorporate by reference the direct identifiers listed at § 3.206(b)(4)(iv)(A) of the anonymization standard, as appropriate, to eliminate unnecessary duplication of such elements in the regulatory text. Therefore, persons wishing to nonidentify patient safety work product must remove the direct identifiers listed in the anonymization standard at § 3.206(b)(4)(iv)(A)(1) through (13), as well as any additional geographic subdivisions smaller than a State that are not required to be removed by § 3.206(b)(4)(A)(2), e.g., town or city, all elements of dates (except year) that are directly related to a patient safety incident or event, and any other unique identifying number, characteristic, or code (except as permitted for reidentification). We were not persuaded by commenters that changes to the standard were necessary, especially given the lack of consensus among commenters as to whether the standard was too stringent or not stringent enough. Further, commenters did not offer suggestions as to potential alternative approaches to nonidentification. Additionally, because this rule’s nonidentification standard with respect to providers and reporters is adapted from the HIPAA Privacy Rule’s de-identification standard and with respect to individuals, incorporates the HIPAA Privacy Rule’s de-identification standard, this approach minimizes complexity and burden for entities that are subject to both regulatory schemes.

Response to Other Public Comments

Comment: One commenter expressed concern over the possibility that provider identities could be derived from nonidentifiable patient safety work product and asked that the final rule require a party disclosing identifiable information to produce evidence, if challenged, of how the information was obtained if not via nonidentifiable patient safety work product. Another commenter suggested that the final rule include a provision that prohibits the use or disclosure of any individually identifiable information that was obtained via the use of nonidentifiable patient safety work product. Finally, another commenter suggested that keys to reidentification of nonidentifiable patient safety work product be protected from discovery and should be protected as patient safety work product to prevent reidentification by unintended parties.

Response: We believe that the nonidentification standard in the final rule, which is based upon the existing HIPAA Privacy Rule’s de-identification standard, is appropriate and sufficient to protect the identities of providers. With respect to protection of reidentification keys, we note that § 3.212(a)(3) prohibits a provider, PSO, or responsible party disclosing nonidentifiable patient safety work product from also disclosing the mechanism for reidentification. If a reidentification key is disclosed along with patient safety work product that would otherwise be nonidentifiable, then such information is identifiable patient safety work product to which the privilege and confidentiality protections attach.

Comment: One commenter asked to whom must patient safety work product be made nonidentifiable and if information is adequately nonidentifiable despite the ability of a provider or patient involved in the event to recognize their case.

Response: Under § 3.212(a)(1), patient safety work product is rendered nonidentifiable if a determination is made, applying generally accepted statistical and scientific principles, that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify a provider or reporter. Similarly, under § 3.212(a)(2), patient safety work product is rendered nonidentifiable if the listed identifiers are stripped and the provider, PSO or responsible person making the disclosure does not have actual knowledge that the information could be used, alone or in combination with other information that is reasonably available to the intended recipient, to identify the particular provider or reporter. So long as the remaining information meets either of these two standards, such information is considered nonidentifiable for purposes of this rule, despite the hypothetical ability of a provider or patient involved in the event to recognize their case.

Comment: One commenter asked for clarification that nonidentification can be accomplished through either the statistical method or through the safe harbor method but that entities are not required to nonidentify patient safety work product subject to both methods.

Response: We clarify that either method may be used to render information nonidentifiable for purposes of this rule.

D. Subpart D—Enforcement Program

Subpart D of the final rule establishes a framework to enable the Secretary to monitor and ensure compliance with this Part, a process for imposing a civil money penalty for breach of the confidentiality provisions, and procedures for a hearing contesting a civil money penalty. The provisions in


Subpart D are modeled largely on the HIPAA Enforcement Rule at 45 CFR Part 160, Subparts C, D and E. This will maintain a common approach to enforcement and appeals of civil money penalty determinations based on section 1128A of the Social Security Act, 42 U.S.C. 1320a–7a, upon which both the HIPAA and Patient Safety Act penalties are based, as well as minimize complexity for entities that are subject to both regulatory schemes. This enforcement scheme also provides the Secretary maximum flexibility to address confidentiality violations so as to encourage participation in patient safety activities and achieve the goals of the Patient Safety Act.

General Comments: Several commenters expressed support for the decision to base this rule’s enforcement regime on the HIPAA Enforcement Rule and noted that the HIPAA Enforcement Rule was properly adapted to the patient safety context. However, two commenters expressed concern that basing the enforcement regime in this rule on the HIPAA Enforcement Rule will be insufficient to adequately address and penalize violations of the confidentiality provisions because of the Department’s approach to enforcement of the HIPAA Privacy Rule. One commenter argued that this might cause providers to decide against reporting the most serious patient safety events, and therefore, would undermine the purpose of the statute.

Response to General Comments: The Department believes that modeling this rule’s enforcement provisions on the existing HIPAA Enforcement Rule is prudent and appropriate. As noted above, such an approach grants the Secretary maximum flexibility to address violations of the confidentiality provisions, relies on an existing and established enforcement regime, and minimizes complexity for entities subject to both the Patient Safety Act and HIPAA.

1. Sections 3.304, 3.306, 3.308, 3.310, 3.312, 3.314—Compliance and Investigations

Proposed Rule: Sections 3.304–3.314 of the proposed rule provided the framework by which the Secretary would seek compliance by providers, PSOs, and responsible persons with the confidentiality provisions of the rule. These proposed requirements included: (1) Provisions for the Secretary to seek cooperation from these entities in obtaining compliance and to provide technical assistance (proposed § 3.304); (2) procedures for any person who believes there has been a violation of the confidentiality provisions to file a complaint with the Secretary and provisions for the Secretary to investigate such complaints (proposed § 3.306); (3) provisions for the Secretary to conduct compliance reviews (proposed § 3.308); (4) provisions establishing responsibilities of respondents with respect to cooperating with the Secretary during investigations or compliance reviews and providing access to information necessary and pertinent to the Secretary determining compliance (proposed § 3.310); (5) provisions describing the Secretary’s course of action during complaints and compliance reviews, including the circumstances under which the Secretary may attempt to resolve compliance matters by informal means or issue a notice of proposed determination, as well as the circumstances under which the Secretary may use or disclose information, including identifiable patient safety work product, obtained during an investigation or compliance review (proposed § 3.312); and (6) provisions and procedures for the Secretary to issue subpoenas to require witness testimony and the production of evidence and to conduct investigational inquiries (proposed § 3.314).

Overview of Public Comments: We received no comments opposed to the proposed provisions.

Final Rule: The final rule adopts the provisions of the proposed rule, except, where reference was made in the proposed rule to provisions of the HIPAA Enforcement Rule, the final rule includes the text of such provisions for convenience of the reader.

Response to Other Public Comments

Comment: One commenter asked how and when the Secretary will provide technical assistance to providers, PSOs, and responsible persons regarding compliance with the confidentiality provisions.

Response: The Secretary intends to provide technical assistance through a variety of mechanisms. First, as authorized by the Patient Safety Act, the Secretary intends, as practical, to convene annual meetings for PSOs to discuss methodology, communication, data collection, privacy concerns, or other issues relating to their patient safety systems. See section 925 of the Public Health Service Act, 42 U.S.C. 299b–25. Second, the Secretary intends to exercise his discretion under § 3.304 by, when practicable and appropriate, providing technical assistance to affected persons and entities both on an individual basis when such persons or entities are involved in complaint investigations or compliance reviews, as well as more generally through published guidance that addresses common compliance or other questions about the rule. As we noted in the preamble to the proposed rule, however, the absence of technical assistance or guidance by the Secretary may not be raised as a defense to civil money penalty liability. We also encourage persons participating in patient safety activities and subject to this rule to develop and share with others similarly situated in the industry “best practices” for the confidentiality of patient safety work product.

Comment: One commenter requested that the final rule provide additional detail on the consideration that will go into the determination of whether to pursue an investigation or to conduct a compliance review.

Response: We do not believe that including additional detail in the final rule regarding when we will investigate or conduct compliance reviews is prudent or feasible. The decision of whether to conduct an investigation or compliance review is left to the discretion of the Secretary and will be made based on the specific circumstances of each individual case. The decision to investigate a complaint is necessarily fact specific. For example, some complaints may not allege facts that fall within the Secretary’s jurisdiction or that constitute a violation if true. With respect to compliance reviews, the Secretary needs to maintain flexibility to conduct whatever reviews are necessary to ensure compliance. Compliance reviews may be initiated based on, for example, information that comes to the Department’s attention outside of the formal complaint process, or trends the Department is seeing as a result of its enforcement activities. It would be premature at this time to indicate the specific circumstances under which such reviews may be conducted, given the absence of any compliance and enforcement experience with the rule. Further, making public the Department’s considerations in this area may undermine the effectiveness of such reviews. Thus, we did not propose and do not include in this final rule affirmative criteria for conducting compliance reviews.

Comment: One commenter requested clarification that the Secretary may only require respondents to produce records, books, and accounts that are reasonably related to an investigation.

Response: Section 3.310(c) of the proposed rule, which the final rule adopts, provided that a respondent must permit the Secretary access to the information that is pertinent to ascertaining compliance with the


confidentiality provisions of the rule. Given this provision in the final rule, we do not see a need to provide further clarification.

2. Sections 3.402, 3.404, 3.408, 3.414, 3.416, 3.418, 3.420, 3.422, 3.424, 3.426—Civil Money Penalties

Proposed Rule: Sections 3.402–3.426 of the proposed rule provided the process for the Secretary to impose a civil money penalty for noncompliance by a PSO, provider, or responsible person with the confidentiality provisions of the rule. These proposed provisions: (1) Described the basis for imposing a civil money penalty on a person who discloses identifiable patient safety work product in knowing or reckless violation of the confidentiality provisions, as well as on a principal, in accordance with the federal common law of agency 2, based on the act of its agent acting within the scope of the agency (proposed § 3.402); (2) described how a penalty amount would be determined, and provided the statutory cap of any such penalty (proposed § 3.404); (3) provided the list of factors the Secretary may consider as aggravating or mitigating, as appropriate, in determining the amount of a civil money penalty, including the nature and circumstances of the violation and the degree of culpability of the respondent (proposed § 3.408); (4) set forth the 6-year limitations period on the Secretary initiating an action for imposition of a civil money penalty (proposed § 3.414); (5) set out the Secretary’s authority to settle any issue or case or to compromise any penalty (proposed § 3.416); (6) provided that a civil money penalty imposed under this rule would be in addition to any other penalty prescribed by law, except that a civil money penalty may not be imposed both under this rule and the HIPAA Privacy Rule for the same act (proposed § 3.418); (7) required that the Secretary provide a respondent with written notice of his intent to impose a civil money penalty, prescribe the contents of such notice, and provide the respondent with a right to request a hearing before an ALJ to contest the proposed penalty (proposed § 3.420); (8) provided that if the respondent fails to timely request a hearing and the matter is not settled by the Secretary, the Secretary may impose the proposed

no right to appeal such penalty (proposed § 3.422); (9) provided that once the penalty becomes final, it will be collected by the Secretary, unless compromised, and describes the methods for collection (proposed § 3.424); and (10) provided that the Secretary will notify the public and the appropriate State or local medical or professional organizations, appropriate State agencies administering or supervising the administration of State health care programs, appropriate utilization and quality control peer review organizations, and appropriate State or local licensing agencies or organizations, of a final penalty and the reason it was imposed (proposed § 3.426).

In addition, with respect to the factors at proposed § 3.408, we specifically sought comment on whether the factors should be expanded to expressly include a factor for persons who self-report disclosures that may potentially violate the confidentiality provisions such that voluntary self-reporting would be a mitigating consideration when assessing a civil money penalty.

Overview of Public Comments: We received no comments opposed to these proposed provisions. With respect to proposed § 3.408, commenters generally supported the list of detailed factors, which may be aggravating or mitigating depending on the context, for use by the Secretary in determining the amount of a civil money penalty. In response to the question in the proposed rule regarding whether the final rule should include a factor for persons who self-report disclosures that may be potential violations, some commenters opposed such an expansion, arguing that such a provision could be viewed as an additional reporting obligation on persons and entities. Several other commenters expressed general support for the consideration of such a mitigating factor in the determination of any penalty, and one commenter specifically recommended expanding the list of factors to include self-reporting.

Final Rule: The final rule adopts the provisions of the proposed rule except, where reference was made in the proposed rule to provisions of the HIPAA Enforcement Rule, the final rule includes the text of such provisions for convenience of the reader. We do not expand the list of factors at § 3.408 to

may otherwise go unnoticed, as well as demonstrate the security practices that led to the discovery of the breach and how the breach was remedied, we agree with those commenters who argued that including such a factor may be viewed incorrectly as an additional and ongoing reporting obligation on providers, PSOs, and others to report every potentially impermissible disclosure. This would unnecessarily increase administrative burden both on the Department and the reporting persons. Additionally, inclusion of such a factor may interfere with contractual relationships between providers and PSOs that address how parties are to deal with breaches.

However, we note that even though we are not expressly including a self-reporting factor in the list at § 3.408, the Secretary retains discretion to consider self-reports on a case-by-case basis under § 3.408(f), which permits the Secretary to consider “such other matters as justice may require” in determining the amount of a civil money penalty.

Response to Other Public Comments

Comment: One commenter supported the knowing or reckless standard for establishing the basis for imposing a civil money penalty for a confidentiality violation but also stated that every effort should be made to reduce the risk of liability and to encourage provider participation. Another commenter supported the Secretary’s ability to exercise discretion in determining whether to impose a civil money penalty for a knowing or reckless violation of the confidentiality provisions but also suggested that, in cases where a PSO is compelled to disclose patient safety work product by a court and has, in good faith, attempted to assert the privilege protection, the PSO automatically should be excused from a civil money penalty for the impermissible disclosure of patient safety work product to the court.

Response: We agree that the appropriate basis for imposing a civil money penalty is for knowing or reckless disclosures of identifiable patient safety work product in violation of the confidentiality provisions of the rule and that it is important the Secretary ultimately retain discretion as to whether to impose a penalty pursuant to this standard. This provision is based on section 922(f) of the Public Health
penalty (or any lesser penalty) and will include the fact of self-reporting by a Service Act, 42 U.S.C. 299b–22(f). We
dwashington3 on PRODPC61 with RULES3

notify the respondent of any penalty respondent in the final rule. As we also agree that provider participation is
imposed, and that the respondent has noted in the preamble to the proposed essential to meeting the overall goal of
2 For more information and guidance about
rule, while including a factor for the statute to improve patient safety and
violations of the rule attributed to a principal based
voluntary self-reporting may encourage quality of care, and we believe that
on the federal common law of agency, see the persons to report breaches of strong privilege and confidentiality
preamble to the proposed rule at 73 FR 8158–8159. confidentiality, particularly those that protections for patient safety work

VerDate Aug<31>2005 15:22 Nov 20, 2008 Jkt 217001 PO 00000 Frm 00060 Fmt 4701 Sfmt 4700 E:\FR\FM\21NOR3.SGM 21NOR3
Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations 70791

product are fundamental to ensuring this participation. As we explained in the preamble to the proposed rule, a civil money penalty under § 3.402 may only be imposed if the Secretary first establishes a wrongful disclosure—that is, the information disclosed was identifiable patient safety work product and the manner of the disclosure does not fit within any permitted exception. The Secretary must then determine whether a person making the disclosure acted ‘‘knowingly’’ or ‘‘recklessly.’’ To do so, the Secretary must prove either that: (1) The person making the disclosure knew a disclosure was being made (not that the person knew he or she was disclosing identifiable patient safety work product in violation of the rule or statute); or (2) the person acted recklessly in making the disclosure, that is, the person was aware, or a reasonable person in his or her situation should have been aware, that his or her conduct created a substantial risk of disclosure of information and to disregard such risk constituted a gross deviation from reasonable conduct. For more guidance on this standard or the knowing or reckless standard, see the preamble to the proposed rule at 73 FR 8157–8158.

Once a knowing or reckless violation has been established, the Secretary still retains discretion as to whether to impose a penalty for a violation and may elect not to do so. Thus, we believe the standard at § 3.402 of the final rule strikes the right balance in ensuring those who are culpable are subject to penalties, while still encouraging maximum participation by providers. For example, circumstances where a person who disclosed identifiable patient safety work product in violation of the rule can show he or she did not know and had no reason to know that the information was patient safety work product may warrant discretion by the Secretary. Further, as we stated in the preamble to the proposed rule, the Secretary may exercise discretion and not pursue a civil money penalty against a respondent ordered by a court to produce patient safety work product where the respondent has in good faith undertaken reasonable steps to avoid production and is, nevertheless, compelled to produce the information or be held in contempt of court. We do not, however, agree that an automatic exception from liability for respondents in such circumstances is appropriate or necessary. The Secretary will examine each situation based on the individual circumstances and make an appropriate determination about whether to impose a civil money penalty.

Comment: One commenter asked that the final rule state that inappropriate disclosures to, for example, the media or to the public, would result in civil money penalties.

Response: Section 3.402(a) of the final rule provides that persons who disclose identifiable patient safety work product in knowing or reckless violation of the confidentiality provisions are subject to civil money penalty liability for such violations. This liability would include disclosures to the media or public, to the extent the knowing or reckless standard of § 3.402(a) is met.

Comment: We received two comments stating that the maximum penalty of $10,000 for a single violation is insufficient to serve as a deterrent against impermissible disclosures. In contrast, one commenter expressed concern that the maximum penalty would be far too severe for some small providers and in cases in which the impermissible disclosure was incidental or accidental.

