Part II

[Federal Register: February 12, 2008 (Volume 73, Number 29)]

[Proposed Rules]

[Page 8111-8183]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr12fe08-8]

Department of Health and Human Services

42 CFR Part 3

Patient Safety and Quality Improvement; Proposed Rule

RIN 0919-AA01

AGENCY: Agency for Healthcare Research and Quality, Office for Civil Rights, HHS.

ACTION: Notice of proposed rulemaking.

SUMMARY: This document proposes regulations to implement certain aspects of the Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act). The proposed regulations establish a framework by which hospitals, doctors, and other health care providers may voluntarily report information to Patient Safety Organizations (PSOs), on a privileged and confidential basis, for analysis of patient safety events. The proposed regulations also outline the requirements that entities must meet to become PSOs and the processes for the Secretary to review and accept certifications and to list PSOs.

In addition, the proposed regulation establishes the confidentiality protections for the information that is assembled and developed by providers and PSOs, termed ``patient safety work product'' by the Patient Safety Act, and the procedures for the imposition of civil money penalties for the knowing or reckless impermissible disclosure of patient safety work product.

DATES: Comments on the proposed rule will be considered if we receive them at the appropriate address, as provided below, no later than April 14, 2008.

ADDRESSES: Interested persons are invited to submit written comments by any of the following methods:

Federal eRulemaking Portal: http://www.regulations.gov.

Comments should include agency name and ``RIN 0919-AA01''.

Mail: Center for Quality Improvement and Patient Safety, Attention: Patient Safety Act NPRM Comments, AHRQ, 540 Gaither Road, Rockville, MD 20850.

Hand Delivery/Courier: Center for Quality Improvement and Patient Safety, Attention: Patient Safety Act NPRM Comments, Agency for Healthcare Research and Quality, 540 Gaither Road, Rockville, MD 20850.

Instructions: Because of staff and resource limitations, we cannot accept comments by facsimile (FAX) transmission or electronic mail. For detailed instructions on submitting comments and additional information on the rulemaking process, see the ``Public Participation'' heading of the SUPPLEMENTARY INFORMATION section of this document. Comments will be available for public inspection at the AHRQ Information Resources Center at the above-cited address between 8:30 a.m. and 5 p.m. Eastern Time on federal business days (Monday through Friday).

FOR FURTHER INFORMATION CONTACT: Susan Grinder, Agency for Healthcare Research and Quality, 540 Gaither Road, Rockville, MD 20850, (301) 427-1111 or (866) 403-3697.

SUPPLEMENTARY INFORMATION:

Public Participation

We welcome comments from the public on all issues set forth in this proposed rule to assist us in fully considering issues and developing policies. You can assist us by referencing the RIN number (RIN: 0919-0AA01) and by preceding your discussion of any particular provision with a citation to the section of the proposed rule being discussed.

  1. Inspection of Public Comments

    All comments (electronic, mail, and hand delivery/courier) received in a timely manner will be available for public inspection as they are received, generally beginning approximately 6 weeks after publication of this document, at the mail address provided above, Monday through Friday of each week from 8:30 a.m. to 5 p.m. To schedule an appointment to view public comments, call Susan Grinder, (301) 427-1111 or (866) 403-3697.

    Comments submitted electronically will be available for viewing at the Federal eRulemaking Portal.

  2. Electronic Comments

    We will consider all electronic comments that include the full name, postal address, and affiliation (if applicable) of the sender and are submitted through the Federal eRulemaking Portal identified in the ADDRESSES section of this preamble. Copies of electronically submitted comments will be available for public inspection as soon as practicable at the address provided, and subject to the process described, in the preceding paragraph.

  3. Mailed Comments and Hand Delivered/Couriered Comments

    Mailed comments may be subject to delivery delays due to security procedures. Please allow sufficient time for mailed comments to be timely received in the event of delivery delays. Comments mailed to the address indicated for hand or courier delivery may be delayed and could be considered late.

  4. Copies

    To order copies of the Federal Register containing this document, send your request to: New Orders, Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date of the issue requested and enclose a check or money order payable to the Superintendent of Documents, or enclose your Visa or Master Card number and expiration date. Credit card orders can also be placed by calling the order desk at (202) 512-1800 (or toll-free at 1-866-512-1800) or by faxing to (202) 512-2250. The cost for each copy is $10. As an alternative, you may view and photocopy the Federal Register document at most libraries designated as Federal Depository Libraries and at many other public and academic libraries throughout the country that receive the Federal Register.

  5. Electronic Access

    This Federal Register document is available from the Federal Register online database through GPO Access, a service of the U.S. Government Printing Office. The Web site address is: http://www.gpoaccess.gov/nara/index.html. This document is available electronically at the following Web site of the Department of Health and Human Services (HHS): http://www.ahrq.gov/.

  6. Response to Comments

    Because of the large number of public comments we normally receive on Federal Register documents, we are not able to acknowledge or respond to them individually. We will consider all comments we receive in accordance with the methods described above and by the date specified in the DATES section of this preamble. When we proceed with a final rule, we will respond to comments in the preamble to that rule.

    1. Background

  1. Purpose and Basis

    This proposed rule establishes the authorities, processes, and rules necessary to implement the Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act), (Pub. L. 109-41), that amended the Public Health Service Act (42 U.S.C. 299 et seq.) by inserting new sections 921 through 926, 42 U.S.C. 299b-21 through 299b-26.

    Much of the impetus for this legislation can be traced to the publication of the landmark report, ``To Err Is Human'' \1\, by the Institute of Medicine in 1999 (Report). The Report cited studies that found that at least 44,000 people and potentially as many as 98,000 people die in U.S. hospitals each year as a result of preventable medical errors.\2\ Based on these studies and others, the Report estimated the total national costs of preventable adverse events, including lost income, lost household productivity, permanent and temporary disability, and health care costs, to be between $17 billion and $29 billion, of which health care costs represent one-half.\3\ One of the main conclusions was that the majority of medical errors do not result from individual recklessness or the actions of a particular group; rather, most errors are caused by faulty systems, processes, and conditions that lead people to make mistakes or fail to prevent adverse events.\4\ Thus, the Report recommended mistakes can best be prevented by designing the health care system at all levels to improve safety--making it harder to do something wrong and easier to do something right.\5\

    \1\ Institute of Medicine, ``To Err is Human: Building a Safer Health System'', 1999.

    \2\ Id. at 31.

    \3\ Id. at 42.

    \4\ Id. at 49-66.

    \5\ Id.

    As compared to other high-risk industries, the health care system is behind in its attention to ensuring basic safety.\6\ The reasons for this lag are complex and varied. Providers are often reluctant to participate in quality review activities for fear of liability, professional sanctions, or injury to their reputations. Traditional state-based legal protections for such health care quality improvement activities, collectively known as peer review protections, are limited in scope: They do not exist in all States; typically they only apply to peer review in hospitals and do not cover other health care settings, and seldom enable health care systems to pool data or share experience between facilities. If peer review protected information is transmitted outside an individual hospital, the peer review privilege for that information is generally considered to be waived. This limits the potential for aggregation of a sufficient number of patient safety events to permit the identification of patterns that could suggest the underlying causes of risks and hazards that then can be used to improve patient safety.

    \6\ Id. at 75.

    The Report outlined a comprehensive strategy to improve patient safety by which public officials, health care providers, industry, and consumers could reduce preventable medical errors. The Report recommended that, in order to reduce medical errors appreciably in the U.S., a balance be struck between regulatory and market-based initiatives and between the roles of professionals and organizations. It recognized a need to enhance knowledge and tools to improve patient safety and break down legal and cultural barriers that impede such improvement.

    Drawing upon the broad framework advanced by the Institute of Medicine, the Patient Safety Act specifically addresses a number of these long-recognized impediments to improving the quality, safety, and outcomes of health care services. For that reason, implementation of this proposed rule can be expected to accelerate the development of new, voluntary, provider-driven opportunities for improvement, increase the willingness of health care providers to participate in such efforts, and, most notably, set the stage for breakthroughs in our understanding of how best to improve patient safety.

    These outcomes will be advanced, in large measure, through implementation of this proposed rule of strong Federal confidentiality and privilege protections for information that is patient safety work product under the Patient Safety Act. For the first time, there will now be a uniform set of Federal protections that will be available in all states and U.S. territories and that extend to all health care practitioners and institutional providers. These protections will enable all health care providers, including multi-facility health care systems, to share data within a protected legal environment, both within and across states, without the threat of information being used against the subject providers.

    Pursuant to the Patient Safety Act, this proposed rule will also encourage the formation of new organizations with expertise in patient safety, known as patient safety organizations (PSOs), which can provide confidential, expert advice to health care providers in the analysis of patient safety events.\7\ The confidentiality and privilege protections of this statute attach to ``patient safety work product.'' This term as defined in the Patient Safety Act and this proposed rule means that patient safety information that is collected or developed by a provider and reported to a PSO, or that is developed by a PSO when conducting defined ``patient safety activities,'' or that reveals the deliberations of a provider or PSO within a patient safety evaluation system is protected. Thus, the proposed rule will enable health care providers to protect their internal deliberations and analysis of patient safety information because this type of information is patient safety work product.

    \7\ As we use the term, patient safety event means an incident that occurred during the delivery of a health care service and that harmed, or could have resulted in harm to, a patient. A patient safety event may include an error of omission or commission, mistake, or malfunction in a patient care process; it may also involve an input to such process (such as a drug or device) or the environment in which such process occurs. Our use of the term patient safety event in place of the more limited concept of medical error to describe the work that providers and PSOs may undertake reflects the evolution in the field of patient safety. It is increasingly recognized that important insights can be derived from the study of patient care processes and their organizational context and environment in order to prevent harm to patients. We note that patient safety in the context of this term also encompasses the safety of a person who is a subject in a research study conducted by a health care provider. In addition, the flexible concept of a patient safety event is applicable in any setting in which health care is delivered: A health care facility that is mobile (e.g., ambulance), fixed and free-standing (e.g., hospital), attached to another entity (e.g., school clinic), as well as the patient's home or workplace, whether or not a health care provider is physically present.

    The statute and the proposed rule seek to ensure that the confidentiality provisions (as defined in these proposed regulations) will be taken seriously by making breaches of the protections potentially subject to a civil money penalty of up to $10,000. The combination of strong Federal protections for patient safety work product and the potential penalties for violation of these protections should give providers the assurances they need to participate in patient safety improvement initiatives and should spur the growth of such initiatives.

    Patient safety experts have long recognized that the underlying causes of risks and hazards in patient care can best be recognized through the aggregation of significant numbers of individual events; in some cases, it may require the aggregation of thousands of individual patient safety events before underlying patterns are apparent. It is hoped that this proposed rule will foster routine reporting to PSOs of data on patient safety events in sufficient numbers for valid and reliable analyses. Analysis of such large volumes of patient safety events is expected to significantly advance our understanding of the patterns and commonalities in the underlying causes of risks and hazards in the delivery of patient care. These insights should enable providers to more effectively and efficiently target their efforts to improve patient safety.

    We recognize that risks and hazards can occur in a variety of environments, such as inpatient, outpatient, long-term care, rehabilitation, research, or other health care settings. In many of these settings, patient safety analysis is a nascent enterprise that will benefit significantly from the routine, voluntary reporting and analysis of patient safety events. Accordingly, we strive in the proposed rule to avoid imposing limitations that might preclude innovative approaches to the identification of, and elimination of, risks and hazards in specific settings for the delivery of care, specific health care specialties, or in research settings. We defer to those creating PSOs and the health care providers that enter ongoing relationships with them to determine the scope of patient safety events that will be addressed.

    Finally, we note that the statute is quite specific that these protections do not relieve a provider from its obligation to comply with other legal, regulatory, accreditation, licensure, or other accountability requirements that it would otherwise need to meet. The fact that information is collected, developed, or analyzed under the protections of the Patient Safety Act does not shield a provider from needing to undertake similar activities, if applicable, outside the ambit of the statute, so that the provider can meet its obligations with non-patient safety work product. The Patient Safety Act, while precluding other organizations and entities from requiring providers to provide them with patient safety work product, recognizes that the data underlying patient safety work product remains available in most instances for the providers to meet these other information requirements.

    In summary, this proposed rule implements the Patient Safety Act and facilitates its goals by allowing the health care industry voluntarily to avail itself of this framework in the best manner it determines feasible. At the same time, it seeks to ensure that those who do avail themselves of this framework will be afforded the legal protections that Congress intended and that anyone who breaches those protections will be penalized commensurately with the violation.

  2. Listening Sessions

    We held three listening sessions for the general public (March 8, 13, and 16, 2006) which helped us better understand the thinking and plans of interested parties, including providers considering the use of PSO services and entities that anticipate establishing PSOs. As stated in the Federal Register notice 71 FR 37 (February 24, 2006) that announced the listening sessions, we do not regard the presentations or comments made at these sessions as formal comments and, therefore, they are not discussed in this document.

  3. Comment Period

    The comment period is sixty (60) days following the publication of the proposed rule.

    2. Overview of Proposed Rule

      We are proposing a new Part 3 to Title 42 of the Code of Federal Regulations to implement the Patient Safety Act. As described above, the Patient Safety Act is an attempt to address the barriers to patient safety and health care quality improvement activities in the U.S. In implementing the Patient Safety Act, this proposed rule encourages the development of provider-driven, voluntary opportunities for improving patient safety; this initiative is neither funded, nor controlled by the Federal Government.

      Under the proposal, a variety of types of organizations--public, private, for-profit, and not-for-profit--can become PSOs, and offer their consultative expertise to providers regarding patient safety events and quality improvement initiatives. There will be a process for certification and listing of PSOs, which will be implemented by the Agency for Healthcare Research and Quality (AHRQ), and providers can work voluntarily with PSOs to obtain confidential, expert advice in analyzing the patient safety event and other information they collect or develop at their offices, facilities, or institutions. PSOs may also provide feedback and recommendations regarding effective strategies to improve patient safety as well as proven approaches for implementation of such strategies. In addition, to encourage providers to undertake patient safety activities, the regulation is very specific that patient safety work product is subject to confidentiality and privilege protections, and persons that breach the confidentiality provisions may be subject to a $10,000 civil money penalty, to be enforced by the Office for Civil Rights (OCR).

      The provisions of this proposed rule greatly expand the potential for participation in patient safety activities. The proposal, among other things, enables providers across the health care industry to report information to a PSO and obtain the benefit of these new confidentiality and privilege protections. This proposal minimizes the barriers to entry for listing as a PSO by creating a review process that is both simple and efficient. As a result, we expect a broad range of organizations to seek listing by the Secretary as PSOs. Listing will not entitle these entities to Federal funding or subsidies, but it will enable these PSOs to offer individual and institutional providers the benefits of review and analysis of patient safety work product that is protected by strong Federal confidentiality and privilege protections.

      Our proposed regulation will enable and assist data aggregation by PSOs to leverage the possibility of learning from numerous patient safety events across the health care system and to facilitate the identification and correction of systemic and other errors. For example, PSOs are required to seek contracts with multiple providers, and proposed Subpart C permits them, with certain limitations, to aggregate patient safety work product from their multiple clients and with other PSOs. In addition, the Secretary will implement other provisions of the Patient Safety Act that, independent of this proposed rule, require the Secretary to facilitate the development of a network of patient safety databases for the aggregation of nonidentifiable patient safety work product and the development of consistent definitions and common formats for collecting and reporting patient safety work product. These measures will facilitate a new level of data aggregation that patient safety experts deem essential to maximize the benefits of the Patient Safety Act.

      The Patient Safety Act gives considerable attention to the relationship between it and the Standards for the Privacy of Individually Identifiable Health Information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA Privacy Rule). We caution that the opportunity for a provider to report identifiable patient safety work product to a PSO does not relieve a provider that is a HIPAA covered entity of its obligations under the HIPAA Privacy Rule. In fact, the Patient Safety Act indicates that PSOs are deemed to be business associates of providers that are HIPAA covered entities. Thus, providers who are HIPAA covered entities will need to enter into business associate agreements with PSOs in accordance with their HIPAA Privacy Rule obligations. If such a provider also chooses to enter a PSO contract, we believe that such contracts could be entered into simultaneously as an agreement for the conduct of patient safety activities. However, the Patient Safety Act does not require a provider to enter a contract with a PSO to receive the protections of the Patient Safety Act.

      Proposed Subpart A, General Provisions, sets forth the purpose of the provisions and the definitions applicable to the subparts that follow. Proposed Subpart B, PSO Requirements and Agency Procedures, sets forth the requirements for PSOs and describes how the Secretary will review, accept, revoke, and deny certifications for listing and continued listing of entities as PSOs and other required submissions. Proposed Subpart C, Confidentiality and Privilege Protections of Patient Safety Work Product, describes the provisions that relate to the confidentiality protections and permissible disclosure exceptions for patient safety work product. Proposed Subpart D, Enforcement Program, includes provisions that relate to activities for determining compliance, such as investigations of and cooperation by providers, PSOs, and others; the imposition of civil money penalties; and hearing procedures.

    3. Section by Section Description of the Proposed Rule

  1. Subpart A--General Provision

    1. Proposed Sec. 3.10--Purpose

    The purpose of this proposed Part is to implement the Patient Safety and Quality Improvement Act of 2005 (Pub. L. 109-41), which amended the Public Health Service Act (42 U.S.C. 299 et seq.) by inserting new sections 921 through 926, 42 U.S.C. 299b-21 through 299b-26.

    2. Proposed Sec. 3.20--Definitions

    Section 921 of the Public Health Service Act, 42 U.S.C. 299b-21, defines several terms, and our proposed rules would, for the most part, restate the law. In some instances, we propose to clarify definitions to fit within the proposed framework. We also propose some new definitions for convenience and to clarify the application and operation of this proposed rule. Moreover, we reference terms defined under the HIPAA Privacy Rule for ease of interpretation and consistency, given the overlap between the Patient Safety Act protections of patient-identifiable patient safety work product (discussed below) and the HIPAA Privacy Rule.

    Proposed Sec. 3.20 would establish the basic definitions applicable to this proposed rule, as follows:

    AHRQ stands for the Agency for Healthcare Research and Quality in the U.S. Department of Health and Human Services (HHS). This definition is added for convenience.

    ALJ stands for an Administrative Law Judge at HHS. This definition is added for convenience in describing the process for appealing civil money penalty determinations.

    Board would mean the members of the HHS Departmental Appeals Board. This definition is added for convenience in providing for appeals of civil money penalty determinations.

    Bona fide contract would mean (a) a written contract between a provider and a PSO that is executed in good faith by officials authorized to execute such contract; or (b) a written agreement (such as a memorandum of understanding or equivalent recording of mutual commitments) between a Federal, State, local, or Tribal provider and a Federal, State, local, or Tribal PSO that is executed in good faith by officials authorized to execute such agreement.

    In addition to the primary interpretation of an enforceable contract under applicable law as proposed under paragraph (a) of this definition, we propose to make the scope of the term broad enough to encompass agreements between health care providers and PSOs that are components of Federal, State, local or Tribal governments or government agencies. Such entities could clearly perform the same data collection and analytic functions as performed by other providers and PSOs that the Patient Safety Act seeks to foster. Thus, paragraph (b) of the definition recognizes that certain government entities may not enter a formal contract with each other, but may only make a commitment with other agencies through the mechanism of some other type of agreement.

    We note that proposed Sec. 3.102(a)(2) incorporates the statutory restriction that a health insurance issuer and a component of a health insurance issuer may not become a PSO. That section also proposes to prohibit the listing of public and private entities that conduct regulatory oversight of health care providers, including accreditation and licensure.

    Complainant would mean a person who files a complaint with the Secretary pursuant to proposed Sec. 3.306.

    Component Organization would mean an entity that is either: (a) A unit or division of a corporate organization or of a multi-organizational enterprise; or (b) a separate organization, whether incorporated or not, that is owned, managed or controlled by one or more other organizations (i.e., its parent organization(s)). We discuss our preliminary interpretation of the terms ``owned,'' ``managed,'' or ``controlled'' in the definition of parent organization. Multi-organizational enterprise, as used here, means a common business or professional undertaking in which multiple entities participate as well as governmental agencies or Tribal entities in which there are multiple components.\8\

    \8\ The concept of multi-organizational enterprise as used in this regulation, in case law, and in legal reference works such as Blumberg on Corporate Groups, Sec. 6.04 (2d ed. 2007 Supplement) refers to multi-organizational undertakings with separate corporations or organizations that are integrated in a common business activity. The component entities are often, but not necessarily, characterized by interdependence and some form of common control, typically by agreement. Blumberg notes that health care providers increasingly are integrated in various forms of multi-organizational enterprises.

    We anticipate that PSOs may be established by a wide array of health-related organizations and quality improvement enterprises, including hospitals, nursing homes and health care provider systems, health care professional societies, academic and commercial research organizations, Federal, State, local, and Tribal governmental units that are not subject to the proposed restriction on listing in proposed Sec. 3.102(a)(2), as well as joint undertakings by combinations of such organizations. One effect of defining component organization as we propose is that, pursuant to section 924 of the Patient Safety Act, 42 U.S.C. 299b-24, all applicant PSOs that fall within the scope of the definition of component organization must certify to the separation of confidential patient safety work product and staff from the rest of any organization or multi-organizational enterprise of which they (in the conduct of their work) are a part. Component organizations must also certify that their stated mission can be accomplished without conflicting with the rest of their parent organization(s).

    A subsidiary corporation may, in certain circumstances, be viewed as part of a multi-organizational enterprise with its parent corporation and would be so regarded under the proposed regulation. Thus, an entity, such as a PSO that is set up as a subsidiary by a hospital chain, would be considered a component of the corporate chain and a component PSO for purposes of this proposed rule. Considering a subsidiary of a corporation to be a ``component'' of its parent organization may seem contrary to the generally understood separateness of a subsidiary in its corporate relationship with its parent.\9\

    That is, where two corporate entities are legally separate, one entity would ordinarily not be considered a component of the other entity, even when that other entity has a controlling interest or exercises some management control. However, we have preliminarily determined that viewing a subsidiary entity that seeks to be a PSO as a component of its parent organization(s) would be consistent with the objectives of the section on certifications required of component organizations in the Patient Safety Act and appears to be consistent with trends in the law discussed below. We invite comment on our interpretation.

    \9\ Corporations are certain types of organizations that are given legal independence and rights, (e.g. the right to litigate). Subsidiary corporations are corporations in which a majority of the shares are owned by another corporation, known as a parent corporation. Thus, subsidiaries are independent corporate entities in a formal legal sense, yet, at the same time, they are controlled, to some degree, by their parent by virtue of stock ownership and control. Both corporations and subsidiaries are legal constructs designed to foster investment and commerce by limiting entrepreneurial risks and corporate liabilities. In recognition of the legitimate utility of these objectives, courts have generally respected the separateness of parent corporations and subsidiaries, (e.g., courts do not ordinarily allow the liabilities of a subsidiary to be attributed to its parent corporation, despite the fact that by definition, parent corporations have a measure of control over a subsidiary). However, courts have looked behind the separate legal identities that separate parent and subsidiary to impose liability when individuals in litigation can establish that actual responsibility rests with a parent corporation by virtue of the degree and manner in which it has exercised control over its subsidiary. Under these circumstances, courts permit ``the corporate veil to be pierced.''

    Corporations law or ``entity law,'' which emphasizes the separateness and distinct rights and obligations of a corporation, has been supplemented by the development of ``relational law'' when necessary (e.g., to address evolving organizational arrangements such as multi-organizational enterprises). To determine rights and obligations in these circumstances, courts weigh the relationships of separate corporations that are closely related by virtue of participating in the same enterprise, (i.e., a common chain of economic activity fostering and characterized by interdependence).\10\ There has been a growing trend in various court decisions to attribute legal responsibilities based on actual behavior in organizational relationships, rather than on corporate formalities.

    \10\ See Phillip I. Blumberg et al., Blumberg on Corporate Groups Sec. Sec. 6.01 and 6.02.

    We stress that neither the statute nor the proposed regulation imposes any legal responsibilities, obligations, or liability on the organization(s) of which a component PSO is a part. The focus of the Patient Safety Act and the regulation is principally on the entity that voluntarily seeks listing by the Secretary as a PSO.

    We note that two of the three certifications that the Patient Safety Act and the proposed regulation require component entities to make--relating to the security and confidentiality of patient safety work product--are essentially duplicative of attestations that are required of all entities seeking listing or continued listing as a PSO (certifications made under section 924(a)(1)(A) and (a)(2)(A) of the Public Health Service Act, 42 U.S.C. 299b-24(a)(1)(A) and (a)(2)(A) with respect to patient safety activities described in section 921(5)(E) and (F) of the Public Health Service Act, 42 U.S.C. 299b-21(5)(E) and (F)). That is, under the Patient Safety Act, all PSOs have to attest that they have in place policies and procedures to, and actually do, perform patient safety activities, which include the maintenance of procedures to preserve patient safety work product confidentiality and the provision of appropriate security measures for patient safety work product. The overlapping nature of these confidentiality and security requirements on components suggests heightened congressional concern and emphasis regarding the need to maintain a strong ``firewall'' between a component PSO and its parent organization, which might have the opportunity and potential to access sensitive patient safety work product the component PSO assembles, develops, and maintains. A similar concern arises in the context of a PSO that is a unit of a corporate parent, a subsidiary or an entity affiliated with other organizations in a multi-organizational enterprise.

    Requiring entities seeking listing to disclose whether they have a parent organization or are part of a multi-organizational enterprise does not involve ``piercing the corporate veil'' as discussed in the footnote above. The Department would not be seeking this information to hold a parent liable for actions of the PSO, but to ensure full disclosure to the Department about the organizational relationships of an entity seeking to be listed as a PSO. Accordingly, we propose that an entity seeking listing as a PSO must do so as a component organization if it has one or more parent organizations (as described here and in the proposed definition of that term) or is part of a multi-organizational enterprise, and it must provide the names of its parent entities. If it has a parent or several parent organizations, as defined by the proposed regulation, the entity seeking to be listed must provide the additional certifications mandated by the statute and by the proposed regulation at Sec. 3.102(c) to maintain the separateness of its patient safety work product from its parent(s) and from other components or affiliates\11\ of its parent(s). Such certifications are consistent with the above-cited body of case law that permits and makes inquiries about organizational relationships and practices for purposes of carrying out statutes and statutory objectives.

    \11\ Corporate affiliates are commonly controlled corporations; sharing a corporate parent, they are sometimes referred to as sister corporations. Separate corporations that are part of a multi-organizational enterprise are also referred to by the common terms ``affiliates'' or ``affiliated organizations''.

    It may be helpful to illustrate how a potential applicant for listing should apply these principles in determining whether to seek listing as a component PSO. The fundamental principle is that if there is a parent organization relationship present and the entity is not prohibited from seeking listing by proposed Sec. 3.102(a)(2), the entity must seek listing as a component PSO. In determining whether an entity must seek listing as a component organization, we note that it does not matter whether the entity is a component of a provider or a non-provider organization and, if it is a component of a provider organization, whether it will undertake patient safety activities for the parent organization's providers or providers that have no relationship with its parent organization(s). The focus here is primarily on establishing the separateness of the entity's operation from any type of parent organization. Examples of entities that would need to seek listing as a component organization include: A division of a provider or non-provider organization; a subsidiary entity created by a provider or non-provider organization; or a joint venture created by several organizations (which could include provider organizations, non-provider organizations, or a mix of such organizations) where any or all of the organizations have a measure of control over the joint venture.

    Other examples of entities that would need to seek listing as a component PSO include: a division of a nursing home chain; a subsidiary entity created by a large academic health center or health system; or a joint venture created by several organizations to seek listing as a PSO where any or all of the organizations have a measure of control over the joint venture.

    Component PSO would mean a PSO listed by the Secretary that is a component organization.

    Confidentiality provisions would mean any requirement or prohibition concerning confidentiality established by Sections 921 and 922(b)-(d), (g) and (i) of the Public Health Service Act, 42

    [[Page 8117]]

    U.S.C. 299b-21 and 299b-22(b)-(d), (g) and (i), and the proposed provisions, at Sec. Sec. 3.206 and 3.208, by which we propose to implement the prohibition on disclosure of identifiable patient safety work product. We proposed to define this new term to provide an easy way to reference the provisions in the Patient Safety Act and in the proposed rule that implements the confidentiality protections of the Patient Safety Act for use in the enforcement and penalty provisions of this proposed rule. We found this a useful approach in the HIPAA Enforcement Rule, where we defined ``administrative simplification provision'' for that purpose. In determining how to define ``confidentiality provisions'' that could be violated, we considered the statutory enforcement provision at section 922(f) of the Public Health Service Act, 42 U.S.C. 299b-22(f), which incorporates by reference section 922(b) and (c).\12\ Thus, the enforcement authority clearly implicates sections 922(b) and (c) of the Patient Safety Act, 42 U.S.C. 299b-22(b) and (c), which are implemented in proposed Sec. 3.206. Section 922(d) of the Patient Safety Act, 42 U.S.C. 299b-22(d), is entitled the ``Continued Protection of Information After Disclosure'' and sets forth continued confidentiality protections for patient safety work product after it has been disclosed under section 922(c) of the Public Health Service Act, 42 U.S.C. 299b-22(c), with certain exceptions. Thus, section 922(d) of the Public Health Service Act, 42 U.S.C. 299b-22(d), is a continuation of the confidentiality protections provided for in section 922(b) of the Public Health Service Act, 42 U.S.C. 299b-22(b). Therefore, we also consider the continued confidentiality provision at proposed Sec. 3.208 herein to be one of the confidentiality provisions. In addition, our understanding of these provisions is based on the rule of construction in section 922(g) of the Public Health Service Act, 42 U.S.C. 299b-22(g), and the clarification with respect to HIPAA in section 922(i) of the Public Health Service Act, 42 U.S.C. 299b-22(i); accordingly, these provisions are included in the definition.

    \12\ Section 922(f) of the Public Health Service Act, 42 U.S.C. 299b-22(f), states that ``subject to paragraphs (2) and (3), a person who discloses identifiable patient safety work product in knowing or reckless violation of subsection (b) shall be subject to a civil money penalty of not more than $10,000 for each act constituting such violation'' (emphasis added). Subsection (b) of section 922 of the Public Health Service Act, 42 U.S.C. 299b-22(b), is entitled, ``Confidentiality of Patient Safety Work Product'' and states, ``Notwithstanding any other provision of Federal, State, or local law, and subject to subsection (c), patient safety work product shall be confidential and shall not be disclosed'' (emphasis added). Section 922(c) of the Public Health Service Act, 42 U.S.C. 299b-22(c), in turn, contains the exceptions to confidentiality and privilege protections.

    In contrast to the confidentiality provisions, the privilege provisions in the Patient Safety Act will be enforced by the tribunals or agencies that are subject to them; the Patient Safety Act does not authorize the imposition of civil money penalties for breach of such provisions. We note, however, that to the extent a breach of privilege is also a breach of confidentiality, the Secretary would enforce the confidentiality breach under 42 U.S.C. 299b-22(f).

    Disclosure would mean the release, transfer, provision of access to, or divulging in any other manner of patient safety work product by a person holding patient safety work product to another person. An impermissible disclosure (i.e., a disclosure of patient safety work product in violation of the confidentiality provisions) is the action upon which potential liability for a civil money penalty rests. Generally, if the person holding patient safety work product is an entity, disclosure occurs when the information is shared with another entity or a natural person outside the entity. We do not propose to hold entities liable for uses of the information within the entity, (i.e., when this information is exchanged or shared among the workforce members of the entity) except as noted below concerning component PSOs. If a natural person holds patient safety work product, except in the capacity as a workforce member, a disclosure occurs whenever exchange occurs to any other person or entity. In light of this definition, we note that a disclosure to a contractor that is under the direct control of an entity (i.e., a workforce member) would be a use of the information within the entity and, therefore, not a disclosure for which a permission is needed. However, a disclosure to an independent contractor would not be a disclosure to a workforce member, and thus, would be a disclosure for purposes of this proposed rule and the proposed enforcement provisions under Subpart D.

    For component PSOs, we propose to recognize as a disclosure the sharing or transfer of patient safety work product outside of the legal entity, as described above, and between the component PSO and the rest of the organization (i.e., parent organization) of which the component PSO is a part. The Patient Safety Act demonstrates a strong desire for the separation of patient safety work product between a component PSO and the rest of the organization. See section 924(b)(2) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(2). Because we propose to recognize component organizations as component PSOs which exist within, but distinct from, a single legal entity, and such a component organization as a component PSO would be required to certify to limit access to patient safety work product under proposed Sec. 3.102(c), the release, transfer, provision of access to, or divulging in any other manner of patient safety work product from a component PSO to the rest of the organization will be recognized as a disclosure for purposes of this proposed rule and the proposed enforcement provisions under Subpart D.

    We considered whether or not we should hold entities liable for disclosures that occur within that entity (uses) by defining disclosure more discretely, (i.e., as between persons within an entity). If we were to define disclosure in this manner, it may promote better safeguarding against inappropriate uses of patient safety work product by providers and PSOs. It may also allow better control of uses by third parties to whom patient safety work product is disclosed, and it would create additional enforcement situations which could lead to additional potential civil money penalties. We note that HIPAA authorized the Department to regulate both the uses and disclosures of individually identifiable health information and, thus, the HIPAA Privacy Rule regulates both the uses and disclosures of such information by HIPAA covered entities. See section 264(b) and (c)(1) of HIPAA, Public Law 104-191. The Patient Safety Act, on the other hand, addresses disclosures and authorizes the Secretary to penalize disclosures of patient safety work product.

    Nonetheless, we do not propose to regulate the use, transfer or sharing by internal disclosure, of patient safety work product within a legal entity. We also decline to propose to regulate uses because we would consider regulating uses within providers and PSOs to be intrusive into their internal affairs. This would be especially the case given that this is a voluntary program. Moreover, we do not believe that regulating uses would further the statutory goal of facilitating the sharing of patient safety work product with PSOs. In other words, regulating uses would not advance the ability of any entity to share patient safety work product for patient safety activities. Finally, we presume that there are sufficient incentives in place for providers and PSOs to prudently manage the uses of sensitive patient safety work product.

    [[Page 8118]]

    We are not regulating uses, whether in a provider, PSO, or any other entity that obtains patient safety work product. Because we are not proposing to regulate uses, there will be no federal sanction based on use of this information. If a provider or other entity wants to limit the uses or further disclosures (beyond the regulatory permissions) by a PSO or any future recipient, a disclosing entity is free to do so by contract. See section 922(g)(4) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(4), and proposed Sec. 3.206(e). We seek comment about whether this strikes the right balance.

    The proposed definition mirrors the definition of disclosure used in the HIPAA Privacy Rule concerning disclosures of protected health information. Although we do not propose to regulate the use of patient safety work product, HIPAA covered entities that possess patient safety work product which contains protected health information must comply with the use and disclosure requirements of the HIPAA Privacy Rule with respect to the protected health information. Patient safety work product containing protected health information could only be used in accordance with the HIPAA Privacy Rule use permissions, including the minimum necessary requirement.

    Entity would mean any organization, regardless of whether the organization is public, private, for-profit, or not-for-profit. The statute permits any entity to seek listing as a PSO by the Secretary except a health insurance issuer and any component of a health insurance issuer and Sec. 3.102(a)(2) proposes, in addition, to prohibit public or private sector entities that conduct regulatory oversight of providers.

    Group health plan would mean an employee welfare benefit plan (as defined in section 3(1) of the Employee Retirement Income Security Act of 1974 (ERISA)) to the extent that the plan provides medical care (as defined in paragraph (2) of section 2791(a) of the Public Health Service Act, 42 U.S.C. 300gg-91(a)(1), and including items and services paid for as medical care) to employees or their dependents (as defined under the terms of the plan) directly or through insurance, reimbursement, or otherwise. Section 2791(b)(2) of the Public Health Service Act, 42 U.S.C. 300gg-91(b)(2) excludes group health plans from the defined class of ``health insurance issuer.'' Therefore, a group health plan may establish a PSO unless the plan could be considered a component of a health insurance issuer, in which case such a plan would be precluded from being a PSO by the Patient Safety Act.

    Health insurance issuer would mean an insurance company, insurance service, or insurance organization (including a health maintenance organization, as defined in 42 U.S.C. 300gg-91(b)(3)) which is licensed to engage in the business of insurance in a State and which is subject to State law which regulates insurance (within the meaning of 29 U.S.C. 1144(b)(2)). The term, as defined in the Public Health Service Act, does not include a group health plan.

    Health maintenance organization would mean (1) a Federally qualified health maintenance organization (as defined in 42 U.S.C. 300e(a)); (2) an organization recognized under State law as a health maintenance organization; or (3) a similar organization regulated under State law for solvency in the same manner and to the same extent as such a health maintenance organization. Because the ERISA definition relied upon by the Patient Safety Act includes health maintenance organizations in the definition of health insurance issuer, an HMO may not be, control, or manage the operation of a PSO.

    HHS stands for the United States Department of Health and Human Services. This definition is added for convenience.

    HIPAA Privacy Rule would mean the regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), at 45 CFR Part 160 and Subparts A and E of Part 164.

    Identifiable Patient Safety Work Product would mean patient safety work product that:

    (1) Is presented in a form and manner that allows the identification of any provider that is a subject of the work product, or any providers that participate in activities that are a subject of the work product;

    (2) Constitutes individually identifiable health information as that term is defined in the HIPAA Privacy Rule at 45 CFR 160.103; or

    (3) Is presented in a form and manner that allows the identification of an individual who in good faith reported information directly to a PSO, or to a provider with the intention of having the information reported to a PSO (``reporter'').

    Identifiable patient safety work product is not patient safety work product that meets the nonidentification standards proposed for ``nonidentifiable patient safety work product''.

    Nonidentifiable Patient Safety Work Product would mean patient safety work product that is not identifiable in accordance with the nonidentification standards proposed at Sec. 3.212. Because the privilege and confidentiality protections of the Patient Safety Act and this Part do not apply to nonidentifiable patient safety work product once disclosed, the restrictions and data protection rules in this proposed rule phrased as pertaining to patient safety work product generally only apply to identifiable patient safety work product.

    OCR stands for the Office for Civil Rights in HHS. This definition is added for convenience.

    Parent organization would mean a public or private sector organization that, alone or with others, either owns a provider entity or a component PSO, or has the authority to control or manage agenda setting, project management, or day-to-day operations of the component, or the authority to review and override decisions of a component PSO. We have not proposed to define the term ``owns.'' We propose to use the term ``own a provider entity'' to mean a governmental agency or Tribal entity that controls or manages a provider entity as well as an organization having a controlling interest in a provider entity or a component PSO, for example, owning a majority or more of the stock of the owned entity, and expressly ask for comment on whether our further definition of controlling interest as follows below is appropriate.

    Under the proposed regulation, if an entity that seeks to be a PSO has a parent organization, that entity will be required to seek listing as a component PSO and must provide certifications set forth in proposed Sec. 3.102(c), which indicate that the entity maintains patient safety work product separately from the rest of the organization(s) and establishes security measures to maintain the confidentiality of patient safety work product, the entity does not make an unauthorized disclosure of patient safety work product to the rest of the organization(s), and the entity does not create a conflict of interest with the rest of the organization(s).

    Traditionally, a parent corporation is defined as a corporation that holds a controlling interest in one or more subsidiaries. By contrast, parent organization, as used in this proposed rule, is a more inclusive term and is not limited to definitions used in corporations law. Accordingly, the proposed definition emphasizes a parent organization's control (or influence) over a PSO that may or may not be based on stock ownership.\13\ Our

    [[Page 8119]]

    approach to interpreting the statutory reference in section 924(b)(2) of the Patient Safety Act, 42 U.S.C. 299b-24(b)(2) to ``another organization'' in which an entity is a ``component'' (i.e., a ``parent organization'') is analogous to the growing attention in both statutory and case law, to the nature and conduct of business organizational relationships, including multi-organizational enterprises. As discussed above in the definition of ``component,'' the emphasis on actual organizational control, rather than the organization's structure, has numerous legal precedents in legislation implementing statutory programs and objectives and courts upholding such programs and objectives.\14\ Therefore, the definition of a ``parent organization,'' as used in the proposed regulation would encompass an affiliated organization that participates in a common enterprise with an entity seeking listing, and that owns, manages or exercises control over the entity seeking to be listed as a PSO. As indicated above, affiliated corporations have been legally defined to mean those who share a corporate parent or are part of a common corporate enterprise.\15\

    \13\ Cf. 17 CFR 240.12b-2 (defining ``control'' broadly as ``* * * the power to direct or cause the direction of the management and policies of an * * * [entity] whether through the ownership of voting securities, by contract, or otherwise.'')

    \14\ Blumberg on Corporate Groups Sec. 13 notes that, where applications for licenses are in a regulated industry, information is required by states about the applicant as well as corporate parents, subsidiaries and affiliates. In the proposed regulation, pursuant to the Patient Safety Act, information about parent organizations with potentially conflicting missions would be obtained to ascertain that component entities seeking to be PSOs have measures in place to protect the confidentiality of patient safety work product and the independent conduct of impartial scientific analyses by PSOs.

    \15\ See for example the definition of affiliates in regulations jointly promulgated by the Comptroller of the Currency, the Federal Reserve Board, the FDIC, and the Office of Thrift Supervision to implement privacy provisions of Gramm-Leach-Bliley legislation using provisions of the Fair Credit Reporting Act (dealing with information sharing among affiliates): ``any company that is related or affiliated by common ownership, or affiliated by corporate control or common corporate control with another company.'' Blumberg, supra note 2, at Sec. 122.09[A] (citing 12 CFR pt.41.3, 12 CFR pt.222.3(1), 12 CFR pt.334.3(b) and 12 CFR pt.571.3(1) (2004)).

    Parent organization is defined to include affiliates primarily in recognition of the prospect that otherwise unrelated organizations might affiliate to jointly establish a PSO. We can foresee such an enterprise because improving patient safety through expert analysis of aggregated patient safety data could logically be a common and efficient objective shared by multiple potential cofounders of a PSO. It is fitting, in our view, that a component entity certify, as we propose in Sec. 3.102(c), that there is ``no conflict'' between its mission as a PSO and all of the rest of the parent or affiliated organizations that undertake a jointly sponsored PSO enterprise.\16\ Similarly, it is also appropriate that the additional certifications required of component entities in proposed Sec. 3.102(c) regarding separation of patient safety work product and the use of separate staff be required of an entity that has several co-founder parent organizations that exercise ownership, management or control, (i.e., to assure that the intended ``firewalls'' exist between the component entity and the rest of any affiliated organization that might exercise ownership, management or control over a PSO).

    \16\ We note that the certifications from a jointly established PSO could be supported or substantiated with references to protective procedural or policy walls that have been established to preclude a conflict of these organizations' other missions with the scientific analytic mission of the PSO.

    To recap this part of the discussion, we would consider an entity seeking listing as a PSO to have a parent organization, and such entity would seek listing as a component organization, under the following circumstances: (a) The entity is a unit in a corporate organization or a controlling interest in the entity is owned by another corporation; or (b) the entity is a distinct organizational part of a multi-organizational enterprise and one or more affiliates in the enterprise own, manage, or control the entity seeking listing as a PSO. An example of an entity described in (b) would be an entity created by a joint venture in which the entity would be managed or controlled by several co-founding parent organizations.

    The definition of provider in the proposed rule (which will be discussed below) includes the parent organization of any provider entity. Correspondingly, our definition of parent organization includes any organization that ``owns a provider entity.'' This is designed to provide an option for the holding company of a corporate health care system to enter a multi-facility or system-wide contract with a PSO.

    Patient Safety Act would mean the Patient Safety and Quality Improvement Act of 2005 (Pub. L. 109-41), which amended Title IX of the Public Health Service Act (42 U.S.C. 299 et seq.) by inserting a new Part C, sections 921 through 926, which are codified at 42 U.S.C. 299b-21 through 299b-26.

    Patient safety activities would mean the following activities carried out by or on behalf of a PSO or a provider:

    (1) Efforts to improve patient safety and the quality of health care delivery;

    (2) The collection and analysis of patient safety work product;

    (3) The development and dissemination of information with respect to improving patient safety, such as recommendations, protocols, or information regarding best practices;

    (4) The utilization of patient safety work product for the purposes of encouraging a culture of safety and of providing feedback and assistance to effectively minimize patient risk;

    (5) The maintenance of procedures to preserve confidentiality with respect to patient safety work product;

    (6) The provision of appropriate security measures with respect to patient safety work product;

    (7) The utilization of qualified staff; and

    (8) Activities related to the operation of a patient safety evaluation system and to the provision of feedback to participants in a patient safety evaluation system.

    This definition is taken from the Patient Safety Act. See section 921(5) of the Public Health Service Act, 42 U.S.C. 299b-21(5). Patient safety activities is used as a key reference term for other provisions in the proposed rule and those provisions provide descriptions related to patient safety activities. See proposed requirements for PSOs at Sec. Sec. 3.102 and 3.106 and the proposed confidentiality disclosure permission at Sec. 3.206(b)(4).

    Patient safety evaluation system would mean the collection, management, or analysis of information for reporting to or by a PSO. The patient safety evaluation system is a core concept of the Patient Safety Act through which information, including data, reports, memoranda, analyses, and/or written or oral statements, is collected, maintained, analyzed, and communicated. When a provider engages in patient safety activities for the purpose of reporting to a PSO or a PSO engages in these activities with respect to information for patient safety purposes, a patient safety evaluation system exists regardless of whether the provider or PSO has formally identified a ``patient safety evaluation system''. For example, when a provider collects information for the purpose of reporting to a PSO and reports the information to a PSO to generate patient safety work product, the provider is collecting and reporting through its patient safety evaluation system (see definition of patient safety work product). Although we do not propose to require providers or PSOs formally to identify or define their patient safety evaluation system--because such systems exist by virtue of the providers or PSOs undertaking certain patient safety activities--a patient safety evaluation system can be

    [[Page 8120]]

    formally designated by a provider or PSO to establish a secure space in which these activities may take place.

    The formal identification or designation of a patient safety evaluation system could give structure to the various functions served by a patient safety evaluation system. These possible functions are:

    1. For reporting information by a provider to a PSO in order to generate patient safety work product and to protect the fact of reporting such information to a PSO (see section 921(6) and (7)(A)(i)(I) of the Public Health Service Act, 42 U.S.C. 299b-21(6) and (7)(A)(i)(I));

    2. For communicating feedback concerning patient safety events between PSOs and providers (see section 921(5)(H) of the Public Health Service Act, 42 U.S.C. 299b-21(5)(H));

    3. For creating and identifying the space within which deliberations and analyses of information and patient safety work product are conducted (see section 921(7)(A)(ii) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(A)(ii));

    4. For separating patient safety work product and information collected, maintained, or developed for reporting to a PSO distinct and apart from information collected, maintained, or developed for other purposes (see section 921(7)(B)(ii) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(B)(ii)); and,

    5. For identifying patient safety work product to maintain its privileged status and confidentiality, and to avoid impermissible disclosures (see section 922(b) of the Public Health Service Act, 42 U.S.C. 299b-22(b)).

    A provider or PSO need not engage in all of the above-mentioned functions in order to establish or maintain a patient safety evaluation system. A patient safety evaluation system is flexible and scalable to the individual needs of a provider or PSO and may be modified as necessary to support the activities and level of engagement in the activities by a particular provider or PSO.

    Documentation. Because a patient safety evaluation system is critical in identifying and protecting patient safety work product, we encourage providers and PSOs to document what constitutes their patient safety evaluation system. We recommend that providers and PSOs consider documenting the following:

    How information enters the patient safety evaluation system;

    What processes, activities, physical space(s) and equipment comprise or are used by the patient safety evaluation system;

    Which personnel or categories of personnel need access to patient safety work product to carry out their duties involving operation of, or interaction with the patient safety evaluation system, and for each such person or category of persons, the category of patient safety work product to which access is needed and any conditions appropriate to such access; and,

    What procedures or mechanisms the patient safety evaluation system uses to report information to a PSO or disseminate information outside of the patient safety evaluation system.

    A documented patient safety evaluation system, as opposed to an undocumented or poorly documented patient safety evaluation system, may accrue many benefits to the operating provider or PSO. Providers or PSOs that have a documented patient safety evaluation system will have substantial proof to support claims of privilege and confidentiality when resisting requests for production of, or subpoenas for, information constituting patient safety work product or when making requests for protective orders against requests or subpoenas for such patient safety work product. Documentation of a patient safety evaluation system will enable a provider or PSO to provide supportive evidence to a court when claiming privilege protections for patient safety work product. This may be particularly critical since the same activities can be done inside and outside of a patient safety evaluation system.

    A documented and established patient safety evaluation system also gives notice to employees of the privileged and confidential nature of the information within a patient safety evaluation system in order to generate awareness, greater care in handling such information and more caution to prevent unintended or impermissible disclosures of patient safety work product. For providers with many employees, an established and documented patient safety evaluation system can serve to separate access to privileged and confidential patient safety work product from employees that have no need for patient safety work product. Documentation can serve to limit access by non-essential employees. By limiting who may access patient safety work product, a provider may reduce its exposure to the risks of inappropriate disclosures.

