Federal RegisterVol. 73_ No. 226Friday_ November 21_ 2008Rules by sdfgsg234


									                                            70732            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            DEPARTMENT OF HEALTH AND                                Health Service Act (42 U.S.C. 299 et                    covered entities under the HIPAA
                                            HUMAN SERVICES                                          seq.) by inserting new sections 921                     Privacy Rule and will be required to
                                                                                                    through 926, 42 U.S.C. 299b–21 through                  comply with the HIPAA Privacy Rule
                                            42 CFR Part 3                                           299b–26.1 The Patient Safety Act                        when they disclose patient safety work
                                            RIN 0919–AA01                                           focuses on creating a voluntary program                 product that contains protected health
                                                                                                    through which health care providers can                 information. The Patient Safety Act is
                                            Patient Safety and Quality                              share information relating to patient                   clear that it is not intended to interfere
                                            Improvement                                             safety events with PSOs, with the aim                   with the implementation of any
                                                                                                    of improving patient safety and the                     provision of the HIPAA Privacy Rule.
                                            AGENCY:  Agency for Healthcare Research                 quality of care nationwide. The statute                 See 42 U.S.C. 299b–22(g)(3). The statute
                                            and Quality, Office for Civil Rights,                   attaches privilege and confidentiality                  also provides that civil money penalties
                                            Department of Health and Human                          protections to this information, termed                 cannot be imposed under both the
                                            Services.                                               ‘‘patient safety work product,’’ to                     Patient Safety Act and the HIPAA
                                            ACTION: Final rule.                                     encourage providers to share this                       Privacy Rule for a single violation. See
                                                                                                    information without fear of liability and               42 U.S.C. 299b–22(f). In addition, the
                                            SUMMARY: The Secretary of Health and                    creates PSOs to receive this protected                  statute states that PSOs shall be treated
                                            Human Services is adopting rules to                     information and analyze patient safety                  as business associates, and patient
                                            implement certain aspects of the Patient                events. These protections will enable all               safety activities are deemed to be health
                                            Safety and Quality Improvement Act of                   health care providers, including multi-                 care operations under the HIPAA
                                            2005, Pub. L. 109–41, 42 U.S.C. 299b–                   facility health care systems, to share                  Privacy Rule. See 42 U.S.C. 299b and
                                            21—b–26 (Patient Safety Act). The final                 data within a protected legal                           299–22(i). Since patient safety activities
                                            rule establishes a framework by which                   environment, both within and across                     are deemed to be health care operations,
                                            hospitals, doctors, and other health care               states, without the threat that the                     the HIPAA Privacy Rule does not
                                            providers may voluntarily report                        information will be used against the                    require covered providers to obtain
                                            information to Patient Safety                           subject providers.                                      patient authorizations to disclose
                                            Organizations (PSOs), on a privileged                      However, we note that section                        patient safety work product containing
                                            and confidential basis, for the                         922(g)(2) of the Public Health Service                  protected health information to PSOs.
                                            aggregation and analysis of patient                     Act is quite specific that these                        Additionally, as business associates of
                                            safety events.                                          protections do not relieve a provider
                                              The final rule outlines the                                                                                   providers, PSOs must abide by the terms
                                                                                                    from its obligation to comply with other                of their HIPAA business associate
                                            requirements that entities must meet to                 Federal, State, or local laws pertaining
                                            become PSOs and the processes by                                                                                contracts, which require them to notify
                                                                                                    to information that is not privileged or                the provider of any impermissible use or
                                            which the Secretary will review and                     confidential under the Patient Safety
                                            accept certifications and list PSOs. It                                                                         disclosure of the protected health
                                                                                                    Act: section 922(g)(5) of the Public                    information of which they are aware.
                                            also describes the privilege and                        Health Service Act states that the
                                            confidentiality protections for the                                                                             See 45 CFR 164.504(e)(2)(ii)(C).
                                                                                                    Patient Safety Act does not affect any
                                            information that is assembled and                       State law requiring a provider to report                II. Overview of the Proposed and Final
                                            developed by providers and PSOs, the                    information that is not patient safety                  Rules
                                            exceptions to these privilege and                       work product. The fact that information                 A. The Proposed Rule
                                            confidentiality protections, and the                    is collected, developed, or analyzed
                                            procedures for the imposition of civil                                                                             The proposed rule sought to
                                                                                                    under the protections of the Patient
                                            money penalties for the knowing or                                                                              implement the Patient Safety Act to
                                                                                                    Safety Act does not shield a provider
                                            reckless impermissible disclosure of                                                                            create a voluntary system through
                                                                                                    from needing to undertake similar
                                            patient safety work product.                                                                                    which providers could share sensitive
                                                                                                    activities, if applicable, outside the
                                            DATES: The final rule is effective on                                                                           information relating to patient safety
                                                                                                    ambit of the statute, so that the provider
                                            January 19, 2009.                                                                                               events without fear of liability, which
                                                                                                    can meet its obligations with non-
                                                                                                                                                            should lead to improvements in patient
                                            FOR FURTHER INFORMATION CONTACT:                        patient safety work product. The Patient
                                            Susan Grinder, Agency for Healthcare                                                                            safety and in the quality of patient care.
                                                                                                    Safety Act, while precluding other
                                            Research and Quality, 540 Gaither Road,                                                                         The proposal reflected an approach to
                                                                                                    organizations and entities from
                                            Rockville, MD 20850, (301) 427–1111 or                                                                          the implementation of the Patient Safety
                                                                                                    requiring providers to provide them
                                            (866) 403–3697.                                                                                                 Act intended to ensure adequate
                                                                                                    with patient safety work product,
                                                                                                                                                            flexibility within the bounds of the
                                            SUPPLEMENTARY INFORMATION: On                           recognizes that the original records
                                                                                                                                                            statutory provisions and to encourage
                                            February 12, 2008, the Department of                    underlying patient safety work product
                                                                                                                                                            providers to participate in this
                                            Health and Human Services (HHS)                         remain available in most instances for
                                                                                                                                                            voluntary program. The proposed rule
                                            published a Notice of Proposed                          the providers to meet these other
                                                                                                                                                            emphasized that this program is not
                                            Rulemaking (proposed rule) at 73 FR                     reporting requirements.
                                                                                                       We note also that the Patient Safety                 federally funded and will be put into
                                            8112 proposing to implement the                                                                                 operation by the providers and PSOs
                                            Patient Safety Act. The comment period                  Act references the Standards for the
                                                                                                    Privacy of Individually Identifiable                    that wish to participate with little direct
                                            closed on April 14, 2008. One-hundred-                                                                          federal involvement. However, the
                                            sixty-one comments were received                        Health Information under the Health
                                                                                                    Insurance Portability and                               process for certification and listing of
                                            during the comment period.                                                                                      PSOs will be implemented and overseen
                                                                                                    Accountability Act of 1996 (HIPAA
                                            I. Background                                                                                                   by the Agency for Healthcare Research
dwashington3 on PRODPC61 with RULES3

                                                                                                    Privacy Rule), 45 CFR parts 160 and
                                                                                                    164. Many health care providers                         and Quality (AHRQ), while compliance
                                            Statutory Background                                                                                            with the confidentiality provisions will
                                                                                                    participating in this program will be
                                              This final rule establishes the                                                                               be investigated and enforced by the
                                            authorities, processes, and rules                         1 All citations to provisions in the Patient Safety   Office for Civil Rights (OCR).
                                            necessary to implement the Patient                      Act will be to the sections in the Public Health           Subpart A of the proposed rule set
                                            Safety Act that amended the Public                      Service Act or to its location in the U.S. Code.        forth the definitions of essential terms,

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00002   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                         70733

                                            such as patient safety work product,                    modified for clarity, and the definition              proceedings. Proposed § 3.206(b)(4) has
                                            patient safety evaluation system, and                   of disclosure was modified to clarify                 been amended to allow disclosures of
                                            PSO. In order to facilitate the sharing of              that the sharing of patient safety work               identifiable, non-anonymized patient
                                            patient safety work product and the                     product, between a component PSO and                  safety work product among affiliated
                                            analysis of patient safety events,                      the entity of which it is a part, qualifies           providers for patient safety activities. In
                                            Subpart B of the proposed rule                          as a disclosure, while the sharing of                 addition, proposed § 3.206(b)(7) has
                                            implemented the statutory requirements                  patient safety work product between a                 been modified to make clear that the
                                            for the listing of PSOs, the entities that              physician with staff privileges and the               provision permits disclosures to and
                                            will offer their expert advice in                       entity with which it holds privileges is              among FDA, entities required to report
                                            analyzing the patient safety events and                 not a disclosure. We have also modified               to FDA, and their contractors. We also
                                            other information they collect or                       the definition of patient safety work                 have modified proposed § 3.206(b)(8) to
                                            develop to provide feedback and                         product to include information that,                  require providers voluntarily disclosing
                                            recommendations to providers. The                       while not yet reported to a PSO, is                   patient safety work product to
                                            proposed rule established the criteria                  documented as being within a                          accrediting bodies either to obtain the
                                            and set forth a process for certification               provider’s patient safety evaluation                  agreement of identified non-disclosing
                                            and listing of PSOs and described how                   system and that will be reported to a                 providers or to anonymize the
                                            the Secretary would review, accept,                     PSO. This modification allows for                     information with respect to the non-
                                            condition, deny, or revoke certifications               providers to voluntarily remove, and                  disclosing providers prior to disclosure.
                                            for listing and continued listing of                    document the removal of, information                  Finally, we modified §§ 3.204(c),
                                            entities as PSOs.                                       from the patient safety evaluation                    3.206(d), and 3.210 to allow disclosures
                                              Based on the statutory mandates in                    system that has not yet been reported to              of patient safety work product to or by
                                            the Patient Safety Act, Subpart C of the                a PSO, in which case, the information                 the Secretary for the purposes of
                                            proposed rule set forth the privilege and               is no longer patient safety work product.             determining compliance with not only
                                            confidentiality protections that attach to                 The most significant modifications to              the Patient Safety Act, but also the
                                            patient safety work product; it also set                Subpart B include the following. With                 HIPAA Privacy Rule.
                                            forth the exceptions to these                           respect to the listing of PSOs, we have                 In Subpart D, we adopt the proposed
                                            protections. The proposed rule provided                 broadened the list of excluded entities               provisions except, where reference was
                                            that patient safety work product                        at § 3.102(a)(2)(ii), required PSOs at                made in the proposed rule to provisions
                                            generally continues to be protected as                  § 3.102(b)(1)(i)(B) to notify reporting               of the HIPAA Privacy Rule, the final
                                            privileged and confidential following a                 providers of inappropriate disclosures                rule includes the text of such provisions
                                            disclosure and set certain limitations on               or security breaches related to the                   for convenience of the reader.
                                            redisclosure of patient safety work                     information they reported, specified
                                                                                                                                                            We describe more fully these
                                            product.                                                compliance with the requirement
                                              Subpart D of the proposed rule                                                                              provisions, the comments received, and
                                                                                                    regarding the collection of patient safety
                                            established a framework to enable the                                                                         our responses to these comments below
                                                                                                    work product in § 3.102(b)(2)(iii),
                                            Secretary to monitor and ensure                         eliminated the requirements for separate              in the section-by-section description of
                                            compliance with this Part, a process for                information systems and restrictions on               the final rule below.
                                            imposing a civil money penalty for                      shared staff for most component PSOs                  III. Section-by-Section Description of
                                            breach of the confidentiality provisions,               but added additional restrictions and                 Final Rule and Response to Comments
                                            and procedures for a hearing contesting                 limitations for PSOs that are
                                            the imposition of a civil money penalty.                components of excluded entities at                    A. Subpart A—General Provisions
                                            These provisions were modeled largely                   § 3.102(c), and narrowed and clarified                1. Section 3.10—Purpose
                                            on the HIPAA Enforcement Rule at 45                     the disclosure requirements that PSOs
                                            CFR part 160, subparts C, D and E.                      must file regarding contracting                          Proposed Rule: Proposed § 3.10
                                                                                                    providers with whom they have                         provided that the purpose of proposed
                                            B. The Final Rule                                                                                             Part 3 is to implement the Patient Safety
                                                                                                    additional relationships at § 3.102(d)(2).
                                              We received over 150 comments on                      We have modified the security                         and Quality Improvement Act of 2005
                                            the proposed rule from a variety of                     requirement to provide flexibility for                (Pub. L. 109–41), which amended the
                                            entities, including small providers and                 PSOs to determine whether to maintain                 Public Health Service Act (42 U.S.C. 299
                                            large institutional providers, hospital                 patient safety work product separately                et seq.) by inserting new sections 921
                                            associations, medical associations,                     from unprotected information. The final               through 926, 42 U.S.C. 299b–21 through
                                            accrediting bodies, medical liability                   rule includes a new expedited                         299b–26.
                                            insurers, and state and federal agencies.               revocation process at § 3.108(e) for                     Overview of Public Comments: No
                                            Many of the commenters expressed                        exceptional circumstances that require                comments were received pertaining to
                                            support for the proposed rule and the                   prompt action, and eliminates implied                 this section.
                                            protections it granted to sensitive                     voluntary relinquishment, providing                      Final Rule: The Department adopts
                                            information related to patient safety                   instead in § 3.104(e) that a PSO’s listing            the proposed provision without
                                            events.                                                 automatically expires at the end of three             modification.
                                              Based upon the comments received,                     years, unless it is revoked for cause,                2. Section 3.20—Definitions
                                            the final rule adopts most of the                       voluntarily relinquished, or its
                                            provisions of the proposed rule without                 certifications for continued listing are                Proposed Rule: Proposed § 3.20
                                            modification; however, several                          approved.                                             provided for definitions applicable to
                                            significant changes to certain provisions                  Changes to proposed Subpart C                      Part 3. Some definitions were
dwashington3 on PRODPC61 with RULES3

                                            of the proposed rule have been made in                  include the addition of language in                   restatements of the definitions at section
                                            response to these comments. Changes to                  § 3.206(b)(2) that requires a reporter                921 of the Public Health Service Act, 42
                                            Subpart A include the addition of a                     seeking equitable relief to obtain a                  U.S.C. 299b–21, and other definitions
                                            definition of affiliated provider. The                  protective order to protect the                       were provided for convenience or to
                                            definitions of component organization,                  confidentiality of patient safety work                clarify the application and operation of
                                            parent organization, and provider were                  product during the course of the                      the proposed rule.

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00003   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70734            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                              Overview of Public Comments: With                     limitations as restricting a provider’s               forms of control that such enterprises
                                            respect to the definitions for AHRQ,                    use of its own data. These comments are               can create that might impact component
                                            ALJ, Board, complainant, component                      addressed more fully below as part of                 entities. The preamble also discussed
                                            PSO, confidentiality provisions, entity,                the discussion of the patient safety                  the traditional meaning of subsidiaries
                                            group health plan, health maintenance                   activities disclosure permission.                     as being separate legal entities and,
                                            organization, HHS, HIPAA Privacy Rule,                                                                        therefore, not within the ordinary
                                                                                                    (B) Section 3.20—Definition of Bona
                                            identifiable patient safety work product,                                                                     meaning of the term ‘‘component.’’
                                                                                                    Fide Contract
                                            nonidentifiable patient safety work                                                                           However, the approach of the proposed
                                            product, OCR, Patient Safety Act,                          Proposed Rule: Proposed § 3.20                     rule was to express the Department’s
                                            patient safety activities, patient safety               provided that bona fide contract would                intention to encourage all forms of PSO
                                            organization, person, research,                         mean a written contract between a                     organizational arrangements including
                                            respondent, responsible person, and                     provider and a PSO that is executed in                the ownership of PSOs as subsidiaries.
                                            workforce, we received no comments.                     good faith or a written agreement                     At the same time, we wanted to be able
                                              We received a number of comments                      between a Federal, State, local, or Tribal            to accurately determine and to indicate
                                            on the various other definitions and                    provider and a Federal, State, local, or              to providers which PSOs should be
                                            these comments will be addressed                        Tribal PSO.                                           considered components of other entities
                                            below in reference to the specific term.                   Overview of Public Comments: One                   and the identity of a component PSO’s
                                              Final Rule: The Department adopts                     comment was received noting that                      parent organization. We explained our
                                            the above definitions as proposed.                      ‘‘good faith’’ need not be a part of a bona           intent was not to limit our approach to
                                            Certain definitions were added for                      fide contract.                                        corporate forms of organizations.
                                            convenience or clarity of the reader.                      Final Rule: Because meeting the                       Overview of Public Comments: The
                                                                                                    minimum contract requirement is                       majority of commenters supported our
                                            Response to Public Comments                             essential for a PSO to remain listed by               proposal to consider subsidiaries as
                                               Comment: Commenters requested                        the Secretary, the Department believes                component organizations for the
                                            definitions for accrediting body,                       that the requirement that contracts to be             purposes of this rule. Several
                                            reporter, redisclosure, impermissible                   entered in good faith should be retained.             commenters sought reassurance that our
                                            disclosure, use, evaluation and                         We also note that Federal, State, local or            interpretation does not impose
                                            demonstration projects, and legislatively               Tribal providers are free to enter into an            additional legal liability on the parent
                                            created PSO.                                            agreement with any PSO that would                     organization.
                                               Response: The Department does not                    serve their needs; thus, they can enter                  Concern was expressed that our
                                            agree that the additional definitions                   bona fide contracts with PSOs pursuant                approach suggested an over-reliance on
                                            requested by commenters are necessary.                  to paragraph (1) of the definition, or                the corporate model and the definition
                                            Some definitions requested have                         enter comparable arrangements with a                  needed to reflect other types of legally
                                            generally accepted meanings and we do                   Federal, State, local or Tribal PSO                   recognized entities. One comment
                                            not believe there is benefit in imposing                pursuant to paragraph (2). The                        reflected concern that our reference to
                                            more limitations on such terms. Some                    Department adopts the proposed                        ‘‘multi-organizational enterprise’’ in the
                                            terms such as legislatively created PSO                 provision without modification.                       definition was unnecessarily confusing
                                            are not used within the final rule. Other                                                                     because it was not commonly used.
                                                                                                    (C) Section 3.20—Definition of
                                            terms such as impermissible disclosure,                                                                       Another commenter disagreed with our
                                                                                                    Component Organization
                                            use, and reporter are readily understood                                                                      approach entirely, arguing that the
                                            from the context of the final rule and do                 Proposed Rule: Proposed § 3.20                      scope of our definition was overly broad
                                            not need definitions.                                   provided that component organization                  and unnecessary.
                                                                                                    would mean an entity that is either: (a)                 Final Rule: The final rule now defines
                                            (A) Section 3.20—New Definition of                      A unit or division of a corporate                     ‘‘component organization’’ to mean an
                                            Affiliated Provider                                     organization or of a multi-organizational             entity that: ‘‘(1) is a unit or division of
                                              Final Rule: The proposed rule did not                 enterprise; or (b) a separate                         a legal entity (including a corporation,
                                            include a definition for affiliated                     organization, whether incorporated or                 partnership, or a Federal, State, local or
                                            provider. The Department adopts the                     not, that is owned, managed or                        Tribal agency or organization); or
                                            term affiliated provider to mean, with                  controlled by one or more other                          (2) Is owned, managed, or controlled
                                            respect to a provider, a legally separate               organizations, i.e., its parent                       by one or more legally separate parent
                                            provider that is the parent organization                organization(s). Because this definition              organizations.’’
                                            of the provider, is under common                        used terms in a manner that was broader                  The definition of component
                                            ownership, management, or control                       than traditional usage, the proposed rule             organization is intended to be read with
                                            with the provider, or is owned,                         sought comment on whether it was                      a focus on management or control by
                                            managed, or controlled by the provider.                 appropriate for purposes of the                       others as its defining feature. The
                                            The Department includes this term to                    regulation to consider a subsidiary, an               definition must be read in conjunction
                                            identify to whom patient safety work                    otherwise legally independent entity, as              with the complementary definition of
                                            product may be disclosed pursuant to a                  a component organization.                             ‘‘parent organization.’’ While our
                                            clarification of the disclosure                           With respect to the terms ‘‘owned,                  approach remains little changed, we
                                            permission for patient safety activities.               managed, or controlled,’’ the preamble                have rearranged and streamlined the
                                              Overview of Comments: Several                         directed readers to our description of                text of the definition of component in
                                            commenters were concerned about                         these concepts in our discussion of the               response to the comments and concerns
                                            limitations of disclosures for patient                  term ‘‘parent organization.’’ The                     we received on it. For example, there is
dwashington3 on PRODPC61 with RULES3

                                            safety activities among providers.                      preamble to the proposed rule discussed               no longer an explicit reference in the
                                            Commenters raised concerns that                         the various ways that an organization                 definition of component to multi-
                                            limitations may inhibit the sharing and                 may be controlled by others. In                       organizational enterprises, which are
                                            learning among providers of the analysis                particular, there was a discussion of                 undertakings with separate corporations
                                            of patient safety events. Other                         multi-organizational enterprises and the              or organizations that are integrated in a
                                            commenters viewed the disclosure                        variety of management relationships or                common business activity. The revised

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00004   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                         70735

                                            definition, however, is sufficiently                    aspects of the component’s operations.                requirement to seek listing as a
                                            broad to apply to components of such                    If that occurs, we would consider the                 component organization.
                                            enterprises. In response to concerns that               sibling subsidiary that exercises control                Comment: It was suggested that the
                                            the earlier definition was too focused on               or management over the PSO as another                 inclusion of subsidiaries within the
                                            corporate organizations, we have                        parent organization of the PSO.                       meaning of component would require a
                                            incorporated an explicit reference to                      Obtaining the identity and contact                 health system that wished to create a
                                            ‘‘other legal entities’’ besides                        information of an entity’s parent                     PSO to create it as a component.
                                            corporations. In addition, specific                     organizations is useful for the purpose                  Response: There are several issues
                                            references have been added to more                      of letting providers know who may be                  that a health system needs to consider
                                            clearly accommodate possible                            managing or controlling a PSO. This                   in determining whether and how to
                                            organizational relationships of public                  information also will be useful in                    create a PSO, but the inclusion of
                                            agencies, such as the Department of                     implementing the certification and                    subsidiary within the meaning of
                                            Defense (DoD), Department of Veterans                   listing process for PSOs described in the             component is not necessarily
                                            Affairs (VA), the Indian Health Service                 rule which, for instance, excludes any                determinative. The statute requires the
                                            (IHS), and other State, local, and Tribal               health insurance issuer from becoming                 improvement of quality and patient
                                            organizations that manage or deliver                    a PSO and excludes a component of a                   safety to be the primary activity of the
                                            health care services.                                   health insurance issuer from becoming                 entity seeking listing. Since few
                                               In the scenario envisioned by the first              a PSO.                                                multifaceted health system
                                            prong of the definition, the legal entity                  In response to commenters concerned                organizations will meet this
                                            is a parent organization and the                        about the legal liability for parent                  requirement, existing organizations will
                                            component organization is a unit or                     organizations of component PSOs, we                   have an incentive to create single-
                                            division within the parent organization.                note that the preamble to the proposed                purpose component organizations that
                                            An underlying assumption of the                         rule stated as follows: ‘‘We stress that              clearly meet the requirement. The
                                            modified paragraph (1) is that a unit or                neither the statute nor the proposed                  second issue is whether to create a PSO
                                            division of a legal entity may be                       regulation imposes any legal                          as an internal component organization
                                            managed or controlled by one or more                    responsibilities, obligations, or liability           or as a separate legal entity. Because the
                                            parent organizations. Consistent with                   on the organization(s) of which it [the               final rule requires each PSO to enter two
                                            this paragraph, a component PSO may                     PSO] is a part.’’ The Department                      contracts, provider organizations may
                                            be managed or controlled by the legal                   reaffirms its position. At the same time,             find it useful for its component PSO to
                                            entity of which it is a part or by another              we note that the rule, at § 3.402(b),                 be a separate legal entity. Otherwise, the
                                            unit or division of that entity. It could               recognizes, provides for, and does not                component PSO may be precluded from
                                            also be controlled by a legally separate                alter the liability of principals based on            contracting with its parent organization.
                                            entity under the second paragraph of the                Federal common law.                                      Comment: There was a request for a
                                            definition.                                                                                                   definition of ‘‘own’’ with a suggestion
                                               The first prong of the definition                    Response to Other Public Comments                     for reference to Internal Revenue Code
                                            encompasses a component PSO that is                        Comment: One concern that was                      26 I.R.C. § 1563 to clarify its meaning
                                            a unit of a governmental agency that is                 expressed by several commenters                       and the meaning of having a controlling
                                            a legal entity. This could include a                    pertained to whether or not a health                  interest. This same commenter sought
                                            component organization managed by                       system that has a component or                        strong separation requirements between
                                            another division of such a governmental                 subsidiary health insurance issuer, e.g.,             a component PSO and any parent
                                            agency, e.g., a health care division of VA              a group health plan offered to the                    organization.
                                            or DoD. Thus, a component PSO could                     public, would be precluded from having                   Response: We have reviewed the cited
                                            be a unit or component of a Federal                     a component PSO as well.                              regulation but conclude that the
                                            agency that is a legal entity and it could                 Response: So long as the component                 approach presented is unlikely to clarify
                                            at the same time be a component of                      health insurance issuer does not come                 the meaning of ‘‘own’’ or ‘‘having a
                                            another unit or division of that agency                 within the definition of a parent                     controlling interest’’ for purposes of the
                                            which controls and directs or manages                   organization of the PSO, i.e., own a                  regulation. Accordingly, the definition
                                            its operation. So too in the private                    controlling or majority interest in,                  of component in the final rule will use
                                            sector, a component PSO could have                      manage, or control the health system’s                the term ‘‘owns,’’ but it should be read
                                            more than one parent and thus be a                      component PSO (i.e., the PSO would                    in conjunction with the phrase ‘‘owns a
                                            component, for example, of a                            not be a component of the health                      controlling or majority interest in’’ that
                                            professional society as well as a                       insurance issuer), the parent health                  is used in the related definition of
                                            component of the unit or division of the                system could establish a component                    ‘‘parent organization.’’ This will
                                            professional society that controls or                   PSO.                                                  indicate that the definition of
                                            manages the PSO.                                           Comment: It was asserted that                      component uses the term ‘‘owns’’ to
                                               The second prong of the definition                   including subsidiaries as components                  mean having a sufficient ownership
                                            addresses a variety of organizational                   would require a PSO that is not                       interest to control or manage a PSO. The
                                            relationships that could arise between                  controlled by another parent                          holder of a controlling or majority
                                            component PSOs and legally separate                     organization, but itself has a subsidiary,            interest in the entity seeking to be listed
                                            parent organizations that manage or                     to seek listing as a component PSO.                   should be identified as a parent
                                            control them. Under paragraph (2), a                       Response: The revised definition of                organization.
                                            subsidiary PSO could be managed or                      component organization emphasizes                        Comment: Components of government
                                            controlled by its legally separate parent               that a component is an organization that              entities should not be listed as PSOs.
dwashington3 on PRODPC61 with RULES3

                                            organization. In addition, we note that                 is controlled by another entity. It is not               Response: The Patient Safety Act
                                            a component PSO could be managed or                     the Department’s intention to require a               specifically permits public sector
                                            controlled by another unit or division of               PSO that is not controlled by another                 entities, and components of public
                                            its legally separate parent, e.g., if this              entity to seek listing as a component                 sector entities, to seek listing as a PSO.
                                            unit or division uses its knowledge and                 PSO. For this reason, the fact that a PSO             We have incorporated several
                                            skills to control or manage certain                     has a subsidiary does not trigger the                 exclusions, however, of entities with

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00005   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70736            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            regulatory authority and those                          definition of disclosure. No commenters               stated that the terms were used
                                            administering mandatory state reporting                 opposed the proposed definition or                    interchangeably and this caused
                                            programs because these activities are                   requested further clarification.                      confusion.
                                            incompatible with fostering a non-                         Most commenters that responded to                    Response: The term ‘‘disclosure’’
                                            punitive culture of safety among                        the question whether uses of patient                  describes the scope of the
                                            providers. As we explain in                             safety work product should be regulated               confidentiality protections and the
                                            § 3.102(a)(2)(ii), we conclude that it is               supported the decision not to regulate                manner in which patient safety work
                                            not necessary to exclude components of                  uses. Those commenters agreed that                    product may be shared. ‘‘Disclosure’’ is
                                            such entities but have adopted                          regulating uses would be overly                       also employed by the Patient Safety Act
                                            additional restrictions and requirements                intrusive without significant benefit and             when describing the assessment of civil
                                            in § 3.102(c) for such component                        that entities are free to enter into                  money penalties for the failure to
                                            entities.                                               agreements with greater protections.                  maintain confidentiality (see 42 U.S.C.
                                                                                                    Other commenters disagreed with the                   299b–22(f)(1)). Although the Patient
                                            (D) Section 3.20—Definition of                          Department’s proposal and stated that                 Safety Act employs the term ‘‘use’’ in
                                            Disclosure                                              regulation of uses would improve                      several provisions, we did not interpret
                                              Proposed Rule: Proposed § 3.20                        confidentiality and thereby increase                  those provisions to include a restriction
                                            provided that disclosure would mean                     provider participation.                               on the use of patient safety work
                                            the release, transfer, provision of access                 No commenters opposed the proposal                 product based on the confidentiality
                                            to, or divulging in any other manner of                 that sharing of patient safety work                   protections.
                                            patient safety work product by a person                 product from a component PSO to the                     Because the focus of the proposed
                                            holding patient safety work product to                  rest of the parent entity of which it is              rule was on disclosures, we did not
                                            another person.                                         a part would be a disclosure for                      believe that defining the term ‘‘use’’ was
                                              We did not generally propose to                       purposes of enforcement rather than a                 helpful; nor did we believe the terms
                                            regulate uses of patient safety work                    use internal to the entity.                           would be confusing. Use of patient
                                            product within an entity, i.e., when this                  Final Rule: The Department adopts                  safety work product is the sharing
                                            information is exchanged or shared                      the provision with modifications. In                  within a legal entity, such as between
                                            among the workforce members of an                       general, the modified definition of                   members of the workforce, which is not
                                            entity. We believe that regulating uses                 disclosure means the release of, transfer             a disclosure. By contrast, a disclosure is
                                            within providers and PSOs would be                      of, provision of access to, or divulging              the sharing or release of information
                                            unnecessarily intrusive given the                       in any other manner of, patient safety                outside of the entity for which a specific
                                            voluntary aspect of participation with a                work product by an entity or natural                  disclosure permission must be
                                            PSO. We believe that regulating uses                    person holding the patient safety work                applicable.
                                            would not further the statutory goal of                 product to another legally separate                     Comment: One commenter requested
                                            facilitating the sharing of patient safety              entity or natural person, other than a                clarification regarding the sharing of
                                            work product with PSOs and that                         workforce member of, or a physician                   patient safety work product among
                                            sufficient incentives exist for providers               holding privileges with, the entity                   legally separate participants that join to
                                            and PSOs to prudently manage the                        holding the patient safety work product.              form a single joint venture component
                                            internal sharing of sensitive patient                   Additionally, we have defined as a                    PSO.
                                            safety work product. However, based on                  disclosure the release of, transfer of,                 Response: The Department
                                            the statutory provision, we did propose                 provision of access to, or divulging in               distinguishes between the disclosure of
                                            that we would recognize as a disclosure                 any other manner of, patient safety work              patient safety work product between
                                            the sharing of patient safety work                      product by a component PSO to another                 legal entities and the use of patient
                                            product between a component PSO and                     entity or natural person outside the                  safety work product internal to a single
                                            the organization of which it is a                       component PSO.                                        legal entity. If a component PSO is part
                                            component. Such sharing would, absent                      We have modified the language for                  of a multi-organizational enterprise,
                                            the statutory provision and the                         clarity to distinguish the actions that are           uses of patient safety work product
                                            proposed regulation, be a use within the                a disclosure for a natural person and an              internal to the component PSO are not
                                            larger organization because the                         entity, separately. We have also                      regulated by this final rule, but sharing
                                            component PSO is not a separate entity.                 included language in the definition that              of patient safety work product between
                                            The Patient Safety Act supports this                    makes clear that sharing of patient                   the component PSO and another entity
                                            position by demonstrating a strong                      safety work product from a component                  or with a parent organization are
                                            desire for the protection of patient safety             PSO to the entity of which it is a part               considered disclosures for which a
                                            work product from the rest of the                       is a disclosure even though the                       disclosure permission must apply.
                                            organization of which the PSO is a part.                disclosure would be internal to an entity               Comment: One commenter raised
                                            We sought public comment on whether                     and generally permitted. Finally, we                  concerns that the final rule would
                                            the decision to not regulate uses was                   have added language to clearly indicate               restrict a provider’s use of its own data
                                            appropriate.                                            that the sharing of patient safety work               and thereby discourage collaboration
                                              The proposed rule discussed that                      product between a health care provider                with other care givers.
                                            sharing patient safety work product                     with privileges and the entity with                     Response: The Department believes
                                            with a contractor that is under the direct              which it holds privileges does not                    that the final rule balances the interests
                                            control of an entity, i.e., a workforce                 constitute a disclosure, consistent with              between the privacy of identified
                                            member, would not be a disclosure, but                  the treatment of patient safety work                  providers, patients and reporters and
                                            rather a use within the entity. However,                product shared among workforce                        the need to aggregate and share patient
dwashington3 on PRODPC61 with RULES3

                                            sharing patient safety work product                     members.                                              safety work product to improve patient
                                            with an independent contractor would                                                                          safety among all providers. The final
                                            be a disclosure requiring an applicable                 Response to Other Public Comments                     rule does not limit the sharing of patient
                                            disclosure permission.                                     Comment: Commenters asked that the                 safety work product within an entity
                                              Overview of Public Comments: Some                     Department clarify the terms                          and permits sharing among providers
                                            commenters supported the proposed                       ‘‘disclosure’’ and ‘‘use’’. Commenters                under certain conditions. Affiliated

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00006   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                        70737

                                            providers may share patient safety work                 vigilant in its exclusion of health                   with others, either owns a provider
                                            product for patient safety activities and               insurance issuers and components of                   entity or a component organization, or
                                            non-affiliated providers may share                      health insurance issuers, urging that                 has the authority to control or manage
                                            anonymized patient safety work                          HHS clearly define health insurance                   agenda setting, project management, or
                                            product. A provider may also share                      issuers in the final rule. Another                    day-to-day operations of the component,
                                            patient safety work product with a                      commenter sought clarification                        or the authority to review and override
                                            health care provider that has privileges                regarding risk management service                     decisions of a component organization.
                                            to practice at the provider facility.                   companies, i.e., those that offer                     The proposed rule did not provide a
                                            Further, if all identified providers are in             professional liability insurance,                     definition of ‘‘owned’’ but provided
                                            agreement regarding the need to share                   reinsurance, or consulting services.                  controlling interest (holding enough
                                            identifiable patient safety work product,                  Final Rule: The Department has                     stock in an entity to control it) as an
                                            each provider may authorize and                         reviewed the definition of ‘‘health                   example of ownership in the preamble
                                            thereby permit a disclosure.                            insurance issuer’’ and determined that                discussion of the term, ‘‘parent
                                              Comment: Several commenters asked                     the definition is clear. Because the                  organization.’’ The proposed rule
                                            whether uses were restricted based                      reference to group health plans could be              specifically sought comment on our use
                                            upon the purpose for which the patient                  a source of confusion, we note that we                of the term ‘‘controlling interest,’’
                                            safety work product is being shared                     have defined the term above.                          whether it was appropriate, and
                                            internally.                                             Accordingly, the Department adopts the                whether we needed to further define
                                              Response: The final rule does not                     proposed provision without                            ‘‘owns.’’ The remaining terms, ‘‘manage
                                            limit the purpose for which patient                     modification.                                         or control,’’ were explained in the
                                            safety work product may be shared                          In response to several comments                    proposed rule’s definition of ‘‘parent
                                            internal to an entity. Entities should                  regarding the scope of the term health                organization,’’ as having ‘‘the authority
                                            consider the extent to which sensitive                  insurance issuer, the Department has                  to control or manage agenda setting,
                                            patient safety work product is available                concluded that, for purposes of this                  project management, or day-to-day
                                            to members of its workforce as a good                   rule, risk management service                         operations of the component, or the
                                            business practice.                                      companies, professional liability                     authority to review and override
                                                                                                    insurers and reinsurers do not fall                   decisions of a component organization.’’
                                            (E) Section 3.20—Definition of Entity                                                                            Overview of Public Comments: We
                                                                                                    within the definition of health
                                              Proposed Rule: Proposed § 3.20                        insurance issuer.                                     received eight comments on the
                                            provided that entity would mean any                                                                           question of ‘‘controlling interest’’ and
                                            organization or organizational unit,                    Response to Other Public Comments                     there was no consensus among the
                                            regardless of whether the entity is                        Comment: One commenter asked if a                  commenters. Four commenters thought
                                            public, private, for-profit, or not-for-                provider system that was owned as a                   our discussion was appropriate.
                                            profit.                                                 subsidiary by an HMO could create a                   Another agreed with the concept of
                                              Overview of Public Comments: One                      component PSO.                                        controlling interest but wanted to limit
                                            comment was received suggesting that                       Response: Section 3.102(a)(2)(i)                   its application to a provider who
                                            the terms ‘‘governmental’’ or ‘‘body                    excludes a health insurance issuer, a                 reported patient safety work product to
                                            politic’’ should be added to clarify that               unit or division of a health insurance                the entity. One commenter cautioned
                                            the term ‘‘public’’ includes Federal,                   issuer, or an entity that is owned,                   that the term ‘‘controlling interest’’ was
                                            State, or local government as well as                   managed, or controlled by a health                    open to various interpretations and the
                                            public corporations.                                    insurance issuer from seeking listing as              final rule should provide additional
                                              Final Rule: The term ‘‘public’’ has                   a PSO. In this case, the HMO is                       guidance. Another commenter suggested
                                            long been used throughout Title 42 of                   considered a health insurance issuer                  ‘‘controlling interest’’ was worrisome
                                            the Code of Federal Regulations as                      and the provider system would be a                    but did not provide a rationale for this
                                            encompassing governmental agencies;                     component of the health insurance                     assessment. One commenter supported
                                            therefore we do not believe that the                    issuer. Under the rule, the HMO and the               additional protections, contending that
                                            addition is necessary. The Department                   provider system may not seek listing as               it was appropriate for HHS to pierce the
                                            adopts the proposed provision without                   a PSO, and the entity created by the                  corporate veil when there was fraud or
                                            modification.                                           provider system could not seek listing                collusion, and recommended the
                                                                                                    as a component PSO if it is owned,                    preamble outline situations in which
                                            (F) Section 3.20—Definition of Health
                                                                                                    managed or controlled by the provider                 HHS would pierce the corporate veil.
                                            Insurance Issuer                                                                                                 We received no negative comments on
                                                                                                    system or the HMO.
                                               Proposed Rule: Proposed § 3.20                          Comment: One commenting                            our proposed interpretation of what it
                                            provided that health insurance issuer                   organization requested discussion of                  means to manage or control another
                                            would mean an insurance company,                        what organizational structure might                   entity. One commenter suggested that
                                            insurance service, or insurance                         allow a health insurance issuer to                    the definition should recognize the
                                            organization (including a health                        participate in the patient safety work of             significant authority or control of a
                                            maintenance organization, as defined in                 an independent PSO.                                   provider entity or component
                                            42 U.S.C. 300gg–91(b)(3)) which is                         Response: The statutory exclusion                  organization through reserve powers, by
                                            licensed to engage in the business of                   means that the following entities may                 agreement, statute, or both.
                                            insurance in a State and which is                       not seek listing: a health insurance                     Final Rule: While approximately half
                                            subject to State law which regulates                    issuer or a component of a health                     of the comments supported our
                                            insurance (within the meaning of 29                     insurance issuer.                                     approach, there was not a clear
dwashington3 on PRODPC61 with RULES3

                                            U.S.C. 1144(b)(2). The definition                                                                             consensus in the comments we
                                            specifically excluded group health plans                (G) Section 3.20—Definition of Parent                 reviewed. So the approach we have
                                            from the meaning of the term.                           Organization                                          taken with the definition of ‘‘parent
                                               Overview of Public Comments:                           Proposed Rule: Proposed § 3.20                      organization’’ was to strive for greater
                                            Several commenters expressed concern                    provided that ‘‘parent organization’’                 clarity, taking into account its
                                            that the Department needed to be                        would mean an entity, that alone or                   interaction with our definition of

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00007   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70738            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            ‘‘component organization,’’ described                   mechanism through which information                      Overview of Public Comments:
                                            above.                                                  can be collected, maintained, analyzed,               Several commenters supported the
                                               The definition of ‘‘parent                           and communicated. The proposed rule                   efforts to enable the patient safety
                                            organization’’ in the final rule retains                discussed that a patient safety                       evaluation system to be flexible and
                                            the basic framework of the proposed                     evaluation system would not need to be                scalable to individual provider
                                            rule definition: an organization is a                   documented because it exists whenever                 operations. Most commenters that
                                            parent if it owns a component                           a provider engages in patient safety                  responded to the question whether a
                                            organization, has the ability to manage                 activities for the purpose of reporting to            patient safety evaluation system should
                                            or control a component, or has the                      a PSO or a PSO engages in these                       be documented supported the decision
                                            authority to review and overrule the                    activities with respect to information for            to not require documentation.
                                            component’s decisions.                                  patient safety purposes. The proposed                 Commenters stated that requiring
                                               The language of the proposed rule                    rule provided that formal                             documentation would inhibit the
                                            used only the term ‘‘own’’ while the                    documentation of a patient safety                     flexibility in the design of patient safety
                                            preamble cited the example of stock                     evaluation system could designate                     evaluation systems and the ability of
                                            ownership. Without further                              secure physical and electronic space for              providers to design systems best suited
                                            specification, we were concerned that                   the conduct of patient safety activities              for their specific practices and settings.
                                            this approach could have been                           and better delineate various functions of             Documentation would also be
                                            interpreted to mean that an organization                a patient safety evaluation system, such              burdensome to providers and should
                                            owning just a few shares of stock of a                  as when and how information would be                  ultimately be left to the discretion of
                                            component organization would be                         reported by a provider to a PSO, how                  individual providers based on their
                                            considered a parent organization. This                  feedback concerning patient safety                    needs. Other commenters supported a
                                            is not our intent. For clarity, we have                 events would be communicated                          requirement for documentation,
                                            modified the text to read ‘‘owns a                      between PSOs and providers, within                    suggesting that documentation would go
                                            controlling or majority interest.’’                     what space deliberations and analyses                 further in ensuring compliance with the
                                               We have also removed the phrase                      of information are conducted, and how                 confidentiality provisions and the
                                            ‘‘alone or with others’’ from the first                 protected information would be                        protection of information, thereby
                                            clause. We did so for two reasons. First,               identified and separated from                         encouraging provider participation.
                                            it is unnecessary since it does not matter              information collected, maintained, or                    Final Rule: The Department adopts
                                            whether ownership is shared with other                  developed for purposes other than                     the proposed provision without
                                            organizations, as in a joint venture. An                reporting to a PSO.                                   modification. Based on the comments,
                                            entity seeking listing as a PSO will use                  The Department recommended that a                   we have not modified the proposed
                                            this definition solely to determine if it               provider consider documentation of a                  decision to not require documentation.
                                            has any parent organizations and, if it                 patient safety evaluation system to                   We have, as described in the definition
                                            does, it must seek listing as a                         support the identification and                        of patient safety work product below,
                                            component organization and disclose                     protection of patient safety work                     clarified how documentation of a
                                            the names and contact information for                   product. Documentation may provide                    patient safety evaluation system clearly
                                            each of its parent organizations. Second,               substantial proof to support claims of                establishes when information is patient
                                            we have tried to make it as clear as                    privilege and confidentiality and will                safety work product. We encourage
                                            possible that any organization that has                 give notice to, will limit access to, and             providers to document their patient
                                            controlling ownership interests, or                     will create awareness among employees                 safety evaluation systems for the
                                            management or control authority over a                  of, the privileged and confidential                   benefits mentioned above. We believe
                                            PSO, should be considered, and                          nature of the information within a                    documentation is a best practice.
                                            reported in accordance with the                         patient safety evaluation system which
                                                                                                                                                          Response to Other Public Comments
                                            requirements of § 3.102(c)(1)(i), as a                  may prevent unintended or
                                            parent organization.                                    impermissible disclosures.                              Comment: Two commenters raised
                                               For similar reasons, we have removed                   We recommended that providers and                   concerns about how a patient safety
                                            the reference to provider from the first                PSOs consider documenting how                         evaluation system operates within a
                                            part of the definition and instead                      information enters the patient safety                 multi-hospital system comprised of a
                                            consistently used the term ‘‘component                  evaluation system; what processes,                    parent corporation and multiple
                                            organization’’ with respect to each                     activities, physical space(s) and                     hospitals that are separately
                                            characteristic of a parent organization.                equipment comprise or are used by the                 incorporated and licensed. One
                                            We added a second sentence to clarify                   patient safety evaluation system; which               commenter asked whether a parent
                                            that a provider could be the component                  personnel or categories of personnel                  corporation can establish a single
                                            organization in all three descriptive                   need access to patient safety work                    patient safety evaluation system in
                                            examples given of parental authority.                   product to carry out their duties                     which all hospitals participate. The
                                               In response to one commenter’s                       involving operation of, or interaction                other commenter recommended that
                                            concern, we believe that the phrase ‘‘has               with, the patient safety evaluation                   individual institutional affiliates of a
                                            the authority’’ as used in the definition               system; the category of patient safety                multi-hospital system be part of a single
                                            is sufficiently broad to encompass                      work product to which access is needed                patient safety evaluation system.
                                            reserve powers.                                         and any conditions appropriate to such                  Response: For a multi-provider entity,
                                                                                                    access; and what procedures the patient               the final rule permits either the
                                            (H) Section 3.20—Definition of Patient                  safety evaluation system uses to report               establishment of a single patient safety
                                            Safety Evaluation System                                information to a PSO or disseminate                   evaluation system or permits the sharing
dwashington3 on PRODPC61 with RULES3

                                              Proposed Rule: Proposed § 3.20                        information outside of the patient safety             of patient safety work product as a
                                            provided that patient safety evaluation                 evaluation system.                                    patient safety activity among affiliated
                                            system would mean the collection,                         The proposed rule sought comment                    providers. For example, a hospital chain
                                            management, or analysis of information                  about whether a patient safety                        that operates multiple hospitals may
                                            for reporting to or by a PSO. The patient               evaluation system should be required to               include the parent organization along
                                            safety evaluation system would be the                   be documented.                                        with each hospital in a single patient

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00008   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                         70739

                                            safety evaluation system. Thus, each                    external reporting obligations with                   in the Patient Safety Act. The proposed
                                            hospital may share patient safety work                  information that is not patient safety                rule provided that many types of
                                            product with the parent organization                    work product. Further, a provider may                 information can become patient safety
                                            and the patient safety evaluation system                not maintain a patient safety evaluation              work product to foster robust exchanges
                                            may exist within the parent organization                system within a PSO.                                  between providers and PSOs. Any
                                            as well as the individual hospitals.                       Comment: One commenter asked                       information must be collected or
                                               There may be situations where                        whether all information in a patient                  developed for the purpose of reporting
                                            establishing a single patient safety                    safety evaluation system is protected.                to a PSO.
                                            evaluation system may be burdensome                        Response: Information collected                       Three provisions identified how
                                            or a poor solution to exchanging patient                within a patient safety evaluation                    information becomes patient safety
                                            safety work product among member                        system that has been collected for the                work product. First, information may
                                            hospitals. To address this concern, we                  purpose of reporting to a PSO is patient              become patient safety work product if it
                                            have modified the disclosure                            safety work product if documented as                  is assembled or developed by a provider
                                            permission for patient safety activities                collected for reporting to a PSO. This is             for the purpose of reporting to a PSO
                                            to permit affiliated providers to disclose              discussed more fully at the definition of             and is reported to a PSO. Second,
                                            patient safety work product with each                   patient safety work product below.                    patient safety work product is
                                            other based on commonality of                           Information that is reported to a PSO is              information developed by a PSO for the
                                            ownership.                                              also protected, as discussed more fully               conduct of patient safety activities.
                                               Comment: One commenter asked how                     at the definition of patient safety work              Third, patient safety work product is
                                            a patient safety evaluation system exists               product below.                                        information that constitutes the
                                            within an institutional provider.                          Comment: One commenter was                         deliberations or analysis of, or identifies
                                               Response: A patient safety evaluation                concerned that the lack of a framework                the fact of reporting pursuant to, a
                                            system is unique and specific to a                      and too much flexibility may interfere                patient safety evaluation system.
                                            provider. The final rule retains a                      with interoperability and data                           The proposed rule provided that
                                            definition of a patient safety evaluation               aggregation at a later date.                          reporting means the actual transmission
                                            system that is flexible and scalable to                    Response: The Department believes                  or transfer of information to a PSO. We
                                            meet the specific needs of particular                   that a patient safety evaluation system               recognized that requiring the
                                            providers.                                              must of necessity be flexible and                     transmission of every piece of paper or
                                               With respect to a single institutional               scalable to meet the needs of specific                electronic file to a PSO could impose
                                            provider, such as a hospital, a provider                providers and PSOs. Without such                      significant transmission, management,
                                            may establish a patient safety evaluation               flexibility, a provider may not                       and storage burdens on providers and
                                            system that exists only within a                        participate, which may, lessen the                    PSOs. The proposed rule sought
                                            particular office or that exists at                     overall richness of the information that              comment on whether alternatives for
                                            particular points within the institution.               could be obtained about patient safety                actual reporting should be recognized as
                                            The decisions as to how a patient safety                events. The Department recognizes the                 sufficient to meet the reporting
                                            evaluation system operates will depend                  value of aggregated data and has,                     requirement. For example, the proposed
                                            upon the functions the institutional                    pursuant to the Patient Safety Act,                   rule suggested that a provider that
                                            provider desires the patient safety                     begun the process of identifying                      contracts with a PSO may functionally
                                            evaluation system to perform and its                    standard data reporting terms to                      report information to a PSO by
                                            tolerances regarding access to the                      facilitate aggregation and                            providing access and control of
                                            sensitive information contained within                  interoperability. Further, the Patient                information to a PSO without needing to
                                            the system. Providers should consider                   Safety Act requires that PSOs, to the                 physically transmit information. The
                                            how a patient safety evaluation system                  extent practical and appropriate, collect             proposed rule also sought comment on
                                            is constructed, carefully weighing the                  patient safety work product in a                      whether additional terms and
                                            balance between coordination and                        standardized manner (see 42 U.S.C.                    conditions should be required to permit
                                            fragmentation of a provider’s activities.               299b–24(b)(1)(F)). The Department                     functional reporting and whether
                                               Comment: Some commenters were                        hopes that, by permitting the widest                  functional reporting should be
                                            concerned that the patient safety                       range possible of providers to                        permitted only after an initial actual
                                            evaluation system provided a loophole                   participate in the gathering and analysis             report of information related to an
                                            for providers to avoid transparency of                  of patient safety events, increased                   event.
                                            operations and hide information about                   participation will generate more data                    The proposed rule also sought
                                            patient safety events. Some commenters                  and greater movement towards                          comment on whether a short period of
                                            suggested that a provider may establish                 addressing patient safety issues.                     protection for information assembled
                                            a patient safety evaluation system that is                 Comment: Many commenters                           but not yet reported is necessary for
                                            inside of a PSO, thus stashing away                     encouraged the Department to provide                  flexibility or for providers to efficiently
                                            harmful documents and information.                      technical assistance to providers and                 report information to a PSO. We also
                                               Response: The Department does not                    PSOs on the structuring and operation                 sought comment on an appropriate time
                                            believe that the patient safety evaluation              of a patient safety evaluation system.                period for such protection and whether
                                            system enables providers to avoid                          Response: The Department expects to                a provider must demonstrate intent to
                                            transparency. A patient safety                          provide such guidance on the operation                report in order to obtain protection.
                                            evaluation system provides a protected                  and activities of patient safety                         The proposed rule also sought
                                            space for the candid consideration of                   evaluation systems as it determines is                comment on when a provider could
                                            quality and safety. Nonetheless, the                    necessary.                                            begin collecting information for the
dwashington3 on PRODPC61 with RULES3

                                            Patient Safety Act and the final rule                                                                         purpose of reporting to a PSO such that
                                            have carefully assured that information                 (I) Section 3.20—Definition of Patient                it is not excluded from becoming patient
                                            generally available today remains                       Safety Work Product                                   safety work product because it was
                                            available, such as medical records,                        Proposed Rule: Proposed § 3.20                     collected, maintained or developed
                                            original provider documents, and                        adopted the statutory definition of                   separately from a patient safety
                                            business records. Providers must fulfill                patient safety work product as defined                evaluation system.

