42CFR Part 3 - Patient Safety and QI

8/3/2019 42CFR Part 3 - Patient Safety and QI

http://slidepdf.com/reader/full/42cfr-part-3-patient-safety-and-qi 1/84

Friday,

November 21, 2008

Part III

Department of Health and Human Services42 CFR Part 3

Patient Safety and Quality Improvement;Final Rule

VerDate Aug<31>2005 15:22 Nov 20, 2008 Jkt 217001 PO 00000 Frm 00001 Fmt 4717 Sfmt 4717 E:\FR\FM\21NOR3.SGM 21NOR3



70732 Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008/ Rules and Regulations

1All citations to provisions in the Patient SafetyAct will be to the sections in the Public HealthService Act or to its location in the U.S. Code.

DEPARTMENT OF HEALTH ANDHUMAN SERVICES

42 CFR Part 3

RIN 0919–AA01

Patient Safety and QualityImprovement

AGENCY: Agency for Healthcare Researchand Quality, Office for Civil Rights,Department of Health and HumanServices.ACTION: Final rule.

SUMMARY: The Secretary of Health andHuman Services is adopting rules toimplement certain aspects of the PatientSafety and Quality Improvement Act of 2005, Pub. L. 109–41, 42 U.S.C. 299b–21—b–26 (Patient Safety Act). The finalrule establishes a framework by whichhospitals, doctors, and other health careproviders may voluntarily reportinformation to Patient SafetyOrganizations (PSOs), on a privilegedand confidential basis, for theaggregation and analysis of patientsafety events.

The final rule outlines therequirements that entities must meet to

become PSOs and the processes bywhich the Secretary will review andaccept certifications and list PSOs. Italso describes the privilege andconfidentiality protections for theinformation that is assembled anddeveloped by providers and PSOs, theexceptions to these privilege andconfidentiality protections, and the

procedures for the imposition of civilmoney penalties for the knowing orreckless impermissible disclosure of patient safety work product.DATES: The final rule is effective on

January 19, 2009.FOR FURTHER INFORMATION CONTACT:Susan Grinder, Agency for HealthcareResearch and Quality, 540 Gaither Road,Rockville, MD 20850, (301) 427–1111 or(866) 403–3697.SUPPLEMENTARY INFORMATION: OnFebruary 12, 2008, the Department of Health and Human Services (HHS)published a Notice of Proposed

Rulemaking (proposed rule) at 73 FR8112 proposing to implement thePatient Safety Act. The comment periodclosed on April 14, 2008. One-hundred-sixty-one comments were receivedduring the comment period.

I. Background

Statutory Background

This final rule establishes theauthorities, processes, and rulesnecessary to implement the PatientSafety Act that amended the Public

Health Service Act (42 U.S.C. 299 et seq.) by inserting new sections 921through 926, 42 U.S.C. 299b–21 through299b–26.1 The Patient Safety Actfocuses on creating a voluntary programthrough which health care providers canshare information relating to patientsafety events with PSOs, with the aimof improving patient safety and the

quality of care nationwide. The statuteattaches privilege and confidentialityprotections to this information, termed‘‘patient safety work product,’’ toencourage providers to share thisinformation without fear of liability andcreates PSOs to receive this protectedinformation and analyze patient safetyevents. These protections will enable allhealth care providers, including multi-facility health care systems, to sharedata within a protected legalenvironment, both within and acrossstates, without the threat that theinformation will be used against the

subject providers.However, we note that section922(g)(2) of the Public Health ServiceAct is quite specific that theseprotections do not relieve a providerfrom its obligation to comply with otherFederal, State, or local laws pertainingto information that is not privileged orconfidential under the Patient SafetyAct: section 922(g)(5) of the PublicHealth Service Act states that thePatient Safety Act does not affect anyState law requiring a provider to reportinformation that is not patient safetywork product. The fact that informationis collected, developed, or analyzedunder the protections of the PatientSafety Act does not shield a providerfrom needing to undertake similaractivities, if applicable, outside theambit of the statute, so that the providercan meet its obligations with non-patient safety work product. The PatientSafety Act, while precluding otherorganizations and entities fromrequiring providers to provide themwith patient safety work product,recognizes that the original recordsunderlying patient safety work productremain available in most instances forthe providers to meet these other

reporting requirements.We note also that the Patient Safety

Act references the Standards for thePrivacy of Individually IdentifiableHealth Information under the HealthInsurance Portability andAccountability Act of 1996 (HIPAAPrivacy Rule), 45 CFR parts 160 and164. Many health care providersparticipating in this program will be

covered entities under the HIPAAPrivacy Rule and will be required tocomply with the HIPAA Privacy Rulewhen they disclose patient safety workproduct that contains protected healthinformation. The Patient Safety Act isclear that it is not intended to interferewith the implementation of anyprovision of the HIPAA Privacy Rule.

See 42 U.S.C. 299b–22(g)(3). The statutealso provides that civil money penaltiescannot be imposed under both thePatient Safety Act and the HIPAAPrivacy Rule for a single violation. See42 U.S.C. 299b–22(f). In addition, thestatute states that PSOs shall be treatedas business associates, and patientsafety activities are deemed to be healthcare operations under the HIPAAPrivacy Rule. See 42 U.S.C. 299b and299–22(i). Since patient safety activitiesare deemed to be health care operations,the HIPAA Privacy Rule does notrequire covered providers to obtain

patient authorizations to disclosepatient safety work product containingprotected health information to PSOs.Additionally, as business associates of providers, PSOs must abide by the termsof their HIPAA business associatecontracts, which require them to notifythe provider of any impermissible use ordisclosure of the protected healthinformation of which they are aware.See 45 CFR 164.504(e)(2)(ii)(C).

II. Overview of the Proposed and FinalRules

A. The Proposed Rule

The proposed rule sought toimplement the Patient Safety Act tocreate a voluntary system throughwhich providers could share sensitiveinformation relating to patient safetyevents without fear of liability, whichshould lead to improvements in patientsafety and in the quality of patient care.The proposal reflected an approach tothe implementation of the Patient SafetyAct intended to ensure adequateflexibility within the bounds of thestatutory provisions and to encourageproviders to participate in thisvoluntary program. The proposed rule

emphasized that this program is notfederally funded and will be put intooperation by the providers and PSOsthat wish to participate with little directfederal involvement. However, theprocess for certification and listing of PSOs will be implemented and overseen

by the Agency for Healthcare Researchand Quality (AHRQ), while compliancewith the confidentiality provisions will

be investigated and enforced by theOffice for Civil Rights (OCR).

Subpart A of the proposed rule setforth the definitions of essential terms,




70733Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008/ Rules and Regulations

such as patient safety work product,patient safety evaluation system, andPSO. In order to facilitate the sharing of patient safety work product and theanalysis of patient safety events,Subpart B of the proposed ruleimplemented the statutory requirementsfor the listing of PSOs, the entities thatwill offer their expert advice in

analyzing the patient safety events andother information they collect ordevelop to provide feedback andrecommendations to providers. Theproposed rule established the criteriaand set forth a process for certificationand listing of PSOs and described howthe Secretary would review, accept,condition, deny, or revoke certificationsfor listing and continued listing of entities as PSOs.

Based on the statutory mandates inthe Patient Safety Act, Subpart C of theproposed rule set forth the privilege andconfidentiality protections that attach to

patient safety work product; it also setforth the exceptions to theseprotections. The proposed rule providedthat patient safety work productgenerally continues to be protected asprivileged and confidential following adisclosure and set certain limitations onredisclosure of patient safety workproduct.

Subpart D of the proposed ruleestablished a framework to enable theSecretary to monitor and ensurecompliance with this Part, a process forimposing a civil money penalty for

breach of the confidentiality provisions,and procedures for a hearing contesting

the imposition of a civil money penalty.These provisions were modeled largelyon the HIPAA Enforcement Rule at 45CFR part 160, subparts C, D and E.

B. The Final Rule

We received over 150 comments onthe proposed rule from a variety of entities, including small providers andlarge institutional providers, hospitalassociations, medical associations,accrediting bodies, medical liabilityinsurers, and state and federal agencies.Many of the commenters expressedsupport for the proposed rule and the

protections it granted to sensitiveinformation related to patient safetyevents.

Based upon the comments received,the final rule adopts most of theprovisions of the proposed rule withoutmodification; however, severalsignificant changes to certain provisionsof the proposed rule have been made inresponse to these comments. Changes toSubpart A include the addition of adefinition of affiliated provider. Thedefinitions of component organization,

parent organization, and provider were

modified for clarity, and the definitionof disclosure was modified to clarifythat the sharing of patient safety workproduct, between a component PSO andthe entity of which it is a part, qualifiesas a disclosure, while the sharing of patient safety work product between aphysician with staff privileges and theentity with which it holds privileges is

not a disclosure. We have also modifiedthe definition of patient safety work

product to include information that,while not yet reported to a PSO, isdocumented as being within aprovider’s patient safety evaluationsystem and that will be reported to aPSO. This modification allows forproviders to voluntarily remove, anddocument the removal of, informationfrom the patient safety evaluationsystem that has not yet been reported toa PSO, in which case, the informationis no longer patient safety work product.

The most significant modifications to

Subpart B include the following. Withrespect to the listing of PSOs, we have broadened the list of excluded entitiesat § 3.102(a)(2)(ii), required PSOs at§ 3.102(b)(1)(i)(B) to notify reportingproviders of inappropriate disclosuresor security breaches related to theinformation they reported, specifiedcompliance with the requirementregarding the collection of patient safetywork product in §3.102(b)(2)(iii),eliminated the requirements for separateinformation systems and restrictions onshared staff for most component PSOs

but added additional restrictions andlimitations for PSOs that are

components of excluded entities at§ 3.102(c), and narrowed and clarifiedthe disclosure requirements that PSOsmust file regarding contractingproviders with whom they haveadditional relationships at §3.102(d)(2).We have modified the securityrequirement to provide flexibility forPSOs to determine whether to maintainpatient safety work product separatelyfrom unprotected information. The finalrule includes a new expeditedrevocation process at § 3.108(e) forexceptional circumstances that requireprompt action, and eliminates implied

voluntary relinquishment, providinginstead in §3.104(e) that a PSO’s listingautomatically expires at the end of threeyears, unless it is revoked for cause,voluntarily relinquished, or itscertifications for continued listing areapproved.

Changes to proposed Subpart Cinclude the addition of language in§ 3.206(b)(2) that requires a reporterseeking equitable relief to obtain aprotective order to protect theconfidentiality of patient safety workproduct during the course of the

proceedings. Proposed §3.206(b)(4) has been amended to allow disclosures of identifiable, non-anonymized patientsafety work product among affiliatedproviders for patient safety activities. Inaddition, proposed §3.206(b)(7) has

been modified to make clear that theprovision permits disclosures to andamong FDA, entities required to report

to FDA, and their contractors. We alsohave modified proposed § 3.206(b)(8) torequire providers voluntarily disclosingpatient safety work product toaccrediting bodies either to obtain theagreement of identified non-disclosingproviders or to anonymize theinformation with respect to the non-disclosing providers prior to disclosure.Finally, we modified §§3.204(c),3.206(d), and 3.210 to allow disclosuresof patient safety work product to or bythe Secretary for the purposes of determining compliance with not onlythe Patient Safety Act, but also the

HIPAA Privacy Rule.In Subpart D, we adopt the proposed

provisions except, where reference wasmade in the proposed rule to provisionsof the HIPAA Privacy Rule, the finalrule includes the text of such provisionsfor convenience of the reader.

We describe more fully theseprovisions, the comments received, andour responses to these comments belowin the section-by-section description of the final rule below.

III. Section-by-Section Description of Final Rule and Response to Comments

A. Subpart A—General Provisions1. Section 3.10—Purpose

Proposed Rule: Proposed § 3.10provided that the purpose of proposedPart 3 is to implement the Patient Safetyand Quality Improvement Act of 2005(Pub. L. 109–41), which amended thePublic Health Service Act (42 U.S.C. 299et seq.) by inserting new sections 921through 926, 42 U.S.C. 299b–21 through299b–26.

Overview of Public Comments: Nocomments were received pertaining tothis section.

Final Rule: The Department adoptsthe proposed provision withoutmodification.

2. Section 3.20—Definitions

Proposed Rule: Proposed § 3.20provided for definitions applicable toPart 3. Some definitions wererestatements of the definitions at section921 of the Public Health Service Act, 42U.S.C. 299b–21, and other definitionswere provided for convenience or toclarify the application and operation of the proposed rule.





Overview of Public Comments: Withrespect to the definitions for AHRQ,ALJ, Board, complainant, componentPSO, confidentiality provisions, entity,group health plan, health maintenanceorganization, HHS, HIPAA Privacy Rule,identifiable patient safety work product,nonidentifiable patient safety workproduct, OCR, Patient Safety Act,

patient safety activities, patient safetyorganization, person, research,respondent, responsible person, andworkforce, we received no comments.

We received a number of commentson the various other definitions andthese comments will be addressed

below in reference to the specific term.Final Rule: The Department adopts

the above definitions as proposed.Certain definitions were added forconvenience or clarity of the reader.

Response to Public Comments

Comment: Commenters requesteddefinitions for accrediting body,reporter, redisclosure, impermissibledisclosure, use, evaluation anddemonstration projects, and legislativelycreated PSO.

Response: The Department does notagree that the additional definitionsrequested by commenters are necessary.Some definitions requested havegenerally accepted meanings and we donot believe there is benefit in imposingmore limitations on such terms. Someterms such as legislatively created PSOare not used within the final rule. Otherterms such as impermissible disclosure,use, and reporter are readily understood

from the context of the final rule and donot need definitions.

(A) Section 3.20—New Definition of Affiliated Provider

Final Rule: The proposed rule did notinclude a definition for affiliatedprovider. The Department adopts theterm affiliated provider to mean, withrespect to a provider, a legally separateprovider that is the parent organizationof the provider, is under commonownership, management, or controlwith the provider, or is owned,managed, or controlled by the provider.

The Department includes this term toidentify to whom patient safety workproduct may be disclosed pursuant to aclarification of the disclosurepermission for patient safety activities.

Overview of Comments: Severalcommenters were concerned aboutlimitations of disclosures for patientsafety activities among providers.Commenters raised concerns thatlimitations may inhibit the sharing andlearning among providers of the analysisof patient safety events. Othercommenters viewed the disclosure

limitations as restricting a provider’suse of its own data. These comments areaddressed more fully below as part of the discussion of the patient safetyactivities disclosure permission.

(B) Section 3.20—Definition of BonaFide Contract

Proposed Rule: Proposed § 3.20

provided that bona fide contract wouldmean a written contract between aprovider and a PSO that is executed ingood faith or a written agreement

between a Federal, State, local, or Tribalprovider and a Federal, State, local, orTribal PSO.

Overview of Public Comments: Onecomment was received noting that‘‘good faith’’ need not be a part of a bonafide contract.

Final Rule: Because meeting theminimum contract requirement isessential for a PSO to remain listed bythe Secretary, the Department believesthat the requirement that contracts to beentered in good faith should be retained.We also note that Federal, State, local orTribal providers are free to enter into anagreement with any PSO that wouldserve their needs; thus, they can enter

bona fide contracts with PSOs pursuantto paragraph (1) of the definition, orenter comparable arrangements with aFederal, State, local or Tribal PSOpursuant to paragraph (2). TheDepartment adopts the proposedprovision without modification.

(C) Section 3.20—Definition of Component Organization

Proposed Rule: Proposed § 3.20provided that component organizationwould mean an entity that is either: (a)A unit or division of a corporateorganization or of a multi-organizationalenterprise; or (b) a separateorganization, whether incorporated ornot, that is owned, managed orcontrolled by one or more otherorganizations, i.e., its parentorganization(s). Because this definitionused terms in a manner that was broaderthan traditional usage, the proposed rulesought comment on whether it wasappropriate for purposes of the

regulation to consider a subsidiary, anotherwise legally independent entity, asa component organization.

With respect to the terms ‘‘owned,managed, or controlled,’’ the preambledirected readers to our description of these concepts in our discussion of theterm ‘‘parent organization.’’ Thepreamble to the proposed rule discussedthe various ways that an organizationmay be controlled by others. Inparticular, there was a discussion of multi-organizational enterprises and thevariety of management relationships or

forms of control that such enterprisescan create that might impact componententities. The preamble also discussedthe traditional meaning of subsidiariesas being separate legal entities and,therefore, not within the ordinarymeaning of the term ‘‘component.’’However, the approach of the proposedrule was to express the Department’s

intention to encourage all forms of PSOorganizational arrangements includingthe ownership of PSOs as subsidiaries.At the same time, we wanted to be ableto accurately determine and to indicateto providers which PSOs should beconsidered components of other entitiesand the identity of a component PSO’sparent organization. We explained ourintent was not to limit our approach tocorporate forms of organizations.

Overview of Public Comments: Themajority of commenters supported ourproposal to consider subsidiaries ascomponent organizations for the

purposes of this rule. Severalcommenters sought reassurance that ourinterpretation does not imposeadditional legal liability on the parentorganization.

Concern was expressed that ourapproach suggested an over-reliance onthe corporate model and the definitionneeded to reflect other types of legallyrecognized entities. One commentreflected concern that our reference to‘‘multi-organizational enterprise’’ in thedefinition was unnecessarily confusing

because it was not commonly used.Another commenter disagreed with ourapproach entirely, arguing that the

scope of our definition was overly broadand unnecessary.

Final Rule: The final rule now defines‘‘component organization’’ to mean anentity that: ‘‘(1) is a unit or division of a legal entity (including a corporation,partnership, or a Federal, State, local orTribal agency or organization); or

(2) Is owned, managed, or controlled by one or more legally separate parentorganizations.’’

The definition of componentorganization is intended to be read witha focus on management or control byothers as its defining feature. The

definition must be read in conjunctionwith the complementary definition of ‘‘parent organization.’’ While ourapproach remains little changed, wehave rearranged and streamlined thetext of the definition of component inresponse to the comments and concernswe received on it. For example, there isno longer an explicit reference in thedefinition of component to multi-organizational enterprises, which areundertakings with separate corporationsor organizations that are integrated in acommon business activity. The revised





definition, however, is sufficiently broad to apply to components of suchenterprises. In response to concerns thatthe earlier definition was too focused oncorporate organizations, we haveincorporated an explicit reference to‘‘other legal entities’’ besidescorporations. In addition, specificreferences have been added to more

clearly accommodate possibleorganizational relationships of publicagencies, such as the Department of Defense (DoD), Department of VeteransAffairs (VA), the Indian Health Service(IHS), and other State, local, and Tribalorganizations that manage or deliverhealth care services.

In the scenario envisioned by the firstprong of the definition, the legal entityis a parent organization and thecomponent organization is a unit ordivision within the parent organization.An underlying assumption of themodified paragraph (1) is that a unit or

division of a legal entity may bemanaged or controlled by one or moreparent organizations. Consistent withthis paragraph, a component PSO may

be managed or controlled by the legalentity of which it is a part or by anotherunit or division of that entity. It couldalso be controlled by a legally separateentity under the second paragraph of thedefinition.

The first prong of the definitionencompasses a component PSO that isa unit of a governmental agency that isa legal entity. This could include acomponent organization managed byanother division of such a governmental

agency, e.g., a health care division of VAor DoD. Thus, a component PSO could

be a unit or component of a Federalagency that is a legal entity and it couldat the same time be a component of another unit or division of that agencywhich controls and directs or managesits operation. So too in the privatesector, a component PSO could havemore than one parent and thus be acomponent, for example, of aprofessional society as well as acomponent of the unit or division of theprofessional society that controls ormanages the PSO.

The second prong of the definitionaddresses a variety of organizationalrelationships that could arise betweencomponent PSOs and legally separateparent organizations that manage orcontrol them. Under paragraph (2), asubsidiary PSO could be managed orcontrolled by its legally separate parentorganization. In addition, we note thata component PSO could be managed orcontrolled by another unit or division of its legally separate parent, e.g., if thisunit or division uses its knowledge andskills to control or manage certain

aspects of the component’s operations.If that occurs, we would consider thesibling subsidiary that exercises controlor management over the PSO as anotherparent organization of the PSO.

Obtaining the identity and contactinformation of an entity’s parentorganizations is useful for the purposeof letting providers know who may be

managing or controlling a PSO. Thisinformation also will be useful inimplementing the certification andlisting process for PSOs described in therule which, for instance, excludes anyhealth insurance issuer from becominga PSO and excludes a component of ahealth insurance issuer from becominga PSO.

In response to commenters concernedabout the legal liability for parentorganizations of component PSOs, wenote that the preamble to the proposedrule stated as follows: ‘‘We stress thatneither the statute nor the proposed

regulation imposes any legalresponsibilities, obligations, or liabilityon the organization(s) of which it [thePSO] is a part.’’ The Departmentreaffirms its position. At the same time,we note that the rule, at § 3.402(b),recognizes, provides for, and does notalter the liability of principals based onFederal common law.

Response to Other Public Comments

Comment: One concern that wasexpressed by several commenterspertained to whether or not a healthsystem that has a component orsubsidiary health insurance issuer, e.g.,

a group health plan offered to thepublic, would be precluded from havinga component PSO as well.

Response: So long as the componenthealth insurance issuer does not comewithin the definition of a parentorganization of the PSO, i.e., own acontrolling or majority interest in,manage, or control the health system’scomponent PSO (i.e., the PSO wouldnot be a component of the healthinsurance issuer), the parent healthsystem could establish a componentPSO.

Comment: It was asserted that

including subsidiaries as componentswould require a PSO that is notcontrolled by another parentorganization, but itself has a subsidiary,to seek listing as a component PSO.

Response: The revised definition of component organization emphasizesthat a component is an organization thatis controlled by another entity. It is notthe Department’s intention to require aPSO that is not controlled by anotherentity to seek listing as a componentPSO. For this reason, the fact that a PSOhas a subsidiary does not trigger the

requirement to seek listing as acomponent organization.

Comment: It was suggested that theinclusion of subsidiaries within themeaning of component would require ahealth system that wished to create aPSO to create it as a component.

Response: There are several issuesthat a health system needs to consider

in determining whether and how tocreate a PSO, but the inclusion of subsidiary within the meaning of component is not necessarilydeterminative. The statute requires theimprovement of quality and patientsafety to be the primary activity of theentity seeking listing. Since fewmultifaceted health systemorganizations will meet thisrequirement, existing organizations willhave an incentive to create single-purpose component organizations thatclearly meet the requirement. Thesecond issue is whether to create a PSOas an internal component organizationor as a separate legal entity. Because thefinal rule requires each PSO to enter twocontracts, provider organizations mayfind it useful for its component PSO to

be a separate legal entity. Otherwise, thecomponent PSO may be precluded fromcontracting with its parent organization.