    Given all of the benefits, documentation of a patient safety evaluation system would be a prudent business practice. Moreover, as part of our enforcement program, we would expect entities to be following sound business practices in maintaining adequate documentation regarding their patient safety evaluation systems to demonstrate their compliance with the confidentiality provisions. Absent this type of documentation, it may be difficult for entities to satisfy the Secretary that they have met and are in compliance with their confidentiality obligations. While we believe it is a sound and prudent business practice, we have not required a patient safety evaluation system to be documented, and we do not believe it is required by the Patient Safety Act. We seek comment as to these issues.

    Patient Safety Organization (PSO) would mean a private or public entity or component thereof that is listed as a PSO by the Secretary in accordance with proposed Sec. 3.102.

    Patient Safety Work Product is a defined term in the Patient Safety Act that identifies the information to which the privilege and confidentiality protections apply. This proposed rule imports the statutory definition of patient safety work product specifically for the purpose of implementing the confidentiality protections under the Patient Safety Act. The proposed rule provides that, with certain exceptions, patient safety work product would mean any data, reports, records, memoranda, analyses (such as root cause analyses), or written or oral statements (or copies of any of this material) (A) which could result in improved patient safety, health care quality, or health care outcomes and either (i) is assembled or developed by a provider for reporting to a PSO and is reported to a PSO; or (ii) is developed by a PSO for the conduct of patient safety activities; or (B) which identifies or constitutes the deliberations or analysis of, or identifies the fact of reporting pursuant to, a patient safety evaluation system. The proposed rule excludes from patient safety work product a patient's original medical record, billing and discharge information, or any other original patient or provider information and any information that is collected, maintained, or developed separately, or exists separately, from a patient safety evaluation system. Such separate information or a copy thereof reported to a PSO does not by reason of its reporting become patient safety work product. The separately collected and maintained information remains available, for example, for public health reporting or disclosures pursuant to court order. The information contained in a provider's or PSO's patient safety evaluation system is protected, would be privileged and confidential, and may not be disclosed absent a statutory or regulatory permission.

    [[Page 8121]]

    What can become patient safety work product. The definition of patient safety work product lists the types of information that are likely to be exchanged between a provider and PSO to generate patient safety work product: ``Any data, reports, records, memoranda, analyses (such as root cause analyses), or written or oral statements'' (collectively referred to below as ``information'' for brevity). Congress intended the fostering of robust patient safety evaluation systems for exchanges between providers and PSOs. We expect this expansive list will maximize provider flexibility in operating its patient safety evaluation system by enabling the broadest possible incorporation and protection of information by providers and PSOs.

    In addition, information must be collected or developed for the purpose of reporting to a PSO. Records collected or developed for a purpose other than for reporting to a PSO, such as to support internal risk management activities or to fulfill external reporting obligations, cannot become patient safety work product. However, copies of information collected for another purpose may become patient safety work product if, for example, the copies are made for the purpose of reporting to a PSO. This issue is discussed more fully below regarding information that cannot become patient safety work product.

    When information is reported by a provider to a PSO or when a PSO develops information for patient safety activities, the definition assumes that the protections apply to information that ``could result in improved patient safety, health care quality, or health care outcomes.'' This phrase imposes few practical limits on the type of information that can be protected since a broad range of clinical and non-clinical factors could have a beneficial impact on the safety, quality, or outcomes of patient care. Because the Patient Safety Act does not impose a narrow limitation, such as requiring information to relate solely, for example, to particular adverse or ``sentinel'' incidents or even to the safety of patient care, we conclude Congress intended providers to be able to cast a broad net in their data gathering and analytic efforts to identify causal factors or relationships that might impact patient safety, quality and outcomes. In addition, we note that the phrase ``could result in improved'' requires only potential utility, not proven utility, thereby allowing more information to become patient safety work product.

    How information becomes patient safety work product. Paragraphs (1)(i)(A), (1)(i)(B), and (1)(ii) of the proposed regulatory definition indicate three ways for information to become patient safety work product and therefore subject to the confidentiality and privilege protections of the Patient Safety Act.

    Information assembled or developed and reported by providers. By law and as set forth in our proposal, information that is assembled or developed by a provider for the purpose of reporting to a PSO and is reported to a PSO is patient safety work product. Section 921(7)(A)(i)(I) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(A)(i)(I).

    As noted, to become patient safety work product under this section of the definition, information must be reported by a provider to a PSO. For purposes of paragraph (1)(i)(A) of this definition, ``reporting'' generally means the actual transmission or transfer of information, as described above, to a PSO. We recognize, however, that requiring the transmission of every piece of paper or electronic file to a PSO could impose significant transmission, management, and storage burdens on providers and PSOs. In many cases, providers engaged in their own investigations may desire to avoid continued transmission of additional related information as its work proceeds.

    To alleviate the burden of reporting every piece of information assembled by a provider related to a particular patient safety event, we are interested in public comment regarding an alternative for providers that have established relationships with PSOs. We note that the reporting and generation of patient safety work product does not require a contract or any other relationship for a PSO to receive reports from a provider, for a PSO to examine patient safety work product, or for a PSO to provide feedback to a provider based upon the examination of reported information. Nonetheless, we anticipate that providers who are committed to patient safety improvements will establish a contractual or similar relationship with a PSO to report and receive feedback about patient safety incidents and adverse events. Such a contract or relationship would provide a basis to allow providers and PSOs to establish customized alternative arrangements for reporting.

    For providers that have established contracts with PSOs for the review and receipt of patient safety work product, we seek comment on whether a provider should be able to ``report'' to the PSO by providing its contracted PSO access to any information it intends to report (i.e., ``functional reporting''). For example, a provider and a PSO may establish, by contract, that information put into a database shared by the provider and the PSO is sufficient to report information to the PSO in lieu of the actual transmission requirement. We believe that functional reporting would be a valuable mechanism for the efficient reporting of information from a provider to a PSO. We are seeking public comment about what terms and conditions may be necessary to provide access to a PSO to be recognized as functional reporting. We also seek comment about whether this type of functional reporting arrangement should only be available for subsequent related information once an initial report on a specific topic or incident has been transmitted to a PSO.

    We do not intend a PSO to have an unfettered right of access to any provider information. Providers and PSOs are free to engage in alternative reporting arrangements under the proposed rule, and we solicit comments on the appropriate lines to be drawn around the arrangements that should be recognized under the proposed rule. However, our proposals should not be construed to suggest or propose that a PSO has a superior right to access information held by a provider based upon a reporting relationship. If a PSO believes information reported by a provider is insufficient, a PSO is free to request additional information from a provider or to indicate appropriate limitations to the conclusions or analyses based on insufficient or incomplete information.

    We seek public comment on two additional aspects regarding the timing of the obligation of a provider to report to a PSO in order for information to become protected patient safety work product and for the confidentiality protections to attach. The first issue relates to the timing between assembly or development of information for reporting and actual reporting under the proposed definition of patient safety work product. As currently proposed, information assembled or developed by a provider is not protected until the moment it is reported (i.e., transmitted or transferred to a PSO). We are considering whether there is a need for a short period of protection for information assembled but not yet reported. We note that in such situations, a provider creates and operates a patient safety evaluation system. (See discussion of the definition of patient safety evaluation system at proposed Sec. 3.20.) We further note that even without such short period of

    [[Page 8122]]

    protection, information assembled or developed by a provider but not yet reported may be subject to other protections in the proposed rule (e.g., see section 921(7)(A)(ii) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(A)(ii)).

    Our intent is not to relieve the provider of the statutory requirement for reporting pursuant to section 921(7)(A)(i) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(A)(i), but to extend to providers flexibility to efficiently transmit or transfer information to a PSO for protection. A short period of protection for information assembled but not yet reported could result in greater operational efficiency for a provider by allowing information to be compiled and reported to a PSO in batches. It could also alleviate the uncertainty regarding the status of information that is assembled, but not yet reported for administrative reasons. If we do address this issue in the final rule, we seek input on the appropriate time period for such protection and whether a provider must demonstrate an intent to report in order to obtain protections. If we do not address this issue in the final rule, such information held by a provider would not be confidential until it is actually transmitted to a PSO under this prong of the definition of patient safety work product.

    Second, for information to become patient safety work product under this prong of the definition, it must be assembled or developed for the purpose of reporting to a PSO and actually reported. We solicit comment on the point in time at which it can be established that information is being collected for the purpose of reporting to a PSO such that it is not excluded from the definition of patient safety work product as a consequence of it being collected, maintained or developed separately from a patient safety evaluation system. See section 921(7)(B)(ii) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(B)(ii). To assemble information with the purpose of reporting to a PSO, a PSO must potentially exist, and thus, we believe that collection efforts cannot predate the passage of the Patient Safety Act on July 29, 2005.

    Information that is developed by a PSO for the conduct of patient safety activities. By law and as set forth in our proposal, information that is developed by a PSO for patient safety activities is patient safety work product. Section 921(7)(A)(i)(II) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(A)(i)(II). This section of the definition does not address information discussed in the previous section that is assembled or developed by a provider and is reported to a PSO which becomes patient safety work product under that section. Rather, this section addresses other information that a PSO collects for development from third parties, non-providers and other PSOs for patient safety activities.

    For example, a PSO may be asked to assist a provider in analyzing a complex adverse event that took place. The initial information from the provider is protected because it was reported. If the PSO determines that the information is insufficient and conducts interviews with affected patients or collects additional data, that information is an example of the type of information that would be protected under this section of the definition. Even if the PSO ultimately decided not to analyze such information, the fact that the PSO collected and evaluated the information is a form of ``development'' transforming the information into patient safety work product. Such patient safety work product would be subject to confidentiality protections, and thus, the PSO would need safe disposal methods for any such information in accordance with its confidentiality obligations.

    Information that constitutes the deliberations or analysis of, or identifies the fact of reporting pursuant to, a patient safety evaluation system. By law and as set forth in our proposal, information that constitutes the deliberations or analysis of, or identifies the fact of reporting pursuant to, a patient safety evaluation system is patient safety work product. Section 921(7)(A)(ii) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(A)(ii). This provision extends patient safety work product protections to any information that would identify the fact of reporting pursuant to a patient safety evaluation system or that constitutes the deliberations or analyses that take place within such a system. The fact of reporting through a patient safety evaluation system (e.g., a fax cover sheet, an e-mail transmitting data, and an oral transmission of information to a PSO) is patient safety work product.

    With regard to providers, deliberations and analyses are protected while they are occurring provided they are done within a patient safety evaluation system. We are proposing that under paragraph (1)(ii) of this definition, any ``deliberations or analysis'' performed within the patient safety evaluation system becomes patient safety work product. In other words, to determine whether protections apply, the primary question is whether a patient safety evaluation system, which by law and as set forth in this proposed rule, is the collection, management, or analysis of information for reporting to a PSO, was in existence at the time of the deliberations and analysis.

    To determine whether a provider had a patient safety evaluation system at the time that the deliberations or analysis took place, we propose to consider whether a provider had certain indicia of a patient safety evaluation system, such as the following: (1) The provider has a contract with a PSO for the receipt and review of patient safety work product that is in effect at the time of the deliberations and analysis; (2) the provider has documentation for a patient safety evaluation system demonstrating the capacity to report to a PSO at the time of the deliberations and analysis; (3) the provider had reported information to the PSO either under paragraph (1)(i)(A) of the proposed definition of patient safety work product or with respect to deliberations and analysis; or (4) the provider has actually reported the underlying information that was the basis of the deliberations or analysis to a PSO. For example, if a provider claimed protection for information as the deliberation of a patient safety evaluation system, and had a contract with the PSO at the time the deliberations took place, it would be reasonable to believe that the deliberations and analysis were related to the provider's PSO reporting activities. This is not an exclusive list. We note therefore that a provider may still be able to show that information was patient safety work product using other indications.

    We note that the statutory protections for deliberations and analysis in a patient safety evaluation system apply without regard to the status of the underlying information being considered (i.e., it does not matter whether the underlying information being considered is patient safety work product or not). A provider can fully protect internal deliberations in its patient safety evaluation system over whether to report information to a PSO. The deliberations and analysis are protected, whether the provider chooses to report the underlying information to a PSO or not. However, the underlying information, separate and apart from the analysis or deliberation, becomes protected only when reported to a PSO. See section 921(7)(A)(i)(1) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(A)(i)(1).

    To illustrate, consider a hospital that is reviewing a list of all near-misses

    [[Page 8123]]

    reported within the past 30 days. The purpose of the hospital's review is to analyze whether to report any or part of the list to a PSO. The analyses (or any deliberations the provider undertakes) are fully protected whether the provider reports any near-misses or not. The status of the near-misses list does not change because the deliberations took place. The fact that the provider deliberated over reporting the list does not constitute reporting and does not change the protected status of the list. Separate and apart from the analysis, this list of near misses is not protected unless it is reported. By contrast, this provision fully protects the provider's deliberations and analyses in its patient safety evaluation system regarding the list.

    Delisting. In the event that a PSO is delisted for cause under proposed Sec. 3.108(b)(1), a provider may continue to report to that PSO for 30 days after the delisting and the reported information will be patient safety work product. Section 924(f)(1) of the Public Health Service Act, 42 U.S.C. 299b-24(f)(1). Information reported to a delisted PSO after the 30-day period will not be patient safety work product. However, after a PSO is delisted, the delisted entity may not continue to generate patient safety work product by developing information for the conduct of patient safety activities or through deliberations and analysis of information. Any patient safety work product held or generated by a PSO prior to its delisting remains protected even after the PSO is delisted. See discussion in the preamble regarding proposed Sec. 3.108(b)(2) for more information.

    We note that proposed Sec. 3.108(c) outlines the process for delisting based upon an entity's voluntary relinquishment of its PSO listing. As we discuss in the accompanying preamble, we tentatively conclude that the statutory provision for a 30-day period of continued protection does not apply after delisting due to voluntary relinquishment.

    Even though a PSO may not generate new patient safety work product after delisting, it may still have in its possession patient safety work product, which it must keep confidential. The statute establishes requirements, incorporated in proposed Sec. 3.108(b)(2) and (b)(3), that a PSO delisted for cause must meet regarding notification of providers and disposition of patient safety work product. We propose in Sec. 3.108(c) to implement similar notification and disposition measures for a PSO that voluntarily relinquishes its listing. For further discussion of the obligations of a delisted PSO, see proposed Sec. 3.108(b)(2), (b)(3), and (c).

    What is not patient safety work product. By law, and as set forth in this proposed rule, patient safety work product does not include a patient's original medical record, billing and discharge information, or any other original patient or provider record; nor does it include information that is collected, maintained, or developed separately or exists separately from, a patient safety evaluation system. Such separate information or a copy thereof reported to a PSO shall not by reason of its reporting be considered patient safety work product.

    The specific examples cited in the Patient Safety Act of what is not patient safety work product--the patient's original medical record, billing and discharge information, or any other original patient record--are illustrative of the types of information that providers routinely assemble, develop, or maintain for purposes and obligations other than those of the Patient Safety Act. The Patient Safety Act also states that information that is collected, maintained, or developed separately, or exists separately from a patient safety evaluation system, is not patient safety work product. Therefore, if records are collected, maintained, or developed for a purpose other than for reporting to a PSO, those records cannot be patient safety work product. However, if, for example, a copy of such record is made for reporting to a PSO, the copy and the fact of reporting become patient safety work product. Thus, a provider could collect incident reports for internal quality assurance purposes, and later, determine that one incident report is relevant to a broader patient safety activity. If the provider then reports a copy of the incident report to a PSO, the copy of the incident report received by the PSO is protected as is the copy of the incident report as reported to the PSO that is maintained by the provider, while the original incident report collected for internal quality assurance purposes is not protected.

    The proposed rule sets forth the statutory rule of construction that prohibits construing anything in this Part from limiting (1) the discovery of or admissibility of information that is not patient safety work product in a criminal, civil, or administrative proceeding; (2) the reporting of information that is not patient safety work product to a Federal, State, or local governmental agency for public health surveillance, investigation, or other public health purposes or health oversight purposes; or (3) a provider's recordkeeping obligation with respect to information that is not patient safety work product under Federal, State or local law. Section 921(7)(B)(iii) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(B)(iii). Even when laws or regulations require the reporting of the information regarding the type of events also reported to PSOs, the Patient Safety Act does not shield providers from their obligation to comply with such requirements.

    As the Patient Safety Act states more than once, these external obligations must be met with information that is not patient safety work product, and, in accordance with the confidentiality provisions, patient safety work product cannot be disclosed for these purposes. We note that the Patient Safety Act clarifies that nothing in this Part prohibits any person from conducting additional analyses for any purpose regardless of whether such additional analysis involves issues identical to or similar to those for which information was reported to or assessed by a PSO or a patient safety evaluation system. Section 922(h) of the Public Health Service Act, 42 U.S.C. 299b-22(h). A copy of information generated for such purposes may be entered into the provider's patient safety evaluation system for patient safety purposes although the originals of the information generated to meet external obligations do not become patient safety work product.

    Thus, information that is collected to comply with external obligations is not patient safety work product. Such activities may include: State incident reporting requirements; adverse drug event information reporting to the Food and Drug Administration (FDA); certification or licensing records for compliance with health oversight agency requirements; reporting to the National Practitioner Data Bank of physician disciplinary actions; or complying with required disclosures by particular providers or suppliers pursuant to Medicare's conditions of participation or conditions of coverage. In addition, the proposed rule does not change the law with respect to an employee's ability to file a complaint with Federal or State authorities regarding quality of care, or with respect to any prohibition on a provider's threatening or carrying out retaliation against an individual for doing so; the filing of any such complaint would not be deemed to be a violation of the Patient Safety Act, unless patient safety work product was improperly disclosed in such filing.

    Health Care Oversight Reporting and Patient Safety Work Product. The Patient Safety Act establishes a

    [[Page 8124]]

    protected space or system of protected information in order to allow frank discussion about causes and remediation of threats to patient safety. As described above, this protected system is separate, distinct, and resides alongside but does not replace other information collection activities mandated by laws, regulations, and accrediting and licensing requirements as well as voluntary reporting activities that occur for the purpose of maintaining accountability in the health care system. Information collection activities performed by the provider for purposes other than for reporting to a PSO by itself do not create patient safety work product. In anticipation of questions about how mandatory and voluntary reporting will continue to be possible, a brief explanation may be helpful regarding how this new patient safety framework would operate in relation to health care oversight activities (e.g., public health reporting, corrective actions, etc.).

    Situations may occur when the original (whether print or electronic) of information that is not patient safety work product is needed for a disclosure outside of the entity but cannot be located while a copy of the needed information resides in the patient safety evaluation system. If the reason for which the original information is being sought does not align with one of the permissible disclosures, discussed in proposed Subpart C, the protected copy may not be released. Nevertheless, this does not preclude efforts to reconstruct the information outside of the patient safety evaluation system from information that is not patient safety work product. Those who participated in the collection, development, analysis, or review of the missing information or have knowledge of its contents can fully disclose what they know or reconstruct an analysis outside of the patient safety evaluation system.

    The issue of how effectively a provider has instituted corrective action following identification of a threat to the quality or safety of patient care might lead to requests for information from external authorities. The Patient Safety Act does not relieve a provider of its responsibility to respond to such requests for information or to undertake or provide to external authorities evaluations of the effectiveness of corrective action, but the provider must respond with information that is not patient safety work product.

    To illustrate the distinction, consider the following example. We would expect that a provider's patient safety evaluation system or a PSO with which the provider works may make recommendations from time to time to the provider for changes it should make in the way it manages and delivers health care. The list of recommendations for changes, whether they originate from the provider's patient safety evaluation system or the PSO with which it is working, is always patient safety work product. We would also note that not all of these recommendations will address corrective actions (i.e., correcting a process, policy, or situation that poses a threat to patients). It is also possible that a provider with an exemplary quality and safety record is seeking advice on how to perform even better. Whatever the case, the feedback from the provider's patient safety evaluation system or PSO may not be disclosed to external authorities unless permitted by the disclosures specified in Subpart C of this proposed rule.

    The provider may choose to reject the recommendations it receives or implement some or all of the proposed changes. While the recommendations always remain protected, whether they are adopted or rejected by a provider, the actual changes that the provider implements to improve how it manages or delivers health care services (including changes in its organizational management or its care environments, structures, and processes) are not patient safety work product. In a practical sense, it would be virtually impossible to keep such changes confidential in any event, and we stress that if there is any distinction between the change that was adopted and the recommendation that the provider received, the provider can only describe the change that was implemented. The recommendation remains protected. Thus, if external authorities request a list of corrective actions that a provider has implemented, the provider has no basis for refusing the request. Even though the actions are based on protected information, the corrective actions themselves are not patient safety work product. On the other hand, if an external authority asks for a list of the recommendations that the provider did not implement or whether and how any implemented change differed from the recommendation the provider received, the provider must refuse the request; the recommendations themselves remain protected.

    Person would mean a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private. We propose to define ``person'' because the Patient Safety Act requires that civil money penalties be imposed against ``person[s]'' that violate the confidentiality provisions. However, the Patient Safety Act does not provide a definition of ``person''. The Definition Act at 1 U.S.C. 1 provides, ``in determining any Act of Congress, unless the context indicates otherwise * * * the words `person' and `whoever' include corporations, companies, associations, firms, partnerships, societies, and joint stock companies, as well as individuals'' (emphasis added). The Patient Safety Act indicates that States and other government entities may hold patient safety work product with the protections and liabilities attached, which is an expansion of the Definition Act provision. For this reason, we propose the broader definition of the term ``person''. We note that this proposed approach is consistent with the HHS Office of Inspector General (OIG) regulations, 42 CFR 1003.101, and the HIPAA Enforcement Rule, 45 CFR 160.103.

    Provider would mean any individual or entity licensed or otherwise authorized under State law to provide health care services. The list of specific providers in the proposed rule includes the following: institutional providers, such as a hospital, nursing facility, comprehensive outpatient rehabilitation facility, home health agency, hospice program, renal dialysis facility, ambulatory surgical center, pharmacy, physician or health care practitioner's office (including a group practice), long term care facility, behavior health residential treatment facility, clinical laboratory, or health center; or individual clinicians, such as a physician, physician assistant, registered nurse, nurse practitioner, clinical nurse specialist, certified registered nurse anesthetist, certified nurse midwife, psychologist, certified social worker, registered dietitian or nutrition professional, physical or occupational therapist, pharmacist, or other individual health care practitioner. This list is merely illustrative; an individual or entity that is not listed here but meets the test of state licensure or authorization to provide health care services is a provider for the purpose of this proposed rule.

    The statute also authorizes the Secretary to expand the definition of providers. Under this authority, we propose to add the following to this list of providers:

    (a) Agencies, organizations, and individuals within Federal, State, local, or Tribal governments that deliver health care, organizations engaged as contractors by the Federal, State, local or Tribal governments to deliver health care, and individual health care

    [[Page 8125]]

    practitioners employed or engaged as contractors by the Federal government to deliver health care. It appears that all of these agencies, organizations, and individuals could participate in, and could benefit from, working with a PSO.

    (b) A corporate parent organization for one or more entities licensed or otherwise authorized to provide health care services under state law. Without this addition, hospital or other provider systems that are controlled by a parent organization that is not recognized as a provider under State law might be precluded from entering into system-wide contracts with PSOs. This addition furthers the goals of the statute to encourage aggregation of patient safety data and a coordinated approach for assessing and improving patient safety. We particularly seek comments regarding any concerns or operational issues that might result from this addition, and note that a PSO entering one system-wide contract still needs to meet the two contract minimum requirement based on section 924(b)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(C), and set out and discussed in proposed Sec. 3.102(b). The PSO can do this by entering into two contracts with different providers within the system.

    (c) A Federal, State, local, or Tribal government unit that manages or controls one or more health care providers described in the definition of provider at (1)(i) and (2). We propose this addition to the definition of ``provider'' for the same reason that we proposed the addition of parent organization that has a controlling interest in one or more entities licensed or otherwise authorized to provide health care services under state law.

    Research would have the same meaning as that term is defined in the HIPAA Privacy Rule at 45 CFR 164.501. In the HIPAA Privacy Rule, research means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. This definition is used to describe the scope of the confidentiality exception at proposed Sec. 3.206(b)(6). We propose to use the same definition as in the HIPAA Privacy Rule to improve the level of coordination and to reduce the burden of compliance. At the same time, if there is a modification to the definition in the HIPAA Privacy Rule, the definition herein will automatically change with such regulatory action.

    Respondent would mean a provider, PSO, or responsible person who is the subject of a complaint or a compliance review.

    Responsible person would mean a person, other than a provider or PSO, who has possession or custody of identifiable patient safety work product and is subject to the confidentiality provisions. We note that because the Patient Safety Act has continued confidentiality protection at 42 U.S.C. 299b-22(d), many entities other than providers and PSOs may be subject to the confidentiality provisions. Thus, for example, researchers or law enforcement officials who obtain patient safety work product under one of the exceptions to confidentiality would be considered a ``responsible person''.

    Workforce would mean employees, volunteers, trainees, contractors, and other persons whose conduct, in the performance of work for a provider, PSO or responsible person, is under the direct control of such provider, PSO or responsible person, whether or not they are paid by the provider, PSO or responsible person. We use the term workforce member in several contexts in the proposed rule. Importantly, in proposed Sec. 3.402 where we discuss principal liability, we propose that an agent for which a principal may be liable can be a workforce member. We have included the term ``contractors'' in the definition of workforce member to clarify that such permitted sharing may occur with contractors who are under the direct control of the provider, PSO, or responsible person. For example, a patient safety activity disclosure by a provider to a PSO may be made directly to the PSO or to a consultant, as a workforce member, contracted by the PSO to help it carry out patient safety activities.

  11. Subpart B--PSO Requirements and Agency Procedures

    Proposed Subpart (B) sets forth requirements for Patient Safety Organizations (PSOs). This proposed Subpart specifies the certification and notification requirements that PSOs must meet, the actions that the Secretary may and will take relating to PSOs, the requirements that PSOs must meet for the security of patient safety work product, the processes governing correction of PSO deficiencies, revocation, and voluntary relinquishment, and related administrative authorities and implementation responsibilities. The requirements of this proposed Subpart would apply to PSOs, their workforce, a PSO's contractors when they hold patient safety work product, and the Secretary.

    This proposed Subpart is intended to provide the foundation for new, voluntary opportunities to improve the safety, quality, and outcomes of patient care. The Patient Safety Act does not require a provider to contract with a PSO, and the proposed rule does not include such a requirement. However, we expect that most providers will enter into contracts with PSOs when seeking the confidentiality and privilege protections of the statute. Contracts offer providers greater certainty that a provider's claim to these statutory protections will be sustained, if challenged. For example, the statutory definition of patient safety work product describes the nature and purpose of information that can be protected, the circumstances under which deliberations or analyses are protected, and the requirement that certain information be reported to a PSO. Pursuant to a contractual arrangement, providers can require and receive assistance from PSOs to ensure that these requirements are fully met. Contracts can provide clear evidence that a provider is taking all reasonable measures to operate under the ambit of the statute in collecting, developing, and maintaining patient safety work product. Contracts enable providers to specify even stronger confidentiality protections in how they report information to a PSO or how the PSO handles and uses the information.

    Contracts can also give providers greater assurance that they will have access to the expertise of the PSO to provide feedback regarding their patient safety events. While some providers may have patient safety expertise in-house, a PSO has the potential to offer providers considerable additional insight as a result of its expertise and ability to aggregate and analyze data from multiple providers and multiple PSOs. Experience has demonstrated that such aggregation and analysis of large volumes of data, such as a PSO has the ability to do, will often yield insights into the underlying causes of the hazards and risks associated with patient care that are simply not apparent when these analyses are limited to the information available from only one office, clinic, facility, or system.

    Pursuant to a contract with a PSO, a provider may also be able to obtain from a PSO operational guidance or best practices with respect to operation of a patient safety evaluation system. Such a contract also provides a mechanism for a provider to control the nature and extent of a PSO's aggregation of its data with those of other providers or PSOs, and the nature of related analysis and discussion of such data. A provider can also require, pursuant to its contract with a PSO, that the PSO will notify the provider if improper disclosures are

    [[Page 8126]]

    made of patient safety work product relating to that provider.

    This proposed Subpart enables a broad variety of health care providers to work voluntarily with entities that have certified to the Secretary that they have the ability and expertise to carry out broadly defined patient safety activities of the Patient Safety Act and, therefore, to serve as consultants to eligible providers to improve patient care. In accordance with the Patient Safety Act, we propose an attestation-based process for initial and continued listing of an entity as a PSO. This includes an attestation-based approach for meeting the statutory requirement that each PSO, within 24 months of being listed and in each sequential 24-month period thereafter, must have bona fide contracts with more than one provider for the receipt and review of patient safety work product.

    This streamlined approach of the statute and the proposed rule is intended to encourage the rapid development of expertise in health care improvement. This framework allows the marketplace to be the principal arbiter of the capabilities of each PSO. Listing as a PSO by the Secretary does not entitle an entity to Federal funding. The financial viability of most PSOs will derive from their ability to attract and retain contracts with providers or to attract financial support from other organizations, such as charitable foundations dedicated to health system improvement. Even when a provider organization considers establishing a PSO (what this proposed rule terms a component PSO) to serve the needs of its organization, we expect it will weigh the value of, and the business case for, such a PSO.

    Proposed Subpart B attempts to minimize regulatory burden while fostering transparency to enhance the ability of providers to assess the strengths and weaknesses of their choice of PSOs. For example, we encourage, but do not require, an entity seeking listing to develop and post on their own Web sites narrative statements describing the expertise of the personnel the entity will have at its disposal, and outlining the way it will approach its mission and comply with the statute's certification requirements.

    We similarly propose to apply transparency to our implementation of the statute's requirement for disclosure by PSOs of potential conflicts of interest with their provider clients. While the statute only requires public release of the findings of the Secretary after review of such disclosures, we propose to make public, consistent with applicable law, including the Freedom of Information Act, a PSO's disclosure statements as well. In our view, in addition to having the benefit of the Secretary's determination, a provider, as the prospective consumer of PSO services, should be able to make its own determination regarding the appropriateness of the relationships that a PSO has with its other provider clients and the impact those relationships might have on its particular needs. For example, a provider might care if a PSO--despite the Secretary's determination that it had been established with sufficient operational and other independence to qualify for listing as a PSO--was owned, operated, or managed by the provider's major competitor.

    The provisions of this proposed Subpart also emphasize the need for vigilance in providing security for patient safety work product. To achieve the widespread provider participation intended by this statute, PSOs must foster and maintain the confidence of providers in the security of patient safety work product in which providers and patients are identified. Therefore, we propose to require a security framework, which each PSO must address with standards it determines appropriate to the size and complexity of its organization, pertaining to the separation of data and systems and to security management control, monitoring, and assessment.

    The Patient Safety Act recognizes that PSOs will need to enter business associate agreements to receive protected health information from providers that are covered entities under the HIPAA Privacy Rule. As a business associate of such a provider, a PSO will have to meet certain contractual requirements on the use and disclosure of protected health information for compliance with the HIPAA Privacy Rule that are in addition to the requirements set forth in this proposed rule. Those requirements include the notification of a covered entity when protected health information is inappropriately disclosed in violation of the HIPAA Privacy Rule.

    We do not propose to require reporting of impermissible disclosures of other patient safety work product that does not contain protected health information. We solicit comments on whether to parallel the business associate requirements of the HIPAA Privacy Rule. Such a requirement, if implemented, would require a PSO to notify the organizational source of patient safety work product if the information it shared has been impermissibly used or disclosed. Note that such reporting requirements could be voluntarily agreed to by contract between providers and their PSO.

    Section 924(b)(2)(A) and (B) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(2)(A) and (B), suggests Congressional concern that a strong firewall must be maintained between a component PSO and the rest of the organization(s) of which it is a part. This proposed subpart proposes specific safeguards that such component PSOs must implement to effectively address those concerns.

    As this discussion suggests, in developing this proposed Subpart, we have proposed the most specific requirements in the areas of security and disclosure of potential conflicts of interest. We expect to offer technical assistance and encourage transparency wherever possible to promote implementation, compliance, and correction of deficiencies. At the same time, this proposed Subpart establishes processes that will permit the Secretary promptly to revoke a PSO's certification and remove it from listing, if such action proves necessary.

    1. Proposed Sec. 3.102--Process and Requirements for Initial and Continued Listing of PSOs

    Proposed Sec. 3.102 sets out: The submissions that the Department, in carrying out its responsibilities, proposes to require, consistent with the Patient Safety Act, for initial and continued listing as a PSO; the certifications that all entities must make as part of the listing process; the additional certifications that component organizations must make as part of the listing process; the requirement for biennial submission of a certification that the PSO has entered into the required number of contracts; and the circumstances under which a PSO must submit a disclosure statement regarding the relationships it has with its contracting providers.

    (A) Proposed Sec. 3.102(a)--Eligibility and Process for Initial and Continued Listing

    In this section, we propose to establish a streamlined certification process that minimizes barriers to entry for a broad variety of entities seeking to be listed as a PSO. With several exceptions, any entity--public or private, for-profit or not-for profit--may seek initial or continued listing by the Secretary as a PSO. The statute precludes a health insurance issuer and a component of a health insurance issuer from becoming a PSO (section 924(b)(1)(D) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(D)).

    In addition, we propose to preclude any other entity, public or private, from

    [[Page 8127]]

    seeking listing as a PSO if the entity conducts regulatory oversight of health care providers, including accreditation or licensure. We propose this restriction for consistency with the statute, which seeks to foster a ``culture of safety'' in which health care providers are confident that the patient safety events that they report will be used for learning and improvement, not oversight, penalties, or punishment. Listing organizations with regulatory authority as PSOs would be likely to undermine provider confidence that adequate separation of PSO and regulatory activities would be maintained.

    We note that the Patient Safety Act permits a component organization of an entity to seek listing as a PSO if the component organization establishes a strong firewall between its activities as a PSO and the rest of the organization(s) of which it is a part. As drafted, this proposed regulation permits a component organization of an entity with any degree of regulatory authority to seek listing as a component PSO. We have not proposed any restrictions on such component organizations for several reasons. First, we expect that the statutory requirement for a strong firewall between a component PSO and its parent organization(s) with respect to its activities as a PSO and the protected information it holds will provide adequate safeguards. Second, providers will have access to the names of parent organizations of component PSOs. We propose in Sec. 3.102(c) that any component organization must disclose the name of its parent organization(s) (see the proposed definitions of component and parent organizations in Sec. 3.20). We intend to make this information publicly available and expect to post it on the PSO Web site we plan to establish (see the preamble discussion regarding proposed Sec. 3.104(d)). This will provide transparency and enable providers to determine whether the organizational affiliation(s) of a component PSO are of concern. Finally, we believe that allowing the marketplace to determine whether a component PSO has acceptable or unacceptable ties to an entity with regulatory authority is consistent with our overall approach to regulation of PSOs.

    At the same time, we recognize that some organizations exercise a considerable level of regulatory oversight over providers and there may be concerns that such organizations could circumvent the firewalls proposed below in Sec. 3.102(c) or might attempt to require providers to work with a component PSO that the regulatory entity creates. Accordingly, we specifically seek comment on the approach we have proposed and whether we should consider a broader restriction on component organizations of entities that are regulatory. For example, should components of state health departments be precluded from seeking listing because of the broad authority of such departments to regulate provider behavior? If a broader restriction is proposed, we would especially welcome suggestions on clear, unambiguous criteria for its implementation.

    We will develop certification forms for entities seeking initial and continued listing that contain or restate the respective certifications described in proposed Sec. 3.102(b) and Sec. 3.102(c). An individual with authority to make commitments on behalf of the entity seeking listing would be required to acknowledge each of the certification requirements, attest that the entity meets each of the certification requirements on the form, and provide contact information for the entity. The certification form would also require an attestation that the entity is not subject to the limitation on listing proposed in this subsection and an attestation that, once listed as a PSO, it will notify the Secretary if it is no longer able to meet the requirements of proposed Sec. 3.102(b) and Sec. 3.102(c).

    To facilitate the development of a marketplace for the services of PSOs, entities are encouraged, but not required, to develop and post on their own Web sites narratives that specify how the entity will approach its mission, how it will comply with the certification requirements, and describe the qualifications of the entity's personnel. With appropriate disclaimers of any implied endorsement, we expect to post citations or links to the Web sites of all listed entities on the PSO Web site that we plan to establish pursuant to proposed Sec. 3.104(d). We believe that clear narratives of how PSOs will meet their statutory and regulatory responsibilities will help providers, who are seeking the services of a PSO, to assess their options. The Department's PSO Web site address will be identified in the final rule and will be available from AHRQ upon request.

    (B) Proposed Sec. 3.102(b)--Fifteen General Certification Requirements

    In accordance with section 924(a) of the Public Health Service Act, 42 U.S.C. 299b-24(a), the proposed rule would require all entities seeking initial or continued listing as a PSO to meet 15 general certification requirements: eight requirements related to patient safety activities and seven criteria governing their operation. At initial listing, the entity would be required to certify that it has policies and procedures in place to carry out the eight patient safety activities defined in the Patient Safety Act and incorporated in proposed Sec. 3.20, and upon listing, would meet the seven criteria specified in proposed Sec. 3.102 (b)(2). Submissions for continued listing would require certifications that the PSO is performing, and will continue to perform, the eight patient safety activities and is complying with, and would continue to comply with, the seven criteria.

    (1) Proposed Sec. 3.102(b)(1)--Required Certification Regarding Eight Patient Safety Activities

    Proposed Sec. 3.102(b)(1) addresses the eight required patient safety activities that are listed in the definition of patient safety activities at proposed Sec. 3.20 (section 921(5) of the Public Health Service Act, 42 U.S.C. 299b-21(5)). Because certification relies primarily upon attestations by entities seeking listing, rather than submission and review of documentation, it is critical that entities seeking listing have a common and shared understanding of what each certification requirement entails. We conclude that five of the eight required patient safety activities need no elaboration. These five patient safety activities include: Efforts to improve patient safety and quality; the collection and analysis of patient safety work product; the development and dissemination of information with respect to improving patient safety; the utilization of patient safety work product for the purposes of encouraging a culture of safety and providing feedback and assistance; and the utilization of qualified staff.

    We address a sixth patient safety activity, related to the operation of a patient safety evaluation system, in the discussion of the definition of that term in proposed Sec. 3.20. We provide greater clarity here regarding the actions that an entity must take to comply with the remaining two patient safety activities, which involve the preservation of confidentiality of patient safety work product and the provision of appropriate security measures for patient safety work product.

    We interpret the certification to preserve confidentiality of patient safety work product to require conformance with the confidentiality provisions of proposed Subpart C as well as the requirements of the Patient Safety Act. Certification to provide appropriate security measures requires PSOs, their workforce members, and their

    [[Page 8128]]

    contractors when they hold patient safety work product to conform to the requirements of proposed Sec. 3.106, as well as the provisions of the Patient Safety Act.

    (2) Proposed Sec. 3.102(b)(2)--Required Certification Regarding Seven PSO Criteria

    Proposed Sec. 3.102(b)(2) lists seven criteria that are drawn from the Patient Safety Act (section 924(b) of the Public Health Service Act, 42 U.S.C. 299b-24(b)), which an entity must meet during its period of listing. We conclude that the statutory language for three of the seven required criteria is clear and further elaboration is not required. These three criteria include: The mission and primary activity of the entity is patient safety, the entity has appropriately qualified staff, and the entity utilizes patient safety work product for provision of direct feedback and assistance to providers to effectively minimize patient risk.

    Two of the criteria are addressed elsewhere in the proposed rule: the exclusion of health insurance issuer or components of health insurance issuers from being PSOs is discussed above in the context of the definition of that term in proposed Sec. 3.20 and the requirements for submitting disclosure statements are addressed in the preamble discussion below regarding proposed Sec. 3.102(d)(2) (the proposed criteria against which the Secretary will review the disclosure statements are set forth in Sec. 3.104(c)). The remaining two PSO criteria--the minimum contract requirement and the collection of data in a standardized manner--are discussed here.

    The Minimum Contracts Requirement. First, we propose to clarify the requirement in section 924(b)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(C) that a PSO must enter into bona fide contracts with more than one provider for the receipt and review of patient safety work product within every 24-month period after the PSO's initial date of listing.

    We note that the statutory language establishes four conditions that must be met for a PSO to be in compliance with this requirement. We propose to interpret two of them for purposes of clarity in the final rule: (1) The PSO must have contracts with more than one provider, and (2) the contract period must be for ``a reasonable period of time.'' Most contracts will easily meet the third requirement: that contracts must be ``bona fide'' (our definition is in proposed Sec. 3.20). Finally, the fourth requirement, that contracts must involve the receipt and review of patient safety work product, does not require elaboration.

    We propose that a PSO would meet the requirement for ``contracts with more than one provider'' if it enters a minimum of two contracts within each 24-month period that begins with its initial date of listing. We note that the statutory requirement in section 924(b)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(C), unambiguously requires multiple contracts (i.e., more than one). One contract with two or more providers would not fully meet the statute's requirement. To illustrate, one contract with a 50-hospital system would not meet the requirement; two 25-hospital contracts with that same hospital system would meet the requirement. We believe that the statutory requirement was intended to encourage PSOs to aggregate data from multiple providers, in order to expand the volume of their data, thereby improving the basis on which patterns of errors and the causes for those errors can be identified. This statutory objective is worth noting as a goal for PSOs. A PSO can achieve this goal by aggregating data from multiple providers or by pooling or comparing data with other PSOs, subject to statutory, regulatory, and contractual limitations.

    The statute requires that these contracts must be ``for a reasonable period of time.'' We propose to clarify in the final rule when a PSO would be in compliance with this statutory requirement. The approach could be time-based (e.g., a specific number of months), task-based (e.g., the contract duration is linked to completion of specific tasks but, under this option, the final rule would not set a specific time period), or provide both options. We seek comments on the operational implications of these alternative approaches and the specific standard(s) for each option that we should consider. By establishing standard(s) in the final rule, we intend to create certainty for contracting providers and PSOs as to whether the duration requirement has been met. We note that whatever requirement is incorporated in the final rule will apply only to the two required contracts. A PSO can enter other contracts, whether time-based or task-based, without regard to the standard(s) for the two required contracts.

    Apart from the requirements outlined above, there are no limits on the types of contracts that a PSO can enter; its contracts can address all or just one of the required patient safety activities, assist providers in addressing all, or just a specialized range, of patient safety topics, or the PSO can specialize in assisting specific types of providers, specialty societies, or provider membership organizations. Because of the limits on the extraterritorial application of U.S. law and the fact that privilege protections are limited to courts in the United States (Federal, State, etc.), the protections in the proposed rule apply only to protected data shared between PSOs and providers within the United States and its territories; there is only this one geographical limitation on a PSO's operations.

    If they choose to do so, providers and PSOs may enter into contracts that specify stronger confidentiality protections than those specified in this proposed rule and the Patient Safety Act (section 922(g)(4) of the Public Health Service Act, 42 U.S.C. 299b-22 (g)(3)). For example, a provider could choose to de-identify or anonymize information it reports to a PSO.

    We note that the Secretary proposes to exercise his authority to extend the definition of ``provider'' for the purposes of this statute to include a provider's ``parent organization'' (both terms are defined in proposed Sec. 3.20). This proposed addition is intended to provide an option for health systems (e.g., holding companies or a state system) to enter system-wide contracts with PSOs if they choose to do so. This option would not be available in the absence of this provision because the parent organizations of many health care systems are often corporate management entities or governmental entities that are not considered licensed or authorized health care providers under state law.

    Collecting data in a standardized manner. Section 924(b)(1)(F) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(F), requires PSOs, to the extent practical and appropriate, to collect patient safety work product from providers in a standardized manner, to permit valid comparisons of similar cases among similar providers. One of the goals of the legislation is to facilitate a PSO aggregating sufficient data to identify and to address underlying causal factors of patient safety problems. A PSO is more valuable if it is able to aggregate patient safety work product it receives directly from multiple providers, and if it chooses to do so, aggregate its data with patient safety work product received from other PSOs and/or share nonidentifiable patient safety work product with a network of patient safety databases described in section 923 of the Public Health Service Act, 42 U.S.C. 299b-23. We recognize that if patient safety work product is not collected initially using common data

    [[Page 8129]]

    elements and consistent definitions, it may be difficult to aggregate such data subsequently in order to develop valid comparisons across providers and potentially, PSOs. We also recognize, however, that the providers who work with PSOs may have varying levels of sophistication with respect to patient safety issues and that reporting patient safety work product to a PSO in a standardized manner or using standardized reporting formats may not be initially practicable for certain providers or in certain circumstances. The discussion which follows outlines the timetable and the process to which we are committed.

    The Secretary intends to provide ongoing guidance to PSOs on formats and definitions that would facilitate the ability of PSOs to aggregate patient safety work product. We expect to provide initial guidance beginning with the most common types of patient safety events, before the final rule is issued, to facilitate the ability of PSOs to develop valid comparisons among providers. The Department will make such formats and definitions available for public comment in a non-regulatory format via publication in the Federal Register. We are considering, and we seek comment on, including a clarification in the final rule, that compliance with this certification requirement would mean that a PSO, to the extent practical and appropriate, will aggregate patient safety work product consistent with the Secretary's guidance regarding reporting formats and definitions when such guidance becomes available.

    The process for developing and maintaining common formats. AHRQ has established a process to develop common formats that: (1) Is evidence-based; (2) harmonizes across governmental health agencies; (3) incorporates feedback from the public, professional associations/organizations, and users; and (4) permits timely updating of these clinically-sensitive formats.

    In anticipation of the need for common formats, AHRQ began the process of developing them in 2005. That process consists of the following steps: (1) Develop an inventory of functioning patient safety reporting systems to inform the construction of the common formats (an evidence base). Included in this inventory, now numbering 64 systems, are the major Centers for Disease Control and Prevention (CDC) and Food and Drug Administration (FDA) reporting systems as well as many from the private sector. (2) Convene an interagency Patient Safety Work Group (PSWG) to develop draft formats. Included are major health agencies within the Department--CDC, Centers for Medicare and Medicaid Services, FDA, Health Resources and Services Administration, the Indian Health Service (IHS), the National Institutes of Health--as well as the Department of Defense (DoD) and the Veterans Administration (VA). (3) Pilot test draft formats--to be conducted in February-March of 2008 in DoD, IHS, and VA facilities. (4) Publish version 0.1 (beta) of the formats in the Federal Register, along with explanatory material, and solicit public comment--planned for July/August 2008. (5) Let a task order contract (completed) with the National Quality Forum (NQF) to solicit input from the private sector regarding the formats. NQF's role will be periodically to solicit input from the private sector to assist the Department in updating its versions of the formats. NQF will begin with version 0.1 (beta) of the common formats and solicit public comments (including from providers, professional organizations, the general public, and PSOs), triage them in terms of immediacy of importance, set priorities, and convene expert panel(s) to offer advice on updates to the formats. This process will be a continuing one, guiding periodic updates of the common formats. (6) Accept input from the NQF, revise the formats in consultation with the PSWG, and publish subsequent versions in the Federal Register. Comments will be accepted at all times from public and governmental sources, as well as the NQF, and used in updating of the formats.

    This process ensures intergovernmental consistency as well as input from the private sector, including, most importantly, those who may use the common formats. This latter group, the users, will be the most sensitive to and aware of needed updates/improvements to the formats. The PSWG, acting as the fulcrum for original development and continuing upgrading/maintenance, assures consistency of definitions/formats among government agencies. For instance, the current draft formats follow CDC definitions of healthcare associated infections and FDA definitions of adverse drug events. AHRQ has been careful to promote consensus among Departmental agencies on all draft common formats developed to date. The NQF is a respected private sector organization that is suited to solicit and analyze input from the private sector.

    We welcome comments on our proposed approach to meeting statutory objectives.

    (C) Proposed Sec. 3.102(c)--Additional Certifications Required of Component Organizations

    Section 924(b)(2) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(2) and the proposed definition of component organization in proposed Sec. 3.20 require an entity that is a component of another organization or multi-organizational enterprise that seeks initial or continued listing to certify that it will meet three requirements in addition to certifying that it will meet the 15 general requirements specified in proposed Sec. 3.102(b). We have indicated the types of entities that would be required to seek listing as a component organization in our discussion of the proposed definitions in proposed Sec. 3.20 of the terms ``component organization'' and ``parent organization.'' To be listed as a component PSO, an entity would also be required to make three additional certifications regarding the entity's independent operation and separateness from the larger organization or enterprise of which it is a part: the entity would certify to (1) the secure maintenance of documents and information separate from the rest of the organization(s) or enterprise of which it is a part; (2) the avoidance of unauthorized disclosures to the organization(s) or enterprise of which it is a part; and (3) the absence of a conflict between its mission and the rest of the organization(s) or enterprise of which it is a part. We propose in Sec. 3.102(c) specific requirements that will ensure that such component PSOs implement the type of safeguards for patient safety work product that the three additional statutory certification requirements for component organizations are intended to provide.