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00009   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70740            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                               The proposed rule indicated that, if a               authorities evaluations of the                        When Is Information Protected
                                            PSO is delisted for cause, a provider                   effectiveness of corrective action, but                  Commenters raised significant and
                                            would be able to continue to report to                  the provider must respond with                        substantial concerns regarding when the
                                            that PSO for 30 days after the date of                  information that is not patient safety                protections for patient safety work
                                            delisting and the information reported                  work product. The proposed rule                       product begins, how existing patient
                                            would be treated as patient safety work                 provided that recommendations for                     safety processes will occur given the
                                            product (section 924(f)(1) of the Public                changes from the provider’s patient                   protections for patient safety work
                                            Health Service Act). However, after                     safety evaluation system or the PSO are               product, and the likelihood that
                                            delisting, the proposed rule indicated                  patient safety work product. However,                 providers may need to maintain
                                            that the former PSO may not generate                    the actual changes that the provider                  separate systems with substantially
                                            patient safety work product by                          implements to improve how it manages                  duplicate information. A significant
                                            developing information for the conduct                  or delivers health care services are not              majority of commenters responded to
                                            of patient safety activities or through                 patient safety work product, and it                   the concern regarding the status of
                                            deliberations and analysis of                           would be virtually impossible to keep                 information collected, but not yet
                                            information. Even though a PSO may                      such changes confidential.                            reported to a PSO. Most commenters
                                            not generate new patient safety work
                                                                                                       Overview of Public Comments:                       agreed with concerns raised by the
                                            product after delisting, it may still
                                                                                                    Commenters raised a significant number                Department that early protection could
                                            possess patient safety work product,
                                                                                                    of concerns regarding how information                 ease the burden on providers,
                                            which must be kept confidential and be
                                                                                                    becomes patient safety work product                   preventing a race to report to a PSO.
                                            disposed of in accordance with
                                                                                                    under particular provisions of the                    These commenters recommended that
                                            requirements in Subpart B.
                                               The proposed rule also described                     definition.                                           information be protected upon
                                            what is not patient safety work product,                                                                      collection and prior to reporting.
                                                                                                    Functional Reporting
                                            such as a patient’s original medical                                                                          Protection during this time would
                                            record, billing and discharge                              We received significant feedback from              permit providers to investigate an event
                                            information, or any other original                      commenters in support of recognizing                  and conduct preliminary analyses
                                            patient or provider record. Patient safety              alternative reporting methods. Most                   regarding causes of the event or whether
                                            work product does not include                           commenters agreed that an alternative                 to report information to a PSO. Many
                                            information that is collected,                          reporting arrangement should be                       commenters were concerned that
                                            maintained, or developed separately or                  permitted to promote efficiency and                   information related to patient safety
                                            exists separately from, a patient safety                relieve providers of the burden of                    events be protected at the same time the
                                            evaluation system. This distinction is                  continued transmission. Two                           information is preserved for other uses.
                                            made because these and similar records                  commenters opposed permitting                         Some providers indicated that if
                                            must be maintained by providers for                     alternative reporting methods based on                duplication of information is required,
                                            other purposes.                                         the concern that a shared resource may                providers may opt to not participate due
                                               The proposed rule also discussed that                confuse clear responsibility for a breach             to costs and burdens. Three commenters
                                            external reporting obligations as well as               of information and that a PSO that has                indicated that there should be no
                                            voluntary reporting activities that occur               access to a provider information system               protection until information is reported
                                            for the purpose of maintaining                          may also have access to patient records               to a PSO. One commenter was
                                            accountability in the health care system                and similar information for which                     concerned that early protection may
                                            cannot be satisfied with patient safety                 access may not be appropriate.                        interfere with State reporting
                                            work product. Thus, information that is                                                                       requirements because information
                                                                                                       Most commenters rejected the
                                            collected to comply with external                                                                             needed to report to a State may become
                                                                                                    suggestion that functional reporting
                                            obligations is not patient safety work                                                                        protected and unavailable for State
                                                                                                    should be limited to subsequent reports
                                            product. The proposed rule provided                                                                           reporting. Another commenter stated
                                                                                                    of information rather than allowing
                                            that such activities include: state                                                                           that earlier protection would not
                                                                                                    functional reports for the first report of
                                            incident reporting requirements;                                                                              alleviate the concerns regarding
                                                                                                    an event. Commenters believed that
                                            adverse drug event information                                                                                protection prior to reporting.
                                                                                                    such a limitation would inhibit                          Commenters provided a wide range of
                                            reporting to the Food and Drug
                                                                                                    participation and offset the benefits of              recommendations in response to when
                                            Administration (FDA); certification or
                                                                                                    allowing functional reporting.                        protection of information should begin
                                            licensing records for compliance with
                                                                                                    Commenters also believed such a                       prior to creation of patient safety work
                                            health oversight agency requirements;
                                                                                                    limitation would create an artificial                 product. Commenters suggested that
                                            reporting to the National Practitioner
                                                                                                    distinction between information that is               information be protected prior to
                                            Data Bank of physician disciplinary
                                            actions; or complying with required                     initially and subsequently reported to a              reporting for as little as 24 hours from
                                            disclosures by particular providers or                  PSO. Some commenters believed that                    an event up to 12 months. Other
                                            suppliers pursuant to Medicare’s                        details regarding functional reporting                commenters suggested that a timeframe
                                            conditions of participation or conditions               are better left to agreement between the              be reasonable and based upon relevant
                                            of coverage.                                            provider and PSO engaging in                          factors such as the complexity of facts
                                               The proposed rule also addressed the                 functional reporting. Two commenters                  and circumstances surrounding an
                                            issue that external authorities may seek                did support restricting functional                    event.
                                            information about how effectively a                     reporting to subsequent information, but
                                            provider has instituted corrective action               did not provide any rationale or concern              State Reporting
dwashington3 on PRODPC61 with RULES3

                                            following identification of a threat to the             to support their comment.                               One of the most significant areas of
                                            quality or safety of patient care. The                     No commenters identified additional                comment was how processes to create
                                            Patient Safety Act does not relieve a                   requirements or criteria that should be               patient safety work product may operate
                                            provider of its responsibility to respond               imposed beyond a formal contract or                   alongside similar processes within a
                                            to such requests for information or to                  agreement. Thus, the final rule permits               provider. Commenters were particularly
                                            undertake or provide to external                        functional reporting.                                 concerned that information collected for

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00010   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                         70741

                                            similar purposes, such as for reporting                 addressed and need be no more                         obtain protection in situations where a
                                            to a PSO and for reporting to a State                   complex than exists in provider settings              report ultimately may be unhelpful,
                                            health authority, would need to be                      today with shared resources and                       causing the expenditure of scarce
                                            maintained in separate systems, thereby                 integrated services.                                  resources both by a provider and a PSO
                                            increasing the burden on providers. The                   We agree with commenters that                       to secure the information as patient
                                            most significant comments received                      limitations regarding the initial or                  safety work product. The proposed rule
                                            related to how information related to                   subsequent reporting of information are               also may have caused some providers to
                                            patient safety events may be protected at               better left to the providers and PSOs                 choose between not participating or
                                            the same time the information is                        engaging in the practice and that                     developing dual systems for handling
                                            preserved for other uses. Some                          providers and PSOs should be permitted                similar information at increased costs.
                                            providers indicated that if duplication is              to design the appropriately flexible                     We believe it is important to address
                                            required, provider may opt to not                       reporting mechanism befitting the                     the shortcomings of a strict reporting
                                            participate due to costs and burdens.                   circumstances of their practice setting.              requirement through the following
                                                                                                    We further agree that additional                      modification. The final rule provides
                                            Earliest Time for Collection of                         limitations on the ability to use                     that information documented as
                                            Information                                             functional reporting are unwarranted,                 collected within a patient safety
                                               Few commenters responded to the                      absent clear identification of risks or               evaluation system by a provider shall be
                                            request for comment on the earliest date                concerns to be addressed by further                   protected as patient safety work
                                            information could be collected for                      limitations.                                          product. A provider would document
                                            purposes of reporting to a PSO, a                         For these reasons, we clarify that                  that the information was collected for
                                            requirement for information to become                   reporting of information to a PSO for the             reporting to a PSO and the date of
                                            patient safety work product. Four                       purposes of creating patient safety work              collection. The information would
                                            commenters recommended that                             product may include authorizing PSO                   become patient safety work product
                                            information collection be permitted                     access, pursuant to a contract or                     upon collection. Additionally, a
                                            back to the passage of the Patient Safety               equivalent agreement between a                        provider may document that the same
                                            Act. Four commenters recommended                        provider and a PSO, to specific                       information is being voluntarily
                                            that the earliest date of collection be                 information in a patient safety                       removed from the patient safety
                                            dependent upon each provider’s good                     evaluation system and authority to                    evaluation system and that the provider
                                            faith and intent to collect information                 process and analyze that information,                 no longer intends to report the
                                            for reporting to a PSO.                                 e.g., comparable to the authority a PSO               information to a PSO, in which case
                                               Final Rule: The Department adopts                    would have if the information were                    there are no protections. If a provider
                                            the proposed provision with some                        physically transmitted to the PSO. We                 fails to document this information, the
                                            modification.                                           do not believe a formal change in the                 Department will presume the intent to
                                            Functional Reporting                                    regulatory text is necessitated by this               report information in the patient safety
                                                                                                    clarification.                                        evaluation system to the PSO is present,
                                               The Department recognizes the                                                                              absent evidence to the contrary.
                                            concerns raised by commenters                           When Is Information Protected
                                                                                                                                                             We believe this modification
                                            regarding the functional reporting                        The Department recognizes that the                  addresses the concerns raised by the
                                            proposal, but believes the benefits                     Patient Safety Act’s protections are the              commenters. Protection that begins from
                                            outweigh the potential negative                         foundation to furthering the overall goal             the time of collection will encourage
                                            consequences; the relief of burden, and                 of the statute to develop a national                  participation by providers without
                                            the flexibility that derives from not                   system for analyzing and learning from                causing significant administrative
                                            adhering to a narrow reading of the                     patient safety events. To encourage                   burden. The alternative is a system that
                                            reporting requirement. First, we                        voluntary reporting of patient safety                 encourages providers to
                                            recognize that a provider and PSO                       events by providers, the protections                  indiscriminately report information to
                                            engaging in this alternative method of                  must be substantial and broad enough                  PSOs in a race for protection, resulting
                                            reporting have an established                           so that providers can participate in the              in PSOs receiving large volumes of
                                            relationship for the reporting of                       system without fear of liability or harm              unimportant information. By offering
                                            information and have spent some time                    to reputation. Further, we believe the                providers the ability to examine patient
                                            considering how best to achieve a                       protections should attach in a manner                 safety event reports in the patient safety
                                            mutually useful and suitable reporting                  that is as administratively flexible as               evaluation system without requiring
                                            relationship. That relationship will                    permitted to accommodate the many                     that all such information be
                                            necessitate consideration of what                       varied business processes and systems                 immediately reported to a PSO, and by
                                            information is necessary and not                        of providers and to not run afoul of the              providing a means to remove such
                                            necessary to achieve the purpose of                     statute’s express intent to not interfere             information from the patient safety
                                            reporting. Neither a provider nor a PSO                 with other Federal, State or local                    evaluation system and end its status as
                                            is required to accept an alternative                    reporting obligations on providers.                   patient safety work product, the final
                                            reporting mechanism. Further,                             The proposed rule required that                     rule permits providers to maximize
                                            providers continue to be under the same                 information must be reported to a PSO                 organizational and system efficiencies
                                            obligations to protect patient and other                before the information may become                     and lessens the need to maintain
                                            medical records from inappropriate                      patient safety work product under the                 duplicate information for different
                                            access from others, including the PSO,                  reporting provision of the definition of              needs. Because documentation will be
                                            without exception. Second, such a                       patient safety work product. However,                 crucial to the protection of patient safety
dwashington3 on PRODPC61 with RULES3

                                            relationship should establish clearly the               this standard left information collected,             work product at collection, providers
                                            mechanism for control of information                    but not yet reported to a PSO,                        are encouraged to document their
                                            reported or to which the PSO will have                  unprotected, a cause of significant                   patient safety evaluation system. We
                                            access, and the scope of PSO authority                  commenter concern. This standard also                 note, however, that a provider should
                                            to use the information. In addition, the                might encourage providers to race to                  not place information into its patient
                                            assessment of liability should be                       report information indiscriminately to                safety evaluation system unless it

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00011   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70742            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            intends for that information to be                      Generally, information may become                     administrative proceeding; (2) the
                                            reported to the PSO.                                    patient safety work product when                      reporting of information that is not
                                               Although this approach substantially                 reported to a PSO. Information may also               patient safety work product to a Federal,
                                            addresses commenter concerns, three                     become patient safety work product                    State, or local governmental agency for
                                            issues do cause concern. First, because                 upon collection within a patient safety               public health surveillance,
                                            information may be protected back to                    evaluation system. Such information                   investigation, or other public health
                                            the time of collection, providers are no                may be voluntarily removed from a                     purposes or health oversight purposes;
                                            longer required to promptly report                      patient safety evaluation system if it has            or (3) a provider’s recordkeeping
                                            information to a PSO to ensure                          not been reported and would no longer                 obligation with respect to information
                                            protection. Although we believe this is                 be patient safety work product. As a                  that is not patient safety work product
                                            an unavoidable result of the                            result, providers need not maintain                   under Federal, State or local law.
                                            modification, we believe the likely                     duplicate systems to separate                         Section 921(7)(B)(iii) of the Public
                                            impact may be rare because providers                    information to be reported to a PSO                   Health Service Act, 42 U.S.C. 299b–
                                            are likely to engage PSOs for their                     from information that may be required                 21(7)(B)(iii). The final rule does not
                                            expertise which requires such reporting.                to fulfill state reporting obligations. All           limit persons from conducting
                                            Second, the requirement to document                     of this information, collected in one                 additional analyses for any purpose
                                            collection in a patient safety evaluation               patient safety evaluation system, is                  regardless of whether such additional
                                            system and, potentially, removal from a                 protected as patient safety work product              analyses involve issues identical to or
                                            patient safety evaluation system could                  unless the provider determines that                   similar to those for which information
                                            be burdensome to a provider. However,                   certain information must be removed                   was reported to or assessed by a PSO or
                                            we believe these are important                          from the patient safety evaluation                    a patient safety evaluation system.
                                            requirements particularly in light of the               system for reporting to the state. Once               Section 922(h) of the Public Health
                                            enforcement role OCR will play. A                       removed from the patient safety                       Service Act, 42 U.S.C. 299b–22(h).
                                            provider will need to substantiate that                 evaluation system, this information is                   Even when laws or regulations require
                                            information is patient safety work                      no longer patient safety work product.                the reporting of the information
                                            product, or OCR will be unable to                                                                             regarding the type of events also
                                            determine the status of information                     Earliest Time for Collection of                       reported to PSOs, the Patient Safety Act
                                            potentially leaving sensitive information               Information                                           does not shield providers from their
                                            unprotected—or subjecting the provider                    The Department believes that a clear                obligation to comply with such
                                            to penalties for improperly disclosing                  indication of a specific time when                    requirements. These external obligations
                                            patient safety work product. Third, the                 information may first be collected is                 must be met with information that is not
                                            ability of a provider to remove                         beneficial to providers by reducing the               patient safety work product and
                                            information from a patient safety                       complexity and ambiguity concerning                   oversight entities continue to have
                                            evaluation system raises concern that a                 when information is protected as patient              access to this original information in the
                                            provider may circumvent the intent of a                 safety work product. Although each                    same manner as such entities have had
                                            provider employee to obtain protection                  provider collecting information for                   access prior to the passage of the Patient
                                            for information when reporting to the                   reporting to a PSO may need to support                Safety Act. Providers should carefully
                                            provider’s patient safety evaluation                    the purpose of information collection at              consider the need for this information to
                                            system. For providers that engage in                    the time of collection, such a standard               meet their external reporting or health
                                            functional reporting, the concern is                    may be overly burdensome. The                         oversight obligations, such as for
                                            substantially mitigated because, under                  Department agrees that information may                meeting public health reporting
                                            functional reporting, information is                    have been collected for the purpose of                obligations. Providers have the
                                            reported to a PSO when it is transmitted                reporting to a PSO beginning from                     flexibility to protect this information as
                                            to the patient safety evaluation system                 passage of the Patient Safety Act.                    patient safety work product within their
                                            to which the PSO has access, and, thus,                 Information that existed prior to the                 patient safety evaluation system while
                                            protected. Alternatively, a provider                    passage of the Patient Safety Act may be              they consider whether the information
                                            employee may report as permitted                        subsequently collected for reporting to a             is needed to meet external reporting
                                            directly to a PSO. Ultimately, this issue               PSO, but the original record remains                  obligations. Information can be removed
                                            is to be settled between a provider that                unprotected. This clarification does not              from the patient safety evaluation
                                            wishes to encourage reports that may                    require any regulatory language change                system before it is reported to a PSO to
                                            not otherwise come to light and its                     in the proposed rule.                                 fulfill external reporting obligations.
                                            employees who must be confident that                                                                          Once the information is removed, it is
                                                                                                    What Is Not Patient Safety Work
                                            reporting will not result in adverse                                                                          no longer patient safety work product
                                            consequences.                                                                                                 and is no longer subject to the
                                               For these reasons, the Department                       We reaffirm that patient safety work               confidentiality provisions.
                                            modifies the definition of patient safety               product does not include a patient’s                     The Patient Safety Act establishes a
                                            work product to include additional                      original medical record, billing and                  protected space or system that is
                                            language in the first provision of the                  discharge information, or any other                   separate, distinct, and resides alongside
                                            definition that protects information                    original patient or provider record; nor              but does not replace other information
                                            based upon reporting to a PSO.                          does it include information that is                   collection activities mandated by laws,
                                                                                                    collected, maintained, or developed                   regulations, and accrediting and
                                            State Reporting                                         separately or exists separately from, a               licensing requirements as well as
                                              To address commenter concerns about                   patient safety evaluation system. The                 voluntary reporting activities that occur
dwashington3 on PRODPC61 with RULES3

                                            the duplication of resources for similar                final rule includes the statutory                     for the purpose of maintaining
                                            patient safety efforts and the lack of                  provision that prohibits construing                   accountability in the health care system.
                                            protection upon collection, we have                     anything in this Part from limiting (1)               Information is not patient safety work
                                            clarified the requirements for how                      the discovery of or admissibility of                  product if it is collected to comply with
                                            information becomes patient safety                      information that is not patient safety                external obligations, such as: state
                                            work product when reported to a PSO.                    work product in a criminal, civil, or                 incident reporting requirements;

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00012   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                          70743

                                            adverse drug event information                          protected at the same time as the                     the establishment of a standard of care
                                            reporting to the Food and Drug                          analysis.                                             is a function of courts and entities that
                                            Administration (FDA); certification or                     Response: As indicated in the                      have jurisdiction over the issue for
                                            licensing records for compliance with                   definition of patient safety work                     which a standard of care is relevant. The
                                            health oversight agency requirements;                   product, information that constitutes the             introduction of patient safety work
                                            reporting to the National Practitioner                  deliberation or analysis within a patient             product as information that may help
                                            Data Bank of physician disciplinary                     safety evaluation system is protected.                establish a standard of care is highly
                                            actions; complying with required                        Information underlying the analysis                   unlikely given the limited disclosure
                                            disclosures by particular providers or                  may have been either reported to a PSO                permissions. For these reasons, we make
                                            suppliers pursuant to Medicare’s                        and protected or collected in a patient               no modifications in the final rule.
                                            conditions of participation or conditions               safety evaluation system. Information                    Comment: Several commenters raised
                                            of coverage; or provision of access to                  documented as collected within a                      concerns about the distinction between
                                            records by Protection and Advocacy                      patient safety evaluation system is                   original documents and copies of
                                            organizations as required by law.                       protected based on the modification to                original documents. One commenter
                                                                                                    the definition of patient safety work                 stated that it was an artificial distinction
                                            Response to Other Public Comments                       product. Thus, information underlying                 in an electronic environment.
                                               Comment: One commenter in                            an analysis may be protected. However,                   Response: The Patient Safety Act and
                                            responding to questions about timing                    underlying information that is original               the final rule distinguish certain original
                                            and early protection interpreted the                    medical records may not be protected if               records from information collected for
                                            timing concern to be an expiration of an                it is excluded by the definition of                   reporting to a PSO. Because information
                                            allowed period of time to report, such                  patient safety work product.                          contained in these original records may
                                            that an event must be reported within a                    Comment: Two commenters raised                     be valuable to the analysis of a patient
                                            certain number of days or it may not                    concerns that PSOs do not have                        safety event, the important information
                                            become protected.                                       discretion regarding the receipt of                   must be allowed to be incorporated into
                                               Response: As noted above, the timing                 unsolicited information reported to                   patient safety work product. However,
                                            issues in the final rule relate to when                 PSOs from providers. One commenter                    the original information must be kept
                                            information may have been collected for                 was concerned about the burden on a                   and maintained separately to preserve
                                            reporting to a PSO. There is no                         PSO receiving unsolicited reports and                 the original records for their intended
                                            expiration date for an event that would                 the obligation a PSO may have regarding               purposes. If the information were to
                                                                                                    unsolicited reports. Another commenter                become patient safety work product, it
                                            prohibit future protection of a report of
                                                                                                    was concerned that unsolicited reports                could only be disclosed pursuant to the
                                            it as patient safety work product so long
                                                                                                    may be materially flawed or contain                   confidentiality protections.
                                            as the protection of the information is                                                                          Comment: One commenter was
                                                                                                    incorrect information.
                                            pursuant to the final rule.                                Response: The Department does not                  concerned that information collected for
                                               Comment: One commenter suggested                     agree that this is a major issue for PSOs             reporting to a PSO may be the same
                                            that event registries may seek to become                or that PSOs need some regulatory                     information providers collect for
                                            PSOs because the model is well                          ability to reject reported information. If            reporting to a state regulatory agency.
                                            positioned to allow for tracking and                    a PSO receives information from a                     The commenter suggested that
                                            identification of patients that require                 provider that was collected by that                   protections should only attach to
                                            follow-up.                                              provider for the purposes of sending to               information after state-mandated
                                               Response: The Department recognizes                  a PSO, then the information is patient                reporting requirements have been
                                            that event registries may have particular               safety work product. PSOs may use or                  fulfilled. The commenter was concerned
                                            benefits that may be helpful in the                     analyze the information, but must                     that the confidentiality protections may
                                            analysis of patient safety events, but we               protect it as patient safety work product             impede state data collection,
                                            caution any holder of patient safety                    and dispose of the information properly.              surveillance and enforcement efforts. A
                                            work product that future disclosure of                  However, there is no requirement that a               separate commenter requested
                                            patient safety work product must be                     PSO maintain or analyze the                           clarification that if patient safety work
                                            done pursuant to the disclosure                         information. For these reasons, we do                 product is reported under a state
                                            permissions. Thus, while it may be                      not modify the proposed rule position                 mandated incident reporting system, the
                                            appropriate for event registries to                     regarding these issues.                               patient safety work product continues to
                                            identify and track patients who may                        Comment: Some commenters were                      be protected.
                                            require follow-up care, the final rule                  concerned that recommendations of                        Response: The final rule is clear that
                                            would generally not permit disclosure                   PSOs may be treated as a standard of                  providers must comply with applicable
                                            of patient safety work product to                       care. Commenters recommended that                     regulatory requirements and that the
                                            patients for such a purpose.                            recommendations from PSOs be                          protection of information as patient
                                            Accordingly, while there may be                         protected as patient safety work                      safety work product does not relieve a
                                            benefits to an event registry becoming a                product.                                              provider of any obligation to maintain
                                            PSO, a registry should take into                           Response: The Department stated in                 information separately. The Department
                                            consideration the limitations on                        the proposed rule that PSO                            believes that some providers, such as
                                            disclosure of patient safety work                       recommendations are patient safety                    hospitals, have been operating in similar
                                            product, and what impact such limits                    work product, but the changes                         circumstances previously when
                                            would have on its mission, prior to                     undertaken by a provider based upon a                 conducting peer review activities under
                                            seeking listing.                                        PSO’s recommendations are not patient                 state peer review law protections. For
dwashington3 on PRODPC61 with RULES3

                                               Comment: Several commenters sought                   safety work product. With respect to the              patient safety work product to be
                                            clarification whether information                       concern that PSO recommendations                      disclosed, even to a State entity, the
                                            underlying analyses within a patient                    may establish a standard of care, the                 discloser must have an applicable
                                            safety evaluation system was protected.                 issue is not within the scope of the                  disclosure permission. While the Patient
                                            One commenter suggested that data                       Patient Safety Act and not appropriate                Safety Act does not preempt state laws
                                            used to conduct an analysis should be                   for the regulation to address. Generally,             that require providers to report

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00013   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70744            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            information that is not patient safety                  Patient Safety Act, may become                        medical product vendors,
                                            work product, a State may not require                   protected as a copy, but the original                 pharmaceutical companies, medical
                                            that patient safety work product be                     document remains unprotected.                         device manufacturers, risk retention
                                            disclosed.                                                                                                    groups, and captive professional
                                               Comment: One commenter advised                       (J) Section 3.20—Definition of Provider
                                                                                                                                                          liability insurance companies that are
                                            that the final rule should build on                        Proposed Rule: Proposed § 3.20 would               controlled by risk retention groups.
                                            existing infrastructure for reporting and               have divided the meaning of provider                     There was general support for the
                                            examination of patient safety events to                 into three categories. The first paragraph            inclusion of parent organizations of
                                            minimize duplication of resources and                   included ‘‘an individual or entity                    private and public sector providers in
                                            maximize existing efforts.                              licensed or otherwise authorized under                paragraph (3), although two commenters
                                               Response: The Department has                         State law to provide health care                      disagreed. One commenter argued that
                                            modified the proposed rule to address                   services, including’’ and this                        naming the parent organization as a
                                            the potential issue of duplicated                       introductory language was followed by                 provider suggested a ‘‘one size fits all’’
                                            resources by allowing providers the                     a list of institutional health care                   solution and suggested that eligibility
                                            flexibility to collect and review                       providers in subparagraph (1) and a list              should be linked to whether the parent
                                            information within a patient safety                     of individual health care practitioners in            organization is involved in the patient
                                            evaluation system to determine if the                   subparagraph (2). The preamble                        safety evaluation system for its
                                            information is needed to fulfill external               indicated that these statutory lists were             subsidiaries. Other commenters, while
                                            reporting obligations as addressed                      illustrative.                                         not objecting, worried that this addition
                                            above. The Department recognizes the                       Under the Secretary’s authority to                 could open the door for organizations
                                            high costs of health care, both in dollars              expand the list of providers in the                   such as health insurance issuers,
                                            and in the health of individuals. The                   statutory definition, the proposed rule               including Health Maintenance
                                            final rule establishes a workable and                   would have added two categories to the                Organizations, regulatory and
                                            flexible framework to permit providers                  list of providers. The second paragraph               accrediting entities to qualify as
                                            that have mature patient safety efforts to              would have covered agencies,                          component PSOs. One commenter
                                            fully participate as well as for providers              organizations, and individuals within                 suggested that by using the phrase
                                            with no patient safety activities to be                 Federal, State, local, or Tribal                      ‘‘controlling interest’’ with respect to
                                            encouraged to begin patient safety                      governments that deliver health care,                 private sector parent organizations, the
                                            efforts.                                                the contractors these entities engage,                focus of this part of the proposed
                                               Comment: One commenter asked                         and individual health care practitioners              paragraph was inappropriately narrow,
                                            whether multiple PSOs can establish a                   employed or engaged as contractors by                 appearing to emphasize a corporate
                                            single reporting portal for receiving                   these entities. We included this addition             parent, and that the language needed to
                                            reports from providers.                                 because public health care entities and               reflect a broader array of potential
                                               Response: The final rule does not                    their staff are not always authorized or              parent organizations, such as
                                            address procedures regarding how a                      licensed by state law to provide their                partnerships or limited liability
                                            PSO receives information. Providers                     services and, therefore, might not be                 companies.
                                            must meet any requirements regarding                    included within the terms of the                         Several commenters expressed
                                            sharing information that is protected                   original statutory definition.                        concern that by encompassing entities
                                            health information, such as the HIPAA                      The third paragraph would have                     that are not traditionally providers,
                                            Privacy Rule, in any circumstances                      included a parent organization that has               under HIPAA or other rules, our
                                            when reporting information to a PSO or                  a controlling interest in one or more                 definition of ‘‘provider’’ would lead to
                                            joint PSO portal.                                       entities described in paragraph (1)(i) of             confusion. One commenter suggested it
                                               Comment: Several commenters asked                    this definition or a Federal, State, local,           would be appropriate for the
                                            whether retrospective analyses could be                 or Tribal government unit that manages                commentary accompanying the final
                                            included as patient safety work product.                or controls one or more entities                      rule to address the two terms,
                                               Response: The final rule permits any                 described in (1)(i) or (2) of this                    emphasize the differences, and clarify
                                            data, which is a term that is broadly                   definition. This addition was intended                the obligations.
                                            defined and would include                               to permit the parent organization of a                   Final Rule: We have modified the
                                            retrospective analyses, to become                       health care provider system to enter a                definition of provider in the final rule
                                            patient safety work product. The fact                   system-wide contract with a PSO. The                  in response to several comments. The
                                            that information was developed prior to                 parent of a health system also may not                first modification is a non-substantive
                                            the collection for reporting to a PSO                   be licensed or authorized by state law to             substitution of the term behavioral
                                            does not bar a provider from reporting                  provide health care services as required              health for behavior health. In response
                                            an analysis to a PSO and creating                       by the statutory definition.                          to the comments we received and to
                                            patient safety work product. Providers                     Overview of Public Comments: There                 ensure clarity, we reiterate what we
                                            should be cautioned to consider                         were a number of comments with                        stated in the proposed rule that a list
                                            whether there are other purposes for                    respect to the entities and individuals               preceded by ‘‘including’’ is an
                                            which an analysis may be used to                        that are identified as providers in the               illustrative list, not an exhaustive list.
                                            determine whether protection as patient                 subparagraphs of paragraph (1). For                      In general, the question of whether
                                            safety work product is necessary or                     example, one commenter sought                         any private sector individual or entity,
                                            warranted. Further, the definition of                   clarification that ‘‘assisted living                  such as assisted living residential care
                                            patient safety work product is clear that               residential care and other community                  and other community-based care
                                            information collected for a purpose                     based care’’ providers are included in                providers, comes within the rule’s
dwashington3 on PRODPC61 with RULES3

                                            other than for reporting to a PSO may                   the broader term ‘‘long term care                     meaning of ‘‘provider’’ is determined by
                                            not become patient safety work product                  facilities’’ as identified in the list of             whether the individual or entity is
                                            only based upon the reporting of that                   covered providers. A number of other                  licensed or otherwise authorized under
                                            information to a PSO. Such information,                 individual commenters each identified                 state law to deliver health care services.
                                            particularly information collected or                   entities that the Secretary should                    We note that paragraphs (2) and (3) of
                                            developed prior to the passage of the                   include in the definition of providers:               the definition address public sector

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00014   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                        70745

                                            providers and parent organizations of                   contracts or compacts under the                       fostering transparency to enhance the
                                            health care providers.                                  ISDEAA to deliver health care fall                    ability of providers to assess the
                                               We have not adopted any of the other                 squarely within paragraph (2) of the                  strengths and weaknesses of their choice
                                            recommendations for additions to the                    definition of provider because they are               of PSOs.
                                            list of providers. The statute provides                 organizations engaged as contractors by                  We proposed a security framework
                                            confidentiality and privilege protections               the Federal government to deliver                     pertaining to the separation of data and
                                            for reporting by individuals and entities               health care. Additionally, the workforce              systems and to security management,
                                            that actually provide health care                       of a provider covered under the rule, by              control, monitoring, and assessment.
                                            services to patients. In our view, it was               definition, includes employees,                       Thus, each PSO would address the
                                            not intended to apply to those who                      volunteers, trainees, contractors, and                framework with standards it determines
                                            manufacture or supply materials used in                 other persons, whether or not paid by                 appropriate to the size and complexity
                                            treatments or to entities that provide                  the provider, that perform work under                 of its organization. We proposed
                                            fiscal or administrative support to those               the direct control of that provider.                  additional requirements to ensure that a
                                            providing health care services.                         Federal employees detailed to a tribe or              strong firewall would be maintained
                                               With respect to paragraph (3) of the                 Tribal organization carrying out an                   between a component PSO and the rest
                                            definition, the use of the term parent                  ISDEAA contract would be covered                      of the organization(s) of which it is a
                                            organization here should conform to our                 under paragraph (2) in the definition of              part.
                                            definition of ‘‘parent organization’’                   provider, even if they were not part of                  We noted that we expect to offer
                                            above. Therefore, we have streamlined                   the Tribal organization’s workforce.                  technical assistance and encourage
                                            the language, deleting unnecessary text                 Therefore, no change is needed in                     transparency wherever possible to
                                            that might suggest that we were                         response to this comment.                             promote implementation, compliance,
                                            applying a different definition.                                                                              and correction of deficiencies. At the
                                               The Department does not share the                    B. Subpart B—PSO Requirements and                     same time, this proposed Subpart
                                            concerns of commenters that                             Agency Procedures                                     established processes that would permit
                                            incorporating a broader definition of                     Proposed Subpart B would have set                   the Secretary promptly to revoke a
                                            ‘‘provider’’ in this rule will cause                    forth requirements for Patient Safety                 PSO’s certification and remove it from
                                            confusion in the marketplace, because                   Organizations (PSOs) including the                    listing, if such action proves necessary.
                                            its use will be limited. The application                certification and notification
                                                                                                                                                          1. Section 3.102—Process and
                                            of the term ‘‘provider’’ in this rule is                requirements that PSOs must meet, the
                                                                                                                                                          Requirements for Initial and Continued
                                            intended to give the full range of health               actions that the Secretary may and will
                                                                                                                                                          Listing of PSOs
                                            care providers the ability to report                    take relating to PSOs, the requirements
                                            information to, and work with, PSOs                     that PSOs must meet for the security of                  Proposed Rule: The proposed rule in
                                            and receive confidentiality and privilege               patient safety work product, the                      § 3.102 addressed the eligibility of, and
                                            protections as set forth in the Patient                 processes governing correction of PSO                 the processes and requirements for, an
                                            Safety Act and this rule. Although we                   deficiencies, revocation, and voluntary               entity seeking a three-year period of
                                            appreciate the administrative benefits of               relinquishment, and related                           listing by the Secretary as a PSO and
                                            uniformity, and have tried to maximize                  administrative authorities and                        described the timing and requirements
                                            the consistency or interoperability of                  implementation responsibilities. The                  of notifications that a PSO must submit
                                            this rule with the HIPAA Privacy and                    requirements of the proposed Subpart                  to the Secretary during its period of
                                            Security Rules, it would not be                         would have applied to entities that seek              listing. The proposed rule described our
                                            appropriate in this rule to adhere to any               to be listed as PSOs, PSOs, their                     intention to minimize barriers to entry
                                            less inclusive definition of provider                   workforce, a PSO’s contractors when                   for entities seeking listing and create
                                            used in other regulations.                              they hold patient safety work product,                maximum transparency to create a
                                               We did not condition the designation                 and the Secretary.                                    robust marketplace for PSO services.
                                            of provider status for a parent                           The proposed rule did not require a                 The Patient Safety Act set forth limited
                                            organization on its involvement in a                    provider to contract with a PSO to                    prerequisites that must be met to be
                                            patient safety evaluation system. We                    obtain the protections of the Patient                 listed by the Secretary as a PSO, which
                                            expect that most parent organizations                   Safety Act; however, we noted that we                 the regulation incorporates. The
                                            will, in fact, be a part of a system-wide               anticipate that most providers would                  Department expects that providers will
                                            patient safety evaluation system if they                enter into contracts with PSOs when                   be the ultimate arbiters of the quality of
                                            choose to pursue PSO services.                          seeking the confidentiality and privilege             services that an individual PSO
                                            However, establishing such a                            protections of the statute. We proposed               provides.
                                            requirement now, when it is unclear                     to enable a broad variety of health care                 Overview of Public Comments: The
                                            what types of innovative arrangements                   providers to work voluntarily with                    following discussion focuses on the
                                            and effective strategies might emerge,                  entities that would be listed as PSOs by              broad comments we received
                                            might prove more detrimental than                       the Secretary based upon their                        concerning our overall approach to
                                            helpful.                                                certifications that, among other things,              initial and continued listing of PSOs.
                                                                                                    state that they have the ability and                  These comments do not address specific
                                            Response to Other Public Comments                       expertise to carry out the broadly                    provisions of the proposed rule. Public
                                              Comment: One commenter raised                         defined patient safety activities of the              comments that address specific
                                            concerns that paragraph (2) may not                     Patient Safety Act and, therefore, to                 provisions of § 3.102 are addressed in
                                            include Indian tribes that operate or                   serve as consultants to eligible providers            the individual subsection discussions
                                            contract for their own health care                      to improve patient care. In accordance                that follow. Questions and situation-
dwashington3 on PRODPC61 with RULES3

                                            systems under the Indian Self-                          with the Patient Safety Act, the                      specific comments are addressed below
                                            Determination and Education                             proposed rule set out an attestation-                 under the heading of ‘‘Response to
                                            Assistance Act (ISDEAA), rather than                    based process to qualify for 3-year                   Other Public Comments.’’
                                            relying upon the Indian Health Service.                 renewable periods of listing as a PSO.                   The Department received generally
                                              Response: Tribal organizations                        Proposed Subpart B attempted to                       favorable comment on our proposed
                                            carrying out self-determination                         minimize regulatory burden, while                     approach in this section, which

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00015   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70746            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            emphasizes a streamlined certification                     Final Rule: The Department has not                 PSO will be determined primarily by
                                            process, and public release of                          modified the approach taken in the                    the providers that use its services on an
                                            documentation submitted by PSOs                         proposed rule in response to these                    ongoing basis.
                                            whenever appropriate. There were,                       comments. With respect to limiting the                  It is unclear at this point how
                                            however, two broad sets of concerns                     number of PSOs that are listed by the                 providers will choose to use PSOs. Only
                                            expressed about our overall approach.                   Secretary, the statutory language is clear            with experience will it become clear
                                               The first concern related to the                     that any entity, public or private, that              which analyses a provider will choose
                                            potential number of PSOs that might be                  can meet the stated requirements is                   to undertake in its own patient safety
                                            listed by the Secretary as a result of the              eligible for listing by the Secretary.                evaluation system and which analyses a
                                            Department’s proposed ‘‘ease of entry’’                 While the Department understands the                  provider will rely upon a PSO to
                                            approach. These comments focused on                     concerns of the commenters that a very                undertake. The mix and balance of
                                            the importance of PSOs being able to                    large number of PSOs could frustrate the              activities between a provider’s patient
                                            aggregate significant amounts of data                   statutory goal of data aggregation across             safety evaluation system and its PSO (or
                                            across multiple providers to develop                    multiple providers, we believe that this              PSOs) will undoubtedly shift over time
                                            meaningful analyses. Noting that patient                scenario is unlikely for several reasons.             as the working relationships between
                                            safety events are often rare events, one                   First, a provider does not need to                 providers and PSOs evolve toward
                                            commenter noted that in some cases it                   shoulder the financial burden alone to                greater efficiency. Thus, we remain
                                            may be necessary to aggregate data for                  support a full-time PSO. Providers enjoy              convinced that providers are in the best
                                            an entire state in order to develop                     the same protections under the Patient                position to assess the value of a PSO
                                            insights regarding the underlying causes                Safety Act when they contract with an                 and its ability to contribute to
                                            of such events. Another commenter                       independent PSO or when they create a                 improving the quality and safety of
                                            noted that if every hospital in the state               component organization to seek listing                patient care.
                                            established its own component PSO, the                  as a PSO. A provider that establishes a
                                                                                                    working relationship with a PSO can                   Response to Other Public Comments
                                            potential impact of PSO analyses could
                                            be minimal. Because most PSOs will be                   have a division of labor between the                     Comment: While contracts are not
                                            dependent upon revenue from providers                   analyses that its staff undertakes in-                required between PSOs and providers to
                                            submitting data, one commenter                          house within its patient safety                       obtain protections, the Department
                                            worried that too many PSOs could also                   evaluation system and the tasks it                    stated that it anticipates most providers
                                            affect the ability of individual PSOs to                assigns to the PSO. In both                           will enter contracts with providers. In
                                            obtain adequate funding to perform                      circumstances, the statutory protections              light of this expectation, one commenter
                                            their analytic functions and to                         apply. Thus, for a provider, establishing             urged the Department to develop and
                                                                                                    its own PSO is an option, not a                       make available a model contract.
                                            implement potentially costly security
                                                                                                    necessity.                                               Response: We do not think a model
                                                                                                       Second, there are important insights               contract can be developed easily. The
                                               These concerns led some commenters                   into patient safety that can only be                  issues that need to be addressed will
                                            to suggest inclusion in the final rule of               derived from aggregating data across                  vary significantly based upon the nature
                                            a limitation on the number of PSOs that                 multiple providers. Given the low                     of the relationship. Therefore, we do not
                                            the Secretary would list. One                           frequency of some patient safety events,              expect to be developing and releasing a
                                            commenter asked whether it would be                     even larger health systems are likely to              model contract.
                                            possible for the Department to list one                 derive additional benefits from working                  Comment: One commenter suggested
                                            national PSO, noting this could improve                 with PSOs that have multiple and,                     that the final rule should explain how
                                            efficiency for providers. Another                       potentially, diverse clients.                         AHRQ will publish the results from
                                            commenter suggested listing of 2–4                         A final limiting factor is the shortage            which providers and others can evaluate
                                            PSOs per state using a competitive                      of personnel who are well-trained or                  a PSO before entering a contract.
                                            process or limiting the number of PSOs                  experienced in the use of the                            Response: For the reasons discussed
                                            by increasing the number of required                    methodologies of patient safety                       above, AHRQ will not require or release
                                            provider contracts that each PSO must                   analyses. While the marketplace will                  PSO-specific performance information.
                                            have. Most commenters who favored                       respond to the need for the development                  Comment: One commenter suggested
                                            limiting the number of listed PSOs did                  of additional training and certification              that AHRQ should ensure that PSOs
                                            not suggest a specific approach.                        programs, the availability of highly-                 should not be able to make commercial
                                               A second broad set of                                skilled staff will be a constraining factor           gain from the knowledge it derives as a
                                            recommendations focused on the need                     initially. In combination, these three                PSO.
                                            for periodic or ongoing evaluation of the               factors should provide a natural                         Response: The statute permits all
                                            effectiveness of PSOs that could be                     constraint on the number of single-                   types of private and public entities to
                                            linked to, or be separate from, the                     provider PSOs.                                        seek listing as a PSO; it does not limit
                                            evaluation of certifications for                           Regarding the other general set of                 private entities to not-for-profits. The
                                            continued listing. Some commenters                      comments related to the listing process,              final rule mirrors that formulation. The
                                            recommended that the Department                         the Department has considered these                   Department concludes that the statute
                                            routinely collect information from PSOs                 suggestions and has determined not to                 does not invite us to impose such
                                            to evaluate whether the individual and                  incorporate in the final rule                         restrictions and expects that providers’
                                            collective work of PSOs is actually                     requirements for an ongoing evaluation                decisions will determine the
                                            reducing medical errors and improving                   process or the routine collection of data             acceptability of for-profit PSOs.
                                            the quality of care that is delivered. One              from PSOs. PSOs are not a Federal                        Comment: One commenter suggested
dwashington3 on PRODPC61 with RULES3

                                            commenter stressed the importance of                    program in the traditional sense. Most                that providers should only be permitted
                                            establishing in the final rule                          significantly, they are not Federally                 to submit data to one PSO.
                                            expectations related to PSO                             funded. Their project goals, priorities,                 Response: The Patient Safety Act’s
                                            performance and demonstrated results                    and the specific analyses that they                   framework for PSO-provider
                                            and provided draft language for                         undertake are not Federally directed.                 relationships is voluntary from a public
                                            inclusion in the final rule.                            The value and impact of an individual                 policy perspective. In our view, it

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00016   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                        70747

                                            would be inconsistent with section                      regulatory oversight of health care                   certifications and urged the Department
                                            922(e)(1)(B) of the Public Health Service               providers, which included organizations               to arrange for independent review of
                                            Act for the Department or any entity to                 that accredit or license providers. We                such documentation, coupled with an
                                            use the authority of law or regulation to               proposed this restriction for consistency             audit process that would ensure
                                            limit or direct provider reporting.                     with the statute, which seeks to foster a             compliance.
                                               Comment: One commenter suggested                     ‘‘culture of safety’’ in which health care               The comments we received were
                                            that the final rule should require PSOs                 providers are confident that the patient              supportive of including a requirement
                                            to share aggregated, non-identifiable                   safety events that they report will be                that entities certify whether there is any
                                            patient safety work product with state                  used for learning and improvement, not                relevant history regarding delisting
                                            regulatory authorities.                                 oversight, penalties, or punishment. The              about which the Secretary needs to be
                                               Response: The Department does not                    proposed rule would permit a                          aware. Several commenters suggested
                                            agree that it is appropriate to place such              component organization of such an                     that the entity seeking to be relisted
                                            an unfunded mandate upon PSOs.                          entity to seek listing as a PSO. To ensure            should be required to include reason(s)
                                               Comment: One commenter stated that                   that providers would know the parent                  for any prior delisting. Another
                                            it is a waste of effort and expense to                  organizations of such PSOs, we                        suggestion was that the Secretary should
                                            create new government entities to work                  proposed that certifications include the              have discretion in relisting an entity not
                                            with providers when current                             name(s) of its parent organization(s),                to release the names of officials who had
                                            organizations can do that just as well.                 which the Secretary would release to                  positions of responsibility in a
                                            The commenter also asked whether                        the public. We sought comment on                      previously delisted entity.
                                            anyone has estimated the 10-year costs.                 whether we should consider broader                       The proposed restrictions on
                                               Response: As this final rule makes                   restrictions on eligibility.                          eligibility engendered considerable
                                            clear, these entities are not government                   The proposed rule would permit a                   comment. With respect to the statutory
                                            entities and will not receive Federal                   delisted entity, whether delisted for                 restriction on health insurance issuers,
                                            funding. While we expect                                cause or because of voluntary                         concerns and questions were raised
                                            implementation will spur the                            relinquishment of its status,                         regarding whether the exclusion applied
                                            development of new entities, we also                    subsequently to seek a new listing as a               to self-insured providers or malpractice
                                            expect that existing entities will be able              PSO. To ensure that the Secretary would               liability insurers and whether health
                                            to expand their current patient safety                  be able to take into account the history              systems that include a subsidiary that is
                                            improvement efforts if they seek listing                of such entities, we proposed such                    a health insurance issuer could establish
                                            and are able to offer the confidentiality               entities submit this information with                 a component PSO.
                                            and privilege protections provided by                   their certifications for listing.                        We received a significant level of
                                            the Patient Safety Act. While we have                      Overview of Public Comments: The                   comment regarding our proposed
                                            not done a 10-year cost estimate, our                   Department received generally favorable               restriction on listing of regulatory
                                            regulatory impact statement at the end                  comments on our proposal to adopt a                   oversight bodies. While the majority of
                                            of the preamble projects net savings of                 streamlined attestation-based approach                commenters supported the proposed
                                            $76 to $92 million in 2012, depending                   to initial listing of PSOs. A number of               exclusion, some commenters took issue
                                            upon whether the net present value                      commenters expressed concern about                    with various aspects of our proposal.
                                            discount rate is estimated at 7% or 3%.                 our attestation-based approach,                          Commenters engaged in accreditation
                                                                                                    however, arguing for a more in-depth                  activities generally criticized our
                                            (A) Section 3.102(a)—Eligibility and                                                                          characterization of these activities as
                                                                                                    assessment to ensure that an entity had
                                            Process for Listing                                                                                           regulatory. They pointed out that the
                                                                                                    the capability to carry out its statutory
                                               Proposed Rule: Section 3.102(a) of the               and regulatory responsibilities and meet              proposed rule did not take into account
                                            proposed rule would have provided                       the patient safety objectives of the                  the distinction between voluntary and
                                            that, with several exceptions discussed                 statute. Some believed that the private               mandatory accreditation and, in their
                                            below, any entity—public or private,                    marketplace is not necessarily well-                  view, most accreditation was voluntary.
                                            for-profit or not-for profit—that can                   equipped to judge which organizations                 They also noted that accreditation
                                            meet the statutory and regulatory                       can most effectively meet these                       activities were initially developed to
                                            requirements may seek initial or                        requirements. Arguing that one                        ensure the quality and safety of patient
                                            continued listing by the Secretary as a                 misguided or fraudulent organization                  care and that accreditation entities,
                                            PSO. The Department proposed to                         could taint the entire enterprise for                 unlike licensure agencies, have greater
                                            establish a streamlined certification                   years, a few commenters suggested that                discretion in addressing any problems
                                            process for entities seeking initial or                 we require interested organizations at                that they identify with a provider’s
                                            continued listing that relied upon                      initial listing to submit documentation               operations in a non-punitive way. For
                                            attestations that the entities met                      of their ability to meet their statutory              these commenters, accreditation
                                            statutory and regulatory requirements.                  and regulatory responsibilities.                      activities were not inconsistent with
                                            To foster informed provider choice,                        Most commenters who urged a                        fostering a ‘‘culture of safety.’’ By
                                            entities were encouraged, but would not                 stronger approach to the evaluation of                contrast, most provider comments
                                            be required, to post narratives on their                certifications for listing acknowledged               supported the exclusion, and singled
                                            respective Web sites that explained how                 the value of an expedited process for                 out accreditation entities as warranting
                                            each entity intended to comply with                     initial listing and instead focused their             exclusion.
                                            these requirements and carry out its                    recommendations on the importance of                     State health departments and state-
                                            mission.                                                creating a more rigorous process for                  created entities expressed concern about
                                               The proposed rule incorporated a                     continued listing. A common                           an outright prohibition on their being
dwashington3 on PRODPC61 with RULES3

                                            statutory prohibition that precludes a                  recommendation was to require, in                     listed as PSOs, noting that the
                                            health insurance issuer and a                           addition to the proposed certifications               prohibition could disrupt effective
                                            component of a health insurance issuer                  for continued listing, that a PSO be                  patient safety initiatives now underway.
                                            from becoming a PSO. The Department                     required to submit documentation that                 A number of specific state-sanctioned
                                            also proposed to exclude any entity,                    described in detail how it is complying               patient safety initiatives were described
                                            public or private, that conducts                        with the requirements underlying its                  in their submissions. Commenters

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00017   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70748            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            pointed to the fact that state health                   argued that a broader exclusion could                 will post on their websites, or otherwise
                                            departments have both regulatory and                    both disrupt existing, effective public               advertise, the names and qualifications
                                            non-regulatory elements to their                        sector patient safety initiatives and                 of their top staff experts and
                                            authority, have routinely demonstrated                  preclude opportunities for the public                 consultants. Their Web site locations
                                            that they can effectively keep these                    sector to play a meaningful role.                     will be on the AHRQ PSO Web site.
                                            elements separate, and thus, they saw                      Many commenters that opposed                          Similarly, documentation can
                                            no reason for the Department to doubt                   extending the exclusion to component                  demonstrate that a PSO has provided
                                            that state agencies could continue to do                organizations nevertheless suggested                  feedback to participants in a provider’s
                                            so effectively if they were permitted to                additional restrictions to strengthen the             patient safety evaluation system and
                                            operate PSOs.                                           separation of activities between                      thereby met the statutory requirement.
                                               Other commenters suggested                           component PSOs and these types of                     But the most relevant questions are
                                            extending the prohibition to other types                parent organizations. Their suggestions               whether the feedback reflected a valid
                                            of entities (such as purchasers of health               are discussed below with respect to                   analysis of the provider’s patient safety
                                            care or agents of regulatory entities) and              § 3.102(c).                                           work product and existing scientific
                                            raised questions regarding the scope of                    Final Rule: The Department                         knowledge, and whether the feedback
                                            the exclusion.                                          considered whether to modify the                      was framed in ways that made it
                                               We received a significant number of                  attestation process either for initial or             understandable, ‘‘actionable,’’ and
                                            comments in response to a specific                      continued listing of PSOs or both but                 appropriate to the nature of the
                                            question raised in the proposed rule                    ultimately concluded that streamlined                 provider’s operation. The answers to
                                            whether the exclusion of regulatory                     attestations should be retained for both.             these questions cannot be assessed by
                                            entities should be extended to                          Given the voluntary, unfunded nature of               the Department readily through the
                                            components of such organizations.                       this initiative and the centrality of the             listing process.
                                            Commenters that supported extension of                  client-consultant paradigm of provider-                  As a result, in many cases, the
                                            the prohibition generally argued that the               PSO relationships, an approach that                   provider-client, rather than the
                                            firewalls that the statute requires a                   requires documentation and routine                    Department, will be better able to
                                            component PSO to maintain between                       audits is likely to be costly and                     determine whether the outcomes of a
                                            itself and its parent organization(s)                   burdensome, both to entities seeking                  PSO’s conduct of patient safety
                                            could be circumvented, that the                         listing and the Department. More                      activities meet its needs in a meaningful
                                            flexibility in the proposed rule to enable              importantly, such an approach is                      way. The Department believes that
                                            a component PSO to draw upon the                        unlikely to achieve its intended                      providers, especially institutional
                                            expertise of its parent organization(s)                 objective, for the reasons discussed                  providers, will have access to the
                                            would be inappropriate in this situation,               below.                                                expertise to make them especially
                                            and there was a significant possibility                    There are limitations of a                         sophisticated customers for PSO
                                            that such a parent organization could                   documentation approach to ensuring the                services. Providers are likely to assess
                                            use its position of authority to attempt                capabilities and compliance of PSOs                   very carefully the capabilities of a PSO
                                            to coerce providers into reporting                      with the requirements for listing, and                and will be in a position to request
                                            patient safety work product to its                      such an approach is unlikely to yield                 appropriate documentation, if
                                            component PSO.                                          the types of information that providers               necessary, to assess a PSO’s ability to
                                               A majority of commenters, however,                   will need in selecting a PSO. Consider,               meet their specific requirements.
                                            opposed expanding the exclusion to                      for example, two of these requirements:               Therefore, the Department does not see
                                            components of such regulatory                           the criterion that requires that a PSO                a compelling public policy rationale for
                                            organizations. They contend that the                    have qualified staff, including licensed              substituting its judgment for that of a
                                            statutorily required separations between                or certified medical professionals, and               provider. Providers can demand
                                            a component PSO and its parent                          the patient safety activity that requires             references and evidence of relevant
                                            organization(s) would provide adequate                  the provision of feedback to participants             accomplishments, and effectively
                                            protection against improper access and                  in a (provider’s) patient safety                      evaluate the adequacy and suitability of
                                            adverse use of confidential patient                     evaluation system. Documentation,                     a PSO’s expertise and experience. In
                                            safety work product by the excluded                     through submission of resumes or                      summary, a listing process that imposes
                                            entities with which such a component                    summaries of the credentials of                       documentation and audit requirements
                                            PSO is affiliated. A number of                          professional staff, can demonstrate that              on each PSO will impose a significant
                                            commenters noted that an expansion of                   the PSO meets the statutory                           burden on all parties, but yield only
                                            the exclusion to components of such                     requirement. What each provider really                marginally useful information to
                                            entities would have unintended                          needs to assess, however, is whether the              prospective clients.
                                            consequences. For example, an                           skill sets of the professional staff                     Accordingly, we believe the approach
                                            increasing number of medical specialty                  employed by or under contract to the                  outlined in the proposed rule offers a
                                            societies operate, or are in the process                PSO are an appropriate match for the                  more efficient and effective approach.
                                            of developing, accreditation programs                   specific tasks that led the provider to               The approach does include authority for
                                            for their members in response to                        seek a PSO’s assistance. Depending                    spot-checking compliance outlined in
                                            growing public and private sector                       upon the analytic tasks, a provider may               § 3.110, responding to complaints or
                                            pressure for quality improvement. These                 need expertise that is setting-specific,              concerns, and enabling the Secretary, in
                                            organizations see the creation of                       e.g., nursing homes versus acute care                 making listing decisions (see § 3.104(b)),
                                            specialty-specific component PSOs as                    settings, technology-specific, specialty-             to take into consideration the history of
                                            an important complement to their other                  specific, or, may require expertise                   an entity and its key officials and senior
dwashington3 on PRODPC61 with RULES3