Response: In response to those commenters who believe the penalty amount is not high enough, the $10,000 maximum penalty for each act constituting a violation is prescribed by the statute and thus, cannot be increased by the Secretary in this rule. We expect, however, that there will be cases where multiple related acts are at issue as discrete violations, each of which could result in separate penalties up to $10,000. The preamble to the proposed rule indicated that the Patient Safety Act provides that a person who violates the Patient Safety Act shall be subject to a civil money penalty of ‘‘not more than $10,000’’ for each act constituting such violation. We note that pursuant to the Federal Civil Penalties Inflation Adjustment Act of 1990, as amended by the Debt Collection Improvement Act of 1996, the Department will be required to adjust this civil money penalty amount based on increases in the consumer price index (CPI). The Department has up to four years to update the civil money penalty amount, and the adjustment will be based on the percent increase in the CPI from the time the Patient Safety Act was enacted, in accordance with the cost-of-living adjustment set forth at the Federal Civil Penalties Inflation Adjustment Act of 1990 § 5, at 28 U.S.C. 2461 note. However, the first adjustment may not exceed ten percent of the penalty. Thus, pursuant to this statute, the $10,000 maximum penalty will be adjusted upwards periodically to account for inflation.

With respect to those commenters who were concerned that the $10,000 penalty may be too severe in certain circumstances, we emphasize that the $10,000 amount is a maximum penalty and the Secretary has discretion to impose penalties that are less than that amount or can elect not to impose a penalty at all for a violation, depending on the circumstances. In particular, § 3.404 provides that the amount of any penalty will be determined using the factors at § 3.408, which include such factors as the nature and circumstances of the violation, the degree of culpability of the respondent including whether the violation was intentional, as well as the financial condition and size of the respondent.

Comment: Several commenters asked for clarification regarding the Secretary’s authority to levy separate fines under the Patient Safety Act and HIPAA. Many of these commenters argued that the Secretary should be able to impose penalties under both authorities for the same act to maximize the enforcement tools at his disposal and to effectively penalize bad behavior. In contrast, one commenter supported the statutory mandate that civil money penalties not be imposed under both the Patient Safety Act and HIPAA for a single violation. One commenter asked for clarification as to how civil money penalties may be imposed under both the Patient Safety Act and HIPAA when a PSO is a business associate of a covered entity for HIPAA Privacy Rule purposes.

Response: The final rule at § 3.418 reflects the statutory prohibition against the Secretary imposing civil money penalties under both the Patient Safety Act and HIPAA for a single act that constitutes a violation. As the preamble to the proposed rule explained, Congress recognized that, because patient safety work product includes individually identifiable health information about patients, a HIPAA covered entity making a disclosure of patient safety work product could be liable for a violation under both the Patient Safety Act and HIPAA, and made such penalties mutually exclusive. Thus, in situations in which a single violation could qualify as both a violation of the Patient Safety Act and HIPAA, the Secretary has discretion to impose a civil money penalty under either regulatory scheme, not both. However, as we explained in the proposed rule, we interpreted the Patient Safety Act as only prohibiting the imposition of a civil money penalty under the Patient Safety Act when there has been a civil, as opposed to criminal, penalty imposed under HIPAA for the same act. Therefore, a person could have a civil money penalty imposed under the Patient Safety Act as well as
a criminal penalty under HIPAA for the same act.

With respect to the commenter who requested clarification about penalties relating to a PSO that is a business associate of a HIPAA covered entity, we note that it is possible for a civil money penalty to be imposed under both the Patient Safety Act and HIPAA, where such penalty is imposed against different entities. Thus, for example, because a PSO will be a business associate of a covered entity under HIPAA, any violation involving patient safety work product that contains protected health information by the PSO will be a violation of the Patient Safety Act and not HIPAA, since the PSO is not a covered entity. However, if the PSO notifies the covered entity of the impermissible disclosure (as required by the business associate contract under HIPAA), and the covered entity does not take the appropriate steps to mitigate and address the consequences of the impermissible disclosure of protected health information, the covered entity may then be liable for a penalty under HIPAA.

3. Section 3.504—Procedures for Hearings

Proposed Rule: Proposed § 3.504 provided the procedures for an administrative hearing to contest a civil money penalty. The proposed section set forth the authority of the ALJ, the rights and burdens of proof of the parties, requirements for the exchange of information and pre-hearing, hearing, and post-hearing processes. This section cross-referenced the relevant provisions of the HIPAA Enforcement Rule extensively. Specifically, §§ 3.504(b), (d), (f)–(g), (i)–(k), (m), (n), (t), (w) and (x) of the proposed rule incorporated unchanged the provisions of the HIPAA Enforcement Rule. Sections 3.504(a), (c), (e), (h), (l), (o)–(s), (u) and (v) of the proposed rule incorporated the HIPAA Enforcement Rule but included technical changes to adapt these provisions to the Patient Safety Act confidentiality provisions. These technical changes addressed the following: (1) Proposed §§ 3.504(a) and 3.504(v) excluded language from 45 CFR 160.504(c) and 160.548(e), respectively, relating to an affirmative defense under 45 CFR 160.410(b)(1), which is a defense unique to HIPAA and not included in the Patient Safety Act; (2) proposed § 3.504(c) excluded the provision at 45 CFR 160.508(c)(5) for remedied violations based on reasonable cause to be insulated from liability for a civil money penalty because there is no such requirement under the Patient Safety Act; (3) proposed § 3.504(e) substituted the term ‘‘identifiable patient safety work product’’ for ‘‘individually identifiable health information’’; (4) proposed § 3.504(h) excluded the language in 45 CFR 160.518(a) relating to the provision of a statistical expert’s report not less than 30 days before a scheduled hearing because we did not propose language permitting use of statistical sampling to estimate the number of violations; (5) proposed § 3.504(o) substituted ‘‘a confidentiality provision’’ for ‘‘an administrative simplification provision’’ in 45 CFR 160.532; (6) proposed § 3.504(p) substituted, for language not relevant to the Patient Safety Act in 45 CFR 160.534(b)(1), new language stating that the respondent has the burden of going forward and the burden of persuasion with respect to any challenge to the amount of a proposed civil money penalty, including any mitigating factors raised, and provided that good cause shown under 45 CFR 160.534(c) may be that identifiable patient safety work product has been introduced into evidence or is expected to be introduced into evidence; (7) proposed § 3.504(s) added language to provide that good cause for making redactions to the record would include the presence of identifiable patient safety work product; and (8) proposed §§ 3.504(l), (q), (r), and (u) substituted citations to subpart D of the Patient Safety rule, as appropriate.

We also explained in the proposed rule that we intended to maintain the alignment between these provisions and the HIPAA Enforcement Rule by incorporating any changes to the HIPAA Enforcement Rule that would become final based on the Department’s Notice of Proposed Rulemaking entitled, ‘‘Revisions to Procedures for the Departmental Appeals Board and Other Departmental Hearings’’ (see 72 FR 73708 (December 28, 2007)). That Notice of Proposed Rulemaking proposed to amend the HIPAA Enforcement Rule at 45 CFR 160.508(c) and 160.548, and add a new provision at 160.554, providing that the Secretary may review all ALJ decisions that the Board has declined to review and all Board decisions for error in applying statutes, regulations, or interpretive policy. As of the publication date of this final rule, however, that regulation is not final.

Overview of Public Comments: We received no comments opposed to these provisions.

Final Rule: The final rule adopts the proposed provisions, except renumbers them into individual sections and republishes the referenced provisions of the HIPAA Enforcement Rule, as modified by the technical changes described above to adapt the provisions to the Patient Safety Act confidentiality provisions. The final rule includes the full text of such provisions for convenience of the reader.

Also, we incorporate one additional technical change to better adapt the language to this rule’s confidentiality provisions, as well as one conforming change. In particular, at § 3.512(b)(11), we replace the term ‘‘privacy of’’ with ‘‘confidentiality of’’ in addition to replacing ‘‘individually identifiable health information’’ with ‘‘identifiable patient safety work product.’’ In addition, at § 3.504(b), we replace the term ‘‘90 days’’ with ‘‘60 days.’’ We proposed at § 3.420(a)(6) to include in a notice of proposed determination a statement that a respondent must request a hearing within 60 days or lose its right to a hearing under § 3.504. However, we inadvertently omitted from § 3.504 a conforming change to the language incorporated from 45 CFR 160.504(b) to change the hearing request deadline from 90 days to 60 days. Thus, this change is necessary to align the two provisions.

Response to Other Public Comments

Comment: One commenter asked that the final rule clarify the involvement of the Departmental Appeals Board during the hearings and appeals processes as well as whether the Secretary has authority to review ALJ decisions.

Response: Sections 3.504–3.552 of the final rule incorporate the provisions of the HIPAA Enforcement Rule, which lay out the hearings and appeals process. The current process provides that any party, including the Secretary, may appeal a decision of the ALJ to the Departmental Appeals Board, as well as file a reconsideration request with the Board following any Board decision. Unless the ALJ decision is timely appealed, such decision becomes final and binding on the parties 60 days from the date of service of the ALJ’s decision.

Comment: One commenter asked that the final rule provide no restrictions to the full judicial review for appeals and hearing requests.

Response: Section 3.548(k) provides respondents the right to petition for judicial review of the final decision of the Secretary once all administrative appeals have been exhausted, that is, once the Departmental Appeals Board has rendered a decision on appeal or reconsideration that has become the final decision of the Secretary, as appropriate.

Comment: One commenter suggested that any time patient safety work product could be disclosed in an ALJ
proceeding, the proceeding should be closed to the public.

Response: The final rule at § 3.534(c) expressly provides that the ALJ may close a proceeding to the public for good cause shown, which may include the potential for patient safety work product to be introduced as evidence in the proceeding. We do not see a need to require that proceedings be closed under such circumstances but rather will continue to rely on the experienced discretion of the ALJ in determining such matters.

IV. Impact Statement and Other Required Analyses

Regulatory Impact Analysis

AHRQ has previously analyzed the potential economic impact of this rule as part of its February 2008 Notice of Proposed Rulemaking (proposed rule) as required by Executive Order 12866 (September 1993, Regulatory Planning and Review), the Regulatory Flexibility Act (RFA) (September 16, 1980, Pub. L. 96–354), section 1102(b) of the Social Security Act, the Unfunded Mandates Reform Act of 1995 (Pub. L. 104–4), and Executive Order 13132. This analysis can be found on pages 8164 to 8171 of the proposed rule, which was published in the Federal Register on February 12, 2008.

Executive Order 12866 (as amended by Executive Order 13258, February 2002, and Executive Order 13422, January 2007), directs agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). A regulatory impact analysis (RIA) must be prepared for major rules with economically significant effects ($100 million or more in any 1 year). Although we cannot determine the specific economic impact of this final rule, we believe that the economic impact may approach $100 million. HHS has determined that the rule is ‘‘significant’’ because it raises novel legal and policy issues with the establishment of a new regulatory framework, authorized by the Patient Safety Act, and imposes requirements, albeit voluntary, on entities that had not been subject to regulation in this area.

In preparing the regulatory impact analysis for inclusion in the proposed rule, AHRQ did not develop an alternative to the statutorily authorized voluntary framework. In light of the approach taken in the proposed rule, alternatives would have been mandatory or more proscriptive as well as inconsistent with statutory intent. The proposed rule established a system in which entities would voluntarily seek designation (or ‘‘listing’’) by the Secretary as a Patient Safety Organization (PSO), most PSO requirements would be met by attestation and overall compliance assessed by spot-checks rather than document submission or routine audits, and the Department would look to the marketplace to assess the quality and value of each PSO. PSOs will not be Federally funded nor directed; their funding and activities will be determined by health care providers who seek their expert assistance in identifying the underlying causes of, and the best strategies for reducing or eliminating, medical errors. The proposed rule provided a foundation of confidentiality and privilege protections for information developed and exchanged when health care providers voluntarily choose to work with a PSO. We proposed that health care providers could receive the confidentiality and privilege protections of the statute by reporting information to a PSO occasionally, without entering contracts or incurring significant costs. Other health care providers could develop more costly internal systems that would serve as the hub of the provider’s interactions with a PSO with which the provider had a contractual relationship; such structured, documented internal systems with dedicated personnel would be more costly. To create an ‘‘upper bound’’ on the analyses in the proposed rule, we assumed that all providers that would choose to work with PSOs would follow this more costly approach. It should be noted that most hospital providers already have patient safety reporting activities in place (98% according to a 2006 AHRQ survey). While documenting these activities and, it is hoped, expanding them through participation with a PSO will result in increased costs, that increase will be marginal, not complete, in the hospital community.

A summary of the AHRQ analysis of costs and benefits of Patient Safety Act costs and benefits from the proposed rule follows below. For a full discussion of the assumptions underlying these estimates, please refer to the proposed rule.

TABLE 3—TOTAL PATIENT SAFETY ACT COSTS INCLUDING HOSPITAL COSTS AND PSO COSTS: 2009–2013

Year                         2009       2010       2011       2012       2013
Hospital Penetration Rate    10%        40%        60%        75%        85%
Hospital Cost                $7.5 M     $30.0 M    $45.0 M    $56.2 M    $63.7 M
PSO Cost                     $61.4 M    $92.1 M    $122.8 M   $122.8 M   $122.8 M
Total cost                   $68.9 M    $122.1 M   $167.8 M   $179.0 M   $186.5 M

Source: Notice of Proposed Rulemaking published in the Federal Register on February 12, 2008: 73 FR 8112–8183.

Costs for PSO implementation were calculated by considering two components: Costs incurred by hospitals in engaging in PSO activities and costs of PSOs themselves. It was assumed that in early years of PSO operation, the hospital would be the primary site of PSO-related activity. Hospital costs were assumed to be incremental, given that a previously-completed survey funded by AHRQ revealed that 98% of U.S. hospitals already have adverse event reporting systems, and virtually all hospitals have a safety/quality function. We assumed that PSOs would be staffed modestly, relying on existing hospital activities in reporting adverse events, and that a significant proportion of PSOs are likely to be component PSOs, with support and expertise provided by a parent organization. Our assumptions were that PSOs will hire dedicated staff of 1.5 to 4 FTEs, assuming an average salary rate of $67/hour. We also estimated that a significant overhead figure of 100%, coupled with 20% for General and Administrative (G&A) expenses, will cover the appreciable costs anticipated for legal, security, travel, and miscellaneous PSO expenses.

Provider—PSO Costs and Charges

We have not figured into our calculations any estimates for the price of PSO services, amounts paid by hospitals and other health care providers to PSOs, PSO revenues, or PSO break-even analyses. We have not speculated about subsidies or business models. Regardless of what the costs and charges are between providers and PSOs, they will cancel each other out, as expenses to providers will become revenue to PSOs.

TABLE 4—TOTAL ESTIMATED COST SAVINGS BY PERCENT REDUCTION IN ADVERSE EVENTS: 2009–2013 *

Year                                   2009       2010     2011      2012         2013
Hospital Penetration Rate              10%        40%      60%       75%          85%
Percent Reduction in Adverse Events    1%         1.5%     2%        2.5%         3%
Savings                                $11.5 M    $69 M    $138 M    $215.625 M   $293.25 M

* Source: Baseline figures from IOM Report, To Err Is Human, on total national health care costs associated with preventable adverse events (between 8.5 billion and 14.5 billion). Year 1 estimates are based on mid-point figures.

TABLE 5—NET BENEFITS: 2009–2013

Year                                   2009         2010         2011         2012        2013
Total Benefits                         $11.5 M      $69 M        $138 M       $215.625 M  $293.25 M
Total Costs                            $68.9 M      $122.1 M     $167.8 M     $179.0 M    $186.5 M
Net Benefits                           ($57.4) M    ($53.1) M    ($29.8) M    $36.625 M   $106.75 M
Discounted net present value at 3%     ($55.7) M    ($50.0) M    ($27.3) M    $32.5 M     $92.1 M
Discounted net present value at 7%     ($53.6) M    ($46.4) M    ($24.3) M    $27.9 M     $76.1 M

The final rule includes several modifications that could alter the actual economic impact of the Patient Safety Act, but AHRQ concludes that these changes will not exceed the ‘‘upper bound’’ established in our previous analysis, and we anticipate that the actual economic impact may be less.

Several changes incorporated in the final rule are likely to lower the costs of implementation. For example, the final rule has removed a requirement that PSOs that are components of other existing organizations must maintain separate information systems and, for all but a small category of component PSOs, we have removed restrictions on the use of shared staff. As we noted in our economic analysis, we expect the most common type of PSO to be ones that are established by one or more existing organizations. As commenters pointed out, personnel costs are likely to be the most significant cost facing a PSO, and the ability to share personnel means that skilled personnel are available at significantly less cost, and in some cases at no cost, than the PSO would pay to hire or externally contract for personnel. Similarly, the costs and administrative burdens associated with the development and maintenance were a major focus of commenters. These two changes are likely to have the greatest impact on reducing costs for PSOs.

There are two changes in the final rule that might increase costs slightly but selectively. The final rule parallels a HIPAA Privacy Rule requirement that business associates of covered entities must notify the covered entity if any of its protected health information has been inappropriately disclosed or its security breached. The final rule requires PSOs to notify the providers that submitted patient safety work product to the PSO if the work product it submitted has been disclosed or its security breached. As we noted in the proposed rule, the vast majority of providers reporting data will be covered entities under HIPAA and will need to include such notification requirements in the business associate agreements they will enter with PSOs. In addition, the HIPAA requirement is likely to apply in many disclosure or security breach situations because most work product is expected to contain protected health information. Nevertheless, this requirement may increase costs to the extent that PSOs receive work product from non-covered entities, although these potential increased costs will be dependent upon the vigilance with which the providers and PSOs meet their confidentiality and security requirements.