Comment: There was a request for adefinition of ‘‘own’’ with a suggestionfor reference to Internal Revenue Code26 I.R.C. §1563 to clarify its meaningand the meaning of having a controllinginterest. This same commenter soughtstrong separation requirements betweena component PSO and any parent

organization.Response: We have reviewed the cited

regulation but conclude that theapproach presented is unlikely to clarifythe meaning of ‘‘own’’ or ‘‘having acontrolling interest’’ for purposes of theregulation. Accordingly, the definitionof component in the final rule will usethe term ‘‘owns,’’ but it should be readin conjunction with the phrase ‘‘owns acontrolling or majority interest in’’ thatis used in the related definition of ‘‘parent organization.’’ This willindicate that the definition of component uses the term ‘‘owns’’ to

mean having a sufficient ownershipinterest to control or manage a PSO. Theholder of a controlling or majorityinterest in the entity seeking to be listedshould be identified as a parentorganization.

Comment: Components of governmententities should not be listed as PSOs.

Response: The Patient Safety Actspecifically permits public sectorentities, and components of publicsector entities, to seek listing as a PSO.We have incorporated severalexclusions, however, of entities with





regulatory authority and thoseadministering mandatory state reportingprograms because these activities areincompatible with fostering a non-punitive culture of safety amongproviders. As we explain in§ 3.102(a)(2)(ii), we conclude that it isnot necessary to exclude components of such entities but have adopted

additional restrictions and requirementsin §3.102(c) for such componententities.

(D) Section 3.20—Definition of Disclosure

Proposed Rule: Proposed § 3.20provided that disclosure would meanthe release, transfer, provision of accessto, or divulging in any other manner of patient safety work product by a personholding patient safety work product toanother person.

We did not generally propose toregulate uses of patient safety workproduct within an entity, i.e., when thisinformation is exchanged or sharedamong the workforce members of anentity. We believe that regulating useswithin providers and PSOs would beunnecessarily intrusive given thevoluntary aspect of participation with aPSO. We believe that regulating useswould not further the statutory goal of facilitating the sharing of patient safetywork product with PSOs and thatsufficient incentives exist for providersand PSOs to prudently manage theinternal sharing of sensitive patientsafety work product. However, based onthe statutory provision, we did propose

that we would recognize as a disclosurethe sharing of patient safety workproduct between a component PSO andthe organization of which it is acomponent. Such sharing would, absentthe statutory provision and theproposed regulation, be a use within thelarger organization because thecomponent PSO is not a separate entity.The Patient Safety Act supports thisposition by demonstrating a strongdesire for the protection of patient safetywork product from the rest of theorganization of which the PSO is a part.We sought public comment on whether

the decision to not regulate uses wasappropriate.The proposed rule discussed that

sharing patient safety work productwith a contractor that is under the directcontrol of an entity, i.e., a workforcemember, would not be a disclosure, butrather a use within the entity. However,sharing patient safety work productwith an independent contractor would

be a disclosure requiring an applicabledisclosure permission.

Overview of Public Comments: Somecommenters supported the proposed

definition of disclosure. No commentersopposed the proposed definition orrequested further clarification.

Most commenters that responded tothe question whether uses of patientsafety work product should be regulatedsupported the decision not to regulateuses. Those commenters agreed thatregulating uses would be overly

intrusive without significant benefit andthat entities are free to enter intoagreements with greater protections.Other commenters disagreed with theDepartment’s proposal and stated thatregulation of uses would improveconfidentiality and thereby increaseprovider participation.

No commenters opposed the proposalthat sharing of patient safety workproduct from a component PSO to therest of the parent entity of which it isa part would be a disclosure forpurposes of enforcement rather than ause internal to the entity.

Final Rule: The Department adoptsthe provision with modifications. Ingeneral, the modified definition of disclosure means the release of, transferof, provision of access to, or divulgingin any other manner of, patient safetywork product by an entity or naturalperson holding the patient safety workproduct to another legally separateentity or natural person, other than aworkforce member of, or a physicianholding privileges with, the entityholding the patient safety work product.Additionally, we have defined as adisclosure the release of, transfer of,provision of access to, or divulging in

any other manner of, patient safety workproduct by a component PSO to anotherentity or natural person outside thecomponent PSO.

We have modified the language forclarity to distinguish the actions that area disclosure for a natural person and anentity, separately. We have alsoincluded language in the definition thatmakes clear that sharing of patientsafety work product from a componentPSO to the entity of which it is a partis a disclosure even though thedisclosure would be internal to an entityand generally permitted. Finally, we

have added language to clearly indicatethat the sharing of patient safety workproduct between a health care providerwith privileges and the entity withwhich it holds privileges does notconstitute a disclosure, consistent withthe treatment of patient safety workproduct shared among workforcemembers.


Comment: Commenters asked that theDepartment clarify the terms‘‘disclosure’’ and ‘‘use’’. Commenters

stated that the terms were usedinterchangeably and this causedconfusion.

Response: The term ‘‘disclosure’’describes the scope of theconfidentiality protections and themanner in which patient safety workproduct may be shared. ‘‘Disclosure’’ isalso employed by the Patient Safety Act

when describing the assessment of civilmoney penalties for the failure tomaintain confidentiality (see 42 U.S.C.299b–22(f)(1)). Although the PatientSafety Act employs the term ‘‘use’’ inseveral provisions, we did not interpretthose provisions to include a restrictionon the use of patient safety workproduct based on the confidentialityprotections.

Because the focus of the proposedrule was on disclosures, we did not

believe that defining the term ‘‘use’’ washelpful; nor did we believe the termswould be confusing. Use of patientsafety work product is the sharingwithin a legal entity, such as betweenmembers of the workforce, which is nota disclosure. By contrast, a disclosure isthe sharing or release of informationoutside of the entity for which a specificdisclosure permission must beapplicable.

Comment: One commenter requestedclarification regarding the sharing of patient safety work product amonglegally separate participants that join toform a single joint venture componentPSO.

Response: The Departmentdistinguishes between the disclosure of

patient safety work product betweenlegal entities and the use of patientsafety work product internal to a singlelegal entity. If a component PSO is partof a multi-organizational enterprise,uses of patient safety work productinternal to the component PSO are notregulated by this final rule, but sharingof patient safety work product betweenthe component PSO and another entityor with a parent organization areconsidered disclosures for which adisclosure permission must apply.

Comment: One commenter raisedconcerns that the final rule would

restrict a provider’s use of its own dataand thereby discourage collaborationwith other care givers.

Response: The Department believesthat the final rule balances the interests

between the privacy of identifiedproviders, patients and reporters andthe need to aggregate and share patientsafety work product to improve patientsafety among all providers. The finalrule does not limit the sharing of patientsafety work product within an entityand permits sharing among providersunder certain conditions. Affiliated





providers may share patient safety workproduct for patient safety activities andnon-affiliated providers may shareanonymized patient safety workproduct. A provider may also sharepatient safety work product with ahealth care provider that has privilegesto practice at the provider facility.Further, if all identified providers are in

agreement regarding the need to shareidentifiable patient safety work product,each provider may authorize andthereby permit a disclosure.

Comment: Several commenters askedwhether uses were restricted basedupon the purpose for which the patientsafety work product is being sharedinternally.

Response: The final rule does notlimit the purpose for which patientsafety work product may be sharedinternal to an entity. Entities shouldconsider the extent to which sensitivepatient safety work product is available

to members of its workforce as a good business practice.

(E) Section 3.20—Definition of Entity

Proposed Rule: Proposed § 3.20provided that entity would mean anyorganization or organizational unit,regardless of whether the entity ispublic, private, for-profit, or not-for-profit.

Overview of Public Comments: Onecomment was received suggesting thatthe terms ‘‘governmental’’ or ‘‘bodypolitic’’ should be added to clarify thatthe term ‘‘public’’ includes Federal,State, or local government as well as

public corporations.Final Rule: The term ‘‘public’’ has

long been used throughout Title 42 of the Code of Federal Regulations asencompassing governmental agencies;therefore we do not believe that theaddition is necessary. The Departmentadopts the proposed provision withoutmodification.

(F) Section 3.20—Definition of HealthInsurance Issuer

Proposed Rule: Proposed § 3.20provided that health insurance issuerwould mean an insurance company,

insurance service, or insuranceorganization (including a healthmaintenance organization, as defined in42 U.S.C. 300gg–91(b)(3)) which islicensed to engage in the business of insurance in a State and which issubject to State law which regulatesinsurance (within the meaning of 29U.S.C. 1144(b)(2). The definitionspecifically excluded group health plansfrom the meaning of the term.

Overview of Public Comments:Several commenters expressed concernthat the Department needed to be

vigilant in its exclusion of healthinsurance issuers and components of health insurance issuers, urging thatHHS clearly define health insuranceissuers in the final rule. Anothercommenter sought clarificationregarding risk management servicecompanies, i.e., those that offerprofessional liability insurance,

reinsurance, or consulting services.Final Rule: The Department has

reviewed the definition of ‘‘healthinsurance issuer’’ and determined thatthe definition is clear. Because thereference to group health plans could bea source of confusion, we note that wehave defined the term above.Accordingly, the Department adopts theproposed provision withoutmodification.

In response to several commentsregarding the scope of the term healthinsurance issuer, the Department hasconcluded that, for purposes of this

rule, risk management servicecompanies, professional liabilityinsurers and reinsurers do not fallwithin the definition of healthinsurance issuer.


Comment: One commenter asked if aprovider system that was owned as asubsidiary by an HMO could create acomponent PSO.

Response: Section 3.102(a)(2)(i)excludes a health insurance issuer, aunit or division of a health insuranceissuer, or an entity that is owned,managed, or controlled by a health

insurance issuer from seeking listing asa PSO. In this case, the HMO isconsidered a health insurance issuerand the provider system would be acomponent of the health insuranceissuer. Under the rule, the HMO and theprovider system may not seek listing asa PSO, and the entity created by theprovider system could not seek listingas a component PSO if it is owned,managed or controlled by the providersystem or the HMO.

Comment: One commentingorganization requested discussion of what organizational structure might

allow a health insurance issuer toparticipate in the patient safety work of an independent PSO.

Response: The statutory exclusionmeans that the following entities maynot seek listing: a health insuranceissuer or a component of a healthinsurance issuer.

(G) Section 3.20—Definition of ParentOrganization

Proposed Rule: Proposed § 3.20provided that ‘‘parent organization’’would mean an entity, that alone or

with others, either owns a providerentity or a component organization, orhas the authority to control or manageagenda setting, project management, orday-to-day operations of the component,or the authority to review and overridedecisions of a component organization.The proposed rule did not provide adefinition of ‘‘owned’’ but provided

controlling interest (holding enoughstock in an entity to control it) as anexample of ownership in the preamblediscussion of the term, ‘‘parentorganization.’’ The proposed rulespecifically sought comment on our useof the term ‘‘controlling interest,’’whether it was appropriate, andwhether we needed to further define‘‘owns.’’ The remaining terms, ‘‘manageor control,’’ were explained in theproposed rule’s definition of ‘‘parentorganization,’’ as having ‘‘the authorityto control or manage agenda setting,project management, or day-to-day

operations of the component, or theauthority to review and overridedecisions of a component organization.’’

Overview of Public Comments: Wereceived eight comments on thequestion of ‘‘controlling interest’’ andthere was no consensus among thecommenters. Four commenters thoughtour discussion was appropriate.Another agreed with the concept of controlling interest but wanted to limitits application to a provider whoreported patient safety work product tothe entity. One commenter cautionedthat the term ‘‘controlling interest’’ wasopen to various interpretations and the

final rule should provide additionalguidance. Another commenter suggested‘‘controlling interest’’ was worrisome

but did not provide a rationale for thisassessment. One commenter supportedadditional protections, contending thatit was appropriate for HHS to pierce thecorporate veil when there was fraud orcollusion, and recommended thepreamble outline situations in whichHHS would pierce the corporate veil.

We received no negative comments onour proposed interpretation of what itmeans to manage or control anotherentity. One commenter suggested that

the definition should recognize thesignificant authority or control of aprovider entity or componentorganization through reserve powers, byagreement, statute, or both.

Final Rule: While approximately half of the comments supported ourapproach, there was not a clearconsensus in the comments wereviewed. So the approach we havetaken with the definition of ‘‘parentorganization’’ was to strive for greaterclarity, taking into account itsinteraction with our definition of





‘‘component organization,’’ describedabove.

The definition of ‘‘parentorganization’’ in the final rule retainsthe basic framework of the proposedrule definition: an organization is aparent if it owns a componentorganization, has the ability to manageor control a component, or has the

authority to review and overrule thecomponent’s decisions.

The language of the proposed ruleused only the term ‘‘own’’ while thepreamble cited the example of stockownership. Without furtherspecification, we were concerned thatthis approach could have beeninterpreted to mean that an organizationowning just a few shares of stock of acomponent organization would beconsidered a parent organization. Thisis not our intent. For clarity, we havemodified the text to read ‘‘owns acontrolling or majority interest.’’

We have also removed the phrase‘‘alone or with others’’ from the firstclause. We did so for two reasons. First,it is unnecessary since it does not matterwhether ownership is shared with otherorganizations, as in a joint venture. Anentity seeking listing as a PSO will usethis definition solely to determine if ithas any parent organizations and, if itdoes, it must seek listing as acomponent organization and disclosethe names and contact information foreach of its parent organizations. Second,we have tried to make it as clear aspossible that any organization that hascontrolling ownership interests, or

management or control authority over aPSO, should be considered, andreported in accordance with therequirements of §3.102(c)(1)(i), as aparent organization.

For similar reasons, we have removedthe reference to provider from the firstpart of the definition and insteadconsistently used the term ‘‘componentorganization’’ with respect to eachcharacteristic of a parent organization.We added a second sentence to clarifythat a provider could be the componentorganization in all three descriptiveexamples given of parental authority.

In response to one commenter’sconcern, we believe that the phrase ‘‘hasthe authority’’ as used in the definitionis sufficiently broad to encompassreserve powers.

(H) Section 3.20—Definition of PatientSafety Evaluation System

Proposed Rule: Proposed § 3.20provided that patient safety evaluationsystem would mean the collection,management, or analysis of informationfor reporting to or by a PSO. The patientsafety evaluation system would be the

mechanism through which informationcan be collected, maintained, analyzed,and communicated. The proposed rulediscussed that a patient safetyevaluation system would not need to bedocumented because it exists whenevera provider engages in patient safetyactivities for the purpose of reporting toa PSO or a PSO engages in these

activities with respect to information forpatient safety purposes. The proposedrule provided that formaldocumentation of a patient safetyevaluation system could designatesecure physical and electronic space forthe conduct of patient safety activitiesand better delineate various functions of a patient safety evaluation system, suchas when and how information would bereported by a provider to a PSO, howfeedback concerning patient safetyevents would be communicated

between PSOs and providers, withinwhat space deliberations and analyses

of information are conducted, and howprotected information would beidentified and separated frominformation collected, maintained, ordeveloped for purposes other thanreporting to a PSO.

The Department recommended that aprovider consider documentation of apatient safety evaluation system tosupport the identification andprotection of patient safety workproduct. Documentation may providesubstantial proof to support claims of privilege and confidentiality and willgive notice to, will limit access to, andwill create awareness among employees

of, the privileged and confidentialnature of the information within apatient safety evaluation system whichmay prevent unintended orimpermissible disclosures.

We recommended that providers andPSOs consider documenting howinformation enters the patient safetyevaluation system; what processes,activities, physical space(s) andequipment comprise or are used by thepatient safety evaluation system; whichpersonnel or categories of personnelneed access to patient safety workproduct to carry out their duties

involving operation of, or interactionwith, the patient safety evaluationsystem; the category of patient safetywork product to which access is neededand any conditions appropriate to suchaccess; and what procedures the patientsafety evaluation system uses to reportinformation to a PSO or disseminateinformation outside of the patient safetyevaluation system.

The proposed rule sought commentabout whether a patient safetyevaluation system should be required to

be documented.

Overview of Public Comments:Several commenters supported theefforts to enable the patient safetyevaluation system to be flexible andscalable to individual provideroperations. Most commenters thatresponded to the question whether apatient safety evaluation system should

be documented supported the decision

to not require documentation.Commenters stated that requiringdocumentation would inhibit theflexibility in the design of patient safetyevaluation systems and the ability of providers to design systems best suitedfor their specific practices and settings.Documentation would also be

burdensome to providers and shouldultimately be left to the discretion of individual providers based on theirneeds. Other commenters supported arequirement for documentation,suggesting that documentation would gofurther in ensuring compliance with the

confidentiality provisions and theprotection of information, therebyencouraging provider participation.

Final Rule: The Department adoptsthe proposed provision withoutmodification. Based on the comments,we have not modified the proposeddecision to not require documentation.We have, as described in the definitionof patient safety work product below,clarified how documentation of apatient safety evaluation system clearlyestablishes when information is patientsafety work product. We encourageproviders to document their patientsafety evaluation systems for the

benefits mentioned above. We believedocumentation is a best practice.


Comment: Two commenters raisedconcerns about how a patient safetyevaluation system operates within amulti-hospital system comprised of aparent corporation and multiplehospitals that are separatelyincorporated and licensed. Onecommenter asked whether a parentcorporation can establish a singlepatient safety evaluation system inwhich all hospitals participate. The

other commenter recommended thatindividual institutional affiliates of amulti-hospital system be part of a singlepatient safety evaluation system.

Response: For a multi-provider entity,the final rule permits either theestablishment of a single patient safetyevaluation system or permits the sharingof patient safety work product as apatient safety activity among affiliatedproviders. For example, a hospital chainthat operates multiple hospitals mayinclude the parent organization alongwith each hospital in a single patient





safety evaluation system. Thus, eachhospital may share patient safety workproduct with the parent organizationand the patient safety evaluation systemmay exist within the parent organizationas well as the individual hospitals.

There may be situations whereestablishing a single patient safetyevaluation system may be burdensome

or a poor solution to exchanging patientsafety work product among memberhospitals. To address this concern, wehave modified the disclosurepermission for patient safety activitiesto permit affiliated providers to disclosepatient safety work product with eachother based on commonality of ownership.

Comment: One commenter asked howa patient safety evaluation system existswithin an institutional provider.

Response: A patient safety evaluationsystem is unique and specific to aprovider. The final rule retains adefinition of a patient safety evaluationsystem that is flexible and scalable tomeet the specific needs of particularproviders.

With respect to a single institutionalprovider, such as a hospital, a providermay establish a patient safety evaluationsystem that exists only within aparticular office or that exists atparticular points within the institution.The decisions as to how a patient safetyevaluation system operates will dependupon the functions the institutionalprovider desires the patient safetyevaluation system to perform and itstolerances regarding access to the

sensitive information contained withinthe system. Providers should considerhow a patient safety evaluation systemis constructed, carefully weighing the

balance between coordination andfragmentation of a provider’s activities.

Comment: Some commenters wereconcerned that the patient safetyevaluation system provided a loopholefor providers to avoid transparency of operations and hide information aboutpatient safety events. Some commenterssuggested that a provider may establisha patient safety evaluation system that isinside of a PSO, thus stashing away

harmful documents and information.Response: The Department does not believe that the patient safety evaluationsystem enables providers to avoidtransparency. A patient safetyevaluation system provides a protectedspace for the candid consideration of quality and safety. Nonetheless, thePatient Safety Act and the final rulehave carefully assured that informationgenerally available today remainsavailable, such as medical records,original provider documents, and

business records. Providers must fulfill

external reporting obligations withinformation that is not patient safetywork product. Further, a provider maynot maintain a patient safety evaluationsystem within a PSO.

Comment: One commenter askedwhether all information in a patientsafety evaluation system is protected.

Response: Information collected

within a patient safety evaluationsystem that has been collected for thepurpose of reporting to a PSO is patientsafety work product if documented ascollected for reporting to a PSO. This isdiscussed more fully at the definition of patient safety work product below.Information that is reported to a PSO isalso protected, as discussed more fullyat the definition of patient safety workproduct below.

Comment: One commenter wasconcerned that the lack of a frameworkand too much flexibility may interferewith interoperability and data

aggregation at a later date.Response: The Department believesthat a patient safety evaluation systemmust of necessity be flexible andscalable to meet the needs of specificproviders and PSOs. Without suchflexibility, a provider may notparticipate, which may, lessen theoverall richness of the information thatcould be obtained about patient safetyevents. The Department recognizes thevalue of aggregated data and has,pursuant to the Patient Safety Act,

begun the process of identifyingstandard data reporting terms tofacilitate aggregation and

interoperability. Further, the PatientSafety Act requires that PSOs, to theextent practical and appropriate, collectpatient safety work product in astandardized manner (see 42 U.S.C.299b–24(b)(1)(F)). The Departmenthopes that, by permitting the widestrange possible of providers toparticipate in the gathering and analysisof patient safety events, increasedparticipation will generate more dataand greater movement towardsaddressing patient safety issues.

Comment: Many commentersencouraged the Department to provide

technical assistance to providers andPSOs on the structuring and operationof a patient safety evaluation system.

Response: The Department expects toprovide such guidance on the operationand activities of patient safetyevaluation systems as it determines isnecessary.

(I) Section 3.20—Definition of PatientSafety Work Product

Proposed Rule: Proposed § 3.20adopted the statutory definition of patient safety work product as defined

in the Patient Safety Act. The proposedrule provided that many types of information can become patient safetywork product to foster robust exchanges

between providers and PSOs. Anyinformation must be collected ordeveloped for the purpose of reportingto a PSO.

Three provisions identified how

information becomes patient safetywork product. First, information may

become patient safety work product if itis assembled or developed by a providerfor the purpose of reporting to a PSOand is reported to a PSO. Second,patient safety work product isinformation developed by a PSO for theconduct of patient safety activities.Third, patient safety work product isinformation that constitutes thedeliberations or analysis of, or identifiesthe fact of reporting pursuant to, apatient safety evaluation system.

The proposed rule provided thatreporting means the actual transmissionor transfer of information to a PSO. Werecognized that requiring thetransmission of every piece of paper orelectronic file to a PSO could imposesignificant transmission, management,and storage burdens on providers andPSOs. The proposed rule soughtcomment on whether alternatives foractual reporting should be recognized assufficient to meet the reportingrequirement. For example, the proposedrule suggested that a provider thatcontracts with a PSO may functionallyreport information to a PSO byproviding access and control of

information to a PSO without needing tophysically transmit information. Theproposed rule also sought comment onwhether additional terms andconditions should be required to permitfunctional reporting and whetherfunctional reporting should bepermitted only after an initial actualreport of information related to anevent.

The proposed rule also soughtcomment on whether a short period of protection for information assembled

but not yet reported is necessary forflexibility or for providers to efficiently

report information to a PSO. We alsosought comment on an appropriate timeperiod for such protection and whethera provider must demonstrate intent toreport in order to obtain protection.