    First, the statute requires a component PSO to maintain patient safety work product separate from the rest of the organization(s) or enterprise of which it is a part (section 924(b)(2)(A) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(2)(A)). To ensure compliance with this statutory requirement, we considered, but did not include here, a proposal to prohibit a component PSO from contracting, subcontracting, or entering any agreement with any part of the organization(s) or enterprise of which it is a part for the performance of any work involving the use of patient safety work product. We seek comment on the limited exception proposed in Sec. 3.102(c) here that would permit such contracts or subcontracts only if they can be carried out in a manner that is consistent with the statutory

    [[Page 8130]]

    requirements of this section. This means that, while a component PSO could enter such arrangements involving the use of patient safety work product with a unit of the organization(s) or enterprise of which it is a part, the component PSO would maintain the patient safety work product and be responsible for its security (i.e., control the access and use of it by the contracting unit). In addition, under our proposal, while allowing access to the contracting unit of the identifiable patient safety work product necessary to carry out the contractual assignment would be a permissible disclosure, the component PSO would remain responsible for ensuring that the contracting unit does not violate the prohibitions related to unauthorized disclosures required under 924(b)(2)(B) of the PHS Act, 42 U.S.C. 299b-24(b)(2)(B), (i.e., disclosures to other units of the organization or enterprise) and that there is no conflict between the mission of the component PSO and the contracting unit, as required under 924(b)(2)(C) of the PHS Act, 42 U.S.C. 299b-24(b)(2)(C). We invite comment on whether such a limited exception is necessary or appropriate and, if so, the appropriateness of the restrictions we have proposed.

    Second, a component PSO would not be permitted to have a shared information system with the rest of the organization(s) since this might provide unauthorized access to patient safety work product. For example, we intend to prohibit a component PSO from storing any patient safety work product in information systems or databases to which the rest of the organization(s) or enterprise of which it is a part would have access or the ability to remove or transmit a copy. We preliminarily conclude that most security measures, such as password protection of the component PSO's information, are too easily circumvented.

    Third, the proposed rule provides that the workforce of the component PSO must not engage in work for the rest of the organization(s) if such work could be informed or influenced by the individual's knowledge of identifiable patient safety work product. For example, a component PSO could share accounting or administrative support staff under our proposal because the work of these individuals for the rest of the organization(s) would not be informed or influenced by their knowledge of patient safety work product. By contrast, if the rest of the organization provides health care services, a physician who served on a parent organization's credentialing, hiring, or disciplinary committee(s) could not also work for the PSO. Knowledge of confidential patient safety work product could influence his or her decisions regarding credentialing, hiring, or disciplining of providers who are identifiable in the patient safety work product.

    We provide one exception to the last prohibition. It is not our intent to prohibit a clinician, whose work for the rest of the organization is solely the provision of patient care, from undertaking work for the component PSO. We see no conflict if the patient care provided by the clinician is informed by the clinical insights that result from his or her work for the component PSO. If a clinician has duties beyond patient care, this exception only applies if the other duties do not violate the general prohibition (i.e., that the other duties for the rest of the organization(s) cannot be informed by knowledge of patient safety work product).

    As part of the requirement that the PSO must certify that there is no conflict between its mission and the rest of the organization(s), we propose that the certification form will require the PSO to provide the name(s) of the organization(s) or enterprise of which it is a part (see the discussions of our definitions of parent and component organizations in proposed Sec. 3.20).

    We have not proposed specific standards to determine whether conflicts exist between a PSO and other components of the organization or enterprise of which it is a part. We recognize that some industries and particular professions, such as the legal profession through state-based codes of professional responsibility, have specific standards or tests for determining whether a conflict exists. We request comments on whether the final rule should include any specific standards, and, if so, what criteria should be put in place to determine whether a conflict exists.

    (D) Proposed Sec. 3.102(d)--Required Notifications

    Proposed Sec. 3.102(d) establishes in regulation two required notifications that implement two statutory provisions: a notification to the Secretary certifying whether the PSO has met the biennial requirement for bona fide contracts with more than one provider (section 924(b)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(C)); and the submission of a disclosure statement to the Secretary whenever a PSO has established specific types of relationships (discussed below) with a contracting provider, in particular where a PSO is not managed or controlled independently from, or if it does not operate independently from, a contracting provider (section 924(b)(1)(E) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(E)).

    (1) Proposed Sec. 3.102(d)(1)--Notification Regarding PSO Compliance With the Minimum Contract Requirement

    Proposed Sec. 3.102(d)(1) requires a PSO to notify the Secretary whether it has entered at least two bona fide contracts that meet the requirements of proposed Sec. 3.102(b)(2). The notification requirement implements the statutory requirement in section 924(b)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(C), that a PSO must have contracts with more than one provider. Notification to the Secretary will be by attestation on a certification form developed pursuant to proposed Sec. 3.112. Prompt notification of the Secretary that a PSO has entered two or more contracts will result in earlier publication of that information by the Secretary and this may be to the PSO's benefit.

    We propose that the Secretary receive initial notification from a PSO no later than 45 calendar days before the last day of the period that is 24 months after the date of its initial listing and 45 calendar days prior to the last day of every 24-month period thereafter. While each PSO will have the full statutory period of 24 months to comply with this requirement, we propose an earlier date for notification of the Secretary to harmonize this notification requirement with the requirement, established by section 924(e) of the Public Health Service Act, 42 U.S.C. 299b-24(e), that the Secretary provide each PSO with a period of time to correct a deficiency. If the Secretary were to provide a period for correction that begins after the 24-month period has ended, the result would be that some PSOs would be granted compliance periods that extend beyond the unambiguous statutory deadline for compliance. To avoid this unfair result, we propose that a PSO certify to the Secretary whether it has complied with this requirement 45 calendar days in advance of the final day of its applicable 24-month period.

    If a PSO notifies the Secretary that it cannot certify compliance or fails to submit the required notification, the Secretary, pursuant to proposed Sec. 3.108(a)(2), will then issue a preliminary finding of deficiency and provide a period for correction that extends until midnight of the last day of the applicable 24-month assessment period for the PSO. In this way, the requirement for an opportunity for correction can be met without granting any PSO a period for compliance that

    [[Page 8131]]

    exceeds the statutory limit. We invite comments on alternative approaches to harmonize these two potentially conflicting requirements.

    We note that contracts that are entered into after midnight on the last day of the applicable 24-month period do not count toward meeting the two-contract requirement for that 24-month assessment period. If a PSO does not meet the requirement by midnight of the last day of the applicable 24-month assessment period, the Secretary will issue a notice of revocation and delisting pursuant to proposed Sec. 3.108(a)(3).

    (2) Proposed Sec. 3.102(d)(2)--Notification Regarding PSO's Relationships With Its Contracting Providers

    Proposed Sec. 3.102(d)(2) establishes the circumstances under which a PSO must submit a disclosure statement to the Secretary regarding its relationship(s) with any contracting provider(s) and the deadline for such required submissions.

    The purpose of this disclosure requirement is illuminated by the statutory obligation of the Secretary, set forth in section 924(c)(3) of the Public Health Service Act, 42 U.S.C. 299b-24(c)(3), to review the disclosure statements and make public findings ``whether the entity can fairly and accurately perform the patient safety activities of a patient safety organization.'' To provide the Secretary with the information necessary to make such a judgment, section 924(b)(1)(E) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(E), requires a PSO to fully disclose information to the Secretary if the PSO has certain types of relationships with a contracting provider and, if applicable, whether the PSO is not independently managed or controlled, or if it does not operate independently from, the contracting provider.

    The statutory requirement for a PSO to submit a disclosure statement applies only when a PSO has entered into a contract with a provider; if there is no contractual relationship between the PSO and a provider pursuant to the Patient Safety Act, a disclosure statement is not required. Even when a PSO has entered a contract with a provider, we propose that a PSO would need to file a disclosure statement regarding a contracting provider only when the circumstances, specified in section 924(c)(3) of the Public Health Service Act, 42 U.S.C. 299-24(c)(3), and discussed here, are present.

    A PSO is first required to assess whether a disclosure statement must be submitted to the Secretary when the PSO enters a contract with a provider, but we note that the disclosure requirement remains in effect during the entire contract period. Even when a disclosure statement is not required at the outset of the contract period, if the circumstances discussed here arise, a disclosure statement must be submitted at that time to the Secretary for review.

    With respect to a provider with which it has entered a contract, a PSO is required to submit a disclosure statement to the Secretary only if either or both of the following circumstances are present. First, a disclosure statement must be filed if the PSO has any financial, reporting, or contractual relationships with a contracting provider (other than the contract entered into pursuant to the Patient Safety Act). Second, taking into account all relationships that the PSO has with that contracting provider, a PSO must file a disclosure statement if it is not independently managed or controlled, or if it does not operate independently from, the contracting provider.

    With respect to financial, reporting or contractual relationships, the proposed rule states that contractual relationships that must be disclosed are not limited to formal contracts but encompass any oral or written arrangement that imposes responsibilities on the PSO. For example, the provider may already have a contract or other arrangement with the PSO for assistance in implementation of proven patient safety interventions and is now seeking additional help from the PSO for the review of patient safety work product. A financial relationship involves almost any direct or indirect ownership or investment relationship between the PSO and the contracting provider, shared or common financial interests, or direct or indirect compensation arrangement, whether in cash or in-kind. A reporting relationship includes a relationship that gives the provider access to information that the PSO holds that is not available to other contracting providers or control, directly or indirectly, over the work of the PSO that is not available to other contracting providers. If any such relationships are present, the PSO must file a disclosure statement and describe fully all of these relationships.

    The other circumstance that triggers the requirement to disclose information to the Secretary is the provision of the Patient Safety Act that requires the entity to fully disclose ``if applicable, the fact that the entity is not managed, controlled, and operated independently from any provider that contracts with the entity.'' See section 924(b)(1)(E) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(E). We propose to interpret this provision as noted above because we believe that the adverb ``independently'' modifies all three verbs--that is, that the entity is required to disclose when it is not managed independently from, is not controlled independently from, or is not operated independently from, any provider that contracts with the entity.

    Disclosure would be required, for example, if the contracting provider created the PSO and exercises a degree of management or control over the PSO, such as overseeing the establishment of its budget or fees, hiring decisions, or staff assignments. Another example of such a relationship that would require disclosure would be the existence of any form of inter-locking governance structure. We recognize that contracts, by their very nature, will enable a contracting provider to specify tasks that the PSO undertakes or to direct the PSO to review specific cases and not others. These types of requirements reflect the nature of any contractual relationship and do not trigger a requirement to file such a disclosure statement. The focus of this provision as indicated in section 924(c)(3) of the Public Health Service Act, 42 U.S.C. 299b-24(c)(3), and here is on the exercise of the type of control that could compromise the ability of the PSO to fairly and accurately carry out patient safety activities. If the contracting provider exercises this type of influence over the PSO, the PSO must file a disclosure statement and fully disclose the nature of the influence exercised by the contracting provider.

    To meet the statutory requirement for full disclosure, a PSO's submission should attempt to put the significance of the financial, reporting, or contractual relationship in perspective (e.g., relative to other sources of PSO revenue or other types of contractual or reporting relationships). We would also encourage PSOs to list any agreements, stipulations, or procedural safeguards that might offset the influence of the provider and that might protect the ability of the PSO to operate independently. By doing so, a PSO can ensure that its disclosure statements present a full and, if applicable, balanced picture of the relationships and degree of independence that exist between the PSO and its contracting provider(s).

    We propose to require that, whenever a PSO determines that it must file a statement based upon these requirements, the Secretary must receive the disclosure statement within 45 calendar days. The PSO must make an initial determination on the date on which a contract is entered. If the PSO determines that it must file a disclosure

    [[Page 8132]]

    statement, the Secretary must receive the disclosure statement no later than 45 days after the date on which the contract was entered. During the contract period, the Secretary must receive a disclosure statement within 45 calendar days of the date on which either or both of the circumstances described above arise. If the Secretary determines, after the applicable 45-day period, that a required disclosure statement was not received from a PSO, the Secretary may issue to the PSO a notice of a preliminary finding of deficiency, the first step in the revocation process established by proposed Sec. 3.108.

    2. Proposed Sec. 3.104--Secretarial Actions

    Proposed Sec. 3.104 describes the actions that the Secretary may and will take regarding certification submissions for listing or continued listing, the required notification certifying that the PSO has entered the required minimum of two contracts, and disclosure statements, including the criteria that the Secretary will use in reviewing such statements and the determinations the Secretary may make. This proposed section also outlines the types of information that the Secretary will make public regarding PSOs, specifies how, and for what period of time, the Secretary will list a PSO whose certification he has accepted and establishes an effective date for Secretarial actions under this proposed subpart. See section 924(c) of the Public Health Service Act, 42 U.S.C. 299b-24(c).

    (A) Proposed Sec. 3.104(a)--Actions in Response to Certification Submissions for Initial and Continued Listing as a PSO

    Proposed Sec. 3.104(a) describes the actions that the Secretary may and will take in response to certification for initial or continued listing as a PSO (section 924(c)(1)-(2) of the Public Health Service Act, 42 U.S.C. 299b-24(c)(1)-(2)), submitted to the Secretary pursuant to the requirements of proposed Sec. 3.102. The decision on whether and how to list an entity as a PSO will be based upon a determination of whether the entity meets the applicable requirements of the Patient Safety Act and this proposed part. In most cases, it is anticipated that the Secretary will either accept the submission and list the entity or deny the listing on this basis.

    In determining whether to list an entity as a PSO, the proposed rule requires the Secretary to consider the submitted certification and any relevant history, such as prior actions the Secretary has taken regarding the entity or PSO including delisting, any history of or current non-compliance by the entity or PSO with statutory or regulatory requirements or requests by the Secretary, relationships of the entity or PSO with providers and any findings by the Secretary in accordance with proposed Sec. 3.104(c). Initially, the Secretary will rely solely on the submitted certification; entities seeking listing will not have any applicable history of the type specified for the Secretary to consider. Even over time, we anticipate that the Secretary would normally rely upon the submitted certification in making a listing determination.

    There may be occasions in future years when the Secretary may need to take into account the history of an entity or PSO in making a determination for initial or continued listing. Examples of such situations might include: A PSO seeking continued listing that has a history of deficiencies; an entity seeking initial listing may be a renamed former PSO whose certifications had been revoked for cause by the Secretary; or the leadership of an entity seeking listing may have played a leadership role in a former PSO that failed to meet its obligations to providers during voluntary relinquishment (see proposed Sec. 3.108(c)). In such circumstances, it may not be prudent for the Secretary to rely solely upon the certification submitted by the entity or PSO and this proposed subsection would enable the Secretary to seek additional information or assurances before reaching a determination on whether to list an entity. To ensure that the Secretary is aware of any relevant history before making a listing determination, without imposing additional burden on most entities seeking listing, we propose to include an attestation on the certification form that would require acknowledgement if the entity (under its current name or another) or any member of its workforce has been party to a delisting determination by the Secretary. We welcome comment on this proposal, or alternative approaches, for ensuring that the Secretary can carry out the requirements of this proposed section.

    The Secretary also has the authority, under certain circumstances, to condition the listing of a PSO under section 924(c)(3) of the Public Health Service Act, 42 U.S.C. 299b-24(c)(3). The Secretary may establish conditions on the listing of a PSO following a determination, pursuant to proposed Sec. 3.104(c), that such conditions are necessary to ensure that the PSO can fairly and accurately perform patient safety activities. A decision to impose such conditions will typically occur after the listing of a PSO, when the PSO submits a disclosure statement about its relationships with a contracting provider. It also could occur at the time of initial or continued listing based upon a Secretarial review of a disclosure statement submitted contemporaneously with the review of an entity's certification submission.

    The Secretary expects to be able to conclude review of an application for initial or continued listing within 30 days of receipt unless additional information or assurances, as described above in the paragraph discussing the history of an entity or PSO, are required, or the application as initially submitted is incomplete. The Secretary will notify each entity that requests listing of the action taken on its certification submission for initial or continued listing. The Secretary will provide reasons when an entity's certification is not accepted and, if the listing is conditioned based upon a determination made pursuant to proposed Sec. 3.104(c), the reasons for imposing conditions.

    (B) Proposed Sec. 3.104(b)--Actions Regarding PSO Compliance With the Minimum Contract Requirement

    Proposed Sec. 3.104(b) sets forth the required Secretarial action regarding PSO compliance with the requirement of the proposed rule for a minimum of two bona fide contracts. If a PSO attests, in the notification required by proposed Sec. 3.102(d)(1), that it has met the requirement, the Secretary will acknowledge in writing receipt of the attestation and include information on the list established pursuant to proposed Sec. 3.104(d) that the PSO has certified that it has met the requirement. If the PSO notifies the Secretary that it has not yet met the requirement, or if notification is not received from the PSO by the date required under proposed Sec. 3.102(d)(1), the Secretary, pursuant to proposed Sec. 3.108(a)(2), will issue a notice of a preliminary finding of deficiency to the PSO and provide an opportunity for correction that will extend no later than midnight of the last day of its applicable 24-month assessment period. Under this authority, the Secretary will require notification of correction and compliance from a PSO by midnight of the final day of the applicable 24-month period. If the deficiency has not been corrected by that date, the Secretary will issue promptly a notice of proposed revocation and delisting pursuant to the requirements of proposed Sec. 3.108(a)(3).

    [[Page 8133]]

    (C) Proposed Sec. 3.104(c)--Actions Regarding Required Disclosures by PSOs of Relationships With Contracting Providers.

    Proposed Sec. 3.104(c) establishes criteria that the Secretary will use to evaluate a disclosure statement submitted pursuant to proposed Sec. 3.102(d)(2), specifies the determinations the Secretary may make based upon evaluation of any disclosure statement, and proposes public release, consistent with the Freedom of Information Act, of disclosure statements submitted by PSOs as well as the Secretary's findings (see section 924(c)(3) of the Public Health Service Act, 42 U.S.C. 299b-24(c)(3)).

    In reviewing disclosure statements and making public findings, we propose that the Secretary consider the nature, significance, and duration of the relationship between the PSO and the contracting provider. We seek input on other appropriate factors to consider.

    Following review of the disclosure statement, the Secretary will make public findings regarding the ability of the PSO to carry out fairly and accurately defined patient safety activities as required by the Patient Safety Act. The Secretary may conclude that the disclosures require no action on his part or, depending on whether the entity is listed or seeking listing, may condition his listing of the PSO, exercise his authority under proposed Sec. 3.104(a) to refuse to list, or exercise his authority under proposed Sec. 3.108 to revoke the listing of the entity. The Secretary will notify each entity of his findings and decision regarding each disclosure statement.

    This subsection proposes to make this process transparent, recognizing that providers seeking to contract with a PSO may want to make their own judgments regarding the appropriateness of the disclosed relationships. Therefore, with the exception of information, such as information that would be exempt from disclosure under the Freedom of Information Act, we propose to make public each disclosure statement received from a PSO by including it on the list of PSOs maintained pursuant to proposed Sec. 3.104(d) and we may post such statements on the PSO Web site we plan to establish. Public release of PSO disclosure statements would be in addition to the statutory requirement in section 924(c)(3) of the Public Health Service Act, 42 U.S.C. 299b-24(c)(3), that the Secretary's findings regarding disclosure statements must be made public. Greater transparency is intended to promote more informed decision making by providers, who are the primary customers for PSO services.

    (D) Proposed Sec. 3.104(d)--Maintaining a List of PSOs

    Proposed Sec. 3.104(d) implements the statutory requirement in section 924(d) of the Public Health Service Act, 42 U.S.C. 299b-24(d), that the Secretary compile and maintain a list of those entities whose PSO certifications have been accepted in accordance with proposed Sec. 3.104(a) and which certifications have not been revoked or voluntarily relinquished in accordance with proposed Sec. 3.108(b) or (c). The list will include contact information for each PSO, the effective date and time of listing of the PSO, a copy of each certification form and disclosure statement that the Secretary receives from the entity, and information on whether the PSO has certified that it has met the two contract requirement in each 24-month assessment period. The list will also include a copy of the Secretary's findings regarding any disclosure statements filed by each PSO, including whether any conditions have been placed on the listing of the entity as a PSO, and other information that this proposed subpart authorizes the Secretary to make public. To facilitate the development of a marketplace for the services of PSOs, we plan to establish a PSO Web site (or a future technological equivalent) and expect to post the list of PSOs on the PSO Web site, reserving the right to exclude information contained in disclosure statements that would be exempt from disclosure under the Freedom of Information Act. We seek comment on whether there are specific types of information that the Secretary should consider posting routinely on this Web site for the benefit of PSOs, providers, and other consumers of PSO services.

    (E) Proposed Sec. 3.104(e)--Three-Year Period of Listing

    Proposed Sec. 3.104(e) states that, when the Secretary has accepted certification submitted for initial or continued listing, the entity will be listed as a PSO for a period of three years (section 924(a)(2) of the Public Health Service Act, 42 U.S.C. 299b-24(a)(2)), unless the Secretary revokes the listing or the Secretary determines that the entity has voluntarily relinquished its status as a PSO (see proposed Sec. 3.108).

    This subsection also provides that the Secretary will send a written notice of imminent expiration to a PSO no later than 45 calendar days before the date on which the PSO's three-year period of listing expires if the Secretary has not received a certification seeking continued listing. This notice is intended to ensure that a PSO does not let its listing lapse inadvertently. We expect that the Secretary will include in the notice a date by which the PSO should submit its certifications to ensure that the Secretary has sufficient time to act before the current period of listing expires.

    We are considering including in the final rule, and seek comment on, a requirement that the Secretary include information on the public list of PSOs maintained pursuant to Sec. 3.104(d), that identifies the PSOs to which a notice of imminent expiration has been sent. The intent of such a requirement would be to ensure that a provider reporting data to such a PSO has adequate notice and time to ascertain, if it chooses to do so, whether that PSO intends to seek continued listing and, if not, to make alternative arrangements for reporting data to another PSO.

    (F) Proposed Sec. 3.104(f)--Effective Date of Secretarial Actions

    Proposed Sec. 3.104(f) states that, unless otherwise specified, the effective date of each action by the Secretary pursuant to this proposed subpart will be specified in the written notice that is sent to the entity. To ensure that an entity receives prompt notification, the Department anticipates sending such a notice by electronic mail or other electronic means in addition to a hard copy version. We are confident that any entity seeking listing as a PSO will have electronic mail capacity. For listing and delisting, the Secretary will specify both an effective time and date for such actions in the written notice. Our intent is to ensure clarity regarding when the entity can receive information that will be protected as patient safety work product.

    3. Proposed Sec. 3.106--Security Requirements

    Proposed Sec. 3.106 identifies the entities and individuals that are subject to the security requirements of this section and establishes the considerations that entities and individuals specified in subsection (a) should address to secure patient safety work product in their possession. This section provides a common framework for compliance with the requirement in section 921(5)(F) of the Public Health Service Act, 42 U.S.C. 299b-21(5)(F), that a PSO provide appropriate security measures with respect to patient safety work product. In light of the importance of data security to those who supply patient safety work product to any PSO, maintenance of data security will be a high and ongoing priority for PSOs.

    [[Page 8134]]

    (A) Proposed Sec. 3.106(a)--Application

    Proposed Sec. 3.106(a) states that the security requirements in proposed Sec. 3.106(b) apply to each PSO, its workforce members, and its contractors when the contractors hold patient safety work product. This proposed subsection applies the requirements at all times and at any location at which patient safety work product is held. We expect that it will be more efficient for most PSOs to contract for at least a portion of the expertise they need to carry out patient safety activities, including the evaluation of certain types of patient safety events. In such situations, when a PSO discloses patient safety work product to a contractor to assist the PSO in carrying out patient safety activities and the contractor maintains such patient safety work product at locations other than those controlled by the PSO, our intent is to ensure that these same security requirements apply. We recognize that some contractors that a PSO chooses to employ may not want to, or may not have the resources to, meet these requirements at other locations. In such circumstances, the contractors will need to perform their services at locations at which the PSO can ensure that these security requirements can be met.

    We note that this regulation does not impose these requirements on providers, but agreements between PSOs and providers may by contract call for providers to adopt equivalent standards.

    (B) Proposed Sec. 3.106(b)--Security Framework

    Proposed Sec. 3.106(b) establishes a framework consisting of four categories for the security of patient safety work product that a PSO must consider, including security management, separation of systems, security control and monitoring, and security assessment.

    This framework is consistent with the standards of the National Institute of Standards and Technology (NIST) that federal agencies must follow but this section does not impose on PSOs the specific NIST standards that Federal agencies must meet. We recognize that it is not likely that PSOs will have the scale of operation or the resources to comply with Federal data security standards. Instead, we propose to require that each PSO must consider the four categories of the NIST framework set forth in this section by developing appropriate and scalable standards that are suitable for the size and complexity of its organization. We seek comment on the extent to which this proposal adequately and appropriately identifies the most significant security issues, with respect to patient safety work product that PSOs receive, develop, or maintain, and which PSOs should be expected to address with due diligence, and the extent to which our approach provides PSOs with sufficient flexibility to develop scalable standards.

    (1) Proposed Sec. 3.106(b)(1)--Security Management

    Proposed Sec. 3.106(b)(1) requires the PSO to approach its security requirements by: documenting its security requirements for patient safety work product; taking steps to ensure that its workforce and contractors as specified in proposed Sec. 3.106(a) understand their responsibilities regarding patient safety work product and the confidentiality requirements of the statute, including the potential imposition of civil money penalties for impermissible disclosures; and monitoring and improving the effectiveness of its security policies and procedures.

    (2) Proposed Sec. 3.106(b)(2)--Separation of Systems

    Under the statute, to preserve the confidentiality of patient safety work product, it is important to maintain a clear separation between patient safety work product and information that is not protected, and a clear separation between patient safety activities and other activities. As a result, we have incorporated requirements in proposed Sec. 3.106(b)(2) that PSOs must ensure such separation. The specific requirements for which a PSO must develop appropriate standards include: maintaining functional and physical separation of patient safety work product from other systems of records; protection of patient safety work product while it is held by the PSO; appropriate disposal or sanitization of media that have contained patient safety work product; and preventing physical access to patient safety work product by unauthorized users or recipients.

    (3) Proposed Sec. 3.106(b)(3)--Security Control and Monitoring

    Proposed Sec. 3.106(b)(3) requires that policies and procedures adopted by a PSO related to security control and monitoring must enable the PSO to identify and authenticate users of patient safety work product and must create an audit capacity to detect unlawful, unauthorized, or inappropriate activities involving access to patient safety work product. To ensure accountability, controls should be designed to preclude unauthorized removal, transmission or disclosures of patient safety work product.

    (4) Proposed Sec. 3.106(b)(4)--Security Assessment

    Proposed Sec. 3.106(b)(4) requires a PSO to develop policies and procedures that permit it to assess periodically the effectiveness and weaknesses of its overall approach to security of patient safety work product. A PSO needs to determine the frequency of security assessments, determine when it needs to undertake a risk assessment exercise so that the leadership and the workforce of the PSO are aware of the risks to PSO assets from security lapses, and specify how it will assess and adjust its procedures to ensure the security of its communications involving patient safety work product to and from providers and other authorized parties. Such communications are potentially vulnerable weak points for any security system and require ongoing special attention by a PSO.

    4. Proposed Sec. 3.108--Correction of Deficiencies, Revocation and Voluntary Relinquishment

    Proposed Sec. 3.108 describes the process by which PSOs will be given an opportunity to correct deficiencies, the process for revocation of acceptance of the certification submitted by an entity for cause and its removal from the list of PSOs, and specifies the circumstances under which an entity will be considered to have voluntarily relinquished its status as a PSO.

    This section would establish procedural opportunities for a PSO to respond during the process that might lead to revocation. When the Secretary identifies a possible deficiency, the PSO would be given an opportunity to correct the record if it can demonstrate that the information regarding a deficiency is erroneous, and if the existence of a deficiency is uncontested, an opportunity to correct it. The PSO is encouraged to alert the Department if it faces unanticipated challenges in correcting the deficiency; we propose that the Secretary will consider such information in determining whether the PSO has acted in good faith, whether the deadline for corrective action should be extended, or whether the required corrective action should be modified. If the Secretary determines that the PSO has not timely corrected the deficiency and issues a notice of proposed revocation and delisting, the PSO will be given an automatic right of appeal to present its case in writing.

    If the Secretary makes a decision to revoke acceptance of the entity's certification and remove it from the list

    [[Page 8135]]

    of PSOs, this proposed section specifies the required actions that the Secretary and the entity must take following such a decision. The proposed rule implements the statutory requirements for the establishment of a limited period during which providers can continue to report information to the former PSO and receive patient safety work product protections for these data, and establishes a framework for appropriate disposition of patient safety work product or data held by the former PSO. See section 924(e)-(g) of the Public Health Service Act, 42 U.S.C. 299b-24(e)-(g).

    This section also describes two circumstances under which an entity will be considered to have voluntarily relinquished its status as a PSO: (1) Notification of the Secretary in writing by the PSO of its intent to relinquish its status voluntarily; and (2) if a PSO lets its period of listing expire without submission of a certification for continued listing that the Secretary has accepted. In both circumstances, we propose that such a PSO consult with the source of the patient safety work product in its possession to provide notice of its intention to cease operations and provide for appropriate disposition of such patient safety work product. When the Secretary removes a PSO from listing as a result of revocation for cause or voluntary relinquishment, the Secretary is required to provide public notice of the action.

    We note that section 921 of the Public Health Service Act, 42 U.S.C. 299b-21, and, therefore, the proposed rule, defines a PSO as an entity that is listed by the Secretary pursuant to the requirements of the statute that are incorporated into this proposed rule. This means that an entity remains a PSO for its three-year period of listing unless the Secretary removes the entity from the list of PSOs because he revokes acceptance of its certification and listing for cause or because the entity voluntarily relinquishes its status as described below. Accordingly, even when a deficiency is identified publicly or the proposed requirements of this section have been initiated, we stress that an entity remains a PSO until the date and time at which the Secretary's removal of the entity from listing is effective. Until then, data that is reported to a listed entity by providers shall be considered patient safety work product and the protections accorded patient safety work product continue to apply following the delisting of the PSO.

    (A) Proposed Sec. 3.108(a)--Process for Correction of a Deficiency and Revocation

    Proposed Sec. 3.108(a) describes the process by which the Secretary would provide an opportunity for a PSO to correct identified deficiencies and, if not timely corrected or if the deficiencies cannot be ``cured,'' the process that can lead to a determination by the Secretary to revoke acceptance of a PSO's certification. This section proposes a two-stage process. The first stage would provide an opportunity to correct a deficiency. Under the proposal, when the Secretary identifies a deficiency, the Secretary would send the PSO a notice of preliminary determination of a deficiency. The PSO would then have an opportunity to demonstrate that the information on which the notice was based is incorrect. The notice would include a timetable for correction of the deficiency and may specify the specific corrective action and the documentation that the Secretary would need to determine if the deficiency has been corrected. The PSO would be encouraged to provide information for the administrative record on unexpected challenges in correcting the deficiency, since the Secretary has great flexibility to work with a PSO to facilitate correction of deficiencies. We anticipate that most PSO deficiencies would be resolved at this stage.

    Under the proposal, the second stage would occur when the Secretary would conclude that a PSO has not timely corrected a deficiency or has a pattern of non-compliance and issues the PSO a notice of proposed revocation and delisting. Rather than requiring a PSO to seek an opportunity to appeal, the proposed rule would provide an automatic period of 30 days for a PSO to be heard in writing by submitting a rebuttal to the findings in the Secretary's notice of revocation and delisting. The Secretary may then affirm, modify, or reverse the notice of revocation and delisting.

    In light of the procedures in the proposed rule to ensure due process, we have not proposed to incorporate any further internal administrative appeal process beyond the Secretary's determination regarding a notice of proposed revocation and delisting pursuant to proposed Sec. 3.108(a)(5). We invite comments on our proposed approach.

    (1) Proposed Sec. 3.108(a)(1)--Circumstances Leading to Revocation

    Proposed Sec. 3.108(a)(1) lists four circumstances, each of which is statutorily based, that may lead the Secretary to revoke acceptance of a PSO's certification and delist the entity: the PSO is not meeting the obligations to which it certified its compliance as required by proposed Sec. 3.102; the PSO has not certified to the Secretary that it has entered the required minimum of two contracts within the applicable 24-month period pursuant to proposed Sec. 3.102(d)(1); the Secretary, after reviewing a PSO's disclosure statement submitted pursuant to proposed Sec. 3.102(d)(2), determines that the PSO cannot fairly and accurately perform its duties pursuant to proposed Sec. 3.104(c); or the PSO is not in compliance with any other provision of the Patient Safety Act or this proposed part. (See section 924(c) and (e) of the Public Health Service Act, 42 U.S.C. 299b-24(c) and (e).)

    (2) Proposed Sec. 3.108(a)(2)--Notice of Preliminary Finding of Deficiency and Establishment of an Opportunity for Correction of a Deficiency

    Under proposed Sec. 3.108(a)(2), when the Secretary has reason to believe that a PSO is not in compliance with the requirements of the statute and the final rule, the Secretary would send a written notice of a preliminary finding of deficiency to the PSO (see section 924(c) and (e) of the Public Health Service Act, 42 U.S.C. 299b-24(c) and (e)). The notice would specifically state the actions or inactions that describe the deficiency, outline the evidence that a deficiency exists, specify the possible and/or required corrective action(s) that must be taken, establish an opportunity for correction and a date by which the corrective action(s) must be completed, and, in certain circumstances, specify the documentation that the PSO would be required to submit to demonstrate that the deficiency has been corrected.

    We propose that, absent other evidence of actual receipt, we would assume that the notice of a preliminary finding of deficiency has been received 5 calendar days after it was sent. Under the proposal, if a PSO submits evidence to the Secretary that demonstrates to the Secretary that the preliminary finding is factually incorrect within 14 calendar days following receipt of this notice, the preliminary finding of deficiency would be withdrawn; otherwise, it would be the basis for a finding of deficiency. We stress that this would not be an opportunity to file an appeal regarding the proposed corrective actions, the period allotted for correcting the deficiency, or the time to provide explanations regarding why a deficiency exists. This 14-day period would only ensure that the PSO has an opportunity,

    [[Page 8136]]

    if the information on which the notice is based is not accurate, to correct the record immediately. For example, a notice of a preliminary finding of deficiency may be based on the fact that the Secretary has no record that the PSO has entered the required two contracts. In this case, if a PSO can attest that it submitted the certification as required or can attest that it has entered the required two contracts consistent with the requirements of proposed Sec. 3.102(d)(1), the Secretary would then withdraw the notice. If a notice of deficiency is based on the failure of the PSO to submit a required disclosure statement within 45 days, the PSO might submit evidence that the required statement had been sent as required. If the evidence is convincing, the Secretary would withdraw the notice of preliminary finding of deficiency. If the Secretary does not consider the evidence convincing, the Secretary would so notify the PSO and the notice would remain in effect. The PSO would then need to demonstrate that it has met the requirements of the notice regarding correction of the deficiency.

    We anticipate that in the vast majority of circumstances in which the Secretary believes there is a deficiency, the deficiency can and will be corrected by the PSO. In those cases, as discussed above, the PSO will be given an opportunity to take the appropriate action to correct the deficiency, and avoid revocation and delisting. However, we can anticipate situations in which a PSO's conduct is so egregious that the Secretary's acceptance of the PSO's certification should be revoked without the opportunity to cure because there is no meaningful cure. An example would be where a PSO has a policy and practice of knowingly and inappropriately selling patient safety work product or where the PSO is repeatedly deficient and this conduct continues despite previous opportunities to cure. We are considering adding a provision whereby an opportunity to ``cure'' would not be available in this type of situation. Providing the PSO with an opportunity for correction, as provided in the Patient Safety Act, would entail providing an opportunity to correct the preliminary factual findings of the Department. Thus, the PSO would have the chance to demonstrate that we have the facts wrong or there are relevant facts we are overlooking. We invite comments regarding this approach and how best to characterize the situations in which the opportunity to ``cure'' (e.g., to change policies, practices or procedures, sanction employees, send out correction notices) would not be sufficient, meaningful, or appropriate.

    (3) Proposed Sec. 3.108(a)(3)--Determination of Correction of a Deficiency

    Proposed Sec. 3.108(a)(3) addresses the determination of whether a deficiency has been corrected, including the time frame for submission of the required documentation that the deficiency has been corrected, and the actions the Secretary may take after review of the documentation and any site visit(s) the Secretary deems necessary or appropriate (see sections 924(c) and (e) of the Public Health Service Act, 42 U.S.C. 299b-24(c) and (e)).

    Under the proposal, during the period of correction, we would encourage the PSO to keep the Department apprised in writing of its progress, especially with respect to any challenges it faces in implementing the required corrective actions. Such communications would become part of the administrative record. Until there is additional experience with the operational challenges that PSOs face in implementing specific types of corrective actions, such information, if submitted, would be especially helpful for ensuring that the time frames and the corrective actions specified by the Secretary are reasonable and appropriate. As noted below, such information would be considered by the Secretary in making a determination regarding a PSO's compliance with the correction of a deficiency. Unless the Secretary specifies a different submission date, or approves such a request from the PSO, we propose that documentation submitted by the PSO to demonstrate correction of the deficiency must be received by the Secretary no later than 5 calendar days after the final day of the correction period.

    Under the proposed rule, in making a determination, the Secretary would consider the documentation and other information submitted by the PSO, the findings of any site visit that might have been conducted, recommendations of program staff, and any other information available regarding the PSO that the Secretary deems appropriate. After completing his review, the Secretary may make one of the following determinations: (1) The action(s) taken by the PSO have corrected any deficiency, in which case the Secretary will withdraw the notice of deficiency and so notify the PSO; (2) the PSO has acted in good faith to correct the deficiency but an additional period of time is necessary to achieve full compliance and/or the required corrective action specified in the notice of a preliminary finding of deficiency needs to be modified in light of the actions undertaken by the PSO so far, in which case the Secretary will extend the period for correction and/or modify the specific corrective action required; or (3) the PSO has not completed the corrective action because it has not acted with reasonable diligence or timeliness to ensure that the corrective action was completed within the allotted time, in which case the Secretary will issue to the PSO a notice of proposed revocation and delisting.

    When the Secretary issues a notice of proposed revocation and delisting, this notice would include those deficiencies that have not been timely corrected. The notice would be accompanied by information concerning the manner in which the PSO may exercise its opportunity to be heard in writing to respond to the deficiency findings described in the notice.

    (4) Proposed Sec. 3.108(a)(4)--Opportunity to be Heard in Writing Following a Notice of Proposed Revocation and Delisting

    Proposed Sec. 3.108(a)(4) sets forth our approach to meeting the statutory requirement established in section 924(e) of the Public Health Service Act, 42 U.S.C. 299b-24(e), for a PSO to have an opportunity to dispute the findings of deficiency in a notice of proposed revocation and delisting.

    Absent other evidence of actual receipt, we would assume that the notice of proposed revocation and delisting has been received by a PSO five calendar days after it was sent. Under the proposed rule, unless a PSO chooses to waive its right to contest a notice of proposed revocation and delisting and so notifies the Secretary, a PSO would not need to request an opportunity to appeal a notice of proposed revocation and delisting. A PSO would automatically have 30 calendar days, beginning the day the notice is deemed to be received, to exercise its opportunity to be heard in writing. The Secretary would consider, and include in the administrative record, any written information submitted by the PSO within this 30-day period that responds to the deficiency findings in the notice of proposed revocation and delisting. If a PSO does not take advantage of the opportunity to submit a substantive response in writing within 30 calendar days of receipt of the notice of proposed revocation and delisting, the notice would become final as a matter of law at midnight of the date specified by the Secretary in the notice. The Secretary

    [[Page 8137]]

    would provide the PSO with policies and rules of procedures that govern the form or transmission of the written response to the notice of proposed revocation and delisting.

    We are considering incorporating in the final rule an exception to our proposed policy of automatically providing a PSO with a 30-day period in which to submit a written response to a notice of proposed revocation and delisting. The one exception we are considering relates to failure to meet the requirement for a minimum of two contracts. The statutory requirement is unambiguous that this requirement must be met within every 24-month period after the initial date of listing of the PSO. We propose elsewhere that a PSO submit its notification 45 calendar days early so that a period for correction can be established that concludes at midnight of the last day of the applicable 24-month period established by the statute for compliance. The Secretary would then need to receive notification from a PSO that this requirement has been met no later than midnight of that last day (see proposed Sec. 3.102(d)(1) and proposed Sec. 3.104(b)). Other than verifying that the PSO has not entered into and reported the required two bona fide contracts by midnight on the last day of the applicable 24-month period, we see no basis for a written rebuttal of such a deficiency determination. The language we are considering, therefore, would authorize the Secretary, when the basis for a notice of proposed revocation and delisting is the failure of a PSO to meet this very specific requirement, to proceed to revocation and delisting five calendar days after the notice of proposed revocation and delisting would be deemed to have been received.

    (5) Proposed Sec. 3.108(a)(5)--The Secretary's Decision Regarding Revocation

    If a written response to the deficiency findings of a notice of proposed revocation and delisting is submitted by a PSO, proposed Sec. 3.108(a)(5) provides that the Secretary will review the entire administrative record pertaining to the notice of proposed revocation and delisting and any written materials submitted by the PSO under proposed Sec. 3.108(a)(4). The Secretary may affirm, reverse, or modify the notice of proposed revocation and delisting. The Secretary will notify the PSO in writing of his decision with respect to any revocation of the acceptance of its certification and its continued listing as a PSO. (See section 924(e) of the Public Health Service Act, 42 U.S.C. 299b-24(e).)

    (B) Proposed Sec. 3.108(b)--Revocation of the Secretary's Acceptance of a PSO's Certification

    When the Secretary makes a determination to remove the listing of a PSO for cause pursuant to proposed Sec. 3.108(a), proposed Sec. 3.108(b) specifies the actions that the Secretary and the entity must take, and implements the protections that the statute affords to data submitted to such an entity.

    (1) Proposed Sec. 3.108(b)(1)--Establishing Revocation for Cause

    Under our proposal, after following the requirements of proposed Sec. 3.108(a), if the Secretary determines pursuant to paragraph (a)(5) of this section that revocation of the acceptance of a PSO's certification is warranted for failure to comply with the requirements of the Patient Safety Act, or the regulations implementing the Patient Safety Act, the Secretary would establish, and notify the PSO of, the date and time at which the Secretary will revoke the acceptance of its certification and remove the entity from the list of PSOs. The Secretary may include information in the notice on the statutory requirements, incorporated in proposed Sec. 3.108(b)(2) and Sec. 3.108(b)(4) and discussed below, that apply to the entity following the Secretary's actions, and the Secretary would provide public notice as required by proposed Sec. 3.108(d).

    (2) Proposed Sec. 3.108(b)(2)--Required Notification of Providers and Status of Data

    Proposed Sec. 3.108(b)(2) incorporates in the proposed rule the statutory requirements that are intended to ensure that providers receive a reasonable amount of notice that the PSO with which they are working is being removed from the list of PSOs (section 924(e)(2) of the Public Health Service Act, 42 U.S.C. 299b-24(e)(2)) and to clarify the status of data submitted by providers to a PSO whose listing has been revoked (section 924(f) of the Public Health Service Act, 42 U.S.C. 299b-24(f)).

    As required by the statute, within 15 calendar days of the date established in the Secretary's notification of action under paragraph (b)(1) of this section, the entity subject to proposed Sec. 3.108(b)(1) shall confirm to the Secretary that it has taken all reasonable actions to notify each provider whose patient safety work product has been collected or analyzed by the PSO that the entity has been removed from the list of PSOs. We would recommend, but do not propose to require, that PSOs make a priority of notifying providers who report most frequently to the PSO, especially providers with contracts with the PSO. These providers would need to close out any current contract they have with the PSO, determine if they wish to enter a contract with another PSO, and if so, they would need time to identify another PSO and then negotiate another contract.

    We also recognize that, even when this statutory notification requirement is met, the notification period is short. While we do not have the authority to require a PSO to undertake notification of providers more quickly than the statute specifies, we invite comment on whether there are any other steps the Secretary should take to ensure that affected providers receive timely notice. We are considering requiring notice by electronic or priority mail if no notice has been given at the end of seven days.

    Confidentiality and privilege protections that applied to patient safety work product while the former PSO was listed continue to apply after the entity is removed from listing. Furthermore, section 924(f)(1) of the Public Health Service Act, 42 U.S.C. 299b-24(f)(1) provides that data submitted to an entity within 30 calendar days of the date on which acceptance of its certification is revoked and it is removed from the list of PSOs, shall have the same status as data submitted while the entity was still listed. Thus, data that would otherwise be patient safety work product had it been submitted while the PSO was listed, will be protected as patient safety work product if submitted during this 30-day period after delisting.

    We stress that the statutory language in section 924(f)(1) of the Public Health Service Act, 42 U.S.C. 299b-24(f)(1), pertains only to data submitted to such an entity within 30 calendar days after such revocation and removal. This provision does not enable an entity that has been removed from listing to generate patient safety work product on its own pursuant to section 921(7)(A)(i)(II) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(A)(i)(II); the entity loses that authority on the effective date and time of the Secretary's action to remove it from listing.

    (3) Proposed Sec. 3.108(b)(3)--Disposition of Patient Safety Work Product and Data

    Proposed Sec. 3.108(e) incorporates in the proposed rule statutory requirements regarding the disposition of patient safety work product or data following revocation and delisting of a PSO (section 924(g) of the Public Health Service Act, 42 U.S.C. 299b-24(g)). This proposed subsection would require that the former PSO provide for the disposition of patient safety work product or data in its possession in accordance with one or more of three alternatives described in section 924(g) of the Public Health Service Act, 42 U.S.C. 299b-24(g). The three alternatives include: transfer of the patient safety work product with the approval of the source from which it was received to a PSO which has agreed to accept it; return of the patient safety work product or data to the source from which it was received; or, if return is not practicable, destruction of such work product or data.

    The text of the proposed rule refers to the ``source'' of the patient safety work product or data that is held by the former PSO, which is a broader formulation than the statutory phrase ``received from another entity.'' While the statutory requirement encompasses PSOs as well as institutional providers, we tentatively conclude that the underlying intent of this statutory provision is to require the appropriate disposition of patient safety work product from all sources, not merely institutional sources. We note that the statute, and therefore the proposed rule, permits individual providers to report data to PSOs and individual providers are able to enter the same type of ongoing arrangements, or contractual arrangements, as institutional providers. Moreover, proposed Sec. 3.108(b)(2) would require PSOs to notify all providers (individual as well as institutional providers) from whom they receive data about the Secretary's revocation and delisting decision. We preliminarily conclude, therefore, that it is consistent with the statute that a former PSO consult with all sources (individuals as well as entities) regarding the appropriate disposition of the patient safety work product or data that they supplied. Moreover, it is a good business practice. If workforce members of a former PSO retain possession of any patient safety work product, they would incur obligations and potential liability if it is impermissibly disclosed. We welcome comments on our interpretation.

    The statutory provision indicates that these requirements apply to both patient safety work product or 'data' described in 924(f)(1) of the Public Health Service Act, 42 U.S.C. 299b-24(f)(1). Subsection (f)(1), entitled 'new data' and incorporated in proposed Sec. 3.108(b)(2), describes data submitted to an entity within 30 calendar days after the entity is removed from listing as a PSO and provides that this data ``shall have the same status as data submitted while the entity was still listed.'' The proposed regulation mirrors this formulation.

    While the statute and this proposed rule would permit destruction of patient safety work product, we would encourage entities that have their listing as a PSO revoked to work with providers to ensure that patient safety work product remains available for aggregation and further analysis whenever possible, either by returning it to the provider or, with concurrence of the provider, transferring it to a PSO willing to accept it.

    The statute does not establish a time frame for a PSO subject to revocation and delisting to complete the disposition of the patient safety work product or data in its possession. We invite comment on whether we should include a date by which this requirement must be completed (for example, a specific number of months after the date of revocation and delisting).

    (C) Proposed Sec. 3.108(c)--Voluntary Relinquishment

    The statute recognizes the right of an entity to relinquish voluntarily its status as a PSO, in which case the Secretary will remove the entity from the list of PSOs. See section 924(d) of the Public Health Service Act, 42 U.S.C. 299b-24(d).

    We stress that, if the Secretary determines that an entity has relinquished voluntarily its status as a PSO and removes the entity from listing, the confidentiality and privilege protections that applied to patient safety work product while the former PSO was listed continue to apply after the entity is removed from listing.

    (1) Proposed Sec. 3.108(c)(1)--Circumstances Constituting Voluntary Relinquishment

    Proposed Sec. 3.108(c)(1) provides that an entity would be considered to have relinquished voluntarily its status as a PSO under two circumstances: when a PSO advises the Secretary in writing that it no longer wishes to be a PSO, and when a PSO permits its three-year period of listing to expire without timely submission of the required certification to the Secretary for continued listing. To ensure that such a lapse is not inadvertent, we provide in proposed Sec. 3.104(e)(2) that the Secretary would send a notice of imminent expiration to any PSO from which the Secretary has not received a certification for continued listing by the date that is 45 calendar days before the expiration of its current period of listing. This notice is intended to ensure that the PSO has sufficient time to submit a certification for continued listing if it chooses to do so and that, if a lapse occurs, it is not inadvertent.