With respect to health care providers, the final rule does not impose requirements. The final rule does afford increased flexibility and protections to providers that voluntarily choose to both establish and document a more structured process for working with a PSO, i.e., what the rule terms a patient safety evaluation system, and document the flow of information into and out of the patient safety evaluation system. For providers who choose this option, the information they assemble and develop within their patient safety evaluation system will be accorded privilege and confidentiality, contingent upon the information ultimately being reported to a PSO, from the outset. To the extent that this encourages providers, who would not otherwise have done so, to establish a structured, documented patient safety evaluation system, there would be an increase in costs. As noted above, this should not significantly affect our previous analysis since we assumed all providers working with a PSO would have established a documented patient safety evaluation system.

Taking advantage of this option will also enable health care providers with integrated health information technology systems to avoid the requirement in the proposed rule that they maintain the assembly and development of patient safety work product separately from their routine data collection activities, which would have required a number of providers to establish dual information systems. While we expect that the costs of developing dual information collection systems would exceed the costs of developing and maintaining a structured, documented patient safety evaluation system, we do not estimate any savings because we cannot be clear how many providers would have incurred the dual health information
technology systems costs or would have simply chosen to forego participation.

After considering the impact of the increased flexibility in the final rule for PSOs and health care providers, we now expect the implementation costs will be lower than those in our previous analysis.

Final Regulatory Flexibility Analysis

Since formation of a PSO is voluntary, formation is not likely to occur unless the organization believes it is an economically viable endeavor. Furthermore, PSOs are not likely to undertake tasks that will provide insufficient payment to cover their costs. Therefore, the Secretary certifies that the regulation will not impose a significant economic burden on a substantial number of small entities.

Unfunded Mandates Reform Act

TABLE 1—TOTAL BURDEN HOURS RELATED TO CERTIFICATION FORMS
[Summary of all burden hours, by provision, for PSOs]

Provision    Annualized burden hours
3.112        30 minutes.

Under 5 CFR 1320.3(c), a covered collection of information includes the requirement by an agency of a disclosure of information to third parties by means of identical reporting, recordkeeping, or disclosure requirements, imposed on ten or more persons. The final rule reflects the previously established reporting requirements for breach of confidentiality applicable to business associates under HIPAA regulations requiring contracts to contain a provision requiring the business

final regulation under § 3.108 are also exempt from PRA requirements pursuant to an exception in 5 CFR 1320.4 for information gathered as part of administrative investigations and actions regarding specific parties: information supplied in response to preliminary agency determinations of PSO deficiencies or in response to proposed revocation and delisting, e.g., information providing the agency with correct facts, reporting corrective actions taken, or appealing proposed agency revocation decisions.

AHRQ and OCR published in the Federal Register their proposed information collection forms on February 20, 2008. Following the first, 60-day comment period, the forms were again published in the Federal Register on April 21, 2008, to begin the second, 30-day comment period. The forms were not changed following the first comment period, and they and the one comment
Section 202 of the Unfunded associate (in this case, the PSO) to notify
Mandates Reform Act requires that a received were sent to OMB, which
providers of breaches of their received them on April 25, 2008. Minor
covered agency prepare a budgetary identifiable patient data’s
impact statement before promulgating a changes to the proposed forms will be
confidentiality or security. Accordingly, necessary to align them with the final
rule that includes any Federal mandate this reporting requirement referenced in rule. AHRQ and OCR will work with
that may result in the expenditure by the regulation previously met OMB to ensure that the forms needed to
State, local, and Tribal governments, in Paperwork Reduction Act review implement the Patient Safety Act
the aggregate, or by the private sector, of requirements. conform to the requirements of the final
$100 million or more in any one year. The final rule requires in § 3.108(c) rule.
The Department has determined that that a PSO notify the Secretary if it
this final rule will not impose a intends to relinquish voluntarily its Federalism
mandate that will result in the status as a PSO. The entity is required Executive Order 13132 establishes
expenditure by State, Local, and Tribal to notify the Secretary that it has, or will certain requirements that an agency
governments, in the aggregate, or by the soon, alert providers and other must meet when it promulgates a final
private sector, of more than $100 organizations from which it has rule that imposes substantial direct
million in any one year. received patient safety work product or requirement costs on state and local
Paperwork Reduction Act data of its intention and provide for the governments, preempts State law, or
appropriate disposition of the data in otherwise has Federalism implications.
This final rule adding a new Part 3 to consultation with each source of patient The Patient Safety Act upon which the
volume 42 of the Code of Federal safety work product or data held by the final regulation is based makes patient
Regulations contains information entity. In addition, the entity is asked to safety work product confidential and
collection requirements. This summary provide the Secretary with current privileged. To the extent this is
includes the estimated costs and contact information for further inconsistent with any state law,
assumptions for the paperwork communication from the Secretary as including court decisions, the Federal
requirements related to the final rule. the entity ceases operations. The statute preempts such state law or court
With respect to § 3.102 concerning the reporting aspect of this requirement is order. The final rule will not have any
submission of certifications for initial essentially an attestation that is greater preemptive effect on state or
and continued listing as a PSO, and of equivalent to the requirements for local governments than that imposed by
updated information, all such listing, continued listing, and meeting the statute. While the Patient Safety Act
information would be submitted on the the minimum contracts requirement. does establish new Federal
‘‘Patient Safety Organization: This minimal data requirement would confidentiality and privilege protections
Certification for Initial Listing’’ form. To come within 5 CFR 1320.3(h)(1) which for certain information, these
maintain its listing, a PSO must also provides an exception from PRA protections only apply when health care
submit a brief attestation, once every 24- requirements for affirmations, providers work with PSOs and new
month period after its initial date of certifications, or acknowledgments as processes, such as patient safety
listing, submitted on the ‘‘Attestation long as they entail no burden other than evaluation systems, that do not
Regarding the Two Bona Fide Contracts that necessary to identify the currently exist. These Federal data
Requirement’’ form, stating that it has respondent, the date, the respondent’s protections provide a mechanism for
entered contracts with two providers. address, and the nature of the protection of sensitive information that
dwashington3 on PRODPC61 with RULES3

We estimate that the final rule will instrument. In this case, the nature of could improve the quality, safety, and
create an average burden of 30 minutes the instrument is an attestation that the outcomes of health care by fostering a
annually for each entity that seeks to PSO is working with its providers for non-threatening environment in which
become a PSO to complete the necessary the orderly cessation of activities. The information about adverse medical
certification forms. Table 1 summarizes following other collections of events and near misses can be
burden hours. information that are required by the discussed. It is hoped that confidential

analysis of patient safety events will reduce the occurrence of adverse medical events and, thereby, reduce the costs arising from such events, including costs incurred by state and local governments attributable to such events. In addition, the Patient Safety Act and the final rule do not relieve health care providers of their responsibilities to comply with state reporting requirements.

AHRQ, in conjunction with OCR, held three public listening sessions prior to drafting the proposed rule. Representatives of several states participated in these sessions. In particular, states that had begun to collect and analyze patient safety event information spoke about their related experiences and plans. Following publication of the proposed rule, AHRQ consulted with state officials and organizations to review the scope of the proposed rule and to specifically seek input on federalism issues and a proposal in the rule at proposed § 3.102(a)(2) that would limit the ability of public or private sector regulatory entities to seek listing as a PSO. AHRQ received no expressions of concerns regarding the Federalism aspects of the proposed rule although several State health departments and commissions submitted written comments regarding the PSO eligibility criteria in the proposed rule.

OMB Accounting Statement

The table below summarizes the estimated costs and benefits of implementing the Patient Safety and Quality Improvement Act for the next five years, beginning with January 1, 2009, by which time it is expected that the rule will be effective.

The figures in the table are derived from the regulatory impact analyses outlined above and, more completely, in the February 12, 2008 NPRM published in the Federal Register, on pages 8164 to 8171. As in the previous analyses, the range of benefits derives directly from the range of potentially-avoidable incidents cited (estimated) in IOM Report, To Err Is Human. The range of costs is the same as was included in the NPRM, where minimum and maximum estimates were calculated as 10% above and 10% below the Agency’s primary estimate of costs.

All figures are calculated at two discount rates, 7% and 3%, and dollars are held constant at the 2008 level. The discount rates, 3% or 7%, represent two rates of return that might be expected from government investments. The purpose is to project the expected future costs and benefits in today’s dollars. (Future dollars will be worth less than today’s dollars, barring appropriate investments.) Figures are annualized, that is average-per-year over the five years. The discount rates, 3% or 7%, represent two rates of return that might be expected from government investments. The purpose is to project the expected future costs and benefits in today’s dollars. (Future dollars will be worth less than today’s dollars, barring appropriate investments.)

OMB #: | Agency/Program Office: AHRQ
Rule Title: Patient Safety and Quality Improvement Act
RIN #: | Date: 8/25/2008

CATEGORY | Primary estimate (millions) | Minimum estimate (millions) | Maximum estimate (millions) | Source citation (RIA, preamble, etc.)
BENEFITS | $145.5 | $107.5 | $183.4 | AHRQ Analysis.
Annualized discounted (5 years): | | | |
@ 7% | 111.5 | 82.4 | 140.5 |
@ 3% | 129.4 | 95.7 | 163.2 |
COSTS | 144.9 | 130.4 | 159.3 | AHRQ Analysis.
Annualized discounted (5 years): | | | |
@ 7% | 115.5 | 104.0 | 127.1 |
@ 3% | 131.1 | 118.0 | 144.2 |
Transfers | N/A | | |
Effects on small businesses | N/A | | |
Effects on States and tribes | N/A | | |

List of Subjects in 42 CFR Part 3

Administrative practice and procedure, Civil money penalty, Confidentiality, Conflict of interests, Courts, Freedom of information, Health, Health care, Health facilities, Health insurance, Health professions, Health records, Hospitals, Investigations, Law enforcement, Medical research, Organization and functions, Patient, Patient safety, Privacy, Privilege, Public health, Reporting and recordkeeping requirements, Safety, State and local governments, Technical assistance.

■ For the reasons stated in the preamble, the Department of Health and Human Services amends Title 42 of the Code of Federal Regulations by adding a new part 3 to read as follows:

PART 3—PATIENT SAFETY ORGANIZATIONS AND PATIENT SAFETY WORK PRODUCT

Subpart A—General Provisions
Sec.
3.10 Purpose.
3.20 Definitions.

Subpart B—PSO Requirements and Agency Procedures
3.102 Process and requirements for initial and continued listing of PSOs.
3.104 Secretarial actions.
3.106 Security requirements.
3.108 Correction of deficiencies, revocation, and voluntary relinquishment.
3.110 Assessment of PSO compliance.
3.112 Submissions and forms.

Subpart C—Confidentiality and Privilege Protections of Patient Safety Work Product
3.204 Privilege of patient safety work product.
3.206 Confidentiality of patient safety work product.
3.208 Continued protection of patient safety work product.
3.210 Required disclosure of patient safety work product to the Secretary.
3.212 Nonidentification of patient safety work product.

Subpart D—Enforcement Program
3.304 Principles for achieving compliance.
3.306 Complaints to the Secretary.
3.308 Compliance reviews.
3.310 Responsibilities of respondents.
3.312 Secretarial action regarding complaints and compliance reviews.
3.314 Investigational subpoenas and inquiries.
3.402 Basis for a civil money penalty.
3.404 Amount of a civil money penalty.
3.408 Factors considered in determining the amount of a civil money penalty.
3.414 Limitations.
3.416 Authority to settle.
3.418 Exclusivity of penalty.
3.420 Notice of proposed determination.
3.422 Failure to request a hearing.
3.424 Collection of penalty.
3.426 Notification of the public and other agencies.
3.504 Hearings before an ALJ.
3.506 Rights of the parties.
3.508 Authority of the ALJ.
3.510 Ex parte contacts.
3.512 Prehearing conferences.
3.514 Authority to settle.
3.516 Discovery.
3.518 Exchange of witness lists, witness statements, and exhibits.
3.520 Subpoenas for attendance at hearing.
3.522 Fees.
3.524 Form, filing, and service of papers.
3.526 Computation of time.
3.528 Motions.
3.530 Sanctions.
3.532 Collateral estoppel.
3.534 The hearing.
3.538 Witnesses.
3.540 Evidence.
3.542 The record.
3.544 Post hearing briefs.
3.546 ALJ’s decision.
3.548 Appeal of the ALJ’s decision.
3.550 Stay of the Secretary’s decision.
3.552 Harmless error.

Authority: 42 U.S.C. 216, 299b–21 through 299b–26; 42 U.S.C. 299c–6.

Subpart A—General Provisions

§ 3.10 Purpose.
The purpose of this Part is to implement the Patient Safety and Quality Improvement Act of 2005 (Pub. L. 109–41), which amended Title IX of the Public Health Service Act (42 U.S.C. 299 et seq.) by adding sections 921 through 926, 42 U.S.C. 299b–21 through 299b–26.

§ 3.20 Definitions.
As used in this Part, the terms listed alphabetically below have the meanings set forth as follows:

Affiliated provider means, with respect to a provider, a legally separate provider that is the parent organization of the provider, is under common ownership, management, or control with the provider, or is owned, managed, or controlled by the provider.

AHRQ stands for the Agency for Healthcare Research and Quality in HHS.

ALJ stands for an Administrative Law Judge of HHS.

Board means the members of the HHS Departmental Appeals Board, in the Office of the Secretary, which issues decisions in panels of three.

Bona fide contract means:
(1) A written contract between a provider and a PSO that is executed in good faith by officials authorized to execute such contract; or
(2) A written agreement (such as a memorandum of understanding or equivalent recording of mutual commitments) between a Federal, State, local, or Tribal provider and a Federal, State, local, or Tribal PSO that is executed in good faith by officials authorized to execute such agreement.

Complainant means a person who files a complaint with the Secretary pursuant to § 3.306.

Component organization means an entity that:
(1) Is a unit or division of a legal entity (including a corporation, partnership, or a Federal, State, local or Tribal agency or organization); or
(2) Is owned, managed, or controlled by one or more legally separate parent organizations.

Component PSO means a PSO listed by the Secretary that is a component organization.

Confidentiality provisions means for purposes of Subparts C and D, any requirement or prohibition concerning confidentiality established by sections 921 and 922(b)–(d), (g) and (i) of the Public Health Service Act, 42 U.S.C. 299b–21, 299b–22(b)–(d), (g) and (i) and the provisions, at §§ 3.206 and 3.208, that implement the statutory prohibition on disclosure of identifiable patient safety work product.

Disclosure means the release, transfer, provision of access to, or divulging in any other manner of patient safety work product by:
(1) An entity or natural person holding the patient safety work product to another legally separate entity or natural person, other than a workforce member of, or a health care provider holding privileges with, the entity holding the patient safety work product; or
(2) A component PSO to another entity or natural person outside the component PSO and within the legal entity of which the component PSO is a part.

Entity means any organization or organizational unit, regardless of whether the organization is public, private, for-profit, or not-for-profit.

Group health plan means an employee welfare benefit plan (as defined in section 3(1) of the Employee Retirement Income Security Act of 1974 (ERISA)) to the extent that the plan provides medical care (as defined in paragraph (2) of section 2791(a) of the Public Health Service Act, including items and services paid for as medical care) to employees or their dependents (as defined under the terms of the plan) directly or through insurance, reimbursement, or otherwise.

Health insurance issuer means an insurance company, insurance service, or insurance organization (including a health maintenance organization, as defined in 42 U.S.C. 300gg–91(b)(3)) which is licensed to engage in the business of insurance in a State and which is subject to State law which regulates insurance (within the meaning of 29 U.S.C. 1144(b)(2)). This term does not include a group health plan.

Health maintenance organization means:
(1) A Federally qualified health maintenance organization (HMO) (as defined in 42 U.S.C. 300e(a));
(2) An organization recognized under State law as a health maintenance organization; or
(3) A similar organization regulated under State law for solvency in the same manner and to the same extent as such a health maintenance organization.

HHS stands for the United States Department of Health and Human Services.

HIPAA Privacy Rule means the regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), at 45 CFR part 160 and Subparts A and E of Part 164.

Identifiable patient safety work product means patient safety work product that:
(1) Is presented in a form and manner that allows the identification of any provider that is a subject of the work product, or any providers that participate in, or are responsible for, activities that are a subject of the work product;
(2) Constitutes individually identifiable health information as that term is defined in the HIPAA Privacy Rule at 45 CFR 160.103; or
(3) Is presented in a form and manner that allows the identification of an individual who in good faith reported information directly to a PSO or to a provider with the intention of having the information reported to a PSO (“reporter”).

Nonidentifiable patient safety work product means patient safety work product that is not identifiable patient safety work product in accordance with the nonidentification standards set forth at § 3.212.

OCR stands for the Office for Civil Rights in HHS.

Parent organization means an organization that: owns a controlling interest or a majority interest in a component organization; has the authority to control or manage agenda setting, project management, or day-to-day operations; or the authority to review and override decisions of a component organization. The component organization may be a provider.

Patient Safety Act means the Patient Safety and Quality Improvement Act of 2005 (Pub. L. 109–41), which amended Title IX of the Public Health Service Act (42 U.S.C. 299 et seq.) by inserting a new Part C, sections 921 through 926, which are codified at 42 U.S.C. 299b–21 through 299b–26.

Patient safety activities means the following activities carried out by or on behalf of a PSO or a provider:
(1) Efforts to improve patient safety and the quality of health care delivery;
(2) The collection and analysis of patient safety work product;
(3) The development and dissemination of information with respect to improving patient safety, such as recommendations, protocols, or information regarding best practices;
(4) The utilization of patient safety work product for the purposes of encouraging a culture of safety and of providing feedback and assistance to effectively minimize patient risk;
(5) The maintenance of procedures to preserve confidentiality with respect to patient safety work product;
(6) The provision of appropriate security measures with respect to patient safety work product;
(7) The utilization of qualified staff; and
(8) Activities related to the operation of a patient safety evaluation system and to the provision of feedback to participants in a patient safety evaluation system.