The proposed rule also soughtcomment on when a provider could

begin collecting information for thepurpose of reporting to a PSO such thatit is not excluded from becoming patientsafety work product because it wascollected, maintained or developedseparately from a patient safetyevaluation system.





The proposed rule indicated that, if aPSO is delisted for cause, a providerwould be able to continue to report tothat PSO for 30 days after the date of delisting and the information reportedwould be treated as patient safety workproduct (section 924(f)(1) of the PublicHealth Service Act). However, afterdelisting, the proposed rule indicated

that the former PSO may not generatepatient safety work product bydeveloping information for the conductof patient safety activities or throughdeliberations and analysis of information. Even though a PSO maynot generate new patient safety workproduct after delisting, it may stillpossess patient safety work product,which must be kept confidential and bedisposed of in accordance withrequirements in Subpart B.

The proposed rule also describedwhat is not patient safety work product,such as a patient’s original medical

record, billing and dischargeinformation, or any other originalpatient or provider record. Patient safetywork product does not includeinformation that is collected,maintained, or developed separately orexists separately from, a patient safetyevaluation system. This distinction ismade because these and similar recordsmust be maintained by providers forother purposes.

The proposed rule also discussed thatexternal reporting obligations as well asvoluntary reporting activities that occurfor the purpose of maintainingaccountability in the health care system

cannot be satisfied with patient safetywork product. Thus, information that iscollected to comply with externalobligations is not patient safety workproduct. The proposed rule providedthat such activities include: stateincident reporting requirements;adverse drug event informationreporting to the Food and DrugAdministration (FDA); certification orlicensing records for compliance withhealth oversight agency requirements;reporting to the National PractitionerData Bank of physician disciplinaryactions; or complying with required

disclosures by particular providers orsuppliers pursuant to Medicare’sconditions of participation or conditionsof coverage.

The proposed rule also addressed theissue that external authorities may seekinformation about how effectively aprovider has instituted corrective actionfollowing identification of a threat to thequality or safety of patient care. ThePatient Safety Act does not relieve aprovider of its responsibility to respondto such requests for information or toundertake or provide to external

authorities evaluations of theeffectiveness of corrective action, butthe provider must respond withinformation that is not patient safetywork product. The proposed ruleprovided that recommendations forchanges from the provider’s patientsafety evaluation system or the PSO arepatient safety work product. However,

the actual changes that the providerimplements to improve how it managesor delivers health care services are notpatient safety work product, and itwould be virtually impossible to keepsuch changes confidential.

Overview of Public Comments:Commenters raised a significant numberof concerns regarding how information

becomes patient safety work productunder particular provisions of thedefinition.

Functional Reporting

We received significant feedback fromcommenters in support of recognizingalternative reporting methods. Mostcommenters agreed that an alternativereporting arrangement should bepermitted to promote efficiency andrelieve providers of the burden of continued transmission. Twocommenters opposed permittingalternative reporting methods based onthe concern that a shared resource mayconfuse clear responsibility for a breachof information and that a PSO that hasaccess to a provider information systemmay also have access to patient recordsand similar information for which

access may not be appropriate.Most commenters rejected the

suggestion that functional reportingshould be limited to subsequent reportsof information rather than allowingfunctional reports for the first report of an event. Commenters believed thatsuch a limitation would inhibitparticipation and offset the benefits of allowing functional reporting.Commenters also believed such alimitation would create an artificialdistinction between information that isinitially and subsequently reported to aPSO. Some commenters believed that

details regarding functional reportingare better left to agreement between theprovider and PSO engaging infunctional reporting. Two commentersdid support restricting functionalreporting to subsequent information, butdid not provide any rationale or concernto support their comment.

No commenters identified additionalrequirements or criteria that should beimposed beyond a formal contract oragreement. Thus, the final rule permitsfunctional reporting.

When Is Information Protected

Commenters raised significant andsubstantial concerns regarding when theprotections for patient safety workproduct begins, how existing patientsafety processes will occur given theprotections for patient safety workproduct, and the likelihood that

providers may need to maintainseparate systems with substantiallyduplicate information. A significantmajority of commenters responded tothe concern regarding the status of information collected, but not yetreported to a PSO. Most commentersagreed with concerns raised by theDepartment that early protection couldease the burden on providers,preventing a race to report to a PSO.These commenters recommended thatinformation be protected uponcollection and prior to reporting.Protection during this time wouldpermit providers to investigate an event

and conduct preliminary analysesregarding causes of the event or whetherto report information to a PSO. Manycommenters were concerned thatinformation related to patient safetyevents be protected at the same time theinformation is preserved for other uses.Some providers indicated that if duplication of information is required,providers may opt to not participate dueto costs and burdens. Three commentersindicated that there should be noprotection until information is reportedto a PSO. One commenter wasconcerned that early protection may

interfere with State reportingrequirements because informationneeded to report to a State may becomeprotected and unavailable for Statereporting. Another commenter statedthat earlier protection would notalleviate the concerns regardingprotection prior to reporting.

Commenters provided a wide range of recommendations in response to whenprotection of information should beginprior to creation of patient safety workproduct. Commenters suggested thatinformation be protected prior toreporting for as little as 24 hours from

an event up to 12 months. Othercommenters suggested that a timeframe be reasonable and based upon relevantfactors such as the complexity of factsand circumstances surrounding anevent.

State Reporting

One of the most significant areas of comment was how processes to createpatient safety work product may operatealongside similar processes within aprovider. Commenters were particularlyconcerned that information collected for





similar purposes, such as for reportingto a PSO and for reporting to a Statehealth authority, would need to bemaintained in separate systems, therebyincreasing the burden on providers. Themost significant comments receivedrelated to how information related topatient safety events may be protected atthe same time the information is

preserved for other uses. Someproviders indicated that if duplication isrequired, provider may opt to notparticipate due to costs and burdens.

Earliest Time for Collection of Information

Few commenters responded to therequest for comment on the earliest dateinformation could be collected forpurposes of reporting to a PSO, arequirement for information to becomepatient safety work product. Fourcommenters recommended thatinformation collection be permitted

back to the passage of the Patient SafetyAct. Four commenters recommendedthat the earliest date of collection bedependent upon each provider’s goodfaith and intent to collect informationfor reporting to a PSO.

Final Rule: The Department adoptsthe proposed provision with somemodification.

Functional Reporting

The Department recognizes theconcerns raised by commentersregarding the functional reportingproposal, but believes the benefitsoutweigh the potential negative

consequences; the relief of burden, andthe flexibility that derives from notadhering to a narrow reading of thereporting requirement. First, werecognize that a provider and PSOengaging in this alternative method of reporting have an establishedrelationship for the reporting of information and have spent some timeconsidering how best to achieve amutually useful and suitable reportingrelationship. That relationship willnecessitate consideration of whatinformation is necessary and notnecessary to achieve the purpose of

reporting. Neither a provider nor a PSOis required to accept an alternativereporting mechanism. Further,providers continue to be under the sameobligations to protect patient and othermedical records from inappropriateaccess from others, including the PSO,without exception. Second, such arelationship should establish clearly themechanism for control of informationreported or to which the PSO will haveaccess, and the scope of PSO authorityto use the information. In addition, theassessment of liability should be

addressed and need be no morecomplex than exists in provider settingstoday with shared resources andintegrated services.

We agree with commenters thatlimitations regarding the initial orsubsequent reporting of information are

better left to the providers and PSOsengaging in the practice and that

providers and PSOs should be permittedto design the appropriately flexiblereporting mechanism befitting thecircumstances of their practice setting.We further agree that additionallimitations on the ability to usefunctional reporting are unwarranted,absent clear identification of risks orconcerns to be addressed by furtherlimitations.

For these reasons, we clarify thatreporting of information to a PSO for thepurposes of creating patient safety workproduct may include authorizing PSOaccess, pursuant to a contract orequivalent agreement between aprovider and a PSO, to specificinformation in a patient safetyevaluation system and authority toprocess and analyze that information,e.g., comparable to the authority a PSOwould have if the information werephysically transmitted to the PSO. Wedo not believe a formal change in theregulatory text is necessitated by thisclarification.

When Is Information Protected

The Department recognizes that thePatient Safety Act’s protections are thefoundation to furthering the overall goal

of the statute to develop a nationalsystem for analyzing and learning frompatient safety events. To encouragevoluntary reporting of patient safetyevents by providers, the protectionsmust be substantial and broad enoughso that providers can participate in thesystem without fear of liability or harmto reputation. Further, we believe theprotections should attach in a mannerthat is as administratively flexible aspermitted to accommodate the manyvaried business processes and systemsof providers and to not run afoul of thestatute’s express intent to not interfere

with other Federal, State or localreporting obligations on providers.The proposed rule required that

information must be reported to a PSO before the information may becomepatient safety work product under thereporting provision of the definition of patient safety work product. However,this standard left information collected,

but not yet reported to a PSO,unprotected, a cause of significantcommenter concern. This standard alsomight encourage providers to race toreport information indiscriminately to

obtain protection in situations where areport ultimately may be unhelpful,causing the expenditure of scarceresources both by a provider and a PSOto secure the information as patientsafety work product. The proposed rulealso may have caused some providers tochoose between not participating ordeveloping dual systems for handling

similar information at increased costs.We believe it is important to address

the shortcomings of a strict reportingrequirement through the followingmodification. The final rule providesthat information documented ascollected within a patient safetyevaluation system by a provider shall beprotected as patient safety workproduct. A provider would documentthat the information was collected forreporting to a PSO and the date of collection. The information would

become patient safety work productupon collection. Additionally, a

provider may document that the sameinformation is being voluntarilyremoved from the patient safetyevaluation system and that the providerno longer intends to report theinformation to a PSO, in which casethere are no protections. If a providerfails to document this information, theDepartment will presume the intent toreport information in the patient safetyevaluation system to the PSO is present,absent evidence to the contrary.

We believe this modificationaddresses the concerns raised by thecommenters. Protection that begins fromthe time of collection will encourage

participation by providers withoutcausing significant administrative

burden. The alternative is a system thatencourages providers toindiscriminately report information toPSOs in a race for protection, resultingin PSOs receiving large volumes of unimportant information. By offeringproviders the ability to examine patientsafety event reports in the patient safetyevaluation system without requiringthat all such information beimmediately reported to a PSO, and byproviding a means to remove suchinformation from the patient safety

evaluation system and end its status aspatient safety work product, the finalrule permits providers to maximizeorganizational and system efficienciesand lessens the need to maintainduplicate information for differentneeds. Because documentation will becrucial to the protection of patient safetywork product at collection, providersare encouraged to document theirpatient safety evaluation system. Wenote, however, that a provider shouldnot place information into its patientsafety evaluation system unless it





intends for that information to bereported to the PSO.

Although this approach substantiallyaddresses commenter concerns, threeissues do cause concern. First, becauseinformation may be protected back tothe time of collection, providers are nolonger required to promptly reportinformation to a PSO to ensure

protection. Although we believe this isan unavoidable result of themodification, we believe the likelyimpact may be rare because providersare likely to engage PSOs for theirexpertise which requires such reporting.Second, the requirement to documentcollection in a patient safety evaluationsystem and, potentially, removal from apatient safety evaluation system could

be burdensome to a provider. However,we believe these are importantrequirements particularly in light of theenforcement role OCR will play. Aprovider will need to substantiate that

information is patient safety workproduct, or OCR will be unable todetermine the status of informationpotentially leaving sensitive informationunprotected—or subjecting the providerto penalties for improperly disclosingpatient safety work product. Third, theability of a provider to removeinformation from a patient safetyevaluation system raises concern that aprovider may circumvent the intent of aprovider employee to obtain protectionfor information when reporting to theprovider’s patient safety evaluationsystem. For providers that engage infunctional reporting, the concern is

substantially mitigated because, underfunctional reporting, information isreported to a PSO when it is transmittedto the patient safety evaluation systemto which the PSO has access, and, thus,protected. Alternatively, a provideremployee may report as permitteddirectly to a PSO. Ultimately, this issueis to be settled between a provider thatwishes to encourage reports that maynot otherwise come to light and itsemployees who must be confident thatreporting will not result in adverseconsequences.

For these reasons, the Department

modifies the definition of patient safetywork product to include additionallanguage in the first provision of thedefinition that protects information

based upon reporting to a PSO.

State Reporting

To address commenter concerns aboutthe duplication of resources for similarpatient safety efforts and the lack of protection upon collection, we haveclarified the requirements for howinformation becomes patient safetywork product when reported to a PSO.

Generally, information may becomepatient safety work product whenreported to a PSO. Information may also

become patient safety work productupon collection within a patient safetyevaluation system. Such informationmay be voluntarily removed from apatient safety evaluation system if it hasnot been reported and would no longer

be patient safety work product. As aresult, providers need not maintainduplicate systems to separateinformation to be reported to a PSOfrom information that may be requiredto fulfill state reporting obligations. Allof this information, collected in onepatient safety evaluation system, isprotected as patient safety work productunless the provider determines thatcertain information must be removedfrom the patient safety evaluationsystem for reporting to the state. Onceremoved from the patient safetyevaluation system, this information is

no longer patient safety work product.Earliest Time for Collection of Information

The Department believes that a clearindication of a specific time wheninformation may first be collected is

beneficial to providers by reducing thecomplexity and ambiguity concerningwhen information is protected as patientsafety work product. Although eachprovider collecting information forreporting to a PSO may need to supportthe purpose of information collection atthe time of collection, such a standardmay be overly burdensome. The

Department agrees that information mayhave been collected for the purpose of reporting to a PSO beginning frompassage of the Patient Safety Act.Information that existed prior to thepassage of the Patient Safety Act may besubsequently collected for reporting to aPSO, but the original record remainsunprotected. This clarification does notrequire any regulatory language changein the proposed rule.

What Is Not Patient Safety WorkProduct

We reaffirm that patient safety work

product does not include a patient’soriginal medical record, billing anddischarge information, or any otheroriginal patient or provider record; nordoes it include information that iscollected, maintained, or developedseparately or exists separately from, apatient safety evaluation system. Thefinal rule includes the statutoryprovision that prohibits construinganything in this Part from limiting (1)the discovery of or admissibility of information that is not patient safetywork product in a criminal, civil, or

administrative proceeding; (2) thereporting of information that is notpatient safety work product to a Federal,State, or local governmental agency forpublic health surveillance,investigation, or other public healthpurposes or health oversight purposes;or (3) a provider’s recordkeepingobligation with respect to information

that is not patient safety work productunder Federal, State or local law.Section 921(7)(B)(iii) of the PublicHealth Service Act, 42 U.S.C. 299b–21(7)(B)(iii). The final rule does notlimit persons from conductingadditional analyses for any purposeregardless of whether such additionalanalyses involve issues identical to orsimilar to those for which informationwas reported to or assessed by a PSO ora patient safety evaluation system.Section 922(h) of the Public HealthService Act, 42 U.S.C. 299b–22(h).

Even when laws or regulations require

the reporting of the informationregarding the type of events alsoreported to PSOs, the Patient Safety Actdoes not shield providers from theirobligation to comply with suchrequirements. These external obligationsmust be met with information that is notpatient safety work product andoversight entities continue to haveaccess to this original information in thesame manner as such entities have hadaccess prior to the passage of the PatientSafety Act. Providers should carefullyconsider the need for this information tomeet their external reporting or healthoversight obligations, such as for

meeting public health reportingobligations. Providers have theflexibility to protect this information aspatient safety work product within theirpatient safety evaluation system whilethey consider whether the informationis needed to meet external reportingobligations. Information can be removedfrom the patient safety evaluationsystem before it is reported to a PSO tofulfill external reporting obligations.Once the information is removed, it isno longer patient safety work productand is no longer subject to theconfidentiality provisions.

The Patient Safety Act establishes aprotected space or system that isseparate, distinct, and resides alongside

but does not replace other informationcollection activities mandated by laws,regulations, and accrediting andlicensing requirements as well asvoluntary reporting activities that occurfor the purpose of maintainingaccountability in the health care system.Information is not patient safety workproduct if it is collected to comply withexternal obligations, such as: stateincident reporting requirements;





adverse drug event informationreporting to the Food and DrugAdministration (FDA); certification orlicensing records for compliance withhealth oversight agency requirements;reporting to the National PractitionerData Bank of physician disciplinaryactions; complying with requireddisclosures by particular providers or

suppliers pursuant to Medicare’sconditions of participation or conditionsof coverage; or provision of access torecords by Protection and Advocacyorganizations as required by law.


Comment: One commenter inresponding to questions about timingand early protection interpreted thetiming concern to be an expiration of anallowed period of time to report, suchthat an event must be reported within acertain number of days or it may not

become protected.

Response: As noted above, the timingissues in the final rule relate to wheninformation may have been collected forreporting to a PSO. There is noexpiration date for an event that wouldprohibit future protection of a report of it as patient safety work product so longas the protection of the information ispursuant to the final rule.

Comment: One commenter suggestedthat event registries may seek to becomePSOs because the model is wellpositioned to allow for tracking andidentification of patients that requirefollow-up.

Response: The Department recognizesthat event registries may have particular benefits that may be helpful in theanalysis of patient safety events, but wecaution any holder of patient safetywork product that future disclosure of patient safety work product must bedone pursuant to the disclosurepermissions. Thus, while it may beappropriate for event registries toidentify and track patients who mayrequire follow-up care, the final rulewould generally not permit disclosureof patient safety work product topatients for such a purpose.Accordingly, while there may be

benefits to an event registry becoming aPSO, a registry should take intoconsideration the limitations ondisclosure of patient safety workproduct, and what impact such limitswould have on its mission, prior toseeking listing.

Comment: Several commenters soughtclarification whether informationunderlying analyses within a patientsafety evaluation system was protected.One commenter suggested that dataused to conduct an analysis should be

protected at the same time as theanalysis.

Response: As indicated in thedefinition of patient safety workproduct, information that constitutes thedeliberation or analysis within a patientsafety evaluation system is protected.Information underlying the analysismay have been either reported to a PSO

and protected or collected in a patientsafety evaluation system. Informationdocumented as collected within apatient safety evaluation system isprotected based on the modification tothe definition of patient safety workproduct. Thus, information underlyingan analysis may be protected. However,underlying information that is originalmedical records may not be protected if it is excluded by the definition of patient safety work product.

Comment: Two commenters raisedconcerns that PSOs do not havediscretion regarding the receipt of unsolicited information reported toPSOs from providers. One commenterwas concerned about the burden on aPSO receiving unsolicited reports andthe obligation a PSO may have regardingunsolicited reports. Another commenterwas concerned that unsolicited reportsmay be materially flawed or containincorrect information.

Response: The Department does notagree that this is a major issue for PSOsor that PSOs need some regulatoryability to reject reported information. If a PSO receives information from aprovider that was collected by thatprovider for the purposes of sending to

a PSO, then the information is patientsafety work product. PSOs may use oranalyze the information, but mustprotect it as patient safety work productand dispose of the information properly.However, there is no requirement that aPSO maintain or analyze theinformation. For these reasons, we donot modify the proposed rule positionregarding these issues.

Comment: Some commenters wereconcerned that recommendations of PSOs may be treated as a standard of care. Commenters recommended thatrecommendations from PSOs be

protected as patient safety workproduct.Response: The Department stated in

the proposed rule that PSOrecommendations are patient safetywork product, but the changesundertaken by a provider based upon aPSO’s recommendations are not patientsafety work product. With respect to theconcern that PSO recommendationsmay establish a standard of care, theissue is not within the scope of thePatient Safety Act and not appropriatefor the regulation to address. Generally,

the establishment of a standard of careis a function of courts and entities thathave jurisdiction over the issue forwhich a standard of care is relevant. Theintroduction of patient safety workproduct as information that may helpestablish a standard of care is highlyunlikely given the limited disclosurepermissions. For these reasons, we make

no modifications in the final rule.Comment: Several commenters raised

concerns about the distinction betweenoriginal documents and copies of original documents. One commenterstated that it was an artificial distinctionin an electronic environment.

Response: The Patient Safety Act andthe final rule distinguish certain originalrecords from information collected forreporting to a PSO. Because informationcontained in these original records may

be valuable to the analysis of a patientsafety event, the important informationmust be allowed to be incorporated intopatient safety work product. However,the original information must be keptand maintained separately to preservethe original records for their intendedpurposes. If the information were to

become patient safety work product, itcould only be disclosed pursuant to theconfidentiality protections.

Comment: One commenter wasconcerned that information collected forreporting to a PSO may be the sameinformation providers collect forreporting to a state regulatory agency.The commenter suggested thatprotections should only attach toinformation after state-mandated

reporting requirements have beenfulfilled. The commenter was concernedthat the confidentiality protections mayimpede state data collection,surveillance and enforcement efforts. Aseparate commenter requestedclarification that if patient safety workproduct is reported under a statemandated incident reporting system, thepatient safety work product continues to

be protected.Response: The final rule is clear that

providers must comply with applicableregulatory requirements and that theprotection of information as patient

safety work product does not relieve aprovider of any obligation to maintaininformation separately. The Department

believes that some providers, such ashospitals, have been operating in similarcircumstances previously whenconducting peer review activities understate peer review law protections. Forpatient safety work product to bedisclosed, even to a State entity, thediscloser must have an applicabledisclosure permission. While the PatientSafety Act does not preempt state lawsthat require providers to report





information that is not patient safetywork product, a State may not requirethat patient safety work product bedisclosed.

Comment: One commenter advisedthat the final rule should build onexisting infrastructure for reporting andexamination of patient safety events tominimize duplication of resources and

maximize existing efforts.Response: The Department has

modified the proposed rule to addressthe potential issue of duplicatedresources by allowing providers theflexibility to collect and reviewinformation within a patient safetyevaluation system to determine if theinformation is needed to fulfill externalreporting obligations as addressedabove. The Department recognizes thehigh costs of health care, both in dollarsand in the health of individuals. Thefinal rule establishes a workable andflexible framework to permit providersthat have mature patient safety efforts tofully participate as well as for providerswith no patient safety activities to beencouraged to begin patient safetyefforts.

Comment: One commenter askedwhether multiple PSOs can establish asingle reporting portal for receivingreports from providers.

Response: The final rule does notaddress procedures regarding how aPSO receives information. Providersmust meet any requirements regardingsharing information that is protectedhealth information, such as the HIPAAPrivacy Rule, in any circumstances

when reporting information to a PSO orjoint PSO portal.

Comment: Several commenters askedwhether retrospective analyses could beincluded as patient safety work product.

Response: The final rule permits anydata, which is a term that is broadlydefined and would includeretrospective analyses, to becomepatient safety work product. The factthat information was developed prior tothe collection for reporting to a PSOdoes not bar a provider from reportingan analysis to a PSO and creatingpatient safety work product. Providers

should be cautioned to considerwhether there are other purposes forwhich an analysis may be used todetermine whether protection as patientsafety work product is necessary orwarranted. Further, the definition of patient safety work product is clear thatinformation collected for a purposeother than for reporting to a PSO maynot become patient safety work productonly based upon the reporting of thatinformation to a PSO. Such information,particularly information collected ordeveloped prior to the passage of the

Patient Safety Act, may becomeprotected as a copy, but the originaldocument remains unprotected.

