Patient Safety and Quality Improvement: Proposed Rule

[Federal Register: February 12, 2008 (Volume 73, Number 29)]
[Proposed Rules]
[Page 8111-8183]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr12fe08-8]

[[Page 8111]]

-----------------------------------------------------------------------

Part II

Department of Health and Human Services

-----------------------------------------------------------------------

42 CFR Part 3

Patient Safety and Quality Improvement; Proposed Rule

[[Page 8112]]

-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

42 CFR Part 3

RIN 0919-AA01

Patient Safety and Quality Improvement

AGENCY: Agency for Healthcare Research and Quality, Office for Civil Rights, HHS.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: This document proposes regulations to implement certain aspects of the Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act). The proposed regulations establish a framework by which hospitals, doctors, and other health care providers may voluntarily report information to Patient Safety Organizations (PSOs), on a privileged and confidential basis, for analysis of patient safety events. The proposed regulations also outline the requirements that entities must meet to become PSOs and the processes for the Secretary to review and accept certifications and to list PSOs.

In addition, the proposed regulation establishes the confidentiality protections for the information that is assembled and developed by providers and PSOs, termed ``patient safety work product'' by the Patient Safety Act, and the procedures for the imposition of civil money penalties for the knowing or reckless impermissible disclosure of patient safety work product.

DATES: Comments on the proposed rule will be considered if we receive them at the appropriate address, as provided below, no later than April 14, 2008.

ADDRESSES: Interested persons are invited to submit written comments by any of the following methods:

Federal eRulemaking Portal: http://www.regulations.gov. Comments should include agency name and ``RIN 0919-AA01''.

Mail: Center for Quality Improvement and Patient Safety, Attention: Patient Safety Act NPRM Comments, AHRQ, 540 Gaither Road, Rockville, MD 20850.

Hand Delivery/Courier: Center for Quality Improvement and Patient Safety, Attention: Patient Safety Act NPRM Comments, Agency for Healthcare Research and Quality, 540 Gaither Road, Rockville, MD 20850.

Instructions: Because of staff and resource limitations, we cannot accept comments by facsimile (FAX) transmission or electronic mail. For detailed instructions on submitting comments and additional information on the rulemaking process, see the ``Public Participation'' heading of the SUPPLEMENTARY INFORMATION section of this document. Comments will be available for public inspection at the AHRQ Information Resources Center at the above-cited address between 8:30 a.m. and 5 p.m. Eastern Time on federal business days (Monday through Friday).

FOR FURTHER INFORMATION CONTACT: Susan Grinder, Agency for Healthcare Research and Quality, 540 Gaither Road, Rockville, MD 20850, (301) 427-1111 or (866) 403-3697.

SUPPLEMENTARY INFORMATION:

Public Participation

We welcome comments from the public on all issues set forth in this proposed rule to assist us in fully considering issues and developing policies. You can assist us by referencing the RIN number (RIN: 0919-0AA01) and by preceding your discussion of any particular provision with a citation to the section of the proposed rule being discussed.

A. Inspection of Public Comments

All comments (electronic, mail, and hand delivery/courier) received in a timely manner will be available for public inspection as they are received, generally beginning approximately 6 weeks after publication of this document, at the mail address provided above, Monday through Friday of each week from 8:30 a.m. to 5 p.m. To schedule an appointment to view public comments, call Susan Grinder, (301) 427-1111 or (866) 403-3697.

Comments submitted electronically will be available for viewing at the Federal eRulemaking Portal.

B. Electronic Comments

We will consider all electronic comments that include the full name, postal address, and affiliation (if applicable) of the sender and are submitted through the Federal eRulemaking Portal identified in the ADDRESSES section of this preamble. Copies of electronically submitted comments will be available for public inspection as soon as practicable at the address provided, and subject to the process described, in the preceding paragraph.

C. Mailed Comments and Hand Delivered/Couriered Comments

Mailed comments may be subject to delivery delays due to security procedures. Please allow sufficient time for mailed comments to be timely received in the event of delivery delays. Comments mailed to the address indicated for hand or courier delivery may be delayed and could be considered late.

D. Copies

To order copies of the Federal Register containing this document, send your request to: New Orders, Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date of the issue requested and enclose a check or money order payable to the Superintendent of Documents, or enclose your Visa or Master Card number and expiration date. Credit card orders can also be placed by calling the order desk at (202) 512-1800 (or toll-free at 1-866-512-1800) or by faxing to (202) 512-2250. The cost for each copy is $10. As an alternative, you may view and photocopy the Federal Register document at most libraries designated as Federal Depository Libraries and at many other public and academic libraries throughout the country that receive the Federal Register.

E. Electronic Access

This Federal Register document is available from the Federal Register online database through GPO Access, a service of the U.S. Government Printing Office. The Web site address is: http://www.gpoaccess.gov/nara/index.html. This document is available electronically at the following Web site of the Department of Health and Human Services (HHS): http://www.ahrq.gov/.

F. Response to Comments

Because of the large number of public comments we normally receive on Federal Register documents, we are not able to acknowledge or respond to them individually. We will consider all comments we receive in accordance with the methods described above and by the date specified in the DATES section of this preamble. When we proceed with a final rule, we will respond to comments in the preamble to that rule.

I. Background

A. Purpose and Basis

This proposed rule establishes the authorities, processes, and rules necessary to implement the Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act), (Pub. L. 109-41), that amended the Public Health Service Act (42 U.S.C. 299 et seq.) by inserting new sections 921 through 926, 42 U.S.C. 299b-21 through 299b-26.

Much of the impetus for this legislation can be traced to the publication of the landmark report, ``To [[Page 8113]] Err Is Human'' \1\, by the Institute of Medicine in 1999 (Report). The Report cited studies that found that at least 44,000 people and potentially as many as 98,000 people die in U.S. hospitals each year as a result of preventable medical errors.\2\ Based on these studies and others, the Report estimated that the total national costs of preventable adverse events, including lost income, lost household productivity, permanent and temporary disability, and health care costs to be between $17 billion and $29 billion, of which health care costs represent one-half.\3\ One of the main conclusions was that the majority of medical errors do not result from individual recklessness or the actions of a particular group; rather, most errors are caused by faulty systems, processes, and conditions that lead people to make mistakes or fail to prevent adverse events.\4\ Thus, the Report recommended mistakes can best be prevented by designing the health care system at all levels to improve safety--making it harder to do something wrong and easier to do something right.\5\

---------------------------------------------------------------------------

\1\ Institute of Medicine, ``To Err is Human: Building a Safer Health System'', 1999.

\2\ Id. at 31.

\3\ Id. at 42.

\4\ Id. at 49-66.

\5\ Id.

---------------------------------------------------------------------------

As compared to other high-risk industries, the health care system is behind in its attention to ensuring basic safety.\6\ The reasons for this lag are complex and varied. Providers are often reluctant to participate in quality review activities for fear of liability, professional sanctions, or injury to their reputations. Traditional state-based legal protections for such health care quality improvement activities, collectively known as peer review protections, are limited in scope: They do not exist in all States; typically they only apply to peer review in hospitals and do not cover other health care settings, and seldom enable health care systems to pool data or share experience between facilities. If peer review protected information is transmitted outside an individual hospital, the peer review privilege for that information is generally considered to be waived. This limits the potential for aggregation of a sufficient number of patient safety events to permit the identification of patterns that could suggest the underlying causes of risks and hazards that then can be used to improve patient safety.

---------------------------------------------------------------------------

\6\ Id. at 75.

---------------------------------------------------------------------------

The Report outlined a comprehensive strategy to improve patient safety by which public officials, health care providers, industry, and consumers could reduce preventable medical errors. The Report recommended that, in order to reduce medical errors appreciably in the U.S., a balance be struck between regulatory and market-based initiatives and between the roles of professionals and organizations. It recognized a need to enhance knowledge and tools to improve patient safety and break down legal and cultural barriers that impede such improvement.

Drawing upon the broad framework advanced by the Institute of Medicine, the Patient Safety Act specifically addresses a number of these long-recognized impediments to improving the quality, safety, and outcomes of health care services. For that reason, implementation of this proposed rule can be expected to accelerate the development of new, voluntary, provider-driven opportunities for improvement, increase the willingness of health care providers to participate in such efforts, and, most notably, set the stage for breakthroughs in our understanding of how best to improve patient safety.

These outcomes will be advanced, in large measure, through implementation of this proposed rule of strong Federal confidentiality and privilege protections for information that is patient safety work product under the Patient Safety Act. For the first time, there will now be a uniform set of Federal protections that will be available in all states and U.S. territories and that extend to all health care practitioners and institutional providers. These protections will enable all health care providers, including multi-facility health care systems, to share data within a protected legal environment, both within and across states, without the threat of information being used against the subject providers.

Pursuant to the Patient Safety Act, this proposed rule will also encourage the formation of new organizations with expertise in patient safety, known as patient safety organizations (PSOs), which can provide confidential, expert advice to health care providers in the analysis of patient safety events.\7\ The confidentiality and privilege protections of this statute attach to ``patient safety work product.'' This term as defined in the Patient Safety Act and this proposed rule means that patient safety information that is collected or developed by a provider and reported to a PSO, or that is developed by a PSO when conducting defined ``patient safety activities,'' or that reveals the deliberations of a provider or PSO within a patient safety evaluation system is protected. Thus, the proposed rule will enable health care providers to protect their internal deliberations and analysis of patient safety information because this type of information is patient safety work product.

---------------------------------------------------------------------------

\7\ As we use the term, patient safety event means an incident that occurred during the delivery of a health care service and that harmed, or could have resulted in harm to, a patient. A patient safety event may include an error of omission or commission, mistake, or malfunction in a patient care process; it may also involve an input to such process (such as a drug or device) or the environment in which such process occurs. Our use of the term patient safety event in place of the more limited concept of medical error to describe the work that providers and PSOs may undertake reflects the evolution in the field of patient safety. It is increasingly recognized that important insights can be derived from the study of patient care processes and their organizational context and environment in order to prevent harm to patients. We note that patient safety in the context of this term also encompasses the safety of a person who is a subject in a research study conducted by a health care provider. In addition, the flexible concept of a patient safety event is applicable in any setting in which health care is delivered: A health care facility that is mobile (e.g., ambulance), fixed and free-standing (e.g., hospital), attached to another entity (e.g., school clinic), as well as the patient's home or workplace, whether or not a health care provider is physically present.

---------------------------------------------------------------------------

The statute and the proposed rule seek to ensure that the confidentiality provisions (as defined in these proposed regulations) will be taken seriously by making breaches of the protections potentially subject to a civil money penalty of up to $10,000. The combination of strong Federal protections for patient safety work product and the potential penalties for violation of these protections should give providers the assurances they need to participate in patient safety improvement initiatives and should spur the growth of such initiatives.

Patient safety experts have long recognized that the underlying causes of risks and hazards in patient care can best be recognized through the aggregation of significant numbers of individual events; in some cases, it may require the aggregation of thousands of individual patient safety events before underlying patterns are apparent. It is hoped that this proposed rule will foster routine reporting to PSOs of data on patient safety events in sufficient numbers for valid and reliable analyses. Analysis of such large volumes of patient safety events is expected to significantly advance our understanding of the patterns and commonalities in the underlying causes of risks and hazards in the delivery of patient care. These insights should enable providers to more effectively and efficiently target their efforts to improve patient safety.

We recognize that risks and hazards can occur in a variety of environments, such as inpatient, outpatient, long-term [[Page 8114]] care, rehabilitation, research, or other health care settings. In many of these settings, patient safety analysis is a nascent enterprise that will benefit significantly from the routine, voluntary reporting and analysis of patient safety events. Accordingly, we strive in the proposed rule to avoid imposing limitations that might preclude innovative approaches to the identification of, and elimination of, risks and hazards in specific settings for the delivery of care, specific health care specialties, or in research settings. We defer to those creating PSOs and the health care providers that enter ongoing relationships with them to determine the scope of patient safety events that will be addressed.

Finally, we note that the statute is quite specific that these protections do not relieve a provider from its obligation to comply with other legal, regulatory, accreditation, licensure, or other accountability requirements that it would otherwise need to meet. The fact that information is collected, developed, or analyzed under the protections of the Patient Safety Act does not shield a provider from needing to undertake similar activities, if applicable, outside the ambit of the statute, so that the provider can meet its obligations with non-patient safety work product. The Patient Safety Act, while precluding other organizations and entities from requiring providers to provide them with patient safety work product, recognizes that the data underlying patient safety work product remains available in most instances for the providers to meet these other information requirements.

In summary, this proposed rule implements the Patient Safety Act and facilitates its goals by allowing the health care industry voluntarily to avail itself of this framework in the best manner it determines feasible. At the same time, it seeks to ensure that those who do avail themselves of this framework will be afforded the legal protections that Congress intended and that anyone who breaches those protections will be penalized commensurately with the violation.

B. Listening Sessions

We held three listening sessions for the general public (March 8, 13, and 16, 2006) which helped us better understand the thinking and plans of interested parties, including providers considering the use of PSO services and entities that anticipate establishing PSOs. As stated in the Federal Register notice 71 FR 37 (February 24, 2006) that announced the listening sessions, we do not regard the presentations or comments made at these sessions as formal comments and, therefore, they are not discussed in this document.

C. Comment Period

The comment period is sixty (60) days following the publication of the proposed rule.

II. Overview of Proposed Rule

We are proposing a new Part 3 to Title 42 of the Code of Federal Regulations to implement the Patient Safety Act. As described above, the Patient Safety Act is an attempt to address the barriers to patient safety and health care quality improvement activities in the U.S. In implementing the Patient Safety Act, this proposed rule encourages the development of provider-driven, voluntary opportunities for improving patient safety; this initiative is neither funded, nor controlled by the Federal Government.

Under the proposal, a variety of types of organizations--public, private, for-profit, and not-for-profit--can become PSOs, and offer their consultative expertise to providers regarding patient safety events and quality improvement initiatives. There will be a process for certification and listing of PSOs, which will be implemented by the Agency for Healthcare Research and Quality (AHRQ), and providers can work voluntarily with PSOs to obtain confidential, expert advice in analyzing the patient safety event and other information they collect or develop at their offices, facilities, or institutions. PSOs may also provide feedback and recommendations regarding effective strategies to improve patient safety as well as proven approaches for implementation of such strategies. In addition, to encourage providers to undertake patient safety activities, the regulation is very specific that patient safety work product is subject to confidentiality and privilege protections, and persons that breach the confidentiality provisions may be subject to a $10,000 civil money penalty, to be enforced by the Office for Civil Rights (OCR).

The provisions of this proposed rule greatly expand the potential for participation in patient safety activities. The proposal, among other things, enables providers across the health care industry to report information to a PSO and obtain the benefit of these new confidentiality and privilege protections. This proposal minimizes the barriers to entry for listing as a PSO by creating a review process that is both simple and efficient. As a result, we expect a broad range of organizations to seek listing by the Secretary as PSOs. Listing will not entitle these entities to Federal funding or subsidies, but it will enable these PSOs to offer individual and institutional providers the benefits of review and analysis of patient safety work product that is protected by strong Federal confidentiality and privilege protections.

Our proposed regulation will enable and assist data aggregation by PSOs to leverage the possibility of learning from numerous patient safety events across the health care system and to facilitate the identification and correction of systemic and other errors. For example, PSOs are required to seek contracts with multiple providers, and proposed Subpart C permits them, with certain limitations, to aggregate patient safety work product from their multiple clients and with other PSOs. In addition, the Secretary will implement other provisions of the Patient Safety Act that, independent of this proposed rule, require the Secretary to facilitate the development of a network of patient safety databases for the aggregation of nonidentifiable patient safety work product and the development of consistent definitions and common formats for collecting and reporting patient safety work product. These measures will facilitate a new level of data aggregation that patient safety experts deem essential to maximize the benefits of the Patient Safety Act.

The Patient Safety Act gives considerable attention to the relationship between it and the Standards for the Privacy of Individually Identifiable Health Information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA Privacy Rule). We caution that the opportunity for a provider to report identifiable patient safety work product to a PSO does not relieve a provider that is a HIPAA covered entity of its obligations under the HIPAA Privacy Rule. In fact, the Patient Safety Act indicates that PSOs are deemed to be business associates of providers that are HIPAA covered entities. Thus, providers who are HIPAA covered entities will need to enter into business associate agreements with PSOs in accordance with their HIPAA Privacy Rule obligations. If such a provider also chooses to enter a PSO contract, we believe that such contracts could be entered into simultaneously as an agreement for the conduct of patient safety activities. However, the Patient Safety Act does not require a provider to enter a contract with a PSO to receive the protections of the Patient Safety Act.

Proposed Subpart A, General Provisions, sets forth the purpose of the provisions and the definitions [[Page 8115]] applicable to the subparts that follow. Proposed Subpart B, PSO Requirements and Agency Procedures, sets forth the requirements for PSOs and describes how the Secretary will review, accept, revoke, and deny certifications for listing and continued listing of entities as PSOs and other required submissions. Proposed Subpart C, Confidentiality and Privilege Protections of Patient Safety Work Product, describes the provisions that relate to the confidentiality protections and permissible disclosure exceptions for patient safety work product. Proposed Subpart D, Enforcement Program, includes provisions that relate to activities for determining compliance, such as investigations of and cooperation by providers, PSOs, and others; the imposition of civil money penalties; and hearing procedures.

III. Section by Section Description of the Proposed Rule

A. Subpart A--General Provision

1. Proposed Sec. 3.10--Purpose

The purpose of this proposed Part is to implement the Patient Safety and Quality Improvement Act of 2005 (Pub. L. 109-41), which amended the Public Health Service Act (42 U.S.C. 299 et seq.) by inserting new sections 921 through 926, 42 U.S.C. 299b-21 through 299b-26.

2. Proposed Sec. 3.20--Definitions

Section 921 of the Public Health Service Act, 42 U.S.C. 299b-21, defines several terms, and our proposed rules would, for the most part, restate the law. In some instances, we propose to clarify definitions to fit within the proposed framework. We also propose some new definitions for convenience and to clarify the application and operation of this proposed rule. Moreover, we reference terms defined under the HIPAA Privacy Rule for ease of interpretation and consistency, given the overlap between the Patient Safety Act protections of patient-identifiable patient safety work product (discussed below) and the HIPAA Privacy Rule.

Proposed Sec. 3.20 would establish the basic definitions applicable to this proposed rule, as follows:

AHRQ stands for the Agency for Healthcare Research and Quality in the U.S. Department of Health and Human Services (HHS). This definition is added for convenience.

ALJ stands for an Administrative Law Judge at HHS. This definition is added for convenience in describing the process for appealing civil money penalty determinations.

Board would mean the members of the HHS Departmental Appeals Board. This definition is added for convenience in providing for appeals of civil money penalty determinations.

Bona fide contract would mean (a) a written contract between a provider and a PSO that is executed in good faith by officials authorized to execute such contract; or (b) a written agreement (such as a memorandum of understanding or equivalent recording of mutual commitments) between a Federal, State, local, or Tribal provider and a Federal, State, local, or Tribal PSO that is executed in good faith by officials authorized to execute such agreement.

In addition to the primary interpretation of an enforceable contract under applicable law as proposed under paragraph (a) of this definition, we propose to make the scope of the term broad enough to encompass agreements between health care providers and PSOs that are components of Federal, State, local or Tribal governments or government agencies. Such entities could clearly perform the same data collection and analytic functions as performed by other providers and PSOs that the Patient Safety Act seeks to foster. Thus, paragraph (b) of the definition recognizes that certain government entities may not enter a formal contract with each other, but may only make a commitment with other agencies through the mechanism of some other type of agreement.

We note that proposed Sec. 3.102(a)(2) incorporates the statutory restriction that a health insurance issuer and a component of a health insurance issuer may not become a PSO. That section also proposes to prohibit the listing of public and private entities that conduct regulatory oversight of health care providers, including accreditation and licensure.

Complainant would mean a person who files a complaint with the Secretary pursuant to proposed Sec. 3.306.

Component Organization would mean an entity that is either: (a) A unit or division of a corporate organization or of a multi-organizational enterprise; or (b) a separate organization, whether incorporated or not, that is owned, managed or controlled by one or more other organizations (i.e., its parent organization(s)). We discuss our preliminary interpretation of the terms ``owned,'' ``managed,'' or ``controlled'' in the definition of parent organization. Multi-organizational enterprise, as used here, means a common business or professional undertaking in which multiple entities participate as well as governmental agencies or Tribal entities in which there are multiple components.\8\

---------------------------------------------------------------------------

\8\ The concept of multi-organizational enterprise as used in this regulation, in case law, and in a legal reference works such as Blumberg on Corporate Groups, Sec. 6.04 (2d ed. 2007 Supplement) refers to multi-organizational undertakings with separate corporations or organizations that are integrated in a common business activity. The component entities are often, but not necessarily, characterized by interdependence and some form of common control, typically by agreement. Blumberg notes that health care providers increasingly are integrated in various forms of multi-organizational enterprises.

---------------------------------------------------------------------------

We anticipate that PSOs may be established by a wide array of health-related organizations and quality improvement enterprises, including hospitals, nursing homes and health care provider systems, health care professional societies, academic and commercial research organizations, Federal, State, local, and Tribal governmental units that are not subject to the proposed restriction on listing in proposed Sec. 3.102(a)(2), as well as joint undertakings by combinations of such organizations. One effect of defining component organization as we propose is that, pursuant to section 924 of the Patient Safety Act, 42 U.S.C. 299b-24, all applicant PSOs that fall within the scope of the definition of component organization must certify to the separation of confidential patient safety work product and staff from the rest of any organization or multi-organizational enterprise of which they (in the conduct of their work) are a part. Component organizations must also certify that their stated mission can be accomplished without conflicting with the rest of their parent organization(s).

A subsidiary corporation may, in certain circumstances, be viewed as part of a multi-organizational enterprise with its parent corporation and would be so regarded under the proposed regulation. Thus, an entity, such as a PSO that is set up as a subsidiary by a hospital chain, would be considered a component of the corporate chain and a component PSO for purposes of this proposed rule. Considering a subsidiary of a corporation to be a ``component'' of its parent organization may seem contrary to the generally understood separateness of a subsidiary in its corporate relationship with its parent.\9\ [[Page 8116]] That is, where two corporate entities are legally separate, one entity would ordinarily not be considered a component of the other entity, even when that other entity has a controlling interest or exercises some management control. However, we have preliminarily determined that viewing a subsidiary entity that seeks to be a PSO as a component of its parent organization(s) would be consistent with the objectives of the section on certifications required of component organizations in the Patient Safety Act and appears to be consistent with trends in the law discussed below. We invite comment on our interpretation.

---------------------------------------------------------------------------

\9\ Corporations are certain types of organizations that are given legal independence and rights, (e.g. the right to litigate). Subsidiary corporations are corporations in which a majority of the shares are owned by another corporation, known as a parent corporation. Thus, subsidiaries are independent corporate entities in a formal legal sense, yet, at the same time, they are controlled, to some degree, by their parent by virtue of stock ownership and control. Both corporations and subsidiaries are legal constructs designed to foster investment and commerce by limiting entrepreneurial risks and corporate liabilities. In recognition of the legitimate utility of these objectives, courts have generally respected the separateness of parent corporations and subsidiaries, (e.g., courts do not ordinarily allow the liabilities of a subsidiary to be attributed to its parent corporation, despite the fact that by definition, parent corporations have a measure of control over a subsidiary). However, courts have looked behind the separate legal identities that separate parent and subsidiary to impose liability when individuals in litigation can establish that actual responsibility rests with a parent corporation by virtue of the degree and manner in which it has exercised control over its subsidiary. Under these circumstances, courts permit ``the corporate veil to be pierced.''

---------------------------------------------------------------------------

Corporations law or ``entity law,'' which emphasizes the separateness and distinct rights and obligations of a corporation, has been supplemented by the development of ``relational law'' when necessary (e.g., to address evolving organizational arrangements such as multi-organizational enterprises). To determine rights and obligations in these circumstances, courts weigh the relationships of separate corporations that are closely related by virtue of participating in the same enterprise, (i.e., a common chain of economic activity fostering and characterized by interdependence).\10\ There has been a growing trend in various court decisions to attribute legal responsibilities based on actual behavior in organizational relationships, rather than on corporate formalities.

---------------------------------------------------------------------------

\10\ See Phillip I. Blumberg Et Al., Blumberg On Corporate Groups Sec. Sec. 6.01 and 6.02.

---------------------------------------------------------------------------

We stress that neither the statute nor the proposed regulation imposes any legal responsibilities, obligations, or liability on the organization(s) of which a component PSO is a part. The focus of the Patient Safety Act and the regulation is principally on the entity that voluntarily seeks listing by the Secretary as a PSO.

We note that two of the three certifications that the Patient   Safety Act and the proposed regulation requires component entities to   make--relating to the security and confidentiality of patient safety   work product--are essentially duplicative of attestations that are   required of all entities seeking listing or continued listing as a PSO   (certifications made under section 924(a)(1)(A) and (a)(2)(A) of the   Public Health Service Act, 42 U.S.C. 299b-24(a)(1)(A) and (a)(2)(A)   with respect to patient safety activities described in section   921(5)(E) and (F) of the Public Health Service Act, 42 U.S.C. 299b-  21(5)(E) and (F)). That is, under the Patient Safety Act, all PSOs have   to attest that they have in place policies and procedures to, and   actually do, perform patient safety activities, which include the   maintenance of procedures to preserve patient safety work product   confidentiality and the provision of appropriate security measures for   patient safety work product. The overlapping nature of these   confidentiality and security requirements on components suggests   heightened congressional concern and emphasis regarding the need to   maintain a strong ``firewall'' between a component PSO and its parent   organization, which might have the opportunity and potential to access   sensitive patient safety work product the component PSO assembles,   develops, and maintains. A similar concern arises in the context of a   PSO that is a unit of a corporate parent, a subsidiary or an entity   affiliated with other organizations in a multi-organizational   enterprise.      Requiring entities seeking listing to disclose whether they have a   parent organization or are part of a multi-organizational enterprise   does not involve ``piercing the corporate veil'' as discussed in the   footnote above. 
The Department would not be seeking this information to   hold a parent liable for actions of the PSO, but to ensure full   disclosure to the Department about the organizational relationships of   an entity seeking to be listed as a PSO. Accordingly, we propose that   an entity seeking listing as a PSO must do so as a component   organization if it has one or more parent organizations (as described   here and in the proposed definition of that term) or is part of a   multi-organizational enterprise, and it must provide the names of its   parent entities. If it has a parent or several parent organizations, as   defined by the proposed regulation, the entity seeking to be listed   must provide the additional certifications mandated by the statute and   by the proposed regulation at Sec.  3.102(c) to maintain the   separateness of its patient safety work product from its parent(s) and   from other components or affiliates\11\ of its parent(s). Such   certifications are consistent with the above-cited body of case law   that permits and makes inquiries about organizational relationships and   practices for purposes of carrying out statutes and statutory   objectives.  ---------------------------------------------------------------------------        \11\ Corporate affiliates are commonly controlled corporations;   sharing a corporate parent, they are sometimes referred to as sister   corporations. Separate corporations that are part of a multi-  organizational enterprise are also referred to by the common terms   ``affiliates'' or ``affiliated organizations''.  ---------------------------------------------------------------------------        It may be helpful to illustrate how a potential applicant for   listing should apply these principles in determining whether to seek   listing as a component PSO. The fundamental principle is that if there   is a parent organization relationship present and the entity is not   prohibited from seeking listing by proposed Sec.  
3.102(a)(2), the   entity must seek listing as a component PSO. In determining whether an   entity must seek listing as a component organization, we note that it   does not matter whether the entity is a component of a provider or a   non-provider organization and, if it is a component of a provider   organization, whether it will undertake patient safety activities for   the parent organization's providers or providers that have no   relationship with its parent organization(s). The focus here is   primarily on establishing the separateness of the entity's operation   from any type of parent organization. Examples of entities that would   need to seek listing as a component organization include: A division of   a provider or non-provider organization; a subsidiary entity created by   a provider or non-provider organization; or a joint venture created by   several organizations (which could include provider organizations, non-  provider organizations, or a mix of such organizations) where any or   all of the organizations have a measure of control over the joint   venture.      Other examples of entities that would need to seek listing as a   component PSO include: a division of a nursing home chain; a subsidiary   entity created by a large academic health center or health system; or a   joint venture created by several organizations to seek listing as a PSO   where any or all of the organizations have a measure of control over   the joint venture.      Component PSO would mean a PSO listed by the Secretary that is a   component organization.      Confidentiality provisions would mean any requirement or   prohibition concerning confidentiality established by Sections 921 and   922(b)-(d), (g) and (i) of the Public Health Service Act, 42    [[Page 8117]]    U.S.C. 299b-21 and 299b-22(b)-(d), (g) and (i), and the proposed   provisions, at Sec. Sec.  
3.206 and 3.208, by which we propose to   implement the prohibition on disclosure of identifiable patient safety   work product. We proposed to define this new term to provide an easy   way to reference the provisions in the Patient Safety Act and in the   proposed rule that implements the confidentiality protections of the   Patient Safety Act for use in the enforcement and penalty provisions of   this proposed rule. We found this a useful approach in the HIPAA   Enforcement Rule, where we defined ``administrative simplification   provision'' for that purpose. In determining how to define   ``confidentiality provisions'' that could be violated, we considered   the statutory enforcement provision at section 922(f) of the Public   Health Service Act, 42 U.S.C. 299b-22(f), which incorporates by   reference section 922(b) and (c).\12\ Thus, the enforcement authority   clearly implicates sections 922(b) and (c) of the Patient Safety Act,   42 U.S.C. 299b-22(b) and (c), which are implemented in proposed Sec.    3.206. Section 922(d) of the Patient Safety Act, 42 U.S.C. 299b-22(d),   is entitled the ``Continued Protection of Information After   Disclosure'' and sets forth continued confidentiality protections for   patient safety work product after it has been disclosed under section   922(c) of the Public Health Service Act, 42 U.S.C. 299b-22(c), with   certain exceptions. Thus, section 922(d) of the Public Health Service   Act, 42 U.S.C. 299b-22(d), is a continuation of the confidentiality   protections provided for in section 922(b) of the Public Health Service   Act, 42 U.S.C. 299b-22(b). Therefore, we also consider the continued   confidentiality provision at proposed Sec.  3.208 herein to be one of   the confidentiality provisions. In addition, our understanding of these   provisions is based on the rule of construction in section 922(g) of   the Public Health Service Act, 42 U.S.C. 
299b-22(g), and the   clarification with respect to HIPAA in section 922(i) of the Public   Health Service Act, 42 U.S.C. 299b-22(i); accordingly, these provisions   are included in the definition.  ---------------------------------------------------------------------------        \12\ Section 922(f) of the Public Health Service Act, 42 U.S.C.   299b-22(f), states that ``subject to paragraphs (2) and (3), a   person who discloses identifiable patient safety work product in   knowing or reckless violation of subsection (b) shall be subject to   a civil money penalty of not more than $10,000 for each act   constituting such violation'' (emphasis added). Subsection (b) of   section 922 of the Public Health Service Act, 42 U.S.C. 299b-22(b),   is entitled, ``Confidentiality of Patient Safety Work Product'' and   states, ``Notwithstanding any other provision of Federal, State, or   local law, and subject to subsection (c), patient safety work   product shall be confidential and shall not be disclosed'' (emphasis   added). Section 922(c) of the Public Health Service Act, 42 U.S.C.   299b-22(c), in turn, contains the exceptions to confidentiality and   privilege protections.  ---------------------------------------------------------------------------        In contrast to the confidentiality provisions, the privilege   provisions in the Patient Safety Act will be enforced by the tribunals   or agencies that are subject to them; the Patient Safety Act does not   authorize the imposition of civil money penalties for breach of such   provisions. We note, however, that to the extent a breach of privilege   is also a breach of confidentiality, the Secretary would enforce the   confidentiality breach under 42 U.S.C. 299b-22(f).      Disclosure would mean the release, transfer, provision of access   to, or divulging in any other manner of patient safety work product by   a person holding patient safety work product to another person. 
An   impermissible disclosure (i.e., a disclosure of patient safety work   product in violation of the confidentiality provisions) is the action   upon which potential liability for a civil money penalty rests.   Generally, if the person holding patient safety work product is an   entity, disclosure occurs when the information is shared with another   entity or a natural person outside the entity. We do not propose to   hold entities liable for uses of the information within the entity,   (i.e., when this information is exchanged or shared among the workforce   members of the entity) except as noted below concerning component PSOs.   If a natural person holds patient safety work product, except in the   capacity as a workforce member, a disclosure occurs whenever exchange   occurs to any other person or entity. In light of this definition, we   note that a disclosure to a contractor that is under the direct control   of an entity (i.e., a workforce member) would be a use of the   information within the entity and, therefore, not a disclosure for   which a permission is needed. However, a disclosure to an independent   contractor would not be a disclosure to a workforce member, and thus,   would be a disclosure for purposes of this proposed rule and the   proposed enforcement provisions under Subpart D.      For component PSOs, we propose to recognize as a disclosure the   sharing or transfer of patient safety work product outside of the legal   entity, as described above, and between the component PSO and the rest   of the organization (i.e., parent organization) of which the component   PSO is a part. The Patient Safety Act demonstrates a strong desire for   the separation of patient safety work product between a component PSO   and the rest of the organization. See section 924(b)(2) of the Public   Health Service Act, 42 U.S.C. 299b-24(b)(2). 
Because we propose to   recognize component organizations as component PSOs which exist within,   but distinct from, a single legal entity, and such a component   organization as a component PSO would be required to certify to limit   access to patient safety work product under proposed Sec.  3.102(c),   the release, transfer, provision of access to, or divulging in any   other manner of patient safety work product from a component PSO to the   rest of the organization will be recognized as a disclosure for   purposes of this proposed rule and the proposed enforcement provisions   under Subpart D.      We considered whether or not we should hold entities liable for   disclosures that occur within that entity (uses) by defining disclosure   more discretely, (i.e., as between persons within an entity). If we   were to define disclosure in this manner, it may promote better   safeguarding against inappropriate uses of patient safety work product   by providers and PSOs. It may also allow better control of uses by   third parties to whom patient safety work product is disclosed, and it   would create additional enforcement situations which could lead to   additional potential civil money penalties. We note that HIPAA   authorized the Department to regulate both the uses and disclosures of   individually identifiable health information and, thus, the HIPAA   Privacy Rule regulates both the uses and disclosures of such   information by HIPAA covered entities. See section 264(b) and (c)(1) of   HIPAA, Public Law 104-191. The Patient Safety Act, on the other hand,   addresses disclosures and authorizes the Secretary to penalize   disclosures of patient safety work product.      Nonetheless, we do not propose to regulate the use, transfer or   sharing by internal disclosure, of patient safety work product within a   legal entity. 
We also decline to propose to regulate uses because we   would consider regulating uses within providers and PSOs to be   intrusive into their internal affairs. This would be especially the   case given that this is a voluntary program. Moreover, we do not   believe that regulating uses would further the statutory goal of   facilitating the sharing of patient safety work product with PSOs. In   other words, regulating uses would not advance the ability of any   entity to share patient safety work product for patient safety   activities. Finally, we presume that there are sufficient incentives in   place for providers and PSOs to prudently manage the uses of sensitive   patient safety work product.    [[Page 8118]]        We are not regulating uses, whether in a provider, PSO, or any   other entity that obtains patient safety work product. Because we are   not proposing to regulate uses, there will be no federal sanction based   on use of this information. If a provider or other entity wants to   limit the uses or further disclosures (beyond the regulatory   permissions) by a PSO or any future recipient, a disclosing entity is   free to do so by contract. See section 922(g)(4) of the Public Health   Service Act, 42 U.S.C. 299b-22(g)(4), and proposed Sec.  3.206(e). We   seek comment about whether this strikes the right balance.      The proposed definition mirrors the definition of disclosure used   in the HIPAA Privacy Rule concerning disclosures of protected health   information. Although we do not propose to regulate the use of patient   safety work product, HIPAA covered entities that possess patient safety   work product which contains protected health information must comply   with the use and disclosure requirements of the HIPAA Privacy Rule with   respect to the protected health information. 
Patient safety work   product containing protected health information could only be used in   accordance with the HIPAA Privacy Rule use permissions, including the   minimum necessary requirement.      Entity would mean any organization, regardless of whether the   organization is public, private, for-profit, or not-for-profit. The   statute permits any entity to seek listing as a PSO by the Secretary   except a health insurance issuer and any component of a health   insurance issuer and Sec.  3.102(a)(2) proposes, in addition, to   prohibit public or private sector entities that conduct regulatory   oversight of providers.      Group health plan would mean an employee welfare benefit plan (as   defined in section 3(1) of the Employee Retirement Income Security Act   of 1974 (ERISA) to the extent that the plan provides medical care (as   defined in paragraph (2) of section 2791(a) of the Public Health   Service Act, 42 U.S.C. 300gg-91(a)(1)) and including items and services   paid for as medical care) to employees or their dependents (as defined   under the terms of the plan) directly or through insurance,   reimbursement, or otherwise. Section 2791(b)(2) of the Public Health   Service Act, 42 U.S.C. 300gg-91(b)(2) excludes group health plans from   the defined class of `health insurance issuer.' Therefore, a group   health plan may establish a PSO unless the plan could be considered a   component of a health insurance issuer, in which case such a plan would   be precluded from being a PSO by the Patient Safety Act.      Health insurance issuer would mean an insurance company, insurance   service, or insurance organization (including a health maintenance   organization, as defined in 42 U.S.C. 300gg-91(b)(3)) which is licensed   to engage in the business of insurance in a State and which is subject   to State law which regulates insurance (within the meaning of 29 U.S.C.   1144(b)(2)). 
The term, as defined in the Public Health Service Act, does not include a group health plan.

Health maintenance organization would mean (1) a Federally qualified health maintenance organization (as defined in 42 U.S.C. 300e(a)); (2) an organization recognized under State law as a health maintenance organization; or (3) a similar organization regulated under State law for solvency in the same manner and to the same extent as such a health maintenance organization. Because the ERISA definition relied upon by the Patient Safety Act includes health maintenance organizations in the definition of health insurance issuer, an HMO may not be, control, or manage the operation of a PSO.

HHS stands for the United States Department of Health and Human Services. This definition is added for convenience.

HIPAA Privacy Rule would mean the regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), at 45 CFR Part 160 and Subparts A and E of Part 164.

Identifiable Patient Safety Work Product would mean patient safety work product that:

(1) Is presented in a form and manner that allows the identification of any provider that is a subject of the work product, or any providers that participate in activities that are a subject of the work product;

(2) Constitutes individually identifiable health information as that term is defined in the HIPAA Privacy Rule at 45 CFR 160.103; or

(3) Is presented in a form and manner that allows the identification of an individual who in good faith reported information directly to a PSO, or to a provider with the intention of having the information reported to a PSO (``reporter'').

Identifiable patient safety work product is not patient safety work product that meets the nonidentification standards proposed for ``nonidentifiable patient safety work product''.

Nonidentifiable Patient Safety Work Product would mean patient   safety work product that is not identifiable in accordance with the   nonidentification standards proposed at Sec.  3.212. Because the   privilege and confidentiality protections of the Patient Safety Act and   this Part do not apply to nonidentifiable patient safety work product   once disclosed, the restrictions and data protection rules in this   proposed rule phrased as pertaining to patient safety work product   generally only apply to identifiable patient safety work product.      OCR stands for the Office for Civil Rights in HHS. This definition   is added for convenience.      Parent organization would mean a public or private sector   organization that, alone or with others, either owns a provider entity   or a component PSO, or has the authority to control or manage agenda   setting, project management, or day-to-day operations of the component,   or the authority to review and override decisions of a component PSO.   We have not proposed to define the term ``owns.'' We propose to use the   term ``own a provider entity'' to mean a governmental agency or Tribal   entity that controls or manages a provider entity as well as an   organization having a controlling interest in a provider entity or a   component PSO, for example, owning a majority or more of the stock of   the owned entity, and expressly ask for comment on whether our further   definition of controlling interest as follows below is appropriate.      Under the proposed regulation, if an entity that seeks to be a PSO   has a parent organization, that entity will be required to seek listing   as a component PSO and must provide certifications set forth in   proposed Sec.  
3.102(c), which indicate that the entity maintains   patient safety work product separately from the rest of the   organization(s) and establishes security measures to maintain the   confidentiality of patient safety work product, the entity does not   make an unauthorized disclosure of patient safety work product to the   rest of the organization(s), and the entity does not create a conflict   of interest with the rest of the organization(s).      Traditionally, a parent corporation is defined as a corporation   that holds a controlling interest in one or more subsidiaries. By   contrast, parent organization, as used in this proposed rule, is a more   inclusive term and is not limited to definitions used in corporations   law. Accordingly, the proposed definition emphasizes a parent   organization's control (or influence) over a PSO that may or may not be   based on stock ownership.\13\ Our    [[Page 8119]]    approach to interpreting the statutory reference in section 924(b)(2)   of the Patient Safety Act, 42 U.S.C. 299b-24(b)(2) to ``another   organization'' in which an entity is a ``component'' (i.e., a ``parent   organization'') is analogous to the growing attention in both statutory   and case law, to the nature and conduct of business organizational   relationships, including multi-organizational enterprises. As discussed   above in the definition of ``component,'' the emphasis on actual   organizational control, rather than the organization's structure, has   numerous legal precedents in legislation implementing statutory   programs and objectives and courts upholding such programs and   objectives.\14\ Therefore, the definition of a ``parent organization,''   as used in the proposed regulation would encompass an affiliated   organization that participates in a common enterprise with an entity   seeking listing, and that owns, manages or exercises control over the   entity seeking to be listed as a PSO. 
As indicated above, affiliated   corporations have been legally defined to mean those who share a   corporate parent or are part of a common corporate enterprise.\15\  ---------------------------------------------------------------------------        \13\ Cf. 17 CFR 240.12b-2 (defining ``control'' broadly as ``* *   * the power to direct or cause the direction of the management and   policies of an * * * [entity] whether through the ownership of   voting securities, by contract, or otherwise.'')      \14\ Blumberg on Corporate Groups Sec.  13 notes that, where   applications for licenses are in a regulated industry, information   is required by states about the applicant as well as corporate   parents, subsidiaries and affiliates. In the proposed regulation,   pursuant to the Patient Safety Act, information about parent   organizations with potentially conflicting missions would be   obtained to ascertain that component entities seeking to be PSOs   have measures in place to protect the confidentiality of patient   safety work product and the independent conduct of impartial   scientific analyses by PSOs.      \15\ See for example the definition of affiliates in regulations   jointly promulgated by the Comptroller of the Currency, the Federal   Reserve board, the FDIC, and the Office of Thrift Supervision to   implement privacy provisions of Gramm Leach Bliley legislation using   provisions of the Fair Credit Reporting Act (dealing with   information sharing among affiliates): ``any company that is related   or affiliated by common ownership, or affiliated by corporate   control or common corporate control with another company.''   Blumberg, supra note 2, at Sec.  122.09[A] (citing 12 CFR pt.41.3,   12 CFR pt.222.3(1), 12 CFR pt.334.3(b) and 12 CFR pt.571.3(1)   (2004)).  
---------------------------------------------------------------------------        Parent organization is defined to include affiliates primarily in   recognition of the prospect that otherwise unrelated organizations   might affiliate to jointly establish a PSO. We can foresee such an   enterprise because improving patient safety through expert analysis of   aggregated patient safety data could logically be a common and   efficient objective shared by multiple potential cofounders of a PSO.   It is fitting, in our view, that a component entity certify, as we   propose in Sec.  3.102(c), that there is ``no conflict'' between its   mission as a PSO and all of the rest of the parent or affiliated   organizations that undertake a jointly sponsored PSO enterprise.\16\   Similarly, it is also appropriate that the additional certifications   required of component entities in proposed Sec.  3.102(c) regarding   separation of patient safety work product and the use of separate staff   be required of an entity that has several co-founder parent   organizations that exercise ownership, management or control, (i.e. to   assure that the intended ``firewalls'' exist between the component   entity and the rest of any affiliated organization that might exercise   ownership, management or control over a PSO).  ---------------------------------------------------------------------------        \16\ We note that the certifications from a jointly established   PSO could be supported or substantiated with references to   protective procedural or policy walls that have been established to   preclude a conflict of these organizations' other missions with the   scientific analytic mission of the PSO.  
---------------------------------------------------------------------------        To recap this part of the discussion, we would consider an entity   seeking listing as a PSO to have a parent organization, and such entity   would seek listing as a component organization, under the following   circumstances: (a) The entity is a unit in a corporate organization or   a controlling interest in the entity is owned by another corporation;   or (b) the entity is a distinct organizational part of a multi-  organizational enterprise and one or more affiliates in the enterprise   own, manage, or control the entity seeking listing as a PSO. An example   of an entity described in (b) would be an entity created by a joint   venture in which the entity would be managed or controlled by several   co-founding parent organizations.      The definition of provider in the proposed rule (which will be   discussed below) includes the parent organization of any provider   entity. Correspondingly, our definition of parent organization includes   any organization that ``owns a provider entity.'' This is designed to   provide an option for the holding company of a corporate health care   system to enter a multi-facility or system-wide contract with a PSO.      Patient Safety Act would mean the Patient Safety and Quality   Improvement Act of 2005 (Pub. L. 109-41), which amended Title IX of the   Public Health Service Act (42 U.S.C. 299 et seq.) by inserting a new   Part C, sections 921 through 926, which are codified at 42 U.S.C. 299b-  21 through 299b-26.      
Patient safety activities would mean the following activities carried out by or on behalf of a PSO or a provider:

(1) Efforts to improve patient safety and the quality of health care delivery;

(2) The collection and analysis of patient safety work product;

(3) The development and dissemination of information with respect to improving patient safety, such as recommendations, protocols, or information regarding best practices;

(4) The utilization of patient safety work product for the purposes of encouraging a culture of safety and of providing feedback and assistance to effectively minimize patient risk;

(5) The maintenance of procedures to preserve confidentiality with respect to patient safety work product;

(6) The provision of appropriate security measures with respect to patient safety work product;

(7) The utilization of qualified staff; and

(8) Activities related to the operation of a patient safety evaluation system and to the provision of feedback to participants in a patient safety evaluation system.

This definition is taken from the Patient Safety Act. See section 921(5) of the Public Health Service Act, 42 U.S.C. 299b-21(5). Patient safety activities is used as a key reference term for other provisions in the proposed rule and those provisions provide descriptions related to patient safety activities. See proposed requirements for PSOs at Sec. Sec.  3.102 and 3.106 and the proposed confidentiality disclosure permission at Sec.  3.206(b)(4).

Patient safety evaluation system would mean the collection, management, or analysis of information for reporting to or by a PSO. The patient safety evaluation system is a core concept of the Patient Safety Act through which information, including data, reports, memoranda, analyses, and/or written or oral statements, is collected, maintained, analyzed, and communicated.
When a provider engages in patient safety activities for the purpose of reporting to a PSO or a PSO engages in these activities with respect to information for patient safety purposes, a patient safety evaluation system exists regardless of whether the provider or PSO has formally identified a ``patient safety evaluation system''. For example, when a provider collects information for the purpose of reporting to a PSO and reports the information to a PSO to generate patient safety work product, the provider is collecting and reporting through its patient safety evaluation system (see definition of patient safety work product). Although we do not propose to require providers or PSOs formally to identify or define their patient safety evaluation system--because such systems exist by virtue of the providers or PSOs undertaking certain patient safety activities--a patient safety evaluation system can be [[Page 8120]] formally designated by a provider or PSO to establish a secure space in which these activities may take place.

The formal identification or designation of a patient safety evaluation system could give structure to the various functions served by a patient safety evaluation system. These possible functions are:

1. For reporting information by a provider to a PSO in order to generate patient safety work product and to protect the fact of reporting such information to a PSO (see section 921(6) and (7)(A)(i)(I) of the Public Health Service Act, 42 U.S.C. 299b-21(6) and (7)(A)(i)(I));

2. For communicating feedback concerning patient safety events between PSOs and providers (see section 921(5)(H) of the Public Health Service Act, 42 U.S.C. 299b-21(5)(H));

3. For creating and identifying the space within which deliberations and analyses of information and patient safety work product are conducted (see section 921(7)(A)(ii) of the Public Health Service Act, 42 U.S.C.
299b-21(7)(A)(ii));      4. For separating patient safety work product and information   collected, maintained, or developed for reporting to a PSO distinct and   apart from information collected, maintained, or developed for other   purposes (see section 921(7)(B)(ii) of the Public Health Service Act,   42 U.S.C. 299b-21(7)(B)(ii)); and,      5. For identifying patient safety work product to maintain its   privileged status and confidentiality, and to avoid impermissible   disclosures (see section 922(b) of the Public Health Service Act, 42   U.S.C. 299b-22(b)).      A provider or PSO need not engage in all of the above-mentioned   functions in order to establish or maintain a patient safety evaluation   system. A patient safety evaluation system is flexible and scalable to   the individual needs of a provider or PSO and may be modified as   necessary to support the activities and level of engagement in the   activities by a particular provider or PSO.      Documentation. Because a patient safety evaluation system is   critical in identifying and protecting patient safety work product, we   encourage providers and PSOs to document what constitutes their patient   safety evaluation system. 
We recommend that providers and PSOs consider documenting the following:

    How information enters the patient safety evaluation system;
    What processes, activities, physical space(s) and equipment comprise or are used by the patient safety evaluation system;
    Which personnel or categories of personnel need access to patient safety work product to carry out their duties involving operation of, or interaction with the patient safety evaluation system, and for each such person or category of persons, the category of patient safety work product to which access is needed and any conditions appropriate to such access; and,
    What procedures or mechanisms the patient safety evaluation system uses to report information to a PSO or disseminate information outside of the patient safety evaluation system.

A documented patient safety evaluation system, as opposed to an undocumented or poorly documented patient safety evaluation system, may accrue many benefits to the operating provider or PSO. Providers or PSOs that have a documented patient safety evaluation system will have substantial proof to support claims of privilege and confidentiality when resisting requests for production of, or subpoenas for, information constituting patient safety work product or when making requests for protective orders against requests or subpoenas for such patient safety work product. Documentation of a patient safety evaluation system will enable a provider or PSO to provide supportive evidence to a court when claiming privilege protections for patient safety work product. This may be particularly critical since the same activities can be done inside and outside of a patient safety evaluation system.

A documented and established patient safety evaluation system also   gives notice to employees of the privileged and confidential nature of   the information within a patient safety evaluation system in order to   generate awareness, greater care in handling such information and more   caution to prevent unintended or impermissible disclosures of patient   safety work product. For providers with many employees, an established   and documented patient safety evaluation system can serve to separate   access to privileged and confidential patient safety work product from   employees that have no need for patient safety work product.   Documentation can serve to limit access by non-essential employees. By   limiting who may access patient safety work product, a provider may   reduce its exposure to the risks of inappropriate disclosures.      Given all of the benefits, documentation of a patient safety   evaluation system would be a prudent business practice. Moreover, as   part of our enforcement program, we would expect entities to be   following sound business practices in maintaining adequate   documentation regarding their patient safety evaluation systems to   demonstrate their compliance with the confidentiality provisions.   Absent this type of documentation, it may be difficult for entities to   satisfy the Secretary that they have met and are in compliance with   their confidentiality obligations. While we believe it is a sound and   prudent business practice, we have not required a patient safety   evaluation system to be documented, and we do not believe it is   required by the Patient Safety Act. We seek comment as to these issues.      Patient Safety Organization (PSO) would mean a private or public   entity or component thereof that is listed as a PSO by the Secretary in   accordance with proposed Sec.  3.102.      
Patient Safety Work Product is a defined term in the Patient Safety   Act that identifies the information to which the privilege and   confidentiality protections apply. This proposed rule imports the   statutory definition of patient safety work product specifically for   the purpose of implementing the confidentiality protections under the   Patient Safety Act. The proposed rule provides that, with certain   exceptions, patient safety work product would mean any data, reports,   records, memoranda, analyses (such as root cause analyses), or written   or oral statements (or copies of any of this material) (A) which could   result in improved patient safety, health care quality, or health care   outcomes and either (i) is assembled or developed by a provider for   reporting to a PSO and is reported to a PSO; or (ii) is developed by a   PSO for the conduct of patient safety activities; or (B) which   identifies or constitutes the deliberations or analysis of, or   identifies the fact of reporting pursuant to, a patient safety   evaluation system. The proposed rule excludes from patient safety work   product a patient's original medical record, billing and discharge   information, or any other original patient or provider information and   any information that is collected, maintained, or developed separately,   or exists separately, from a patient safety evaluation system. Such   separate information or a copy thereof reported to a PSO does not by   reason of its reporting become patient safety work product. The   separately collected and maintained information remains available, for   example, for public health reporting or disclosures pursuant to court   order. The information contained in a provider's or PSO's patient   safety evaluation system is protected, would be privileged and   confidential, and may not be disclosed absent a statutory or regulatory   permission.    [[Page 8121]]        What can become patient safety work product. 
The definition of   patient safety work product lists the types of information that are   likely to be exchanged between a provider and PSO to generate patient   safety work product: ``Any data, reports, records, memoranda, analyses   (such as root cause analyses), or written or oral statements''   (collectively referred to below as ``information'' for brevity).   Congress intended the fostering of robust patient safety evaluation   systems for exchanges between providers and PSOs. We expect this   expansive list will maximize provider flexibility in operating its   patient safety evaluation system by enabling the broadest possible   incorporation and protection of information by providers and PSOs.      In addition, information must be collected or developed for the   purpose of reporting to a PSO. Records collected or developed for a   purpose other than for reporting to a PSO, such as to support internal   risk management activities or to fulfill external reporting   obligations, cannot become patient safety work product. However, copies   of information collected for another purpose may become patient safety   work product if, for example, the copies are made for the purpose of   reporting to a PSO. This issue is discussed more fully below regarding   information that cannot become patient safety work product.      When information is reported by a provider to a PSO or when a PSO   develops information for patient safety activities, the definition   assumes that the protections apply to information that ``could result   in improved patient safety, health care quality, or health care   outcomes.'' This phrase imposes few practical limits on the type of   information that can be protected since a broad range of clinical and   non-clinical factors could have a beneficial impact on the safety,   quality, or outcomes of patient care. 
Because the Patient Safety Act   does not impose a narrow limitation, such as requiring information to   relate solely, for example, to particular adverse or ``sentinel''   incidents or even to the safety of patient care, we conclude Congress   intended providers to be able to cast a broad net in their data   gathering and analytic efforts to identify causal factors or   relationships that might impact patient safety, quality and outcomes.   In addition, we note that the phrase ``could result in improved''   requires only potential utility, not proven utility, thereby allowing   more information to become patient safety work product.      How information becomes patient safety work product. Paragraphs   (1)(i)(A), (1)(i)(B), and (1)(ii) of the proposed regulatory definition   indicate three ways for information to become patient safety work   product and therefore subject to the confidentiality and privilege   protections of the Patient Safety Act.      Information assembled or developed and reported by providers. By   law and as set forth in our proposal, information that is assembled or   developed by a provider for the purpose of reporting to a PSO and is   reported to a PSO is patient safety work product. Section   921(7)(A)(i)(I) of the Public Health Service Act, 42 U.S.C. 299b-  21(7)(A)(i)(I).      As noted, to become patient safety work product under this section   of the definition, information must be reported by a provider to a PSO.   For purposes of paragraph (1)(i)(A) of this definition, ``reporting''   generally means the actual transmission or transfer of information, as   described above, to a PSO. We recognize, however, that requiring the   transmission of every piece of paper or electronic file to a PSO could   impose significant transmission, management, and storage burdens on   providers and PSOs. 
In many cases, providers engaged in their own   investigations may desire to avoid continued transmission of additional   related information as its work proceeds.      To alleviate the burden of reporting every piece of information   assembled by a provider related to a particular patient safety event,   we are interested in public comment regarding an alternative for   providers that have established relationships with PSOs. We note that   the reporting and generation of patient safety work product does not   require a contract or any other relationship for a PSO to receive   reports from a provider, for a PSO to examine patient safety work   product, or for a PSO to provide feedback to a provider based upon the   examination of reported information. Nonetheless, we anticipate that   providers who are committed to patient safety improvements will   establish a contractual or similar relationship with a PSO to report   and receive feedback about patient safety incidents and adverse events.   Such a contract or relationship would provide a basis to allow   providers and PSOs to establish customized alternative arrangements for   reporting.      For providers that have established contracts with PSOs for the   review and receipt of patient safety work product, we seek comment on   whether a provider should be able to ``report'' to the PSO by providing   its contracted PSO access to any information it intends to report   (i.e., ``functional reporting''). For example, a provider and a PSO may   establish, by contract, that information put into a database shared by   the provider and the PSO is sufficient to report information to the PSO   in lieu of the actual transmission requirement. We believe that   functional reporting would be a valuable mechanism for the efficient   reporting of information from a provider to a PSO. 
We are seeking   public comment about what terms and conditions may be necessary to   provide access to a PSO to be recognized as functional reporting. We   also seek comment about whether this type of functional reporting   arrangement should only be available for subsequent related information   once an initial report on a specific topic or incident has been   transmitted to a PSO.      We do not intend a PSO to have an unfettered right of access to any   provider information. Providers and PSOs are free to engage in   alternative reporting arrangements under the proposed rule, and we   solicit comments on the appropriate lines to be drawn around the   arrangements that should be recognized under the proposed rule.   However, our proposals should not be construed to suggest or propose   that a PSO has a superior right to access information held by a   provider based upon a reporting relationship. If a PSO believes   information reported by a provider is insufficient, a PSO is free to   request additional information from a provider or to indicate   appropriate limitations to the conclusions or analyses based on   insufficient or incomplete information.      We seek public comment on two additional aspects regarding the   timing of the obligation of a provider to report to a PSO in order for   information to become protected patient safety work product and for the   confidentiality protections to attach. The first issue relates to the   timing between assembly or development of information for reporting and   actual reporting under the proposed definition of patient safety work   product. As currently proposed, information assembled or developed by a   provider is not protected until the moment it is reported, (i.e.,   transmitted or transferred to a PSO). We are considering whether there   is a need for a short period of protection for information assembled   but not yet reported. 
We note that in such situations, a provider   creates and operates a patient safety evaluation system. (See   discussion of the definition of patient safety evaluation system at   proposed Sec.  3.20.) We further note that even without such short   period of    [[Page 8122]]    protection, information assembled or developed by a provider but not   yet reported may be subject to other protections in the proposed rule   (e.g., see section 921(7)(A)(ii) of the Public Health Service Act, 42   U.S.C. 299b-21(7)(A)(ii)).      Our intent is not to relieve the provider of the statutory   requirement for reporting pursuant to section 921(7)(A)(i) of the   Public Health Service Act, 42 U.S.C. 299b-21(7)(A)(i), but to extend to   providers flexibility to efficiently transmit or transfer information   to a PSO for protection. A short period of protection for information   assembled but not yet reported could result in greater operational   efficiency for a provider by allowing information to be compiled and   reported to a PSO in batches. It could also alleviate the uncertainty   regarding the status of information that is assembled, but not yet   reported for administrative reasons. If we do address this issue in the   final rule, we seek input on the appropriate time period for such   protection and whether a provider must demonstrate an intent to report   in order to obtain protections. If we do not address this issue in the   final rule, such information held by a provider would not be   confidential until it is actually transmitted to a PSO under this prong   of the definition of patient safety work product.      Second, for information to become patient safety work product under   this prong of the definition, it must be assembled or developed for the   purpose of reporting to a PSO and actually reported. 
We solicit comment   on the point in time at which it can be established that information is   being collected for the purpose of reporting to a PSO such that it is   not excluded from the definition of patient safety work product as a   consequence of it being collected, maintained or developed separately   from a patient safety evaluation system. See section 921(7)(B)(ii) of   the Public Health Service Act, 42 U.S.C. 299b-21(7)(B)(ii). To assemble   information with the purpose of reporting to a PSO, a PSO must   potentially exist, and thus, we believe that collection efforts cannot   predate the passage of the Patient Safety Act on July 29, 2005.      Information that is developed by a PSO for the conduct of patient   safety activities. By law and as set forth in our proposal, information   that is developed by a PSO for patient safety activities is patient   safety work product. Section 921(7)(A)(i)(II) of the Public Health   Service Act, 42 U.S.C. 299b-21(7)(A)(i)(II). This section of the   definition does not address information discussed in the previous   section that is assembled or developed by a provider and is reported to   a PSO which becomes patient safety work product under that section.   Rather, this section addresses other information that a PSO collects   for development from third parties, non-providers and other PSOs for   patient safety activities.      For example, a PSO may be asked to assist a provider in analyzing a   complex adverse event that took place. The initial information from the   provider is protected because it was reported. If the PSO determines   that the information is insufficient and conducts interviews with   affected patients or collects additional data, that information is an   example of the type of information that would be protected under this   section of the definition. 
Even if the PSO ultimately decided not to   analyze such information, the fact that the PSO collected and evaluated   the information is a form of ``development'' transforming the   information into patient safety work product. Such patient safety work   product would be subject to confidentiality protections, and thus, the   PSO would need safe disposal methods for any such information in   accordance with its confidentiality obligations.      Information that constitutes the deliberations or analysis of, or   identifies the fact of reporting pursuant to, a patient safety   evaluation system. By law and as set forth in our proposal, information   that constitutes the deliberations or analysis of, or identifies the   fact of reporting pursuant to, a patient safety evaluation system is   patient safety work product. Section 921(7)(A)(ii) of the Public Health   Service Act, 42 U.S.C. 299b-21(7)(A)(ii). This provision extends   patient safety work product protections to any information that would   identify the fact of reporting pursuant to a patient safety evaluation   system or that constitutes the deliberations or analyses that take   place within such a system. The fact of reporting through a patient   safety evaluation system (e.g., a fax cover sheet, an e-mail   transmitting data, and an oral transmission of information to a PSO) is   patient safety work product.      With regard to providers, deliberations and analyses are protected   while they are occurring provided they are done within a patient safety   evaluation system. We are proposing that under paragraph (1)(ii) of   this definition, any ``deliberations or analysis'' performed within the   patient safety evaluation system becomes patient safety work product.   
In other words, to determine whether protections apply, the primary   question is whether a patient safety evaluation system, which by law   and as set forth in this proposed rule, is the collection, management,   or analysis of information for reporting to a PSO, was in existence at   the time of the deliberations and analysis.      To determine whether a provider had a patient safety evaluation   system at the time that the deliberations or analysis took place, we   propose to consider whether a provider had certain indicia of a patient   safety evaluation system, such as the following: (1) The provider has a   contract with a PSO for the receipt and review of patient safety work   product that is in effect at the time of the deliberations and   analysis; (2) the provider has documentation for a patient safety   evaluation system demonstrating the capacity to report to a PSO at the   time of the deliberations and analysis; (3) the provider had reported   information to the PSO either under paragraph (1)(i)(A) of the proposed   definition of patient safety work product or with respect to   deliberations and analysis; or (4) the provider has actually reported   the underlying information that was the basis of the deliberations or   analysis to a PSO. For example, if a provider claimed protection for   information as the deliberation of a patient safety evaluation system,   and had a contract with the PSO at the time the deliberations took   place, it would be reasonable to believe that the deliberations and   analysis were related to the provider's PSO reporting activities. This   is not an exclusive list. We note therefore that a provider may still   be able to show that information was patient safety work product using   other indications.      
We note that the statutory protections for deliberations and   analysis in a patient safety evaluation system apply without regard to   the status of the underlying information being considered (i.e., it   does not matter whether the underlying information being considered is   patient safety work product or not). A provider can fully protect   internal deliberations in its patient safety evaluation system over   whether to report information to a PSO. The deliberations and analysis   are protected, whether the provider chooses to report the underlying   information to a PSO or not. However, the underlying information,   separate and apart from the analysis or deliberation, becomes protected   only when reported to a PSO. See section 921(7)(A)(i)(1) of the Public   Health Service Act, 42 U.S.C. 299b-21(7)(A)(i)(1).      To illustrate, consider a hospital that is reviewing a list of all   near-misses    [[Page 8123]]    reported within the past 30 days. The purpose of the hospital's review   is to analyze whether to report any or part of the list to a PSO. The   analyses (or any deliberations the provider undertakes) are fully   protected whether the provider reports any near-misses or not. The   status of the near-misses list does not change because the   deliberations took place. The fact that the provider deliberated over   reporting the list does not constitute reporting and does not change   the protected status of the list. Separate and apart from the analysis,   this list of near misses is not protected unless it is reported. By   contrast, this provision fully protects the provider's deliberations   and analyses in its patient safety evaluation system regarding the   list.      Delisting. In the event that a PSO is delisted for cause under   proposed Sec.  3.108(b)(1), a provider may continue to report to that   PSO for 30 days after the delisting and the reported information will   be patient safety work product. 
Section 924(f)(1) of the Public Health   Service Act, 42 U.S.C. 299b-24(f)(1). Information reported to a   delisted PSO after the 30-day period will not be patient safety work   product. However, after a PSO is delisted, the delisted entity may not   continue to generate patient safety work product by developing   information for the conduct of patient safety activities or through   deliberations and analysis of information. Any patient safety work   product held or generated by a PSO prior to its delisting remains   protected even after the PSO is delisted. See discussion in the   preamble regarding proposed Sec.  3.108(b)(2) for more information.      We note that proposed Sec.  3.108(c) outlines the process for   delisting based upon an entity's voluntary relinquishment of its PSO   listing. As we discuss in the accompanying preamble, we tentatively   conclude that the statutory provision for a 30-day period of continued   protection does not apply after delisting due to voluntary   relinquishment.      Even though a PSO may not generate new patient safety work product   after delisting, it may still have in its possession patient safety   work product, which it must keep confidential. The statute establishes   requirements, incorporated in proposed Sec.  3.108(b)(2) and (b)(3),   that a PSO delisted for cause must meet regarding notification of   providers and disposition of patient safety work product. We propose in   Sec.  3.108(c) to implement similar notification and disposition   measures for a PSO that voluntarily relinquishes its listing. For   further discussion of the obligations of a delisted PSO, see proposed   Sec.  3.108(b)(2), (b)(3), and (c).      What is not patient safety work product. 
By law, and as set forth   in this proposed rule, patient safety work product does not include a   patient's original medical record, billing and discharge information,   or any other original patient or provider record; nor does it include   information that is collected, maintained, or developed separately or   exists separately from, a patient safety evaluation system. Such   separate information or a copy thereof reported to a PSO shall not by   reason of its reporting be considered patient safety work product.      The specific examples cited in the Patient Safety Act of what is   not patient safety work product--the patient's original medical record,   billing and discharge information, or any other original patient   record--are illustrative of the types of information that providers   routinely assemble, develop, or maintain for purposes and obligations   other than those of the Patient Safety Act. The Patient Safety Act also   states that information that is collected, maintained, or developed   separately, or exists separately from a patient safety evaluation   system, is not patient safety work product. Therefore, if records are   collected, maintained, or developed for a purpose other than for   reporting to a PSO, those records cannot be patient safety work   product. However, if, for example, a copy of such record is made for   reporting to a PSO, the copy and the fact of reporting become patient   safety work product. Thus, a provider could collect incident reports   for internal quality assurance purposes, and later, determine that one   incident report is relevant to a broader patient safety activity. If   the provider then reports a copy of the incident report to a PSO, the   copy of the incident report received by the PSO is protected as is the   copy of the incident report as reported to the PSO that is maintained   by the provider, while the original incident report collected for   internal quality assurance purposes is not protected.      
The proposed rule sets forth the statutory rule of construction   that prohibits construing anything in this Part from limiting (1) the   discovery of or admissibility of information that is not patient safety   work product in a criminal, civil, or administrative proceeding; (2)   the reporting of information that is not patient safety work product to   a Federal, State, or local governmental agency for public health   surveillance, investigation, or other public health purposes or health   oversight purposes; or (3) a provider's recordkeeping obligation with   respect to information that is not patient safety work product under   Federal, State or local law. Section 921(7)(B)(iii) of the Public   Health Service Act, 42 U.S.C. 299b-21(7)(B)(iii). Even when laws or   regulations require the reporting of the information regarding the type   of events also reported to PSOs, the Patient Safety Act does not shield   providers from their obligation to comply with such requirements.      As the Patient Safety Act states more than once, these external   obligations must be met with information that is not patient safety   work product, and, in accordance with the confidentiality provisions,   patient safety work product cannot be disclosed for these purposes. We   note that the Patient Safety Act clarifies that nothing in this Part   prohibits any person from conducting additional analyses for any   purpose regardless of whether such additional analysis involves issues   identical to or similar to those for which information was reported to   or assessed by a PSO or a patient safety evaluation system. Section   922(h) of the Public Health Service Act, 42 U.S.C. 299b-22(h). A copy   of information generated for such purposes may be entered into the   provider's patient safety evaluation system for patient safety purposes   although the originals of the information generated to meet external   obligations do not become patient safety work product.      
Thus, information that is collected to comply with external   obligations is not patient safety work product. Such activities may   include: State incident reporting requirements; adverse drug event   information reporting to the Food and Drug Administration (FDA);   certification or licensing records for compliance with health oversight   agency requirements; reporting to the National Practitioner Data Bank   of physician disciplinary actions; or complying with required   disclosures by particular providers or suppliers pursuant to Medicare's   conditions of participation or conditions of coverage. In addition, the   proposed rule does not change the law with respect to an employee's   ability to file a complaint with Federal or State authorities regarding   quality of care, or with respect to any prohibition on a provider's   threatening or carrying out retaliation against an individual for doing   so; the filing of any such complaint would not be deemed to be a   violation of the Patient Safety Act, unless patient safety work product   was improperly disclosed in such filing.      Health Care Oversight Reporting and Patient Safety Work Product.   The Patient Safety Act establishes a    [[Page 8124]]    protected space or system of protected information in order to allow   frank discussion about causes and remediation of threats to patient   safety. As described above, this protected system is separate,   distinct, and resides alongside but does not replace other information   collection activities mandated by laws, regulations, and accrediting   and licensing requirements as well as voluntary reporting activities   that occur for the purpose of maintaining accountability in the health   care system. Information collection activities performed by the   provider for purposes other than for reporting to a PSO by itself do   not create patient safety work product. 
In anticipation of questions   about how mandatory and voluntary reporting will continue to be   possible, a brief explanation may be helpful regarding how this new   patient safety framework would operate in relation to health care   oversight activities (e.g., public health reporting, corrective   actions, etc.).      Situations may occur when the original (whether print or   electronic) of information that is not patient safety work product is   needed for a disclosure outside of the entity but cannot be located   while a copy of the needed information resides in the patient safety   evaluation system. If the reason for which the original information is   being sought does not align with one of the permissible disclosures,   discussed in proposed Subpart C, the protected copy may not be   released. Nevertheless, this does not preclude efforts to reconstruct   the information outside of the patient safety evaluation system from   information that is not patient safety work product. Those who   participated in the collection, development, analysis, or review of the   missing information or have knowledge of its contents can fully   disclose what they know or reconstruct an analysis outside of the   patient safety evaluation system.      The issue of how effectively a provider has instituted corrective   action following identification of a threat to the quality or safety of   patient care might lead to requests for information from external   authorities. The Patient Safety Act does not relieve a provider of its   responsibility to respond to such requests for information or to   undertake or provide to external authorities evaluations of the   effectiveness of corrective action, but the provider must respond with   information that is not patient safety work product.      To illustrate the distinction, consider the following example. 
We would expect that a provider's patient safety evaluation system or a PSO with which the provider works may make recommendations from time to time to the provider for changes it should make in the way it manages and delivers health care. The list of recommendations for changes, whether they originate from the provider's patient safety evaluation system or the PSO with which it is working, is always patient safety work product. We would also note that not all of these recommendations will address corrective actions (i.e., correcting a process, policy, or situation that poses a threat to patients). It is also possible that a provider with an exemplary quality and safety record is seeking advice on how to perform even better. Whatever the case, the feedback from the provider's patient safety evaluation system or PSO may not be disclosed to external authorities unless permitted by the disclosures specified in Subpart C of this proposed rule.

The provider may choose to reject the recommendations it receives or implement some or all of the proposed changes. While the recommendations always remain protected, whether they are adopted or rejected by a provider, the actual changes that the provider implements to improve how it manages or delivers health care services (including changes in its organizational management or its care environments, structures, and processes) are not patient safety work product. In a practical sense, it would be virtually impossible to keep such changes confidential in any event, and we stress that if there is any distinction between the change that was adopted and the recommendation that the provider received, the provider can only describe the change that was implemented. The recommendation remains protected. Thus, if external authorities request a list of corrective actions that a provider has implemented, the provider has no basis for refusing the request.
Even though the actions are based on protected information, the corrective actions themselves are not patient safety work product. On the other hand, if an external authority asks for a list of the recommendations that the provider did not implement or whether and how any implemented change differed from the recommendation the provider received, the provider must refuse the request; the recommendations themselves remain protected.

Person would mean a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private. We propose to define ``person'' because the Patient Safety Act requires that civil money penalties be imposed against ``person[s]'' that violate the confidentiality provisions. However, the Patient Safety Act does not provide a definition of ``person''. The Definition Act at 1 U.S.C. 1 provides, ``in determining any Act of Congress, unless the context indicates otherwise * * * the words `person' and `whoever' include corporations, companies, associations, firms, partnerships, societies, and joint stock companies, as well as individuals'' (emphasis added). The Patient Safety Act indicates that States and other government entities may hold patient safety work product with the protections and liabilities attached, which is an expansion of the Definition Act provision. For this reason, we propose the broader definition of the term ``person''. We note that this proposed approach is consistent with the HHS Office of Inspector General (OIG) regulations, 42 CFR 1003.101, and the HIPAA Enforcement Rule, 45 CFR 160.103.

Provider would mean any individual or entity licensed or otherwise authorized under State law to provide health care services.
The list of specific providers in the proposed rule includes the following: institutional providers, such as a hospital, nursing facility, comprehensive outpatient rehabilitation facility, home health agency, hospice program, renal dialysis facility, ambulatory surgical center, pharmacy, physician or health care practitioner's office (including a group practice), long term care facility, behavior health residential treatment facility, clinical laboratory, or health center; or individual clinicians, such as a physician, physician assistant, registered nurse, nurse practitioner, clinical nurse specialist, certified registered nurse anesthetist, certified nurse midwife, psychologist, certified social worker, registered dietitian or nutrition professional, physical or occupational therapist, pharmacist, or other individual health care practitioner. This list is merely illustrative; an individual or entity that is not listed here but meets the test of state licensure or authorization to provide health care services is a provider for the purpose of this proposed rule.

The statute also authorizes the Secretary to expand the definition of providers. Under this authority, we propose to add the following to this list of providers:

(a) Agencies, organizations, and individuals within Federal, State, local, or Tribal governments that deliver health care, organizations engaged as contractors by the Federal, State, local or Tribal governments to deliver health care, and individual health care [[Page 8125]] practitioners employed or engaged as contractors by the Federal government to deliver health care. It appears that all of these agencies, organizations, and individuals could participate in, and could benefit from, working with a PSO.

(b) A corporate parent organization for one or more entities licensed or otherwise authorized to provide health care services under state law.
Without this addition, hospital or other provider systems that are controlled by a parent organization that is not recognized as a provider under State law might be precluded from entering into system-wide contracts with PSOs. This addition furthers the goals of the statute to encourage aggregation of patient safety data and a coordinated approach for assessing and improving patient safety. We particularly seek comments regarding any concerns or operational issues that might result from this addition, and note that a PSO entering one system-wide contract still needs to meet the two contract minimum requirement based on section 924(b)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(C), and set out and discussed in proposed Sec. 3.102(b). The PSO can do this by entering into two contracts with different providers within the system.

(c) A Federal, State, local, or Tribal government unit that manages or controls one or more health care providers described in the definition of provider at (1)(i) and (2). We propose this addition to the definition of ``provider'' for the same reason that we proposed the addition of parent organization that has a controlling interest in one or more entities licensed or otherwise authorized to provide health care services under state law.

Research would have the same meaning as that term is defined in the HIPAA Privacy Rule at 45 CFR 164.501. In the HIPAA Privacy Rule, research means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. This definition is used to describe the scope of the confidentiality exception at proposed Sec. 3.206(b)(6). We propose to use the same definition as in the HIPAA Privacy Rule to improve the level of coordination and to reduce the burden of compliance.
At the same time, if there is a modification to the definition in the HIPAA Privacy Rule, the definition herein will automatically change with such regulatory action.

Respondent would mean a provider, PSO, or responsible person who is the subject of a complaint or a compliance review.

Responsible person would mean a person, other than a provider or PSO, who has possession or custody of identifiable patient safety work product and is subject to the confidentiality provisions. We note that because the Patient Safety Act has continued confidentiality protection at 42 U.S.C. 299b-22(d), many entities other than providers and PSOs may be subject to the confidentiality provisions. Thus, for example, researchers or law enforcement officials who obtain patient safety work product under one of the exceptions to confidentiality would be considered a ``responsible person''.

Workforce would mean employees, volunteers, trainees, contractors, and other persons whose conduct, in the performance of work for a provider, PSO or responsible person, is under the direct control of such provider, PSO or responsible person, whether or not they are paid by the provider, PSO or responsible person. We use the term workforce member in several contexts in the proposed rule. Importantly, in proposed Sec. 3.402 where we discuss principal liability, we propose that an agent for which a principal may be liable can be a workforce member. We have included the term ``contractors'' in the definition of workforce member to clarify that such permitted sharing may occur with contractors who are under the direct control of the provider, PSO, or responsible person. For example, a patient safety activity disclosure by a provider to a PSO may be made directly to the PSO or to a consultant, as a workforce member, contracted by the PSO to help it carry out patient safety activities.

B. Subpart B--PSO Requirements and Agency Procedures

Proposed Subpart (B) sets forth requirements for Patient Safety Organizations (PSOs). This proposed Subpart specifies the certification and notification requirements that PSOs must meet, the actions that the Secretary may and will take relating to PSOs, the requirements that PSOs must meet for the security of patient safety work product, the processes governing correction of PSO deficiencies, revocation, and voluntary relinquishment, and related administrative authorities and implementation responsibilities. The requirements of this proposed Subpart would apply to PSOs, their workforce, a PSO's contractors when they hold patient safety work product, and the Secretary.

This proposed Subpart is intended to provide the foundation for new, voluntary opportunities to improve the safety, quality, and outcomes of patient care. The Patient Safety Act does not require a provider to contract with a PSO, and the proposed rule does not include such a requirement. However, we expect that most providers will enter into contracts with PSOs when seeking the confidentiality and privilege protections of the statute. Contracts offer providers greater certainty that a provider's claim to these statutory protections will be sustained, if challenged. For example, the statutory definition of patient safety work product describes the nature and purpose of information that can be protected, the circumstances under which deliberations or analyses are protected, and the requirement that certain information be reported to a PSO. Pursuant to a contractual arrangement, providers can require and receive assistance from PSOs to ensure that these requirements are fully met. Contracts can provide clear evidence that a provider is taking all reasonable measures to operate under the ambit of the statute in collecting, developing, and maintaining patient safety work product.
Contracts enable providers to specify even stronger confidentiality protections in how they report information to a PSO or how the PSO handles and uses the information.

Contracts can also give providers greater assurance that they will have access to the expertise of the PSO to provide feedback regarding their patient safety events. While some providers may have patient safety expertise in-house, a PSO has the potential to offer providers considerable additional insight as a result of its expertise and ability to aggregate and analyze data from multiple providers and multiple PSOs. Experience has demonstrated that such aggregation and analysis of large volumes of data, such as a PSO has the ability to do, will often yield insights into the underlying causes of the hazards and risks associated with patient care that are simply not apparent when these analyses are limited to the information available from only one office, clinic, facility, or system.

Pursuant to a contract with a PSO, a provider may also be able to obtain from a PSO operational guidance or best practices with respect to operation of a patient safety evaluation system. Such a contract also provides a mechanism for a provider to control the nature and extent of a PSO's aggregation of its data with those of other providers or PSOs, and the nature of related analysis and discussion of such data. A provider can also require, pursuant to its contract with a PSO, that the PSO will notify the provider if improper disclosures are [[Page 8126]] made of patient safety work product relating to that provider.

This proposed Subpart enables a broad variety of health care providers to work voluntarily with entities that have certified to the Secretary that they have the ability and expertise to carry out broadly defined patient safety activities of the Patient Safety Act and, therefore, to serve as consultants to eligible providers to improve patient care. In accordance with the Patient Safety Act, we propose an attestation-based process for initial and continued listing of an entity as a PSO. This includes an attestation-based approach for meeting the statutory requirement that each PSO, within 24 months of being listed and in each sequential 24-month period thereafter, must have bona fide contracts with more than one provider for the receipt and review of patient safety work product.

This streamlined approach of the statute and the proposed rule is intended to encourage the rapid development of expertise in health care improvement. This framework allows the marketplace to be the principal arbiter of the capabilities of each PSO. Listing as a PSO by the Secretary does not entitle an entity to Federal funding. The financial viability of most PSOs will derive from their ability to attract and retain contracts with providers or to attract financial support from other organizations, such as charitable foundations dedicated to health system improvement. Even when a provider organization considers establishing a PSO (what this proposed rule terms a component PSO) to serve the needs of its organization, we expect it will weigh the value of, and the business case for, such a PSO.

Proposed Subpart B attempts to minimize regulatory burden while fostering transparency to enhance the ability of providers to assess the strengths and weaknesses of their choice of PSOs.
For example, we encourage, but do not require, an entity seeking listing to develop and post on their own Web sites narrative statements describing the expertise of the personnel the entity will have at its disposal, and outlining the way it will approach its mission and comply with the statute's certification requirements.

We similarly propose to apply transparency to our implementation of the statute's requirement for disclosure by PSOs of potential conflicts of interest with their provider clients. While the statute only requires public release of the findings of the Secretary after review of such disclosures, we propose to make public, consistent with applicable law, including the Freedom of Information Act, a PSO's disclosure statements as well. In our view, in addition to having the benefit of the Secretary's determination, a provider, as the prospective consumer of PSO services, should be able to make its own determination regarding the appropriateness of the relationships that a PSO has with its other provider clients and the impact those relationships might have on its particular needs. For example, a provider might care if a PSO--despite the Secretary's determination that it had been established with sufficient operational and other independence to qualify for listing as a PSO--was owned, operated, or managed by the provider's major competitor.

The provisions of this proposed Subpart also emphasize the need for vigilance in providing security for patient safety work product. To achieve the widespread provider participation intended by this statute, PSOs must foster and maintain the confidence of providers in the security of patient safety work product in which providers and patients are identified.
Therefore, we propose to require a security framework, which each PSO must address with standards it determines appropriate to the size and complexity of its organization, pertaining to the separation of data and systems and to security management control, monitoring, and assessment.

The Patient Safety Act recognizes that PSOs will need to enter business associate agreements to receive protected health information from providers that are covered entities under the HIPAA Privacy Rule. As a business associate of such a provider, a PSO will have to meet certain contractual requirements on the use and disclosure of protected health information for compliance with the HIPAA Privacy Rule that are in addition to the requirements set forth in this proposed rule. Those requirements include the notification of a covered entity when protected health information is inappropriately disclosed in violation of the HIPAA Privacy Rule.

We do not propose to require reporting of impermissible disclosures of other patient safety work product that does not contain protected health information. We solicit comments on whether to parallel the business associate requirements of the HIPAA Privacy Rule. Such a requirement, if implemented, would require a PSO to notify the organizational source of patient safety work product if the information it shared has been impermissibly used or disclosed. Note that such reporting requirements could be voluntarily agreed to by contract between providers and their PSO.

Section 924(b)(2)(A) and (B) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(2)(A) and (B), suggests Congressional concern that a strong firewall must be maintained between a component PSO and the rest of the organization(s) of which it is a part. This proposed subpart proposes specific safeguards that such component PSOs must implement to effectively address those concerns.

As this discussion suggests, in developing this proposed Subpart, we have proposed the most specific requirements in the areas of security and disclosure of potential conflicts of interest. We expect to offer technical assistance and encourage transparency wherever possible to promote implementation, compliance, and correction of deficiencies. At the same time, this proposed Subpart establishes processes that will permit the Secretary promptly to revoke a PSO's certification and remove it from listing, if such action proves necessary.

1. Proposed Sec. 3.102--Process and Requirements for Initial and Continued Listing of PSOs

Proposed Sec. 3.102 sets out: The submissions that the Department, in carrying out its responsibilities, proposes to require, consistent with the Patient Safety Act, for initial and continued listing as a PSO; the certifications that all entities must make as part of the listing process; the additional certifications that component organizations must make as part of the listing process; the requirement for biennial submission of a certification that the PSO has entered into the required number of contracts; and the circumstances under which a PSO must submit a disclosure statement regarding the relationships it has with its contracting providers.

(A) Proposed Sec. 3.102(a)--Eligibility and Process for Initial and Continued Listing

In this section, we propose to establish a streamlined certification process that minimizes barriers to entry for a broad variety of entities seeking to be listed as a PSO. With several exceptions, any entity--public or private, for-profit or not-for-profit--may seek initial or continued listing by the Secretary as a PSO. The statute precludes a health insurance issuer and a component of a health insurance issuer from becoming a PSO (section 924(b)(1)(D) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(D)).

In addition, we propose to preclude any other entity, public or private, from [[Page 8127]] seeking listing as a PSO if the entity conducts regulatory oversight of health care providers, including accreditation or licensure. We propose this restriction for consistency with the statute, which seeks to foster a ``culture of safety'' in which health care providers are confident that the patient safety events that they report will be used for learning and improvement, not oversight, penalties, or punishment. Listing organizations with regulatory authority as PSOs would be likely to undermine provider confidence that adequate separation of PSO and regulatory activities would be maintained.

We note that the Patient Safety Act permits a component organization of an entity to seek listing as a PSO if the component organization establishes a strong firewall between its activities as a PSO and the rest of the organization(s) of which it is a part. As drafted, this proposed regulation permits a component organization of an entity with any degree of regulatory authority to seek listing as a component PSO. We have not proposed any restrictions on such component organizations for several reasons. First, we expect that the statutory requirement for a strong firewall between a component PSO and its parent organization(s) with respect to its activities as a PSO and the protected information it holds will provide adequate safeguards. Second, providers will have access to the names of parent organizations of component PSOs. We propose in Sec. 3.102(c) that any component organization must disclose the name of its parent organization(s) (see the proposed definitions of component and parent organizations in Sec. 3.20). We intend to make this information publicly available and expect to post it on the PSO Web site we plan to establish (see the preamble discussion regarding proposed Sec. 3.104(d)).
This will provide transparency and enable providers to determine whether the organizational affiliation(s) of a component PSO are of concern. Finally, we believe that allowing the marketplace to determine whether a component PSO has acceptable or unacceptable ties to an entity with regulatory authority is consistent with our overall approach to regulation of PSOs.

At the same time, we recognize that some organizations exercise a considerable level of regulatory oversight over providers and there may be concerns that such organizations could circumvent the firewalls proposed below in Sec. 3.102(c) or might attempt to require providers to work with a component PSO that the regulatory entity creates. Accordingly, we specifically seek comment on the approach we have proposed and whether we should consider a broader restriction on component organizations of entities that are regulatory. For example, should components of state health departments be precluded from seeking listing because of the broad authority of such departments to regulate provider behavior? If a broader restriction is proposed, we would especially welcome suggestions on clear, unambiguous criteria for its implementation.

We will develop certification forms for entities seeking initial and continued listing that contain or restate the respective certifications described in proposed Sec. 3.102(b) and Sec. 3.102(c). An individual with authority to make commitments on behalf of the entity seeking listing would be required to acknowledge each of the certification requirements, attest that the entity meets each of the certification requirements on the form, and provide contact information for the entity.
The certification form would also require an attestation that the entity is not subject to the limitation on listing proposed in this subsection and an attestation that, once listed as a PSO, it will notify the Secretary if it is no longer able to meet the requirements of proposed Sec. 3.102(b) and Sec. 3.102(c).

To facilitate the development of a marketplace for the services of PSOs, entities are encouraged, but not required, to develop and post on their own Web sites narratives that specify how the entity will approach its mission, how it will comply with the certification requirements, and describe the qualifications of the entity's personnel. With appropriate disclaimers of any implied endorsement, we expect to post citations or links to the Web sites of all listed entities on the PSO Web site that we plan to establish pursuant to proposed Sec. 3.104(d). We believe that clear narratives of how PSOs will meet their statutory and regulatory responsibilities will help providers, who are seeking the services of a PSO, to assess their options. The Department's PSO Web site address will be identified in the final rule and will be available from AHRQ upon request.

(B) Proposed Sec. 3.102(b)--Fifteen General Certification Requirements

In accordance with section 924(a) of the Public Health Service Act, 42 U.S.C. 299b-24(a), the proposed rule would require all entities seeking initial or continued listing as a PSO to meet 15 general certification requirements: eight requirements related to patient safety activities and seven criteria governing their operation. At initial listing, the entity would be required to certify that it has policies and procedures in place to carry out the eight patient safety activities defined in the Patient Safety Act and incorporated in proposed Sec. 3.20, and upon listing, would meet the seven criteria specified in proposed Sec. 3.102 (b)(2).
Submissions for continued listing would require certifications that the PSO is performing, and will continue to perform, the eight patient safety activities and is complying with, and would continue to comply with, the seven criteria.

(1) Proposed Sec. 3.102(b)(1)--Required Certification Regarding Eight Patient Safety Activities

Proposed Sec. 3.102(b)(1) addresses the eight required patient safety activities that are listed in the definition of patient safety activities at proposed Sec. 3.20 (section 921(5) of the Public Health Service Act, 42 U.S.C. 299b-21(5)). Because certification relies primarily upon attestations by entities seeking listing, rather than submission and review of documentation, it is critical that entities seeking listing have a common and shared understanding of what each certification requirement entails. We conclude that five of the eight required patient safety activities need no elaboration. These five patient safety activities include: Efforts to improve patient safety and quality; the collection and analysis of patient safety work product; the development and dissemination of information with respect to improving patient safety; the utilization of patient safety work product for the purposes of encouraging a culture of safety and providing feedback and assistance; and the utilization of qualified staff.

We address a sixth patient safety activity, related to the operation of a patient safety evaluation system, in the discussion of the definition of that term in proposed Sec. 3.20. We provide greater clarity here regarding the actions that an entity must take to comply with the remaining two patient safety activities, which involve the preservation of confidentiality of patient safety work product and the provision of appropriate security measures for patient safety work product.

We interpret the certification to preserve confidentiality of patient safety work product to require conformance with the confidentiality provisions of proposed Subpart C as well as the requirements of the Patient Safety Act. Certification to provide appropriate security measures requires PSOs, their workforce members, and their [[Page 8128]] contractors when they hold patient safety work product to conform to the requirements of proposed Sec. 3.106, as well as the provisions of the Patient Safety Act.

(2) Proposed Sec. 3.102(b)(2)--Required Certification Regarding Seven PSO Criteria

Proposed Sec. 3.102(b)(2) lists seven criteria that are drawn from the Patient Safety Act (section 924(b) of the Public Health Service Act, 42 U.S.C. 299b-24(b)), which an entity must meet during its period of listing. We conclude that the statutory language for three of the seven required criteria is clear and further elaboration is not required. These three criteria include: The mission and primary activity of the entity is patient safety, the entity has appropriately qualified staff, and the entity utilizes patient safety work product for provision of direct feedback and assistance to providers to effectively minimize patient risk.

Two of the criteria are addressed elsewhere in the proposed rule: the exclusion of health insurance issuer or components of health insurance issuers from being PSOs is discussed above in the context of the definition of that term in proposed Sec. 3.20 and the requirements for submitting disclosure statements are addressed in the preamble discussion below regarding proposed Sec. 3.102(d)(2) (the proposed criteria against which the Secretary will review the disclosure statements are set forth in Sec. 3.104(c)). The remaining two PSO criteria--the minimum contract requirement and the collection of data in a standardized manner--are discussed here.

The Minimum Contracts Requirement. First, we propose to clarify the requirement in section 924(b)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(C) that a PSO must enter into bona fide contracts with more than one provider for the receipt and review of patient safety work product within every 24-month period after the PSO's initial date of listing.

We note that the statutory language establishes four conditions that must be met for a PSO to be in compliance with this requirement. We propose to interpret two of them for purposes of clarity in the final rule: (1) The PSO must have contracts with more than one provider, and (2) the contract period must be for ``a reasonable period of time.'' Most contracts will easily meet the third requirement: that contracts must be ``bona fide'' (our definition is in proposed Sec. 3.20). Finally, the fourth requirement, that contracts must involve the receipt and review of patient safety work product, does not require elaboration.

We propose that a PSO would meet the requirement for ``contracts with more than one provider'' if it enters a minimum of two contracts within each 24-month period that begins with its initial date of listing. We note that the statutory requirement in section 924(b)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(C), unambiguously requires multiple contracts (i.e., more than one). One contract with two or more providers would not fully meet the statute's requirement. To illustrate, one contract with a 50-hospital system would not meet the requirement; two 25-hospital contracts with that same hospital system would meet the requirement. We believe that the statutory requirement was intended to encourage PSOs to aggregate data from multiple providers, in order to expand the volume of their data, thereby improving the basis on which patterns of errors and the causes for those errors can be identified.
This statutory objective is worth noting as a goal for PSOs. A PSO can achieve this goal by aggregating data from multiple providers or by pooling or comparing data with other PSOs, subject to statutory, regulatory, and contractual limitations.

The statute requires that these contracts must be ``for a reasonable period of time.'' We propose to clarify in the final rule when a PSO would be in compliance with this statutory requirement. The approach could be time-based (e.g., a specific number of months), task-based (e.g., the contract duration is linked to completion of specific tasks but, under this option, the final rule would not set a specific time period), or provide both options. We seek comments on the operational implications of these alternative approaches and the specific standard(s) for each option that we should consider. By establishing standard(s) in the final rule, we intend to create certainty for contracting providers and PSOs as to whether the duration requirement has been met. We note that whatever requirement is incorporated in the final rule will apply only to the two required contracts. A PSO can enter other contracts, whether time-based or task-based, without regard to the standard(s) for the two required contracts.

Apart from the requirements outlined above, there are no limits on the types of contracts that a PSO can enter; its contracts can address all or just one of the required patient safety activities, assist providers in addressing all, or just a specialized range, of patient safety topics, or the PSO can specialize in assisting specific types of providers, specialty societies, or provider membership organizations. Because of the limits on the extraterritorial application of U.S.
law and the fact that privilege protections are limited to courts in the United States (Federal, State, etc.), the protections in the proposed rule apply only to protected data shared between PSOs and providers within the United States and its territories; there is only this one geographical limitation on a PSO's operations.

If they choose to do so, providers and PSOs may enter into contracts that specify stronger confidentiality protections than those specified in this proposed rule and the Patient Safety Act (section 922(g)(4) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(3)). For example, a provider could choose to de-identify or anonymize information it reports to a PSO.

We note that the Secretary proposes to exercise his authority to extend the definition of ``provider'' for the purposes of this statute to include a provider's ``parent organization'' (both terms are defined in proposed Sec. 3.20). This proposed addition is intended to provide an option for health systems (e.g., holding companies or a state system) to enter system-wide contracts with PSOs if they choose to do so. This option would not be available in the absence of this provision because the parent organizations of many health care systems are often corporate management entities or governmental entities that are not considered licensed or authorized health care providers under state law.

Collecting data in a standardized manner. Section 924(b)(1)(F) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(F), requires PSOs, to the extent practical and appropriate, to collect patient safety work product from providers in a standardized manner, to permit valid comparisons of similar cases among similar providers. One of the goals of the legislation is to facilitate a PSO aggregating sufficient data to identify and to address underlying causal factors of patient safety problems.
A PSO is more valuable if it is able to aggregate patient safety work product it receives directly from multiple providers, and if it chooses to do so, aggregate its data with patient safety work product received from other PSOs and/or share nonidentifiable patient safety work product with a network of patient safety databases described in section 923 of the Public Health Service Act, 42 U.S.C. 299b-23. We recognize that if patient safety work product is not collected initially using common data elements and consistent definitions, it may be difficult to aggregate such data subsequently in order to develop valid comparisons across providers and potentially, PSOs. We also recognize, however, that the providers who work with PSOs may have varying levels of sophistication with respect to patient safety issues and that reporting patient safety work product to a PSO in a standardized manner or using standardized reporting formats may not be initially practicable for certain providers or in certain circumstances. The discussion which follows outlines the timetable and the process to which we are committed.

The Secretary intends to provide ongoing guidance to PSOs on formats and definitions that would facilitate the ability of PSOs to aggregate patient safety work product. We expect to provide initial guidance beginning with the most common types of patient safety events, before the final rule is issued, to facilitate the ability of PSOs to develop valid comparisons among providers. The Department will make such formats and definitions available for public comment in a non-regulatory format via publication in the Federal Register.
We are considering, and we seek comment on, including a clarification in the final rule, that compliance with this certification requirement would mean that a PSO, to the extent practical and appropriate, will aggregate patient safety work product consistent with the Secretary's guidance regarding reporting formats and definitions when such guidance becomes available.

The process for developing and maintaining common formats. AHRQ has established a process to develop common formats that: (1) Is evidence-based; (2) harmonizes across governmental health agencies; (3) incorporates feedback from the public, professional associations/organizations, and users; and (4) permits timely updating of these clinically-sensitive formats.

In anticipation of the need for common formats, AHRQ began the process of developing them in 2005. That process consists of the following steps: (1) Develop an inventory of functioning patient safety reporting systems to inform the construction of the common formats (an evidence base). Included in this inventory, now numbering 64 systems, are the major Centers for Disease Control and Prevention (CDC) and Food and Drug Administration (FDA) reporting systems as well as many from the private sector. (2) Convene an interagency Patient Safety Work Group (PSWG) to develop draft formats. Included are major health agencies within the Department--CDC, Centers for Medicare and Medicaid Services, FDA, Health Resources and Services Administration, the Indian Health Service (IHS), the National Institutes of Health--as well as the Department of Defense (DoD) and the Veterans Administration (VA). (3) Pilot test draft formats--to be conducted in February-March of 2008 in DoD, IHS, and VA facilities. (4) Publish version 0.1 (beta) of the formats in the Federal Register, along with explanatory material, and solicit public comment--planned for July/August 2008.
(5) Let a task order contract (completed) with the National Quality Forum (NQF) to solicit input from the private sector regarding the formats. NQF's role will be periodically to solicit input from the private sector to assist the Department in updating its versions of the formats. NQF will begin with version 0.1 (beta) of the common formats and solicit public comments (including from providers, professional organizations, the general public, and PSOs), triage them in terms of immediacy of importance, set priorities, and convene expert panel(s) to offer advice on updates to the formats. This process will be a continuing one, guiding periodic updates of the common formats. (6) Accept input from the NQF, revise the formats in consultation with the PSWG, and publish subsequent versions in the Federal Register. Comments will be accepted at all times from public and governmental sources, as well as the NQF, and used in updating of the formats.

This process ensures intergovernmental consistency as well as input from the private sector, including, most importantly, those who may use the common formats. This latter group, the users, will be the most sensitive to and aware of needed updates/improvements to the formats. The PSWG, acting as the fulcrum for original development and continuing upgrading/maintenance, assures consistency of definitions/formats among government agencies. For instance, the current draft formats follow CDC definitions of healthcare associated infections and FDA definitions of adverse drug events. AHRQ has been careful to promote consensus among Departmental agencies on all draft common formats developed to date. The NQF is a respected private sector organization that is suited to solicit and analyze input from the private sector.

We welcome comments on our proposed approach to meeting statutory objectives.

(C) Proposed Sec. 3.102(c)--Additional Certifications Required of Component Organizations

Section 924(b)(2) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(2) and the proposed definition of component organization in proposed Sec. 3.20 require an entity that is a component of another organization or multi-organizational enterprise that seeks initial or continued listing to certify that it will meet three requirements in addition to certifying that it will meet the 15 general requirements specified in proposed Sec. 3.102(b). We have indicated the types of entities that would be required to seek listing as a component organization in our discussion of the proposed definitions in proposed Sec. 3.20 of the terms ``component organization'' and ``parent organization.'' To be listed as a component PSO, an entity would also be required to make three additional certifications regarding the entity's independent operation and separateness from the larger organization or enterprise of which it is a part: the entity would certify to (1) the secure maintenance of documents and information separate from the rest of the organization(s) or enterprise of which it is a part; (2) the avoidance of unauthorized disclosures to the organization(s) or enterprise of which it is a part; and (3) the absence of a conflict between its mission and the rest of the organization(s) or enterprise of which it is a part. We propose in Sec. 3.102(c) specific requirements that will ensure that such component PSOs implement the type of safeguards for patient safety work product that the three additional statutory certification requirements for component organizations are intended to provide.

First, the statute requires a component PSO to maintain patient safety work product separate from the rest of the organization(s) or enterprise of which it is a part (section 924(b)(2)(A) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(2)(A)).
To ensure compliance with this statutory requirement, we considered, but did not include here, a proposal to prohibit a component PSO from contracting, subcontracting, or entering any agreement with any part of the organization(s) or enterprise of which it is a part for the performance of any work involving the use of patient safety work product. We seek comment on the limited exception proposed in Sec. 3.102(c) here that would permit such contracts or subcontracts only if they can be carried out in a manner that is consistent with the statutory requirements of this section. This means that, while a component PSO could enter such arrangements involving the use of patient safety work product with a unit of the organization(s) or enterprise of which it is a part, the component PSO would maintain the patient safety work product and be responsible for its security (i.e., control the access and use of it by the contracting unit). In addition, under our proposal, while allowing access to the contracting unit of the identifiable patient safety work product necessary to carry out the contractual assignment would be a permissible disclosure, the component PSO would remain responsible for ensuring that the contracting unit does not violate the prohibitions related to unauthorized disclosures required under 924(b)(2)(B) of the PHS Act, 42 U.S.C. 299b-24(b)(2)(B), (i.e., disclosures to other units of the organization or enterprise) and that there is no conflict between the mission of the component PSO and the contracting unit, as required under 924(b)(2)(C) of the PHS Act, 42 U.S.C. 299b-24(b)(2)(C). We invite comment on whether such a limited exception is necessary or appropriate and, if so, the appropriateness of the restrictions we have proposed.

Second, a component PSO would not be permitted to have a shared information system with the rest of the organization(s) since this might provide unauthorized access to patient safety work product. For example, we intend to prohibit a component PSO from storing any patient safety work product in information systems or databases to which the rest of the organization(s) or enterprise of which it is a part would have access or the ability to remove or transmit a copy. We preliminarily conclude that most security measures, such as password protection of the component PSO's information, are too easily circumvented.

Third, the proposed rule provides that the workforce of the component PSO must not engage in work for the rest of the organization(s) if such work could be informed or influenced by the individual's knowledge of identifiable patient safety work product. For example, a component PSO could share accounting or administrative support staff under our proposal because the work of these individuals for the rest of the organization(s) would not be informed or influenced by their knowledge of patient safety work product. By contrast, if the rest of the organization provides health care services, a physician who served on a parent organization's credentialing, hiring, or disciplinary committee(s) could not also work for the PSO. Knowledge of confidential patient safety work product could influence his or her decisions regarding credentialing, hiring, or disciplining of providers who are identifiable in the patient safety work product.

We provide one exception to the last prohibition. It is not our intent to prohibit a clinician, whose work for the rest of the organization is solely the provision of patient care, from undertaking work for the component PSO.
We see no conflict if the patient care provided by the clinician is informed by the clinical insights that result from his or her work for the component PSO. If a clinician has duties beyond patient care, this exception only applies if the other duties do not violate the general prohibition (i.e., that the other duties for the rest of the organization(s) cannot be informed by knowledge of patient safety work product).

As part of the requirement that the PSO must certify that there is no conflict between its mission and the rest of the organization(s), we propose that the certification form will require the PSO to provide the name(s) of the organization(s) or enterprise of which it is a part (see the discussions of our definitions of parent and component organizations in proposed Sec. 3.20).

We have not proposed specific standards to determine whether conflicts exist between a PSO and other components of the organization or enterprise of which it is a part. We recognize that some industries and particular professions, such as the legal profession through state-based codes of professional responsibility, have specific standards or tests for determining whether a conflict exists. We request comments on whether the final rule should include any specific standards, and, if so, what criteria should be put in place to determine whether a conflict exists.

(D) Proposed Sec. 3.102(d)--Required Notifications

Proposed Sec. 3.102(d) establishes in regulation two required notifications that implement two statutory provisions: a notification to the Secretary certifying whether the PSO has met the biennial requirement for bona fide contracts with more than one provider (section 924(b)(1)(C) of the Public Health Service Act, 42 U.S.C.
299b-24(b)(1)(C)); and the submission of a disclosure statement to the Secretary whenever a PSO has established specific types of relationships (discussed below) with a contracting provider, in particular where a PSO is not managed or controlled independently from, or if it does not operate independently from, a contracting provider (section 924(b)(1)(E) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(E)).

(1) Proposed Sec. 3.102(d)(1)--Notification Regarding PSO Compliance With the Minimum Contract Requirement

Proposed Sec. 3.102(d)(1) requires a PSO to notify the Secretary whether it has entered at least two bona fide contracts that meet the requirements of proposed Sec. 3.102(b)(2). The notification requirement implements the statutory requirement in section 924(b)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(C), that a PSO must have contracts with more than one provider. Notification to the Secretary will be by attestation on a certification form developed pursuant to proposed Sec. 3.112. Prompt notification of the Secretary that a PSO has entered two or more contracts will result in earlier publication of that information by the Secretary and this may be to the PSO's benefit.

We propose that the Secretary receive initial notification from a PSO no later than 45 calendar days before the last day of the period that is 24 months after the date of its initial listing and 45 calendar days prior to the last day of every 24-month period thereafter. While each PSO will have the full statutory period of 24 months to comply with this requirement, we propose an earlier date for notification of the Secretary to harmonize this notification requirement with the requirement, established by section 924(e) of the Public Health Service Act, 42 U.S.C. 299b-24(e), that the Secretary provide each PSO with a period of time to correct a deficiency.
If the Secretary were to provide a period for correction that begins after the 24-month period has ended, the result would be that some PSOs would be granted compliance periods that extend beyond the unambiguous statutory deadline for compliance. To avoid this unfair result, we propose that a PSO certify to the Secretary whether it has complied with this requirement 45 calendar days in advance of the final day of its applicable 24-month period.

If a PSO notifies the Secretary that it cannot certify compliance or fails to submit the required notification, the Secretary, pursuant to proposed Sec. 3.108(a)(2), will then issue a preliminary finding of deficiency and provide a period for correction that extends until midnight of the last day of the applicable 24-month assessment period for the PSO. In this way, the requirement for an opportunity for correction can be met without granting any PSO a period for compliance that exceeds the statutory limit. We invite comments on alternative approaches to harmonize these two potentially conflicting requirements.

We note that contracts that are entered into after midnight on the last day of the applicable 24-month period do not count toward meeting the two-contract requirement for that 24-month assessment period. If a PSO does not meet the requirement by midnight of the last day of the applicable 24-month assessment period, the Secretary will issue a notice of revocation and delisting pursuant to proposed Sec. 3.108(a)(3).

(2) Proposed Sec. 3.102(d)(2)--Notification Regarding PSO's Relationships With Its Contracting Providers

Proposed Sec. 3.102(d)(2) establishes the circumstances under which a PSO must submit a disclosure statement to the Secretary regarding its relationship(s) with any contracting provider(s) and the deadline for such required submissions.

The purpose of this disclosure requirement is illuminated by the statutory obligation of the Secretary, set forth in section 924(c)(3) of the Public Health Service Act, 42 U.S.C. 299b-24(c)(3), to review the disclosure statements and make public findings ``whether the entity can fairly and accurately perform the patient safety activities of a patient safety organization.'' To provide the Secretary with the information necessary to make such a judgment, section 924(b)(1)(E) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(E), requires a PSO to fully disclose information to the Secretary if the PSO has certain types of relationships with a contracting provider and, if applicable, whether the PSO is not independently managed or controlled, or if it does not operate independently from, the contracting provider.

The statutory requirement for a PSO to submit a disclosure statement applies only when a PSO has entered into a contract with a provider; if there is no contractual relationship between the PSO and a provider pursuant to the Patient Safety Act, a disclosure statement is not required. Even when a PSO has entered a contract with a provider, we propose that a PSO would need to file a disclosure statement regarding a contracting provider only when the circumstances, specified in section 924(c)(3) of the Public Health Service Act, 42 U.S.C. 299b-24(c)(3), and discussed here, are present.

A PSO is first required to assess whether a disclosure statement must be submitted to the Secretary when the PSO enters a contract with a provider, but we note that the disclosure requirement remains in effect during the entire contract period. Even when a disclosure statement is not required at the outset of the contract period, if the circumstances discussed here arise, a disclosure statement must be submitted at that time to the Secretary for review.

With respect to a provider with which it has entered a contract, a PSO is required to submit a disclosure statement to the Secretary only if either or both of the following circumstances are present. First, a disclosure statement must be filed if the PSO has any financial, reporting, or contractual relationships with a contracting provider (other than the contract entered into pursuant to the Patient Safety Act). Second, taking into account all relationships that the PSO has with that contracting provider, a PSO must file a disclosure statement if it is not independently managed or controlled, or if it does not operate independently from, the contracting provider.

With respect to financial, reporting or contractual relationships, the proposed rule states that contractual relationships that must be disclosed are not limited to formal contracts but encompass any oral or written arrangement that imposes responsibilities on the PSO. For example, the provider may already have a contract or other arrangement with the PSO for assistance in implementation of proven patient safety interventions and is now seeking additional help from the PSO for the review of patient safety work product. A financial relationship involves almost any direct or indirect ownership or investment relationship between the PSO and the contracting provider, shared or common financial interests, or direct or indirect compensation arrangement, whether in cash or in-kind. A reporting relationship includes a relationship that gives the provider access to information that the PSO holds that is not available to other contracting providers or control, directly or indirectly, over the work of the PSO that is not available to other contracting providers. If any such relationships are present, the PSO must file a disclosure statement and describe fully all of these relationships.

The other circumstance that triggers the requirement to disclose information to the Secretary is the provision of the Patient Safety Act that requires the entity to fully disclose ``if applicable, the fact that the entity is not managed, controlled, and operated independently from any provider that contracts with the entity.'' See section 924(b)(1)(E) of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(E). We propose to interpret this provision as noted above because we believe that the adverb ``independently'' modifies all three verbs--that is, that the entity is required to disclose when it is not managed independently from, is not controlled independently from, or is not operated independently from, any provider that contracts with the entity.

Disclosure would be required, for example, if the contracting provider created the PSO and exercises a degree of management or control over the PSO, such as overseeing the establishment of its budget or fees, hiring decisions, or staff assignments. Another example of such a relationship that would require disclosure would be the existence of any form of inter-locking governance structure. We recognize that contracts, by their very nature, will enable a contracting provider to specify tasks that the PSO undertakes or to direct the PSO to review specific cases and not others. These types of requirements reflect the nature of any contractual relationship and do not trigger a requirement to file such a disclosure statement. The focus of this provision as indicated in section 924(c)(3) of the Public Health Service Act, 42 U.S.C. 299b-24(c)(3), and here is on the exercise of the type of control that could compromise the ability of the PSO to fairly and accurately carry out patient safety activities.
If the contracting provider exercises this type of influence over the PSO, the PSO must file a disclosure statement and fully disclose the nature of the influence exercised by the contracting provider.

To meet the statutory requirement for full disclosure, a PSO's submission should attempt to put the significance of the financial, reporting, or contractual relationship in perspective (e.g., relative to other sources of PSO revenue or other types of contractual or reporting relationships). We would also encourage PSOs to list any agreements, stipulations, or procedural safeguards that might offset the influence of the provider and that might protect the ability of the PSO to operate independently. By doing so, a PSO can ensure that its disclosure statements present a full and, if applicable, balanced picture of the relationships and degree of independence that exist between the PSO and its contracting provider(s).

We propose to require that, whenever a PSO determines that it must file a statement based upon these requirements, the Secretary must receive the disclosure statement within 45 calendar days. The PSO must make an initial determination on the date on which a contract is entered. If the PSO determines that it must file a disclosure statement, the Secretary must receive the disclosure statement no later than 45 days after the date on which the contract was entered. During the contract period, the Secretary must receive a disclosure statement within 45 calendar days of the date on which either or both of the circumstances described above arise. If the Secretary determines, after the applicable 45-day period, that a required disclosure statement was not received from a PSO, the Secretary may issue to the PSO a notice of a preliminary finding of deficiency, the first step in the revocation process established by proposed Sec. 3.108.

2. Proposed Sec. 3.104--Secretarial Actions

Proposed Sec. 3.104 describes the actions that the Secretary may and will take regarding certification submissions for listing or continued listing, the required notification certifying that the PSO has entered the required minimum of two contracts, and disclosure statements, including the criteria that the Secretary will use in reviewing such statements and the determinations the Secretary may make. This proposed section also outlines the types of information that the Secretary will make public regarding PSOs, specifies how, and for what period of time, the Secretary will list a PSO whose certification he has accepted and establishes an effective date for Secretarial actions under this proposed subpart. See section 924(c) of the Public Health Service Act, 42 U.S.C. 299b-24(c).

(A) Proposed Sec. 3.104(a)--Actions in Response to Certification Submissions for Initial and Continued Listing as a PSO

Proposed Sec. 3.104(a) describes the actions that the Secretary may and will take in response to certification for initial or continued listing as a PSO (section 924(c)(1)-(2) of the Public Health Service Act, 42 U.S.C. 299b-24(c)(1)-(2)), submitted to the Secretary pursuant to the requirements of proposed Sec. 3.102. The decision on whether and how to list an entity as a PSO will be based upon a determination of whether the entity meets the applicable requirements of the Patient Safety Act and this proposed part. In most cases, it is anticipated that the Secretary will either accept the submission and list the entity or deny the listing on this basis.

In determining whether to list an entity as a PSO, the proposed rule requires the Secretary to consider the submitted certification and any relevant history, such as prior actions the Secretary has taken regarding the entity or PSO including delisting, any history of or current non-compliance by the entity or PSO with statutory or regulatory requirements or requests by the Secretary, relationships of the entity or PSO with providers and any findings by the Secretary in accordance with proposed Sec. 3.104(c). Initially, the Secretary will rely solely on the submitted certification; entities seeking listing will not have any applicable history of the type specified for the Secretary to consider. Even over time, we anticipate that the Secretary would normally rely upon the submitted certification in making a listing determination.

There may be occasions in future years when the Secretary may need to take into account the history of an entity or PSO in making a determination for initial or continued listing. Examples of such situations might include: A PSO seeking continued listing that has a history of deficiencies; an entity seeking initial listing may be a renamed former PSO whose certifications had been revoked for cause by the Secretary; or the leadership of an entity seeking listing may have played a leadership role in a former PSO that failed to meet its obligations to providers during voluntary relinquishment (see proposed Sec. 3.108(c)). In such circumstances, it may not be prudent for the Secretary to rely solely upon the certification submitted by the entity or PSO and this proposed subsection would enable the Secretary to seek additional information or assurances before reaching a determination on whether to list an entity.
To ensure that the Secretary is aware of any relevant history before making a listing determination, without imposing additional burden on most entities seeking listing, we propose to include an attestation on the certification form that would require acknowledgement if the entity (under its current name or another) or any member of its workforce has been party to a delisting determination by the Secretary. We welcome comment on this proposal, or alternative approaches, for ensuring that the Secretary can carry out the requirements of this proposed section.

The Secretary also has the authority, under certain circumstances, to condition the listing of a PSO under section 924(c)(3) of the Public Health Service Act, 42 U.S.C. 299b-24(c)(3). The Secretary may establish conditions on the listing of a PSO following a determination, pursuant to proposed Sec. 3.104(c), that such conditions are necessary to ensure that the PSO can fairly and accurately perform patient safety activities. A decision to impose such conditions will typically occur after the listing of a PSO, when the PSO submits a disclosure statement about its relationships with a contracting provider. It also could occur at the time of initial or continued listing based upon a Secretarial review of a disclosure statement submitted contemporaneously with the review of an entity's certification submission.

The Secretary expects to be able to conclude review of an application for initial or continued listing within 30 days of receipt unless additional information or assurances, as described above in the paragraph discussing the history of an entity or PSO, are required, or the application as initially submitted is incomplete. The Secretary will notify each entity that requests listing of the action taken on its certification submission for initial or continued listing.
The Secretary will provide reasons when an entity's certification is not accepted and, if the listing is conditioned based upon a determination made pursuant to proposed Sec. 3.104(c), the reasons for imposing conditions.

(B) Proposed Sec. 3.104(b)--Actions Regarding PSO Compliance With the Minimum Contract Requirement

Proposed Sec. 3.104(b) sets forth the required Secretarial action regarding PSO compliance with the requirement of the proposed rule for a minimum of two bona fide contracts. If a PSO attests, in the notification required by proposed Sec. 3.102(d)(1), that it has met the requirement, the Secretary will acknowledge in writing receipt of the attestation and include information on the list established pursuant to proposed Sec. 3.104(d) that the PSO has certified that it has met the requirement. If the PSO notifies the Secretary that it has not yet met the requirement, or if notification is not received from the PSO by the date required under proposed Sec. 3.102(d)(1), the Secretary, pursuant to proposed Sec. 3.108(a)(2), will issue a notice of a preliminary finding of deficiency to the PSO and provide an opportunity for correction that will extend no later than midnight of the last day of its applicable 24-month assessment period. Under this authority, the Secretary will require notification of correction and compliance from a PSO by midnight of the final day of the applicable 24-month period. If the deficiency has not been corrected by that date, the Secretary will issue promptly a notice of proposed revocation and delisting pursuant to the requirements of proposed Sec. 3.108(a)(3).

[[Page 8133]]

(C) Proposed Sec. 3.104(c)--Actions Regarding Required Disclosures by PSOs of Relationships With Contracting Providers.

Proposed Sec. 3.104(c) establishes criteria that the Secretary will use to evaluate a disclosure statement submitted pursuant to proposed Sec. 3.102(d)(2), specifies the determinations the Secretary may make based upon evaluation of any disclosure statement, and proposes public release, consistent with the Freedom of Information Act, of disclosure statements submitted by PSOs as well as the Secretary's findings (see section 924(c)(3) of the Public Health Service Act, 42 U.S.C. 299b-24(c)(3)).

In reviewing disclosure statements and making public findings, we propose that the Secretary consider the nature, significance, and duration of the relationship between the PSO and the contracting provider. We seek input on other appropriate factors to consider.

Following review of the disclosure statement, the Secretary will make public findings regarding the ability of the PSO to carry out fairly and accurately defined patient safety activities as required by the Patient Safety Act. The Secretary may conclude that the disclosures require no action on his part or, depending on whether the entity is listed or seeking listing, may condition his listing of the PSO, exercise his authority under proposed Sec. 3.104(a) to refuse to list, or exercise his authority under proposed Sec. 3.108 to revoke the listing of the entity. The Secretary will notify each entity of his findings and decision regarding each disclosure statement.

This subsection proposes to make this process transparent, recognizing that providers seeking to contract with a PSO may want to make their own judgments regarding the appropriateness of the disclosed relationships. Therefore, with the exception of information, such as information that would be exempt from disclosure under the Freedom of Information Act, we propose to make public each disclosure statement received from a PSO by including it on the list of PSOs maintained pursuant to proposed Sec. 3.104(d) and we may post such statements on the PSO Web site we plan to establish.
Public release of PSO disclosure statements would be in addition to the statutory requirement in section 924(c)(3) of the Public Health Service Act, 42 U.S.C. 299b-24(c)(3), that the Secretary's findings regarding disclosure statements must be made public. Greater transparency is intended to promote more informed decision making by providers, who are the primary customers for PSO services.

(D) Proposed Sec. 3.104(d)--Maintaining a List of PSOs

Proposed Sec. 3.104(d) implements the statutory requirement in section 924(d) of the Public Health Service Act, 42 U.S.C. 299b-24(d), that the Secretary compile and maintain a list of those entities whose PSO certifications have been accepted in accordance with proposed Sec. 3.104(a) and which certifications have not been revoked or voluntarily relinquished in accordance with proposed Sec. 3.108(b) or (c). The list will include contact information for each PSO, the effective date and time of listing of the PSO, a copy of each certification form and disclosure statement that the Secretary receives from the entity, and information on whether the PSO has certified that it has met the two contract requirement in each 24-month assessment period. The list will also include a copy of the Secretary's findings regarding any disclosure statements filed by each PSO, including whether any conditions have been placed on the listing of the entity as a PSO, and other information that this proposed subpart authorizes the Secretary to make public. To facilitate the development of a marketplace for the services of PSOs, we plan to establish a PSO Web site (or a future technological equivalent) and expect to post the list of PSOs on the PSO Web site, reserving the right to exclude information contained in disclosure statements that would be exempt from disclosure under the Freedom of Information Act.
We seek comment on whether there are specific types of information that the Secretary should consider posting routinely on this Web site for the benefit of PSOs, providers, and other consumers of PSO services.

(E) Proposed Sec. 3.104(e)--Three-Year Period of Listing

Proposed Sec. 3.104(e) states that, when the Secretary has accepted certification submitted for initial or continued listing, the entity will be listed as a PSO for a period of three years (section 924(a)(2) of the Public Health Service Act, 42 U.S.C. 299b-24(a)(2)), unless the Secretary revokes the listing or the Secretary determines that the entity has voluntarily relinquished its status as a PSO (see proposed Sec. 3.108).

This subsection also provides that the Secretary will send a written notice of imminent expiration to a PSO no later than 45 calendar days before the date on which the PSO's three-year period of listing expires if the Secretary has not received a certification seeking continued listing. This notice is intended to ensure that a PSO does not let its listing lapse inadvertently. We expect that the Secretary will include in the notice a date by which the PSO should submit its certifications to ensure that the Secretary has sufficient time to act before the current period of listing expires.

We are considering including in the final rule, and seek comment on, a requirement that the Secretary include information on the public list of PSOs maintained pursuant to Sec. 3.104(d), that identifies the PSOs to which a notice of imminent expiration has been sent. The intent of such a requirement would be to ensure that a provider reporting data to such a PSO has adequate notice and time to ascertain, if it chooses to do so, whether that PSO intends to seek continued listing and, if not, to make alternative arrangements for reporting data to another PSO.

(F) Proposed Sec. 3.104(f)--Effective Date of Secretarial Actions

Proposed Sec. 3.104(f) states that, unless otherwise specified, the effective date of each action by the Secretary pursuant to this proposed subpart will be specified in the written notice that is sent to the entity. To ensure that an entity receives prompt notification, the Department anticipates sending such a notice by electronic mail or other electronic means in addition to a hard copy version. We are confident that any entity seeking listing as a PSO will have electronic mail capacity. For listing and delisting, the Secretary will specify both an effective time and date for such actions in the written notice. Our intent is to ensure clarity regarding when the entity can receive information that will be protected as patient safety work product.

3. Proposed Sec. 3.106--Security Requirements

Proposed Sec. 3.106 identifies the entities and individuals that are subject to the security requirements of this section and establishes the considerations that entities and individuals specified in subsection (a) should address to secure patient safety work product in their possession. This section provides a common framework for compliance with the requirement in section 921(5)(F) of the Public Health Service Act, 42 U.S.C. 299b-21(5)(F), that a PSO provide appropriate security measures with respect to patient safety work product. In light of the importance of data security to those who supply patient safety work product to any PSO, maintenance of data security will be a high and ongoing priority for PSOs.

[[Page 8134]]

(A) Proposed Sec. 3.106(a)--Application

Proposed Sec. 3.106(a) states that the security requirements in proposed Sec. 3.106(b) apply to each PSO, its workforce members, and its contractors when the contractors hold patient safety work product.
This proposed subsection applies the requirements at all times and at any location at which patient safety work product is held. We expect that it will be more efficient for most PSOs to contract for at least a portion of the expertise they need to carry out patient safety activities, including the evaluation of certain types of patient safety events. In such situations, when a PSO discloses patient safety work product to a contractor to assist the PSO in carrying out patient safety activities and the contractor maintains such patient safety work product at locations other than those controlled by the PSO, our intent is to ensure that these same security requirements apply. We recognize that some contractors that a PSO chooses to employ may not want to, or may not have the resources to, meet these requirements at other locations. In such circumstances, the contractors will need to perform their services at locations at which the PSO can ensure that these security requirements can be met.

We note that this regulation does not impose these requirements on providers, but agreements between PSOs and providers may by contract call for providers to adopt equivalent standards.

(B) Proposed Sec. 3.106(b)--Security Framework

Proposed Sec. 3.106(b) establishes a framework consisting of four categories for the security of patient safety work product that a PSO must consider, including security management, separation of systems, security control and monitoring, and security assessment.

This framework is consistent with the standards of the National Institute of Standards and Technology (NIST) that federal agencies must follow but this section does not impose on PSOs the specific NIST standards that Federal agencies must meet. We recognize that it is not likely that PSOs will have the scale of operation or the resources to comply with Federal data security standards.
Instead, we propose to require that each PSO must consider the four categories of the NIST framework set forth in this section by developing appropriate and scalable standards that are suitable for the size and complexity of its organization. We seek comment on the extent to which this proposal adequately and appropriately identifies the most significant security issues, with respect to patient safety work product that PSOs receive, develop, or maintain, and which PSOs should be expected to address with due diligence, and the extent to which our approach provides PSOs with sufficient flexibility to develop scalable standards.

(1) Proposed Sec. 3.106(b)(1)--Security Management

Proposed Sec. 3.106(b)(1) requires the PSO to approach its security requirements by: documenting its security requirements for patient safety work product; taking steps to ensure that its workforce and contractors as specified in proposed Sec. 3.106(a) understand their responsibilities regarding patient safety work product and the confidentiality requirements of the statute, including the potential imposition of civil money penalties for impermissible disclosures; and monitoring and improving the effectiveness of its security policies and procedures.

(2) Proposed Sec. 3.106(b)(2)--Separation of Systems

Under the statute, to preserve the confidentiality of patient safety work product, it is important to maintain a clear separation between patient safety work product and information that is not protected, and a clear separation between patient safety activities and other activities. As a result, we have incorporated requirements in proposed Sec. 3.106(b)(2) that PSOs must ensure such separation.
The specific requirements for which a PSO must develop appropriate standards include: maintaining functional and physical separation of patient safety work product from other systems of records; protection of patient safety work product while it is held by the PSO; appropriate disposal or sanitization of media that have contained patient safety work product; and preventing physical access to patient safety work product by unauthorized users or recipients.

(3) Proposed Sec. 3.106(b)(3)--Security Control and Monitoring

Proposed Sec. 3.106(b)(3) requires that policies and procedures adopted by a PSO related to security control and monitoring must enable the PSO to identify and authenticate users of patient safety work product and must create an audit capacity to detect unlawful, unauthorized, or inappropriate activities involving access to patient safety work product. To ensure accountability, controls should be designed to preclude unauthorized removal, transmission or disclosures of patient safety work product.

(4) Proposed Sec. 3.106(b)(4)--Security Assessment

Proposed Sec. 3.106(b)(4) requires a PSO to develop policies and procedures that permit it to assess periodically the effectiveness and weaknesses of its overall approach to security of patient safety work product. A PSO needs to determine the frequency of security assessments, determine when it needs to undertake a risk assessment exercise so that the leadership and the workforce of the PSO are aware of the risks to PSO assets from security lapses, and specify how it will assess and adjust its procedures to ensure the security of its communications involving patient safety work product to and from providers and other authorized parties. Such communications are potentially vulnerable weak points for any security system and require ongoing special attention by a PSO.

4. Proposed Sec. 3.108--Correction of Deficiencies, Revocation and Voluntary Relinquishment

Proposed Sec. 3.108 describes the process by which PSOs will be given an opportunity to correct deficiencies, the process for revocation of acceptance of the certification submitted by an entity for cause and its removal from the list of PSOs, and specifies the circumstances under which an entity will be considered to have voluntarily relinquished its status as a PSO.

This section would establish procedural opportunities for a PSO to respond during the process that might lead to revocation. When the Secretary identifies a possible deficiency, the PSO would be given an opportunity to correct the record if it can demonstrate that the information regarding a deficiency is erroneous, and if the existence of a deficiency is uncontested, an opportunity to correct it. The PSO is encouraged to alert the Department if it faces unanticipated challenges in correcting the deficiency; we propose that the Secretary will consider such information in determining whether the PSO has acted in good faith, whether the deadline for corrective action should be extended, or whether the required corrective action should be modified. If the Secretary determines that the PSO has not timely corrected the deficiency and issues a notice of proposed revocation and delisting, the PSO will be given an automatic right of appeal to present its case in writing.

If the Secretary makes a decision to revoke acceptance of the entity's certification and remove it from the list [[Page 8135]] of PSOs, this proposed section specifies the required actions that the Secretary and the entity must take following such a decision.
The proposed rule implements the statutory requirements for the establishment of a limited period during which providers can continue to report information to the former PSO and receive patient safety work product protections for these data, and establishes a framework for appropriate disposition of patient safety work product or data held by the former PSO. See section 924(e)-(g) of the Public Health Service Act, 42 U.S.C. 299b-24(e)-(g).

This section also describes two circumstances under which an entity will be considered to have voluntarily relinquished its status as a PSO: (1) Notification of the Secretary in writing by the PSO of its intent to relinquish its status voluntarily; and (2) if a PSO lets its period of listing expire without submission of a certification for continued listing that the Secretary has accepted. In both circumstances, we propose that such a PSO consult with the source of the patient safety work product in its possession to provide notice of its intention to cease operations and provide for appropriate disposition of such patient safety work product. When the Secretary removes a PSO from listing as a result of revocation for cause or voluntary relinquishment, the Secretary is required to provide public notice of the action.

We note that section 921 of the Public Health Service Act, 42 U.S.C. 299b-21, and, therefore, the proposed rule, defines a PSO as an entity that is listed by the Secretary pursuant to the requirements of the statute that are incorporated into this proposed rule. This means that an entity remains a PSO for its three-year period of listing unless the Secretary removes the entity from the list of PSOs because he revokes acceptance of its certification and listing for cause or because the entity voluntarily relinquishes its status as described below.
Accordingly, even when a deficiency is identified publicly or the proposed requirements of this section have been initiated, we stress that an entity remains a PSO until the date and time at which the Secretary's removal of the entity from listing is effective. Until then, data that is reported to a listed entity by providers shall be considered patient safety work product and the protections accorded patient safety work product continue to apply following the delisting of the PSO.

(A) Proposed Sec. 3.108(a)--Process for Correction of a Deficiency and Revocation

Proposed Sec. 3.108(a) describes the process by which the Secretary would provide an opportunity for a PSO to correct identified deficiencies and, if not timely corrected or if the deficiencies cannot be ``cured,'' the process that can lead to a determination by the Secretary to revoke acceptance of a PSO's certification. This section proposes a two-stage process. The first stage would provide an opportunity to correct a deficiency. Under the proposal, when the Secretary identifies a deficiency, the Secretary would send the PSO a notice of preliminary determination of a deficiency. The PSO would then have an opportunity to demonstrate that the information on which the notice was based is incorrect. The notice would include a timetable for correction of the deficiency and may specify the specific corrective action and the documentation that the Secretary would need to determine if the deficiency has been corrected. The PSO would be encouraged to provide information for the administrative record on unexpected challenges in correcting the deficiency, since the Secretary has great flexibility to work with a PSO to facilitate correction of deficiencies. We anticipate that most PSO deficiencies would be resolved at this stage.
Under the proposal, the second stage would occur when the Secretary would conclude that a PSO has not timely corrected a deficiency or has a pattern of non-compliance and issues the PSO a notice of proposed revocation and delisting. Rather than requiring a PSO to seek an opportunity to appeal, the proposed rule would provide an automatic period of 30 days for a PSO to be heard in writing by submitting a rebuttal to the findings in the Secretary's notice of revocation and delisting. The Secretary may then affirm, modify, or reverse the notice of revocation and delisting.

In light of the procedures in the proposed rule to ensure due process, we have not proposed to incorporate any further internal administrative appeal process beyond the Secretary's determination regarding a notice of proposed revocation and delisting pursuant to proposed Sec. 3.108(a)(5). We invite comments on our proposed approach.

(1) Proposed Sec. 3.108(a)(1)--Circumstances Leading to Revocation

Proposed Sec. 3.108(a)(1) lists four circumstances, each of which is statutorily based, that may lead the Secretary to revoke acceptance of a PSO's certification and delist the entity: the PSO is not meeting the obligations to which it certified its compliance as required by proposed Sec. 3.102; the PSO has not certified to the Secretary that it has entered the required minimum of two contracts within the applicable 24-month period pursuant to proposed Sec. 3.102(d)(1); the Secretary, after reviewing a PSO's disclosure statement submitted pursuant to proposed Sec. 3.102(d)(2), determines that the PSO cannot fairly and accurately perform its duties pursuant to proposed Sec. 3.104(c); or the PSO is not in compliance with any other provision of the Patient Safety Act or this proposed part. (See section 924(c) and (e) of the Public Health Service Act, 42 U.S.C. 299b-24(c) and (e).)

(2) Proposed Sec. 3.108(a)(2)--Notice of Preliminary Finding of Deficiency and Establishment of an Opportunity for Correction of a Deficiency

Under proposed Sec. 3.108(a)(2), when the Secretary has reason to believe that a PSO is not in compliance with the requirements of the statute and the final rule, the Secretary would send a written notice of a preliminary finding of deficiency to the PSO (see section 924(c) and (e) of the Public Health Service Act, 42 U.S.C. 299b-24(c) and (e)). The notice would specifically state the actions or inactions that describe the deficiency, outline the evidence that a deficiency exists, specify the possible and/or required corrective action(s) that must be taken, establish an opportunity for correction and a date by which the corrective action(s) must be completed, and, in certain circumstances, specify the documentation that the PSO would be required to submit to demonstrate that the deficiency has been corrected.

We propose that, absent other evidence of actual receipt, we would assume that the notice of a preliminary finding of deficiency has been received 5 calendar days after it was sent. Under the proposal, if a PSO submits evidence to the Secretary that demonstrates to the Secretary that the preliminary finding is factually incorrect within 14 calendar days following receipt of this notice, the preliminary finding of deficiency would be withdrawn; otherwise, it would be the basis for a finding of deficiency. We stress that this would not be an opportunity to file an appeal regarding the proposed corrective actions, the period allotted for correcting the deficiency, or the time to provide explanations regarding why a deficiency exists. This 14-day period would only ensure that the PSO has an opportunity, [[Page 8136]] if the information on which the notice is based is not accurate, to correct the record immediately.
For example, a notice of a preliminary finding of deficiency may be based on the fact that the Secretary has no record that the PSO has entered the required two contracts. In this case, if a PSO can attest that it submitted the certification as required or can attest that it has entered the required two contracts consistent with the requirements of proposed Sec. 3.102(d)(1), the Secretary would then withdraw the notice. If a notice of deficiency is based on the failure of the PSO to submit a required disclosure statement within 45 days, the PSO might submit evidence that the required statement had been sent as required. If the evidence is convincing, the Secretary would withdraw the notice of preliminary finding of deficiency. If the Secretary does not consider the evidence convincing, the Secretary would so notify the PSO and the notice would remain in effect. The PSO would then need to demonstrate that it has met the requirements of the notice regarding correction of the deficiency.

We anticipate that in the vast majority of circumstances in which the Secretary believes there is a deficiency, the deficiency can and will be corrected by the PSO. In those cases, as discussed above, the PSO will be given an opportunity to take the appropriate action to correct the deficiency, and avoid revocation and delisting. However, we can anticipate situations in which a PSO's conduct is so egregious that the Secretary's acceptance of the PSO's certification should be revoked without the opportunity to cure because there is no meaningful cure. An example would be where a PSO has a policy and practice of knowingly and inappropriately selling patient safety work product or where the PSO is repeatedly deficient and this conduct continues despite previous opportunities to cure. We are considering adding a provision whereby an opportunity to ``cure'' would not be available in this type of situation.
Providing the PSO with an opportunity for correction, as provided in the Patient Safety Act, would entail providing an opportunity to correct the preliminary factual findings of the Department. Thus, the PSO would have the chance to demonstrate that we have the facts wrong or there are relevant facts we are overlooking. We invite comments regarding this approach and how best to characterize the situations in which the opportunity to ``cure'' (e.g., to change policies, practices or procedures, sanction employees, send out correction notices) would not be sufficient, meaningful, or appropriate.

(3) Proposed Sec. 3.108(a)(3)--Determination of Correction of a Deficiency

Proposed Sec. 3.108(a)(3) addresses the determination of whether a deficiency has been corrected, including the time frame for submission of the required documentation that the deficiency has been corrected, and the actions the Secretary may take after review of the documentation and any site visit(s) the Secretary deems necessary or appropriate (see sections 924(c) and (e) of the Public Health Service Act, 42 U.S.C. 299b-24(c) and (e)).

Under the proposal, during the period of correction, we would encourage the PSO to keep the Department apprised in writing of its progress, especially with respect to any challenges it faces in implementing the required corrective actions. Such communications would become part of the administrative record. Until there is additional experience with the operational challenges that PSOs face in implementing specific types of corrective actions, such information, if submitted, would be especially helpful for ensuring that the time frames and the corrective actions specified by the Secretary are reasonable and appropriate. As noted below, such information would be considered by the Secretary in making a determination regarding a PSO's compliance with the correction of a deficiency.
Unless the Secretary specifies a different submission date, or approves such a request from the PSO, we propose that documentation submitted by the PSO to demonstrate correction of the deficiency must be received by the Secretary no later than 5 calendar days after the final day of the correction period.

Under the proposed rule, in making a determination, the Secretary would consider the documentation and other information submitted by the PSO, the findings of any site visit that might have been conducted, recommendations of program staff, and any other information available regarding the PSO that the Secretary deems appropriate. After completing his review, the Secretary may make one of the following determinations: (1) The action(s) taken by the PSO have corrected any deficiency, in which case the Secretary will withdraw the notice of deficiency and so notify the PSO; (2) the PSO has acted in good faith to correct the deficiency but an additional period of time is necessary to achieve full compliance and/or the required corrective action specified in the notice of a preliminary finding of deficiency needs to be modified in light of the actions undertaken by the PSO so far, in which case the Secretary will extend the period for correction and/or modify the specific corrective action required; or (3) the PSO has not completed the corrective action because it has not acted with reasonable diligence or timeliness to ensure that the corrective action was completed within the allotted time, in which case the Secretary will issue to the PSO a notice of proposed revocation and delisting.

When the Secretary issues a notice of proposed revocation and delisting, this notice would include those deficiencies that have not been timely corrected.
The notice would be accompanied by information concerning the manner in which the PSO may exercise its opportunity to be heard in writing to respond to the deficiency findings described in the notice.

(4) Proposed Sec. 3.108(a)(4)--Opportunity to be Heard in Writing Following a Notice of Proposed Revocation and Delisting

Proposed Sec. 3.108(a)(4) sets forth our approach to meeting the statutory requirement established in section 924(e) of the Public Health Service Act, 42 U.S.C. 299b-24(e), for a PSO to have an opportunity to dispute the findings of deficiency in a notice of proposed revocation and delisting.

Absent other evidence of actual receipt, we would assume that the notice of proposed revocation and delisting has been received by a PSO five calendar days after it was sent. Under the proposed rule, unless a PSO chooses to waive its right to contest a notice of proposed revocation and delisting and so notifies the Secretary, a PSO would not need to request an opportunity to appeal a notice of proposed revocation and delisting. A PSO would automatically have 30 calendar days, beginning the day the notice is deemed to be received, to exercise its opportunity to be heard in writing. The Secretary would consider, and include in the administrative record, any written information submitted by the PSO within this 30-day period that responds to the deficiency findings in the notice of proposed revocation and delisting. If a PSO does not take advantage of the opportunity to submit a substantive response in writing within 30 calendar days of receipt of the notice of proposed revocation and delisting, the notice would become final as a matter of law at midnight of the date specified by the Secretary in the notice.
The Secretary would provide the PSO with policies and rules of procedures that govern the form or transmission of the written response to the notice of proposed revocation and delisting.

We are considering incorporating in the final rule an exception to our proposed policy of automatically providing a PSO with a 30-day period in which to submit a written response to a notice of proposed revocation and delisting. The one exception we are considering relates to failure to meet the requirement for a minimum of two contracts. The statutory requirement is unambiguous that this requirement must be met within every 24-month period after the initial date of listing of the PSO. We propose elsewhere that a PSO submit its notification 45 calendar days early so that a period for correction can be established that concludes at midnight of the last day of the applicable 24-month period established by the statute for compliance. The Secretary would then need to receive notification from a PSO that this requirement has been met no later than midnight of that last day (see proposed Sec.  3.102(d)(1) and proposed Sec.  3.104(b)). Other than verifying that the PSO has not entered into and reported the required two bona fide contracts by midnight on the last day of the applicable 24-month period, we see no basis for a written rebuttal of such a deficiency determination. The language we are considering, therefore, would authorize the Secretary, when the basis for a notice of proposed revocation and delisting is the failure of a PSO to meet this very specific requirement, to proceed to revocation and delisting five calendar days after the notice of proposed revocation and delisting would be deemed to have been received.

(5) Proposed Sec.
3.108(a)(5)--The Secretary's Decision Regarding   Revocation      If a written response to the deficiency findings of a notice of   proposed revocation and delisting is submitted by a PSO, proposed Sec.    3.108(a)(5) provides that the Secretary will review the entire   administrative record pertaining to the notice of proposed revocation   and delisting and any written materials submitted by the PSO under   proposed Sec.  3.108(a)(4). The Secretary may affirm, reverse, or   modify the notice of proposed revocation and delisting. The Secretary   will notify the PSO in writing of his decision with respect to any   revocation of the acceptance of its certification and its continued   listing as a PSO. (See section 924(e) of the Public Health Service Act,   42 U.S.C. 299b-24(e).)  (B) Proposed Sec.  3.108(b)--Revocation of the Secretary's Acceptance   of a PSO's Certification      When the Secretary makes a determination to remove the listing of a   PSO for cause pursuant to proposed Sec.  3.108(a), proposed Sec.    3.108(b) specifies the actions that the Secretary and the entity must   take, and implements the protections that the statute affords to data   submitted to such an entity.  (1) Proposed Sec.  3.108(b)(1)--Establishing Revocation for Cause      Under our proposal, after following the requirements of proposed   Sec.  3.108(a), if the Secretary determines pursuant to paragraph   (a)(5) of this section that revocation of the acceptance of a PSO's   certification is warranted for failure to comply with the requirements   of the Patient Safety Act, or the regulations implementing the Patient   Safety Act, the Secretary would establish, and notify the PSO of, the   date and time at which the Secretary will revoke the acceptance of its   certification and remove the entity from the list of PSOs. The   Secretary may include information in the notice on the statutory   requirements, incorporated in proposed Sec.  3.108(b)(2) and Sec.    
3.108 (b)(4) and discussed below, that apply to the entity following   the Secretary's actions, and the Secretary would provide public notice   as required by proposed Sec.  3.108(d).  (2) Proposed Sec.  3.108(b)(2)--Required Notification of Providers and   Status of Data      Proposed Sec.  3.108(b)(2) incorporates in the proposed rule the   statutory requirements that are intended to ensure that providers   receive a reasonable amount of notice that the PSO with which they are   working is being removed from the list of PSOs (section 924(e)(2) of   the Public Health Service Act, 42 U.S.C. 299b-24(e)(2)) and to clarify   the status of data submitted by providers to a PSO whose listing has   been revoked (section 924(f) of the Public Health Service Act, 42   U.S.C. 299b-24(f)).      As required by the statute, within 15 calendar days of the date   established in the Secretary's notification of action under paragraph   (b)(1) of this section, the entity subject to proposed Sec.    3.108(b)(1) shall confirm to the Secretary that it has taken all   reasonable actions to notify each provider whose patient safety work   product has been collected or analyzed by the PSO that the entity has   been removed from the list of PSOs. We would recommend, but do not   propose to require, that PSOs make a priority of notifying providers   who report most frequently to the PSO, especially providers with   contracts with the PSO. These providers would need to close out any   current contract they have with the PSO, determine if they wish to   enter a contract with another PSO, and if so, they would need time to   identify another PSO and then negotiate another contract.      We also recognize that, even when this statutory notification   requirement is met, the notification period is short. 
While we do not   have the authority to require a PSO to undertake notification of   providers more quickly than the statute specifies, we invite comment on   whether there are any other steps the Secretary should take to ensure   that affected providers receive timely notice. We are considering   requiring notice by electronic or priority mail if no notice has been   given at the end of seven days.      Confidentiality and privilege protections that applied to patient   safety work product while the former PSO was listed continue to apply   after the entity is removed from listing. Furthermore, section   924(f)(1) of the Public Health Service Act, 42 U.S.C. 299b-24(f)(1)   provides that data submitted to an entity within 30 calendar days of   the date on which acceptance of its certification is revoked and it is   removed from the list of PSOs, shall have the same status as data   submitted while the entity was still listed. Thus, data that would   otherwise be patient safety work product had it been submitted while   the PSO was listed, will be protected as patient safety work product if   submitted during this 30-day period after delisting.      We stress that the statutory language in section 924(f)(1) of the   Public Health Service Act, 42 U.S.C. 299b-24(f)(1), pertains only to   data submitted to such an entity within 30 calendar days after such   revocation and removal. This provision does not enable an entity that   has been removed from listing to generate patient safety work product   on its own pursuant to section 921(7)(A)(i)(II) of the Public Health   Service Act, 42 U.S.C. 299b-21(7)(A)(i)(II); the entity loses that   authority on the effective date and time of the Secretary's action to   remove it from listing.  (3) Proposed Sec.  3.108(b)(3)--Disposition of Patient Safety Work   Product and Data      Proposed Sec.  
3.108(e) incorporates in the proposed rule statutory requirements regarding the disposition of patient safety work product or data following revocation and delisting of a PSO (section 924(g) of the Public Health Service Act, 42 U.S.C. 299b-24(g)). This proposed subsection would require that the former PSO provide for the disposition of patient safety work product or data in its possession in accordance with one or more of three alternatives described in section 924(g) of the Public Health Service Act, 42 U.S.C. 299b-24(g). The three alternatives include: transfer of the patient safety work product with the approval of the source from which it was received to a PSO which has agreed to accept it; return of the patient safety work product or data to the source from which it was received; or, if return is not practicable, destroy such work product or data.

The text of the proposed rule refers to the ``source'' of the patient safety work product or data that is held by the former PSO, which is a broader formulation than the statutory phrase ``received from another entity.'' While the statutory requirement encompasses PSOs as well as institutional providers, we tentatively conclude that the underlying intent of this statutory provision is to require the appropriate disposition of patient safety work product from all sources, not merely institutional sources. We note that the statute, and therefore the proposed rule, permits individual providers to report data to PSOs and individual providers are able to enter the same type of ongoing arrangements, or contractual arrangements, as institutional providers. Moreover, proposed Sec.  3.108(b)(2) would require PSOs to notify all providers (individual as well as institutional providers) from whom they receive data about the Secretary's revocation and delisting decision.
We preliminarily conclude, therefore, that it is   consistent with the statute that a former PSO consult with all sources   (individuals as well as entities) regarding the appropriate disposition   of the patient safety work product or data that they supplied.   Moreover, it is a good business practice. If workforce members of a   former PSO retain possession of any patient safety work product, they   would incur obligations and potential liability if it is impermissibly   disclosed. We welcome comments on our interpretation.      The statutory provision indicates that these requirements apply to   both patient safety work product or 'data' described in 924(f)(1) of   the Public Health Service Act, 42 U.S.C. 299b-24(f)(1). Subsection   (f)(1), entitled 'new data' and incorporated in proposed Sec.    3.108(b)(2), describes data submitted to an entity within 30 calendar   days after the entity is removed from listing as a PSO and provides   that this data ``shall have the same status as data submitted while the   entity was still listed.'' The proposed regulation mirrors this   formulation.      While the statute and this proposed rule would permit destruction   of patient safety work product, we would encourage entities that have   their listing as a PSO revoked to work with providers to ensure that   patient safety work product remains available for aggregation and   further analysis whenever possible, either by returning it to the   provider or, with concurrence of the provider, transferring it to a PSO   willing to accept it.      The statute does not establish a time frame for a PSO subject to   revocation and delisting to complete the disposition of the patient   safety work product or data in its possession. We invite comment on   whether we should include a date by which this requirement must be   completed (for example, a specific number of months after the date of   revocation and delisting).  (C) Proposed Sec.  
3.108(c)--Voluntary Relinquishment      The statute recognizes the right of an entity to relinquish   voluntarily its status as a PSO, in which case the Secretary will   remove the entity from the list of PSOs. See section 924(d) of the   Public Health Service Act, 42 U.S.C. 299b-24(d).      We stress that, if the Secretary determines that an entity has   relinquished voluntarily its status as a PSO and removes the entity   from listing, the confidentiality and privilege protections that   applied to patient safety work product while the former PSO was listed   continue to apply after the entity is removed from listing.  (1) Proposed Sec.  3.108(c)(1)--Circumstances Constituting Voluntary   Relinquishment      Proposed Sec.  3.108(c)(1) provides that an entity would be   considered to have relinquished voluntarily its status as a PSO under   two circumstances: when a PSO advises the Secretary in writing that it   no longer wishes to be a PSO, and when a PSO permits its three-year   period of listing to expire without timely submission of the required   certification to the Secretary for continued listing. To ensure that   such a lapse is not inadvertent, we provide in proposed Sec.    3.104(e)(2) that the Secretary would send a notice of imminent   expiration to any PSO from which the Secretary has not received a   certification for continued listing by the date that is 45 calendar   days before the expiration of its current period of listing. This   notice is intended to ensure that the PSO has sufficient time to submit   a certification for continued listing if it chooses to do so and that,   if a lapse occurs, it is not inadvertent.  (2) Proposed Sec.  3.108(c)(2)--Notification of Voluntary   Relinquishment      Proposed Sec.  
3.108(c)(2) would require an entity that seeks to   relinquish voluntarily its status as a PSO to include attestations in   its notice to the Secretary that it has made all reasonable efforts to   provide for the orderly termination of the PSO. First, the PSO must   attest that it has made--or will have made within 15 calendar days of   the date of this notification to the Secretary--all reasonable efforts   to notify organizations or individuals who have submitted data to the   PSO of its intent to cease operation and to alert providers that they   should cease reporting or submitting any further information as quickly   as possible.      We preliminarily conclude that, when a PSO voluntarily relinquishes   its status, data submitted by providers to the entity after the date on   which the Secretary removes it from listing is not patient safety work   product. The statutory provision, incorporated in the proposed rule at   Sec.  3.108(b)(2), that permits providers to submit data to an entity   for an additional 30 days after the date of its removal from listing   applies only to PSOs for which the Secretary has revoked acceptance of   its certification for cause. It does not apply to a PSO that   voluntarily relinquishes its status. We welcome comment on our   interpretation.      Second, the PSO would be required to attest that, in consultation   with the organizations or individuals who submitted the patient safety   work product in its possession, it has established--or will have made   all reasonable efforts within 15 calendar days of the date of this   notification to establish--a plan for the appropriate disposition of   such work product, consistent to the extent possible with the statutory   requirements incorporated in proposed Sec.  3.108(b)(3). Finally, the   individual submitting the notification of voluntary relinquishment   would provide appropriate contact information for further   communications that the Secretary deems necessary.      
We caution any PSO considering voluntary relinquishment that its status remains in effect until the Secretary removes the entity from listing. The PSO's responsibilities, including those related to the confidentiality and security of the patient safety work product or data in its possession, are not discharged by the decision of a PSO to cease operations. Accordingly, we urge PSOs that are experiencing financial distress or other circumstances that may lead to voluntary relinquishment, to contact AHRQ program staff as early as possible so that the PSO's obligations can be appropriately discharged.

(3) Proposed Sec.  3.108(c)(3)--Response to Notification of Voluntary Relinquishment

In response to the submission of a notification of voluntary relinquishment, proposed Sec.  3.108(c)(3) provides that the Secretary would respond in writing and indicate whether the proposed voluntary relinquishment is accepted. We anticipate that the Secretary would normally approve such requests but the text provides the Secretary with discretion to accept or reject such a request from a PSO that seeks voluntary relinquishment during or immediately after revocation proceedings. Our proposal is intended to recognize that, in certain circumstances, for example, when the deficiencies of the PSO are significant or reflect a pattern of non-compliance with the Patient Safety Act or the proposed rule, the Secretary may decide that giving precedence to the revocation process may be more appropriate.

(4) Proposed Sec.  3.108(c)(4)--Implied Voluntary Relinquishment

Proposed Sec.  3.108(c)(4) enables the Secretary to determine that implied voluntary relinquishment has taken place if a PSO permits its period of listing to expire without receipt and acceptance by the Secretary of a certification for continued listing.
In our view, the statute does not permit an entity to function as a PSO beyond its 3-year period of listing unless it has submitted, and the Secretary has accepted, a certification for a 3-year period of continued listing. To ensure that such a lapse is not inadvertent, we propose a requirement in Sec.  3.104(e)(2) that the Secretary would send a notice of imminent expiration to any PSO from which the Secretary has not received the required certification for continued listing by the date that is 45 calendar days prior to the last date of the PSO's current period of listing. Accordingly, we propose that the Secretary would determine that a PSO under these circumstances has relinquished voluntarily its status at midnight on the last day of its current period of listing, remove the entity from the list of PSOs at midnight on that day, make reasonable efforts to notify the entity in writing of the action taken, and promptly provide public notice in accordance with proposed Sec.  3.108(d).

Under the proposed rule, the notice of delisting would request that the entity make reasonable efforts to comply with the requirements of proposed Sec.  3.108(c)(2). Compliance with these requirements in this circumstance would mean that the former PSO would be required to notify individuals and organizations that routinely reported data to the entity during its period of listing that it has voluntarily relinquished its status as a PSO and that they should no longer report or submit data, and make reasonable efforts to provide for the disposition of patient safety work product or data in consultation with the sources from which such information was received in compliance with the statutory requirements incorporated in proposed Sec.  3.108(b)(3)(i)-(iii). The former PSO would also be expected to provide appropriate contact information for further communications from the Secretary.
We are aware that, if a PSO does not give appropriate notice to   providers from which it receives data, that it does not intend to seek   continued listing, this could jeopardize protections for data that   these providers continue to report. To address this issue, we are   seeking comment in proposed Sec.  3.104(e) on a proposal that would   ensure that providers have advance notice that a PSO is approaching the   end of its period of listing but has not yet sought continued listing.  (5) Proposed Sec.  3.108(c)(5)--Non-Applicability of Certain Procedures   and Requirements      Proposed Sec.  3.108(c)(5) provides that neither a decision by a   PSO to notify the Secretary that it wishes to relinquish voluntarily   its status as a PSO, nor a situation in which a PSO lets its period of   listing lapse, constitutes a deficiency as referenced in the discussion   regarding proposed Sec.  3.108(a). As a result, neither the procedures   and requirements that apply to the Secretary or a PSO subject to the   revocation process outlined in that proposed subsection, nor the   requirements that apply to the Secretary or a PSO following action by   the Secretary pursuant to proposed Sec.  3.108(b)(1), would apply in   cases of voluntary relinquishment. Adoption of this proposal would mean   that a PSO has no basis for appealing decisions of the Secretary in   response to a request for voluntary relinquishment or challenging its   removal from listing if its period of listing lapses and the Secretary   determines that implied voluntary relinquishment has occurred. We   specifically welcome comment on this proposal.  (D) Proposed Sec.  3.108(d)--Public Notice of Delisting Regarding   Removal From Listing      Proposed Sec.  
3.108(d) incorporates in the proposed rule the   statutory requirement that the Secretary must publish a notice in the   Federal Register regarding the revocation of acceptance of   certification of a PSO and its removal from listing pursuant to   proposed Sec.  3.108(b)(1) (see section 924(e)(3) of the Public Health   Service Act, 42 U.S.C. 299b-24(e)(3)). This proposal also would require   the Secretary to publish such a notice if delisting results from a   determination of voluntary relinquishment pursuant to proposed Sec.    3.108(c)(3) or (c)(4). The Secretary would specify the effective date   and time of the actions in these notices.  5. Proposed Sec.  3.110--Assessment of PSO Compliance      Proposed Sec.  3.110 provides that the Secretary may request   information or conduct spot-checks (reviews or site visits to PSOs that   may be unannounced) to assess or verify PSO compliance with the   requirements of the statute and this proposed subpart. We anticipate   that such spot checks will involve no more than 5-10% of PSOs in any   year. The legislative history of patient safety legislation in the   108th and 109th Congress suggests that the Senate Health, Education,   Labor and Pensions (HELP) Committee assumed that the Secretary had the   inherent authority to undertake inspections as necessary to ensure that   PSOs were meeting their obligations under the statute. In fact, in   reporting legislation in 2004, the Senate HELP Committee justified its   proposal for an expedited process for listing PSOs--that is   substantially the same as the one incorporated in the Patient Safety   Act that was enacted in 2005 and is incorporated in this proposed   rule--on the basis that the Secretary could and would be able to   conduct such inspections.      
The ability of the Secretary to ``examine any organization at any time to see whether it in fact is performing those required activities'' the Senate HELP Committee wrote, enables the Committee to ``strike the right balance'' in adopting an expedited process for the listing of PSOs by the Secretary (Senate Report 108-196). Accordingly, we tentatively conclude that this proposed authority for undertaking inspections on a spot-check basis is consistent with Congressional intent and the overall approach of the proposed rule of using regulatory authority sparingly.

While patient safety work product would not be a focus of inspections conducted under this proposed authority, we recognize that it may not be possible to assess a PSO's compliance with required patient safety activities without access to all of a PSO's records, including some patient safety work product. This proposed section references the broader authority of the Department to access patient safety work product as part of its proposed implementation and enforcement of the Patient Safety Act.

We also note that the inspection authority of this proposed subpart is limited to PSOs and does not extend to providers.

6. Proposed Sec.  3.112--Submissions and Forms

Paragraphs (a) and (b) of proposed Sec.  3.112 explain how to obtain forms and how to submit applications and other information under the proposed regulations. Also, to help ensure the timely resolution of incomplete submissions, proposed paragraph (c) of this section would provide for requests for additional information if a submission is incomplete or additional information is needed to enable the Secretary to make a determination on the submission.

C.
Subpart C--Confidentiality and Privilege Protections of Patient   Safety Work Product        Proposed Subpart C would establish the general confidentiality   protections for patient safety work product, the permitted disclosures,   and the conditions under which the specific protections no longer   apply. The proposed Subpart also establishes the conditions under which   a provider, PSO, or responsible person must disclose patient safety   work product to the Secretary in the course of compliance activities,   and what the Secretary may do with such information. Finally, proposed   Subpart C establishes the standards for nonidentifiable patient safety   work product.      The privilege and confidentiality protections set forth in this   proposed Subpart apply to the PSO framework established by the Patient   Safety Act and this proposed Part, which will involve providers, PSOs,   and responsible persons who possess patient safety work product. The   Patient Safety Act and this proposed Subpart seek to balance key   objectives. First, it seeks to address provider concerns about the   potential for damage from unauthorized release of such information,   including the potential for the information to serve as a roadmap for   provider liability from negative patient outcomes. Second, it seeks to   promote the sharing of information about adverse patient safety events   among providers and PSOs for the purpose of learning from those events   to improve patient safety and creating a culture of safety. To address   these objectives, the Patient Safety Act established that patient   safety work product would be confidential and privileged, with certain   exceptions. Thus, the Patient Safety Act allows sharing of patient   safety work product for certain purposes, including for patient safety   activities, but simultaneously attaches strict confidentiality and   privilege protections for that patient safety work product. 
To further   strengthen the confidentiality protections, the Patient Safety Act   imposes significant monetary penalties for violation of the   confidentiality provisions, as set forth in proposed Subpart D.      Moreover, patient safety work product that is disclosed generally   continues to be privileged and confidential, that is, it may only be   permissibly disclosed by the receiving entity or person for a purpose   permitted by the Patient Safety Act and this proposed Subpart. The only   way that patient safety work product is no longer confidential is if   the patient safety work product disclosed is nonidentifiable or when an   exception to continued confidentiality exists. See section 922(d)(2)(B)   of the Public Health Service Act, 42 U.S.C. 299b-22(d)(2)(B). A person   disclosing such work product outside of these statutory permissions in   violation of the Patient Safety Act and this proposed Subpart may be   subject to civil money penalties.      Proposed Sec.  3.204, among other provisions, provides that patient   safety work product is privileged and generally shall not be admitted   as evidence in Federal, State, local, or Tribal civil, criminal or   administrative proceedings and shall not be subject to a subpoena or   order, unless an exception to the privilege applies; the exceptions are   discussed in proposed Sec.  3.204(b). Proposed Sec.  3.206 provides   that patient safety work product is confidential and shall not be   disclosed except as permitted in accordance with the disclosures   described in proposed Sec. Sec.  3.206(b)-(e), 3.208 and 3.210. Under   proposed Sec.  3.208, patient safety work product continues to be   privileged and confidential after disclosure with certain exceptions.   Under proposed Sec.  
3.210, providers, PSOs, and responsible persons   must disclose to the Secretary such patient safety work product as   required by the Secretary for the purposes of investigating or   determining compliance with this proposed Part, enforcing the   confidentiality provisions, or making determinations on certifying and   listing PSOs. Proposed Sec.  3.210 also provides for disclosure to the   Secretary. Proposed Sec.  3.212 describes the standard for determining   that patient safety work product is nonidentifiable.      Throughout the proposed rule, the term patient safety work product   means both identifiable patient safety work product and nonidentifiable   patient safety work product, unless otherwise specified. In addition,   if a disclosure is made by or to a workforce member of an entity, it   will be considered a disclosure by or to the entity itself.      Finally, throughout our discussion we note the relationship between   the Patient Safety Act and the HIPAA Privacy Rule. Several provisions   of the Patient Safety Act recognize that the patient safety regulatory   scheme will exist alongside other requirements for the use and   disclosure of protected health information under the HIPAA Privacy   Rule. For example, the Patient Safety Act establishes that PSOs will be   business associates of providers, incorporates individually   identifiable health information under the HIPAA Privacy Rule as an   element of identifiable patient safety work product, and adopts a rule   of construction that states the intention not to alter or affect any   HIPAA Privacy Rule implementation provision (see section 922(g)(3) of   the Public Health Service Act, 42 U.S.C. 299b-22(g)(3)). We anticipate   that most providers reporting to PSOs will be HIPAA covered entities   under the HIPAA Privacy Rule, and as such, will be required to   recognize when requirements of the HIPAA Privacy Rule apply. 
Because this proposed rule focuses on disclosures of identifiable patient safety work product which may include protected health information, we discuss where appropriate the overlaps between the proposed Patient Safety Act permitted disclosures and the existing HIPAA Privacy Rule use and disclosure permissions.

1. Proposed Sec.  3.204--Privilege of Patient Safety Work Product

Proposed Sec.  3.204 describes the privilege protections of patient safety work product and when the privilege protections do not apply. The Patient Safety Act does not give authority to the Secretary to enforce breaches of privilege protections. Rather, we anticipate that the tribunals, agencies or professional disciplinary bodies before whom these proceedings take place will adjudicate the application of privilege as set forth in section 922(a)(1)-(5) of the Public Health Service Act, 42 U.S.C. 299b-22(a)(1)-(5). Even though the privilege protections will be enforced through the court systems, and not by the Secretary, we repeat the statutory privilege provisions and exceptions for convenience. We note, however, that the same exceptions are repeated in the confidentiality context, which the Secretary does enforce; so these are repeated at proposed Sec.  3.206 and such impermissible disclosure may be penalized under proposed Subpart D.

To determine the permissible scope of disclosures under the Patient Safety Act, it is important to understand the application of the privilege protection and its exceptions described in conjunction with the related proposed confidentiality disclosures. The admission of patient safety work product as evidence in a proceeding or through a subpoena, court order or any other exception to privilege, whether permissibly or not, amounts to a disclosure of that patient safety work product to all parties receiving or with access to the patient safety work product admitted.
Thus, we use the term disclosure to describe the   transfer of patient safety work product pursuant to an exception to   privilege, as well as to an exception to confidentiality. In addition,   although the Secretary does not have authority to impose civil money   penalties for violations of the privilege protection, a violation of   privilege may also be a violation of the confidentiality provisions.   For these reasons, we include the privilege language in the proposed   implementing regulations.      Finally, as discussed in proposed Sec.  3.204(c), we include a   regulatory exception to privilege for disclosures to the Secretary for   the purpose of enforcing the confidentiality provisions and for making   or supporting PSO certification or listing decisions.  (A) Proposed Sec.  3.204(a)--Privilege      Proposed Sec.  3.204(a) would repeat the statutory language at   section 922(a) of the Public Health Service Act, 42 U.S.C. 299b-22(a),   establishing the general principle that patient safety work product is   privileged and is not subject to Federal, State or local civil,   criminal or administrative proceedings or orders; is not subject to   disclosure under the Freedom of Information Act or similar Federal,   State or local laws; and may not be admitted into evidence in any   Federal, State or local civil, criminal or administrative proceeding or   the proceedings of a disciplinary body established or specifically   authorized under State law. In addition, we have clarified that patient   safety work product shall be privileged and not subject to use in   Tribal courts or administrative proceedings. Because the Patient Safety   Act is a statute of general applicability, it applies to Indian Tribes.   In addition, the application of the Federal privilege to Tribal   proceedings implements the strong privilege protections intended under   section 922 of the Public Health Service Act, 42 U.S.C. 299b-22. 
(See   section 922(g)(1)-(2) of the Public Health Service Act, 42 U.S.C. 299b-  22(g)(1)-(2), preserving more stringent Federal, State, and local   confidentiality laws).  (B) Proposed Sec.  3.204(b)--Exceptions to Privilege      Proposed Sec.  3.204(b) describes the exceptions to the privilege   protection at proposed Sec.  3.204(a) that are established in section   922(c) of the Public Health Service Act, 42 U.S.C. 299b-22(c), as added   by the Patient Safety Act. When the conditions set forth in proposed   Sec.  3.204(b) are met, then privilege does not apply and would not   prevent the patient safety work product from, for example, being   entered into evidence in a proceeding or subject to discovery. In all   cases, the exceptions from privilege are also exceptions from   confidentiality. For proposed Sec.  3.204(b)(1)-(4) and Sec.  3.204(c),   we discuss the scope of the applicable confidentiality protection in   proposed Sec.  3.206(b) and Sec.  3.206(d).  (1) Proposed Sec.  3.204(b)(1)--Criminal Proceedings      Proposed Sec.  3.204(b)(1) would permit disclosure of identifiable   patient safety work product for use in a criminal proceeding, as   provided in section 922(c)(1)(A) of the Public Health Service Act, 42   U.S.C. 299b-22(c)(1)(A). Such patient safety work product is not   subject to the privilege prohibitions described in proposed Sec.    3.204(a) or the confidentiality protection described in proposed Sec.    3.206(a). See proposed Sec.  3.206(b)(1). Prior to a court determining   that an exception to privilege applies pursuant to this provision, a   court must make an in camera determination that the identifiable   patient safety work product sought for disclosure contains evidence of   a criminal act, is material to the proceeding, and is not reasonably   available from other sources. See section 922(c)(1)(A) of the Public   Health Service Act, 42 U.S.C. 299b-22(c)(1)(A). 
We discuss in full the   requirements of this disclosure under the confidentiality disclosure   discussion below.  (2) Proposed Sec.  3.204(b)(2)--Equitable Relief for Reporters      Proposed Sec.  3.204(b)(2) permits the disclosure of identifiable   patient safety work product to the extent required to carry out the   securing and provision of specified equitable relief as provided for   under section 922(f)(4)(A) of the Public Health Service Act, 42 U.S.C.   299b-22(f)(4)(A). This exception is based on section 922(c)(1)(B) of   the Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(B). The Patient   Safety Act permits this disclosure as an exception to privilege and   confidentiality to effectuate the provision that authorizes equitable   relief for an employee who has been subjected to an adverse employment   action for good faith reporting of information to a PSO directly or to   a provider for the intended report to a PSO. We discuss in full the   requirements of this disclosure under the confidentiality disclosure   discussion below.  (3) Proposed Sec.  3.204(b)(3)--Authorized by Identified Providers      Proposed Sec.  3.204(b)(3) describes when identifiable patient   safety work product may be excepted from privilege when each of the   providers identified in the patient safety work product authorizes the   disclosure. This provision is based on section 922(c)(1)(C) of the   Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(C). Such patient   safety work product is also not subject to the confidentiality   protections described in proposed Sec.  3.206(a). We discuss in full   the requirements of this disclosure under the confidentiality   disclosure discussion below.  (4) Proposed Sec.  3.204(b)(4)--Nonidentifiable Patient Safety Work   Product      Proposed Sec.  3.204(b)(4) permits patient safety work product to   be excepted from privilege when disclosed in nonidentifiable form. 
This   provision is based on section 922(c)(3) of the Public Health Service   Act, 42 U.S.C. 299b-22(c)(3). As with other privilege protections, we   expect the tribunals for which the information is sought to adjudicate   the application of this exception. We discuss in full the requirements   of this disclosure in the confidentiality disclosure discussion below.  (C) Proposed Sec.  3.204(c)--Implementation and Enforcement of the   Patient Safety Act      Proposed Sec.  3.204(c) excepts from privilege disclosures of   relevant patient safety work product to or by the Secretary as needed   for investigation or determining compliance with this Part    [[Page 8142]]    or for enforcement of the confidentiality provisions, or for making or   supporting PSO certification or listing decisions, under the Patient   Safety Act. We propose that the Secretary may use and disclose patient   safety work product when pursuing civil money penalties for   impermissible disclosures. This is a privilege exception in the same   manner as exceptions listed in proposed Sec.  3.204(b), but we state it   separately to provide specific emphasis for the inclusion of this   exception to privilege by the Secretary for enforcement activities.   This information is also a permissible disclosure under proposed Sec.    3.206(d), discussed below.      The Patient Safety Act provides for broad privilege and   confidentiality protections, as well as the authority for the Secretary   to impose civil money penalties on persons who knowingly or recklessly   disclose identifiable patient safety work product in violation of those   protections. However, in order to perform investigations and compliance   reviews to determine whether a violation has occurred, the Secretary   may need to have access to privileged and confidential patient safety   work product.      
We believe that Congress could not have intended that the privilege   and confidentiality protections afforded to patient safety work product   operate to frustrate the sole enforcement mechanism Congress provided   for the punishment of impermissible disclosures and to preclude the   imposition of civil money penalties. As a matter of public policy, the   creation of a confidentiality protection is meaningless without the   capacity to enforce a breach of those protections. For these reasons,   we propose a privilege exception narrowly drawn to permit the Secretary   to perform the enforcement and operational duties required by the   Patient Safety Act, which include the submission of patient safety work   product to administrative law judges (ALJs), the Departmental Appeals   Board (Board), and the courts.      This proposed provision would permit the disclosure of patient   safety work product to the Secretary or disclosure by the Secretary so   long as such disclosure is for the purpose of implementation and   enforcement of these proposed regulations. Such disclosure would   include the introduction of patient safety work product into   proceedings before ALJs or the Board under proposed Subpart D by the   Secretary, as well as the disclosure during investigations by OCR or   activities in reviewing PSO certifications by AHRQ. Moreover,   disclosures of patient safety work product made to the Board or other   parts of the Department that are received by workforce members, such as   contractors operating electronic web portals or mail sorting and paper   scanning services, would be permitted as a disclosure to the Secretary   under this proposed provision. This provision would also permit the   Board to disclose any patient safety work product in order to properly   review determinations or to provide records for court review.      
Patient safety work product disclosed under this exception remains   protected by both privilege and confidentiality protections as proposed   in Sec.  3.208. This exception does not limit the ability of the   Secretary to disclose patient safety work product in accordance with   the exceptions under proposed Sec.  3.206(b) or this Part. Rather, this   proposed section provides a specific permission by which patient safety   work product may be disclosed to the Secretary and the Secretary may   further disclose such patient safety work product for compliance and   enforcement purposes.      We believe strongly in the protection of patient safety work   product as provided in the Patient Safety Act and the proposed   regulation, and seek to minimize the risk of improper disclosure of   patient safety work product by using and disclosing patient safety work   product only in limited and necessary circumstances. We intend that any   disclosure made pursuant to this proposed provision be limited in the   amount of patient safety work product disclosed to accomplish the   purpose of implementation, compliance, and enforcement. Proposed Sec.    3.312 discusses the limitations on what the Secretary may do with any   patient safety work product obtained pursuant to an investigation or   compliance review under proposed Subpart D. As discussed in the   preamble to proposed Sec.  3.312, section 922(g)(3) of the Public   Health Service Act, 42 U.S.C. 299b-22(g)(3), provides that the Patient   Safety Act does not affect the implementation of the HIPAA   confidentiality regulations. Accordingly, the privilege provisions in   the Patient Safety Act would not bar the Secretary from introducing   patient safety work product in a HIPAA enforcement proceeding.  2. Proposed Sec.  3.206--Confidentiality of Patient Safety Work Product      Proposed Sec.  
3.206 describes the confidentiality protection of   patient safety work product as well as exceptions from confidentiality   protection. The following discussion generally refers to an act that   falls within an exception from confidentiality as a permissible   disclosure.  (A) Proposed Sec.  3.206(a)--Confidentiality      Proposed Sec.  3.206(a) would establish the overarching general   principle that patient safety work product is confidential and shall   not be disclosed. The principle applies to patient safety work product   held by anyone. This provision is based on section 922(b) of the Public   Health Service Act, 42 U.S.C. 299b-22(b).  (B) Proposed Sec.  3.206(b)--Exceptions to Confidentiality      Proposed Sec.  3.206(b) describes the exceptions to   confidentiality, or the permitted disclosures. Certain overarching   principles apply to the proposed confidentiality standards. First, we   consider these exceptions to be ``permissions'' to disclose patient   safety work product and the holder of the patient safety work product   retains full discretion whether or not to disclose. Thus, similar to   the disclosures permitted under the HIPAA Privacy Rule, we are defining   a uniform federal baseline of protection that is enforceable by   federally imposed civil money penalties. We are not encouraging or   requiring disclosures, except to the Secretary as provided in this   proposed rule. Therefore, a provider, PSO, or responsible person, may   create confidentiality policies and procedures with respect to patient   safety work product that are more stringent than these proposed rules   and are free to otherwise condition the release of patient safety work   product that comes within these exceptions by contract, employment   relationship, or other means. See, for example, section 922(g)(4) of   the Public Health Service Act, 42 U.S.C. 299b-22(g)(4). However, the   Secretary will not enforce such policies or private agreements.      
Second, when exercising the discretion to disclose patient safety   work product, we encourage providers, PSOs, and responsible persons to   consider the purposes for which the disclosures are made. Disclosures   should be narrow and consistent with the overarching goals of the   privilege and confidentiality protections, even though these   protections generally continue to apply to patient safety work product   after disclosure. We encourage any entity or person making a disclosure   to consider both the amount of patient safety work product that is   being disclosed, as well as the amount of identifiable information   disclosed. Even though not required, entities or persons should attempt   to disclose the amount of information commensurate with the    [[Page 8143]]    purposes for which a disclosure is made. We encourage the disclosure of   the least amount of identifiable patient safety work product that is   appropriate for the purpose of the disclosure, which might mean the   disclosure of less information than all of the information that would   be permitted to be disclosed under the confidentiality provisions. We   also encourage the removal of identifiable information when feasible   regardless of whether protection under this rule continues. While a   provider, PSO, or responsible person need not designate a workforce   member to determine when a disclosure of patient safety work product is   permitted, such a designation may be a best practice to ensure that a   disclosure complies with the confidentiality provisions, and contains   the least amount of patient safety work product necessary.      Third, we have addressed the scope of redisclosure by persons   receiving patient safety work product. Persons receiving patient safety   work product would only be allowed to redisclose that information to   the extent permitted by the proposed regulation. 
For example, we   propose that accrediting bodies receiving patient safety work product   pursuant to the accrediting body disclosure at proposed Sec.    3.206(b)(8) may not further disclose that patient safety work product.   We seek public comment on the subject of whether there are any negative   implications associated with limiting redisclosures in this way.      Additionally, agencies subject to both the Patient Safety Act and   the Privacy Act, 5 U.S.C. 552a, must comply with both statutes when   disclosing patient safety work product. Under the Patient Safety Act,   see section 922(b) of the Public Health Service Act, 42 U.S.C. 299b-  22(b), if another law, such as the Privacy Act, permits or requires the   disclosure of patient safety work product, disclosure of this   information would be in violation of the Patient Safety Act unless the   Patient Safety Act also permits this disclosure. However, if the   Privacy Act prohibits the disclosure of information that is patient   safety work product, the permissible disclosure of this information   under the Patient Safety Act would be in violation of the Privacy Act.   Therefore, for agencies subject to both statutes, patient safety work   product must be disclosed in a manner that is permissible under both   statutes. The Privacy Act does permit agencies to make disclosures   pursuant to established routine uses. See 5 U.S.C. 552a(a)(7);   552a(b)(3); and 552a(e)(4)(D). We recommend that Federal agencies that   maintain a Privacy Act system of records containing information that is   patient safety work product include routine uses that will permit   disclosures allowed by the Patient Safety Act.      Finally, for HIPAA covered entities, when individually identifiable   health information is encompassed within the patient safety work   product, the disclosure must also comply with the HIPAA Privacy Rule.   
Thus, for patient safety work product disclosures that contain   individually identifiable health information, as defined in 45 CFR   160.103, we note some of the comparable HIPAA Privacy Rule permissions   for consideration.  (1) Proposed Sec.  3.206(b)(1)--Criminal Proceeding      Proposed Sec.  3.206(b)(1) would establish the permitted criminal   proceeding disclosure which parallels the privilege exception   disclosure for use in a criminal proceeding, proposed Sec.    3.204(b)(1). Proposed Sec.  3.206(b)(1) would permit disclosure of   identifiable patient safety work product for use in a criminal   proceeding. Prior to a court determining that an exception to privilege   applies pursuant to this provision, a court must make an in camera   determination that the identifiable patient safety work product sought   for disclosure contains evidence of a criminal act, is material to the   proceeding, and is not reasonably available from other sources. See   section 922(c)(1)(A) of the Public Health Service Act, 42 U.S.C. 299b-  22(c)(1)(A).      After such determinations by a court, the patient safety work   product may be permissibly disclosed within the criminal proceeding.   This provision and these limitations are based on section 922(c)(1)(A)   of the Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(A). When   considering claims that confidentiality protection has been breached,   we intend to defer to, and not review, the court's in camera   determinations made in context of determining the privilege exception.   The Secretary has not been authorized to enforce the underlying   privilege protection or make determinations regarding its   applicability. The Secretary's authority is limited to investigating   and enforcing violations of the confidentiality protections parallel to   this privilege exception at proposed Sec.  3.206(b)(1).      
The Patient Safety Act establishes that patient safety work   product, once disclosed, will generally continue to be privileged and   confidential as discussed in proposed Sec.  3.208. See section   922(d)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(1).   However, the Patient Safety Act limits the continued protection of the   specific patient safety work product disclosed for use in a criminal   proceeding. Patient safety work product disclosed for use in a criminal   proceeding continues to be privileged and cannot be reused as evidence   or in any context prohibited by the privilege protection, but is no   longer confidential. See section 922(d)(2)(A) of the Public Health   Service Act, 42 U.S.C. 299b-22(d)(2)(A). For example, law enforcement   personnel who obtain patient safety work product used in a criminal   proceeding may further disclose that patient safety work product   because the confidentiality protection does not apply. However, if law   enforcement sought to enter the information into another criminal   proceeding, it would need a new in camera determination for the new   criminal proceeding. For a further discussion of continued   confidentiality, see discussion of proposed Sec.  3.208 below.      For entities that are subject to the HIPAA Privacy Rule and this   Part, disclosures must conform to 45 CFR 164.512(e) of the HIPAA   Privacy Rule. We expect that court rulings following an in camera   determination would be issued as a court order, which would satisfy the   requirements of 45 CFR 164.512(e). So long as such legal process is in   compliance with 45 CFR 164.512(e), the disclosure would be permissible   under the HIPAA Privacy Rule.  (2) Proposed Sec.  3.206(b)(2)--Equitable Relief for Reporters      Proposed Sec.  
3.206(b)(2) would permit the disclosure of   identifiable patient safety work product to the extent required to   carry out equitable relief as provided for under section 922(f)(4)(A)   of the Public Health Service Act, 42 U.S.C. 299b-22(f)(4)(A). See   section 922(c)(1)(B) of the Public Health Service Act, 42 U.S.C. 299b-  22(c)(1)(B). This proposed provision parallels the privilege exception   to carry out equitable relief at proposed Sec.  3.204(b)(2). The   Patient Safety Act permits this disclosure to effectuate the provision   that authorizes an employee to seek redress for adverse employment   actions for good faith reporting of information to a PSO directly or to   a provider with the intended disclosure to a PSO.      The Patient Safety Act prohibits a provider from taking an adverse   employment action against an individual who, in good faith, reports   information to the provider for subsequent reporting to a PSO, or to a   PSO directly. See section 922(e)(1) of the Public Health Service Act,   42 U.S.C. 299b-22(e)(1). Adverse employment actions are described at   section 922(e)(2)    [[Page 8144]]    of the Public Health Service Act, 42 U.S.C. 299b-22(e)(2), and include   loss of employment, failure to promote, or adverse evaluations or   decisions regarding credentialing or licensing. The Patient Safety Act   provides adversely affected reporters a civil right of action to enjoin   such adverse employment actions and obtain other equitable relief,   including back pay or reinstatement, to redress the prohibited actions.   As part of that right to seek equitable relief, the Patient Safety Act   provides that patient safety work product is not subject to the   privilege protections described in section 922(a) of the Public Health   Service Act, 42 U.S.C. 299b-22(a), and as similarly described in   proposed Sec.  3.204(a), or to the confidentiality protection in   section 922(b) of the Public Health Service Act, 42 U.S.C. 
299b-22(b),   and as similarly described in proposed Sec.  3.206(a), to the extent   such patient safety work product is necessary to carry out the   equitable relief.      Although such disclosure is excepted from both confidentiality and   privilege as to efforts to seek equitable relief, the identifiable   patient safety work product remains subject to confidentiality and   privilege protection in the hands of all subsequent holders and the   protections apply to all subsequent potential disclosures. See section   922(d)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(1).   Thus, even though the reporter is afforded discretion to disclose the   relevant patient safety work product to seek and obtain equitable   relief, all subsequent holders receiving the patient safety work   product from the reporter are bound by the continued privilege and   confidentiality protections.      Thus, this provision would allow the reporter seeking equitable   relief from an adverse employment action to include patient safety work   product in briefs and in open court. To protect the patient safety work   product as much as possible in these circumstances, we could condition   the disclosure of identifiable patient safety work product in these   circumstances on a party's, most likely the reporter's, obtaining of a   protective order in these types of proceedings. Such a protective order   could take many forms that preserve the confidentiality of patient   safety work product. For example, it could limit the use of the   information to case preparation, but not make it evidentiary. Such an   order might prohibit the disclosure of the patient safety work product   in publicly accessible proceedings and in court records to prevent   liability from moving to a myriad of unsuspecting parties (for example,   parties in a courtroom may not know that they may be liable for civil   money penalties if they share the patient safety work product they   hear). 
We solicit comments on whether a protective order should be a   condition for this disclosure, imposed by regulation, or whether   instead we should require a good faith effort to obtain a protective   order as a condition for this disclosure and use our enforcement   discretion to consider whether to assess a penalty for anyone who   cannot obtain such an order and thus breaches the statutory continued   confidentiality protection of this information. See discussion below at   proposed Sec.  3.402(a).      We also address the intersection of the HIPAA Privacy Rule herein   because identifiable patient safety work product may contain   individually identifiable health information and be sought for   disclosure under this exception from a HIPAA covered entity or that   HIPAA covered entity's business associate. Under the HIPAA Privacy Rule   at 45 CFR 164.512(e), when protected health information is sought to be   disclosed in a judicial proceeding via subpoenas and discovery requests   without a court order, the disclosing HIPAA covered entity must seek   satisfactory assurances that the party requesting the information has   made reasonable efforts to provide written notice to the individual who   is the subject of the protected health information or to secure a   qualified protective order. A protective order that meets the qualified   protective order under 45 CFR 164.512(e) would be permissible under the   HIPAA Privacy Rule and render a disclosure under this exception in   compliance with the HIPAA Privacy Rule.  (3) Proposed Sec.  3.206(b)(3)--Authorized by Identified Providers      Proposed Sec.  3.206(b)(3) would establish a permitted disclosure   parallel to the privilege exception at proposed Sec.  3.204(b)(3), when   each of the providers identified in the patient safety work product   authorizes the disclosure in question. This provision is based on   section 922(c)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b-  22(c)(1)(C). 
In these circumstances, patient safety work product may be   disclosed, notwithstanding the privilege protections described in   proposed Sec.  3.204(a) or the confidentiality protections described in   proposed Sec.  3.206(a). However, patient safety work product disclosed   under this exception continues to be confidential pursuant to the   continued confidentiality provisions at section 922(d)(1) of the Public   Health Service Act, 42 U.S.C. 299b-22(d)(1), and persons are subject to   liability for further disclosures in violation of that confidentiality.      This exception applies to patient safety work product that contains   identifiable provider information. Under the proposed language, each   provider identified in the patient safety work product sought to be   disclosed must separately authorize the disclosure. For example, if   patient safety work product sought to be disclosed by an entity or   person pursuant to this exception describes an incident involving three   physicians, each physician would need to authorize disclosure of the   patient safety work product, in order for the entity or person to   disclose it. Making information regarding one provider nonidentifiable   in lieu of obtaining an authorization is not sufficient.      We considered whether the rule should allow a provider to   nonidentify the patient safety work product with respect to a   nonauthorizing provider and disclose the patient safety work product   with respect to the remaining authorizing providers. However, we   rejected that approach as being impracticable. In light of the   contextual nonidentification standard proposed in Sec.  3.212, it would   seem that there would be very few, if any, situations in which a   nonauthorizing provider could be nonidentified without also needing to   nonidentify, or nearly so, an authorizing provider in the same patient   safety work product. 
Unless we adopt a less stringent nonidentification   standard, disclosing persons can either totally nonidentify patient   safety work product and disclose under proposed Sec.  3.206(b)(5), or   disclose the patient safety work product only if all identified   providers in patient safety work product authorize its disclosure.      When all identified providers authorize the disclosure of patient   safety work product, the Patient Safety Act permits such disclosure,   but remains silent about the identification of patients or reporters in   such patient safety work product. As to other persons that make patient   safety work product identifiable, i.e., patients and reporters, the   Patient Safety Act does not provide a separate right of authorization.   However, as one of the core principles underlying the Patient Safety   Act is the protection of the privacy and confidentiality concerns of   certain persons in connection with specific patient safety work product   (i.e., providers, patients and reporters), we encourage persons   disclosing patient safety work product to exercise discretion in the   scope of patient safety work product disclosed, even though neither   patient nor reporter authorization is required. Disclosers are    [[Page 8145]]    encouraged to consider whether the disclosure of identifying   information regarding patients and reporters is necessary to accomplish   the particular purpose of the disclosure. As discussed below, if the   disclosing entity is a HIPAA covered entity, the HIPAA Privacy Rule,   including the minimum necessary standard when applicable, would apply   to the disclosure of protected health information contained within the   patient safety work product. We seek public comment as to whether the   proposed approach is sufficient to protect the interests of reporters   and patients identified in the patient safety work product permitted to   be disclosed pursuant to identifiable provider authorizations. 
Does   this approach sufficiently balance the interests of the patients and   reporters and their confidentiality versus the purposes for which the   providers are authorizing the disclosures?      The Patient Safety Act does not specify the form of the   authorization by a provider to come within this disclosure exception or   a timeframe for recordkeeping. We propose that an authorization be in   writing, be signed by the authorizing provider, and give adequate   notice to the provider of the nature and scope of the disclosures   authorized. The content of the authorization should fairly inform the   provider as to the nature and scope of the identifiable patient safety   work product to be disclosed to ensure the provider is making a knowing   authorization. We do not intend that each authorization identify the   specific patient safety work product to be disclosed. Such a   requirement would be unworkable in complex health care arrangements   existing today. Rather, an authorization can be general, (e.g.,   referring to categories of patient safety work product) and even to   patient safety work product to be created in the future, so long as the   authorization can be determined to have reasonably informed the   authorizing provider of the scope of the authorized disclosure. The   authorization requirement also enables providers to place limits on   disclosures made pursuant to this proposed exception regarding patient   safety work product identifying the provider. Any disclosure must be   made in accordance with the terms of the signed authorization, but we   do not require that any specific terms be included, only that such   terms regarding the scope of the authorized disclosure of patient   safety work product be adhered to. We seek public comment on whether a   more stringent standard would be prudent and workable, such as an   authorization process that is disclosure specific (i.e., no future   application or a one time disclosure only authorization).   
   We also propose that any authorization be maintained by the   disclosing entity or person for a period of six years from the date of   the last disclosure made in reliance on the authorization, the limit of   time within which the Secretary must initiate an enforcement action.   While we recognize that a prudent person disclosing patient safety work   product under this disclosure will likely maintain records in order to   support a claim that such disclosure was permissible, nonetheless we   require a six year retention of authorizations so that, if challenged,   the Secretary may examine authorizations to determine whether a   disclosure was valid pursuant to this disclosure provision. While we   would not be monitoring or penalizing a person for lack of maintenance   of an authorization, the failure to present a valid authorization will   raise significant concerns regarding the permissibility of a disclosure   pursuant to this permission.      With respect to compliance with the HIPAA Privacy Rule for patient   safety work product that contains individually identifiable health   information, authorization by a provider pursuant to this permitted   disclosure does not permit a HIPAA covered entity or such a HIPAA   covered entity's business associate to release such protected health   information contained in the patient safety work product under the   HIPAA Privacy Rule. Therefore, either the individually identifiable   health information must be de-identified or the release of the   individually identifiable health information must otherwise be   permitted under the HIPAA Privacy Rule. Because this disclosure does   not limit the purposes for which identifiable patient safety work   product may be released with the provider's authorization, a HIPAA   covered entity would need to review releases on a case-by-case basis to   determine if there is an applicable provision in the HIPAA Privacy Rule   that would otherwise permit such disclosure.  
(4) Proposed Sec.  3.206(b)(4)--Patient Safety Activities      Section 922(c)(2)(A) of the Public Health Service Act, 42 U.S.C.   299b-22(c)(2)(A), permits the disclosure of identifiable patient safety   work product for patient safety activities. Proposed Sec.  3.206(b)(4)   permits the disclosure of identifiable patient safety work product for   patient safety activities (i) by a provider to a PSO or by a PSO to   that disclosing provider; or (ii) by a provider or a PSO to a   contractor of the provider or PSO; or (iii) by a PSO to another PSO or   to another provider that has reported to the PSO, or by a provider to   another provider, provided, in both cases, certain direct identifiers   are removed. Patient safety activities are the core mechanism by which   providers may disclose patient safety work product to obtain external   expertise from PSOs. PSOs may aggregate information from multiple   providers, and communicate feedback and analyses to providers.   Ultimately, it is through such communications that much of the   improvement in patient safety may occur. Thus, the rule needs to   facilitate the communication between a provider and one or more PSOs.      To further this essential statutory purpose, we propose to allow   providers to disclose identifiable patient safety work product to PSOs;   one of the ways that information can become patient safety work product   is through reporting of it to a PSO. We also propose to allow PSOs to   reciprocally disclose patient safety work product back to such   providers for patient safety activities. This free flow of information   will ensure that the statute's goals of collecting, aggregating, and   analyzing patient safety event information as well as disseminating   recommendations for safety and quality improvements are achieved. Such   a dialogue will allow both providers and PSOs to take a shared role in   the advancement of patient safety improvements.      
In addition, we recognize that there may be situations where   providers and PSOs want to engage contractors who are not agents to   carry out patient safety activities. Thus, the proposal would allow   disclosures by providers to their contractors who are not workforce   members and by PSOs to their contractors who are not workforce members.   Contractors may not further disclose patient safety work product,   except to the entity from which they first received the information. We   note that this limitation does not preclude a provider or PSO from   exercising its authority under section 922(g)(4) of the Public Health   Service Act, 42 U.S.C. 299b-22(g)(4), to separately delegate its power   to the contractor to make other disclosures. Although we do not require   a contract between a provider or PSO and its contractor, we expect that   most providers and PSOs will engage in prudent practices when   disclosing confidential patient safety work product for patient safety   activities, (i.e., ensuring such information is narrowly used by the   contractor solely for the purpose for which disclosed and   adequately protected from wrongful disclosure).      While the permission allows the necessary communication as between   a single provider and its PSO, such exchanges may not be sufficient. It   is possible to conceive of meaningful patient safety activities   occurring between two PSOs or between a PSO and a provider that is   different than the original reporting provider, or between two   providers. For example, PSOs may be able to more effectively aggregate   patient safety work product if such expanded sharing of information is   permitted. Aggregation may help PSOs pool sufficient information to   achieve contextual nonidentification, in accordance with Sec.    
3.212(a)(ii), but keep meaningful data in the information when   disclosing to the network of patient safety databases contemplated in   section 923 of the Public Health Service Act, 42 U.S.C. 299b-23.   Providers may be able to collaborate and learn more efficiently about   patient safety solutions if such sharing is permitted. At the same   time, we are concerned that, without any limitation on such sharing,   providers may be not only reluctant to disclose patient safety work   product, but also potentially reticent to participate at all in patient   safety activities, given the sensitive nature of the information, and   the potential lack of certainty with respect to where the information   might ultimately be disclosed.      Balancing these concerns, we are proposing that other than the   reporting relationship between a provider and a PSO, PSOs be permitted   to disclose patient safety work product to other PSOs or to other   providers that have reported to the PSO, and providers be permitted to   make disclosures to other providers, for patient safety activities,   with provider and reporter identifiers in an anonymized (i.e., with   certain direct identifiers removed, but not nonidentifiable under the   proposed rule) or encrypted but not fully nonidentified form. For   patient identifiers, the HIPAA Privacy Rule limited data set standard   would apply. See 45 CFR 164.514(e). 
To anonymize the provider or   reporter identifiers in the patient safety work product, the disclosing   entity must remove the following direct identifiers of any providers   and of affiliated organizations, corporate parents, subsidiaries,   practice partners, employers, members of the workforce, or household   members of such providers: (1) Names; (2) Postal address information,   other than town or city, State and zip code; (3) Telephone numbers; (4)   Fax numbers; (5) Electronic mail addresses; (6) Social security numbers   or taxpayer identification numbers; (7) Provider or practitioner   credentialing or DEA numbers; (8) National provider identification   number; (9) Certificate/license numbers; (10) Web Universal Resource   Locators (URLs); (11) Internet Protocol (IP) address numbers; (12)   Biometric identifiers, including finger and voice prints; and (13) Full   face photographic images and any comparable images. Removal of such   identifiers may be absolute or may be done through encryption, provided   that the disclosing entity does not disclose the key to the encryption   or the mechanism for re-identification.      We have not proposed an unrestricted disclosure of identifiable   patient safety work product to any person for patient safety   activities. It is our understanding that disclosures to persons other   than those proposed above do not need identifiable patient safety work   product and that sufficient information may be communicated with   nonidentifiable patient safety work product; we seek comment on this   issue. Similarly, we recognize that nonidentifiable patient safety work   product may have more limited usefulness due to the removal of key   elements of identification; however, we have no basis for opening the   patient safety activity disclosure permission further without specific   examples of beneficial disclosures prohibited by our proposal.      
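The provider anonymization step described above (listed direct identifiers removed outright, or replaced under a key the discloser never releases) can be sketched as follows. This is an added example, not text or code from the proposed rule: the field names, the sample record, and the use of keyed HMAC tokens with a discloser-held lookup table in place of reversible encryption are all assumptions, and patient identifiers (the limited data set standard) are out of scope.

```python
import hashlib
import hmac
import re

# Hypothetical field names, one or more per identifier category in the list above.
DIRECT_ID_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "tin",
    "credential_number", "dea_number", "npi", "license_number",
    "url", "ip_address", "biometric_id", "photo",
}
# Assumption: these are replaced by keyed tokens instead of being dropped,
# so the discloser can still link records about the same provider.
TOKENIZE_FIELDS = {"name", "npi"}

# Pattern-matchable identifiers that may also sit in free-text narratives.
PATTERNS = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("URL", re.compile(r"https?://\S+")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
]


def token(key: bytes, field: str, value: str) -> str:
    """Keyed, deterministic token. Without the key it cannot be recomputed,
    even for low-entropy values such as a 10-digit provider number."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256)
    return f"{field.upper()}-{mac.hexdigest()[:16]}"


def anonymize(record: dict, key: bytes) -> tuple[dict, dict]:
    """Return (record safe to disclose, relink table kept by the discloser)."""
    provider = record["provider"]
    relink: dict[str, str] = {}
    out_provider: dict[str, str] = {}
    for field, value in provider.items():
        if field in TOKENIZE_FIELDS:
            t = token(key, field, value)
            relink[t] = value               # never leaves the discloser
            out_provider[field + "_token"] = t
        elif field not in DIRECT_ID_FIELDS:
            out_provider[field] = value     # city, state, zip, specialty stay

    # Names cannot be pattern-matched, so scrub this record's known identifier
    # values from the narrative first (longest first), then apply the patterns.
    narrative = record.get("narrative", "")
    known = sorted(DIRECT_ID_FIELDS & provider.keys(),
                   key=lambda f: -len(provider[f]))
    for field in known:
        value = provider[field]
        if field in TOKENIZE_FIELDS:
            replacement = token(key, field, value)
        else:
            replacement = f"[{field.upper()} REMOVED]"
        narrative = narrative.replace(value, replacement)
    for label, pattern in PATTERNS:
        narrative = pattern.sub(f"[{label} REMOVED]", narrative)

    out = {k: v for k, v in record.items() if k not in ("provider", "narrative")}
    out["provider"] = out_provider
    out["narrative"] = narrative
    return out, relink


# Constructed sample data; no real provider is described.
KEY = b"constructed-demo-key-kept-by-discloser"
SAMPLE = {
    "event_id": "E-1001",
    "event_type": "medication error",
    "provider": {
        "name": "Dr. Alex Rivera",
        "npi": "1234567890",
        "street_address": "12 Constructed Way",
        "city": "Springfield", "state": "IL", "zip": "62701",
        "phone": "(301) 555-0100",
        "email": "arivera@clinic.example",
        "specialty": "cardiology",
    },
    "narrative": ("Dr. Alex Rivera (arivera@clinic.example, 301-555-0100) "
                  "logged the event from workstation 10.0.0.7."),
}

if __name__ == "__main__":
    disclosed, relink_table = anonymize(SAMPLE, KEY)
    print(disclosed)
    print(len(relink_table), "tokens retained by the discloser only")
```

Only the first return value is disclosed; the key and the relink table stay with the disclosing entity, which is what keeps the tokens from functioning as identifiers for the recipient.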
The exchange of patient safety work product for patient safety   activities permits extensive sharing among both providers and PSOs   interested in improving patient safety. As patient safety work product   is disclosed, however, it continues to be protected by the   confidentiality provisions. The permission allows continual exchange of   information without breach of confidentiality. At any time and as   needed, information may be nonidentified, and the patient safety   activities disclosure may be employed for this purpose.      Moreover, providers and PSOs are capable of imposing greater   confidentiality requirements for the future use and disclosure of the   patient safety work product through private agreements (see section   922(g)(4) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(4)).   However, we note that the government would not be permitted to apply   civil money penalties under this Part based on a violation of a private   agreement that was not a violation of the confidentiality provisions.    Compliance With the HIPAA Privacy Rule        With respect to compliance with the HIPAA Privacy Rule, the Patient   Safety Act establishes that PSOs shall be treated as business   associates; and patient safety activities performed by, or on behalf   of, a covered provider by a PSO are deemed health care operations as   defined by the HIPAA Privacy Rule. A HIPAA covered entity is permitted   to use or disclose protected health information as defined at 45 CFR   160.103 without an individual's authorization for its own health care   operations and, in certain circumstances (which would include patient   safety activities), for the health care operations of another HIPAA   covered entity (e.g., HIPAA covered provider) under 45 CFR 164.506. 
To   share protected health information with another HIPAA covered entity   for that entity's health care operations, both HIPAA covered entities   must share a patient relationship with the individual who is the   subject of the protected health information and the protected health   information that is shared must pertain to that relationship.      In addition, in cases where providers and PSOs share anonymized   patient safety work product, providers may disclose a limited data set   of patient information. Under 45 CFR 164.514(e)(3), a HIPAA covered   entity may use or disclose a limited data set for the purpose of health   care operations, including patient safety activities. Such disclosures,   however, must be accompanied by a data use agreement, ensuring that the   limited data set recipient will only use or disclose the protected   health information for limited purposes. See 45 CFR 164.514(e)(4).      We seek comment regarding whether the HIPAA Privacy Rule definition   for health care operations should contain a specific reference to   patient safety activities conducted pursuant to this regulatory scheme.   A health care provider that is a HIPAA covered entity may not disclose   identifiable patient safety work product that is protected health   information to a PSO unless that PSO is performing patient safety   activities (as a health care operation) for that provider. 
Under this   exception for patient safety activities, a health care provider that is   a HIPAA covered entity may disclose identifiable patient safety work   product that is protected health information to another provider (1)   for the sending provider's patient safety activities; (2) for the   patient safety activities of an organized health care arrangement   (OHCA) (as defined at 45 CFR 160.103) if both the sending and receiving provider participate in   the OHCA; or (3) to another provider for the receiving provider's   patient safety activities if the protected health information relates   to a common patient (including to determine that there is a common   patient). We further seek comment regarding whether the provision   permitting the disclosure of protected health information for health   care operations at 45 CFR 164.506 should be modified to conform to the   patient safety work product disclosures for patient safety activities   set forth herein.  (5) Proposed Sec.  3.206(b)(5)--Disclosure of Nonidentifiable Patient   Safety Work Product      Proposed Sec.  3.206(b)(5) permits the disclosure of   nonidentifiable patient safety work product when the patient safety   work product meets the standard for nonidentification in proposed Sec.    3.212. This implements section 922(c)(2)(B) of the Public Health   Service Act, 42 U.S.C. 299b-22(c)(2)(B). Under proposed Sec.    3.206(b)(5), nonidentifiable patient safety work product may be   disclosed by any entity or person that holds the nonidentifiable   patient safety work product without violating the confidentiality   provisions. Moreover, any provider, PSO or responsible person may   nonidentify patient safety work product. As described in proposed Sec.    3.208(b)(ii), nonidentifiable patient safety work product, once   disclosed, loses its privilege and confidentiality protection. Thus, it   may be redisclosed by its recipient without any Patient Safety Act   limitations.    
Nonidentification Standard        The nonidentification standard is proposed at Sec.  3.212. However,   we will discuss that standard at this point in the preamble due to its   connection with the disclosure permission for nonidentifiable patient   safety work product at proposed Sec.  3.206(b)(5). Proposed Sec.  3.212   would establish the standard by which patient safety work product will   be determined nonidentifiable. The determination of what constitutes   nonidentifiable patient safety work product is important because the   standard for nonidentification effectively creates the boundary between   protected and unprotected patient safety work product.      Under the Patient Safety Act and this Part, identifiable patient   safety work product includes information that identifies any provider   or reporter or contains individually identifiable health information   under the HIPAA Privacy Rule (see 45 CFR 160.103). See section 921(2)   of the Public Health Service Act, 42 U.S.C. 299b-21(2). By contrast,   nonidentifiable patient safety work product does not include   information that permits identification of any provider, reporter or   subject of individually identifiable health information. See section   921(3) of the Public Health Service Act, 42 U.S.C. 299b-21(3).      Because individually identifiable health information as defined in   the HIPAA Privacy Rule is one element of identifiable patient safety   work product, the de-identification standard provided in the HIPAA   Privacy Rule applies with respect to the patient-identifiable   information in the patient safety work product. Therefore, where   patient safety work product contains individually identifiable health   information, that information must be de-identified in accordance with   45 CFR 164.514(a)-(c) to qualify as nonidentifiable patient safety work   product with respect to individually identifiable health information   under the Patient Safety Act.      
We propose that patient safety work product be contextually   nonidentifiable in order to be considered nonidentifiable for the   purposes of this rule. Contextual nonidentification of both providers   and reporters would match the standard of de-identification in the   HIPAA Privacy Rule. We are proposing two methods by which   nonidentification can be accomplished which are similar to the   standards for de-identification under the HIPAA Privacy Rule: (1) A   statistical method of nonidentification and (2) the removal of 15   specified categories of direct identifiers of providers or reporters   and of parties related to the providers and reporters, including   corporate parents, subsidiaries, practice partners, employers,   workforce members, or household members, and that the discloser have no   actual knowledge that the remaining information, alone or in   combination with other information reasonably available to the intended   recipient, could be used to identify any provider or reporter (i.e., a   contextual nonidentification standard).      In proposed Sec.  3.212(a)(1), the first method for rendering   patient safety work product nonidentifiable with respect to a provider   or reporter, we propose that patient safety work product can be   nonidentified if a person with appropriate knowledge of and experience   with generally accepted statistical and scientific principles and   methods for rendering information not individually identifiable   applying such principles and methods, determines that the risk is very   small that the information could be used, alone or in combination with   other reasonably available information, by an anticipated recipient to   identify an identified provider or reporter.      We believe that this method of nonidentification may sometimes be   preferable to the safeharbor method proposed in Sec.  
3.212(a)(2)   discussed below and may be especially useful when aggregating data for   populating the network of patient safety databases referenced in   section 923 of the Public Health Service Act, 42 U.S.C. 299b-23. Under   this proposal, if a statistician makes a determination as described   above and documents the analysis, patient safety work product could be   labeled as nonidentifiable even though it contains detailed clinical   information and some potentially identifiable information such as zip   codes.      In proposed Sec.  3.212(a)(2), the second method for rendering   patient safety work product nonidentifiable with respect to a provider   or reporter, we outline a process as a safeharbor requiring that the   disclosing entity remove a list of specific typical identifiers and   have no actual knowledge that the information to be disclosed could be   used, alone or in combination with other information that is reasonably   available to the intended recipient, to identify the particular   provider or reporter. We have limited the knowledge component to that   which is known to be reasonably available to the intended recipient in   order to provide data custodians with a workable knowledge standard.   With the contextual nonidentification standard in place, providers will   have the most confidence that their identities will not be derived from   nonidentifiable information and will be more likely to participate in   the program. Moreover, requiring that patient safety work product be   contextually nonidentifiable is consistent with the de-identification   standard for patient identities, as described above.      We recognize that the more stringent the nonidentifiable patient   safety work product standard is, the more cost, burden, and risk of   error in nonidentification there will be to the disclosing entity. We   also acknowledge that our proposal introduces uncertainty and   subjectivity into the standard, making it a harder standard to enforce.  
 The proposed standard may require the removal of more clinical and   demographic information than would be removed in the absence of the   contextual nonidentification requirement, and the resulting information   would likely be less useful to a recipient. This outcome would particularly impact the network of   patient safety databases of nonidentifiable patient safety work product   to be established under section 923 of the Public Health Service Act,   42 U.S.C. 299b-23. In particular, the information that ultimately   resides in the network may have reduced utility and a reduced capacity   to contribute to the evaluation of patient safety issues.      To mitigate these concerns, this standard would work in conjunction   with a separate permission for sharing identifiable patient safety work   product through the patient safety activities disclosure. Disclosures   as patient safety activities should enable the aggregation of   sufficient patient safety work product to allow contextual   nonidentification without the removal of all important specific   clinical and demographic details. We invite comment on the proposed   standards and approaches. For example, we are interested in knowing   whether, under a contextual nonidentification standard, it is possible   to have any geographical identifiers; and if so, at what level of   detail (state, county, zip code). We are also interested in public   comments regarding whether there are alternative approaches to   standards for entities determining when health information can   reasonably be considered nonidentifiable.  Re-identification      We permit a provider, PSO, or other disclosing entity or person to   assign a code or other means of record identification to allow   information made nonidentifiable to be re-identified by the disclosing   person, provided certain conditions that further the goal of   confidentiality are met regarding such code or other means of record   identification. 
Further, a discloser may not release any key or other   information that would enable a recipient to re-identify any provider   or reporter or subject of individually identifiable health information.   We propose to permit a re-identification mechanism to facilitate   follow-up inquiries regarding, and analysis of, nonidentified patient   safety work product that has been disclosed, such as from users of the   network of patient safety databases when analyzing national and   regional statistics. Such keys would not be for the purpose of   permitting re-identification of patient safety work product obtained   through the network of databases. Rather, such keys would facilitate   the investigation of data anomalies reported to the network, correction   of nonidentifiable records, and the potential to avoid duplicate   records when richer information may be made available due to   aggregation. Finally, with respect to HIPAA compliance, we note that,   because nonidentified patient safety work product will, by definition,   be de-identified information under the HIPAA Privacy Rule, a disclosure   under Sec.  3.206(b)(5) will not violate the HIPAA Privacy Rule.  (6) Proposed Sec.  3.206(b)(6)--For Research      Proposed Sec.  3.206(b)(6) describes the disclosure of identifiable   patient safety work product to entities carrying out research,   evaluations, or demonstration projects that are funded, certified, or   otherwise sanctioned by rule or other means by the Secretary. This   disclosure is not for general research. Any research for which patient   safety work product is disclosed under this exception must be   sanctioned by the Secretary. See section 922(c)(2)(C) of the Public   Health Service Act, 42 U.S.C. 299b-22(c)(2)(C). Research that is not   sanctioned by the Secretary is insufficient to be a basis for the   disclosure of patient safety work product under this exception.   
Further, although disclosure can be made for any research, evaluation,   or demonstration project sanctioned by the Secretary, we expect that   most research that may be subject to this disclosure permission will be   related to the methodologies, analytic processes, and interpretation,   feedback and quality improvement results from PSOs, rather than general   medical, or even health services, research. Patient safety work product   disclosed for research under this provision continues to be   confidential and privileged.      Section 922(c)(2)(C) of the Public Health Service Act, 42 U.S.C.   299b-22(c)(2)(C), requires that patient safety work product which   identifies patients may only be released to the extent that protected   health information would be disclosable for research purposes under the   HIPAA Privacy Rule. Under 45 CFR 164.512(i), a HIPAA covered entity may   use or disclose protected health information for research, without the   individual's authorization, provided that there is a waiver (or   alteration of waiver) of authorization by either an Institutional   Review Board (IRB) or a Privacy Board. The IRB/Privacy Board evaluates   the request against various criteria that measure the privacy risk to   the individuals who are the subjects of the protected health   information.\17\ The HIPAA Privacy Rule only operates with respect to   the identifiable health information of patients when held by a HIPAA   covered entity or its business associate, and does not address the   rights of individuals who may otherwise be the subject of the research.  ---------------------------------------------------------------------------        \17\ The following are the waiver criteria at 45 CFR   164.512(i)(2)(ii):      (A) The use or disclosure of protected health information   involves no more than a minimal risk to the privacy of individuals,   based on, at least, the presence of the following elements:      a. 
An adequate plan to protect the identifiers from improper use   and disclosure;      b. An adequate plan to destroy the identifiers at the earliest   opportunity consistent with conduct of the research, unless there is   a health or research justification for retaining the identifiers or   such retention is otherwise required by law; and      c. Adequate written assurances that the protected health   information will not be reused or disclosed to any other person or   entity, except as required by law, for authorized oversight of the   research study, or for other research for which the use or   disclosure of protected health information would be permitted by   this subpart;      (B) The research could not practicably be conducted without the   waiver or alteration; and      (C) The research could not practicably be conducted without   access to and use of the protected health information.  ---------------------------------------------------------------------------        We tentatively conclude that the language in the Patient Safety Act   that applies the exception ``to the extent that disclosure of protected   health information would be allowed for research purposes under the   HIPAA [Privacy Rule]'' is intended to apply the HIPAA Privacy Rule   research provisions at 45 CFR 164.512(i) only to HIPAA covered entities   when they release identifiable patient safety work product containing   protected health information for research. This interpretation would   result in the HIPAA Privacy Rule research standards being preserved in   their application to HIPAA covered entities without burdening non-  covered entities with HIPAA compliance.      We note that our interpretation of section 922(c)(2)(C) of the   Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(C), is not a bar to   the disclosure of identifiable patient safety work product by entities   or persons that are not HIPAA covered entities. 
We further note that   for providers, reporters and other persons identified in patient safety   work product disclosed for research purposes, the Common Rule, which is   applicable to research conducted or supported by the Secretary, and the   FDA human subjects protection regulations will provide appropriate   protections to any natural persons who would be deemed subjects of the   research.      With regard to research, the incorporation by reference of the   HIPAA Privacy Rule should provide for the proper alignment of   disclosures for research purposes. However, the exception under the   Patient Safety Act also refers to evaluations and demonstration   projects. Some of these activities may meet the definition of research   under the HIPAA Privacy Rule, while other activities may not result in   generalizable knowledge, but may nonetheless meet the definition of health care operations under the   HIPAA Privacy Rule. Where the disclosure of protected health   information for evaluations and demonstration projects is permitted as   health care operations under the HIPAA Privacy Rule, HIPAA covered   entities disclosing patient safety work product that includes protected   health information under this exception could do so without violation   of the HIPAA Privacy Rule.  (7) Proposed Sec.  3.206(b)(7)--To the Food and Drug Administration      Section 922(c)(2)(D) of the Public Health Service Act, 42 U.S.C.   299b-22(c)(2)(D) permits the disclosure by a provider to the FDA with   respect to a product or activity regulated by the FDA. Proposed Sec.    3.206(b)(7) permits the disclosing by providers of patient safety work   product concerning products or activities regulated by the Food and   Drug Administration (FDA) to the FDA or to an entity required to report   to the FDA concerning the quality, safety, or effectiveness of an FDA-  regulated product or activity. 
For example, hospitals and health care   professionals may disclose patient safety work product concerning the   safety of drugs, medical devices, biological products, and dietary   supplements, or vaccine and medical device adverse experiences to the   FDA as part of an FDA monitoring or alert system. The proposed   provision also permits sharing between the FDA, entities required to   report to the FDA concerning the quality, safety, or effectiveness of   an FDA-regulated product or activity, and their contractors for the   same purposes. Patient safety work product disclosed pursuant to this   disclosure permission continues to be confidential and privileged.      The FDA has monitoring and alert systems in place to assure the   safety of FDA regulated products. These systems rely heavily on   voluntary reports from providers, such as hospitals and health care   professionals. Most reports that hospitals and health care   professionals make directly to the FDA today concerning drugs, medical   devices, biological products, and dietary supplements are voluntary,   although health care professionals are required to report to the FDA   certain vaccine adverse experiences, and user facilities such as   hospitals must report to FDA some medical device adverse experiences.   Manufacturers of drugs, devices, and biological products are required   to report to the FDA concerning adverse experiences, but the   manufacturers themselves must rely on information provided voluntarily   by product users, including hospitals and health care professionals.   There are three provisions of the Patient Safety Act that are   implicated for reporting to the FDA: (1) The disclosure for reporting   to the FDA (section 922(c)(2)(D) of the Public Health Service Act, 42   U.S.C. 
299b-22(c)(2)(D)); (2) the clarification as to what is not   patient safety work product which states that information ``collected,   maintained, or developed separately, or [that] exists separately, from   a [patient safety evaluation system]'' is not patient safety work   product, and which, accordingly, can be reported for public health   purposes (section 921(7)(B) of the Public Health Service Act, 42 U.S.C.   299b-21(7)(B)); and (3) the rule of construction which preserves   required reporting to the FDA (section 922(g)(6) of the Public Health   Service Act, 42 U.S.C. 299b-22(g)(6)).      The FDA disclosure provision at proposed Sec.  3.206(b)(7) would be   applicable when patient safety work product is at issue. For example,   the analysis of events by the provider or PSO that constitutes patient   safety work product may generate information that should be reported to   the FDA because it relates to the safety or effectiveness of an FDA-  regulated product or activity. The exception would allow this patient   safety work product to be disclosed to the FDA. Privilege and   confidentiality protections would attach to the patient safety work   product disclosed when received by FDA and continue to apply to any   future disclosures by the FDA.      We tentatively conclude that the statutory language concerning   reporting ``to the FDA'' includes reporting by the provider to the   persons or entities regulated by the FDA and that are required to   report to the FDA concerning the quality, safety, or effectiveness of   an FDA-regulated product or activity. We propose this interpretation to   allow providers to report to manufacturers who are required to report   to the FDA, such as drug manufacturers, without violating this rule.   This interpretation reflects both the rule of construction which   preserves required reporting to the FDA and the goals of this statute   which are to improve patient safety.      We further propose at Sec.  
3.206(b)(7)(ii) that the FDA and   entities required to report to the FDA may only further disclose   patient safety work product for the purpose of evaluating the quality,   safety, or effectiveness of that product or activity; such further   disclosures are only permitted between the FDA, entities required to   report to the FDA, their contractors, and disclosing providers. This   permission is crucial to the effective operation of the FDA's   activities and to facilitate the purpose for which the report was made   initially. Thus, the FDA or a drug manufacturer receiving adverse drug   event information that is patient safety work product may engage in   further communications with the disclosing provider(s), for the purpose   of evaluating the quality, safety, or effectiveness of the particular   regulated product or activity, or may work with their contractors.   Moreover, an entity regulated by the FDA may further disclose the   information to the FDA; without this provision, such reporting would   not meet the regulatory intent that disclosures be to the FDA and a   narrow interpretation could impede the FDA's ability to effectuate   improvements through the use of patient safety work product.      We recognize that there may be situations where the FDA or entities   required to report to the FDA want to engage contractors who are not   agents for the purpose of evaluating the quality, safety, or   effectiveness of that product or activity. Thus, the proposal would   allow disclosures to contractors who are not workforce members.   Contractors may not further disclose patient safety work product,   except to the entity from which they first received the information.      Because Congress did not expressly include disclosure to FDA-  regulated entities, we seek public comment on our proposal related to   this interpretation of section 922(c)(2)(D) of the Public Health   Service Act, 42 U.S.C. 299b-22(c)(2)(D). 
In particular, we question whether this interpretation will cause any unintended consequences to disclosing providers.

The HIPAA Privacy Rule at 45 CFR 164.512(b) permits HIPAA covered entities to disclose protected health information concerning FDA-regulated activities and products to persons responsible for collection of information about the quality, safety, and effectiveness of those FDA-regulated activities and products. Therefore, disclosures under this exception of patient safety work product containing protected health information would be permitted under the HIPAA Privacy Rule.

(8) Proposed Sec. 3.206(b)(8)--Voluntary Disclosure to an Accrediting Body

Proposed Sec. 3.206(b)(8) permits the voluntary disclosure of identifiable patient safety work product by a provider to an accrediting body that accredits the disclosing provider. Voluntary means not compelled, a disclosure that the provider affirmatively chose to make. Patient [[Page 8150]] safety work product disclosed pursuant to this proposed exception continues to be privileged and confidential.

Under this proposed disclosure, the identifiable patient safety work product that would be permitted to be disclosed must identify the disclosing provider, given the Patient Safety Act's explicit linkage of the disclosing provider to a body that accredits that specific provider in this permitted disclosure. We believe that the only information that would be relevant to that provider's accreditation would be information about the disclosing provider (i.e., actions or inactions of the disclosing provider), and not information about the provider's colleagues or any other accredited provider. Thus, a provider may not use this exception to disclose patient safety work product that is unrelated to the actual actions of the disclosing provider, such as information about the provider's colleagues or any other accredited individual or entity.
An issue arises concerning the identities of other providers, reporters, or patients contained within the disclosed patient safety work product. We considered whether to require the patient safety work product to be nonidentifiable as to providers other than the disclosing provider, since incidental disclosures of patient safety work product identifying other providers, especially if they were also accredited by the same accrediting institution, would not be a voluntary disclosure by those other providers. However, we do not believe that such an approach is necessary.

We understand that most providers that are accredited are large institutions, and in general their accreditors seek vast amounts of data during the accreditation process, some of which may include identifiers of practitioners who work in such institutions. We have preliminarily concluded that the disclosure of patient safety work product including practitioners in such circumstances will be harmless because, in many cases, the providers will not be accredited by the institution's accrediting body.

Even in circumstances where a non-disclosing provider identified by a provider voluntarily disclosing to an accrediting body is subject to the accrediting body, we believe the accrediting body will not use the information. First, we believe it is unlikely that a provider may have or seek to disclose patient safety work product containing information about the actions or inactions of a provider also accredited by the same accrediting body. Second, even if such a disclosure occurs, although it may not be voluntary as to the non-disclosing provider, we do not believe the accrediting body will use such information to take accrediting actions against the non-disclosing provider. We would expect that an accrediting body may ignore or give little weight to information about providers not disclosing information directly to the accrediting body.
Such second hand information may be incomplete and incorrect. We anticipate that accrediting bodies would seek to obtain information about a provider's actions directly from the subject provider rather than second hand.

Furthermore, we propose to limit the accrediting body's permission to further redisclose such patient safety work product. To ensure that any patient safety work product in the hands of an accrediting body that contains provider identifiers of a provider who did not voluntarily disclose to such body, Sec. 3.206(b)(7)(i) proposes that an accrediting body may not further disclose the patient safety work product that was originally voluntarily disclosed. As an alternative to this approach, we could, as proposed in the patient safety activities disclosure, require that information with respect to non-disclosing providers be anonymized. See preamble discussion at proposed Sec. 3.206(b)(4). We seek comments as to whether the problem of information being disclosed non-voluntarily to an accrediting body by non-disclosing providers requires rendering such information anonymized.

The accrediting body takes the patient safety work product subject to the confidentiality protection, and would therefore be subject to civil money penalties for any re-disclosure. The patient safety work product disclosed under this permission in the hands of the accrediting body remains privileged and confidential, in accordance with the continued confidentiality provisions at proposed Sec. 3.208. Thus, it is incumbent upon the accrediting body to handle and maintain the patient safety work product in a way that preserves its confidential status. Such safeguards may include maintaining this information separately from other accrediting information in a confidential file, if the other information is not similarly held confidential.
Additionally, the Patient Safety Act includes strong provisions limiting the disclosure of patient safety work product to accrediting bodies and limiting the actions an accrediting body may take to seek patient safety work product. Proposed Sec. 3.206(b)(8)(ii) provides that an accrediting body may not take an accreditation action against a provider based on that provider's participation, in good faith, in the collection, reporting or development of patient safety work product. Accrediting bodies are also prohibited from requiring a provider to reveal its communications with any PSO, without regard to whether such provider actually reports information to a PSO. Thus, a provider may disclose patient safety work product to an accrediting body voluntarily, but cannot be compelled or required as a condition of accreditation to divulge patient safety work product or communications with a PSO. This subsection is based on the statutory requirements at section 922(d)(4)(B) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(4)(B).

Under the HIPAA Privacy Rule, a HIPAA covered entity may disclose protected health information to an accrediting body for the HIPAA covered entity's own health care operations, provided there is a business associate agreement with the accrediting body. Such health care operations include the activity of accreditation for the HIPAA covered entity as well as the accreditation of workforce members. Thus, providers that are HIPAA covered entities or are workforce members of a HIPAA covered entity that hold the protected health information may voluntarily disclose identifiable patient safety work product containing individually identifiable health information to an accrediting body that accredits that provider, provided there is a business associate agreement between the HIPAA covered entity and the accreditation organization.

(9) Proposed Sec.
3.206(b)(9)--Business Operations

Section 922(c)(2)(F) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(F), gives the Secretary authority to designate additional disclosures as permissible exceptions to the confidentiality protection if such disclosures are necessary for business operations and are consistent with the goals of the Patient Safety Act. Any patient safety work product disclosed pursuant to a business operations exception so designated by the Secretary continues to be confidential and privileged.

We propose to allow disclosures of patient safety work product by a provider or a PSO to professionals such as attorneys and accountants for the business operations purposes of the provider or PSO. A disclosure to an attorney may be necessary when a provider is seeking outside legal advice in defending against a malpractice claim or other litigation, even though the [[Page 8151]] information would not be admissible as part of a legal proceeding. A provider might also need to disclose patient safety work product to an attorney in the case of due diligence related to a merger, sale or acquisition. Similarly, a provider may need to disclose patient safety work product to an accountant who is auditing the books and records of providers and PSOs. In order to ensure that such routine business operations are possible, we propose to allow disclosures by providers and PSOs for business operations to attorneys, accountants, and other professionals. Professionals such as those identified are usually bound by professional ethics to maintain the confidences of their clients. Such contractors may not further disclose patient safety work product, except to the entity from which it received the information. We note that this limitation does not preclude a provider or PSO from exercising its authority under section 922(g)(4) of the Public Health Service Act, 42 U.S.C.
299b-22(g)(4), to separately delegate its power to the contractor to make other disclosures.

We note that if a provider or PSO were to disclose relevant patient safety work product to such professionals, we would rely upon the professional's legal and ethical constraints not to disclose the information for any unauthorized purpose. Our presumption is that professionals are generally subject to a set of governing rules. Nonetheless, we expect that providers and PSOs who disclose privileged and confidential information to attorneys, accountants or other ethically bound professionals for business purposes will engage in the prudent practice of ensuring such information is narrowly used by the contractor solely for the purpose for which it was disclosed and adequately protected from wrongful disclosure.

Because patient safety work product is specialized and highly confidential information, we have not conceived of any other third parties to whom it would be appropriate to disclose patient safety work product as a business operations disclosure. Because we are not regulating uses, any business operations need within the entity could occur unimpeded. Although we considered whether to adopt an exception for activities in the operation of a patient safety evaluation system, we believe these activities are within the definition of patient safety activities and, thus, within the confidentiality exception proposed at Sec. 3.206(b)(4). We seek public comment regarding whether there are any other consultants or contractors to whom a business operations disclosure should also be permitted, or whether there are any additional exceptions for the Secretary's consideration under this authority.

Under the HIPAA Privacy Rule, at 45 CFR 164.506, HIPAA covered entities are permitted to disclose protected health information for the HIPAA covered entity's own health care operations.
``Health care operations'' are certain activities of a HIPAA covered entity that are necessary to run its business and to support the core functions of treatment and payment, including ``conducting or arranging for medical review, legal services, and auditing functions * * *.'' 45 CFR 164.501. Thus, a business operation designation by the Secretary that enables a HIPAA covered entity to disclose patient safety work product containing protected health information to professionals is permissible as health care operations disclosures under the HIPAA Privacy Rule. Generally such professionals would fall within the definition of business associate at 45 CFR 160.103 and would require a business associate agreement.

The Secretary's Business Operations Exception Designation Authority

Section 922(c)(2)(F) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(F), gives the Secretary broad authority to designate additional exceptions that are necessary for business operations and are consistent with the goals of the Patient Safety Act. At this point, we plan to designate additional exceptions only through regulation. Although the Patient Safety Act establishes that other means are available for adoption by the Secretary, which we interpret as including the publication of letters, notice within the Federal Register or publication on the Department Web site, we believe these methods may not provide for sufficient opportunity for public comment or transparency in the development of other business operations exceptions. Moreover, because an impermissible disclosure that violates a business operations exception can result in a civil money penalty, we believe it is important that any proposed business operations exception be implemented in a way that is unquestionably binding on both the public and the Department.
We invite public comments with respect to whether the Secretary should incorporate or preserve other mechanisms for the adoption of business operations exceptions, given that we cannot anticipate all potential business operations needs at this time.

(10) Proposed Sec. 3.206(b)(10)--Disclosure to Law Enforcement

Proposed Sec. 3.206(b)(10) permits the disclosure of identifiable patient safety work product to law enforcement authorities, so long as the person making the disclosure believes--and that belief is reasonable under the circumstances--that the patient safety work product disclosed relates to a crime and is necessary for criminal law enforcement purposes. Under proposed Sec. 3.208, the disclosed patient safety work product would continue to be privileged and confidential.

We view this exception as permitting, for example, a disclosure by a whistleblower who would initiate the disclosure to law enforcement. The focus of this exception is the state of mind of the subject discloser. In making a disclosure, the discloser must reasonably believe that the event constitutes a crime and that the patient safety work product disclosed is necessary for criminal law enforcement purposes. The discloser need not be correct in these determinations, but his beliefs must be objectively reasonable. This standard provides some constraint on the discloser, and further protects against a release merely in response to a request by law enforcement.

Patient safety work product received by law enforcement under this exception continues to be confidential and privileged. The law enforcement entity receiving the patient safety work product may use the patient safety work product to pursue any law enforcement purposes; however, because the patient safety work product disclosed to law enforcement entities under the Patient Safety Act and proposed Sec.
3.206(b)(10) remains privileged and confidential, the law enforcement entity can only disclose such patient safety work product--including in a court proceeding--as permitted by this proposed rule.

We further propose that a law enforcement entity be permitted to redisclose the patient safety work product it receives under this exception to other law enforcement entities as needed for law enforcement activities related to the event that gave rise to the disclosure. We seek comment regarding whether these provisions allow for legitimate law enforcement needs, while ensuring appropriate protections.

We note that disclosure pursuant to this exception does not except patient safety work product from the privilege protection. Thus, patient safety work product cannot be subpoenaed, ordered, or entered into evidence in a criminal or civil proceeding through this exception; [[Page 8152]] nor should a discloser rely solely on a law enforcement agent's statement that such information is necessary for law enforcement purposes. As already discussed, the Patient Safety Act framework permits an exception from privilege protection or law enforcement compulsion only in very narrow circumstances (see above privilege exception discussion). Under section 922(c)(1)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(A), patient safety work product may be disclosed for use in a criminal proceeding, but only after a judge has determined by means of an in camera review that the patient safety work product is material to a criminal proceeding and not reasonably available from any other source. Even after its use in such a criminal proceeding, and the lifting of the confidentiality protections with respect to such patient safety work product, the privilege protection continues.
In light of the strict privilege protections for this information, we do not interpret this law enforcement disclosure exception as allowing the disclosure of patient safety work product based on a less compelling request by law enforcement for its release. The decision as to whether a discloser reasonably believes that the patient safety work product is necessary for a law enforcement purpose is the discloser's decision alone, provided that the decision is reasonable.

While the HIPAA Privacy Rule permits disclosures by HIPAA covered entities to law enforcement under a variety of circumstances, few align well with the proposed interpretation of this exception as being limited to disclosures to law enforcement initiated by the HIPAA covered entity. Although there is a very narrow set of HIPAA Privacy Rule permissions under which a HIPAA covered entity as a holder of patient safety work product would be allowed to release patient safety work product that contains protected health information to law enforcement, we note that a HIPAA covered entity would be permitted to de-identify the protected health information, in which case only the Patient Safety Act would apply to the disclosure of the patient safety work product. If the protected health information is needed by law enforcement, the HIPAA Privacy Rule has standards that permit the release of protected health information in response to certain law enforcement processes. If such information is not patient safety work product, it would not be subject to the privilege protections of the Patient Safety Act.

(C) Proposed Sec. 3.206(c)--Safe Harbor

Proposed Sec. 3.206(c) is based on section 922(c)(2)(H) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(H).
This provision permits the disclosure of identifiable patient safety work product when that information does not include oral or written materials that either contain an assessment of the quality of care of an identifiable provider or describe or pertain to the actions or failure to act of an identifiable provider. The use of this exception is limited to persons other than PSOs. This provision essentially prohibits the disclosure of a subject provider's identity with information, whether oral or written, that: (1) Assesses that provider's quality of care; or (2) identifies specific acts attributable to such provider. Thus, a permissible disclosure may include a provider's identity, so long as no ``quality information'' about the subject provider is also disclosed and so long as it does not describe or pertain to an action or failure to act by the subject provider.

We propose that the provider identity element under this exception means the identity of any provider that is a subject of the patient safety work product. In other words, if the patient safety work product does not contain quality information about a particular provider or describe or pertain to any actions or failures to act by the provider, such provider could be identifiable within the patient safety work product disclosed pursuant to this exception. For example, if a nurse reports a patient safety event, but was not otherwise involved in the occurrence of that event, the nurse could be named in the disclosure. Providers that cannot be identified are those about whom the patient safety work product assesses the quality of care or describes or pertains to actions or failures to act of that provider. We propose that the threshold for identification of a provider will be determined in accordance with the nonidentification standard set forth in proposed Sec. 3.210.
Thus, confidential patient safety work product disclosed under this exception may identify providers, reporters or patients so long as the provider(s) that are the subject of the actions described are nonidentified.

In general, the determination with respect to the content of quality information is straightforward. We also interpret quality information to include the fact that patient safety work product exists, without the specifics of the patient safety event at issue. For example, if a provider employee discloses to a friend that a particular surgeon had an incident reported to the PSO, without actually describing this incident, the fact that the surgeon was associated with patient safety work product would be a prohibited disclosure.

This is the only exception that defines prohibited conduct, rather than permitted conduct. We recognize that institutional providers, even practitioners' offices, are communities unto themselves. We preliminarily interpret this exception as creating a narrow safe harbor for disclosures, possibly inadvertent, which may occur by a provider or other responsible person, when the patient safety work product does not reveal a link between a subject provider and the provider's quality of care or an action or failure to act by that subject provider. By proposing this provision as a safe harbor, we seek to have it available to mitigate harmless errors, rather than as a disclosure permission that may render all other disclosure permissions practically meaningless.

Under the HIPAA Privacy Rule, HIPAA covered entities are broadly permitted to disclose protected health information for the HIPAA covered entity's treatment, payment or health care operations. Otherwise, specific standards are described that limit the use and disclosure of protected health information.
If such disclosure is made by a HIPAA covered entity, it is possible that the disclosure of protected health information would be permissible as a health care operation, or as incidental to another permitted disclosure. Nevertheless, examination of whether a HIPAA Privacy Rule standard has been violated will need to be made on a case-by-case basis.

(D) Proposed Sec. 3.206(d)--Implementation and Enforcement of the Patient Safety Act

Proposed Sec. 3.206(d) permits the disclosure of relevant patient safety work product to or by the Secretary as needed for investigating or determining compliance with this Part or for enforcement of the confidentiality provisions of this Subpart or in making or supporting PSO certification or listing decisions under the Patient Safety Act and Subpart B of this regulation. This disclosure parallels the privilege exception under proposed Sec. 3.204(c). Patient safety work product disclosed under this exception remains confidential. This exception does not limit the ability of the Secretary to disclose patient safety work product in accordance with the exceptions under proposed Sec. 3.206(b) or this Part. Rather, this proposed section provides a specific permission pursuant to which [[Page 8153]] patient safety work product may be disclosed to the Secretary and the Secretary may further use such disclosed patient safety work product for compliance and enforcement purposes.

We propose to permit a disclosure of patient safety work product in order to allow the Secretary to obtain such information as is needed to implement and enforce this program, both for the purposes of enforcing the confidentiality of patient safety work product and for the oversight of PSOs.
Enforcement of the confidentiality provisions includes the imposition of civil money penalties and adherence to the prohibition against imposing a civil money penalty for a single act that violates both the Patient Safety Act and the HIPAA Privacy Rule. This exception ensures that there will not be a conflict between the confidentiality obligations of a holder of patient safety work product and other provisions that allow the Secretary access to protected information and/or require disclosure to the Secretary for enforcement purposes. See proposed Sec. Sec. 3.110, 3.210, and 3.310. Although the statute does not explicitly address this disclosure, we believe that the authority to disclose to the Secretary for these purposes is inherent in the statute, and that this disclosure is permitted and necessary to meaningfully exercise our authority to enforce against breaches of confidentiality as well as to ensure that PSOs meet their certification attestations if needed. Proposed Sec. 3.312(c) discusses the limitations on what the Secretary may do with any patient safety work product obtained pursuant to an investigation or compliance review regarding an alleged impermissible disclosure.

This proposed provision would permit the disclosure of patient safety work product to the Secretary or disclosure by the Secretary so long as such disclosure is limited to the purpose of implementation and enforcement of these proposed regulations. Such disclosure would include the introduction of patient safety work product into proceedings before ALJs or the Board under proposed Subpart D by the Secretary, as well as the disclosure during investigations by the Secretary, or activities in reviewing PSO certifications by AHRQ.
Disclosures of patient safety work product made to the Board or other parts of the Department that are received by workforce members, such as contractors operating electronic web portals or mail sorting and paper scanning services, would be permitted as a disclosure to the Secretary under this proposed provision. This provision would also permit the Board to disclose any patient safety work product in order to properly review determinations or to provide records for court review.

We believe strongly in the protection of patient safety work product as provided in the Patient Safety Act and the proposed regulations, and seek to minimize the risk of improper disclosure of patient safety work product by using and disclosing patient safety work product only in limited and necessary circumstances. With respect to disclosures to an ALJ or the Board, we note that the Board has numerous administrative, technical and physical safeguards available to protect sensitive information. For example, the Board has the authority to: Enter protective orders; hold closed hearings; redact records; anonymize names of cases and parties prior to publishing opinions; and put records under seal. It routinely maintains a controlled environment; trains staff about proper handling of confidential information; flags confidential information in records prior to archiving cases and shreds copies of case files, etc. Most importantly, understanding that any patient safety work product that is used in an enforcement proceeding is sensitive, the Board would seek to include only information in an opinion that is necessary to the decision, and omit any extraneous sensitive information that is not needed for its judgments.

This proposed provision also requires that patient safety work product disclosed to or by the Secretary must be necessary for the purpose for which the disclosure is made.
We intend that any disclosure made pursuant to this proposed provision be limited in the amount of patient safety work product disclosed to accomplish the purpose of implementation, compliance, and enforcement. We discuss our anticipated uses and protections further in proposed Subpart D.

(E) Proposed Sec. 3.206(e)--No Limitation on Authority To Limit or Delegate Disclosure or Use

Proposed Sec. 3.206(e) reflects the Patient Safety Act's rule of construction in section 922(g)(4) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(4), establishing that a person holding patient safety work product may enter into a contract that requires greater confidentiality protections or may delegate its authority to make a disclosure in accordance with this Subpart. For example, a provider may delegate its permission (which it may have as a provider) to disclose to the FDA under proposed Sec. 3.206(b)(7) to a PSO through a contractual arrangement. In such a case, the PSO would be acting on behalf of the provider in making disclosures to the FDA. Without the delegated permission, it would, in this scenario, be impermissible for the PSO to disclose identifiable patient safety work product to the FDA, and a PSO that made such a disclosure could be subject to a civil money penalty. However, if a delegation of disclosing authority exists, the delegating person would be responsible for the disclosures of the delegee. Thus, in the example above, if the PSO made an impermissible disclosure, the delegating provider could be liable under the principle of principal liability for the acts of its agent. The PSO making the disclosure could also be liable. See discussion in proposed Sec. 3.402(b). Neither the statute nor the proposed rule limits the authority of a provider to place limitations on disclosures or uses.
For example, a provider may require that a PSO remove all employee names prior to disclosing any patient safety work product despite such disclosure being permissible under this Subpart with the names included.

3. Proposed Sec. 3.208--Continued Protection of Patient Safety Work Product

Proposed Sec. 3.208 provides that the privilege and confidentiality protections continue to apply to patient safety work product when disclosed and describes the narrow circumstances when the protections terminate. Generally, when identifiable patient safety work product is disclosed, whether pursuant to a permitted exception to privilege and/or confidentiality or disclosed impermissibly, that patient safety work product continues to be privileged and confidential. Any person receiving such patient safety work product receives that patient safety work product pursuant to the privilege and confidentiality protections. The receiving person holds the patient safety work product subject to these protections and is generally bound by the same limitations on disclosure and the potential civil money penalty liability if he or she discloses the patient safety work product in a manner that warrants imposition of a civil money penalty under proposed Subpart D.

An example would be if identifiable patient safety work product is disclosed to a provider's employee for patient safety activities, the identifiable patient safety work product disclosed to the employee would be confidential and the employee would be subject to civil money penalty liability for any knowing [[Page 8154]] or reckless disclosure of the patient safety work product in identifiable form not permitted by the exceptions. Similarly, if confidential patient safety work product is received impermissibly, such as by an unauthorized computer access (i.e., hacker), the impermissible disclosure, even when unintentional, does not terminate the confidentiality.
Thus, the hacker may be subject to civil money penalty liability for impermissible disclosures of that information.

We do not require that notification of the privilege and confidentiality of patient safety work product be made with each disclosure. We also note that the Secretary does not have authority to impose a civil money penalty for an impermissible breach of the privilege protection. Rather, any breach of privilege, permissible or not, would encompass a disclosure and concurrent breach of confidentiality, subject to penalty under the CMP provisions of the Patient Safety Act and this proposed rule, unless a confidentiality exception applied. See the discussion above of confidentiality protections at proposed Sec. 3.206 and the discussion of the enforcement provisions at proposed Subpart D.

Nor do we require notification of either the confidentiality of patient safety work product or the fact that patient safety work product is being disclosed. The Secretary's authority to impose a civil money penalty is not dependent upon whether the disclosing entity or person knows that the information being disclosed is patient safety work product or whether patient safety work product is confidential (see discussion under proposed Subpart D). Thus, we do not require that the disclosure of patient safety work product be accompanied by a notice as to either the fact that the information disclosed is patient safety work product or that it is confidential. Labeling does not make information protected patient safety work product, and the failure to label patient safety work product does not remove the protection.
However, we do believe that such a notification would be beneficial to the recipient to alert such recipient to the fact that the information received should be held in a confidential manner and that knowing or reckless disclosure in violation of the confidentiality protection may subject a discloser to civil money penalties. Labeling patient safety work product may also make it easier for the provider to establish that such information is privileged patient safety work product. Also, a notification may also be prudent management for providers, PSOs, and responsible persons who could be subject to liability under agency principles for actions of disclosing agents. Moreover, such a notification policy may serve as a mitigating factor under the factors outlined under proposed Subpart D. Similarly, labeling of patient safety work product may be a good practice for the internal management of information by an entity that holds protected patient safety work product.

There are two exceptions to the continued protection of patient safety work product which terminate either the confidentiality or both the privilege and confidentiality under section 922(d)(2) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(2). The first exception to continued protection is an exception to continued confidentiality when patient safety work product is disclosed for use in a criminal proceeding, pursuant to proposed Sec. Sec. 3.204(b)(1) and 3.206(b)(1). Proposed Sec. 3.204(b)(1) is an exception to privilege for the particular proceeding at issue and does not permit the use of such patient safety work product in other proceedings or otherwise remove the privilege protection afforded such information. Thus, in the case of a criminal proceeding disclosure, the privilege continues even though the confidentiality terminates.
In other words, when a court makes an in camera determination that patient safety work product can be entered into a criminal proceeding, that information remains privileged for any future proceedings, but is no longer confidential and may be further disclosed without restriction.

The second exception to continued protection is when patient safety work product is disclosed in nonidentifiable form, pursuant to proposed Sec. Sec. 3.204(b)(4) and 3.206(b)(5). Under both of these exceptions, the patient safety work product disclosed is no longer confidential, and may be further disclosed without restriction. The termination of the continued protections is based on section 922(d)(2) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(2).

4. Proposed Sec. 3.210--Required Disclosure of Patient Safety Work Product to the Secretary

We are proposing in Sec. 3.210 that providers, PSOs, and other persons that hold patient safety work product be required to disclose such patient safety work product to the Secretary upon a determination by the Secretary that such patient safety work product is needed for the investigation and enforcement activities related to this Part, or is needed in seeking and imposing civil money penalties. Such patient safety work product disclosed to the Secretary will be excepted from privilege and confidentiality protections insofar as the Secretary has a need to use such patient safety work product for the above purposes which include: accepting, conditioning, or revoking acceptance of PSO certification or in supporting such actions. See proposed Sec. 3.206(d).

5. Proposed Sec. 3.212--Nonidentification of Patient Safety Work Product

Proposed Sec. 3.210 establishes the standard by which patient safety work product will be determined nonidentifiable. For the ease of the reader, we have discussed this standard within the context of proposed Sec.
3.206(b)(5), the confidentiality disclosure exception for nonidentifiable patient safety work product.

D. Subpart D--Enforcement Program

The authority of the Secretary to enforce the confidentiality provisions of the Patient Safety Act is intended to deter impermissible disclosures of patient safety work product. Proposed Subpart D would establish a framework to enable the Secretary to monitor and ensure compliance with this Part, procedures for imposing a civil money penalty for breach of confidentiality, and procedures for a hearing contesting a civil money penalty.

The proposed enforcement program has been designed to provide maximum flexibility to the Secretary in addressing violations of the confidentiality provisions to encourage participation in patient safety activities and achieve the goals of the Patient Safety Act while safeguarding the confidentiality and protected nature of patient safety work product under the Patient Safety Act and this part. Failures to maintain confidentiality may be serious, deleterious and broad-ranging, and, if unpunished, may discourage participation by providers in the PSO voluntary reporting system. The Secretary's enforcement authority will be exercised commensurately to respond to the nature of any such failure and the resulting harm from such failures. The proposed regulations seek to provide the Secretary with reasonable discretion, particularly in areas where the exercise of judgment is called for by the statute or proposed rules, and to avoid being overly prescriptive in areas and causing unintended adverse effects where it would be helpful to gain experience with the practical impact of the proposed rules.

The provisions of section 1128A of the Social Security Act, 42 U.S.C. 1320a-7a, apply to the imposition of a civil money penalty under section 922(f) of the Public Health Service Act, 42 U.S.C.
299b-22(f), ``in the same manner as'' they apply to the imposition of civil money penalties under section 1128A itself. Section 1128A(1) of the Social Security Act, 42 U.S.C. 1320a-7a(l), provides that a principal is liable for penalties for the actions of its agents acting within the scope of their agency. Therefore, a provider or PSO will be responsible for the actions of a workforce member when such member discloses patient safety work product in violation of the confidentiality provisions while acting within the scope of the member's agency relationship.

Proposed Sec. Sec. 3.304 through 3.314 are designed to enable the Secretary to assist with, monitor, and investigate alleged failures with respect to compliance with the confidentiality provisions. Proposed Sec. Sec. 3.304 through 3.314 would establish the processes and procedures for the Secretary to provide technical assistance with compliance, for filing complaints with the Secretary, and for investigations and compliance reviews performed by the Secretary. Proposed Sec. Sec. 3.402 through 3.426 would provide the legal basis for imposing a civil money penalty, determining the amount of a civil money penalty, implementing the prohibition on the imposition of a civil money penalty under both HIPAA and the Patient Safety Act, and issuing a notice of proposed determination to impose a civil money penalty and establishing the process that would be relevant subsequent to the issuance of such a notice, whether or not a hearing follows the issuance of the notice of proposed determination. These sections also would contain provisions on the statute of limitations, authority to settle, collection of any penalty imposed for violation of the confidentiality provisions, and public notice of the imposition of such penalties. Finally, proposed Sec.
3.504 addresses the administrative hearing phase of the enforcement process, including provisions for appellate review within HHS of a hearing decision and burden of proof in such proceedings.

Generally, proposed Subpart D is based on the HIPAA Enforcement Rule, 45 CFR Part 160, Subparts C, D and E. We have closely followed the HIPAA Enforcement Rule for several reasons. First, because civil money penalties under both the HIPAA Enforcement Rule and Patient Safety Act are based on section 1128A of the Social Security Act, 42 U.S.C. 1320a-7a, we believe there is benefit in maintaining a common approach to enforcement and appeals of such civil money penalty determinations. Second, we believe that these procedures set forth in the HIPAA Enforcement Rule, which in turn are based on the procedures established by the OIG, work and satisfactorily address issues raised and addressed in prior rulemakings by the Department and the OIG. We do not reiterate those concerns, or their resolutions, here, but they have informed our decision making on these proposed rules.

Proposed Sec. Sec. 3.504(b)-(d), (f)-(g), (i)-(k), (m), (n), (t), (w) and (x) of the proposed rule are unchanged from, or incorporate the provisions of, the HIPAA Enforcement Rule. For a full discussion of the basis for these proposed sections, please refer to the proposed and final HIPAA Enforcement Rule, published on April 18, 2005, at 70 FR 20224 (proposed) and on February 16, 2006, at 71 FR 8390 (final). Although the preamble discussion of the HIPAA Enforcement Rule pertains to the HIPAA Administrative Simplification provisions, HIPAA covered entities, and protected health information under HIPAA, we believe the same interpretations and analyses are applicable to the Patient Safety Act confidentiality provisions, providers, PSOs, and responsible persons, and patient safety work product.

Proposed Sec. Sec.
3.424 and 3.504(a), (e), (h), (l), (o)-(s), (u) and (v) of the proposed rule also are based on, or incorporate, the HIPAA Enforcement Rule, but include technical changes made in order to adapt these provisions to the Patient Safety Act confidentiality provisions. We discuss these technical changes below but refer to the proposed and final HIPAA Enforcement Rule for a substantive discussion of these proposed sections.

For the above proposed sections, while we have chosen not to repeat our discussion of the rationale for these regulations, we invite comments regarding whether any further substantive or technical changes are needed to adapt these provisions to the Patient Safety Act confidentiality provisions.

The remaining sections in Subpart D of the proposed rule reprint HIPAA Enforcement Rule provisions in their entirety or constitute substantive changes from the analogous provisions of the HIPAA Enforcement Rule. We discuss these proposed sections in full below.

1. Proposed Sec. 3.304--Principles for Achieving Compliance

Proposed Sec. 3.304(a) would establish the principle that the Secretary will seek the cooperation of providers, PSOs, and responsible persons in maintaining and preserving the confidentiality of patient safety work product, relying on the civil money penalty authority when appropriate to remediate violations. Proposed Sec. 3.304(b) provides that the Secretary may provide technical assistance to providers, PSOs, and responsible persons to help them comply with the confidentiality provisions.

We will seek to achieve compliance through technical assistance and outreach so that providers, PSOs, and responsible persons that hold patient safety work product may better understand the requirements of the confidentiality provisions and, thus, may voluntarily comply by preventing breaches.
However, we believe that the types of events that are likely to trigger complaints are actual breaches of confidentiality which will need remedial action (such events cannot be mitigated through preventive measures alone). Given the existing framework of peer review systems and other similar processes, we believe that most providers and patient safety experts already have well-established mechanisms for using sensitive information while respecting its confidentiality. Moreover, such persons will have incentives to maintain the confidentiality of patient safety work product each such person possesses in the future. Thus, while there may be situations where an issue may be resolved through technical assistance and corrective action, we anticipate that the resolution of complaints of breaches of confidentiality may warrant imposition of a civil money penalty to deter future non-compliance and similar violations. This Subpart preserves the discretion of the Secretary to enforce confidentiality in the manner that best fits the situation.

The Secretary will exercise discretion in developing a technical assistance program that may include the provision of written material when appropriate to assist persons in achieving compliance. We encourage persons to share ``best practices'' for the confidential utilization of patient safety work product. However, the absence of technical assistance or guidance may not be raised as a defense to civil money penalty liability.

2. Proposed Sec. 3.306--Complaints to the Secretary

We are proposing in Sec. 3.306 that any person may file a complaint with the Secretary if the person believes that a provider, PSO or responsible person has disclosed patient safety work product in violation of the confidentiality provisions.
A complaint-driven process would provide helpful information about the handling and disclosure of patient safety work product and could serve to identify particularly troublesome compliance problems on an early basis.

The procedures proposed in this section are modeled on those used for the HIPAA Enforcement Rule. We would require: complaints to be in writing; complainants to identify the person(s), and describe the acts, alleged to be out of compliance; and that the complainant file such complaint within 180 days of when the complainant knew or should have known that the act complained of occurred, unless this time limit is waived by the Secretary for good cause shown. We have tried to keep the requirements for filing complaints as minimal as possible to facilitate use of this process. The Secretary would also attempt to keep the identity of complainants confidential, if possible. However, we recognize that it could be necessary to disclose the identity of a complainant in order to investigate the substance of the complaint, and the rules proposed below would permit such disclosures.

For the same reason that the HIPAA Enforcement Rule adopted the ``known or should have known'' standard for filing a complaint, we require that complaints be filed within 180 days of when the complainant knew or should have known that the violation complained of occurred unless this time limit is waived by the Secretary for good cause shown. We believe that an investigation of a complaint is likely to be most effective if persons can be interviewed and documents reviewed as close to the time of the alleged violation as possible. Requiring that complaints generally be filed within a certain period of time increases the likelihood that the Secretary will be able to obtain necessary and reliable information in order to investigate allegations.
Moreover, we are taking this approach in order to encourage complainants to file complaints as soon as possible. By receiving complaints in a timely fashion, we can, if such complaints prove valid, reduce the harm caused by the violation.

In most cases, we expect that the providers, PSOs, responsible persons, and/or their employees will be aware of disclosures of patient safety work product. Nevertheless, other persons may become aware of the wrongful disclosure of patient safety work product as well. For these reasons, we do not limit who may file a complaint. We will accept complaints alleging violations from any person.

Once a complaint is received, the Secretary will notify the provider, PSO, or responsible person(s) against whom the complaint has been filed (i.e., the respondent), investigate and seek resolution to any violations based on the circumstances of the violation, in accordance with the principles for achieving compliance. In enforcing the confidentiality provisions of the Patient Safety Act, the Secretary will generally inform the respondent of the nature of any complaints received against the respondent. The Secretary will also generally afford the entity an opportunity to share information with the Secretary that may result in an early resolution.

3. Proposed Sec. 3.308--Compliance Reviews

We are proposing in Sec. 3.308 that the Secretary could conduct compliance reviews to determine whether a provider, PSO, or responsible person is in compliance. A compliance review could be based on information indicating a possible violation of the confidentiality provisions even though a formal complaint has not been filed. As is the case with a complaint investigation, a compliance review may examine the policies, practices or procedures of a respondent and may result in voluntary compliance or in a finding of a violation or no violation finding.

We believe the Secretary's ability to conduct compliance reviews should be flexible and unobstructed by limitations or required links to ongoing investigations. We do not establish any affirmative criteria for the conduct of a compliance review. Compliance reviews may be undertaken without regard to ongoing investigations or prior conduct. We recognize that cooperating with compliance reviews may create some burden and expense. However, the Secretary needs to maintain the flexibility to conduct whatever reviews are necessary to ensure compliance with the rule.

We note that, at least in the short term, HHS will be taking a case-based, complaint-driven approach to investigations and enforcement, rather than focusing resources on compliance reviews unrelated to any information or allegations of confidentiality violations.

4. Proposed Sec. 3.310--Responsibilities of Respondents

Proposed Sec. 3.310 establishes certain obligations for respondents that would be necessary to enable the Secretary to carry out the statutory role to determine their compliance with the requirements of the confidentiality provisions. Respondents would be required to maintain records as proposed in this proposed rule, participate as required in investigations and compliance reviews, and provide information to the Secretary upon demand. Respondents would also be required to disclose patient safety work product to the Secretary for investigations and compliance activities. We interpret the enforcement provision at section 922(f) of the Patient Safety Act, 42 U.S.C. 299b-22(f), to allow for such disclosure to the Secretary for the purpose of enforcing the confidentiality provisions.

Proposed Sec. 3.310(b) would require cooperation by respondents with investigations as well as compliance reviews.

Proposed Sec.
3.310(c) would provide that the Secretary must be provided access to a respondent's facilities, books, records, accounts, and other sources of information, including patient safety work product. Ordinarily, the Secretary will provide notice requesting access during normal business hours. However, if exigent circumstances exist, such as where documents might be hidden or destroyed, the Secretary may require access at any time and without notice. The Secretary will consider alternative approaches, such as subpoenas or search warrants, in seeking information from respondents that are not providers, PSOs, or a member of their workforce.

5. Proposed Sec. 3.312--Secretarial Action Regarding Complaints and Compliance Reviews

Proposed Sec. 3.312(a) provides that, if a complaint investigation or compliance review indicates noncompliance, the Secretary may attempt to resolve the matter by informal means. If the Secretary determines that the matter cannot be resolved by informal means, the Secretary will issue findings to the respondent and, if applicable, the complainant.

Proposed Sec. 3.312(a)(1) provides that, where noncompliance is indicated, the Secretary could seek to reach a resolution of the matter satisfactory to the Secretary by informal means. Informal means would include demonstrated compliance or a completed corrective action plan or other agreement. Under this provision, entering into a corrective action plan or other agreement would not, in and of itself, resolve the noncompliance; rather, the full performance by the respondent of its obligations under the corrective action plan or other agreement would be necessary to resolve the noncompliance.

Proposed Sec. Sec. 3.312(a)(2) and (3) address what notifications would be provided by the Secretary where noncompliance is indicated, based on an investigation or compliance review.
Notification under these paragraphs would not be required where the only contacts made were with the complainant to determine whether the complaint warrants investigation. Section 3.312(a)(2) proposes written notice to the respondent and, if the matter arose from a complaint, the complainant, where the matter is resolved by informal means. If the matter is not resolved by informal means, proposed Sec. 3.312(a)(3)(i) would require the Secretary to so inform the respondent and provide the respondent 30 days in which to raise any mitigating factors the Secretary should consider in imposing a civil money penalty. Section 3.312(a)(3)(ii) proposes that, where a matter is not resolved by informal means and the Secretary decides that imposition of a civil money penalty is warranted based upon a response from the respondent or expiration of the 30 day response time limit, the formal finding would be contained in the notice of proposed determination issued under proposed Sec. 3.420.

Proposed Sec. 3.312(b) provides that, if the Secretary finds, after an investigation or compliance review, no further action is warranted, the Secretary will so inform the respondent and, if the matter arose from a complaint, the complainant. This section does not apply where no investigation or compliance review has been initiated, such as where a complaint has been dismissed due to lack of jurisdiction.

Proposed Sec. 3.312(c) addresses how the Secretary will handle information obtained during the course of an investigation or compliance review. Under proposed Sec. 3.312(c)(1), identifiable patient safety work product obtained by the Secretary in connection with an investigation or compliance review under this Part remains subject to the privilege and confidentiality protections and will not be disclosed except in accordance with proposed Sec.
3.206(d), if necessary for ascertaining or enforcing compliance with this part, or as permitted by this Part or the Patient Safety Act. In other words, the Secretary, as with any other entity or person, would receive patient safety work product subject to the confidentiality and privilege requirements and protections. The proposed rule strikes a balance between these protections and enforcement, providing that the Secretary would not disclose such patient safety work product, except as may be necessary to enable the Secretary to ascertain compliance with this Part, in enforcement proceedings, or as otherwise permitted by this Part. We note that, pursuant to section 922(g)(3) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(3), as added by the Patient Safety Act, the Patient Safety Act does not affect the implementation of the HIPAA confidentiality regulations (known as the HIPAA Privacy Rule). Accordingly, we propose that the Secretary may use patient safety work product obtained in connection with an investigation hereunder to enforce the HIPAA confidentiality regulations.

Proposed Sec. 3.312(c)(2) provides that, except for patient safety work product, testimony and other evidence obtained in connection with an investigation or compliance review may be used by HHS in any of its activities and may be used or offered into evidence in any administrative or judicial proceeding. Such information would include that which is obtained from investigational subpoenas and inquiries under proposed Sec. 3.314. The Department generally seeks to protect the privacy of individuals to the fullest extent possible, while permitting the exchange of records required to fulfill its administrative and programmatic responsibilities. The Freedom of Information Act, 5 U.S.C.
552, and the HHS implementing regulation, 45 CFR Part 5, provide substantial protection for records about individuals where disclosure would constitute an unwarranted invasion of their personal privacy. Moreover, in enforcing the Patient Safety Act and its implementing regulations, OCR plans to continue its current practice of protecting its complaint files from disclosure. These files, thus, would constitute investigatory records compiled for law enforcement purposes, one of the exemptions to disclosure under the Freedom of Information Act. In the case of patient safety work product that is not otherwise subject to a statutory exception permitting disclosure, the Patient Safety Act prohibits the disclosure of such information in response to a Freedom of Information Act request. See section 922(a)(3) of the Public Health Service Act, 42 U.S.C. 299b-22(a)(3).

The Secretary continues to be subject to the existing HIPAA Enforcement Rule with respect to the use and disclosure of protected health information received by the Secretary in connection with a HIPAA Privacy Rule investigation or compliance review (see 45 CFR 160.310(c)(3)); these proposed provisions do not modify those regulations.

6. Proposed Sec. 3.314--Investigational Subpoenas and Inquiries

Proposed Sec. 3.314 provides procedures for the issuance of subpoenas to require the attendance and testimony of witnesses and the production of any other evidence, including patient safety work product, during an investigation or compliance review. We propose to issue subpoenas in the same manner as 45 CFR 160.314(a)(1)-(5) of the HIPAA Enforcement Rule, except that the term ``this part'' shall refer to 42 CFR Part 3. The language modification is necessary to reference the appropriate authority.

We also propose that the Secretary is permitted to conduct investigational inquiries in the same manner as the provisions of 45 CFR 160.314(b)(1)-(9) of the HIPAA Enforcement Rule. The referenced provisions describe the manner in which investigational inquiries will be conducted.

7. Proposed Sec. 3.402--Basis for a Civil Money Penalty

Under proposed Sec. 3.402, a person who discloses identifiable patient safety work product in knowing or reckless violation of the confidentiality provisions shall be subject to a civil money penalty of not more than $10,000 for each act constituting a violation. See section 922(f)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(f)(1).

(A) Proposed Sec. 3.402(a)--General Rule

Proposed Sec. 3.402(a) would allow the Secretary to impose a civil money penalty on any person which the Secretary determines has knowingly or recklessly violated the confidentiality provisions. This provision is based on the language in section 922(f) of the Public Health Service Act, 42 U.S.C. 299b-22(f), that ``a person who discloses identifiable patient safety work product in knowing or reckless violation of subsection (b) shall be subject to a civil money penalty of not more than $10,000 for each act constituting such violation.''

A civil money penalty may only be imposed if the Secretary first establishes a wrongful disclosure (i.e., (1) the information disclosed was identifiable patient safety work product; (2) the information was disclosed; and (3) the manner of the disclosure does not fit within any permitted exception).
If a wrongful disclosure is established, the Secretary must then determine whether the person making the disclosure acted ``knowingly'' or ``recklessly.''

The applicable law on the issue of ``knowing'' provides that ``unless the text of the statute dictates a different result, the term `knowingly' merely requires proof of knowledge of the facts that constitute the offense [rather than] a culpable state of mind or [] knowledge of the law.'' Bryan v. United States, 524 U.S. 184 (1998) (emphasis added). Applying this meaning in the context of the Patient Safety Act, the Secretary would not need to prove that the person making the disclosure knew the law (i.e., knew that the disclosed information constituted identifiable patient safety work product or that such disclosure did not meet one of the standards for a permissive disclosure in the Patient Safety Act). Rather, the Secretary would only need to show that the person knew a disclosure was being made. Although knowledge that disclosed information is patient safety work product is not required, circumstances in which a person can show no such knowledge and no reason to know such knowledge may warrant discretion by the Secretary. By contrast, as a person's opportunity for knowledge and disregard of that opportunity increases, the Secretary's compulsion to exercise discretion not to impose a penalty declines.

Where a ``knowing'' violation cannot be established, the Secretary can still impose a civil money penalty by showing that the person was reckless in making the disclosure of identifiable patient safety work product. A person acts recklessly if they are aware, or a reasonable person in their situation should be aware, that their conduct creates a substantial risk of disclosure of information and to disregard such risk constitutes a gross deviation from reasonable conduct.
A ``substantial risk'' represents a significant threshold, more than the mere possibility of disclosure of patient safety work product. Whether a risk is ``substantial'' is a fact-specific inquiry. Additionally, whether a reasonable person in the situation should know of a risk is based on context. For example, an employee whose job duties regularly involve working with sensitive patient information may be expected to know of disclosure risks of which other types of employees may reasonably be unaware.

Finally, the disregarding of the risk must be a gross deviation from reasonable conduct. This gross deviation standard is commonly used to describe reckless conduct. See, e.g., Model Penal Code Sec. 2A1.4(2006), definition of ``reckless'' for purposes of involuntary manslaughter; Black's Law Dictionary (8th ed., 2004). This does not mean that the conduct itself must be a gross deviation from reasonable conduct. Rather, the standard is whether the disregarding of the risk was a gross deviation (i.e., whether a reasonable person who is aware of the substantial risk of making an impermissible disclosure would find going forward despite the risk to be grossly unreasonable). Thus, disclosures that violate this Part and occur because an individual acted despite knowing of, or having reason to know of, a grossly unreasonable risk of disclosure are punishable by civil money penalty, regardless of whether such conduct may otherwise be widespread in the industry.

An example of a reckless disclosure of identifiable patient safety work product would be leaving a laptop unattended in a public area and accessible to unauthorized persons with identifiable patient safety work product displayed on the laptop screen. Such a situation would be reckless because it would create a substantial risk of disclosure of the information displayed on the laptop screen.
If a person did not remove the identifiable patient safety work product from the laptop screen or take other measures to prevent the public view of the laptop screen, then leaving the laptop unattended would be a disregard for the substantial risk of disclosure that would be a gross deviation from reasonable conduct. Under these circumstances, the person leaving the laptop unattended could be liable for a civil money penalty.

The use of the term ``shall be subject to'' in section 922(f) of the Public Health Service Act, 42 U.S.C. 299b-22(f), conveys authority to the Secretary to exercise discretion as to whether to impose a penalty for a knowing or reckless violation of the confidentiality provisions. Based on the nature and circumstances of a violation and whether such violation was done in a knowing or reckless manner, the Secretary may impose a civil money penalty, require a corrective action plan, or seek voluntary compliance with these regulations.

Even in cases that constitute violations of the confidentiality provisions, the Secretary may exercise discretion. For example, in a situation where a provider makes a good faith attempt to assert the patient safety work product privilege, but is nevertheless ordered by a court to make a disclosure, and the provider does so, the Secretary could elect not to impose a civil money penalty. Thus, for example, it is not the Secretary's intention to impose a civil money penalty on a provider ordered by a court to produce patient safety work product where the provider has deliberately and in good faith undertaken reasonable steps to avoid such production and is, nevertheless, faced with compelled production or being held in contempt of court.
Similarly, an individual may innocently come into possession of information, unaware of the fact that the information is patient safety work product, and may innocently share the information in a manner not permitted by the confidentiality provisions. In such circumstances, the Secretary would look at the facts and circumstances of the case and could elect not to impose a penalty. Relevant facts and circumstances might include the individual's relationship with the source of the information (e.g., whether the information originated with a health care provider or a patient safety organization for which the individual was employed); whether, and the extent to which, the individual had a basis to know the information was patient safety work product or to know that the information was confidential; to whom the information was disclosed; and the intent of the individual in making the disclosure.

(B) Proposed Sec. 3.402(b)--Violations Attributed to a Principal

The proposed rule includes a provision, at proposed Sec. 3.402(b), that addresses the liability of a principal for a violation by a principal's agent. Proposed Sec. 3.402(b) adopts the principle that the federal common law of agency applies when addressing the liability of a principal for the acts of his or her agent. Under this principle, a provider, PSO or responsible person generally can be held liable for a violation based on the actions of any agent, including an employee or other workforce member, acting within the scope of the agency or employment. This liability is separate from the underlying liability attributable to the agent and could result in a separate and exclusive civil money penalty. In other words, a principal may be liable for a $10,000 civil money penalty and an agent may be liable for a separate $10,000 civil money penalty arising from the same act that is a violation.

Section 922(f)(2) of the Public Health Service Act, 42 U.S.C. 299b-22(f)(2), provides that ``the provisions of section 1128A * * * shall apply to civil money penalties under this subsection [of the Patient Safety Act] in the same manner as such provisions apply to a penalty or proceeding under section 1128A.'' Section 1128A(l) of the Social Security Act, 42 U.S.C. 1320a-7a(l), establishes that ``a principal is liable for penalties * * * under this section for the actions of the principal's agents acting within the scope of the agency.'' This is similar [[Page 8159]] to the traditional rule of agency in which principals are vicariously liable for the acts of their agents acting within the scope of their authority. See Meyer v. Holley, 537 U.S. 280 (2003). Therefore, a provider, PSO or responsible person generally will be responsible for the actions of its workforce members within the scope of agency, such as where an employee discloses confidential patient safety work product in violation of the confidentiality provisions during the course of his or her employment.

The determination of whether or not a principal is responsible for a violation would be based on two fact-dependent determinations. First, the Secretary must find that a principal-agent relationship exists between the person doing the violative act and the principal. If a principal-agent relationship is established, then a second determination, whether the act in violation of the confidentiality provisions was within the scope of the agency, must be made. The determination as to whether an agent's conduct is outside the scope of the agency will be dependent upon the application of the federal common law of agency to the facts.
The purpose of applying the federal common law of agency to determine when a provider, PSO, or responsible person is vicariously liable for the acts of its agents is to achieve nationwide uniformity in the implementation of the confidentiality provisions and nationwide consistency in the enforcement of these rules by OCR. Reliance on State law could introduce inconsistency in the implementation of the patient safety work product confidentiality provisions by persons or entities in different States.

Federal Common Law of Agency

A principal's liability for the actions of its agents is generally governed by State law. However, the U.S. Supreme Court has provided that the federal common law of agency may be applied where there is a strong governmental interest in nationwide uniformity and a predictable standard, and when the federal rule in question is interpreting a federal statute. Burlington Indus. v. Ellerth, 524 U.S. 742 (1998).

The confidentiality and enforcement provisions of this regulation interpret a federal statute, the Patient Safety Act. Under the Patient Safety Act, there is a strong interest in nationwide uniformity in the confidentiality provisions and how those provisions are enforced. The fundamental goal of the Patient Safety Act is to promote the examination and correction of patient safety events in order to improve patient safety and create a culture of patient safety in the health care system. Therefore, it is essential for the Secretary to apply one consistent body of law regardless of where an agent is employed, an alleged violation occurred, or an action is brought. The same considerations support a strong federal interest in the predictable operation of the confidentiality provisions, to ensure that persons using patient safety work product can do so consistently so as to facilitate the appropriate exchange of information.
Thus, the tests for application of the federal common law of agency are met.

Where the federal common law of agency applies, the courts often look to the Restatement (Second) of Agency (1958) (Restatement) as a basis for explaining the common law's application. While the determination of whether an agent is acting within the scope of its authority must be decided on a case-by-case basis, the Restatement provides guidelines for this determination. Section 229 of the Restatement provides:

(1) To be within the scope of the employment, conduct must be of the same general nature as that authorized, or incidental to the conduct authorized.
(2) In determining whether or not the conduct, although not authorized, is nevertheless so similar to or incidental to the conduct authorized as to be within the scope of employment, the following matters of fact are to be considered;
(a) Whether or not the act is one commonly done by such servants;
(b) The time, place and purpose of the act;
(c) The previous relations between the master and the servant;
(d) The extent to which the business of the master is apportioned between different servants;
(e) Whether or not the act is outside the enterprise of the master or, if within the enterprise, has not been entrusted to any servant;
(f) Whether or not the master has reason to expect that such an act will be done;
(g) The similarity in quality of the act done to the act authorized;
(h) Whether or not the instrumentality by which the harm is done has been furnished by the master to the servant;
(i) The extent of departure from the normal method of accomplishing an authorized result; and
(j) Whether or not the act is seriously criminal.

In some cases, under federal agency law, a principal may be liable for an agent's acts even if the agent acts outside the scope of its authority. Restatement (Second) of Agency section 219 (1958).
However, proposed Sec. 3.402(b) would follow section 1128A(l) of the Social Security Act, 42 U.S.C. 1320a-7a(l), which limits liability for the actions of an agent to those actions that are within the scope of the agency.

Agents

Various categories of persons may be agents of a provider, PSO, or responsible person. These persons include workforce members. We propose a slightly expanded definition of ``workforce'' from the term defined in the HIPAA Privacy Rule. The proposed definition of ``workforce'' includes employees, volunteers, trainees, contractors, and other persons whose conduct, in the performance of work for a provider, PSO or responsible person, is under the direct control of such principal, whether or not they are paid by the principal. Because of the ``direct control'' language of the proposed rule, we believe that all workforce members, including those who are not employees, are agents of a principal. Under the proposed rule, a principal could be liable for a violation based on an act that is a violation by any workforce member acting within the scope of employment or agency. The determinative issue is whether a person is sufficiently under the control of a person or entity and acting within the scope of the agency. Proposed Sec. 3.402(b) creates a presumption that a workforce member is an agent of an employer.

8. Proposed Sec. 3.404--Amount of Civil Money Penalty

Proposed Sec. 3.404, the amount of the civil money penalty, is determined in accordance with section 922(f) of the Public Health Service Act, 42 U.S.C. 299b-22(f), and the provisions of this Part. Section 922(f)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(f)(1), establishes a maximum penalty amount for violations of ``not more than $10,000'' per person for each violation. The statutory cap is reflected in proposed Sec. 3.404(b).
The statute establishes only maximum penalty amounts, so the Secretary has the discretion to impose penalties that are less than the statutory maximum. This proposed regulation would not establish minimum penalties. Under proposed Sec. 3.404(a), the penalty amount would be determined using the factors set forth in proposed Sec. 3.408, subject to the statutory maximum reflected in proposed Sec. 3.404(b).

As stated in the discussion under proposed Sec. 3.402(b), a principal can be [[Page 8160]] held liable for the acts of its agent acting within the scope of the agency. Read together, with proposed Sec. 3.404(b), if a principal and an agent are determined to be liable for a single act that is a violation, the Secretary may impose a penalty of up to $10,000 against each separately. That is, the $10,000 limit applies to each person separately, not the act that was a violation. Thus, in the circumstance where an agent and a principal are determined to have violated the confidentiality provisions, the Secretary may impose a civil money penalty of up to $10,000 against the agent and a civil money penalty of up to $10,000 against the principal, for a total of $20,000 for a single act that is a violation.

9. Proposed Sec. 3.408--Factors Considered in Determining the Amount of a Civil Money Penalty

Section 1128A(d) of the Social Security Act, 42 U.S.C. 1320a-7a(d), made applicable to the imposition of civil money penalties by section 922(f)(2) of the Public Health Service Act, 42 U.S.C. 299b-22(f)(2), requires that, in determining the amount of ``any penalty,'' the Secretary shall take into account: (1) The nature of the claims and the circumstances under which they were presented, (2) the degree of culpability, history of prior offenses, and financial condition of the person presenting the claims, and (3) such other matters as justice may require.
This language establishes factors to be considered in determining the amount of a civil money penalty.

This approach is taken in other regulations that cross-reference section 1128A of the Social Security Act, 42 U.S.C. 1320a-7a, which rely on these factors for purposes of determining civil money penalty amounts. See, for example, 45 CFR 160.408. The factors listed in section 1128A(d) of the Social Security Act, 42 U.S.C. 1320a-7a(d), were drafted to apply to violations involving claims for payment under federally funded health programs. Because Patient Safety Act violations will not be about specific claims, we propose to tailor the section 1128A(d) factors to violations of the confidentiality provisions and further particularize the statutory factors by providing discrete criteria, as done in the HIPAA Enforcement Rule and the OIG regulations that implement section 1128A of the Social Security Act, 42 U.S.C. 1320a-7a. Consistent with these other regulations, and to provide more guidance to providers, PSOs, and responsible persons as to the factors that would be used in calculating civil money penalties, we propose the following detailed factors:

(1) The nature of the violation.
(2) The circumstances and consequences of the violation, including the time period during which the violation occurred; and whether the violation caused physical or financial harm or reputational damage.
(3) The degree of culpability of the respondent, including whether the violation was intentional, and whether the violation was beyond the direct control of the respondent.
(4) Any history of prior compliance with the confidentiality provisions, including violations, by the respondent, and whether the current violation is the same as or similar to prior violation(s), whether and to what extent the respondent has attempted to correct previous violations, how the respondent has responded to technical assistance from the Secretary provided in the context of a compliance effort, and how the respondent has responded to prior complaints.
(5) The financial condition of the respondent, including whether the respondent had financial difficulties that affected its ability to comply, whether the imposition of a civil money penalty would jeopardize the ability of the respondent to continue to provide health care or patient safety activities, and the size of the respondent.
(6) Such other matters as justice may require.

For further discussion of these factors, please see the preambles to the Interim Final Rule and the Final Rule for the HIPAA Enforcement Rule at 70 FR 20235-36, Apr. 18, 2005, and 71 FR 8407-09, Feb. 16, 2006. Meeting certain conditions, such as financial condition, is a fact-specific determination based upon the individual circumstances of the situation presented.

We seek comments regarding whether the above list of factors should be expanded to expressly include a factor for persons who self-report disclosures that may potentially violate the confidentiality provisions such that voluntary self-reporting would be a mitigating consideration when assessing a civil money penalty. Voluntary self-reporting may encourage persons to report breaches of confidentiality, particularly breaches that may otherwise go unnoticed, and to demonstrate the security practices that led to the discovery of the breach and how the breach has been remedied.
However, including self-reporting as a factor may be viewed incorrectly as an additional reporting obligation to report every potentially impermissible disclosure, thereby, unnecessarily increasing administrative burdens on the Department and the individuals or entities making the self-reporting, or it may interfere with obligations to identified persons, particularly when a negotiated, contractual relationship between a provider and a PSO exists that addresses how the parties are to deal with breaches.

Respondents are responsible for raising any issues that pertain to any of the factors to the Secretary within 30 days after receiving notice from the Secretary that informal resolution attempts have not resolved the issue in accordance with proposed Sec. 3.312(a)(3)(i). The Secretary is under no obligation to affirmatively raise any mitigating factor if a respondent fails to identify the issue. See proposed Sec. 3.504(p).

In many regulations that implement section 1128A of the Social Security Act, 42 U.S.C. 1320a-7a, the statutory factors and/or the discrete criteria are designated as either aggravating or mitigating. For example, at 42 CFR 1003.106(b)(3) of the OIG regulations, ``history of prior offenses'' is listed as an aggravating factor and is applicable as a factor to a narrow range of prohibited conduct. However, because proposed Sec. 3.408 will apply to a variety of persons and circumstances, we propose that factors may be aggravating or mitigating, depending on the context. For example, the factor ``time period during which the violation(s) occurred'' could be an aggravating factor if the respondent's violation went undetected for a long period of time or undetected actions resulted in multiple violations, but could be a mitigating factor if a violation was detected and corrected quickly.
This approach is consistent with other regulations implementing section 1128A of the Social Security Act, 42 U.S.C. 1320a-7a. See, for example, 45 CFR 160.408.

We propose to leave to the Secretary's discretion the decision regarding when aggravating and mitigating factors will be taken into account in determining the amount of a civil money penalty. The facts of each violation will drive the determination of whether a particular factor is aggravating or mitigating.

10. Proposed Sec. 3.414--Limitations

Proposed Sec. 3.414 sets forth the 6-year limitations period on initiating an action for imposition of a civil money penalty provided for by section 1128A(c)(1) of the Social Security Act, 42 U.S.C. 1320a-7a(c)(1). We propose the date of the occurrence of the violation be the date from which the limitation period begins.

[[Page 8161]]

11. Proposed Sec. 3.416--Authority to Settle

Proposed Sec. 3.416 states the authority of the Secretary to settle any issue or case or to compromise any penalty during the process addressed in this Part, including cases that are in hearing. The first sentence of section 1128A(f) of the Social Security Act, 42 U.S.C. 1320a-7a(f), made applicable by section 922(f)(2) of the Public Health Service Act, 42 U.S.C. 299b-22(f)(2), states, in part, ``civil money penalties * * * imposed under this section may be compromised by the Secretary.'' This authority to settle is the same as that set forth in 45 CFR 160.416 of the HIPAA Enforcement Rule.

12. Proposed Sec. 3.418--Exclusivity of Penalty

Proposed Sec. 3.418 makes clear that, except as noted below, penalties imposed under this Part are not intended to be exclusive where a violation under this Part may also be a violation of, and subject the respondent to, penalties under another federal or State law. This provision is modeled on 42 CFR 1003.108 of the OIG regulations.

Proposed Sec. 3.418(b) repeats the statutory prohibition against imposing a penalty under both the Patient Safety Act and under HIPAA for a single act or omission that constitutes a violation of both the Patient Safety Act and HIPAA. Congress recognized that there could be overlap between the confidentiality provisions and the HIPAA Privacy Rule. Because identifiable patient safety work product includes individually identifiable health information as defined under the HIPAA Privacy Rule, HIPAA covered entities could be liable for violations of the HIPAA Privacy Rule based upon a single disclosure of identifiable patient safety work product. We tentatively interpret the Patient Safety Act as only prohibiting the imposition of a civil money penalty under the Patient Safety Act when there have been civil, as opposed to criminal, penalties imposed on the respondent under the HIPAA Privacy Rule for the same single act or omission. In other words, a person could have a civil money penalty imposed against him under the Patient Safety Act as well as a criminal penalty under HIPAA for the same act or omission. However, an act that amounts to a civil violation of both the confidentiality provisions and the HIPAA Privacy Rule would be enforceable under either authority, but not both.

The decision regarding which statute applies to a particular situation will be made based upon the facts of individual situations. HIPAA covered entities that seek to disclose confidential patient safety work product that contains protected health information must know when such disclosure is permissible under both statutes.

13. Proposed Sec. 3.420--Notice of Proposed Determination

Proposed Sec. 3.420 sets forth the requirements for the notice to a respondent sent when the Secretary proposes a penalty under this Part. This notice implements the requirement for notice contained in section 1128A(c)(1) of the Social Security Act, 42 U.S.C. 1320a-7a(c)(1). These requirements are substantially the same as those in the HIPAA Enforcement Rule at 45 CFR 160.420, except for the removal of provisions related to statistical sampling.

The notice provided for in this section must be given whenever a civil money penalty is proposed. The proposed requirements of this section serve to inform any person under investigation of the basis for the Secretary's proposed civil money penalty determination. These requirements include the statutory basis for a penalty, a description of the findings of fact regarding the violation, the reasons the violation causes liability, the amount of the proposed penalty, factors considered under proposed Sec. 3.408 in determining the amount of the penalty, and instructions for responding to the notice, including the right to a hearing.

At this point in the process, the Secretary may also send a notice of proposed determination to a principal based upon liability for a violation under proposed Sec. 3.402(b).

14. Proposed Sec. 3.422--Failure To Request a Hearing

Under proposed Sec. 3.422, when a respondent does not timely request a hearing on a proposed civil money penalty, the Secretary may impose the civil money penalty or any less severe civil money penalty permitted by section 1128A(d)(5) of the Social Security Act, 42 U.S.C. 1320a-7a(d)(5). Once the time has expired for the respondent to file for an appeal, the Secretary will decide whether to impose the civil money penalty and provide notice to the respondent of the civil money penalty. If the Secretary does pursue a civil money penalty, the civil money penalty is final, and the respondent has no right to appeal a civil money penalty imposed under these circumstances. This section is similar to 45 CFR 160.422 of the HIPAA Enforcement Rule.
For purposes of determining when subsequent actions may commence, such as collection of an imposed civil money penalty, we propose that the penalty be final upon receipt of a penalty notice sent by certified mail return receipt requested.

15. Proposed Sec. 3.424--Collection of Penalty

Proposed Sec. 3.424 provides that once a determination to impose a civil money penalty has become final, the civil money penalty must be collected by the Secretary, unless compromised, and prescribes the methods for collection. We propose that civil money penalties be collected as set forth under the HIPAA Enforcement Rule at 45 CFR 160.424, except that the term ``this part'' shall refer to 42 CFR Part 3. The modification is made for the provision to refer to the appropriate authority.

16. Proposed Sec. 3.426--Notification of the Public and Other Agencies

Proposed Sec. 3.426 would implement section 1128A(h) of the Social Security Act, 42 U.S.C. 1320a-7a(h). When a civil money penalty proposed by the Secretary becomes final, section 1128A(h) of the Social Security Act, 42 U.S.C. 1320a-7a(h), directs the Secretary to notify appropriate State or local agencies, organizations, and associations and to provide the reasons for the civil money penalty. We propose to add the public generally as a group that may receive notice, in order to make the information available to anyone who must make decisions with respect to persons that have had a civil money penalty imposed for violation of the confidentiality provisions. For instance, knowledge of the imposition of a civil money penalty for violation of the Patient Safety Act could be important to hospitals, other health care organizations, health care consumers, as well as to current and future business partners throughout the industry.

The basis for this public notice portion lies in the Freedom of Information Act, 5 U.S.C. 552.
The Freedom of Information Act requires final opinions and orders made in adjudication cases to be made available for public inspection and copying. See 5 U.S.C. 552(a)(2)(A). While it is true that section 1128A(h) of the Social Security Act, 42 U.S.C. 1320a-7a(h), does not require that such notice be given to the public, neither does it prohibit such wider dissemination of that information, and nothing in section 1128A(h) of the Social Security Act, 42 U.S.C. 1320a-7a(h), suggests that it modifies the Secretary's obligations under the Freedom of Information Act. [[Page 8162]] The Freedom of Information Act requires making final orders or opinions available for public inspection and copying by ``computer telecommunication * * * or other electronic means,'' which would encompass a display on the Department's Web site. See 5 U.S.C. 552(a)(2).

A civil money penalty is considered to be final, for purposes of notification, when it is a final agency action (i.e., the time for administrative appeal has run or the adverse administrative finding has otherwise become final). The final opinion or order that is subject to the notification provisions of this section is the notice of proposed determination, if a request for hearing is not timely filed, the decision of the ALJ, if that is not appealed, or the final decision of the Board.

Currently final decisions of the ALJs and the Board are made public via the Board's Web site. See http://www.hhs.gov/dab/search.html. Such postings, however, would not include penalties that become final because a request for hearing was not filed under proposed Sec. 3.504(a). Under proposed Sec. 3.426, notices of proposed determination under proposed Sec. 3.420 that become final because a hearing has not been timely requested, would also be made available for public inspection and copying as final orders, with appropriate redaction of any patient safety work product or other confidential information, via OCR's Web site. See the OCR patient safety Web site at http://www.hhs.gov/ocr/PSQIA. By making the entire final opinion or order available to the public, the facts underlying the penalty determination and the law applied to those facts will be apparent. Given that information, the public may discern the nature and extent of the violation as well as the basis for imposition of the civil money penalty.

The regulatory language would provide for notification in such manner as the Secretary deems appropriate. Posting to a Department Web site and/or the periodic publication of a notice in the Federal Register are among the methods which the Secretary is considering using for the efficient dissemination of such information. These methods would avoid the need for the Secretary to determine which entities, among a potentially large universe, should be notified and would also permit the general public served by providers, PSOs, and responsible persons upon whom civil money penalties have been imposed--as well as their business partners--to be apprised of this fact, where that information is of interest to them. While the Secretary could provide notice to individual agencies where desired, the Secretary could, at his option, use a single public method of notice, such as posting to a Department Web site, to satisfy the obligation to notify the specified agencies and the public.

17. Proposed Sec. 3.504--Procedures for Hearings

Proposed Sec. 3.504 is a compilation of procedures related to administrative hearings on civil money penalties imposed by the Secretary.
The proposed section sets forth the authority of the ALJ, the rights and burdens of proof of the parties, requirements for the exchange of information and pre-hearing, hearing, and post-hearing processes. These individual sections are described in greater detail below.

This proposed section cross-references the HIPAA Enforcement Rule extensively due to the similar nature of the enforcement and appeal procedures, the nature of the issues and substance presented, and the parties most affected by these proposed regulations. We intend that the provisions of the HIPAA Enforcement Rule will be applied to the imposition of civil money penalties under this Subpart in the same manner as they are applied to violations of the HIPAA administrative simplification provisions, subject to any modifications set forth in proposed Sec. 3.504. We believe the best and most efficient manner of achieving this result is through explicitly referencing and adopting the relevant provisions of the HIPAA Enforcement Rule. Where modifications are necessary to address the differences between the appeals of determinations under the HIPAA Enforcement Rule and the Patient Safety Act, we have made specific exceptions that we discuss below.

We note that the recently published Notice of Proposed Rulemaking entitled ``Revisions to Procedures for the Departmental Appeals Board and Other Departmental Hearings'' (see 72 FR 73708 (December 28, 2007)) proposes to modify the HIPAA Enforcement Rule, which we reference extensively in this proposed rule. Our intent for the patient safety regulations would be to maintain the alignment between the patient safety enforcement process and the HIPAA Enforcement Rule, as stated previously. Should the amendments to the HIPAA Enforcement Rule become final based on that Notice of Proposed Rulemaking, our intent would be to incorporate those changes in any final rulemaking here.
That Notice   of Proposed Rulemaking proposes to amend 45 CFR 160.508(c) and 45 CFR   160.548, and to add a new provision, 45 CFR 160.554, providing that the   Secretary may review all ALJ decisions that the Board has declined to   review and all Board decisions for error in applying statutes,   regulations or interpretive policy.  18. Proposed Sec.  3.504(a)--Hearings Before an ALJ      Proposed Sec.  3.504(a) provides the time and manner in which a   hearing must be requested, or dismissed when not timely requested. This   proposed section applies the same regulations as the HIPAA Enforcement   Rule cited at 45 CFR 160.504(a)-(d), except that the language in   paragraph (c) of 45 CFR 160.504 following and including ``except that''   does not apply. The excluded provision refers to the ability of   respondents to raise an affirmative defense under 45 CFR 160.410(b)(1)   for which we have not adopted a comparable provision because the   provision implements a statutory defense unique to HIPAA.  19. Proposed Sec.  3.504(b)--Rights of the Parties      Proposed Sec.  3.504(b) provides that the rights of the parties not   specifically provided elsewhere in this Part shall be the same as those   provided in 45 CFR 160.506 of the HIPAA Enforcement Rule.  20. Proposed Sec.  3.504(c)--Authority of the ALJ      Proposed Sec.  3.504(c) provides that the general guidelines and   authority of the ALJ shall be the same as provided in the HIPAA   Enforcement Rule at 45 CFR 160.508(a)-(c)(4). We exclude the provision   at 45 CFR 160.508(c)(5) because there is no requirement under the   Patient Safety Act for remedied violations based on reasonable cause to   be insulated from liability for a civil money penalty.  21. Proposed Sec.  3.504(d)--Ex parte Contacts      Proposed Sec.  3.504(d) is designed to ensure the fairness of the   hearing by prohibiting ex-parte contacts with the ALJ on matters at   issue. 
We propose to incorporate the same restrictions as provided for   in the HIPAA Enforcement Rule at 45 CFR 160.510.  22. Proposed Sec.  3.504(e)--Prehearing Conferences      Proposed Sec.  3.504(e) adopts the same provisions as govern   prehearing conferences in the HIPAA Enforcement Rule at 45 CFR 160.512,   except that the term ``identifiable patient safety work product'' is   substituted for ``individually identifiable health    [[Page 8163]]    information.'' Under this proposed provision, the ALJ is required to   schedule at least one prehearing conference, in order to narrow the   issues to be addressed at the hearing and, thus, expedite the formal   hearing process, and to prescribe a timeframe for prehearings.  23. Proposed Sec.  3.504(f)--Authority To Settle      Proposed Sec.  3.504(f) adopts 45 CFR 160.514 of the HIPAA   Enforcement Rule. This proposal provides that the Secretary has   exclusive authority to settle any issue or case at any time and need   not obtain the consent of the ALJ.  24. Proposed Sec.  3.504(g)--Discovery      We propose in Sec.  3.504(g) to adopt the discovery procedures as   provided for in the HIPAA Enforcement Rule at 45 CFR 160.516. These   provisions allow limited discovery in the form of the production for   inspection and copying of documents that are relevant and material to   the issues before the ALJ. These provisions do not authorize other   forms of discovery, such as depositions and interrogatories.      Although the adoption of 45 CFR 160.516 would permit parties to   raise claims of privilege and permit an ALJ to deny a motion to compel   privileged information, a respondent could not claim privilege, and an   ALJ could not deny a motion to compel, if the Secretary seeks patient   safety work product relevant to the alleged confidentiality violation   because the patient safety work product would not be privileged under   proposed Sec.  3.204(c).      
Under this proposal, a respondent concerned with potential public   access to patient safety work product may raise the issue before the   ALJ and seek a protective order. The ALJ may, for good cause shown,   order appropriate redactions made to the record after hearing. See   proposed Sec.  3.504(s).  25. Proposed Sec.  3.504(h)--Exchange of Witness Lists, Witness   Statements, and Exhibits      Proposed Sec.  3.504(h) provides for the prehearing exchange of   certain documents, including witness lists, copies of prior statements   of witnesses, and copies of hearing exhibits. We propose that the   requirements set forth in 45 CFR 160.518 of the HIPAA Enforcement Rule   shall apply, except that the language in paragraph (a) of 45 CFR   160.518 following and including ``except that'' shall not apply. We   exclude the provisions relating to the provision of a statistical   expert's report not less than 30 days before a scheduled hearing   because we do not propose language permitting the use of statistical   sampling to estimate the number of violations.  26. Proposed Sec.  3.504(i)--Subpoenas for Attendance at Hearing      Proposed Sec.  3.504(i) provides procedures for the ALJ to issue   subpoenas for witnesses to appear at a hearing and for parties and   prospective witnesses to contest such subpoenas. We propose to adopt   the same regulations as provided at 45 CFR 160.520 of the HIPAA   Enforcement Rule.  27. Proposed Sec.  3.504(j)--Fees      Proposed Sec.  3.504(j) provides for the payment of witness fees by   the party requesting a subpoena. We propose that the fees requirements   be the same as those provided in 45 CFR 160.522 of the HIPAA   Enforcement Rule.  28. Proposed Sec.  3.504(k)--Form, Filing and Service of Papers      Proposed Sec.  3.504(k) provides requirements for documents filed   with the ALJ. We propose to adopt the requirements of 45 CFR 160.524 of   the HIPAA Enforcement Rule.  29. Proposed Sec.  
3.504(l)--Computation of Time      Proposed Sec.  3.504(l) provides the method for computing time   periods under this Part. We propose to adopt the requirements of 45 CFR   160.526 of the HIPAA Enforcement Rule, except the term ``this subpart''   shall refer to 42 CFR Part 3, Subpart D and the citation ``Sec.    3.504(a) of 42 CFR Part 3'' shall be substituted for the citation   ``Sec.  160.504.''  30. Proposed Sec.  3.504(m)--Motions      Proposed Sec.  3.504(m) provides requirements for the content of   motions and the time allowed for responses. We propose to adopt the   requirements of 45 CFR 160.528 of the HIPAA Enforcement Rule.  31. Proposed Sec.  3.504(n)--Sanctions      Proposed Sec.  3.504(n) provides the sanctions an ALJ may impose on   parties and their representatives for failing to comply with an order   or procedure, failing to defend an action, or other misconduct. We   propose to adopt the provisions of 45 CFR 160.530 of the HIPAA   Enforcement Rule.  32. Proposed Sec.  3.504(o)--Collateral Estoppel      Proposed Sec.  3.504(o) would adopt the doctrine of collateral   estoppel with respect to a final decision of an administrative agency.   Collateral estoppel means that determinations made with respect to   issues litigated and determined in a proceeding between two parties   will bind the respective parties in later disputes concerning the same   issues and parties. We propose to adopt the provisions of 45 CFR   160.532 of the HIPAA Enforcement Rule, except that the term ``a   confidentiality provision'' shall be substituted for the term ``an   administrative simplification provision''.  33. Proposed Sec.  3.504(p)--The Hearing      Proposed Sec.  3.504(p) provides for a public hearing on the   record, the burden of proof at the hearing and the admission of   rebuttal evidence. We propose to adopt the provisions of 45 CFR 160.534   of the HIPAA Enforcement Rule, except the following text shall be   substituted for Sec.  
160.534(b)(1): ``The respondent has the burden of   going forward and the burden of persuasion with respect to any   challenge to the amount of a proposed penalty pursuant to Sec. Sec.    3.404-3.408 of 42 CFR Part 3, including any factors raised as   mitigating factors.'' We propose to adopt this new language for Sec.    160.534(b)(1) because references to affirmative defenses in the   excluded text are not applicable in the context of the Patient Safety   Act as such defenses are under the HIPAA Enforcement Rule; nor does the   Patient Safety Act include provisions for the waiver or reduction of a   civil money penalty in accordance with 45 CFR 160.412.      45 CFR 160.534(c) states that the hearing must be open to the   public unless otherwise ordered by the ALJ for good cause shown. In   proposed Sec.  3.504(p) of this Subpart, we propose that good cause   shown under 45 CFR 160.534(c) may be that identifiable patient safety   work product has been introduced into evidence or is expected to be   introduced into evidence. Protecting patient safety work product is   important and is an issue about which all parties and the ALJ should be   concerned.  34. Proposed Sec.  3.504(q)--Witnesses      Under proposed Sec.  3.504(q), the ALJ may allow oral testimony to   be admitted or provided in the form of a written statement or   deposition so long as the opposing party has a sufficient opportunity   to subpoena the person whose statement is being offered. We propose to   adopt the provisions of 45 CFR 160.538 of the HIPAA Enforcement Rule,   except that the citation ``Sec.  3.504(h) of 42 CFR Part 3'' shall be   substituted for the citation ``Sec.  160.518.''    [[Page 8164]]    35. Proposed Sec.  3.504(r)--Evidence      Proposed Sec.  3.504(r) would provide guidelines for the acceptance   of evidence in hearings. We propose to adopt the provisions of 45 CFR   160.540 of the HIPAA Enforcement Rule, except that the citation ``Sec.    
3.420 of 42 CFR Part 3'' shall be substituted for the citation ``Sec.    160.420 of this part''.      In the same manner as the exception to privilege for enforcement   activities under Sec.  3.204(c) applies to proposed Sec.  3.504(g), the   exception to privilege applies under proposed Sec.  3.504(r) as well.   Although the adoption of 45 CFR 160.540(e) would permit parties to   raise claims of privilege and permit an ALJ to exclude from evidence   privileged information, a respondent could not claim privilege and an   ALJ could not exclude identifiable patient safety work product if the   Secretary seeks to introduce that patient safety work product because   disclosure of the patient safety work product would not be a violation   of the privilege and confidentiality provisions under proposed Sec.    3.204(c).  36. Proposed Sec.  3.504(s)--The Record      Proposed Sec.  3.504(s) provides for recording and transcription of   the hearing, and for the record to be available for inspection and   copying by any person. We propose to adopt the provisions at 45 CFR   160.542 of the HIPAA Enforcement Rule. We also propose to provide that   good cause for making appropriate redactions includes the presence of   identifiable patient safety work product in the record.  37. Proposed Sec.  3.504(t)--Post-Hearing Briefs      Proposed Sec.  3.504(t) provides that the ALJ has the discretion to   order post-hearing briefs, although the parties may file post-hearing   briefs in any event if they desire. We propose to adopt the provisions   of 45 CFR 160.544 of the HIPAA Enforcement Rule.  38. Proposed Sec.  3.504(u)--ALJ's Decision      Proposed Sec.  3.504(u) provides that not later than 60 days after   the filing of post-hearing briefs, the ALJ shall serve on the parties a   decision making specific findings of fact and conclusions of law. 
The   ALJ's decision is the final decision of the Secretary, and will be   final and binding on the parties 60 days from the date of service of   the ALJ decision, unless it is timely appealed by either party. We   propose to adopt the provisions of 45 CFR 160.546 of the HIPAA   Enforcement Rule, except the citation ``Sec.  3.504(v) of 42 CFR Part   3'' shall be substituted for ``Sec.  160.548.''  39. Proposed Sec.  3.504(v)--Appeal of the ALJ's Decision      Proposed Sec.  3.504(v) provides for manner and time for review of   an ALJ's decision regarding penalties imposed under this Part and   subsequent judicial review. We propose to adopt the same provisions as   45 CFR 160.548 of the HIPAA Enforcement Rule, except the following   language in paragraph (e) of 45 CFR 160.548 shall not apply: ``Except   for an affirmative defense under Sec.  160.410(b)(1) of this part.'' We   exclude this language because the Patient Safety Act does not provide   for affirmative defenses in the same manner as HIPAA.  40. Proposed Sec.  3.504(w)--Stay of the Secretary's Decision      Proposed Sec.  3.504(w) provides that a respondent may request a   stay of the effective date of a penalty pending judicial review. We   propose to adopt the provisions of 45 CFR 160.550 of the HIPAA   Enforcement Rule to govern this process.  41. Proposed Sec.  3.504(x)--Harmless Error      Proposed Sec.  3.504(x) adopts the ``harmless error'' standard as   expressed in the HIPAA Enforcement Rule at 45 CFR 160.522. This   proposed rule provides that the ALJ and the Board at every stage of the   proceeding will disregard any error or defect in the proceeding that   does not affect the substantial rights of the parties.    IV. 
Impact Statement and Other Required Analyses    Unfunded Mandates Reform Act        Section 202 of the Unfunded Mandates Reform Act requires that a   covered agency prepare a budgetary impact statement before promulgating   a rule that includes any Federal mandate that may result in the   expenditure by State, local, and Tribal governments, in the aggregate,   or by the private sector, of $100 million or more in any one year. The   Department has determined that this proposed rule would not impose a   mandate that will result in the expenditure by State, Local, and Tribal   governments, in the aggregate, or by the private sector, of more than   $100 million in any one year.    Paperwork Reduction Act        This notice of proposed rulemaking adding a new Part 3 to volume 42   of the Code of Federal Regulations contains information collection   requirements. This summary includes the estimated costs and assumptions   for the paperwork requirements related to this proposed rule. A copy of   the information collection request will be available on the PSO Web   site (http://www.pso.ahrq.gov) and can be obtained in hardcopy by contacting     Susan Grinder at the Center for Quality Improvement and Patient Safety,   AHRQ, (301) 427-1111 (o); (301) 427-1341 (fax). These paperwork   requirements have been submitted to the Office of Management and Budget   for review under number xxxx-xxxx as required by 44 U.S.C.   3507(a)(1)(c) of the Paperwork Reduction Act of 1995, as amended (PRA).   Respondents are not required to respond to any collection of   information unless it displays a current valid OMB control number.      With respect to proposed Sec.  3.102 concerning the submission of   certifications for initial and continued listing as a PSO, and of   updated information, all such information would be submitted on Form   SF-XXXX. 
To maintain its listing, a PSO must also submit a brief attestation, once every 24-month period after its initial date of listing, submitted on Form SF-XXXX, stating that it has entered contracts with two providers. We estimate that the proposed rule would create an average burden of 30 minutes annually for each entity that seeks to become a PSO to complete the necessary certification forms. Table 1 summarizes burden hours.

Table 1.--Total Burden Hours Related to Certification Forms
[Summary of all burden hours, by Provision, for PSOs]
------------------------------------------------------------------------
Provision                     Annualized burden hours
------------------------------------------------------------------------
3.112                         30 minutes.
------------------------------------------------------------------------

HHS is working with OMB to obtain approval of the associated burden in accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)) before the effective date of the final rule. Comments on this proposed information collection should be directed to Susan Grinder, by sending an e-mail to Psosupport@ahrq.hhs.gov or sending a fax to (301) 427-1341.

Under 5 CFR 1320.3(c), a covered collection of information includes the requirement by an agency of a disclosure of information to third parties by means of identical reporting, recordkeeping, or disclosure requirements, imposed on ten or more persons. The proposed rule reflects the previously established reporting requirements for breach of confidentiality applicable to business associates under HIPAA regulations requiring contracts to contain a provision requiring the business associate (in this case, the PSO) to notify

[[Page 8165]]

providers of breaches of their identifiable patient data's confidentiality or security. 
Accordingly, this reporting requirement   referenced in the regulation previously met Paperwork Reduction Act   review requirements.      The proposed rule requires in proposed Sec.  3.108(c) that a PSO   notify the Secretary if it intends to relinquish voluntarily its status   as a PSO. The entity would be required to notify the Secretary that it   has, or will soon, alert providers and other organizations from which   it has received patient safety work product or data of its intention   and provide for the appropriate disposition of the data in consultation   with each source of patient safety work product or data held by the   entity. In addition, the entity is asked to provide the Secretary with   current contact information for further communication from the   Secretary as the entity ceases operations. The reporting aspect of this   requirement is essentially an attestation that is equivalent to the   requirements for listing, continued listing, and meeting the minimum   contracts requirement. This minimal data requirement would come within   5 CFR 1320.3(h)(1) which provides an exception from PRA requirements   for affirmations, certifications, or acknowledgments as long as they   entail no burden other than that necessary to identify the respondent,   the date, the respondent's address, and the nature of the instrument.   In this case, the nature of the instrument would be an attestation that   the PSO is working with its providers for the orderly cessation of   activities. The following other collections of information that would   be required by the proposed regulation under proposed Sec.  
3.108 are   also exempt from PRA requirements pursuant to an exception in 5 CFR   1320.4 for information gathered as part of administrative   investigations and actions regarding specific parties: information   supplied in response to preliminary agency determinations of PSO   deficiencies or in response to proposed revocation and delisting (e.g.,   information providing the agency with correct facts, reporting   corrective actions taken, or appealing proposed agency revocation   decisions).    Federalism        Executive Order 13132 establishes certain requirements that an   agency must meet when it promulgates a proposed rule (and subsequent   final rule) that imposes substantial direct requirement costs on state   and local governments, preempts State law, or otherwise has Federalism   implications. The Patient Safety Act upon which the proposed regulation   is based makes patient safety work product confidential and privileged.   To the extent this would not be consistent with any state law,   including court decisions, the Federal statute would preempt such state   law or court order. The proposed rule (and subsequent final rule) will   not have any greater preemptive effect on state or local governments   than that imposed by the statute. While the Patient Safety Act does   establish new Federal confidentiality and privilege protections for   certain information, these protections only apply when health care   providers work with PSOs and new processes, such as patient safety   evaluation systems, that do not currently exist. These Federal data   protections provide a mechanism for protection of sensitive information   that could improve the quality, safety, and outcomes of health care by   fostering a non-threatening environment in which information about   adverse medical events and near misses can be discussed. 
It is hoped   that confidential analysis of patient safety events will reduce the   occurrence of adverse medical events and, thereby, reduce the costs   arising from such events, including costs incurred by state and local   governments attributable to such events.      AHRQ, in conjunction with OCR, held three public listening sessions   prior to drafting the proposed rule. Representatives of several states   participated in these sessions. In particular, states that had begun to   collect and analyze patient safety event information spoke about their   related experiences and plans. Following publication of the NPRM, AHRQ   will consult with appropriate state officials and organizations to   review the scope of the proposed rule and to specifically seek input on   federalism issues and a proposal in the rule at proposed Sec.    3.102(a)(2) that would limit the ability of public or private sector   regulatory entities to seek listing as a PSO.    Regulatory Impact Analysis        Under Executive Order 12866 (58 FR 51735, October 4, 1993), Federal   Agencies must determine whether a regulatory action is ``significant''   and, therefore, subject to OMB review and the requirements of the   Executive Order. Executive Order 12866 defines ``significant regulatory   action'' as one that is likely to result in a rule that may:      1. Have an annual effect on the economy of $100 million or more or   adversely affect in a material way the economy, a sector of the   economy, productivity, competition, jobs, the environment, public   health or safety, or state, local, or tribal government or communities.      2. Create a serious inconsistency or otherwise interfere with an   action taken or planned by another agency.      3. Materially alter the budgetary impact of entitlements, grants,   user fees, or loan programs or the rights and obligations of recipients   thereof.      4. 
Raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in the Executive Order.

AHRQ has accordingly examined the impact of the proposed rule under Executive Order 12866, the Regulatory Flexibility Act (5 U.S.C. 601-612), and the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4). Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, when regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety, and other advantages; distributive impacts; and equity). A regulatory impact analysis must be prepared for major rules with economically significant effects ($100 million or more in any one year). In the course of developing the proposed rule, AHRQ has considered the rule's costs and benefits, as mandated by Executive Order 12866. Although we cannot determine with precision the aggregate economic impact of the proposed rule, we believe that the impact may approach $100 million or more annually. HHS has determined that the proposed rule is ``significant'' also because it raises novel legal and policy issues with the establishment of a new regulatory framework, authorized by the Patient Safety Act, and imposes requirements, albeit voluntary, on entities that had not previously been subject to regulation in this area. Consequently, as required under Executive Order 12866, AHRQ conducted an analysis of the economic impact of the proposed rule.

Background

The Patient Safety Act establishes a framework for health care providers voluntarily to report information on the safety, quality, and outcomes of patient care to PSOs listed by HHS. 
The main objectives of the Patient Safety Act are to: (1) Encourage health care providers to collect and examine patient safety events more freely and consistently than they do now, (2) encourage many provider arrangements or contracts with expert PSOs to receive, aggregate, and analyze data on patient

[[Page 8166]]

safety events so that PSOs may provide feedback and assistance to the provider to improve patient safety and (3) allow the providers to improve the quality of care delivered and reduce patient risk. The Patient Safety Act provides privilege from legal discovery for patient safety work product, as well as confidentiality protections in order to foster a culture of patient safety. The Patient Safety Act does not contain mandatory reporting requirements. It does, however, require information submissions by entities that voluntarily seek to be recognized (i.e., listed) as PSOs by the Secretary.

The cost of an adverse patient safety event can be very high in terms of human life, and it also often carries a significant financial cost. The Institute of Medicine report, To Err is Human: Building a Safer Health Care System, estimates that adverse events cost the United States approximately $37.6 billion to $50 billion each year. ``Total national costs (lost income, lost household production, disability, and health care costs) of preventable adverse events (medical errors resulting in injury) are estimated to be between $17 billion and $29 billion, of which health care costs represent over one-half.'' \18\
---------------------------------------------------------------------------

\18\ Corrigan, J. M., Donaldson, M. S., Kohn, L. T., McKay, T., Pike, K. C., for the Committee on Quality of Health Care in America. To Err is Human: Building a Safer Health System. Washington, DC: National Academy Press; 2000.
---------------------------------------------------------------------------        The proposed rule was written to minimize the regulatory and   economic burden on an entity that seeks certification as a PSO in order   to collect, aggregate, and analyze confidential information reported by   health care providers. Collecting, aggregating, and analyzing   information on adverse events will allow problems to be identified,   addressed, and eventually prevented. This, in turn, will help improve   patient safety and the quality of care, while also reducing medical   costs. The following analysis of costs and benefits--both quantitative   and qualitative--includes estimates based on the best available health   care data and demonstrates that the benefits of the proposed regulation   justify the costs involved in its implementation.      The economic impact of an alternative to the proposed rule is not   discussed in the following analysis because an alternative to the   statutorily authorized voluntary framework is the existence of no new   program, which would produce no economic change or have no economic   impact, or--alternatively--a mandatory regulatory program for all   health care providers, which is not authorized by the Patient Safety   Act and which is necessarily not a realistic alternative and would   likely be much more expensive. (A guiding principle of those drafting   the regulation was to minimize the economic and regulatory burden on   those entities seeking to be PSOs and providers choosing to work with   PSOs, within the limits of the Patient Safety Act. Hence this proposed   rule represents the Department's best effort at minimal impact while   still meeting statutory provisions.)      AHRQ has relied on key findings from the literature to provide   baseline measures for estimating the likely costs and benefits of the   proposed rule. 
We believe that the costs of becoming a PSO (i.e., the   costs of applying to be listed by the Secretary) will be relatively   small, and the costs of operating a PSO will be small, in relation to   the possible cost savings that will be derived from reducing the number   of preventable adverse medical events each year.      The direct costs to individual providers of working with PSOs will   vary considerably. For an institutional or individual provider that   chooses to report readily accessible information to a PSO occasionally,   costs may be negligible. The proposed rule does not require a provider   to enter into a contract with a PSO, establish internal reporting or   analytic systems, or meet specific security requirements for patient   safety work product. A provider's costs will derive from its own choice   whether to undertake and, if so, whether to conduct or contract for   data collection, information development, or analytic functions. Such   decisions will be based on the provider's assessment of the cost and   benefits it expects to incur and achieve. As we discuss below,   hospitals in particular have developed, and can be expected to take   advantage of the protections afforded by the Patient Safety Act by   expanding data collection, information development, and analytic   functions at their institutions. We anticipate that many providers will   choose to enter into contracts with PSOs voluntarily. If providers   choose to report data routinely to a PSO, a contract will be a good   business practice. It provides greater assurance that a provider can   demonstrate, if its claims of protections are challenged, that it is   operating in full compliance with the statute. 
It enables the provider   to exert greater control over the use and sharing of its data and, in   the case of a provider that is a covered entity under the HIPAA Privacy   Rule, the provider will need to enter a business associate agreement   with a PSO for compliance with that regulation if the reported data   includes protected health information.      The following cost estimates represent an effort to develop an   ``upper bound'' on the cost impact of the proposed rule by assuming   that providers choosing to work with PSOs will follow best business   practices, take full advantage of the Patient Safety Act's protections,   and develop robust internal reporting and analytic systems, rather than   meeting the minimal requirements of the proposed rule. The cost   estimates below are based on existing hospital-based activities for   reporting patient safety events, which are likely to be similar to most   events that a PSO will analyze (namely quality and safety activities   within hospitals). While the Patient Safety Act is not limited to   hospitals, AHRQ has received indications from various stakeholder   groups that hospital providers will be the predominant provider type   initially interested in working with PSOs.  Affected Entities      To date, AHRQ has no hard information on the exact number of   interested parties that may wish to become a PSO. AHRQ estimates,   however, that 50 to 100 entities may request to become a listed PSO by   the Secretary during the first three years after publication of the   final rule. AHRQ anticipates a gradual increase in the number of   entities seeking listing as a PSO and estimates that roughly 50   entities will seek PSO certification during Year 1, 25 entities during   Year 2, and an additional 25 entities during Year 3, totaling 100 PSOs   by the end of Year 3. 
After Year 3, we anticipate that the number of   PSOs will remain about constant, with the number of new entrants   roughly equivalent to the number of PSOs that cease to operate.      Healthcare providers, especially hospitals, currently assume some   level of burden to collect, develop, and analyze patient safety event   information similar to the information that will be reported to PSOs.   We note that most institutional providers (especially larger ones)   already do some of this data gathering. AHRQ anticipates that entities   that currently operate internal patient safety event reporting systems   either may be interested in: (1) Establishing a component organization   to seek certification as a PSO; or (2) contracting with a PSO. Using   data from the 2004 American Hospital Association, AHRQ conducted an   analysis of the burden hours and likely costs associated with reporting   patient safety event information to a PSO. See below.    [[Page 8167]]    Costs      The proposed rule enables providers to receive Federal protections   for information on patient safety events that the providers choose to   collect, analyze, and report in conformity with the requirements of the   Patient Safety Act and the proposed rule. The proposed rule, consistent   with the Patient Safety Act, does not require any entity to seek   listing as a PSO and does not require any provider to work with a PSO.   While all holders of patient safety work product must avoid   impermissible disclosures of patient safety work product, we do not   impose any specific requirements that holders must meet to comply with   this obligation. The requirements of the proposed rule apply only to   entities that choose to seek listing by the Secretary as a PSO.   
Similarly, the proposed rule does not impose requirements on States or   private sector entities (including small businesses) that would result   in additional spending, that is, the government is not imposing any   direct costs on States or the private sector.      The Patient Safety Act, and therefore, the proposed rule, does   impose obligations on entities that are listed by the Secretary as   PSOs. Every PSO must carry out eight patient safety activities and   comply with seven statutory criteria during its period of listing,   including requirements related to the provision of security for patient   safety work product, the ability to receive and analyze data from   providers and assist them in implementing system improvements to   mitigate or eliminate potential risk or harm to patients from the   delivery of health care services.\19\ Because this is a new, untested,   and voluntary initiative--coupled with the fact that PSOs currently do   not exist--AHRQ does not have data on PSO fees, income, or expenses to   estimate the precise monetized and non-monetized costs and benefits of   the proposed rule. The following estimates reflect the cost of all   incremental activities required (or contemplated) by the proposed rule.  ---------------------------------------------------------------------------        \19\ These 15 requirements from the Patient Safety Act are   discussed in proposed Sec.  3.102(b). The eight patient safety   activities are defined in proposed Sec.  3.20 and the seven criteria   are specified in proposed Sec.  3.102(b)(2).  ---------------------------------------------------------------------------        For entities that seek to be listed as a PSO by the Secretary, AHRQ   assumes that most of the total costs incurred will be for the   establishment of a new organizational structure. 
AHRQ expects such   costs to vary considerably based on the types of entities that request   PSO listing (e.g., size; geographic location; setting; academic,   professional, or business affiliation; and whether or not the entity is   a component of a parent organization). It is anticipated that the   proposed rule's cost to a PSO will likely be highest in the first year   due to start-up and initial operational costs and establishment of   policies and procedures for complying with PSO regulations. PSO   operational costs will include the hiring of qualified staff, setting   up data collection and reporting systems, establishing policies and   procedures for ensuring data security and confidentiality, maintaining   a patient safety evaluation system as required by the Patient Safety   Act, and receiving and generating patient safety work product. The fact   that PSOs are new entities for which there are no existing financial   data means that estimates of the cost or charges for PSO services are a   matter of speculation at this time. Additionally, the degree to which   PSOs will exercise market power, what services they will offer, and the   impact of a competitive environment is not yet known. Based on   discussions with stakeholder groups, we believe that there will be a   number of business models that emerge for PSOs. We anticipate that many   PSOs will be components of existing organizations, which will likely   subsidize the operations of their component PSOs for some time. Despite   these limitations, AHRQ believes it can construct reasonable estimates   of the costs and benefits of the Patient Safety Act. See ``Provider--  PSO Costs and Charges'' for an explanation of why the above-mentioned   uncertainties do not preclude AHRQ from calculating overall costs,   benefits, and net benefits of the Patient Safety Act.      As noted above, the proposed rule does not require providers to   establish internal reporting or analytic systems. 
AHRQ expects,   however, that many providers will do so in order to take full advantage   of the protections of the Patient Safety Act. As a result, our   estimates reflect an upper bound on the potential costs associated with   implementation by assuming that all providers that choose to   participate will establish robust internal reporting and analytic   systems.      AHRQ recognizes that many state governments, public and private   health care purchasers, and private accrediting and certifying   organizations already employ voluntary and/or mandatory patient safety   event reporting systems. As health care organizations increasingly   focus on the monitoring of adverse events, the use of voluntary   reporting systems to detect, evaluate, and track such events has also   increased. Preliminary findings from AHRQ's Adverse Event Reporting   Survey, conducted by the RAND Corporation (RAND) and the Joint   Commission on Accreditation of Healthcare Organizations (JCAHO), show   that 98 percent of hospitals are already reporting adverse medical   events.\20\ This survey was administered to a representative sample of   2,000 hospitals, with an 81 percent response rate. Thus, it is   anticipated that the associated costs of the proposed rule for   hospitals with existing patient safety event reporting systems will be   very minimal, because the majority of these organizations already have   the institutional infrastructure and operations to carry out the data   collection activities of the proposed rule. AHRQ assumes that the   estimated 2 percent of hospitals that currently have no reporting   system are unlikely to initiate a new reporting system based on the   proposed rule, at least in the first year that PSOs are operational.  ---------------------------------------------------------------------------        \20\ RAND and Joint Commission on Accreditation of Healthcare   Organizations. 
Survey on Hospital Adverse Event Reporting Systems: Briefing on Baseline Data. August 16, 2006 Briefing.
---------------------------------------------------------------------------

Hospital Costs

    We extrapolated findings from the RAND-JCAHO survey in order to calculate the burden hours and monetized costs associated with the proposed rule, using data from the American Hospital Association's 2004 \21\ annual survey of hospitals in the United States \22\ to estimate the number of hospitals nationwide. This figure served as the denominator in our analysis. We acknowledge that, over time, not all providers working with PSOs will be hospitals; however, it is reasonable to use hospitals as a basis for our initial estimates, given the preliminary indications that hospitals will be the predominant, if not exclusive, providers submitting information to PSOs during the early years in which PSOs are operational.
---------------------------------------------------------------------------

    \21\ American Hospital Association. Fast Facts on U.S. Hospitals from AHA Hospital Statistics. November 14, 2005. Available at: http://www.aha.org/aha/resource_center/fastfacts/fast_facts_US_hospitals.html. Web Page.
    \22\ The 2005 survey results will likely be released in November 2006.
---------------------------------------------------------------------------

    Based on American Hospital Association data, there are 5,759 registered U.S. hospitals--including community hospitals, Federal hospitals, non-Federal psychiatric hospitals, non-Federal long-term care hospitals, and hospital units of institutions--in which there are 955,768 staffed operational beds.
Based on the RAND-JCAHO finding   regarding event reporting in hospitals, AHRQ calculates that 98 percent   of the 5,759 hospitals (5,644 hospitals with 936,653 staffed beds)    [[Page 8168]]    already have, and are supporting the costs of, a centralized patient   safety event reporting system.      AHRQ assumed that an institution will report an average of one   patient safety event (including no harm events and close calls) per bed   per month. Based on this assumption, AHRQ estimates that all hospitals   nationwide are currently completing a total of 11,239,832 patient   safety event reports per year. Based on the assumption that it takes 15   minutes to complete each patient safety event report, we estimate that   hospitals are already spending 2,809,958 hours per year on this   activity. At a Full-Time Equivalent (FTE) rate of $80 per hour, we   estimate that all hospitals nationwide are currently spending   approximately $224,796,634 per year on patient safety event reporting   activities.      AHRQ estimates that, once collected, it will take an additional   five minutes for hospital staff to submit patient safety event   information to a PSO. We, therefore, estimate that the total burden   hours for all hospitals nationwide to submit patient safety event   information to a PSO totals 936,653 hours annually with an associated   cost of $74,932,211 based on the assumption that all hospitals   nationwide reported all possible patient safety events (using the   heuristic of one event per bed per month).      During the first year following publication of the final rule PSOs   will be forming themselves into organizations and engaging in startup   activities. We assume that there will be a gradual increase in the   number of entities seeking listing as PSOs, beginning with a 10 percent   participation rate. 
We assume as many as 25 percent of hospitals may enter into arrangements with PSOs by the end of the first year; however, the overall effective participation rate will only average 10 percent. This assumption translates to 93,665 hours of additional burden for hospitals to report patient safety event information to PSOs with an estimated cost of $7,493,221. Assuming a 40 percent participation rate of all hospitals nationwide during the second year that PSOs are operational, there would be 374,660 burden hours with an estimated cost of $29,972,884. Assuming there is a 60 percent participation rate of all hospitals nationwide during the third year that PSOs are operational, there would be 561,990 burden hours nationwide with an estimated cost of $44,959,326. (See Table 1).

    In summary, the direct costs--which would be voluntarily incurred if all hospitals nationwide that choose to work with PSOs during the first five years also chose to establish systematic reporting systems--are projected to range from approximately $7.5 million to nearly $63.7 million in any single year, based on 10 percent to 85 percent participation rate among hospitals. These cost estimates may be high if provider institutions, such as hospitals, do not submit all the patient safety data they collect to a PSO. If only a fraction of the data is reported to a PSO, the cost estimates and burden will be proportionately reduced.

      Table 1.--Estimated Hospitals Costs To Submit Information to PSOs: 2008-2012
------------------------------------------------------------------------------------------
Year                            2008        2009        2010        2011        2012
------------------------------------------------------------------------------------------
Hospital Penetration Rate       10%         40%         60%         75%         85%
Hospital Cost                   $7.5 M      $30.0 M     $45.0 M     $56.2 M     $63.7 M
------------------------------------------------------------------------------------------

PSO Costs

    A second category of costs, in addition to incremental costs borne by hospitals, is that of the PSOs themselves. PSO cost estimates are based on estimates of organizational and consulting capabilities and statutory requirements. We followed the standard accounting format for calculating ``independent government cost estimates,'' although the categories did not seem entirely appropriate for the private sector. In order to estimate PSO costs over a five-year period, we made several assumptions about the size and operations of new PSOs. Specifically, we assumed that PSOs would be staffed modestly, relying on existing hospital activities in reporting adverse events, and that a significant proportion of PSOs are likely to be component PSOs, with support and expertise provided by a parent organization. Our assumptions are that PSOs will hire dedicated staff of 1.5 to 4 FTEs, assuming an average salary rate of $67/hour. We estimate that a significant overhead figure of 100%, coupled with 20% for General and Administrative (G&A) expenses, will cover the appreciable costs anticipated for legal, security, travel, and miscellaneous PSO expenses.

    Although we believe that the above estimates may be conservative, we also believe that PSOs will become more effective over time without increasing staff size. Finally, we estimate that the number of PSOs will increase from 50 to 100 during the first three years in which the Secretary lists PSOs and remain at 100 PSOs in subsequent years. Table 2 summarizes PSO operational costs for the first five years based on these estimates.

      Table 2.--Total PSO Operational Costs: 2008-2012
------------------------------------------------------------------------------------------
Year                            2008        2009        2010        2011        2012
------------------------------------------------------------------------------------------
Number of PSOs                  50          75          100         100         100
PSO Cost                        $61.4 M     $92.1 M     $122.8 M    $122.8 M    $122.8 M
------------------------------------------------------------------------------------------

    Table 3 presents the total estimated incremental costs related to implementation of the Patient Safety Act, based on new activities on the part of hospitals and the formation of new entities, PSOs, from 2008-2012. Estimates for total Patient Safety Act costs are $80 million in Year 1, increasing to $186.5 million in Year 5.

[[Page 8169]]

      Table 3.--Total Patient Safety Act Costs Including Hospital Costs and PSO Costs: 2008-2012
------------------------------------------------------------------------------------------
Year                            2008        2009        2010        2011        2012
------------------------------------------------------------------------------------------
Hospital Penetration Rate       10%         40%         60%         75%         85%
Hospital Cost                   $7.5 M      $30.0 M     $45.0 M     $56.2 M     $63.7 M
PSO Cost                        $61.4 M     $92.1 M     $122.8 M    $122.8 M    $122.8 M
                                ----------------------------------------------------------
    Total Cost                  $68.9 M     $122.1 M    $167.8 M    $179.0 M    $186.5 M
------------------------------------------------------------------------------------------

Provider--PSO Costs and Charges

    We have not figured into our calculations any estimates for the price of PSO services, amounts paid by hospitals and other health care providers to PSOs, PSO revenues, or PSO break-even analyses. We have not speculated about subsidies or business models. Regardless of what the costs and charges are between providers and PSOs, they will cancel each other out, as expenses to providers will become revenue to PSOs.

Benefits

    The primary benefit of the proposed rule is to provide the foundation for new, voluntary opportunities for health care providers to improve the safety, quality, and outcomes of patient care. The non-monetized benefits to public health from the proposed rule are clear, translating to improvements in patient safety, although such benefits are intangible and difficult to quantify, not only in monetary terms but also with respect to outcome measures such as years added or years with improved quality-of-life. Although AHRQ is unable to quantify the net benefits of this proposed rule precisely, it believes firmly that the proposed rule will be effective in addressing costly medical care problems in the health system that adversely affect patients, their families, their employees, and society in general. Finally, estimating the impact of the proposed rule in terms of measurable monetized and non-monetized benefits is a challenge due to a lack of baseline data on the incidence and prevalence of patient safety events themselves. In fact, one of the intended benefits of the Patient Safety Act is to provide more objective data in this important area, which will begin to allow tracking of improvement.
AHRQ has relied on key findings from the medical professional   literature to provide a qualitative description of the scope of the   problem. The Institute of Medicine reports that 44,000 to 98,000 people   die in hospitals each year as a result of adverse events.\23\ The   Harvard Medical Practice Study found a rate of 3.7 adverse events per   100 hospital admissions.\24\ Similar results were found in a   replication of this study in Colorado and Utah; adverse events were   reported at a rate of 2.9 per 100 admissions.\25\ Adverse events do not   occur only in hospitals; they also occur in physician's offices,   nursing homes, pharmacies, urgent care centers, ambulatory care   settings, and care delivered in the home.  ---------------------------------------------------------------------------        \23\ Institute of Medicine, ``To Err Is Human: Building a Safer   Health System'', 1999.      \24\ Brennan TA, Leape LL, Laird NM, et al. Incidence of Adverse   Events and Negligence in Hospitalized Patients. New England Journal   of Medicine. 1991. 324: 370-76.      \25\ Thomas EJ, Studdert DM, Burstin HR, et al. Incidence and   Types of Adverse Events and Negligent Care in Utah and Colorado.   Medical Care. 2000. 38: 261-71.  ---------------------------------------------------------------------------        The importance of evaluating the incidence and cost of adverse   events cannot be underestimated. They are not only related to possible   morbidity and mortality, but also impose a significant economic burden   on both society and the individual (patient, family, health care   workers) in terms of consumption of health care resources and lost   productivity, and in many cases avoidable pain and suffering. However,   to prevent adverse events, it may take many years for the proposed rule   to achieve its full beneficial effects, and it will remain a challenge   to track the effect of the proposed rule on the patient population and   society, generally.      
It may be possible to measure improvements in patient safety in   general descriptive terms regarding improved health outcomes. However,   it is more difficult to translate such improvements to direct monetary   savings or outcome measures that can be integrated into a single   numerical index (e.g., units of health improvement, years of life   gained). By analyzing patient safety event information, PSOs will be   able to identify patterns of failures in the health care system and   propose measures to eliminate patient safety risks and hazards as a   means to improve patient outcomes. As more information is learned about   patient safety events through data collection by the PSOs, the care   delivery environment can be redesigned to prevent adverse events in the   future. However, PSOs will not have the necessary authority to   implement recommended changes to improve patient safety in providers'   health care delivery organizations. It will be up to the providers   themselves to bring about the changes that will result in a reduction   in adverse events and a resultant improvement in the quality of care   delivered.      The submission of more comprehensive information by health care   providers regarding patient risks and hazards will likely increase the   understanding of the factors that contribute to events that adversely   affect patients. The expected benefit of this information would be   improvements in patient safety event reports and analyses, which would   translate to better patient outcomes and possible economic savings   attributable to the more efficient use of health care services. Due to   the uncertainty of the benefits and costs associated with the proposed   rule as delineated above, it is then possible only to make general   estimates of the monetary values of expected improvements in patient   outcomes, that is, savings to the healthcare system.      
We can estimate monetized benefits by referring to the Institute of   Medicine report, To Err Is Human,\26\ which estimates total national   costs of preventable adverse events to be between $17 billion and $29   billion, of which direct health care costs represent over one-half   (totaling between $8.5 billion and $14.5 billion). Based on the   assumption that PSOs may be able to reduce the preventable adverse   events by between one percent and three percent within their first five   years of operation, this reduction would amount to be between $85   million--$145 million in savings at the 1 percent level if the whole   nation were affected, and $255 million--$435 million at the 3 percent   level, if the whole nation were affected. Applying a median figure from   the Institute of Medicine range to PSOs, based on an increasing impact   from 1%-3% as it grows over the first five    [[Page 8170]]    years, we see progressively growing savings as shown in Table 4. It   should be noted that we are estimating savings by assuming a percentage   reduction of adverse events from the overall occurrence rate delineated   by the Institute of Medicine report. We are not tying the estimated   reduction to those events specifically reported to PSOs. Events that   have already occurred do not represent a potential for savings. The   presumption behind the estimated savings is that the reporting,   analysis, and institution of ameliorating policies and procedures will   result in fewer adverse events going forward because of such PSO   activities.  ---------------------------------------------------------------------------        \26\ Corrigan, J. M., Donaldson, M. S., Kohn, L. T., McKay, T.,   Pike, K. C., for the Committee on Quality of Health Care in America.   To Err Is Human: Building a Safer Health System. Washington, DC:   National Academy Press; 2000.               
      Table 4.--Total Estimated Cost Savings by Percent Reduction in Adverse Events: 2008-2012 *
----------------------------------------------------------------------------------------------------
Year                                    2008        2009        2010        2011         2012
----------------------------------------------------------------------------------------------------
Hospital Penetration Rate               10%         40%         60%         75%          85%
Percent Reduction in Adverse Events     1%          1.5%        2%          2.5%         3%
Savings                                 $11.5 M     $69 M       $138 M      $215.625 M   $293.25 M
----------------------------------------------------------------------------------------------------
* Source: Baseline figures from IOM Report, To Err Is Human, on total national health care costs associated with preventable adverse events (between 8.5 billion and 14.5 billion). Year 1 estimates are based on mid-point figures.

    It is assumed that when the proposed rule is implemented, it will have a beneficial effect on patient outcomes. Eliminating adverse events would help to ensure the greatest value possible from the billions of dollars spent on medical care in the United States.\27\ AHRQ concludes that the potential benefits of the Patient Safety Act--which encourages hospitals, doctors, and other health care providers to work voluntarily with PSOs by reporting of health care errors and enabling PSOs to analyze them to improve health care quality and safety--would justify the costs of the proposed rule.
---------------------------------------------------------------------------

    \27\ Corrigan, J. M., Donaldson, M. S., Kohn, L. T., McKay, T., Pike, K. C., for the Committee on Quality of Health Care in America. To Err Is Human: Building a Safer Health System. Washington, DC: National Academy Press; 2000.
---------------------------------------------------------------------------

    During the first five operational years of PSOs, we calculated the net benefits based on total costs and benefits. (See Table 5.) We estimate that costs of implementing the Patient Safety Act will reach break-even after 2010 and provide progressively greater benefits thereafter.

      Table 5.--Net Benefits: 2008-2012
----------------------------------------------------------------------------------------------------
Year                                    2008        2009        2010        2011         2012
----------------------------------------------------------------------------------------------------
Total Benefits                          $11.5 M     $69 M       $138 M      $215.625 M   $293.25 M
Total Costs                             $68.9 M     $122.1 M    $167.8 M    $179.0 M     $186.5 M
Net Benefits                            ($57.4) M   ($53.1) M   ($29.8) M   $36.625 M    $106.75 M
Discounted net present value at 3%      ($55.7) M   ($50.0) M   ($27.3) M   $32.5 M      $92.1 M
Discounted net present value at 7%      ($53.6) M   ($46.4) M   ($24.3) M   $27.9 M      $76.1 M
----------------------------------------------------------------------------------------------------

Confidentiality Rule

    The confidentiality provisions are included in the Patient Safety Act to encourage provider participation.
Without such protections,   providers will be reluctant to participate in the expanded reporting   and analysis of patient safety events, and low participation will   severely inhibit the opportunity to reap the benefits from efforts to   improve patient safety. The proposed rule requires any holder of   patient safety work product to maintain its confidentiality but, with   the exception of PSOs, the appropriate security measures are left to   the holder's discretion. Proposed Sec.  3.106 establishes a security   framework that PSOs must address but, even then, PSOs are given   discretion to establish the specific security standards most   appropriate to their organization. Violation of the confidentiality   provisions under the proposed rule creates a risk of liability for a   substantial civil money penalty. If a person makes a knowing or   reckless disclosure in violation of the confidentiality provisions,   that person will be subject to the enforcement process, and subject to   costs including participation in an investigation and payment of a   civil money penalty, if imposed.      While participating providers may incur some costs associated with   maintaining the confidentiality of patient safety work product (e.g.,   developing policies/procedures to keep information confidential,   safeguarding the information, training staff, etc.), those activities   and associated costs are not required by the proposed rule and are   likely minimal in light of existing procedures to meet existing   requirements on providers to maintain sensitive information as   confidential. We are proposing a scheme that places the least possible   amount of regulatory burden on participants while simultaneously   ensuring that the confidentiality provisions are effectively   implemented and balanced with the objective of encouraging the maximum   amount of participation possible. 
We were mindful of not placing   unnecessary regulatory requirements on participating entities because   this is a voluntary initiative, and we did not want entities interested   in participating to forego participation because of concerns about the   associated risk of liability for civil money penalties.    Regulatory Flexibility Act Analysis        The Regulatory Flexibility Act requires agencies to analyze   regulatory options that would minimize any significant impact of a rule   on small entities. Because the Patient Safety Act enables a broad   spectrum of entities--public, private, for-profit, and not-for-profit--  to seek certification as a PSO, there may be many different types of   organizations interested in becoming certified as a PSO that would be   affected by the proposed rule. The proposed rule minimizes possible   barriers to entry and creates a review process that is both simple and   quick. As a result, AHRQ expects that a broad range of health care   provider systems, medical specialty societies, and provider-based   membership organizations will seek listing as a PSO by the Secretary.      AHRQ preliminarily determines that the proposed rule does not have   a    [[Page 8171]]    significant impact on small businesses because it does not impose a   mandatory regulatory burden, and because the Department has made a   significant effort to promulgate regulations that are the minimum   necessary to interpret and implement the law. As stated previously,   working with PSOs is completely voluntary; the proposed rule provides   benefits in the form of legal protections that are expected to outweigh   the cost of participation from the perspective of participating   providers. AHRQ believes that the proposed rule will not have a   significant impact on a substantial number of small entities because   the proposed rules do not place small entities at a significant   competitive disadvantage to large entities. 
AHRQ does not anticipate   that there will be a disproportional effect on profits, costs, or net   revenues for a substantial number of small entities. The proposed rule   will not significantly reduce profit for a substantial number of small   entities.  Impacts on Small Entities  1. The Need for and the Objectives of the Proposed Rule      The proposed rule establishes the authorities, processes, and   requirements necessary to implement the Patient Safety Act, sections   921-926 of the Public Health Service Act, 42 U.S.C. 299b-21 to 299b-26.   The proposed rules seek to establish a streamlined process for the   Department to accept certification by entities seeking to become PSOs.   Under the proposal, PSOs will be available voluntarily to enter into   arrangements with health care providers and provide expert advice   regarding the causes and prevention of adverse patient safety events.   Information collected or developed by a health care provider or PSO,   and reported to or by a PSO, that relate to a patient safety event   would become privileged and confidential. Related deliberations would   also be protected. Persons who breached the confidentiality provisions   of the rule could be subject to civil money penalties of up to $10,000.  2. Description and Estimate of the Number of Small Entities Affected      For purposes of the Regulatory Flexibility Act, small entities   include small businesses, non-profit organizations, and government   jurisdictions. Most hospitals and many other health care providers and   suppliers are small entities, either because they are nonprofit   organizations or because they generate revenues of $6.5 million to   $31.5 million in any one year. Individuals and States are not included   in the definition of a small entity. The proposed rule would affect   most hospitals, and other health care delivery entities, plus all small   entities that are interested in becoming certified PSOs. 
Based on various stakeholder meetings, AHRQ estimates that approximately 50-100 entities may be interested in becoming listed as PSOs during the first three years following publication of the final rule. This figure is likely to stabilize over time, as some new PSOs form and some existing PSOs cease operations.

3. Impact on Small Entities

AHRQ believes that the proposed rule will not have a significant impact on a substantial number of small provider or PSO entities because the proposed rule does not place a substantial number of small entities at a significant competitive disadvantage to large entities. AHRQ does not anticipate that there will be a disproportional effect on profits, costs, or net revenues for a substantial number of small entities. The proposed rule will not significantly reduce profit for a substantial number of small entities. In fact, when fully implemented, we expect that the benefits and/or provider savings will outweigh the costs.

Compliance requirements for small entities under this proposed rule are the same as those described above for other affected entities. AHRQ has proposed only those regulations that are necessary to comply with provisions and goals of the Patient Safety Act, with the objective of encouraging the maximum participation possible. The proposed rule was written to minimize the regulatory and economic burden on any entity that seeks to be listed as a PSO by the Secretary, regardless of size. It is impossible for AHRQ to develop alternatives to the proposed rule for small entities, as the proposed rule must adhere to statutory requirements. For example, the proposed rule requires confidentiality and privilege protections and places the least amount of regulatory burden on participating players--while simultaneously ensuring that the goals of confidentiality are effectively implemented--with the objective of encouraging the maximum participation possible.
In addition, the proposed rule was written recognizing that many providers will be HIPAA covered entities, and many PSOs will be business associates, which entails certain obligations under the HIPAA Privacy Rule. Thus, this proposed rule is coordinated with existing law, to minimize the burden of compliance.

AHRQ believes that the proposed rule will not have a significant impact on small providers. The proposed rule does not impose any costs directly on providers, large or small, that choose to work with a PSO. To the extent that providers hold patient safety work product, they must prevent impermissible disclosures; however, the proposed rule does not establish requirements for how providers must meet this requirement.

Finally, it is the statutory and supporting regulatory guarantee of the confidentiality of the reporting of adverse events that will enable PSOs to operate and perform their function. Thus, while the compliance costs in the form of start-up operational costs may be substantial, the benefits that will be generated as a result of these costs will exceed the actual costs, as illustrated in Table 5.

The Secretary certifies that the proposed rule will not have a significant economic impact on a substantial number of small entities.

List of Subjects in 42 CFR Part 3

Administrative practice and procedure, Civil money penalty, Confidentiality, Conflict of interests, Courts, Freedom of information, Health, Health care, Health facilities, Health insurance, Health professions, Health records, Hospitals, Investigations, Law enforcement, Medical research, Organization and functions, Patient, Patient safety, Privacy, Privilege, Public health, Reporting and recordkeeping requirements, Safety, State and local governments, Technical assistance.

For the reasons stated in the preamble, the Department of Health and Human Services proposes to amend Title 42 of the Code of Federal Regulations by adding a new part 3 to read as follows:

PART 3--PATIENT SAFETY ORGANIZATIONS AND PATIENT SAFETY WORK PRODUCT

Subpart A--General Provisions

Sec.
3.10 Purpose.
3.20 Definitions.

Subpart B--PSO Requirements and Agency Procedures

3.102 Process and requirements for initial and continued listing of PSOs.
3.104 Secretarial actions.
3.106 Security requirements.
3.108 Correction of deficiencies, revocation, and voluntary relinquishment.
3.110 Assessment of PSO compliance.
3.112 Submissions and forms.

[[Page 8172]]

Subpart C--Confidentiality and Privilege Protections of Patient Safety Work Product

3.204 Privilege of Patient Safety Work Product.
3.206 Confidentiality of Patient Safety Work Product.
3.208 Continued protection of Patient Safety Work Product.
3.210 Required disclosure of Patient Safety Work Product to the Secretary.
3.212 Nonidentification of Patient Safety Work Product.

Subpart D--Enforcement Program

3.304 Principles for achieving compliance.
3.306 Complaints to the Secretary.
3.308 Compliance reviews.
3.310 Responsibilities of respondents.
3.312 Secretarial action regarding complaints and compliance reviews.
3.314 Investigational subpoenas and inquiries.
3.402 Basis for a civil money penalty.
3.404 Amount of a civil money penalty.
3.408 Factors considered in determining the amount of a civil money penalty.
3.414 Limitations.
3.416 Authority to settle.
3.418 Exclusivity of penalty.
3.420 Notice of proposed determination.
3.422 Failure to request a hearing.
3.424 Collection of penalty.
3.426 Notification of the public and other agencies.
3.504 Procedures for hearings.

Authority: 42 U.S.C. 216, 299b-21 through 299b-26; 42 U.S.C. 299c-6

Subpart A--General Provisions

Sec. 3.10 Purpose.

The purpose of this Part is to implement the Patient Safety and Quality Improvement Act of 2005 (Pub. L. 109-41), which amended Title IX of the Public Health Service Act (42 U.S.C. 299 et seq.) by adding sections 921 through 926, 42 U.S.C. 299b-21 through 299b-26.

Sec. 3.20 Definitions.

As used in this Part, the terms listed alphabetically below have the meanings set forth as follows:

AHRQ stands for the Agency for Healthcare Research and Quality in HHS.

ALJ stands for an Administrative Law Judge of HHS.

Board means the members of the HHS Departmental Appeals Board, in the Office of the Secretary, who issue decisions in panels of three.

Bona fide contract means:

(1) A written contract between a provider and a PSO that is executed in good faith by officials authorized to execute such contract; or

(2) A written agreement (such as a memorandum of understanding or equivalent recording of mutual commitments) between a Federal, State, Local, or Tribal provider and a Federal, State, Local, or Tribal PSO that is executed in good faith by officials authorized to execute such agreement.

Complainant means a person who files a complaint with the Secretary pursuant to Sec. 3.306.

Component organization means an entity that is either:

(1) A unit or division of a corporate organization or of a multi-organizational enterprise; or

(2) A separate organization, whether incorporated or not, that is owned, managed or controlled by one or more other organization(s), i.e., its parent organization(s).

Component PSO means a PSO listed by the Secretary that is a component organization.

Confidentiality provisions means for purposes of Subparts C and D, any requirement or prohibition concerning confidentiality established by section 921 and 922(b), (d), (g) and (i) of the Public Health Service Act, 42 U.S.C. 299b-21, 299b-22(b)-(d), (g) and (i) and the provisions, at Sec. Sec.
3.206 and 3.208, that implement the statutory prohibition on disclosure of identifiable patient safety work product.

Disclosure means the release, transfer, provision of access to, or divulging in any other manner of patient safety work product by a person holding the patient safety work product to another.

Entity means any organization or organizational unit, regardless of whether the organization is public, private, for-profit, or not-for-profit.

Group health plan means employee welfare benefit plan (as defined in section 3(1) of the Employee Retirement Income Security Act of 1974 (ERISA)) to the extent that the plan provides medical care (as defined in paragraph (2) of section 2791(a) of the Public Health Service Act, including items and services paid for as medical care) to employees or their dependents (as defined under the terms of the plan) directly or through insurance, reimbursement, or otherwise.

Health insurance issuer means an insurance company, insurance service, or insurance organization (including a health maintenance organization, as defined in 42 U.S.C. 300gg-91(b)(3)) which is licensed to engage in the business of insurance in a State and which is subject to State law which regulates insurance (within the meaning of 29 U.S.C. 1144(b)(2)). The term does not include a group health plan.

Health maintenance organization means:

(1) A Federally qualified health maintenance organization (HMO) (as defined in 42 U.S.C. 300e(a)),

(2) An organization recognized under State law as a health maintenance organization, or

(3) A similar organization regulated under State law for solvency in the same manner and to the same extent as such a health maintenance organization.

HHS stands for the United States Department of Health and Human Services.

HIPAA Privacy Rule means the regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), at 45 CFR Part 160 and Subparts A and E of Part 164.

Identifiable patient safety work product means patient safety work product that:

(1) Is presented in a form and manner that allows the identification of any provider that is a subject of the work product, or any providers that participate in, or are responsible for, activities that are a subject of the work product;

(2) Constitutes individually identifiable health information as that term is defined in the HIPAA Privacy Rule at 45 CFR 160.103; or

(3) Is presented in a form and manner that allows the identification of an individual who in good faith reported information directly to a PSO or to a provider with the intention of having the information reported to a PSO (``reporter'').

Nonidentifiable patient safety work product means patient safety work product that is not identifiable patient safety work product in accordance with the nonidentification standards set forth at Sec. 3.212.

OCR stands for the Office for Civil Rights in HHS.

Parent organization means an entity that, alone or with others, either owns a provider entity or a component organization, or has the authority to control or manage agenda setting, project management, or day-to-day operations, or the authority to review and override decisions of a component organization.

Patient Safety Act means the Patient Safety and Quality Improvement Act of 2005 (Pub. L. 109-41), which amended Title IX of the Public Health Service Act (42 U.S.C. 299 et seq.) by inserting a new Part C, sections 921 through 926, which are codified at 42 U.S.C. 299b-21 through 299b-26.

Patient safety activities means the following activities carried out by or on behalf of a PSO or a provider:

(1) Efforts to improve patient safety and the quality of health care delivery;

(2) The collection and analysis of patient safety work product;

[[Page 8173]]

(3) The development and dissemination of information with respect to improving patient safety, such as recommendations, protocols, or information regarding best practices;

(4) The utilization of patient safety work product for the purposes of encouraging a culture of safety and of providing feedback and assistance to effectively minimize patient risk;

(5) The maintenance of procedures to preserve confidentiality with respect to patient safety work product;

(6) The provision of appropriate security measures with respect to patient safety work product;

(7) The utilization of qualified staff; and

(8) Activities related to the operation of a patient safety evaluation system and to the provision of feedback to participants in a patient safety evaluation system.

Patient safety evaluation system means the collection, management, or analysis of information for reporting to or by a PSO.

Patient safety organization (PSO) means a private or public entity or component thereof that currently is listed as a PSO by the Secretary in accordance with Subpart B. A health insurance issuer or a component organization of a health insurance issuer may not be a PSO. See also the exclusion in proposed Sec. 3.102 of this Part.

Patient safety work product (PSWP).

(1) Except as provided in paragraph (2) of this definition, patient safety work product means any data, reports, records, memoranda, analyses (such as root cause analyses), or written or oral statements (or copies of any of this material)

(i)(A) Which are assembled or developed by a provider for reporting to a PSO and are reported to a PSO; or

(B) Are developed by a PSO for the conduct of patient safety activities; and which could improve patient safety, health care quality, or health care outcomes; or

(ii) Which identify or constitute the deliberations or analysis of, or identify the fact of reporting pursuant to, a patient safety evaluation system.

(2)(i) Patient safety work product does not include a patient's medical record, billing and discharge information, or any other original patient or provider information; nor does it include information that is collected, maintained, or developed separately, or exists separately, from a patient safety evaluation system. Such separate information or a copy thereof reported to a PSO shall not by reason of its reporting be considered patient safety work product.

(ii) Nothing in this part shall be construed to limit information that is not patient safety work product from being:

(A) Discovered or admitted in a criminal, civil or administrative proceeding;

(B) Reported to a Federal, State, local or tribal governmental agency for public health or health oversight purposes; or

(C) Maintained as part of a provider's recordkeeping obligation under Federal, State, local or tribal law.

Person means a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.

Provider means:

(1) An individual or entity licensed or otherwise authorized under State law to provide health care services, including--

(i) A hospital, nursing facility, comprehensive outpatient rehabilitation facility, home health agency, hospice program, renal dialysis facility, ambulatory surgical center, pharmacy, physician or health care practitioner's office (includes a group practice), long term care facility, behavior health residential treatment facility, clinical laboratory, or health center; or

(ii) A physician, physician assistant, registered nurse, nurse practitioner, clinical nurse specialist, certified registered nurse anesthetist, certified nurse midwife, psychologist, certified social worker, registered dietitian or nutrition professional, physical or occupational therapist, pharmacist, or other individual health care practitioner;

(2) Agencies, organizations, and individuals within Federal, State, local, or Tribal governments that deliver health care, organizations engaged as contractors by the Federal, State, local, or Tribal governments to deliver health care, and individual health care practitioners employed or engaged as contractors by the Federal, State, local, or Tribal governments to deliver health care; or

(3) A parent organization that has a controlling interest in one or more entities described in paragraph (1)(i) of this definition or a Federal, State, local, or Tribal government unit that manages or controls one or more entities described in (1)(i) or (2) of this definition.

Research has the same meaning as the term is defined in the HIPAA Privacy Rule at 45 CFR 164.501.

Respondent means a provider, PSO, or responsible person who is the subject of a complaint or a compliance review.

Responsible person means a person, other than a provider or a PSO, who has possession or custody of identifiable patient safety work product and is subject to the confidentiality provisions.

Workforce means employees, volunteers, trainees, contractors, and other persons whose conduct, in the performance of work for a provider, PSO or responsible person, is under the direct control of such provider, PSO or responsible person, whether or not they are paid by the provider, PSO or responsible person.

Subpart B--PSO Requirements and Agency Procedures

Sec. 3.102 Process and requirements for initial and continued listing of PSOs.

(a) Eligibility and process for initial and continued listing.

(1) Submission of Certification. Any entity, except as specified in paragraph (a)(2) of this section, may request from the Secretary an initial or continued listing as a PSO by submitting a completed certification form that meets the requirements of this section, in accordance with the submission requirements at Sec. 3.112. An individual with authority to make commitments on behalf of the entity seeking listing will be required to acknowledge each of the certification requirements, attest that the entity meets each requirement, provide contact information for the entity, and certify that the PSO will promptly notify the Secretary during its period of listing if it can no longer comply with any of the criteria in this section.

(2) Restrictions on certain entities. Entities that may not seek listing as a PSO include: health insurance issuers or components of health insurance issuers. Any other entity, public or private, that conducts regulatory oversight of health care providers, such as accreditation or licensure, may not seek listing, except that a component of such an entity may seek listing as a component PSO.
An applicant completing the required certification forms described in paragraph (a)(1) of this section will be required to attest that the entity is not subject to the restrictions of this paragraph.

(b) Fifteen general PSO certification requirements. The certifications submitted to the Secretary in accordance with paragraph (a)(1) of this section must conform to the following 15 requirements:

(1) Required certification regarding eight patient safety activities. An entity seeking initial listing as a PSO must certify that it has written policies and procedures in place to perform each of the eight patient safety activities, [[Page 8174]] defined in Sec. 3.20. Such policies and procedures will provide for compliance with the confidentiality provisions of subpart C of this part and the appropriate security measures required by Sec. 3.106 of this subpart. A PSO seeking continued listing must certify that it is performing, and will continue to perform, each of the patient safety activities, and is and will continue to comply with subpart C of this part and the security requirements referenced in the preceding sentence.

(2) Required certification regarding seven PSO criteria. In its initial certification submission, an entity must also certify that it will comply with the additional seven requirements in paragraphs (b)(2)(i) through (b)(2)(vii) of this section. A PSO seeking continued listing must certify that it is complying with, and will continue to comply with, the requirements of this paragraph.

(i) The mission and primary activity of a PSO must be to conduct activities that are to improve patient safety and the quality of health care delivery.

(ii) The PSO must have appropriately qualified workforce members, including licensed or certified medical professionals.

(iii) The PSO, within the 24-month period that begins on the date of its initial listing as a PSO, and within each sequential 24-month period thereafter, must have entered into 2 bona fide contracts, each of a reasonable period of time, each with a different provider for the purpose of receiving and reviewing patient safety work product.

(iv) The PSO is not a health insurance issuer, and is not a component of a health insurance issuer.

(v) The PSO must make disclosures to the Secretary as required under Sec. 3.102(d), in accordance with Sec. 3.112 of this subpart.

(vi) To the extent practical and appropriate, the PSO must collect patient safety work product from providers in a standardized manner that permits valid comparisons of similar cases among similar providers.

(vii) The PSO must utilize patient safety work product for the purpose of providing direct feedback and assistance to providers to effectively minimize patient risk.

(c) Additional certifications required of component organizations. In addition to meeting the 15 general PSO certification requirements of paragraph (b) of this section, an entity seeking initial listing that is a component of another organization or enterprise must certify that it will comply with the requirements of paragraphs (c)(1) through (c)(3) of this section. A component PSO seeking continued listing must certify that it is complying with, and will continue to comply with, the requirements of this paragraph.

(1) Separation of patient safety work product.

(i) A component PSO must:

(A) Maintain patient safety work product separately from the rest of the parent organization(s) of which it is a part; and

(B) Not have a shared information system that could permit access to its patient safety work product to an individual(s) in, or unit(s) of, the rest of the parent organization(s) of which it is a part.

(ii) Notwithstanding the requirements of paragraph (c)(1)(i) of this section, a component PSO may provide access to identifiable patient safety work product to an individual(s) in, or a unit(s) of, the rest of the parent organization(s) of which it is a part if the component PSO enters into a written agreement with such individuals or units that requires that:

(A) The component PSO will only provide access to identifiable patient safety work product to enable such individuals or units to assist the component PSO in its conduct of patient safety activities, and

(B) Such individuals or units that receive access to identifiable patient safety work product pursuant to such written agreement will only use or disclose such information as specified by the component PSO to assist the component PSO in its conduct of patient safety activities, will take appropriate security measures to prevent unauthorized disclosures and will comply with the other certifications the component has made pursuant to paragraphs (c)(2) and (c)(3) of this section regarding unauthorized disclosures and conflicts with the mission of the component PSO.

(2) Nondisclosure of patient safety work product. A component PSO must require that members of its workforce and any other contractor staff, or individuals in, or units of, its parent organization(s) that receive access in accordance with paragraph (c)(1)(ii) of this section to its identifiable patient safety work product, not be engaged in work for the parent organization(s) of which it is a part, if the work could be informed or influenced by such individuals' knowledge of identifiable patient safety work product, except for individuals whose other work for the rest of the parent organization(s) is solely the provision of clinical care.

(3) No conflict of interest.
The pursuit of the mission of a component PSO must not create a conflict of interest with the rest of the parent organization(s) of which it is a part.

(d) Required notifications. PSOs must meet the following notification requirements:

(1) Notification regarding PSO compliance with the minimum contract requirement. No later than 45 calendar days prior to the last day of the applicable 24-month assessment period, specified in paragraph (b)(2)(iii) of this section, the Secretary must receive from a PSO a certification that states whether it has met the requirement of that paragraph regarding two bona fide contracts, in accordance with Sec. 3.112 of this subpart.

(2) Notification regarding a PSO's relationships with its contracting providers. A PSO must submit to the Secretary a disclosure statement, in accordance with Sec. 3.112 of this subpart, regarding its relationships with each provider with which the PSO has a contract pursuant to the Patient Safety Act if the circumstances described in either paragraph (d)(2)(i) or (d)(2)(ii) of this section are applicable. The Secretary must receive a disclosure statement within 45 days of the date on which a PSO enters a contract with a provider if the circumstances are met on the date the contract is entered. During the contract period, if a PSO subsequently enters one or more relationships with a contracting provider that create the circumstances described in paragraph (d)(2)(i) of this section or a provider exerts any control over the PSO of the type described in paragraph (d)(2)(ii) of this section, the Secretary must receive a disclosure statement from the PSO within 45 days of the date that the PSO entered each new relationship or of the date on which the provider imposed control of the type described in paragraph (d)(2)(ii).

(i) Taking into account all relationships that the PSO has with the provider, other than the bona fide contract entered into pursuant to the Patient Safety Act, the PSO must fully disclose any other contractual, financial, or reporting relationships described below that it has with that provider.

(A) Contractual relationships which are not limited to relationships based on formal contracts but also encompass relationships based on any oral or written agreement or any arrangement that imposes responsibilities on the PSO.

(B) Financial relationships including any direct or indirect ownership or investment relationship between the PSO and the contracting provider, shared or common financial interests or direct or indirect compensation [[Page 8175]] arrangement, whether in cash or in-kind.

(C) Reporting relationships including any relationship that gives the provider access to information or control, directly or indirectly, over the work of the PSO that is not available to other contracting providers.

(ii) Taking into account all relationships that the PSO has with the provider, the PSO must fully disclose if it is not independently managed or controlled, or if it does not operate independently from, the contracting provider. In particular, the PSO must further disclose whether the contracting provider has exercised or imposed any type of management control that could limit the PSO's ability to fairly and accurately perform patient safety activities and fully describe such control(s).

(iii) PSOs may also describe or include in their disclosure statements, as applicable, any agreements, stipulations, or procedural safeguards that have been created to protect the ability of the PSO to operate independently or information that indicates the limited impact or insignificance of its financial, reporting, or contractual relationships with a contracting provider.

Sec.
3.104 Secretarial actions.

(a) Actions in response to certification submissions for initial and continued listing as a PSO. (1) In response to an initial or continued certification submission by an entity, pursuant to the requirements of Sec. 3.102 of this subpart, the Secretary may--

(i) Accept the certification submission and list the entity as a PSO, or maintain the listing of a PSO, if the Secretary determines that the entity meets the applicable requirements of the Patient Safety Act and this subpart;

(ii) Deny acceptance of a certification submission and, in the case of a currently listed PSO, remove the entity from the list if the entity does not meet the applicable requirements of the Patient Safety Act and this subpart; or

(iii) Condition the listing of an entity, or continued listing of a PSO, following a determination made pursuant to paragraph (c) of this section.

(2) Basis of determination. In making a determination regarding listing, the Secretary will consider the certification submission; any prior actions by the Secretary regarding the entity or PSO including delisting; any history of or current non-compliance by the entity or the PSO with statutory or regulatory requirements or requests from the Secretary; the relationships of the entity or PSO with providers; and any findings made by the Secretary in accordance with paragraph (c) of this section.

(3) Notification. The Secretary will notify in writing each entity of action taken on its certification submission for initial or continued listing. The Secretary will provide reasons when an entity's certification is conditionally accepted and the entity is conditionally listed, when an entity's certification is not accepted and the entity is not listed, or when acceptance of its certification is revoked and the entity is delisted.

(b) Actions regarding PSO compliance with the minimum contract requirement.
When the Secretary receives notification required by Sec. 3.102(d)(1) of this subpart that the PSO has met the minimum contract requirement, the Secretary will acknowledge in writing receipt of the notification and add information to the list established pursuant to paragraph (d) of this section stating that the PSO has certified that it has met the requirement. If the PSO states that it has not yet met the minimum contract requirement, or if notice is not received by the date specified in Sec. 3.102(d)(1) of this subpart, the Secretary will issue to the PSO a notice of a preliminary finding of deficiency as specified in Sec. 3.108(a)(2) and establish a period for correction that extends until midnight of the last day of the PSO's applicable 24-month period of assessment. Immediately thereafter, if the requirement has not been met, the Secretary will provide the PSO a written notice of proposed revocation and delisting in accordance with Sec. 3.108(a)(3) of this subpart.

(c) Actions regarding required disclosures by PSOs of relationships with contracting providers. The Secretary will review and make findings regarding each disclosure statement submitted by a PSO, pursuant to Sec. 3.102(d)(2) of this subpart, regarding its relationships with contracting provider(s), determine whether such findings warrant action regarding the listing of the PSO, and make the findings public.

(1) Basis of findings regarding PSO disclosure statements. In reviewing disclosure statements, submitted pursuant to Sec. 3.102(d)(2) of this subpart, the Secretary will consider the nature, significance, and duration of the disclosed relationship(s) between the PSO and the contracting provider and will determine whether the PSO can fairly and accurately perform the required patient safety activities.

(2) Determination by the Secretary.
Based on the Secretary's review   and findings, he may choose to take any of the following actions:      (i) For an entity seeking an initial or continued listing, the   Secretary may list or continue the listing of an entity without   conditions, list the entity subject to conditions, or deny the entity's   certification for initial or continued listing; or      (ii) For a listed PSO, the Secretary may determine that the entity   will remain listed without conditions, continue the entity's listing   subject to conditions, or remove the entity from listing.      (3) Release of disclosure statements and Secretarial findings.      (i) Subject to paragraph (c)(3)(ii) of this section, the Secretary   will make disclosure statements available to the public along with   related findings that are made available in accordance with paragraph   (c) of this section.      (ii) The Secretary may withhold information that is exempt from   public disclosure under the Freedom of Information Act.      (d) Maintaining a list of PSOs. The Secretary will compile and   maintain a publicly available list of entities whose certifications as   PSOs have been accepted. The list will include contact information for   each entity, a copy of all certification forms and disclosure   statements submitted by each entity, the effective date of the PSO's   listing, and information on whether a PSO has certified that it has met   the two-contract requirement. The list also will include a copy of the   Secretary's findings regarding each disclosure statement submitted by   an entity, information describing any related conditions that have been   placed by the Secretary on the listing of an entity as a PSO, and other   information that this Subpart states may be made public. AHRQ will   establish a PSO Web site (or a comparable future form of public notice)   and may post the list on this Web site.      (e) Three-year period of listing. 
(1) The period of listing of a   PSO will be for a three-year period, unless the listing is revoked or   relinquished prior to the expiration of the three-year period, in   accordance with Sec.  3.108 of this subpart.      (2) The Secretary will send a written notice of imminent expiration   to a PSO at least 45 calendar days prior to the date on which its   three-year period of listing expires if the Secretary has not received   a certification for continued listing.      (f) Effective dates of Secretarial actions. Unless otherwise   stated, the effective date of each action by the Secretary pursuant to   this subpart will be specified in the written notice of such action   that is sent to the entity. When the Secretary sends a notice that   addresses acceptance or revocation of an    [[Page 8176]]    entity's certifications or voluntary relinquishment by an entity of its   status as a PSO, the notice will specify the effective date and time of   listing or delisting.      Sec.  3.106  Security requirements.        (a) Application. A PSO must provide security for patient safety   work product that conforms to the security requirements of paragraph   (b) of this section. These requirements must be met at all times and at   any location at which the PSO, its workforce members, or its   contractors hold patient safety work product.      (b) Security framework. PSOs must consider the following framework   for the security of patient safety work product. The framework includes   four elements: security management, separation of systems, security   monitoring and control, and system assessment. To address the four   elements of this framework, a PSO must develop appropriate and scalable   security standards, policies, and procedures that are suitable for the   size and complexity of its organization.      (1) Security management. 
A PSO must address:      (i) Maintenance and effective implementation of written policies   and procedures that conform to the requirements of this section to   protect the confidentiality, integrity, and availability of the patient   safety work product that is processed, stored, and transmitted; and to   monitor and improve the effectiveness of such policies and procedures,   and      (ii) Training of the PSO workforce and PSO contractors who access   or hold patient safety work product regarding the requirements of the   Patient Safety Act, this Part, and the PSO's policies and procedures   regarding the confidentiality and security of patient safety work   product.      (2) Separation of Systems. A PSO must address:      (i) Maintenance of patient safety work product, whether in   electronic or other media, physically and functionally separate from   any other system of records;      (ii) Protection of the media, whether in electronic, paper, or   other format, that contain patient safety work product, limiting access   to authorized users, and sanitizing and destroying such media before   disposal or release for reuse; and      (iii) Physical and environmental protection, to control and limit   physical and virtual access to places and equipment where patient   safety work product is stored or used.      (3) Security control and monitoring. A PSO must address:      (i) Identification of those authorized to have access to patient   safety work product and an audit capacity to detect unlawful,   unauthorized, or inappropriate access to patient safety work product,   and      (ii) Measures to prevent unauthorized removal, transmission or   disclosure of patient safety work product.      (4) Security assessment. A PSO must address:      (i) Periodic assessments of security risks and controls, as   determined appropriate by the PSO, to establish if its controls are   effective, to correct any deficiency identified, and to reduce or   eliminate any vulnerabilities.  
    (ii) System and communications protection, to monitor, control, and   protect PSO uses, communications, and transmissions involving patient   safety work product to and from providers and any other responsible   persons.      Sec.  3.108  Correction of deficiencies, revocation, and voluntary   relinquishment.        (a) Process for correction of a deficiency and revocation--(1)   Circumstances leading to revocation. The Secretary may revoke his   acceptance of an entity's certification and delist the entity as a PSO   if he determines--      (i) The PSO is not fulfilling the certifications it made to the   Secretary that are set forth in Sec.  3.102 of this subpart;      (ii) The PSO has not timely notified the Secretary that it has met   the two contract requirement, as required by Sec.  3.102(d)(1) of this   subpart;      (iii) The Secretary, based on a PSO's disclosures made pursuant to   Sec.  3.102(d)(2) of this subpart, makes a public finding that the   entity cannot fairly and accurately perform the patient safety   activities of a PSO; or      (iv) The PSO is not in compliance with any other provision of the   Patient Safety Act or this Part.      (2) Notice of preliminary finding of deficiency and establishment   of an opportunity for correction of a deficiency. (i) If the Secretary   determines that a PSO is not in compliance with its obligations under   the Patient Safety Act or this Subpart, the Secretary must send a PSO   written notice of the preliminary finding of deficiency. The notice   must state the actions or inactions that encompass the deficiency   finding, outline the evidence that the deficiency exists, specify the   possible and/or required corrective actions that must be taken, and   establish a date by which the deficiency must be corrected. The   Secretary may specify in the notice the level of documentation required   to demonstrate that the deficiency has been corrected.      
(ii) The notice of a preliminary finding of deficiency is presumed   received five days after it is sent, absent evidence of the actual   receipt date. If a PSO does not submit evidence to the Secretary within   14 calendar days of actual or constructive receipt of such notice,   whichever is longer, which demonstrates that the preliminary finding is   factually incorrect, the preliminary finding will be the basis for a   finding of deficiency.      (3) Determination of correction of a deficiency. (i) Unless the   Secretary specifies another date, the Secretary must receive   documentation to demonstrate that the PSO has corrected the deficiency   no later than five calendar days following the last day of the   correction period, that is specified by the Secretary in the notice of   preliminary finding of deficiency.      (ii) In making a determination regarding the correction of any   deficiency, the Secretary will consider the documentation submitted by   the PSO, the findings of any site visit that he determines is necessary   or appropriate, recommendations of program staff, and any other   information available regarding the PSO that the Secretary deems   appropriate and relevant to the PSO's implementation of the terms of   its certification.      
(iii) After completing his review, the Secretary may make one of   the following determinations:      (A) The action(s) taken by the PSO have corrected any deficiency,   in which case the Secretary will withdraw the notice of deficiency and   so notify the PSO;      (B) The PSO has acted in good faith to correct the deficiency but   the Secretary finds an additional period of time is necessary to   achieve full compliance and/or the required corrective action specified   in the notice of a preliminary finding of deficiency needs to be   modified in light of the experience of the PSO in attempting to   implement the corrective action, in which case the Secretary will   extend the period for correction and/or modify the specific corrective   action required; or      (C) The PSO has not completed the corrective action because it has   not acted with reasonable diligence or speed to ensure that the   corrective action was completed within the allotted time, in which case   the Secretary will issue to the PSO a notice of proposed revocation and   delisting.      (iv) When the Secretary issues a written notice of proposed   revocation and delisting, the notice will specify the    [[Page 8177]]    deficiencies that have not been timely corrected and will detail the   manner in which the PSO may exercise its opportunity to be heard in   writing to respond to the deficiencies specified in the notice.      (4) Opportunity to be heard in writing following a notice of   proposed revocation and delisting. The Secretary will afford a PSO an   opportunity to be heard in writing, as specified in paragraph (a)(4)(i)   of this section, to provide a substantive response to the deficiency   finding(s) set forth in the notice of proposed revocation and   delisting.      (i) The notice of proposed revocation and delisting is presumed   received five days after it is sent, absent evidence of actual receipt.   
The Secretary will provide a PSO with a period of time, beginning with   the date of receipt of the notice of proposed revocation and delisting   of which there is evidence, or the presumed date of receipt if there is   no evidence of earlier receipt, and ending at midnight 30 calendar days   thereafter, during which the PSO can submit a substantive response to   the deficiency findings in writing.      (ii) The Secretary will provide to the PSO rules of procedure   governing the form or transmission of the written response to the   notice of proposed revocation and delisting. The Rules may also be   posted on the AHRQ PSO Web site or published in the Federal Register.      (iii) If a PSO does not submit a written response to the deficiency   finding(s) within 30 calendar days of receipt of the notice of proposed   revocation and delisting, the notice of proposed revocation becomes   final as a matter of law and the basis for Secretarial action under   paragraph (b)(1) of this section.      (5) The Secretary's decision regarding revocation. The Secretary   will review the entire administrative record pertaining to a notice of   proposed revocation and delisting and any written materials submitted   by the PSO under paragraph (a)(4) of this section. The Secretary may   affirm, reverse, or modify the notice of proposed revocation and   delisting and will make a determination with respect to the continued   listing of the PSO.      (b) Revocation of the Secretary's acceptance of a PSO's   certifications--(1) Establishing revocation for cause. 
When the   Secretary concludes, in accordance with a decision made under paragraph   (a)(5) of this section, that revocation of the acceptance of a PSO's   certification is warranted for its failure to comply with requirements   of the Patient Safety Act or of this Subpart, the Secretary will   establish the time and date for the prompt revocation and removal of   the entity from the list of PSOs, so notify the PSO in writing, and   provide the relevant public notice required by Sec.  3.108(d) of this   subpart.      (2) Required notification of providers and status of data. Within   15 days of being notified of the Secretary's action pursuant to   paragraph (b)(1) of this section, an entity subject to paragraph (b)(1)   of this section will submit to the Secretary confirmation that it has   taken all reasonable actions to notify each provider, whose patient   safety work product it collected or analyzed, of the Secretary's   action(s). Confidentiality and privilege protections that applied to   patient safety work product while the former PSO was listed continue to   apply after the entity is removed from listing. Data submitted by   providers to the former PSO within 30 calendar days of the date on   which it is removed from the list of PSOs pursuant to paragraph (b)(1)   of this section will have the same status as data submitted while the   entity was still listed.      (3) Disposition of patient safety work product and data. 
Following   revocation and delisting pursuant to paragraph (b)(1) of this section,   the former PSO will take one or more of the following measures:      (i) Transfer such patient safety work product or data, with the   approval of the source from which it was received, to a PSO that has   agreed to receive such patient safety work product or data;      (ii) Return such work product or data to the source from which it   was submitted; or      (iii) If returning such patient safety work product or data to its   source is not practicable, destroy such patient safety work product or   data.      (c) Voluntary relinquishment--(1) Circumstances constituting   voluntary relinquishment. A PSO will be considered to have voluntarily   relinquished its status as a PSO if the Secretary accepts a   notification from a PSO that it wishes to relinquish voluntarily its   listing as a PSO or the Secretary determines that an implied voluntary   relinquishment has taken place because the period of listing of a PSO   has expired without receipt of a timely submission of certifications   for continued listing.      (2) Notification of voluntary relinquishment. 
A PSO's notification   of voluntary relinquishment to the Secretary must include the   following:      (i) An attestation that all reasonable efforts have been made, or   will have been made by a PSO within 15 calendar days of this statement,   to notify the sources from which it received patient safety work   product or data of the PSO's intention to cease operations, to   relinquish voluntarily its status as a PSO, to request that these other   entities cease reporting or submitting any further information to the   PSO as soon as possible, and inform them that any data submitted after   the effective date and time of delisting, that the Secretary sets   pursuant to paragraph (c)(3) of this section, will not be protected as   patient safety work product under the Patient Safety Act based upon   such submissions;      (ii) An attestation that the entity has established a plan, or   within 15 calendar days of this statement, will have made all   reasonable efforts to establish a plan, in consultation with the   sources from which it received patient safety work product or data,   that provides for the disposition of such patient safety work product   or data consistent with, to the extent practicable, the statutory   options for disposition of patient safety work product or data as set   out in paragraphs (b)(3)(i) through (iii) of this section; and      (iii) Appropriate contact information for further communications   from the Secretary.      (3) Response to notification of voluntary relinquishment. (i) After   a PSO provides the notification required by paragraph (c)(2) of this   section, the Secretary will respond in writing to the entity indicating   whether the proposed voluntary relinquishment of its PSO status is   accepted. If the voluntary relinquishment is accepted, the Secretary's   response will indicate an effective date and time for the entity's   removal from the list of PSOs and will provide public notice of the   delisting, in accordance with Sec.  
3.108(d) of this subpart.      (ii) If the Secretary receives a notification of voluntary   relinquishment during or immediately after revocation proceedings for   cause under paragraphs (a)(4) and (a)(5) of this section, the   Secretary, as a matter of discretion, may accept voluntary   relinquishment in accordance with the preceding paragraph or decide not   to accept the entity's proposed voluntary relinquishment and proceed   with the revocation for cause and delisting pursuant to paragraph   (b)(1) of this section.      (4) Implied voluntary relinquishment. (i) If the period of listing   of a PSO lapses without timely receipt and acceptance by the Secretary   of a certification seeking continued listing or timely receipt of a   notification of voluntary relinquishment of its PSO status in   accordance with paragraph (c)(2) of this section, the Secretary will   determine that voluntary relinquishment has    [[Page 8178]]    occurred and will remove the entity from the list of PSOs effective as   of midnight on the last day of its three-year period of listing. The   Secretary will take reasonable measures to notify the entity of its   delisting and will provide public notice of the delisting in accordance   with Sec.  3.108(d) of this subpart.      (ii) The Secretary will request in the notice to the entity that it   make reasonable efforts to comply with the requirements of paragraph   (c)(2) of this section with respect to notification, appropriate   disposition of patient safety work product, and the provision of   contact information to the Secretary.      (5) Non-applicability of certain procedures and requirements. 
(i) A   decision by the Secretary to accept a request by a PSO to relinquish   voluntarily its status as a PSO pursuant to paragraph (c)(2) of this   section or a decision that voluntary relinquishment has occurred   pursuant to paragraph (c)(4) of this section does not constitute a   determination of a deficiency in PSO compliance with the Patient Safety   Act or with this Subpart and no opportunity for corrective action by   the PSO is required.      (ii) The procedures and requirements of Sec.  3.108(a) of this   subpart regarding deficiencies including the opportunity to be heard in   writing, and those that are based upon determinations of the Secretary   pursuant to Sec.  3.108(b)(1) of this subpart are not applicable to   determinations of the Secretary made pursuant to paragraph (c) of this   section.      (d) Public notice of delisting regarding removal from listing. If   the Secretary removes an entity from the list of PSOs following   revocation of acceptance of the entity's certification pursuant to   Sec.  3.108(b)(1) of this subpart or following a determination of   voluntary relinquishment pursuant to Sec.  3.108(c)(3) or (c)(4) of   this subpart, the Secretary will promptly publish in the Federal   Register and on the AHRQ PSO Web site, or in a comparable future form   of public notice, established pursuant to Sec.  3.104(d) of this   subpart, a notice of the actions taken and the effective dates.      Sec.  3.110  Assessment of PSO compliance.        The Secretary may request information or conduct announced or   unannounced reviews of or site visits to PSOs, to assess or verify PSO   compliance with the requirements of this subpart and for these purposes   will be allowed to inspect the physical or virtual sites maintained or   controlled by the PSO. The Secretary will be allowed to inspect and/or   be given or sent copies of any PSO records deemed necessary and   requested by the Secretary to implement the provisions of this subpart.   
Such PSO records may include patient safety work product in accordance   with Sec.  3.206(d) of this subpart.      Sec.  3.112  Submissions and forms.        (a) Forms referred to in this subpart may be obtained on the AHRQ   PSO Web site or a comparable future form of public notice or by   requesting them in writing by e-mail at psimplement@ahrq.hhs.gov, or by   mail from the Agency for Healthcare Research and Quality, CQuIPS, PSO   Liaison, 540 Gaither Road, Rockville, MD 20850. A form (including any   required attachments) must be submitted in accordance with the   accompanying instructions.      (b) Information submitted to AHRQ in writing, but not required to   be on a form, and requests for information from AHRQ, may be submitted   by mail or other delivery to the Agency for Healthcare Research and   Quality, CQuIPS, PSO Liaison, 540 Gaither Road, Rockville, MD 20850, by   facsimile at (301) 427-1341, or by e-mail at psimplement@ahrq.hhs.gov.      (c) If a submission to the Secretary is incomplete or additional   information is needed to allow a determination to be made under this   subpart, the submitter will be notified if any additional information   is required.    Subpart C--Confidentiality and Privilege Protections of Patient   Safety Work Product      Sec.  3.204  Privilege of Patient Safety Work Product        (a) Privilege. Notwithstanding any other provision of Federal,   State, local, or tribal law and subject to paragraph (b) of this   section and Sec.  
3.208 of this subpart, patient safety work product   shall be privileged and shall not be:      (1) Subject to a Federal, State, local, or tribal civil, criminal,   or administrative subpoena or order, including in a Federal, State,   local, or tribal civil or administrative disciplinary proceeding   against a provider;      (2) Subject to discovery in connection with a Federal, State,   local, or tribal civil, criminal, or administrative proceeding,   including in a Federal, State, local, or tribal civil or administrative   disciplinary proceeding against a provider;      (3) Subject to disclosure pursuant to section 552 of Title 5,   United States Code (commonly known as the Freedom of Information Act)   or any other similar Federal, State, local, or tribal law;      (4) Admitted as evidence in any Federal, State, local, or tribal   governmental civil proceeding, criminal proceeding, administrative   rulemaking proceeding, or administrative adjudicatory proceeding,   including any such proceeding against a provider; or      (5) Admitted in a professional disciplinary proceeding of a   professional disciplinary body established or specifically authorized   under State law.      (b) Exceptions to privilege. Privilege shall not apply to (and   shall not be construed to prohibit) one or more of the following   disclosures:      (1) Disclosure of relevant patient safety work product for use in a   criminal proceeding, subject to the conditions at Sec.  3.206(b)(1) of   this subpart.      (2) Disclosure to the extent required to permit equitable relief   subject to the conditions at Sec.  3.206(b)(2) of this subpart.      (3) Disclosure pursuant to provider authorizations subject to the   conditions at Sec.  3.206(b)(3) of this subpart.      (4) Disclosure of non-identifiable patient safety work product   subject to the conditions at Sec.  3.206(b)(5) of this subpart.      (c) Implementation and Enforcement of the Patient Safety Act.   
Privilege shall not apply to (and shall not be construed to prohibit)   disclosures of relevant patient safety work product to or by the   Secretary if such patient safety work product is needed to investigate   or determine compliance with this part or is needed in seeking or   imposing civil money penalties, or in making or supporting PSO   certification or listing decisions, under the Patient Safety Act.      Sec.  3.206  Confidentiality of Patient Safety Work Product.        (a) Confidentiality. Subject to paragraphs (b) through (e) of this   section, and Sec. Sec.  3.208 and 3.210 of this subpart, patient safety   work product shall be confidential and shall not be disclosed.      (b) Exceptions to confidentiality. The confidentiality provisions   shall not apply to (and shall not be construed to prohibit) one or more   of the following disclosures:      (1) Criminal proceedings. Disclosure of relevant patient safety   work product for use in a criminal proceeding, but only after a court   makes an in camera determination that:      (i) Such patient safety work product contains evidence of a   criminal act;      (ii) Such patient safety work product is material to the   proceeding; and      (iii) Such patient safety work product is not reasonably available   from any other source.      (2) Equitable relief for reporters. Disclosure of patient safety   work    [[Page 8179]]    product to the extent required to permit equitable relief under section   922 (f)(4)(A) of the Public Health Service Act.      (3) Authorized by identified providers. (i) Disclosure of   identifiable patient safety work product consistent with a valid   authorization if such authorization is obtained from each provider   identified in such work product prior to disclosure. 
A valid   authorization must:      (A) Be in writing and signed by the provider from whom   authorization is sought; and      (B) Contain sufficient detail to fairly inform the provider of the   nature and scope of the disclosures being authorized;      (ii) A valid authorization must be retained by the disclosing   entity for six years from the date of the last disclosure made in   reliance on the authorization and made available to the Secretary upon   request.      (4) Patient safety activities--(i) Disclosure between a provider   and a PSO. Disclosure of patient safety work product for patient safety   activities by a provider to a PSO or by a PSO to that disclosing   provider.      (ii) Disclosure to a contractor of a provider or a PSO. A provider   or a PSO may disclose patient safety work product for patient safety   activities to an entity with which it has contracted to undertake   patient safety activities on its behalf. A contractor receiving patient   safety work product for patient safety activities may not further   disclose patient safety work product, except to the entity with which   it is contracted.      (iii) Disclosure by a PSO to another PSO or by a provider to   another provider. 
Disclosure of patient safety work product for patient   safety activities by a PSO to another PSO or to another provider that   has reported to the PSO, or by a provider to another provider,   provided:      (A) The following direct identifiers of any providers and of   affiliated organizations, corporate parents, subsidiaries, practice   partners, employers, members of the workforce, or household members of   such providers are removed:      (1) Names;      (2) Postal address information, other than town or city, State and   zip code;      (3) Telephone numbers;      (4) Fax numbers;      (5) Electronic mail addresses;      (6) Social security numbers or taxpayer identification numbers;      (7) Provider or practitioner credentialing or DEA numbers;      (8) National provider identification number;      (9) Certificate/license numbers;      (10) Web Universal Resource Locators (URLs);      (11) Internet Protocol (IP) address numbers;      (12) Biometric identifiers, including finger and voice prints; and      (13) Full face photographic images and any comparable images; and      (B) With respect to any individually identifiable health   information in such patient safety work product, the direct identifiers   listed at 45 CFR 164.514(e)(2) have been removed.      (5) Disclosure of nonidentifiable patient safety work product.   Disclosure of nonidentifiable patient safety work product when patient   safety work product meets the standard for nonidentification in   accordance with Sec.  3.212 of this subpart.      (6) For research. (i) Disclosure of patient safety work product to   persons carrying out research, evaluation or demonstration projects   authorized, funded, certified, or otherwise sanctioned by rule or other   means by the Secretary, for the purpose of conducting research.      
(ii) If the patient safety work product disclosed pursuant to   paragraph (b)(6)(i) of this section is by a HIPAA covered entity as   defined at 45 CFR 160.103 and contains protected health information as   defined by the HIPAA Privacy Rule at 45 CFR 160.103, such patient   safety work product may only be disclosed under this exception in the   same manner as would be permitted under the HIPAA Privacy Rule at 45   CFR 164.512(i).      (7) To the Food and Drug Administration (FDA).      (i) Disclosure by a provider of patient safety work product   concerning an FDA-regulated product or activity to the FDA or to an   entity required to report to the FDA concerning the quality, safety, or   effectiveness of an FDA-regulated product or activity.      (ii) The FDA and any entity receiving patient safety work product   pursuant to paragraph (b)(7)(i) of this section may only further   disclose such patient safety work product for the purpose of evaluating   the quality, safety, or effectiveness of that product or activity   between each other, their contractors, and the disclosing provider. A   contractor receiving patient safety work product pursuant to this   paragraph may not further disclose patient safety work product, except   to the entity from which it received the patient safety work product.      (8) Voluntary disclosure to an accrediting body.      (i) Voluntary disclosure by a provider of patient safety work   product that identifies that provider to an accrediting body that   accredits that provider. Such accrediting body may not further disclose   such patient safety work product.      (ii) An accrediting body may not take an accrediting action against   a provider based on a good faith participation of the provider in the   collection, development, reporting, or maintenance of patient safety   work product in accordance with this Part. An accrediting body may not   require a provider to reveal its communications with any PSO.      (9) Business operations. 
(i) Disclosure of patient safety work   product by a provider or a PSO for business operations to attorneys,   accountants, and other professionals. Such contractors may not further   disclose patient safety work product, except to the entity from which   they received the information.      (ii) Disclosure of patient safety work product for such other   business operations that the Secretary may prescribe by regulation as   consistent with the goals of this part.      (10) Disclosure to law enforcement.      (i) Disclosure of patient safety work product to an appropriate law   enforcement authority relating to an event that either constitutes the   commission of a crime, or for which the disclosing person reasonably   believes constitutes the commission of a crime, provided that the   disclosing person believes, reasonably under the circumstances, that   the patient safety work product that is disclosed is necessary for   criminal law enforcement purposes.      (ii) Law enforcement personnel receiving patient safety work   product pursuant to paragraph (b)(10)(i) of this section may disclose   that patient safety work product to other law enforcement authorities   as needed for law enforcement activities related to the event that gave   rise to the disclosure under paragraph (b)(10)(i) of this section.      (c) Safe harbor. A provider or responsible person, but not a PSO,   is not considered to have violated the requirements of this subpart if   a member of its workforce discloses patient safety work product,   provided that the disclosure does not include materials, including oral   statements, that:      (1) Assess the quality of care of an identifiable provider; or      (2) Describe or pertain to one or more actions or failures to act   by an identifiable provider.      (d) Implementation and Enforcement of the Patient Safety Act. 
The confidentiality provisions shall not apply to (and shall not be construed to prohibit) disclosures of relevant patient safety work product to or by the Secretary if such patient safety work product is needed to investigate or determine compliance with this part or is needed in seeking and imposing civil money penalties, or in making or supporting PSO certification or listing decisions, under the Patient Safety Act.

(e) No limitation on authority to limit or delegate disclosure or use. Nothing in subpart C of this part shall be construed to limit the authority of any person to enter into a contract requiring greater confidentiality or delegating authority to make a disclosure or use in accordance with this subpart.

Sec. 3.208 Continued protection of Patient Safety Work Product.

(a) Except as provided in paragraph (b) of this section, patient safety work product disclosed in accordance with this subpart, or disclosed impermissibly, shall continue to be privileged and confidential.

(b)(1) Patient safety work product disclosed for use in a criminal proceeding pursuant to section 922(c)(1)(A) of the Public Health Service Act and/or pursuant to Sec. 3.206(b)(1) of this subpart continues to be privileged, but is no longer confidential.

(2) Non-identifiable patient safety work product that is disclosed is no longer privileged or confidential and not subject to the regulations under this part.

(3) Paragraph (b) of this section applies only to the specific patient safety work product disclosed.

Sec. 3.210 Required disclosure of Patient Safety Work Product to the Secretary.
Providers, PSOs, and responsible persons must disclose patient safety work product upon request by the Secretary when the Secretary determines such patient safety work product is needed to investigate or determine compliance with this part or is needed in seeking and imposing civil money penalties or making determinations on certifying and listing PSOs.

Sec. 3.212 Nonidentification of Patient Safety Work Product.

(a) Patient safety work product is nonidentifiable with respect to a particular identified provider or a particular identified reporter if:

(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:

(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an identified provider or reporter; and

(ii) Documents the methods and results of the analysis that justify such determination; or

(2)(i) The following identifiers of such provider or reporter and of affiliated organizations, corporate parents, subsidiaries, practice partners, employers, members of the workforce, or household members of such providers or reporters are removed:

(A) Names;

(B) Geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code and equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people;

(C) All elements of dates (except year) for dates directly related to a patient safety incident or event;

(D) Telephone numbers;

(E) Fax numbers;

(F) Electronic mail addresses;

(G) Social security numbers or taxpayer identification numbers;

(H) Provider or practitioner credentialing or DEA numbers;

(I) National provider identification number;

(J) Certificate/license numbers;

(K) Web Universal Resource Locators (URLs);

(L) Internet Protocol (IP) address numbers;

(M) Biometric identifiers, including finger and voice prints;

(N) Full face photographic images and any comparable images; and,

(O) Any other unique identifying number, characteristic, or code except as permitted for re-identification; and

(ii) The provider, PSO or responsible person making the disclosure does not have actual knowledge that the information could be used, alone or in combination with other information that is reasonably available to the intended recipient, to identify the particular provider or reporter.

(3) Re-identification. A provider, PSO, or responsible person may assign a code or other means of record identification to allow information made nonidentifiable under this section to be re-identified by such provider, PSO, or responsible person, provided that:

(i) The code or other means of record identification is not derived from or related to information about the provider or reporter and is not otherwise capable of being translated so as to identify the provider or reporter; and

(ii) The provider, PSO, or responsible person does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.

(b) Patient safety work product is non-identifiable with respect to a particular patient only if the individually identifiable health information regarding that patient is de-identified in accordance with the HIPAA Privacy Rule standard and implementation specifications for the de-identification at 45 CFR 164.514 (a) through (c).
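The identifier-removal method of Sec. 3.212(a)(2) and the re-identification code of paragraph (a)(3), as an added Python example that is not part of the proposed rule or of any HHS tooling. The field names, the ZIP-prefix population table and the sample record are constructed assumptions.

```python
import re
import secrets
from datetime import date

# Constructed stand-in for Census population per 3-digit ZIP prefix (not real data).
ZIP3_POPULATION = {"208": 350_000, "036": 12_000}

# Hypothetical field names. Default-deny: a field is copied only if listed here,
# which is how this example covers "(O) any other unique identifying number".
PASS_THROUGH_FIELDS = {"state", "event_type", "harm_level"}
EVENT_DATE_FIELDS = {"event_date"}

# Pattern-shaped identifiers (K, F, L, G, D/E) that can leak through free text.
NARRATIVE_PATTERNS = [
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\(?\b\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b"), "[PHONE]"),
]


def generalize_zip(zip_code):
    """(B): keep the first three digits only if that area has > 20,000 people."""
    prefix = str(zip_code)[:3]
    if len(prefix) == 3 and prefix.isdigit() and ZIP3_POPULATION.get(prefix, 0) > 20_000:
        return prefix
    return None  # unknown or small area: remove the ZIP entirely


def scrub_narrative(text):
    """Replace pattern-shaped identifiers in free text with fixed tokens."""
    for pattern, token in NARRATIVE_PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify(record, reid_store):
    """Return (clean_record, dropped_field_names).

    reid_store maps the re-identification code to the original record. It stays
    with the discloser and is never sent with the output ((a)(3)(ii)).
    """
    out, dropped = {}, []
    for field, value in record.items():
        if field in PASS_THROUGH_FIELDS:
            out[field] = value
        elif field == "zip":
            zip3 = generalize_zip(value)
            if zip3 is not None:
                out["zip3"] = zip3
        elif field in EVENT_DATE_FIELDS:
            out[field + "_year"] = value.year  # (C): year only
        elif field == "narrative":
            out[field] = scrub_narrative(value)
        else:
            dropped.append(field)  # names, numbers, sub-state geography, unknowns
    # (a)(3)(i): the code is random, not a hash or encoding of any record field,
    # so it cannot be translated back without the discloser's store.
    code = secrets.token_hex(16)
    reid_store[code] = record
    out["record_code"] = code
    return out, sorted(dropped)


# Constructed sample record.
SAMPLE = {
    "name": "Dr. Jane Roe",
    "npi": "1234567890",
    "email": "jroe@example.org",
    "street": "1 Example Way", "city": "Rockville", "state": "MD",
    "zip": "20850",
    "event_date": date(2007, 10, 5),
    "event_type": "medication error",
    "narrative": "Reporter (jroe@example.org, 301-555-0100) filed from 192.0.2.10.",
    "badge_no": "B-4471",
}

if __name__ == "__main__":
    store = {}
    clean, dropped = deidentify(SAMPLE, store)
    print(clean)
    print("dropped:", dropped)
```

Pattern scrubbing does not catch names written into narrative text, and paragraph (a)(2)(ii) still turns on what the discloser actually knows, so a review step remains before release.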
Subpart D--Enforcement Program

Sec. 3.304 Principles for achieving compliance.

(a) Cooperation. The Secretary will, to the extent practicable, seek the cooperation of providers, PSOs, and responsible persons in obtaining compliance with the applicable confidentiality provisions.

(b) Assistance. The Secretary may provide technical assistance to providers, PSOs, and responsible persons to help them comply voluntarily with the applicable confidentiality provisions.

Sec. 3.306 Complaints to the Secretary.

(a) Right to file a complaint. A person who believes that patient safety work product has been disclosed in violation of the confidentiality provisions may file a complaint with the Secretary.

(b) Requirements for filing complaints. Complaints under this section must meet the following requirements:

(1) A complaint must be filed in writing, either on paper or electronically.

(2) A complaint must name the person that is the subject of the complaint and describe the act(s) believed to be in violation of the applicable confidentiality provision(s).

(3) A complaint must be filed within 180 days of when the complainant knew or should have known that the act complained of occurred, unless this time limit is waived by the Secretary for good cause shown.

(4) The Secretary may prescribe additional procedures for the filing of complaints, as well as the place and manner of filing, by notice in the Federal Register.

(c) Investigation. The Secretary may investigate complaints filed under this section. Such investigation may include a review of the pertinent policies, procedures, or practices of the respondent and of the circumstances regarding any alleged violation. At the time of initial written communication with the respondent about the complaint, the Secretary will describe the act(s) that are the basis of the complaint.

Sec. 3.308 Compliance reviews.

The Secretary may conduct compliance reviews to determine whether a respondent is complying with the applicable confidentiality provisions.

Sec. 3.310 Responsibilities of respondents.

(a) Provide records and compliance reports. A respondent must keep such records and submit such compliance reports, in such time and manner and containing such information, as the Secretary may determine to be necessary to enable the Secretary to ascertain whether the respondent has complied or is complying with the applicable confidentiality provisions.

(b) Cooperate with complaint investigations and compliance reviews. A respondent must cooperate with the Secretary, if the Secretary undertakes an investigation or compliance review of the policies, procedures, or practices of the respondent to determine whether it is complying with the applicable confidentiality provisions.

(c) Permit access to information. (1) A respondent must permit access by the Secretary during normal business hours to its facilities, books, records, accounts, and other sources of information, including patient safety work product, that are pertinent to ascertaining compliance with the applicable confidentiality provisions. If the Secretary determines that exigent circumstances exist, such as when documents may be hidden or destroyed, a respondent must permit access by the Secretary at any time and without notice.

(2) If any information required of a respondent under this section is in the exclusive possession of any other agency, institution, or person, and the other agency, institution, or person fails or refuses to furnish the information, the respondent must so certify and set forth what efforts it has made to obtain the information.

Sec. 3.312 Secretarial action regarding complaints and compliance reviews.

(a) Resolution when noncompliance is indicated.
(1) If an investigation of a complaint pursuant to Sec. 3.306 of this subpart or a compliance review pursuant to Sec. 3.308 of this subpart indicates noncompliance, the Secretary may attempt to reach a resolution of the matter satisfactory to the Secretary by informal means. Informal means may include demonstrated compliance or a completed corrective action plan or other agreement.

(2) If the matter is resolved by informal means, the Secretary will so inform the respondent and, if the matter arose from a complaint, the complainant, in writing.

(3) If the matter is not resolved by informal means, the Secretary will--

(i) So inform the respondent and provide the respondent an opportunity to submit written evidence of any mitigating factors. The respondent must submit any evidence to the Secretary within 30 days (computed in the same manner as prescribed under Sec. 3.504(l) of this subpart) of receipt of such notification; and

(ii) If, following action pursuant to paragraph (a)(3)(i) of this section, the Secretary decides that a civil money penalty should be imposed, inform the respondent of such finding in a notice of proposed determination in accordance with Sec. 3.420 of this subpart.

(b) Resolution when no violation is found. If, after an investigation pursuant to Sec. 3.306 of this subpart or a compliance review pursuant to Sec. 3.308 of this subpart, the Secretary determines that further action is not warranted, the Secretary will so inform the respondent and, if the matter arose from a complaint, the complainant, in writing.

(c) Uses and disclosures of information obtained. (1) Identifiable patient safety work product obtained by the Secretary in connection with an investigation or compliance review under this subpart will not be disclosed by the Secretary, except in accordance with Sec. 3.206(d) of this subpart, or if otherwise permitted by this part or the Patient Safety Act.

(2) Except as provided for in paragraph (c)(1) of this section, information, including testimony and other evidence, obtained by the Secretary in connection with an investigation or compliance review under this subpart may be used by HHS in any of its activities and may be used or offered into evidence in any administrative or judicial proceeding.

Sec. 3.314 Investigational subpoenas and inquiries.

(a) The Secretary may issue subpoenas in accordance with 42 U.S.C. 405(d) and (e), and 1320a-7a(j), to require the attendance and testimony of witnesses and the production of any other evidence including patient safety work product during an investigation or compliance review pursuant to this part. The Secretary will issue and serve subpoenas pursuant to this subpart in accordance with 45 CFR 160.314(a)(1) through (5), except the term ``this part'' shall refer to 42 CFR part 3.

(b) Investigational inquiries are non-public investigational proceedings conducted by the Secretary. The Secretary will conduct investigational proceedings in accordance with 45 CFR 160.314(b)(1) through (9).

Sec. 3.402 Basis for a civil money penalty.

(a) General rule. A person who discloses identifiable patient safety work product in knowing or reckless violation of the confidentiality provisions shall be subject to a civil money penalty for each act constituting such violation.

(b) Violation attributed to a principal. A principal is independently liable, in accordance with the federal common law of agency, for a civil money penalty based on the act of the principal's agent, including a workforce member, acting within the scope of the agency if such act could give rise to a civil money penalty in accordance with Sec. 3.402(a) of this subpart.

Sec. 3.404 Amount of a civil money penalty.
(a) The amount of a civil money penalty will be determined in accordance with paragraph (b) of this section and Sec. 3.408 of this subpart.

(b) The Secretary may impose a civil money penalty in the amount of not more than $10,000.

Sec. 3.408 Factors considered in determining the amount of a civil money penalty.

In determining the amount of any civil money penalty, the Secretary may consider as aggravating or mitigating factors, as appropriate, any of the following:

(a) The nature of the violation.

(b) The circumstances, including the consequences, of the violation, including:

(1) The time period during which the violation(s) occurred; and

(2) Whether the violation caused physical or financial harm or reputational damage;

(c) The degree of culpability of the respondent, including:

(1) Whether the violation was intentional; and

(2) Whether the violation was beyond the direct control of the respondent.

(d) Any history of prior compliance with the Patient Safety Act, including violations, by the respondent, including:

(1) Whether the current violation is the same or similar to prior violation(s);

(2) Whether and to what extent the respondent has attempted to correct previous violations;

(3) How the respondent has responded to technical assistance from the Secretary provided in the context of a compliance effort; and

(4) How the respondent has responded to prior complaints.

(e) The financial condition of the respondent, including:

(1) Whether the respondent had financial difficulties that affected its ability to comply;

(2) Whether the imposition of a civil money penalty would jeopardize the ability of the respondent to continue to provide health care or patient safety activities; and

(3) The size of the respondent.

(f) Such other matters as justice may require.

Sec. 3.414 Limitations.
No action under this subpart may be entertained unless commenced by the Secretary, in accordance with Sec. 3.420 of this subpart, within 6 years from the date of the occurrence of the violation.

Sec. 3.416 Authority to settle.

Nothing in this subpart limits the authority of the Secretary to settle any issue or case or to compromise any penalty.

Sec. 3.418 Exclusivity of penalty.

(a) Except as otherwise provided by paragraph (b) of this section, a penalty imposed under this part is in addition to any other penalty prescribed by law.

(b) Civil money penalties shall not be imposed both under this part and under the HIPAA Privacy Rule (45 CFR parts 160 and 164).

Sec. 3.420 Notice of proposed determination.

(a) If a penalty is proposed in accordance with this part, the Secretary must deliver, or send by certified mail with return receipt requested, to the respondent, written notice of the Secretary's intent to impose a penalty. This notice of proposed determination must include:

(1) Reference to the statutory basis for the penalty;

(2) A description of the findings of fact regarding the violations with respect to which the penalty is proposed;

(3) The reason(s) why the violation(s) subject(s) the respondent to a penalty;

(4) The amount of the proposed penalty;

(5) Any factors described in Sec. 3.408 of this subpart that were considered in determining the amount of the proposed penalty; and

(6) Instructions for responding to the notice, including a statement of the respondent's right to a hearing, a statement that failure to request a hearing within 60 days permits the imposition of the proposed penalty without the right to a hearing under Sec. 3.504 of this subpart or a right of appeal under Sec. 3.504(v) of this subpart, and the address to which the hearing request must be sent.
(b) The respondent may request a hearing before an ALJ on the proposed penalty by filing a request in accordance with Sec. 3.504 of this subpart.

Sec. 3.422 Failure to request a hearing.

If the respondent does not request a hearing within the time prescribed by Sec. 3.504 of this subpart and the matter is not settled pursuant to Sec. 3.416 of this subpart, the Secretary may impose the proposed penalty or any lesser penalty permitted by 42 U.S.C. 299b-21 through 299b-26. The Secretary will notify the respondent by certified mail, return receipt requested, of any penalty that has been imposed and of the means by which the respondent may satisfy the penalty, and the penalty is final on receipt of the notice. The respondent has no right to appeal a penalty under Sec. 3.504(v) of this subpart with respect to which the respondent has not timely requested a hearing.

Sec. 3.424 Collection of penalty.

Once a determination of the Secretary to impose a penalty has become final, the penalty will be collected by the Secretary in accordance with 45 CFR 160.424, except the term ``this part'' shall refer to 42 CFR Part 3.

Sec. 3.426 Notification of the public and other agencies.

Whenever a proposed penalty becomes final, the Secretary will notify, in such manner as the Secretary deems appropriate, the public and the following organizations and entities thereof and the reason it was imposed: The appropriate State or local medical or professional organization, the appropriate State agency or agencies administering or supervising the administration of State health care programs (as defined in 42 U.S.C. 1320a-7(h)), the appropriate utilization and quality control peer review organization, and the appropriate State or local licensing agency or organization (including the agency specified in 42 U.S.C. 1395aa(a), 1396a(a)(33)).

Sec. 3.504 Procedures for hearings.
(a) Hearings before an ALJ. A respondent may request a hearing before an ALJ. Hearings must be requested in accordance with 45 CFR 160.504(a) through (c), except the language in paragraph (c) following and including ``except that'' shall not apply. The ALJ must dismiss a hearing request in accordance with 45 CFR 160.504(d).

(b) Rights of the parties. The hearing rights of the parties will be determined in accordance with 45 CFR 160.506.

(c) Authority of the ALJ. The ALJ will conduct a fair and impartial hearing in accordance with 45 CFR 160.508(a) through (c)(4).

(d) Ex parte contacts. Ex parte contacts are prohibited in accordance with 45 CFR 160.510.

(e) Prehearing conferences. Prehearing conferences will be conducted in accordance with 45 CFR 160.512, except the term ``identifiable patient safety work product'' shall apply in place of the term ``individually identifiable health information.''

(f) Authority to settle. The Secretary has authority to settle issues in accordance with 45 CFR 160.514.

(g) Discovery. Discovery will proceed in accordance with 45 CFR 160.516.

(h) Exchange of witness lists, witness statements, and exhibits. The parties will exchange hearing material in accordance with 45 CFR 160.518, except the language in paragraph (a) following and including ``except that'' shall not apply.

(i) Subpoenas for attendance at hearing. The ALJ will issue a subpoena for the appearance and testimony of any person at the hearing in accordance with 45 CFR 160.520.

(j) Fees. Fees and mileage for subpoenaed witnesses will be paid in accordance with 45 CFR 160.522.

(k) Form, filing, and service of papers. Hearing documents will be filed and served in accordance with 45 CFR 160.524.

(l) Computation of time. Computation of time shall be in accordance with 45 CFR 160.526, except the term ``this subpart'' shall refer to 42 CFR part 3, Subpart D, and the citation ``Sec. 3.504(a) of 42 CFR part 3'' shall apply in place of the citation ``Sec. 160.504.''

(m) Motions. Procedures for the filing and disposition of motions will be in accordance with 45 CFR 160.528.

(n) Sanctions. The ALJ may sanction a person in accordance with authorities at 45 CFR 160.530.

(o) Collateral estoppel. Collateral estoppel will apply to hearings conducted pursuant to this subpart in accordance with 45 CFR 160.532, except the term ``a confidentiality provision'' shall apply in place of the term ``an administrative simplification provision.''

(p) The hearing. Hearings will be conducted in accordance with 45 CFR 160.534, except the following text shall apply in place of Sec. 160.534(b)(1): ``The respondent has the burden of going forward and the burden of persuasion with respect to any challenge to the amount of a proposed penalty pursuant to Sec. Sec. 3.404-3.408 of 42 CFR part 3, including any factors raised as mitigating factors.'' Good cause shown under 45 CFR 160.534(c) may be that identifiable patient safety work product has been introduced into evidence or is expected to be introduced into evidence.

(q) Witnesses. The testimony of witnesses will be handled in accordance with 45 CFR 160.538, except that the citation ``Sec. 3.504(h) of 42 CFR part 3'' shall apply in place of the citation ``Sec. 160.518.''

(r) Evidence. The ALJ will determine the admissibility of evidence in accordance with 45 CFR 160.540, except that the citation ``Sec. 3.420 of 42 CFR part 3'' shall apply in place of the citation ``Sec. 160.420 of this part.''

(s) The record. The record of the hearing will be created and made available in accordance with 45 CFR 160.542. Good cause under 45 CFR 160.542(c) through (d) may include the presence in the record of identifiable patient safety work product.

(t) Post hearing briefs.
Post-hearing briefs, if required by the ALJ, will be filed in accordance with 45 CFR 160.544.

(u) ALJ's decision. The ALJ will issue a decision in accordance with 45 CFR 160.546, except the citation ``Sec. 3.504(v) of 42 CFR part 3'' shall apply in place of ``Sec. 160.548.''

(v) Appeal of the ALJ's decision. Any party may appeal the decision of the ALJ in accordance with 45 CFR 160.548, except the following language in paragraph (e) shall not apply: ``Except for an affirmative defense under Sec. 160.410(b)(1) of this part.''

(w) Stay of the Secretary's decision. Pending judicial review, a stay of the Secretary's decision may be requested in accordance with 45 CFR 160.550.

(x) Harmless error. Harmless errors will be handled in accordance with 45 CFR 160.552.

Dated: October 5, 2007.
Michael O. Leavitt,
Secretary.
[FR Doc. E8-2375 Filed 2-11-08; 8:45 am]