    (2) Proposed Sec. 3.108(c)(2)--Notification of Voluntary Relinquishment

    Proposed Sec. 3.108(c)(2) would require an entity that seeks to relinquish voluntarily its status as a PSO to include attestations in its notice to the Secretary that it has made all reasonable efforts to provide for the orderly termination of the PSO. First, the PSO must attest that it has made--or will have made within 15 calendar days of the date of this notification to the Secretary--all reasonable efforts to notify organizations or individuals who have submitted data to the PSO of its intent to cease operation and to alert providers that they should cease reporting or submitting any further information as quickly as possible.

    We preliminarily conclude that, when a PSO voluntarily relinquishes its status, data submitted by providers to the entity after the date on which the Secretary removes it from listing is not patient safety work product. The statutory provision, incorporated in the proposed rule at Sec. 3.108(b)(2), that permits providers to submit data to an entity for an additional 30 days after the date of its removal from listing applies only to PSOs for which the Secretary has revoked acceptance of its certification for cause. It does not apply to a PSO that voluntarily relinquishes its status. We welcome comment on our interpretation.

    Second, the PSO would be required to attest that, in consultation with the organizations or individuals who submitted the patient safety work product in its possession, it has established--or will have made all reasonable efforts within 15 calendar days of the date of this notification to establish--a plan for the appropriate disposition of such work product, consistent to the extent possible with the statutory requirements incorporated in proposed Sec. 3.108(b)(3). Finally, the individual submitting the notification of voluntary relinquishment would provide appropriate contact information for further communications that the Secretary deems necessary.

    We caution any PSO considering voluntary relinquishment that its status remains in effect until the Secretary removes the entity from listing. The PSO's responsibilities, including those related to the confidentiality and security of the patient safety work product or data in its possession, are not discharged by the decision of a PSO to cease operations. Accordingly, we urge PSOs that are experiencing financial distress or other circumstances that may lead to voluntary relinquishment, to contact AHRQ program staff as early as possible so that the PSO's obligations can be appropriately discharged.

    (3) Proposed Sec. 3.108(c)(3)--Response to Notification of Voluntary Relinquishment

    In response to the submission of a notification of voluntary relinquishment, proposed Sec. 3.108(c)(3) provides that the Secretary would respond in writing and indicate whether the proposed voluntary relinquishment is accepted. We anticipate that the Secretary would normally approve such requests but the text provides the Secretary with discretion to accept or reject such a request from a PSO that seeks voluntary relinquishment during or immediately after revocation proceedings. Our proposal is intended to recognize that, in certain circumstances, for example, when the deficiencies of the PSO are significant or reflect a pattern of non-compliance with the Patient Safety Act or the proposed rule, the Secretary may decide that giving precedence to the revocation process may be more appropriate.

    (4) Proposed Sec. 3.108(c)(4)--Implied Voluntary Relinquishment

    Proposed Sec. 3.108(c)(4) enables the Secretary to determine that implied voluntary relinquishment has taken place if a PSO permits its period of listing to expire without receipt and acceptance by the Secretary of a certification for continued listing. In our view, the statute does not permit an entity to function as a PSO beyond its 3-year period of listing unless it has submitted, and the Secretary has accepted, a certification for a 3-year period of continued listing. To ensure that such a lapse is not inadvertent, we propose a requirement in Sec. 3.104(e)(2) that the Secretary would send a notice of imminent expiration to any PSO from which the Secretary has not received the required certification for continued listing by the date that is 45 calendar days prior to the last date of the PSO's current period of listing. Accordingly, we propose that the Secretary would determine that a PSO under these circumstances has relinquished voluntarily its status at midnight on the last day of its current period of listing, remove the entity from the list of PSOs at midnight on that day, make reasonable efforts to notify the entity in writing of the action taken, and promptly provide public notice in accordance with proposed Sec. 3.108(d).

    Under the proposed rule, the notice of delisting would request that the entity make reasonable efforts to comply with the requirements of proposed Sec. 3.108(c)(2). Compliance with these requirements in this circumstance would mean that the former PSO would be required to notify individuals and organizations that routinely reported data to the entity during its period of listing that it has voluntarily relinquished its status as a PSO and that they should no longer report or submit data, and make reasonable efforts to provide for the disposition of patient safety work product or data in consultation with the sources from which such information was received in compliance with the statutory requirements incorporated in proposed Sec. 3.108(b)(3)(i)-(iii). The former PSO would also be expected to provide appropriate contact information for further communications from the Secretary.

    We are aware that, if a PSO does not give appropriate notice to providers from which it receives data that it does not intend to seek continued listing, this could jeopardize protections for data that these providers continue to report. To address this issue, we are seeking comment in proposed Sec. 3.104(e) on a proposal that would ensure that providers have advance notice that a PSO is approaching the end of its period of listing but has not yet sought continued listing.

    (5) Proposed Sec. 3.108(c)(5)--Non-Applicability of Certain Procedures and Requirements

    Proposed Sec. 3.108(c)(5) provides that neither a decision by a PSO to notify the Secretary that it wishes to relinquish voluntarily its status as a PSO, nor a situation in which a PSO lets its period of listing lapse, constitutes a deficiency as referenced in the discussion regarding proposed Sec. 3.108(a). As a result, neither the procedures and requirements that apply to the Secretary or a PSO subject to the revocation process outlined in that proposed subsection, nor the requirements that apply to the Secretary or a PSO following action by the Secretary pursuant to proposed Sec. 3.108(b)(1), would apply in cases of voluntary relinquishment. Adoption of this proposal would mean that a PSO has no basis for appealing decisions of the Secretary in response to a request for voluntary relinquishment or challenging its removal from listing if its period of listing lapses and the Secretary determines that implied voluntary relinquishment has occurred. We specifically welcome comment on this proposal.

    (D) Proposed Sec. 3.108(d)--Public Notice of Delisting Regarding Removal From Listing

    Proposed Sec. 3.108(d) incorporates in the proposed rule the statutory requirement that the Secretary must publish a notice in the Federal Register regarding the revocation of acceptance of certification of a PSO and its removal from listing pursuant to proposed Sec. 3.108(b)(1) (see section 924(e)(3) of the Public Health Service Act, 42 U.S.C. 299b-24(e)(3)). This proposal also would require the Secretary to publish such a notice if delisting results from a determination of voluntary relinquishment pursuant to proposed Sec. 3.108(c)(3) or (c)(4). The Secretary would specify the effective date and time of the actions in these notices.

    5. Proposed Sec. 3.110--Assessment of PSO Compliance

    Proposed Sec. 3.110 provides that the Secretary may request information or conduct spot-checks (reviews or site visits to PSOs that may be unannounced) to assess or verify PSO compliance with the requirements of the statute and this proposed subpart. We anticipate that such spot checks will involve no more than 5-10% of PSOs in any year. The legislative history of patient safety legislation in the 108th and 109th Congress suggests that the Senate Health, Education, Labor and Pensions (HELP) Committee assumed that the Secretary had the inherent authority to undertake inspections as necessary to ensure that PSOs were meeting their obligations under the statute. In fact, in reporting legislation in 2004, the Senate HELP Committee justified its proposal for an expedited process for listing PSOs--that is substantially the same as the one incorporated in the Patient Safety Act that was enacted in 2005 and is incorporated in this proposed rule--on the basis that the Secretary could and would be able to conduct such inspections.

    The ability of the Secretary to ``examine any organization at any time to see whether it in fact is performing those required activities,'' the Senate HELP Committee wrote, enables the Committee to ``strike the right balance'' in adopting an expedited process for the listing of PSOs by the Secretary (Senate Report 108-196). Accordingly, we tentatively conclude that this proposed authority for undertaking inspections on a spot-check basis is consistent with Congressional intent and the overall approach of the proposed rule of using regulatory authority sparingly.

    [[Page 8140]]

    While patient safety work product would not be a focus of inspections conducted under this proposed authority, we recognize that it may not be possible to assess a PSO's compliance with required patient safety activities without access to all of a PSO's records, including some patient safety work product. This proposed section references the broader authority of the Department to access patient safety work product as part of its proposed implementation and enforcement of the Patient Safety Act.

    We also note that the inspection authority of this proposed subpart is limited to PSOs and does not extend to providers.

    6. Proposed Sec. 3.112--Submissions and Forms

    Paragraphs (a) and (b) of proposed Sec. 3.112 explain how to obtain forms and how to submit applications and other information under the proposed regulations. Also, to help ensure the timely resolution of incomplete submissions, proposed paragraph (c) of this section would provide for requests for additional information if a submission is incomplete or additional information is needed to enable the Secretary to make a determination on the submission.

  12. Subpart C--Confidentiality and Privilege Protections of Patient Safety Work Product

    Proposed Subpart C would establish the general confidentiality protections for patient safety work product, the permitted disclosures, and the conditions under which the specific protections no longer apply. The proposed Subpart also establishes the conditions under which a provider, PSO, or responsible person must disclose patient safety work product to the Secretary in the course of compliance activities, and what the Secretary may do with such information. Finally, proposed Subpart C establishes the standards for nonidentifiable patient safety work product.

    The privilege and confidentiality protections set forth in this proposed Subpart apply to the PSO framework established by the Patient Safety Act and this proposed Part, which will involve providers, PSOs, and responsible persons who possess patient safety work product. The Patient Safety Act and this proposed Subpart seek to balance key objectives. First, it seeks to address provider concerns about the potential for damage from unauthorized release of such information, including the potential for the information to serve as a roadmap for provider liability from negative patient outcomes. Second, it seeks to promote the sharing of information about adverse patient safety events among providers and PSOs for the purpose of learning from those events to improve patient safety and creating a culture of safety. To address these objectives, the Patient Safety Act established that patient safety work product would be confidential and privileged, with certain exceptions. Thus, the Patient Safety Act allows sharing of patient safety work product for certain purposes, including for patient safety activities, but simultaneously attaches strict confidentiality and privilege protections for that patient safety work product. To further strengthen the confidentiality protections, the Patient Safety Act imposes significant monetary penalties for violation of the confidentiality provisions, as set forth in proposed Subpart D.

    Moreover, patient safety work product that is disclosed generally continues to be privileged and confidential, that is, it may only be permissibly disclosed by the receiving entity or person for a purpose permitted by the Patient Safety Act and this proposed Subpart. The only way that patient safety work product is no longer confidential is if the patient safety work product disclosed is nonidentifiable or when an exception to continued confidentiality exists. See section 922(d)(2)(B) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(2)(B). A person disclosing such work product outside of these statutory permissions in violation of the Patient Safety Act and this proposed Subpart may be subject to civil money penalties.

    Proposed Sec. 3.204, among other provisions, provides that patient safety work product is privileged and generally shall not be admitted as evidence in Federal, State, local, or Tribal civil, criminal or administrative proceedings and shall not be subject to a subpoena or order, unless an exception to the privilege applies; the exceptions are discussed in proposed Sec. 3.204(b). Proposed Sec. 3.206 provides that patient safety work product is confidential and shall not be disclosed except as permitted in accordance with the disclosures described in proposed Sec. Sec. 3.206(b)-(e), 3.208 and 3.210. Under proposed Sec. 3.208, patient safety work product continues to be privileged and confidential after disclosure with certain exceptions. Under proposed Sec. 3.210, providers, PSOs, and responsible persons must disclose to the Secretary such patient safety work product as required by the Secretary for the purposes of investigating or determining compliance with this proposed Part, enforcing the confidentiality provisions, or making determinations on certifying and listing PSOs. Proposed Sec. 3.210 also provides for disclosure to the Secretary. Proposed Sec. 3.212 describes the standard for determining that patient safety work product is nonidentifiable.

    Throughout the proposed rule, the term patient safety work product means both identifiable patient safety work product and nonidentifiable patient safety work product, unless otherwise specified. In addition, if a disclosure is made by or to a workforce member of an entity, it will be considered a disclosure by or to the entity itself.

    Finally, throughout our discussion we note the relationship between the Patient Safety Act and the HIPAA Privacy Rule. Several provisions of the Patient Safety Act recognize that the patient safety regulatory scheme will exist alongside other requirements for the use and disclosure of protected health information under the HIPAA Privacy Rule. For example, the Patient Safety Act establishes that PSOs will be business associates of providers, incorporates individually identifiable health information under the HIPAA Privacy Rule as an element of identifiable patient safety work product, and adopts a rule of construction that states the intention not to alter or affect any HIPAA Privacy Rule implementation provision (see section 922(g)(3) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(3)). We anticipate that most providers reporting to PSOs will be HIPAA covered entities under the HIPAA Privacy Rule, and as such, will be required to recognize when requirements of the HIPAA Privacy Rule apply. Because this proposed rule focuses on disclosures of identifiable patient safety work product which may include protected health information, we discuss where appropriate the overlaps between the proposed Patient Safety Act permitted disclosures and the existing HIPAA Privacy Rule use and disclosure permissions.

    1. Proposed Sec. 3.204--Privilege of Patient Safety Work Product

    Proposed Sec. 3.204 describes the privilege protections of patient safety work product and when the privilege protections do not apply. The Patient Safety Act does not give authority to the Secretary to enforce breaches of privilege protections. Rather, we anticipate that the tribunals, agencies or professional disciplinary bodies before whom these proceedings take place will adjudicate the application of privilege as set forth in section 922(a)(1)-(5) of the Public Health Service Act, 42 U.S.C. 299b-22(a)(1)-(5). Even though the privilege protections will be enforced through the court systems, and not by the Secretary, we repeat the statutory privilege provisions and exceptions for convenience. We note, however, that the same exceptions are repeated in the confidentiality context, which the Secretary does enforce; so these are repeated at proposed Sec. 3.206 and such impermissible disclosure may be penalized under proposed Subpart D.

    To determine the permissible scope of disclosures under the Patient Safety Act, it is important to understand the application of the privilege protection and its exceptions described in conjunction with the related proposed confidentiality disclosures. The admission of patient safety work product as evidence in a proceeding or through a subpoena, court order or any other exception to privilege, whether permissibly or not, amounts to a disclosure of that patient safety work product to all parties receiving or with access to the patient safety work product admitted. Thus, we use the term disclosure to describe the transfer of patient safety work product pursuant to an exception to privilege, as well as to an exception to confidentiality. In addition, although the Secretary does not have authority to impose civil money penalties for violations of the privilege protection, a violation of privilege may also be a violation of the confidentiality provisions. For these reasons, we include the privilege language in the proposed implementing regulations.

    Finally, as discussed in proposed Sec. 3.204(c), we include a regulatory exception to privilege for disclosures to the Secretary for the purpose of enforcing the confidentiality provisions and for making or supporting PSO certification or listing decisions.

    (A) Proposed Sec. 3.204(a)--Privilege

    Proposed Sec. 3.204(a) would repeat the statutory language at section 922(a) of the Public Health Service Act, 42 U.S.C. 299b-22(a), establishing the general principle that patient safety work product is privileged and is not subject to Federal, State or local civil, criminal or administrative proceedings or orders; is not subject to disclosure under the Freedom of Information Act or similar Federal, State or local laws; and may not be admitted into evidence in any Federal, State or local civil, criminal or administrative proceeding or the proceedings of a disciplinary body established or specifically authorized under State law. In addition, we have clarified that patient safety work product shall be privileged and not subject to use in Tribal courts or administrative proceedings. Because the Patient Safety Act is a statute of general applicability, it applies to Indian Tribes. In addition, the application of the Federal privilege to Tribal proceedings implements the strong privilege protections intended under section 922 of the Public Health Service Act, 42 U.S.C. 299b-22. (See section 922(g)(1)-(2) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(1)-(2), preserving more stringent Federal, State, and local confidentiality laws).

    (B) Proposed Sec. 3.204(b)--Exceptions to Privilege

    Proposed Sec. 3.204(b) describes the exceptions to the privilege protection at proposed Sec. 3.204(a) that are established in section 922(c) of the Public Health Service Act, 42 U.S.C. 299b-22(c), as added by the Patient Safety Act. When the conditions set forth in proposed Sec. 3.204(b) are met, then privilege does not apply and would not prevent the patient safety work product from, for example, being entered into evidence in a proceeding or subject to discovery. In all cases, the exceptions from privilege are also exceptions from confidentiality. For proposed Sec. 3.204(b)(1)-(4) and Sec. 3.204(c), we discuss the scope of the applicable confidentiality protection in proposed Sec. 3.206(b) and Sec. 3.206(d).

    (1) Proposed Sec. 3.204(b)(1)--Criminal Proceedings

    Proposed Sec. 3.204(b)(1) would permit disclosure of identifiable patient safety work product for use in a criminal proceeding, as provided in section 922(c)(1)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(A). Such patient safety work product is not subject to the privilege prohibitions described in proposed Sec. 3.204(a) or the confidentiality protection described in proposed Sec. 3.206(a). See proposed Sec. 3.206(b)(1). Prior to a court determining that an exception to privilege applies pursuant to this provision, a court must make an in camera determination that the identifiable patient safety work product sought for disclosure contains evidence of a criminal act, is material to the proceeding, and is not reasonably available from other sources. See section 922(c)(1)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(A). We discuss in full the requirements of this disclosure under the confidentiality disclosure discussion below.

    (2) Proposed Sec. 3.204(b)(2)--Equitable Relief for Reporters

    Proposed Sec. 3.204(b)(2) permits the disclosure of identifiable patient safety work product to the extent required to carry out the securing and provision of specified equitable relief as provided for under section 922(f)(4)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(f)(4)(A). This exception is based on section 922(c)(1)(B) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(B). The Patient Safety Act permits this disclosure as an exception to privilege and confidentiality to effectuate the provision that authorizes equitable relief for an employee who has been subjected to an adverse employment action for good faith reporting of information to a PSO directly or to a provider for the intended report to a PSO. We discuss in full the requirements of this disclosure under the confidentiality disclosure discussion below.

    (3) Proposed Sec. 3.204(b)(3)--Authorized by Identified Providers

    Proposed Sec. 3.204(b)(3) describes when identifiable patient safety work product may be excepted from privilege when each of the providers identified in the patient safety work product authorizes the disclosure. This provision is based on section 922(c)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(C). Such patient safety work product is also not subject to the confidentiality protections described in proposed Sec. 3.206(a). We discuss in full the requirements of this disclosure under the confidentiality disclosure discussion below.

    (4) Proposed Sec. 3.204(b)(4)--Nonidentifiable Patient Safety Work Product

    Proposed Sec. 3.204(b)(4) permits patient safety work product to be excepted from privilege when disclosed in nonidentifiable form. This provision is based on section 922(c)(3) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(3). As with other privilege protections, we expect the tribunals for which the information is sought to adjudicate the application of this exception. We discuss in full the requirements of this disclosure in the confidentiality disclosure discussion below.

    (C) Proposed Sec. 3.204(c)--Implementation and Enforcement of the Patient Safety Act

    Proposed Sec. 3.204(c) excepts from privilege disclosures of relevant patient safety work product to or by the Secretary as needed for investigation or determining compliance with this Part

    [[Page 8142]]

    or for enforcement of the confidentiality provisions, or for making or supporting PSO certification or listing decisions, under the Patient Safety Act. We propose that the Secretary may use and disclose patient safety work product when pursuing civil money penalties for impermissible disclosures. This is a privilege exception in the same manner as exceptions listed in proposed Sec. 3.204(b), but we state it separately to provide specific emphasis for the inclusion of this exception to privilege by the Secretary for enforcement activities. This information is also a permissible disclosure under proposed Sec. 3.206(d), discussed below.

    The Patient Safety Act provides for broad privilege and confidentiality protections, as well as the authority for the Secretary to impose civil money penalties on persons who knowingly or recklessly disclose identifiable patient safety work product in violation of those protections. However, in order to perform investigations and compliance reviews to determine whether a violation has occurred, the Secretary may need to have access to privileged and confidential patient safety work product.

    We believe that Congress could not have intended that the privilege and confidentiality protections afforded to patient safety work product operate to frustrate the sole enforcement mechanism Congress provided for the punishment of impermissible disclosures and to preclude the imposition of civil money penalties. As a matter of public policy, the creation of a confidentiality protection is meaningless without the capacity to enforce a breach of those protections. For these reasons, we propose a privilege exception narrowly drawn to permit the Secretary to perform the enforcement and operational duties required by the Patient Safety Act, which include the submission of patient safety work product to administrative law judges (ALJs), the Departmental Appeals Board (Board), and the courts.

    This proposed provision would permit the disclosure of patient safety work product to the Secretary or disclosure by the Secretary so long as such disclosure is for the purpose of implementation and enforcement of these proposed regulations. Such disclosure would include the introduction of patient safety work product into proceedings before ALJs or the Board under proposed Subpart D by the Secretary, as well as the disclosure during investigations by OCR or activities in reviewing PSO certifications by AHRQ. Moreover, disclosures of patient safety work product made to the Board or other parts of the Department that are received by workforce members, such as contractors operating electronic web portals or mail sorting and paper scanning services, would be permitted as a disclosure to the Secretary under this proposed provision. This provision would also permit the Board to disclose any patient safety work product in order to properly review determinations or to provide records for court review.

    Patient safety work product disclosed under this exception remains protected by both privilege and confidentiality protections as proposed in Sec. 3.208. This exception does not limit the ability of the Secretary to disclose patient safety work product in accordance with the exceptions under proposed Sec. 3.206(b) or this Part. Rather, this proposed section provides a specific permission by which patient safety work product may be disclosed to the Secretary and the Secretary may further disclose such patient safety work product for compliance and enforcement purposes.

    We believe strongly in the protection of patient safety work product as provided in the Patient Safety Act and the proposed regulation, and seek to minimize the risk of improper disclosure of patient safety work product by using and disclosing patient safety work product only in limited and necessary circumstances. We intend that any disclosure made pursuant to this proposed provision be limited in the amount of patient safety work product disclosed to accomplish the purpose of implementation, compliance, and enforcement. Proposed Sec. 3.312 discusses the limitations on what the Secretary may do with any patient safety work product obtained pursuant to an investigation or compliance review under proposed Subpart D. As discussed in the preamble to proposed Sec. 3.312, section 922(g)(3) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(3), provides that the Patient Safety Act does not affect the implementation of the HIPAA confidentiality regulations. Accordingly, the privilege provisions in the Patient Safety Act would not bar the Secretary from introducing patient safety work product in a HIPAA enforcement proceeding.

    2. Proposed Sec. 3.206--Confidentiality of Patient Safety Work Product

    Proposed Sec. 3.206 describes the confidentiality protection of patient safety work product as well as exceptions from confidentiality protection. The following discussion generally refers to an act that falls within an exception from confidentiality as a permissible disclosure.

    (A) Proposed Sec. 3.206(a)--Confidentiality

    Proposed Sec. 3.206(a) would establish the overarching general principle that patient safety work product is confidential and shall not be disclosed. The principle applies to patient safety work product held by anyone. This provision is based on section 922(b) of the Public Health Service Act, 42 U.S.C. 299b-22(b).

    (B) Proposed Sec. 3.206(b)--Exceptions to Confidentiality

    Proposed Sec. 3.206(b) describes the exceptions to confidentiality, or the permitted disclosures. Certain overarching principles apply to the proposed confidentiality standards. First, we consider these exceptions to be ``permissions'' to disclose patient safety work product and the holder of the patient safety work product retains full discretion whether or not to disclose. Thus, similar to the disclosures permitted under the HIPAA Privacy Rule, we are defining a uniform federal baseline of protection that is enforceable by federally imposed civil money penalties. We are not encouraging or requiring disclosures, except to the Secretary as provided in this proposed rule. Therefore, a provider, PSO, or responsible person, may create confidentiality policies and procedures with respect to patient safety work product that are more stringent than these proposed rules and are free to otherwise condition the release of patient safety work product that comes within these exceptions by contract, employment relationship, or other means. See, for example, section 922(g)(4) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(4). However, the Secretary will not enforce such policies or private agreements.

    Second, when exercising the discretion to disclose patient safety work product, we encourage providers, PSOs, and responsible persons to consider the purposes for which the disclosures are made. Disclosures should be narrow and consistent with the overarching goals of the privilege and confidentiality protections, even though these protections generally continue to apply to patient safety work product after disclosure. We encourage any entity or person making a disclosure to consider both the amount of patient safety work product that is being disclosed, as well as the amount of identifiable information disclosed. Even though not required, entities or persons should attempt to disclose the amount of information commensurate with the

    [[Page 8143]]

    purposes for which a disclosure is made. We encourage the disclosure of the least amount of identifiable patient safety work product that is appropriate for the purpose of the disclosure, which might mean the disclosure of less information than all of the information that would be permitted to be disclosed under the confidentiality provisions. We also encourage the removal of identifiable information when feasible regardless of whether protection under this rule continues. While a provider, PSO, or responsible person need not designate a workforce member to determine when a disclosure of patient safety work product is permitted, such a designation may be a best practice to ensure that a disclosure complies with the confidentiality provisions, and contains the least amount of patient safety work product necessary.

    Third, we have addressed the scope of redisclosure by persons receiving patient safety work product. Persons receiving patient safety work product would only be allowed to redisclose that information to the extent permitted by the proposed regulation. For example, we propose that accrediting bodies receiving patient safety work product pursuant to the accrediting body disclosure at proposed Sec. 3.206(b)(8) may not further disclose that patient safety work product. We seek public comment on the subject of whether there are any negative implications associated with limiting redisclosures in this way.

    Additionally, agencies subject to both the Patient Safety Act and the Privacy Act, 5 U.S.C. 552a, must comply with both statutes when disclosing patient safety work product. Under the Patient Safety Act, see section 922(b) of the Public Health Service Act, 42 U.S.C. 299b-22(b), if another law, such as the Privacy Act, permits or requires the disclosure of patient safety work product, disclosure of this information would be in violation of the Patient Safety Act unless the Patient Safety Act also permits this disclosure. However, if the Privacy Act prohibits the disclosure of information that is patient safety work product, the permissible disclosure of this information under the Patient Safety Act would be in violation of the Privacy Act. Therefore, for agencies subject to both statutes, patient safety work product must be disclosed in a manner that is permissible under both statutes. The Privacy Act does permit agencies to make disclosures pursuant to established routine uses. See 5 U.S.C. 552a(a)(7); 552a(b)(3); and 552a(e)(4)(D). We recommend that Federal agencies that maintain a Privacy Act system of records containing information that is patient safety work product include routine uses that will permit disclosures allowed by the Patient Safety Act.

    Finally, for HIPAA covered entities, when individually identifiable health information is encompassed within the patient safety work product, the disclosure must also comply with the HIPAA Privacy Rule. Thus, for patient safety work product disclosures that contain individually identifiable health information, as defined in 45 CFR 160.103, we note some of the comparable HIPAA Privacy Rule permissions for consideration.

    (1) Proposed Sec. 3.206(b)(1)--Criminal Proceeding

    Proposed Sec. 3.206(b)(1) would establish the permitted criminal proceeding disclosure which parallels the privilege exception disclosure for use in a criminal proceeding, proposed Sec. 3.204(b)(1). Proposed Sec. 3.206(b)(1) would permit disclosure of identifiable patient safety work product for use in a criminal proceeding. Prior to a court determining that an exception to privilege applies pursuant to this provision, a court must make an in camera determination that the identifiable patient safety work product sought for disclosure contains evidence of a criminal act, is material to the proceeding, and is not reasonably available from other sources. See section 922(c)(1)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(A).

    After such determinations by a court, the patient safety work product may be permissibly disclosed within the criminal proceeding. This provision and these limitations are based on section 922(c)(1)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(A). When considering claims that confidentiality protection has been breached, we intend to defer to, and not review, the court's in camera determinations made in context of determining the privilege exception. The Secretary has not been authorized to enforce the underlying privilege protection or make determinations regarding its applicability. The Secretary's authority is limited to investigating and enforcing violations of the confidentiality protections parallel to this privilege exception at proposed Sec. 3.206(b)(1).

    The Patient Safety Act establishes that patient safety work product, once disclosed, will generally continue to be privileged and confidential as discussed in proposed Sec. 3.208. See section 922(d)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(1). However, the Patient Safety Act limits the continued protection of the specific patient safety work product disclosed for use in a criminal proceeding. Patient safety work product disclosed for use in a criminal proceeding continues to be privileged and cannot be reused as evidence or in any context prohibited by the privilege protection, but is no longer confidential. See section 922(d)(2)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(2)(A). For example, law enforcement personnel who obtain patient safety work product used in a criminal proceeding may further disclose that patient safety work product because the confidentiality protection does not apply. However, if law enforcement sought to enter the information into another criminal proceeding, it would need a new in camera determination for the new criminal proceeding. For a further discussion of continued confidentiality, see discussion of proposed Sec. 3.208 below.

    For entities that are subject to the HIPAA Privacy Rule and this Part, disclosures must conform to 45 CFR 164.512(e) of the HIPAA Privacy Rule. We expect that court rulings following an in camera determination would be issued as a court order, which would satisfy the requirements of 45 CFR 164.512(e). So long as such legal process is in compliance with 45 CFR 164.512(e), the disclosure would be permissible under the HIPAA Privacy Rule.

    (2) Proposed Sec. 3.206(b)(2)--Equitable Relief for Reporters

    Proposed Sec. 3.206(b)(2) would permit the disclosure of identifiable patient safety work product to the extent required to carry out equitable relief as provided for under section 922(f)(4)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(f)(4)(A). See section 922(c)(1)(B) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(B). This proposed provision parallels the privilege exception to carry out equitable relief at proposed Sec. 3.204(b)(2). The Patient Safety Act permits this disclosure to effectuate the provision that authorizes an employee to seek redress for adverse employment actions for good faith reporting of information to a PSO directly or to a provider with the intended disclosure to a PSO.

    The Patient Safety Act prohibits a provider from taking an adverse employment action against an individual who, in good faith, reports information to the provider for subsequent reporting to a PSO, or to a PSO directly. See section 922(e)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(e)(1). Adverse employment actions are described at section 922(e)(2)

    [[Page 8144]]

    of the Public Health Service Act, 42 U.S.C. 299b-22(e)(2), and include loss of employment, failure to promote, or adverse evaluations or decisions regarding credentialing or licensing. The Patient Safety Act provides adversely affected reporters a civil right of action to enjoin such adverse employment actions and obtain other equitable relief, including back pay or reinstatement, to redress the prohibited actions. As part of that right to seek equitable relief, the Patient Safety Act provides that patient safety work product is not subject to the privilege protections described in section 922(a) of the Public Health Service Act, 42 U.S.C. 299b-22(a), and as similarly described in proposed Sec. 3.204(a), or to the confidentiality protection in section 922(b) of the Public Health Service Act, 42 U.S.C. 299b-22(b), and as similarly described in proposed Sec. 3.206(a), to the extent such patient safety work product is necessary to carry out the equitable relief.

    Although such disclosure is excepted from both confidentiality and privilege as to efforts to seek equitable relief, the identifiable patient safety work product remains subject to confidentiality and privilege protection in the hands of all subsequent holders and the protections apply to all subsequent potential disclosures. See section 922(d)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(1). Thus, even though the reporter is afforded discretion to disclose the relevant patient safety work product to seek and obtain equitable relief, all subsequent holders receiving the patient safety work product from the reporter are bound by the continued privilege and confidentiality protections.

    Thus, this provision would allow the reporter seeking equitable relief from an adverse employment action to include patient safety work product in briefs and in open court. To protect the patient safety work product as much as possible in these circumstances, we could condition the disclosure of identifiable patient safety work product in these circumstances on a party's, most likely the reporter's, obtaining of a protective order in these types of proceedings. Such a protective order could take many forms that preserve the confidentiality of patient safety work product. For example, it could limit the use of the information to case preparation, but not make it evidentiary. Such an order might prohibit the disclosure of the patient safety work product in publicly accessible proceedings and in court records to prevent liability from moving to a myriad of unsuspecting parties (for example, parties in a courtroom may not know that they may be liable for civil money penalties if they share the patient safety work product they hear). We solicit comments on whether a protective order should be a condition for this disclosure, imposed by regulation, or whether instead we should require a good faith effort to obtain a protective order as a condition for this disclosure and use our enforcement discretion to consider whether to assess a penalty for anyone who cannot obtain such an order and thus breaches the statutory continued confidentiality protection of this information. See discussion below at proposed Sec. 3.402(a).

    We also address the intersection of the HIPAA Privacy Rule herein because identifiable patient safety work product may contain individually identifiable health information and be sought for disclosure under this exception from a HIPAA covered entity or that HIPAA covered entity's business associate. Under the HIPAA Privacy Rule at 45 CFR 164.512(e), when protected health information is sought to be disclosed in a judicial proceeding via subpoenas and discovery requests without a court order, the disclosing HIPAA covered entity must seek satisfactory assurances that the party requesting the information has made reasonable efforts to provide written notice to the individual who is the subject of the protected health information or to secure a qualified protective order. A protective order that meets the qualified protective order under 45 CFR 164.512(e) would be permissible under the HIPAA Privacy Rule and render a disclosure under this exception in compliance with the HIPAA Privacy Rule.

    (3) Proposed Sec. 3.206(b)(3)--Authorized by Identified Providers

    Proposed Sec. 3.206(b)(3) would establish a permitted disclosure parallel to the privilege exception at proposed Sec. 3.204(b)(3), when each of the providers identified in the patient safety work product authorizes the disclosure in question. This provision is based on section 922(c)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(C). In these circumstances, patient safety work product may be disclosed, notwithstanding the privilege protections described in proposed Sec. 3.204(a) or the confidentiality protections described in proposed Sec. 3.206(a). However, patient safety work product disclosed under this exception continues to be confidential pursuant to the continued confidentiality provisions at section 922(d)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(1), and persons are subject to liability for further disclosures in violation of that confidentiality.

    This exception applies to patient safety work product that contains identifiable provider information. Under the proposed language, each provider identified in the patient safety work product sought to be disclosed must separately authorize the disclosure. For example, if patient safety work product sought to be disclosed by an entity or person pursuant to this exception describes an incident involving three physicians, each physician would need to authorize disclosure of the patient safety work product, in order for the entity or person to disclose it. Making information regarding one provider nonidentifiable in lieu of obtaining an authorization is not sufficient.

    We considered whether the rule should allow a provider to nonidentify the patient safety work product with respect to a nonauthorizing provider and disclose the patient safety work product with respect to the remaining authorizing providers. However, we rejected that approach as being impracticable. In light of the contextual nonidentification standard proposed in Sec. 3.212, it would seem that there would be very few, if any, situations in which a nonauthorizing provider could be nonidentified without also needing to nonidentify, or nearly so, an authorizing provider in the same patient safety work product. Unless we adopt a less stringent nonidentification standard, disclosing persons can either totally nonidentify patient safety work product and disclose under proposed Sec. 3.206(b)(5), or disclose the patient safety work product only if all identified providers in patient safety work product authorize its disclosure.

    When all identified providers authorize the disclosure of patient safety work product, the Patient Safety Act permits such disclosure, but remains silent about the identification of patients or reporters in such patient safety work product. As to other persons that make patient safety work product identifiable, i.e., patients and reporters, the Patient Safety Act does not provide a separate right of authorization. However, as one of the core principles underlying the Patient Safety Act is the protection of the privacy and confidentiality concerns of certain persons in connection with specific patient safety work product (i.e., providers, patients and reporters), we encourage persons disclosing patient safety work product to exercise discretion in the scope of patient safety work product disclosed, even though neither patient nor reporter authorization is required. Disclosers are

    [[Page 8145]]

    encouraged to consider whether the disclosure of identifying information regarding patients and reporters is necessary to accomplish the particular purpose of the disclosure. As discussed below, if the disclosing entity is a HIPAA covered entity, the HIPAA Privacy Rule, including the minimum necessary standard when applicable, would apply to the disclosure of protected health information contained within the patient safety work product. We seek public comment as to whether the proposed approach is sufficient to protect the interests of reporters and patients identified in the patient safety work product permitted to be disclosed pursuant to identifiable provider authorizations. Does this approach sufficiently balance the interests of the patients and reporters and their confidentiality versus the purposes for which the providers are authorizing the disclosures?

    The Patient Safety Act does not specify the form of the authorization by a provider to come within this disclosure exception or a timeframe for recordkeeping. We propose that an authorization be in writing, be signed by the authorizing provider, and give adequate notice to the provider of the nature and scope of the disclosures authorized. The content of the authorization should fairly inform the provider as to the nature and scope of the identifiable patient safety work product to be disclosed to ensure the provider is making a knowing authorization. We do not intend that each authorization identify the specific patient safety work product to be disclosed. Such a requirement would be unworkable in complex health care arrangements existing today. Rather, an authorization can be general, (e.g., referring to categories of patient safety work product) and even to patient safety work product to be created in the future, so long as the authorization can be determined to have reasonably informed the authorizing provider of the scope of the authorized disclosure. The authorization requirement also enables providers to place limits on disclosures made pursuant to this proposed exception regarding patient safety work product identifying the provider. Any disclosure must be made in accordance with the terms of the signed authorization, but we do not require that any specific terms be included, only that such terms regarding the scope of the authorized disclosure of patient safety work product be adhered to. We seek public comment on whether a more stringent standard would be prudent and workable, such as an authorization process that is disclosure specific (i.e., no future application or a one time disclosure only authorization).

    We also propose that any authorization be maintained by the disclosing entity or person for a period of six years from the date of the last disclosure made in reliance on the authorization, the limit of time within which the Secretary must initiate an enforcement action. While we recognize that a prudent person disclosing patient safety work product under this disclosure will likely maintain records in order to support a claim that such disclosure was permissible, nonetheless we require a six year retention of authorizations so that, if challenged, the Secretary may examine authorizations to determine whether a disclosure was valid pursuant to this disclosure provision. While we would not be monitoring or penalizing a person for lack of maintenance of an authorization, the failure to present a valid authorization will raise significant concerns regarding the permissibility of a disclosure pursuant to this permission.

    With respect to compliance with the HIPAA Privacy Rule for patient safety work product that contains individually identifiable health information, authorization by a provider pursuant to this permitted disclosure does not permit a HIPAA covered entity or such a HIPAA covered entity's business associate to release such protected health information contained in the patient safety work product under the HIPAA Privacy Rule. Therefore, either the individually identifiable health information must be de-identified or the release of the individually identifiable health information must otherwise be permitted under the HIPAA Privacy Rule. Because this disclosure does not limit the purposes for which identifiable patient safety work product may be released with the provider's authorization, a HIPAA covered entity would need to review releases on a case-by-case basis to determine if there is an applicable provision in the HIPAA Privacy Rule that would otherwise permit such disclosure.

    (4) Proposed Sec. 3.206(b)(4)--Patient Safety Activities

    Section 922(c)(2)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(A), permits the disclosure of identifiable patient safety work product for patient safety activities. Proposed Sec. 3.206(b)(4) permits the disclosure of identifiable patient safety work product for patient safety activities (i) by a provider to a PSO or by a PSO to that disclosing provider; or (ii) by a provider or a PSO to a contractor of the provider or PSO; or (iii) by a PSO to another PSO or to another provider that has reported to the PSO, or by a provider to another provider, provided, in both cases, certain direct identifiers are removed. Patient safety activities are the core mechanism by which providers may disclose patient safety work product to obtain external expertise from PSOs. PSOs may aggregate information from multiple providers, and communicate feedback and analyses to providers. Ultimately, it is through such communications that much of the improvement in patient safety may occur. Thus, the rule needs to facilitate the communication between a provider and one or more PSOs.

    To further this essential statutory purpose, we propose to allow providers to disclose identifiable patient safety work product to PSOs; one of the ways that information can become patient safety work product is through reporting of it to a PSO. We also propose to allow PSOs to reciprocally disclose patient safety work product back to such providers for patient safety activities. This free flow of information will ensure that the statute's goals of collecting, aggregating, and analyzing patient safety event information as well as disseminating recommendations for safety and quality improvements are achieved. Such a dialogue will allow both providers and PSOs to take a shared role in the advancement of patient safety improvements.

    In addition, we recognize that there may be situations where providers and PSOs want to engage contractors who are not agents to carry out patient safety activities. Thus, the proposal would allow disclosures by providers to their contractors who are not workforce members and by PSOs to their contractors who are not workforce members. Contractors may not further disclose patient safety work product, except to the entity from which they first received the information. We note that this limitation does not preclude a provider or PSO from exercising its authority under section 922(g)(4) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(4), to separately delegate its power to the contractor to make other disclosures. Although we do not require a contract between a provider or PSO and its contractor, we expect that most providers and PSOs will engage in prudent practices when disclosing confidential patient safety work product for patient safety activities, (i.e., ensuring such information is narrowly used by the contractor solely for the purpose for which disclosed and

    [[Page 8146]]

    adequately protected from wrongful disclosure).

    While the permission allows the necessary communication as between a single provider and its PSO, such exchanges may not be sufficient. It is possible to conceive of meaningful patient safety activities occurring between two PSOs or between a PSO and a provider that is different than the original reporting provider, or between two providers. For example, PSOs may be able to more effectively aggregate patient safety work product if such expanded sharing of information is permitted. Aggregation may help PSOs pool sufficient information to achieve contextual nonidentification, in accordance with Sec. 3.212(a)(ii), but keep meaningful data in the information when disclosing to the network of patient safety databases contemplated in section 923 of the Public Health Service Act, 42 U.S.C. 299b-23. Providers may be able to collaborate and learn more efficiently about patient safety solutions if such sharing is permitted. At the same time, we are concerned that, without any limitation on such sharing, providers may be not only reluctant to disclose patient safety work product, but also potentially reticent to participate at all in patient safety activities, given the sensitive nature of the information, and the potential lack of certainty with respect to where the information might ultimately be disclosed.

    Balancing these concerns, we are proposing that other than the reporting relationship between a provider and a PSO, PSOs be permitted to disclose patient safety work product to other PSOs or to other providers that have reported to the PSO, and providers be permitted to make disclosures to other providers, for patient safety activities, with provider and reporter identifiers in an anonymized (i.e., with certain direct identifiers removed, but not nonidentifiable under the proposed rule) or encrypted but not fully nonidentified form. For patient identifiers, the HIPAA Privacy Rule limited data set standard would apply. See 45 CFR 164.514(e). To anonymize the provider or reporter identifiers in the patient safety work product, the disclosing entity must remove the following direct identifiers of any providers and of affiliated organizations, corporate parents, subsidiaries, practice partners, employers, members of the workforce, or household members of such providers: (1) Names; (2) Postal address information, other than town or city, State and zip code; (3) Telephone numbers; (4) Fax numbers; (5) Electronic mail addresses; (6) Social security numbers or taxpayer identification numbers; (7) Provider or practitioner credentialing or DEA numbers; (8) National provider identification number; (9) Certificate/license numbers; (10) Web Universal Resource Locators (URLs); (11) Internet Protocol (IP) address numbers; (12) Biometric identifiers, including finger and voice prints; and (13) Full face photographic images and any comparable images. Removal of such identifiers may be absolute or may be done through encryption, provided that the disclosing entity does not disclose the key to the encryption or the mechanism for re-identification.

    We have not proposed an unrestricted disclosure of identifiable patient safety work product to any person for patient safety activities. It is our understanding that disclosures to persons other than those proposed above do not need identifiable patient safety work product and that sufficient information may be communicated with nonidentifiable patient safety work product; we seek comment on this issue. Similarly, we recognize that nonidentifiable patient safety work product may have more limited usefulness due to the removal of key elements of identification; however, we have no basis for opening the patient safety activity disclosure permission further without specific examples of beneficial disclosures prohibited by our proposal.

    The exchange of patient safety work product for patient safety activities permits extensive sharing among both providers and PSOs interested in improving patient safety. As patient safety work product is disclosed, however, it continues to be protected by the confidentiality provisions. The permission allows continual exchange of information without breach of confidentiality. At any time and as needed, information may be nonidentified, and the patient safety activities disclosure may be employed for this purpose.

    Moreover, providers and PSOs are capable of imposing greater confidentiality requirements for the future use and disclosure of the patient safety work product through private agreements (see section 922(g)(4) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(4)). However, we note that the government would not be permitted to apply civil money penalties under this Part based on a violation of a private agreement that was not a violation of the confidentiality provisions.

    Compliance With the HIPAA Privacy Rule

    With respect to compliance with the HIPAA Privacy Rule, the Patient Safety Act establishes that PSOs shall be treated as business associates; and patient safety activities performed by, or on behalf of, a covered provider by a PSO are deemed health care operations as defined by the HIPAA Privacy Rule. A HIPAA covered entity is permitted to use or disclose protected health information as defined at 45 CFR 160.103 without an individual's authorization for its own health care operations and, in certain circumstances (which would include patient safety activities), for the health care operations of another HIPAA covered entity (e.g., HIPAA covered provider) under 45 CFR 164.506. To share protected health information with another HIPAA covered entity for that entity's health care operations, both HIPAA covered entities must share a patient relationship with the individual who is the subject of the protected health information and the protected health information that is shared must pertain to that relationship.

    In addition, in cases where providers and PSOs share anonymized patient safety work product, providers may disclose a limited data set of patient information. Under 45 CFR 164.514(e)(3), a HIPAA covered entity may use or disclose a limited data set for the purpose of health care operations, including patient safety activities. Such disclosures, however, must be accompanied by a data use agreement, ensuring that the limited data set recipient will only use or disclose the protected health information for limited purposes. See 45 CFR 164.514(e)(4).

    We seek comment regarding whether the HIPAA Privacy Rule definition for health care operations should contain a specific reference to patient safety activities conducted pursuant to this regulatory scheme. A health care provider that is a HIPAA covered entity may not disclose identifiable patient safety work product that is protected health information to a PSO unless that PSO is performing patient safety activities (as a health care operation) for that provider. Under this exception for patient safety activities, a health care provider that is a HIPAA covered entity may disclose identifiable patient safety work product that is protected health information to another provider (1) for the sending provider's patient safety activities; (2) for the patient safety activities of an organized health care arrangement (OHCA) (as defined at 45

    [[Page 8147]]

    CFR 160.103) if both the sending and receiving provider participate in the OHCA; or (3) to another provider for the receiving provider's patient safety activities if the protected health information relates to a common patient (including to determine that there is a common patient). We further seek comment regarding whether the provision permitting the disclosure of protected health information for health care operations at 45 CFR 164.506 should be modified to conform to the patient safety work product disclosures for patient safety activities set forth herein.

    (5) Proposed Sec. 3.206(b)(5)--Disclosure of Nonidentifiable Patient Safety Work Product

    Proposed Sec. 3.206(b)(5) permits the disclosure of nonidentifiable patient safety work product when the patient safety work product meets the standard for nonidentification in proposed Sec. 3.212. This implements section 922(c)(2)(B) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(B). Under proposed Sec. 3.206(b)(5), nonidentifiable patient safety work product may be disclosed by any entity or person that holds the nonidentifiable patient safety work product without violating the confidentiality provisions. Moreover, any provider, PSO or responsible person may nonidentify patient safety work product. As described in proposed Sec. 3.208(b)(ii), nonidentifiable patient safety work product, once disclosed, loses its privilege and confidentiality protection. Thus, it may be redisclosed by its recipient without any Patient Safety Act limitations.

    Nonidentification Standard

    The nonidentification standard is proposed at Sec. 3.212. However, we will discuss that standard at this point in the preamble due to its connection with the disclosure permission for nonidentifiable patient safety work product at proposed Sec. 3.206(b)(5). Proposed Sec. 3.212 would establish the standard by which patient safety work product will be determined nonidentifiable. The determination of what constitutes nonidentifiable patient safety work product is important because the standard for nonidentification effectively creates the boundary between protected and unprotected patient safety work product.

    Under the Patient Safety Act and this Part, identifiable patient safety work product includes information that identifies any provider or reporter or contains individually identifiable health information under the HIPAA Privacy Rule (see 45 CFR 160.103). See section 921(2) of the Public Health Service Act, 42 U.S.C. 299b-21(2). By contrast, nonidentifiable patient safety work product does not include information that permits identification of any provider, reporter or subject of individually identifiable health information. See section 921(3) of the Public Health Service Act, 42 U.S.C. 299b-21(3).

    Because individually identifiable health information as defined in the HIPAA Privacy Rule is one element of identifiable patient safety work product, the de-identification standard provided in the HIPAA Privacy Rule applies with respect to the patient-identifiable information in the patient safety work product. Therefore, where patient safety work product contains individually identifiable health information, that information must be de-identified in accordance with 45 CFR 164.514(a)-(c) to qualify as nonidentifiable patient safety work product with respect to individually identifiable health information under the Patient Safety Act.

    We propose that patient safety work product be contextually nonidentifiable in order to be considered nonidentifiable for the purposes of this rule. Contextual nonidentification of both providers and reporters would match the standard of de-identification in the HIPAA Privacy Rule. We are proposing two methods by which nonidentification can be accomplished which are similar to the standards for de-identification under the HIPAA Privacy Rule: (1) A statistical method of nonidentification and (2) the removal of 15 specified categories of direct identifiers of providers or reporters and of parties related to the providers and reporters, including corporate parents, subsidiaries, practice partners, employers, workforce members, or household members, and that the discloser have no actual knowledge that the remaining information, alone or in combination with other information reasonably available to the intended recipient, could be used to identify any provider or reporter (i.e., a contextual nonidentification standard).

    In proposed Sec. 3.212(a)(1), the first method for rendering patient safety work product nonidentifiable with respect to a provider or reporter, we propose that patient safety work product can be nonidentified if a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an identified provider or reporter.