                                            quality improvement activities.                         outside the traditional scope of health               managers. This approach will be
                                            Similarly, some commenters contend                      care. Thus, there is not a single template            buttressed with a program of technical
                                            that widespread patient safety                          against which the expertise of a PSO’s                assistance for PSOs administered by
                                            improvements require coordination and                   professional staff can be judged. In                  AHRQ. In addition, the final rule
                                            communication across the public and                     addition, we anticipate that PSOs                     incorporates a new expedited revocation
                                            private sectors. These commenters                       seeking additional clients (providers)                process that can be used when the

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00018   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                        70749

                                            Secretary determines that there would                   owned, managed, or controlled by a                    activities as examples of regulatory
                                            be serious adverse consequences if a                    health insurance issuer. New                          activities.
                                            PSO were to remain listed. False                        subparagraph (ii) modifies and restates                  Similarly, we have retained the broad
                                            statements contained in a PSO’s                         the exclusion from listing of any entity              exclusion from listing of regulatory
                                            submitted certifications can result in a                that: (1) Accredits or licenses health                entities, by which we mean public or
                                            loss of listing or other possible penalties             care providers; (2) oversees or enforces              private entities that oversee or enforce
                                            under other laws.                                       statutory or regulatory requirements                  statutory or regulatory requirements
                                               For convenience and clarity, we have                 governing the delivery of health care                 governing the delivery of health care
                                            restructured § 3.102(a)(1) to provide a                 services; (3) acts as an agent of a                   services. Their defining characteristic is
                                            unified list of the certifications and                  regulatory entity by assisting in the                 that these entities have the authority to
                                            information that an entity must submit                  conduct of that entity’s oversight or                 discipline institutional or individual
                                            for listing as a PSO. Sections                          enforcement responsibilities vis-a-vis                providers for the failure to comply with
                                            3.102(a)(1)(i) through 3.102(a)(1)(vii) set             the delivery of health care services; or              statutory or regulatory requirements, by
                                            forth and cross-reference the                           (4) operates a Federal, State, local or               withholding, limiting, or revoking
                                            requirements of the final rule. Two of                  Tribal patient safety reporting system to             authority to deliver health care services,
                                            these requirements are new. Section                     which health care providers (other than               by denying payment for such services,
                                            3.102(a)(1)(iv) cross-references the                    members of the entity’s workforce or                  or through fines or other sanctions.
                                            additional requirements in                              health care providers holding privileges                 We consider entities with a mix of
                                            § 3.102(c)(1)(ii) that components of                    with the entity) are required to report               regulatory and non-regulatory authority
                                            entities that are excluded from listing                 information by law or regulation.                     and activities also to be appropriately
                                            must meet in order for such components                     In reviewing the comments on the                   excluded from being listed. We
                                            to be listed. Section 3.102(a)(1)(v)                                                                          acknowledge that health departments
                                                                                                    proposed regulatory exclusion, we did
                                            incorporates our proposal, for which                                                                          and other entities with regulatory
                                                                                                    not find the arguments for narrowing
                                            comments were supportive, to require                                                                          authority may undertake a mix of
                                                                                                    the prohibition compelling. Almost
                                            disclosure to the Secretary if the entity                                                                     regulatory and non-regulatory functions.
                                                                                                    every provider group expressed concern
                                            seeking listing (under its current name                                                                       It may also be true, as several comments
                                                                                                    regarding the possible operation of PSOs
                                            or another) has ever been denied listing                                                                      reflected, that state health departments
                                                                                                    by entities that accredit or license
                                            or delisted or if the officials or senior                                                                     have experience, and a track record, for
                                                                                                    providers as well as possible operation
                                            managers of the entity now seeking                                                                            maintaining information separately and
                                                                                                    of PSOs by regulatory entities. We share
                                            listing have held comparable positions                                                                        securely from the regulatory portions of
                                                                                                    their concerns that entities with the
                                            in a PSO that the Secretary delisted or                                                                       their operations when necessary.
                                                                                                    potential to compel or penalize provider              However, we note that the final rule
                                            refused to list.
                                               We have not adopted                                  behavior cannot create the ‘‘culture of               retains the proposed approach not to
                                            recommendations that we require                         safety’’ (which emphasizes                            regulate uses of patient safety work
                                            explanations for the historical situations              communication and cooperation rather                  product within a PSO. However, the
                                            encompassed by § 3.102(a)(1)(v).                        than a culture of blame and                           final rule retains the ability of a state
                                            Instead, we require that the name(s) of                 punishment) that is envisioned by the                 health department to establish a
                                            any delisted PSO or of any entity that                  statute.                                              component organization that could seek
                                            was denied listing be included with the                    We also concluded that it is difficult             listing as a PSO, subject to the
                                            certifications. The Department can then                 to draw a ‘‘bright-line’’ distinction                 additional restrictions discussed in
                                            search its records for background                       between voluntary and mandatory                       § 3.102(c) below. The benefit of this
                                            information. In response to concerns                    accreditation as several of the                       approach is that providers will have the
                                            regarding public disclosure of the names                commenters from accreditation                         reassurance that the penalties under the
                                            of the officials or senior managers that                organizations proposed. While most                    Patient Safety Act and the final rule will
                                            would trigger the notification                          accreditation is technically voluntary                apply to any impermissible disclosures
                                            requirement, we do not require                          from the standpoint of many                           of patient safety work product from
                                            submission of the names of the                          accreditation entities, its mandatory                 such a PSO to the rest of the state health
                                            individuals with the certifications. With               aspect generally derives from                         department.
                                            respect to the workforce of the entity,                 requirements established by, or its use                  We have not included the proposal of
                                            we note that we have narrowed the                       by, other entities such as payers. Thus,              several commenters to exclude
                                            requirement in two ways. First, we have                 if we were to incorporate such a                      purchasers of health care from becoming
                                            narrowed the focus from ‘‘any’’                         distinction that permitted the listing of             PSOs. Commenters did not suggest a
                                            employee to officials and senior                        organizations that provide voluntary                  compelling public policy case for the
                                            managers. Second, the requirement to                    accreditation today, its voluntary nature             exclusion of any particular type of
                                            disclose only applies when officials or                 could disappear over time if other                    purchasers. Given the vagueness and
                                            senior managers of the entity seeking                   organizations mandated use of its                     potential scope of such a prohibition,
                                            listing also held comparable positions of               accreditation services. Thus, a listed                the potential for unintended
                                            responsibility in the entity that was                   PSO might need to be delisted at some                 consequences is simply too great to
                                            delisted or refused listing.                            point in the future solely because of the             warrant its inclusion. For example,
                                               Restructured § 3.102(a)(2) retains the               actions of a third party mandating that               health care institutions in their role as
                                            statutory exclusion from listing of                     organization’s accreditation as a                     employers can also be considered
                                            health insurance issuers and                            requirement. Therefore, we have                       purchasers of health care.
                                            components of health insurance issuers                  retained the prohibition on                              We have incorporated two additional
dwashington3 on PRODPC61 with RULES3

                                            in subparagraph (i). For greater clarity,               accreditation and licensure entities and              exclusions. First, based upon
                                            we have restated the exclusion to reflect               have not incorporated any distinctions                recommendation from commenters, we
                                            the rule’s definition of component so it                regarding voluntary versus mandatory                  exclude from listing entities that serve
                                            now references: a health insurance                      accreditation in the final rule. We have              as the agents of a regulatory entity, e.g.
                                            issuer; a unit or division of a health                  reformulated the exclusion and no                     by conducting site visits or
                                            insurance issuer; or an entity that is                  longer include accreditation or licensure             investigations for the regulatory entity.

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00019   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70750            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            While we understand that such agents                    PSO’s three-year period of listing. This                 Response: While we expect customer
                                            generally do not take action directly                   requirement derives from our concern                  satisfaction evaluations of PSOs will
                                            against providers, their findings or                    for protecting providers if a PSO decides             develop naturally in the private sector,
                                            recommendations serve as the basis for                  not to seek continued listing and simply              the Department has not incorporated
                                            potential punitive actions against                      lets its certifications expire at the end of          this recommendation in the listing
                                            providers. As a result, we believe that                 a three-year period of listing. To                    process. If a provider or any individual
                                            the rationale we outlined in the                        preclude an inadvertent lapse, the                    believes that a PSO’s performance is not
                                            proposed rule regarding the exclusion of                proposed rule included a provision to                 in compliance with the requirements of
                                            regulatory bodies is also applicable to                 send PSOs a notice of imminent                        the rule, this concern can be
                                            agents of regulatory entities helping to                expiration shortly before the end of its              communicated to AHRQ at any time.
                                            carry out these regulatory functions.                   period of listing and sought comment on               Improper disclosures may also be
                                               Second, as we considered comments                    posting that notice publicly so that                  reported to the Office for Civil Rights in
                                            seeking clarification on the eligibility of             providers reporting patient safety work               accordance with Subpart D.
                                            entities that operate certain mandatory                 product could take appropriate action.                Incorporation of a public consultation
                                            or voluntary patient safety reporting                   Section 3.104(e)(2) states that the                   process poses a number of
                                            systems to seek listing as PSOs, we                     Secretary will send a notice of imminent              implementation issues. For example, it
                                            concluded that mandatory systems, to                    expiration to a PSO at least 60 days                  could potentially delay a time sensitive
                                            which some or all health care providers                 before its last day of listing if                     Secretarial determination regarding
                                            are required by law or regulation to                    certifications for continued listing have             continued listing (which must be made
                                            report patient safety information to a                  not been received. However, the failure               before expiration of a PSO’s current
                                            designated entity, were inconsistent                    of the Secretary to send this notice does             period of listing) and could require the
                                            with the voluntary nature of the                        not relieve the PSO of its                            Department to assess the validity of
                                            activities which the Patient Safety Act                 responsibilities regarding continued                  each specific complaint, e.g., the extent
                                            sought to foster. However, this                         listing. The requirement to submit                    to which dissatisfaction with an
                                            exclusion does not apply to mandatory                   certifications 75 days in advance is                  analysis reflects the competence with
                                            reporting systems operated by Federal,                  intended to ensure that such a notice is              which it was performed or a lack of
                                            State, local or Tribal entities if the                  not sent or publicly posted until after               precision in the assignment to the PSO.
                                            reporting requirements only affect their                the submissions are expected by the                      Comment: One commenter suggested
                                            own workforce as defined in § 3.20 and                  Department.                                           that state-sanctioned patient safety
                                            health care providers holding privileges                                                                      organizations should be deemed to meet
                                            with the entity. The exception is                       Response to Other Public Comments                     the requirements for listing.
                                            intended to apply to Federal, State, local                 Comment: One commenter urged the                      Response: The Department does not
                                            or Tribal health care facilities in which               Secretary not to require organizations to             believe that the Patient Safety Act gives
                                            the reporting requirement applies only                  have specific infrastructure and                      the Secretary authority to delegate
                                            to its workforce and health care                        technology in place before they could be              listing decisions to states. Moreover, the
                                            providers holding privileges with the                   listed.                                               statute establishes the requirements that
                                            facility or health care system. This                       Response: The Department has not                   an entity must meet for listing as a PSO;
                                            exception ensures that, with respect to                 proposed any specific infrastructure or               automatically deeming state-sanctioned
                                            eligibility for listing as a PSO, entities              technology requirements. However, the                 organizations to be PSOs would
                                            that administer an internal patient                     statute and the final rule require a PSO              inappropriately override federal
                                            safety reporting system within a public                 at initial listing to certify that it has             statutory requirements and mandate the
                                            or private section health care facility or              policies and procedures in place to                   Secretary to list PSOs that may not be
                                            health care system are treated                          ensure the security of patient safety                 in compliance with all the statutory
                                            comparably under the rule and would                     work product. The final rule requires                 requirements. Accordingly, the final
                                            be eligible to seek listing as a PSO.                   that those policies and procedures be                 rule does not include such a provision.
                                               The final rule retains the ability of                consistent with the framework                            Comment: Several commenters asked
                                            components of the four categories of                    established by § 3.106. The Department                if the exclusion on health insurance
                                            excluded entities in § 3.102(a)(2)(ii) to               interprets the statute to require a listed            issuers precludes a self-insured entity
                                            seek listing as a component PSO. After                  PSO to be able to provide security for                from seeking listing.
                                            careful review, the Department                          patient safety work product during its                   Response: The Department has
                                            concluded that there was a significant                  entire period of listing, which includes              examined this issue and concluded that
                                            degree of congruence in the concerns                    its first day of listing.                             the exclusion of health insurance
                                            expressed by both proponents and                           Comment: Two commenters agreed                     issuers does not apply to self-insured
                                            opponents of extending the exclusion to                 that PSOs should be encouraged, but not               organizations that provide health benefit
                                            such components. The opponents of                       required, to post on their Web sites                  plans to their employees. The statutory
                                            extending the exclusion routinely                       narrative statements regarding their                  exclusion contained in section
                                            suggested that the Department address                   capabilities.                                         924(b)(1)(D) of the Public Health Service
                                            their core concerns by adopting                            Response: The Department continues                 Act incorporates by reference the
                                            additional protections, rather than the                 to encourage PSOs to develop and post                 definition of health insurance issuer in
                                            blunt tool of a broader exclusion. We                   such narrative statements.                            section 2971 of the Public Health
                                            have adopted this approach, and we                         Comment: One commenter suggested                   Service Act and that definition
                                            have incorporated in § 3.102(c)                         that the listing process should include               explicitly excludes health benefit plans
                                            additional requirements and limitations                 an opportunity for the Secretary to                   that a health care provider organization
dwashington3 on PRODPC61 with RULES3

                                            for components of excluded entities.                    receive public comment before making                  offers to its employees.
                                               In addition, we have incorporated a                  a listing decision, especially in the case               Comment: Several commenters
                                            new requirement in § 3.102(a)(3) that                   of continued listing, when providers                  inquired whether organizations that
                                            submissions for continued listing must                  may want to share their experiences                   provide professional liability insurance
                                            be received by the Secretary no later                   with the Secretary regarding a specific               coverage (also referred to as medical
                                            than 75 days before the expiration of a                 PSO.                                                  liability insurance or malpractice

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00020   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                         70751

                                            liability insurance) for health care                    from having both a health insurance                   failure to make legally required reports
                                            providers are covered by the health                     issuer subsidiary and a component PSO.                can potentially result in a loss of
                                            insurance issuer exclusion. The                            Comment: Several commenters raised                 individual or institutional licensure and
                                            commenters uniformly argued that the                    questions from different perspectives                 the ability to practice or deliver health
                                            exclusion should not apply. Several                     regarding situations in which providers               care services. Accordingly, we have
                                            commenters noted their intent to have                   might be required to report data to a                 added to the list of entities excluded
                                            their ‘‘captive’’ liability insurer seek                PSO. Some commenters suggested that                   from listing in § 3.102(b)(2)(ii) entities
                                            listing as a PSO. Another commenter                     the final rule should prohibit a facility             that administer such mandatory patient
                                            sought assurances that if a captive                     or health care delivery system from                   safety reporting systems.
                                            liability insurer sought listing as a PSO,              requiring individual clinicians (who are                 A voluntary Federal, state, local, or
                                            the PSO would not be considered a                       employed, under contract, or have                     Tribal patient safety reporting system
                                            component of the provider                               privileges at the facility or within the              can seek listing as a PSO. This means
                                            organizations that owned the liability                  system) to report data to a specific PSO.             that the entity administering the
                                            insurer.                                                Others raised questions regarding the                 reporting system does not have statutory
                                               Response: The Department notes that                  eligibility for listing of existing Federal,          or regulatory authority to require
                                            there is some ambiguity in the statutory                state, local or Tribal patient safety                 providers to submit data to the
                                            language but concludes that the health                  reporting systems that are administered               administering organization, and that
                                            insurance issuer exclusion does not                     by an entity without regulatory                       organization is not required by statute or
                                            apply to such organizations.                            authority.                                            regulation to make the collected
                                               While the health insurance issuer                       Response: While the Patient Safety                 identifiable data available in ways that
                                            exclusion does not apply, the                           Act does not require any provider to                  would be incompatible with the
                                            Department notes that the statute and                   report data to a PSO, the statute is silent           limitations on disclosure discussed in
                                            the final rule require that an entity                   on whether others (such as institutional              Subpart C.
                                            seeking listing must attest that its                    providers or other public entities) can                  Comment: Two commenters
                                            mission and primary activity is the                     impose such requirements on providers.                addressed the issue of whether Quality
                                            improvement of patient safety. That test                The Department makes a distinction                    Improvement Organizations (QIOs),
                                            is readily met when an organization,                    based upon the source of reporting                    which are organizations that have
                                            such as a captive liability insurer,                    requirements and the extent to which                  contracts with Medicare and often with
                                            creates a component organization since                  the requirement can be viewed as                      other payers or purchasers to review
                                            the creation of a distinct new entity can               consistent with the statutory goal of                 compliance with regulatory or
                                            be established in a manner that clearly                 fostering a ‘‘culture of safety.’’ Thus, the          contractual requirements and make
                                            addresses and meets the ‘‘primary                       Department has declined to include in                 reports that may adversely impact
                                            activity’’ criterion. The Department has                the final rule any restriction on the                 providers financially, can seek listing as
                                            the authority to review all applications,               ability of a multi-facility health care               PSOs.
                                            including those from organizations with                 system to require its facilities to report               Response: QIOs are precluded from
                                            multiple activities, and to look behind                 to a designated PSO or of a provider                  seeking listing as PSOs. The final rule
                                            the attestations to determine whether                   practice, facility, or health care system             precludes agents of a regulatory entity
                                            the applicant meets the ‘‘primary                       to require reporting data to a designated             from seeking listing and QIOs serve as
                                            activity’’ criterion.                                   PSO by those providing health care                    agents of Medicare. Some QIOs also
                                               We note that a captive entity meets                  services under its aegis, whether as                  serve in similar capacities as agents of
                                            the definition of a component                           employees, contractors, or providers                  state regulatory bodies. As noted above,
                                            organization in this rule. Therefore, if                who have been granted privileges to                   an agent of a regulator may create a
                                            the captive organization is eligible for                practice. A patient safety event                      component organization that would be
                                            listing because it meets the ‘‘primary                  reporting requirement as a condition of               eligible to seek listing as a PSO,
                                            activity’’ criterion, it must seek listing as           employment or practice can be                         provided such a component
                                            a component organization and clearly                    consistent with the statutory goal of                 organization meets the additional
                                            would be subject to the requirements on                 encouraging institutional or                          requirements of § 3.102(c)(1)(ii).
                                            component PSOs. If the captive                          organizational providers to develop a                    Comment: Several commenters asked
                                            organization does not meet the primary                  protected confidential sphere for                     if the proposed exclusions of entities
                                            activity criterion for listing, it is free to           examination of patient safety issues.                 applied to State Boards of Health,
                                            create a component organization to seek                 While an employer may require its                     programs offering providers
                                            listing. Once again, however, the                       providers to make reports through its                 certifications, and physician specialty
                                            additional requirements for a                           patient safety evaluation system, section             boards.
                                            component PSO apply.                                    922(e)(1)(B) prohibits an employer from                  Response: With respect to State
                                               Comment: Several commenters asked                    taking an adverse employment action                   Boards of Health, there are two issues
                                            whether the health insurance issuer                     against an individual based upon the                  regarding their potential ineligibility for
                                            exclusion prevents a health system that                 individual’s reporting information in                 becoming PSOs. The first, raised by the
                                            has subsidiaries that include providers                 good faith directly to a PSO.                         commenter, is whether these boards can
                                            and a health insurance issuer, from                        By contrast, the Department views                  be considered regulatory entities and in
                                            establishing a component organization                   mandatory reporting requirements that                 most cases they would be. While State
                                            to seek listing as a PSO.                               are applicable to providers that are not              Boards of Health provide leadership and
                                               Response: As described by several                    workforce members and that are based                  policy coordination for state health
                                            commenters, the PSO and the health                      in law or regulation, regardless of                   policies, they generally have the power
dwashington3 on PRODPC61 with RULES3

                                            insurance issuer would be affiliates in a               whether the specific data collected by                to oversee, enforce or administer
                                            ‘‘brother-sister’’ relationship within the              these systems is anonymous or                         regulations governing the delivery of
                                            parent organization. As long as the                     identifiable, as incompatible with the                health care services and would,
                                            health insurance issuer does not have                   intent of the Patient Safety Act to foster            therefore, be ineligible to be listed as a
                                            the authority to control or manage the                  voluntary patient safety reporting                    PSO. The second issue is whether such
                                            PSO, the health system is not precluded                 activities. In these situations, provider             a board with its multiple

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00021   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70752            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            responsibilities could attest that the                  or security breaches occur, with respect              had additional concerns, they could
                                            conduct of activities to improve patient                to the provider’s patient safety work                 address them contractually. It was also
                                            safety and health care quality is its                   product.                                              suggested that the preamble to the final
                                            primary activity.                                          A PSO would meet the minimum                       rule should carefully describe a PSO’s
                                               With respect to entities that offer                  contract requirement under the                        obligations when the HIPAA Privacy
                                            certifications, physician specialty                     proposed rule with two contracts, each                and Security Rules apply and the
                                            boards, or similar activities, we would                 with a different provider, at some point              requirements to report impermissible
                                            use a fact-based approach that assesses                 during a PSO’s sequential 24-month                    disclosures even when protected health
                                            the activities in light of the exclusions               periods of listing. The proposed rule                 information is not involved.
                                            in the rule at § 3.102(a)(2)(ii).                       sought comment on how to interpret the                   With respect to the statutory
                                               Comment: One commenter questioned                    requirement that the required contracts               requirement for contracts with more
                                            whether the proposed requirement that                   must be ‘‘for a reasonable period of                  than one provider, several commenters
                                            a PSO notify the Secretary if it can no                 time,’’ asking whether the final rule                 proposed that one contract with
                                            longer meet the requirements for listing                should use a standard that was time-                  multiple providers should be deemed to
                                            essentially meant that the PSO was                      based, task-based, or include both                    meet the statutory requirement. These
                                            admitting a deficiency.                                 options.                                              commenters often argued that it was
                                               Response: We expect this requirement                    The proposed rule noted that PSOs                  inefficient to require a PSO to enter
                                            to operate prospectively so that the                    are required by the statute, to the extent            multiple contracts when the statutory
                                            Secretary can evaluate whether the                      practical and appropriate, to collect                 intent of collecting data from multiple
                                            changed circumstances may still be                      patient safety work product from                      providers could be met through a single
                                            cured. While it is possible that this                   providers in a standardized manner that               contract. Several commenters alleged
                                            requirement in some situations would                    permits valid comparisons of similar                  that the proposed rule did not interpret
                                            be the equivalent of a PSO admitting a                  cases among similar providers. We                     the requirement that contracts be
                                            current, rather than prospective                        stated that we were considering                       entered with ‘‘different providers’’ and
                                            deficiency, we note two aspects of the                  including in the final rule, and sought               sought clarification in the final rule.
                                            process outlined here. First, the                       comment on, a clarification that                         The vast majority of commenters
                                            correction of deficiencies is not a                     compliance would mean that a PSO, to                  opposed including any standard in the
                                            punitive process. Second, the obligation                the extent practical and appropriate,                 final rule for determining when one of
                                            to inform the Secretary of changes is a                 will collect patient safety work product              the required contracts was ‘‘for a
                                            companion element to the Department’s                   consistent with guidance that the                     reasonable period of time.’’ Many
                                            approach in listing entities based upon                 Secretary is developing regarding                     argued that this decision should be left
                                            attestations.                                           reporting formats and common                          to the marketplace, permitting providers
                                            (B) Section 3.102(b)—Fifteen General                    definitions when the guidance becomes                 and PSOs to enter customized
                                            PSO Certification Requirements                          available. We also sought comment on                  arrangements. A few commenters
                                                                                                    the process for the development of                    supported incorporation of a time-based
                                               Proposed Rule: Section 3.102(b) of the               common formats and definitions.                       standard, ranging from 3–12 months.
                                            proposed rule incorporated the 15                          Overview of Public Comment: Most of                One commenter recommended
                                            requirements specified in the Patient                   the comments we received on this                      incorporating both time-based and task-
                                            Safety Act that every entity must meet                  subsection focused on the contract                    based standards.
                                            for listing as a PSO. These 15                          requirement and the specific questions                   In response to our specific request for
                                            requirements are comprised of eight                     posed by the proposed rule. Nearly all                comment on whether the final rule
                                            patient safety activities and seven other               of the commenters who addressed the                   should reference the Secretary’s
                                            criteria. At initial listing, an entity                 issue supported the inclusion in the                  guidance on common formats and
                                            would certify that it has policies and                  final rule of a requirement that PSOs                 definitions, the vast preponderance of
                                            procedures in place to perform the eight                must notify a provider if the work                    comments were supportive, with many
                                            specified patient safety activities and,                product submitted by the provider was                 detailing reasons why use of common
                                            upon listing, would comply with the                     inappropriately disclosed or its security             formats was important. Several
                                            seven other criteria during its period of               was breached. Those favoring the                      organizations offered caveats to their
                                            listing. At continued listing, the PSO                  inclusion of the requirement cited                    support, such as concern that the
                                            would certify that it has performed                     concern about the sensitivity of patient              development of Secretarial guidance
                                            during its period of listing, and would                 safety work product and the importance                might slow the process and may further
                                            continue to perform, all eight patient                  of ensuring that providers know if the                interfere with innovation. Many
                                            safety activities and that, it has                      PSO to which they reported data was                   organizations offered suggestions to the
                                            complied with, and would continue to                    living up to its obligations to protect the           Department such as: Allowing private
                                            comply with, the seven other statutory                  security and confidentiality of their                 sector feedback; harmonizing with other
                                            criteria during its next period of listing.             data. They noted that the HIPAA                       data reporting requirements; allowing
                                               We proposed to define the                            Privacy and Security Rules will not                   collection of data in addition to the
                                            confidentiality and security                            always be applicable: That some                       common formats, particularly for use at
                                            requirements that are part of the patient               providers will not be considered                      the local level; and allowing time to
                                            safety activities that PSOs must carry                  covered entities and identifiable patient             phase in use of common formats.
                                            out as requiring compliance with the                    safety work product may not always                       Virtually all comments were
                                            confidentiality provisions of Subpart C                 contain protected health information.                 supportive of the process by which the
                                            and the security measures required by                      Those opposed to the requirement                   Department was developing guidance
dwashington3 on PRODPC61 with RULES3

                                            § 3.106. We did not propose that, but                   argued that most patient safety work                  on common formats. Many commenters
                                            sought comment on whether the final                     product will contain protected health                 suggested steps that they wished the
                                            rule should include a requirement that                  information and providers reporting to a              Department to take such as: Greater or
                                            a PSO inform any provider from which                    PSO are likely to be covered entities.                earlier involvement of the private sector;
                                            it received patient safety work product                 Thus, the HIPAA Privacy Rule will                     transparency in the process; acceptance
                                            if there are impermissible disclosures of,              cover most situations and, if providers               of comments from outside government;

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00022   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                        70753

                                            and use of evidence from existing                       contracts’’ with different providers; we              and would be expected to be in
                                            reporting systems. The process we                       have deleted the words ‘‘entered into.’’              compliance with all eight patient safety
                                            outlined for private sector consultation                Our intent in the proposed rule text was              activities during its entire period of
                                            was viewed positively. We received                      to encourage PSOs to enter long-term                  listing.
                                            several comments and                                    contracts with providers by enabling a                   In response to commenters who
                                            recommendations related to this process                 multi-year contract to be counted                     sought clarification on what is meant by
                                            that were outside the scope of the rule                 toward the two contract minimum in                    compliance with the two-contract
                                            and, therefore, are not addressed below.                each of the 24-month periods during                   requirement, we reaffirm that the
                                               Final Rule: For convenience and                      which the contract was in effect. By                  statutory requirement is clear. There
                                            clarity, we have modified the text in the               deleting the words ‘‘entered into,’’ the              must be two written contracts; a single
                                            final rule to separate initial and                      text of the final rule more clearly                   contract with multiple providers can
                                            continued listing within § 3.102(b)(1),                 reflects our original intent.                         only be counted as one contract. We
                                            which states the required certifications                   We also provide clarification here,                interpret the requirement that the
                                            for the eight patient safety activities and             which we did not consider necessary to                contracts must be with ‘‘different’’
                                            within § 3.102(b)(2), which states the                  include in the rule text, regarding the               providers straight-forwardly. The only
                                            required certifications for the seven PSO               obligations of a PSO. The certifications              requirement is that the bona fide
                                            criteria. This modification does not                    for initial listing regarding patient safety          contracts must be with individuals or
                                            reflect a substantive change.                           activities track the statute and require a            institutions that are providers as defined
                                               We have incorporated in                              PSO to have policies and procedures in                in the rule. We have imposed no other
                                            § 3.102(b)(1)(B) of the final rule one                  place to perform patient safety                       requirements; the contracts can be with
                                            additional requirement, posed as a                      activities. At continued listing, PSOs                an institutional provider and an
                                            question in the proposed rule and                       will be expected to have performed all                individual clinician, or with two
                                            strongly supported by commenters, that                  eight patient safety activities. Some of              entities within the same or different
                                            a PSO must inform the provider from                     the required patient safety activities                system(s).
                                            which it received patient safety work                   must be performed at all times, such as                  After careful consideration of the
                                            product if the work product submitted                   utilizing qualified staff, having effective           comments we received, the Department
                                            by that provider is inappropriately                     policies and systems to protect the                   has concluded that we will not
                                            disclosed or its security is breached.                  security and confidentiality of patient               incorporate an interpretation of the term
                                            The Department recognizes that in                       safety work product when the PSO                      ‘‘each for a reasonable period of time’’
                                            certain cases a PSO may not know the                    receives work product, undertaking                    regarding the required contracts. As we
                                            identity of the provider that submitted                 efforts to improve the quality and safety             noted in the proposed rule, our intent in
                                            patient safety work product, e.g.,                      of patient care, and developing and                   proposing to interpret the language was
                                            anonymous submissions, or it might not                  disseminating information to improve                  to give providers increased certainty
                                            be possible to contact the provider, e.g.,              patient safety. Other required patient                that the listing of the PSO to which they
                                            if the provider has gone out of business                safety activities can only be performed               are reporting data could not be
                                            or retired. In these cases, the                         when the PSO is working with a                        challenged on the basis that its required
                                            Department would expect the PSO to be                   provider (such as providing feedback to               contracts were not for a reasonable
                                            able to demonstrate, if selected for a                  participants in a patient safety                      period of time. However, the provider
                                            ‘‘spot check,’’ that it made a good faith               evaluation system) and receiving patient              community opposed interpreting the
                                            effort to reach every provider that                     safety work product from providers                    provision, fearing that it would limit
                                            submitted the work product subject to                   (such as utilization of patient safety                their ability to customize contracts to
                                            an inappropriate disclosure or a security               work product to develop a culture of                  meet their analytic needs and urged the
                                            breach. We also note that this                          safety).                                              Department to rely upon the
                                            requirement only requires the PSO to                       The Department recognizes that, for                marketplace to interpret this
                                            contact the provider that submitted the                 any given contractual arrangement,                    requirement. With no empirical basis for
                                            information; the PSO is not expected to                 providers, not PSOs, will determine the               choosing one standard or one time
                                            contact providers or others whose                       tasks PSOs undertake and for which                    frame over another, and given the
                                            names are included in the patient safety                they will be compensated. Therefore,                  inability to anticipate what types of
                                            work product. As a business associate of                our approach to assessing compliance                  contractual relationships will evolve
                                            a provider covered by the HIPAA                         will be as follows. If subject to a spot              under the final rule, the Department
                                            Privacy Rule, the PSO must abide by its                 check for compliance, a PSO must be                   concluded that incorporating a standard
                                            business associate contract with that                   able to demonstrate that it has                       at this time could have unintended
                                            provider, obligating it to notify the                   performed all eight patient safety work               negative consequences and has chosen
                                            provider if it becomes aware of an                      products at some point during its three-              not to do so. As a result, a PSO will be
                                            impermissible disclosure of protected                   year period of listing. However, we will              required to have two contracts in effect
                                            health information. See 45 CFR                          expect a PSO to demonstrate that it                   at some point during each 24-month
                                            164.504(e)(2)(ii)(C). Once the PSO has                  performs throughout its period of listing             reporting period established by the
                                            informed the provider of the                            the patient safety activities that are not            statute but the contracts are not required
                                            impermissible disclosure, the HIPAA                     dependent upon a relationship with a                  to cover a specific or minimum time
                                            Privacy Rule requires the provider to                   provider or receipt of patient safety                 period and they are not required to be
                                            mitigate the harmful effects of an                      work product. We will expect                          in effect at the same time.
                                            impermissible disclosure. See 45 CFR                    compliance with the other patient safety                 While we received overwhelmingly
                                            164.530(f).                                             activities consistent with the contracts              favorable support for requiring
dwashington3 on PRODPC61 with RULES3

                                               We have also incorporated in                         or agreements that the PSO has with                   compliance with the Secretary’s
                                            § 3.102(b)(2)(i)(C) a minor modification                providers. A component PSO that is                    guidance on common definitions and
                                            in the text of the criterion relating to the            established by a health care provider,                reporting formats (common formats) for
                                            required two contracts. The text in the                 and for which the parent-provider                     the collection of patient safety work
                                            proposed rule stated that a PSO ‘‘must                  organization is a primary client, would               product, we recognize that the
                                            have entered into two bona fide                         not be dependent on external contracts                Department’s efforts to develop

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00023   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70754            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            guidance will take time. We issued                         We believe this approach effectively               has been retained. We note that this
                                            common formats in August 2008                           balances the statutory goal of promoting              statutory language imposes a dual
                                            addressing all patient safety events in                 the ability to aggregate, and learn from,             requirement: improvement of patient
                                            acute-care hospitals; AHRQ has made                     patient safety work product, while                    safety and the quality of health care
                                            the common formats available on its                     recognizing the statutory caveat that this            delivery must be reflected in the entity’s
                                            Web site to facilitate their use by                     requirement applies ‘‘to the extent                   mission and this improvement activity
                                            providers with varying levels of                        practical and appropriate.’’ Our                      must constitute the entity’s primary
                                            sophistication as well as by PSOs. The                  approach ensures that PSOs will take                  activity. Since many organizations
                                            guidance will be expanded over time to                  the requirement seriously and that a                  could reasonably claim that
                                            other settings of care. Because we                      PSO’s statement that it is not ‘‘practical            improvement of the quality of health
                                            anticipate that some PSOs may choose                    or appropriate’’ to comply at this time               care and patient safety are fundamental
                                            to concentrate their work in areas for                  is well-founded.                                      to their missions and even have these
                                            which guidance from the Secretary is                                                                          words in their mission statements, the
                                                                                                    Response to Other Public Comments.
                                            not yet available, we have modified the                                                                       critical and distinguishing requirement
                                            text of the rule by incorporating a new                    Comment: Several commenters                        in this statutorily-based criterion is that
                                            paragraph (iii) that interprets                         suggested that the final rule include a               such improvement activities must be the
                                            compliance in the following way.                        requirement that entities provide                     entity’s primary activity.
                                               At initial listing, the requirement will             assurances that they are financially                     While we understand the rationale of
                                                                                                    viable.                                               the commenter—many of the
                                            be interpreted as a commitment by the
                                                                                                       Response: The Department has not                   organizations interested in becoming
                                            entity seeking listing to adopt the
                                                                                                    adopted this proposal. We do not                      PSOs will have difficulty attesting that
                                            Secretary’s recommended formats and                     believe that assuring the financial
                                            definitions by the time it seeks                                                                              this is their primary activity—the
                                                                                                    viability of PSOs is either an authorized             Department does not have the authority
                                            continued listing ‘‘to the extent practical             or an appropriate Federal task in
                                            and appropriate.’’ During the initial                                                                         to alter this statutory requirement by
                                                                                                    carrying out the Patient Safety Act. The              making improvement of health care
                                            three-year period of listing, AHRQ will                 statutory framework leaves this inquiry
                                            not issue a preliminary finding of                                                                            delivery and patient safety one of any
                                                                                                    and determination to prospective clients              number of significant activities that an
                                            deficiency to any PSO that has not                      in the market for PSO services. PSOs
                                            adopted the Secretary’s recommended                                                                           organization performs. The statute
                                                                                                    will learn to address this concern                    effectively recognizes this dilemma and
                                            formats and definitions.                                routinely if required by providers to do              provides an option in this situation. An
                                               At continued listing, a PSO will be                  so.                                                   entity can create a component
                                            required to: (1) Certify that the PSO is                   Comment: One commenter suggested                   organization, discussed in the next
                                            using the Secretary’s guidance for                      that the final rule include a provision to            subsection, to seek listing. Such a new
                                            common formats and definitions; (2)                     require PSOs to have policies and                     component created for this exclusive
                                            certify that the PSO is using an                        procedures in place to safeguard the                  purpose or with this purpose as its
                                            alternative system of formats and                       privacy and confidentiality of a staff                primary activity would inherently meet
                                            definitions that permits valid                          member of a PSO, who is identified in                 this requirement.
                                            comparisons of similar cases among                      patient safety work product.                             It is likely that some providers will
                                            similar providers; or (3) provide a clear                  Response: The Department agrees that               find it more reassuring to work with a
                                            explanation for why it is not practical or              PSOs should consider and address                      PSO that is focused solely on the
                                            appropriate for the PSO to comply with                  issues of confidentiality, including                  statutorily mandated objectives. If an
                                            options (1) or (2) at this time. The                    those of its workforce members.                       organization with other activities and
                                            Secretary will consider a PSO to be in                  However, we do not believe it is                      personnel is listed in its entirety as a
                                            compliance if it is using the Secretary’s               appropriate or necessary to mandate                   PSO, it can share a provider’s
                                            guidance, satisfactorily demonstrates                   how a PSO addresses this issue.                       identifiable patient safety work product
                                            that the alternative system it is using                    Comment: Several commenters raised                 throughout the legal entity, including
                                            permits valid comparisons of similar                    concerns regarding the statutory                      with individuals who are not involved
                                            cases among similar providers, or                       requirement that ‘‘the mission and                    in the work of the PSO, without
                                            satisfactorily demonstrates why neither                 primary activity of a PSO must be to                  violating the disclosure restrictions of
                                            option is practical or appropriate at this              conduct activities that are to improve                the statute and without triggering
                                            time. An example of a satisfactory                      patient safety and the quality of health              Federal enforcement action pursuant to
                                            justification might be that the PSO                     care delivery’’ might make it difficult for           subparts C and D of the rule. We expect
                                            specializes in analyses in a specific                   existing organizations with multiple                  many providers will prefer that their
                                            niche of health care delivery in which                  activities to qualify for listing. One                protected information be closely held.
                                            there remains significant controversy                   commenter suggested that the                          Thus, existing organizations have other
                                            over relevant reporting formats and                     requirement be altered so that the                    reasons, in addition to the mission and
                                            definitions and/or the Secretary has not                mission and primary activity ‘‘includes’’             primary activity criterion, to consider
                                            recommended any relevant common                         quality improvement and patient safety.               the option of establishing a PSO as a
                                            formats or definitions. The Secretary, if               Questions were also raised whether                    component organization.
                                            he determines that the PSO is otherwise                 organizations that currently undertake                   In response to an example posed in
                                            eligible for continued listing, but has                 other activities such as provider                     two separate comments, if an entity’s
                                            not satisfactorily demonstrated that it                 education or other collections and                    primary activity is the collection and
                                            meets one of the three requirements in                  analyses of clinical data to improve the              analysis of clinical data to improve the
dwashington3 on PRODPC61 with RULES3

                                            § 3.102(b)(2)(iii), may exercise his                    quality, safety, and efficiency of health             quality, safety, and efficiency, the
                                            discretion to continue the listing of the               care would meet the requirement.                      Department would consider these
                                            PSO and use the process for correction                     Response: It is important to recognize             activities consistent with the statutory
                                            of deficiencies in § 3.108(a) to bring the              that the language at issue was                        requirement. Other situations may
                                            PSO into compliance after its listing has               incorporated into the proposed rule                   warrant discussion with AHRQ staff
                                            been continued.                                         directly from the statute. Accordingly, it            during the planning stage of a PSO or

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00024   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                        70755

                                            at least before submitting certifications                  Comment: A commenter asked if the                     Response: It is not clear what the
                                            for listing. Another example posed by a                 establishment of a ‘‘relationship’’ with a            commenters mean by a ‘‘member’’ of a
                                            commenter—an entity that provides                       provider is sufficient to meet the                    PSO in this context. To the extent that
                                            general health education to providers—                  minimum contract requirement.                         the comments are referring to a possible
                                            would appear to require further                            Response: No. The rule requires two                joint venture that creates a PSO, there
                                            discussion. As presented, general health                bona fide contracts, as defined in                    are few productive roles that an
                                            education would appear to have a link                   section 3.20, meeting the requirements                excluded entity could play. Such
                                            to, but an inadequate emphasis on, the                  of the rule.                                          excluded entities could not have or
                                            analytic focus of a PSO’s mandatory                        Comment: One commenter expressed                   exercise any level of control over the
                                            patient safety and quality improvement                  concern about the ability of his agency               activities or operation of a PSO. Thus,
                                            activities. The health education entity                 to meet the minimum contract                          they could not have access to patient
                                            can certainly avail itself of the option to             requirement. His agency administers a                 safety work product. As a result, the
                                            establish a component organization to                   public patient safety reporting system to             potential for involvement of an
                                            seek listing.                                           which hospitals are required to report                excluded entity with a PSO would be
                                               Comment: One commenter asked                         by state law. His concern was that the                very limited.
                                            what is meant by the concept of carrying                hospitals might see no need to enter
                                            out patient safety activities. Does this                                                                         We note, however, that a component
                                                                                                    contracts with his agency if it were                  of an entity excluded by § 3.102(a)(2)(ii)
                                            mean that patient safety activities must                listed as a PSO.
                                            be performed and, if so, when?                                                                                can seek listing. These types of
                                                                                                       Response: The modifications to the                 component organizations must meet
                                               Response: We note that this obligation               final rule in § 3.102(a)(2)(ii) preclude an
                                            rests with a PSO, not providers. The                                                                          additional requirements set forth in
                                                                                                    entity that manages or operates a                     § 3.102(c)(1).
                                            requirement means that a PSO must                       mandatory patient safety reporting
                                            perform all eight patient safety activities             system from seeking listing as a PSO.                    Comment: One commenter requested
                                            during its period of listing. We clarify                                                                      clarification regarding the required
                                                                                                       Comment: One commenter urged that
                                            how the Department will assess PSO                                                                            patient safety activity to provide
                                                                                                    the final rule not marginalize State
                                            compliance with this requirement in the                                                                       feedback and assistance to providers to
                                                                                                    mandatory reporting systems through
                                            discussion of the final rule above.                                                                           effectively minimize patient risk.
                                                                                                    the separation of provider reporting to
                                               Comment: One commenter asked if a
                                                                                                    PSOs. The commenter recommended                          Response: We recognize that the
                                            PSO could meet the minimum contract
                                                                                                    that the final rule permit States to                  performance of some patient safety
                                            requirement by entering a contract with
                                                                                                    become listed as PSOs or enter into                   activities will be dependent upon a
                                            a 50-hospital system and one
                                                                                                    collaborative arrangements with PSOs to               PSO’s arrangements with its clients. As
                                            independent practitioner (either with a
                                                                                                    share data and staff.                                 we noted in our discussion of the final
                                            physician or nurse practitioner).
                                               Response: To meet the requirement, a                    Response: While we believe that an                 rule, we will interpret a PSO to be in
                                            PSO must have at least two contracts                    entity that operates a Federal, state,                compliance with this requirement if the
                                            with different providers. In this case, a               local, or Tribal mandatory patient safety             feedback and assistance is performed at
                                            contract with a solo health care                        reporting system should not be listed as              some point during the PSO’s period of
                                            practitioner (such as a physician or a                  a PSO, the rule does permit a                         listing.
                                            nurse practitioner) would meet the                      component of such an entity to seek                      Comment: Two commenters pointed
                                            requirement for the second contract.                    listing. A PSO that is a component of an              to the importance of the use of
                                               Comment: One commenter asked if a                    excluded entity is prohibited from                    contracted staff to enable a PSO to carry
                                            contract between the parent of a health                 sharing staff with the excluded entity
                                                                                                                                                          out its duties, especially in rural or low
                                            system and a PSO is tantamount to                       and has limitations on its ability to
                                                                                                                                                          population density areas. In such
                                            entering a contract with each provider                  contract with such a parent organization
                                                                                                                                                          circumstances, a PSO needs to draw
                                            that comprises the health system.                       (see § 3.102(c)(4)). However, the
                                                                                                                                                          upon competencies and skills as needed
                                               Response: Such an arrangement does                   component PSO could enter into some
                                                                                                                                                          and asked that we clarify that such
                                            not meet the requirement; the                           types of limited collaboration with an
                                                                                                                                                          contractors, whether paid or volunteer,
                                            requirement focuses on the number of                    excluded entity. For example, a PSO
                                                                                                                                                          could enable a PSO to meet the
                                            contracts, not the number of providers                  may accept additional data from an
                                                                                                                                                          qualified staff requirement.
                                            that are involved with any contract. The                excluded entity for inclusion in its
                                            rule, based on the terms of section                     analyses with the understanding that                     Response: The Department assumes
                                            924(b)(1)(C) of the Public Health Service               the PSO may only share its findings                   that many PSOs, especially component
                                            Act, requires two contracts.                            pursuant to one of the permissible                    PSOs, will use a mix of full-time
                                               Comment: Can providers within the                    disclosures in Subpart C, e.g., if the                personnel and individuals from whom
                                            same system count as different                          findings are made non-identifiable. In                they seek services as needed, whether
                                            providers for meeting the minimum                       addition, other PSOs similarly may                    paid or on a volunteer or shared basis.
                                            contract requirement?                                   share their nonidentifiable findings with             That is why we have incorporated a
                                               Response: The answer to this question                mandatory state patient safety reporting              broad definition of ‘‘workforce’’ in the
                                            is yes if the PSO has separate contracts                systems and to the extent permitted by                rule that encompasses employees,
                                            with at least two different providers.                  state law the state systems might give                volunteers, trainees, contractors, and
                                            Whether the providers have a common                     data to completely separate PSOs for                  other persons whether or not they are
                                            organizational affiliation is not relevant.             analysis and reports in nonidentifiable               paid by the PSO. As defined in this rule,
                                            The only requirements are that the                      terms.                                                workforce refers to persons whose
dwashington3 on PRODPC61 with RULES3

                                            individuals or facilities must be                          Comment: Several commenters                        performance of activities for the PSO is
                                            providers as defined in § 3.20 of the rule              suggested that excluded entities might                under the direct control of the PSO. In
                                            and that there are at least two contracts               become members of a PSO as long as                    addition, however, a PSO is free to enter
                                            with different providers. Once again, the               they were not vertically linked to the                contracts for specific or specialized
                                            focus of the requirement is the number                  PSO, although they did not explain                    services, subject to other requirements
                                            of contracts.                                           what they meant by the term, members.                 of the rule.