Patient safety evaluation system means the collection, management, or analysis of information for reporting to or by a PSO.

Patient safety organization (PSO) means a private or public entity or component thereof that is listed as a PSO by the Secretary in accordance with Subpart B. A health insurance issuer or a component organization of a health insurance issuer may not be a PSO. See also the exclusions in § 3.102 of this Part.

Patient safety work product:
(1) Except as provided in paragraph (2) of this definition, patient safety work product means any data, reports, records, memoranda, analyses (such as root cause analyses), or written or oral statements (or copies of any of this material)
(i) Which could improve patient safety, health care quality, or health care outcomes; and
(A) Which are assembled or developed by a provider for reporting to a PSO and are reported to a PSO, which includes information that is documented as within a patient safety evaluation system for reporting to a PSO, and such documentation includes the date the information entered the patient safety evaluation system; or
(B) Are developed by a PSO for the conduct of patient safety activities; or
(ii) Which identify or constitute the deliberations or analysis of, or identify the fact of reporting pursuant to, a patient safety evaluation system.
(2)(i) Patient safety work product does not include a patient’s medical record, billing and discharge information, or any other original patient or provider information; nor does it include information that is collected, maintained, or developed separately, or exists separately, from a patient safety evaluation system. Such separate information or a copy thereof reported to a PSO shall not by reason of its reporting be considered patient safety work product.
(ii) Patient safety work product assembled or developed by a provider for reporting to a PSO may be removed from a patient safety evaluation system and no longer considered patient safety work product if:
(A) The information has not yet been reported to a PSO; and
(B) The provider documents the act and date of removal of such information from the patient safety evaluation system.
(iii) Nothing in this part shall be construed to limit information that is not patient safety work product from being:
(A) Discovered or admitted in a criminal, civil or administrative proceeding;
(B) Reported to a Federal, State, local or Tribal governmental agency for public health or health oversight purposes; or
(C) Maintained as part of a provider’s recordkeeping obligation under Federal, State, local or Tribal law.

Person means a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.

Provider means:
(1) An individual or entity licensed or otherwise authorized under State law to provide health care services, including—
(i) A hospital, nursing facility, comprehensive outpatient rehabilitation facility, home health agency, hospice program, renal dialysis facility, ambulatory surgical center, pharmacy, physician or health care practitioner’s office (includes a group practice), long term care facility, behavior health residential treatment facility, clinical laboratory, or health center; or
(ii) A physician, physician assistant, registered nurse, nurse practitioner, clinical nurse specialist, certified registered nurse anesthetist, certified nurse midwife, psychologist, certified social worker, registered dietitian or nutrition professional, physical or occupational therapist, pharmacist, or other individual health care practitioner;
(2) Agencies, organizations, and individuals within Federal, State, local, or Tribal governments that deliver health care, organizations engaged as contractors by the Federal, State, local, or Tribal governments to deliver health care, and individual health care practitioners employed or engaged as contractors by the Federal, State, local, or Tribal governments to deliver health care; or
(3) A parent organization of one or more entities described in paragraph (1)(i) of this definition or a Federal, State, local, or Tribal government unit that manages or controls one or more entities described in paragraphs (1)(i) or (2) of this definition.

Research has the same meaning as the term is defined in the HIPAA Privacy Rule at 45 CFR 164.501.

Respondent means a provider, PSO, or responsible person who is the subject of a complaint or a compliance review.

Responsible person means a person, other than a provider or a PSO, who has possession or custody of identifiable patient safety work product and is subject to the confidentiality provisions.

Workforce means employees, volunteers, trainees, contractors, or other persons whose conduct, in the performance of work for a provider, PSO or responsible person, is under the direct control of such provider, PSO or responsible person, whether or not they are paid by the provider, PSO or responsible person.

Subpart B—PSO Requirements and Agency Procedures

§ 3.102 Process and requirements for initial and continued listing of PSOs.
(a) Eligibility and process for initial and continued listing—(1) Submission of certification. Any entity, except as specified in paragraph (a)(2) of this section, may request from the Secretary
an initial or continued listing as a PSO by submitting a completed certification form that meets the requirements of this section, in accordance with § 3.112. An individual with authority to make commitments on behalf of the entity seeking listing will be required to submit contact information for the entity and:
(i) Attest that the entity is not subject to any exclusion in paragraph (a)(2) of this section;
(ii) Provide certifications that the entity meets each requirement for PSOs in paragraph (b) of this section;
(iii) If the entity is a component of another organization, provide the additional certifications that the entity meets the requirements of paragraph (c)(1)(i) of this section;
(iv) If the entity is a component of an excluded entity described in paragraph (a)(2)(ii), provide the additional certifications and information required by paragraph (c)(1)(ii) of this section;
(v) Attest that the entity has disclosed if the Secretary has ever delisted this entity (under its current name or any other) or refused to list the entity or whether any of its officials or senior managers held comparable positions of responsibility in an entity that was denied listing or delisted and, if any of these circumstances apply, submit with its certifications and related disclosures, the name of the entity or entities that the Secretary declined to list or delisted;
(vi) Attest that the PSO will promptly notify the Secretary during its period of listing if it can no longer comply with any of its attestations and the applicable requirements in §§ 3.102(b) and 3.102(c) or if there have been any changes in the accuracy of the information submitted for listing, along with the pertinent changes; and
(vii) Provide other information that the Secretary determines to be necessary to make the requested listing determination.
(2) Exclusion of certain entities. The following types of entities may not seek listing as a PSO:
(i) A health insurance issuer; a unit or division of a health insurance issuer; or an entity that is owned, managed, or controlled by a health insurance issuer;
(ii) (A) An entity that accredits or licenses health care providers;
(B) An entity that oversees or enforces statutory or regulatory requirements governing the delivery of health care services;

reporting system to which health care providers (other than members of the entity’s workforce or health care providers holding privileges with the entity) are required to report information by law or regulation.
(iii) A component of an entity listed in paragraph (a)(2)(ii) may seek listing as a component PSO subject to the requirements and restrictions of paragraph (c)(1)(ii) of this section.
(3) Submission of certification for continued listing. To facilitate a timely Secretarial determination regarding acceptance of its certification for continued listing, a PSO must submit the required certification no later than 75 days before the expiration of a PSO’s three-year period of listing.
(b) Fifteen general PSO certification requirements. The certifications submitted to the Secretary in accordance with paragraph (a)(1)(ii) of this section must conform to the following 15 requirements:
(1) Required certification regarding eight patient safety activities.
(i) Initial listing. An entity seeking initial listing as a PSO must certify that it has written policies and procedures in place to perform each of the eight patient safety activities, defined in § 3.20. With respect to paragraphs (5) and (6) in the definition of patient safety activities regarding confidentiality and security, the policies and procedures must include and provide for:
(A) Compliance with the confidentiality provisions of Subpart C of this part and with appropriate security measures as required by § 3.106 of this subpart.
(B) Notification of each provider that submitted patient safety work product or data as described in § 3.108(b)(2) to the entity if the submitted work product or data was subject to an unauthorized disclosure or its security was breached.
(ii) Continued Listing. A PSO seeking continued listing must certify that it is performing, and will continue to perform, each of the patient safety activities defined in § 3.20, and is and will continue to comply with the requirements of paragraphs (b)(1)(i)(A) and (B) of this section.
(2) Required certification regarding seven PSO criteria.
(i) Initial Listing. In its initial certification submission, an entity must also certify that, if listed as a PSO, it will comply with the seven

(B) The PSO must have appropriately qualified workforce members, including licensed or certified medical professionals.
(C) The PSO, within the 24-month period that begins on the date of its initial listing as a PSO, and within each sequential 24-month period thereafter, must have 2 bona fide contracts, each of a reasonable period of time, each with a different provider for the purpose of receiving and reviewing patient safety work product.
(D) The PSO is not a health insurance issuer, and is not a component of a health insurance issuer.
(E) The PSO must make disclosures to the Secretary as required under § 3.102(d), in accordance with § 3.112 of this subpart.
(F) To the extent practical and appropriate, the PSO must collect patient safety work product from providers in a standardized manner that permits valid comparisons of similar cases among similar providers.
(G) The PSO must utilize patient safety work product for the purpose of providing direct feedback and assistance to providers to effectively minimize patient risk.
(ii) Continued Listing. A PSO seeking continued listing must certify that it is complying with, and will continue to comply with, the requirements of paragraphs (b)(2)(i)(A) through (G) of this section.
(iii) Compliance with the criterion for collecting patient safety work product in a standardized manner to the extent practical and appropriate. With respect to paragraph (b)(2)(i)(F) of this section, the Secretary will assess compliance by a PSO in the following manner.
(A) A PSO seeking continued listing must:
(1) Certify that the PSO is using the Secretary’s published guidance for common formats and definitions in its collection of patient safety work product (option (I));
(2) Certify that the PSO is using an alternative system of formats and definitions that permits valid comparisons of similar cases among similar providers (option (II)); or
(3) Provide a clear explanation for why it is not practical or appropriate for the PSO to comply with options (I) or (II) at this time.
(B) The Secretary will consider a PSO to be in compliance if the entity

(C) An agent of an entity that oversees requirements in paragraphs (b)(2)(i)(A) complies with option (I), satisfactorily
or enforces statutory or regulatory through (G) of this section. demonstrates that option (II) permits
requirements governing the delivery of (A) The mission and primary activity valid comparisons of similar cases
health care services; or of the PSO must be to conduct activities among similar providers, or
(D) An entity that operates a Federal, that are to improve patient safety and satisfactorily demonstrates that it is not
state, local or Tribal patient safety the quality of health care delivery. practical or appropriate for the PSO to

comply with options (I) or (II) at this time.
(c) Additional certifications required of component organizations—(1) Requirements when seeking listing—(i) Requirements that all component organizations must meet. In addition to meeting the 15 general PSO certification requirements of paragraph (b) of this section, an entity seeking initial listing that is a component of another organization must certify that it will comply with the requirements of paragraph (c)(2) of this section. A component PSO seeking continued listing must certify that it is complying with, and will continue to comply with, the requirements of this same paragraph (c)(2). At initial and continued listing, a component entity must attach to its certifications for listing contact information for its parent organization(s).
(ii) Additional requirements and limitations applicable to components of entities that are excluded from listing. In addition to the requirements under paragraph (c)(1)(i) of this section, a component of an organization excluded from listing under paragraph (a)(2)(ii) of this section must submit the additional certifications and specified information for initial and continued listing and comply with paragraph (c)(4) of this section.
(2) Required component certifications—(i) Separation of patient safety work product. A component PSO must maintain patient safety work product separately from the rest of the parent organization(s) of which it is a part, and establish appropriate security measures to maintain the confidentiality of patient safety work product. The information system in which the component PSO maintains patient safety work product must not permit unauthorized access by one or more individuals in, or by units of, the rest of the parent organization(s) of which it is a part.
(ii) Nondisclosure of patient safety work product. A component PSO must require that members of its workforce and any other contractor staff not make unauthorized disclosures of patient safety work product to the rest of the parent organization(s) of which it is a part.
(iii) No conflict of interest. The pursuit of the mission of a component PSO must not create a conflict of interest with the rest of the parent organization(s) of which it is a part.
(3) Written agreements for assisting a component PSO in the conduct of patient safety activities. Notwithstanding the requirements of paragraph (c)(2) of this section, a component PSO may provide access to identifiable patient safety work product to one or more individuals in, or to one or more units of, the rest of the parent organization(s) of which it is a part, if the component PSO enters into a written agreement with such individuals or units which requires that:
(i) The component PSO will only provide access to identifiable patient safety work product to enable such individuals or units to assist the component PSO in its conduct of patient safety activities, and
(ii) Such individuals or units that receive access to identifiable patient safety work product pursuant to such written agreement will only use or disclose such information as specified by the component PSO to assist the component PSO in its conduct of patient safety activities, will take appropriate security measures to prevent unauthorized disclosures and will comply with the other certifications the component has made pursuant to paragraph (c)(2) of this section regarding unauthorized disclosures and conducting the mission of the PSO without creating conflicts of interest.
(4) Required attestations, information and operational limitations for components of entities excluded from listing. A component organization of an entity that is subject to the restrictions of paragraph (a)(2)(ii) of this section must:
(i) Submit the following information with its certifications for listing:
(A) A statement describing its parent organization’s role, and the scope of the parent organization’s authority, with respect to any of the following that apply: Accreditation or licensure of health care providers, oversight or enforcement of statutory or regulatory requirements governing the delivery of health care services, serving as an agent of such a regulatory oversight or enforcement authority, or administering a public mandatory patient safety reporting system;
(B) An attestation that the parent organization has no policies or procedures that would require or induce providers to report patient safety work product to their component organization once listed as a PSO and that the component PSO will notify the Secretary within 5 calendar days of the date on which the component organization has knowledge of the adoption by the parent organization of such policies or procedures, and an acknowledgment that the adoption of such policies or procedures by the parent organization during the component PSO’s period of listing will result in the Secretary initiating an expedited revocation process in accordance with § 3.108(e); and
(C) An attestation that the component organization will prominently post notification on its Web site and publish in any promotional materials for dissemination to providers, a summary of the information that is required by paragraph (c)(4)(i)(A) of this section.
(ii) Comply with the following requirements during its period of listing:
(A) The component organization may not share staff with its parent organization(s).
(B) The component organization may enter into a written agreement pursuant to paragraph (c)(3) but such agreements are limited to units or individuals of the parent organization(s) whose responsibilities do not involve the activities specified in the restrictions in paragraph (a)(2)(ii) of this section.
(d) Required notifications. Upon listing, PSOs must meet the following notification requirements:
(1) Notification regarding PSO compliance with the minimum contract requirement. No later than 45 calendar days prior to the last day of the pertinent 24-month assessment period, specified in paragraph (b)(2)(iii)(C) of this section, the Secretary must receive from a PSO a certification that states whether it has met the requirement of that paragraph regarding two bona fide contracts, submitted in accordance with § 3.112 of this subpart.
(2) Notification regarding a PSO’s relationships with its contracting providers.
(i) Requirement. A PSO must file a disclosure statement regarding a provider with which it has a contract that provides the confidentiality and privilege protections of the Patient Safety Act (hereinafter referred to as a Patient Safety Act contract) if the PSO has any other relationships with this provider that are described in paragraphs (d)(2)(i)(A) through (D) of this section. The PSO must disclose all such relationships. A disclosure statement is not required if all of its other relationships with the provider are limited to Patient Safety Act contracts.
(A) The provider and PSO have current contractual relationships, other than those arising from any Patient Safety Act contracts, including formal contracts or agreements that impose obligations on the PSO.
(B) The provider and PSO have current financial relationships other than those arising from any Patient Safety Act contracts. A financial relationship may include any direct or indirect ownership or investment relationship between the PSO and the contracting provider, shared or common
financial interests or direct or indirect compensation arrangements whether in cash or in-kind.
(C) The PSO and provider have current reporting relationships other than those arising from any Patient Safety Act contracts, by which the provider has access to information regarding the work and operation of the PSO that is not available to other contracting providers.
(D) Taking into account all relationships that the PSO has with the provider, the PSO is not independently managed or controlled, or the PSO does not operate independently from, the contracting provider.
(ii) Content. A PSO must submit to the Secretary the required attestation form for disclosures with the information specified below in accordance with § 3.112 and this section. The substantive information that must be included with each submission has two required parts:
(A) The Required Disclosures. The first part of the substantive information must provide a succinct list of obligations between the PSO and the contracting provider apart from their Patient Safety Act contract(s) that create, or contain, any of the types of relationships that must be disclosed based upon the requirements of paragraphs (d)(2)(i)(A) through (D) of this section. Each reportable obligation or discrete set of obligations that the PSO has with this contracting provider should be listed only once; noting the specific aspects of the obligation(s) that reflect contractual or financial relationships, involve access to information that is not available to other providers, or affect the independence of PSO operations, management, or control.
(B) An Explanatory Narrative. The second required part of the substantive information must provide a brief explanatory narrative succinctly describing: The policies and procedures that the PSO has in place to ensure adherence to objectivity and professionally recognized analytic standards in the assessments it undertakes; and any other policies or procedures, or agreements with this provider, that the PSO has in place to ensure that it can fairly and accurately perform patient safety activities.
(iii) Deadlines for submission. The Secretary must receive a disclosure statement within 45 days of the date on which a PSO enters a contract with a provider if the circumstances described in any of the paragraphs (d)(2)(i)(A) through (D) of this section are met on the date the contract is entered. During the contract period, if these circumstances subsequently arise, the Secretary must receive a disclosure statement from the PSO within 45 days of the date that any disclosure requirement in paragraph (d)(2)(i) of this section first applies.