(J) Section 3.20—Definition of Provider

Proposed Rule: Proposed §3.20 wouldhave divided the meaning of providerinto three categories. The first paragraphincluded ‘‘an individual or entity

licensed or otherwise authorized underState law to provide health careservices, including’’ and thisintroductory language was followed bya list of institutional health careproviders in subparagraph (1) and a listof individual health care practitioners insubparagraph (2). The preambleindicated that these statutory lists wereillustrative.

Under the Secretary’s authority toexpand the list of providers in thestatutory definition, the proposed rulewould have added two categories to thelist of providers. The second paragraphwould have covered agencies,organizations, and individuals withinFederal, State, local, or Tribalgovernments that deliver health care,the contractors these entities engage,and individual health care practitionersemployed or engaged as contractors bythese entities. We included this addition

because public health care entities andtheir staff are not always authorized orlicensed by state law to provide theirservices and, therefore, might not beincluded within the terms of theoriginal statutory definition.

The third paragraph would haveincluded a parent organization that has

a controlling interest in one or moreentities described in paragraph (1)(i) of this definition or a Federal, State, local,or Tribal government unit that managesor controls one or more entitiesdescribed in (1)(i) or (2) of thisdefinition. This addition was intendedto permit the parent organization of ahealth care provider system to enter asystem-wide contract with a PSO. Theparent of a health system also may not

be licensed or authorized by state law toprovide health care services as required

by the statutory definition.Overview of Public Comments: There

were a number of comments withrespect to the entities and individualsthat are identified as providers in thesubparagraphs of paragraph (1). Forexample, one commenter soughtclarification that ‘‘assisted livingresidential care and other community

based care’’ providers are included inthe broader term ‘‘long term carefacilities’’ as identified in the list of covered providers. A number of otherindividual commenters each identifiedentities that the Secretary shouldinclude in the definition of providers:

medical product vendors,pharmaceutical companies, medicaldevice manufacturers, risk retentiongroups, and captive professionalliability insurance companies that arecontrolled by risk retention groups.

There was general support for theinclusion of parent organizations of private and public sector providers in

paragraph (3), although two commentersdisagreed. One commenter argued thatnaming the parent organization as aprovider suggested a ‘‘one size fits all’’solution and suggested that eligibilityshould be linked to whether the parentorganization is involved in the patientsafety evaluation system for itssubsidiaries. Other commenters, whilenot objecting, worried that this additioncould open the door for organizationssuch as health insurance issuers,including Health MaintenanceOrganizations, regulatory andaccrediting entities to qualify as

component PSOs. One commentersuggested that by using the phrase‘‘controlling interest’’ with respect toprivate sector parent organizations, thefocus of this part of the proposedparagraph was inappropriately narrow,appearing to emphasize a corporateparent, and that the language needed toreflect a broader array of potentialparent organizations, such aspartnerships or limited liabilitycompanies.

Several commenters expressedconcern that by encompassing entitiesthat are not traditionally providers,under HIPAA or other rules, our

definition of ‘‘provider’’ would lead toconfusion. One commenter suggested itwould be appropriate for thecommentary accompanying the finalrule to address the two terms,emphasize the differences, and clarifythe obligations.

Final Rule: We have modified thedefinition of provider in the final rulein response to several comments. Thefirst modification is a non-substantivesubstitution of the term behavioralhealth for behavior health. In responseto the comments we received and toensure clarity, we reiterate what we

stated in the proposed rule that a listpreceded by ‘‘including’’ is anillustrative list, not an exhaustive list.

In general, the question of whetherany private sector individual or entity,such as assisted living residential careand other community-based careproviders, comes within the rule’smeaning of ‘‘provider’’ is determined bywhether the individual or entity islicensed or otherwise authorized understate law to deliver health care services.We note that paragraphs (2) and (3) of the definition address public sector





providers and parent organizations of health care providers.

We have not adopted any of the otherrecommendations for additions to thelist of providers. The statute providesconfidentiality and privilege protectionsfor reporting by individuals and entitiesthat actually provide health careservices to patients. In our view, it was

not intended to apply to those whomanufacture or supply materials used intreatments or to entities that providefiscal or administrative support to thoseproviding health care services.

With respect to paragraph (3) of thedefinition, the use of the term parentorganization here should conform to ourdefinition of ‘‘parent organization’’above. Therefore, we have streamlinedthe language, deleting unnecessary textthat might suggest that we wereapplying a different definition.

The Department does not share theconcerns of commenters thatincorporating a broader definition of ‘‘provider’’ in this rule will causeconfusion in the marketplace, becauseits use will be limited. The applicationof the term ‘‘provider’’ in this rule isintended to give the full range of healthcare providers the ability to reportinformation to, and work with, PSOsand receive confidentiality and privilegeprotections as set forth in the PatientSafety Act and this rule. Although weappreciate the administrative benefits of uniformity, and have tried to maximizethe consistency or interoperability of this rule with the HIPAA Privacy andSecurity Rules, it would not be

appropriate in this rule to adhere to anyless inclusive definition of providerused in other regulations.

We did not condition the designationof provider status for a parentorganization on its involvement in apatient safety evaluation system. Weexpect that most parent organizationswill, in fact, be a part of a system-widepatient safety evaluation system if theychoose to pursue PSO services.However, establishing such arequirement now, when it is unclearwhat types of innovative arrangementsand effective strategies might emerge,

might prove more detrimental thanhelpful.


Comment: One commenter raisedconcerns that paragraph (2) may notinclude Indian tribes that operate orcontract for their own health caresystems under the Indian Self-Determination and EducationAssistance Act (ISDEAA), rather thanrelying upon the Indian Health Service.

Response: Tribal organizationscarrying out self-determination

contracts or compacts under theISDEAA to deliver health care fallsquarely within paragraph (2) of thedefinition of provider because they areorganizations engaged as contractors bythe Federal government to deliverhealth care. Additionally, the workforceof a provider covered under the rule, bydefinition, includes employees,

volunteers, trainees, contractors, andother persons, whether or not paid bythe provider, that perform work underthe direct control of that provider.Federal employees detailed to a tribe orTribal organization carrying out anISDEAA contract would be coveredunder paragraph (2) in the definition of provider, even if they were not part of the Tribal organization’s workforce.Therefore, no change is needed inresponse to this comment.

B. Subpart B—PSO Requirements and Agency Procedures

Proposed Subpart B would have setforth requirements for Patient SafetyOrganizations (PSOs) including thecertification and notificationrequirements that PSOs must meet, theactions that the Secretary may and willtake relating to PSOs, the requirementsthat PSOs must meet for the security of patient safety work product, theprocesses governing correction of PSOdeficiencies, revocation, and voluntaryrelinquishment, and relatedadministrative authorities andimplementation responsibilities. Therequirements of the proposed Subpartwould have applied to entities that seek

to be listed as PSOs, PSOs, theirworkforce, a PSO’s contractors whenthey hold patient safety work product,and the Secretary.

The proposed rule did not require aprovider to contract with a PSO toobtain the protections of the PatientSafety Act; however, we noted that weanticipate that most providers wouldenter into contracts with PSOs whenseeking the confidentiality and privilegeprotections of the statute. We proposedto enable a broad variety of health careproviders to work voluntarily withentities that would be listed as PSOs by

the Secretary based upon theircertifications that, among other things,state that they have the ability andexpertise to carry out the broadlydefined patient safety activities of thePatient Safety Act and, therefore, toserve as consultants to eligible providersto improve patient care. In accordancewith the Patient Safety Act, theproposed rule set out an attestation-

based process to qualify for 3-yearrenewable periods of listing as a PSO.Proposed Subpart B attempted tominimize regulatory burden, while

fostering transparency to enhance theability of providers to assess thestrengths and weaknesses of their choiceof PSOs.

We proposed a security frameworkpertaining to the separation of data andsystems and to security management,control, monitoring, and assessment.Thus, each PSO would address the

framework with standards it determinesappropriate to the size and complexityof its organization. We proposedadditional requirements to ensure that astrong firewall would be maintained

between a component PSO and the restof the organization(s) of which it is apart.

We noted that we expect to offertechnical assistance and encouragetransparency wherever possible topromote implementation, compliance,and correction of deficiencies. At thesame time, this proposed Subpartestablished processes that would permitthe Secretary promptly to revoke aPSO’s certification and remove it fromlisting, if such action proves necessary.

1. Section 3.102—Process andRequirements for Initial and ContinuedListing of PSOs

Proposed Rule: The proposed rule in§ 3.102 addressed the eligibility of, andthe processes and requirements for, anentity seeking a three-year period of listing by the Secretary as a PSO anddescribed the timing and requirementsof notifications that a PSO must submitto the Secretary during its period of listing. The proposed rule described our

intention to minimize barriers to entryfor entities seeking listing and createmaximum transparency to create arobust marketplace for PSO services.The Patient Safety Act set forth limitedprerequisites that must be met to belisted by the Secretary as a PSO, whichthe regulation incorporates. TheDepartment expects that providers will

be the ultimate arbiters of the quality of services that an individual PSOprovides.

Overview of Public Comments: Thefollowing discussion focuses on the

broad comments we received

concerning our overall approach toinitial and continued listing of PSOs.These comments do not address specificprovisions of the proposed rule. Publiccomments that address specificprovisions of §3.102 are addressed inthe individual subsection discussionsthat follow. Questions and situation-specific comments are addressed belowunder the heading of ‘‘Response toOther Public Comments.’’

The Department received generallyfavorable comment on our proposedapproach in this section, which





emphasizes a streamlined certificationprocess, and public release of documentation submitted by PSOswhenever appropriate. There were,however, two broad sets of concernsexpressed about our overall approach.

The first concern related to thepotential number of PSOs that might belisted by the Secretary as a result of the

Department’s proposed ‘‘ease of entry’’approach. These comments focused onthe importance of PSOs being able toaggregate significant amounts of dataacross multiple providers to developmeaningful analyses. Noting that patientsafety events are often rare events, onecommenter noted that in some cases itmay be necessary to aggregate data foran entire state in order to developinsights regarding the underlying causesof such events. Another commenternoted that if every hospital in the stateestablished its own component PSO, thepotential impact of PSO analyses could

be minimal. Because most PSOs will bedependent upon revenue from providerssubmitting data, one commenterworried that too many PSOs could alsoaffect the ability of individual PSOs toobtain adequate funding to performtheir analytic functions and toimplement potentially costly securityrequirements.

These concerns led some commentersto suggest inclusion in the final rule of a limitation on the number of PSOs thatthe Secretary would list. Onecommenter asked whether it would bepossible for the Department to list one

national PSO, noting this could improveefficiency for providers. Anothercommenter suggested listing of 2–4PSOs per state using a competitiveprocess or limiting the number of PSOs

by increasing the number of requiredprovider contracts that each PSO musthave. Most commenters who favoredlimiting the number of listed PSOs didnot suggest a specific approach.

A second broad set of recommendations focused on the needfor periodic or ongoing evaluation of theeffectiveness of PSOs that could belinked to, or be separate from, the

evaluation of certifications forcontinued listing. Some commentersrecommended that the Departmentroutinely collect information from PSOsto evaluate whether the individual andcollective work of PSOs is actuallyreducing medical errors and improvingthe quality of care that is delivered. Onecommenter stressed the importance of establishing in the final ruleexpectations related to PSOperformance and demonstrated resultsand provided draft language forinclusion in the final rule.

Final Rule: The Department has notmodified the approach taken in theproposed rule in response to thesecomments. With respect to limiting thenumber of PSOs that are listed by theSecretary, the statutory language is clearthat any entity, public or private, thatcan meet the stated requirements iseligible for listing by the Secretary.

While the Department understands theconcerns of the commenters that a verylarge number of PSOs could frustrate thestatutory goal of data aggregation acrossmultiple providers, we believe that thisscenario is unlikely for several reasons.

First, a provider does not need toshoulder the financial burden alone tosupport a full-time PSO. Providers enjoythe same protections under the PatientSafety Act when they contract with anindependent PSO or when they create acomponent organization to seek listingas a PSO. A provider that establishes aworking relationship with a PSO can

have a division of labor between theanalyses that its staff undertakes in-house within its patient safetyevaluation system and the tasks itassigns to the PSO. In bothcircumstances, the statutory protectionsapply. Thus, for a provider, establishingits own PSO is an option, not anecessity.

Second, there are important insightsinto patient safety that can only bederived from aggregating data acrossmultiple providers. Given the lowfrequency of some patient safety events,even larger health systems are likely toderive additional benefits from working

with PSOs that have multiple and,potentially, diverse clients.

A final limiting factor is the shortageof personnel who are well-trained orexperienced in the use of themethodologies of patient safetyanalyses. While the marketplace willrespond to the need for the developmentof additional training and certificationprograms, the availability of highly-skilled staff will be a constraining factorinitially. In combination, these threefactors should provide a naturalconstraint on the number of single-provider PSOs.

Regarding the other general set of comments related to the listing process,the Department has considered thesesuggestions and has determined not toincorporate in the final rulerequirements for an ongoing evaluationprocess or the routine collection of datafrom PSOs. PSOs are not a Federalprogram in the traditional sense. Mostsignificantly, they are not Federallyfunded. Their project goals, priorities,and the specific analyses that theyundertake are not Federally directed.The value and impact of an individual

PSO will be determined primarily bythe providers that use its services on anongoing basis.

It is unclear at this point howproviders will choose to use PSOs. Onlywith experience will it become clearwhich analyses a provider will chooseto undertake in its own patient safetyevaluation system and which analyses a

provider will rely upon a PSO toundertake. The mix and balance of activities between a provider’s patientsafety evaluation system and its PSO (orPSOs) will undoubtedly shift over timeas the working relationships betweenproviders and PSOs evolve towardgreater efficiency. Thus, we remainconvinced that providers are in the bestposition to assess the value of a PSOand its ability to contribute toimproving the quality and safety of patient care.


Comment: While contracts are notrequired between PSOs and providers toobtain protections, the Departmentstated that it anticipates most providerswill enter contracts with providers. Inlight of this expectation, one commenterurged the Department to develop andmake available a model contract.

Response: We do not think a modelcontract can be developed easily. Theissues that need to be addressed willvary significantly based upon the natureof the relationship. Therefore, we do notexpect to be developing and releasing amodel contract.

Comment: One commenter suggested

that the final rule should explain howAHRQ will publish the results fromwhich providers and others can evaluatea PSO before entering a contract.

Response: For the reasons discussedabove, AHRQ will not require or releasePSO-specific performance information.

Comment: One commenter suggestedthat AHRQ should ensure that PSOsshould not be able to make commercialgain from the knowledge it derives as aPSO.

Response: The statute permits alltypes of private and public entities toseek listing as a PSO; it does not limit

private entities to not-for-profits. Thefinal rule mirrors that formulation. TheDepartment concludes that the statutedoes not invite us to impose suchrestrictions and expects that providers’decisions will determine theacceptability of for-profit PSOs.

Comment: One commenter suggestedthat providers should only be permittedto submit data to one PSO.

Response: The Patient Safety Act’sframework for PSO-providerrelationships is voluntary from a publicpolicy perspective. In our view, it





would be inconsistent with section922(e)(1)(B) of the Public Health ServiceAct for the Department or any entity touse the authority of law or regulation tolimit or direct provider reporting.

Comment: One commenter suggestedthat the final rule should require PSOsto share aggregated, non-identifiablepatient safety work product with state

regulatory authorities.Response: The Department does not

agree that it is appropriate to place suchan unfunded mandate upon PSOs.

Comment: One commenter stated thatit is a waste of effort and expense tocreate new government entities to workwith providers when currentorganizations can do that just as well.The commenter also asked whetheranyone has estimated the 10-year costs.

Response: As this final rule makesclear, these entities are not governmententities and will not receive Federalfunding. While we expectimplementation will spur thedevelopment of new entities, we alsoexpect that existing entities will be ableto expand their current patient safetyimprovement efforts if they seek listingand are able to offer the confidentialityand privilege protections provided bythe Patient Safety Act. While we havenot done a 10-year cost estimate, ourregulatory impact statement at the endof the preamble projects net savings of $76 to $92 million in 2012, dependingupon whether the net present valuediscount rate is estimated at 7% or 3%.

(A) Section 3.102(a)—Eligibility and

Process for ListingProposed Rule: Section 3.102(a) of theproposed rule would have providedthat, with several exceptions discussed

below, any entity—public or private,for-profit or not-for profit—that canmeet the statutory and regulatoryrequirements may seek initial orcontinued listing by the Secretary as aPSO. The Department proposed toestablish a streamlined certificationprocess for entities seeking initial orcontinued listing that relied uponattestations that the entities metstatutory and regulatory requirements.

To foster informed provider choice,entities were encouraged, but would not be required, to post narratives on theirrespective Web sites that explained howeach entity intended to comply withthese requirements and carry out itsmission.

The proposed rule incorporated astatutory prohibition that precludes ahealth insurance issuer and acomponent of a health insurance issuerfrom becoming a PSO. The Departmentalso proposed to exclude any entity,public or private, that conducts

regulatory oversight of health careproviders, which included organizationsthat accredit or license providers. Weproposed this restriction for consistencywith the statute, which seeks to foster a‘‘culture of safety’’ in which health careproviders are confident that the patientsafety events that they report will beused for learning and improvement, not

oversight, penalties, or punishment. Theproposed rule would permit acomponent organization of such anentity to seek listing as a PSO. To ensurethat providers would know the parentorganizations of such PSOs, weproposed that certifications include thename(s) of its parent organization(s),which the Secretary would release tothe public. We sought comment onwhether we should consider broaderrestrictions on eligibility.

The proposed rule would permit adelisted entity, whether delisted forcause or because of voluntary

relinquishment of its status,subsequently to seek a new listing as aPSO. To ensure that the Secretary would

be able to take into account the historyof such entities, we proposed suchentities submit this information withtheir certifications for listing.

Overview of Public Comments: TheDepartment received generally favorablecomments on our proposal to adopt astreamlined attestation-based approachto initial listing of PSOs. A number of commenters expressed concern aboutour attestation-based approach,however, arguing for a more in-depthassessment to ensure that an entity had

the capability to carry out its statutoryand regulatory responsibilities and meetthe patient safety objectives of thestatute. Some believed that the privatemarketplace is not necessarily well-equipped to judge which organizationscan most effectively meet theserequirements. Arguing that onemisguided or fraudulent organizationcould taint the entire enterprise foryears, a few commenters suggested thatwe require interested organizations atinitial listing to submit documentationof their ability to meet their statutoryand regulatory responsibilities.

Most commenters who urged astronger approach to the evaluation of certifications for listing acknowledgedthe value of an expedited process forinitial listing and instead focused theirrecommendations on the importance of creating a more rigorous process forcontinued listing. A commonrecommendation was to require, inaddition to the proposed certificationsfor continued listing, that a PSO berequired to submit documentation thatdescribed in detail how it is complyingwith the requirements underlying its

certifications and urged the Departmentto arrange for independent review of such documentation, coupled with anaudit process that would ensurecompliance.

The comments we received weresupportive of including a requirementthat entities certify whether there is anyrelevant history regarding delisting

about which the Secretary needs to beaware. Several commenters suggestedthat the entity seeking to be relistedshould be required to include reason(s)for any prior delisting. Anothersuggestion was that the Secretary shouldhave discretion in relisting an entity notto release the names of officials who hadpositions of responsibility in apreviously delisted entity.

The proposed restrictions oneligibility engendered considerablecomment. With respect to the statutoryrestriction on health insurance issuers,concerns and questions were raisedregarding whether the exclusion appliedto self-insured providers or malpracticeliability insurers and whether healthsystems that include a subsidiary that isa health insurance issuer could establisha component PSO.

We received a significant level of comment regarding our proposedrestriction on listing of regulatoryoversight bodies. While the majority of commenters supported the proposedexclusion, some commenters took issuewith various aspects of our proposal.

Commenters engaged in accreditationactivities generally criticized ourcharacterization of these activities as

regulatory. They pointed out that theproposed rule did not take into accountthe distinction between voluntary andmandatory accreditation and, in theirview, most accreditation was voluntary.They also noted that accreditationactivities were initially developed toensure the quality and safety of patientcare and that accreditation entities,unlike licensure agencies, have greaterdiscretion in addressing any problemsthat they identify with a provider’soperations in a non-punitive way. Forthese commenters, accreditationactivities were not inconsistent with

fostering a ‘‘culture of safety.’’ Bycontrast, most provider commentssupported the exclusion, and singledout accreditation entities as warrantingexclusion.

State health departments and state-created entities expressed concern aboutan outright prohibition on their beinglisted as PSOs, noting that theprohibition could disrupt effectivepatient safety initiatives now underway.A number of specific state-sanctionedpatient safety initiatives were describedin their submissions. Commenters





pointed to the fact that state healthdepartments have both regulatory andnon-regulatory elements to theirauthority, have routinely demonstratedthat they can effectively keep theseelements separate, and thus, they sawno reason for the Department to doubtthat state agencies could continue to doso effectively if they were permitted to

operate PSOs.Other commenters suggested

extending the prohibition to other typesof entities (such as purchasers of healthcare or agents of regulatory entities) andraised questions regarding the scope of the exclusion.

We received a significant number of comments in response to a specificquestion raised in the proposed rulewhether the exclusion of regulatoryentities should be extended tocomponents of such organizations.Commenters that supported extension of the prohibition generally argued that thefirewalls that the statute requires acomponent PSO to maintain betweenitself and its parent organization(s)could be circumvented, that theflexibility in the proposed rule to enablea component PSO to draw upon theexpertise of its parent organization(s)would be inappropriate in this situation,and there was a significant possibilitythat such a parent organization coulduse its position of authority to attemptto coerce providers into reportingpatient safety work product to itscomponent PSO.

A majority of commenters, however,opposed expanding the exclusion to

components of such regulatoryorganizations. They contend that thestatutorily required separations betweena component PSO and its parentorganization(s) would provide adequateprotection against improper access andadverse use of confidential patientsafety work product by the excludedentities with which such a componentPSO is affiliated. A number of commenters noted that an expansion of the exclusion to components of suchentities would have unintendedconsequences. For example, anincreasing number of medical specialty

societies operate, or are in the processof developing, accreditation programsfor their members in response togrowing public and private sectorpressure for quality improvement. Theseorganizations see the creation of specialty-specific component PSOs asan important complement to their otherquality improvement activities.Similarly, some commenters contendthat widespread patient safetyimprovements require coordination andcommunication across the public andprivate sectors. These commenters

argued that a broader exclusion could both disrupt existing, effective publicsector patient safety initiatives andpreclude opportunities for the publicsector to play a meaningful role.