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00025   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70756            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            (C) Section 3.102(c)—Additional                         with their certifications for listing a               we noted that a number of commenters
                                            Certifications Required of Component                    description of how they intend to meet                that supported permitting components
                                            Organizations                                           the requirement for technological and                 of such entities to seek listing,
                                               Proposed Rule: Along with the 15                     other controls to ensure that there is an             suggested, nevertheless, that we
                                            requirements under subsection (b) that                  effective protection against                          establish additional limitations and
                                            all PSOs would have to meet, § 3.102(c)                 inappropriate access to the patient                   requirements. Their suggestions
                                            of the proposed rule would require an                   safety work product held by the                       included requiring that such a
                                            entity that is a component of another                   component PSO.                                        component organization seeking listing
                                                                                                       There was significant concern with                 must: Specifically identify its parent
                                            organization to make three additional
                                                                                                    the proposal to limit the sharing of                  organization as a regulator and specify
                                            certifications regarding: (1) The secure
                                                                                                    employees between the parent                          the scope of the parent organization’s
                                            maintenance of patient safety work
                                                                                                    organization(s) and the component PSO                 regulatory authority; submit to the
                                            product separate from the rest of the
                                                                                                    if the employee’s work could be                       Secretary attestations from providers
                                            organization(s) of which it is a part; (2)              informed by knowledge of a provider’s                 choosing to report to the PSO that they
                                            the avoidance of unauthorized                           identifiable patient safety work product.             have been informed of the scope of
                                            disclosures of patient safety work                      Some commenters argued that the                       regulatory authority of the parent
                                            product to the rest of the organization(s)              prohibition was too broad, that it should             organization; and provide assurances to
                                            of which it is a part; and (3) the mission              be narrowed, or that the standard was                 the Secretary that the parent
                                            of the component organization not                       too vague and had the potential for                   organization has no policies that compel
                                            creating a conflict of interest with the                creating confusion. A number of                       providers to report patient safety work
                                            rest of the organization(s) of which it is              commenters recognized the merits of the               product to its component PSO. They
                                            a part.                                                 intended prohibition but thought that                 also suggested such a PSO not be
                                               We proposed two additional                           the proposed rule’s formulation was so                permitted to share staff with the parent
                                            requirements that would interpret these                 vague that it might limit the ability of              organization and not be able to take
                                            statutory provisions: (1) A component                   any physician in an academic health                   advantage of the proposed limited
                                            PSO could not have a shared                             center to assist the component PSO if                 provision that would permit a
                                            information system with the rest of the                 the physician supervised and evaluated                component PSO to contract with its
                                            organization(s) of which it is a part; and              interns and residents during their                    parent organization for assistance in the
                                            (2) the workforce of the component PSO                  training, presuming this to be an                     review of patient safety work product.
                                            could not engage in work for the rest of                unintended result.                                       The proposed rule did not propose an
                                            the organization(s) if such work could                     Several alternative approaches were                interpretation but sought comment on
                                            be informed or influenced by the                        suggested, including: (1) Limit the                   the circumstances under which the
                                            individual’s knowledge of identifiable                  prohibition to staff in the parent                    mission of a component PSO could
                                            patient safety work product (except if                  organization who would use patient                    create a conflict of interest for the rest
                                            the work for the rest of the organization               safety work product for non-patient                   of the parent organization(s) of which it
                                            is solely the provision of patient care).               safety activities; (2) obtain pledges by              is a part. The recommendations of
                                            The proposed rule did not propose an                    staff not to use patient safety work                  commenters reflected a variety of
                                            interpretation, but sought public                       product for ‘‘facility administrative                 perspectives: One view was that the rule
                                            comment, on the requirement that a                      functions;’’ (3) limit the prohibition to             should not adopt a general standard; a
                                            component organization not create a                     persons with disciplinary/credentialing               component organization should disclose
                                            conflict of interest with the rest of the               functions; (4) require management staff               what it believes may be its conflicts and
                                            organization(s) of which it is a part.                  to sign agreements not to use patient                 that this disclosure should be deemed
                                               We proposed, and sought comment                      safety work product in hiring/firing,                 sufficient to have cured the conflict;
                                            on, a limited option for a component                    credential/privilege decisions; and (5)               another said the Department should
                                            PSO to take advantage of the expertise                  permit shared staff for specific types of             undertake case-by-case analysis; and a
                                            of the rest of its parent organization(s)               entities, such as state hospital                      third suggested the Department should
                                            to assist the PSO in carrying out patient               associations, but not others.                         adopt guidance, not regulatory language.
                                            safety activities. Under this proposal, a                  Our proposal to provide a limited                     Another commenter wrote that there
                                            component PSO could enter into a                        option for a component PSO to draw                    could be no conflict of interest if the
                                            written agreement with individuals or                   upon the expertise of its parent                      parent organization is a provider; others
                                            units of the rest of the organization                   organization(s) to assist the PSO in                  suggested that certain types of parent
                                            involving the use of patient safety work                carrying out patient safety activities was            organizations posed conflicts of interest,
                                            product, subject to specified                           well received. Most commenters were                   such as when the parent organization is
                                            requirements.                                           supportive of the flexibility provided by             an investor-owned hospital or if there
                                               Overview of Public Comments:                         this provision although one commenter                 are certain legal relationships which
                                            Numerous commenters strongly                            suggested deleting it. Several                        providers have with a parent
                                            disagreed with the Department’s                         commenters stressed that a ‘‘substantial              organization or its subsidiaries.
                                            proposal that PSOs must maintain                        firewall’’ should be maintained and that              Similarly, one commenter suggested
                                            separate information systems. These                     such contracting should only be allowed               that not-for-profit status of a PSO should
                                            commenters argued that it would                         ‘‘for clearly defined and limited staff               be an indicator that there is no conflict
                                            impose a tremendous financial and                       services.’’ One commenter urged that                  of interest. In a parallel vein, another
                                            administrative burden to establish                      such contracts or agreements should be                commenter argued that if the PSO could
                                            separate information systems. A number                  submitted to the Secretary in advance so              use or sell its information for
dwashington3 on PRODPC61 with RULES3

                                            of commenters suggested alternative                     that they ‘‘can be scrutinized by HHS to              commercial gain, this was a conflict.
                                            approaches that could achieve the same                  assess whether confidentiality or                     This commenter also argued that if a
                                            goal. For example, one commenter                        privilege protections can practically                 PSO could be used to create an oasis
                                            recommended that HHS adopt a non-                       remain intact.’’                                      solely for protection of information
                                            directive concept of functional                            In our discussion regarding entities               reported by the system that created it,
                                            separation and require PSOs to submit                   excluded from listing in § 3.102(a)(2)(ii),           this represented a conflict; the

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00026   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                          70757

                                            information held by a PSO must be                       shared staff. The final rule does not                 patient safety work product. Finally,
                                            made available at minimal or no cost for                impose these proposed requirements on                 there is the right of action that the
                                            further aggregation. Another commenter                  most component organizations.                         statute grants to individual providers
                                            suggested that a component PSO should                   However, as discussed below regarding                 who believe and allege that their
                                            never evaluate patient safety work                      § 3.102(c)(4), we have retained the                   employer took an adverse employment
                                            product of an affiliated organization; if               prohibition on shared staff only with                 action against them based upon their
                                            it does so, this creates a conflict-of-                 respect to components of entities that                providing information to the employer’s
                                            interest.                                               are excluded from listing and, for such               patient safety evaluation system for
                                               Finally, several commenters also                     component PSOs, narrowed the                          reporting to the PSO or based upon their
                                            suggested that there must be no conflict                circumstances when contracting with a                 providing information directly to the
                                            between patient safety work product                     parent organization is permissible only               PSO. Given the importance to providers
                                            and non-patient safety work product                     with respect to components of entities                of maintaining protections for their
                                            functions. A similar comment from                       that are excluded from listing.                       work product, we conclude that it is
                                            another entity argued that a PSO must                      With respect to separate information               unlikely that a parent organization will
                                            certify that members of the component                   systems, the Department has concluded,                intentionally jeopardize those
                                            PSO workforce are not engaged in work                   based upon the information that was                   protections. Therefore, we have
                                            for the parent organization that conflicts              included by commenters, that there are                eliminated the proposed restriction on
                                            with the mission of the PSO.                            a number of cost-effective alternatives               the use of shared staff, except for
                                               Final Rule: After careful consideration              for achieving the statutory goal of                   components of entities excluded from
                                            of the extensive number of comments                     separate maintenance of patient safety                listing as discussed below regarding
                                            received regarding component                            work product. Accordingly, we have                    § 3.102(c)(4). In its place, we have
                                            organizations, the Department has                       included new language that requires a                 restated the statutory requirement that
                                            modified and restructured the text for                  component PSO to ensure that the                      the component organization (and its
                                            § 3.102(c) in the following ways.                       information system in which patient                   workforce and contractors) may not
                                               We have restructured § 3.102(c) into                 safety work product is maintained must                make unauthorized disclosures to the
                                            four separate paragraphs. New                           not permit unauthorized access by any                 rest of the organization(s) of which the
                                            § 3.102(c)(1)(i) lists the provisions with              individuals in, or units of, the rest of the          PSO is a part.
                                            which different component                               parent organization(s) of which it is a                  We have retained without change in
                                            organizations must comply. This                         part.                                                 § 3.102(c)(2)(iii) the proposed rule text
                                            subparagraph sets forth the                                Similarly, after careful consideration             prohibiting the pursuit of the mission of
                                            requirements that all component                         of the comments, we have eliminated                   the PSO from creating a conflict of
                                            organizations must meet. The language                   the proposed restriction on the use of                interest with the rest of the
                                            of this subparagraph is retained from the               shared staff for most component PSOs.                 organization(s) of which it is a part. To
                                            proposed rule but includes a                            The Department has concluded that                     the extent that individuals or units of
                                            requirement that all component                          there are significant incentives for                  the rest of the parent organization(s)
                                            organizations must submit with their                    component PSOs and parent                             have obligations and responsibilities
                                            certifications contact information for                  organizations to be very cautious in                  that are inconsistent with the ‘‘culture
                                            their parent organization(s) and provide                their use of shared personnel, protecting             of safety’’ that the statute seeks to foster,
                                            an update to the Secretary in a timely                  against inappropriate disclosures, and                a component PSO could create a conflict
                                            manner if the information changes. This                 the disclosure of patient safety work                 of interest by sharing identifiable
                                            requirement was proposed in the                         product. A number of commenters                       patient safety work product with them
                                            preamble but was not incorporated in                    appeared to appreciate the importance                 as shared staff or under a written
                                            the text of the proposed rule. Many of                  of maintaining separation between their               agreement pursuant to § 3.102(c)(3),
                                            the commenters noted the importance to                  patient safety activities and internal                discussed below. On the other hand, the
                                            providers of having information                         disciplinary, privileges, and                         component PSO could draw upon the
                                            regarding the parent organization of a                  credentialing decisions, which were the               expertise of these same individuals in
                                            component PSO and, therefore, we have                   focus of our concern.                                 other capacities in which identifiable
                                            incorporated the provision.                                Our review has led us to conclude                  work product is not shared and, thereby,
                                               New § 3.102(c)(1)(ii) outlines the                   that the potential negative consequences              avoid creating conflicts of interest.
                                            requirements for components of entities                 for providers, independent of any fear of             Thus, we would interpret permitting the
                                            excluded from listing under                             Department action, lessens the need for               creation of conflicting situations for staff
                                            § 3.102(a)(2)(ii) of this section. These                the rule to address this issue. For                   or units of the parent organization(s) as
                                            components must meet the                                example, institutional providers are                  inconsistent with a component PSO’s
                                            requirements for all component PSOs in                  likely to find it difficult to develop                attestation.
                                            § 3.102(c)(1)(i) as well as submit the                  robust reporting systems if the                          Section 3.102(c)(3) retains without
                                            additional certifications and                           clinicians on their staff learn or even               substantive change the provision in the
                                            information and adhere to the further                   suspect that the same individuals                     proposed rule to enable a component
                                            limitations set forth in § 3.102(c)(4) that             involved in analysis of patient safety                PSO, within limits, to take advantage of
                                            are discussed below.                                    work product play key roles in                        the expertise of the rest of the
                                               New § 3.102(c)(2) restates the three                 administrative decisions that can lead to             organization of which it is part. In
                                            additional statutory certifications that                adverse personnel decisions. This may                 response to concerns expressed by some
                                            must be made by all component                           lead to decreased reporting of patient                commenters, we stress the statutory
                                            organizations seeking listing. We have                  safety events. The suspicion of                       requirement for the PSO to maintain
dwashington3 on PRODPC61 with RULES3

                                            deleted two requirements for                            contamination between the processes                   patient safety work product separately
                                            component entities from the text of the                 could also provide a new basis for                    from the rest of the organization. In such
                                            proposed rule that were intended to                     challenging adverse employment                        circumstances, it cannot be transferred
                                            interpret these statutory requirements:                 actions, which could require providers                to individuals or units of the rest of the
                                            the requirement for separate information                to prove that their actions were not                  organization except as permitted by the
                                            systems and the restriction on the use of               influenced by inappropriate use of                    rule. As a practical matter, if the parent

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00027   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70758            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            organization is a provider organization                 actions during its period of listing. An              contract or written agreement to have
                                            and the component PSO is evaluating                     example of an inducement would be if                  staff from the rest of the organization
                                            the parent organization’s data, the                     a parent organization that accredited or              assist the PSO in carrying out patient
                                            parent-provider is likely to have a copy                licensed providers awarded special                    safety activities. If the parent
                                            of all of the data transmitted to the                   scoring consideration to providers                    organization engages in a mix of
                                            component PSO.                                          reporting to the parent organization’s                activities, some of which are not a basis
                                               We do not dismiss the concerns of                    component PSO; additional scoring                     for exclusion from listing, the
                                            commenters that this contracting                        consideration for reporting to any PSO,               component organization will be able to
                                            authority could be used inappropriately.                by contrast, would not violate this                   take advantage of this contracting
                                            We remind each component PSO that                       restriction.                                          option, subject to our caveat above.
                                            the statute requires it to maintain                        3. Certify that the component PSO
                                            patient safety work product separately                  will include information on its website               Response to Other Public Comments
                                            from the rest of the organization(s) of                 and in any promotional materials for                     Comment: One commenter asked us
                                            which the component PSO is a part and                   providers describing the activities                   to confirm that component PSOs can
                                            prohibits unauthorized disclosures to                   which were the basis of the parent                    maintain patient safety work product
                                            the rest of the organization(s) of which                organization’s exclusion under                        behind secure firewalls using existing
                                            they are a part. Therefore, it may not be               § 3.102(a)(2)(ii).                                    information systems.
                                            appropriate for its parent organization to                 We have incorporated these                            Response: The modifications we have
                                            serve as its main provider of analytic or               additional requirements for information               adopted and discussed above means
                                            data services if such arrangements                      and attestations to address widespread                that the final rule permits this approach.
                                            would effectively confound statutory                    concerns among commenters that an                        Comment: Several commenters
                                            intent for a firewall between a                         excluded parent organization might                    suggested that it was unrealistic for the
                                            component PSO and the rest of the                       attempt to compel providers to report                 component PSO to maintain patient
                                            organization(s) of which it is a part. The              data to its component PSO and                         safety work product separately from its
                                            flexibility provided by the rule to use                 circumvent the firewalls for access to                parent organization if the parent
                                            in-house expertise is intended to                       that data. These extra requirements for               organization is a provider reporting data
                                            supplement, not replace, the PSO’s                      such component PSOs will strengthen                   to the component PSO.
                                            authority to contract with external                     transparency and the additional                          Response: The Patient Safety Act
                                            expert individuals and organizations.                   statements submitted with the                         requires a component PSO maintain
                                               Section 3.102(c)(4) incorporates new                 component organization’s certifications               patient safety work product separately
                                            requirements, drawn from our review of                  will be posted on the AHRQ PSO Web                    from the rest of the organization(s) of
                                            public comments, that only apply to                     site along with all its other                         which it is a part; therefore, we cannot
                                            organizations that are components of                    certifications. Our intent is to ensure               remove the restriction. While contracts
                                            entities excluded from listing under                    that such a component organization’s                  between a PSO and a provider are likely
                                            § 3.102(a)(2)(ii). Thus, these component                website and its promotional materials                 to address the extent to which a
                                            organizations have three sets of                        for providers will inform providers                   provider has access to information held
                                            requirements to meet: The 15 general                    regarding the nature and role of its                  by a PSO, we caution contracting parties
                                            certification requirements in                           parent organization. The rule is                      to be mindful of this statutory
                                            §§ 3.102(b)(1) and 3.102 (b)(2); the                    emphatically clear that the Department                restriction in crafting their contracts.
                                            requirements that all component PSOs                    will take prompt action to revoke and                 The requirement for separation does not
                                            must meet in §§ 3.102(c)(1)(i) and                      delist a component organization whose                 mean that the component organization
                                            3.102(c)(2); and the requirements that                  excluded parent organization attempts                 cannot share information with a parent
                                            are established by § 3.102(c)(4).                       to compel providers to report data to its
                                                                                                                                                          organization but any sharing must be
                                               Section 3.102(c)(4) establishes a                    component PSO. New § 3.108(e)(1) lists
                                                                                                                                                          consistent with the permissible
                                            requirement for additional information                  specific circumstances, including this
                                                                                                                                                          disclosures of this rule.
                                            and certifications that must be                         situation, in which revocation and
                                            submitted with the component                            delisting will take place on an expedited             (D) Section 3.102(d)    Required
                                            organization’s certifications for listing               basis.                                                Notifications
                                            and it establishes two additional                          During its period of listing, the final
                                                                                                                                                          (1) Section 3.102(d)(1)—Notification
                                            restrictions with which a component                     rule also prohibits a PSO that is a
                                                                                                                                                          Regarding PSO Compliance With
                                            organization must comply during its                     component organization of an entity
                                                                                                                                                          Minimum Contract Requirement
                                            period of listing. The additional                       excluded from listing to share staff with
                                            information and certifications require a                the rest of the organization(s) of which                Proposed Rule: Section 3.102(d)(1) of
                                            component PSO of an entity described                    it is a part. Such a component PSO may                the proposed rule would require PSOs
                                            in § 3.102(a)(2)(ii) to:                                enter into contracts or written                       to attest within every 24-month period,
                                               1. Describe the parent organization’s                agreements with the rest of the                       beginning with its initial date of listing,
                                            role, and the scope of the parent                       organization(s) under the authority                   that the PSO has met the two-contract
                                            organization’s authority, with respect to               provided to all component PSOs by                     requirement. We proposed to require
                                            the activities which are the basis of the               § 3.102(c)(3) but with one additional                 notification of the Secretary 45 days
                                            parent organization’s exclusion from                    limitation. Such contracts or written                 before the end of the applicable 24-
                                            being listed under § 3.102(a)(2)(ii).                   agreements are limited to units or                    month period. Early notification would
                                               2. Certify that the parent organization              individuals of the parent organization(s)             enable the Department to meet another
                                            has no policies or procedures that                      whose responsibilities do not involve                 statutory requirement to provide PSOs
dwashington3 on PRODPC61 with RULES3

                                            would require or induce providers to                    the activities that are the basis of the              with an opportunity to correct a
                                            report patient safety work product to the               parent organization’s exclusion under                 deficiency. If the requirement is not yet
                                            component organization once it is listed                § 3.102(a)(2)(ii). If the parent                      met, this would enable the Secretary to
                                            as a PSO, and affirm that the component                 organization’s sole activity is the reason            establish an opportunity for correction
                                            PSO will notify the Secretary if the                    for its exclusion, the component                      that ends at midnight on the last day of
                                            parent organization takes any such                      organization could never enter a                      the 24-month period.

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00028   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                         70759

                                               Overview of Public Comments: The                     that the emphasis in the proposed rule                without being burdensome, it enables
                                            comments we received endorsed our                       on the statutory requirement for full                 both the Secretary and providers
                                            proposed approach. One commenter                        disclosure, without a corresponding                   considering contracts with a PSO to
                                            suggested we should consider requiring                  discussion of the parameters for the                  request additional information regarding
                                            notification 60 days in advance.                        contents and level of detail of the                   any relationships of concern. We have
                                               Final Rule: We expect that, in most                  statements, raised the prospect that                  adopted a clearer and narrower
                                            circumstances, contracts will be the                    PSOs would feel compelled to develop                  interpretation of the disclosures of
                                            primary source of revenue for PSOs. In                  disproportionately detailed information               relationships that must be made in view
                                            light of the fact that only two contracts               that might not be germane. One                        of concerns expressed by commenters
                                            are required, we do not anticipate that                 commenter suggested what was most                     about the scope of the required reports.
                                            many PSOs will reach this point in their                important is awareness of the                         In response to requests for more
                                            period of listing without meeting the                   fundamental relationship(s) that exist,               guidance on the required submissions,
                                            requirement. We have not accepted the                   not the specific details, suggesting that             this final rule calls for a two-part
                                            recommendation to require notification                  if the provider in question is the parent             disclosure statement and describes what
                                            sooner. The Department adopts the                       entity of the PSO, it should be sufficient            must be included in each part.
                                            provision as recommended in the                         to know that the parent-provider is the                  These modifications to the final rule
                                            proposed rule without modification.                     source of financial support to the PSO,               reflect several considerations. The
                                                                                                    employs its workforce, and provides                   Department has concluded that the
                                            (2) Section 3.102(d)(2)—Notification
                                                                                                    management to its activities.                         Patient Safety Act does not provide
                                            Regarding a PSO’s Relationships With
                                                                                                       In addition, there was concern that                incentives for a provider to control or
                                            Its Contracting Providers
                                                                                                    since the disclosure statements are                   manipulate the findings of a PSO with
                                               Proposed Rule: The proposed rule                     going to be made public, detailed                     respect to its own patient safety
                                            incorporated in § 3.102(d)(2) the                       submissions regarding the financial and               information. A PSO’s conclusions and
                                            statutory requirement that a PSO would                  contractual obligations would make it                 recommendations are patient safety
                                            make disclosures to the Secretary                       difficult to maintain the confidentiality             work product and, whether the PSO is
                                            regarding its relationship(s) with any                  of potentially sensitive business                     critical or complimentary of the
                                            provider(s) with whom the PSO enters                    information. Several commenters noted                 provider or the provider agrees or
                                            a contract pursuant to the Patient Safety               that it is not unusual for certain types              disagrees with the PSO, the PSO
                                            Act (Patient Safety Act contract). The                  of contractual work with commercially                 analysis and guidance remains
                                            statute requires PSOs to disclose                       sensitive implications to include                     confidential and privileged under the
                                            whether a PSO has any financial,                        confidentiality agreements and one                    Act, which means that there are
                                            contractual, or reporting relationships                 commenter suggested that the process                  constraints on the ability of a provider
                                            with this contracting provider and, if                  permit a PSO to request that the                      to disclose the PSO’s conclusions and
                                            applicable, whether the PSO is not                      Secretary not disclose specific                       recommendations. Even when they can
                                            managed, controlled, or operated                        information under certain                             be disclosed, calling the public’s
                                            independently of this contracting                       circumstances.                                        attention to positive findings is likely to
                                            provider.                                                  A number of commenters expressed                   engender scrutiny of the extent to which
                                               The proposed rule noted that a PSO                   concern about the potential unintended                the provider’s relationship with its PSO
                                            would need to make this assessment                      consequences of disclosure, especially                is truly an arms-length relationship. In
                                            when it enters a contract with a                        with respect to the identity of providers.            sum, providers have little to gain under
                                            provider and, if disclosures are                        One commenter raised concern that the                 the statute’s framework from attempting
                                            required, submit a disclosure statement                 requirement would lead to                             to control or manipulate the analyses
                                            within 45 days of the effective date of                 ‘‘differential’’ disclosure, by which the             and findings of a PSO.
                                            the contract. If relationships arise                    commenter meant that, of the total                       At the same time, the Department
                                            during the contract period, submission                  number of providers with which a PSO                  expects the statutory disclosure
                                            would be required within 45 days of the                 enters contracts, only those with other               requirements, coupled with public
                                            date the relationships are established.                 relationships would have their names                  release of disclosure statements and the
                                               The proposed rule would have                         disclosed and the other providers would               Secretary’s findings as provided by
                                            provided guidance on our interpretation                 not have their names made known                       § 3.104(b), will provide important and
                                            of financial, contractual, and reporting                through the proposed public release of                useful information to providers seeking
                                            relationships and emphasized that the                   disclosure statements by the Secretary.               to contract with a PSO. As we pointed
                                            statute required a PSO to ‘‘fully                          Final Rule: After careful review of the            out in the proposed rule, a provider
                                            disclose’’ the relationships. We noted                  comments, the Department has                          seeking to contract with a PSO will have
                                            that disclosure would be required only                  reconsidered its approach to this                     its own standards for what other PSO
                                            when the PSO entered a Patient Safety                   disclosure requirement and has made                   relationships it considers to be
                                            Act contract with a provider and there                  modifications to the text that are                    acceptable. Therefore, the submission
                                            were relationships that required                        incorporated in the final rule. Based                 and public release of this information
                                            disclosure. We also encouraged, but did                 upon this review, we have shifted the                 should improve the efficiency of the
                                            not require, PSOs to list any agreements,               emphasis of the term ‘‘fully disclose’’               search process by providers.
                                            stipulations, or procedural safeguards                  from stressing the level of detail that a                In light of these considerations, the
                                            that might offset the influence of the                  PSO must provide in describing each of                Department has determined that the
                                            provider and that might protect the                     the other types of relationships (listed              most appropriate interpretation of the
                                            ability of the PSO to operate                           below) that the PSO has with a                        statutory requirement to ‘‘fully disclose’’
dwashington3 on PRODPC61 with RULES3

                                            independently.                                          contracting provider to an emphasis on                other relationships is to emphasize the
                                               Overview of Public Comments:                         requiring that the PSO disclose clearly               need to require the disclosure of every
                                            Commenters expressed concern that the                   and concisely every relationship that                 pertinent relationship specified by the
                                            proposed rule was not sufficiently                      requires disclosure. This shift in                    statute. Providers that are considering
                                            specific with respect to the required                   emphasis remains consistent with our                  entering a contract with a PSO can
                                            disclosure statements. They suggested                   overall emphasis on transparency;                     determine for themselves if any

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00029   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70760            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            disclosed relationships pose concerns. If               describing the statutory list of                      no more than 1,000 words) that
                                            so, they can then request further                       disclosures: contractual, financial, and              addresses the issues described below
                                            detailed information as they see fit. This              reporting relationships are incorporated              and is intended to explain the measures
                                            approach has the further benefit of                     in subparagraphs (A)–(C) and control,                 taken by the PSO to assure that its
                                            limiting the potential for inappropriate                management, and operation of the PSO,                 analyses and findings are fair and
                                            release of proprietary or commercial                    independent from the provider, is                     accurate.
                                            information, another matter of concern                  incorporated in subparagraph (D). We                     We use the term ‘‘obligations’’—rather
                                            to commenters. The Department will                      have narrowed the language in                         than the statutory term
                                            protect confidential commercial                         paragraphs (A)–(C) by limiting the                    ‘‘relationships’’—in § 3.102(d)(2)(ii) of
                                            information as permitted by the                         required disclosures to current                       the rule for the following reason. If a
                                            Freedom of Information Act and in                       contractual, financial, and reporting                 PSO has multiple relationships with a
                                            accordance with 18 U.S.C. 1905.                         relationships and restating the                       provider, many of these relationships
                                               Thus, in making his required                         requirements to emphasize that                        are likely to be both contractual and
                                            determination, the Secretary will both                  disclosure is only required for                       financial (and may involve other
                                            give great weight to, and hold a PSO                    relationships other than those in Patient             relationships for which the statute
                                            accountable for, its attestation that it                Safety Act contract(s). We have restated              requires disclosure). A disclosure
                                            will fully disclose all relationships                   and streamlined the language of                       statement that was organized by the four
                                            required to be reported and whether the                 subparagraph (A) to emphasize                         types of relationships that require
                                            PSO’s operations, management, and                       contracts and arrangements that impose                disclosure (subparagraphs (A)–(D)
                                            control are not independent of any                      obligations on the PSO.                               discussed above) would be confusing
                                            provider with whom it has entered a                        We have retained the substantive                   and difficult to interpret since items in
                                            Patient Safety Act contract. The                        requirements for financial relationships.             different categories would be related.
                                            Secretary retains the authority to require              Based upon comments received, we                      For example, if the PSO already has a
                                            an entity to provide more detailed                      have determined that if the PSO is a                  contract with a provider to render a
                                            information if necessary to make his                    membership organization, the                          service for which it is paid, we do not
                                            required determination under 42 U.S.C.                  Department does not consider dues or                  see the benefit of having the contract
                                            299b–24(c)(3) regarding the ability of                  other assessments applied to all                      listed in one reporting category and the
                                            the PSO to fairly and accurately perform                members to constitute a financial                     financial relationship in another
                                            its patient safety activities in light of               relationship for this purpose. The rule               reporting category since they are clearly
                                            any reported relationships.                             narrows the scope of subparagraph (C),                related.
                                               The final rule retains the general                   where the text narrows the definition of                 Therefore, in drafting the required
                                            framework of the proposed rule for a                    reporting relationships to those in                   disclosure statement, a PSO should
                                            PSO to use in determining when a                        which this contracting provider has                   address the four statutorily-required
                                            disclosure statement must be submitted.                 access to information about the work                  disclosures discussed above as aspects
                                            The two thresholds remain unchanged.                    and internal operation of the PSO that                of the separate obligations or
                                            The disclosure requirement only applies                 is not available to other contracting                 arrangements that exist between a PSO
                                            when a PSO has entered a contract that                  providers. By focusing on this particular             and the provider with which the PSO is
                                            provides the protections of the Patient                 aspect of reporting relationships, we                 entering or has a Patient Safety Act
                                            Safety Act, i.e., a Patient Safety Act                  have tried to make plain that it is not               contract. A PSO should focus on clarity
                                            contract, and the PSO has other                         our intent to collect information                     and brevity in explaining each
                                            relationships with that contracting                     regarding the multiple ordinary types of              obligation in a single paragraph: A
                                            provider of the types specified below. A                reporting relationships that exist                    sentence or two describing the nature of
                                            disclosure statement is not required if                 routinely between contracting parties.                the obligation, and the remainder of the
                                            the PSO has a Patient Safety contract                   We have made the requirement                          paragraph should address each of the
                                            with a provider and the relationships                   narrower both for clarity and simplicity.             four required disclosures that are
                                            described below are not present, nor is                 The deleted reference to control is                   present and specifically note any of the
                                            a disclosure statement required if the                  addressed by subparagraph (D), which                  four that are not.
                                            relationships are present but there is no               we have narrowed to simply restate the                   As we use the term, an obligation is
                                            Patient Safety Act contract.                            statutory language on what must be                    not limited to services that a PSO
                                               We have restructured the text in the                 disclosed or reported regarding                       renders to a provider (such as
                                            final rule. There are now three                         management, control, and operation                    developing information and undertaking
                                            paragraphs: A restatement of the                        independent of the contracting provider.              analyses or providing a service or
                                            requirement in paragraph (i), a                         We deleted the language requiring a                   technical assistance). An obligation
                                            description of the required content of a                PSO to assess whether any of the                      could also reflect a PSO’s relationship
                                            disclosure statement in paragraph (ii),                 relationships in what is now                          with an investor or owner and any
                                            and the deadlines for submission of                     subparagraph (D) might impair its                     arrangement that affects the PSO’s
                                            disclosure statements set forth in                      ability to perform patient safety                     independence or involves any of the
                                            paragraph (iii).                                        activities fairly and accurately because              statutorily-required disclosures
                                               Section 3.102(d)(2)(i) contains the                  PSOs will now address these issues in                 described above. In developing its list,
                                            following substantive changes.                          the required narrative that comprises                 a PSO should not combine separate and
                                            Compared with the requirements of the                   the second part of the disclosure                     distinct obligations such as more than
                                            proposed rule, this paragraph eliminates                statement, described below.                           one contract, nor should it disaggregate
                                            the need to submit a disclosure                            New § 3.102(d)(2)(ii) specifies the two            a single obligation. For example, if a
dwashington3 on PRODPC61 with RULES3

                                            statement if the PSO’s only other                       required parts of a disclosure statement.             PSO undertakes technology assessments
                                            relationships with this contracting                     The first part must disclose in summary               and has three separate contracts for
                                            provider are limited to Patient Safety                  form succinct descriptions of all of the              different assessments, these would be
                                            Act contracts.                                          obligations that the PSO has with this                three separate obligations and should be
                                               In response to commenters’ questions                 provider. The second part must be a                   reported separately. On the other hand,
                                            and concerns, we have modified the text                 related short narrative (we recommend                 an obligation that has more than one

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00030   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                        70761

                                            task, such as providing assistance in                   and any other policies, procedures, or                relationships’’ between a provider and a
                                            implementing and evaluating a process                   agreements that ensure that the PSO can               PSO. There is no other section of the
                                            improvement, should only be listed                      fairly and accurately perform patient                 rule that would require disclosure of
                                            once; we are not suggesting that PSOs                   safety activities.                                    membership dues or assessments.
                                            report separately on the different                         Section 3.102(d)(2)(iii) of the rule               Before seeking listing, however, a
                                            elements of a single unified project.                   retains the deadlines for submission of               membership organization should
                                               To apply these concepts, consider a                  disclosure statements that were                       carefully assess whether it meets the
                                            hospital that was one of five hospitals                 included in the proposed rule.                        statutory requirement that its primary
                                            that invested in the creation of a PSO                                                                        activity must be the conduct of activities
                                                                                                    Response to Other Public Comments
                                            and the hospital subsequently enters a                                                                        to improve patient safety and the quality
                                            Patient Safety Act contract with the                       Comment: One commenter asked that                  of health care delivery.
                                            PSO. If this investment is the only                     we exempt a PSO with fewer than 5
                                            obligation other than the Patient Safety                clients from releasing the names of its               2. Section 3.104—Secretarial Actions
                                            Act contract that exists between the PSO                clients.                                              (A) Section 3.104(a)—Actions in
                                            and the provider, the PSO’s disclosure                     Response: We note that a PSO never                 Response to Certification Submissions
                                            statement would include only one                        has to reveal the names of its clients                for Initial and Continued Listing as a
                                            obligation and it could be described in                 (providers) as long as the PSO does not               PSO
                                            a single paragraph. Within that                         have the other types of relationships
                                                                                                    described in this subsection with those                  Proposed Rule: Section 3.104(a)
                                            paragraph, the PSO should
                                                                                                    providers. However, when such                         described the actions that the Secretary
                                            systematically address the required
                                                                                                    relationships are present, the statute                could and will take in response to the
                                            statutory disclosures or note that they
                                                                                                    does not provide authority for us to                  certification material submitted for
                                            are not present. In addressing financial
                                                                                                    create such exceptions.                               initial or continued listing as a PSO. We
                                            relationships, the PSO should not
                                            include the amount of the investment or                    Comment: One commenter asked that                  proposed that, in making a listing
                                            specific terms. In this case, the required              we clarify that the required disclosures              determination, the Secretary would
                                            paragraph would describe the essential                  can be made in a way that the PSO does                consider the submitted certifications,
                                            nature of the financial relationship, e.g.,             not breach the confidentiality                        issues related to the history of the
                                            it is a loan requiring repayment over X                 requirements that may be a part of                    entity, and any findings by the Secretary
                                            years; it is a long-term investment                     another contractual arrangement with a                regarding disclosure statements. The
                                            requiring the payment of dividends,                     contracting provider.                                 proposed rule also included authority
                                            etc., whether it was formalized by a                       Response: The Department cannot                    for the Secretary, under certain
                                            contract, whether a reporting                           make a definitive statement that such                 circumstances, to condition the listing
                                            relationship exists, e.g., the provider has             confidentiality agreements can always                 of a PSO. We did not propose a deadline
                                            access to internal quarterly financial                  be honored; this requires a case-by-case              for Secretarial review of certifications
                                            statements not available to other                       determination. A PSO is encouraged to                 submitted, but noted that we expect the
                                            providers, and whether the obligation                   discuss the issue with AHRQ staff                     Secretary to be able to conclude review
                                            gives the provider any ability to control               before submitting a disclosure                        within 30 days of receipt unless
                                            or manage the PSO’s operations, e.g., the               statement. As noted above, the agency’s               additional information or assurances are
                                            provider has a seat on the board or                     public disclosures are constrained by 18              required.
                                            review or veto authority over new                       U.S.C. 1905, but agency officials have                   Overview of Public Comments: We
                                            clients, specific contracts, budgets, staff             some discretion with respect to                       received several comments pertaining to
                                            hiring, etc.                                            determining what information would be                 this section. One comment endorsed the
                                               If the PSO is a subsidiary of a health               restricted under that statute. We note                proposed provision. Another requested
                                            system, the paragraph could indicate                    also that the agency has the discretion               that we modify the rule to require
                                            that PSO is a subsidiary of the provider,               to deny Freedom of Information Act                    Secretarial action within 60 days. A
                                            the provider is the primary source of                   requests for information it regards as                third commenter recommended that the
                                            revenue for the component PSO, the                      confidential commercial information (5                Secretary establish timetables for all
                                            types of internal PSO information to                    U.S.C. 552(b)(4)). Agency                             actions and opposed open-ended
                                            which the provider has access, e.g., all                determinations will be assisted by                    timeframes.
                                            financial, personnel, administrative                    explanations of what is viewed by a                      Final Rule: We have retained the text
                                            internal information, and that the                      submitter as confidential commercial                  from the proposed rule with two
                                            provider manages or controls (or has                    information and the reasons why that is               modifications. The text of
                                            review and approval authority) of day-                  the case.                                             § 3.104(a)(1)(iii) of the proposed rule
                                            to-day decision-making, hiring and                         Comment: One commenter posed a                     stated that the Secretary may require
                                            firing decisions, etc. By incorporating                 series of questions related to an entity              conditions for listing as part of his
                                            the required statutory disclosures into a               that seeks listing that receives general              review of disclosure statements
                                            succinct discussion of the obligations                  membership dues or assessments, i.e.,                 submitted pursuant to § 3.102(d)(2); that
                                            that a PSO has with this provider, we                   whether such general dues or                          text has been retained. We also noted in
                                            anticipate that the descriptions will be                assessments would be considered                       the preamble discussing proposed
                                            more comprehensible.                                    financial relationships and, therefore,               § 3.104(a) that there may be certain
                                               Part II of a disclosure statement must               require the filing of disclosure                      circumstances in which the Secretary
                                            describe why or how the PSO, given the                  statements. The commenter also asked if               determines that it would not be prudent
                                            disclosures in part I, can fairly and                   disclosure of such membership dues or                 to rely solely on the certifications for
dwashington3 on PRODPC61 with RULES3

                                            accurately perform patient safety                       assessments is required under any other               listing submitted by an entity that was
                                            activities. The PSO must address: The                   section of the rule.                                  previously revoked and delisted for
                                            policies and procedures that the PSO                       Response: The Department has                       cause or previously refused listing by
                                            has in place to ensure adherence to                     determined that membership dues or                    the Secretary. In such limited
                                            professional analytic standards and                     general assessments applied to all                    circumstances, we suggested the
                                            objectivity in the analyses it undertakes;              members do not constitute ‘‘financial                 Secretary may seek additional

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00031   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70762            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            assurances from the PSO that would                      midnight of the last day of its applicable            organization systems that contract with
                                            increase the Secretary’s confidence that,               24-month assessment period. If the                    a PSO on behalf of some or all of its
                                            despite the history of the entity and its               Secretary verifies that the PSO has not               hospitals so that a disclosure statement
                                            officers and senior staff, the entity could             met the requirement by the last day of                would not be required, deeming that the
                                            now be relied upon to comply with its                   the 24-month period, he would issue a                 component PSO of a multi-hospital
                                            statutory and regulatory obligations. To                notice of proposed revocation and                     organization can perform patient safety
                                            reflect the potential need for assurances               delisting.                                            activities fairly and accurately. Another
                                            in such cases, and to better align the text               Overview of Public Comments: We                     suggestion was that the Secretary should
                                            with the preamble discussion of the                     received no comments on this                          adopt a standard requiring that there be
                                            proposed rule, we have modified the                     subsection.                                           no conflicts of interests.
                                            text of § 3.104(a)(1)(iii) to permit the                  Final Rule: The final rule incorporates               Final Rule: We have retained much of
                                            Secretary to condition the listing of a                 the substance of the NPRM text without                the text from the proposed rule but have
                                            PSO in this limited circumstance to                     modification but restructures the text for            modified the paragraph setting forth the
                                            ensure that such a PSO honors the                       clarity. The restructured text clarifies              basis for the Secretary’s findings
                                            assurances it makes in seeking listing.                 that the Secretary will only issue a                  regarding disclosure statements. In light
                                               The second change is a conforming                    notice of a preliminary finding of                    of the comments, we have deleted the
                                            modification to the basis for the                       deficiency after the date on which a                  reference to ‘‘nature, significance, and
                                            Secretary’s determination in                            PSO’s notification to the Secretary is                duration’’ as not appropriate in every
                                            § 3.104(a)(2), which specifically                       required by § 3.102(d)(1).                            circumstance. The modification to the
                                            recognizes the right of the Secretary to                (C) Section 3.104(c)—Actions Regarding                rule now requires the Secretary to
                                            take into account any history of or                     Required Disclosures by PSOs of                       consider the disclosures made by the
                                            current non-compliance with                             Relationships With Contracting                        PSO and an explanatory statement from
                                            requirements of the rule by officials and               Providers                                             the PSO making the case for why the
                                            senior managers of the entity. This                                                                           PSO can fairly and accurately perform
                                            change also mirrors the requirement in                     Proposed Rule: Section 3.104(c) of the
                                                                                                    proposed rule stated that the Secretary               patient safety activities.
                                            § 3.102(a)(1) that entities seeking listing
                                                                                                    would evaluate a disclosure statement                   We have not adopted the other
                                            inform the Secretary if their officials or
                                                                                                    submitted by a PSO regarding its                      suggestions. As we discuss above, with
                                            senior managers held comparable
                                                                                                    relationships with contracting providers              respect to § 3.102(d)(2), we agree with
                                            positions in a PSO that was delisted or
                                                                                                    by considering the nature, significance,              the commenter that there is little reason
                                            with an entity that was denied listing by
                                                                                                    and duration of the relationships                     for a provider organization to exert
                                            the Secretary.
                                               We have not accepted the                             between the PSO and the contracting                   inappropriate control over its
                                            commenter’s recommendation to                           provider. We sought public comment on                 component PSO. At the same time we
                                            establish a regulatory deadline of 60                   other appropriate factors to consider.                do not believe the statute permits us to
                                            days for Secretarial action. This is a                  The statute requires disclosure of the                waive Secretarial review under any set
                                            novel initiative and without a better                   Secretary’s findings, and we proposed                 of circumstances.
                                            sense of the potential issues that may                  public release, consistent with the                     We do not agree with commenters
                                            arise, such as when a delisted PSO seeks                Freedom of Information Act and 18                     that the common formats inter-agency
                                            a new listing, we are reluctant to                      U.S.C. 1905, of PSO disclosure                        work group is the appropriate group to
                                            circumscribe the flexibility that the                   statements as well.                                   address disclosure statements. At this
                                            statute and the proposed rule provided                     This proposed section also listed the              time, their informatics and clinical
                                            the Secretary. In addition, the statute                 statutorily permissible actions that the              expertise and responsibilities are not
                                            requires an affirmative acceptance and                  Secretary could take following his                    congruent with assisting in the design or
                                            listing action by the Secretary. Listing                review: Conclude that the disclosed                   substantive requirements for disclosure
                                            cannot occur as a result of any failure                 relationships require no action on his                statements.
                                            to meet a deadline. Accordingly, we                     part or, depending on whether the entity              (D) Section 3.104(d)—Maintaining a List
                                            have not adopted the recommendation.                    is listed or seeking listing, condition his           of PSOs
                                                                                                    listing of the PSO, exercise his authority
                                            (B) Section 3.104(b)—Actions Regarding                  to refuse to list, or exercise his authority             Proposed Rule: The proposed rule
                                            PSO Compliance With the Minimum                         to revoke the listing of the entity. The              sought to incorporate in § 3.104(d) the
                                            Contract Requirement                                    Secretary would notify each entity of his             statutory requirement that the Secretary
                                               Proposed Rule: Section 3.104(b) of the               findings and decisions.                               compile and maintain a list of those
                                            proposed rule stated that, after                           Overview of Public Comments: One                   entities whose PSO certifications have
                                            reviewing the required notification from                commenter suggested that our proposal                 been accepted and which certifications
                                            a PSO regarding its compliance with the                 that the Secretary consider the nature,               have not been revoked or voluntarily
                                            minimum contract requirement, the                       significance, and duration of the                     relinquished. We proposed that the list
                                            Secretary would, for a PSO that attests                 relationship in evaluating the                        would include information related to
                                            that it has met the requirement, would                  relationships had no statutory                        certifications for listing, disclosure
                                            acknowledge in writing receipt of the                   foundation. Another commenter                         statements, compliance with the
                                            attestation and include information on                  suggested that we take into account                   minimum contract requirement, and any
                                            the list of PSOs. If the PSO notifies the               corrective action. Several commenters                 other information required by this
                                            Secretary that it has not yet met the                   proposed that we rely upon the inter-                 Subpart. We noted that we expected to
                                            requirement, or if notification is not                  agency work group that is assisting                   post this information on the AHRQ PSO
dwashington3 on PRODPC61 with RULES3

                                            received from the PSO by the required                   AHRQ in developing common formats                     Web site, and sought comment on
                                            date, the proposed rule stated that the                 and definitions for reporting patient                 whether there are specific types of
                                            Secretary would promptly issue a notice                 safety work product to assist in                      information that the Secretary should
                                            of a preliminary finding of deficiency                  developing disclosure statements. One                 consider posting routinely on this Web
                                            and provide the PSO an opportunity for                  commenter suggested that we create a                  site for the benefit of PSOs, providers,
                                            correction that will extend no later than               ‘‘safe harbor’’ for multi-hospital parent             and other consumers of PSO services.

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00032   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                         70763

                                               Overview of Public Comments: In                      for three years, unless the Secretary                 to review and make a determination
                                            addition to the list in the proposed rule,              revokes the listing or the PSO                        regarding certifications for continued
                                            several commenters urged that we post                   voluntarily relinquished its status. We               listing. The second modification
                                            the contact information for the parent                  also proposed that the Secretary would                incorporates our proposal to post a
                                            organizations, subsidiaries, and                        send a written notice of imminent                     notice on the AHRQ PSO website, for
                                            affiliates, a list of states in which the               expiration to a PSO no later than 45                  which commenters expressed strong
                                            parent organization does business, and                  calendar days before its listing expires              support. In combination, we expect
                                            the business objectives of the parent                   if the Secretary has not received a                   these modifications will provide both
                                            organizations, and whether each parent                  certification seeking continued listing.              the PSO and the providers from which
                                            organization is for-profit or not-for-                  We sought comment on a requirement                    it receives data sufficient notice that the
                                            profit.                                                 that the Secretary publicly post the                  entity’s period of listing is drawing to a
                                               Two commenters suggested that the                    names of PSOs to which a notice of                    close.
                                            Secretary’s guidance on common                          imminent expiration has been sent.                       We have not incorporated the
                                            reporting formats and definitions should                   Overview of Public Comments:                       recommendation to require PSOs
                                            be available on the PSO Web site. One                   Commenters were virtually unanimous                   receiving the notice to contact all
                                            commenter urged that the final rule and                 that, at the time we send a PSO a notice              providers. We expect most providers
                                            contact information for AHRQ staff                      of imminent expiration, we should post                and PSOs to take advantage of AHRQ’s
                                            should also be available there. Another                 similar information on the AHRQ PSO                   existing listserv that will provide
                                            commenter suggested that, since AHRQ                    website. Several commenters suggested                 electronic notice to all subscribers when
                                            works with PSOs, the value to                           that PSOs should be required to notify                a notice such as this is posted on the
                                            prospective providers would be                          providers that the PSO has received a                 AHRQ PSO website. Providers will also
                                            increased if we posted information on                   notice of imminent expiration and                     be able to sign up on the web site to
                                            areas of specialization of individual                   expressing concerns about the time                    receive individual emails if their PSO
                                            PSOs and use the Web site as one tool                   needed for providers to make alternative              becomes delisted. In this way, we can be
                                            for facilitating confirming analyses by                 arrangements. One commenter                           assured that notification is sent to, and
                                            other PSOs of initial work.                             suggested that notice to providers                    received by, all interested parties.
                                               Final Rule: The final rule incorporates              should be a part of the contract with the
                                            the proposed rule text without                          PSO. Another suggested that the                       (F) Section 3.104(f)—Effective Date of
                                            modification. We have not modified the                  Department establish an email listserv                Secretarial Actions
                                            text of the rule because most of the                    that providers could join for alerts such                Proposed Rule: The proposed rule in
                                            recommendations relate to information                   as this. One commenter opposed public                 section 3.104(f) states that, unless
                                            that AHRQ will be receiving or                          notice and one expressed conditional                  otherwise specified, the effective date of
                                            producing for PSOs and can be posted                    support, provided the Department                      each action by the Secretary would be
                                            to the Web site without additions or                    ensured the accuracy of the information               specified in the written notice that is
                                            changes to the rule text.                               on the Web site.                                      sent to the entity. We noted that the
                                            Recommendations to post information                        Final Rule: We have modified and                   Department anticipates sending notices
                                            related to AHRQ staff and the final rule                redrafted § 3.104(e) of the final rule. The           by electronic mail or other electronic
                                            can be done without regulation as well.                 final rule retains the proposed provision             means in addition to a hard copy
                                            As AHRQ provides technical assistance                   that the period of listing will be for                version. We also pointed out that for
                                            to PSOs and works with the provider                     three years, unless revoked or                        listing and delisting decisions, the
                                            community to encourage the use of PSO                   relinquished. The first modification is               Secretary would specify both an
                                            services, we expect to publish                          that this section now explicitly provides             effective time and date for such actions
                                            information on the Web site that PSOs                   for the automatic expiration of a PSO’s               in the written notice to ensure clarity
                                            and the provider community request. In                  listing at the end of three years, unless             regarding when information received by
                                            addition, the names and contact                         the Secretary approves its certification              the entity will be protected as patient
                                            information of parent organizations of                  for continued listing before the date of              safety work product.
                                            component PSOs and other information                    expiration. By incorporating this                        Overview of Public Comments: We
                                            submitted at listing will be posted in                  modification and making the process                   received no public comments on this
                                            accordance with the proposed rule text.                 automatic, we have been able to                       subsection.
                                               Commenters urged us to post some                     eliminate the proposal in § 3.108(c) for                 Final Rule: The final rule incorporates
                                            information that we have no plans to                    a process we termed ‘‘implied voluntary               the proposed rule text without
                                            collect, and, therefore, we have not                    relinquishment.’’ In comparison with                  modification.
                                            accepted their recommendations. Most                    the proposed rule approach, which
                                            of these recommendations related to the                 required the Secretary to take                        3. Section 3.106—Security
                                            business objectives, or the for-profit or               affirmative action to delist a PSO that let           Requirements
                                            not-for-profit status of parent                         its certifications lapse, this automatic                 Proposed Rule: Section 3.106 of the
                                            organizations of component PSOs. In                     approach simplifies the administrative                proposed rule outlined a framework
                                            our view, requiring component                           process.                                              consisting of four categories for the
                                            organizations to submit such                               We have modified subparagraph                      security of patient safety work product
                                            information would be burdensome and                     3.104(e)(2) in two ways. We will send a               that PSOs would consider in developing
                                            unnecessary. Providers will be able to                  PSO a notice of imminent expiration                   policies and procedures for the
                                            find that information by using the                      even earlier—at least 60 days rather                  protection of data. Because § 3.106
                                            published contact information on PSOs                   than 45 days—before its certifications                contains only two subsections and we
dwashington3 on PRODPC61 with RULES3

                                            and parent organizations.                               expire. We adopted the earlier                        received few comments, we will discuss
                                                                                                    notification date in response to general              both subsections of the rule together.
                                            (E) Section 3.104(e)—Three-Year Period                  concerns reflected in the comments                       Section 3.106(a) proposed that the
                                            of Listing                                              about the time a provider needed to                   security requirements of this section
                                              Proposed Rule: Section 3.104(e)                       make alternative arrangements and to                  would apply to each PSO, its workforce
                                            proposed that listing as a PSO would be                 ensure sufficient time for the Secretary              members, and its contractors whenever

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00033   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70764            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            the contractors hold patient safety work                   While there were few comments                         The most significant substantive
                                            product. If contractors cannot meet                     overall on this section of the rule, the              change in the security framework is in
                                            these security requirements, we                         specific provision that elicited the most             § 3.106(b)(2), which had required the
                                            proposed that their tasks be performed                  concern was the requirement in                        separation of patient safety work
                                            at locations at which the PSO can meet                  § 3.106(b)(2) that patient safety work                product from non-patient safety work
                                            these requirements. We stated that the                  product needed to be maintained                       product at all times. Based on comments
                                            rule does not impose these requirements                 securely separate from other systems of               received, we have modified both the
                                            on providers; this Subpart would only                   records. As discussed above with                      title of § 3.106(b)(2) and the text of
                                            apply to PSOs.                                          respect to obligations of component                   § 3.106(b)(2)(i). Section 3.106(b)(2) is
                                               Proposed § 3.106(b) would have                       organizations, commenters expressed                   now entitled ‘‘Distinguishing Patient
                                            established a framework consisting of                   concern regarding the potential burden                Safety Work Product,’’ rather than
                                            four categories for the security of patient             of such a requirement and several                     ‘‘Separation of Systems,’’ and
                                            safety work product that a PSO must                     pointed to the analytic benefits of being             § 3.106(b)(2)(i) recognizes that the
                                            consider. We proposed that each PSO                     able to readily merge data sets for                   security of patient safety work product
                                            develop appropriate and scalable                        specific analyses. It was recommended                 can be maintained either when patient
                                            standards that are suitable for the size                that the final rule permit the patient                safety work product is maintained
                                            and complexity of its organization.                     safety work product and non-patient                   separately from non-patient safety work
                                               The four categories of the framework                 safety work product to be stored in the               product or when it is co-located with
                                            would have included: Security                           same database as long as the security                 non-patient safety work product,
                                            management issues (documenting its                      requirements are implemented for the                  provided that the patient safety work
                                            security requirements, ensuring that its                database as a whole.                                  product is distinguishable. This will
                                            workforce and contractors understand                       Another commenter pointed to the                   ensure that the appropriate form and
                                            the requirements, and monitoring and                    confusion, inconsistency, and errors                  level of security can be maintained. This
                                            improving the effectiveness of its                      that were likely to result from the rule              change responds to several comments
                                            policies and procedures); separation of                 text in which each paragraph began                    that opposed the absolute requirement
                                            systems (required physical separation of                with the words that a PSO ‘‘must                      for separation in the proposed rule.
                                            patient safety work product, appropriate                address’’ each security issue within the                 While we have, thus, allowed greater
                                            disposal or sanitization of media, and                  framework while introductory                          procedural flexibility, we caution PSOs
                                            preventing physical access to patient                   paragraph (b) indicated that PSOs                     to be attentive to ensuring that patient
                                            safety work product by unauthorized                     merely needed to ‘‘consider’’ the                     safety work product remains
                                            users or recipients); security control and              security framework.                                   distinguishable at all times if it is not
                                            monitoring controls (ability to identify                   Final Rule: We have modified the text              kept separated. To the extent that
                                            and authenticate users, an audit                        of § 3.106 both to improve its clarity in             patient safety work product becomes co-
                                            capacity to detect unlawful,                            non-substantive ways and to incorporate               mingled with non-protected
                                            unauthorized, or inappropriate                          several substantive modifications in                  information, there is increased risk of
                                            activities, and controls to preclude                    response to the comments we received.                 impermissible disclosures and
                                            unauthorized removal, transmission or                   The changes to § 3.106(a) are for clarity.            violations of the confidentiality
                                            disclosures); and policies and                          For uniformity and brevity, throughout                requirements of the rule and the Patient
                                            procedures for periodic assessment of                   § 3.106, we have standardized                         Safety Act.
                                            the effectiveness and weaknesses of its                 references regarding the application of                  We have also eliminated a reference
                                            overall approach to security (determine                 security requirements to the ‘‘receipt,               to a PSO determination of
                                            when it needs to undertake risk                         access, and handling’’ of patient safety              appropriateness that was in the text of
                                            assessment exercises and specify how it                 work product. The rule text defines                   the proposed rule in § 3.106(b)(4)(i) as
                                            would assess and adjust its procedures                  ‘‘handling’’ of patient safety work                   redundant, since the rule permits a PSO
                                            to ensure the security of its                           product as including its processing,                  to develop appropriate and scalable
                                            communications involving patient                        development, use, maintenance, storage,               standards for each element of the
                                            safety work product to and from                         removal, disclosure, transmission and                 security framework, including this
                                            providers and other authorized parties).                destruction.                                          element.
                                               Overview of Public Comments: There                      We have incorporated several                          Given the strong support for our
                                            were no public comments that                            modifications to the text of § 3.106(b).              flexible and scalable framework, we
                                            specifically addressed § 3.106(a) of the                We have both simplified the text of the               have not adopted recommendations of
                                            rule. Commenters focused instead on                     opening paragraph of this subsection                  two commenters to substitute the
                                            the overall security framework                          and substituted the requirement that                  HIPAA Security Rule for these
                                            established by § 3.106(b). The majority                 ‘‘PSOs must have written policies and                 provisions. We would expect that PSOs
                                            of commenters supported the proposed                    procedures that address’’ for the                     that are familiar with, and have existing
                                            requirements and emphasized the                         language of the proposed rule that stated             rules that implement, the HIPAA
                                            concepts of scalability and flexibility                 the ‘‘PSO must consider.’’ We agree                   Security Rule will incorporate those
                                            that were reflected in the proposed rule.               with the commenter that retention of the              standards as appropriate, when they
                                            Two commenters urged the Department                     proposed rule language would create                   develop their written policies and
                                            to adopt the HIPAA Security Rule                        confusion regarding what is required of               procedures to implement security for
                                            instead. Another commenter suggested                    a PSO. By retaining the language that                 the patient safety work product they
                                            that the final rule should emphasize the                permits a PSO to develop specific                     receive, access and handle. The security
                                            need for PSOs to maintain up-to-date                    standards that address the security                   framework presented here does not
dwashington3 on PRODPC61 with RULES3

                                            security processes and urged that the                   framework in this section with                        impose any limitations on the ability of
                                            final rule specifically recognize that                  standards that are appropriate and                    PSOs to incorporate or address
                                            PSOs can include HIPAA Security Rule                    scalable, we intend to retain flexibility             additional security requirements or
                                            requirements in their business associate                for PSOs to determine how they will                   issues as the PSO determines to be
                                            contracts with providers that are                       address each element of the security                  appropriate. The flexible approach we
                                            covered entities.                                       framework.                                            have adopted should minimize the

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00034   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                         70765