§ 3.104 Secretarial actions.
(a) Actions in response to certification submissions for initial and continued listing as a PSO. (1) In response to an initial or continued certification submission by an entity, pursuant to the requirements of § 3.102 of this subpart, the Secretary may—
(i) Accept the certification submission and list the entity as a PSO, or maintain the listing of a PSO, if the Secretary determines that the entity meets the applicable requirements of the Patient Safety Act and this subpart;
(ii) Deny acceptance of a certification submission and, in the case of a currently listed PSO, remove the entity from the list if the entity does not meet the applicable requirements of the Patient Safety Act and this subpart; or
(iii) Condition the listing of an entity or the continued listing of a PSO, following a determination made pursuant to paragraph (c) of this section or a determination after review of the pertinent history of an entity that has been delisted or refused listing and its officials and senior managers.
(2) Basis for determination. In making a determination regarding listing, the Secretary will consider the certification submission; any prior actions by the Secretary regarding the entity or PSO including delisting; any history of or current non-compliance by the entity or the PSO or its officials or senior managers with statutory or regulatory requirements or requests from the Secretary; the relationships of the entity or PSO with providers; and any findings made by the Secretary in accordance with paragraph (c) of this section.
(3) Notification. The Secretary will notify in writing each entity of action taken on its certification submission for initial or continued listing. The Secretary will provide reasons when an entity’s certification is conditionally accepted and the entity is conditionally listed, when an entity’s certification is not accepted and the entity is not listed, or when acceptance of its certification is revoked and the entity is delisted.
(b) Actions regarding PSO compliance with the minimum contract requirement. After the date on which the Secretary, under § 3.102(d)(1) of this subpart, must receive notification regarding compliance of a PSO with the minimum contract requirement—
(1) If the PSO has met the minimum contract requirement, the Secretary will acknowledge in writing receipt of the notification and add information to the list established pursuant to paragraph (d) of this section stating that the PSO has certified that it has met the requirement.
(2) If the PSO states that it has not yet met the minimum contract requirement by the date specified in § 3.102(d)(1), or if notice is not received by that date, the Secretary will issue to the PSO a notice of a preliminary finding of deficiency as specified in § 3.108(a)(2) and establish a period for correction that extends until midnight of the last day of the PSO’s applicable 24-month period of assessment. Thereafter, if the requirement has not been met, the Secretary will provide the PSO a written notice of proposed revocation and delisting in accordance with § 3.108(a)(3).
(c) Actions regarding required disclosures by PSOs of relationships with contracting providers. The Secretary will review and make findings regarding each disclosure statement submitted by a PSO, pursuant to § 3.102(d)(2), regarding its relationships with contracting provider(s), determine whether such findings warrant action regarding the listing of the PSO in accordance with paragraph (c)(2) of this section, and make the findings public.
(1) Basis of findings regarding PSO disclosure statements. In reviewing disclosure statements, submitted pursuant to § 3.102(d)(2) of this subpart, the Secretary will consider the disclosed relationship(s) between the PSO and the contracting provider and the statements and material submitted by the PSO describing the policies and procedures that the PSO has in place to determine whether the PSO can fairly and accurately perform the required patient safety activities.
(2) Determination by the Secretary. Based on the Secretary’s review and findings, he may choose to take any of the following actions:
(i) For an entity seeking an initial or continued listing, the Secretary may list or continue the listing of an entity without conditions, list the entity subject to conditions, or deny the entity’s certification for initial or continued listing; or
(ii) For a listed PSO, the Secretary may determine that the entity will remain listed without conditions, continue the entity’s listing subject to conditions, or remove the entity from the list of PSOs.
(3) Release of disclosure statements and Secretarial findings. (i) Subject to paragraph (c)(3)(ii) of this section, the Secretary will make disclosure statements available to the public along
with related findings that are made available in accordance with paragraph (c) of this section.
(ii) The Secretary may withhold information that is exempt from public disclosure under the Freedom of Information Act, e.g., trade secrets or confidential commercial information that are subject to the restrictions of 18 U.S.C. 1905.
(d) Maintaining a list of PSOs. The Secretary will compile and maintain a publicly available list of entities whose certifications as PSOs have been accepted. The list will include contact information for each entity, a copy of all certification forms and disclosure statements submitted by each entity in accordance with paragraph (c)(3)(ii) of this section, the effective date of the PSO’s listing, and information on whether a PSO has certified that it has met the two contract requirement. The list also will include a copy of the Secretary’s findings regarding each disclosure statement submitted by an entity, information describing any related conditions that have been placed by the Secretary on the listing of an entity as a PSO, and other information that this Subpart states may be made public. AHRQ may maintain a PSO website (or a comparable future form of public notice) and may post the list on this website.
(e) Three-year period of listing. (1) The three-year period of listing of a PSO will automatically expire at midnight of the last day of this period, unless the listing had been revoked or relinquished earlier in accordance with § 3.108 of this subpart, or if, prior to this automatic expiration, the PSO seeks a new three-year listing, in accordance with § 3.102, and the Secretary accepts the PSO’s certification for a new three-year listing, in accordance with § 3.104(a).
(2) The Secretary plans to send a written notice of imminent expiration to a PSO at least 60 calendar days prior to the date on which its three-year period of listing expires if the Secretary has not yet received a certification for continued listing. The Secretary plans to indicate, on the AHRQ PSO website, the PSOs from whom certifications for continued listing have not been timely received.
(f) Effective dates of Secretarial actions. Unless otherwise stated, the effective date of each action by the Secretary pursuant to this subpart will be specified in the written notice of such action that is sent to the entity. When the Secretary sends a notice that addresses acceptance or revocation of an entity’s certifications or voluntary relinquishment by an entity of its status as a PSO, the notice will specify the effective date and time of listing or delisting.

§ 3.106 Security requirements.
(a) Application. A PSO must secure patient safety work product in conformance with the security requirements of paragraph (b) of this section. These requirements must be met at all times and at any location at which the PSO, its workforce members, or its contractors receive, access, or handle patient safety work product. Handling patient safety work product includes its processing, development, use, maintenance, storage, removal, disclosure, transmission and destruction.
(b) Security framework. A PSO must have written policies and procedures that address each of the considerations specified in this subsection. In addressing the framework that follows, the PSO may develop appropriate and scalable security standards, policies, and procedures that are suitable for the size and complexity of its organization.
(1) Security management. A PSO must address:
(i) Maintenance and effective implementation of written policies and procedures that conform to the requirements of this section to protect the confidentiality, integrity, and availability of the patient safety work product that is received, accessed, or handled; and to monitor and improve the effectiveness of such policies and procedures, and
(ii) Training of the PSO workforce and PSO contractors who receive, access, or handle patient safety work product regarding the requirements of the Patient Safety Act, this Part, and the PSO’s policies and procedures regarding the confidentiality and security of patient safety work product.
(2) Distinguishing patient safety work product. A PSO must address:
(i) Maintenance of the security of patient safety work product, whether in electronic or other media, through either physical separation from non-patient safety work product, or if co-located with non-patient safety work product, by making patient safety work product distinguishable so that the appropriate form and level of security can be applied and maintained;
(ii) Protection of the media, whether in electronic, paper, or other media or format, that contain patient safety work product, limiting access to authorized users, and sanitizing and destroying such media before their disposal or release for reuse; and
(iii) Physical and environmental protection, to control and limit physical and virtual access to places and equipment where patient safety work product is received, accessed, or handled.
(3) Security control and monitoring. A PSO must address:
(i) Identification of those authorized to receive, access, or handle patient safety work product and an audit capacity to detect unlawful, unauthorized, or inappropriate receipt, access, or handling of patient safety work product, and
(ii) Methods to prevent unauthorized receipt, access, or handling of patient safety work product.
(4) Security assessment. A PSO must address:
(i) Periodic assessments of security risks and controls to establish if its controls are effective, to correct any deficiency identified, and to reduce or eliminate any vulnerabilities.
(ii) System and communications protection, to monitor, control, and protect PSO receipt, access, or handling of patient safety work product with particular attention to the transmission of patient safety work product to and from providers, other PSOs, contractors or any other responsible persons.

§ 3.108 Correction of deficiencies, revocation, and voluntary relinquishment.
(a) Process for correction of a deficiency and revocation—(1) Circumstances leading to revocation. The Secretary may revoke his acceptance of an entity’s certification (“revocation”) and delist the entity as a PSO if he determines—
(i) The PSO is not fulfilling the certifications made to the Secretary as required by § 3.102;
(ii) The PSO has not met the two contract requirement, as required by § 3.102(d)(1);
(iii) Based on a PSO’s disclosures made pursuant to § 3.102(d)(2), that the entity cannot fairly and accurately perform the patient safety activities of a PSO with a public finding to that effect; or
(iv) The PSO is not in compliance with any other provision of the Patient Safety Act or this Part.
(2) Notice of preliminary finding of deficiency and establishment of an opportunity for correction of a deficiency. (i) Except as provided by paragraph (e) of this section, if the Secretary determines that a PSO is not in compliance with its obligations under the Patient Safety Act or this Subpart, the Secretary must send a PSO written notice of the preliminary finding of deficiency. The notice must state the actions or inactions that encompass the deficiency finding, outline the evidence that the deficiency exists, specify the
possible and/or required corrective actions that must be taken, and establish a date by which the deficiency must be corrected. The Secretary may specify in the notice the form of documentation required to demonstrate that the deficiency has been corrected.
(ii) The notice of a preliminary finding of deficiency is presumed received five days after it is sent, absent evidence of the actual receipt date. If a PSO does not submit evidence to the Secretary within 14 calendar days of actual or constructive receipt of such notice, whichever is longer, which demonstrates that the preliminary finding is factually incorrect, the preliminary finding will be the basis for a finding of deficiency.
(3) Determination of correction of a deficiency. (i) Unless the Secretary specifies another date, the Secretary must receive documentation to demonstrate that the PSO has corrected any deficiency cited in the preliminary finding of deficiency no later than five calendar days following the last day of the correction period that is specified by the Secretary in such notice.
(ii) In making a determination regarding the correction of any deficiency, the Secretary will consider the documentation submitted by the PSO, any assessments under § 3.110, recommendations of program staff, and any other information available regarding the PSO that the Secretary deems appropriate and relevant to the PSO’s implementation of the terms of its certification.
(iii) After completing his review, the Secretary may make one of the following determinations:
(A) The action(s) taken by the PSO have corrected any deficiency, in which case the Secretary will withdraw the notice of deficiency and so notify the PSO;
(B) The PSO has acted in good faith to correct the deficiency, but the Secretary finds an additional period of time is necessary to achieve full compliance and/or the required corrective action specified in the notice of a preliminary finding of deficiency needs to be modified in light of the experience of the PSO in attempting to implement the corrective action, in which case the Secretary will extend the period for correction and/or modify the specific corrective action required; or
(C) The PSO has not completed the corrective action because it has not acted with reasonable diligence or speed to ensure that the corrective action was completed within the allotted time, in which case the Secretary will issue to the PSO a notice of proposed revocation and delisting.
(iv) When the Secretary issues a written notice of proposed revocation and delisting, the notice will specify the deficiencies that have not been timely corrected and will detail the manner in which the PSO may exercise its opportunity to be heard in writing to respond to the deficiencies specified in the notice.
(4) Opportunity to be heard in writing following a notice of proposed revocation and delisting. The Secretary will afford a PSO an opportunity to be heard in writing, as specified in paragraph (a)(4)(i) of this section, to provide a substantive response to the deficiency finding(s) set forth in the notice of proposed revocation and delisting.
(i) The notice of proposed revocation and delisting is presumed received five days after it is sent, absent evidence of actual receipt. The Secretary will provide a PSO with a period of time, beginning with the date of receipt of the notice of proposed revocation and delisting of which there is evidence, or the presumed date of receipt if there is no evidence of earlier receipt, and ending at midnight 30 calendar days thereafter, during which the PSO may submit a substantive response to the deficiency findings in writing.
(ii) The Secretary will provide to the PSO any rules of procedure governing the form or transmission of the written response to the notice of proposed revocation and delisting. Such rules may also be posted on the AHRQ PSO Web site or published in the Federal Register.
(iii) If a PSO does not submit a written response to the deficiency finding(s) within 30 calendar days of receipt of the notice of proposed revocation and delisting, the notice of proposed revocation becomes final as a matter of law and the basis for Secretarial action under paragraph (b)(1) of this section.
(5) The Secretary’s decision regarding revocation. The Secretary will review the entire administrative record pertaining to a notice of proposed revocation and delisting and any written materials submitted by the PSO under paragraph (a)(4) of this section. The Secretary may affirm, reverse, or modify the notice of proposed revocation and delisting and will make a determination with respect to the continued listing of the PSO.
(b) Revocation of the Secretary’s acceptance of a PSO’s certifications—(1) Establishing the date and time of revocation and delisting. When the Secretary concludes, in accordance with a decision made under paragraphs (a)(5), (e)(3)(iii) or (e)(3)(iv)(C) of this section, that revocation of the acceptance of a PSO’s certification is warranted for its failure to comply with requirements of the Patient Safety Act or of this Part, the Secretary will establish the effective time and date for such prompt revocation and removal of the entity from the list of PSOs, so notify the PSO in writing, and provide the relevant public notice required by § 3.108(d) of this subpart.
(2) Required notification of providers and status of data. (i) Upon being notified of the Secretary’s action pursuant to paragraph (b)(1) of this section, the former PSO will take all reasonable actions to notify each provider, whose patient safety work product it collected or analyzed, of the Secretary’s action(s) and the following statutory information: Confidentiality and privilege protections that applied to patient safety work product while the former PSO was listed continue to apply after the entity is removed from listing. Data submitted by providers to the former PSO for 30 calendar days following the date and time on which the entity was removed from the list of PSOs pursuant to paragraph (b)(1) of this section will have the same status as data submitted while the entity was still listed.
(ii) Within 15 days of being notified of the Secretary’s action pursuant to paragraph (b)(1) of this section, the former PSO shall submit to the Secretary confirmation that it has taken the actions in paragraph (b)(2)(i) of this section.
(3) Disposition of patient safety work product and data. Within 90 days following the effective date of revocation and delisting pursuant to paragraph (b)(1) of this section, the former PSO will take one or more of the following measures in regard to patient safety work product and data described in paragraph (b)(2)(i) of this section:
(i) Transfer such patient safety work product or data, with the approval of the source from which it was received, to a PSO that has agreed to receive such patient safety work product or data;
(ii) Return such work product or data to the source from which it was submitted; or
(iii) If returning such patient safety work product or data to its source is not practicable, destroy such patient safety work product or data.
(c) Voluntary relinquishment—(1) Circumstances constituting voluntary relinquishment. A PSO will be considered to have voluntarily relinquished its status as a PSO if the Secretary accepts a notification from a PSO that it wishes to relinquish voluntarily its listing as a PSO.
(2) Notification of voluntary relinquishment. A PSO’s notification of voluntary relinquishment to the Secretary must include the following:
(i) An attestation that all reasonable efforts have been made, or will have been made by a PSO within 15 calendar days of this statement, to notify the sources from which it received patient safety work product of the PSO’s intention to cease PSO operations and activities, to relinquish voluntarily its status as a PSO, to request that these other entities cease reporting or submitting any further information to the PSO as soon as possible, and inform them that any information reported after the effective date and time of delisting that the Secretary sets pursuant to paragraph (c)(3) of this section will not be protected as patient safety work product under the Patient Safety Act.
(ii) An attestation that the entity has established a plan, or within 15 calendar days of this statement, will have made all reasonable efforts to establish a plan, in consultation with the sources from which it received patient safety work product, that provides for the disposition of the patient safety work product held by the PSO consistent with, to the extent practicable, the statutory options for disposition of patient safety work product as set out in paragraph (b)(3) of this section; and
(iii) Appropriate contact information for further communications from the Secretary.
(3) Response to notification of voluntary relinquishment. (i) After a PSO provides the notification required by paragraph (c)(2) of this section, the Secretary will respond in writing to the entity indicating whether the proposed voluntary relinquishment of its PSO status is accepted. If the voluntary relinquishment is accepted, the Secretary’s response will indicate an effective date and time for the entity’s removal from the list of PSOs and will provide public notice of the voluntary relinquishment and the effective date and time of the delisting, in accordance with § 3.108(d) of this subpart.
(ii) If the Secretary receives a notification of voluntary relinquishment during or immediately after revocation proceedings for cause under paragraphs (a)(4) and (a)(5) of this section, the Secretary, as a matter of discretion, may accept voluntary relinquishment in accordance with the preceding paragraph or decide not to accept the entity’s proposed voluntary relinquishment and proceed with the revocation for cause and delisting pursuant to paragraph (b)(1) of this section.
(4) Non-applicability of certain procedures and requirements. (i) A decision by the Secretary to accept a request by a PSO to relinquish voluntarily its status as a PSO pursuant to paragraph (c)(2) of this section does not constitute a determination of a deficiency in PSO compliance with the Patient Safety Act or with this Subpart.
(ii) The procedures and requirements of § 3.108(a) of this subpart regarding deficiencies including the opportunity to correct deficiencies and to be heard in writing, and the procedures and requirements of § 3.108(b) are not applicable to determinations of the Secretary made pursuant to this subsection.
(d) Public notice of delisting regarding removal from listing. If the Secretary removes an entity from the list of PSOs following revocation of acceptance of the entity’s certification pursuant to § 3.108(b)(1), voluntary relinquishment pursuant to § 3.108(c)(3), or expiration of an entity’s period of listing pursuant to § 3.104(e)(1), the Secretary will promptly publish in the Federal Register and on the AHRQ PSO website, or in a comparable future form of public notice, a notice of the actions taken and the effective dates.
(e) Expedited revocation and delisting—(1) Basis for expedited revocation. Notwithstanding any other provision of this section, the Secretary may use the expedited revocation process described in paragraph (e)(3) of this section if he determines—
(i) The PSO is not in compliance with this Part because it is or is about to become an entity described in § 3.102(a)(2).
(ii) The parent organization of the PSO is an entity described in § 3.102(a)(2) and requires or induces health care providers to report patient safety work product to its component PSO; or
(iii) The circumstances for revocation in paragraph (a)(1) of this section exist, and the Secretary has determined that there would be serious adverse consequences if the PSO were to remain listed.
(2) Applicable provisions. If the Secretary uses the expedited revocation process described in paragraph (e)(3) of this section, the procedures in paragraphs (a)(2) through (5) of this section shall not apply and paragraph (a)(1) and paragraphs (b) and (d) of this section shall apply.
(3) Expedited revocation process. (i) The Secretary must send the PSO a written notice of deficiency that:
(A) Identifies the evidence that the circumstances for revocation and delisting under paragraph (a)(1) of this section exist, and any corrective action that the PSO must take if the Secretary determines that corrective action may resolve the matter so that the entity would not be delisted; and
(B) Provides an opportunity for the PSO to respond in writing to correct the facts or the legal bases for delisting found in the notice, and to offer any other grounds for its not being delisted.
(ii) The notice of deficiency will be presumed to be received five days after it is sent, absent evidence of the actual receipt date.
(iii) If the PSO does not submit a written response to the Secretary within 14 calendar days of actual or constructive receipt of such notice, whichever is longer, the Secretary may revoke his acceptance of the PSO’s certifications and remove the entity from the list of PSOs.
(iv) If the PSO responds in writing within the required 14-day time period, the Secretary may take any of the following actions:
(A) Withdraw the notice of deficiency;
(B) Provide the PSO with more time to resolve the matter to the Secretary’s satisfaction; or
(C) Revoke his acceptance of the PSO’s certifications and remove the entity from the list of PSOs.