Many commenters that opposedextending the exclusion to componentorganizations nevertheless suggestedadditional restrictions to strengthen the

separation of activities betweencomponent PSOs and these types of parent organizations. Their suggestionsare discussed below with respect to§ 3.102(c).

Final Rule: The Departmentconsidered whether to modify theattestation process either for initial orcontinued listing of PSOs or both butultimately concluded that streamlinedattestations should be retained for both.Given the voluntary, unfunded nature of this initiative and the centrality of theclient-consultant paradigm of provider-PSO relationships, an approach thatrequires documentation and routineaudits is likely to be costly and

burdensome, both to entities seekinglisting and the Department. Moreimportantly, such an approach isunlikely to achieve its intendedobjective, for the reasons discussed

below.There are limitations of a

documentation approach to ensuring thecapabilities and compliance of PSOswith the requirements for listing, andsuch an approach is unlikely to yieldthe types of information that providerswill need in selecting a PSO. Consider,for example, two of these requirements:

the criterion that requires that a PSOhave qualified staff, including licensedor certified medical professionals, andthe patient safety activity that requiresthe provision of feedback to participantsin a (provider’s) patient safetyevaluation system. Documentation,through submission of resumes orsummaries of the credentials of professional staff, can demonstrate thatthe PSO meets the statutoryrequirement. What each provider reallyneeds to assess, however, is whether theskill sets of the professional staff employed by or under contract to the

PSO are an appropriate match for thespecific tasks that led the provider toseek a PSO’s assistance. Dependingupon the analytic tasks, a provider mayneed expertise that is setting-specific,e.g., nursing homes versus acute caresettings, technology-specific, specialty-specific, or, may require expertiseoutside the traditional scope of healthcare. Thus, there is not a single templateagainst which the expertise of a PSO’sprofessional staff can be judged. Inaddition, we anticipate that PSOsseeking additional clients (providers)

will post on their websites, or otherwiseadvertise, the names and qualificationsof their top staff experts andconsultants. Their Web site locationswill be on the AHRQ PSO Web site.

Similarly, documentation candemonstrate that a PSO has providedfeedback to participants in a provider’spatient safety evaluation system and

thereby met the statutory requirement.But the most relevant questions arewhether the feedback reflected a validanalysis of the provider’s patient safetywork product and existing scientificknowledge, and whether the feedbackwas framed in ways that made itunderstandable, ‘‘actionable,’’ andappropriate to the nature of theprovider’s operation. The answers tothese questions cannot be assessed bythe Department readily through thelisting process.

As a result, in many cases, theprovider-client, rather than theDepartment, will be better able todetermine whether the outcomes of aPSO’s conduct of patient safetyactivities meet its needs in a meaningfulway. The Department believes thatproviders, especially institutionalproviders, will have access to theexpertise to make them especiallysophisticated customers for PSOservices. Providers are likely to assessvery carefully the capabilities of a PSOand will be in a position to requestappropriate documentation, if necessary, to assess a PSO’s ability tomeet their specific requirements.Therefore, the Department does not see

a compelling public policy rationale forsubstituting its judgment for that of aprovider. Providers can demandreferences and evidence of relevantaccomplishments, and effectivelyevaluate the adequacy and suitability of a PSO’s expertise and experience. Insummary, a listing process that imposesdocumentation and audit requirementson each PSO will impose a significant

burden on all parties, but yield onlymarginally useful information toprospective clients.

Accordingly, we believe the approachoutlined in the proposed rule offers a

more efficient and effective approach.The approach does include authority forspot-checking compliance outlined in§ 3.110, responding to complaints orconcerns, and enabling the Secretary, inmaking listing decisions (see §3.104(b)),to take into consideration the history of an entity and its key officials and seniormanagers. This approach will be

buttressed with a program of technicalassistance for PSOs administered byAHRQ. In addition, the final ruleincorporates a new expedited revocationprocess that can be used when the





Secretary determines that there would be serious adverse consequences if aPSO were to remain listed. Falsestatements contained in a PSO’ssubmitted certifications can result in aloss of listing or other possible penaltiesunder other laws.

For convenience and clarity, we haverestructured §3.102(a)(1) to provide a

unified list of the certifications andinformation that an entity must submitfor listing as a PSO. Sections3.102(a)(1)(i) through 3.102(a)(1)(vii) setforth and cross-reference therequirements of the final rule. Two of these requirements are new. Section3.102(a)(1)(iv) cross-references theadditional requirements in§ 3.102(c)(1)(ii) that components of entities that are excluded from listingmust meet in order for such componentsto be listed. Section 3.102(a)(1)(v)incorporates our proposal, for whichcomments were supportive, to require

disclosure to the Secretary if the entityseeking listing (under its current nameor another) has ever been denied listingor delisted or if the officials or seniormanagers of the entity now seekinglisting have held comparable positionsin a PSO that the Secretary delisted orrefused to list.

We have not adoptedrecommendations that we requireexplanations for the historical situationsencompassed by §3.102(a)(1)(v).Instead, we require that the name(s) of any delisted PSO or of any entity thatwas denied listing be included with thecertifications. The Department can then

search its records for backgroundinformation. In response to concernsregarding public disclosure of the namesof the officials or senior managers thatwould trigger the notificationrequirement, we do not requiresubmission of the names of theindividuals with the certifications. Withrespect to the workforce of the entity,we note that we have narrowed therequirement in two ways. First, we havenarrowed the focus from ‘‘any’’employee to officials and seniormanagers. Second, the requirement todisclose only applies when officials or

senior managers of the entity seekinglisting also held comparable positions of responsibility in the entity that wasdelisted or refused listing.

Restructured §3.102(a)(2) retains thestatutory exclusion from listing of health insurance issuers andcomponents of health insurance issuersin subparagraph (i). For greater clarity,we have restated the exclusion to reflectthe rule’s definition of component so itnow references: a health insuranceissuer; a unit or division of a healthinsurance issuer; or an entity that is

owned, managed, or controlled by ahealth insurance issuer. Newsubparagraph (ii) modifies and restatesthe exclusion from listing of any entitythat: (1) Accredits or licenses healthcare providers; (2) oversees or enforcesstatutory or regulatory requirementsgoverning the delivery of health careservices; (3) acts as an agent of a

regulatory entity by assisting in theconduct of that entity’s oversight orenforcement responsibilities vis-a-visthe delivery of health care services; or(4) operates a Federal, State, local orTribal patient safety reporting system towhich health care providers (other thanmembers of the entity’s workforce orhealth care providers holding privilegeswith the entity) are required to reportinformation by law or regulation.

In reviewing the comments on theproposed regulatory exclusion, we didnot find the arguments for narrowingthe prohibition compelling. Almost

every provider group expressed concernregarding the possible operation of PSOs

by entities that accredit or licenseproviders as well as possible operationof PSOs by regulatory entities. We sharetheir concerns that entities with thepotential to compel or penalize provider

behavior cannot create the ‘‘culture of safety’’ (which emphasizescommunication and cooperation ratherthan a culture of blame andpunishment) that is envisioned by thestatute.

We also concluded that it is difficultto draw a ‘‘bright-line’’ distinction

between voluntary and mandatoryaccreditation as several of thecommenters from accreditationorganizations proposed. While mostaccreditation is technically voluntaryfrom the standpoint of manyaccreditation entities, its mandatoryaspect generally derives fromrequirements established by, or its use

by, other entities such as payers. Thus,if we were to incorporate such adistinction that permitted the listing of organizations that provide voluntaryaccreditation today, its voluntary naturecould disappear over time if other

organizations mandated use of itsaccreditation services. Thus, a listedPSO might need to be delisted at somepoint in the future solely because of theactions of a third party mandating thatorganization’s accreditation as arequirement. Therefore, we haveretained the prohibition onaccreditation and licensure entities andhave not incorporated any distinctionsregarding voluntary versus mandatoryaccreditation in the final rule. We havereformulated the exclusion and nolonger include accreditation or licensure

activities as examples of regulatoryactivities.

Similarly, we have retained the broadexclusion from listing of regulatoryentities, by which we mean public orprivate entities that oversee or enforcestatutory or regulatory requirementsgoverning the delivery of health careservices. Their defining characteristic is

that these entities have the authority todiscipline institutional or individualproviders for the failure to comply withstatutory or regulatory requirements, bywithholding, limiting, or revokingauthority to deliver health care services,

by denying payment for such services,or through fines or other sanctions.

We consider entities with a mix of regulatory and non-regulatory authorityand activities also to be appropriatelyexcluded from being listed. Weacknowledge that health departmentsand other entities with regulatoryauthority may undertake a mix of regulatory and non-regulatory functions.It may also be true, as several commentsreflected, that state health departmentshave experience, and a track record, formaintaining information separately andsecurely from the regulatory portions of their operations when necessary.However, we note that the final ruleretains the proposed approach not toregulate uses of patient safety workproduct within a PSO. However, thefinal rule retains the ability of a statehealth department to establish acomponent organization that could seeklisting as a PSO, subject to theadditional restrictions discussed in

§ 3.102(c) below. The benefit of thisapproach is that providers will have thereassurance that the penalties under thePatient Safety Act and the final rule willapply to any impermissible disclosuresof patient safety work product fromsuch a PSO to the rest of the state healthdepartment.

We have not included the proposal of several commenters to excludepurchasers of health care from becomingPSOs. Commenters did not suggest acompelling public policy case for theexclusion of any particular type of purchasers. Given the vagueness and

potential scope of such a prohibition,the potential for unintendedconsequences is simply too great towarrant its inclusion. For example,health care institutions in their role asemployers can also be consideredpurchasers of health care.

We have incorporated two additionalexclusions. First, based uponrecommendation from commenters, weexclude from listing entities that serveas the agents of a regulatory entity, e.g.

by conducting site visits orinvestigations for the regulatory entity.





While we understand that such agentsgenerally do not take action directlyagainst providers, their findings orrecommendations serve as the basis forpotential punitive actions againstproviders. As a result, we believe thatthe rationale we outlined in theproposed rule regarding the exclusion of regulatory bodies is also applicable to

agents of regulatory entities helping tocarry out these regulatory functions.

Second, as we considered commentsseeking clarification on the eligibility of entities that operate certain mandatoryor voluntary patient safety reportingsystems to seek listing as PSOs, weconcluded that mandatory systems, towhich some or all health care providersare required by law or regulation toreport patient safety information to adesignated entity, were inconsistentwith the voluntary nature of theactivities which the Patient Safety Actsought to foster. However, this

exclusion does not apply to mandatoryreporting systems operated by Federal,State, local or Tribal entities if thereporting requirements only affect theirown workforce as defined in §3.20 andhealth care providers holding privilegeswith the entity. The exception isintended to apply to Federal, State, localor Tribal health care facilities in whichthe reporting requirement applies onlyto its workforce and health careproviders holding privileges with thefacility or health care system. Thisexception ensures that, with respect toeligibility for listing as a PSO, entitiesthat administer an internal patient

safety reporting system within a publicor private section health care facility orhealth care system are treatedcomparably under the rule and would

be eligible to seek listing as a PSO.The final rule retains the ability of

components of the four categories of excluded entities in § 3.102(a)(2)(ii) toseek listing as a component PSO. Aftercareful review, the Departmentconcluded that there was a significantdegree of congruence in the concernsexpressed by both proponents andopponents of extending the exclusion tosuch components. The opponents of

extending the exclusion routinelysuggested that the Department addresstheir core concerns by adoptingadditional protections, rather than the

blunt tool of a broader exclusion. Wehave adopted this approach, and wehave incorporated in §3.102(c)additional requirements and limitationsfor components of excluded entities.

In addition, we have incorporated anew requirement in §3.102(a)(3) thatsubmissions for continued listing must

be received by the Secretary no laterthan 75 days before the expiration of a

PSO’s three-year period of listing. Thisrequirement derives from our concernfor protecting providers if a PSO decidesnot to seek continued listing and simplylets its certifications expire at the end of a three-year period of listing. Topreclude an inadvertent lapse, theproposed rule included a provision tosend PSOs a notice of imminent

expiration shortly before the end of itsperiod of listing and sought comment onposting that notice publicly so thatproviders reporting patient safety workproduct could take appropriate action.Section 3.104(e)(2) states that theSecretary will send a notice of imminentexpiration to a PSO at least 60 days

before its last day of listing if certifications for continued listing havenot been received. However, the failureof the Secretary to send this notice doesnot relieve the PSO of itsresponsibilities regarding continuedlisting. The requirement to submit

certifications 75 days in advance isintended to ensure that such a notice isnot sent or publicly posted until afterthe submissions are expected by theDepartment.


Comment: One commenter urged theSecretary not to require organizations tohave specific infrastructure andtechnology in place before they could belisted.

Response: The Department has notproposed any specific infrastructure ortechnology requirements. However, thestatute and the final rule require a PSO

at initial listing to certify that it haspolicies and procedures in place toensure the security of patient safetywork product. The final rule requiresthat those policies and procedures beconsistent with the frameworkestablished by §3.106. The Departmentinterprets the statute to require a listedPSO to be able to provide security forpatient safety work product during itsentire period of listing, which includesits first day of listing.

Comment: Two commenters agreedthat PSOs should be encouraged, but notrequired, to post on their Web sites

narrative statements regarding theircapabilities.Response: The Department continues

to encourage PSOs to develop and postsuch narrative statements.

Comment: One commenter suggestedthat the listing process should includean opportunity for the Secretary toreceive public comment before makinga listing decision, especially in the caseof continued listing, when providersmay want to share their experienceswith the Secretary regarding a specificPSO.

Response: While we expect customersatisfaction evaluations of PSOs willdevelop naturally in the private sector,the Department has not incorporatedthis recommendation in the listingprocess. If a provider or any individual

believes that a PSO’s performance is notin compliance with the requirements of the rule, this concern can be

communicated to AHRQ at any time.Improper disclosures may also bereported to the Office for Civil Rights inaccordance with Subpart D.Incorporation of a public consultationprocess poses a number of implementation issues. For example, itcould potentially delay a time sensitiveSecretarial determination regardingcontinued listing (which must be made

before expiration of a PSO’s currentperiod of listing) and could require theDepartment to assess the validity of each specific complaint, e.g., the extentto which dissatisfaction with an

analysis reflects the competence withwhich it was performed or a lack of precision in the assignment to the PSO.

Comment: One commenter suggestedthat state-sanctioned patient safetyorganizations should be deemed to meetthe requirements for listing.

Response: The Department does not believe that the Patient Safety Act givesthe Secretary authority to delegatelisting decisions to states. Moreover, thestatute establishes the requirements thatan entity must meet for listing as a PSO;automatically deeming state-sanctionedorganizations to be PSOs wouldinappropriately override federal

statutory requirements and mandate theSecretary to list PSOs that may not bein compliance with all the statutoryrequirements. Accordingly, the finalrule does not include such a provision.

Comment: Several commenters askedif the exclusion on health insuranceissuers precludes a self-insured entityfrom seeking listing.

Response: The Department hasexamined this issue and concluded thatthe exclusion of health insuranceissuers does not apply to self-insuredorganizations that provide health benefitplans to their employees. The statutory

exclusion contained in section924(b)(1)(D) of the Public Health ServiceAct incorporates by reference thedefinition of health insurance issuer insection 2971 of the Public HealthService Act and that definitionexplicitly excludes health benefit plansthat a health care provider organizationoffers to its employees.

Comment: Several commentersinquired whether organizations thatprovide professional liability insurancecoverage (also referred to as medicalliability insurance or malpractice





liability insurance) for health careproviders are covered by the healthinsurance issuer exclusion. Thecommenters uniformly argued that theexclusion should not apply. Severalcommenters noted their intent to havetheir ‘‘captive’’ liability insurer seeklisting as a PSO. Another commentersought assurances that if a captive

liability insurer sought listing as a PSO,the PSO would not be considered acomponent of the providerorganizations that owned the liabilityinsurer.

Response: The Department notes thatthere is some ambiguity in the statutorylanguage but concludes that the healthinsurance issuer exclusion does notapply to such organizations.

While the health insurance issuerexclusion does not apply, theDepartment notes that the statute andthe final rule require that an entityseeking listing must attest that itsmission and primary activity is theimprovement of patient safety. That testis readily met when an organization,such as a captive liability insurer,creates a component organization sincethe creation of a distinct new entity can

be established in a manner that clearlyaddresses and meets the ‘‘primaryactivity’’ criterion. The Department hasthe authority to review all applications,including those from organizations withmultiple activities, and to look behindthe attestations to determine whetherthe applicant meets the ‘‘primaryactivity’’ criterion.

We note that a captive entity meets

the definition of a componentorganization in this rule. Therefore, if the captive organization is eligible forlisting because it meets the ‘‘primaryactivity’’ criterion, it must seek listing asa component organization and clearlywould be subject to the requirements oncomponent PSOs. If the captiveorganization does not meet the primaryactivity criterion for listing, it is free tocreate a component organization to seeklisting. Once again, however, theadditional requirements for acomponent PSO apply.

Comment: Several commenters asked

whether the health insurance issuerexclusion prevents a health system thathas subsidiaries that include providersand a health insurance issuer, fromestablishing a component organizationto seek listing as a PSO.

Response: As described by severalcommenters, the PSO and the healthinsurance issuer would be affiliates in a‘‘brother-sister’’ relationship within theparent organization. As long as thehealth insurance issuer does not havethe authority to control or manage thePSO, the health system is not precluded

from having both a health insuranceissuer subsidiary and a component PSO.

Comment: Several commenters raisedquestions from different perspectivesregarding situations in which providersmight be required to report data to aPSO. Some commenters suggested thatthe final rule should prohibit a facilityor health care delivery system from

requiring individual clinicians (who areemployed, under contract, or haveprivileges at the facility or within thesystem) to report data to a specific PSO.Others raised questions regarding theeligibility for listing of existing Federal,state, local or Tribal patient safetyreporting systems that are administered

by an entity without regulatoryauthority.

Response: While the Patient SafetyAct does not require any provider toreport data to a PSO, the statute is silenton whether others (such as institutionalproviders or other public entities) canimpose such requirements on providers.The Department makes a distinction

based upon the source of reportingrequirements and the extent to whichthe requirement can be viewed asconsistent with the statutory goal of fostering a ‘‘culture of safety.’’ Thus, theDepartment has declined to include inthe final rule any restriction on theability of a multi-facility health caresystem to require its facilities to reportto a designated PSO or of a providerpractice, facility, or health care systemto require reporting data to a designatedPSO by those providing health careservices under its aegis, whether as

employees, contractors, or providerswho have been granted privileges topractice. A patient safety eventreporting requirement as a condition of employment or practice can beconsistent with the statutory goal of encouraging institutional ororganizational providers to develop aprotected confidential sphere forexamination of patient safety issues.While an employer may require itsproviders to make reports through itspatient safety evaluation system, section922(e)(1)(B) prohibits an employer fromtaking an adverse employment action

against an individual based upon theindividual’s reporting information ingood faith directly to a PSO.

By contrast, the Department viewsmandatory reporting requirements thatare applicable to providers that are notworkforce members and that are basedin law or regulation, regardless of whether the specific data collected bythese systems is anonymous oridentifiable, as incompatible with theintent of the Patient Safety Act to fostervoluntary patient safety reportingactivities. In these situations, provider

failure to make legally required reportscan potentially result in a loss of individual or institutional licensure andthe ability to practice or deliver healthcare services. Accordingly, we haveadded to the list of entities excludedfrom listing in § 3.102(b)(2)(ii) entitiesthat administer such mandatory patientsafety reporting systems.

A voluntary Federal, state, local, orTribal patient safety reporting systemcan seek listing as a PSO. This meansthat the entity administering thereporting system does not have statutoryor regulatory authority to requireproviders to submit data to theadministering organization, and thatorganization is not required by statute orregulation to make the collectedidentifiable data available in ways thatwould be incompatible with thelimitations on disclosure discussed inSubpart C.

Comment: Two commentersaddressed the issue of whether QualityImprovement Organizations (QIOs),which are organizations that havecontracts with Medicare and often withother payers or purchasers to reviewcompliance with regulatory orcontractual requirements and makereports that may adversely impactproviders financially, can seek listing asPSOs.

Response: QIOs are precluded fromseeking listing as PSOs. The final ruleprecludes agents of a regulatory entityfrom seeking listing and QIOs serve asagents of Medicare. Some QIOs alsoserve in similar capacities as agents of

state regulatory bodies. As noted above,an agent of a regulator may create acomponent organization that would beeligible to seek listing as a PSO,provided such a componentorganization meets the additionalrequirements of §3.102(c)(1)(ii).

Comment: Several commenters askedif the proposed exclusions of entitiesapplied to State Boards of Health,programs offering providerscertifications, and physician specialty

boards.Response: With respect to State

Boards of Health, there are two issues

regarding their potential ineligibility for becoming PSOs. The first, raised by thecommenter, is whether these boards can

be considered regulatory entities and inmost cases they would be. While StateBoards of Health provide leadership andpolicy coordination for state healthpolicies, they generally have the powerto oversee, enforce or administerregulations governing the delivery of health care services and would,therefore, be ineligible to be listed as aPSO. The second issue is whether sucha board with its multiple





and use of evidence from existingreporting systems. The process weoutlined for private sector consultationwas viewed positively. We receivedseveral comments andrecommendations related to this processthat were outside the scope of the ruleand, therefore, are not addressed below.

Final Rule: For convenience and

clarity, we have modified the text in thefinal rule to separate initial andcontinued listing within §3.102(b)(1),which states the required certificationsfor the eight patient safety activities andwithin §3.102(b)(2), which states therequired certifications for the seven PSOcriteria. This modification does notreflect a substantive change.

We have incorporated in§ 3.102(b)(1)(B) of the final rule oneadditional requirement, posed as aquestion in the proposed rule andstrongly supported by commenters, thata PSO must inform the provider fromwhich it received patient safety workproduct if the work product submitted

by that provider is inappropriatelydisclosed or its security is breached.The Department recognizes that incertain cases a PSO may not know theidentity of the provider that submittedpatient safety work product, e.g.,anonymous submissions, or it might not

be possible to contact the provider, e.g.,if the provider has gone out of businessor retired. In these cases, theDepartment would expect the PSO to beable to demonstrate, if selected for a‘‘spot check,’’ that it made a good faitheffort to reach every provider that

submitted the work product subject toan inappropriate disclosure or a security

breach. We also note that thisrequirement only requires the PSO tocontact the provider that submitted theinformation; the PSO is not expected tocontact providers or others whosenames are included in the patient safetywork product. As a business associate of a provider covered by the HIPAAPrivacy Rule, the PSO must abide by its

business associate contract with thatprovider, obligating it to notify theprovider if it becomes aware of animpermissible disclosure of protected

health information. See 45 CFR164.504(e)(2)(ii)(C). Once the PSO hasinformed the provider of theimpermissible disclosure, the HIPAAPrivacy Rule requires the provider tomitigate the harmful effects of animpermissible disclosure. See 45 CFR164.530(f).