                                            potential for conflict with the                         incorrect. The Secretary could then                   entity’s certification and delist a PSO for
                                            requirements of other programs. By                      withdraw the notice or require the PSO                cause. The eight commenters that
                                            taking advantage of this flexibility, and               to proceed with correction. The                       specifically addressed the issue
                                            ensuring that its security requirements                 preamble sought comment on whether                    recommended inclusion of such a
                                            also address the requirements of the                    there should be an expedited revocation               mechanism.
                                            HIPAA Security Rule, a PSO should be                    process when deficiencies are not, or                    Final Rule: The final rule incorporates
                                            able to meet its obligations as a business              cannot, be cured. Public comment and                  only technical modifications to the text
                                            associate of any provider that is also a                the provisions of the final rule are                  of subsection 3.108(a). The deletion of
                                            ‘‘covered entity’’ under HIPAA                          discussed below in new subsection (e),                text in § 3.108(a)(1)(ii) is intended to
                                            regulations.                                            expedited revocation.                                 clarify that the basis for revocation and
                                                                                                       Following the correction period,                   delisting matches our intent in the
                                            4. Section 3.108—Correction of                          proposed § 3.108(a)(3) would have                     proposed rule, i.e., the failure to meet
                                            Deficiencies, Revocation and Voluntary                  required the Secretary to determine                   the two-contract requirement, not the
                                            Relinquishment                                          whether a deficiency has been                         failure to timely notify the Secretary
                                               Section 3.108 establishes the                        corrected. The Secretary could                        that the requirement had been met. In
                                            processes and procedures related to                     determine: (1) The deficiency is                      addition, we have incorporated a related
                                            correction of deficiencies, revocation,                 corrected and withdraw the notice of                  new § 3.108(e) that establishes a new
                                            and voluntary relinquishment. Section                   deficiency; (2) additional time for, or               expedited revocation process to be used
                                            3.108(a) establishes the processes and                  modification of, the required corrective              in exceptional circumstances.
                                            procedures for correction of deficiencies               action is warranted; or (3) the deficiency               Despite the strong support by
                                            by PSOs and, when deficiencies have                     is not corrected, the PSO has not acted               commenters that we incorporate in the
                                            not been timely corrected, the process                  with reasonable diligence or timeliness,              final rule an opportunity for an
                                            leading to a decision by the Secretary to               and issue a Notice of Proposed                        administrative appeal when the
                                            revoke his acceptance of the entity’s                   Revocation and Delisting.                             Secretary decides to revoke his
                                            certification and delist a PSO. Section                    Section 3.108(a)(4) would have                     acceptance of a PSO’s certification and
                                            3.108(b) sets forth the actions that the                provided an automatic 30 calendar day                 delist a PSO for cause, we have not
                                            Secretary and a PSO must take                           period, unless waived by the PSO, for it              modified the rule. The process
                                            following a decision by the Secretary to                to respond in writing to the proposed                 described in § 3.108(a) permits an early
                                            revoke his acceptance of the entity’s                   revocation and delisting. If a PSO fails              response to findings of deficiency and
                                            certification and delist the entity.                    to submit a written response, the                     where facts cited by the Secretary are
                                            Section 3.108(c) establishes the process                Secretary would revoke his acceptance                 correct, the process emphasizes the
                                            by which an entity can voluntarily                      of its certification, and delist the entity.          Department will work with PSOs to
                                            relinquish its status as a PSO. Section                 After review of the response and other                correct deficiencies, rather than
                                            3.108(d) requires publication of notices                relevant information, § 3.108(a)(5)                   punishing PSOs for deficiencies. Given
                                            in the Federal Register whenever an                     proposed that the Secretary could                     the flexibility and extensive nature of
                                            entity is being removed from listing.                   affirm, reverse, or modify the notice of              the communication and correction
                                            New § 3.108(e) establishes an expedited                 proposed revocation and delisting, and                opportunities and procedures outlined
                                            process for revoking the Secretary’s                    notify the PSO in writing of his decision             in 3.108(a), we expect that the
                                            acceptance of the entity’s certification                with respect to any revocation of his                 revocation process will be utilized
                                            under certain circumstances.                            prior acceptance of its certification and             rarely, and only after significant efforts
                                                                                                    delisting. We noted that the proposed                 have been made to bring a PSO back
                                            (A) Section 3.108(a)—Process for
                                                                                                    rule did not include an administrative                into compliance. However, if a PSO is
                                            Correction of a Deficiency and
                                                                                                    process for appealing the Secretary’s                 not working with us in good faith to
                                                                                                    decision to revoke his acceptance of the              correct any remaining deficiencies,
                                               Proposed Rule: Section 3.108(a) listed               entity’s certification and delist a PSO,              there must be a timely finality to the
                                            in paragraph (a)(1) the circumstances                   and specifically sought public comment                process. For this system to work,
                                            that could lead to revocation and                       on our approach.                                      providers must have confidence that the
                                            delisting and the remaining subsections                    Overview of Public Comments:                       Department will act in a timely manner
                                            set forth our proposed process for                      Commenters focused on the due process                 when a PSO chooses not to meet its
                                            correction by a PSO of a deficiency                     aspects of subsection (a). While most                 statutory and regulatory obligations.
                                            identified by the Secretary and, if the                 commenters commended the proposed
                                            deficiencies are not timely corrected or                rule for its focus on working with PSOs               Response to Other Public Comments
                                            cannot be ‘‘cured,’’ the process that                   to resolve deficiencies and its inclusion                Comment: One commenter
                                            could lead to the revocation and                        of due process elements throughout the                recommended that the rule provide
                                            delisting. We review the entirety of                    process, the commenters recommended                   some degree of transparency regarding
                                            § 3.108(a) here.                                        that the final rule incorporate an                    PSOs that have received notice of
                                               Once the Secretary believes that a                   additional opportunity for an                         deficiencies by posting some limited
                                            PSO is deficient in meeting its                         administrative appeal of a revocation                 information about this on the PSO Web
                                            requirements, proposed § 3.108(a)(2)                    and delisting decision and expressed                  site.
                                            outlined the processes he would follow.                 concern that the final rule should not                   Response: The Department gave
                                            First, the Secretary would send a                       limit the due process rights and                      careful consideration to this comment
                                            written notice of a preliminary finding                 opportunities that had been proposed.                 because of our overall commitment to
                                            of deficiency; the contents of the                         For example, while several                         providing transparency wherever
dwashington3 on PRODPC61 with RULES3

                                            deficiency notice are specified in the                  commenters endorsed our overall                       possible. Our conclusion is that we will
                                            rule. Following receipt of the notice, a                approach, no commenter specifically                   not post information on deficiencies
                                            PSO would have 14 days to correct the                   stated agreement with our decision not                because of our concern that this will
                                            record by submitting evidence that the                  to include an administrative appeal                   undermine another of our objectives,
                                            information on which the preliminary                    mechanism following a decision by the                 which is to promote and permit
                                            finding had been based was factually                    Secretary to revoke his acceptance of the             correction of deficiencies in a non-

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00035   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70766            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            punitive manner. Providers considering                  Department believed that it had an                    continue to generate new patient safety
                                            entering a contract with a specific PSO                 obligation to establish a process for truly           work product.
                                            are, of course, free to seek information                exceptional circumstances. We do not                     Section 3.108(b)(3) proposed to
                                            from the PSO regarding whether it has                   intend to use this authority as a                     implement the statutory requirements
                                            received deficiency notices and is                      substitute for the normal process                     regarding the disposition of patient
                                            currently under an obligation to take                   established by subsection (a). Thus, if a             safety work product or data following
                                            corrective actions.                                     conflict-of-interest does not raise the               revocation and delisting of a PSO. The
                                               Comment: Another commenter                           prospect of serious adverse                           three alternatives provided by the
                                            suggested that the final rule specifically              consequences for providers or others, it              statute are: Transfer of the patient safety
                                            recognize the authority of the Secretary,               is our intention to use the correction                work product with the approval of the
                                            if warranted by the circumstances that                  processes of subsection (a).                          source from which it was received to a
                                            led to the delisting of a PSO, to debar                    Comment: Would a provider’s patient                PSO which has agreed to accept it;
                                            the entity from seeking a new listing for               safety work product be at risk if the                 return of the patient safety work product
                                            a period of time.                                       Department failed to alert the provider               or data to the source from which it was
                                               Response: We have not adopted this                   in a timely manner of a deficiency in its             received; or, if return is not practicable,
                                            specific suggestion, but we note that the               PSO?                                                  destruction of such work product or
                                            Secretary is not required to relist an                                                                        data. We noted that the text of the
                                                                                                       Response: No. As we pointed out in
                                            entity automatically. The Secretary can                                                                       proposed rule refers to the ‘‘source’’ of
                                                                                                    the preamble discussion of § 3.108 in
                                            and will take into account the reasons                                                                        the patient safety work product or data;
                                                                                                    the proposed rule, the presence of
                                            for the revocation and delisting and the                                                                      this would be a broader formulation
                                                                                                    deficiencies or the fact that an entity is
                                            entity’s compliance with its obligations                                                                      than the statutory language and includes
                                                                                                    undergoing revocation has no impact on
                                            following revocation and delisting.                                                                           individuals. The statute does not
                                               Comment: Several commenters                          the information submitted to the entity
                                                                                                                                                          establish a time frame for a PSO to
                                            suggested that the period of time                       by providers until the date and time that
                                                                                                                                                          comply with disposition requirements;
                                            provided to the PSO to submit a written                 an entity is revoked and removed from
                                                                                                                                                          we sought comment on setting a
                                            response to a notice of proposed                        listing. If the PSO is revoked and
                                            revocation and delisting should be                      delisted for cause, the statute provides                 Overview of Public Comments: Most
                                            expanded from 30 days to 45 days.                       an additional 30-day period that begins               commenters addressed the specific
                                               Response: We have not accepted this                  at the time of delisting during which                 questions raised in the proposed rule,
                                            recommendation. We recognize the                        data reported to the former PSO receives              although a few commenters raised
                                            importance of striking a balance                        the same protections as patient safety                questions and offered recommendations
                                            between providing an entity sufficient                  work product.                                         related to the requirements for
                                            time to respond to such a notice and                    (B) Section 3.108(b)—Revocation of the                disposition of patient safety work
                                            ensuring that providers can have                        Secretary’s Acceptance of a PSO’s                     product. In response to the
                                            confidence that the Department will act                 Certification                                         Department’s question in the proposed
                                            in a timely manner when a PSO do not                                                                          rule of whether there were other steps
                                            meet its obligations. It is important to                   Proposed Rule: When the Secretary                  that the Secretary could take to ensure
                                            realize that by the time the PSO receives               makes a determination to remove the                   that providers were informed when a
                                            a notice of proposed revocation and                     listing of a PSO for cause, proposed                  PSO to which they reported data was
                                            delisting under the process set forth in                § 3.108(b)(1) required the Secretary to               revoked and delisted, many commenters
                                            § 3.108(a)(3), the Department has                       establish, and notify the entity, of the              concluded that the statutory
                                            already worked with the PSO to correct                  effective date and time of its delisting              requirement for notification by the
                                            the deficiencies and has indicated                      and inform the entity of its obligations              former PSO was sufficient. Others urged
                                            remaining problems so the PSO will                      under §§ 3.108(b)(2) and 3.108(b)(3).                 AHRQ to post notices of revocation and
                                            have reason to anticipate any such                         Section 3.108(b)(2) proposed to                    delisting on the PSO website. Several
                                            notice of proposed revocation in                        implement two statutory provisions.                   commenters urged the Secretary to
                                            advance of its issuance. Thus the PSO,                  First, the former PSO would be required               require the former PSO to provide
                                            realistically, will have more than 30                   to notify providers with which it has                 AHRQ with a list of its providers when
                                            days to prepare its response to a                       been working of its removal from listing              it submits its required confirmation 15
                                            proposed revocation.                                    and confirm to the Secretary within 15                days after revocation that it has notified
                                               Comment: One commenter suggested                     days of the date of revocation and                    providers. Presumably, the intent was to
                                            that, if the Secretary determines that the              delisting that it has done so. In light of            permit the Secretary to follow up with
                                            PSO has conflicts of interest, this should              the brief notification period, we sought              these providers to confirm that they had
                                            serve as a basis for proceeding directly                comment on whether there are other                    been notified.
                                            to revocation.                                          steps the Secretary should take to                       There were only three comments in
                                               Response: The Department recognizes                  ensure that affected providers receive                response to our question in the
                                            the commenter’s underlying point that                   timely notice. Second, this subsection                proposed rule whether it was
                                            conflicts of interest may, in fact, not be              would have reaffirmed the continued                   appropriate to require disposition of
                                            curable and thus, in certain                            protection of patient safety work                     patient safety work product that was
                                            circumstances, may warrant proceeding                   product received while the entity was                 received from all sources. Two
                                            directly to revocation. To the extent that              listed. In addition, any data received by             comments supported our interpretation
                                            such a conflict of interest provides a                  the former PSO from a provider in the                 of the statutory requirement. One
                                            basis for the Secretary determining that                30 days following the date of revocation              commenter raised concerns that this
dwashington3 on PRODPC61 with RULES3

                                            continued listing would have serious                    and delisting would be accorded the                   requirement could be difficult to
                                            adverse consequences, we could address                  same protections as patient safety work               accomplish.
                                            it under § 3.108(e), the subsection                     product. We noted that this additional                   Commenters strongly supported
                                            establishing the new expedited                          period of protection was only for the                 inclusion in the final rule of a deadline
                                            revocation process. We should note that,                benefit of providers reporting data; it               by which former PSOs needed to
                                            in crafting that new authority, the                     would not permit a former PSO to                      complete their disposition of patient

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00036   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                       70767

                                            safety work product. Some commenters                    regarding the continued protections for               patient safety work product and data.
                                            suggested that we follow existing                       patient safety work product reported to               We note that Subpart C permits
                                            HIPAA guidelines and others suggested                   a PSO before the effective date of a                  disclosure of non-identifiable patient
                                            that the rule set a deadline, ranging from              revocation and delisting action by the                safety work product at any time by a
                                            90 days to 180 days following the date                  Secretary and the protections for data                PSO. However, after the date and time
                                            of revocation. One commenter suggested                  reported to the former PSO during the                 that the Secretary sets for revocation
                                            setting standards linked to the volume                  30-day period following the date of                   and delisting, the former PSO must
                                            of patient safety work product held by                  delisting. The modification requires the              follow the prescribed disposition
                                            the former PSO.                                         former PSO to include this information                requirements. Thus, prior to the
                                               The options for disposition of patient               in its notices to providers regarding its             effective date and time of a PSO’s
                                            safety work product elicited a number of                delisting. We incorporated this                       delisting, the PSO can transfer to
                                            comments. Some noted the difficulty of                  modification to better effectuate the                 another PSO non-identifiable and
                                            returning patient safety work product to                statutory purpose by ensuring that the                anonymized patient safety work
                                            its source as the former PSO closes its                 providers contacted by the former PSO                 product, without consent of the
                                            operations and expressed concern that                   are aware of these protections for the                source(s) of that information.
                                            destruction was not an option until the                 data they may still want to report during                Comment: One commenter suggested
                                            PSO concluded that returning the work                   the 30-day period.                                    that there may be good business reasons
                                            product was not possible. In the view of                   Several commenters sought ways to                  for a former PSO that has been delisted
                                            this commenter, this could lead a PSO                   preserve patient safety work product                  to retain patient safety work product
                                            to simply abandon the patient safety                    and data for continued learning.                      and asked that we provide that option.
                                            work product since it may have neither                  However, the requirements for                            Response: The statutory disposition
                                            time nor resources to contact the                       disposition of patient safety work                    requirement does not permit such an
                                            sources of the work product. However,                   product and ‘‘data’’ in the final                     option for an entity that is revoked and
                                            most commenters focused on the                          regulation follow the statutory                       delisted for cause, and the final rule
                                            importance of identifying ways to avoid                 formulation. We note that ‘‘data’’ in this            mirrors this limitation. A PSO that
                                            destruction of patient safety work                      context refers to information submitted               voluntarily relinquishes its status is
                                            product.                                                to a former PSO in the 30 days following              required to attest that it has made all
                                               Final Rule: Section 3.108(b) has been                its delisting. Some amount of patient                 reasonable efforts to comply with the
                                            modified in several ways. The first                     safety work product can be preserved if               disposition requirements.
                                            changes, in § 3.108(b)(1), are technical                the PSO shares or discloses this
                                            changes. The first change renames the                                                                            Comment: One commenter noted that
                                                                                                    information prior to the effective date of
                                            section to more accurately describe its                                                                       the disposition options appear to be
                                                                                                    its revocation as permitted by the rule,
                                            provisions. The second technical change                                                                       premised on a concept of the source’s
                                                                                                    e.g., to other PSOs in non-identifiable or
                                            incorporates two additional cross-                                                                            ownership interest in the patient safety
                                                                                                    anonymized form.
                                            references to the ability of the Secretary                 We have modified the text of                       work product provided to the PSO.
                                            to revoke his acceptance of a PSO’s                     § 3.108(b)(3) in one respect. In response             Noting that as PSOs continue to
                                            certifications and delist an entity                     to comments, we require the disposition               aggregate data from multiple providers
                                            pursuant to the new expedited                           requirement to be completed within 90                 or through the sharing of work product
                                            revocation process established in                       days. Some commenters suggested that                  with other PSOs, the commenter
                                            § 3.108(e).                                             we follow existing HIPAA guidelines in                asserted that at some point the PSO’s
                                               We have not imposed any new                          establishing deadlines for the                        work product becomes its own. The
                                            requirements on the Department in                       disposition of patient safety work                    question to consider is whether this
                                            § 3.108(b)(2) to notify providers. Many                 product. Neither the HIPAA Privacy                    distinction can be made in applying the
                                            commenters did not see the need for                     Rule nor the HIPAA Security Rule have                 disposition requirement.
                                            additional intervention by the                          deadlines for the disposition of                         Response: The Department reads the
                                            Department and several commenters                       protected health information. Providers               disposition requirement of the Patient
                                            suggested additional steps that we can                  are, of course, free to establish in their            Safety Act to apply to all patient safety
                                            and will take independent of the rule.                  contracts an earlier date for disposition             work product and data held by an
                                            For example, AHRQ has already                           of their patient safety work product or               involuntarily delisted former PSO. Most
                                            established an e-mail-based listserv for                data and may provide prior                            work product created by PSOs will be
                                            individuals interested in electronic                    authorization for transfer to another                 based upon reports from providers.
                                            alerts regarding the agency’s                           PSO.                                                  While the commenter points to repeated
                                            implementation of the Patient Safety                                                                          aggregation of data from larger and
                                            Act. Following publication of the final                 Response to Other Public Comments                     larger numbers of providers as making
                                            rule, AHRQ will encourage all                             Comment: One commenter asked                        the linkage to the reporting providers
                                            interested providers and PSOs to add                    whether the disposition requirement                   more tenuous, in our view the linkage
                                            their names to the listserv, which will                 applies to non-identifiable patient safety            remains as long as there is information
                                            provide immediate notification when                     work product, such as data reported                   that identifies any source of the data in
                                            the Secretary takes actions related to the              anonymously by hospitals.                             the analysis. The linkage is only broken
                                            listing and delisting of PSOs or posts                    Response: The statutory section on                  when the source(s) is (are) truly non-
                                            significant new information on AHRQ’s                   disposition of patient safety work                    identifiable. As we noted above, the
                                            PSO Web site. Providers will also be                    product does not make an explicit                     statute does not make a distinction
                                            able to signup on the Web site to receive               distinction between disposition of                    between identifiable and non-
dwashington3 on PRODPC61 with RULES3

                                            individual e-mails if their PSO becomes                 identifiable and non-identifiable patient             identifiable information, so the
                                            delisted.                                               safety work product and data, nor does                disposition requirements apply to both.
                                               We have modified § 3.108(b)(2) in                    the final rule in the disposition                        Comment: One commenter noted that
                                            another way. This paragraph retains the                 requirements. The Department reads                    certain public PSO entities may face
                                            restatement that was in the proposed                    this disposition requirement as applying              conflicts with state laws or regulations
                                            rule of the statutory assurances                        to both identifiable and non-identifiable             that establish requirements for the

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00037   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70768            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            disposition of information that they                       Overview of Public Comments: Public                and is not applicable here. The only
                                            hold.                                                   comment on the proposed provisions for                other modifications are deletions of text
                                              Response: The final rule’s                            voluntary relinquishment focused                      relating to implied voluntary
                                            requirements for disposition of patient                 primarily on the two questions raised in              relinquishment and a conforming
                                            safety work product would preempt                       the proposed rule.                                    change in a cross-reference.
                                            conflicting state statutory requirements                   Two commenters agreed with our                       We have not accepted the views of
                                            for disposition of information when it is               interpretation that the statute limited               commenters supporting appeals of
                                            patient safety work product.                            the application of the additional                     relinquishment determinations by the
                                              Comment: What are the                                 protections for data submitted by                     Secretary in light of our decision to
                                            responsibilities of a contractor holding                providers to a former PSO in the 30-day               narrow the scope of voluntary
                                            patient safety work product under                       period following the date and time of                 relinquishment to situations in which
                                            contract with a PSO that is revoked and                 revocation and delisting to situations in             the PSO has requested relinquishment.
                                            delisted for cause?                                     which the PSO had been revoked and                    The comments regarding due process for
                                              Response: The contractor must return                  delisted for cause. A number of                       those who voluntarily relinquish their
                                            the former PSO’s patient safety work                    commenters argued for inclusion of a                  status would no longer be apt.
                                            product that it is holding for disposition              30-day period of continued reporting for
                                            as required by the rule.                                PSOs that voluntarily relinquished their              (D) Section 3.108(d)—Public Notice of
                                                                                                    status. They noted the importance of                  Delisting Regarding Removal From
                                            (C) Section 3.108(c)—Voluntary
                                                                                                    comparability but did not provide a                   Listing
                                                                                                    legal rationale for reading the statute                  Proposed Rule: Proposed § 3.108(d)
                                               Proposed Rule: Section 3.108(c)(1)                   differently.
                                            proposed two circumstances under                                                                              would have incorporated the statutory
                                                                                                       The second question posed by the                   requirement that the Secretary must
                                            which a PSO would be considered to                      proposed rule was the appropriateness
                                            have voluntarily relinquished its status                                                                      publish a notice in the Federal Register
                                                                                                    of paragraph (c)(5) which would                       regarding the revocation of acceptance
                                            as a PSO: When a PSO advises the                        eliminate the right to challenge any
                                            Secretary in writing that it no longer                                                                        of certification of a PSO and its removal
                                                                                                    decision by the Secretary regarding                   from listing. The proposed rule would
                                            wishes to be a PSO, and when a PSO                      voluntary relinquishment. Several large
                                            permits its three-year period of listing to                                                                   have broadened the requirement to
                                                                                                    provider groups supported our position
                                            expire. To ensure that such a lapse is                                                                        include publication of such a notice if
                                                                                                    while others argued that a PSO should
                                            not inadvertent, the proposed rule                                                                            delisting results from a determination of
                                                                                                    always have the right to challenge or
                                            would require the Secretary to send a                                                                         voluntary relinquishment.
                                                                                                    appeal any decision by the Secretary.
                                            notice of imminent expiration 45                           Final Rule: We have modified and                      Overview of Public Comments: We
                                            calendar days before the expiration of                  narrowed the scope of voluntary                       received no comments on this
                                            its period of listing.                                  relinquishment in the final rule. We                  subsection.
                                               We proposed in § 3.108(c)(2) that a                  have eliminated from this section the                    Final Rule: We have modified
                                            PSO seeking to relinquish its listing                   application of voluntary relinquishment               § 3.108(d) in the final rule to reflect our
                                            should include in its notification to the               to situations in which a PSO has let its              changes to subsection (c) that narrowed
                                            Secretary attestations regarding its                    certifications lapse. As noted above, we              the scope of voluntary relinquishment.
                                            compliance with the provider                            have modified § 3.104(e) to make                      We also added a new reference that
                                            notification and patient safety work                    expiration of a PSO’s listing automatic               requires the Secretary to publish a
                                            product disposition requirements, and                   in these circumstances. Revised                       notice when a PSO’s listing terminates
                                            would have required appropriate                         § 3.108(c) provides for voluntary                     automatically at the end of the
                                            contact information for further                         relinquishment in only one                            statutorily based three-year period,
                                            communications from the Secretary.                      circumstance: When a PSO writes the                   pursuant to § 3.104(e).
                                            The Secretary would be authorized by                    Secretary seeking to relinquish its                   (E) Section 3.108(e)—Expedited
                                            § 3.108(c)(3) to accept or reject the                   listing as a PSO.                                     Revocation
                                            PSO’s notification. We sought comment                      We have carefully reviewed again the
                                            on our preliminary conclusion that,                     statutory authority that enables PSOs                    Proposed Rule: The proposed rule did
                                            when a PSO voluntarily relinquishes its                 that have their listing revoked for cause             not contain a proposed § 3.108(e). The
                                            status, the statutory provisions                        to continue to receive data for 30 days               proposed rule did include in subsection
                                            providing protections for an additional                 following the date and time of                        (a) a request for comment about the
                                            30 days for data submitted to the former                revocation and delisting that will be                 possible inclusion in the final rule of an
                                            PSO by providers do not apply.                          treated as patient safety work product.               expedited revocation process. We noted
                                               Section 3.108(c)(4) would have                       We reaffirm our interpretation that the               that, while we anticipate that in the vast
                                            enabled the Secretary to determine that                 statutory authority does not apply to an              majority of circumstances, the PSO’s
                                            implied voluntary relinquishment has                    entity seeking to voluntarily relinquish              deficiency(ies) can and will be
                                            taken place when a PSO permits its                      its status as a PSO. Commenters                       corrected, there may be situations in
                                            listing to expire. The Secretary would                  provided no basis for a different reading             which a PSO’s conduct is so egregious
                                            remove the entity from the list of PSOs                 of the statute. Accordingly, we have not              that the Secretary’s acceptance of the
                                            at midnight on that day, notify the                     incorporated any change in the rule.                  PSO’s certification should be revoked
                                            entity, and request that the entity make                   We have also deleted inappropriate                 without the opportunity to cure because
                                            reasonable efforts to comply with the                   references to ‘‘patient safety work                   there is no meaningful cure. We invited
                                            provider notification and patient safety                product and data’’ in § 3.108(c)(2) and               comments regarding this approach and
dwashington3 on PRODPC61 with RULES3

                                            work product disposition requirements,                  replaced them with a reference only to                how best to characterize the situations
                                            and to provide appropriate contact                      patient safety work product. As we                    in which the opportunity to ‘‘cure,’’ e.g.,
                                            information. Finally, § 3.108(c)(5)                     noted above, the term ‘‘data’’ in this                to change policies, practices or
                                            proposed that voluntary relinquishment                  context refers only to information                    procedures, sanction employees, send
                                            would not constitute a deficiency as                    received by a former PSO in the 30-day                out correction notices, would not be
                                            referenced in subsection (a).                           period following revocation for cause                 sufficient, meaningful, or appropriate.

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00038   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                         70769

                                               Overview of Public Comments:                         health care providers (other than                     reason to believe there have been
                                            Several commenters expressed concern,                   members of the entity’s workforce or                  repeated deficiencies, or when the PSO
                                            requested that we define the term                       health care providers holding privileges              engages in fraudulent or illegal conduct.
                                            ‘‘egregious,’’ and opposed the                          with the entity) are required to report               In light of these risks, we believe it is
                                            elimination of a right for the PSO to                   information by law or regulation.                     only prudent to give the Secretary the
                                            respond to the proposed expedited                          Because the certifications for listing             authority to respond promptly to
                                            revocation action. One commenter                        specifically require an entity to attest              situations where there is a risk of
                                            suggested that our proposal was                         that it is not excluded from seeking                  serious adverse harm, even if we cannot
                                            appropriate in situations involving                     listing, this situation would mean that               adequately foresee all of the specific
                                            multiple willful violations and in which                the PSO had either filed a false                      situations that might require prompt
                                            immediate action is necessary to protect                certification, or that the nature of the              action.
                                            patients and providers from further                     entity had significantly changed during                  We note that we have accepted the
                                            improper actions by the PSO.                            the course of its listing. An example of              position of another commenter that we
                                               Only one commenter addressed, and                    an entity ‘‘about to become an excluded               not include failure to meet the
                                            opposed, our suggestion that we might                   entity’’ would be when there is advance               minimum contract requirement as a
                                            eliminate in the final rule the                         notice of a merger of the parent                      basis for expedited revocation. Our
                                            opportunity for a PSO to contest                        organization of a component PSO with                  intent is to limit expedited revocation to
                                            revocation when the entity had                          a health insurance issuer. A health                   those situations which pose a risk to
                                            verifiably failed to meet the statutory                 insurance issuer is the only excluded                 providers or others.
                                            minimum contract requirement.                           entity that may not have a component                     To accomplish expeditious remedial
                                               Final Rule: The Department has                       become a PSO. If the Secretary learns                 revocation action, § 3.108(e)(2) waives
                                            modified the rule to include a new                      that a PSO is about to become a                       the procedures in §§ 3.108(a)(2) through
                                            § 3.108(e) to provide for expedited                     component of a health insurance issuer,               3.108(a)(5) for correction of deficiencies,
                                            revocation in a limited number of                       this is one circumstance under which                  determinations regarding correction of
                                            circumstances. In deciding to include                   we believe prompt action by the                       deficiencies, processes related to the
                                            this new subsection, we considered all                  Secretary is essential.                               opportunity for a written response by
                                            of the comments received regarding                         The second circumstance, specified in              the PSO to a notice of proposed
                                            Subpart B, not only those discussed                     § 3.108(e)(1)(ii), is when the parent                 revocation and delisting, and final
                                            here. There was a strong overall                        organization of a PSO is an excluded                  determination by the Secretary
                                            sentiment that the Secretary must be                    entity and the parent organization uses               regarding revocation and delisting of the
                                            vigilant in ensuring that PSOs meet                     its authority over providers to require or            PSO. Instead, the provisions of
                                            their obligations to protect the                        induce them to use the patient safety                 § 3.108(e)(3) apply.
                                            confidentiality of patient safety work                  services of its component PSO. This was                  Under § 3.108(e)(3) of the expedited
                                            product. These concerns were especially                 a major concern of commenters in                      revocation process, the Secretary would
                                            strong in response to our proposal to                   permitting components of accreditation,               issue a notice of deficiency and
                                            permit components of excluded entities                  licensure and regulatory entities to seek             expedited revocation that identifies the
                                            to seek listing. We also received support               listing; the final rule in § 3.102(c)                 evidence that the circumstances for
                                            for prompt Secretarial action for                       permits such a component to be listed                 expedited revocation exist and indicates
                                            multiple willful violations and when                    only if it can certify that its parent                any corrective action the PSO can take
                                            providers and patients are at risk                      organization does not impose such                     if the Secretary determines that
                                            because of a PSO’s actions. Accordingly,                requirements on providers. When an                    corrective action may resolve the matter
                                            we have incorporated an expedited                       excluded entity attempts to require or                so that revocation and delisting could be
                                            revocation process based around these                   induce providers to report information                avoided. Absent evidence of actual
                                            concerns.                                               to its component PSO, there is                        receipt of this notice of deficiency and
                                               New § 3.108(e)(1) lists three                        reasonable cause for concern regarding                expedited revocation, the Secretary’s
                                            circumstances in which the Secretary                    the integrity of the firewall between the             notice will be deemed to be received
                                            may use an expedited process for                        component PSO and its parent                          five days after it was sent.
                                            revocation. The first two circumstances                 organization. Given the potential harm                   In developing this process, we have
                                            reflect commenter concern regarding                     to providers if their identifiable patient            taken note of commenters’ concern that
                                            excluded entities. The first of these,                  safety work product is made available to              as a general matter, a PSO alleged to be
                                            specified in § 3.108(e)(1)(i), is if the                the excluded entity, the Department                   deficient in compliance should have an
                                            Secretary determines that a PSO is, or is               concludes that the need for prompt                    opportunity to be heard and have
                                            about to become, an entity excluded                     action is compelling.                                 provided the PSO with an opportunity
                                            from listing by § 3.102(a)(2). That                        The third circumstance specified in                to respond as part of the expedited
                                            section excludes from listing: A health                 § 3.108(e)(1)(iii) of the rule is when the            revocation process. The Secretary must
                                            insurance issuer; a unit or division of a               Secretary has determined that the                     receive a response from the PSO within
                                            health insurance issuer; an entity that is              failure to act promptly would lead to                 14 days of actual or constructive receipt
                                            owned, managed or controlled by a                       serious adverse consequences. We                      of the notice, whichever is longer. In its
                                            health insurance issuer; entities that                  would expect to use this authority                    written response, the PSO can correct
                                            accredit or license health care providers;              sparingly. Despite the confidential and               the alleged facts or argue the
                                            entities that oversee or enforce statutory              protected nature of patient safety work               applicability of the legal basis given for
                                            or regulatory requirements governing                    product, we remain concerned that                     expedited revocation and delisting and
                                            the delivery of health care services;                   there can still be serious harm to                    offer reasons that would support its case
dwashington3 on PRODPC61 with RULES3

                                            agents of an entity that oversees or                    providers, patients, and reporters named              for not being delisted.
                                            enforces statutory or regulatory                        in patient safety work product if a PSO                  If the PSO does not submit a written
                                            requirements governing the delivery of                  demonstrates reckless or willful                      response, the Secretary may revoke and
                                            health care services; or entities that                  misconduct in its protection or use of                delist the PSO. Provided the PSO
                                            operate a Federal, State, Local, or Tribal              the work product with which it is                     responds within the required time, the
                                            patient safety reporting system to which                entrusted, especially when there is                   Secretary may withdraw the notice,

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00039   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70770            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            grant the PSO with additional time to                   or controlled and a provider’s decision               and PSOs for the purpose of learning
                                            resolve the matter, or revoke and delist                to work with a PSO is voluntary.                      from those events to improve patient
                                            the PSO. If the Secretary decides to                    Therefore, we intend to maintain the                  safety and the quality of care. To
                                            revoke and delist the PSO, we note that                 approach outlined in the proposed rule.               achieve these objectives, Subpart C
                                            the requirements of § 3.108(b) discussed                In response to another commenter, the                 proposed that patient safety work
                                            above apply. These requirements relate                  authority to implement Subpart B rests                product would be privileged and
                                            to notification of the providers who                    squarely within the authorities to foster             confidential, except in the certain
                                            have reported patient safety work                       patient safety and health care quality                limited circumstances identified by the
                                            product to the PSO, disposition of the                  improvement of the Agency for                         Patient Safety Act and as needed by the
                                            PSO’s patient safety work product and                   Healthcare Research and Quality, and                  Department to implement and enforce
                                            data, and the ability of providers to                   there is no reason to expect it to be                 the Patient Safety Act. In addition,
                                            continue to report data to the former                   delegated to another part of the                      proposed Subpart C provided, in
                                            PSO for 30 calendar days following the                  Department.                                           accordance with the Patient Safety Act,
                                            effective date and time of delisting and                                                                      that patient safety work product that is
                                                                                                    6. Section 3.112—Submissions and
                                            have these data protected as patient                                                                          disclosed generally would continue to
                                            safety work product.                                                                                          be privileged and confidential, subject
                                                                                                       Proposed Rule: Proposed § 3.112                    to the delineated exceptions. Thus,
                                            5. Section 3.110—Assessment of PSO                      would have provided instructions for
                                            Compliance                                                                                                    under the proposal, an entity or person
                                                                                                    obtaining required forms and the                      receiving patient safety work product
                                               Proposed Rule: Section 3.110                         submission of materials, would have                   only would be able to disclose such
                                            proposed the framework by which the                     provided contact information for AHRQ                 information for a purpose permitted by
                                            Secretary would assess compliance of                    (mailing address, Web site, and e-mail                the Patient Safety Act and the proposed
                                            PSOs with the requirements of the                       address), and would have authorized                   rule, or if patient safety work product
                                            statute and the rule. This section                      the Department to request additional                  was no longer confidential because it
                                            provided that the Secretary may request                 information if a submission is                        was nonidentifiable or subject to an
                                            information or conduct spot-checks                      incomplete or additional information is               exception to confidentiality. Providers,
                                            (reviews or site visits to PSOs,                        needed to enable the Secretary to make                PSOs, and responsible persons who
                                            announced or unannounced) to assess                     a determination on any submission.                    failed to adhere to these confidentiality
                                            or verify PSO compliance with the                          Overview of Public Comments: We                    rules would be subject to enforcement
                                            requirements of the statute and this                    received no comments on this section.                 by the Department, including the
                                            proposed subpart. We noted that we                         Final Rule: We have made no
                                                                                                                                                          imposition of civil money penalties, if
                                            anticipate that such spot checks would                  substantive modifications to this
                                                                                                                                                          appropriate, as provided in Subpart D of
                                            involve no more than 5–10% of PSOs in                   section. We have made technical
                                                                                                                                                          the proposed rule.
                                            any year. We also noted that this section               changes and incorporated citations for
                                            would reference the Department’s                        the AHRQ PSO Web site address and                        The proposed rule also explained that
                                            overall authority to have access to                     corrected the e-mail address.                         several provisions of the Patient Safety
                                            patient safety work product, if                                                                               Act recognize that the patient safety
                                                                                                    C. Subpart C—Confidentiality and                      regulatory scheme will exist alongside
                                            necessary, as part of its implementation
                                                                                                    Privilege Protections of Patient Safety               other requirements for the use and
                                            and enforcement of the Patient Safety
                                                                                                    Work Product                                          disclosure of protected health
                                               Overview of Public Comments: There                     Proposed Subpart C would have                       information under the HIPAA Privacy
                                            were few comments on this section.                      described the general privilege and                   Rule. For example, the Patient Safety
                                            Commenters agreed that AHRQ’s                           confidentiality protections for patient               Act establishes that PSOs will be
                                            authority under this section should be                  safety work product, the permitted                    business associates of providers and the
                                            limited to PSOs. Several commenters                     disclosures, and the conditions under                 patient safety activities they conduct
                                            expressed concern about our discussion                  which the specific protections no longer              will be health care operations of the
                                            that we only anticipated spot-checking                  apply. The proposed Subpart also                      providers, incorporates individually
                                            5%–10% of PSOs for compliance in any                    would have established the conditions                 identifiable health information under
                                            given year. The projected number of                     under which a provider, PSO, or                       the HIPAA Privacy Rule as an element
                                            spot checks in their view would not be                  responsible person must disclose                      of identifiable patient safety work
                                            adequate to maintain provider                           patient safety work product to the                    product, and adopts a rule of
                                            confidence and PSO compliance.                          Secretary in the course of compliance                 construction that states the intention not
                                            Another commenter asked which                           and enforcement activities, and what                  to alter or affect any HIPAA Privacy
                                            agency would be delegated the task and                  the Secretary may do with such                        Rule implementation provision (see
                                            identified entities within HHS to which                 information. Moreover, the proposed                   section 922(g)(3) of the Public Health
                                            the Secretary should not delegate this                  subpart would have established the                    Service Act, 42 U.S.C. 299b–22(g)(3)).
                                            responsibility.                                         standards for nonidentifiable patient                 As we explained in the proposed rule,
                                               Final Rule: We have made no                          safety work product.                                  we anticipate that most providers
                                            substantive modifications to § 3.110 in                   Proposed Subpart C sought to balance                reporting to PSOs will be HIPAA
                                            the final rule. We note in response to                  key objectives of the Patient Safety Act.             covered entities under the HIPAA
                                            the commenters that urged a higher                      First, the proposal sought to address                 Privacy Rule, and as such, will be
                                            level of spot checks and inspections that               provider concerns about the potential                 required to recognize and comply with
                                            the rule does not limit the ability of the              for damage from unauthorized release of               the requirements of the HIPAA Privacy
dwashington3 on PRODPC61 with RULES3

                                            Department to increase the number if                    information, including the potential for              Rule when disclosing identifiable
                                            warranted. However, we have no basis                    the information to serve as a roadmap                 patient safety work product that
                                            for assuming that higher levels of spot                 for provider liability from negative                  includes protected health information.
                                            checks or inspections are warranted in                  patient outcomes. It also promoted the                As Subpart C addresses disclosure of
                                            light of the fact that Patient Safety                   sharing of information about adverse                  patient safety work product that may
                                            Organizations are not federally funded                  patient safety events among providers                 include protected health information,

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00040   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                       70771

                                            we discuss, where appropriate, the                      (A) Section 3.204(a)—Privilege                        these provisions nor can we provide
                                            overlap between this rule and the                          Proposed Rule: Proposed § 3.204(a)                 further explanation or interpretation in
                                            HIPAA Privacy Rule in the preamble                      would have described the general rule                 this final rule. Rather, as described
                                            description of this Subpart, as we did in               that, notwithstanding any other                       above, the privilege provisions are
                                            the proposed rule.                                      provision of Federal, State, local, or                included only for convenience and
                                                                                                    Tribal law, patient safety work product               completeness, and because the privilege
                                            1. Section 3.204—Privilege of Patient                                                                         exceptions mirror exceptions to
                                            Safety Work Product                                     is privileged and shall not be: (1)
                                                                                                    Subject to Federal, State, local, or Tribal           confidentiality. The privilege
                                               Proposed § 3.204 described the                       civil, criminal, or administrative                    protections attach to patient safety work
                                            privilege protections of patient safety                                                                       product, and we expect that the
                                                                                                    subpoena or order, including in a
                                            work product and the exceptions to                                                                            privilege of patient safety work product
                                                                                                    disciplinary proceeding against a
                                            privilege. As we explained in the                                                                             will be adjudicated and enforced by the
                                                                                                    provider; (2) subject to discovery in
                                            proposed rule, the Patient Safety Act                                                                         tribunals, agencies or professional
                                                                                                    connection with a Federal, State, local,
                                            does not give authority to the Secretary                                                                      disciplinary bodies before which the
                                                                                                    or Tribal civil, criminal, or
                                            to enforce breaches of the privilege                                                                          information is sought and before whom
                                                                                                    administrative proceeding, including a
                                            protections, as it does with respect to                                                                       the proceedings take place. A provider
                                                                                                    disciplinary proceeding against a
                                            breaches of the confidentiality                                                                               facing an opposing party who seeks to
                                                                                                    provider; (3) subject to disclosure under
                                            provisions. Rather, we anticipate that                                                                        introduce patient safety work product in
                                                                                                    the Freedom of Information Act (section
                                            the tribunals, agencies or professional                                                                       court may seek to enforce the privilege
                                                                                                    552 of Title 5, United States Code) or                by filing the appropriate motions with
                                            disciplinary bodies before whom the                     similar Federal, State, local, or Tribal
                                            proceedings take place and before                                                                             the court asserting the privilege to
                                                                                                    law; (4) admitted as evidence in any                  exclude the patient safety work product
                                            which patient safety work product is                    Federal, State, local, or Tribal
                                            sought, will adjudicate the application                                                                       from the proceeding.
                                                                                                    governmental civil proceeding, criminal
                                            of the privilege provisions of the Patient              proceeding, administrative rulemaking                 (B) Section 3.204(b)—Exceptions to
                                            Safety Act at section 922(a)(1)–(5) of the              proceeding, or administrative                         privilege
                                            Public Health Service Act, 42 U.S.C.                    adjudicatory proceeding, including any                   Proposed Rule: Proposed § 3.204(b)
                                            299b–22(a)(1)–(5) and the exceptions to                 such proceeding against a provider; or                described the exceptions to privilege
                                            privilege at section 922(c)(1) of the                   (5) admitted in a professional                        established at section 922(c) of the
                                            Public Health Service Act, 42 U.S.C.                    disciplinary proceeding of a                          Public Health Service Act, 42 U.S.C.
                                            299b–22(c)(1). Even though the privilege                professional disciplinary body                        299b–22c, thereby permitting disclosure
                                            protections will be enforced through the                established or specifically authorized                of patient safety work product under
                                            court systems, and not by the Secretary,                under State law. The proposed                         such circumstances. In all cases, the
                                            we repeat the statutory privilege                       provision generally repeated the                      exceptions to privilege were also
                                            protections and exceptions in this final                statutory language at section 922(a) of               proposed as exceptions to
                                            rule, as we did in the proposed rule.                   the Public Health Service Act, 42 U.S.C.              confidentiality at § 3.206(b). Proposed
                                            This is done both for convenience and                   299b–22(a) but also clarified that                    § 3.204(b)(1) would have permitted the
                                            completeness, as well as because the                    privilege would have applied to protect               disclosure of relevant patient safety
                                            same exceptions in the privilege                        against use of the information in Tribal              work product for use in a criminal
                                            provisions are repeated in the                          courts and administrative proceedings.                proceeding after a court makes an in
                                            confidentiality provisions and the term                    Overview of Public Comments: We                    camera determination that the patient
                                            ‘‘disclosure’’ in the final rule describes              received no comments opposed to this                  safety work product contains evidence
                                            both the transfer of patient safety work                proposed provision.                                   of a criminal act, is material to the
                                            product pursuant to a privilege                            Final Rule: The final rule adopts this             proceeding, and is not reasonably
                                            exception as well as a confidentiality                  proposed provision.                                   available from any other source.
                                            exception. Thus, a disclosure of patient                   Response to Other Public Comments                  Proposed § 3.204(b)(2) would have
                                            safety work product that is a violation                    Comment: Several commenters                        permitted disclosure of identifiable
                                            of privilege may also be a violation of                 expressed concern about the lack of                   patient safety work product to the extent
                                            confidentiality, which the Secretary                    detailed explanation and information                  required to carry out the securing and
                                            does have authority to enforce and for                  about the privilege protections as                    provision of equitable relief as provided
                                            which he can impose a civil money                       compared to the confidentiality                       under section 922(f)(4)(A) of the Public
                                            penalty, if appropriate.                                provisions in the proposed rule. Some                 Health Service Act, 42 U.S.C. 299b–
                                               We also proposed to include at                       commenters asked for clarification                    22(f)(4)(A). Proposed § 3.204(b)(3)
                                            § 3.204(c) a regulatory exception to                    about how breaches of privilege can be                would have permitted disclosure of
                                            privilege for disclosures to the Secretary              enforced and who can assert privilege                 identifiable patient safety work product
                                            for the purpose of enforcing the                        protection. Two commenters asked                      when each of the identified providers
                                            confidentiality provisions and for                      whether hospital peer review                          authorized the disclosure. Finally,
                                            making or supporting PSO certification                  committees established under state law                proposed § 3.204(b)(4) would have
                                            or listing decisions. In the final rule, we             qualify as disciplinary bodies for                    excepted patient safety work product
                                            adopt this proposed provision but also                  purposes of the privilege protection and              from privilege when disclosed in
                                            add language to make clear that the                     if there is a distinction between                     nonidentifiable form.
                                            exception also applies to disclosures to                discipline by a state licensing body and                 Overview of Public Comments: Some
                                            the Secretary for HIPAA Privacy Rule                    discipline by an internal peer review                 commenters expressed concern that
dwashington3 on PRODPC61 with RULES3

                                            enforcement, given the significant                      committee.                                            allowing exceptions to privilege may
                                            overlap with respect to disclosures                        Response: The Secretary does not                   not adequately protect patient safety
                                            under the two rules. We discuss that                    have the authority to interpret and                   work product.
                                            change, as well as the public comments                  enforce the privilege protections of the                 Final Rule: The final rule adopts the
                                            and our responses with respect to the                   statute, and thus, the proposed rule did              proposed provisions. The statute
                                            other privilege provisions, below.                      not contain a detailed discussion of                  explicitly provides for these limited

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00041   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70772            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            exceptions to privilege and thus, they                  work product to or by the Secretary as                under the HIPAA Privacy Rule. This
                                            are included in this final rule.                        needed for investigating or determining               new language implements the statutory
                                                                                                    compliance, or seeking or imposing civil              provision at section 922(g)(3) of the
                                            Response to Other Public Comments
                                                                                                    money penalties, with respect to this                 Public Health Service Act, 42 U.S.C.
                                               Comment: One commenter asked that                    rule or for making or supporting PSO                  299b–22(g)(3), which, as explained
                                            the final rule align the privilege                      certification or listing decisions under              above, makes clear that the Patient
                                            exceptions in § 3.204(b) with the                       the Patient Safety Act. We proposed that              Safety Act is not intended to affect
                                            permitted disclosures to law                            these disclosures also be permitted as an             implementation of the HIPAA Privacy
                                            enforcement in the HIPAA Privacy Rule                   exception to confidentiality at                       Rule. Given the significant potential for
                                            at 45 CFR 164.512(f).                                   § 3.206(d). We explained that, in order               an alleged impermissible disclosure to
                                               Response: We do not agree that                       to perform investigations and                         implicate both this rule’s confidentiality
                                            expanding the exceptions to privilege in                compliance reviews to determine                       provisions, as well as the HIPAA
                                            such a manner is appropriate or                         whether a violation occurred, the                     Privacy Rule, the Secretary may require
                                            prudent. Congress expressly limited the                 Secretary may need to have access to                  access to privileged patient safety work
                                            exceptions to privilege to those we have                privileged and confidential patient                   product for purposes of determining
                                            repeated in the final rule. As relevant to              safety work product and that we believe               compliance with the HIPAA Privacy
                                            law enforcement, the Patient Safety Act                 Congress could not have intended the                  Rule. The Secretary will use such
                                            permits an exception from privilege                     privilege and confidentiality protections             information consistent with the
                                            protection for law enforcement purposes                 of the Patient Safety Act to impede such              statutory prohibition against imposing
                                            in only very narrow circumstances—                      enforcement by prohibiting access to                  civil money penalties under both
                                            that is, patient safety work product may                necessary information by the Secretary.               authorities for the same act.
                                            be used in a criminal proceeding, but                   Thus, the proposed provision would                      With respect to this rule, the
                                            only after a judge makes an in camera                   have allowed disclosure of patient                    provision, as it did in the proposed rule,
                                            determination that the information                      safety work product to and by the                     makes clear that privilege does not
                                            contains evidence of a criminal act, is                 Secretary for enforcement purposes,                   apply to patient safety work product
                                            material to the proceeding, and is not                  including the introduction of such                    disclosed to or by the Secretary if
                                            reasonably available from any other                     information into ALJ or Board                         needed to investigate or determine
                                            source. See § 3.204(b)(1). We do not                    proceedings, disclosure by the Board to               compliance with this rule, or to make or
                                            have authority to further expand or                     properly review determinations or to                  support decisions with respect to listing
                                            interpret the exceptions to privilege                   provide records for court review, as well             of a PSO. This may include access to
                                            provided for in the statute. Further, we                as disclosure during investigations by                and disclosure of patient safety work
                                            believe strong privilege protections are                OCR or activities in reviewing PSO                    product to enforce the confidentiality
                                            essential to ensuring the goals of the                  certifications by AHRQ. Patient safety                provisions of the rule, to make or
                                            statute are met by encouraging                          work product disclosed under this                     support decisions regarding the
                                            maximum provider participation in                       proposed exception would have                         acceptance of certification and listing as
                                            patient safety reporting. We note that                  remained privileged and confidential                  a PSO, or to revoke such acceptance and
                                            § 3.206(c)(10) permits the disclosure of                pursuant to proposed § 3.208, and                     to delist a PSO, or to assess or verify
                                            patient safety work product relating to                 proposed § 3.312 limited the Secretary                PSO compliance with the rule.
                                            an event that either constitutes the                    to only disclosing identifiable patient
                                            commission of a crime, or for which the                 safety work product obtained in                       2. Section 3.206—Confidentiality of
                                            disclosing person reasonably believes                   connection with an investigation or                   Patient Safety Work Product
                                            constitutes the commission of a crime,                  compliance review for enforcement                        Proposed § 3.206 described the
                                            to law enforcement, provided that the                   purposes or as otherwise permitted by                 confidentiality protection of patient
                                            disclosing person believes, reasonably                  the proposed rule or Patient Safety Act.              safety work product, as well as the
                                            under the circumstances, that the                          We also explained in the preamble to               exceptions from confidentiality
                                            patient safety work product that is                     the proposed rule that the privilege                  protection.
                                            disclosed is necessary for criminal law                 provisions in the Patient Safety Act
                                            enforcement purposes. In other cases                    would not bar the Secretary from using                (A) Section 3.206(a)—Confidentiality
                                            where law enforcement needs access to                   patient safety work product for                         Proposed Rule: Proposed § 3.206(a)
                                            information that is contained within                    compliance and enforcement activities                 would have established the general
                                            patient safety work product, we                         related to the HIPAA Privacy Rule. This               principle that patient safety work
                                            emphasize that the definition of                        interpretation was based on the                       product is confidential and shall not be
                                            ‘‘patient safety work product’’                         statutory provision at section 922(g)(3)              disclosed by anyone holding the patient
                                            specifically excludes a patient’s medical               of the Public Health Service Act, 42                  safety work product, except as
                                            or billing record or other original patient             U.S.C. 299b–22(g)(3), which provides                  permitted or required by the rule.
                                            information. See § 3.20, paragraph (2)(i)               that the Patient Safety Act does not                    Overview of Public Comments: We
                                            of the definition of ‘‘patient safety work              affect the implementation of the HIPAA                received no comments directly in
                                            product.’’ Thus, such original patient                  Privacy Rule.                                         reference to this provision.
                                            information remains available to law                       Overview of Public Comments: We                      Final Rule: The final rule adopts this
                                            enforcement in accordance with the                      received one comment in support of and                proposed provision.
                                            conditions set out in the HIPAA Privacy                 no comments opposed to this proposed
                                                                                                    provision.                                            (B) Section 3.206(b)—Exceptions to
                                            Rule, if applicable.
                                                                                                       Final Rule: The final rule adopts the              confidentiality
dwashington3 on PRODPC61 with RULES3