§ 3.110 Assessment of PSO compliance.
The Secretary may request information or conduct announced or unannounced reviews of, or site visits to, PSOs, to assess or verify PSO compliance with the requirements of this subpart and for these purposes will be allowed to inspect the physical or virtual sites maintained or controlled by the PSO. The Secretary will be allowed to inspect and/or be given or sent copies of any PSO records deemed necessary and requested by the Secretary to implement the provisions of this subpart. Such PSO records may include patient safety work product in accordance with § 3.206(d) of this part.

§ 3.112 Submissions and forms.
(a) Forms referred to in this subpart may be obtained on the PSO Web site (http://www.pso.ahrq.gov) maintained for the Secretary by AHRQ or a successor agency or on successor publication technology or by requesting them in writing by e-mail at pso@ahrq.hhs.gov, or by mail from the Agency for Healthcare Research and Quality, CQuIPS, PSO Liaison, 540 Gaither Road, Rockville, MD 20850. A form (including any required attachments) must be submitted in accordance with the accompanying instructions.
(b) Information submitted to AHRQ in writing, but not required to be on or attached to a form, and requests for information from AHRQ, may be submitted by mail or other delivery to the Agency for Healthcare Research and Quality, CQuIPS, PSO Liaison, 540 Gaither Road, Rockville, MD 20850, by facsimile at (301) 427–1341, or by e-mail at pso@ahrq.hhs.gov.
(c) If a submission to the Secretary is incomplete or additional information is needed to allow a determination to be made under this subpart, the submitter will be notified if any additional information is required.

Subpart C—Confidentiality and Privilege Protections of Patient Safety Work Product

§ 3.204 Privilege of patient safety work product.
(a) Privilege. Notwithstanding any other provision of Federal, State, local, or Tribal law and subject to paragraph (b) of this section and § 3.208 of this subpart, patient safety work product shall be privileged and shall not be:
(1) Subject to a Federal, State, local, or Tribal civil, criminal, or administrative subpoena or order, including in a Federal, State, local, or Tribal civil or administrative disciplinary proceeding against a provider;
(2) Subject to discovery in connection with a Federal, State, local, or Tribal civil, criminal, or administrative proceeding, including in a Federal, State, local, or Tribal civil or administrative disciplinary proceeding against a provider;
(3) Subject to disclosure pursuant to section 552 of Title 5, United States Code (commonly known as the Freedom of Information Act) or any other similar Federal, State, local, or Tribal law;
(4) Admitted as evidence in any Federal, State, local, or Tribal governmental civil proceeding, criminal proceeding, administrative rulemaking proceeding, or administrative adjudicatory proceeding, including any such proceeding against a provider; or
(5) Admitted in a professional disciplinary proceeding of a professional disciplinary body established or specifically authorized under State law.
(b) Exceptions to privilege. Privilege shall not apply to (and shall not be construed to prohibit) one or more of the following disclosures:
(1) Disclosure of relevant patient safety work product for use in a criminal proceeding, subject to the conditions at § 3.206(b)(1) of this subpart.
(2) Disclosure to the extent required to permit equitable relief subject to the conditions at § 3.206(b)(2) of this subpart.
(3) Disclosure pursuant to provider authorizations subject to the conditions at § 3.206(b)(3) of this subpart.
(4) Disclosure of non-identifiable patient safety work product subject to the conditions at § 3.206(b)(5) of this subpart.
(c) Implementation and enforcement by the Secretary. Privilege shall not apply to (and shall not be construed to prohibit) disclosures of relevant patient safety work product to or by the Secretary if such patient safety work product is needed to investigate or determine compliance, or to seek or impose civil money penalties, with respect to this part or the HIPAA Privacy Rule, or to make or support decisions with respect to listing of a PSO.

§ 3.206 Confidentiality of patient safety work product.
(a) Confidentiality. Subject to paragraphs (b) through (e) of this section, and §§ 3.208 and 3.210 of this subpart, patient safety work product shall be confidential and shall not be disclosed.
(b) Exceptions to confidentiality. The confidentiality provisions shall not apply to (and shall not be construed to prohibit) one or more of the following disclosures:
(1) Disclosure in criminal proceedings. Disclosure of relevant patient safety work product for use in a criminal proceeding, but only after a court makes an in-camera determination that:
(i) Such patient safety work product contains evidence of a criminal act;
(ii) Such patient safety work product is material to the proceeding; and
(iii) Such patient safety work product is not reasonably available from any other source.
(2) Disclosure to permit equitable relief for reporters. Disclosure of patient safety work product to the extent required to permit equitable relief under section 922 (f)(4)(A) of the Public Health Service Act, provided the court or administrative tribunal has issued a protective order to protect the confidentiality of the patient safety work product in the course of the proceeding.
(3) Disclosure authorized by identified providers. (i) Disclosure of identifiable patient safety work product consistent with a valid authorization if such authorization is obtained from each provider identified in such work product prior to disclosure. A valid authorization must:
(A) Be in writing and signed by the provider from whom authorization is sought; and
(B) Contain sufficient detail to fairly inform the provider of the nature and scope of the disclosures being authorized;
(ii) A valid authorization must be retained by the disclosing entity for six years from the date of the last disclosure made in reliance on the authorization and made available to the Secretary upon request.
(4) Disclosure for patient safety activities—(i) Disclosure between a provider and a PSO. Disclosure of patient safety work product for patient safety activities by a provider to a PSO or by a PSO to that disclosing provider.
(ii) Disclosure to a contractor of a provider or a PSO. A provider or a PSO may disclose patient safety work product for patient safety activities to an entity with which it has contracted to undertake patient safety activities on its behalf. A contractor receiving patient safety work product for patient safety activities may not further disclose patient safety work product, except to the provider or PSO with which it is contracted.
(iii) Disclosure among affiliated providers. Disclosure of patient safety work product for patient safety activities by a provider to an affiliated provider.
(iv) Disclosure to another PSO or provider. Disclosure of patient safety work product for patient safety activities by a PSO to another PSO or to another provider that has reported to the PSO, or, except as otherwise permitted in paragraph (b)(4)(iii) of this section, by a provider to another provider, provided:
(A) The following direct identifiers of any providers and of affiliated organizations, corporate parents, subsidiaries, practice partners, employers, members of the workforce, or household members of such providers are removed:
(1) Names;
(2) Postal address information, other than town or city, State and zip code;
(3) Telephone numbers;
(4) Fax numbers;
(5) Electronic mail addresses;
(6) Social security numbers or taxpayer identification numbers;
(7) Provider or practitioner credentialing or DEA numbers;
(8) National provider identification number;
(9) Certificate/license numbers;
(10) Web Universal Resource Locators (URLs);
(11) Internet Protocol (IP) address numbers;
(12) Biometric identifiers, including finger and voice prints; and
(13) Full face photographic images and any comparable images; and
(B) With respect to any individually identifiable health information in such patient safety work product, the direct identifiers listed at 45 CFR 164.514(e)(2) have been removed.
(5) Disclosure of nonidentifiable patient safety work product. Disclosure of nonidentifiable patient safety work product when patient safety work product meets the standard for nonidentification in accordance with § 3.212 of this subpart.
(6) Disclosure for research. (i) Disclosure of patient safety work product to persons carrying out research, evaluation or demonstration projects authorized, funded, certified, or otherwise sanctioned by rule or other means by the Secretary, for the purpose of conducting research.
(ii) If the patient safety work product disclosed pursuant to paragraph (b)(6)(i) of this section is by a HIPAA covered entity as defined at 45 CFR 160.103 and contains protected health information as defined by the HIPAA Privacy Rule at 45 CFR 160.103, such patient safety work product may only be disclosed under this exception in the same manner as would be permitted under the HIPAA Privacy Rule.
(7) Disclosure to the Food and Drug Administration (FDA) and entities required to report to FDA. (i) Disclosure by a provider of patient safety work product concerning an FDA-regulated product or activity to the FDA, an entity required to report to the FDA concerning the quality, safety, or effectiveness of an FDA-regulated product or activity, or a contractor acting on behalf of FDA or such entity for these purposes.
(ii) Any person permitted to receive patient safety work product pursuant to paragraph (b)(7)(i) of this section may only further disclose such patient safety work product for the purpose of evaluating the quality, safety, or effectiveness of that product or activity to another such person or the disclosing provider.
(8) Voluntary disclosure to an accrediting body. (i) Voluntary disclosure by a provider of patient safety work product to an accrediting body that accredits that provider, provided, with respect to any identified provider other than the provider making the disclosure:
(A) The provider agrees to the disclosure; or
(B) The identifiers at § 3.206(b)(4)(iv)(A) are removed.
(ii) An accrediting body may not further disclose patient safety work product it receives pursuant to paragraph (b)(8)(i) of this section.
(iii) An accrediting body may not take an accrediting action against a provider based on a good faith participation of the provider in the collection, development, reporting, or maintenance of patient safety work product in accordance with this Part. An accrediting body may not require a provider to reveal its communications with any PSO.
(9) Disclosure for business operations. (i) Disclosure of patient safety work product by a provider or a PSO for business operations to attorneys, accountants, and other professionals. Such contractors may not further disclose patient safety work product, except to the entity from which they received the information.
(ii) Disclosure of patient safety work product for such other business operations that the Secretary may prescribe by regulation as consistent with the goals of this part.
(10) Disclosure to law enforcement. (i) Disclosure of patient safety work product to an appropriate law enforcement authority relating to an event that either constitutes the commission of a crime, or for which the disclosing person reasonably believes constitutes the commission of a crime, provided that the disclosing person believes, reasonably under the circumstances, that the patient safety work product that is disclosed is necessary for criminal law enforcement purposes.
(ii) Law enforcement personnel receiving patient safety work product pursuant to paragraph (b)(10)(i) of this section only may disclose that patient safety work product to other law enforcement authorities as needed for law enforcement activities related to the event that gave rise to the disclosure under paragraph (b)(10)(i) of this section.
(c) Safe harbor. A provider or responsible person, but not a PSO, is not considered to have violated the requirements of this subpart if a member of its workforce discloses patient safety work product, provided that the disclosure does not include materials, including oral statements, that:
(1) Assess the quality of care of an identifiable provider; or
(2) Describe or pertain to one or more actions or failures to act by an identifiable provider.
(d) Implementation and enforcement by the Secretary. The confidentiality provisions shall not apply to (and shall not be construed to prohibit) disclosures of relevant patient safety work product to or by the Secretary if such patient safety work product is needed to investigate or determine compliance or to seek or impose civil money penalties, with respect to this part or the HIPAA Privacy Rule, or to make or support decisions with respect to listing of a PSO.
(e) No limitation on authority to limit or delegate disclosure or use. Nothing in subpart C of this part shall be construed to limit the authority of any person to enter into a contract requiring greater confidentiality or delegating authority to make a disclosure or use in accordance with this subpart.

§ 3.208 Continued protection of patient safety work product.
(a) Except as provided in paragraph (b) of this section, patient safety work product disclosed in accordance with this subpart, or disclosed impermissibly, shall continue to be privileged and confidential.
(b)(1) Patient safety work product disclosed for use in a criminal proceeding pursuant to section 922(c)(1)(A) of the Public Health Service Act, 42 U.S.C. 299b–22(c)(1)(A), and/or pursuant to § 3.206(b)(1) of this subpart continues to be privileged, but is no longer confidential.
(2) Non-identifiable patient safety work product that is disclosed is no longer privileged or confidential and not subject to the regulations under this part.
(3) Paragraph (b) of this section applies only to the specific patient safety work product disclosed.

§ 3.210 Required disclosure of patient safety work product to the Secretary.
Notwithstanding any other provision in this part, providers, PSOs, and responsible persons must disclose patient safety work product upon request by the Secretary when the Secretary determines such patient safety work product is needed to investigate or determine compliance or to seek or impose civil money penalties, with respect to this part or the HIPAA Privacy Rule, or to make or support decisions with respect to listing of a PSO.

§ 3.212 Nonidentification of patient safety work product.
(a) Patient safety work product is nonidentifiable with respect to a particular identified provider or a particular identified reporter if:
(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for
rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an identified provider or reporter; and
(ii) Documents the methods and results of the analysis that justify such determination; or
(2)(i) The following identifiers of such provider or reporter and of affiliated organizations, corporate parents, subsidiaries, practice partners, employers, members of the workforce, or household members of such providers or reporters are removed:
(A) The direct identifiers listed at § 3.206(b)(4)(iv)(A)(1) through (13) of this subpart;
(B) Geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code and equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people;
(C) All elements of dates (except year) for dates directly related to a patient safety incident or event; and
(D) Any other unique identifying number, characteristic, or code except as permitted for re-identification; and
(ii) The provider, PSO or responsible person making the disclosure does not have actual knowledge that the information could be used, alone or in combination with other information that is reasonably available to the intended recipient, to identify the particular provider or reporter.
(3) Re-identification. A provider, PSO, or responsible person may assign a code or other means of record identification to allow information made nonidentifiable under this section to be re-identified by such provider, PSO, or responsible person, provided that:
(i) The code or other means of record identification is not derived from or related to information about the provider or reporter and is not otherwise capable of being translated so as to identify the provider or reporter; and
(ii) The provider, PSO, or responsible person does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.
(b) Patient safety work product is non-identifiable with respect to a particular patient only if the individually identifiable health information regarding that patient is de-identified in accordance with the HIPAA Privacy Rule standard and implementation specifications for the de-identification at 45 CFR 164.514(a) through (c).

Subpart D—Enforcement Program

§ 3.304 Principles for achieving compliance.
(a) Cooperation. The Secretary will, to the extent practicable, seek the cooperation of providers, PSOs, and responsible persons in obtaining compliance with the applicable confidentiality provisions.
(b) Assistance. The Secretary may provide technical assistance to providers, PSOs, and responsible persons to help them comply voluntarily with the applicable confidentiality provisions.

§ 3.306 Complaints to the Secretary.
(a) Right to file a complaint. A person who believes that patient safety work product has been disclosed in violation of the confidentiality provisions may file a complaint with the Secretary.
(b) Requirements for filing complaints. Complaints under this section must meet the following requirements:
(1) A complaint must be filed in writing, either on paper or electronically.
(2) A complaint must name the person that is the subject of the complaint and describe the act(s) believed to be in violation of the applicable confidentiality provision(s).
(3) A complaint must be filed within 180 days of when the complainant knew or should have known that the act complained of occurred, unless this time limit is waived by the Secretary for good cause shown.
(4) The Secretary may prescribe additional procedures for the filing of complaints, as well as the place and manner of filing, by notice in the Federal Register.
(c) Investigation. The Secretary may investigate complaints filed under this section. Such investigation may include a review of the pertinent policies, procedures, or practices of the respondent and of the circumstances regarding any alleged violation. At the time of initial written communication with the respondent about the complaint, the Secretary will describe the act(s) that are the basis of the complaint.

§ 3.308 Compliance reviews.
The Secretary may conduct compliance reviews to determine whether a respondent is complying with the applicable confidentiality provisions.

§ 3.310 Responsibilities of respondents.
(a) Provide records and compliance reports. A respondent must keep such records and submit such compliance reports, in such time and manner and containing such information, as the Secretary may determine to be necessary to enable the Secretary to ascertain whether the respondent has complied or is complying with the applicable confidentiality provisions.
(b) Cooperate with complaint investigations and compliance reviews. A respondent must cooperate with the Secretary, if the Secretary undertakes an investigation or compliance review of the policies, procedures, or practices of the respondent to determine whether it is complying with the applicable confidentiality provisions.
(c) Permit access to information. (1) A respondent must permit access by the Secretary during normal business hours to its facilities, books, records, accounts, and other sources of information, including patient safety work product, that are pertinent to ascertaining compliance with the applicable confidentiality provisions. If the Secretary determines that exigent circumstances exist, such as when documents may be hidden or destroyed, a respondent must permit access by the Secretary at any time and without notice.
(2) If any information required of a respondent under this section is in the exclusive possession of any other agency, institution, or person, and the other agency, institution, or person fails or refuses to furnish the information, the respondent must so certify and set forth what efforts it has made to obtain the information.