    We believe that this method of nonidentification may sometimes be preferable to the safeharbor method proposed in Sec. 3.212(a)(2) discussed below and may be especially useful when aggregating data for populating the network of patient safety databases referenced in section 923 of the Public Health Service Act, 42 U.S.C. 299b-23. Under this proposal, if a statistician makes a determination as described above and documents the analysis, patient safety work product could be labeled as nonidentifiable even though it contains detailed clinical information and some potentially identifiable information such as zip codes.

    In proposed Sec. 3.212(a)(2), the second method for rendering patient safety work product nonidentifiable with respect to a provider or reporter, we outline a process as a safeharbor requiring that the disclosing entity remove a list of specific typical identifiers and have no actual knowledge that the information to be disclosed could be used, alone or in combination with other information that is reasonably available to the intended recipient, to identify the particular provider or reporter. We have limited the knowledge component to that which is known to be reasonably available to the intended recipient in order to provide data custodians with a workable knowledge standard. With the contextual nonidentification standard in place, providers will have the most confidence that their identities will not be derived from nonidentifiable information and will be more likely to participate in the program. Moreover, requiring that patient safety work product be contextually nonidentifiable is consistent with the de-identification standard for patient identities, as described above.

    We recognize that the more stringent the nonidentifiable patient safety work product standard is, the more cost, burden, and risk of error in nonidentification there will be to the disclosing entity. We also acknowledge that our proposal introduces uncertainty and subjectivity into the standard, making it a harder standard to enforce. The proposed standard may require the removal of more clinical and demographic information than would be removed in the absence of the contextual nonidentification requirement, and the resulting information would likely be less useful

    [[Page 8148]]

    to a recipient. This outcome would particularly impact the network of patient safety databases of nonidentifiable patient safety work product to be established under section 923 of the Public Health Service Act, 42 U.S.C. 299b-23. In particular, the information that ultimately resides in the network may have reduced utility and a reduced capacity to contribute to the evaluation of patient safety issues.

    To mitigate these concerns, this standard would work in conjunction with a separate permission for sharing identifiable patient safety work product through the patient safety activities disclosure. Disclosures as patient safety activities should enable the aggregation of sufficient patient safety work product to allow contextual nonidentification without the removal of all important specific clinical and demographic details. We invite comment on the proposed standards and approaches. For example, we are interested in knowing whether, under a contextual nonidentification standard, it is possible to have any geographical identifiers; and if so, at what level of detail (state, county, zip code). We are also interested in public comments regarding whether there are alternative approaches to standards for entities determining when health information can reasonably be considered nonidentifiable.

    Re-identification

    We permit a provider, PSO, or other disclosing entity or person to assign a code or other means of record identification to allow information made nonidentifiable to be re-identified by the disclosing person, provided certain conditions that further the goal of confidentiality are met regarding such code or other means of record identification. Further, a discloser may not release any key or other information that would enable a recipient to re-identify any provider or reporter or subject of individual identifiable health information. We propose to permit a re-identification mechanism to facilitate follow-up inquiries regarding, and analysis of, nonidentified patient safety work product that has been disclosed, such as from users of the network of patient safety databases when analyzing national and regional statistics. Such keys would not be for the purpose of permitting re-identification of patient safety work product obtained through the network of databases. Rather, such keys would facilitate the investigation of data anomalies reported to the network, correction of nonidentifiable records, and the potential to avoid duplicate records when richer information may be made available due to aggregation. Finally, with respect to HIPAA compliance, we note that, because nonidentified patient safety work product will, by definition, be de-identified information under the HIPAA Privacy Rule, a disclosure under Sec. 3.206(b)(5) will not violate the HIPAA Privacy Rule.

    (6) Proposed Sec. 3.206(b)(6)--For Research

    Proposed Sec. 3.206(b)(6) describes the disclosure of identifiable patient safety work product to entities carrying out research, evaluations, or demonstration projects that are funded, certified, or otherwise sanctioned by rule or other means by the Secretary. This disclosure is not for general research. Any research for which patient safety work product is disclosed under this exception must be sanctioned by the Secretary. See section 922(c)(2)(C) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(C). Research that is not sanctioned by the Secretary is insufficient to be a basis for the disclosure of patient safety work product under this exception. Further, although disclosure can be made for any research, evaluation, or demonstration project sanctioned by the Secretary, we expect that most research that may be subject to this disclosure permission will be related to the methodologies, analytic processes, and interpretation, feedback and quality improvement results from PSOs, rather than general medical, or even health services, research. Patient safety work product disclosed for research under this provision continues to be confidential and privileged.

    Section 922(c)(2)(C) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(C), requires that patient safety work product which identifies patients may only be released to the extent that protected health information would be disclosable for research purposes under the HIPAA Privacy Rule. Under 45 CFR 164.512(i), a HIPAA covered entity may use or disclose protected health information for research, without the individual's authorization, provided that there is a waiver (or alteration of waiver) of authorization by either an Institutional Review Board (IRB) or a Privacy Board. The IRB/Privacy Board evaluates the request against various criteria that measure the privacy risk to the individuals who are the subjects of the protected health information.\17\ The HIPAA Privacy Rule only operates with respect to the identifiable health information of patients when held by a HIPAA covered entity or its business associate, and does not address the rights of individuals who may otherwise be the subject of the research.

    \17\ The following are the waiver criteria at 45 CFR 164.512(i)(2)(ii):

    (A) The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:

    1. An adequate plan to protect the identifiers from improper use and disclosure;

    2. An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and

    3. Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;

    (B) The research could not practicably be conducted without the waiver or alteration; and

    (C) The research could not practicably be conducted without access to and use of the protected health information.

    We tentatively conclude that the language in the Patient Safety Act that applies the exception ``to the extent that disclosure of protected health information would be allowed for research purposes under the HIPAA [Privacy Rule]'' is intended to apply the HIPAA Privacy Rule research provisions at 45 CFR 164.512(i) only to HIPAA covered entities when they release identifiable patient safety work product containing protected health information for research. This interpretation would result in the HIPAA Privacy Rule research standards being preserved in their application to HIPAA covered entities without burdening non-covered entities with HIPAA compliance.

    We note that our interpretation of section 922(c)(2)(C) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(C), is not a bar to the disclosure of identifiable patient safety work product by entities or persons that are not HIPAA covered entities. We further note that for providers, reporters and other persons identified in patient safety work product disclosed for research purposes, the Common Rule, which is applicable to research conducted or supported by the Secretary, and the FDA human subjects protection regulations will provide appropriate protections to any natural persons who would be deemed subjects of the research.

    With regard to research, the incorporation by reference of the HIPAA Privacy Rule should provide for the proper alignment of disclosures for research purposes. However, the exception under the Patient Safety Act also refers to evaluations and demonstration projects. Some of these activities may meet the definition of research under the HIPAA Privacy Rule, while other activities may not result in generalizable knowledge, but may

    [[Page 8149]]

    nonetheless meet the definition of health care operations under the HIPAA Privacy Rule. Where the disclosure of protected health information for evaluations and demonstration projects is permitted as health care operations under the HIPAA Privacy Rule, HIPAA covered entities disclosing patient safety work product that includes protected health information under this exception could do so without violation of the HIPAA Privacy Rule.

    (7) Proposed Sec. 3.206(b)(7)--To the Food and Drug Administration

    Section 922(c)(2)(D) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(D) permits the disclosure by a provider to the FDA with respect to a product or activity regulated by the FDA. Proposed Sec. 3.206(b)(7) permits the disclosing by providers of patient safety work product concerning products or activities regulated by the Food and Drug Administration (FDA) to the FDA or to an entity required to report to the FDA concerning the quality, safety, or effectiveness of an FDA-regulated product or activity. For example, hospitals and health care professionals may disclose patient safety work product concerning the safety of drugs, medical devices, biological products, and dietary supplements, or vaccine and medical device adverse experiences to the FDA as part of an FDA monitoring or alert system. The proposed provision also permits sharing between the FDA, entities required to report to the FDA concerning the quality, safety, or effectiveness of an FDA-regulated product or activity, and their contractors for the same purposes. Patient safety work product disclosed pursuant to this disclosure permission continues to be confidential and privileged.

    The FDA has monitoring and alert systems in place to assure the safety of FDA regulated products. These systems rely heavily on voluntary reports from providers, such as hospitals and health care professionals. Most reports that hospitals and health care professionals make directly to the FDA today concerning drugs, medical devices, biological products, and dietary supplements are voluntary, although health care professionals are required to report to the FDA certain vaccine adverse experiences, and user facilities such as hospitals must report to FDA some medical device adverse experiences. Manufacturers of drugs, devices, and biological products are required to report to the FDA concerning adverse experiences, but the manufacturers themselves must rely on information provided voluntarily by product users, including hospitals and health care professionals. There are three provisions of the Patient Safety Act that are implicated for reporting to the FDA: (1) The disclosure for reporting to the FDA (section 922(c)(2)(D) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(D)); (2) the clarification as to what is not patient safety work product which states that information ``collected, maintained, or developed separately, or [that] exists separately, from a [patient safety evaluation system]'' is not patient safety work product, and which, accordingly, can be reported for public health purposes (section 921(7)(B) of the Public Health Service Act, 42 U.S.C. 299b-21(7)(B)); and (3) the rule of construction which preserves required reporting to the FDA (section 922(g)(6) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(6)).

    The FDA disclosure provision at proposed Sec. 3.206(b)(7) would be applicable when patient safety work product is at issue. For example, the analysis of events by the provider or PSO that constitutes patient safety work product may generate information that should be reported to the FDA because it relates to the safety or effectiveness of an FDA-regulated product or activity. The exception would allow this patient safety work product to be disclosed to the FDA. Privilege and confidentiality protections would attach to the patient safety work product disclosed when received by FDA and continue to apply to any future disclosures by the FDA.

    We tentatively conclude that the statutory language concerning reporting ``to the FDA'' includes reporting by the provider to the persons or entities regulated by the FDA and that are required to report to the FDA concerning the quality, safety, or effectiveness of an FDA-regulated product or activity. We propose this interpretation to allow providers to report to manufacturers who are required to report to the FDA, such as drug manufacturers, without violating this rule. This interpretation reflects both the rule of construction which preserves required reporting to the FDA and the goals of this statute which are to improve patient safety.

    We further propose at Sec. 3.206(b)(7)(ii) that the FDA and entities required to report to the FDA may only further disclose patient safety work product for the purpose of evaluating the quality, safety, or effectiveness of that product or activity; such further disclosures are only permitted between the FDA, entities required to report to the FDA, their contractors, and disclosing providers. This permission is crucial to the effective operation of the FDA's activities and to facilitate the purpose for which the report was made initially. Thus, the FDA or a drug manufacturer receiving adverse drug event information that is patient safety work product may engage in further communications with the disclosing provider(s), for the purpose of evaluating the quality, safety, or effectiveness of the particular regulated product or activity, or may work with their contractors. Moreover, an entity regulated by the FDA may further disclose the information to the FDA; without this provision, such reporting would not meet the regulatory intent that disclosures be to the FDA and a narrow interpretation could impede the FDA's ability to effectuate improvements through the use of patient safety work product.

    We recognize that there may be situations where the FDA or entities required to report to the FDA want to engage contractors who are not agents for the purpose of evaluating the quality, safety, or effectiveness of that product or activity. Thus, the proposal would allow disclosures to contractors who are not workforce members. Contractors may not further disclose patient safety work product, except to the entity from which they first received the information.

    Because Congress did not expressly include disclosure to FDA-regulated entities, we seek public comment on our proposal related to this interpretation of section 922(c)(2)(D) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(D). In particular, we question whether this interpretation will cause any unintended consequences to disclosing providers.

    The HIPAA Privacy Rule at 45 CFR 164.512(b) permits HIPAA covered entities to disclose protected health information concerning FDA-regulated activities and products to persons responsible for collection of information about the quality, safety, and effectiveness of those FDA-regulated activities and products. Therefore, disclosures under this exception of patient safety work product containing protected health information would be permitted under the HIPAA Privacy Rule.

    (8) Proposed Sec. 3.206(b)(8)--Voluntary Disclosure to an Accrediting Body

    Proposed Sec. 3.206(b)(8) permits the voluntary disclosure of identifiable patient safety work product by a provider to an accrediting body that accredits the disclosing provider. Voluntary means not compelled, a disclosure that the provider affirmatively chose to make. Patient

    [[Page 8150]]

    safety work product disclosed pursuant to this proposed exception continues to be privileged and confidential.

    Under this proposed disclosure, the identifiable patient safety work product that would be permitted to be disclosed must identify the disclosing provider, given the Patient Safety Act's explicit linkage of the disclosing provider to a body that accredits that specific provider in this permitted disclosure. We believe that the only information that would be relevant to that provider's accreditation would be information about the disclosing provider (i.e., actions or inactions of the disclosing provider), and not information about the provider's colleagues or any other accredited provider. Thus, a provider may not use this exception to disclose patient safety work product that is unrelated to the actual actions of the disclosing provider, such as information about the provider's colleagues or any other accredited individual or entity.

    An issue arises concerning the identities of other providers, reporters, or patients contained within the disclosed patient safety work product. We considered whether to require the patient safety work product to be nonidentifiable as to providers other than the disclosing provider, since incidental disclosures of patient safety work product identifying other providers, especially if they were also accredited by the same accrediting institution, would not be a voluntary disclosure by those other providers. However, we do not believe that such an approach is necessary.

    We understand that most providers that are accredited are large institutions, and in general their accreditors seek vast amounts of data during the accreditation process, some of which may include identifiers of practitioners who work in such institutions. We have preliminarily concluded that the disclosure of patient safety work product including practitioners in such circumstances will be harmless because, in many cases, the providers will not be accredited by the institution's accrediting body.

    Even in circumstances where a non-disclosing provider identified by a provider voluntarily disclosing to an accrediting body is subject to the accrediting body, we believe the accrediting body will not use the information. First, we believe it is unlikely that a provider may have or seek to disclose patient safety work product containing information about the actions or inactions of a provider also accredited by the same accrediting body. Second, even if such a disclosure occurs, although it may not be voluntary as to the non-disclosing provider, we do not believe the accrediting body will use such information to take accrediting actions against the non-disclosing provider. We would expect that an accrediting body may ignore or give little weight to information about providers not disclosing information directly to the accrediting body. Such second hand information may be incomplete and incorrect. We anticipate that accrediting bodies would seek to obtain information about a provider's actions directly from the subject provider rather than second hand.

    Furthermore, we propose to limit the accrediting body's permission to further redisclose such patient safety work product. To ensure that any patient safety work product in the hands of an accrediting body that contains provider identifiers of a provider who did not voluntarily disclose to such body, Sec. 3.206(b)(7)(i) proposes that an accrediting body may not further disclose the patient safety work product that was originally voluntarily disclosed. As an alternative to this approach, we could, as proposed in the patient safety activities disclosure, require that information with respect to non-disclosing providers be anonymized. See preamble discussion at proposed Sec. 3.206(b)(4). We seek comments as to whether the problem of information being disclosed non-voluntarily to an accrediting body by non-disclosing providers requires rendering such information anonymized.

    The accrediting body takes the patient safety work product subject to the confidentiality protection, and would therefore be subject to civil money penalties for any re-disclosure. The patient safety work product disclosed under this permission in the hands of the accrediting body remains privileged and confidential, in accordance with the continued confidentiality provisions at proposed Sec. 3.208. Thus, it is incumbent upon the accrediting body to handle and maintain the patient safety work product in a way that preserves its confidential status. Such safeguards may include maintaining this information separately from other accrediting information in a confidential file, if the other information is not similarly held confidential.

    Additionally, the Patient Safety Act includes strong provisions limiting the disclosure of patient safety work product to accrediting bodies and limiting the actions an accrediting body may take to seek patient safety work product. Proposed Sec. 3.206(b)(8)(ii) provides that an accrediting body may not take an accreditation action against a provider based on that provider's participation, in good faith, in the collection, reporting or development of patient safety work product. Accrediting bodies are also prohibited from requiring a provider to reveal its communications with any PSO, without regard to whether such provider actually reports information to a PSO. Thus, a provider may disclose patient safety work product to an accrediting body voluntarily, but cannot be compelled or required as a condition of accreditation to divulge patient safety work product or communications with a PSO. This subsection is based on the statutory requirements at section 922(d)(4)(B) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(4)(B).

    Under the HIPAA Privacy Rule, a HIPAA covered entity may disclose protected health information to an accrediting body for the HIPAA covered entity's own health care operations, provided there is a business associate agreement with the accrediting body. Such health care operations include the activity of accreditation for the HIPAA covered entity as well as the accreditation of workforce members. Thus, providers that are HIPAA covered entities or are workforce members of a HIPAA covered entity that hold the protected health information may voluntarily disclose identifiable patient safety work product containing individually identifiable health information to an accrediting body that accredits that provider, provided there is a business associate agreement between the HIPAA covered entity and the accreditation organization.

    (9) Proposed Sec. 3.206(b)(9)--Business Operations

    Section 922(c)(2)(F) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(F), gives the Secretary authority to designate additional disclosures as permissible exceptions to the confidentiality protection if such disclosures are necessary for business operations and are consistent with the goals of the Patient Safety Act. Any patient safety work product disclosed pursuant to a business operations exception so designated by the Secretary continues to be confidential and privileged.

    We propose to allow disclosures of patient safety work product by a provider or a PSO to professionals such as attorneys and accountants for the business operations purposes of the provider or PSO. A disclosure to an attorney may be necessary when a provider is seeking outside legal advice in defending against a malpractice claim or other litigation, even though the

    [[Page 8151]]

    information would not be admissible as part of a legal proceeding. A provider might also need to disclose patient safety work product to an attorney in the case of due diligence related to a merger, sale or acquisition. Similarly, a provider may need to disclose patient safety work product to an accountant who is auditing the books and records of providers and PSOs. In order to ensure that such routine business operations are possible, we propose to allow disclosures by providers and PSOs for business operations to attorneys, accountants, and other professionals. Professionals such as those identified are usually bound by professional ethics to maintain the confidences of their clients. Such contractors may not further disclose patient safety work product, except to the entity from which it received the information. We note that this limitation does not preclude a provider or PSO from exercising its authority under section 922(g)(4) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(4), to separately delegate its power to the contractor to make other disclosures.

    We note that if a provider or PSO were to disclose relevant patient safety work product to such professionals, we would rely upon the professional's legal and ethical constraints not to disclose the information for any unauthorized purpose. Our presumption is that professionals are generally subject to a set of governing rules. Nonetheless, we expect that providers and PSOs who disclose privileged and confidential information to attorneys, accountants or other ethically bound professionals for business purposes will engage in the prudent practice of ensuring such information is narrowly used by the contractor solely for the purpose for which it was disclosed and adequately protected from wrongful disclosure.

    Because patient safety work product is specialized and highly confidential information, we have not conceived of any other third parties to whom it would be appropriate to disclose patient safety work product as a business operations disclosure. Because we are not regulating uses, any business operations need within the entity could occur unimpeded. Although we considered whether to adopt an exception for activities in the operation of a patient safety evaluation system, we believe these activities are within the definition of patient safety activities and, thus, within the confidentiality exception proposed at Sec. 3.206(b)(4). We seek public comment regarding whether there are any other consultants or contractors to whom a business operations disclosure should also be permitted, or whether there are any additional exceptions for the Secretary's consideration under this authority.

    Under the HIPAA Privacy Rule, at 45 CFR 164.506, HIPAA covered entities are permitted to disclose protected health information for the HIPAA covered entity's own health care operations. ``Health care operations'' are certain activities of a HIPAA covered entity that are necessary to run its business and to support the core functions of treatment and payment, including ``conducting or arranging for medical review, legal services, and auditing functions * * *.'' 45 CFR 164.501. Thus, a business operation designation by the Secretary that enables a HIPAA covered entity to disclose patient safety work product containing protected health information to professionals is permissible as health care operations disclosures under the HIPAA Privacy Rule. Generally such professionals would fall within the definition of business associate at 45 CFR 160.103 and would require a business associate agreement.

    The Secretary's Business Operations Exception Designation Authority

    Section 922(c)(2)(F) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(F), gives the Secretary broad authority to designate additional exceptions that are necessary for business operations and are consistent with the goals of the Patient Safety Act. At this point, we plan to designate additional exceptions only through regulation. Although the Patient Safety Act establishes that other means are available for adoption by the Secretary, which we interpret as including the publication of letters, notice within the Federal Register or publication on the Department Web site, we believe these methods may not provide for sufficient opportunity for public comment or transparency in the development of other business operations exceptions. Moreover, because an impermissible disclosure that violates a business operations exception can result in a civil money penalty, we believe it is important that any proposed business operations exception be implemented in a way that is unquestionably binding on both the public and the Department. We invite public comments with respect to whether the Secretary should incorporate or preserve other mechanisms for the adoption of business operations exceptions, given that we cannot anticipate all potential business operations needs at this time.

    (10) Proposed Sec. 3.206(b)(10)--Disclosure to Law Enforcement

    Proposed Sec. 3.206(b)(10) permits the disclosure of identifiable patient safety work product to law enforcement authorities, so long as the person making the disclosure believes--and that belief is reasonable under the circumstances--that the patient safety work product disclosed relates to a crime and is necessary for criminal law enforcement purposes. Under proposed Sec. 3.208, the disclosed patient safety work product would continue to be privileged and confidential.

    We view this exception as permitting, for example, a disclosure by a whistleblower who would initiate the disclosure to law enforcement. The focus of this exception is the state of mind of the subject discloser. In making a disclosure, the discloser must reasonably believe that the event constitutes a crime and that the patient safety work product disclosed is necessary for criminal law enforcement purposes. The discloser need not be correct in these determinations, but his beliefs must be objectively reasonable. This standard provides some constraint on the discloser, and further protects against a release merely in response to a request by law enforcement.

    Patient safety work product received by law enforcement under this exception continues to be confidential and privileged. The law enforcement entity receiving the patient safety work product may use the patient safety work product to pursue any law enforcement purposes; however, because the patient safety work product disclosed to law enforcement entities under the Patient Safety Act and proposed Sec. 3.206(b)(10) remains privileged and confidential, the law enforcement entity can only disclose such patient safety work product--including in a court proceeding--as permitted by this proposed rule.

    We further propose that a law enforcement entity be permitted to redisclose the patient safety work product it receives under this exception to other law enforcement entities as needed for law enforcement activities related to the event that gave rise to the disclosure. We seek comment regarding whether these provisions allow for legitimate law enforcement needs, while ensuring appropriate protections.

    We note that disclosure pursuant to this exception does not except patient safety work product from the privilege protection. Thus, patient safety work product cannot be subpoenaed, ordered, or entered into evidence in a criminal or civil proceeding through this exception;

    [[Page 8152]]

    nor should a discloser rely solely on a law enforcement agent's statement that such information is necessary for law enforcement purposes. As already discussed, the Patient Safety Act framework permits an exception from privilege protection or law enforcement compulsion only in very narrow circumstances (see above privilege exception discussion). Under section 922(c)(1)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(A), patient safety work product may be disclosed for use in a criminal proceeding, but only after a judge has determined by means of an in camera review that the patient safety work product is material to a criminal proceeding and not reasonably available from any other source. Even after its use in such a criminal proceeding, and the lifting of the confidentiality protections with respect to such patient safety work product, the privilege protection continues. In light of the strict privilege protections for this information, we do not interpret this law enforcement disclosure exception as allowing the disclosure of patient safety work product based on a less compelling request by law enforcement for its release. The decision as to whether a discloser reasonably believes that the patient safety work product is necessary for a law enforcement purpose is the discloser's decision alone, provided that the decision is reasonable.

    While the HIPAA Privacy Rule permits disclosures by HIPAA covered entities to law enforcement under a variety of circumstances, few align well with the proposed interpretation of this exception as being limited to disclosures to law enforcement initiated by the HIPAA covered entity. Although there is a very narrow set of HIPAA Privacy Rule permissions under which a HIPAA covered entity as a holder of patient safety work product would be allowed to release patient safety work product that contains protected health information to law enforcement, we note that a HIPAA covered entity would be permitted to de-identify the protected health information, in which case only the Patient Safety Act would apply to the disclosure of the patient safety work product. If the protected health information is needed by law enforcement, the HIPAA Privacy Rule has standards that permit the release of protected health information in response to certain law enforcement processes. If such information is not patient safety work product, it would not be subject to the privilege protections of the Patient Safety Act.

    (C) Proposed Sec. 3.206(c)--Safe Harbor

    Proposed Sec. 3.206(c) is based on section 922(c)(2)(H) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(H). This provision permits the disclosure of identifiable patient safety work product when that information does not include oral or written materials that either contain an assessment of the quality of care of an identifiable provider or describe or pertain to the actions or failure to act of an identifiable provider. The use of this exception is limited to persons other than PSOs. This provision essentially prohibits the disclosure of a subject provider's identity with information, whether oral or written, that: (1) Assesses that provider's quality of care; or (2) identifies specific acts attributable to such provider. Thus, a permissible disclosure may include a provider's identity, so long as no ``quality information'' about the subject provider is also disclosed and so long as it does not describe or pertain to an action or failure to act by the subject provider.

    We propose that the provider identity element under this exception means the identity of any provider that is a subject of the patient safety work product. In other words, if the patient safety work product does not contain quality information about a particular provider or describe or pertain to any actions or failures to act by the provider, such provider could be identifiable within the patient safety work product disclosed pursuant to this exception. For example, if a nurse reports a patient safety event, but was not otherwise involved in the occurrence of that event, the nurse could be named in the disclosure. Providers that cannot be identified are those about whom the patient safety work product assesses the quality of care or describes or pertains to actions or failures to act of that provider. We propose that the threshold for identification of a provider will be determined in accordance with the nonidentification standard set forth in proposed Sec. 3.210. Thus, confidential patient safety work product disclosed under this exception may identify providers, reporters or patients so long as the provider(s) that are the subject of the actions described are nonidentified.

    In general, the determination with respect to the content of quality information is straightforward. We also interpret quality information to include the fact that patient safety work product exists, without the specifics of the patient safety event at issue. For example, if a provider employee discloses to a friend that a particular surgeon had an incident reported to the PSO, without actually describing this incident, the fact that the surgeon was associated with patient safety work product would be a prohibited disclosure.

    This is the only exception that defines prohibited conduct, rather than permitted conduct. We recognize that institutional providers, even practitioners' offices, are communities unto themselves. We preliminarily interpret this exception as creating a narrow safe harbor for disclosures, possibly inadvertent, which may occur by a provider or other responsible person, when the patient safety work product does not reveal a link between a subject provider and the provider's quality of care or an action or failure to act by that subject provider. By proposing this provision as a safe harbor, we seek to have it available to mitigate harmless errors, rather than as a disclosure permission that may render all other disclosure permissions practically meaningless.

    Under the HIPAA Privacy Rule, HIPAA covered entities are broadly permitted to disclose protected health information for the HIPAA covered entity's treatment, payment or health care operations. Otherwise, specific standards are described that limit the use and disclosure of protected health information. If such disclosure is made by a HIPAA covered entity, it is possible that the disclosure of protected health information would be permissible as a health care operation, or as incidental to another permitted disclosure. Nevertheless, examination of whether a HIPAA Privacy Rule standard has been violated will need to be made on a case-by-case basis.

    (D) Proposed Sec. 3.206(d)--Implementation and Enforcement of the Patient Safety Act

    Proposed Sec. 3.206(d) permits the disclosure of relevant patient safety work product to or by the Secretary as needed for investigating or determining compliance with this Part or for enforcement of the confidentiality provisions of this Subpart or in making or supporting PSO certification or listing decisions under the Patient Safety Act and Subpart B of this regulation. This disclosure parallels the privilege exception under proposed Sec. 3.204(c). Patient safety work product disclosed under this exception remains confidential. This exception does not limit the ability of the Secretary to disclose patient safety work product in accordance with the exceptions under proposed Sec. 3.206(b) or this Part. Rather, this proposed section provides a specific permission pursuant to which

    [[Page 8153]]

    patient safety work product may be disclosed to the Secretary and the Secretary may further use such disclosed patient safety work product for compliance and enforcement purposes.

    We propose to permit a disclosure of patient safety work product in order to allow the Secretary to obtain such information as is needed to implement and enforce this program, both for the purposes of enforcing the confidentiality of patient safety work product and for the oversight of PSOs. Enforcement of the confidentiality provisions includes the imposition of civil money penalties and adherence to the prohibition against imposing a civil money penalty for a single act that violates both the Patient Safety Act and the HIPAA Privacy Rule. This exception ensures that there will not be a conflict between the confidentiality obligations of a holder of patient safety work product and other provisions that allow the Secretary access to protected information and/or require disclosure to the Secretary for enforcement purposes. See proposed Sec. Sec. 3.110, 3.210, and 3.310. Although the statute does not explicitly address this disclosure, we believe that the authority to disclose to the Secretary for these purposes is inherent in the statute, and that this disclosure is permitted and necessary to meaningfully exercise our authority to enforce against breaches of confidentiality as well as to ensure that PSOs meet their certification attestations if needed. Proposed Sec. 3.312(c) discusses the limitations on what the Secretary may do with any patient safety work product obtained pursuant to an investigation or compliance review regarding an alleged impermissible disclosure.

    This proposed provision would permit the disclosure of patient safety work product to the Secretary or disclosure by the Secretary so long as such disclosure is limited to the purpose of implementation and enforcement of these proposed regulations. Such disclosure would include the introduction of patient safety work product into proceedings before ALJs or the Board under proposed Subpart D by the Secretary, as well as the disclosure during investigations by the Secretary, or activities in reviewing PSO certifications by AHRQ. Disclosures of patient safety work product made to the Board or other parts of the Department that are received by workforce members, such as contractors operating electronic web portals or mail sorting and paper scanning services, would be permitted as a disclosure to the Secretary under this proposed provision. This provision would also permit the Board to disclose any patient safety work product in order to properly review determinations or to provide records for court review.

    We believe strongly in the protection of patient safety work product as provided in the Patient Safety Act and the proposed regulations, and seek to minimize the risk of improper disclosure of patient safety work product by using and disclosing patient safety work product only in limited and necessary circumstances. With respect to disclosures to an ALJ or the Board, we note that the Board has numerous administrative, technical and physical safeguards available to protect sensitive information. For example, the Board has the authority to: Enter protective orders; hold closed hearings; redact records; anonymize names of cases and parties prior to publishing opinions; and put records under seal. It routinely maintains a controlled environment; trains staff about proper handling of confidential information; flags confidential information in records prior to archiving cases and shreds copies of case files, etc. Most importantly, understanding that any patient safety work product that is used in an enforcement proceeding is sensitive, the Board would seek to include only information in an opinion that is necessary to the decision, and omit any extraneous sensitive information that is not needed for its judgments.

    This proposed provision also requires that patient safety work product disclosed to or by the Secretary must be necessary for the purpose for which the disclosure is made. We intend that any disclosure made pursuant to this proposed provision be limited in the amount of patient safety work product disclosed to accomplish the purpose of implementation, compliance, and enforcement. We discuss our anticipated uses and protections further in proposed Subpart D.

    (E) Proposed Sec. 3.206(e)--No Limitation on Authority To Limit or Delegate Disclosure or Use

    Proposed Sec. 3.206(e) reflects the Patient Safety Act's rule of construction in section 922(g)(4) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(4), establishing that a person holding patient safety work product may enter into a contract that requires greater confidentiality protections or may delegate its authority to make a disclosure in accordance with this Subpart. For example, a provider may delegate its permission (which it may have as a provider) to disclose to the FDA under proposed Sec. 3.206(b)(7) to a PSO through a contractual arrangement. In such a case, the PSO would be acting on behalf of the provider in making disclosures to the FDA. Without the delegated permission, it would, in this scenario, be impermissible for the PSO to disclose identifiable patient safety work product to the FDA, and a PSO that made such a disclosure could be subject to a civil money penalty. However, if a delegation of disclosing authority exists, the delegating person would be responsible for the disclosures of the delegee. Thus, in the example above, if the PSO made an impermissible disclosure, the delegating provider could be liable under the principle of principal liability for the acts of its agent. The PSO making the disclosure could also be liable. See discussion in proposed Sec. 3.402(b). Neither the statute nor the proposed rule limits the authority of a provider to place limitations on disclosures or uses. For example, a provider may require that a PSO remove all employee names prior to disclosing any patient safety work product despite such disclosure being permissible under this Subpart with the names included.

    3. Proposed Sec. 3.208--Continued Protection of Patient Safety Work Product

    Proposed Sec. 3.208 provides that the privilege and confidentiality protections continue to apply to patient safety work product when disclosed and describes the narrow circumstances when the protections terminate. Generally, when identifiable patient safety work product is disclosed, whether pursuant to a permitted exception to privilege and/or confidentiality or disclosed impermissibly, that patient safety work product continues to be privileged and confidential. Any person receiving such patient safety work product receives that patient safety work product pursuant to the privilege and confidentiality protections. The receiving person holds the patient safety work product subject to these protections and is generally bound by the same limitations on disclosure and the potential civil money penalty liability if he or she discloses the patient safety work product in a manner that warrants imposition of a civil money penalty under proposed Subpart D.

    An example would be if identifiable patient safety work product is disclosed to a provider's employee for patient safety activities, the identifiable patient safety work product disclosed to the employee would be confidential and the employee would be subject to civil money penalty liability for any knowing

    [[Page 8154]]

    or reckless disclosure of the patient safety work product in identifiable form not permitted by the exceptions. Similarly, if confidential patient safety work product is received impermissibly, such as by an unauthorized computer access (i.e., hacker), the impermissible disclosure, even when unintentional, does not terminate the confidentiality. Thus, the hacker may be subject to civil money penalty liability for impermissible disclosures of that information.

    We do not require that notification of the privilege and confidentiality of patient safety work product be made with each disclosure. We also note that the Secretary does not have authority to impose a civil money penalty for an impermissible breach of the privilege protection. Rather, any breach of privilege, permissible or not, would encompass a disclosure and concurrent breach of confidentiality, subject to penalty under the CMP provisions of the Patient Safety Act and this proposed rule, unless a confidentiality exception applied. See the discussion above of confidentiality protections at proposed Sec. 3.206 and the discussion of the enforcement provisions at proposed Subpart D.

    Nor do we require notification of either the confidentiality of patient safety work product or the fact that patient safety work product is being disclosed. The Secretary's authority to impose a civil money penalty is not dependent upon whether the disclosing entity or person knows that the information being disclosed is patient safety work product or whether patient safety work product is confidential (see discussion under proposed Subpart D). Thus, we do not require that the disclosure of patient safety work product be accompanied by a notice as to either the fact that the information disclosed is patient safety work product or that it is confidential. Labeling does not make information protected patient safety work product, and the failure to label patient safety work product does not remove the protection. However, we do believe that such a notification would be beneficial to the recipient to alert such recipient to the fact that the information received should be held in a confidential manner and that knowing or reckless disclosure in violation of the confidentiality protection may subject a discloser to civil money penalties. Labeling patient safety work product may also make it easier for the provider to establish that such information is privileged patient safety work product. A notification may also be prudent management for providers, PSOs, and responsible persons who could be subject to liability under agency principles for actions of disclosing agents. Moreover, such a notification policy may serve as a mitigating factor under the factors outlined under proposed Subpart D. Similarly, labeling of patient safety work product may be a good practice for the internal management of information by an entity that holds protected patient safety work product.

    There are two exceptions to the continued protection of patient safety work product which terminate either the confidentiality or both the privilege and confidentiality under section 922(d)(2) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(2). The first exception to continued protection is an exception to continued confidentiality when patient safety work product is disclosed for use in a criminal proceeding, pursuant to proposed Sec. Sec. 3.204(b)(1) and 3.206(b)(1). Proposed Sec. 3.204(b)(1) is an exception to privilege for the particular proceeding at issue and does not permit the use of such patient safety work product in other proceedings or otherwise remove the privilege protection afforded such information. Thus, in the case of a criminal proceeding disclosure, the privilege continues even though the confidentiality terminates. In other words, when a court makes an in camera determination that patient safety work product can be entered into a criminal proceeding, that information remains privileged for any future proceedings, but is no longer confidential and may be further disclosed without restriction.

    The second exception to continued protection is when patient safety work product is disclosed in nonidentifiable form, pursuant to proposed Sec. Sec. 3.204(b)(4) and 3.206(b)(5). Under both of these exceptions, the patient safety work product disclosed is no longer confidential, and may be further disclosed without restriction. The termination of the continued protections is based on section 922(d)(2) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(2).

    4. Proposed Sec. 3.210--Required Disclosure of Patient Safety Work Product to the Secretary

    We are proposing in Sec. 3.210 that providers, PSOs, and other persons that hold patient safety work product be required to disclose such patient safety work product to the Secretary upon a determination by the Secretary that such patient safety work product is needed for the investigation and enforcement activities related to this Part, or is needed in seeking and imposing civil money penalties. Such patient safety work product disclosed to the Secretary will be excepted from privilege and confidentiality protections insofar as the Secretary has a need to use such patient safety work product for the above purposes which include: accepting, conditioning, or revoking acceptance of PSO certification or in supporting such actions. See proposed Sec. 3.206(d).

    5. Proposed Sec. 3.212--Nonidentification of Patient Safety Work Product

    Proposed Sec. 3.210 establishes the standard by which patient safety work product will be determined nonidentifiable. For the ease of the reader, we have discussed this standard within the context of proposed Sec. 3.206(b)(5), the confidentiality disclosure exception for nonidentifiable patient safety work product.

  13. Subpart D--Enforcement Program

    The authority of the Secretary to enforce the confidentiality provisions of the Patient Safety Act is intended to deter impermissible disclosures of patient safety work product. Proposed Subpart D would establish a framework to enable the Secretary to monitor and ensure compliance with this Part, procedures for imposing a civil money penalty for breach of confidentiality, and procedures for a hearing contesting a civil money penalty.

    The proposed enforcement program has been designed to provide maximum flexibility to the Secretary in addressing violations of the confidentiality provisions to encourage participation in patient safety activities and achieve the goals of the Patient Safety Act while safeguarding the confidentiality and protected nature of patient safety work product under the Patient Safety Act and this part. Failures to maintain confidentiality may be serious, deleterious and broad-ranging, and, if unpunished, may discourage participation by providers in the PSO voluntary reporting system. The Secretary's enforcement authority will be exercised commensurately to respond to the nature of any such failure and the resulting harm from such failures. The proposed regulations seek to provide the Secretary with reasonable discretion, particularly in areas where the exercise of judgment is called for by the statute or proposed rules, and to avoid being overly prescriptive in areas and causing unintended adverse effects where it would be helpful to gain experience with the practical impact of the proposed rules.

    The provisions of section 1128A of the Social Security Act, 42 U.S.C. 1320a-7a, apply to the imposition of a civil money penalty under section 922(f) of the Public Health Service Act, 42 U.S.C. 299b-22(f), ``in the same manner as'' they apply to the imposition of civil money penalties under section 1128A itself. Section 1128A(l) of the Social Security Act, 42 U.S.C. 1320a-7a(l), provides that a principal is liable for penalties for the actions of its agents acting within the scope of their agency. Therefore, a provider or PSO will be responsible for the actions of a workforce member when such member discloses patient safety work product in violation of the confidentiality provisions while acting within the scope of the member's agency relationship.

    Proposed Sec. Sec. 3.304 through 3.314 are designed to enable the Secretary to assist with, monitor, and investigate alleged failures with respect to compliance with the confidentiality provisions. Proposed Sec. Sec. 3.304 through 3.314 would establish the processes and procedures for the Secretary to provide technical assistance with compliance, for filing complaints with the Secretary, and for investigations and compliance reviews performed by the Secretary. Proposed Sec. Sec. 3.402 through 3.426 would provide the legal basis for imposing a civil money penalty, determining the amount of a civil money penalty, implementing the prohibition on the imposition of a civil money penalty under both HIPAA and the Patient Safety Act, and issuing a notice of proposed determination to impose a civil money penalty and establishing the process that would be relevant subsequent to the issuance of such a notice, whether or not a hearing follows the issuance of the notice of proposed determination. These sections also would contain provisions on the statute of limitations, authority to settle, collection of any penalty imposed for violation of the confidentiality provisions, and public notice of the imposition of such penalties. Finally, proposed Sec. 3.504 addresses the administrative hearing phase of the enforcement process, including provisions for appellate review within HHS of a hearing decision and burden of proof in such proceedings.

    Generally, proposed Subpart D is based on the HIPAA Enforcement Rule, 45 CFR Part 160, Subparts C, D and E. We have closely followed the HIPAA Enforcement Rule for several reasons. First, because civil money penalties under both the HIPAA Enforcement Rule and Patient Safety Act are based on section 1128A of the Social Security Act, 42 U.S.C. 1320a-7a, we believe there is benefit in maintaining a common approach to enforcement and appeals of such civil money penalty determinations. Second, we believe that these procedures set forth in the HIPAA Enforcement Rule, which in turn are based on the procedures established by the OIG, work and satisfactorily address issues raised and addressed in prior rulemakings by the Department and the OIG. We do not reiterate those concerns, or their resolutions, here, but they have informed our decision making on these proposed rules.

    Proposed Sec. Sec. 3.504(b)-(d), (f)-(g), (i)-(k), (m), (n), (t), (w) and (x) of the proposed rule are unchanged from, or incorporate the provisions of, the HIPAA Enforcement Rule. For a full discussion of the basis for these proposed sections, please refer to the proposed and final HIPAA Enforcement Rule, published on April 18, 2005, at 70 FR 20224 (proposed) and on February 16, 2006, at 71 FR 8390 (final). Although the preamble discussion of the HIPAA Enforcement Rule pertains to the HIPAA Administrative Simplification provisions, HIPAA covered entities, and protected health information under HIPAA, we believe the same interpretations and analyses are applicable to the Patient Safety Act confidentiality provisions, providers, PSOs, and responsible persons, and patient safety work product.

    Proposed Sec. Sec. 3.424 and 3.504(a), (e), (h), (l), (o)-(s), (u) and (v) of the proposed rule also are based on, or incorporate, the HIPAA Enforcement Rule, but include technical changes made in order to adapt these provisions to the Patient Safety Act confidentiality provisions. We discuss these technical changes below but refer to the proposed and final HIPAA Enforcement Rule for a substantive discussion of these proposed sections.

    For the above proposed sections, while we have chosen not to repeat our discussion of the rationale for these regulations, we invite comments regarding whether any further substantive or technical changes are needed to adapt these provisions to the Patient Safety Act confidentiality provisions.

    The remaining sections in Subpart D of the proposed rule reprint HIPAA Enforcement Rule provisions in their entirety or constitute substantive changes from the analogous provisions of the HIPAA Enforcement Rule. We discuss these proposed sections in full below.

    1. Proposed Sec. 3.304--Principles for Achieving Compliance

    Proposed Sec. 3.304(a) would establish the principle that the Secretary will seek the cooperation of providers, PSOs, and responsible persons in maintaining and preserving the confidentiality of patient safety work product, relying on the civil money penalty authority when appropriate to remediate violations. Proposed Sec. 3.304(b) provides that the Secretary may provide technical assistance to providers, PSOs, and responsible persons to help them comply with the confidentiality provisions.

    We will seek to achieve compliance through technical assistance and outreach so that providers, PSOs, and responsible persons that hold patient safety work product may better understand the requirements of the confidentiality provisions and, thus, may voluntarily comply by preventing breaches. However, we believe that the types of events that are likely to trigger complaints are actual breaches of confidentiality which will need remedial action (such events cannot be mitigated through preventive measures alone). Given the existing framework of peer review systems and other similar processes, we believe that most providers and patient safety experts already have well-established mechanisms for using sensitive information while respecting its confidentiality. Moreover, such persons will have incentives to maintain the confidentiality of patient safety work product each such person possesses in the future. Thus, while there may be situations where an issue may be resolved through technical assistance and corrective action, we anticipate that the resolution of complaints of breaches of confidentiality may warrant imposition of a civil money penalty to deter future non-compliance and similar violations. This Subpart preserves the discretion of the Secretary to enforce confidentiality in the manner that best fits the situation.

    The Secretary will exercise discretion in developing a technical assistance program that may include the provision of written material when appropriate to assist persons in achieving compliance. We encourage persons to share ``best practices'' for the confidential utilization of patient safety work product. However, the absence of technical assistance or guidance may not be raised as a defense to civil money penalty liability.

    2. Proposed Sec. 3.306--Complaints to the Secretary

    We are proposing in Sec. 3.306 that any person may file a complaint with the Secretary if the person believes that a provider, PSO or responsible person has disclosed patient safety work product in violation of the confidentiality provisions. A complaint-driven process would provide helpful information about the handling and disclosure of patient safety work product and could serve to identify particularly troublesome compliance problems on an early basis.

    The procedures proposed in this section are modeled on those used for the HIPAA Enforcement Rule. We would require: complaints to be in writing; complainants to identify the person(s), and describe the acts, alleged to be out of compliance; and that the complainant file such complaint within 180 days of when the complainant knew or should have known that the act complained of occurred, unless this time limit is waived by the Secretary for good cause shown. We have tried to keep the requirements for filing complaints as minimal as possible to facilitate use of this process. The Secretary would also attempt to keep the identity of complainants confidential, if possible. However, we recognize that it could be necessary to disclose the identity of a complainant in order to investigate the substance of the complaint, and the rules proposed below would permit such disclosures.

    For the same reason that the HIPAA Enforcement Rule adopted the ``known or should have known'' standard for filing a complaint, we require that complaints be filed within 180 days of when the complainant knew or should have known that the violation complained of occurred unless this time limit is waived by the Secretary for good cause shown. We believe that an investigation of a complaint is likely to be most effective if persons can be interviewed and documents reviewed as close to the time of the alleged violation as possible. Requiring that complaints generally be filed within a certain period of time increases the likelihood that the Secretary will be able to obtain necessary and reliable information in order to investigate allegations. Moreover, we are taking this approach in order to encourage complainants to file complaints as soon as possible. By receiving complaints in a timely fashion, we can, if such complaints prove valid, reduce the harm caused by the violation.

    In most cases, we expect that the providers, PSOs, responsible persons, and/or their employees will be aware of disclosures of patient safety work product. Nevertheless, other persons may become aware of the wrongful disclosure of patient safety work product as well. For these reasons, we do not limit who may file a complaint. We will accept complaints alleging violations from any person.

    Once a complaint is received, the Secretary will notify the provider, PSO, or responsible person(s) against whom the complaint has been filed (i.e., the respondent), investigate and seek resolution to any violations based on the circumstances of the violation, in accordance with the principles for achieving compliance. In enforcing the confidentiality provisions of the Patient Safety Act, the Secretary will generally inform the respondent of the nature of any complaints received against the respondent. The Secretary will also generally afford the entity an opportunity to share information with the Secretary that may result in an early resolution.

    3. Proposed Sec. 3.308--Compliance Reviews

    We are proposing in Sec. 3.308 that the Secretary could conduct compliance reviews to determine whether a provider, PSO, or responsible person is in compliance. A compliance review could be based on information indicating a possible violation of the confidentiality provisions even though a formal complaint has not been filed. As is the case with a complaint investigation, a compliance review may examine the policies, practices or procedures of a respondent and may result in voluntary compliance or in a finding of a violation or no violation finding.

    We believe the Secretary's ability to conduct compliance reviews should be flexible and unobstructed by limitations or required links to ongoing investigations. We do not establish any affirmative criteria for the conduct of a compliance review. Compliance reviews may be undertaken without regard to ongoing investigations or prior conduct. We recognize that cooperating with compliance reviews may create some burden and expense. However, the Secretary needs to maintain the flexibility to conduct whatever reviews are necessary to ensure compliance with the rule.

    We note that, at least in the short term, HHS will be taking a case-based, complaint-driven approach to investigations and enforcement, rather than focusing resources on compliance reviews unrelated to any information or allegations of confidentiality violations.

    4. Proposed Sec. 3.310--Responsibilities of Respondents

    Proposed Sec. 3.310 establishes certain obligations for respondents that would be necessary to enable the Secretary to carry out the statutory role to determine their compliance with the requirements of the confidentiality provisions. Respondents would be required to maintain records as proposed in this proposed rule, participate as required in investigations and compliance reviews, and provide information to the Secretary upon demand. Respondents would also be required to disclose patient safety work product to the Secretary for investigations and compliance activities. We interpret the enforcement provision at section 922(f) of the Patient Safety Act, 42 U.S.C. 299b-22(f), to allow for such disclosure to the Secretary for the purpose of enforcing the confidentiality provisions.

    Proposed Sec. 3.310(b) would require cooperation by respondents with investigations as well as compliance reviews.

    Proposed Sec. 3.310(c) would provide that the Secretary must be provided access to a respondent's facilities, books, records, accounts, and other sources of information, including patient safety work product. Ordinarily, the Secretary will provide notice requesting access during normal business hours. However, if exigent circumstances exist, such as where documents might be hidden or destroyed, the Secretary may require access at any time and without notice. The Secretary will consider alternative approaches, such as subpoenas or search warrants, in seeking information from respondents that are not providers, PSOs, or a member of their workforce.