                                            (C) Section 3.204(c)—Implementation                     proposed provision, but expands it to                   Proposed Rule: Proposed § 3.206(b)
                                            and Enforcement of the Patient Safety                   expressly provide that patient safety                 described the exceptions to
                                            Act                                                     work product also may be disclosed to                 confidentiality, or permitted
                                              Proposed Rule: Proposed § 3.204(c)                    or by the Secretary as needed to                      disclosures. The preamble to the
                                            would have excepted from privilege                      investigate or determine compliance                   proposed rule explained that there were
                                            disclosures of relevant patient safety                  with or to impose a civil money penalty               several overarching principles that

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00042   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                        70773

                                            applied to these exceptions from                        for the narrowly drawn exceptions to                  in the specific discussions of the
                                            confidentiality. First, these exceptions                confidentiality in the proposed rule,                 individual disclosure permissions. The
                                            were ‘‘permissions’’ to disclose patient                while one commenter expressed                         disclosure permissions in this section
                                            safety work product and the holder of                   concern that the exceptions were                      reflect those provided by the statute,
                                            the information retained full discretion                unnecessarily complex to accomplish                   and the Secretary has no authority to
                                            whether to disclose. Further, as the                    their purpose. Several commenters                     eliminate or neglect to implement
                                            proposed rule was a Federal baseline of                 asked that the final rule include                     certain of the provisions. Further, the
                                            protection, a provider, PSO, or                         additional exceptions to confidentiality              statute provides only limited authority
                                            responsible person could impose more                    or disclosure permissions. For example,               to the Secretary to expand the
                                            stringent confidentiality policies and                  some commenters suggested that the                    disclosure permissions. See, for
                                            procedures on patient safety work                       final rule permit the disclosure of                   example, section 922(c)(2)(F) of the
                                            product and condition the release of                    patient safety work product to federal,               Public Health Service Act, 42 U.S.C.
                                            patient safety work product within these                state, and local agencies to fulfill                  299b–22(c)(2)(F), providing the
                                            exceptions by contract, employment                      mandatory reporting requirements.                     Secretary with authority to create
                                            relationship, or other means. However,                  Other commenters suggested an                         permissions for disclosures that the
                                            the Secretary would not enforce such                    exception be created to permit the                    Secretary may determine, by rule or
                                            policies or private agreements. Second,                 disclosure of patient safety work                     other means, are necessary for business
                                            when exercising discretion to disclose                  product to state survey agencies,                     operations and are consistent with the
                                            patient safety work product, we                         regulatory bodies, or to any federal or               goals of the statute. Thus, the final rule
                                            encouraged providers, PSOs, and                         state agency for oversight purposes.                  does not create any new, or eliminate
                                            responsible persons to attempt to                       Another commenter requested that the                  any proposed, categories of disclosure
                                            disclose the amount of information                      final rule include a disclosure                       permissions.
                                            commensurate with the purpose of the                    permission for emergency                                 With respect to those commenters
                                            disclosure and to disclose the least                    circumstances similar to the HIPAA                    who requested a disclosure permission
                                            amount of identifiable patient safety                   Privacy Rule disclosure at 54 CFR                     be added to allow for the disclosure of
                                            work product appropriate for the                        164.512(j), allowing a PSO to disclose                patient safety work product to federal,
                                            disclosure even if that was less than                   patient safety work product if it                     state, and local agencies to fulfill
                                            what would otherwise be permitted by                    determines a pattern of harm and that                 mandatory reporting requirements or for
                                            the rule and regardless of whether the                  disclosure is necessary to prevent an                 oversight purposes, we disagree that
                                            information continued to be protected                   individual from harming a person or the               such a modification is necessary. The
                                            under the rule after the disclosure.                    public. One commenter, however,                       final rule gives providers much
                                            Third, the proposal prohibited persons                  believed the proposed rule contained                  flexibility in defining and structuring
                                            receiving patient safety work product                   too many exceptions to confidentiality,               their patient safety evaluation system, as
                                            from redisclosing it except as permitted                and thus, did not adequately protect                  well as determining what information is
                                            by the rule, and we requested comment                   patient safety work product; this                     to become patient safety work product
                                            on whether there were any negative                      commenter suggested that some                         and, thus, protected from disclosure.
                                            implications of limiting redisclosures in               disclosure permissions be eliminated in
                                                                                                                                                          Providers can structure their systems in
                                            such a manner.                                          the final rule but did not recommend
                                                                                                                                                          a manner that allows for the use of
                                               We also described how the proposal                   which ones.
                                            would work with respect to entities also                   Several commenters responded to the                information that is not patient safety
                                            subject to the Privacy Act and/or the                   question regarding whether there were                 work product to fulfill their mandatory
                                            HIPAA Privacy Rule. We explained that                   any negative implications of limiting                 reporting obligations. See the discussion
                                            agencies subject to the Patient Safety                  redisclosures as outlined in the                      regarding the definition of ‘‘patient
                                            Act and the Privacy Act, 5 U.S.C. 552a,                 proposed rule. These commenters                       safety work product’’ in this preamble
                                            must comply with both statutes when                     supported the limitations on                          for more information. Further, as
                                            disclosing patient safety work product.                 redisclosures of patient safety work                  original medical and other records are
                                            This means that, for agencies subject to                product in the proposed rule; we                      expressly excepted from the definition
                                            both laws, a disclosure of patient safety               received no comments identifying any                  of ‘‘patient safety work product,’’
                                            work product could only be made if                      negative implications of this limitation.             providers always have the option of
                                            permitted by both laws. The Privacy Act                 One commenter, however, noted that                    using those records to generate the
                                            permits agencies to make disclosures                    the redisclosures should be governed by               reports necessary for their mandatory
                                            pursuant to established routine uses.                   the HIPAA Privacy and Security Rules.                 reporting obligations to federal, state,
                                            See 5 U.S.C. 552a(a)(7); 552a(b)(3); and                   Finally, some commenters sought                    and local agencies.
                                            552a(e)(4)(D). Accordingly, we                          clarification regarding preemption.                      With respect to disclosures for
                                            recommended that Federal agencies that                  Several commenters asked whether the                  emergency circumstances, the Patient
                                            maintain a Privacy Act system of                        federal patient safety work product                   Safety Act provides no general
                                            records containing information that is                  protections preempted existing State                  exception for such disclosures.
                                            patient safety work product include                     law that permitted or required                        However, patient safety work product
                                            routine uses that will permit the                       disclosure of similar types of records.               may be disclosed under § 3.206(b)(10) to
                                            disclosures allowed by the Patient                      Other commenters asked whether                        law enforcement if the disclosing party
                                            Safety Act. For HIPAA covered entities,                 greater State law protections continue to             reasonably believes the patient safety
                                            we explained that when a patient’s                      exist alongside patient safety work                   work product contains information that
                                            protected health information is                         product protections, stating that some                constitutes a crime. For emergency
dwashington3 on PRODPC61 with RULES3

                                            encompassed within patient safety work                  providers may decide not to participate               circumstances that do not rise to the
                                            product, any disclosure of such                         with a PSO if they would lose existing                level of criminal conduct, the
                                            information also must comply with the                   State law protections.                                information necessary to identify and
                                            HIPAA Privacy Rule.                                        Final Rule: The final rule generally               address such emergencies should be
                                               Overview of Public Comments: Some                    adopts the proposed provisions, with                  readily available and accessible in
                                            commenters expressed general support                    some modifications as explained below                 medical records and other original

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00043   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70774            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            documents that are not protected as                     product. Natural persons or entities who              product disclosed pursuant to this
                                            patient safety work product.                            receive patient safety work product                   provision continues to be privileged
                                              The final rule also adopts the                        generally may further disclose such                   after disclosure but is no longer
                                            redisclosure limitations of the proposed                information pursuant to any of the                    confidential. See section 922(d)(2)(A) of
                                            rule. As described above, commenters                    disclosure permissions in the final rule              the Public Health Service Act, 42 U.S.C.
                                            largely supported, and did not identify                 at § 3.206, except where expressly                    299b–22(d)(2)(A). We explained that
                                            negative implications of, these                         limited pursuant to the provision under               this would mean, for example, that law
                                            restrictions. We discuss the individual                 which the natural person or entity                    enforcement personnel who obtain
                                            redisclosure limitations below in the                   received the information. These                       patient safety work product used in a
                                            specific discussions regarding the                      restrictions on further disclosures may               criminal proceeding could further
                                            disclosure permissions to which they                    be found at §§ 3.206(b)(4)(ii) (disclosure            disclose that information because
                                            apply. We note that the HIPAA Privacy                   to a contractor of a provider or PSO for              confidentiality protection would not
                                            and Security Rules will govern                          patient safety activities), 3.206(b)(7)               apply; however, law enforcement could
                                            redisclosures of patient safety work                    (disclosure to the Food and Drug                      not seek to introduce the patient safety
                                            product only to the extent that the                     Administration (FDA) and entities                     work product in another proceeding
                                            redisclosures are made by a HIPAA                       required to report to FDA), 3.206(b)(8)               without a new in camera determination
                                            covered entity and the patient safety                   (voluntary disclosure to an accrediting               that would have complied with the
                                            work product encompasses protected                      body), 3.206(b)(9) (business operations),             privilege exception at proposed
                                            health information.                                     and 3.206(b)(10) (disclosure to law                   § 3.204(b)(1).
                                              In response to the comments and                       enforcement). These limitations are                      We also reminded entities that are
                                            questions regarding preemption, we                      described more fully below in the                     subject to the HIPAA Privacy Rule that
                                            note that the Patient Safety Act provides               discussions concerning the disclosure                 any disclosures pursuant to this
                                            that, notwithstanding any other                         permissions to which they apply. As                   provision that encompass protected
                                            provision of Federal, State, or local law,              with an impermissible disclosure,                     health information also would need to
                                            and subject to the prescribed                           impermissible redisclosures are subject               comply with the HIPAA Privacy Rule’s
                                            exceptions, patient safety work product                 to enforcement by the Secretary and                   provision at 45 CFR 164.512(e) for
                                            shall be privileged and confidential. See               potential civil money penalties.                      disclosures pursuant to judicial
                                            sections 922(a) and (b) of the Public                      Comment: Two commenters asked                      proceedings. We explained that we
                                            Health Service Act, 42 U.S.C. 299b–                     that we monitor the impact of the rule                expected court rulings following an in
                                            22(a) and (b). The statute also provides                to ensure that it does not improperly                 camera determination to be issued as a
                                            as rules of construction the following:                 impede the necessary sharing of patient               court order, which would satisfy the
                                            (1) that the Patient Safety Act does not                safety work product.                                  HIPAA Privacy Rule’s requirements.
                                            limit the application of other Federal,                    Response: As the rule is implemented,                 Overview of Public Comments: We
                                            State, or local laws that provide greater               we will monitor its impact and consider               received no comments opposed to this
                                            privilege or confidentiality protections                whether any concerns that are raised by               provision.
                                            than those provided by the Patient                      providers, PSOs, and others should be                    Final Rule: The final rule adopts the
                                            Safety Act; and (2) the Patient Safety                  addressed through future modification                 proposed provision.
                                            Act does not preempt or otherwise affect                to the rule or guidance, as appropriate.
                                            any State law requiring a provider to                                                                         Response to Other Public Comments
                                                                                                    (1) Section 3.206(b)(1)—Criminal
                                            report information that is not patient                                                                          Comment: One commenter asked that
                                            safety work product. See section 922(g)                                                                       the final rule make clear that patient
                                            of the Public Health Service Act, 42                      Proposed Rule: Proposed § 3.206(b)(1)               safety work product disclosed under
                                            U.S.C. 299b–22(g). Thus, the patient                    would have permitted the disclosure of                this provision continues to be privileged
                                            safety work product protections                         identifiable patient safety work product              and cannot be used or reused as
                                            provided for under the statute generally                for use in a criminal proceeding, if a                evidence in any civil proceeding even
                                            preempt State or other laws that would                  court makes an in camera determination                though the information is no longer
                                            permit or require disclosure of                         that the identifiable patient safety work             confidential.
                                            information contained within patient                    product sought for disclosure contains                  Response: The final rule makes this
                                            safety work product. However, State                     evidence of a criminal act, is material to            clear. See § 3.208(b)(1).
                                            laws that provide for greater protection                the proceeding, and is not reasonably
                                                                                                    available from other sources. See section             (2) Section 3.206(b)(2)—Equitable Relief
                                            of patient safety work product are not                                                                        for Reporters
                                            preempted and continue to apply.                        922(c)(1)(A) of the Public Health Service
                                                                                                    Act, 42 U.S.C. 299b–22(c)(1)(A). The                     Proposed Rule: The Patient Safety Act
                                            Response to Other Public Comments                       proposed provision paralleled the                     prohibits a provider from taking an
                                               Comment: Several commenters asked                    exception to privilege at proposed                    adverse employment action against an
                                            that the final rule discuss redisclosures               § 3.204(b)(1).                                        individual who, in good faith, reports
                                            in more detail and further explain the                    As we explained in the proposed rule,               information to the provider for
                                            consequences of redisclosures.                          the Patient Safety Act establishes that               subsequent reporting to a PSO or to a
                                               Response: A redisclosure, or ‘‘further               patient safety work product generally                 PSO directly. See section 922(e)(1) of
                                            disclosure’’ as described in the                        will continue to be privileged and                    the Public Health Service Act, 42 U.S.C.
                                            regulatory text, of patient safety work                 confidential upon disclosure. See                     299b–22(e)(1). For purposes of this
                                            product, like a disclosure, is the release,             section 922(d)(1) of the Public Health                provision, adverse employment actions
                                            transfer, provision of access to, or                    Service Act, 42 U.S.C. 299b–22(d)(1)                  include loss of employment, failure to
dwashington3 on PRODPC61 with RULES3

                                            divulging in any other manner of patient                and § 3.208 of this rule. However, the                promote, or adverse evaluations or
                                            safety work product by an entity or                     Patient Safety Act limits the continued               decisions regarding credentialing or
                                            natural person holding the patient safety               protection of patient safety work                     licensing. See 922(e)(2) of the Public
                                            work product to another legally separate                product disclosed for use in a criminal               Health Service Act, 42 U.S.C. 299b–
                                            entity or natural person outside the                    proceeding pursuant to this provision.                22(e)(2). The Patient Safety Act provides
                                            entity holding the patient safety work                  In particular, patient safety work                    adversely affected reporters a civil right

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00044   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                        70775

                                            of action to enjoin such adverse                        actions based upon their good faith                   obtaining of equitable relief provided for
                                            employment actions and obtain other                     reporting of this information to a PSO.               under the statute. Thus, the Secretary
                                            equitable relief, including back pay or                 Several commenters responded to the                   will review the circumstances of such
                                            reinstatement, to redress the prohibited                question posed in the proposed rule                   complaints to determine whether to
                                            actions. See 922(f)(4) of the Public                    asking whether a protective order                     exercise his enforcement discretion to
                                            Health Service Act, 42 U.S.C. 299b–                     should be a condition of disclosure                   not pursue a civil money penalty.
                                            22(f)(4). To effectuate the obtaining of                under this provision or if a good faith
                                            equitable relief under this provision, the              effort in obtaining a protective order                (3) Section 3.206(b)(3)—Authorized by
                                            Patient Safety Act provides that patient                should be sufficient. All of these                    Identified Providers
                                            safety work product is not subject to the               commenters agreed that the obtaining of                  Proposed Rule: Proposed § 3.206(b)(3)
                                            privilege protections or to the                         a protective order should be a condition              would have permitted a disclosure of
                                            confidentiality protections. Thus,                      of disclosure of patient safety work                  patient safety work product when each
                                            proposed § 3.206(b)(2) would have                       product under this provision.                         provider identified in the patient safety
                                            permitted the disclosure of identifiable                   Final Rule: The final rule adopts the              work product separately authorized the
                                            patient safety work product by an                       proposed disclosure permission at                     disclosure. This provision paralleled the
                                            employee seeking redress for adverse                    § 3.206(b)(2) but conditions the                      privilege exception at proposed
                                            employment actions to the extent that                   permitted disclosure for equitable relief             § 3.204(b)(3) and was based on section
                                            the information is necessary to permit                  on the provision of a protective order by             922(c)(1)(C) of the Public Health Service
                                            the equitable relief. This proposed                     the court or administrative tribunal to               Act, 42 U.S.C. 299b–22(c)(1)(C). The
                                            provision paralleled the privilege                      protect the confidentiality of the patient            proposed rule explained that patient
                                            exception to permit equitable relief at                 safety work product during the course of              safety work product disclosed under
                                            proposed § 3.204(b)(2). Also, in                        the proceeding. Although patient safety               this exception would continue to be
                                            accordance with the statute, we                         work product remains confidential and                 confidential pursuant to the continued
                                            proposed that once patient safety work                  privileged in the hands of all recipients             confidentiality provisions at section
                                            product is disclosed pursuant to this                   after disclosure under this provision, we             922(d)(1) of the Public Health Service
                                            provision, it would have remained                       recognize that the sensitive nature of the            Act, 42 U.S.C. 299b–22(d)(1), and
                                            subject to confidentiality and privilege                patient safety work product warrants                  persons would be subject to liability for
                                            protection in the hands of all                          requiring a protective order as                       further disclosures in violation of that
                                            subsequent holders and could not be                     additional protection on this                         confidentiality.
                                            further disclosed except as otherwise                   information. Because some participants
                                                                                                                                                             We also explained that it would be
                                            permitted by the rule.                                  and observers of a proceeding involving
                                                                                                                                                          insufficient to make identifiable
                                               We also provided guidance with                       equitable relief for an adverse
                                                                                                                                                          information regarding a nonauthorizing
                                            respect to the application of the HIPAA                 employment action may not be aware
                                                                                                                                                          provider nonidentifiable in lieu of
                                            Privacy Rule if a covered entity (or its                that certain information is protected as
                                                                                                                                                          obtaining an authorization. While we
                                            business associate) was making the                      patient safety work product to which
                                                                                                                                                          considered such an approach, we
                                            disclosure and the patient safety work                  penalties attach for impermissible
                                                                                                                                                          rejected it as impractical given that it
                                            product included protected health                       disclosures, requiring a protective order
                                                                                                                                                          seemed there would be very few, if any,
                                            information. In that regard, we                         is prudent to ensure that patient safety
                                                                                                                                                          situations in which a nonauthorizing
                                            explained that, under the HIPAA                         work product is adequately protected
                                            Privacy Rule at 45 CFR 164.512(e),                      and that individuals are put on notice                provider could be nonidentified without
                                            when protected health information is                    of its protected status. As we explained              also needing to nonidentify, or nearly
                                            sought to be disclosed in a judicial                    in the proposed rule, such a protective               so, an authorizing provider in the same
                                            proceeding via subpoenas and discovery                  order could take many forms that                      patient safety work product.
                                            requests without a court order, the                     preserve the confidentiality of patient                  We encouraged persons disclosing
                                            disclosing HIPAA covered entity must                    safety work product. For example, the                 patient safety work product to exercise
                                            seek satisfactory assurances that the                   order could limit the use of the                      discretion with respect to the scope of
                                            party requesting the information has                    information to case preparation, but not              patient safety work product disclosed
                                            made reasonable efforts to provide                      make it evidentiary. Or, the order might              and to consider whether identifying
                                            written notice to the individual who is                 prohibit the disclosure of the patient                information regarding reporters or
                                            the subject of the protected health                     safety work product in publicly                       patients was necessary, even though the
                                            information or to secure a qualified                    accessible proceedings and in court                   statute required neither patient nor
                                            protective order.                                       records to prevent liability from moving              reporter authorization under this
                                               Finally, the proposed rule solicited                 to a myriad of unsuspecting parties.                  provision. We also explained that, if the
                                            comments on whether the obtaining of                       We recognize that, in some cases, a                disclosing entity is a HIPAA covered
                                            a protective order should be a condition                reporter seeking equitable relief may be              entity (or business associate), the
                                            of the disclosure under this provision or               unable to obtain a protective order from              HIPAA Privacy Rule, including the
                                            whether, instead, the final rule should                 a court prior to making a necessary                   minimum necessary standard when
                                            require only a good faith effort to obtain              disclosure of patient safety work                     applicable, would apply to the
                                            a protective order as a condition of this               product, despite the reporter’s good                  disclosure of protected health
                                            disclosure.                                             faith and diligent effort to obtain one. If           information contained within the
                                               Overview of Public Comments: Two                     the Secretary receives a complaint that               patient safety work product. Further, if
                                            commenters expressed general support                    patient safety work product was                       the disclosure was not also permitted
                                            for the proposed provision, stating that                disclosed by a reporter seeking equitable             under the HIPAA Privacy Rule, the
dwashington3 on PRODPC61 with RULES3

                                            it struck the appropriate balance                       relief, the Secretary has discretion not to           patient information would need to be
                                            between maintaining the confidentiality                 impose a civil money penalty, if                      de-identified. We sought public
                                            and privilege protections on patient                    appropriate. While the final rule                     comment as to whether the proposed
                                            safety work product and allowing                        requires a protective order as a                      approach was sufficient to protect the
                                            reporters of patient safety work product                condition of disclosure, it is not the                interests of reporters and patients
                                            to seek redress for adverse employment                  Secretary’s intent to frustrate the                   identified in the patient safety work

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00045   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70776            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            product permitted to be disclosed                       the disclosing entity for six years from              for patient safety activities at proposed
                                            pursuant to this provision.                             the date of the last disclosure made in               § 3.206(b)(4) because this disclosure
                                               While the Patient Safety Act does not                reliance on the authorization and made                permission does not allow the sharing of
                                            specify the form of the authorization                   available to the Secretary upon request.              any provider information, even if made
                                            under this exception, we proposed that                  Further, as the Department agrees with                nonidentifiable, unless all providers
                                            an authorization be in writing, be signed               those commenters who believed the                     identified in the patient safety work
                                            by the authorizing provider, and contain                specific terms of the provider                        product authorize the disclosure, while
                                            sufficient detail to fairly inform the                  authorizations should be left to the                  the disclosure permission for patient
                                            provider of the nature and scope of the                 parties, the final rule, as in the proposed           safety activities allows the sharing of
                                            disclosures being authorized. The                       rule, requires only that the authorization            provider information between PSOs and
                                            proposed rule would not have required                   of each of the identified providers be in             between providers, as long as it is
                                            that any specific terms be included in                  writing and signed, and contain                       anonymized.
                                            the authorization, only that disclosures                sufficient detail to fairly inform the                   Response: These disclosure
                                            be made in accordance with the terms                    provider of the nature and scope of the               permissions are separate and
                                            of the authorization, whatever they may                 disclosures being authorized. Thus, the               independent of one another and serve
                                            be. We sought public comment on                         parties are free to define their own                  different purposes. Disclosures of
                                            whether a more stringent standard                       specific terms for provider                           patient safety work product may be
                                            would be prudent and workable, such as                  authorizations, including any time                    made pursuant to either permission,
                                            an authorization process that is                        limitations and to what extent and the                provided the relevant conditions are
                                            disclosure specific.                                    process through which such                            met.
                                               We also proposed that any                            authorizations are revocable. Given the                  Comment: One commenter expressed
                                            authorization be maintained by the                      final rule does not prescribe a particular            concern about the disclosure
                                            disclosing entity or person for a period                form or the terms of provider                         permission’s prohibition on disclosing
                                            of six years from the date of the last                  authorizations under this provision, we               patient safety work product in
                                            disclosure made in reliance on the                      do not believe providing a model                      nonidentifiable form with respect to a
                                            authorization, the limit of time within                 authorization form is appropriate or                  provider who has not authorized the
                                            which the Secretary must initiate an                    feasible.                                             disclosure of the information, stating
                                            enforcement action.                                        With respect to patient and reporter               that this construct would make the
                                               Overview of Public Comments:                         identifiers, we continue to strongly                  provision difficult to implement.
                                            Several commenters responded that                       encourage disclosers to consider how                     Response: The final rule adopts the
                                            patients and reporters identified in                    much patient safety work product is                   provisions of the proposed rule and
                                            patient safety work product are                         necessary, and whether patient or                     does not permit patient safety work
                                            adequately protected by this regulation                 reporter identifiers are necessary, to                product to be disclosed if the
                                            and by the HIPAA Privacy Rule for                       accomplish the purpose of the                         information is rendered nonidentifiable
                                            covered entities. Some commenters,                      authorized disclosure. However, this                  with respect to a nonauthorizing
                                            however, suggested that the HIPAA                       final rule does not include specific                  provider. As explained above, there are
                                            Privacy Rule’s minimum necessary                        limitations on the disclosure of patient              likely few situations in which a
                                            standard be applied to disclosures                      and reporter identifiers under this                   nonauthorizing provider could be
                                            under this provision so that only the                   provision, so long as the disclosure is in            nonidentified without having to also
                                            minimum necessary amount of patient                     accordance with the terms of the                      nonidentify the authorizing providers in
                                            safety work product would be permitted                  provider authorizations. In addition, the             the patient safety work product to be
                                            to be disclosed.                                        HIPAA Privacy Rule, including the                     disclosed under this provision.
                                               Several commenters also responded to                 minimum necessary or de-identification                Therefore, allowing nonidentification of
                                            the question of whether a stricter or                   standard, as appropriate, continues to                the nonauthorizing provider is
                                            more prescribed standard for the                        apply to the disclosure of any protected              impractical.
                                            authorizations should be included in                    health information contained within the                  Comment: One commenter
                                            the final rule, the majority of whom                    patient safety work product.                          recommended that a copy of the
                                            stated that the authorization                                                                                 provider authorization be kept in a
                                            requirements outlined in the proposed                   Response to Other Public Comments                     patient’s file, if the provider’s
                                            rule were adequate. One commenter                         Comment: One commenter asked for                    authorized disclosure of patient safety
                                            recommended that the final rule not                     clarification as to whether state laws                work product resulted in a disclosure of
                                            regulate the terms of the provider                      requiring greater protection for patient              the patient’s protected health
                                            authorization and that such terms be left               safety work product would apply to                    information, so that these disclosures
                                            to the parties. Another commenter                       disclosures pursuant to this provision.               can be tracked and included in an
                                            suggested that provider authorizations                    Response: Section 922(g)(1) of the                  accounting of disclosures as required by
                                            be time-limited, while other                            Public Health Service Act, 42 U.S.C.                  45 CFR 164.528 of the HIPAA Privacy
                                            commenters asked for a model                            299b–22(g)(1), provides that the Patient              Rule.
                                            authorization form and that the final                   Safety Act does not limit the application                Response: While the commenter’s
                                            rule provide a process for revocation of                of other Federal, State, or local laws that           suggestion may assist in complying with
                                            authorizations.                                         provide greater privilege or                          the HIPAA Privacy Rule’s accounting of
                                               Final Rule: The final rule adopts the                confidentiality protections than                      disclosures standard, we do not include
                                            proposed provision. Thus, a provider,                   provided by the Act. Thus, state laws                 such a requirement in the final rule.
                                            PSO, or responsible person may disclose                 providing greater protection for patient              Given that the authorizations provided
dwashington3 on PRODPC61 with RULES3

                                            identifiable patient safety work product                safety work product are not preempted                 for under this provision are focused on
                                            if a valid authorization is obtained from               and would apply to disclosures of                     the disclosure of the provider’s
                                            each identified provider and the                        patient safety work product.                          identifiable information and that the
                                            disclosure is consistent with such                        Comment: One commenter expressed                    specific terms of such authorizations
                                            authorization. As in the proposed rule,                 concern that this disclosure permission               will vary based on the circumstances of
                                            such authorizations must be retained by                 conflicts with the disclosure permission              the disclosure and the parties, it is

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00046   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                        70777

                                            unlikely that such authorizations will                  safety work product remained                          be done through encryption, provided
                                            contain the information necessary for a                 adequately protected in such cases, the               the disclosing entity did not disclose the
                                            HIPAA covered entity to meet its                        proposed rule would have prohibited                   key to the encryption or the mechanism
                                            accounting obligations to the individual                contractors from further disclosing                   for re-identification.
                                            patient. Further, HIPAA covered entities                patient safety work product, except to                  Recognizing that fully nonidentifiable
                                            are free to design and use approaches                   the provider or PSO from which they                   patient safety work product may have
                                            for compliance with the HIPAA Privacy                   first received the information. We                    limited usefulness due to the removal of
                                            Rule’s accounting standard that are best                explained in the proposed rule that this              key elements of identification, the
                                            suited to their business needs and                      limitation would not, however, preclude               proposed rule specifically sought public
                                            information systems.                                    a provider or PSO from exercising its                 comment on whether there were any
                                                                                                    authority under section 922(g)(4) of the              entities other than providers, PSOs, or
                                            (4) Section 3.206(b)(4)—Patient Safety                                                                        their contractors that would need fully
                                            Activities                                              Public Health Service Act, 42 U.S.C.
                                                                                                    299b–22(g)(4), to separately delegate its             identifiable or anonymized patient
                                               Proposed Rule: Proposed § 3.206(b)(4)                power to the contractor to make other                 safety work product for patient safety
                                            would have permitted the disclosure of                  disclosures. We also stated that,                     activities.
                                            identifiable patient safety work product                although the proposed rule did not                      The proposed rule also explained the
                                            for patient safety activities (i) by a                  require a contract between the provider               intersection with the HIPAA Privacy
                                            provider to a PSO or by a PSO to that                   or PSO and the contractor, we fully                   Rule with respect to these disclosures,
                                            disclosing provider; or (ii) by a provider              expected the parties to engage in                     and noted that, as provided by the
                                            or a PSO to a contractor of the provider                prudent practices to ensure patient                   statute, PSOs would be treated as
                                            or PSO; or (iii) by a PSO to another PSO                safety work product remained                          business associates and patient safety
                                            or to another provider that has reported                confidential.                                         activities performed by, or on behalf of,
                                            to the PSO, or by a provider to another                                                                       a covered provider by a PSO would be
                                            provider, provided, in both cases,                         Further, to allow for more effective               deemed health care operations as
                                            certain direct identifiers are removed.                 aggregation of patient safety work                    defined by the HIPAA Privacy Rule. For
                                            This proposed permissible disclosure                    product, the proposal at § 3.206(b)(4)(iii)           a more detailed discussion of the
                                            provision was based on section                          would have allowed PSOs to disclose                   application of the HIPAA Privacy Rule
                                            922(c)(2)(A) of the Public Health Service               patient safety work product to other                  with respect to disclosures under this
                                            Act, 42 U.S.C. 299b–22(c)(2)(A), which                  PSOs or to other providers that have                  proposed provision, see the preamble to
                                            permits the disclosure of identifiable                  reported to the PSO (but not about the                the proposed rule at 73 FR 8146–8147.
                                            patient safety work product for patient                 specific event(s) to which the patient                The proposed rule sought public
                                            safety activities. The proposed rule                    safety work product relates), and                     comment on whether the HIPAA
                                            provided that, consistent with the                      providers to disclose patient safety work             Privacy Rule definition of ‘‘health care
                                            statute, patient safety work product                    product to other providers, for patient               operations’’ should be modified to
                                            would remain privileged and                             safety activities, as long as the patient             include a specific reference to patient
                                            confidential once disclosed under this                  safety work product was anonymized                    safety activities and whether the HIPAA
                                            provision.                                              through the removal of direct identifiers             Privacy Rule disclosure permission for
                                               We explained in the proposed rule                    of providers and patients. See proposed               health care operations should be
                                            that patient safety activities are the core             § 3.206(b)(4)(iii)(A). In particular, to              modified to include a reference to
                                            mechanism by which providers may                        anonymize provider identifiers, the                   patient safety activities.
                                            disclose patient safety work product to                 proposed rule would have required the                   Overview of Public Comments: The
                                            obtain external expertise from PSOs and                 removal of the following direct                       commenters expressed general support
                                            through which PSOs may aggregate                        identifiers of any providers and of                   for the reciprocal disclosure of patient
                                            information from multiple providers,                    affiliated organizations, corporate                   safety work product between providers
                                            and communicate feedback and                            parents, subsidiaries, practice partners,             and PSOs for patient safety activities.
                                            analyses back to providers. Thus, the                   employers, members of the workforce,                  Additionally, commenters expressed
                                            rule needs to facilitate such                           or household members of such                          general support for the disclosure of
                                            communications so that improvements                     providers: (1) Names; (2) postal address              patient safety work product by a PSO or
                                            in patient safety can occur. To realize                 information, other than town or city,                 provider to its contractor to carry out
                                            this goal, the proposed rule at                         State and zip code; (3) telephone                     patient safety activities.
                                            § 3.206(b)(4)(i) would have allowed for                 numbers; (4) fax numbers; (5) electronic                Commenters also generally supported
                                            the disclosure of identifiable patient                  mail addresses; (6) social security                   the proposed permissible disclosure of
                                            safety work product reciprocally                        numbers or taxpayer identification                    patient safety work product between
                                            between providers and the PSOs to                       numbers; (7) provider or practitioner                 PSOs for patient safety activities,
                                            which they have reported. This would                    credentialing or DEA numbers; (8)                     between PSOs and other providers that
                                            allow PSOs to collect, aggregate, and                   national provider identification number;              have reported to that PSO, and between
                                            analyze patient safety event information                (9) certificate/license numbers; (10) web             providers. However, many commenters
                                            and disseminate findings and                            universal resource locators; (11) internet            expressed concern about the proposed
                                            recommendations for safety and quality                  protocol (IP) address numbers; (12)                   rule requirement at § 3.206(b)(4)(iii) to
                                            improvements.                                           biometric identifiers, including finger               anonymize patient safety work product
                                               The proposed rule at § 3.206(b)(4)(ii)               and voice prints; and (13) full face                  prior to disclosure. Some commenters
                                            also would have allowed for disclosures                 photographic images and any                           stated that this requirement
                                            by providers and PSOs to their                          comparable images. For patient                        inappropriately limited a PSO’s ability
dwashington3 on PRODPC61 with RULES3

                                            contractors who are not workforce                       identifiers, the proposed rule would                  to share this information with other
                                            members, recognizing that there may be                  have applied the HIPAA Privacy Rule                   PSOs and could prevent PSOs from
                                            situations where providers and PSOs                     limited data set standard. See 45 CFR                 being able to identify duplicate reports
                                            want to engage contractors who are not                  164.514(e). We explained in the                       of a single event coming from
                                            agents to carry out patient safety                      proposed rule that removal of the                     independent sources in the patient
                                            activities. However, to ensure patient                  required identifiers could be absolute or             safety work product received from other

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00047   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70778            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            PSOs. One suggested that PSOs be able                   affiliated providers for patient safety               PSO receiving patient safety work
                                            to share identifiable patient safety work               activities. Unlike disclosures between                product from a provider to contact that
                                            product with other PSOs, while another                  providers in § 3.206(b)(4)(iv), the patient           provider and recommend that the
                                            commenter stated that provider names,                   safety work product disclosed pursuant                provider also report the patient safety
                                            addresses, and phone numbers should                     to this permission need not be                        work product to an additional PSO; (2)
                                            be included in patient safety work                      anonymized prior to disclosure. An                    a provider reporting to a PSO to delegate
                                            product to permit follow up contact                     affiliated provider is defined in the final           its authority to the PSO to report its
                                            with the provider and as a way to                       rule as ‘‘with respect to a provider, a               patient safety work product to an
                                            identify duplicate adverse event reports.               legally separate provider that is the                 additional PSO; (3) a PSO to hire
                                            This commenter suggested that PSOs be                   parent organization of the provider, is               another PSO as a consultant to assist in
                                            able to contract with other PSOs as their               under common ownership,                               the evaluation of patient safety work
                                            contractors so that they could share                    management, or control with the                       product received from a reporting
                                            patient safety information that has not                 provider, or is owned, managed, or                    provider, pursuant to § 3.206(b)(4)(ii);
                                            been anonymized with one another                        controlled by the provider.’’ See § 3.20.             and (4) a PSO to disclose identifiable
                                            subject to § 3.206(b)(4)(ii), or                        This addition to the final rule is                    and non-anonymized patient safety
                                            alternatively, that the final rule allow                included in recognition that certain                  work product to another PSO if it has
                                            PSOs to share patient safety work                       provider entities with a common                       obtained authorization to do so from
                                            product identifying providers with other                corporate affiliation, such as integrated             each provider identified in the patient
                                            PSOs if a contract ensuring the                         health systems, may have a need, just as              safety work product. See § 3.206(b)(3).
                                            confidentiality of this information is in               a single legal entity, to share identifiable             To address the concerns of providers
                                            place between the PSOs. Other                           and non-anonymized patient safety                     generally that the rule would prohibit
                                            commenters expressed concern that the                   work product among the various                        the disclosure of patient safety work
                                            anonymization requirement limited the                   provider affiliates and their parent                  product among physicians and other
                                            ability of providers to use and disclose                organization for patient safety activities            health care professionals, particularly
                                            patient safety work product to other                    and to facilitate, if desired, one                    for educational purposes or for
                                            providers or students for educational,                  corporate patient safety evaluation                   preventing or ameliorating patient harm,
                                            academic, or professional purposes.                     system. We emphasize that provider                    we emphasize that the rule does not
                                            These commenters feared that the                        entities can choose not to use this                   regulate uses of patient safety work
                                            proposed rule would inhibit providers’                  disclosure mechanism if they believe                  product within a single legal entity.
                                            ability to consult with other providers                 that doing so would adversely affect                  (However, we note that we have
                                            about patient safety events and                         provider participation, given that                    expressly defined as a disclosure the
                                            requested clarification from the                        patient safety work product would be                  sharing of patient safety work product
                                            Department that the rule would not                      shared more broadly across the affiliated             between a component PSO and the rest
                                            prohibit the disclosure of patient safety               entities.                                             of the legal entity of which it is a part.)
                                            work product among physicians and                          The final rule adopts the disclosure               Thus, consistent with this policy,
                                            other health care professionals,                        permission for patient safety work                    providers within a single legal entity are
                                            particularly for education purposes or                  product proposed at § 3.206(b)(4)(iii) in             free to discuss and share patient safety
                                            for preventing or ameliorating harm.                    the proposed rule; however, the final                 work product in identifiable and non-
                                               Many commenters also responded to                    rule relocates this disclosure permission             anonymized form for educational,
                                            the question in the proposed rule                       to § 3.206(b)(4)(iv) and retitles this                academic, or other professional
                                            regarding whether the patient safety                    section for clarity. This disclosure                  purposes. We have made this policy
                                            activities disclosure permission should                 permission requires that patient safety               clear in the final rule by modifying the
                                            be expanded to encompass additional                     work product disclosed for patient                    definition of disclosure to apply only to
                                            entities. Commenters identified no                      safety activities by a PSO to another                 the release, transfer, provision of access
                                            additional entities to include in this                  PSO or to another provider that has                   to, or divulging in any other manner of
                                            disclosure permission; however, some                    reported to the PSO or by a provider to               patient safety work product by: (1) an
                                            commenters suggested that the                           another provider must be anonymized                   entity or natural person holding the
                                            Department monitor this provision so                    through the removal of certain provider-              patient safety work product to another
                                            that exceptions for disclosures to                      related direct identifiers listed in                  legally separate entity or natural person
                                            additional entities may be made in the                  § 3.206(b)(4)(iii)(A), as well as the                 outside the entity holding the patient
                                            future if necessary.                                    removal of patient direct identifiers                 safety work product; or (2) a component
                                               Final Rule: The final rule adopts                    pursuant to the HIPAA Privacy Rule’s                  PSO to another entity or natural person
                                            without modification proposed                           limited data set standard at 45 CFR                   outside the component organization.
                                            § 3.206(b)(4)(i) and § 3.206(b)(4)(ii),                 164.514(e)(2).                                        Further, as described above, the new
                                            permitting disclosure of patient safety                    Although the final rule includes a                 provision at § 3.206(b)(4)(iii) allows the
                                            work product for patient safety activities              provision for disclosure of fully                     sharing of fully identifiable patient
                                            between providers and PSOs, and                         identifiable patient safety work product              safety work product among affiliated
                                            between providers or PSOs and their                     among affiliated providers, we believe it             providers. However, if providers wish to
                                            contractors that undertake patient safety               is unnecessary to provide a similar                   disclose patient safety work product to
                                            activities on their behalf. In addition,                provision that would allow for the                    other providers outside of their legal
                                            the final rule modifies proposed                        sharing of identifiable and non-                      entity or to non-affiliated providers, the
                                            § 3.206(b)(4)(iii) with respect to                      anonymized patient safety work product                information must be anonymized
                                            disclosures to another PSO or provider,                 between PSOs since the final rule                     subject to § 3.206(b)(4)(iv)(A) and (B) or
dwashington3 on PRODPC61 with RULES3

                                            redesignates the provision as                           includes multiple avenues for secondary               disclosed subject to another applicable
                                            § 3.206(b)(4)(iv), and adds a new                       PSOs, i.e., those PSOs that do not have               disclosure permission.
                                            § 3.206(b)(4)(iii).                                     the direct reporting relationship with
                                               New § 3.206(b)(4)(iii) of the final rule             the provider, to receive provider                     Response to Other Public Comments
                                            permits disclosure of identifiable                      identifiable data, if needed. In                        Comment: One commenter asked that
                                            patient safety work product among                       particular, the final rule allows: (1) A              the final rule prohibit the

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00048   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                          70779

                                            recommendations made by a PSO from                      to the extent such disclosures are                    operations’’ for purposes of the HIPAA
                                            being introduced as evidence of a                       subject to an accounting at 45 CFR                    Privacy Rule. With respect to
                                            standard of care or for other purposes in               164.528. Further, the HIPAA Privacy                   disclosures, however, we do not agree
                                            a judicial or administrative proceeding.                Rule provides that a contract between a               that expanding the disclosure
                                               Response: A recommendation made                      HIPAA covered entity and its business                 permission in the manner suggested by
                                            by a PSO is patient safety work product                 associate must require the business                   the commenter is appropriate. The
                                            to which the privilege and                              associate to make available to the                    disclosure permissions in the final rule
                                            confidentiality protections attach.                     covered entity the information it needs               are carefully crafted to balance the need
                                            Therefore, the information can only be                  to comply with the HIPAA Privacy                      for the information to remain
                                            disclosed through an applicable                         Rule’s accounting standard. See 45 CFR                confidential with the need to disclose
                                            disclosure permission. However, as we                   164.504(e). However, we expect that                   patient safety work product to effectuate
                                            explained in the proposed rule, while                   most permissible disclosures of patient               the goals of the statute or for other
                                            the recommendations themselves are                      safety work product that include                      limited purposes provided by the
                                            protected, the corrective actions                       protected health information will not be              statute. With respect to disclosures for
                                            implemented by a provider, even if                      subject to the HIPAA Privacy Rule’s                   patient safety activities, while it is clear
                                            based on the protected                                  accounting requirements. The HIPAA                    that patient safety activities are health
                                            recommendations from a PSO, are not                     Privacy Rule’s accounting standard does               care operations under the HIPAA
                                            patient safety work product.                            not require that disclosures made for                 Privacy Rule, only a subset of activities
                                               Comment: One commenter asked if                      health care operations be included in an              within the definition of ‘‘health care
                                            permissible disclosures of patient safety               accounting. See 45 CFR 164.528(a)(1)(i).              operations’’ are relevant to patient
                                            work product for patient safety activities              Thus, because disclosures for patient                 safety.
                                            under this disclosure permission could                  safety activities at § 3.206(b)(4), business             Comment: One commenter asked for
                                            include disclosures for credentialing,                  operations at § 3.206(b)(9), or                       clarification about whether a provider
                                            disciplinary, and peer review purposes.                 accreditation purposes at § 3.206(b)(8)               can report a single patient safety event
                                               Response: The disclosure permission                  will generally be for the provider’s                  to multiple PSOs.
                                            at § 3.206(b)(4) of the final rule for                  health care operations, the provider                     Response: Providers are free to report
                                            patient safety activities does not                      does not need to account for these                    patient safety work product to, and have
                                            encompass the disclosure of patient                     disclosures. Additionally, for                        relationships with, multiple PSOs.
                                            safety work product to an external entity               disclosures of patient safety work                       Comment: A commenter asked that
                                            or within an administrative proceeding                  product that are subject to the HIPAA                 the final rule explain the process for
                                            for credentialing, disciplinary, or peer                Privacy Rule’s accounting requirement,                disclosing patient safety work product
                                            review purposes. However, as explained                  such as disclosures to the FDA and                    to the National Patient Safety Databank.
                                            above, uses of patient safety work                      entities required to report to the FDA at                Response: The Department intends to
                                            product within a legal entity are not                   § 3.206(b)(7), the HIPAA Privacy Rule                 provide further guidance and
                                            regulated and thus, patient safety work                 offers enough flexibility for a provider              information regarding the creation of
                                            product may be used within an entity                    generally to provide an accounting of                 and reporting to and among the network
                                            for any purpose, including those                        those disclosures without revealing the               of patient safety databases, as part of
                                            described by the commenter, so long as                  existence of patient safety work product.             implementation of section 923 of the
                                            such use does not run afoul of the                      Therefore, we do not believe including                Public Health Service Act, including
                                            statutory prohibition on a provider                     a requirement directly on PSOs with                   information on common formats for
                                            taking an adverse employment action                     respect to the HIPAA Privacy Rule’s                   collecting and disclosing
                                            against an individual based on the fact                 accounting standard is needed or                      nonidentifiable patient safety work
                                            that the individual in good faith                       appropriate. Nor do we agree that                     product for such purposes. The
                                            reported information either to the                      contracts between providers and PSOs                  Department announced the availability
                                            provider with the intention of having                   should designate individuals as third                 of, and sought comment on, common
                                            the information reported to a PSO or                    party beneficiaries of such contracts. We             formats for common hospital-based
                                            directly to a PSO. (Note, though, that we               believe the HIPAA Privacy Rule’s                      patient safety events in the Federal
                                            have expressly defined as a disclosure                  existing provisions provide adequate                  Register on August 29, 2008 (http://
                                            the sharing of patient safety work                      protections for identifiable patient                  www.pso.ahrq.gov/formats/
                                            product between a component PSO and                     information that may be encompassed                   commonfmt.htm).
                                            the rest of the legal entity of which it is             within patient safety work product;                      Comment: One commenter suggested
                                            a part.)                                                however, we also expect PSOs generally                that the final rule require providers and
                                               Comment: One commenter suggested                     to disclose anonymized and                            PSOs to have written contracts in place
                                            that PSOs should be required to                         nonidentifiable patient safety work                   with contractors who are not their
                                            maintain an accounting of all                           product.                                              agents but who will carry out patient
                                            disclosures of patient safety work                         Comment: Another commenter                         safety activities on their behalf. Another
                                            product containing individually                         suggested that patient safety work                    commenter asked if the final rule will
                                            identifiable health information in                      product should be able to be used and                 include a requirement similar to a
                                            parallel to the HIPAA Privacy Rule                      disclosed in the same circumstances                   business associate contract under the
                                            requirement for covered entities. In                    that protected health information can be              HIPAA Privacy Rule between PSOs and
                                            order to further protect patient privacy,               used and disclosed under the HIPAA                    its contractors.
                                            this commenter suggested that patients                  Privacy Rule for health care operations.                 Response: The final rule does not
                                            be made third party beneficiaries of the                   Response: The final rule does not                  require providers and PSOs to have
dwashington3 on PRODPC61 with RULES3

                                            contracts between providers and PSOs.                   regulate ‘‘uses’’ of patient safety work              written contracts in place with
                                               Response: A HIPAA covered entity is                  product within a legal entity; thus, a                contractors who are not their agents but
                                            responsible for ensuring that disclosures               provider, PSO, or responsible person                  who will carry out patient safety
                                            of protected health information made by                 may use patient safety work product for               activities on their behalf. However, we
                                            a PSO, as its business associate, are                   any purpose within the legal entity,                  expect that, in practice, such
                                            included in an accounting of disclosures                including those considered ‘‘health care              relationships will be governed by

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00049   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70780            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            contract, but we leave the terms of those               the provider and the PSO to which it                  Privacy Rule were necessary to address
                                            relationships up to the parties. We note,               reports. This information can contain                 any workability issues.
                                            though, that if a HIPAA covered entity                  information identifying other providers.                Response: OCR will consider these
                                            hires a contractor to conduct patient                   If the patient safety work product is                 comments and will seek opportunity to
                                            safety activities on its behalf, which                  being disclosed between PSOs, between                 address them in regulation or in
                                            requires access to protected health                     unaffiliated providers, or between a PSO              guidance.
                                            information, the HIPAA Privacy Rule                     and other providers that have reported                (5) Section 3.206(b)(5)—Disclosure of
                                            would require that a business associate                 to it, then the information must be                   Nonidentifiable Patient Safety Work
                                            agreement be in place prior to any                      anonymized prior to disclosure subject                Product
                                            disclosure of such information to the                   to § 3.206(b)(4)(iv)(A) and (B). In
                                            contractor. See 45 CFR 164.502(e) and                   addition, if a provider or PSO obtains                   Proposed Rule: Proposed § 3.206(b)(5)
                                            164.504(e).                                             authorizations from all providers                     would have permitted the disclosure of
                                               Comment: Some commenters asked                       identified in the patient safety work                 nonidentifiable patient safety work
                                            that the final rule provide clarification               product, or if the patient safety work                product if the patient safety work
                                            regarding the circumstances under                       product is being shared among affiliated              product met the standard for
                                            which PSOs can disclose patient safety                  providers, then such information may                  nonidentification in proposed § 3.212.
                                            work product to other PSOs to aggregate                 be disclosed in identifiable form under               See section 922(c)(2)(B) of the Public
                                            this information for patient safety                     § 3.206(b)(3) and 3.206(b)(4)(iii).                   Health Service Act, 42 U.S.C. 299b-
                                            activities purposes.                                       Comment: Several commenters                        22(c)(2)(B). As described in proposed
                                               Response: Section 3.206(b)(4)(iv) of                 expressed concern about the                           § 3.208(b)(ii), nonidentifiable patient
                                            the final rule permits such disclosures,                anonymization requirement at proposed                 safety work product, once disclosed,
                                            provided the patient safety work                        § 3.206(b)(4)(iii)(A) and stated that a               would no longer be privileged and
                                            product is anonymized by removal of                     provider may be identifiable even if the              confidential and thus, could be
                                            the direct identifiers of both providers                patient safety work product is                        redisclosed by a recipient without any
                                            and patients. Also, the final rule permits              anonymized. One commenter suggested                   Patient Safety Act limitations or
                                            a PSO to disclose patient safety work                   that zip codes should be included in the              liability. Any provider, PSO or
                                            product to another PSO if authorized by                 list of identifiers that must be removed              responsible person could nonidentify
                                            the identified providers as provided in                 from the patient safety work product.                 patient safety work product. See the
                                            § 3.206(b)(3) or in non-identifiable form               Other commenters felt that the                        discussion regarding § 3.212 for more
                                            in accordance with § 3.206(b)(5).                       anonymization standard was too strict.                information about the nonidentification
                                            Finally, a provider reporting to a PSO                     Response: We believe the                           standard.
                                            may delegate its authority to the PSO to                anonymization standard in the final rule                 Overview of Public Comments: We
                                            report its patient safety work product to               at § 3.206(b)(4)(iv)(A) strikes the                   received no comments opposed to this
                                            an additional PSO, as provided by                       appropriate balance between the need to               proposed provision.
                                            § 3.206(e).                                             protect patient safety work product and                  Final Rule: The final rule adopts the
                                               Comment: A commenter suggested                       the need for broader sharing of such                  proposed provision.
                                            that a data use agreement be required                   information at an aggregate level,
                                                                                                                                                          Response to Other Public Comments
                                            when any information, including                         outside of the direct provider and PSO
                                            individually identifiable health                        relationship, to achieve the goals of the                Comment: One commenter asked that
                                            information, is being shared through a                  statute and improve patient safety.                   the final rule require data use
                                            limited data set.                                          Comment: We received several                       agreements for disclosures of
                                               Response: If a HIPAA covered entity                  comments in response to the questions                 nonidentifiable patient safety work
                                            is sharing a limited data set, as defined               asked in the proposed rule about                      product in cases where there is a chance
                                            by the HIPAA Privacy Rule, the covered                  whether the HIPAA Privacy Rule                        for identification or reidentification of
                                            entity must enter into a data use                       definition of ‘‘health care operations’’              provider identities.
                                            agreement with the recipient of the                     should include a specific reference to                   Response: We emphasize that patient
                                            information. See 45 CFR 164.504(e). For                 patient safety activities and whether the             safety work product is considered
                                            entities that are not covered by the                    Privacy Rule disclosure permission for                nonidentifiable only if, either: (1) the
                                            HIPAA Privacy Rule, the final rule does                 health care operations should be                      statistical method at § 3.212(a)(1) is used
                                            not include such a requirement;                         modified to conform to the disclosure                 and there is a very small risk that the
                                            however, we encourage such parties to                   for patient safety activities. These                  information could be used, alone or in
                                            engage in these and similar practices to                commenters expressed overwhelming                     combination with other reasonably
                                            further protect patient safety work                     support for modifying the HIPAA                       available information, by an anticipated
                                            product.                                                Privacy Rule’s definition of ‘‘health care            recipient to identify an identified
                                               Comment: Two commenters asked for                    operations’’ to include such a specific               provider; or (2) the identifiers listed at
                                            clarification in the final rule about                   reference and to aligning the disclosure              § 3.212(a)(2) are stripped and the person
                                            whether patient safety work product                     permission for health care operations                 making the disclosure does not have
                                            disclosed by a provider to a PSO or by                  with that for patient safety activities.              actual knowledge that the remaining
                                            a PSO to a provider can identify other                  The commenters stated that including                  information could be used, alone or in
                                            providers regardless of whether they                    such specific references would make the               combination with other information that
                                            have also reported to that PSO. One                     intersection of both regulations clear,               is reasonably available to the intended
                                            commenter asked if the rule requires                    and would encourage patient safety                    recipient, to identify a provider. Thus,
                                            that authorization from all the identified              discourse among providers and PSOs.                   the commenter should consider whether
dwashington3 on PRODPC61 with RULES3