§ 3.312 Secretarial action regarding complaints and compliance reviews.
(a) Resolution when noncompliance is indicated. (1) If an investigation of a complaint pursuant to § 3.306 of this subpart or a compliance review pursuant to § 3.308 of this subpart indicates noncompliance, the Secretary may attempt to reach a resolution of the matter satisfactory to the Secretary by informal means. Informal means may include demonstrated compliance or a completed corrective action plan or other agreement.
(2) If the matter is resolved by informal means, the Secretary will so inform the respondent and, if the matter arose from a complaint, the complainant, in writing.
(3) If the matter is not resolved by informal means, the Secretary will—
(i) So inform the respondent and provide the respondent an opportunity to submit written evidence of any mitigating factors. The respondent must submit any evidence to the Secretary within 30 days (computed in the same manner as prescribed under § 3.526 of this subpart) of receipt of such notification; and
(ii) If, following action pursuant to paragraph (a)(3)(i) of this section, the Secretary decides that a civil money penalty should be imposed, inform the respondent of such finding in a notice of proposed determination in accordance with § 3.420 of this subpart.
(b) Resolution when no violation is found. If, after an investigation pursuant to § 3.306 of this subpart or a compliance review pursuant to § 3.308 of this subpart, the Secretary determines that further action is not warranted, the Secretary will so inform the respondent and, if the matter arose from a complaint, the complainant, in writing.
(c) Uses and disclosures of information obtained. (1) Identifiable patient safety work product obtained by the Secretary in connection with an investigation or compliance review under this subpart will not be disclosed by the Secretary, except in accordance with § 3.206(d) of this subpart, or if otherwise permitted by this part or the Patient Safety Act.
(2) Except as provided for in paragraph (c)(1) of this section, information, including testimony and other evidence, obtained by the Secretary in connection with an investigation or compliance review under this subpart may be used by HHS in any of its activities and may be used or offered into evidence in any administrative or judicial proceeding.

§ 3.314 Investigational subpoenas and inquiries.
(a) The Secretary may issue subpoenas in accordance with 42 U.S.C. 405(d) and (e), and 1320a–7a(j), to require the attendance and testimony of witnesses and the production of any other evidence including patient safety work product during an investigation or compliance review pursuant to this part.
(1) A subpoena issued under this paragraph must—
(i) State the name of the person (including the entity, if applicable) to whom the subpoena is addressed;
(ii) State the statutory authority for the subpoena;
(iii) Indicate the date, time, and place that the testimony will take place;
(iv) Include a reasonably specific description of any documents or items required to be produced; and
(v) If the subpoena is addressed to an entity, describe with reasonable particularity the subject matter on which testimony is required. In that event, the entity must designate one or more natural persons who will testify on its behalf, and must state as to each such person that person’s name and address and the matters on which he or she will testify. The designated person must testify as to matters known or reasonably available to the entity.
(2) A subpoena under this section must be served by—
(i) Delivering a copy to the natural person named in the subpoena or to the entity named in the subpoena at its last principal place of business; or
(ii) Registered or certified mail addressed to the natural person at his or her last known dwelling place or to the entity at its last known principal place of business.
(3) A verified return by the natural person serving the subpoena setting forth the manner of service or, in the case of service by registered or certified mail, the signed return post office receipt, constitutes proof of service.
(4) Witnesses are entitled to the same fees and mileage as witnesses in the district courts of the United States (28 U.S.C. 1821 and 1825). Fees need not be paid at the time the subpoena is served.
(5) A subpoena under this section is enforceable through the district court of the United States for the district where the subpoenaed natural person resides or is found or where the entity transacts business.
(b) Investigational inquiries are non-public investigational proceedings conducted by the Secretary.
(1) Testimony at investigational inquiries will be taken under oath or affirmation.
(2) Attendance of non-witnesses is discretionary with the Secretary, except that a witness is entitled to be accompanied, represented, and advised by an attorney.
(3) Representatives of the Secretary are entitled to attend and ask questions.
(4) A witness will have the opportunity to clarify his or her answers on the record following questioning by the Secretary.
(5) Any claim of privilege must be asserted by the witness on the record.
(6) Objections must be asserted on the record. Errors of any kind that might be corrected if promptly presented will be deemed to be waived unless reasonable objection is made at the investigational inquiry. Except where the objection is on the grounds of privilege, the question will be answered on the record, subject to objection.
(7) If a witness refuses to answer any question not privileged or to produce requested documents or items, or engages in conduct likely to delay or obstruct the investigational inquiry, the Secretary may seek enforcement of the subpoena under paragraph (a)(5) of this section.
(8) The proceedings will be recorded and transcribed. The witness is entitled to a copy of the transcript, upon payment of prescribed costs, except that, for good cause, the witness may be limited to inspection of the official transcript of his or her testimony.
(9)(i) The transcript will be submitted to the witness for signature.
(A) Where the witness will be provided a copy of the transcript, the transcript will be submitted to the witness for signature. The witness may submit to the Secretary written proposed corrections to the transcript, with such corrections attached to the transcript. If the witness does not return a signed copy of the transcript or proposed corrections within 30 days (computed in the same manner as prescribed under § 3.526 of this part) of its being submitted to him or her for signature, the witness will be deemed to have agreed that the transcript is true and accurate.
(B) Where, as provided in paragraph (b)(8) of this section, the witness is limited to inspecting the transcript, the witness will have the opportunity at the time of inspection to propose corrections to the transcript, with corrections attached to the transcript. The witness will also have the opportunity to sign the transcript. If the witness does not sign the transcript or offer corrections within 30 days (computed in the same manner as prescribed under § 3.526 of this part) of receipt of notice of the opportunity to inspect the transcript, the witness will be deemed to have agreed that the transcript is true and accurate.
(ii) The Secretary’s proposed corrections to the record of transcript will be attached to the transcript.

§ 3.402 Basis for a civil money penalty.
(a) General rule. A person who discloses identifiable patient safety work product in knowing or reckless violation of the confidentiality provisions shall be subject to a civil money penalty for each act constituting such violation.
(b) Violation attributed to a principal. A principal is independently liable, in accordance with the federal common law of agency, for a civil money penalty based on the act of the principal’s agent,
including a workforce member, acting within the scope of the agency if such act could give rise to a civil money penalty in accordance with § 3.402(a) of this subpart.

§ 3.404 Amount of a civil money penalty.
(a) The amount of a civil money penalty will be determined in accordance with paragraph (b) of this section and § 3.408 of this subpart.
(b) The Secretary may impose a civil money penalty in the amount of not more than $10,000.

§ 3.408 Factors considered in determining the amount of a civil money penalty.
In determining the amount of any civil money penalty, the Secretary may consider as aggravating or mitigating factors, as appropriate, any of the following:
(a) The nature of the violation.
(b) The circumstances, including the consequences, of the violation, including:
(1) The time period during which the violation(s) occurred; and
(2) Whether the violation caused physical or financial harm or reputational damage;
(c) The degree of culpability of the respondent, including:
(1) Whether the violation was intentional; and
(2) Whether the violation was beyond the direct control of the respondent.
(d) Any history of prior compliance with the Patient Safety Act, including violations, by the respondent, including:
(1) Whether the current violation is the same or similar to prior violation(s);
(2) Whether and to what extent the respondent has attempted to correct previous violations;
(3) How the respondent has responded to technical assistance from the Secretary provided in the context of a compliance effort; and
(4) How the respondent has responded to prior complaints.
(e) The financial condition of the respondent, including:
(1) Whether the respondent had financial difficulties that affected its ability to comply;
(2) Whether the imposition of a civil money penalty would jeopardize the ability of the respondent to continue to provide health care or patient safety activities; and
(3) The size of the respondent.
(f) Such other matters as justice may require.

§ 3.414 Limitations.
No action under this subpart may be entertained unless commenced by the Secretary, in accordance with § 3.420 of this subpart, within 6 years from the date of the occurrence of the violation.

§ 3.416 Authority to settle.
Nothing in this subpart limits the authority of the Secretary to settle any issue or case or to compromise any penalty.

§ 3.418 Exclusivity of penalty.
(a) Except as otherwise provided by paragraph (b) of this section, a penalty imposed under this part is in addition to any other penalty prescribed by law.
(b) Civil money penalties shall not be imposed both under this part and under the HIPAA Privacy Rule (45 CFR parts 160 and 164).

§ 3.420 Notice of proposed determination.
(a) If a penalty is proposed in accordance with this part, the Secretary must deliver, or send by certified mail with return receipt requested, to the respondent, written notice of the Secretary’s intent to impose a penalty. This notice of proposed determination must include:
(1) Reference to the statutory basis for the penalty;
(2) A description of the findings of fact regarding the violations with respect to which the penalty is proposed;
(3) The reason(s) why the violation(s) subject(s) the respondent to a penalty;
(4) The amount of the proposed penalty;
(5) Any factors described in § 3.408 of this subpart that were considered in determining the amount of the proposed penalty; and
(6) Instructions for responding to the notice, including a statement of the respondent’s right to a hearing, a statement that failure to request a hearing within 60 days permits the imposition of the proposed penalty without the right to a hearing under § 3.504 of this subpart or a right of appeal under § 3.548 of this subpart, and the address to which the hearing request must be sent.
(b) The respondent may request a hearing before an ALJ on the proposed penalty by filing a request in accordance with § 3.504 of this subpart.

§ 3.422 Failure to request a hearing.
If the respondent does not request a hearing within the time prescribed by § 3.504 of this subpart and the matter is not settled pursuant to § 3.416 of this subpart, the Secretary may impose the proposed penalty or any lesser penalty permitted by sections 921 through 926 of the Public Health Service Act, 42 U.S.C. 299b–21 through 299b–26. The Secretary will notify the respondent by certified mail, return receipt requested, of any penalty that has been imposed and of the means by which the respondent may satisfy the penalty, and the penalty is final on receipt of the notice. The respondent has no right to appeal a penalty under § 3.548 of this subpart with respect to which the respondent has not timely requested a hearing.

§ 3.424 Collection of penalty.
(a) Once a determination of the Secretary to impose a penalty has become final, the penalty will be collected by the Secretary, subject to the first sentence of 42 U.S.C. 1320a–7a(f).
(b) The penalty may be recovered in a civil action brought in the United States district court for the district where the respondent resides, is found, or is located.
(c) The amount of a penalty, when finally determined, or the amount agreed upon in compromise, may be deducted from any sum then or later owing by the United States, or by a State agency, to the respondent.
(d) Matters that were raised or that could have been raised in a hearing before an ALJ, or in an appeal under 42 U.S.C. 1320a–7a(e), may not be raised as a defense in a civil action by the United States to collect a penalty under this part.

§ 3.426 Notification of the public and other agencies.
Whenever a proposed penalty becomes final, the Secretary will notify, in such manner as the Secretary deems appropriate, the public and the following organizations and entities thereof and the reason it was imposed: The appropriate State or local medical or professional organization, the appropriate State agency or agencies administering or supervising the administration of State health care programs (as defined in 42 U.S.C. 1320a–7(h)), the appropriate utilization and quality control peer review organization, and the appropriate State or local licensing agency or organization (including the agency specified in 42 U.S.C. 1395aa(a), 1396a(a)(33)).

§ 3.504 Hearings before an ALJ.
(a) A respondent may request a hearing before an ALJ. The parties to the hearing proceeding consist of—
(1) The respondent; and
(2) The officer(s) or employee(s) of HHS to whom the enforcement authority involved has been delegated.
(b) The request for a hearing must be made in writing signed by the respondent or by the respondent’s attorney and sent by certified mail,
return receipt requested, to the address specified in the notice of proposed determination. The request for a hearing must be mailed within 60 days after notice of the proposed determination is received by the respondent. For purposes of this section, the respondent’s date of receipt of the notice of proposed determination is presumed to be 5 days after the date of the notice unless the respondent makes a reasonable showing to the contrary to the ALJ.
(c) The request for a hearing must clearly and directly admit, deny, or explain each of the findings of fact contained in the notice of proposed determination with regard to which the respondent has any knowledge. If the respondent has no knowledge of a particular finding of fact and so states, the finding shall be deemed denied. The request for a hearing must also state the circumstances or arguments that the respondent alleges constitute the grounds for any defense and the factual and legal basis for opposing the penalty.
(d) The ALJ must dismiss a hearing request where—
(1) On motion of the Secretary, the ALJ determines that the respondent’s hearing request is not timely filed as required by paragraph (b) or does not meet the requirements of paragraph (c) of this section;
(2) The respondent withdraws the request for a hearing;
(3) The respondent abandons the request for a hearing; or
(4) The respondent’s hearing request fails to raise any issue that may properly be addressed in a hearing.

§ 3.506 Rights of the parties.
(a) Except as otherwise limited by this subpart, each party may—
(1) Be accompanied, represented, and advised by an attorney;
(2) Participate in any conference held by the ALJ;
(3) Conduct discovery of documents as permitted by this subpart;
(4) Agree to stipulations of fact or law that will be made part of the record;
(5) Present evidence relevant to the issues at the hearing;
(6) Present and cross-examine witnesses;
(7) Present oral arguments at the hearing as permitted by the ALJ; and
(8) Submit written briefs and proposed findings of fact and conclusions of law after the hearing.
(b) A party may appear in person or by a representative. Natural persons who appear as an attorney or other representative must conform to the standards of conduct and ethics required of practitioners before the courts of the United States.
(c) Fees for any services performed on behalf of a party by an attorney are not subject to the provisions of 42 U.S.C. 406, which authorizes the Secretary to specify or limit their fees.

§ 3.508 Authority of the ALJ.
(a) The ALJ must conduct a fair and impartial hearing, avoid delay, maintain order, and ensure that a record of the proceeding is made.
(b) The ALJ may—
(1) Set and change the date, time and place of the hearing upon reasonable notice to the parties;
(2) Continue or recess the hearing in whole or in part for a reasonable period of time;
(3) Hold conferences to identify or simplify the issues, or to consider other matters that may aid in the expeditious disposition of the proceeding;
(4) Administer oaths and affirmations;
(5) Issue subpoenas requiring the attendance of witnesses at hearings and the production of documents at or in relation to hearings;
(6) Rule on motions and other procedural matters;
(7) Regulate the scope and timing of documentary discovery as permitted by this subpart;
(8) Regulate the course of the hearing and the conduct of representatives, parties, and witnesses;
(9) Examine witnesses;
(10) Receive, rule on, exclude, or limit evidence;
(11) Upon motion of a party, take official notice of facts;
(12) Conduct any conference, argument or hearing in person or, upon agreement of the parties, by telephone; and
(13) Upon motion of a party, decide cases, in whole or in part, by summary judgment where there is no disputed issue of material fact. A summary judgment decision constitutes a hearing on the record for the purposes of this subpart.
(c) The ALJ—
(1) May not find invalid or refuse to follow Federal statutes, regulations, or Secretarial delegations of authority and must give deference to published guidance to the extent not inconsistent with statute or regulation;
(2) May not enter an order in the nature of a directed verdict;
(3) May not compel settlement negotiations; or
(4) May not enjoin any act of the Secretary.

§ 3.510 Ex parte contacts.
No party or person (except employees of the ALJ’s office) may communicate in any way with the ALJ on any matter at issue in a case, unless on notice and opportunity for both parties to participate. This provision does not prohibit a party or person from inquiring about the status of a case or asking routine questions concerning administrative functions or procedures.

§ 3.512 Prehearing conferences.
(a) The ALJ must schedule at least one prehearing conference, and may schedule additional prehearing conferences as appropriate, upon reasonable notice, which may not be less than 14 business days, to the parties.
(b) The ALJ may use prehearing conferences to discuss the following—
(1) Simplification of the issues;
(2) The necessity or desirability of amendments to the pleadings, including the need for a more definite statement;
(3) Stipulations and admissions of fact or as to the contents and authenticity of documents;
(4) Whether the parties can agree to submission of the case on a stipulated record;
(5) Whether a party chooses to waive appearance at an oral hearing and to submit only documentary evidence (subject to the objection of the other party) and written argument;
(6) Limitation of the number of witnesses;
(7) Scheduling dates for the exchange of witness lists and of proposed exhibits;
(8) Discovery of documents as permitted by this subpart;
(9) The time and place for the hearing;
(10) The potential for the settlement of the case by the parties; and
(11) Other matters as may tend to encourage the fair, just and expeditious disposition of the proceedings, including the protection of confidentiality of identifiable patient safety work product that may be submitted into evidence or otherwise used in the proceeding, if appropriate.
(c) The ALJ must issue an order containing the matters agreed upon by the parties or ordered by the ALJ at a prehearing conference.

§ 3.514 Authority to settle.
The Secretary has exclusive authority to settle any issue or case without the consent of the ALJ.

§ 3.516 Discovery.
(a) A party may make a request to another party for production of documents for inspection and copying that are relevant and material to the issues before the ALJ.
(b) For the purpose of this section, the term “documents” includes
information, reports, answers, records, accounts, papers and other data and documentary evidence. Nothing contained in this section may be interpreted to require the creation of a document, except that requested data stored in an electronic data storage system must be produced in a form that accessible to the requesting party.
(c) Requests for documents, requests for admissions, written interrogatories, depositions and any forms of discovery, other than those permitted under paragraph (a) of this section, are not authorized.
(d) This section may not be construed to require the disclosure of interview reports or statements obtained by any party, or on behalf of any party, of persons who will not be called as witnesses by that party, or analyses and summaries prepared in conjunction with the investigation or litigation of the case, or any otherwise privileged documents.
(e)(1) When a request for production of documents has been received, within 30 days the party receiving that request must either fully respond to the request, or state that the request is being objected to and the reasons for that objection. If objection is made to part of an item or category, the part must be specified. Upon receiving any objections, the party seeking production may then, within 30 days or any other time frame set by the ALJ, file a motion for an order compelling discovery. The party receiving a request for production may also file a motion for protective order any time before the date the production is due.
(2) The ALJ may grant a motion for protective order or deny a motion for an order compelling discovery if the ALJ finds that the discovery sought—
(i) Is irrelevant;
(ii) Is unduly costly or burdensome;
(iii) Will unduly delay the proceeding; or
(iv) Seeks privileged information.
(3) The ALJ may extend any of the time frames set forth in paragraph (e)(1) of this section.
(4) The burden of showing that discovery should be allowed is on the party seeking discovery.