    5. Proposed Sec. 3.312--Secretarial Action Regarding Complaints and Compliance Reviews

    Proposed Sec. 3.312(a) provides that, if a complaint investigation or compliance review indicates noncompliance, the Secretary may attempt to resolve the matter by informal means. If the Secretary determines that the matter cannot be resolved by informal means, the Secretary will issue findings to the respondent and, if applicable, the complainant.

    Proposed Sec. 3.312(a)(1) provides that, where noncompliance is indicated, the Secretary could seek to reach a resolution of the matter satisfactory to the Secretary by informal means. Informal means would include demonstrated compliance or a completed corrective action plan or other agreement. Under this provision, entering into a corrective action plan or other agreement would not, in and of itself, resolve the noncompliance; rather, the full performance by the respondent of its obligations under the corrective action plan or other agreement would be necessary to resolve the noncompliance.

    Proposed Sec. Sec. 3.312(a)(2) and (3) address what notifications would be provided by the Secretary where noncompliance is indicated, based on an investigation or compliance review. Notification under these paragraphs would not be required where the only contacts made were with the complainant to determine whether the complaint warrants investigation. Section 3.312(a)(2) proposes written notice to the respondent and, if the matter arose from a complaint, the complainant, where the matter is resolved by informal means. If the matter is not resolved by informal means, proposed Sec. 3.312(a)(3)(i) would require the Secretary to so inform the respondent and provide the respondent 30 days in which to raise any mitigating factors the Secretary should consider in imposing a civil money penalty. Section 3.312(a)(3)(ii) proposes that, where a matter is not resolved by informal means and the Secretary decides that imposition of a civil money penalty is warranted based upon a response from the respondent or expiration of the 30 day response time limit, the formal finding would be contained in the notice of proposed determination issued under proposed Sec. 3.420.

    Proposed Sec. 3.312(b) provides that, if the Secretary finds, after an investigation or compliance review, no further action is warranted, the Secretary will so inform the respondent and, if the matter arose from a complaint, the complainant. This section does not apply where no investigation or compliance review has been initiated, such as where a complaint has been dismissed due to lack of jurisdiction.

    Proposed Sec. 3.312(c) addresses how the Secretary will handle information obtained during the course of an investigation or compliance review. Under proposed Sec. 3.312(c)(1), identifiable patient safety work product obtained by the Secretary in connection with an investigation or compliance review under this Part remains subject to the privilege and confidentiality protections and will not be disclosed except in accordance with proposed Sec. 3.206(d), if necessary for ascertaining or enforcing compliance with this part, or as permitted by this Part or the Patient Safety Act. In other words, the Secretary, as with any other entity or person, would receive patient safety work product subject to the confidentiality and privilege requirements and protections. The proposed rule strikes a balance between these protections and enforcement, providing that the Secretary would not disclose such patient safety work product, except as may be necessary to enable the Secretary to ascertain compliance with this Part, in enforcement proceedings, or as otherwise permitted by this Part. We note that, pursuant to section 922(g)(3) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(3), as added by the Patient Safety Act, the Patient Safety Act does not affect the implementation of the HIPAA confidentiality regulations (known as the HIPAA Privacy Rule). Accordingly, we propose that the Secretary may use patient safety work product obtained in connection with an investigation hereunder to enforce the HIPAA confidentiality regulations.

    Proposed Sec. 3.312(c)(2) provides that, except for patient safety work product, testimony and other evidence obtained in connection with an investigation or compliance review may be used by HHS in any of its activities and may be used or offered into evidence in any administrative or judicial proceeding. Such information would include that which is obtained from investigational subpoenas and inquiries under proposed Sec. 3.314. The Department generally seeks to protect the privacy of individuals to the fullest extent possible, while permitting the exchange of records required to fulfill its administrative and programmatic responsibilities. The Freedom of Information Act, 5 U.S.C. 552, and the HHS implementing regulation, 45 CFR Part 5, provide substantial protection for records about individuals where disclosure would constitute an unwarranted invasion of their personal privacy. Moreover, in enforcing the Patient Safety Act and its implementing regulations, OCR plans to continue its current practice of protecting its complaint files from disclosure. These files, thus, would constitute investigatory records compiled for law enforcement purposes, one of the exemptions to disclosure under the Freedom of Information Act. In the case of patient safety work product that is not otherwise subject to a statutory exception permitting disclosure, the Patient Safety Act prohibits the disclosure of such information in response to a Freedom of Information Act request. See section 922(a)(3) of the Public Health Service Act, 42 U.S.C. 299b-22(a)(3).

    The Secretary continues to be subject to the existing HIPAA Enforcement Rule with respect to the use and disclosure of protected health information received by the Secretary in connection with a HIPAA Privacy Rule investigation or compliance review (see 45 CFR 160.310(c)(3)); these proposed provisions do not modify those regulations.

    6. Proposed Sec. 3.314--Investigational Subpoenas and Inquiries

    Proposed Sec. 3.314 provides procedures for the issuance of subpoenas to require the attendance and testimony of witnesses and the production of any other evidence, including patient safety work product, during an investigation or compliance review. We propose to issue subpoenas in the same manner as 45 CFR 160.314(a)(1)-(5) of the HIPAA Enforcement Rule, except that the term ``this part'' shall refer to 42 CFR Part 3. The language modification is necessary to reference the appropriate authority.

    We also propose that the Secretary is permitted to conduct investigational inquiries in the same manner as the provisions of 45 CFR 160.314(b)(1)-(9) of the HIPAA Enforcement Rule. The referenced provisions describe the manner in which investigational inquiries will be conducted.

    7. Proposed Sec. 3.402--Basis for a Civil Money Penalty

    Under proposed Sec. 3.402, a person who discloses identifiable patient safety work product in knowing or reckless violation of the confidentiality provisions shall be subject to a civil money penalty of not more than $10,000 for each act constituting a violation. See section 922(f)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(f)(1).

    (A) Proposed Sec. 3.402(a)--General Rule

    Proposed Sec. 3.402(a) would allow the Secretary to impose a civil money penalty on any person which the Secretary determines has knowingly or recklessly violated the confidentiality provisions. This provision is based on the language in section 922(f) of the Public Health Service Act, 42 U.S.C. 299b-22(f), that ``a person who discloses identifiable patient safety work product in knowing or reckless violation of subsection (b) shall be subject to a civil money penalty of not more than $10,000 for each act constituting such violation.''

    A civil money penalty may only be imposed if the Secretary first establishes a wrongful disclosure (i.e., (1) the information disclosed was identifiable patient safety work product; (2) the information was disclosed; and (3) the manner of the disclosure does not fit within any permitted exception). If a wrongful disclosure is established, the Secretary must then determine whether the person making the disclosure acted ``knowingly'' or ``recklessly.''

    The applicable law on the issue of ``knowing'' provides that ``unless the text of the statute dictates a different result, the term `knowingly' merely requires proof of knowledge of the facts that constitute the offense [rather than] a culpable state of mind or [] knowledge of the law.'' Bryan v. United States, 524 U.S. 184 (1998) (emphasis added). Applying this meaning in the context of the Patient Safety Act, the Secretary would not need to prove that the person making the disclosure knew the law (i.e., knew that the disclosed information constituted identifiable patient safety work product or that such disclosure did not meet one of the standards for a permissive disclosure in the Patient Safety Act). Rather, the Secretary would only need to show that the person knew a disclosure was being made. Although knowledge that disclosed information is patient safety work product is not required, circumstances in which a person can show no such knowledge and no reason to know such knowledge may warrant discretion by the Secretary. By contrast, as a person's opportunity for knowledge and disregard of that opportunity increases, the Secretary's compulsion to exercise discretion not to impose a penalty declines.

    Where a ``knowing'' violation cannot be established, the Secretary can still impose a civil money penalty by showing that the person was reckless in making the disclosure of identifiable patient safety work product. A person acts recklessly if they are aware, or a reasonable person in their situation should be aware, that their conduct creates a substantial risk of disclosure of information and to disregard such risk constitutes a gross deviation from reasonable conduct. A ``substantial risk'' represents a significant threshold, more than the mere possibility of disclosure of patient safety work product. Whether a risk is ``substantial'' is a fact-specific inquiry. Additionally, whether a reasonable person in the situation should know of a risk is based on context. For example, an employee whose job duties regularly involve working with sensitive patient information may be expected to know of disclosure risks of which other types of employees may reasonably be unaware.

    Finally, the disregarding of the risk must be a gross deviation from reasonable conduct. This gross deviation standard is commonly used to describe reckless conduct. See, e.g., Model Penal Code Sec. 2A1.4(2006), definition of ``reckless'' for purposes of involuntary manslaughter; Black's Law Dictionary (8th ed., 2004). This does not mean that the conduct itself must be a gross deviation from reasonable conduct. Rather, the standard is whether the disregarding of the risk was a gross deviation (i.e., whether a reasonable person who is aware of the substantial risk of making an impermissible disclosure would find going forward despite the risk to be grossly unreasonable). Thus, disclosures that violate this Part and occur because an individual acted despite knowing of, or having reason to know of, a grossly unreasonable risk of disclosure are punishable by civil money penalty, regardless of whether such conduct may otherwise be widespread in the industry.

    An example of a reckless disclosure of identifiable patient safety work product would be leaving a laptop unattended in a public area and accessible to unauthorized persons with identifiable patient safety work product displayed on the laptop screen. Such a situation would be reckless because it would create a substantial risk of disclosure of the information displayed on the laptop screen. If a person did not remove the identifiable patient safety work product from the laptop screen or take other measures to prevent the public view of the laptop screen, then leaving the laptop unattended would be a disregard for the substantial risk of disclosure that would be a gross deviation from reasonable conduct. Under these circumstances, the person leaving the laptop unattended could be liable for a civil money penalty.

    The use of the term ``shall be subject to'' in section 922(f) of the Public Health Service Act, 42 U.S.C. 299b-22(f), conveys authority to the Secretary to exercise discretion as to whether to impose a penalty for a knowing or reckless violation of the confidentiality provisions. Based on the nature and circumstances of a violation and whether such violation was done in a knowing or reckless manner, the Secretary may impose a civil money penalty, require a corrective action plan, or seek voluntary compliance with these regulations.

    Even in cases that constitute violations of the confidentiality provisions, the Secretary may exercise discretion. For example, in a situation where a provider makes a good faith attempt to assert the patient safety work product privilege, but is nevertheless ordered by a court to make a disclosure, and the provider does so, the Secretary could elect not to impose a civil money penalty. Thus, for example, it is not the Secretary's intention to impose a civil money penalty on a provider ordered by a court to produce patient safety work product where the provider has deliberately and in good faith undertaken reasonable steps to avoid such production and is, nevertheless, faced with compelled production or being held in contempt of court.

    Similarly, an individual may innocently come into possession of information, unaware of the fact that the information is patient safety work product, and may innocently share the information in a manner not permitted by the confidentiality provisions. In such circumstances, the Secretary would look at the facts and circumstances of the case and could elect not to impose a penalty. Relevant facts and circumstances might include the individual's relationship with the source of the information (e.g., whether the information originated with a health care provider or a patient safety organization for which the individual was employed); whether, and the extent to which, the individual had a basis to know the information was patient safety work product or to know that the information was confidential; to whom the information was disclosed; and the intent of the individual in making the disclosure.

    (B) Proposed Sec. 3.402(b)--Violations Attributed to a Principal

    The proposed rule includes a provision, at proposed Sec. 3.402(b), that addresses the liability of a principal for a violation by a principal's agent. Proposed Sec. 3.402(b) adopts the principle that the federal common law of agency applies when addressing the liability of a principal for the acts of his or her agent. Under this principle, a provider, PSO or responsible person generally can be held liable for a violation based on the actions of any agent, including an employee or other workforce member, acting within the scope of the agency or employment. This liability is separate from the underlying liability attributable to the agent and could result in a separate and exclusive civil money penalty. In other words, a principal may be liable for a $10,000 civil money penalty and an agent may be liable for a separate $10,000 civil money penalty arising from the same act that is a violation.

    Section 922(f)(2) of the Public Health Service Act, 42 U.S.C. 299b-22(f)(2), provides that ``the provisions of section 1128A * * * shall apply to civil money penalties under this subsection [of the Patient Safety Act] in the same manner as such provisions apply to a penalty or proceeding under section 1128A.'' Section 1128A(l) of the Social Security Act, 42 U.S.C. 1320a-7a(l), establishes that ``a principal is liable for penalties * * * under this section for the actions of the principal's agents acting within the scope of the agency.'' This is similar to the traditional rule of agency in which principals are vicariously liable for the acts of their agents acting within the scope of their authority. See Meyer v. Holley, 537 U.S. 280 (2003). Therefore, a provider, PSO or responsible person generally will be responsible for the actions of its workforce members within the scope of agency, such as where an employee discloses confidential patient safety work product in violation of the confidentiality provisions during the course of his or her employment.

    The determination of whether or not a principal is responsible for a violation would be based on two fact-dependent determinations. First, the Secretary must find that a principal-agent relationship exists between the person doing the violative act and the principal. If a principal-agent relationship is established, then a second determination, whether the act in violation of the confidentiality provisions was within the scope of the agency, must be made. The determination as to whether an agent's conduct is outside the scope of the agency will be dependent upon the application of the federal common law of agency to the facts.

    The purpose of applying the federal common law of agency to determine when a provider, PSO, or responsible person is vicariously liable for the acts of its agents is to achieve nationwide uniformity in the implementation of the confidentiality provisions and nationwide consistency in the enforcement of these rules by OCR. Reliance on State law could introduce inconsistency in the implementation of the patient safety work product confidentiality provisions by persons or entities in different States.

    Federal Common Law of Agency

    A principal's liability for the actions of its agents is generally governed by State law. However, the U.S. Supreme Court has provided that the federal common law of agency may be applied where there is a strong governmental interest in nationwide uniformity and a predictable standard, and when the federal rule in question is interpreting a federal statute. Burlington Indus. v. Ellerth, 524 U.S. 742 (1998).

    The confidentiality and enforcement provisions of this regulation interpret a federal statute, the Patient Safety Act. Under the Patient Safety Act, there is a strong interest in nationwide uniformity in the confidentiality provisions and how those provisions are enforced. The fundamental goal of the Patient Safety Act is to promote the examination and correction of patient safety events in order to improve patient safety and create a culture of patient safety in the health care system. Therefore, it is essential for the Secretary to apply one consistent body of law regardless of where an agent is employed, an alleged violation occurred, or an action is brought. The same considerations support a strong federal interest in the predictable operation of the confidentiality provisions, to ensure that persons using patient safety work product can do so consistently so as to facilitate the appropriate exchange of information. Thus, the tests for application of the federal common law of agency are met.

    Where the federal common law of agency applies, the courts often look to the Restatement (Second) of Agency (1958) (Restatement) as a basis for explaining the common law's application. While the determination of whether an agent is acting within the scope of its authority must be decided on a case-by-case basis, the Restatement provides guidelines for this determination. Section 229 of the Restatement provides:

    (1) To be within the scope of the employment, conduct must be of the same general nature as that authorized, or incidental to the conduct authorized.

    (2) In determining whether or not the conduct, although not authorized, is nevertheless so similar to or incidental to the conduct authorized as to be within the scope of employment, the following matters of fact are to be considered;

    (a) Whether or not the act is one commonly done by such servants;

    (b) The time, place and purpose of the act;

    (c) The previous relations between the master and the servant;

    (d) The extent to which the business of the master is apportioned between different servants;

    (e) Whether or not the act is outside the enterprise of the master or, if within the enterprise, has not been entrusted to any servant;

    (f) Whether or not the master has reason to expect that such an act will be done;

    (g) The similarity in quality of the act done to the act authorized;

    (h) Whether or not the instrumentality by which the harm is done has been furnished by the master to the servant;

    (i) The extent of departure from the normal method of accomplishing an authorized result; and

    (j) Whether or not the act is seriously criminal.

    In some cases, under federal agency law, a principal may be liable for an agent's acts even if the agent acts outside the scope of its authority. Restatement (Second) of Agency section 219 (1958). However, proposed Sec. 3.402(b) would follow section 1128A(l) of the Social Security Act, 42 U.S.C. 1320a-7a(l), which limits liability for the actions of an agent to those actions that are within the scope of the agency.

    Agents

    Various categories of persons may be agents of a provider, PSO, or responsible person. These persons include workforce members. We propose a slightly expanded definition of ``workforce'' from the term defined in the HIPAA Privacy Rule. The proposed definition of ``workforce'' includes employees, volunteers, trainees, contractors, and other persons whose conduct, in the performance of work for a provider, PSO or responsible person, is under the direct control of such principal, whether or not they are paid by the principal. Because of the ``direct control'' language of the proposed rule, we believe that all workforce members, including those who are not employees, are agents of a principal. Under the proposed rule, a principal could be liable for a violation based on an act that is a violation by any workforce member acting within the scope of employment or agency. The determinative issue is whether a person is sufficiently under the control of a person or entity and acting within the scope of the agency. Proposed Sec. 3.402(b) creates a presumption that a workforce member is an agent of an employer.

    8. Proposed Sec. 3.404--Amount of Civil Money Penalty

    Proposed Sec. 3.404, the amount of the civil money penalty, is determined in accordance with section 922(f) of the Public Health Service Act, 42 U.S.C. 299b-22(f), and the provisions of this Part. Section 922(f)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(f)(1), establishes a maximum penalty amount for violations of ``not more than $10,000'' per person for each violation. The statutory cap is reflected in proposed Sec. 3.404(b).

    The statute establishes only maximum penalty amounts, so the Secretary has the discretion to impose penalties that are less than the statutory maximum. This proposed regulation would not establish minimum penalties. Under proposed Sec. 3.404(a), the penalty amount would be determined using the factors set forth in proposed Sec. 3.408, subject to the statutory maximum reflected in proposed Sec. 3.404(b).

    As stated in the discussion under proposed Sec. 3.402(b), a principal can be held liable for the acts of its agent acting within the scope of the agency. Read together, with proposed Sec. 3.404(b), if a principal and an agent are determined to be liable for a single act that is a violation, the Secretary may impose a penalty of up to $10,000 against each separately. That is, the $10,000 limit applies to each person separately, not the act that was a violation. Thus, in the circumstance where an agent and a principal are determined to have violated the confidentiality provisions, the Secretary may impose a civil money penalty of up to $10,000 against the agent and a civil money penalty of up to $10,000 against the principal, for a total of $20,000 for a single act that is a violation.

    9. Proposed Sec. 3.408--Factors Considered in Determining the Amount of a Civil Money Penalty

    Section 1128A(d) of the Social Security Act, 42 U.S.C. 1320a-7a(d), made applicable to the imposition of civil money penalties by section 922(f)(2) of the Public Health Service Act, 42 U.S.C. 299b-22(f)(2), requires that, in determining the amount of ``any penalty,'' the Secretary shall take into account: (1) The nature of the claims and the circumstances under which they were presented, (2) the degree of culpability, history of prior offenses, and financial condition of the person presenting the claims, and (3) such other matters as justice may require. This language establishes factors to be considered in determining the amount of a civil money penalty.

    This approach is taken in other regulations that cross-reference section 1128A of the Social Security Act, 42 U.S.C. 1320a-7a, which rely on these factors for purposes of determining civil money penalty amounts. See, for example, 45 CFR 160.408. The factors listed in section 1128A(d) of the Social Security Act, 42 U.S.C. 1320a-7a(d), were drafted to apply to violations involving claims for payment under federally funded health programs. Because Patient Safety Act violations will not be about specific claims, we propose to tailor the section 1128A(d) factors to violations of the confidentiality provisions and further particularize the statutory factors by providing discrete criteria, as done in the HIPAA Enforcement Rule and the OIG regulations that implement section 1128A of the Social Security Act, 42 U.S.C. 1320a-7a. Consistent with these other regulations, and to provide more guidance to providers, PSOs, and responsible persons as to the factors that would be used in calculating civil money penalties, we propose the following detailed factors:

    (1) The nature of the violation.

    (2) The circumstances and consequences of the violation, including the time period during which the violation occurred; and whether the violation caused physical or financial harm or reputational damage.

    (3) The degree of culpability of the respondent, including whether the violation was intentional, and whether the violation was beyond the direct control of the respondent.

    (4) Any history of prior compliance with the confidentiality provisions, including violations, by the respondent, and whether the current violation is the same as or similar to prior violation(s), whether and to what extent the respondent has attempted to correct previous violations, how the respondent has responded to technical assistance from the Secretary provided in the context of a compliance effort, and how the respondent has responded to prior complaints.

    (5) The financial condition of the respondent, including whether the respondent had financial difficulties that affected its ability to comply, whether the imposition of a civil money penalty would jeopardize the ability of the respondent to continue to provide health care or patient safety activities, and the size of the respondent.

    (6) Such other matters as justice may require.

    For further discussion of these factors, please see the preambles to the Interim Final Rule and the Final Rule for the HIPAA Enforcement Rule at 70 FR 20235-36, Apr. 18, 2005, and 71 FR 8407-09, Feb. 16, 2006. Meeting certain conditions, such as financial condition, is a fact-specific determination based upon the individual circumstances of the situation presented.

    We seek comments regarding whether the above list of factors should be expanded to expressly include a factor for persons who self-report disclosures that may potentially violate the confidentiality provisions such that voluntary self-reporting would be a mitigating consideration when assessing a civil money penalty. Voluntary self-reporting may encourage persons to report breaches of confidentiality, particularly breaches that may otherwise go unnoticed, and to demonstrate the security practices that led to the discovery of the breach and how the breach has been remedied. However, including self-reporting as a factor may be viewed incorrectly as an additional reporting obligation to report every potentially impermissible disclosure, thereby, unnecessarily increasing administrative burdens on the Department and the individuals or entities making the self-reporting, or it may interfere with obligations to identified persons, particularly when a negotiated, contractual relationship between a provider and a PSO exists that addresses how the parties are to deal with breaches.

    Respondents are responsible for raising any issues that pertain to any of the factors to the Secretary within 30 days after receiving notice from the Secretary that informal resolution attempts have not resolved the issue in accordance with proposed Sec. 3.312(a)(3)(i). The Secretary is under no obligation to affirmatively raise any mitigating factor if a respondent fails to identify the issue. See proposed Sec. 3.504(p).

    In many regulations that implement section 1128A of the Social Security Act, 42 U.S.C. 1320a-7a, the statutory factors and/or the discrete criteria are designated as either aggravating or mitigating. For example, at 42 CFR 1003.106(b)(3) of the OIG regulations, ``history of prior offenses'' is listed as an aggravating factor and is applicable as a factor to a narrow range of prohibited conduct. However, because proposed Sec. 3.408 will apply to a variety of persons and circumstances, we propose that factors may be aggravating or mitigating, depending on the context. For example, the factor ``time period during which the violation(s) occurred'' could be an aggravating factor if the respondent's violation went undetected for a long period of time or undetected actions resulted in multiple violations, but could be a mitigating factor if a violation was detected and corrected quickly. This approach is consistent with other regulations implementing section 1128A of the Social Security Act, 42 U.S.C. 1320a-7a. See, for example, 45 CFR 160.408.

    We propose to leave to the Secretary's discretion the decision regarding when aggravating and mitigating factors will be taken into account in determining the amount of a civil money penalty. The facts of each violation will drive the determination of whether a particular factor is aggravating or mitigating.

    10. Proposed Sec. 3.414--Limitations

    Proposed Sec. 3.414 sets forth the 6-year limitations period on initiating an action for imposition of a civil money penalty provided for by section 1128A(c)(1) of the Social Security Act, 42 U.S.C. 1320a-7a(c)(1). We propose the date of the occurrence of the violation be the date from which the limitation period begins.

    [[Page 8161]]

    11. Proposed Sec. 3.416--Authority to Settle

    Proposed Sec. 3.416 states the authority of the Secretary to settle any issue or case or to compromise any penalty during the process addressed in this Part, including cases that are in hearing. The first sentence of section 1128A(f) of the Social Security Act, 42 U.S.C. 1320a-7a(f), made applicable by section 922(f)(2) of the Public Health Service Act, 42 U.S.C. 299b-22(f)(2), states, in part, ``civil money penalties * * * imposed under this section may be compromised by the Secretary.'' This authority to settle is the same as that set forth in 45 CFR 160.416 of the HIPAA Enforcement Rule.

    12. Proposed Sec. 3.418--Exclusivity of Penalty

    Proposed Sec. 3.418 makes clear that, except as noted below, penalties imposed under this Part are not intended to be exclusive where a violation under this Part may also be a violation of, and subject the respondent to, penalties under another federal or State law. This provision is modeled on 42 CFR 1003.108 of the OIG regulations.

    Proposed Sec. 3.418(b) repeats the statutory prohibition against imposing a penalty under both the Patient Safety Act and under HIPAA for a single act or omission that constitutes a violation of both the Patient Safety Act and HIPAA. Congress recognized that there could be overlap between the confidentiality provisions and the HIPAA Privacy Rule. Because identifiable patient safety work product includes individually identifiable health information as defined under the HIPAA Privacy Rule, HIPAA covered entities could be liable for violations of the HIPAA Privacy Rule based upon a single disclosure of identifiable patient safety work product. We tentatively interpret the Patient Safety Act as only prohibiting the imposition of a civil money penalty under the Patient Safety Act when there have been civil, as opposed to criminal, penalties imposed on the respondent under the HIPAA Privacy Rule for the same single act or omission. In other words, a person could have a civil money penalty imposed against him under the Patient Safety Act as well as a criminal penalty under HIPAA for the same act or omission. However, an act that amounts to a civil violation of both the confidentiality provisions and the HIPAA Privacy Rule would be enforceable under either authority, but not both.

    The decision regarding which statute applies to a particular situation will be made based upon the facts of individual situations. HIPAA covered entities that seek to disclose confidential patient safety work product that contains protected health information must know when such disclosure is permissible under both statutes.

    13. Proposed Sec. 3.420--Notice of Proposed Determination

    Proposed Sec. 3.420 sets forth the requirements for the notice to a respondent sent when the Secretary proposes a penalty under this Part. This notice implements the requirement for notice contained in section 1128A(c)(1) of the Social Security Act, 42 U.S.C. 1320a-7a(c)(1). These requirements are substantially the same as those in the HIPAA Enforcement Rule at 45 CFR 160.420, except for the removal of provisions related to statistical sampling.

    The notice provided for in this section must be given whenever a civil money penalty is proposed. The proposed requirements of this section serve to inform any person under investigation of the basis for the Secretary's proposed civil money penalty determination. These requirements include the statutory basis for a penalty, a description of the findings of fact regarding the violation, the reasons the violation causes liability, the amount of the proposed penalty, factors considered under proposed Sec. 3.408 in determining the amount of the penalty, and instructions for responding to the notice, including the right to a hearing.

    At this point in the process, the Secretary may also send a notice of proposed determination to a principal based upon liability for a violation under proposed Sec. 3.402(b).

    14. Proposed Sec. 3.422--Failure To Request a Hearing

    Under proposed Sec. 3.422, when a respondent does not timely request a hearing on a proposed civil money penalty, the Secretary may impose the civil money penalty or any less severe civil money penalty permitted by section 1128A(d)(5) of the Social Security Act, 42 U.S.C. 1320a-7a(d)(5). Once the time has expired for the respondent to file for an appeal, the Secretary will decide whether to impose the civil money penalty and provide notice to the respondent of the civil money penalty. If the Secretary does pursue a civil money penalty, the civil money penalty is final, and the respondent has no right to appeal a civil money penalty imposed under these circumstances. This section is similar to 45 CFR 160.422 of the HIPAA Enforcement Rule.

    For purposes of determining when subsequent actions may commence, such as collection of an imposed civil money penalty, we propose that the penalty be final upon receipt of a penalty notice sent by certified mail return receipt requested.

    15. Proposed Sec. 3.424--Collection of Penalty

    Proposed Sec. 3.424 provides that once a determination to impose a civil money penalty has become final, the civil money penalty must be collected by the Secretary, unless compromised, and prescribes the methods for collection. We propose that civil money penalties be collected as set forth under the HIPAA Enforcement Rule at 45 CFR 160.424, except that the term ``this part'' shall refer to 42 CFR Part 3. The modification is made for the provision to refer to the appropriate authority.

    16. Proposed Sec. 3.426--Notification of the Public and Other Agencies

    Proposed Sec. 3.426 would implement section 1128A(h) of the Social Security Act, 42 U.S.C. 1320a-7a(h). When a civil money penalty proposed by the Secretary becomes final, section 1128A(h) of the Social Security Act, 42 U.S.C. 1320a-7a(h), directs the Secretary to notify appropriate State or local agencies, organizations, and associations and to provide the reasons for the civil money penalty. We propose to add the public generally as a group that may receive notice, in order to make the information available to anyone who must make decisions with respect to persons that have had a civil money penalty imposed for violation of the confidentiality provisions. For instance, knowledge of the imposition of a civil money penalty for violation of the Patient Safety Act could be important to hospitals, other health care organizations, health care consumers, as well as to current and future business partners throughout the industry.

    The basis for this public notice portion lies in the Freedom of Information Act, 5 U.S.C. 552. The Freedom of Information Act requires final opinions and orders made in adjudication cases to be made available for public inspection and copying. See 5 U.S.C. 552(a)(2)(A). While it is true that section 1128A(h) of the Social Security Act, 42 U.S.C. 1320a-7a(h), does not require that such notice be given to the public, neither does it prohibit such wider dissemination of that information, and nothing in section 1128A(h) of the Social Security Act, 42 U.S.C. 1320a-7a(h), suggests that it modifies the Secretary's obligations under the Freedom of Information Act.

    [[Page 8162]]

    The Freedom of Information Act requires making final orders or opinions available for public inspection and copying by ``computer telecommunication * * * or other electronic means,'' which would encompass a display on the Department's Web site. See 5 U.S.C. 552(a)(2).

    A civil money penalty is considered to be final, for purposes of notification, when it is a final agency action (i.e., the time for administrative appeal has run or the adverse administrative finding has otherwise become final). The final opinion or order that is subject to the notification provisions of this section is the notice of proposed determination, if a request for hearing is not timely filed, the decision of the ALJ, if that is not appealed, or the final decision of the Board.

    Currently final decisions of the ALJs and the Board are made public via the Board's Web site. See http://www.hhs.gov/dab/search.html. Such postings, however, would not include penalties that become final because a request for hearing was not filed under proposed Sec. 3.504(a). Under proposed Sec. 3.426, notices of proposed determination under proposed Sec. 3.420 that become final because a hearing has not been timely requested, would also be made available for public inspection and copying as final orders, with appropriate redaction of any patient safety work product or other confidential information, via OCR's Web site. See the OCR patient safety Web site at http://www.hhs.gov/ocr/PSQIA. By making the entire final opinion or order available to the public, the facts underlying the penalty determination and the law applied to those facts will be apparent. Given that information, the public may discern the nature and extent of the violation as well as the basis for imposition of the civil money penalty.

    The regulatory language would provide for notification in such manner as the Secretary deems appropriate. Posting to a Department Web site and/or the periodic publication of a notice in the Federal Register are among the methods which the Secretary is considering using for the efficient dissemination of such information. These methods would avoid the need for the Secretary to determine which entities, among a potentially large universe, should be notified and would also permit the general public served by providers, PSOs, and responsible persons upon whom civil money penalties have been imposed--as well as their business partners--to be apprised of this fact, where that information is of interest to them. While the Secretary could provide notice to individual agencies where desired, the Secretary could, at his option, use a single public method of notice, such as posting to a Department Web site, to satisfy the obligation to notify the specified agencies and the public.

    17. Proposed Sec. 3.504--Procedures for Hearings

    Proposed Sec. 3.504 is a compilation of procedures related to administrative hearings on civil money penalties imposed by the Secretary. The proposed section sets forth the authority of the ALJ, the rights and burdens of proof of the parties, requirements for the exchange of information and pre-hearing, hearing, and post-hearing processes. These individual sections are described in greater detail below.

    This proposed section cross-references the HIPAA Enforcement Rule extensively due to the similar nature of the enforcement and appeal procedures, the nature of the issues and substance presented, and the parties most affected by these proposed regulations. We intend that the provisions of the HIPAA Enforcement Rule will be applied to the imposition of civil money penalties under this Subpart in the same manner as they are applied to violations of the HIPAA administrative simplification provisions, subject to any modifications set forth in proposed Sec. 3.504. We believe the best and most efficient manner of achieving this result is through explicitly referencing and adopting the relevant provisions of the HIPAA Enforcement Rule. Where modifications are necessary to address the differences between the appeals of determinations under the HIPAA Enforcement Rule and the Patient Safety Act, we have made specific exceptions that we discuss below.

    We note that the recently published Notice of Proposed Rulemaking entitled ``Revisions to Procedures for the Departmental Appeals Board and Other Departmental Hearings'' (see 72 FR 73708 (December 28, 2007)) proposes to modify the HIPAA Enforcement Rule, which we reference extensively in this proposed rule. Our intent for the patient safety regulations would be to maintain the alignment between the patient safety enforcement process and the HIPAA Enforcement Rule, as stated previously. Should the amendments to the HIPAA Enforcement Rule become final based on that Notice of Proposed Rulemaking, our intent would be to incorporate those changes in any final rulemaking here. That Notice of Proposed Rulemaking proposes to amend 45 CFR 160.508(c) and 45 CFR 160.548, and to add a new provision, 45 CFR 160.554, providing that the Secretary may review all ALJ decisions that the Board has declined to review and all Board decisions for error in applying statutes, regulations or interpretive policy.

    18. Proposed Sec. 3.504(a)--Hearings Before an ALJ

    Proposed Sec. 3.504(a) provides the time and manner in which a hearing must be requested, or dismissed when not timely requested. This proposed section applies the same regulations as the HIPAA Enforcement Rule cited at 45 CFR 160.504(a)-(d), except that the language in paragraph (c) of 45 CFR 160.504 following and including ``except that'' does not apply. The excluded provision refers to the ability of respondents to raise an affirmative defense under 45 CFR 160.410(b)(1) for which we have not adopted a comparable provision because the provision implements a statutory defense unique to HIPAA.

    19. Proposed Sec. 3.504(b)--Rights of the Parties

    Proposed Sec. 3.504(b) provides that the rights of the parties not specifically provided elsewhere in this Part shall be the same as those provided in 45 CFR 160.506 of the HIPAA Enforcement Rule.

    20. Proposed Sec. 3.504(c)--Authority of the ALJ

    Proposed Sec. 3.504(c) provides that the general guidelines and authority of the ALJ shall be the same as provided in the HIPAA Enforcement Rule at 45 CFR 160.508(a)-(c)(4). We exclude the provision at 45 CFR 160.508(c)(5) because there is no requirement under the Patient Safety Act for remedied violations based on reasonable cause to be insulated from liability for a civil money penalty.

    21. Proposed Sec. 3.504(d)--Ex parte Contacts

    Proposed Sec. 3.504(d) is designed to ensure the fairness of the hearing by prohibiting ex-parte contacts with the ALJ on matters at issue. We propose to incorporate the same restrictions as provided for in the HIPAA Enforcement Rule at 45 CFR 160.510.

    22. Proposed Sec. 3.504(e)--Prehearing Conferences

    Proposed Sec. 3.504(e) adopts the same provisions as govern prehearing conferences in the HIPAA Enforcement Rule at 45 CFR 160.512, except that the term ``identifiable patient safety work product'' is substituted for ``individually identifiable health information.'' Under this proposed provision, the ALJ is required to schedule at least one prehearing conference, in order to narrow the issues to be addressed at the hearing and, thus, expedite the formal hearing process, and to prescribe a timeframe for prehearings.

    23. Proposed Sec. 3.504(f)--Authority To Settle

    Proposed Sec. 3.504(f) adopts 45 CFR 160.514 of the HIPAA Enforcement Rule. This proposal provides that the Secretary has exclusive authority to settle any issue or case at any time and need not obtain the consent of the ALJ.

    24. Proposed Sec. 3.504(g)--Discovery

    We propose in Sec. 3.504(g) to adopt the discovery procedures as provided for in the HIPAA Enforcement Rule at 45 CFR 160.516. These provisions allow limited discovery in the form of the production for inspection and copying of documents that are relevant and material to the issues before the ALJ. These provisions do not authorize other forms of discovery, such as depositions and interrogatories.

    Although the adoption of 45 CFR 160.516 would permit parties to raise claims of privilege and permit an ALJ to deny a motion to compel privileged information, a respondent could not claim privilege, and an ALJ could not deny a motion to compel, if the Secretary seeks patient safety work product relevant to the alleged confidentiality violation because the patient safety work product would not be privileged under proposed Sec. 3.204(c).

    Under this proposal, a respondent concerned with potential public access to patient safety work product may raise the issue before the ALJ and seek a protective order. The ALJ may, for good cause shown, order appropriate redactions made to the record after hearing. See proposed Sec. 3.504(s).

    25. Proposed Sec. 3.504(h)--Exchange of Witness Lists, Witness Statements, and Exhibits

    Proposed Sec. 3.504(h) provides for the prehearing exchange of certain documents, including witness lists, copies of prior statements of witnesses, and copies of hearing exhibits. We propose that the requirements set forth in 45 CFR 160.518 of the HIPAA Enforcement Rule shall apply, except that the language in paragraph (a) of 45 CFR 160.518 following and including ``except that'' shall not apply. We exclude the provisions relating to the provision of a statistical expert's report not less than 30 days before a scheduled hearing because we do not propose language permitting the use of statistical sampling to estimate the number of violations. 26. Proposed Sec. 3.504(i)--Subpoenas for Attendance at Hearing

    Proposed Sec. 3.504(i) provides procedures for the ALJ to issue subpoenas for witnesses to appear at a hearing and for parties and prospective witnesses to contest such subpoenas. We propose to adopt the same regulations as provided at 45 CFR 160.520 of the HIPAA Enforcement Rule. 27. Proposed Sec. 3.504(j)--Fees

    Proposed Sec. 3.504(j) provides for the payment of witness fees by the party requesting a subpoena. We propose that the fees requirements be the same as those provided in 45 CFR 160.522 of the HIPAA Enforcement Rule. 28. Proposed Sec. 3.504(k)--Form, Filing and Service of Papers

    Proposed Sec. 3.504(k) provides requirements for documents filed with the ALJ. We propose to adopt the requirements of 45 CFR 160.524 of the HIPAA Enforcement Rule.

    29. Proposed Sec. 3.504(l)--Computation of Time

    Proposed Sec. 3.504(l) provides the method for computing time periods under this Part. We propose to adopt the requirements of 45 CFR 160.526 of the HIPAA Enforcement Rule, except the term ``this subpart'' shall refer to 42 CFR Part 3, Subpart D and the citation ``Sec. 3.504(a) of 42 CFR Part 3'' shall be substituted for the citation ``Sec. 160.504.''

    30. Proposed Sec. 3.504(m)--Motions

    Proposed Sec. 3.504(m) provides requirements for the content of motions and the time allowed for responses. We propose to adopt the requirements of 45 CFR 160.528 of the HIPAA Enforcement Rule.

    31. Proposed Sec. 3.504(n)--Sanctions

    Proposed Sec. 3.504(n) provides the sanctions an ALJ may impose on parties and their representatives for failing to comply with an order or procedure, failing to defend an action, or other misconduct. We propose to adopt the provisions of 45 CFR 160.530 of the HIPAA Enforcement Rule.

    32. Proposed Sec. 3.504(o)--Collateral Estoppel

    Proposed Sec. 3.504(o) would adopt the doctrine of collateral estoppel with respect to a final decision of an administrative agency. Collateral estoppel means that determinations made with respect to issues litigated and determined in a proceeding between two parties will bind the respective parties in later disputes concerning the same issues and parties. We propose to adopt the provisions of 45 CFR 160.532 of the HIPAA Enforcement Rule, except that the term ``a confidentiality provision'' shall be substituted for the term ``an administrative simplification provision''.

    33. Proposed Sec. 3.504(p)--The Hearing

    Proposed Sec. 3.504(p) provides for a public hearing on the record, the burden of proof at the hearing and the admission of rebuttal evidence. We propose to adopt the provisions of 45 CFR 160.534 of the HIPAA Enforcement Rule, except the following text shall be substituted for Sec. 160.534(b)(1): ``The respondent has the burden of going forward and the burden of persuasion with respect to any challenge to the amount of a proposed penalty pursuant to Sec. Sec. 3.404-3.408 of 42 CFR Part 3, including any factors raised as mitigating factors.'' We propose to adopt this new language for Sec. 160.534(b)(1) because references to affirmative defenses in the excluded text are not applicable in the context of the Patient Safety Act as such defenses are under the HIPAA Enforcement Rule; nor does the Patient Safety Act include provisions for the waiver or reduction of a civil money penalty in accordance with 45 CFR 160.412.

    45 CFR 160.534(c) states that the hearing must be open to the public unless otherwise ordered by the ALJ for good cause shown. In proposed Sec. 3.504(p) of this Subpart, we propose that good cause shown under 45 CFR 160.534(c) may be that identifiable patient safety work product has been introduced into evidence or is expected to be introduced into evidence. Protecting patient safety work product is important and is an issue about which all parties and the ALJ should be concerned.

    34. Proposed Sec. 3.504(q)--Witnesses

    Under proposed Sec. 3.504(q), the ALJ may allow oral testimony to be admitted or provided in the form of a written statement or deposition so long as the opposing party has a sufficient opportunity to subpoena the person whose statement is being offered. We propose to adopt the provisions of 45 CFR 160.538 of the HIPAA Enforcement Rule, except that the citation ``Sec. 3.504(h) of 42 CFR Part 3'' shall be substituted for the citation ``Sec. 160.518.''

    [[Page 8164]]

    35. Proposed Sec. 3.504(r)--Evidence

    Proposed Sec. 3.504(r) would provide guidelines for the acceptance of evidence in hearings. We propose to adopt the provisions of 45 CFR 160.540 of the HIPAA Enforcement Rule, except that the citation ``Sec. 3.420 of 42 CFR Part 3'' shall be substituted for the citation ``Sec. 160.420 of this part''.

    In the same manner as the exception to privilege for enforcement activities under Sec. 3.204(c) applies to proposed Sec. 3.504(g), the exception to privilege applies under proposed Sec. 3.504(r) as well. Although the adoption of 45 CFR 160.540(e) would permit parties to raise claims of privilege and permit an ALJ to exclude from evidence privileged information, a respondent could not claim privilege and an ALJ could not exclude identifiable patient safety work product if the Secretary seeks to introduce that patient safety work product because disclosure of the patient safety work product would not be a violation of the privilege and confidentiality provisions under proposed Sec. 3.204(c).

    36. Proposed Sec. 3.504(s)--The Record

    Proposed Sec. 3.504(s) provides for recording and transcription of the hearing, and for the record to be available for inspection and copying by any person. We propose to adopt the provisions at 45 CFR 160.542 of the HIPAA Enforcement Rule. We also propose to provide that good cause for making appropriate redactions includes the presence of identifiable patient safety work product in the record.

    37. Proposed Sec. 3.504(t)--Post-Hearing Briefs

    Proposed Sec. 3.504(t) provides that the ALJ has the discretion to order post-hearing briefs, although the parties may file post-hearing briefs in any event if they desire. We propose to adopt the provisions of 45 CFR 160.544 of the HIPAA Enforcement Rule.

    38. Proposed Sec. 3.504(u)--ALJ's Decision

    Proposed Sec. 3.504(u) provides that not later than 60 days after the filing of post-hearing briefs, the ALJ shall serve on the parties a decision making specific findings of fact and conclusions of law. The ALJ's decision is the final decision of the Secretary, and will be final and binding on the parties 60 days from the date of service of the ALJ decision, unless it is timely appealed by either party. We propose to adopt the provisions of 45 CFR 160.546 of the HIPAA Enforcement Rule, except the citation ``Sec. 3.504(v) of 42 CFR Part 3'' shall be substituted for ``Sec. 160.548.''

    39. Proposed Sec. 3.504(v)--Appeal of the ALJ's Decision

    Proposed Sec. 3.504(v) provides for manner and time for review of an ALJ's decision regarding penalties imposed under this Part and subsequent judicial review. We propose to adopt the same provisions as 45 CFR 160.548 of the HIPAA Enforcement Rule, except the following language in paragraph (e) of 45 CFR 160.548 shall not apply: ``Except for an affirmative defense under Sec. 160.410(b)(1) of this part.'' We exclude this language because the Patient Safety Act does not provide for affirmative defenses in the same manner as HIPAA.

    40. Proposed Sec. 3.504(w)--Stay of the Secretary's Decision

    Proposed Sec. 3.504(w) provides that a respondent may request a stay of the effective date of a penalty pending judicial review. We propose to adopt the provisions of 45 CFR 160.550 of the HIPAA Enforcement Rule to govern this process.

    41. Proposed Sec. 3.504(x)--Harmless Error

    Proposed Sec. 3.504(x) adopts the ``harmless error'' standard as expressed in the HIPAA Enforcement Rule at 45 CFR 160.522. This proposed rule provides that the ALJ and the Board at every stage of the proceeding will disregard any error or defect in the proceeding that does not affect the substantial rights of the parties.

    1. Impact Statement and Other Required Analyses

    Unfunded Mandates Reform Act

    Section 202 of the Unfunded Mandates Reform Act requires that a covered agency prepare a budgetary impact statement before promulgating a rule that includes any Federal mandate that may result in the expenditure by State, local, and Tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year. The Department has determined that this proposed rule would not impose a mandate that will result in the expenditure by State, Local, and Tribal governments, in the aggregate, or by the private sector, of more than $100 million in any one year.

    Paperwork Reduction Act

    This notice of proposed rulemaking adding a new Part 3 to volume 42 of the Code of Federal Regulations contains information collection requirements. This summary includes the estimated costs and assumptions for the paperwork requirements related to this proposed rule. A copy of the information collection request will be available on the PSO Web site (http://www.pso.ahrq.gov) and can be obtained in hardcopy by contacting Susan Grinder at the Center for Quality Improvement and Patient Safety, AHRQ, (301) 427-1111 (o); (301) 427-1341 (fax). These paperwork requirements have been submitted to the Office of Management and Budget for review under number xxxx-xxxx as required by 44 U.S.C. 3507(a)(1)(c) of the Paperwork Reduction Act of 1995, as amended (PRA). Respondents are not required to respond to any collection of information unless it displays a current valid OMB control number.

    With respect to proposed Sec. 3.102 concerning the submission of certifications for initial and continued listing as a PSO, and of updated information, all such information would be submitted on Form SF-XXXX. To maintain its listing, a PSO must also submit a brief attestation, once every 24-month period after its initial date of listing, submitted on Form SF-XXXX, stating that it has entered contracts with two providers. We estimate that the proposed rule would create an average burden of 30 minutes annually for each entity that seeks to become a PSO to complete the necessary certification forms. Table 1 summarizes burden hours.

    Table 1.--Total Burden Hours Related to Certification Forms
    [Summary of all burden hours, by Provision, for PSOs]

    Provision                      Annualized burden hours
    ------------------------------------------------------
    3.112                          30 minutes.

    HHS is working with OMB to obtain approval of the associated burden in accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)) before the effective date of the final rule. Comments on this proposed information collection should be directed to Susan Grinder, by sending an e-mail to Psosupport@ahrq.hhs.gov or sending a fax to (301) 427-1341.

    Under 5 CFR 1320.3(c), a covered collection of information includes the requirement by an agency of a disclosure of information to third parties by means of identical reporting, recordkeeping, or disclosure requirements, imposed on ten or more persons. The proposed rule reflects the previously established reporting requirements for breach of confidentiality applicable to business associates under HIPAA regulations requiring contracts to contain a provision requiring the business associate (in this case, the PSO) to notify

    [[Page 8165]]

    providers of breaches of their identifiable patient data's confidentiality or security. Accordingly, this reporting requirement referenced in the regulation previously met Paperwork Reduction Act review requirements.

    The proposed rule requires in proposed Sec. 3.108(c) that a PSO notify the Secretary if it intends to relinquish voluntarily its status as a PSO. The entity would be required to notify the Secretary that it has, or will soon, alert providers and other organizations from which it has received patient safety work product or data of its intention and provide for the appropriate disposition of the data in consultation with each source of patient safety work product or data held by the entity. In addition, the entity is asked to provide the Secretary with current contact information for further communication from the Secretary as the entity ceases operations. The reporting aspect of this requirement is essentially an attestation that is equivalent to the requirements for listing, continued listing, and meeting the minimum contracts requirement. This minimal data requirement would come within 5 CFR 1320.3(h)(1) which provides an exception from PRA requirements for affirmations, certifications, or acknowledgments as long as they entail no burden other than that necessary to identify the respondent, the date, the respondent's address, and the nature of the instrument. In this case, the nature of the instrument would be an attestation that the PSO is working with its providers for the orderly cessation of activities. The following other collections of information that would be required by the proposed regulation under proposed Sec. 3.108 are also exempt from PRA requirements pursuant to an exception in 5 CFR 1320.4 for information gathered as part of administrative investigations and actions regarding specific parties: information supplied in response to preliminary agency determinations of PSO deficiencies or in response to proposed revocation and delisting (e.g., information providing the agency with correct facts, reporting corrective actions taken, or appealing proposed agency revocation decisions).