We have also incorporated in§ 3.102(b)(2)(i)(C) a minor modificationin the text of the criterion relating to therequired two contracts. The text in theproposed rule stated that a PSO ‘‘musthave entered into two bona fide

contracts’’ with different providers; wehave deleted the words ‘‘entered into.’’Our intent in the proposed rule text wasto encourage PSOs to enter long-termcontracts with providers by enabling amulti-year contract to be countedtoward the two contract minimum ineach of the 24-month periods duringwhich the contract was in effect. By

deleting the words ‘‘entered into,’’ thetext of the final rule more clearlyreflects our original intent.

We also provide clarification here,which we did not consider necessary toinclude in the rule text, regarding theobligations of a PSO. The certificationsfor initial listing regarding patient safetyactivities track the statute and require aPSO to have policies and procedures inplace to perform patient safetyactivities. At continued listing, PSOswill be expected to have performed alleight patient safety activities. Some of the required patient safety activities

must be performed at all times, such asutilizing qualified staff, having effectivepolicies and systems to protect thesecurity and confidentiality of patientsafety work product when the PSOreceives work product, undertakingefforts to improve the quality and safetyof patient care, and developing anddisseminating information to improvepatient safety. Other required patientsafety activities can only be performedwhen the PSO is working with aprovider (such as providing feedback toparticipants in a patient safetyevaluation system) and receiving patientsafety work product from providers

(such as utilization of patient safetywork product to develop a culture of safety).

The Department recognizes that, forany given contractual arrangement,providers, not PSOs, will determine thetasks PSOs undertake and for whichthey will be compensated. Therefore,our approach to assessing compliancewill be as follows. If subject to a spotcheck for compliance, a PSO must beable to demonstrate that it hasperformed all eight patient safety workproducts at some point during its three-year period of listing. However, we will

expect a PSO to demonstrate that itperforms throughout its period of listingthe patient safety activities that are notdependent upon a relationship with aprovider or receipt of patient safetywork product. We will expectcompliance with the other patient safetyactivities consistent with the contractsor agreements that the PSO has withproviders. A component PSO that isestablished by a health care provider,and for which the parent-providerorganization is a primary client, wouldnot be dependent on external contracts

and would be expected to be incompliance with all eight patient safetyactivities during its entire period of listing.

In response to commenters whosought clarification on what is meant bycompliance with the two-contractrequirement, we reaffirm that thestatutory requirement is clear. There

must be two written contracts; a singlecontract with multiple providers canonly be counted as one contract. Weinterpret the requirement that thecontracts must be with ‘‘different’’providers straight-forwardly. The onlyrequirement is that the bona fidecontracts must be with individuals orinstitutions that are providers as definedin the rule. We have imposed no otherrequirements; the contracts can be withan institutional provider and anindividual clinician, or with twoentities within the same or differentsystem(s).

After careful consideration of thecomments we received, the Departmenthas concluded that we will notincorporate an interpretation of the term‘‘each for a reasonable period of time’’regarding the required contracts. As wenoted in the proposed rule, our intent inproposing to interpret the language wasto give providers increased certaintythat the listing of the PSO to which theyare reporting data could not bechallenged on the basis that its requiredcontracts were not for a reasonableperiod of time. However, the providercommunity opposed interpreting theprovision, fearing that it would limit

their ability to customize contracts tomeet their analytic needs and urged theDepartment to rely upon themarketplace to interpret thisrequirement. With no empirical basis forchoosing one standard or one timeframe over another, and given theinability to anticipate what types of contractual relationships will evolveunder the final rule, the Departmentconcluded that incorporating a standardat this time could have unintendednegative consequences and has chosennot to do so. As a result, a PSO will berequired to have two contracts in effect

at some point during each 24-monthreporting period established by thestatute but the contracts are not requiredto cover a specific or minimum timeperiod and they are not required to bein effect at the same time.

While we received overwhelminglyfavorable support for requiringcompliance with the Secretary’sguidance on common definitions andreporting formats (common formats) forthe collection of patient safety workproduct, we recognize that theDepartment’s efforts to develop





at least before submitting certificationsfor listing. Another example posed by acommenter—an entity that providesgeneral health education to providers—would appear to require furtherdiscussion. As presented, general healtheducation would appear to have a linkto, but an inadequate emphasis on, theanalytic focus of a PSO’s mandatory

patient safety and quality improvementactivities. The health education entitycan certainly avail itself of the option toestablish a component organization toseek listing.

Comment: One commenter askedwhat is meant by the concept of carryingout patient safety activities. Does thismean that patient safety activities must

be performed and, if so, when?Response: We note that this obligation

rests with a PSO, not providers. Therequirement means that a PSO mustperform all eight patient safety activitiesduring its period of listing. We clarify

how the Department will assess PSOcompliance with this requirement in thediscussion of the final rule above.

Comment: One commenter asked if aPSO could meet the minimum contractrequirement by entering a contract witha 50-hospital system and oneindependent practitioner (either with aphysician or nurse practitioner).

Response: To meet the requirement, aPSO must have at least two contractswith different providers. In this case, acontract with a solo health carepractitioner (such as a physician or anurse practitioner) would meet therequirement for the second contract.

Comment: One commenter asked if acontract between the parent of a healthsystem and a PSO is tantamount toentering a contract with each providerthat comprises the health system.

Response: Such an arrangement doesnot meet the requirement; therequirement focuses on the number of contracts, not the number of providersthat are involved with any contract. Therule, based on the terms of section924(b)(1)(C) of the Public Health ServiceAct, requires two contracts.

Comment: Can providers within thesame system count as different

providers for meeting the minimumcontract requirement?Response: The answer to this question

is yes if the PSO has separate contractswith at least two different providers.Whether the providers have a commonorganizational affiliation is not relevant.The only requirements are that theindividuals or facilities must beproviders as defined in § 3.20 of the ruleand that there are at least two contractswith different providers. Once again, thefocus of the requirement is the numberof contracts.

Comment: A commenter asked if theestablishment of a ‘‘relationship’’ with aprovider is sufficient to meet theminimum contract requirement.

Response: No. The rule requires two bona fide contracts, as defined insection 3.20, meeting the requirementsof the rule.

Comment: One commenter expressed

concern about the ability of his agencyto meet the minimum contractrequirement. His agency administers apublic patient safety reporting system towhich hospitals are required to report

by state law. His concern was that thehospitals might see no need to entercontracts with his agency if it werelisted as a PSO.

Response: The modifications to thefinal rule in § 3.102(a)(2)(ii) preclude anentity that manages or operates amandatory patient safety reportingsystem from seeking listing as a PSO.

Comment: One commenter urged that

the final rule not marginalize Statemandatory reporting systems throughthe separation of provider reporting toPSOs. The commenter recommendedthat the final rule permit States to

become listed as PSOs or enter intocollaborative arrangements with PSOs toshare data and staff.

Response: While we believe that anentity that operates a Federal, state,local, or Tribal mandatory patient safetyreporting system should not be listed asa PSO, the rule does permit acomponent of such an entity to seeklisting. A PSO that is a component of an

excluded entity is prohibited fromsharing staff with the excluded entityand has limitations on its ability tocontract with such a parent organization(see §3.102(c)(4)). However, thecomponent PSO could enter into sometypes of limited collaboration with anexcluded entity. For example, a PSOmay accept additional data from anexcluded entity for inclusion in itsanalyses with the understanding thatthe PSO may only share its findingspursuant to one of the permissibledisclosures in Subpart C, e.g., if thefindings are made non-identifiable. Inaddition, other PSOs similarly mayshare their nonidentifiable findings withmandatory state patient safety reportingsystems and to the extent permitted bystate law the state systems might givedata to completely separate PSOs foranalysis and reports in nonidentifiableterms.

Comment: Several commenterssuggested that excluded entities might

become members of a PSO as long asthey were not vertically linked to thePSO, although they did not explainwhat they meant by the term, members.

Response: It is not clear what thecommenters mean by a ‘‘member’’ of aPSO in this context. To the extent thatthe comments are referring to a possiblejoint venture that creates a PSO, thereare few productive roles that anexcluded entity could play. Suchexcluded entities could not have orexercise any level of control over the

activities or operation of a PSO. Thus,they could not have access to patientsafety work product. As a result, thepotential for involvement of anexcluded entity with a PSO would bevery limited.

We note, however, that a componentof an entity excluded by § 3.102(a)(2)(ii)can seek listing. These types of component organizations must meetadditional requirements set forth in§ 3.102(c)(1).

Comment: One commenter requestedclarification regarding the required

patient safety activity to providefeedback and assistance to providers toeffectively minimize patient risk.

Response: We recognize that theperformance of some patient safetyactivities will be dependent upon aPSO’s arrangements with its clients. Aswe noted in our discussion of the finalrule, we will interpret a PSO to be incompliance with this requirement if thefeedback and assistance is performed atsome point during the PSO’s period of listing.

Comment: Two commenters pointedto the importance of the use of

contracted staff to enable a PSO to carryout its duties, especially in rural or lowpopulation density areas. In suchcircumstances, a PSO needs to drawupon competencies and skills as neededand asked that we clarify that suchcontractors, whether paid or volunteer,could enable a PSO to meet thequalified staff requirement.

Response: The Department assumesthat many PSOs, especially componentPSOs, will use a mix of full-timepersonnel and individuals from whomthey seek services as needed, whetherpaid or on a volunteer or shared basis.That is why we have incorporated a

broad definition of ‘‘workforce’’ in therule that encompasses employees,volunteers, trainees, contractors, andother persons whether or not they arepaid by the PSO. As defined in this rule,workforce refers to persons whoseperformance of activities for the PSO isunder the direct control of the PSO. Inaddition, however, a PSO is free to entercontracts for specific or specializedservices, subject to other requirementsof the rule.





(C) Section 3.102(c)—AdditionalCertifications Required of ComponentOrganizations

Proposed Rule: Along with the 15requirements under subsection (b) thatall PSOs would have to meet, §3.102(c)of the proposed rule would require anentity that is a component of anotherorganization to make three additionalcertifications regarding: (1) The securemaintenance of patient safety workproduct separate from the rest of theorganization(s) of which it is a part; (2)the avoidance of unauthorizeddisclosures of patient safety workproduct to the rest of the organization(s)of which it is a part; and (3) the missionof the component organization notcreating a conflict of interest with therest of the organization(s) of which it isa part.

We proposed two additionalrequirements that would interpret thesestatutory provisions: (1) A component

PSO could not have a sharedinformation system with the rest of theorganization(s) of which it is a part; and(2) the workforce of the component PSOcould not engage in work for the rest of the organization(s) if such work could

be informed or influenced by theindividual’s knowledge of identifiablepatient safety work product (except if the work for the rest of the organizationis solely the provision of patient care).The proposed rule did not propose aninterpretation, but sought publiccomment, on the requirement that acomponent organization not create a

conflict of interest with the rest of theorganization(s) of which it is a part.

We proposed, and sought commenton, a limited option for a componentPSO to take advantage of the expertiseof the rest of its parent organization(s)to assist the PSO in carrying out patientsafety activities. Under this proposal, acomponent PSO could enter into awritten agreement with individuals orunits of the rest of the organizationinvolving the use of patient safety workproduct, subject to specifiedrequirements.

Overview of Public Comments:

Numerous commenters stronglydisagreed with the Department’sproposal that PSOs must maintainseparate information systems. Thesecommenters argued that it wouldimpose a tremendous financial andadministrative burden to establishseparate information systems. A numberof commenters suggested alternativeapproaches that could achieve the samegoal. For example, one commenterrecommended that HHS adopt a non-directive concept of functionalseparation and require PSOs to submit

with their certifications for listing adescription of how they intend to meetthe requirement for technological andother controls to ensure that there is aneffective protection againstinappropriate access to the patientsafety work product held by thecomponent PSO.

There was significant concern with

the proposal to limit the sharing of employees between the parentorganization(s) and the component PSOif the employee’s work could beinformed by knowledge of a provider’sidentifiable patient safety work product.Some commenters argued that theprohibition was too broad, that it should

be narrowed, or that the standard wastoo vague and had the potential forcreating confusion. A number of commenters recognized the merits of theintended prohibition but thought thatthe proposed rule’s formulation was sovague that it might limit the ability of

any physician in an academic healthcenter to assist the component PSO if the physician supervised and evaluatedinterns and residents during theirtraining, presuming this to be anunintended result.

Several alternative approaches weresuggested, including: (1) Limit theprohibition to staff in the parentorganization who would use patientsafety work product for non-patientsafety activities; (2) obtain pledges bystaff not to use patient safety workproduct for ‘‘facility administrativefunctions;’’ (3) limit the prohibition topersons with disciplinary/credentialing

functions; (4) require management staff to sign agreements not to use patientsafety work product in hiring/firing,credential/privilege decisions; and (5)permit shared staff for specific types of entities, such as state hospitalassociations, but not others.

Our proposal to provide a limitedoption for a component PSO to drawupon the expertise of its parentorganization(s) to assist the PSO incarrying out patient safety activities waswell received. Most commenters weresupportive of the flexibility provided bythis provision although one commenter

suggested deleting it. Severalcommenters stressed that a ‘‘substantialfirewall’’ should be maintained and thatsuch contracting should only be allowed‘‘for clearly defined and limited staff services.’’ One commenter urged thatsuch contracts or agreements should besubmitted to the Secretary in advance sothat they ‘‘can be scrutinized by HHS toassess whether confidentiality orprivilege protections can practicallyremain intact.’’

In our discussion regarding entitiesexcluded from listing in §3.102(a)(2)(ii),

we noted that a number of commentersthat supported permitting componentsof such entities to seek listing,suggested, nevertheless, that weestablish additional limitations andrequirements. Their suggestionsincluded requiring that such acomponent organization seeking listingmust: Specifically identify its parent

organization as a regulator and specifythe scope of the parent organization’sregulatory authority; submit to theSecretary attestations from providerschoosing to report to the PSO that theyhave been informed of the scope of regulatory authority of the parentorganization; and provide assurances tothe Secretary that the parentorganization has no policies that compelproviders to report patient safety workproduct to its component PSO. Theyalso suggested such a PSO not bepermitted to share staff with the parentorganization and not be able to take

advantage of the proposed limitedprovision that would permit acomponent PSO to contract with itsparent organization for assistance in thereview of patient safety work product.

The proposed rule did not propose aninterpretation but sought comment onthe circumstances under which themission of a component PSO couldcreate a conflict of interest for the restof the parent organization(s) of which itis a part. The recommendations of commenters reflected a variety of perspectives: One view was that the ruleshould not adopt a general standard; acomponent organization should disclose

what it believes may be its conflicts andthat this disclosure should be deemedsufficient to have cured the conflict;another said the Department shouldundertake case-by-case analysis; and athird suggested the Department shouldadopt guidance, not regulatory language.

Another commenter wrote that therecould be no conflict of interest if theparent organization is a provider; otherssuggested that certain types of parentorganizations posed conflicts of interest,such as when the parent organization isan investor-owned hospital or if thereare certain legal relationships which

providers have with a parentorganization or its subsidiaries.Similarly, one commenter suggestedthat not-for-profit status of a PSO should

be an indicator that there is no conflictof interest. In a parallel vein, anothercommenter argued that if the PSO coulduse or sell its information forcommercial gain, this was a conflict.This commenter also argued that if aPSO could be used to create an oasissolely for protection of informationreported by the system that created it,this represented a conflict; the





information held by a PSO must bemade available at minimal or no cost forfurther aggregation. Another commentersuggested that a component PSO shouldnever evaluate patient safety workproduct of an affiliated organization; if it does so, this creates a conflict-of-interest.

Finally, several commenters also

suggested that there must be no conflict between patient safety work productand non-patient safety work productfunctions. A similar comment fromanother entity argued that a PSO mustcertify that members of the componentPSO workforce are not engaged in workfor the parent organization that conflictswith the mission of the PSO.

Final Rule: After careful considerationof the extensive number of commentsreceived regarding componentorganizations, the Department hasmodified and restructured the text for§ 3.102(c) in the following ways.

We have restructured §3.102(c) intofour separate paragraphs. New§ 3.102(c)(1)(i) lists the provisions withwhich different componentorganizations must comply. Thissubparagraph sets forth therequirements that all componentorganizations must meet. The languageof this subparagraph is retained from theproposed rule but includes arequirement that all componentorganizations must submit with theircertifications contact information fortheir parent organization(s) and providean update to the Secretary in a timelymanner if the information changes. This

requirement was proposed in thepreamble but was not incorporated inthe text of the proposed rule. Many of the commenters noted the importance toproviders of having informationregarding the parent organization of acomponent PSO and, therefore, we haveincorporated the provision.

New §3.102(c)(1)(ii) outlines therequirements for components of entitiesexcluded from listing under§ 3.102(a)(2)(ii) of this section. Thesecomponents must meet therequirements for all component PSOs in§ 3.102(c)(1)(i) as well as submit the

additional certifications andinformation and adhere to the furtherlimitations set forth in §3.102(c)(4) thatare discussed below.

New §3.102(c)(2) restates the threeadditional statutory certifications thatmust be made by all componentorganizations seeking listing. We havedeleted two requirements forcomponent entities from the text of theproposed rule that were intended tointerpret these statutory requirements:the requirement for separate informationsystems and the restriction on the use of

shared staff. The final rule does notimpose these proposed requirements onmost component organizations.However, as discussed below regarding§ 3.102(c)(4), we have retained theprohibition on shared staff only withrespect to components of entities thatare excluded from listing and, for suchcomponent PSOs, narrowed the

circumstances when contracting with aparent organization is permissible onlywith respect to components of entitiesthat are excluded from listing.

With respect to separate informationsystems, the Department has concluded,

based upon the information that wasincluded by commenters, that there area number of cost-effective alternativesfor achieving the statutory goal of separate maintenance of patient safetywork product. Accordingly, we haveincluded new language that requires acomponent PSO to ensure that theinformation system in which patient

safety work product is maintained mustnot permit unauthorized access by anyindividuals in, or units of, the rest of theparent organization(s) of which it is apart.

Similarly, after careful considerationof the comments, we have eliminatedthe proposed restriction on the use of shared staff for most component PSOs.The Department has concluded thatthere are significant incentives forcomponent PSOs and parentorganizations to be very cautious intheir use of shared personnel, protectingagainst inappropriate disclosures, andthe disclosure of patient safety work

product. A number of commentersappeared to appreciate the importanceof maintaining separation between theirpatient safety activities and internaldisciplinary, privileges, andcredentialing decisions, which were thefocus of our concern.

Our review has led us to concludethat the potential negative consequencesfor providers, independent of any fear of Department action, lessens the need forthe rule to address this issue. Forexample, institutional providers arelikely to find it difficult to developrobust reporting systems if the

clinicians on their staff learn or evensuspect that the same individualsinvolved in analysis of patient safetywork product play key roles inadministrative decisions that can lead toadverse personnel decisions. This maylead to decreased reporting of patientsafety events. The suspicion of contamination between the processescould also provide a new basis forchallenging adverse employmentactions, which could require providersto prove that their actions were notinfluenced by inappropriate use of

patient safety work product. Finally,there is the right of action that thestatute grants to individual providerswho believe and allege that theiremployer took an adverse employmentaction against them based upon theirproviding information to the employer’spatient safety evaluation system forreporting to the PSO or based upon their

providing information directly to thePSO. Given the importance to providersof maintaining protections for theirwork product, we conclude that it isunlikely that a parent organization willintentionally jeopardize thoseprotections. Therefore, we haveeliminated the proposed restriction onthe use of shared staff, except forcomponents of entities excluded fromlisting as discussed below regarding§ 3.102(c)(4). In its place, we haverestated the statutory requirement thatthe component organization (and itsworkforce and contractors) may not

make unauthorized disclosures to therest of the organization(s) of which thePSO is a part.

We have retained without change in§ 3.102(c)(2)(iii) the proposed rule textprohibiting the pursuit of the mission of the PSO from creating a conflict of interest with the rest of theorganization(s) of which it is a part. Tothe extent that individuals or units of the rest of the parent organization(s)have obligations and responsibilitiesthat are inconsistent with the ‘‘cultureof safety’’ that the statute seeks to foster,a component PSO could create a conflictof interest by sharing identifiable

patient safety work product with themas shared staff or under a writtenagreement pursuant to §3.102(c)(3),discussed below. On the other hand, thecomponent PSO could draw upon theexpertise of these same individuals inother capacities in which identifiablework product is not shared and, thereby,avoid creating conflicts of interest.Thus, we would interpret permitting thecreation of conflicting situations for staff or units of the parent organization(s) asinconsistent with a component PSO’sattestation.

Section 3.102(c)(3) retains without

substantive change the provision in theproposed rule to enable a componentPSO, within limits, to take advantage of the expertise of the rest of theorganization of which it is part. Inresponse to concerns expressed by somecommenters, we stress the statutoryrequirement for the PSO to maintainpatient safety work product separatelyfrom the rest of the organization. In suchcircumstances, it cannot be transferredto individuals or units of the rest of theorganization except as permitted by therule. As a practical matter, if the parent





organization is a provider organizationand the component PSO is evaluatingthe parent organization’s data, theparent-provider is likely to have a copyof all of the data transmitted to thecomponent PSO.

We do not dismiss the concerns of commenters that this contractingauthority could be used inappropriately.

We remind each component PSO thatthe statute requires it to maintainpatient safety work product separatelyfrom the rest of the organization(s) of which the component PSO is a part andprohibits unauthorized disclosures tothe rest of the organization(s) of whichthey are a part. Therefore, it may not beappropriate for its parent organization toserve as its main provider of analytic ordata services if such arrangementswould effectively confound statutoryintent for a firewall between acomponent PSO and the rest of theorganization(s) of which it is a part. The

flexibility provided by the rule to usein-house expertise is intended tosupplement, not replace, the PSO’sauthority to contract with externalexpert individuals and organizations.

Section 3.102(c)(4) incorporates newrequirements, drawn from our review of public comments, that only apply toorganizations that are components of entities excluded from listing under§ 3.102(a)(2)(ii). Thus, these componentorganizations have three sets of requirements to meet: The 15 generalcertification requirements in§§ 3.102(b)(1) and 3.102 (b)(2); therequirements that all component PSOs

must meet in §§ 3.102(c)(1)(i) and3.102(c)(2); and the requirements thatare established by §3.102(c)(4).