§ 3.518 Exchange of witness lists, witness statements, and exhibits.
(a) The parties must exchange witness lists, copies of prior written statements of proposed witnesses, and copies of proposed hearing exhibits, including copies of any written statements that the party intends to offer in lieu of live testimony in accordance with § 3.538, not more than 60, and not less than 15, days before the scheduled hearing.
(b)(1) If, at any time, a party objects to the proposed admission of evidence not exchanged in accordance with paragraph (a) of this section, the ALJ must determine whether the failure to comply with paragraph (a) of this section should result in the exclusion of evidence.
(2) Unless the ALJ finds that extraordinary circumstances justified the failure timely to exchange the information listed under paragraph (a) of this section, the ALJ must exclude from the party’s case-in-chief—
(i) The testimony of any witness whose name does not appear on the witness list; and
(ii) Any exhibit not provided to the opposing party as specified in paragraph (a) of this section.
(3) If the ALJ finds that extraordinary circumstances existed, the ALJ must then determine whether the admission of that evidence would cause substantial prejudice to the objecting party.
(i) If the ALJ finds that there is no substantial prejudice, the evidence may be admitted.
(ii) If the ALJ finds that there is substantial prejudice, the ALJ may exclude the evidence, or, if he or she does not exclude the evidence, must postpone the hearing for such time as is necessary for the objecting party to prepare and respond to the evidence, unless the objecting party waives postponement.
(c) Unless the other party objects within a reasonable period of time before the hearing, documents exchanged in accordance with paragraph (a) of this section will be deemed to be authentic for the purpose of admissibility at the hearing.

§ 3.520 Subpoenas for attendance at hearing.
(a) A party wishing to procure the appearance and testimony of any person at the hearing may make a motion requesting the ALJ to issue a subpoena if the appearance and testimony are reasonably necessary for the presentation of a party’s case.
(b) A subpoena requiring the attendance of a person in accordance with paragraph (a) of this section may also require the person (whether or not the person is a party) to produce relevant and material evidence at or before the hearing.
(c) When a subpoena is served by a respondent on a particular employee or official or particular office of HHS, the Secretary may comply by designating any knowledgeable HHS representative to appear and testify.
(d) A party seeking a subpoena must file a written motion not less than 30 days before the date fixed for the hearing, unless otherwise allowed by the ALJ for good cause shown. That motion must—
(1) Specify any evidence to be produced;
(2) Designate the witnesses; and
(3) Describe the address and location with sufficient particularity to permit those witnesses to be found.
(e) The subpoena must specify the time and place at which the witness is to appear and any evidence the witness is to produce.
(f) Within 15 days after the written motion requesting issuance of a subpoena is served, any party may file an opposition or other response.
(g) If the motion requesting issuance of a subpoena is granted, the party seeking the subpoena must serve it by delivery to the person named, or by certified mail addressed to that person at the person’s last dwelling place or principal place of business.
(h) The person to whom the subpoena is directed may file with the ALJ a motion to quash the subpoena within 10 days after service.
(i) The exclusive remedy for contumacy by, or refusal to obey a subpoena duly served upon, any person is specified in 42 U.S.C. 405(e).

§ 3.522 Fees.
The party requesting a subpoena must pay the cost of the fees and mileage of any witness subpoenaed in the amounts that would be payable to a witness in a proceeding in United States District Court. A check for witness fees and mileage must accompany the subpoena when served, except that, when a subpoena is issued on behalf of the Secretary, a check for witness fees and mileage need not accompany the subpoena.

§ 3.524 Form, filing, and service of papers.
(a) Forms. (1) Unless the ALJ directs the parties to do otherwise, documents filed with the ALJ must include an original and two copies.
(2) Every pleading and paper filed in the proceeding must contain a caption setting forth the title of the action, the case number, and a designation of the paper, such as motion to quash subpoena.
(3) Every pleading and paper must be signed by and must contain the address and telephone number of the party or the person on whose behalf the paper was filed, or his or her representative.
(4) Papers are considered filed when they are mailed.
(b) Service. A party filing a document with the ALJ or the Board must, at the time of filing, serve a copy of the
document on the other party. Service upon any party of any document must be made by delivering a copy, or placing a copy of the document in the United States mail, postage prepaid and addressed, or with a private delivery service, to the party’s last known address. When a party is represented by an attorney, service must be made upon the attorney in lieu of the party.
(c) Proof of service. A certificate of the natural person serving the document by personal delivery or by mail, setting forth the manner of service, constitutes proof of service.

§ 3.526 Computation of time.
(a) In computing any period of time under this subpart or in an order issued thereunder, the time begins with the day following the act, event or default, and includes the last day of the period unless it is a Saturday, Sunday, or legal holiday observed by the Federal Government, in which event it includes the next business day.
(b) When the period of time allowed is less than 7 days, intermediate Saturdays, Sundays, and legal holidays observed by the Federal Government must be excluded from the computation.
(c) Where a document has been served or issued by placing it in the mail, an additional 5 days must be added to the time permitted for any response. This paragraph does not apply to requests for hearing under § 3.504.

§ 3.528 Motions.
(a) An application to the ALJ for an order or ruling must be by motion. Motions must state the relief sought, the authority relied upon and the facts alleged, and must be filed with the ALJ and served on all other parties.
(b) Except for motions made during a prehearing conference or at the hearing, all motions must be in writing. The ALJ may require that oral motions be reduced to writing.
(c) Within 10 days after a written motion is served, or such other time as may be fixed by the ALJ, any party may file a response to the motion.
(d) The ALJ may not grant a written motion before the time for filing responses has expired, except upon consent of the parties or following a hearing on the motion, but may overrule or deny the motion without awaiting a response.
(e) The ALJ must make a reasonable effort to dispose of all outstanding motions before the beginning of the hearing.

§ 3.530 Sanctions.
The ALJ may sanction a person, including any party or attorney, for failing to comply with an order or procedure, for failing to defend an action or for other misconduct that interferes with the speedy, orderly or fair conduct of the hearing. The sanctions must reasonably relate to the severity and nature of the failure or misconduct. The sanctions may include—
(a) In the case of refusal to provide or permit discovery under the terms of this part, drawing negative factual inferences or treating the refusal as an admission by deeming the matter, or certain facts, to be established;
(b) Prohibiting a party from introducing certain evidence or otherwise supporting a particular claim or defense;
(c) Striking pleadings, in whole or in part;
(d) Staying the proceedings;
(e) Dismissal of the action;
(f) Entering a decision by default;
(g) Ordering the party or attorney to pay the attorney’s fees and other costs caused by the failure or misconduct; and
(h) Refusing to consider any motion or other action that is not filed in a timely manner.

§ 3.532 Collateral estoppel.
When a final determination that the respondent violated a confidentiality provision has been rendered in any proceeding in which the respondent was a party and had an opportunity to be heard, the respondent is bound by that determination in any proceeding under this part.

§ 3.534 The hearing.
(a) The ALJ must conduct a hearing on the record in order to determine whether the respondent should be found liable under this part.
(b)(1) The respondent has the burden of going forward and the burden of persuasion with respect to any challenge to the amount of a proposed penalty pursuant to §§ 3.404 and 3.408, including any factors raised as mitigating factors.
(2) The Secretary has the burden of going forward and the burden of persuasion with respect to all other issues, including issues of liability and the existence of any factors considered as aggravating factors in determining the amount of the proposed penalty.
(3) The burden of persuasion will be judged by a preponderance of the evidence.
(c) The hearing must be open to the public unless otherwise ordered by the ALJ for good cause shown, which may be that identifiable patient safety work product has been introduced into evidence or is expected to be introduced into evidence.
(d)(1) Subject to the 15-day rule under § 3.518(a) and the admissibility of evidence under § 3.540, either party may introduce, during its case in chief, items or information that arose or became known after the date of the issuance of the notice of proposed determination or the request for hearing, as applicable. Such items and information may not be admitted into evidence, if introduced—
(i) By the Secretary, unless they are material and relevant to the acts or omissions with respect to which the penalty is proposed in the notice of proposed determination pursuant to § 3.420 of this part, including circumstances that may increase penalties; or
(ii) By the respondent, unless they are material and relevant to an admission, denial or explanation of a finding of fact in the notice of proposed determination under § 3.420 of this part, or to a specific circumstance or argument expressly stated in the request for hearing under § 3.504, including circumstances that may reduce penalties.
(2) After both parties have presented their cases, evidence may be admitted in rebuttal even if not previously exchanged in accordance with § 3.518.

§ 3.538 Witnesses.
(a) Except as provided in paragraph (b) of this section, testimony at the hearing must be given orally by witnesses under oath or affirmation.
(b) At the discretion of the ALJ, testimony of witnesses other than the testimony of expert witnesses may be admitted in the form of a written statement. The ALJ may, at his or her discretion, admit prior sworn testimony of experts that has been subject to adverse examination, such as a deposition or trial testimony. Any such written statement must be provided to the other party, along with the last known address of the witness, in a manner that allows sufficient time for the other party to subpoena the witness for cross-examination at the hearing. Prior written statements of witnesses proposed to testify at the hearing must be exchanged as provided in § 3.518.
(c) The ALJ must exercise reasonable control over the mode and order of interrogating witnesses and presenting evidence so as to:
(1) Make the interrogation and presentation effective for the ascertainment of the truth;
(2) Avoid repetition or needless consumption of time; and
(3) Protect witnesses from harassment or undue embarrassment.
(d) The ALJ must permit the parties to conduct cross-examination of witnesses as may be required for a full and true disclosure of the facts.
(e) The ALJ may order witnesses excluded so that they cannot hear the testimony of other witnesses, except that the ALJ may not order to be excluded—
(1) A party who is a natural person;
(2) In the case of a party that is not a natural person, the officer or employee of the party appearing for the entity pro se or designated as the party’s representative; or
(3) A natural person whose presence is shown by a party to be essential to the presentation of its case, including a person engaged in assisting the attorney for the Secretary.

§ 3.540 Evidence.
(a) The ALJ must determine the admissibility of evidence.
(b) Except as provided in this subpart, the ALJ is not bound by the Federal Rules of Evidence. However, the ALJ may apply the Federal Rules of Evidence where appropriate, for example, to exclude unreliable evidence.
(c) The ALJ must exclude irrelevant or immaterial evidence.
(d) Although relevant, evidence may be excluded if its probative value is substantially outweighed by the danger of unfair prejudice, confusion of the issues, or by considerations of undue delay or needless presentation of cumulative evidence.
(e) Although relevant, evidence must be excluded if it is privileged under Federal law.
(f) Evidence concerning offers of compromise or settlement is inadmissible to the extent provided in Rule 408 of the Federal Rules of Evidence.
(g) Evidence of crimes, wrongs, or acts other than those at issue in the instant case is admissible in order to show motive, opportunity, intent, knowledge, preparation, identity, lack of mistake, or existence of a scheme. This evidence is admissible regardless of whether the crimes, wrongs, or acts occurred during the statute of limitations period applicable to the acts or omissions that constitute the basis for liability in the case and regardless of whether they were referenced in the Secretary’s notice of proposed determination under § 3.420.
(h) The ALJ must permit the parties to introduce rebuttal witnesses and evidence.
(i) All documents and other evidence offered or taken for the record must be open to examination by both parties, unless otherwise ordered by the ALJ for good cause shown.

§ 3.542 The record.
(a) The hearing must be recorded and transcribed. Transcripts may be obtained following the hearing from the ALJ. A party that requests a transcript of hearing proceedings must pay the cost of preparing the transcript unless, for good cause shown by the party, the payment is waived by the ALJ or the Board, as appropriate.
(b) The transcript of the testimony, exhibits, and other evidence admitted at the hearing, and all papers and requests filed in the proceeding constitute the record for decision by the ALJ and the Secretary.
(c) The record may be inspected and copied (upon payment of a reasonable fee) by any person, unless otherwise ordered by the ALJ for good cause shown, which may include the presence in the record of identifiable patient safety work product.
(d) For good cause, which may include the presence in the record of identifiable patient safety work product, the ALJ may order appropriate redactions made to the record.

§ 3.544 Post hearing briefs.
The ALJ may require the parties to file post-hearing briefs. In any event, any party may file a post-hearing brief. The ALJ must fix the time for filing the briefs. The time for filing may not exceed 60 days from the date the parties receive the transcript of the hearing or, if applicable, the stipulated record. The briefs may be accompanied by proposed findings of fact and conclusions of law. The ALJ may permit the parties to file reply briefs.

§ 3.546 ALJ’s decision.
(a) The ALJ must issue a decision, based only on the record, which must contain findings of fact and conclusions of law.
(b) The ALJ may affirm, increase, or reduce the penalties imposed by the Secretary.
(c) The ALJ must issue the decision to both parties within 60 days after the time for submission of post-hearing briefs and reply briefs, if permitted, has expired. If the ALJ fails to meet the deadline contained in this paragraph, he or she must notify the parties of the reason for the delay and set a new deadline.
(d) Unless the decision of the ALJ is timely appealed as provided for in § 3.548, the decision of the ALJ will be final and binding on the parties 60 days from the date of service of the ALJ’s decision.

§ 3.548 Appeal of the ALJ’s decision.
(a) Any party may appeal the decision of the ALJ to the Board by filing a notice of appeal with the Board within 30 days of the date of service of the ALJ decision. The Board may extend the initial 30 day period for a period of time not to exceed 30 days if a party files with the Board a request for an extension within the initial 30 day period and shows good cause.
(b) If a party files a timely notice of appeal with the Board, the ALJ must forward the record of the proceeding to the Board.
(c) A notice of appeal must be accompanied by a written brief specifying exceptions to the initial decision and reasons supporting the exceptions. Any party may file a brief in opposition to the exceptions, which may raise any relevant issue not addressed in the exceptions, within 30 days of receiving the notice of appeal and the accompanying brief. The Board may permit the parties to file reply briefs.
(d) There is no right to appear personally before the Board or to appeal to the Board any interlocutory ruling by the ALJ.
(e) The Board may not consider any issue not raised in the parties’ briefs, nor any issue in the briefs that could have been raised before the ALJ but was not.
(f) If any party demonstrates to the satisfaction of the Board that additional evidence not presented at such hearing is relevant and material and that there were reasonable grounds for the failure to adduce such evidence at the hearing, the Board may remand the matter to the ALJ for consideration of such additional evidence.
(g) The Board may decline to review the case, or may affirm, increase, reduce, reverse or remand any penalty determined by the ALJ.
(h) The standard of review on a disputed issue of fact is whether the initial decision of the ALJ is supported by substantial evidence on the whole record. The standard of review on a disputed issue of law is whether the decision is erroneous.
(i) Within 60 days after the time for submission of briefs and reply briefs, if permitted, has expired, the Board must serve on each party to the appeal a copy of the Board’s decision and a statement describing the right of any respondent who is penalized to seek judicial review.
(j)(1) The Board’s decision under paragraph (i) of this section, including a decision to decline review of the initial decision, becomes the final decision of the Secretary 60 days after
the date of service of the Board’s decision, except with respect to a decision to remand to the ALJ or if reconsideration is requested under this paragraph.
(2) The Board will reconsider its decision only if it determines that the decision contains a clear error of fact or error of law. New evidence will not be a basis for reconsideration unless the party demonstrates that the evidence is newly discovered and was not previously available.
(3) A party may file a motion for reconsideration with the Board before the date the decision becomes final under paragraph (j)(1) of this section. A motion for reconsideration must be accompanied by a written brief specifying any alleged error of fact or law and, if the party is relying on additional evidence, explaining why the evidence was not previously available. Any party may file a brief in opposition within 15 days of receiving the motion for reconsideration and the accompanying brief unless this time limit is extended by the Board for good cause shown. Reply briefs are not permitted.
(4) The Board must rule on the motion for reconsideration not later than 30 days from the date the opposition brief is due. If the Board denies the motion, the decision issued under paragraph (i) of this section becomes the final decision of the Secretary on the date of service of the ruling. If the Board grants the motion, the Board will issue a reconsidered decision, after such procedures as the Board determines necessary to address the effect of any error. The Board’s decision on reconsideration becomes the final decision of the Secretary on the date of service of the decision, except with respect to a decision to remand to the ALJ.
(5) If service of a ruling or decision issued under this section is by mail, the date of service will be deemed to be 5 days from the date of mailing.
(k)(1) A respondent’s petition for judicial review must be filed within 60 days of the date on which the decision of the Board becomes the final decision of the Secretary under paragraph (j) of this section.
(2) In compliance with 28 U.S.C. 2112(a), a copy of any petition for judicial review filed in any U.S. Court of Appeals challenging the final decision of the Secretary must be sent by certified mail, return receipt requested, to the General Counsel of HHS. The petition copy must be a copy showing that it has been time-stamped by the clerk of the court when the original was filed with the court.
(3) If the General Counsel of HHS received two or more petitions within 10 days after the final decision of the Secretary, the General Counsel will notify the U.S. Judicial Panel on Multidistrict Litigation of any petitions that were received within the 10 day period.

§ 3.550 Stay of the Secretary’s decision.
(a) Pending judicial review, the respondent may file a request for stay of the effective date of any penalty with the ALJ. The request must be accompanied by a copy of the notice of appeal filed with the Federal court. The filing of the request automatically stays the effective date of the penalty until such time as the ALJ rules upon the request.
(b) The ALJ may not grant a respondent’s request for stay of any penalty unless the respondent posts a bond or provides other adequate security.
(c) The ALJ must rule upon a respondent’s request for stay within 10 days of receipt.

§ 3.552 Harmless error.
No error in either the admission or the exclusion of evidence, and no error or defect in any ruling or order or in any act done or omitted by the ALJ or by any of the parties is ground for vacating, modifying or otherwise disturbing an otherwise appropriate ruling or order or act, unless refusal to take such action appears to the ALJ or the Board inconsistent with substantial justice. The ALJ and the Board at every stage of the proceeding must disregard any error or defect in the proceeding that does not affect the substantial rights of the parties.

Dated: September 2, 2008.
Michael O. Leavitt,
Secretary.
[FR Doc. E8–27475 Filed 11–20–08; 8:45 am]
BILLING CODE 4150–28–P