    Federalism

    Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a proposed rule (and subsequent final rule) that imposes substantial direct requirement costs on state and local governments, preempts State law, or otherwise has Federalism implications. The Patient Safety Act upon which the proposed regulation is based makes patient safety work product confidential and privileged. To the extent this would not be consistent with any state law, including court decisions, the Federal statute would preempt such state law or court order. The proposed rule (and subsequent final rule) will not have any greater preemptive effect on state or local governments than that imposed by the statute. While the Patient Safety Act does establish new Federal confidentiality and privilege protections for certain information, these protections only apply when health care providers work with PSOs and new processes, such as patient safety evaluation systems, that do not currently exist. These Federal data protections provide a mechanism for protection of sensitive information that could improve the quality, safety, and outcomes of health care by fostering a non-threatening environment in which information about adverse medical events and near misses can be discussed. It is hoped that confidential analysis of patient safety events will reduce the occurrence of adverse medical events and, thereby, reduce the costs arising from such events, including costs incurred by state and local governments attributable to such events.

    AHRQ, in conjunction with OCR, held three public listening sessions prior to drafting the proposed rule. Representatives of several states participated in these sessions. In particular, states that had begun to collect and analyze patient safety event information spoke about their related experiences and plans. Following publication of the NPRM, AHRQ will consult with appropriate state officials and organizations to review the scope of the proposed rule and to specifically seek input on federalism issues and a proposal in the rule at proposed Sec. 3.102(a)(2) that would limit the ability of public or private sector regulatory entities to seek listing as a PSO.

    Regulatory Impact Analysis

    Under Executive Order 12866 (58 FR 51735, October 4, 1993), Federal Agencies must determine whether a regulatory action is ``significant'' and, therefore, subject to OMB review and the requirements of the Executive Order. Executive Order 12866 defines ``significant regulatory action'' as one that is likely to result in a rule that may:

    1. Have an annual effect on the economy of $100 million or more or adversely affect in a material way the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or state, local, or tribal government or communities.

    2. Create a serious inconsistency or otherwise interfere with an action taken or planned by another agency.

    3. Materially alter the budgetary impact of entitlements, grants, user fees, or loan programs or the rights and obligations of recipients thereof.

    4. Raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in the Executive Order.

    AHRQ has accordingly examined the impact of the proposed rule under Executive Order 12866, the Regulatory Flexibility Act (5 U.S.C. 601-612), and the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4). Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, when regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety, and other advantages; distributive impacts; and equity). A regulatory impact analysis must be prepared for major rules with economically significant effects ($100 million or more in any one year). In the course of developing the proposed rule, AHRQ has considered the rule's costs and benefits, as mandated by Executive Order 12866. Although we cannot determine with precision the aggregate economic impact of the proposed rule, we believe that the impact may approach $100 million or more annually. HHS has determined that the proposed rule is ``significant'' also because it raises novel legal and policy issues with the establishment of a new regulatory framework, authorized by the Patient Safety Act, and imposes requirements, albeit voluntary, on entities that had not previously been subject to regulation in this area. Consequently, as required under Executive Order 12866, AHRQ conducted an analysis of the economic impact of the proposed rule.

    Background

    The Patient Safety Act establishes a framework for health care providers voluntarily to report information on the safety, quality, and outcomes of patient care to PSOs listed by HHS. The main objectives of the Patient Safety Act are to: (1) Encourage health care providers to collect and examine patient safety events more freely and consistently than they do now, (2) encourage many provider arrangements or contracts with expert PSOs to receive, aggregate, and analyze data on patient

    [[Page 8166]]

    safety events so that PSOs may provide feedback and assistance to the provider to improve patient safety, and (3) allow the providers to improve the quality of care delivered and reduce patient risk. The Patient Safety Act provides privilege from legal discovery for patient safety work product, as well as confidentiality protections in order to foster a culture of patient safety. The Patient Safety Act does not contain mandatory reporting requirements. It does, however, require information submissions by entities that voluntarily seek to be recognized (i.e., listed) as PSOs by the Secretary.

    The cost of an adverse patient safety event can be very high in terms of human life, and it also often carries a significant financial cost. The Institute of Medicine report, To Err is Human: Building a Safer Health Care System, estimates that adverse events cost the United States approximately $37.6 billion to $50 billion each year. ``Total national costs (lost income, lost household production, disability, and health care costs) of preventable adverse events (medical errors resulting in injury) are estimated to be between $17 billion and $29 billion, of which health care costs represent over one-half.'' \18\

    \18\ Corrigan, J. M., Donaldson, M. S., Kohn, L. T., McKay, T., Pike, K. C., for the Committee on Quality of Health Care in America. To Err is Human: Building a Safer Health System. Washington, DC.: National Academy Press; 2000.

    The proposed rule was written to minimize the regulatory and economic burden on an entity that seeks certification as a PSO in order to collect, aggregate, and analyze confidential information reported by health care providers. Collecting, aggregating, and analyzing information on adverse events will allow problems to be identified, addressed, and eventually prevented. This, in turn, will help improve patient safety and the quality of care, while also reducing medical costs. The following analysis of costs and benefits--both quantitative and qualitative--includes estimates based on the best available health care data and demonstrates that the benefits of the proposed regulation justify the costs involved in its implementation.

    The economic impact of an alternative to the proposed rule is not discussed in the following analysis because an alternative to the statutorily authorized voluntary framework is the existence of no new program, which would produce no economic change or have no economic impact, or--alternatively--a mandatory regulatory program for all health care providers, which is not authorized by the Patient Safety Act and which is necessarily not a realistic alternative and would likely be much more expensive. (A guiding principle of those drafting the regulation was to minimize the economic and regulatory burden on those entities seeking to be PSOs and providers choosing to work with PSOs, within the limits of the Patient Safety Act. Hence this proposed rule represents the Department's best effort at minimal impact while still meeting statutory provisions.)

    AHRQ has relied on key findings from the literature to provide baseline measures for estimating the likely costs and benefits of the proposed rule. We believe that the costs of becoming a PSO (i.e., the costs of applying to be listed by the Secretary) will be relatively small, and the costs of operating a PSO will be small, in relation to the possible cost savings that will be derived from reducing the number of preventable adverse medical events each year.

    The direct costs to individual providers of working with PSOs will vary considerably. For an institutional or individual provider that chooses to report readily accessible information to a PSO occasionally, costs may be negligible. The proposed rule does not require a provider to enter into a contract with a PSO, establish internal reporting or analytic systems, or meet specific security requirements for patient safety work product. A provider's costs will derive from its own choice whether to undertake and, if so, whether to conduct or contract for data collection, information development, or analytic functions. Such decisions will be based on the provider's assessment of the cost and benefits it expects to incur and achieve. As we discuss below, hospitals in particular have developed, and can be expected to take advantage of the protections afforded by the Patient Safety Act by expanding data collection, information development, and analytic functions at their institutions. We anticipate that many providers will choose to enter into contracts with PSOs voluntarily. If providers choose to report data routinely to a PSO, a contract will be a good business practice. It provides greater assurance that a provider can demonstrate, if its claims of protections are challenged, that it is operating in full compliance with the statute. It enables the provider to exert greater control over the use and sharing of its data and, in the case of a provider that is a covered entity under the HIPAA Privacy Rule, the provider will need to enter a business associate agreement with a PSO for compliance with that regulation if the reported data includes protected health information.

    The following cost estimates represent an effort to develop an ``upper bound'' on the cost impact of the proposed rule by assuming that providers choosing to work with PSOs will follow best business practices, take full advantage of the Patient Safety Act's protections, and develop robust internal reporting and analytic systems, rather than meeting the minimal requirements of the proposed rule. The cost estimates below are based on existing hospital-based activities for reporting patient safety events, which are likely to be similar to most events that a PSO will analyze (namely quality and safety activities within hospitals). While the Patient Safety Act is not limited to hospitals, AHRQ has received indications from various stakeholder groups that hospital providers will be the predominant provider type initially interested in working with PSOs.

    Affected Entities

    To date, AHRQ has no hard information on the exact number of interested parties that may wish to become a PSO. AHRQ estimates, however, that 50 to 100 entities may request to become a listed PSO by the Secretary during the first three years after publication of the final rule. AHRQ anticipates a gradual increase in the number of entities seeking listing as a PSO and estimates that roughly 50 entities will seek PSO certification during Year 1, 25 entities during Year 2, and an additional 25 entities during Year 3, totaling 100 PSOs by the end of Year 3. After Year 3, we anticipate that the number of PSOs will remain about constant, with the number of new entrants roughly equivalent to the number of PSOs that cease to operate.

    Healthcare providers, especially hospitals, currently assume some level of burden to collect, develop, and analyze patient safety event information similar to the information that will be reported to PSOs. We note that most institutional providers (especially larger ones) already do some of this data gathering. AHRQ anticipates that entities that currently operate internal patient safety event reporting systems either may be interested in: (1) Establishing a component organization to seek certification as a PSO; or (2) contracting with a PSO. Using data from the 2004 American Hospital Association, AHRQ conducted an analysis of the burden hours and likely costs associated with reporting patient safety event information to a PSO. See below.

    [[Page 8167]]

    Costs

    The proposed rule enables providers to receive Federal protections for information on patient safety events that the providers choose to collect, analyze, and report in conformity with the requirements of the Patient Safety Act and the proposed rule. The proposed rule, consistent with the Patient Safety Act, does not require any entity to seek listing as a PSO and does not require any provider to work with a PSO. While all holders of patient safety work product must avoid impermissible disclosures of patient safety work product, we do not impose any specific requirements that holders must meet to comply with this obligation. The requirements of the proposed rule apply only to entities that choose to seek listing by the Secretary as a PSO. Similarly, the proposed rule does not impose requirements on States or private sector entities (including small businesses) that would result in additional spending, that is, the government is not imposing any direct costs on States or the private sector.

    The Patient Safety Act, and therefore, the proposed rule, does impose obligations on entities that are listed by the Secretary as PSOs. Every PSO must carry out eight patient safety activities and comply with seven statutory criteria during its period of listing, including requirements related to the provision of security for patient safety work product, the ability to receive and analyze data from providers and assist them in implementing system improvements to mitigate or eliminate potential risk or harm to patients from the delivery of health care services.\19\ Because this is a new, untested, and voluntary initiative--coupled with the fact that PSOs currently do not exist--AHRQ does not have data on PSO fees, income, or expenses to estimate the precise monetized and non-monetized costs and benefits of the proposed rule. The following estimates reflect the cost of all incremental activities required (or contemplated) by the proposed rule.

    \19\ These 15 requirements from the Patient Safety Act are discussed in proposed Sec. 3.102(b). The eight patient safety activities are defined in proposed Sec. 3.20 and the seven criteria are specified in proposed Sec. 3.102(b)(2).

    For entities that seek to be listed as a PSO by the Secretary, AHRQ assumes that most of the total costs incurred will be for the establishment of a new organizational structure. AHRQ expects such costs to vary considerably based on the types of entities that request PSO listing (e.g., size; geographic location; setting; academic, professional, or business affiliation; and whether or not the entity is a component of a parent organization). It is anticipated that the proposed rule's cost to a PSO will likely be highest in the first year due to start-up and initial operational costs and establishment of policies and procedures for complying with PSO regulations. PSO operational costs will include the hiring of qualified staff, setting up data collection and reporting systems, establishing policies and procedures for ensuring data security and confidentiality, maintaining a patient safety evaluation system as required by the Patient Safety Act, and receiving and generating patient safety work product. The fact that PSOs are new entities for which there are no existing financial data means that estimates of the cost or charges for PSO services are a matter of speculation at this time. Additionally, the degree to which PSOs will exercise market power, what services they will offer, and the impact of a competitive environment is not yet known. Based on discussions with stakeholder groups, we believe that there will be a number of business models that emerge for PSOs. We anticipate that many PSOs will be components of existing organizations, which will likely subsidize the operations of their component PSOs for some time. Despite these limitations, AHRQ believes it can construct reasonable estimates of the costs and benefits of the Patient Safety Act. See ``Provider--PSO Costs and Charges'' for an explanation of why the above-mentioned uncertainties do not preclude AHRQ from calculating overall costs, benefits, and net benefits of the Patient Safety Act.

    As noted above, the proposed rule does not require providers to establish internal reporting or analytic systems. AHRQ expects, however, that many providers will do so in order to take full advantage of the protections of the Patient Safety Act. As a result, our estimates reflect an upper bound on the potential costs associated with implementation by assuming that all providers that choose to participate will establish robust internal reporting and analytic systems.

    AHRQ recognizes that many state governments, public and private health care purchasers, and private accrediting and certifying organizations already employ voluntary and/or mandatory patient safety event reporting systems. As health care organizations increasingly focus on the monitoring of adverse events, the use of voluntary reporting systems to detect, evaluate, and track such events has also increased. Preliminary findings from AHRQ's Adverse Event Reporting Survey, conducted by the RAND Corporation (RAND) and the Joint Commission on Accreditation of Healthcare Organizations (JCAHO), show that 98 percent of hospitals are already reporting adverse medical events.\20\ This survey was administered to a representative sample of 2,000 hospitals, with an 81 percent response rate. Thus, it is anticipated that the associated costs of the proposed rule for hospitals with existing patient safety event reporting systems will be very minimal, because the majority of these organizations already have the institutional infrastructure and operations to carry out the data collection activities of the proposed rule. AHRQ assumes that the estimated 2 percent of hospitals that currently have no reporting system are unlikely to initiate a new reporting system based on the proposed rule, at least in the first year that PSOs are operational.

    \20\ RAND and Joint Commission on Accreditation of Healthcare Organizations. Survey on Hospital Adverse Event Reporting Systems: Briefing on Baseline Data. August 16, 2006 Briefing.

    Hospital Costs

    We extrapolated findings from the RAND-JCAHO survey in order to calculate the burden hours and monetized costs associated with the proposed rule, using data from the American Hospital Association's 2004 \21\ annual survey of hospitals in the United States \22\ to estimate the number of hospitals nationwide. This figure served as the denominator in our analysis. We acknowledge that, over time, not all providers working with PSOs will be hospitals; however, it is reasonable to use hospitals as a basis for our initial estimates, given the preliminary indications that hospitals will be the predominant, if not exclusive, providers submitting information to PSOs during the early years in which PSOs are operational.

    \21\ American Hospital Association. Fast Facts on U.S. Hospitals from AHA Hospital Statistics. November 14, 2005. Available at: http://www.aha.org/aha/resource_center/fastfacts/fast_facts_US_hospitals.html. Web Page.

    \22\ The 2005 survey results will likely be released in November 2006.

    Based on American Hospital Association data, there are 5,759 registered U.S. hospitals--including community hospitals, Federal hospitals, non-Federal psychiatric hospitals, non-Federal long-term care hospitals, and hospital units of institutions--in which there are 955,768 staffed operational beds. Based on the RAND-JCAHO finding regarding event reporting in hospitals, AHRQ calculates that 98 percent of the 5,759 hospitals (5,644 hospitals with 936,653 staffed beds)

    [[Page 8168]]

    already have, and are supporting the costs of, a centralized patient safety event reporting system.

    AHRQ assumed that an institution will report an average of one patient safety event (including no harm events and close calls) per bed per month. Based on this assumption, AHRQ estimates that all hospitals nationwide are currently completing a total of 11,239,832 patient safety event reports per year. Based on the assumption that it takes 15 minutes to complete each patient safety event report, we estimate that hospitals are already spending 2,809,958 hours per year on this activity. At a Full-Time Equivalent (FTE) rate of $80 per hour, we estimate that all hospitals nationwide are currently spending approximately $224,796,634 per year on patient safety event reporting activities.

    AHRQ estimates that, once collected, it will take an additional five minutes for hospital staff to submit patient safety event information to a PSO. We, therefore, estimate that the total burden hours for all hospitals nationwide to submit patient safety event information to a PSO totals 936,653 hours annually with an associated cost of $74,932,211 based on the assumption that all hospitals nationwide reported all possible patient safety events (using the heuristic of one event per bed per month).

    During the first year following publication of the final rule PSOs will be forming themselves into organizations and engaging in startup activities. We assume that there will be a gradual increase in the number of entities seeking listing as PSOs, beginning with a 10 percent participation rate. We assume as many as 25 percent of hospitals may enter into arrangements with PSOs by the end of the first year; however, the overall effective participation rate will only average 10 percent. This assumption translates to 93,665 hours of additional burden for hospitals to report patient safety event information to PSOs with an estimated cost of $7,493,221. Assuming a 40 percent participation rate of all hospitals nationwide during the second year that PSOs are operational, there would be 374,660 burden hours with an estimated cost of $29,972,884. Assuming there is 60 percent participation rate of all hospitals nationwide during the third year that PSOs are operational, there would be 561,990 burden hours nationwide with an estimated cost of $44,959,326. (See Table 1).

    In summary, the direct costs--which would be voluntarily incurred if all hospitals nationwide that choose to work with PSOs during the first five years also chose to establish systematic reporting systems--are projected to range from approximately $7.5 million to nearly $63.7 million in any single year, based on 10 percent to 85 percent participation rate among hospitals. These cost estimates may be high if provider institutions, such as hospitals, do not submit all the patient safety data they collect to a PSO. If only a fraction of the data is reported to a PSO, the cost estimates and burden will be proportionately reduced.

    Table 1.--Estimated Hospitals Costs To Submit Information to PSOs: 2008-2012

    Year                         2008        2009        2010        2011        2012
    -------------------------------------------------------------------------------------
    Hospital Penetration Rate    10%         40%         60%         75%         85%
    Hospital Cost                $7.5 M      $30.0 M     $45.0 M     $56.2 M     $63.7 M

    PSO Costs

    A second category of costs, in addition to incremental costs borne by hospitals, is that of the PSOs themselves. PSO cost estimates are based on estimates of organizational and consulting capabilities and statutory requirements. We followed the standard accounting format for calculating ``independent government cost estimates,'' although the categories did not seem entirely appropriate for the private sector. In order to estimate PSO costs over a five-year period, we made several assumptions about the size and operations of new PSOs. Specifically, we assumed that PSOs would be staffed modestly, relying on existing hospital activities in reporting adverse events, and that a significant proportion of PSOs are likely to be component PSOs, with support and expertise provided by a parent organization. Our assumptions are that PSOs will hire dedicated staff of from 1.5 to 4 FTEs, assuming an average salary rate of $67/hour. We estimate that a significant overhead figure of 100%, coupled with 20% for General and Administrative (G&A) expenses, will cover the appreciable costs anticipated for legal, security, travel, and miscellaneous PSO expenses.

    Although we believe that the above estimates may be conservative, we also believe that PSOs will become more effective over time without increasing staff size. Finally, we estimate that the number of PSOs will increase from 50 to 100 during the first three years in which the Secretary lists PSOs and remain at 100 PSOs in subsequent years. Table 2 summarizes PSO operational costs for the first five years based on these estimates.

    Table 2.--Total PSO Operational Costs: 2008-2012

    Year                         2008        2009        2010        2011        2012
    -------------------------------------------------------------------------------------
    Number of PSOs               50          75          100         100         100
    PSO Cost                     $61.4 M     $92.1 M     $122.8 M    $122.8 M    $122.8 M

    Table 3 presents the total estimated incremental costs related to implementation of the Patient Safety Act, based on new activities on the part of hospitals and the formation of new entities, PSOs, from 2008-2012. Estimates for total Patient Safety Act costs are $80 million in Year 1, increasing to $186.5 million in Year 5.

    [[Page 8169]]

    Table 3.--Total Patient Safety Act Costs Including Hospital Costs and PSO Costs: 2008-2012

    Year                         2008        2009        2010        2011        2012
    -------------------------------------------------------------------------------------
    Hospital Penetration Rate    10%         40%         60%         75%         85%
    Hospital Cost                $7.5 M      $30.0 M     $45.0 M     $56.2 M     $63.7 M
    PSO Cost                     $61.4 M     $92.1 M     $122.8 M    $122.8 M    $122.8 M
    -------------------------------------------------------------------------------------
    Total Cost                   $68.9 M     $122.1 M    $167.8 M    $179.0 M    $186.5 M

    Provider--PSO Costs and Charges

    We have not figured into our calculations any estimates for the price of PSO services, amounts paid by hospitals and other health care providers to PSOs, PSO revenues, or PSO break-even analyses. We have not speculated about subsidies or business models. Regardless of what the costs and charges are between providers and PSOs, they will cancel each other out, as expenses to providers will become revenue to PSOs.

    Benefits

    The primary benefit of the proposed rule is to provide the foundation for new, voluntary opportunities for health care providers to improve the safety, quality, and outcomes of patient care. The non-monetized benefits to public health from the proposed rule are clear, translating to improvements in patient safety, although such benefits are intangible and difficult to quantify, not only in monetary terms but also with respect to outcome measures such as years added or years with improved quality-of-life. Although AHRQ is unable to quantify the net benefits of this proposed rule precisely, it believes firmly that the proposed rule will be effective in addressing costly medical care problems in the health system that adversely affect patients, their families, their employees, and society in general. Finally, estimating the impact of the proposed rule in terms of measurable monetized and non-monetized benefits is a challenge due to a lack of baseline data on the incidence and prevalence of patient safety events themselves. In fact, one of the intended benefits of the Patient Safety Act is to provide more objective data in this important area, which will begin to allow tracking of improvement.

    AHRQ has relied on key findings from the medical professional literature to provide a qualitative description of the scope of the problem. The Institute of Medicine reports that 44,000 to 98,000 people die in hospitals each year as a result of adverse events.\23\ The Harvard Medical Practice Study found a rate of 3.7 adverse events per 100 hospital admissions.\24\ Similar results were found in a replication of this study in Colorado and Utah; adverse events were reported at a rate of 2.9 per 100 admissions.\25\ Adverse events do not occur only in hospitals; they also occur in physician's offices, nursing homes, pharmacies, urgent care centers, ambulatory care settings, and care delivered in the home.

    \23\ Institute of Medicine, ``To Err Is Human: Building a Safer Health System'', 1999.

    \24\ Brennan TA, Leape LL, Laird NM, et al. Incidence of Adverse Events and Negligence in Hospitalized Patients. New England Journal of Medicine. 1991. 324: 370-76.

    \25\ Thomas EJ, Studdert DM, Burstin HR, et al. Incidence and Types of Adverse Events and Negligent Care in Utah and Colorado. Medical Care. 2000. 38: 261-71.

    The importance of evaluating the incidence and cost of adverse events cannot be overstated. They are not only related to possible morbidity and mortality, but also impose a significant economic burden on both society and the individual (patient, family, health care workers) in terms of consumption of health care resources and lost productivity, and in many cases avoidable pain and suffering. However, it may take many years for the proposed rule to achieve its full beneficial effects in preventing adverse events, and it will remain a challenge to track the effect of the proposed rule on the patient population and society, generally.

    It may be possible to measure improvements in patient safety in general descriptive terms regarding improved health outcomes. However, it is more difficult to translate such improvements to direct monetary savings or outcome measures that can be integrated into a single numerical index (e.g., units of health improvement, years of life gained). By analyzing patient safety event information, PSOs will be able to identify patterns of failures in the health care system and propose measures to eliminate patient safety risks and hazards as a means to improve patient outcomes. As more information is learned about patient safety events through data collection by the PSOs, the care delivery environment can be redesigned to prevent adverse events in the future. However, PSOs will not have the necessary authority to implement recommended changes to improve patient safety in providers' health care delivery organizations. It will be up to the providers themselves to bring about the changes that will result in a reduction in adverse events and a resultant improvement in the quality of care delivered.

    The submission of more comprehensive information by health care providers regarding patient risks and hazards will likely increase the understanding of the factors that contribute to events that adversely affect patients. The expected benefit of this information would be improvements in patient safety event reports and analyses, which would translate to better patient outcomes and possible economic savings attributable to the more efficient use of health care services. Due to the uncertainty of the benefits and costs associated with the proposed rule as delineated above, it is then possible only to make general estimates of the monetary values of expected improvements in patient outcomes, that is, savings to the healthcare system.

    We can estimate monetized benefits by referring to the Institute of Medicine report, To Err Is Human,\26\ which estimates total national costs of preventable adverse events to be between $17 billion and $29 billion, of which direct health care costs represent over one-half (totaling between $8.5 billion and $14.5 billion). Based on the assumption that PSOs may be able to reduce the preventable adverse events by between one percent and three percent within their first five years of operation, this reduction would amount to between $85 million and $145 million in savings at the 1 percent level, and between $255 million and $435 million at the 3 percent level, if the whole nation were affected. Applying a median figure from the Institute of Medicine range to PSOs, based on an increasing impact from 1%-3% as it grows over the first five

    [[Page 8170]]

    years, we see progressively growing savings as shown in Table 4. It should be noted that we are estimating savings by assuming a percentage reduction of adverse events from the overall occurrence rate delineated by the Institute of Medicine report. We are not tying the estimated reduction to those events specifically reported to PSOs. Events that have already occurred do not represent a potential for savings. The presumption behind the estimated savings is that the reporting, analysis, and institution of ameliorating policies and procedures will result in fewer adverse events going forward because of such PSO activities.

    \26\ Corrigan, J. M., Donaldson, M. S., Kohn, L. T., McKay, T., Pike, K. C., for the Committee on Quality of Health Care in America. To Err Is Human: Building a Safer Health System. Washington, DC: National Academy Press; 2000.

    Table 4.--Total Estimated Cost Savings by Percent Reduction in Adverse Events: 2008-2012 *

    Year                                   2008        2009        2010        2011          2012
    -------------------------------------------------------------------------------------------------
    Hospital Penetration Rate              10%         40%         60%         75%           85%
    Percent Reduction in Adverse Events    1%          1.5%        2%          2.5%          3%
    Savings                                $11.5 M     $69 M       $138 M      $215.625 M    $293.25 M

    * Source: Baseline figures from IOM Report, To Err Is Human, on total national health care costs associated with preventable adverse events (between 8.5 billion and 14.5 billion). Year 1 estimates are based on mid-point figures.

    It is assumed that when the proposed rule is implemented, it will have a beneficial effect on patient outcomes. Eliminating adverse events would help to ensure the greatest value possible from the billions of dollars spent on medical care in the United States.\27\ AHRQ concludes that the potential benefits of the Patient Safety Act--which encourages hospitals, doctors, and other health care providers to work voluntarily with PSOs by reporting of health care errors and enabling PSOs to analyze them to improve health care quality and safety--would justify the costs of the proposed rule.

    \27\ Corrigan, J. M., Donaldson, M. S., Kohn, L. T., McKay, T., Pike, K. C., for the Committee on Quality of Health Care in America. To Err Is Human: Building a Safer Health System. Washington, DC: National Academy Press; 2000.

    During the first five operational years of PSOs, we calculated the net benefits based on total costs and benefits. (See Table 5.) We estimate that costs of implementing the Patient Safety Act will reach break-even after 2010 and provide progressively greater benefits thereafter.

    Table 5.--Net Benefits: 2008-2012

    Year                                  2008         2009         2010         2011          2012
    ---------------------------------------------------------------------------------------------------
    Total Benefits                        $11.5 M      $69 M        $138 M       $215.625 M    $293.25 M
    Total Costs                           $68.9 M      $122.1 M     $167.8 M     $179.0 M      $186.5 M
    Net Benefits                          ($57.4) M    ($53.1) M    ($29.8) M    $36.625 M     $106.75 M
    Discounted net present value at 3%    ($55.7) M    ($50.0) M    ($27.3) M    $32.5 M       $92.1 M
    Discounted net present value at 7%    ($53.6) M    ($46.4) M    ($24.3) M    $27.9 M       $76.1 M

    Confidentiality Rule

    The confidentiality provisions are included in the Patient Safety Act to encourage provider participation. Without such protections, providers will be reluctant to participate in the expanded reporting and analysis of patient safety events, and low participation will severely inhibit the opportunity to reap the benefits from efforts to improve patient safety. The proposed rule requires any holder of patient safety work product to maintain its confidentiality but, with the exception of PSOs, the appropriate security measures are left to the holder's discretion. Proposed Sec. 3.106 establishes a security framework that PSOs must address but, even then, PSOs are given discretion to establish the specific security standards most appropriate to their organization. Violation of the confidentiality provisions under the proposed rule creates a risk of liability for a substantial civil money penalty. If a person makes a knowing or reckless disclosure in violation of the confidentiality provisions, that person will be subject to the enforcement process, and subject to costs including participation in an investigation and payment of a civil money penalty, if imposed.

    While participating providers may incur some costs associated with maintaining the confidentiality of patient safety work product (e.g., developing policies/procedures to keep information confidential, safeguarding the information, training staff, etc.), those activities and associated costs are not required by the proposed rule and are likely minimal in light of existing procedures to meet existing requirements on providers to maintain sensitive information as confidential. We are proposing a scheme that places the least possible amount of regulatory burden on participants while simultaneously ensuring that the confidentiality provisions are effectively implemented and balanced with the objective of encouraging the maximum amount of participation possible. We were mindful of not placing unnecessary regulatory requirements on participating entities because this is a voluntary initiative, and we did not want entities interested in participating to forego participation because of concerns about the associated risk of liability for civil money penalties.

    Regulatory Flexibility Act Analysis

    The Regulatory Flexibility Act requires agencies to analyze regulatory options that would minimize any significant impact of a rule on small entities. Because the Patient Safety Act enables a broad spectrum of entities--public, private, for-profit, and not-for-profit--to seek certification as a PSO, there may be many different types of organizations interested in becoming certified as a PSO that would be affected by the proposed rule. The proposed rule minimizes possible barriers to entry and creates a review process that is both simple and quick. As a result, AHRQ expects that a broad range of health care provider systems, medical specialty societies, and provider-based membership organizations will seek listing as a PSO by the Secretary.

    AHRQ preliminarily determines that the proposed rule does not have a

    [[Page 8171]]

    significant impact on small businesses because it does not impose a mandatory regulatory burden, and because the Department has made a significant effort to promulgate regulations that are the minimum necessary to interpret and implement the law. As stated previously, working with PSOs is completely voluntary; the proposed rule provides benefits in the form of legal protections that are expected to outweigh the cost of participation from the perspective of participating providers. AHRQ believes that the proposed rule will not have a significant impact on a substantial number of small entities because the proposed rules do not place small entities at a significant competitive disadvantage to large entities. AHRQ does not anticipate that there will be a disproportional effect on profits, costs, or net revenues for a substantial number of small entities. The proposed rule will not significantly reduce profit for a substantial number of small entities.

    Impacts on Small Entities

    1. The Need for and the Objectives of the Proposed Rule

    The proposed rule establishes the authorities, processes, and requirements necessary to implement the Patient Safety Act, sections 921-926 of the Public Health Service Act, 42 U.S.C. 299b-21 to 299b-26. The proposed rules seek to establish a streamlined process for the Department to accept certification by entities seeking to become PSOs. Under the proposal, PSOs will be available voluntarily to enter into arrangements with health care providers and provide expert advice regarding the causes and prevention of adverse patient safety events. Information collected or developed by a health care provider or PSO, and reported to or by a PSO, that relates to a patient safety event would become privileged and confidential. Related deliberations would also be protected. Persons who breached the confidentiality provisions of the rule could be subject to civil money penalties of up to $10,000.

    2. Description and Estimate of the Number of Small Entities Affected

    For purposes of the Regulatory Flexibility Act, small entities include small businesses, non-profit organizations, and government jurisdictions. Most hospitals and many other health care providers and suppliers are small entities, either because they are nonprofit organizations or because they generate revenues of $6.5 million to $31.5 million in any one year. Individuals and States are not included in the definition of a small entity. The proposed rule would affect most hospitals, and other health care delivery entities, plus all small entities that are interested in becoming certified PSOs. Based on various stakeholder meetings, AHRQ estimates that approximately 50-100 entities may be interested in becoming listed as PSOs during the first three years following publication of the final rule. This figure is likely to stabilize over time, as some new PSOs form and some existing PSOs cease operations.

    3. Impact on Small Entities

    AHRQ believes that the proposed rule will not have a significant impact on a substantial number of small provider or PSO entities because the proposed rule does not place a substantial number of small entities at a significant competitive disadvantage to large entities. AHRQ does not anticipate that there will be a disproportional effect on profits, costs, or net revenues for a substantial number of small entities. The proposed rule will not significantly reduce profit for a substantial number of small entities. In fact, when fully implemented, we expect that the benefits and/or provider savings will outweigh the costs.

    Compliance requirements for small entities under this proposed rule are the same as those described above for other affected entities. AHRQ has proposed only those regulations that are necessary to comply with provisions and goals of the Patient Safety Act, with the objective of encouraging the maximum participation possible. The proposed rule was written to minimize the regulatory and economic burden on any entity that seeks to be listed as a PSO by the Secretary, regardless of size. It is impossible for AHRQ to develop alternatives to the proposed rule for small entities, as the proposed rule must adhere to statutory requirements. For example, the proposed rule requires confidentiality and privilege protections and places the least amount of regulatory burden on participating players--while simultaneously ensuring that the goals of confidentiality are effectively implemented--with the objective of encouraging the maximum participation possible. In addition, the proposed rule was written recognizing that many providers will be HIPAA covered entities, and many PSOs will be business associates, which entails certain obligations under the HIPAA Privacy Rule. Thus, this proposed rule is coordinated with existing law, to minimize the burden of compliance.

    AHRQ believes that the proposed rule will not have a significant impact on small providers. The proposed rule does not impose any costs directly on providers, large or small, that choose to work with a PSO. To the extent that providers hold patient safety work product, they must prevent impermissible disclosures; however, the proposed rule does not establish requirements for how providers must meet this requirement.

    Finally, it is the statutory and supporting regulatory guarantee of the confidentiality of the reporting of adverse events that will enable PSOs to operate and perform their function. Thus, while the compliance costs in the form of start-up operational costs may be substantial, the benefits that will be generated as a result of these costs will exceed the actual costs, as illustrated in Table 5.

    The Secretary certifies that the proposed rule will not have a significant economic impact on a substantial number of small entities.

    List of Subjects in 42 CFR Part 3

    Administrative practice and procedure, Civil money penalty, Confidentiality, Conflict of interests, Courts, Freedom of information, Health, Health care, Health facilities, Health insurance, Health professions, Health records, Hospitals, Investigations, Law enforcement, Medical research, Organization and functions, Patient, Patient safety, Privacy, Privilege, Public health, Reporting and recordkeeping requirements, Safety, State and local governments, Technical assistance.

    For the reasons stated in the preamble, the Department of Health and Human Services proposes to amend Title 42 of the Code of Federal Regulations by adding a new part 3 to read as follows:

    PART 3--PATIENT SAFETY ORGANIZATIONS AND PATIENT SAFETY WORK PRODUCT

    Subpart A--General Provisions

    Sec.
    3.10 Purpose.
    3.20 Definitions.

    Subpart B--PSO Requirements and Agency Procedures

    3.102 Process and requirements for initial and continued listing of PSOs.
    3.104 Secretarial actions.
    3.106 Security requirements.
    3.108 Correction of deficiencies, revocation, and voluntary relinquishment.
    3.110 Assessment of PSO compliance.
    3.112 Submissions and forms.

    [[Page 8172]]

    Subpart C--Confidentiality and Privilege Protections of Patient Safety Work Product

    3.204 Privilege of Patient Safety Work Product.
    3.206 Confidentiality of Patient Safety Work Product.
    3.208 Continued protection of Patient Safety Work Product.
    3.210 Required disclosure of Patient Safety Work Product to the Secretary.
    3.212 Nonidentification of Patient Safety Work Product.

    Subpart D--Enforcement Program

    3.304 Principles for achieving compliance.
    3.306 Complaints to the Secretary.
    3.308 Compliance reviews.
    3.310 Responsibilities of respondents.
    3.312 Secretarial action regarding complaints and compliance reviews.
    3.314 Investigational subpoenas and inquiries.
    3.402 Basis for a civil money penalty.
    3.404 Amount of a civil money penalty.
    3.408 Factors considered in determining the amount of a civil money penalty.
    3.414 Limitations.
    3.416 Authority to settle.
    3.418 Exclusivity of penalty.
    3.420 Notice of proposed determination.
    3.422 Failure to request a hearing.
    3.424 Collection of penalty.
    3.426 Notification of the public and other agencies.
    3.504 Procedures for hearings.

    Authority: 42 U.S.C. 216, 299b-21 through 299b-26; 42 U.S.C. 299c-6

    Subpart A--General Provisions

    Sec. 3.10 Purpose.

    The purpose of this Part is to implement the Patient Safety and Quality Improvement Act of 2005 (Pub. L. 109-41), which amended Title IX of the Public Health Service Act (42 U.S.C. 299 et seq.) by adding sections 921 through 926, 42 U.S.C. 299b-21 through 299b-26.

    Sec. 3.20 Definitions.

    As used in this Part, the terms listed alphabetically below have the meanings set forth as follows:

    AHRQ stands for the Agency for Healthcare Research and Quality in HHS.

    ALJ stands for an Administrative Law Judge of HHS.

    Board means the members of the HHS Departmental Appeals Board, in the Office of the Secretary, who issue decisions in panels of three.

    Bona fide contract means:

    (1) A written contract between a provider and a PSO that is executed in good faith by officials authorized to execute such contract; or

    (2) A written agreement (such as a memorandum of understanding or equivalent recording of mutual commitments) between a Federal, State, Local, or Tribal provider and a Federal, State, Local, or Tribal PSO that is executed in good faith by officials authorized to execute such agreement.

    Complainant means a person who files a complaint with the Secretary pursuant to Sec. 3.306.

    Component organization means an entity that is either:

    (1) A unit or division of a corporate organization or of a multi-organizational enterprise; or

    (2) A separate organization, whether incorporated or not, that is owned, managed or controlled by one or more other organization(s), i.e., its parent organization(s).

    Component PSO means a PSO listed by the Secretary that is a component organization.

    Confidentiality provisions means for purposes of Subparts C and D, any requirement or prohibition concerning confidentiality established by section 921 and 922(b), (d), (g) and (i) of the Public Health Service Act, 42 U.S.C. 299b-21, 299b-22(b)-(d), (g) and (i) and the provisions, at Sec. Sec. 3.206 and 3.208, that implement the statutory prohibition on disclosure of identifiable patient safety work product.

    Disclosure means the release, transfer, provision of access to, or divulging in any other manner of patient safety work product by a person holding the patient safety work product to another.

    Entity means any organization or organizational unit, regardless of whether the organization is public, private, for-profit, or not-for-profit.

    Group health plan means an employee welfare benefit plan (as defined in section 3(1) of the Employee Retirement Income Security Act of 1974 (ERISA)) to the extent that the plan provides medical care (as defined in paragraph (2) of section 2791(a) of the Public Health Service Act, including items and services paid for as medical care) to employees or their dependents (as defined under the terms of the plan) directly or through insurance, reimbursement, or otherwise.

    Health insurance issuer means an insurance company, insurance service, or insurance organization (including a health maintenance organization, as defined in 42 U.S.C. 300gg-91(b)(3)) which is licensed to engage in the business of insurance in a State and which is subject to State law which regulates insurance (within the meaning of 29 U.S.C. 1144(b)(2)). The term does not include a group health plan.

    Health maintenance organization means:

    (1) A Federally qualified health maintenance organization (HMO) (as defined in 42 U.S.C. 300e(a)),

    (2) An organization recognized under State law as a health maintenance organization, or

    (3) A similar organization regulated under State law for solvency in the same manner and to the same extent as such a health maintenance organization.

    HHS stands for the United States Department of Health and Human Services.

    HIPAA Privacy Rule means the regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), at 45 CFR Part 160 and Subparts A and E of Part 164.

    Identifiable patient safety work product means patient safety work product that:

    (1) Is presented in a form and manner that allows the identification of any provider that is a subject of the work product, or any providers that participate in, or are responsible for, activities that are a subject of the work product;

    (2) Constitutes individually identifiable health information as that term is defined in the HIPAA Privacy Rule at 45 CFR 160.103; or

    (3) Is presented in a form and manner that allows the identification of an individual who in good faith reported information directly to a PSO or to a provider with the intention of having the information reported to a PSO (``reporter'').

    Nonidentifiable patient safety work product means patient safety work product that is not identifiable patient safety work product in accordance with the nonidentification standards set forth at Sec. 3.212.

    OCR stands for the Office for Civil Rights in HHS.

    Parent organization means an entity that, alone or with others, either owns a provider entity or a component organization, or has the authority to control or manage agenda setting, project management, or day-to-day operations, or the authority to review and override decisions of a component organization.

    Patient Safety Act means the Patient Safety and Quality Improvement Act of 2005 (Pub. L. 109-41), which amended Title IX of the Public Health Service Act (42 U.S.C. 299 et seq.) by inserting a new Part C, sections 921 through 926, which are codified at 42 U.S.C. 299b-21 through 299b-26.

    Patient safety activities means the following activities carried out by or on behalf of a PSO or a provider:

    (1) Efforts to improve patient safety and the quality of health care delivery;

    (2) The collection and analysis of patient safety work product;

    [[Page 8173]]

    (3) The development and dissemination of information with respect to improving patient safety, such as recommendations, protocols, or information regarding best practices;

    (4) The utilization of patient safety work product for the purposes of encouraging a culture of safety and of providing feedback and assistance to effectively minimize patient risk;

    (5) The maintenance of procedures to preserve confidentiality with respect to patient safety work product;

    (6) The provision of appropriate security measures with respect to patient safety work product;

    (7) The utilization of qualified staff; and

    (8) Activities related to the operation of a patient safety evaluation system and to the provision of feedback to participants in a patient safety evaluation system.

    Patient safety evaluation system means the collection, management, or analysis of information for reporting to or by a PSO.

    Patient safety organization (PSO) means a private or public entity or component thereof that currently is listed as a PSO by the Secretary in accordance with Subpart B. A health insurance issuer or a component organization of a health insurance issuer may not be a PSO. See also the exclusion in proposed Sec. 3.102 of this Part.

    Patient safety work product (PSWP).

    (1) Except as provided in paragraph (2) of this definition, patient safety work product means any data, reports, records, memoranda, analyses (such as root cause analyses), or written or oral statements (or copies of any of this material)

    (i)(A) Which are assembled or developed by a provider for reporting to a PSO and are reported to a PSO; or

    (B) Are developed by a PSO for the conduct of patient safety activities; and which could improve patient safety, health care quality, or health care outcomes; or

    (ii) Which identify or constitute the deliberations or analysis of, or identify the fact of reporting pursuant to, a patient safety evaluation system.

    (2)(i) Patient safety work product does not include a patient's medical record, billing and discharge information, or any other original patient or provider information; nor does it include information that is collected, maintained, or developed separately, or exists separately, from a patient safety evaluation system. Such separate information or a copy thereof reported to a PSO shall not by reason of its reporting be considered patient safety work product.

    (ii) Nothing in this part shall be construed to limit information that is not patient safety work product from being:

    (A) Discovered or admitted in a criminal, civil or administrative proceeding;

    (B) Reported to a Federal, State, local or tribal governmental agency for public health or health oversight purposes; or

    (C) Maintained as part of a provider's recordkeeping obligation under Federal, State, local or tribal law.

    Person means a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.

    Provider means:

    (1) An individual or entity licensed or otherwise authorized under State law to provide health care services, including--

    (i) A hospital, nursing facility, comprehensive outpatient rehabilitation facility, home health agency, hospice program, renal dialysis facility, ambulatory surgical center, pharmacy, physician or health care practitioner's office (includes a group practice), long term care facility, behavior health residential treatment facility, clinical laboratory, or health center; or

    (ii) A physician, physician assistant, registered nurse, nurse practitioner, clinical nurse specialist, certified registered nurse anesthetist, certified nurse midwife, psychologist, certified social worker, registered dietitian or nutrition professional, physical or occupational therapist, pharmacist, or other individual health care practitioner;

    (2) Agencies, organizations, and individuals within Federal, State, local, or Tribal governments that deliver health care, organizations engaged as contractors by the Federal, State, local, or Tribal governments to deliver health care, and individual health care practitioners employed or engaged as contractors by the Federal, State, local, or Tribal governments to deliver health care; or

    (3) A parent organization that has a controlling interest in one or more entities described in paragraph (1)(i) of this definition or a Federal, State, local, or Tribal government unit that manages or controls one or more entities described in (1)(i) or (2) of this definition.

    Research has the same meaning as the term is defined in the HIPAA Privacy Rule at 45 CFR 164.501.

    Respondent means a provider, PSO, or responsible person who is the subject of a complaint or a compliance review.

    Responsible person means a person, other than a provider or a PSO, who has possession or custody of identifiable patient safety work product and is subject to the confidentiality provisions.

    Workforce means employees, volunteers, trainees, contractors, and other persons whose conduct, in the performance of work for a provider, PSO or responsible person, is under the direct control of such provider, PSO or responsible person, whether or not they are paid by the provider, PSO or responsible person.

    Subpart B--PSO Requirements and Agency Procedures

    Sec. 3.102 Process and requirements for initial and continued listing of PSOs.

    (a) Eligibility and process for initial and continued listing.

    (1) Submission of Certification. Any entity, except as specified in paragraph (a)(2) of this section, may request from the Secretary an initial or continued listing as a PSO by submitting a completed certification form that meets the requirements of this section, in accordance with the submission requirements at Sec. 3.112. An individual with authority to make commitments on behalf of the entity seeking listing will be required to acknowledge each of the certification requirements, attest that the entity meets each requirement, provide contact information for the entity, and certify that the PSO will promptly notify the Secretary during its period of listing if it can no longer comply with any of the criteria in this section.

    (2) Restrictions on certain entities. Entities that may not seek listing as a PSO include: health insurance issuers or components of health insurance issuers. Any other entity, public or private, that conducts regulatory oversight of health care providers, such as accreditation or licensure, may not seek listing, except that a component of such an entity may seek listing as a component PSO. An applicant completing the required certification forms described in paragraph (a)(1) of this section will be required to attest that the entity is not subject to the restrictions of this paragraph.

    (b) Fifteen general PSO certification requirements. The certifications submitted to the Secretary in accordance with paragraph (a)(1) of this section must conform to the following 15 requirements:

    (1) Required certification regarding eight patient safety activities. An entity seeking initial listing as a PSO must certify that it has written policies and procedures in place to perform each of the eight patient safety activities,

    [[Page 8174]]

    defined in Sec. 3.20. Such policies and procedures will provide for compliance with the confidentiality provisions of subpart C of this part and the appropriate security measures required by Sec. 3.106 of this subpart. A PSO seeking continued listing must certify that it is performing, and will continue to perform, each of the patient safety activities, and is and will continue to comply with subpart C of this part and the security requirements referenced in the preceding sentence.

    (2) Required certification regarding seven PSO criteria. In its initial certification submission, an entity must also certify that it will comply with the additional seven requirements in paragraphs (b)(2)(i) through (b)(2)(vii) of this section. A PSO seeking continued listing must certify that it is complying with, and will continue to comply with, the requirements of this paragraph.

    (i) The mission and primary activity of a PSO must be to conduct activities that are to improve patient safety and the quality of health care delivery.

    (ii) The PSO must have appropriately qualified workforce members, including licensed or certified medical professionals.

    (iii) The PSO, within the 24-month period that begins on the date of its initial listing as a PSO, and within each sequential 24-month period thereafter, must have entered into 2 bona fide contracts, each of a reasonable period of time, each with a different provider for the purpose of receiving and reviewing patient safety work product.

    (iv) The PSO is not a health insurance issuer, and is not a component of a health insurance issuer.

    (v) The PSO must make disclosures to the Secretary as required under Sec. 3.102(d), in accordance with Sec. 3.112 of this subpart.

    (vi) To the extent practical and appropriate, the PSO must collect patient safety work product from providers in a standardized manner that permits valid comparisons of similar cases among similar providers.

    (vii) The PSO must utilize patient safety work product for the purpose of providing direct feedback and assistance to providers to effectively minimize patient risk.

    (c) Additional certifications required of component organizations. In addition to meeting the 15 general PSO certification requirements of paragraph (b) of this section, an entity seeking initial listing that is a component of another organization or enterprise must certify that it will comply with the requirements of paragraphs (c)(1) through (c)(3) of this section. A component PSO seeking continued listing must certify that it is complying with, and will continue to comply with, the requirements of this paragraph.

    (1) Separation of patient safety work product.

    (i) A component PSO must:

    (A) Maintain patient safety work product separately from the rest of the parent organization(s) of which it is a part; and

    (B) Not have a shared information system that could permit access to its patient safety work product to an individual(s) in, or unit(s) of, the rest of the parent organization(s) of which it is a part.

    (ii) Notwithstanding the requirements of paragraph (c)(1)(i) of this section, a component PSO may provide access to identifiable patient safety work product to an individual(s) in, or a unit(s) of, the rest of the parent organization(s) of which it is a part if the component PSO enters into a written agreement with such individuals or units that requires that:

    (A) The component PSO will only provide access to identifiable patient safety work product to enable such individuals or units to assist the component PSO in its conduct of patient safety activities, and

    (B) Such individuals or units that receive access to identifiable patient safety work product pursuant to such written agreement will only use or disclose such information as specified by the component PSO to assist the component PSO in its conduct of patient safety activities, will take appropriate security measures to prevent unauthorized disclosures and will comply with the other certifications the component has made pursuant to paragraphs (c)(2) and (c)(3) of this section regarding unauthorized disclosures and conflicts with the mission of the component PSO.