Section 3.102(c)(4) establishes arequirement for additional informationand certifications that must besubmitted with the componentorganization’s certifications for listingand it establishes two additionalrestrictions with which a componentorganization must comply during itsperiod of listing. The additionalinformation and certifications require acomponent PSO of an entity describedin § 3.102(a)(2)(ii) to:

1. Describe the parent organization’srole, and the scope of the parentorganization’s authority, with respect tothe activities which are the basis of theparent organization’s exclusion from

being listed under §3.102(a)(2)(ii).2. Certify that the parent organization

has no policies or procedures thatwould require or induce providers toreport patient safety work product to thecomponent organization once it is listedas a PSO, and affirm that the componentPSO will notify the Secretary if theparent organization takes any such

actions during its period of listing. Anexample of an inducement would be if a parent organization that accredited orlicensed providers awarded specialscoring consideration to providersreporting to the parent organization’scomponent PSO; additional scoringconsideration for reporting to any PSO,

by contrast, would not violate this

restriction.3. Certify that the component PSO

will include information on its websiteand in any promotional materials forproviders describing the activitieswhich were the basis of the parentorganization’s exclusion under§ 3.102(a)(2)(ii).

We have incorporated theseadditional requirements for informationand attestations to address widespreadconcerns among commenters that anexcluded parent organization mightattempt to compel providers to reportdata to its component PSO andcircumvent the firewalls for access tothat data. These extra requirements forsuch component PSOs will strengthentransparency and the additionalstatements submitted with thecomponent organization’s certificationswill be posted on the AHRQ PSO Website along with all its othercertifications. Our intent is to ensurethat such a component organization’swebsite and its promotional materialsfor providers will inform providersregarding the nature and role of itsparent organization. The rule isemphatically clear that the Departmentwill take prompt action to revoke and

delist a component organization whoseexcluded parent organization attemptsto compel providers to report data to itscomponent PSO. New § 3.108(e)(1) listsspecific circumstances, including thissituation, in which revocation anddelisting will take place on an expedited

basis.During its period of listing, the final

rule also prohibits a PSO that is acomponent organization of an entityexcluded from listing to share staff withthe rest of the organization(s) of whichit is a part. Such a component PSO mayenter into contracts or written

agreements with the rest of theorganization(s) under the authorityprovided to all component PSOs by§ 3.102(c)(3) but with one additionallimitation. Such contracts or writtenagreements are limited to units orindividuals of the parent organization(s)whose responsibilities do not involvethe activities that are the basis of theparent organization’s exclusion under§ 3.102(a)(2)(ii). If the parentorganization’s sole activity is the reasonfor its exclusion, the componentorganization could never enter a

contract or written agreement to havestaff from the rest of the organizationassist the PSO in carrying out patientsafety activities. If the parentorganization engages in a mix of activities, some of which are not a basisfor exclusion from listing, thecomponent organization will be able totake advantage of this contracting

option, subject to our caveat above.


Comment: One commenter asked usto confirm that component PSOs canmaintain patient safety work product

behind secure firewalls using existinginformation systems.

Response: The modifications we haveadopted and discussed above meansthat the final rule permits this approach.

Comment: Several commenterssuggested that it was unrealistic for thecomponent PSO to maintain patientsafety work product separately from its

parent organization if the parentorganization is a provider reporting datato the component PSO.

Response: The Patient Safety Actrequires a component PSO maintainpatient safety work product separatelyfrom the rest of the organization(s) of which it is a part; therefore, we cannotremove the restriction. While contracts

between a PSO and a provider are likelyto address the extent to which aprovider has access to information held

by a PSO, we caution contracting partiesto be mindful of this statutoryrestriction in crafting their contracts.The requirement for separation does notmean that the component organizationcannot share information with a parentorganization but any sharing must beconsistent with the permissibledisclosures of this rule.

(D) Section 3.102(d) RequiredNotifications

(1) Section 3.102(d)(1)—NotificationRegarding PSO Compliance WithMinimum Contract Requirement

Proposed Rule: Section 3.102(d)(1) of the proposed rule would require PSOsto attest within every 24-month period,

beginning with its initial date of listing,that the PSO has met the two-contractrequirement. We proposed to requirenotification of the Secretary 45 days

before the end of the applicable 24-month period. Early notification wouldenable the Department to meet anotherstatutory requirement to provide PSOswith an opportunity to correct adeficiency. If the requirement is not yetmet, this would enable the Secretary toestablish an opportunity for correctionthat ends at midnight on the last day of the 24-month period.





Overview of Public Comments: Thecomments we received endorsed ourproposed approach. One commentersuggested we should consider requiringnotification 60 days in advance.

Final Rule: We expect that, in mostcircumstances, contracts will be theprimary source of revenue for PSOs. Inlight of the fact that only two contracts

are required, we do not anticipate thatmany PSOs will reach this point in theirperiod of listing without meeting therequirement. We have not accepted therecommendation to require notificationsooner. The Department adopts theprovision as recommended in theproposed rule without modification.

(2) Section 3.102(d)(2)—NotificationRegarding a PSO’s Relationships WithIts Contracting Providers

Proposed Rule: The proposed ruleincorporated in §3.102(d)(2) thestatutory requirement that a PSO wouldmake disclosures to the Secretaryregarding its relationship(s) with anyprovider(s) with whom the PSO entersa contract pursuant to the Patient SafetyAct (Patient Safety Act contract). Thestatute requires PSOs to disclosewhether a PSO has any financial,contractual, or reporting relationshipswith this contracting provider and, if applicable, whether the PSO is notmanaged, controlled, or operatedindependently of this contractingprovider.

The proposed rule noted that a PSOwould need to make this assessmentwhen it enters a contract with a

provider and, if disclosures arerequired, submit a disclosure statementwithin 45 days of the effective date of the contract. If relationships ariseduring the contract period, submissionwould be required within 45 days of thedate the relationships are established.

The proposed rule would haveprovided guidance on our interpretationof financial, contractual, and reportingrelationships and emphasized that thestatute required a PSO to ‘‘fullydisclose’’ the relationships. We notedthat disclosure would be required onlywhen the PSO entered a Patient Safety

Act contract with a provider and therewere relationships that requireddisclosure. We also encouraged, but didnot require, PSOs to list any agreements,stipulations, or procedural safeguardsthat might offset the influence of theprovider and that might protect theability of the PSO to operateindependently.

Overview of Public Comments:Commenters expressed concern that theproposed rule was not sufficientlyspecific with respect to the requireddisclosure statements. They suggested

that the emphasis in the proposed ruleon the statutory requirement for fulldisclosure, without a correspondingdiscussion of the parameters for thecontents and level of detail of thestatements, raised the prospect thatPSOs would feel compelled to developdisproportionately detailed informationthat might not be germane. One

commenter suggested what was mostimportant is awareness of thefundamental relationship(s) that exist,not the specific details, suggesting thatif the provider in question is the parententity of the PSO, it should be sufficientto know that the parent-provider is thesource of financial support to the PSO,employs its workforce, and providesmanagement to its activities.

In addition, there was concern thatsince the disclosure statements aregoing to be made public, detailedsubmissions regarding the financial andcontractual obligations would make it

difficult to maintain the confidentialityof potentially sensitive businessinformation. Several commenters notedthat it is not unusual for certain typesof contractual work with commerciallysensitive implications to includeconfidentiality agreements and onecommenter suggested that the processpermit a PSO to request that theSecretary not disclose specificinformation under certaincircumstances.

A number of commenters expressedconcern about the potential unintendedconsequences of disclosure, especiallywith respect to the identity of providers.

One commenter raised concern that therequirement would lead to‘‘differential’’ disclosure, by which thecommenter meant that, of the totalnumber of providers with which a PSOenters contracts, only those with otherrelationships would have their namesdisclosed and the other providers wouldnot have their names made knownthrough the proposed public release of disclosure statements by the Secretary.

Final Rule: After careful review of thecomments, the Department hasreconsidered its approach to thisdisclosure requirement and has made

modifications to the text that areincorporated in the final rule. Basedupon this review, we have shifted theemphasis of the term ‘‘fully disclose’’from stressing the level of detail that aPSO must provide in describing each of the other types of relationships (listed

below) that the PSO has with acontracting provider to an emphasis onrequiring that the PSO disclose clearlyand concisely every relationship thatrequires disclosure. This shift inemphasis remains consistent with ouroverall emphasis on transparency;

without being burdensome, it enables both the Secretary and providersconsidering contracts with a PSO torequest additional information regardingany relationships of concern. We haveadopted a clearer and narrowerinterpretation of the disclosures of relationships that must be made in viewof concerns expressed by commenters

about the scope of the required reports.In response to requests for moreguidance on the required submissions,this final rule calls for a two-partdisclosure statement and describes whatmust be included in each part.

These modifications to the final rulereflect several considerations. TheDepartment has concluded that thePatient Safety Act does not provideincentives for a provider to control ormanipulate the findings of a PSO withrespect to its own patient safetyinformation. A PSO’s conclusions andrecommendations are patient safety

work product and, whether the PSO iscritical or complimentary of theprovider or the provider agrees ordisagrees with the PSO, the PSOanalysis and guidance remainsconfidential and privileged under theAct, which means that there areconstraints on the ability of a providerto disclose the PSO’s conclusions andrecommendations. Even when they can

be disclosed, calling the public’sattention to positive findings is likely toengender scrutiny of the extent to whichthe provider’s relationship with its PSOis truly an arms-length relationship. Insum, providers have little to gain under

the statute’s framework from attemptingto control or manipulate the analysesand findings of a PSO.

At the same time, the Departmentexpects the statutory disclosurerequirements, coupled with publicrelease of disclosure statements and theSecretary’s findings as provided by§ 3.104(b), will provide important anduseful information to providers seekingto contract with a PSO. As we pointedout in the proposed rule, a providerseeking to contract with a PSO will haveits own standards for what other PSOrelationships it considers to be

acceptable. Therefore, the submissionand public release of this informationshould improve the efficiency of thesearch process by providers.

In light of these considerations, theDepartment has determined that themost appropriate interpretation of thestatutory requirement to ‘‘fully disclose’’other relationships is to emphasize theneed to require the disclosure of everypertinent relationship specified by thestatute. Providers that are consideringentering a contract with a PSO candetermine for themselves if any





task, such as providing assistance inimplementing and evaluating a processimprovement, should only be listedonce; we are not suggesting that PSOsreport separately on the differentelements of a single unified project.

To apply these concepts, consider ahospital that was one of five hospitalsthat invested in the creation of a PSO

and the hospital subsequently enters aPatient Safety Act contract with thePSO. If this investment is the onlyobligation other than the Patient SafetyAct contract that exists between the PSOand the provider, the PSO’s disclosurestatement would include only oneobligation and it could be described ina single paragraph. Within thatparagraph, the PSO shouldsystematically address the requiredstatutory disclosures or note that theyare not present. In addressing financialrelationships, the PSO should notinclude the amount of the investment or

specific terms. In this case, the requiredparagraph would describe the essentialnature of the financial relationship, e.g.,it is a loan requiring repayment over Xyears; it is a long-term investmentrequiring the payment of dividends,etc., whether it was formalized by acontract, whether a reportingrelationship exists, e.g., the provider hasaccess to internal quarterly financialstatements not available to otherproviders, and whether the obligationgives the provider any ability to controlor manage the PSO’s operations, e.g., theprovider has a seat on the board orreview or veto authority over new

clients, specific contracts, budgets, staff hiring, etc.

If the PSO is a subsidiary of a healthsystem, the paragraph could indicatethat PSO is a subsidiary of the provider,the provider is the primary source of revenue for the component PSO, thetypes of internal PSO information towhich the provider has access, e.g., allfinancial, personnel, administrativeinternal information, and that theprovider manages or controls (or hasreview and approval authority) of day-to-day decision-making, hiring andfiring decisions, etc. By incorporating

the required statutory disclosures into asuccinct discussion of the obligationsthat a PSO has with this provider, weanticipate that the descriptions will bemore comprehensible.

Part II of a disclosure statement mustdescribe why or how the PSO, given thedisclosures in part I, can fairly andaccurately perform patient safetyactivities. The PSO must address: Thepolicies and procedures that the PSOhas in place to ensure adherence toprofessional analytic standards andobjectivity in the analyses it undertakes;

and any other policies, procedures, oragreements that ensure that the PSO canfairly and accurately perform patientsafety activities.

Section 3.102(d)(2)(iii) of the ruleretains the deadlines for submission of disclosure statements that wereincluded in the proposed rule.


Comment: One commenter asked thatwe exempt a PSO with fewer than 5clients from releasing the names of itsclients.

Response: We note that a PSO neverhas to reveal the names of its clients(providers) as long as the PSO does nothave the other types of relationshipsdescribed in this subsection with thoseproviders. However, when suchrelationships are present, the statutedoes not provide authority for us tocreate such exceptions.

Comment: One commenter asked thatwe clarify that the required disclosurescan be made in a way that the PSO doesnot breach the confidentialityrequirements that may be a part of another contractual arrangement with acontracting provider.

Response: The Department cannotmake a definitive statement that suchconfidentiality agreements can always

be honored; this requires a case-by-casedetermination. A PSO is encouraged todiscuss the issue with AHRQ staff

before submitting a disclosurestatement. As noted above, the agency’spublic disclosures are constrained by 18U.S.C. 1905, but agency officials have

some discretion with respect todetermining what information would berestricted under that statute. We notealso that the agency has the discretionto deny Freedom of Information Actrequests for information it regards asconfidential commercial information (5U.S.C. 552(b)(4)). Agencydeterminations will be assisted byexplanations of what is viewed by asubmitter as confidential commercialinformation and the reasons why that isthe case.

Comment: One commenter posed aseries of questions related to an entity

that seeks listing that receives generalmembership dues or assessments, i.e.,whether such general dues orassessments would be consideredfinancial relationships and, therefore,require the filing of disclosurestatements. The commenter also asked if disclosure of such membership dues orassessments is required under any othersection of the rule.

Response: The Department hasdetermined that membership dues orgeneral assessments applied to allmembers do not constitute ‘‘financial

relationships’’ between a provider and aPSO. There is no other section of therule that would require disclosure of membership dues or assessments.Before seeking listing, however, amembership organization shouldcarefully assess whether it meets thestatutory requirement that its primaryactivity must be the conduct of activities

to improve patient safety and the qualityof health care delivery.

2. Section 3.104—Secretarial Actions

(A) Section 3.104(a)—Actions inResponse to Certification Submissionsfor Initial and Continued Listing as aPSO

Proposed Rule: Section 3.104(a)described the actions that the Secretarycould and will take in response to thecertification material submitted forinitial or continued listing as a PSO. Weproposed that, in making a listingdetermination, the Secretary would

consider the submitted certifications,issues related to the history of theentity, and any findings by the Secretaryregarding disclosure statements. Theproposed rule also included authorityfor the Secretary, under certaincircumstances, to condition the listingof a PSO. We did not propose a deadlinefor Secretarial review of certificationssubmitted, but noted that we expect theSecretary to be able to conclude reviewwithin 30 days of receipt unlessadditional information or assurances arerequired.

Overview of Public Comments: We

received several comments pertaining tothis section. One comment endorsed theproposed provision. Another requestedthat we modify the rule to requireSecretarial action within 60 days. Athird commenter recommended that theSecretary establish timetables for allactions and opposed open-endedtimeframes.

Final Rule: We have retained the textfrom the proposed rule with twomodifications. The text of § 3.104(a)(1)(iii) of the proposed rulestated that the Secretary may requireconditions for listing as part of his

review of disclosure statementssubmitted pursuant to § 3.102(d)(2); thattext has been retained. We also noted inthe preamble discussing proposed§ 3.104(a) that there may be certaincircumstances in which the Secretarydetermines that it would not be prudentto rely solely on the certifications forlisting submitted by an entity that waspreviously revoked and delisted forcause or previously refused listing bythe Secretary. In such limitedcircumstances, we suggested theSecretary may seek additional





assurances from the PSO that wouldincrease the Secretary’s confidence that,despite the history of the entity and itsofficers and senior staff, the entity couldnow be relied upon to comply with itsstatutory and regulatory obligations. Toreflect the potential need for assurancesin such cases, and to better align the textwith the preamble discussion of the

proposed rule, we have modified thetext of §3.104(a)(1)(iii) to permit theSecretary to condition the listing of aPSO in this limited circumstance toensure that such a PSO honors theassurances it makes in seeking listing.

The second change is a conformingmodification to the basis for theSecretary’s determination in§ 3.104(a)(2), which specificallyrecognizes the right of the Secretary totake into account any history of orcurrent non-compliance withrequirements of the rule by officials andsenior managers of the entity. This

change also mirrors the requirement in§ 3.102(a)(1) that entities seeking listinginform the Secretary if their officials orsenior managers held comparablepositions in a PSO that was delisted orwith an entity that was denied listing bythe Secretary.

We have not accepted thecommenter’s recommendation toestablish a regulatory deadline of 60days for Secretarial action. This is anovel initiative and without a bettersense of the potential issues that mayarise, such as when a delisted PSO seeksa new listing, we are reluctant tocircumscribe the flexibility that the

statute and the proposed rule providedthe Secretary. In addition, the statuterequires an affirmative acceptance andlisting action by the Secretary. Listingcannot occur as a result of any failureto meet a deadline. Accordingly, wehave not adopted the recommendation.

(B) Section 3.104(b)—Actions RegardingPSO Compliance With the MinimumContract Requirement

Proposed Rule: Section 3.104(b) of theproposed rule stated that, afterreviewing the required notification froma PSO regarding its compliance with the

minimum contract requirement, theSecretary would, for a PSO that atteststhat it has met the requirement, wouldacknowledge in writing receipt of theattestation and include information onthe list of PSOs. If the PSO notifies theSecretary that it has not yet met therequirement, or if notification is notreceived from the PSO by the requireddate, the proposed rule stated that theSecretary would promptly issue a noticeof a preliminary finding of deficiencyand provide the PSO an opportunity forcorrection that will extend no later than

midnight of the last day of its applicable24-month assessment period. If theSecretary verifies that the PSO has notmet the requirement by the last day of the 24-month period, he would issue anotice of proposed revocation anddelisting.

Overview of Public Comments: Wereceived no comments on this

subsection.Final Rule: The final rule incorporates

the substance of the NPRM text withoutmodification but restructures the text forclarity. The restructured text clarifiesthat the Secretary will only issue anotice of a preliminary finding of deficiency after the date on which aPSO’s notification to the Secretary isrequired by § 3.102(d)(1).

(C) Section 3.104(c)—Actions RegardingRequired Disclosures by PSOs of Relationships With ContractingProviders

Proposed Rule: Section 3.104(c) of theproposed rule stated that the Secretarywould evaluate a disclosure statementsubmitted by a PSO regarding itsrelationships with contracting providers

by considering the nature, significance,and duration of the relationships

between the PSO and the contractingprovider. We sought public comment onother appropriate factors to consider.The statute requires disclosure of theSecretary’s findings, and we proposedpublic release, consistent with theFreedom of Information Act and 18U.S.C. 1905, of PSO disclosurestatements as well.

This proposed section also listed thestatutorily permissible actions that theSecretary could take following hisreview: Conclude that the disclosedrelationships require no action on hispart or, depending on whether the entityis listed or seeking listing, condition hislisting of the PSO, exercise his authorityto refuse to list, or exercise his authorityto revoke the listing of the entity. TheSecretary would notify each entity of hisfindings and decisions.

Overview of Public Comments: Onecommenter suggested that our proposalthat the Secretary consider the nature,

significance, and duration of therelationship in evaluating therelationships had no statutoryfoundation. Another commentersuggested that we take into accountcorrective action. Several commentersproposed that we rely upon the inter-agency work group that is assistingAHRQ in developing common formatsand definitions for reporting patientsafety work product to assist indeveloping disclosure statements. Onecommenter suggested that we create a‘‘safe harbor’’ for multi-hospital parent

organization systems that contract witha PSO on behalf of some or all of itshospitals so that a disclosure statementwould not be required, deeming that thecomponent PSO of a multi-hospitalorganization can perform patient safetyactivities fairly and accurately. Anothersuggestion was that the Secretary shouldadopt a standard requiring that there be

no conflicts of interests.Final Rule: We have retained much of

the text from the proposed rule but havemodified the paragraph setting forth the

basis for the Secretary’s findingsregarding disclosure statements. In lightof the comments, we have deleted thereference to ‘‘nature, significance, andduration’’ as not appropriate in everycircumstance. The modification to therule now requires the Secretary toconsider the disclosures made by thePSO and an explanatory statement fromthe PSO making the case for why thePSO can fairly and accurately perform

patient safety activities.We have not adopted the other

suggestions. As we discuss above, withrespect to §3.102(d)(2), we agree withthe commenter that there is little reasonfor a provider organization to exertinappropriate control over itscomponent PSO. At the same time wedo not believe the statute permits us towaive Secretarial review under any setof circumstances.

We do not agree with commentersthat the common formats inter-agencywork group is the appropriate group toaddress disclosure statements. At this

time, their informatics and clinicalexpertise and responsibilities are notcongruent with assisting in the design orsubstantive requirements for disclosurestatements.

(D) Section 3.104(d)—Maintaining a Listof PSOs

Proposed Rule: The proposed rulesought to incorporate in § 3.104(d) thestatutory requirement that the Secretarycompile and maintain a list of thoseentities whose PSO certifications have

been accepted and which certificationshave not been revoked or voluntarily

relinquished. We proposed that the listwould include information related tocertifications for listing, disclosurestatements, compliance with theminimum contract requirement, and anyother information required by thisSubpart. We noted that we expected topost this information on the AHRQ PSOWeb site, and sought comment onwhether there are specific types of information that the Secretary shouldconsider posting routinely on this Website for the benefit of PSOs, providers,and other consumers of PSO services.





Overview of Public Comments: Inaddition to the list in the proposed rule,several commenters urged that we postthe contact information for the parentorganizations, subsidiaries, andaffiliates, a list of states in which theparent organization does business, andthe business objectives of the parentorganizations, and whether each parent

organization is for-profit or not-for-profit.

Two commenters suggested that theSecretary’s guidance on commonreporting formats and definitions should

be available on the PSO Web site. Onecommenter urged that the final rule andcontact information for AHRQ staff should also be available there. Anothercommenter suggested that, since AHRQ works with PSOs, the value toprospective providers would beincreased if we posted information onareas of specialization of individualPSOs and use the Web site as one tool

for facilitating confirming analyses byother PSOs of initial work.Final Rule: The final rule incorporates

the proposed rule text withoutmodification. We have not modified thetext of the rule because most of therecommendations relate to informationthat AHRQ will be receiving orproducing for PSOs and can be postedto the Web site without additions orchanges to the rule text.Recommendations to post informationrelated to AHRQ staff and the final rulecan be done without regulation as well.As AHRQ provides technical assistanceto PSOs and works with the provider

community to encourage the use of PSOservices, we expect to publishinformation on the Web site that PSOsand the provider community request. Inaddition, the names and contactinformation of parent organizations of component PSOs and other informationsubmitted at listing will be posted inaccordance with the proposed rule text.