                                            providers is required before this                       One commenter stated that there was no                the information about which it is
                                            disclosure can be made.                                 need to modify the definition of ‘‘health             concerned would be nonidentifiable for
                                               Response: The final rule at                          care operations’’ because it already                  purposes of this rule. Further, while the
                                            § 3.206(b)(4)(i) allows the disclosure of               unambiguously encompassed patient                     final rule does not require that the
                                            patient safety work product in                          safety activities. No commenters                      disclosure of nonidentifiable patient
                                            identifiable form reciprocally between                  suggested that modifications to the                   safety work product be conditioned on

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00050   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                       70781

                                            an agreement between the parties to the                 work product which identifies patients                (7) Section 3.206(b)(7)—To the Food
                                            disclosure, we note that providers,                     may only be released to the extent that               and Drug Administration
                                            PSOs, and responsible persons are free                  protected health information would be                    Proposed Rule: Section 922(c)(2)(D) of
                                            to contract or enter into agreements that               disclosable for research purposes under               the Public Health Service Act, 42 U.S.C.
                                            place further conditions on the release                 the HIPAA Privacy Rule. We interpreted                299b-22(c)(2)(D), permits the disclosure
                                            of patient safety work product,                         this provision as requiring HIPAA                     by a provider to the Food and Drug
                                            including in nonidentifiable form, than                 covered entities to ensure any                        Administration (FDA) with respect to a
                                            required by the final rule. See § 3.206(e).             disclosures of patient safety work                    product or activity regulated by the
                                              Comment: Several commenters stated                    product under this provision that also                FDA. Proposed § 3.206(b)(7) would have
                                            that identifiable information about                     include protected health information                  implemented this provision by
                                            nondisclosing providers should not be                   comply with the HIPAA Privacy Rule’s                  permitting providers to disclose patient
                                            disclosed and that adequate safeguards                  research provisions. Accordingly, the                 safety work product concerning
                                            should be in place to ensure that                       proposal incorporated by reference 45                 products or activities regulated by the
                                            information identifying nondisclosing                   CFR 164.512(i) of the HIPAA Privacy
                                                                                                                                                          FDA to the FDA or to an entity required
                                            providers is not released. These                        Rule, which generally requires a
                                                                                                                                                          to report to the FDA concerning the
                                            commenters also suggested that AHRQ                     covered entity to obtain documentation
                                            set up a workgroup to evaluate the                                                                            quality, safety, or effectiveness of an
                                                                                                    of a waiver (or alteration of waiver) of
                                            standards and approaches set forth in                                                                         FDA-regulated product or activity. The
                                                                                                    authorization by either an Institutional
                                            the proposed rule.                                                                                            proposed rule also would have
                                                                                                    Review Board (IRB) or a Privacy Board
                                              Response: The nonidentification                                                                             permitted the sharing of patient safety
                                                                                                    prior to using or disclosing protected
                                            standard at § 3.212 of the final rule                                                                         work product between the FDA, entities
                                                                                                    health information without the
                                            addresses the commenters’ concern by                                                                          required to report to the FDA, and their
                                                                                                    individual’s authorization.
                                            requiring either that: (1) a statistician                  We noted that our interpretation of                contractors concerning the quality,
                                            determine, with respect to information,                 the statute would not impact the                      safety, or effectiveness of an FDA-
                                            that the risk is very small that the                    disclosure of identifiable patient safety             regulated product or activity. Patient
                                            information could be used, alone or in                  work product by entities or persons that              safety work product disclosed pursuant
                                            combination with other reasonably                       are not HIPAA covered entities. We also               to this disclosure permission would
                                            available information, by an anticipated                explained that the incorporation by                   continue to be privileged and
                                            recipient to identify an identified                     reference of the HIPAA Privacy Rule                   confidential.
                                            provider; or (2) all of the provider-                   should provide for the proper alignment                  We specifically sought public
                                            related identifiers listed at § 3.212(a)(2)             of disclosures for research purposes                  comment on our interpretation that the
                                            be removed and the provider, PSO, or                    under the two rules. However, the                     statutory language concerning reporting
                                            responsible person making the                           exception under the Patient Safety Act                ‘‘to the FDA’’ included reporting by the
                                            disclosure not have actual knowledge                    also refers to evaluations and                        provider to persons or entities regulated
                                            that the information could be used,                     demonstration projects, some of which                 by the FDA and that are required to
                                            alone or in combination with other                      may not meet the definition of research               report to the FDA concerning the
                                            information that is reasonably available                under the HIPAA Privacy Rule because                  quality, safety, or effectiveness of an
                                            to the intended recipient, to identify the              they may not result in generalizable                  FDA-regulated product or activity. We
                                            particular provider.                                    knowledge but rather may fall within                  proposed this interpretation to allow
                                                                                                    the HIPAA Privacy Rule’s definition of                providers to report to entities that are
                                            (6) Section 3.206(b)(6)—For Research                                                                          required to report to the FDA, such as
                                                                                                    ‘‘health care operations.’’ We stated that,
                                              Proposed Rule: Proposed § 3.206(b)(6)                 in such cases, HIPAA covered entities                 drug manufacturers, without violating
                                            would have allowed the disclosure of                    disclosing patient safety work product                this rule, and asked if including such
                                            identifiable patient safety work product                that includes protected health                        language would bring about any
                                            to entities carrying out research,                      information under this exception could                unintended consequences for providers.
                                            evaluations, or demonstration projects                  do so without violation of the HIPAA                     We further proposed at
                                            that are funded, certified, or otherwise                Privacy Rule. See the definition of                   § 3.206(b)(7)(ii) that the FDA and
                                            sanctioned by rule or other means by                    ‘‘health care operations’’ at 45 CFR                  entities required to report to the FDA
                                            the Secretary. See section 922(c)(2)(C) of              164.501 of the HIPAA Privacy Rule.                    may only further disclose patient safety
                                            the Public Health Service Act, 42 U.S.C.                   Overview of Public Comments: We                    work product for the purpose of
                                            299b-22(c)(2)(C). We explained in the                   received no comments in reference to                  evaluating the quality, safety, or
                                            proposed rule that this disclosure                      this provision.                                       effectiveness of that product or activity
                                            permission was only for research                           Final Rule: The final rule adopts the              and such further disclosures would only
                                            sanctioned by the Secretary. We also                    proposed provision, except that the                   be permitted between the FDA, entities
                                            explained that we expected that most                    specific reference to ‘‘45 CFR                        required to report to the FDA, their
                                            research that may be subject to this                    164.512(i)’’ is deleted. We have                      contractors, and the disclosing
                                            disclosure permission would be related                  included only a general reference to the              providers. Thus, for example, the FDA
                                            to the methodologies, analytic                          HIPAA Privacy Rule in recognition of                  or a drug manufacturer receiving
                                            processes, and interpretation, feedback                 the fact that disclosures of patient safety           adverse drug event information that is
                                            and quality improvement results from                    work product containing protected                     patient safety work product may engage
                                            PSOs, rather than general medical, or                   health information pursuant to this                   in further communications with the
                                            even health services, research. Patient                 provision could be permissible under                  disclosing provider(s), for the purpose
                                            safety work product disclosed for                       the HIPAA Privacy Rule under                          of evaluating the quality, safety, or
dwashington3 on PRODPC61 with RULES3

                                            research under this provision would                     provisions other than 45 CFR 164.512(i),              effectiveness of the particular regulated
                                            continue to be confidential and                         such as, for example, disclosures for                 product or activity, or may work with
                                            privileged.                                             health care operations pursuant to 45                 their contractors. Moreover, an entity
                                              Section 922(c)(2)(C) of the Public                    CFR 164.506, or disclosures of a limited              regulated by the FDA may further
                                            Health Service Act, 42 U.S.C. 299b-                     data set for research purposes pursuant               disclose the information to the FDA.
                                            22(c)(2)(C), requires that patient safety               to 45 CFR 164.514(e).                                 The proposed provision also would

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00051   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70782            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            have prohibited contractors receiving                   provider may disclose patient safety                  providers to report patient safety work
                                            patient safety work product under this                  work product concerning an FDA-                       product to the FDA or to an entity
                                            provision from further disclosing such                  regulated product or activity to the FDA,             required to report to the FDA.
                                            information, except to the entity from                  an entity required to report to the FDA                  Comment: One commenter asked for
                                            which they received the information.                    concerning the quality, safety, or                    clarification as to whether lot numbers
                                               Finally, we explained that the HIPAA                 effectiveness of an FDA-regulated                     and device identifiers and serial
                                            Privacy Rule at 45 CFR 164.512(b)                       product or activity, or a contractor                  numbers may be reported to the FDA
                                            permits HIPAA covered entities to                       acting on behalf of FDA or such entity                under this disclosure permission.
                                            disclose protected health information                   for these purposes. Further,                             Response: Section 3.206(b)(7) would
                                            concerning FDA-regulated activities and                 § 3.206(b)(7)(ii) clarifies that the FDA,             allow such information contained
                                            products to persons responsible for                     its regulated entity entitled to receive              within patient safety work product to be
                                            collection of information about the                     information under this provision, and                 reported to FDA provided it concerned
                                            quality, safety, and effectiveness of                   their contractors may share patient                   an FDA-regulated product or activity.
                                            those FDA-regulated activities and                      safety work product received under this               (8) Section 3.206(b)(8)—Voluntary
                                            products. Therefore, disclosures under                  provision for the purpose of evaluating               Disclosure to an Accrediting Body
                                            this exception of patient safety work                   the quality, safety, or effectiveness of
                                            product containing protected health                     that product or activity among                          Proposed Rule: Proposed § 3.206(b)(8)
                                            information would be permitted under                    themselves, as well as with the                       would have permitted the voluntary
                                            the HIPAA Privacy Rule.                                 disclosing provider.                                  disclosure of identifiable patient safety
                                               Overview of Public Comments: We                         We do not include a comprehensive                  work product by a provider to an
                                            received general support in the public                  list of acceptable disclosures to FDA-                accrediting body that accredits that
                                            comments for the express reference to                   regulated entities as it would be                     disclosing provider. See section
                                            FDA-regulated entities within this                      impractical to do so. As we explained in              922(c)(2)(E) of the Public Health Service
                                            disclosure permission; only one                         the proposed rule, drug, device, and                  Act, 42 U.S.C. 299b-22(c)(2)(E). Patient
                                            commenter opposed this provision.                       biological product manufacturers are                  safety work product disclosed pursuant
                                            Some commenters asked that the final                    required to report adverse experiences                to this proposed exception would
                                            rule provide examples of the types of                   to the FDA and currently rely on                      remain privileged and confidential.
                                            disclosures that might occur to FDA-                    voluntary reports from product users,                   This provision would have allowed a
                                            regulated entities, and one commenter                   including providers. Further, the                     provider to disclose patient safety work
                                            suggested that if such disclosures are                  analysis of events by a provider or PSO               product that identifies that disclosing
                                            permitted, the final rule should include                that constitutes patient safety work                  provider. Further, the proposed rule
                                            a comprehensive list of acceptable                      product may generate information that                 would not have required that patient
                                            disclosures to these entities. Another                  should be reported to the FDA or FDA-                 safety work product be nonidentifiable
                                            commenter noted that if disclosures to                  regulated entity because it relates to the            as to nondisclosing providers. The
                                            FDA-regulated entities are permitted                    safety or effectiveness of an FDA-                    proposed rule specifically sought public
                                            under this disclosure permission, the                   regulated product or activity. This                   comment on whether patient safety
                                            final rule should limit the use of patient              provision allows providers to report                  work product should be anonymized
                                            safety work product to the purposes                     such information without violating the                with respect to nondisclosing providers
                                            stated in the statute and should prohibit               confidentiality provisions of the statute             prior to disclosure to an accrediting
                                            the use of this information for marketing               or rule. However, we emphasize that,                  body under this provision.
                                            purposes. No commenters identified any                  despite this disclosure permission, we                  The proposed rule also provided that
                                            unintended consequences of including                    expect that most reporting to the FDA                 an accrediting body could not take an
                                            FDA-regulated entities within the                       and its regulated entities will be done               accreditation action against a provider
                                            disclosure permission.                                  with information that is not patient                  based on that provider’s participation,
                                               Final Rule: The final rule adopts the                safety work product, as is done today.                in good faith, in the collection, reporting
                                            provisions of the proposed rule at                      This disclosure permission is intended                or development of patient safety work
                                            § 3.206(b)(7), including the express                    to allow for reporting to the FDA or                  product. It also would have prohibited
                                            reference to FDA-regulated entities. We                 FDA-regulated entity in those special                 accrediting bodies from requiring a
                                            also modify the title of the provision to               cases where, only after an analysis of                provider to reveal its communications
                                            reflect that disclosures to such entities               patient safety work product, does a                   with any PSO.
                                            are encompassed within the disclosure                   provider realize it should make a report.               Overview of Public Comments:
                                            permission. As explained in the                         As in the proposed rule, patient safety               Several commenters responded to the
                                            proposed rule, we believe including                     work product disclosed pursuant to this               question of whether the final rule
                                            FDA-regulated entities within the scope                 provision remains privileged and                      should require the anonymization of
                                            of the disclosure permission is                         confidential.                                         patient safety work product with respect
                                            consistent with both the rule of                                                                              to nondisclosing providers, all of which
                                            construction in the statute which                       Response to Other Public Comments                     supported such a requirement. Another
                                            preserves required reporting to the FDA,                  Comment: Five commenters asked                      commenter noted that the final rule
                                            as well as the goals of the statute which               that the final rule allow PSOs as well as             should expressly prohibit accrediting
                                            are to improve patient safety. See                      providers to disclose or report patient               bodies from taking accreditation actions
                                            section 922(g)(6) of the Public Health                  safety work product to the FDA or to an               against nondisclosing providers based
                                            Service Act, 42 U.S.C. 299b-22(g)(6). In                entity that is required to report to the              upon the patient safety work product
                                            addition, the final rule includes                       FDA.                                                  reported to them by disclosing
dwashington3 on PRODPC61 with RULES3

                                            modifications to more clearly indicate                    Response: We do not modify the                      providers.
                                            who can receive patient safety work                     provision as there is no statutory                      Final Rule: In light of the comments
                                            product under this provision, as well as                authority to allow PSOs to report patient             received, the final rule modifies the
                                            what further disclosures may be made of                 safety work product to the FDA or to an               proposed provision at § 3.206(b)(8) to
                                            such information. Specifically,                         entity required to report to the FDA.                 condition the voluntary disclosure by a
                                            § 3.206(b)(7)(i) now makes clear that a                 However, the statute does permit                      provider of patient safety work product

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00052   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                         70783

                                            to an accrediting body that accredits the                  Response: The final rule prohibits                 the patient safety work product directly
                                            provider on either: (1) the agreement of                accrediting bodies from further                       from a provider pursuant to
                                            the nondisclosing providers to the                      disclosing patient safety work product                § 3.206(b)(8).
                                            disclosure; or (2) the anonymization of                 they have voluntarily received from                      Comment: One commenter asked that
                                            the patient safety work product with                    providers under § 3.206(b)(8).                        the final rule allow accrediting bodies to
                                            respect to any nondisclosing providers                     Comment: One commenter asked if                    use voluntarily reported patient safety
                                            identified in the patient safety work                   survey and licensure bodies were                      work product in accreditation decisions,
                                            product, by removal of the direct                       considered to be accrediting bodies and               or that the final rule give accrediting
                                            identifiers listed at § 3.206(b)(4)(iv)(A).             thus, precluded from taking action                    bodies immunity from liability that
                                            Direct identifiers of the disclosing                    against providers who voluntarily                     might arise from their failure to take this
                                            providers do not need to be removed.                    submit patient safety work product to                 patient safety work product into account
                                            We also note that the final rule does not               them.                                                 in its accreditation decisions. This
                                            prescribe the form of the agreement                        Response: Survey and licensure                     commenter also stated that, since
                                            obtained from non-disclosing providers.                 bodies are not accrediting bodies and                 accrediting bodies cannot take action
                                            Providers are free to design their own                  are not treated as such under this                    based on information voluntarily
                                            policies for obtaining such agreements.                 provision. Thus, such entities are not                disclosed pursuant to this provision, the
                                            Some institutional providers may, for                   entitled to receive patient safety work               final rule should make clear that
                                            example, make it a condition of                         product voluntarily from providers                    accrediting bodies cannot be held
                                            employment or privileges that providers                 under this provision.                                 responsible for decisions that might
                                            agree to the disclosure of patient safety                  Comment: Two commenters                            have been different if the accrediting
                                            work product to accrediting bodies. In                  expressed concern about this disclosure               body had been able to act based on the
                                            addition, unlike the provision at                       permission for accrediting bodies that                patient safety work product received.
                                            § 3.206(b)(3) of the final rule, with                   create component PSOs. One                               Response: We clarify that the final
                                            respect to any of the non-disclosing                    commenter stated that allowing                        rule, as the proposed rule, does not
                                            providers identified in the patient safety              accrediting bodies to create component                prohibit an accrediting body from using
                                            work product, the disclosing provider                   PSOs creates a potential conflict of                  patient safety work product voluntarily
                                            need obtain either the provider’s                       interest that may adversely affect                    reported by a provider pursuant to this
                                            agreement or anonymize the provider’s                   provider organizations. If an accrediting             provision in its accreditations decisions
                                            information.                                            body’s component organization is a                    with respect to that provider. Thus, it is
                                                                                                    PSO, the commenter asked how OCR                      not necessary nor is it appropriate for
                                            Response to Other Public Comments                       will determine whether the component                  the Secretary to give accrediting bodies
                                               Comment: Several commenters stated                   organization improperly disclosed                     immunity from liability. However, an
                                            that they did not support this disclosure               information or whether the accrediting                accrediting body may not require a
                                            permission allowing voluntary                           body received the information                         provider to disclose patient safety work
                                            disclosures of patient safety work                      voluntarily from a provider.                          product, or take an accrediting action
                                            product to accrediting bodies due to                       Response: Providers are free to choose             against a provider who refuses to
                                            possible unintended consequences of                     the PSOs with which they want to work.                disclose patient safety work product, to
                                            these disclosures. Another commenter                    We expect that any selection by a                     the accrediting body. See section
                                            asked that we be aware of punitive                      provider will involve a thorough vetting              922(d)(4)(B) of the Public Health Service
                                            actions by regulatory organizations as a                and consideration of a number of                      Act, 42 U.S.C. 299b-22(d)(4)(B), and
                                            result of voluntary disclosures to                      factors, including whether the PSO is a               § 3.206(b)(8)(iii), which expressly
                                            accrediting bodies and monitor this                     component of an accrediting body and                  prohibits an accrediting body from
                                            process carefully for any unintended                    if so, what assurances are in place to                taking an accrediting action against a
                                            consequences.                                           protect against improper access by the                provider based on the good faith
                                               Response: The disclosure permission                  accrediting body to patient safety work               participation of the provider in the
                                            allowing providers to voluntarily                       product. Component organizations have                 collection, development, reporting, or
                                            disclose patient safety work product to                 clear requirements to maintain patient                maintenance of patient safety work
                                            accrediting bodies is prescribed by the                 safety work product separately from                   product in accordance with the statute.
                                            statute and thus, is included in this final             parent organizations. Further, the final                 Comment: One commenter asked if
                                            rule. However, as described above, the                  rule recognizes that a disclosure from a              the limitation on redisclosure of
                                            final rule requires either anonymization                component organization to a parent                    voluntarily reported patient safety work
                                            or agreement with respect to non-                       organization is a disclosure which must               product received by an accrediting body
                                            disclosing providers as a condition of                  be made pursuant to one of the                        applies if the information sent to the
                                            the disclosure. This provision, along                   permissions set forth in the statute and              accrediting body was not patient safety
                                            with the express prohibition at                         here; disclosures for which there is no               work product at the time the accrediting
                                            § 3.206(b)(8)(iii) on an accrediting body               permission are subject to enforcement                 body received the information, but was
                                            taking an accrediting action against a                  by the Department and imposition of                   later reported, by the provider to a PSO
                                            provider based on a good faith                          civil money penalties, as well as may                 and became protected.
                                            participation of the provider in the                    adversely impact on the PSO’s                            Response: If the information
                                            collection, development, reporting, or                  continued listing by the Secretary as a               submitted to an accrediting body was
                                            maintenance of patient safety work                      PSO. Should OCR receive a complaint                   not patient safety work product as
                                            product should alleviate commenter                      or conduct a compliance review that                   defined at § 3.20 at the time it was
                                            concerns.                                               implicates an impermissible disclosure                reported, then § 3.206(b)(8), including
dwashington3 on PRODPC61 with RULES3

                                               Comment: One commenter asked if                      by a component PSO of an accrediting                  the redisclosure limitation, does not
                                            the regulation allowed accrediting                      body, OCR will investigate and review                 apply to such information.
                                            bodies to disclose patient safety work                  the particular facts and circumstances                   Comment: One commenter asked that
                                            product to CMS as part a commitment                     surrounding the alleged impermissible                 the final rule clarify that the disclosure
                                            to advise CMS of adverse accreditation                  disclosure, including, if appropriate,                of patient safety work product to an
                                            decisions.                                              whether the accrediting body received                 accrediting body is voluntary.

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00053   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70784            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                              Response: Section 3.208(b)(8)                         rule. We also received several responses              otherwise support activities included in
                                            expressly provides only for the                         to the question asking if the final rule              the definition of ‘‘patient safety
                                            voluntary reporting of patient safety                   should allow for any additional                       activities’’ at § 3.20 of this rule, these
                                            work product, provided the conditions                   disclosures under the business                        disclosures may be made to such
                                            are met. We do not see a need for further               operations provision. Three commenters                contractors pursuant to § 3.206(b)(4)(ii).
                                            clarification.                                          stated that the final rule should not
                                                                                                                                                          Response to Other Public Comments
                                                                                                    include any additional business
                                            (9) Section 3.206(b)(9)—Business                                                                                Comment: Two commenters suggested
                                                                                                    operations disclosures. Others asked
                                            Operations                                                                                                    that the final rule include a requirement
                                                                                                    that the business operations disclosure
                                              Proposed Rule: Proposed § 3.206(b)(9)                 permission be broad enough to                         for a contract between providers or
                                            would have allowed disclosures of                       encompass all the activities defined as               PSOs and their attorneys, accountants,
                                            patient safety work product by a                        ‘‘health care operations’’ in the HIPAA               and other professionals to whom patient
                                            provider or a PSO to professionals such                 Privacy Rule, which would then include                safety work product will be disclosed as
                                            as attorneys and accountants for the                    disclosures to entities such as                       a business operation.
                                            business operations purposes of the                     photocopy shops, document storage                       Response: We do not require a
                                            provider or PSO. See section                            services, shredding companies, IT                     contract as a condition of disclosure in
                                            922(c)(2)(F) of the Public Health Service               support companies, and other entities                 the final rule. However, we agree that a
                                            Act, 42 U.S.C. 299b–22(c)(2)(F). Under                  involved in a PSO’s management or                     contract between these parties is a
                                            the proposed rule, such contractors                     administration. Other commenters                      prudent business practice and expect
                                            could not further disclose patient safety               suggested that disclosures of patient                 that parties will enter into appropriate
                                            work product, except to the entity from                 safety work product to independent                    agreements to ensure patient safety
                                            which it received the information.                      contractors, professional liability                   work product remains protected.
                                            However, the proposed rule made clear                   insurance companies, captives, and risk               Further, where HIPAA covered entities
                                            that a provider or PSO still would have                 retention groups be included as                       are concerned, we note that the HIPAA
                                            had the authority to delegate its power                 disclosures for business operations                   Privacy Rule requires that such entities
                                            to the contractor to make other                         under this provision in the final rule.               have a business associate agreement in
                                            disclosures. In addition, the proposed                     All commenters responding to the                   place with professionals providing
                                            rule provided that any patient safety                   question about how the Secretary                      services that require access to protected
                                            work product disclosed pursuant to this                 should adopt additional business                      health information.
                                            provision continued to be privileged                    operations stated that additional                     (10) Section 3.206(b)(10)—Disclosure to
                                            and confidential.                                       business operations should be adopted
                                              The Patient Safety Act gives the                                                                            Law Enforcement
                                                                                                    only through the rulemaking process.
                                            Secretary authority to designate                           Final Rule: The final rule adopts the                Proposed Rule: Proposed
                                            additional exceptions as necessary                      proposed provision, allowing disclosure               § 3.206(b)(10) would have permitted the
                                            business operations that are consistent                 of patient safety work product by a                   disclosure of identifiable patient safety
                                            with the goals of the statute. The                      provider or a PSO for business                        work product to law enforcement
                                            proposed rule sought public comment                     operations to attorneys, accountants,                 authorities, so long as the person
                                            regarding whether there are any other                   and other professionals. The final rule               making the disclosure believes—and
                                            consultants or contractors, to whom a                   allows disclosure of patient safety work              that belief is reasonable under the
                                            business operations disclosure should                   product to these professionals who are                circumstances—that the patient safety
                                            also be permitted, or whether the                       bound by legal and ethical duties to                  work product disclosed relates to a
                                            Secretary should consider any                           maintain the confidence of their clients              crime and is necessary for criminal law
                                            additional exceptions under this                        and the confidentiality of client                     enforcement purposes. See section
                                            authority. The proposed rule noted that                 information, including patient safety                 922(c)(2)(G) of the Public Health Service
                                            the Secretary would designate                           work product. These professionals will                Act, 42 U.S.C. 299b–22(c)(2)(G). The
                                            additional exceptions only through                      provide a broad array of services to and              proposed rule provided that patient
                                            regulation; however, it asked if other                  functions for the providers and PSOs                  safety work product disclosed under
                                            mechanisms for the adoption of                          with whom they are contracted and will                this provision would remain privileged
                                            business operations exceptions should                   need access to patient safety work                    and confidential.
                                            be adopted or incorporated.                             product to perform their duties. We are                 The proposed rule also provided that
                                              The proposed rule also explained that                 not persuaded by the comments of a                    the law enforcement entity receiving the
                                            a business operations designation by the                need to expand, at this time, the                     patient safety work product could use
                                            Secretary that enables a HIPAA covered                  disclosure permission to encompass                    the patient safety work product to
                                            entity to disclose patient safety work                  other categories of persons or entities.              pursue any law enforcement purposes;
                                            product containing protected health                     However, as described in the proposed                 however, the recipient law enforcement
                                            information to professionals is                         rule, should the Secretary seek in the                entity could only redisclose the
                                            permissible as a health care operations                 future to designate additional business               information to other law enforcement
                                            disclosure under the HIPAA Privacy                      operations exceptions to be                           authorities as needed for law
                                            Rule. See 45 CFR 164.506. Generally,                    encompassed within this disclosure                    enforcement activities related to the
                                            such professionals will be business                     permission, he will do so through                     event that necessitated the original
                                            associates of the covered entity, which                 regulation to provide adequate                        disclosure. The proposed rule sought
                                            will require that a business associate                  opportunity for public comment.                       comment regarding whether these
                                            agreement be in place. See 45 CFR                          With respect to many of the other                  provisions would allow for legitimate
dwashington3 on PRODPC61 with RULES3

                                            160.103, 164.502(e), and 164.504(e).                    entities identified by the commenters,                law enforcement needs, while ensuring
                                              Overview of Public Comments:                          we note that, to the extent the services              appropriate protections.
                                            Several commenters expressed general                    provided by such entities are necessary                 Overview of Public Comments:
                                            support for the business operations                     for the maintenance of patient safety                 Commenters responding to the question
                                            disclosures to attorneys, accountants,                  work product or the operation of a                    in the proposed rule regarding whether
                                            and other professionals in the proposed                 patient safety evaluation system, or                  this disclosure permission would allow

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00054   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                        70785

                                            for legitimate law enforcement needs                    expressly limiting law enforcement’s                  would provide them with the same
                                            while ensuring that information remain                  redisclosure of patient safety work                   leeway for inadvertent disclosures of
                                            appropriately protected stated that the                 product received pursuant to the                      patient safety work product as
                                            proposed disclosure permission was                      provision to other law enforcement                    providers.
                                            appropriate and did permit legitimate                   authorities as needed for law                           Response: The statute expressly limits
                                            disclosures to law enforcement.                         enforcement activities related to the                 the safe harbor provision to providers.
                                               Final Rule: The final rule adopts the                event that gave rise to the initial                   Therefore, we do not have the authority
                                            proposed provision with slight                          disclosure. Thus, law enforcement is not              to extend this provision to PSOs.
                                            modification for purposes of                            permitted to further disclose the patient             (D) Section 3.206(d)—Implementation
                                            clarification only. We add the word                     safety work product for the enforcement               and Enforcement of the Patient Safety
                                            ‘‘only’’ to the final rule to clarify that              of a crime unrelated to the crime for                 Act
                                            law enforcement receiving patient safety                which the patient safety work product
                                            work product pursuant to this exception                 was originally disclosed to the law                      Proposed Rule: Proposed § 3.206(d)
                                            may only further disclose this                          enforcement entity.                                   would have permitted the disclosure of
                                            information to other law enforcement                      Comment: One commenter stated that                  relevant patient safety work product to
                                            authorities as needed for law                           the proposed rule represented an                      or by the Secretary as needed for
                                            enforcement activities related to the                   expansion of the statutory language                   investigating or determining compliance
                                            event that gave rise to the original                    because it allowed persons to disclose                with or to seek or impose civil money
                                            disclosure.                                             patient safety work product to law                    penalties with respect to this Part or for
                                                                                                    enforcement entities in the absence of                making or supporting PSO certification
                                            Response to Other Public Comments                                                                             or listing decisions, under the Patient
                                                                                                    an active law enforcement investigation
                                              Comment: Two commenters suggested                     and in the absence of a request for this              Safety Act. Patient safety work product
                                            that the statutory standard of reasonable               information by law enforcement.                       disclosed under this exception would
                                            belief was vague and that clarity was                     Response: The statute does not                      remain confidential.
                                            needed to reduce the uncertainty of                     require that a law enforcement entity be                 Overview of Public Comments: We
                                            disclosures and to further define what                  involved in an active investigation or                received no comments in reference to
                                            could constitute a reasonable belief.                   that a law enforcement entity request                 this provision.
                                            Another commenter noted that the                        information prior to a person making a                   Final Rule: Consistent with the
                                            phrase ‘‘relates to a crime and is                      disclosure of patient safety work                     changes made to § 3.204(c) with respect
                                            necessary for criminal law enforcement                  product to a law enforcement entity                   to privilege, the final rule adopts the
                                            purposes’’ is too broad and leaves too                  pursuant to this disclosure permission.               proposed provision, but expands it to
                                            much discretion to entities such as                                                                           expressly provide that patient safety
                                                                                                    See 922(c)(2)(G) of the Public Health
                                            PSOs.                                                                                                         work product also may be disclosed to
                                                                                                    Service Act, 42 U.S.C. 299b–22(c)(2)(G).
                                              Response: The final rule provision at                                                                       or by the Secretary as needed to
                                            § 3.206(b)(10) generally repeats the                    (C) Section 3.206(c)—Safe Harbor                      investigate or determine compliance
                                            statutory provision upon which it is                       Proposed Rule: Proposed § 3.206(c)                 with or to impose a civil money penalty
                                            based, which provides that the                          would have prohibited the disclosure of               under the HIPAA Privacy Rule. This
                                            disclosure of patient safety work                       a subject provider’s identity with                    new language implements the statutory
                                            product be permitted if it relates to the               information, whether oral or written,                 provision at section 922(g)(3) of the
                                            commission of a crime and the person                    that: (1) assesses that provider’s quality            Public Health Service Act, 42 U.S.C.
                                            making the disclosure believes,                         of care; or (2) identifies specific acts              299b–22(g)(3), which makes clear that
                                            reasonably under the circumstances,                     attributable to such provider. See                    the Patient Safety Act is not intended to
                                            that the patient safety work product is                 section 922(c)(2)(H) of the Public Health             affect implementation of the HIPAA
                                            necessary for criminal law enforcement                  Service Act, 42 U.S.C. 299b–22(c)(2)(H).              Privacy Rule. As in the privilege
                                            purposes. See section 922(c)(2)(G) of the               This provision would have been only                   context, given the significant potential
                                            Public Health Service Act, 42 U.S.C.                    applicable to providers. Patient safety               for an alleged impermissible disclosure
                                            299b–22(c)(2)(G).                                       work product disclosed under this                     to implicate both this rule’s
                                              Comment: One commenter expressed                      exception could identify providers,                   confidentiality provisions, as well as the
                                            concern regarding the redisclosure of                   reporters or patients so long as the                  HIPAA Privacy Rule, the Secretary may
                                            patient safety work product to law                      provider(s) that were the subject of the              require access to confidential patient
                                            enforcement under this disclosure                       actions described were nonidentified.                 safety work product for purposes of
                                            permission. The commenter stated that                   The proposed rule would have required                 determining compliance with the
                                            there could be successive disclosures of                that nonidentification be accomplished                HIPAA Privacy Rule. The Secretary will
                                            protected information to law                            in accordance with the                                use such information consistent with
                                            enforcement without consideration of                    nonidentification standard set forth in               the statutory prohibition against
                                            whether there is a reasonable belief that               proposed § 3.212.                                     imposing civil money penalties under
                                            the redisclosure is necessary for                          Overview of Public Comments: We                    both authorities for the same act.
                                            criminal law enforcement purposes.                      received no comments opposed to this                     With respect to this rule, the final
                                            Another commenter recommended that                      provision.                                            rule, as in the proposed rule, makes
                                            this disclosure permission should                          Final Rule: The final rule adopts the              clear that disclosures of patient safety
                                            expressly prohibit patient safety work                  proposed provision.                                   work product to or by the Secretary are
                                            product from being used against                                                                               permitted to investigate or determine
                                            patients who are identified in the                      Response to Other Public Comments                     compliance with this rule, or to make or
dwashington3 on PRODPC61 with RULES3

                                            patient safety work product but who are                    Comment: Several commenters                        support decisions with respect to listing
                                            not the subject of the criminal act for                 suggested that the safe harbor provision              of a PSO. This may include access to
                                            which the information was originally                    be extended to PSOs as well as                        and disclosure of patient safety work
                                            disclosed.                                              providers. One commenter noted that                   product to enforce the confidentiality
                                              Response: We believe § 3.206(b)(10)                   there was no reason to exclude PSOs                   provisions of the rule, to make or
                                            addresses the commenters’ concerns by                   from this provision and including PSOs                support decisions regarding the

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00055   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70786            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            acceptance of certification and listing as              Subpart. Neither the statute nor the                  work product. The first was an
                                            a PSO, or to revoke such acceptance and                 proposed rule limited the authority of a              exception to continued confidentiality
                                            to delist a PSO, or to assess or verify                 provider to place limitations on                      protection when patient safety work
                                            PSO compliance with the rule.                           disclosures or uses.                                  product is disclosed for use in a
                                                                                                       Overview of Public Comments: We                    criminal proceeding, pursuant to
                                            Response to Other Public Comments                       received no comments opposed to this                  § 3.206(b)(1). See section 922(d)(2)(A),
                                               Comment: Several commenters asked                    provision.                                            42 U.S.C. 299b–22(d)(2)(A). The second
                                            the Secretary to use judicious restraint                   Final Rule: The final rule adopts the              exception to continued protection was
                                            when requesting patient safety work                     proposed provision.                                   in circumstances where patient safety
                                            product for compliance and                                 Response to Other Public Comments                  work product is disclosed in
                                            enforcement activities. Some of these                      Comment: One commenter suggested                   nonidentifiable form, pursuant to
                                            commenters also asked that the                          that providers and PSOs should not be                 §§ 3.204(b)(4) and 3.206(b)(5). See
                                            Secretary reserve his full enforcement                  able to enter into agreements that would              section 922(d)(2)(B), 42 U.S.C. 299b–
                                            power for only the most egregious                       prohibit the disclosure of patient safety             22(d)(2)(B).
                                            violations of the confidentiality                       work product to report a crime or to                     The proposed rule would not have
                                            provisions.                                             comply with state reporting                           required the labeling of information as
                                               Response: We acknowledge the                         requirements.                                         patient safety work product or that
                                            commenters’ concerns regarding the                         Response: The Patient Safety Act                   disclosure of patient safety work
                                            disclosure of patient safety work                       expressly provides that it does not                   product be accompanied by a notice as
                                            product for enforcement purposes. As                    preempt or otherwise affect any State                 to either the fact that the information
                                            we explained in the proposed rule, we                   law requiring a provider to report                    disclosed is patient safety work product
                                            strongly believe in the protection of                   information that is not patient safety                or that it is confidential. The proposed
                                            patient safety work product as provided                 work product. See section 922(g)(5) of                rule did acknowledge that both
                                            by the Patient Safety Act. However,                     the Public Health Service Act, 42 U.S.C.              practices may be prudent business
                                            confidentiality protections are                         299b–22(g)(5). Further, patient safety                practices.
                                            meaningless without the ability to                      work product does not include original                   Overview of Public Comments: We
                                            enforce breaches of the protections,                    medical and other records. Thus,                      received several comments suggesting
                                            investigations of which may require                     nothing in the final rule or the statute              that the final rule require that patient
                                            access to confidential patient safety                   relieves a provider from his or her                   safety work product be labeled as such
                                            work product. Further, § 3.310 of the                   obligation to disclose information from               or that a recipient of patient safety work
                                            final rule provides the Secretary with                  such original records or other                        product be given notice of the protected
                                            authority to obtain access to only that                 information that is not patient safety                status of the information received.
                                            patient safety work product and other                   work product to comply with state                     Commenters suggested that putting
                                            information that is pertinent to                        reporting or other laws. Moreover, the                recipients of patient safety work product
                                            ascertaining compliance with the rule’s                 final rule at § 3.206(b)(10)(i) permits               on notice about the sensitive and
                                            confidentiality provisions.                             providers and PSOs to disclose patient                confidential nature of the information
                                               Also, as we explained in the proposed                safety work product to report a crime to              would assure and encourage appropriate
                                            rule, we will seek to minimize the risk                 a law enforcement authority provided                  treatment of this information.
                                            of improper disclosure of patient safety                that the disclosing person reasonably                    Final Rule: The final rule adopts this
                                            work product by using and disclosing                    believes that the patient safety work                 proposed provision but does not require
                                            patient safety work product only in                     product that is disclosed is necessary for            that patient safety work product be
                                            limited and necessary circumstances,                    criminal law enforcement purposes.                    labeled or that disclosing parties
                                            and by limiting the amount of patient                   However, the Department cannot,                       provide recipients of patient safety work
                                            safety work product disclosed to that                   through this rule, prevent such                       product with notice that they are
                                            necessary to accomplish the purpose.                    agreements because the Patient Safety                 receiving protected information. We
                                            Further, § 3.312 of the final rule                      Act, at section 922(g)(4) of the Public               believe imposing a labeling or notice
                                            expressly prohibits the Secretary from                  Health Service Act, 42 U.S.C. 299b–                   requirement would be overly
                                            disclosing identifiable patient safety                  22(g)(4), specifically provides that the              burdensome on entities. We do,
                                            work product obtained by the Secretary                  Act cannot be construed ‘‘to limit the                however, expect providers, PSOs, and
                                            in connection with an investigation or                  authority of any provider, patient safety             responsible persons holding patient
                                            compliance review except as permitted                   organization, or other entity to enter                safety work product to treat and
                                            by § 3.206(d) for compliance and                        into a contract requiring greater                     safeguard such sensitive information
                                            enforcement or as otherwise permitted                   confidentiality’’ than that provided                  appropriately and encourage such
                                            by the rule or the Patient Safety Act.                  under the Act.                                        persons to consider whether labeling or
                                               See the discussion of the provisions of                                                                    notice may be an appropriate safeguard
                                                                                                    3. Section 3.208—Continued Protection                 in certain circumstances. Further, we
                                            Subpart D of the final rule for more
                                                                                                    of Patient Safety Work Product                        note that the final rule provides that
                                            information on how the Secretary may
                                            exercise discretion in enforcement.                        Proposed Rule: Proposed § 3.208                    information that is documented as
                                                                                                    provided that the privilege and                       within a patient safety evaluation
                                            (E) Section 3.206(e)—No Limitation on                   confidentiality protections would                     system for reporting to a PSO is patient
                                            Authority To Limit or Delegate                          continue to apply to patient safety work              safety work product. In addition, the
                                            Disclosure or use                                       product following disclosure and also                 final rule allows patient safety work
                                              Proposed Rule: Proposed § 3.206(e)                    described the narrow circumstances                    product to be removed from a patient
dwashington3 on PRODPC61 with RULES3

                                            would have established that a person                    when the protections terminate. See                   safety evaluation system and no longer
                                            holding patient safety work product                     section 922(d) of the Public Health                   considered patient safety work product
                                            may enter into a contract that requires                 Service Act, 42 U.S.C. 299b–22(d). In                 if it has not yet been reported to a PSO
                                            greater confidentiality protections or                  particular, the proposed rule would                   and its removal is documented. See the
                                            may delegate its authority to make a                    have provided two exceptions to the                   definition of ‘‘patient safety work
                                            disclosure in accordance with this                      continued protection of patient safety                product’’ at § 3.20. These

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00056   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                       70787

                                            documentation provisions may assist in                  impermissible disclosure of patient                   Secretary has determined that such
                                            identifying, and putting persons on                     safety work product has been made, the                information is needed for compliance or
                                            notice as to, what is and is not protected              Secretary will examine each situation                 enforcement of this rule or the HIPAA
                                            information.                                            based on the individual circumstances                 Privacy Rule or for PSO certification or
                                                                                                    and make an appropriate determination                 listing. Further, during an investigation
                                            Response to Other Public Comments
                                                                                                    about whether to impose a civil money                 or compliance review, § 3.310(c)
                                              Comment: With respect to                              penalty. See the discussion regarding                 requires a respondent to provide the
                                            §§ 3.206(b)(2), 3.206(b)(3), 3.206(b)(8),               Subpart D of this final rule for a more               Secretary with access to only that
                                            3.206(b)(9), and 3.206(b)(10),                          extensive discussion of the Secretary’s               information, including patient safety
                                            commenters asked that the final rule                    enforcement discretion. Finally, with                 work product, that is pertinent to
                                            emphasize the fact that subsequent                      respect to the commenter’s First                      ascertaining compliance with this rule.
                                            holders of patient safety work product                  Amendment concerns, we do not
                                            are subject to the privilege and                                                                              5. Section 3.212—Nonidentification of
                                                                                                    believe the confidentiality provisions
                                            confidentiality provisions when they                                                                          Patient Safety Work Product
                                                                                                    afforded to patient safety work product
                                            receive the patient safety work product                 in the statute and the rule contravene                   Proposed Rule: Proposed § 3.212
                                            pursuant to a privilege or confidentiality              the First Amendment.                                  would have established the standard by
                                            exception and that this patient safety                                                                        which patient safety work product
                                            work product cannot be subpoenaed,                      4. Section 3.210—Required Disclosure                  would be rendered nonidentifiable,
                                            ordered, or entered into evidence in a                  of Patient Safety Work Product to the                 implementing section 922(c)(2)(B) of the
                                            civil or criminal proceeding through any                Secretary                                             Public Health Service Act, 42 U.S.C.
                                            of these exceptions.                                       Proposed Rule: Proposed § 3.210                    299b–22(c)(2)(B). Under the Patient
                                              Response: Section 3.208 makes clear                   would have required providers, PSOs,                  Safety Act and this Part, identifiable
                                            that, with limited exceptions, patient                  and other persons holding patient safety              patient safety work product includes
                                            safety work product continues to be                     work product to disclose such                         information that identifies any provider
                                            privileged and confidential upon                        information to the Secretary upon a                   or reporter or contains individually
                                            disclosure.                                             determination by the Secretary that such              identifiable health information under
                                              Comment: One commenter expressed                      patient safety work product is needed                 the HIPAA Privacy Rule (see 45 CFR
                                            concern over the proposed rule’s                        for the investigation and enforcement                 160.103). See section 921(2) of the
                                            statement that an impermissible                         activities related to this Part, or is                Public Health Service Act, 42 U.S.C.
                                            disclosure of patient safety work                       needed in seeking and imposing civil                  299b–21(2). By contrast, nonidentifiable
                                            product, even if unintentional, does not                money penalties.                                      patient safety work product does not
                                            terminate the confidentiality of the                       Overview of Public Comments: We                    include information that permits
                                            information and that individuals and                    received no comments opposed to this                  identification of any provider, reporter
                                            entities receiving this patient safety                  provision.                                            or subject of individually identifiable
                                            work product may be subject to civil                       Final Rule: The final rule adopts the              health information. See section 921(3) of
                                            money penalties. The commenter stated                   proposed provision but expands it to                  the Public Health Service Act, 42 U.S.C.
                                            that the applicability of this broad                    encompass disclosures of patient safety               299b–21(3).
                                            statement to third and fourth party                     work product needed for investigation                    The proposed rule explained that
                                            recipients of patient safety work product               and enforcement activities with respect               because individually identifiable health
                                            could violate the First Amendment and                   to the HIPAA Privacy Rule, consistent                 information as defined in the HIPAA
                                            expressed concern with the possibility                  with changes made to §§ 3.204(c) and                  Privacy Rule is one element of
                                            that the Secretary would seek to impose                 3.206(d). As in the proposed rule, the                identifiable patient safety work product,
                                            a civil money penalty upon a newspaper                  final rule makes clear that, with respect             the de-identification standard provided
                                            for printing patient safety information.                to this rule, providers, PSOs, and                    in the HIPAA Privacy Rule would apply
                                              Response: Section 3.208 implements                    responsible persons must disclose                     with respect to the patient-identifiable
                                            the statutory provision that patient                    patient safety work product to the                    information in the patient safety work
                                            safety work product continues to be                     Secretary upon request when needed to                 product. Therefore, where patient safety
                                            privileged and confidential upon                        investigate or determine compliance                   work product contained individually
                                            disclosure, including when in the                       with this rule, or to make or support                 identifiable health information, the
                                            possession of the person to whom the                    decisions with respect to listing of a                proposal would have required that the
                                            disclosure was made. See section 922(d)                 PSO. This may include disclosure of                   information be de-identified in
                                            of the Public Health Service Act, 42                    patient safety work product to the                    accordance with 45 CFR 164.514(a)–(c)
                                            U.S.C. 299b–22(d). To encourage                         Secretary as necessary to enforce the                 to qualify as nonidentifiable patient
                                            provider reporting of sensitive patient                 confidentiality provisions of the rule, to            safety work product with respect to
                                            safety information, Congress saw a need                 make or support decisions regarding the               individually identifiable health
                                            for strong privilege and confidentiality                acceptance of certification and listing as            information under the Patient Safety
                                            protections that continue to apply                      a PSO, or to revoke such acceptance and               Act.
                                            downstream even after disclosure,                       to delist a PSO, or to assess or verify                  Further, with respect to providers and
                                            regardless of who holds the information.                PSO compliance with the rule.                         reporters, the proposal imported and
                                            With respect to the commenter’s                                                                               adapted the HIPAA Privacy Rule’s
                                            concern regarding ‘‘unintentional’’                     Response to Other Public Comments                     standards for de-identification. In
                                            disclosures, we note that the Secretary                   Comment: Several commenters                         particular, the proposal included two
                                            has discretion to elect not to impose                   suggested that disclosures to the                     methods by which nonidentification
dwashington3 on PRODPC61 with RULES3

                                            civil money penalties for an                            Secretary be limited to only the patient              could be accomplished: (1) A statistical
                                            impermissible disclosure of patient                     safety work product that is needed for                method of nonidentification and (2) the
                                            safety work product, in appropriate                     the Secretary’s activities.                           removal of 15 specified categories of
                                            circumstances. Thus, if it is determined,                 Response: Section 3.210 requires                    direct identifiers of providers or
                                            through a complaint investigation or a                  disclosure of patient safety work                     reporters and of parties related to the
                                            compliance review, that an                              product only in those cases where the                 providers and reporters, including

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00057   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70788            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            corporate parents, subsidiaries, practice               anonymization standard, as appropriate,               reidentification keys, we note that
                                            partners, employers, workforce                          to eliminate unnecessary duplication of               § 3.212(a)(3) prohibits a provider, PSO,
                                            members, or household members, and                      such elements in the regulatory text.                 or responsible party disclosing
                                            that the discloser have no actual                       Therefore, persons wishing to                         nonidentifiable patient safety work
                                            knowledge that the remaining                            nonidentify patient safety work product               product from also disclosing the
                                            information, alone or in combination                    must remove the direct identifiers listed             mechanism for reidentification. If a
                                            with other information reasonably                       in the anonymization standard at                      reidentification key is disclosed along
                                            available to the intended recipient,                    § 3.206(b)(4)(iv)(A)(1) through (13), as              with patient safety work product that
                                            could be used to identify any provider                  well as any additional geographic                     would otherwise be nonidentifiable,
                                            or reporter, i.e., a contextual                         subdivisions smaller than a State that                then such information is identifiable
                                            nonidentification standard. In addition,                are not required to be removed by                     patient safety work product to which
                                            the proposal would have permitted a                     § 3.206(b)(4)(A)(2), e.g., town or city, all          the privilege and confidentiality
                                            provider, PSO, or other disclosing entity               elements of dates (except year) that are              protections attach.
                                            or person to assign a code or other                     directly related to a patient safety                    Comment: One commenter asked to
                                            means of record identification to allow                 incident or event, and any other unique               whom must patient safety work product
                                            information made nonidentifiable to be                  identifying number, characteristic, or                be made nonidentifiable and if
                                            re-identified by the disclosing person,                 code (except as permitted for                         information is adequately
                                            provided certain conditions were met.                   reidentification). We were not                        nonidentifiable despite the ability of a
                                               The proposal specifically invited                    persuaded by commenters that changes                  provider or patient involved in the
                                            comment on the proposed standards                       to the standard were necessary,                       event to recognize their case.
                                            and approaches and asked whether it                     especially given the lack of consensus                  Response: Under § 3.212(a)(1), patient
                                            would be possible to include any                        among commenters as to whether the                    safety work product is rendered
                                            geographical identifiers, and if so, at                 standard was too stringent or not                     nonidentifiable if a determination is
                                            what level of detail (state, county, zip                stringent enough. Further, commenters                 made, applying generally accepted
                                            code). We also requested comment                        did not offer suggestions as to potential             statistical and scientific principles, that
                                            regarding whether there were alternative                alternative approaches to                             the risk is very small that the
                                            approaches to standards for entities                    nonidentification. Additionally, because              information could be used, alone or in
                                            determining when health information                     this rule’s nonidentification standard                combination with other reasonably
                                            could reasonably be considered                          with respect to providers and reporters               available information, by an anticipated
                                            nonidentifiable.                                        is adapted from the HIPAA Privacy                     recipient to identify a provider or
                                               Overview of Public Comments: We                      Rule’s de-identification standard and                 reporter. Similarly, under § 3.212(a)(2),
                                            received a variety of comments                          with respect to individuals, incorporates             patient safety work product is rendered
                                            addressing the nonidentification                        the HIPAA Privacy Rule’s de-                          nonidentifiable if the listed identifiers
                                            standard. One commenter supported the                   identification standard, this approach                are stripped and the provider, PSO or
                                            proposed methodologies for                              minimizes complexity and burden for                   responsible person making the
                                            nonidentification, while several                        entities that are subject to both                     disclosure does not have actual
                                            commenters expressed concern that the                   regulatory schemes.                                   knowledge that the information could
                                            nonidentification standard was too strict                                                                     be used, alone or in combination with
                                            and rendered patient safety work                        Response to Other Public Comments                     other information that is reasonably
                                            product useless to its recipients. One                     Comment: One commenter expressed                   available to the intended recipient, to
                                            commenter was concerned that                            concern over the possibility that                     identify the particular provider or
                                            imposing an inflexible, stringent                       provider identities could be derived                  reporter. So long as the remaining
                                            nonidentification standard would                        from nonidentifiable patient safety work              information meets either of these two
                                            impede the future disclosures of                        product and asked that the final rule                 standards, such information is
                                            aggregated patient safety information                   require a party disclosing identifiable               considered nonidentifiable for purposes
                                            that the commenter currently makes.                     information to produce evidence, if                   of this rule, despite the hypothetical
                                            Some of these commenters proposed                       challenged, of how the information was                ability of a provider or patient involved
                                            alternatives to the proposed                            obtained if not via nonidentifiable                   in the event to recognize their case.
                                            nonidentification standard, such as                     patient safety work product. Another                    Comment: One commenter asked for
                                            considering information nonidentified                   commenter suggested that the final rule               clarification that nonidentification can
                                            even if it contains dates of treatment                  include a provision that prohibits the                be accomplished through either the
                                            and geographic identifiers as long as                   use or disclosure of any individually                 statistical method or through the safe
                                            data of a certain threshold number of                   identifiable information that was                     harbor method but that entities are not
                                            providers was aggregated or eliminating                 obtained via the use of nonidentifiable               required to nonidentify patient safety
                                            the nonidentification standard entirely                 patient safety work product. Finally,                 work product subject to both methods.
                                            and applying a less stringent                           another commenter suggested that keys                   Response: We clarify that either
                                            anonymization standard. In contrast,                    to reidentification of nonidentifiable                method may be used to render
                                            several other commenters expressed                      patient safety work product be protected              information nonidentifiable for
                                            concern that the nonidentification                      from discovery and should be protected                purposes of this rule.
                                            standard was too flexible, was                          as patient safety work product to
                                            inadequate to truly nonidentify                         prevent reidentification by unintended                D. Subpart D—Enforcement Program
                                            information and protect provider                        parties.                                                 Subpart D of the final rule establishes
                                            identities, and could be too easily                        Response: We believe that the                      a framework to enable the Secretary to
dwashington3 on PRODPC61 with RULES3

                                            reverse engineered.                                     nonidentification standard in the final               monitor and ensure compliance with
                                               Final Rule: The final rule adopts this               rule, which is based upon the existing                this Part, a process for imposing a civil
                                            proposed provision with only a minor                    HIPAA Privacy Rule’s de-identification                money penalty for breach of the
                                            technical change to incorporate by                      standard, is appropriate and sufficient               confidentiality provisions, and
                                            reference the direct identifiers listed at              to protect the identities of providers.               procedures for a hearing contesting a
                                            § 3.206(b)(4)(iv)(A) of the                             With respect to protection of                         civil money penalty. The provisions in