    (2) Nondisclosure of patient safety work product. A component PSO must require that members of its workforce and any other contractor staff, or individuals in, or units of, its parent organization(s) that receive access in accordance with paragraph (c)(1)(ii) of this section to its identifiable patient safety work product, not be engaged in work for the parent organization(s) of which it is a part, if the work could be informed or influenced by such individuals' knowledge of identifiable patient safety work product, except for individuals whose other work for the rest of the parent organization(s) is solely the provision of clinical care.

    (3) No conflict of interest. The pursuit of the mission of a component PSO must not create a conflict of interest with the rest of the parent organization(s) of which it is a part.

    (d) Required notifications. PSOs must meet the following notification requirements:

    (1) Notification regarding PSO compliance with the minimum contract requirement. No later than 45 calendar days prior to the last day of the applicable 24-month assessment period, specified in paragraph (b)(2)(iii) of this section, the Secretary must receive from a PSO a certification that states whether it has met the requirement of that paragraph regarding two bona fide contracts, in accordance with Sec. 3.112 of this subpart.

    (2) Notification regarding a PSO's relationships with its contracting providers. A PSO must submit to the Secretary a disclosure statement, in accordance with Sec. 3.112 of this subpart, regarding its relationships with each provider with which the PSO has a contract pursuant to the Patient Safety Act if the circumstances described in either paragraph (d)(2)(i) or (d)(2)(ii) of this section are applicable. The Secretary must receive a disclosure statement within 45 days of the date on which a PSO enters a contract with a provider if the circumstances are met on the date the contract is entered. During the contract period, if a PSO subsequently enters one or more relationships with a contracting provider that create the circumstances described in paragraph (d)(2)(i) of this section or a provider exerts any control over the PSO of the type described in paragraph (d)(2)(ii) of this section, the Secretary must receive a disclosure statement from the PSO within 45 days of the date that the PSO entered each new relationship or of the date on which the provider imposed control of the type described in paragraph (d)(2)(ii).

    (i) Taking into account all relationships that the PSO has with the provider, other than the bona fide contract entered into pursuant to the Patient Safety Act, the PSO must fully disclose any other contractual, financial, or reporting relationships described below that it has with that provider.

    (A) Contractual relationships which are not limited to relationships based on formal contracts but also encompass relationships based on any oral or written agreement or any arrangement that imposes responsibilities on the PSO.

    (B) Financial relationships including any direct or indirect ownership or investment relationship between the PSO and the contracting provider, shared or common financial interests or direct or indirect compensation

    [[Page 8175]]

    arrangement, whether in cash or in-kind.

    (C) Reporting relationships including any relationship that gives the provider access to information or control, directly or indirectly, over the work of the PSO that is not available to other contracting providers.

    (ii) Taking into account all relationships that the PSO has with the provider, the PSO must fully disclose if it is not independently managed or controlled, or if it does not operate independently from, the contracting provider. In particular, the PSO must further disclose whether the contracting provider has exercised or imposed any type of management control that could limit the PSO's ability to fairly and accurately perform patient safety activities and fully describe such control(s).

    (iii) PSOs may also describe or include in their disclosure statements, as applicable, any agreements, stipulations, or procedural safeguards that have been created to protect the ability of the PSO to operate independently or information that indicates the limited impact or insignificance of its financial, reporting, or contractual relationships with a contracting provider.

    Sec. 3.104 Secretarial actions.

    (a) Actions in response to certification submissions for initial and continued listing as a PSO. (1) In response to an initial or continued certification submission by an entity, pursuant to the requirements of Sec. 3.102 of this subpart, the Secretary may--

    (i) Accept the certification submission and list the entity as a PSO, or maintain the listing of a PSO, if the Secretary determines that the entity meets the applicable requirements of the Patient Safety Act and this subpart;

    (ii) Deny acceptance of a certification submission and, in the case of a currently listed PSO, remove the entity from the list if the entity does not meet the applicable requirements of the Patient Safety Act and this subpart; or

    (iii) Condition the listing of an entity, or continued listing of a PSO, following a determination made pursuant to paragraph (c) of this section.

    (2) Basis of determination. In making a determination regarding listing, the Secretary will consider the certification submission; any prior actions by the Secretary regarding the entity or PSO including delisting; any history of or current non-compliance by the entity or the PSO with statutory or regulatory requirements or requests from the Secretary; the relationships of the entity or PSO with providers; and any findings made by the Secretary in accordance with paragraph (c) of this section.

    (3) Notification. The Secretary will notify in writing each entity of action taken on its certification submission for initial or continued listing. The Secretary will provide reasons when an entity's certification is conditionally accepted and the entity is conditionally listed, when an entity's certification is not accepted and the entity is not listed, or when acceptance of its certification is revoked and the entity is delisted.

    (b) Actions regarding PSO compliance with the minimum contract requirement. When the Secretary receives notification required by Sec. 3.102(d)(1) of this subpart that the PSO has met the minimum contract requirement, the Secretary will acknowledge in writing receipt of the notification and add information to the list established pursuant to paragraph (d) of this section stating that the PSO has certified that it has met the requirement. If the PSO states that it has not yet met the minimum contract requirement, or if notice is not received by the date specified in Sec. 3.102(d)(1) of this subpart, the Secretary will issue to the PSO a notice of a preliminary finding of deficiency as specified in Sec. 3.108(a)(2) and establish a period for correction that extends until midnight of the last day of the PSO's applicable 24-month period of assessment. Immediately thereafter, if the requirement has not been met, the Secretary will provide the PSO a written notice of proposed revocation and delisting in accordance with Sec. 3.108(a)(3) of this subpart.

    (c) Actions regarding required disclosures by PSOs of relationships with contracting providers. The Secretary will review and make findings regarding each disclosure statement submitted by a PSO, pursuant to Sec. 3.102(d)(2) of this subpart, regarding its relationships with contracting provider(s), determine whether such findings warrant action regarding the listing of the PSO, and make the findings public.

    (1) Basis of findings regarding PSO disclosure statements. In reviewing disclosure statements, submitted pursuant to Sec. 3.102(d)(2) of this subpart, the Secretary will consider the nature, significance, and duration of the disclosed relationship(s) between the PSO and the contracting provider and will determine whether the PSO can fairly and accurately perform the required patient safety activities.

    (2) Determination by the Secretary. Based on the Secretary's review and findings, he may choose to take any of the following actions:

    (i) For an entity seeking an initial or continued listing, the Secretary may list or continue the listing of an entity without conditions, list the entity subject to conditions, or deny the entity's certification for initial or continued listing; or

    (ii) For a listed PSO, the Secretary may determine that the entity will remain listed without conditions, continue the entity's listing subject to conditions, or remove the entity from listing.

    (3) Release of disclosure statements and Secretarial findings.

    (i) Subject to paragraph (c)(3)(ii) of this section, the Secretary will make disclosure statements available to the public along with related findings that are made available in accordance with paragraph (c) of this section.

    (ii) The Secretary may withhold information that is exempt from public disclosure under the Freedom of Information Act.

    (d) Maintaining a list of PSOs. The Secretary will compile and maintain a publicly available list of entities whose certifications as PSOs have been accepted. The list will include contact information for each entity, a copy of all certification forms and disclosure statements submitted by each entity, the effective date of the PSO's listing, and information on whether a PSO has certified that it has met the two-contract requirement. The list also will include a copy of the Secretary's findings regarding each disclosure statement submitted by an entity, information describing any related conditions that have been placed by the Secretary on the listing of an entity as a PSO, and other information that this Subpart states may be made public. AHRQ will establish a PSO Web site (or a comparable future form of public notice) and may post the list on this Web site.

    (e) Three-year period of listing. (1) The period of listing of a PSO will be for a three-year period, unless the listing is revoked or relinquished prior to the expiration of the three-year period, in accordance with Sec. 3.108 of this subpart.

    (2) The Secretary will send a written notice of imminent expiration to a PSO at least 45 calendar days prior to the date on which its three-year period of listing expires if the Secretary has not received a certification for continued listing.

    (f) Effective dates of Secretarial actions. Unless otherwise stated, the effective date of each action by the Secretary pursuant to this subpart will be specified in the written notice of such action that is sent to the entity. When the Secretary sends a notice that addresses acceptance or revocation of an

    [[Page 8176]]

    entity's certifications or voluntary relinquishment by an entity of its status as a PSO, the notice will specify the effective date and time of listing or delisting.

    Sec. 3.106 Security requirements.

    (a) Application. A PSO must provide security for patient safety work product that conforms to the security requirements of paragraph (b) of this section. These requirements must be met at all times and at any location at which the PSO, its workforce members, or its contractors hold patient safety work product.

    (b) Security framework. PSOs must consider the following framework for the security of patient safety work product. The framework includes four elements: security management, separation of systems, security monitoring and control, and system assessment. To address the four elements of this framework, a PSO must develop appropriate and scalable security standards, policies, and procedures that are suitable for the size and complexity of its organization.

    (1) Security management. A PSO must address:

    (i) Maintenance and effective implementation of written policies and procedures that conform to the requirements of this section to protect the confidentiality, integrity, and availability of the patient safety work product that is processed, stored, and transmitted; and to monitor and improve the effectiveness of such policies and procedures, and

    (ii) Training of the PSO workforce and PSO contractors who access or hold patient safety work product regarding the requirements of the Patient Safety Act, this Part, and the PSO's policies and procedures regarding the confidentiality and security of patient safety work product.

    (2) Separation of Systems. A PSO must address:

    (i) Maintenance of patient safety work product, whether in electronic or other media, physically and functionally separate from any other system of records;

    (ii) Protection of the media, whether in electronic, paper, or other format, that contain patient safety work product, limiting access to authorized users, and sanitizing and destroying such media before disposal or release for reuse; and

    (iii) Physical and environmental protection, to control and limit physical and virtual access to places and equipment where patient safety work product is stored or used.

    (3) Security control and monitoring. A PSO must address:

    (i) Identification of those authorized to have access to patient safety work product and an audit capacity to detect unlawful, unauthorized, or inappropriate access to patient safety work product, and

    (ii) Measures to prevent unauthorized removal, transmission or disclosure of patient safety work product.

    (4) Security assessment. A PSO must address:

    (i) Periodic assessments of security risks and controls, as determined appropriate by the PSO, to establish if its controls are effective, to correct any deficiency identified, and to reduce or eliminate any vulnerabilities.

    (ii) System and communications protection, to monitor, control, and protect PSO uses, communications, and transmissions involving patient safety work product to and from providers and any other responsible persons.

    Sec. 3.108 Correction of deficiencies, revocation, and voluntary relinquishment.

    (a) Process for correction of a deficiency and revocation--(1) Circumstances leading to revocation. The Secretary may revoke his acceptance of an entity's certification and delist the entity as a PSO if he determines--

    (i) The PSO is not fulfilling the certifications it made to the Secretary that are set forth in Sec. 3.102 of this subpart;

    (ii) The PSO has not timely notified the Secretary that it has met the two contract requirement, as required by Sec. 3.102(d)(1) of this subpart;

    (iii) The Secretary, based on a PSO's disclosures made pursuant to Sec. 3.102(d)(2) of this subpart, makes a public finding that the entity cannot fairly and accurately perform the patient safety activities of a PSO; or

    (iv) The PSO is not in compliance with any other provision of the Patient Safety Act or this Part.

    (2) Notice of preliminary finding of deficiency and establishment of an opportunity for correction of a deficiency. (i) If the Secretary determines that a PSO is not in compliance with its obligations under the Patient Safety Act or this Subpart, the Secretary must send a PSO written notice of the preliminary finding of deficiency. The notice must state the actions or inactions that encompass the deficiency finding, outline the evidence that the deficiency exists, specify the possible and/or required corrective actions that must be taken, and establish a date by which the deficiency must be corrected. The Secretary may specify in the notice the level of documentation required to demonstrate that the deficiency has been corrected.

    (ii) The notice of a preliminary finding of deficiency is presumed received five days after it is sent, absent evidence of the actual receipt date. If a PSO does not submit evidence to the Secretary within 14 calendar days of actual or constructive receipt of such notice, whichever is longer, which demonstrates that the preliminary finding is factually incorrect, the preliminary finding will be the basis for a finding of deficiency.

    (3) Determination of correction of a deficiency. (i) Unless the Secretary specifies another date, the Secretary must receive documentation to demonstrate that the PSO has corrected the deficiency no later than five calendar days following the last day of the correction period, that is specified by the Secretary in the notice of preliminary finding of deficiency.

    (ii) In making a determination regarding the correction of any deficiency, the Secretary will consider the documentation submitted by the PSO, the findings of any site visit that he determines is necessary or appropriate, recommendations of program staff, and any other information available regarding the PSO that the Secretary deems appropriate and relevant to the PSO's implementation of the terms of its certification.

    (iii) After completing his review, the Secretary may make one of the following determinations:

    (A) The action(s) taken by the PSO have corrected any deficiency, in which case the Secretary will withdraw the notice of deficiency and so notify the PSO;

    (B) The PSO has acted in good faith to correct the deficiency but the Secretary finds an additional period of time is necessary to achieve full compliance and/or the required corrective action specified in the notice of a preliminary finding of deficiency needs to be modified in light of the experience of the PSO in attempting to implement the corrective action, in which case the Secretary will extend the period for correction and/or modify the specific corrective action required; or

    (C) The PSO has not completed the corrective action because it has not acted with reasonable diligence or speed to ensure that the corrective action was completed within the allotted time, in which case the Secretary will issue to the PSO a notice of proposed revocation and delisting.

    (iv) When the Secretary issues a written notice of proposed revocation and delisting, the notice will specify the deficiencies that have not been timely corrected and will detail the manner in which the PSO may exercise its opportunity to be heard in writing to respond to the deficiencies specified in the notice.

    (4) Opportunity to be heard in writing following a notice of proposed revocation and delisting. The Secretary will afford a PSO an opportunity to be heard in writing, as specified in paragraph (a)(4)(i) of this section, to provide a substantive response to the deficiency finding(s) set forth in the notice of proposed revocation and delisting.

    (i) The notice of proposed revocation and delisting is presumed received five days after it is sent, absent evidence of actual receipt. The Secretary will provide a PSO with a period of time, beginning with the date of receipt of the notice of proposed revocation and delisting of which there is evidence, or the presumed date of receipt if there is no evidence of earlier receipt, and ending at midnight 30 calendar days thereafter, during which the PSO can submit a substantive response to the deficiency findings in writing.

    (ii) The Secretary will provide to the PSO rules of procedure governing the form or transmission of the written response to the notice of proposed revocation and delisting. The Rules may also be posted on the AHRQ PSO Web site or published in the Federal Register.

    (iii) If a PSO does not submit a written response to the deficiency finding(s) within 30 calendar days of receipt of the notice of proposed revocation and delisting, the notice of proposed revocation becomes final as a matter of law and the basis for Secretarial action under paragraph (b)(1) of this section.

    (5) The Secretary's decision regarding revocation. The Secretary will review the entire administrative record pertaining to a notice of proposed revocation and delisting and any written materials submitted by the PSO under paragraph (a)(4) of this section. The Secretary may affirm, reverse, or modify the notice of proposed revocation and delisting and will make a determination with respect to the continued listing of the PSO.

    (b) Revocation of the Secretary's acceptance of a PSO's certifications--(1) Establishing revocation for cause. When the Secretary concludes, in accordance with a decision made under paragraph (a)(5) of this section, that revocation of the acceptance of a PSO's certification is warranted for its failure to comply with requirements of the Patient Safety Act or of this Subpart, the Secretary will establish the time and date for the prompt revocation and removal of the entity from the list of PSOs, so notify the PSO in writing, and provide the relevant public notice required by Sec. 3.108(d) of this subpart.

    (2) Required notification of providers and status of data. Within 15 days of being notified of the Secretary's action pursuant to paragraph (b)(1) of this section, an entity subject to paragraph (b)(1) of this section will submit to the Secretary confirmation that it has taken all reasonable actions to notify each provider, whose patient safety work product it collected or analyzed, of the Secretary's action(s). Confidentiality and privilege protections that applied to patient safety work product while the former PSO was listed continue to apply after the entity is removed from listing. Data submitted by providers to the former PSO within 30 calendar days of the date on which it is removed from the list of PSOs pursuant to paragraph (b)(1) of this section will have the same status as data submitted while the entity was still listed.

    (3) Disposition of patient safety work product and data. Following revocation and delisting pursuant to paragraph (b)(1) of this section, the former PSO will take one or more of the following measures:

    (i) Transfer such patient safety work product or data, with the approval of the source from which it was received, to a PSO that has agreed to receive such patient safety work product or data;

    (ii) Return such work product or data to the source from which it was submitted; or

    (iii) If returning such patient safety work product or data to its source is not practicable, destroy such patient safety work product or data.

    (c) Voluntary relinquishment--(1) Circumstances constituting voluntary relinquishment. A PSO will be considered to have voluntarily relinquished its status as a PSO if the Secretary accepts a notification from a PSO that it wishes to relinquish voluntarily its listing as a PSO or the Secretary determines that an implied voluntary relinquishment has taken place because the period of listing of a PSO has expired without receipt of a timely submission of certifications for continued listing.

    (2) Notification of voluntary relinquishment. A PSO's notification of voluntary relinquishment to the Secretary must include the following:

    (i) An attestation that all reasonable efforts have been made, or will have been made by a PSO within 15 calendar days of this statement, to notify the sources from which it received patient safety work product or data of the PSO's intention to cease operations, to relinquish voluntarily its status as a PSO, to request that these other entities cease reporting or submitting any further information to the PSO as soon as possible, and inform them that any data submitted after the effective date and time of delisting, that the Secretary sets pursuant to paragraph (c)(3) of this section, will not be protected as patient safety work product under the Patient Safety Act based upon such submissions;

    (ii) An attestation that the entity has established a plan, or within 15 calendar days of this statement, will have made all reasonable efforts to establish a plan, in consultation with the sources from which it received patient safety work product or data, that provides for the disposition of such patient safety work product or data consistent with, to the extent practicable, the statutory options for disposition of patient safety work product or data as set out in paragraphs (b)(3)(i) through (iii) of this section; and

    (iii) Appropriate contact information for further communications from the Secretary.

    (3) Response to notification of voluntary relinquishment. (i) After a PSO provides the notification required by paragraph (c)(2) of this section, the Secretary will respond in writing to the entity indicating whether the proposed voluntary relinquishment of its PSO status is accepted. If the voluntary relinquishment is accepted, the Secretary's response will indicate an effective date and time for the entity's removal from the list of PSOs and will provide public notice of the delisting, in accordance with Sec. 3.108(d) of this subpart.

    (ii) If the Secretary receives a notification of voluntary relinquishment during or immediately after revocation proceedings for cause under paragraphs (a)(4) and (a)(5) of this section, the Secretary, as a matter of discretion, may accept voluntary relinquishment in accordance with the preceding paragraph or decide not to accept the entity's proposed voluntary relinquishment and proceed with the revocation for cause and delisting pursuant to paragraph (b)(1) of this section.

    (4) Implied voluntary relinquishment. (i) If the period of listing of a PSO lapses without timely receipt and acceptance by the Secretary of a certification seeking continued listing or timely receipt of a notification of voluntary relinquishment of its PSO status in accordance with paragraph (c)(2) of this section, the Secretary will determine that voluntary relinquishment has occurred and will remove the entity from the list of PSOs effective as of midnight on the last day of its three-year period of listing. The Secretary will take reasonable measures to notify the entity of its delisting and will provide public notice of the delisting in accordance with Sec. 3.108(d) of this subpart.

    (ii) The Secretary will request in the notice to the entity that it make reasonable efforts to comply with the requirements of paragraph (c)(2) of this section with respect to notification, appropriate disposition of patient safety work product, and the provision of contact information to the Secretary.

    (5) Non-applicability of certain procedures and requirements. (i) A decision by the Secretary to accept a request by a PSO to relinquish voluntarily its status as a PSO pursuant to paragraph (c)(2) of this section or a decision that voluntary relinquishment has occurred pursuant to paragraph (c)(4) of this section does not constitute a determination of a deficiency in PSO compliance with the Patient Safety Act or with this Subpart and no opportunity for corrective action by the PSO is required.

    (ii) The procedures and requirements of Sec. 3.108(a) of this subpart regarding deficiencies including the opportunity to be heard in writing, and those that are based upon determinations of the Secretary pursuant to Sec. 3.108(b)(1) of this subpart are not applicable to determinations of the Secretary made pursuant to paragraph (c) of this section.

    (d) Public notice of delisting regarding removal from listing. If the Secretary removes an entity from the list of PSOs following revocation of acceptance of the entity's certification pursuant to Sec. 3.108(b)(1) of this subpart or following a determination of voluntary relinquishment pursuant to Sec. 3.108(c)(3) or (c)(4) of this subpart, the Secretary will promptly publish in the Federal Register and on the AHRQ PSO Web site, or in a comparable future form of public notice, established pursuant to Sec. 3.104(d) of this subpart, a notice of the actions taken and the effective dates.

    Sec. 3.110 Assessment of PSO compliance.

    The Secretary may request information or conduct announced or unannounced reviews of or site visits to PSOs, to assess or verify PSO compliance with the requirements of this subpart and for these purposes will be allowed to inspect the physical or virtual sites maintained or controlled by the PSO. The Secretary will be allowed to inspect and/or be given or sent copies of any PSO records deemed necessary and requested by the Secretary to implement the provisions of this subpart. Such PSO records may include patient safety work product in accordance with Sec. 3.206(d) of this subpart.

    Sec. 3.112 Submissions and forms.

    (a) Forms referred to in this subpart may be obtained on the AHRQ PSO Web site or a comparable future form of public notice or by requesting them in writing by e-mail at psimplement@ahrq.hhs.gov, or by mail from the Agency for Healthcare Research and Quality, CQuIPS, PSO Liaison, 540 Gaither Road, Rockville, MD 20850. A form (including any required attachments) must be submitted in accordance with the accompanying instructions.

    (b) Information submitted to AHRQ in writing, but not required to be on a form, and requests for information from AHRQ, may be submitted by mail or other delivery to the Agency for Healthcare Research and Quality, CQuIPS, PSO Liaison, 540 Gaither Road, Rockville, MD 20850, by facsimile at (301) 427-1341, or by e-mail at psimplement@ahrq.hhs.gov.

    (c) If a submission to the Secretary is incomplete or additional information is needed to allow a determination to be made under this subpart, the submitter will be notified if any additional information is required.

    Subpart C--Confidentiality and Privilege Protections of Patient Safety Work Product

    Sec. 3.204 Privilege of Patient Safety Work Product

    (a) Privilege. Notwithstanding any other provision of Federal, State, local, or tribal law and subject to paragraph (b) of this section and Sec. 3.208 of this subpart, patient safety work product shall be privileged and shall not be:

    (1) Subject to a Federal, State, local, or tribal civil, criminal, or administrative subpoena or order, including in a Federal, State, local, or tribal civil or administrative disciplinary proceeding against a provider;

    (2) Subject to discovery in connection with a Federal, State, local, or tribal civil, criminal, or administrative proceeding, including in a Federal, State, local, or tribal civil or administrative disciplinary proceeding against a provider;

    (3) Subject to disclosure pursuant to section 552 of Title 5, United States Code (commonly known as the Freedom of Information Act) or any other similar Federal, State, local, or tribal law;

    (4) Admitted as evidence in any Federal, State, local, or tribal governmental civil proceeding, criminal proceeding, administrative rulemaking proceeding, or administrative adjudicatory proceeding, including any such proceeding against a provider; or

    (5) Admitted in a professional disciplinary proceeding of a professional disciplinary body established or specifically authorized under State law.

    (b) Exceptions to privilege. Privilege shall not apply to (and shall not be construed to prohibit) one or more of the following disclosures:

    (1) Disclosure of relevant patient safety work product for use in a criminal proceeding, subject to the conditions at Sec. 3.206(b)(1) of this subpart.

    (2) Disclosure to the extent required to permit equitable relief subject to the conditions at Sec. 3.206(b)(2) of this subpart.

    (3) Disclosure pursuant to provider authorizations subject to the conditions at Sec. 3.206(b)(3) of this subpart.

    (4) Disclosure of non-identifiable patient safety work product subject to the conditions at Sec. 3.206(b)(5) of this subpart.

    (c) Implementation and Enforcement of the Patient Safety Act. Privilege shall not apply to (and shall not be construed to prohibit) disclosures of relevant patient safety work product to or by the Secretary if such patient safety work product is needed to investigate or determine compliance with this part or is needed in seeking or imposing civil money penalties, or in making or supporting PSO certification or listing decisions, under the Patient Safety Act.

    Sec. 3.206 Confidentiality of Patient Safety Work Product.

    (a) Confidentiality. Subject to paragraphs (b) through (e) of this section, and Sec. Sec. 3.208 and 3.210 of this subpart, patient safety work product shall be confidential and shall not be disclosed.

    (b) Exceptions to confidentiality. The confidentiality provisions shall not apply to (and shall not be construed to prohibit) one or more of the following disclosures:

    (1) Criminal proceedings. Disclosure of relevant patient safety work product for use in a criminal proceeding, but only after a court makes an in camera determination that:

    (i) Such patient safety work product contains evidence of a criminal act;

    (ii) Such patient safety work product is material to the proceeding; and

    (iii) Such patient safety work product is not reasonably available from any other source.

    (2) Equitable relief for reporters. Disclosure of patient safety work product to the extent required to permit equitable relief under section 922(f)(4)(A) of the Public Health Service Act.

    (3) Authorized by identified providers. (i) Disclosure of identifiable patient safety work product consistent with a valid authorization if such authorization is obtained from each provider identified in such work product prior to disclosure. A valid authorization must:

    (A) Be in writing and signed by the provider from whom authorization is sought; and

    (B) Contain sufficient detail to fairly inform the provider of the nature and scope of the disclosures being authorized;

    (ii) A valid authorization must be retained by the disclosing entity for six years from the date of the last disclosure made in reliance on the authorization and made available to the Secretary upon request.

    (4) Patient safety activities--(i) Disclosure between a provider and a PSO. Disclosure of patient safety work product for patient safety activities by a provider to a PSO or by a PSO to that disclosing provider.

    (ii) Disclosure to a contractor of a provider or a PSO. A provider or a PSO may disclose patient safety work product for patient safety activities to an entity with which it has contracted to undertake patient safety activities on its behalf. A contractor receiving patient safety work product for patient safety activities may not further disclose patient safety work product, except to the entity with which it is contracted.

    (iii) Disclosure by a PSO to another PSO or by a provider to another provider. Disclosure of patient safety work product for patient safety activities by a PSO to another PSO or to another provider that has reported to the PSO, or by a provider to another provider, provided:

    (A) The following direct identifiers of any providers and of affiliated organizations, corporate parents, subsidiaries, practice partners, employers, members of the workforce, or household members of such providers are removed:

    (1) Names;

    (2) Postal address information, other than town or city, State and zip code;

    (3) Telephone numbers;

    (4) Fax numbers;

    (5) Electronic mail addresses;

    (6) Social security numbers or taxpayer identification numbers;

    (7) Provider or practitioner credentialing or DEA numbers;

    (8) National provider identification number;

    (9) Certificate/license numbers;

    (10) Web Universal Resource Locators (URLs);

    (11) Internet Protocol (IP) address numbers;

    (12) Biometric identifiers, including finger and voice prints; and

    (13) Full face photographic images and any comparable images; and

    (B) With respect to any individually identifiable health information in such patient safety work product, the direct identifiers listed at 45 CFR 164.514(e)(2) have been removed.

    (5) Disclosure of nonidentifiable patient safety work product. Disclosure of nonidentifiable patient safety work product when patient safety work product meets the standard for nonidentification in accordance with Sec. 3.212 of this subpart.

    (6) For research. (i) Disclosure of patient safety work product to persons carrying out research, evaluation or demonstration projects authorized, funded, certified, or otherwise sanctioned by rule or other means by the Secretary, for the purpose of conducting research.

    (ii) If the patient safety work product disclosed pursuant to paragraph (b)(6)(i) of this section is by a HIPAA covered entity as defined at 45 CFR 160.103 and contains protected health information as defined by the HIPAA Privacy Rule at 45 CFR 160.103, such patient safety work product may only be disclosed under this exception in the same manner as would be permitted under the HIPAA Privacy Rule at 45 CFR 164.512(i).

    (7) To the Food and Drug Administration (FDA).

    (i) Disclosure by a provider of patient safety work product concerning an FDA-regulated product or activity to the FDA or to an entity required to report to the FDA concerning the quality, safety, or effectiveness of an FDA-regulated product or activity.

    (ii) The FDA and any entity receiving patient safety work product pursuant to paragraph (b)(7)(i) of this section may only further disclose such patient safety work product for the purpose of evaluating the quality, safety, or effectiveness of that product or activity between each other, their contractors, and the disclosing provider. A contractor receiving patient safety work product pursuant to this paragraph may not further disclose patient safety work product, except to the entity from which it received the patient safety work product.

    (8) Voluntary disclosure to an accrediting body.

    (i) Voluntary disclosure by a provider of patient safety work product that identifies that provider to an accrediting body that accredits that provider. Such accrediting body may not further disclose such patient safety work product.

    (ii) An accrediting body may not take an accrediting action against a provider based on a good faith participation of the provider in the collection, development, reporting, or maintenance of patient safety work product in accordance with this Part. An accrediting body may not require a provider to reveal its communications with any PSO.

    (9) Business operations. (i) Disclosure of patient safety work product by a provider or a PSO for business operations to attorneys, accountants, and other professionals. Such contractors may not further disclose patient safety work product, except to the entity from which they received the information.

    (ii) Disclosure of patient safety work product for such other business operations that the Secretary may prescribe by regulation as consistent with the goals of this part.

    (10) Disclosure to law enforcement.

    (i) Disclosure of patient safety work product to an appropriate law enforcement authority relating to an event that either constitutes the commission of a crime, or for which the disclosing person reasonably believes constitutes the commission of a crime, provided that the disclosing person believes, reasonably under the circumstances, that the patient safety work product that is disclosed is necessary for criminal law enforcement purposes.

    (ii) Law enforcement personnel receiving patient safety work product pursuant to paragraph (b)(10)(i) of this section may disclose that patient safety work product to other law enforcement authorities as needed for law enforcement activities related to the event that gave rise to the disclosure under paragraph (b)(10)(i) of this section.

    (c) Safe harbor. A provider or responsible person, but not a PSO, is not considered to have violated the requirements of this subpart if a member of its workforce discloses patient safety work product, provided that the disclosure does not include materials, including oral statements, that:

    (1) Assess the quality of care of an identifiable provider; or

    (2) Describe or pertain to one or more actions or failures to act by an identifiable provider.

    (d) Implementation and Enforcement of the Patient Safety Act. The confidentiality provisions shall not apply to (and shall not be construed to prohibit) disclosures of relevant patient safety work product to or by the Secretary if such patient safety work product is needed to investigate or determine compliance with this part or is needed in seeking and imposing civil money penalties, or in making or supporting PSO certification or listing decisions, under the Patient Safety Act.

    (e) No limitation on authority to limit or delegate disclosure or use. Nothing in subpart C of this part shall be construed to limit the authority of any person to enter into a contract requiring greater confidentiality or delegating authority to make a disclosure or use in accordance with this subpart.

    Sec. 3.208 Continued protection of Patient Safety Work Product.

    (a) Except as provided in paragraph (b) of this section, patient safety work product disclosed in accordance with this subpart, or disclosed impermissibly, shall continue to be privileged and confidential.

    (b)(1) Patient safety work product disclosed for use in a criminal proceeding pursuant to section 922(c)(1)(A) of the Public Health Service Act and/or pursuant to Sec. 3.206(b)(1) of this subpart continues to be privileged, but is no longer confidential.

    (2) Non-identifiable patient safety work product that is disclosed is no longer privileged or confidential and not subject to the regulations under this part.

    (3) Paragraph (b) of this section applies only to the specific patient safety work product disclosed.

    Sec. 3.210 Required disclosure of Patient Safety Work Product to the Secretary.

    Providers, PSOs, and responsible persons must disclose patient safety work product upon request by the Secretary when the Secretary determines such patient safety work product is needed to investigate or determine compliance with this part or is needed in seeking and imposing civil money penalties or making determinations on certifying and listing PSOs.

    Sec. 3.212 Nonidentification of Patient Safety Work Product.

    (a) Patient safety work product is nonidentifiable with respect to a particular identified provider or a particular identified reporter if:

    (1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:

    (i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an identified provider or reporter; and

    (ii) Documents the methods and results of the analysis that justify such determination; or

    (2)(i) The following identifiers of such provider or reporter and of affiliated organizations, corporate parents, subsidiaries, practice partners, employers, members of the workforce, or household members of such providers or reporters are removed:

    (A) Names;

    (B) Geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code and equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people;

    (C) All elements of dates (except year) for dates directly related to a patient safety incident or event;

    (D) Telephone numbers;

    (E) Fax numbers;

    (F) Electronic mail addresses;

    (G) Social security numbers or taxpayer identification numbers;

    (H) Provider or practitioner credentialing or DEA numbers;

    (I) National provider identification number;

    (J) Certificate/license numbers;

    (K) Web Universal Resource Locators (URLs);

    (L) Internet Protocol (IP) address numbers;

    (M) Biometric identifiers, including finger and voice prints;

    (N) Full face photographic images and any comparable images; and,

    (O) Any other unique identifying number, characteristic, or code except as permitted for re-identification; and

    (ii) The provider, PSO or responsible person making the disclosure does not have actual knowledge that the information could be used, alone or in combination with other information that is reasonably available to the intended recipient, to identify the particular provider or reporter.

    (3) Re-identification. A provider, PSO, or responsible person may assign a code or other means of record identification to allow information made nonidentifiable under this section to be re-identified by such provider, PSO, or responsible person, provided that:

    (i) The code or other means of record identification is not derived from or related to information about the provider or reporter and is not otherwise capable of being translated so as to identify the provider or reporter; and

    (ii) The provider, PSO, or responsible person does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.

    (b) Patient safety work product is non-identifiable with respect to a particular patient only if the individually identifiable health information regarding that patient is de-identified in accordance with the HIPAA Privacy Rule standard and implementation specifications for the de-identification at 45 CFR 164.514 (a) through (c).

    Subpart D--Enforcement Program

    Sec. 3.304 Principles for achieving compliance.

    (a) Cooperation. The Secretary will, to the extent practicable, seek the cooperation of providers, PSOs, and responsible persons in obtaining compliance with the applicable confidentiality provisions.

    (b) Assistance. The Secretary may provide technical assistance to providers, PSOs, and responsible persons to help them comply voluntarily with the applicable confidentiality provisions.

    Sec. 3.306 Complaints to the Secretary.

    (a) Right to file a complaint. A person who believes that patient safety work product has been disclosed in violation of the confidentiality provisions may file a complaint with the Secretary.

    (b) Requirements for filing complaints. Complaints under this section must meet the following requirements:

    (1) A complaint must be filed in writing, either on paper or electronically.

    (2) A complaint must name the person that is the subject of the complaint and describe the act(s) believed to be in violation of the applicable confidentiality provision(s).

    (3) A complaint must be filed within 180 days of when the complainant knew or should have known that the act complained of occurred, unless this time limit is waived by the Secretary for good cause shown.

    (4) The Secretary may prescribe additional procedures for the filing of complaints, as well as the place and manner of filing, by notice in the Federal Register.

    (c) Investigation. The Secretary may investigate complaints filed under this section. Such investigation may include a review of the pertinent policies, procedures, or practices of the respondent and of the circumstances regarding any alleged violation. At the time of initial written communication with the respondent about the complaint, the Secretary will describe the act(s) that are the basis of the complaint.

    Sec. 3.308 Compliance reviews.

    The Secretary may conduct compliance reviews to determine whether a respondent is complying with the applicable confidentiality provisions.

    Sec. 3.310 Responsibilities of respondents.

    (a) Provide records and compliance reports. A respondent must keep such records and submit such compliance reports, in such time and manner and containing such information, as the Secretary may determine to be necessary to enable the Secretary to ascertain whether the respondent has complied or is complying with the applicable confidentiality provisions.

    (b) Cooperate with complaint investigations and compliance reviews. A respondent must cooperate with the Secretary, if the Secretary undertakes an investigation or compliance review of the policies, procedures, or practices of the respondent to determine whether it is complying with the applicable confidentiality provisions.

    (c) Permit access to information. (1) A respondent must permit access by the Secretary during normal business hours to its facilities, books, records, accounts, and other sources of information, including patient safety work product, that are pertinent to ascertaining compliance with the applicable confidentiality provisions. If the Secretary determines that exigent circumstances exist, such as when documents may be hidden or destroyed, a respondent must permit access by the Secretary at any time and without notice.

    (2) If any information required of a respondent under this section is in the exclusive possession of any other agency, institution, or person, and the other agency, institution, or person fails or refuses to furnish the information, the respondent must so certify and set forth what efforts it has made to obtain the information.

    Sec. 3.312 Secretarial action regarding complaints and compliance reviews.

    (a) Resolution when noncompliance is indicated. (1) If an investigation of a complaint pursuant to Sec. 3.306 of this subpart or a compliance review pursuant to Sec. 3.308 of this subpart indicates noncompliance, the Secretary may attempt to reach a resolution of the matter satisfactory to the Secretary by informal means. Informal means may include demonstrated compliance or a completed corrective action plan or other agreement.

    (2) If the matter is resolved by informal means, the Secretary will so inform the respondent and, if the matter arose from a complaint, the complainant, in writing.

    (3) If the matter is not resolved by informal means, the Secretary will--

    (i) So inform the respondent and provide the respondent an opportunity to submit written evidence of any mitigating factors. The respondent must submit any evidence to the Secretary within 30 days (computed in the same manner as prescribed under Sec. 3.504(l) of this subpart) of receipt of such notification; and

    (ii) If, following action pursuant to paragraph (a)(3)(i) of this section, the Secretary decides that a civil money penalty should be imposed, inform the respondent of such finding in a notice of proposed determination in accordance with Sec. 3.420 of this subpart.

    (b) Resolution when no violation is found. If, after an investigation pursuant to Sec. 3.306 of this subpart or a compliance review pursuant to Sec. 3.308 of this subpart, the Secretary determines that further action is not warranted, the Secretary will so inform the respondent and, if the matter arose from a complaint, the complainant, in writing.

    (c) Uses and disclosures of information obtained. (1) Identifiable patient safety work product obtained by the Secretary in connection with an investigation or compliance review under this subpart will not be disclosed by the Secretary, except in accordance with Sec. 3.206(d) of this subpart, or if otherwise permitted by this part or the Patient Safety Act.

    (2) Except as provided for in paragraph (c)(1) of this section, information, including testimony and other evidence, obtained by the Secretary in connection with an investigation or compliance review under this subpart may be used by HHS in any of its activities and may be used or offered into evidence in any administrative or judicial proceeding.

    Sec. 3.314 Investigational subpoenas and inquiries.

    (a) The Secretary may issue subpoenas in accordance with 42 U.S.C. 405(d) and (e), and 1320a-7a(j), to require the attendance and testimony of witnesses and the production of any other evidence including patient safety work product during an investigation or compliance review pursuant to this part. The Secretary will issue and serve subpoenas pursuant to this subpart in accordance with 45 CFR 160.314(a)(1) through (5), except the term ``this part'' shall refer to 42 CFR part 3.

    (b) Investigational inquiries are non-public investigational proceedings conducted by the Secretary. The Secretary will conduct investigational proceedings in accordance with 45 CFR 160.314(b)(1) through (9).

    Sec. 3.402 Basis for a civil money penalty.

    (a) General rule. A person who discloses identifiable patient safety work product in knowing or reckless violation of the confidentiality provisions shall be subject to a civil money penalty for each act constituting such violation.

    (b) Violation attributed to a principal. A principal is independently liable, in accordance with the federal common law of agency, for a civil money penalty based on the act of the principal's agent, including a workforce member, acting within the scope of the agency if such act could give rise to a civil money penalty in accordance with Sec. 3.402(a) of this subpart.

    Sec. 3.404 Amount of a civil money penalty.

    (a) The amount of a civil money penalty will be determined in accordance with paragraph (b) of this section and Sec. 3.408 of this subpart.

    (b) The Secretary may impose a civil money penalty in the amount of not more than $10,000.

    Sec. 3.408 Factors considered in determining the amount of a civil money penalty.

    In determining the amount of any civil money penalty, the Secretary may consider as aggravating or mitigating factors, as appropriate, any of the following:

    (a) The nature of the violation.

    (b) The circumstances, including the consequences, of the violation, including:

    (1) The time period during which the violation(s) occurred; and

    (2) Whether the violation caused physical or financial harm or reputational damage;

    (c) The degree of culpability of the respondent, including:

    (1) Whether the violation was intentional; and

    (2) Whether the violation was beyond the direct control of the respondent.

    (d) Any history of prior compliance with the Patient Safety Act, including violations, by the respondent, including:

    (1) Whether the current violation is the same or similar to prior violation(s);

    [[Page 8182]]

    (2) Whether and to what extent the respondent has attempted to correct previous violations;

    (3) How the respondent has responded to technical assistance from the Secretary provided in the context of a compliance effort; and

    (4) How the respondent has responded to prior complaints.

    (e) The financial condition of the respondent, including:

    (1) Whether the respondent had financial difficulties that affected its ability to comply;

    (2) Whether the imposition of a civil money penalty would jeopardize the ability of the respondent to continue to provide health care or patient safety activities; and

    (3) The size of the respondent.

    (f) Such other matters as justice may require.

    Sec. 3.414 Limitations.

    No action under this subpart may be entertained unless commenced by the Secretary, in accordance with Sec. 3.420 of this subpart, within 6 years from the date of the occurrence of the violation.

    Sec. 3.416 Authority to settle.

    Nothing in this subpart limits the authority of the Secretary to settle any issue or case or to compromise any penalty.

    Sec. 3.418 Exclusivity of penalty.

    (a) Except as otherwise provided by paragraph (b) of this section, a penalty imposed under this part is in addition to any other penalty prescribed by law.

    (b) Civil money penalties shall not be imposed both under this part and under the HIPAA Privacy Rule (45 CFR parts 160 and 164).

    Sec. 3.420 Notice of proposed determination.

    (a) If a penalty is proposed in accordance with this part, the Secretary must deliver, or send by certified mail with return receipt requested, to the respondent, written notice of the Secretary's intent to impose a penalty. This notice of proposed determination must include:

    (1) Reference to the statutory basis for the penalty;

    (2) A description of the findings of fact regarding the violations with respect to which the penalty is proposed;

    (3) The reason(s) why the violation(s) subject(s) the respondent to a penalty;

    (4) The amount of the proposed penalty;

    (5) Any factors described in Sec. 3.408 of this subpart that were considered in determining the amount of the proposed penalty; and

    (6) Instructions for responding to the notice, including a statement of the respondent's right to a hearing, a statement that failure to request a hearing within 60 days permits the imposition of the proposed penalty without the right to a hearing under Sec. 3.504 of this subpart or a right of appeal under Sec. 3.504(v) of this subpart, and the address to which the hearing request must be sent.

    (b) The respondent may request a hearing before an ALJ on the proposed penalty by filing a request in accordance with Sec. 3.504 of this subpart.

    Sec. 3.422 Failure to request a hearing.

    If the respondent does not request a hearing within the time prescribed by Sec. 3.504 of this subpart and the matter is not settled pursuant to Sec. 3.416 of this subpart, the Secretary may impose the proposed penalty or any lesser penalty permitted by 42 U.S.C. 299b-21 through 299b-26. The Secretary will notify the respondent by certified mail, return receipt requested, of any penalty that has been imposed and of the means by which the respondent may satisfy the penalty, and the penalty is final on receipt of the notice. The respondent has no right to appeal a penalty under Sec. 3.504(v) of this subpart with respect to which the respondent has not timely requested a hearing.

    Sec. 3.424 Collection of penalty.

    Once a determination of the Secretary to impose a penalty has become final, the penalty will be collected by the Secretary in accordance with 45 CFR 160.424, except the term ``this part'' shall refer to 42 CFR Part 3.

    Sec. 3.426 Notification of the public and other agencies.

    Whenever a proposed penalty becomes final, the Secretary will notify, in such manner as the Secretary deems appropriate, the public and the following organizations and entities thereof and the reason it was imposed: The appropriate State or local medical or professional organization, the appropriate State agency or agencies administering or supervising the administration of State health care programs (as defined in 42 U.S.C. 1320a-7(h)), the appropriate utilization and quality control peer review organization, and the appropriate State or local licensing agency or organization (including the agency specified in 42 U.S.C. 1395aa(a), 1396a(a)(33)).

    Sec. 3.504 Procedures for hearings.

    (a) Hearings before an ALJ. A respondent may request a hearing before an ALJ. Hearings must be requested in accordance with 45 CFR 160.504(a) through (c), except the language in paragraph (c) following and including ``except that'' shall not apply. The ALJ must dismiss a hearing request in accordance with 45 CFR 160.504(d).

    (b) Rights of the parties. The hearing rights of the parties will be determined in accordance with 45 CFR 160.506.

    (c) Authority of the ALJ. The ALJ will conduct a fair and impartial hearing in accordance with 45 CFR 160.508(a) through (c)(4).

    (d) Ex parte contacts. Ex parte contacts are prohibited in accordance with 45 CFR 160.510.

    (e) Prehearing conferences. Prehearing conferences will be conducted in accordance with 45 CFR 160.512, except the term ``identifiable patient safety work product'' shall apply in place of the term ``individually identifiable health information.''

    (f) Authority to settle. The Secretary has authority to settle issues in accordance with 45 CFR 160.514.

    (g) Discovery. Discovery will proceed in accordance with 45 CFR 160.516.

    (h) Exchange of witness lists, witness statements, and exhibits. The parties will exchange hearing material in accordance with 45 CFR 160.518, except the language in paragraph (a) following and including ``except that'' shall not apply.

    (i) Subpoenas for attendance at hearing. The ALJ will issue a subpoena for the appearance and testimony of any person at the hearing in accordance with 45 CFR 160.520.

    (j) Fees. Fees and mileage for subpoenaed witnesses will be paid in accordance with 45 CFR 160.522.

    (k) Form, filing, and service of papers. Hearing documents will be filed and serviced in accordance with 45 CFR 160.524.

    (l) Computation of time. Computation of time shall be in accordance with 45 CFR 160.526, except the term ``this subpart'' shall refer to 42 CFR part 3, Subpart D, and the citation ``Sec. 3.504(a) of 42 CFR part 3'' shall apply in place of the citation ``Sec. 160.504.''

    (m) Motions. Procedures for the filing and disposition of motions will be in accordance with 45 CFR 160.528.

    (n) Sanctions. The ALJ may sanction a person in accordance with authorities at 45 CFR 160.530.

    (o) Collateral estoppel. Collateral estoppel will apply to hearings conducted pursuant to this subpart in accordance with 45 CFR 160.532, except the term ``a confidentiality provision'' shall apply in place of the term ``an administrative simplification provision.''

    [[Page 8183]]

    (p) The hearing. Hearings will be conducted in accordance with 45 CFR 160.534, except the following text shall apply in place of Sec. 160.534(b)(1): ``The respondent has the burden of going forward and the burden of persuasion with respect to any challenge to the amount of a proposed penalty pursuant to Sec. Sec. 3.404-3.408 of 42 CFR part 3, including any factors raised as mitigating factors.'' Good cause shown under 45 CFR 160.534(c) may be that identifiable patient safety work product has been introduced into evidence or is expected to be introduced into evidence.

    (q) Witnesses. The testimony of witnesses will be handled in accordance with 45 CFR 160.538, except that the citation ``Sec. 3.504(h) of 42 CFR part 3'' shall apply in place of the citation ``Sec. 160.518.''

    (r) Evidence. The ALJ will determine the admissibility of evidence in accordance with 45 CFR 160.540, except that the citation ``Sec. 3.420 of 42 CFR part 3'' shall apply in place of the citation ``Sec. 160.420 of this part.''

    (s) The record. The record of the hearing will be created and made available in accordance with 45 CFR 160.542. Good cause under 45 CFR 160.542(c) through (d) may include the presence in the record of identifiable patient safety work product.

    (t) Post hearing briefs. Post-hearing briefs, if required by the ALJ, will be filed in accordance with 45 CFR 160.544.

    (u) ALJ's decision. The ALJ will issue a decision in accordance with 45 CFR 160.546, except the citation ``Sec. 3.504(v) of 42 CFR part 3'' shall apply in place of ``Sec. 160.548.''

    (v) Appeal of the ALJ's decision. Any party may appeal the decision of the ALJ in accordance with 45 CFR 160.548, except the following language in paragraph (e) shall not apply: ``Except for an affirmative defense under Sec. 160.410(b)(1) of this part.''

    (w) Stay of the Secretary's decision. Pending judicial review, a stay of the Secretary's decision may be requested in accordance with 45 CFR 160.550.

    (x) Harmless error. Harmless errors will be handled in accordance with 45 CFR 160.552.

    Dated: October 5, 2007. Michael O. Leavitt, Secretary. [FR Doc. E8-2375 Filed 2-11-08; 8:45 am]

    BILLING CODE 4153-01-P