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00058   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                         70789

                                            Subpart D are modeled largely on the                    complaint with the Secretary and                      well as more generally through
                                            HIPAA Enforcement Rule at 45 CFR Part                   provisions for the Secretary to                       published guidance that addresses
                                            160, Subparts C, D and E. This will                     investigate such complaints (proposed                 common compliance or other questions
                                            maintain a common approach to                           § 3.306); (3) provisions for the Secretary            about the rule. As we noted in the
                                            enforcement and appeals of civil money                  to conduct compliance reviews                         preamble to the proposed rule, however,
                                            penalty determinations based on section                 (proposed § 3.308); (4) provisions                    the absence of technical assistance or
                                            1128A of the Social Security Act, 42                    establishing responsibilities of                      guidance by the Secretary may not be
                                            U.S.C. 1320a–7a, upon which both the                    respondents with respect to cooperating               raised as a defense to civil money
                                            HIPAA and Patient Safety Act penalties                  with the Secretary during investigations              penalty liability. We also encourage
                                            are based, as well as minimize                          or compliance reviews and providing                   persons participating in patient safety
                                            complexity for entities that are subject                access to information necessary and                   activities and subject to this rule to
                                            to both regulatory schemes. This                        pertinent to the Secretary determining                develop and share with others similarly
                                            enforcement scheme also provides the                    compliance (proposed § 3.310); (5)                    situated in the industry ‘‘best practices’’
                                            Secretary maximum flexibility to                        provisions describing the Secretary’s                 for the confidentiality of patient safety
                                            address confidentiality violations so as                course of action during complaints and                work product.
                                            to encourage participation in patient                   compliance reviews, including the                        Comment: One commenter requested
                                            safety activities and achieve the goals of              circumstances under which the                         that the final rule provide additional
                                            the Patient Safety Act.                                 Secretary may attempt to resolve                      detail on the consideration that will go
                                              General Comments: Several                             compliance matters by informal means                  into the determination of whether to
                                            commenters expressed support for the                    or issue a notice of proposed                         pursue an investigation or to conduct a
                                            decision to base this rule’s enforcement                determination, as well as the                         compliance review.
                                            regime on the HIPAA Enforcement Rule                    circumstances under which the                            Response: We do not believe that
                                            and noted that the HIPAA Enforcement                    Secretary may use or disclose                         including additional detail in the final
                                            Rule was properly adapted to the                        information, including identifiable                   rule regarding when we will investigate
                                            patient safety context. However, two                    patient safety work product, obtained                 or conduct compliance reviews is
                                            commenters expressed concern that                       during an investigation or compliance                 prudent or feasible. The decision of
                                            basing the enforcement regime in this                   review (proposed § 3.312); and (6)                    whether to conduct an investigation or
                                            rule on the HIPAA Enforcement Rule                      provisions and procedures for the                     compliance review is left to the
                                            will be insufficient to adequately                      Secretary to issue subpoenas to require               discretion of the Secretary and will be
                                            address and penalize violations of the                  witness testimony and the production of               made based on the specific
                                            confidentiality provisions because of the               evidence and to conduct investigational               circumstances of each individual case.
                                            Department’s approach to enforcement                    inquiries (proposed § 3.314).                         The decision to investigate a complaint
                                            of the HIPAA Privacy Rule. One                            Overview of Public Comments: We                     is necessarily fact specific. For example,
                                            commenter argued that this might cause                  received no comments opposed to the                   some complaints may not allege facts
                                            providers to decide against reporting the               proposed provisions.                                  that fall within the Secretary’s
                                            most serious patient safety events, and                   Final Rule: The final rule adopts the               jurisdiction or that constitute a violation
                                            therefore, would undermine the purpose                  provisions of the proposed rule, except,              if true. With respect to compliance
                                            of the statute.                                         where reference was made in the                       reviews, the Secretary needs to maintain
                                              Response to General Comments: The                     proposed rule to provisions of the                    flexibility to conduct whatever reviews
                                            Department believes that modeling this                  HIPAA Enforcement Rule, the final rule                are necessary to ensure compliance.
                                            rule’s enforcement provisions on the                    includes the text of such provisions for              Compliance reviews may be initiated
                                            existing HIPAA Enforcement Rule is                      convenience of the reader.                            based on, for example, information that
                                            prudent and appropriate. As noted                                                                             comes to the Department’s attention
                                                                                                    Response to Other Public Comments
                                            above, such an approach grants the                                                                            outside of the formal complaint process,
                                            Secretary maximum flexibility to                           Comment: One commenter asked how                   or trends the Department is seeing as a
                                            address violations of the confidentiality               and when the Secretary will provide                   result of its enforcement activities. It
                                            provisions, relies on an existing and                   technical assistance to providers, PSOs,              would be premature at this time to
                                            established enforcement regime, and                     and responsible persons regarding                     indicate the specific circumstances
                                            minimizes complexity for entities                       compliance with the confidentiality                   under which such reviews may be
                                            subject to both the Patient Safety Act                  provisions.                                           conducted, given the absence of any
                                            and HIPAA.                                                 Response: The Secretary intends to                 compliance and enforcement experience
                                                                                                    provide technical assistance through a                with the rule. Further, making public
                                            1. Sections 3.304, 3.306, 3.308, 3.310,                 variety of mechanisms. First, as                      the Department’s considerations in this
                                            3.312, 3.314—Compliance and                             authorized by the Patient Safety Act, the             area may undermine the effectiveness of
                                            Investigations                                          Secretary intends, as practical, to                   such reviews. Thus, we did not propose
                                               Proposed Rule: Sections 3.304–3.314                  convene annual meetings for PSOs to                   and do not include in this final rule
                                            of the proposed rule provided the                       discuss methodology, communication,                   affirmative criteria for conducting
                                            framework by which the Secretary                        data collection, privacy concerns, or                 compliance reviews.
                                            would seek compliance by providers,                     other issues relating to their patient                   Comment: One commenter requested
                                            PSOs, and responsible persons with the                  safety systems. See section 925 of the                clarification that the Secretary may only
                                            confidentiality provisions of the rule.                 Public Health Service Act, 42 U.S.C.                  require respondents to produce records,
                                            These proposed requirements included:                   299b–25. Second, the Secretary intends                books, and accounts that are reasonably
                                            (1) Provisions for the Secretary to seek                to exercise his discretion under § 3.304              related to an investigation.
dwashington3 on PRODPC61 with RULES3

                                            cooperation from these entities in                      by, when practicable and appropriate,                    Response: Section 3.310(c) of the
                                            obtaining compliance and to provide                     providing technical assistance to                     proposed rule, which the final rule
                                            technical assistance (proposed § 3.304);                affected persons and entities both on an              adopts, provided that a respondent must
                                            (2) procedures for any person who                       individual basis when such persons or                 permit the Secretary access to the
                                            believes there has been a violation of the              entities are involved in complaint                    information that is pertinent to
                                            confidentiality provisions to file a                    investigations or compliance reviews, as              ascertaining compliance with the

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00059   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70790             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            confidentiality provisions of the rule.                  no right to appeal such penalty                       may otherwise go unnoticed, as well as
                                            Given this provision in the final rule,                  (proposed § 3.422); (9) provided that                 demonstrate the security practices that
                                            we do not see a need to provide further                  once the penalty becomes final, it will               led to the discovery of the breach and
                                            clarification.                                           be collected by the Secretary, unless                 how the breach was remedied, we agree
                                                                                                     compromised, and describes the                        with those commenters who argued that
                                            2. Sections 3.402, 3.404, 3.408, 3.414,                  methods for collection (proposed                      including such a factor may be viewed
                                            3.416, 3.418, 3.420, 3.422, 3.424,                       § 3.424); and (10) provided that the                  incorrectly as an additional and ongoing
                                            3.426—Civil Money Penalties                              Secretary will notify the public and the              reporting obligation on providers, PSOs,
                                               Proposed Rule: Sections 3.402–3.426                   appropriate State or local medical or                 and others to report every potentially
                                            of the proposed rule provided the                        professional organizations, appropriate               impermissible disclosure. This would
                                            process for the Secretary to impose a                    State agencies administering or                       unnecessarily increase administrative
                                            civil money penalty for noncompliance                    supervising the administration of State               burden both on the Department and the
                                            by a PSO, provider, or responsible                       health care programs, appropriate                     reporting persons. Additionally,
                                            person with the confidentiality                          utilization and quality control peer                  inclusion of such a factor may interfere
                                            provisions of the rule. These proposed                   review organizations, and appropriate                 with contractual relationships between
                                            provisions: (1) Described the basis for                  State or local licensing agencies or                  providers and PSOs that address how
                                            imposing a civil money penalty on a                      organizations, of a final penalty and the             parties are to deal with breaches.
                                            person who discloses identifiable                        reason it was imposed (proposed                         However, we note that even though
                                            patient safety work product in knowing                   § 3.426).                                             we are not expressly including a self-
                                            or reckless violation of the                                In addition, with respect to the factors           reporting factor in the list at § 3.408, the
                                            confidentiality provisions, as well as on                at proposed § 3.408, we specifically                  Secretary retains discretion to consider
                                            a principal, in accordance with the                      sought comment on whether the factors                 self-reports on a case-by-case basis
                                            federal common law of agency 2, based                    should be expanded to expressly                       under § 3.408(f), which permits the
                                            on the act of its agent acting within the                include a factor for persons who self-                Secretary to consider ‘‘such other
                                            scope of the agency (proposed § 3.402);                  report disclosures that may potentially               matters as justice may require’’ in
                                            (2) described how a penalty amount                       violate the confidentiality provisions                determining the amount of a civil
                                            would be determined, and provided the                    such that voluntary self-reporting would              money penalty.
                                            statutory cap of any such penalty                        be a mitigating consideration when
                                                                                                                                                           Response to Other Public Comments
                                            (proposed § 3.404); (3) provided the list                assessing a civil money penalty.
                                            of factors the Secretary may consider as                    Overview of Public Comments: We                       Comment: One commenter supported
                                            aggravating or mitigating, as                            received no comments opposed to these                 the knowing or reckless standard for
                                                                                                     proposed provisions. With respect to                  establishing the basis for imposing a
                                            appropriate, in determining the amount
                                                                                                     proposed § 3.408, commenters generally                civil money penalty for a confidentiality
                                            of a civil money penalty, including the
                                                                                                     supported the list of detailed factors,               violation but also stated that every effort
                                            nature and circumstances of the
                                                                                                     which may be aggravating or mitigating                should be made to reduce the risk of
                                            violation and the degree of culpability
                                                                                                     depending on the context, for use by the              liability and to encourage provider
                                            of the respondent (proposed § 3.408); (4)
                                                                                                     Secretary in determining the amount of                participation. Another commenter
                                            set forth the 6-year limitations period on
                                                                                                     a civil money penalty. In response to the             supported the Secretary’s ability to
                                            the Secretary initiating an action for
                                                                                                     question in the proposed rule regarding               exercise discretion in determining
                                            imposition of a civil money penalty
                                                                                                     whether the final rule should include a               whether to impose a civil money
                                            (proposed § 3.414); (5) set out the
                                                                                                     factor for persons who self-report                    penalty for a knowing or reckless
                                            Secretary’s authority to settle any issue                                                                      violation of the confidentiality
                                                                                                     disclosures that may be potential
                                            or case or to compromise any penalty                                                                           provisions but also suggested that, in
                                                                                                     violations, some commenters opposed
                                            (proposed § 3.416); (6) provided that a                                                                        cases where a PSO is compelled to
                                                                                                     such an expansion, arguing that such a
                                            civil money penalty imposed under this                                                                         disclose patient safety work product by
                                                                                                     provision could be viewed as an
                                            rule would be in addition to any other                                                                         a court and has, in good faith, attempted
                                                                                                     additional reporting obligation on
                                            penalty prescribed by law, except that a                                                                       to assert the privilege protection, the
                                                                                                     persons and entities. Several other
                                            civil money penalty may not be                                                                                 PSO automatically should be excused
                                                                                                     commenters expressed general support
                                            imposed both under this rule and the                                                                           from a civil money penalty for the
                                                                                                     for the consideration of such a
                                            HIPAA Privacy Rule for the same act                                                                            impermissible disclosure of patient
                                                                                                     mitigating factor in the determination of
                                            (proposed § 3.418); (7) required that the                                                                      safety work product to the court.
                                                                                                     any penalty, and one commenter
                                            Secretary provide a respondent with                      specifically recommended expanding                       Response: We agree that the
                                            written notice of his intent to impose a                 the list of factors to include self-                  appropriate basis for imposing a civil
                                            civil money penalty, prescribe the                       reporting.                                            money penalty is for knowing or
                                            contents of such notice, and provide the                    Final Rule: The final rule adopts the              reckless disclosures of identifiable
                                            respondent with a right to request a                     provisions of the proposed rule except,               patient safety work product in violation
                                            hearing before an ALJ to contest the                     where reference was made in the                       of the confidentiality provisions of the
                                            proposed penalty (proposed § 3.420); (8)                 proposed rule to provisions of the                    rule and that it is important the
                                            provided that if the respondent fails to                 HIPAA Enforcement Rule, the final rule                Secretary ultimately retain discretion as
                                            timely request a hearing and the matter                  includes the text of such provisions for              to whether to impose a penalty pursuant
                                            is not settled by the Secretary, the                     convenience of the reader. We do not                  to this standard. This provision is based
                                            Secretary may impose the proposed                        expand the list of factors at § 3.408 to              on section 922(f) of the Public Health
                                            penalty (or any lesser penalty) and will                 include the fact of self-reporting by a               Service Act, 42 U.S.C. 299b–22(f). We
dwashington3 on PRODPC61 with RULES3

                                            notify the respondent of any penalty                     respondent in the final rule. As we                   also agree that provider participation is
                                            imposed, and that the respondent has                     noted in the preamble to the proposed                 essential to meeting the overall goal of
                                              2 For more information and guidance about
                                                                                                     rule, while including a factor for                    the statute to improve patient safety and
                                            violations of the rule attributed to a principal based
                                                                                                     voluntary self-reporting may encourage                quality of care, and we believe that
                                            on the federal common law of agency, see the             persons to report breaches of                         strong privilege and confidentiality
                                            preamble to the proposed rule at 73 FR 8158–8159.        confidentiality, particularly those that              protections for patient safety work

                                       VerDate Aug<31>2005    15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00060   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                        70791

                                            product are fundamental to ensuring                     disclosures to, for example, the media or             $10,000 amount is a maximum penalty
                                            this participation. As we explained in                  to the public, would result in civil                  and the Secretary has discretion to
                                            the preamble to the proposed rule, a                    money penalties.                                      impose penalties that are less than that
                                            civil money penalty under § 3.402 may                      Response: Section 3.402(a) of the final            amount or can elect not to impose a
                                            only be imposed if the Secretary first                  rule provides that persons who disclose               penalty at all for a violation, depending
                                            establishes a wrongful disclosure—that                  identifiable patient safety work product              on the circumstances. In particular,
                                            is, the information disclosed was                       in knowing or reckless violation of the               § 3.404 provides that the amount of any
                                            identifiable patient safety work product                confidentiality provisions are subject to             penalty will be determined using the
                                            and the manner of the disclosure does                   civil money penalty liability for such                factors at § 3.408, which include such
                                            not fit within any permitted exception.                 violations. This liability would include              factors as the nature and circumstances
                                            The Secretary must then determine                       disclosures to the media or public, to                of the violation, the degree of
                                            whether a person making the disclosure                  the extent the knowing or reckless                    culpability of the respondent including
                                            acted ‘‘knowingly’’ or ‘‘recklessly.’’ To               standard of § 3.402(a) is met.                        whether the violation was intentional,
                                            do so, the Secretary must prove either                     Comment: We received two comments                  as well as the financial condition and
                                            that: (1) The person making the                         stating that the maximum penalty of                   size of the respondent.
                                            disclosure knew a disclosure was being                  $10,000 for a single violation is                        Comment: Several commenters asked
                                            made (not that the person knew he or                    insufficient to serve as a deterrent                  for clarification regarding the
                                            she was disclosing identifiable patient                 against impermissible disclosures. In                 Secretary’s authority to levy separate
                                            safety work product in violation of the                 contrast, one commenter expressed                     fines under the Patient Safety Act and
                                            rule or statute); or (2) the person acted               concern that the maximum penalty                      HIPAA. Many of these commenters
                                            recklessly in making the disclosure, that               would be far too severe for some small                argued that the Secretary should be able
                                            is, the person was aware, or a reasonable               providers and in cases in which the                   to impose penalties under both
                                            person in his or her situation should                   impermissible disclosure was incidental
                                                                                                                                                          authorities for the same act to maximize
                                            have been aware, that his or her conduct                or accidental.
                                                                                                                                                          the enforcement tools at his disposal
                                            created a substantial risk of disclosure                   Response: In response to those
                                                                                                    commenters who believe the penalty                    and to effectively penalize bad behavior.
                                            of information and to disregard such                                                                          In contrast, one commenter supported
                                            risk constituted a gross deviation from                 amount is not high enough, the $10,000
                                                                                                    maximum penalty for each act                          the statutory mandate that civil money
                                            reasonable conduct. For more guidance                                                                         penalties not be imposed under both the
                                            on this standard or the knowing or                      constituting a violation is prescribed by
                                                                                                    the statute and thus, cannot be                       Patient Safety Act and HIPAA for a
                                            reckless standard, see the preamble to                                                                        single violation. One commenter asked
                                            the proposed rule at 73 FR 8157–8158.                   increased by the Secretary in this rule.
                                                                                                    We expect, however, that there will be                for clarification as to how civil money
                                            Once a knowing or reckless violation                                                                          penalties may be imposed under both
                                            has been established, the Secretary still               cases where multiple related acts are at
                                                                                                    issue as discrete violations, each of                 the Patient Safety Act and HIPAA when
                                            retains discretion as to whether to                                                                           a PSO is a business associate of a
                                            impose a penalty for a violation and                    which could result in separate penalties
                                                                                                    up to $10,000. The preamble to the                    covered entity for HIPAA Privacy Rule
                                            may elect not to do so. Thus, we believe                                                                      purposes.
                                            the standard at § 3.402 of the final rule               proposed rule indicated that the Patient
                                            strikes the right balance in ensuring                   Safety Act provides that a person who                    Response: The final rule at § 3.418
                                            those who are culpable are subject to                   violates the Patient Safety Act shall be              reflects the statutory prohibition against
                                            penalties, while still encouraging                      subject to a civil money penalty of ‘‘not             the Secretary imposing civil money
                                            maximum participation by providers.                     more than $10,000’’ for each act                      penalties under both the Patient Safety
                                               For example, circumstances where a                   constituting such violation. We note                  Act and HIPAA for a single act that
                                            person who disclosed identifiable                       that pursuant to the Federal Civil                    constitutes a violation. As the preamble
                                            patient safety work product in violation                Penalties Inflation Adjustment Act of                 to the proposed rule explained,
                                            of the rule can show he or she did not                  1990, as amended by the Debt                          Congress recognized that, because
                                            know and had no reason to know that                     Collection Improvement Act of 1996,                   patient safety work product includes
                                            the information was patient safety work                 the Department will be required to                    individually identifiable health
                                            product may warrant discretion by the                   adjust this civil money penalty amount                information about patients, a HIPAA
                                            Secretary. Further, as we stated in the                 based on increases in the consumer                    covered entity making a disclosure of
                                            preamble to the proposed rule, the                      price index (CPI). The Department has                 patient safety work product could be
                                            Secretary may exercise discretion and                   up to four years to update the civil                  liable for a violation under both the
                                            not pursue a civil money penalty against                money penalty amount, and the                         Patient Safety Act and HIPAA, and
                                            a respondent ordered by a court to                      adjustment will be based on the percent               made such penalties mutually
                                            produce patient safety work product                     increase in the CPI from the time the                 exclusive. Thus, in situations in which
                                            where the respondent has in good faith                  Patient Safety Act was enacted, in                    a single violation could qualify as both
                                            undertaken reasonable steps to avoid                    accordance with the cost-of-living                    a violation of the Patient Safety Act and
                                            production and is, nevertheless,                        adjustment set forth at the Federal Civil             HIPAA, the Secretary has discretion to
                                            compelled to produce the information                    Penalties Inflation Adjustment Act of                 impose a civil money penalty under
                                            or be held in contempt of court. We do                  1990 § 5, at 28 U.S.C. 2461 note.                     either regulatory scheme, not both.
                                            not, however, agree that an automatic                   However, the first adjustment may not                 However, as we explained in the
                                            exception from liability for respondents                exceed ten percent of the penalty. Thus,              proposed rule, we interpreted the
                                            in such circumstances is appropriate or                 pursuant to this statute, the $10,000                 Patient Safety Act as only prohibiting
                                            necessary. The Secretary will examine                   maximum penalty will be adjusted                      the imposition of a civil money penalty
dwashington3 on PRODPC61 with RULES3

                                            each situation based on the individual                  upwards periodically to account for                   under the Patient Safety Act when there
                                            circumstances and make an appropriate                   inflation.                                            has been a civil, as opposed to criminal,
                                            determination about whether to impose                      With respect to those commenters                   penalty imposed under HIPAA for the
                                            a civil money penalty.                                  who were concerned that the $10,000                   same act. Therefore, a person could
                                               Comment: One commenter asked that                    penalty may be too severe in certain                  have a civil money penalty imposed
                                            the final rule state that inappropriate                 circumstances, we emphasize that the                  under the Patient Safety Act as well as

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00061   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70792            Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            a criminal penalty under HIPAA for the                  substituted the term ‘‘identifiable                   modified by the technical changes
                                            same act.                                               patient safety work product’’ for                     described above to adapt the provisions
                                              With respect to the commenter who                     ‘‘individually identifiable health                    to the Patient Safety Act confidentiality
                                            requested clarification about penalties                 information’’; (4) proposed § 3.504(h)                provisions. The final rule includes the
                                            relating to a PSO that is a business                    excluded the language in 45 CFR                       full text of such provisions for
                                            associate of a HIPAA covered entity, we                 160.518(a) relating to the provision of a             convenience of the reader.
                                            note that it is possible for a civil money              statistical expert’s report not less than                Also, we incorporate one additional
                                            penalty to be imposed under both the                    30 days before a scheduled hearing                    technical change to better adapt the
                                            Patient Safety Act and HIPAA, where                     because we did not propose language                   language to this rule’s confidentiality
                                            such penalty is imposed against                         permitting use of statistical sampling to             provisions, as well as one conforming
                                            different entities. Thus, for example,                  estimate the number of violations; (5)                change. In particular, at § 3.512(b)(11),
                                            because a PSO will be a business                        proposed § 3.504(o) substituted ‘‘a                   we replace the term ‘‘privacy of’’ with
                                            associate of a covered entity under                     confidentiality provision’’ for ‘‘an                  ‘‘confidentiality of’’ in addition to
                                            HIPAA, any violation involving patient                  administrative simplification provision’’             replacing ‘‘individually identifiable
                                            safety work product that contains                       in 45 CFR 160.532; (6) proposed                       health information’’ with ‘‘identifiable
                                            protected health information by the PSO                 § 3.504(p) substituted, for language not              patient safety work product.’’ In
                                            will be a violation of the Patient Safety               relevant to the Patient Safety Act in 45              addition, at § 3.504(b), we replace the
                                            Act and not HIPAA, since the PSO is                     CFR 160.534(b)(1), new language stating               term ‘‘90 days’’ with ‘‘60 days.’’ We
                                            not a covered entity. However, if the                   that the respondent has the burden of                 proposed at § 3.420(a)(6) to include in a
                                            PSO notifies the covered entity of the                  going forward and the burden of                       notice of proposed determination a
                                            impermissible disclosure (as required by                persuasion with respect to any                        statement that a respondent must
                                            the business associate contract under                   challenge to the amount of a proposed                 request a hearing within 60 days or lose
                                            HIPAA), and the covered entity does not                 civil money penalty, including any                    its right to a hearing under § 3.504.
                                            take the appropriate steps to mitigate                  mitigating factors raised, and provided               However, we inadvertently omitted
                                            and address the consequences of the                     that good cause shown under 45 CFR                    from § 3.504 a conforming change to the
                                            impermissible disclosure of protected                   160.534(c) may be that identifiable                   language incorporated from 45 CFR
                                            health information, the covered entity                  patient safety work product has been                  160.504(b) to change the hearing request
                                            may then be liable for a penalty under                  introduced into evidence or is expected               deadline from 90 days to 60 days. Thus,
                                            HIPAA.                                                  to be introduced into evidence; (7)                   this change is necessary to align the two
                                            3. Section 3.504—Procedures for                         proposed § 3.504(s) added language to                 provisions.
                                            Hearings                                                provide that good cause for making
                                                                                                                                                          Response to Other Public Comments
                                                                                                    redactions to the record would include
                                               Proposed Rule: Proposed § 3.504                      the presence of identifiable patient                     Comment: One commenter asked that
                                            provided the procedures for an                          safety work product; and (8) proposed                 the final rule clarify the involvement of
                                            administrative hearing to contest a civil               §§ 3.504(l), (q), (r), and (u) substituted            the Departmental Appeals Board during
                                            money penalty. The proposed section                     citations to subpart D of the Patient                 the hearings and appeals processes as
                                            set forth the authority of the ALJ, the                 Safety rule, as appropriate.                          well as whether the Secretary has
                                            rights and burdens of proof of the                         We also explained in the proposed                  authority to review ALJ decisions.
                                            parties, requirements for the exchange                  rule that we intended to maintain the                    Response: Sections 3.504–3.552 of the
                                            of information and pre-hearing, hearing,                alignment between these provisions and                final rule incorporate the provisions of
                                            and post-hearing processes. This section                the HIPAA Enforcement Rule by                         the HIPAA Enforcement Rule, which lay
                                            cross-referenced the relevant provisions                incorporating any changes to the HIPAA                out the hearings and appeals process.
                                            of the HIPAA Enforcement Rule                           Enforcement Rule that would become                    The current process provides that any
                                            extensively. Specifically, §§ 3.504(b),                 final based on the Department’s Notice                party, including the Secretary, may
                                            (d), (f)–(g), (i)–(k), (m), (n), (t), (w) and           of Proposed Rulemaking entitled,                      appeal a decision of the ALJ to the
                                            (x) of the proposed rule incorporated                   ‘‘Revisions to Procedures for the                     Departmental Appeals Board, as well as
                                            unchanged the provisions of the HIPAA                   Departmental Appeals Board and Other                  file a reconsideration request with the
                                            Enforcement Rule. Sections 3.504(a), (c),               Departmental Hearings’’ (see 72 FR                    Board following any Board decision.
                                            (e), (h), (l), (o)–(s), (u) and (v) of the              73708 (December 28, 2007)). That                      Unless the ALJ decision is timely
                                            proposed rule incorporated the HIPAA                    Notice of Proposed Rulemaking                         appealed, such decision becomes final
                                            Enforcement Rule but included                           proposed to amend the HIPAA                           and binding on the parties 60 days from
                                            technical changes to adapt these                        Enforcement Rule at 45 CFR 160.508(c)                 the date of service of the ALJ’s decision.
                                            provisions to the Patient Safety Act                    and 160.548, and add a new provision                     Comment: One commenter asked that
                                            confidentiality provisions. These                       at 160.554, providing that the Secretary              the final rule provide no restrictions to
                                            technical changes addressed the                         may review all ALJ decisions that the                 full judicial review for appeals and
                                            following: (1) Proposed §§ 3.504(a) and                 Board has declined to review and all                  hearing requests.
                                            3.504 (v) excluded language from 45                     Board decisions for error in applying                    Response: Section 3.548(k) provides
                                            CFR 160.504(c) and 160.548(e),                          statutes, regulations, or interpretive                respondents the right to petition for
                                            respectively, relating to an affirmative                policy. As of the publication date of this            judicial review of the final decision of
                                            defense under 45 CFR 160.410(b)(1),                     final rule, however, that regulation is               the Secretary once all administrative
                                            which is a defense unique to HIPAA                      not final.                                            appeals have been exhausted, that is,
                                            and not included in the Patient Safety                     Overview of Public Comments: We                    once the Departmental Appeals Board
                                            Act; (2) proposed § 3.504(c) excluded                   received no comments opposed to these                 has rendered a decision on appeal or
dwashington3 on PRODPC61 with RULES3

                                            the provision at 45 CFR 160.508(c)(5) for               provisions.                                           reconsideration that has become the
                                            remedied violations based on reasonable                    Final Rule: The final rule adopts the              final decision of the Secretary, as
                                            cause to be insulated from liability for                proposed provisions, except renumbers                 appropriate.
                                            a civil money penalty because there is                  them into individual sections and                        Comment: One commenter suggested
                                            no such requirement under the Patient                   republishes the referenced provisions of              that any time patient safety work
                                            Safety Act; (3) proposed § 3.504(e)                     the HIPAA Enforcement Rule, as                        product could be disclosed in an ALJ

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00062   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                                  Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                                   70793

                                            proceeding, the proceeding should be                                    environmental, public health and safety                identifying the underlying causes of,
                                            closed to the public.                                                   effects, distributive impacts, and                     and the best strategies for reducing or
                                              Response: The final rule at § 3.534(c)                                equity). A regulatory impact analysis                  eliminating, medical errors. The
                                            expressly provides that the ALJ may                                     (RIA) must be prepared for major rules                 proposed rule provided a foundation of
                                            close a proceeding to the public for good                               with economically significant effects                  confidentiality and privilege protections
                                            cause shown, which may include the                                      ($100 million or more in any 1 year).                  for information developed and
                                            potential for patient safety work product                               Although we cannot determine the                       exchanged when health care providers
                                            to be introduced as evidence in the                                     specific economic impact of this final                 voluntarily choose to work with a PSO.
                                            proceeding. We do not see a need to                                     rule, we believe that the economic                     We proposed that health care providers
                                            require that proceedings be closed                                      impact may approach $100 million.                      could receive the confidentiality and
                                            under such circumstances but rather                                     HHS has determined that the rule is                    privilege protections of the statute by
                                            will continue to rely on the experienced                                ‘‘significant’’ because it raises novel                reporting information to a PSO
                                            discretion of the ALJ in determining                                    legal and policy issues with the                       occasionally, without entering contracts
                                            such matters.                                                           establishment of a new regulatory                      or incurring significant costs. Other
                                            IV. Impact Statement and Other                                          framework, authorized by the Patient                   health care providers could develop
                                            Required Analyses                                                       Safety Act, and imposes requirements,                  more costly internal systems that would
                                                                                                                    albeit voluntary, on entities that had not             serve as the hub of the provider’s
                                            Regulatory Impact Analysis                                              been subject to regulation in this area.               interactions with a PSO with which the
                                               AHRQ has previously analyzed the                                        In preparing the regulatory impact                  provider had a contractual relationship;
                                            potential economic impact of this rule                                  analysis for inclusion in the proposed                 such structured, documented internal
                                            as part of its February 2008 Notice of                                  rule, AHRQ did not develop an                          systems with dedicated personnel
                                            Proposed Rulemaking (proposed rule) as                                  alternative to the statutorily authorized              would be more costly. To create an
                                            required by Executive Order 12866                                       voluntary framework. In light of the                   ‘‘upper bound’’ on the analyses in the
                                            (September 1993, Regulatory Planning                                    approach taken in the proposed rule,                   proposed rule, we assumed that all
                                            and Review), the Regulatory Flexibility                                 alternatives would have been mandatory                 providers that would choose to work
                                            Act (RFA) (September 16, 1980, Pub. L.                                  or more proscriptive as well as                        with PSOs would follow this more
                                            96–354), section 1102(b) of the Social                                  inconsistent with statutory intent. The                costly approach. It should be noted that
                                            Security Act, the Unfunded Mandates                                     proposed rule established a system in                  most hospital providers already have
                                            Reform Act of 1995 (Pub. L. 104–4), and                                 which entities would voluntarily seek                  patient safety reporting activities in
                                            Executive Order 13132. This analysis                                    designation (or ‘‘listing’’) by the                    place (98% according to a 2006 AHRQ
                                            can be found on pages 8164 to 8171 of                                   Secretary as a Patient Safety                          survey). While documenting these
                                            the proposed rule, which was published                                  Organization (PSO), most PSO                           activities and, it is hoped, expanding
                                            in the Federal Register on February 12,                                 requirements would be met by                           them through participation with a PSO
                                            2008.                                                                   attestation and overall compliance                     will result in increased costs, that
                                               Executive Order 12866 (as amended                                    assessed by spot-checks rather than                    increase will be marginal, not complete,
                                            by Executive Order 13258, February                                      document submission or routine audits,                 in the hospital community.
                                            2002, and Executive Order 13422,                                        and the Department would look to the                      A summary of the AHRQ analysis of
                                            January 2007), directs agencies to assess                               marketplace to assess the quality and                  costs and benefits of Patient Safety Act
                                            all costs and benefits of available                                     value of each PSO. PSOs will not be                    costs and benefits from the proposed
                                            regulatory alternatives and, if regulation                              Federally funded nor directed; their                   rule follows below. For a full discussion
                                            is necessary, to select regulatory                                      funding and activities will be                         of the assumptions underlying these
                                            approaches that maximize net benefits                                   determined by health care providers                    estimates, please refer to the proposed
                                            (including potential economic,                                          who seek their expert assistance in                    rule.

                                                         TABLE 3—TOTAL PATIENT SAFETY ACT COSTS INCLUDING HOSPITAL COSTS AND PSO COSTS: 2009–2013

                                                                                                                                        2009                  2010           2011            2012          2013

                                            Hospital Penetration Rate ....................................................                   10%                  40%             60%            75%           85%
                                            Hospital Cost ........................................................................         $7.5 M              $30.0 M         $45.0 M        $56.2 M       $63.7 M
                                            PSO Cost .............................................................................        $61.4 M              $92.1 M        $122.8 M       $122.8 M      $122.8 M

                                                  Total cost ......................................................................       $68.9 M             $122.1 M        $167.8 M       $179.0 M      $186.5 M
                                               Source: Notice of Proposed Rulemaking published in the Federal Register on February 12, 2008: 73 FR 8112–8183.

                                              Costs for PSO implementation were                                     U.S. hospitals already have adverse                    dedicated staff of 1.5 to 4 FTEs,
                                            calculated by considering two                                           event reporting systems, and virtually                 assuming an average salary rate of $67/
                                            components: Costs incurred by hospitals                                 all hospitals have a safety/quality                    hour. We also estimated that a
                                            in engaging in PSO activities and costs                                 function. We assumed that PSOs would                   significant overhead figure of 100%,
                                            of PSOs themselves. It was assumed that                                 be staffed modestly, relying on existing               coupled with 20% for General and
dwashington3 on PRODPC61 with RULES3

                                            in early years of PSO operation, the                                    hospital activities in reporting adverse               Administrative (G&A) expenses, will
                                            hospital would be the primary site of                                   events, and that a significant proportion              cover the appreciable costs anticipated
                                            PSO-related activity. Hospital costs                                    of PSOs are likely to be component                     for legal, security, travel, and
                                            were assumed to be incremental, given                                   PSOs, with support and expertise                       miscellaneous PSO expenses.
                                            that a previously-completed survey                                      provided by a parent organization. Our
                                            funded by AHRQ revealed that 98% of                                     assumptions were that PSOs will hire

                                       VerDate Aug<31>2005        15:22 Nov 20, 2008        Jkt 217001      PO 00000       Frm 00063   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70794                  Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            Provider—PSO Costs and Charges                                           hospitals and other health care                         and charges are between providers and
                                                                                                                     providers to PSOs, PSO revenues, or                     PSOs, they will cancel each other out,
                                              We have not figured into our                                           PSO break-even analyses. We have not                    as expenses to providers will become
                                            calculations any estimates for the price                                 speculated about subsidies or business                  revenue to PSOs.
                                            of PSO services, amounts paid by                                         models. Regardless of what the costs
                                                          TABLE 4—TOTAL ESTIMATED COST SAVINGS BY PERCENT REDUCTION IN ADVERSE EVENTS: 2009–2013 *

                                                                                                                                         2009                  2010           2011             2012          2013

                                            Hospital Penetration Rate ....................................................                    10%                  40%             60%              75%           85%
                                            Percent Reduction in Adverse Events .................................                               1%                 1.5%             2%              2.5%           3%
                                            Savings ................................................................................       $11.5 M                $69 M          $138 M       $215.625 M     $293.25 M
                                              * Source: Baseline figures from IOM Report, To Err Is Human, on total national health care costs associated with preventable adverse events
                                            (between 8.5 billion and 14.5 billion). Year 1 estimates are based on mid-point figures.

                                                                                                                      TABLE 5—NET BENEFITS: 2009–2013

                                                                                                                                         2009                  2010           2011             2012          2013

                                            Total Benefits .......................................................................         $11.5   M              $69    M       $138    M    $215.625   M   $293.25   M
                                            Total Costs ...........................................................................        $68.9   M           $122.1    M     $167.8    M      $179.0   M    $186.5   M
                                            Net Benefits .........................................................................       ($57.4)   M           ($53.1)   M     ($29.8)   M     $36.625   M   $106.75   M
                                            Discounted net present value at 3% ...................................                       ($55.7)   M           ($50.0)   M     ($27.3)   M       $32.5   M     $92.1   M
                                            Discounted net present value at 7% ...................................                       ($53.6)   M           ($46.4)   M     ($24.3)   M       $27.9   M     $76.1   M

                                               The final rule includes several                                       business associates of covered entities                 the patient safety evaluation system. For
                                            modifications that could alter the actual                                must notify the covered entity if any of                providers who choose this option, the
                                            economic impact of the Patient Safety                                    its protected health information has                    information they assemble and develop
                                            Act, but AHRQ concludes that these                                       been inappropriately disclosed or its                   within their patient safety evaluation
                                            changes will not exceed the ‘‘upper                                      security breached. The final rule                       system will be accorded privilege and
                                            bound’’ established in our previous                                      requires PSOs to notify the providers                   confidentiality, contingent upon the
                                            analysis, and we anticipate that the                                     that submitted patient safety work                      information ultimately being reported to
                                            actual economic impact may be less.                                      product to the PSO if the work product                  a PSO, from the outset. To the extent
                                            Several changes incorporated in the                                      it submitted has been disclosed or its                  that this encourages providers, who
                                            final rule are likely to lower the costs of                              security breached. As we noted in the                   would not otherwise have done so, to
                                            implementation. For example, the final                                   proposed rule, the vast majority of                     establish a structured, documented
                                            rule has removed a requirement that                                      providers reporting data will be covered                patient safety evaluation system, there
                                            PSOs that are components of other                                        entities under HIPAA and will need to                   would be an increase in costs. As noted
                                            existing organizations must maintain                                     include such notification requirements                  above, this should not significantly
                                            separate information systems and, for all                                in the business associate agreements                    affect our previous analysis since we
                                            but a small category of component                                        they will enter with PSOs. In addition,                 assumed all providers working with a
                                            PSOs, we have removed restrictions on                                    the HIPAA requirement is likely to                      PSO would have established a
                                            the use of shared staff. As we noted in                                  apply in many disclosure or security                    documented patient safety evaluation
                                            our economic analysis, we expect the                                     breach situations because most work                     system.
                                            most common type of PSO to be ones                                       product is expected to contain protected                   Taking advantage of this option will
                                            that are established by one or more                                      health information. Nevertheless, this                  also enable health care providers with
                                            existing organizations. As commenters                                    requirement may increase costs to the                   integrated health information
                                            pointed out, personnel costs are likely                                  extent that PSOs receive work product                   technology systems to avoid the
                                            to be the most significant cost facing a                                 from non-covered entities, although                     requirement in the proposed rule that
                                            PSO, and the ability to share personnel                                  these potential increased costs will be                 they maintain the assembly and
                                            means that skilled personnel are                                         dependent upon the vigilance with                       development of patient safety work
                                            available at significantly less cost, and                                which the providers and PSOs meet                       product separately from their routine
                                            in some cases at no cost, than the PSO                                   their confidentiality and security                      data collection activities, which would
                                            would pay to hire or externally contract                                 requirements.                                           have required a number of providers to
                                            for personnel. Similarly, the costs and                                     With respect to health care providers,               establish dual information systems.
                                            administrative burdens associated with                                   the final rule does not impose                          While we expect that the costs of
                                            the development and maintenance were                                     requirements. The final rule does afford                developing dual information collection
                                            a major focus of commenters. These two                                   increased flexibility and protections to                systems would exceed the costs of
dwashington3 on PRODPC61 with RULES3

                                            changes are likely to have the greatest                                  providers that voluntarily choose to                    developing and maintaining a
                                            impact on reducing costs for PSOs.                                       both establish and document a more                      structured, documented patient safety
                                               There are two changes in the final                                    structured process for working with a                   evaluation system, we do not estimate
                                            rule that might increase costs slightly                                  PSO, i.e., what the rule terms a patient                any savings because we cannot be clear
                                            but selectively. The final rule parallels                                safety evaluation system, and document                  how many providers would have
                                            a HIPAA Privacy Rule requirement that                                    the flow of information into and out of                 incurred the dual health information

                                       VerDate Aug<31>2005        15:22 Nov 20, 2008         Jkt 217001      PO 00000       Frm 00064   Fmt 4701   Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                                             Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations                                             70795

                                            technology systems costs or would have                      TABLE 1—TOTAL BURDEN HOURS                              final regulation under § 3.108 are also
                                            simply chosen to forego participation.                     RELATED TO CERTIFICATION FORMS                           exempt from PRA requirements
                                              After considering the impact of the                     [Summary of all burden hours, by provision,
                                                                                                                                                                pursuant to an exception in 5 CFR
                                            increased flexibility in the final rule for                               for PSOs]                                 1320.4 for information gathered as part
                                            PSOs and health care providers, we now                                                                              of administrative investigations and
                                            expect the implementation costs will be                                                             Annualized      actions regarding specific parties:
                                            lower than those in our previous                                                                   burden hours     information supplied in response to
                                            analysis.                                                                                                           preliminary agency determinations of
                                                                                                    3.112 ................................   30 minutes.        PSO deficiencies or in response to
                                            Final Regulatory Flexibility Analysis                                                                               proposed revocation and delisting, e.g.,
                                                                                                       Under 5 CFR 1320.3(c), a covered                         information providing the agency with
                                              Since formation of a PSO is voluntary,                collection of information includes the
                                            formation is not likely to occur unless                                                                             correct facts, reporting corrective
                                                                                                    requirement by an agency of a                               actions taken, or appealing proposed
                                            the organization believes it is an                      disclosure of information to third
                                            economically viable endeavor.                                                                                       agency revocation decisions.
                                                                                                    parties by means of identical reporting,                       AHRQ and OCR published in the
                                            Furthermore, PSOs are not likely to                     recordkeeping, or disclosure
                                            undertake tasks that will provide                                                                                   Federal Register their proposed
                                                                                                    requirements, imposed on ten or more                        information collection forms on
                                            insufficient payment to cover their                     persons. The final rule reflects the
                                            costs. Therefore, the Secretary certifies                                                                           February 20, 2008. Following the first,
                                                                                                    previously established reporting                            60-day comment period, the forms were
                                            that the regulation will not impose a                   requirements for breach of
                                            significant economic burden on a                                                                                    again published in the Federal Register
                                                                                                    confidentiality applicable to business                      on April 21, 2008, to begin the second,
                                            substantial number of small entities.                   associates under HIPAA regulations                          30-day comment period. The forms were
                                            Unfunded Mandates Reform Act                            requiring contracts to contain a                            not changed following the first comment
                                                                                                    provision requiring the business                            period, and they and the one comment
                                              Section 202 of the Unfunded                           associate (in this case, the PSO) to notify
                                            Mandates Reform Act requires that a                                                                                 received were sent to OMB, which
                                                                                                    providers of breaches of their                              received them on April 25, 2008. Minor
                                            covered agency prepare a budgetary                      identifiable patient data’s
                                            impact statement before promulgating a                                                                              changes to the proposed forms will be
                                                                                                    confidentiality or security. Accordingly,                   necessary to align them with the final
                                            rule that includes any Federal mandate                  this reporting requirement referenced in                    rule. AHRQ and OCR will work with
                                            that may result in the expenditure by                   the regulation previously met                               OMB to ensure that the forms needed to
                                            State, local, and Tribal governments, in                Paperwork Reduction Act review                              implement the Patient Safety Act
                                            the aggregate, or by the private sector, of             requirements.                                               conform to the requirements of the final
                                            $100 million or more in any one year.                      The final rule requires in § 3.108(c)                    rule.
                                            The Department has determined that                      that a PSO notify the Secretary if it
                                            this final rule will not impose a                       intends to relinquish voluntarily its                       Federalism
                                            mandate that will result in the                         status as a PSO. The entity is required                        Executive Order 13132 establishes
                                            expenditure by State, Local, and Tribal                 to notify the Secretary that it has, or will                certain requirements that an agency
                                            governments, in the aggregate, or by the                soon, alert providers and other                             must meet when it promulgates a final
                                            private sector, of more than $100                       organizations from which it has                             rule that imposes substantial direct
                                            million in any one year.                                received patient safety work product or                     requirement costs on state and local
                                            Paperwork Reduction Act                                 data of its intention and provide for the                   governments, preempts State law, or
                                                                                                    appropriate disposition of the data in                      otherwise has Federalism implications.
                                               This final rule adding a new Part 3 to               consultation with each source of patient                    The Patient Safety Act upon which the
                                            volume 42 of the Code of Federal                        safety work product or data held by the                     final regulation is based makes patient
                                            Regulations contains information                        entity. In addition, the entity is asked to                 safety work product confidential and
                                            collection requirements. This summary                   provide the Secretary with current                          privileged. To the extent this is
                                            includes the estimated costs and                        contact information for further                             inconsistent with any state law,
                                            assumptions for the paperwork                           communication from the Secretary as                         including court decisions, the Federal
                                            requirements related to the final rule.                 the entity ceases operations. The                           statute preempts such state law or court
                                               With respect to § 3.102 concerning the               reporting aspect of this requirement is                     order. The final rule will not have any
                                            submission of certifications for initial                essentially an attestation that is                          greater preemptive effect on state or
                                            and continued listing as a PSO, and of                  equivalent to the requirements for                          local governments than that imposed by
                                            updated information, all such                           listing, continued listing, and meeting                     the statute. While the Patient Safety Act
                                            information would be submitted on the                   the minimum contracts requirement.                          does establish new Federal
                                            ‘‘Patient Safety Organization:                          This minimal data requirement would                         confidentiality and privilege protections
                                            Certification for Initial Listing’’ form. To            come within 5 CFR 1320.3(h)(1) which                        for certain information, these
                                            maintain its listing, a PSO must also                   provides an exception from PRA                              protections only apply when health care
                                            submit a brief attestation, once every 24-              requirements for affirmations,                              providers work with PSOs and new
                                            month period after its initial date of                  certifications, or acknowledgments as                       processes, such as patient safety
                                            listing, submitted on the ‘‘Attestation                 long as they entail no burden other than                    evaluation systems, that do not
                                            Regarding the Two Bona Fide Contracts                   that necessary to identify the                              currently exist. These Federal data
                                            Requirement’’ form, stating that it has                 respondent, the date, the respondent’s                      protections provide a mechanism for
                                            entered contracts with two providers.                   address, and the nature of the                              protection of sensitive information that
dwashington3 on PRODPC61 with RULES3

                                            We estimate that the final rule will                    instrument. In this case, the nature of                     could improve the quality, safety, and
                                            create an average burden of 30 minutes                  the instrument is an attestation that the                   outcomes of health care by fostering a
                                            annually for each entity that seeks to                  PSO is working with its providers for                       non-threatening environment in which
                                            become a PSO to complete the necessary                  the orderly cessation of activities. The                    information about adverse medical
                                            certification forms. Table 1 summarizes                 following other collections of                              events and near misses can be
                                            burden hours.                                           information that are required by the                        discussed. It is hoped that confidential

                                       VerDate Aug<31>2005   15:22 Nov 20, 2008   Jkt 217001   PO 00000   Frm 00065       Fmt 4701     Sfmt 4700   E:\FR\FM\21NOR3.SGM   21NOR3
                                            70796                  Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / Rules and Regulations

                                            analysis of patient safety events will                                    of public or private sector regulatory                             Report, To Err Is Human. The range of
                                            reduce the occurrence of adverse                                          entities to seek listing as a PSO. AHRQ                            costs is the same as was included in the
                                            medical events and, thereby, reduce the                                   received no expressions of concerns                                NPRM, where minimum and maximum
                                            costs arising from such events,                                           regarding the Federalism aspects of the                            estimates were calculated as 10% above
                                            including costs incurred by state and                                     proposed rule although several State                               and 10% below the Agency’s primary
                                            local governments attributable to such                                    health departments and commissions                                 estimate of costs.
                                            events. In addition, the Patient Safety                                   submitted written comments regarding                                  All figures are calculated at two
                                            Act and the final rule do not relieve                                     the PSO eligibility criteria in the                                discount rates, 7% and 3%, and dollars
                                            health care providers of their                                            proposed rule.
                                                                                                                                                                                         are held constant at the 2008 level. The
                                            responsibilities to comply with state
                                            reporting requirements.                                                   OMB Accounting Statement                                           discount rates, 3% or 7%, represent two
                                              AHRQ, in conjunction with OCR, held                                        The table below summarizes the                                  rates of return that might be expected
                                            three public listening sessions prior to                                  estimated costs and benefits of                                    from government investments. The
                                            drafting the proposed rule.                                               implementing the Patient Safety and                                purpose is to project the expected future
                                            Representatives of several states                                         Quality Improvement Act for the next                               costs and benefits in today’s dollars.
                                            participated in these sessions. In                                        five years, beginning with January 1,                              (Future dollars will be worth less than
                                            particular, states that had begun to                                      2009, by which time it is expected that                            today’s dollars, barring appropriate
                                            collect and analyze patient safety event                                  the rule will be effective.                                        investments.) Figures are annualized,
                                            information spoke about their related                                        The figures in the table are derived                            that is average-per-year over the five
                                            experiences and plans. Following                                          from the regulatory impact analyses                                years. The discount rates, 3% or 7%,
                                            publication of the proposed rule, AHRQ                                    outlined above and, more completely, in                            represent two rates of return that might
                                            consulted with state officials and                                        the February 12, 2008 NPRM published                               be expected from government
                                            organizations to review the scope of the                                  in the Federal Register, on pages 8164                             investments. The purpose is to project
                                            proposed rule and to specifically seek                                    to 8171. As in the previous analyses, the                          the expected future costs and benefits in
                                            input on federalism issues and a                                          range of benefits derives directly from                            today’s dollars. (Future dollars will be
                                            proposal in the rule at proposed                                          the range of potentially-avoidable                                 worth less than today’s dollars, barring
                                            § 3.102(a)(2) that would limit the ability                                incidents cited (estimated) in IOM                                 appropriate investments.)

                                            OMB #:                                                                                                                Agency/Program Office: AHRQ

                                            Rule Title: Patient Safety and Quality Improvement Act

                                            RIN #:                                                                                                                Date: 8/25/2008

                                                                                          CATEGORY                                                                    Primary          Minimum               Maximum        Source citation
                                                                                                                                                                     estimate          estimate              estimate      (RIA, preamble,
                                                                                                                                                                     (millions)        (millions)            (millions)          etc.)

                                            BENEFITS ....................................................................................................                   $145.5          $107.5                $183.4   AHRQ Analysis.

                                            Annualized discounted (5 years):
                                               @ 7% .....................................................................................................                    111.5             82.4                140.5
                                               @ 3% .....................................................................................................                    129.4             95.7                163.2
                                            COSTS ..........................................................................................................                 144.9            130.4                159.3   AHRQ Analysis.
                                            Annualized discounted (5 years):
                                               @ 7% .....................................................................................................                    115.5            104.0                127.1
                                               @ 3% .....................................................................................................                    131.1            118.0                144.2

                                            Transfers .......................................................................................................                                         N/A
                                            Effects on small businesses .........................................................................                                                     N/A
                                            Effects on States and tribes .........................................................................                                                    N/A

                                            List of Subjects in 42 CFR Part 3                                         Federal Regulations by adding a new                                3.108 Correction of deficiencies, revocation,
                                                                                                                      part 3 to read as follows:                                             and voluntary relinquishment.
                                              Administrative practice and                                                                                                                3.110 Assessment of PSO compliance.
                                            procedure, Civil money penalty,                                                                                                              3.112 Submissions and forms.
                                                                                                                      PART 3—PATIENT SAFETY
                                            Confidentiality, Conflict of interests,
                                                                                                                      ORGANIZATIONS AND PATIENT                                          Subpart C—Confidentiality and Privilege
                                            Courts, Freedom of information, Health,                                                                                                      Protections of Patient Safety Work Product
                                                                                                                      SAFETY WORK PRODUCT
                                            Health care, Health facilities, Health
                                                                                                                                                                                         3.204 Privilege of patient safety work
                                            insurance, Health professions, Health                                     Subpart A—General Provisions                                           product.
                                            records, Hospitals, Investigations, Law                                                                                                      3.206 Confidentiality of patient safety work
                                            enforcement, Medical research,                                                                                                                   product.
                                                                                                                      3.10      Purpose.
                                            Organization and functions, Patient,                                                                                                         3.208 Continued protection of patient safety
                                                                                                                      3.20      Definitions.
                                            Patient safety, Privacy, Privilege, Public                                                                                                       work product.
dwashington3 on PRODPC61 with RULES3

                                            health, Reporting and recordkeeping                                       Subpart B—PSO Requirements and Agency                              3.210 Required disclosure of patient safety
                                            requirements, Safety, State and local                                     Procedures                                                             work product to the Secretary.
                                            governments, Technical assistance.                                                                                                           3.212 Nonidentification of patient safety
                                                                                                                      3.102 Process and requirements for initial
                                                                                                                                                                                             work product.
                                            ■ For the reasons s