Commenters urged us to post someinformation that we have no plans tocollect, and, therefore, we have notaccepted their recommendations. Mostof these recommendations related to the

business objectives, or the for-profit or

not-for-profit status of parentorganizations of component PSOs. Inour view, requiring componentorganizations to submit suchinformation would be burdensome andunnecessary. Providers will be able tofind that information by using thepublished contact information on PSOsand parent organizations.

(E) Section 3.104(e)—Three-Year Periodof Listing

Proposed Rule: Section 3.104(e)proposed that listing as a PSO would be

for three years, unless the Secretaryrevokes the listing or the PSOvoluntarily relinquished its status. Wealso proposed that the Secretary wouldsend a written notice of imminentexpiration to a PSO no later than 45calendar days before its listing expiresif the Secretary has not received acertification seeking continued listing.

We sought comment on a requirementthat the Secretary publicly post thenames of PSOs to which a notice of imminent expiration has been sent.

Overview of Public Comments:Commenters were virtually unanimousthat, at the time we send a PSO a noticeof imminent expiration, we should postsimilar information on the AHRQ PSOwebsite. Several commenters suggestedthat PSOs should be required to notifyproviders that the PSO has received anotice of imminent expiration andexpressing concerns about the timeneeded for providers to make alternative

arrangements. One commentersuggested that notice to providersshould be a part of the contract with thePSO. Another suggested that theDepartment establish an email listservthat providers could join for alerts suchas this. One commenter opposed publicnotice and one expressed conditionalsupport, provided the Departmentensured the accuracy of the informationon the Web site.

Final Rule: We have modified andredrafted § 3.104(e) of the final rule. Thefinal rule retains the proposed provisionthat the period of listing will be forthree years, unless revoked or

relinquished. The first modification isthat this section now explicitly providesfor the automatic expiration of a PSO’slisting at the end of three years, unlessthe Secretary approves its certificationfor continued listing before the date of expiration. By incorporating thismodification and making the processautomatic, we have been able toeliminate the proposal in §3.108(c) fora process we termed ‘‘implied voluntaryrelinquishment.’’ In comparison withthe proposed rule approach, whichrequired the Secretary to takeaffirmative action to delist a PSO that let

its certifications lapse, this automaticapproach simplifies the administrativeprocess.

We have modified subparagraph3.104(e)(2) in two ways. We will send aPSO a notice of imminent expirationeven earlier—at least 60 days ratherthan 45 days—before its certificationsexpire. We adopted the earliernotification date in response to generalconcerns reflected in the commentsabout the time a provider needed tomake alternative arrangements and toensure sufficient time for the Secretary

to review and make a determinationregarding certifications for continuedlisting. The second modificationincorporates our proposal to post anotice on the AHRQ PSO website, forwhich commenters expressed strongsupport. In combination, we expectthese modifications will provide boththe PSO and the providers from which

it receives data sufficient notice that theentity’s period of listing is drawing to aclose.

We have not incorporated therecommendation to require PSOsreceiving the notice to contact allproviders. We expect most providersand PSOs to take advantage of AHRQ’sexisting listserv that will provideelectronic notice to all subscribers whena notice such as this is posted on theAHRQ PSO website. Providers will also

be able to sign up on the web site toreceive individual emails if their PSO

becomes delisted. In this way, we can be

assured that notification is sent to, andreceived by, all interested parties.

(F) Section 3.104(f)—Effective Date of Secretarial Actions

Proposed Rule: The proposed rule insection 3.104(f) states that, unlessotherwise specified, the effective date of each action by the Secretary would bespecified in the written notice that issent to the entity. We noted that theDepartment anticipates sending notices

by electronic mail or other electronicmeans in addition to a hard copyversion. We also pointed out that forlisting and delisting decisions, the

Secretary would specify both aneffective time and date for such actionsin the written notice to ensure clarityregarding when information received bythe entity will be protected as patientsafety work product.

Overview of Public Comments: Wereceived no public comments on thissubsection.

Final Rule: The final rule incorporatesthe proposed rule text withoutmodification.

3. Section 3.106—SecurityRequirements

Proposed Rule: Section 3.106 of theproposed rule outlined a frameworkconsisting of four categories for thesecurity of patient safety work productthat PSOs would consider in developingpolicies and procedures for theprotection of data. Because §3.106contains only two subsections and wereceived few comments, we will discuss

both subsections of the rule together.Section 3.106(a) proposed that the

security requirements of this sectionwould apply to each PSO, its workforcemembers, and its contractors whenever





the contractors hold patient safety workproduct. If contractors cannot meetthese security requirements, weproposed that their tasks be performedat locations at which the PSO can meetthese requirements. We stated that therule does not impose these requirementson providers; this Subpart would onlyapply to PSOs.

Proposed §3.106(b) would haveestablished a framework consisting of four categories for the security of patientsafety work product that a PSO mustconsider. We proposed that each PSOdevelop appropriate and scalablestandards that are suitable for the sizeand complexity of its organization.

The four categories of the frameworkwould have included: Securitymanagement issues (documenting itssecurity requirements, ensuring that itsworkforce and contractors understandthe requirements, and monitoring andimproving the effectiveness of itspolicies and procedures); separation of systems (required physical separation of patient safety work product, appropriatedisposal or sanitization of media, andpreventing physical access to patientsafety work product by unauthorizedusers or recipients); security control andmonitoring controls (ability to identifyand authenticate users, an auditcapacity to detect unlawful,unauthorized, or inappropriateactivities, and controls to precludeunauthorized removal, transmission ordisclosures); and policies andprocedures for periodic assessment of the effectiveness and weaknesses of its

overall approach to security (determinewhen it needs to undertake riskassessment exercises and specify how itwould assess and adjust its proceduresto ensure the security of itscommunications involving patientsafety work product to and fromproviders and other authorized parties).

Overview of Public Comments: Therewere no public comments thatspecifically addressed § 3.106(a) of therule. Commenters focused instead onthe overall security frameworkestablished by §3.106(b). The majorityof commenters supported the proposed

requirements and emphasized theconcepts of scalability and flexibilitythat were reflected in the proposed rule.Two commenters urged the Departmentto adopt the HIPAA Security Ruleinstead. Another commenter suggestedthat the final rule should emphasize theneed for PSOs to maintain up-to-datesecurity processes and urged that thefinal rule specifically recognize thatPSOs can include HIPAA Security Rulerequirements in their business associatecontracts with providers that arecovered entities.

While there were few commentsoverall on this section of the rule, thespecific provision that elicited the mostconcern was the requirement in§ 3.106(b)(2) that patient safety workproduct needed to be maintainedsecurely separate from other systems of records. As discussed above withrespect to obligations of component

organizations, commenters expressedconcern regarding the potential burdenof such a requirement and severalpointed to the analytic benefits of beingable to readily merge data sets forspecific analyses. It was recommendedthat the final rule permit the patientsafety work product and non-patientsafety work product to be stored in thesame database as long as the securityrequirements are implemented for thedatabase as a whole.

Another commenter pointed to theconfusion, inconsistency, and errorsthat were likely to result from the rule

text in which each paragraph beganwith the words that a PSO ‘‘mustaddress’’ each security issue within theframework while introductoryparagraph (b) indicated that PSOsmerely needed to ‘‘consider’’ thesecurity framework.

Final Rule: We have modified the textof § 3.106 both to improve its clarity innon-substantive ways and to incorporateseveral substantive modifications inresponse to the comments we received.The changes to §3.106(a) are for clarity.For uniformity and brevity, throughout§ 3.106, we have standardizedreferences regarding the application of

security requirements to the ‘‘receipt,access, and handling’’ of patient safetywork product. The rule text defines‘‘handling’’ of patient safety workproduct as including its processing,development, use, maintenance, storage,removal, disclosure, transmission anddestruction.

We have incorporated severalmodifications to the text of §3.106(b).We have both simplified the text of theopening paragraph of this subsectionand substituted the requirement that‘‘PSOs must have written policies andprocedures that address’’ for the

language of the proposed rule that statedthe ‘‘PSO must consider.’’ We agreewith the commenter that retention of theproposed rule language would createconfusion regarding what is required of a PSO. By retaining the language thatpermits a PSO to develop specificstandards that address the securityframework in this section withstandards that are appropriate andscalable, we intend to retain flexibilityfor PSOs to determine how they willaddress each element of the securityframework.

The most significant substantivechange in the security framework is in§ 3.106(b)(2), which had required theseparation of patient safety workproduct from non-patient safety workproduct at all times. Based on commentsreceived, we have modified both thetitle of § 3.106(b)(2) and the text of § 3.106(b)(2)(i). Section 3.106(b)(2) is

now entitled ‘‘Distinguishing PatientSafety Work Product,’’ rather than‘‘Separation of Systems,’’ and§ 3.106(b)(2)(i) recognizes that thesecurity of patient safety work productcan be maintained either when patientsafety work product is maintainedseparately from non-patient safety workproduct or when it is co-located withnon-patient safety work product,provided that the patient safety workproduct is distinguishable. This willensure that the appropriate form andlevel of security can be maintained. Thischange responds to several comments

that opposed the absolute requirementfor separation in the proposed rule.While we have, thus, allowed greater

procedural flexibility, we caution PSOsto be attentive to ensuring that patientsafety work product remainsdistinguishable at all times if it is notkept separated. To the extent thatpatient safety work product becomes co-mingled with non-protectedinformation, there is increased risk of impermissible disclosures andviolations of the confidentialityrequirements of the rule and the PatientSafety Act.

We have also eliminated a reference

to a PSO determination of appropriateness that was in the text of the proposed rule in § 3.106(b)(4)(i) asredundant, since the rule permits a PSOto develop appropriate and scalablestandards for each element of thesecurity framework, including thiselement.

Given the strong support for ourflexible and scalable framework, wehave not adopted recommendations of two commenters to substitute theHIPAA Security Rule for theseprovisions. We would expect that PSOsthat are familiar with, and have existing

rules that implement, the HIPAASecurity Rule will incorporate thosestandards as appropriate, when theydevelop their written policies andprocedures to implement security forthe patient safety work product theyreceive, access and handle. The securityframework presented here does notimpose any limitations on the ability of PSOs to incorporate or addressadditional security requirements orissues as the PSO determines to beappropriate. The flexible approach wehave adopted should minimize the





potential for conflict with therequirements of other programs. Bytaking advantage of this flexibility, andensuring that its security requirementsalso address the requirements of theHIPAA Security Rule, a PSO should beable to meet its obligations as a businessassociate of any provider that is also a‘‘covered entity’’ under HIPAA

regulations.4. Section 3.108—Correction of Deficiencies, Revocation and VoluntaryRelinquishment

Section 3.108 establishes theprocesses and procedures related tocorrection of deficiencies, revocation,and voluntary relinquishment. Section3.108(a) establishes the processes andprocedures for correction of deficiencies

by PSOs and, when deficiencies havenot been timely corrected, the processleading to a decision by the Secretary torevoke his acceptance of the entity’scertification and delist a PSO. Section3.108(b) sets forth the actions that theSecretary and a PSO must takefollowing a decision by the Secretary torevoke his acceptance of the entity’scertification and delist the entity.Section 3.108(c) establishes the process

by which an entity can voluntarilyrelinquish its status as a PSO. Section3.108(d) requires publication of noticesin the Federal Register whenever anentity is being removed from listing.New §3.108(e) establishes an expeditedprocess for revoking the Secretary’sacceptance of the entity’s certificationunder certain circumstances.

(A) Section 3.108(a)—Process forCorrection of a Deficiency andRevocation

Proposed Rule: Section 3.108(a) listedin paragraph (a)(1) the circumstancesthat could lead to revocation anddelisting and the remaining subsectionsset forth our proposed process forcorrection by a PSO of a deficiencyidentified by the Secretary and, if thedeficiencies are not timely corrected orcannot be ‘‘cured,’’ the process thatcould lead to the revocation anddelisting. We review the entirety of

§ 3.108(a) here.Once the Secretary believes that aPSO is deficient in meeting itsrequirements, proposed §3.108(a)(2)outlined the processes he would follow.First, the Secretary would send awritten notice of a preliminary findingof deficiency; the contents of thedeficiency notice are specified in therule. Following receipt of the notice, aPSO would have 14 days to correct therecord by submitting evidence that theinformation on which the preliminaryfinding had been based was factually

incorrect. The Secretary could thenwithdraw the notice or require the PSOto proceed with correction. Thepreamble sought comment on whetherthere should be an expedited revocationprocess when deficiencies are not, orcannot, be cured. Public comment andthe provisions of the final rule arediscussed below in new subsection (e),

expedited revocation.Following the correction period,

proposed §3.108(a)(3) would haverequired the Secretary to determinewhether a deficiency has beencorrected. The Secretary coulddetermine: (1) The deficiency iscorrected and withdraw the notice of deficiency; (2) additional time for, ormodification of, the required correctiveaction is warranted; or (3) the deficiencyis not corrected, the PSO has not actedwith reasonable diligence or timeliness,and issue a Notice of ProposedRevocation and Delisting.

Section 3.108(a)(4) would haveprovided an automatic 30 calendar dayperiod, unless waived by the PSO, for itto respond in writing to the proposedrevocation and delisting. If a PSO failsto submit a written response, theSecretary would revoke his acceptanceof its certification, and delist the entity.After review of the response and otherrelevant information, § 3.108(a)(5)proposed that the Secretary couldaffirm, reverse, or modify the notice of proposed revocation and delisting, andnotify the PSO in writing of his decisionwith respect to any revocation of hisprior acceptance of its certification and

delisting. We noted that the proposedrule did not include an administrativeprocess for appealing the Secretary’sdecision to revoke his acceptance of theentity’s certification and delist a PSO,and specifically sought public commenton our approach.

Overview of Public Comments:Commenters focused on the due processaspects of subsection (a). While mostcommenters commended the proposedrule for its focus on working with PSOsto resolve deficiencies and its inclusionof due process elements throughout theprocess, the commenters recommended

that the final rule incorporate anadditional opportunity for anadministrative appeal of a revocationand delisting decision and expressedconcern that the final rule should notlimit the due process rights andopportunities that had been proposed.

For example, while severalcommenters endorsed our overallapproach, no commenter specificallystated agreement with our decision notto include an administrative appealmechanism following a decision by theSecretary to revoke his acceptance of the

entity’s certification and delist a PSO forcause. The eight commenters thatspecifically addressed the issuerecommended inclusion of such amechanism.

Final Rule: The final rule incorporatesonly technical modifications to the textof subsection 3.108(a). The deletion of text in §3.108(a)(1)(ii) is intended to

clarify that the basis for revocation anddelisting matches our intent in theproposed rule, i.e., the failure to meetthe two-contract requirement, not thefailure to timely notify the Secretarythat the requirement had been met. Inaddition, we have incorporated a relatednew §3.108(e) that establishes a newexpedited revocation process to be usedin exceptional circumstances.

Despite the strong support bycommenters that we incorporate in thefinal rule an opportunity for anadministrative appeal when theSecretary decides to revoke hisacceptance of a PSO’s certification anddelist a PSO for cause, we have notmodified the rule. The processdescribed in §3.108(a) permits an earlyresponse to findings of deficiency andwhere facts cited by the Secretary arecorrect, the process emphasizes theDepartment will work with PSOs tocorrect deficiencies, rather thanpunishing PSOs for deficiencies. Giventhe flexibility and extensive nature of the communication and correctionopportunities and procedures outlinedin 3.108(a), we expect that therevocation process will be utilizedrarely, and only after significant efforts

have been made to bring a PSO backinto compliance. However, if a PSO isnot working with us in good faith tocorrect any remaining deficiencies,there must be a timely finality to theprocess. For this system to work,providers must have confidence that theDepartment will act in a timely mannerwhen a PSO chooses not to meet itsstatutory and regulatory obligations.


Comment: One commenterrecommended that the rule providesome degree of transparency regarding

PSOs that have received notice of deficiencies by posting some limitedinformation about this on the PSO Website.

Response: The Department gavecareful consideration to this comment

because of our overall commitment toproviding transparency whereverpossible. Our conclusion is that we willnot post information on deficiencies

because of our concern that this willundermine another of our objectives,which is to promote and permitcorrection of deficiencies in a non-





punitive manner. Providers consideringentering a contract with a specific PSOare, of course, free to seek informationfrom the PSO regarding whether it hasreceived deficiency notices and iscurrently under an obligation to takecorrective actions.

Comment: Another commentersuggested that the final rule specifically

recognize the authority of the Secretary,if warranted by the circumstances thatled to the delisting of a PSO, to debarthe entity from seeking a new listing fora period of time.

Response: We have not adopted thisspecific suggestion, but we note that theSecretary is not required to relist anentity automatically. The Secretary canand will take into account the reasonsfor the revocation and delisting and theentity’s compliance with its obligationsfollowing revocation and delisting.

Comment: Several commenterssuggested that the period of timeprovided to the PSO to submit a writtenresponse to a notice of proposedrevocation and delisting should beexpanded from 30 days to 45 days.

Response: We have not accepted thisrecommendation. We recognize theimportance of striking a balance

between providing an entity sufficienttime to respond to such a notice andensuring that providers can haveconfidence that the Department will actin a timely manner when a PSO do notmeet its obligations. It is important torealize that by the time the PSO receivesa notice of proposed revocation anddelisting under the process set forth in

§ 3.108(a)(3), the Department hasalready worked with the PSO to correctthe deficiencies and has indicatedremaining problems so the PSO willhave reason to anticipate any suchnotice of proposed revocation inadvance of its issuance. Thus the PSO,realistically, will have more than 30days to prepare its response to aproposed revocation.

Comment: One commenter suggestedthat, if the Secretary determines that thePSO has conflicts of interest, this shouldserve as a basis for proceeding directlyto revocation.

Response: The Department recognizesthe commenter’s underlying point thatconflicts of interest may, in fact, not becurable and thus, in certaincircumstances, may warrant proceedingdirectly to revocation. To the extent thatsuch a conflict of interest provides a

basis for the Secretary determining thatcontinued listing would have seriousadverse consequences, we could addressit under §3.108(e), the subsectionestablishing the new expeditedrevocation process. We should note that,in crafting that new authority, the

Department believed that it had anobligation to establish a process for trulyexceptional circumstances. We do notintend to use this authority as asubstitute for the normal processestablished by subsection (a). Thus, if aconflict-of-interest does not raise theprospect of serious adverseconsequences for providers or others, it

is our intention to use the correctionprocesses of subsection (a).

Comment: Would a provider’s patientsafety work product be at risk if theDepartment failed to alert the providerin a timely manner of a deficiency in itsPSO?

Response: No. As we pointed out inthe preamble discussion of § 3.108 inthe proposed rule, the presence of deficiencies or the fact that an entity isundergoing revocation has no impact onthe information submitted to the entity

by providers until the date and time thatan entity is revoked and removed from

listing. If the PSO is revoked anddelisted for cause, the statute providesan additional 30-day period that beginsat the time of delisting during whichdata reported to the former PSO receivesthe same protections as patient safetywork product.

(B) Section 3.108(b)—Revocation of theSecretary’s Acceptance of a PSO’sCertification

Proposed Rule: When the Secretarymakes a determination to remove thelisting of a PSO for cause, proposed§ 3.108(b)(1) required the Secretary to

establish, and notify the entity, of theeffective date and time of its delistingand inform the entity of its obligationsunder §§3.108(b)(2) and 3.108(b)(3).

Section 3.108(b)(2) proposed toimplement two statutory provisions.First, the former PSO would be requiredto notify providers with which it has

been working of its removal from listingand confirm to the Secretary within 15days of the date of revocation anddelisting that it has done so. In light of the brief notification period, we soughtcomment on whether there are othersteps the Secretary should take to

ensure that affected providers receivetimely notice. Second, this subsectionwould have reaffirmed the continuedprotection of patient safety workproduct received while the entity waslisted. In addition, any data received bythe former PSO from a provider in the30 days following the date of revocationand delisting would be accorded thesame protections as patient safety workproduct. We noted that this additionalperiod of protection was only for the

benefit of providers reporting data; itwould not permit a former PSO to

continue to generate new patient safetywork product.

Section 3.108(b)(3) proposed toimplement the statutory requirementsregarding the disposition of patientsafety work product or data followingrevocation and delisting of a PSO. Thethree alternatives provided by thestatute are: Transfer of the patient safety

work product with the approval of thesource from which it was received to aPSO which has agreed to accept it;return of the patient safety work productor data to the source from which it wasreceived; or, if return is not practicable,destruction of such work product ordata. We noted that the text of theproposed rule refers to the ‘‘source’’ of the patient safety work product or data;this would be a broader formulationthan the statutory language and includesindividuals. The statute does notestablish a time frame for a PSO tocomply with disposition requirements;

we sought comment on setting adeadline.Overview of Public Comments: Most

commenters addressed the specificquestions raised in the proposed rule,although a few commenters raisedquestions and offered recommendationsrelated to the requirements fordisposition of patient safety workproduct. In response to theDepartment’s question in the proposedrule of whether there were other stepsthat the Secretary could take to ensurethat providers were informed when aPSO to which they reported data wasrevoked and delisted, many commenters

concluded that the statutoryrequirement for notification by theformer PSO was sufficient. Others urgedAHRQ to post notices of revocation anddelisting on the PSO website. Severalcommenters urged the Secretary torequire the former PSO to provideAHRQ with a list of its providers whenit submits its required confirmation 15days after revocation that it has notifiedproviders. Presumably, the intent was topermit the Secretary to follow up withthese providers to confirm that they had

been notified.There were only three comments in

response to our question in theproposed rule whether it wasappropriate to require disposition of patient safety work product that wasreceived from all sources. Twocomments supported our interpretationof the statutory requirement. Onecommenter raised concerns that thisrequirement could be difficult toaccomplish.

Commenters strongly supportedinclusion in the final rule of a deadline

by which former PSOs needed tocomplete their disposition of patient





safety work product. Some commenterssuggested that we follow existingHIPAA guidelines and others suggestedthat the rule set a deadline, ranging from90 days to 180 days following the dateof revocation. One commenter suggestedsetting standards linked to the volumeof patient safety work product held bythe former PSO.

The options for disposition of patientsafety work product elicited a number of comments. Some noted the difficulty of returning patient safety work product toits source as the former PSO closes itsoperations and expressed concern thatdestruction was not an option until thePSO concluded that returning the workproduct was not possible. In the view of this commenter, this could lead a PSOto simply abandon the patient safetywork product since it may have neithertime nor resources to contact thesources of the work product. However,most commenters focused on the

importance of identifying ways to avoiddestruction of patient safety workproduct.

Final Rule: Section 3.108(b) has beenmodified in several ways. The firstchanges, in §3.108(b)(1), are technicalchanges. The first change renames thesection to more accurately describe itsprovisions. The second technical changeincorporates two additional cross-references to the ability of the Secretaryto revoke his acceptance of a PSO’scertifications and delist an entitypursuant to the new expeditedrevocation process established in§ 3.108(e).

We have not imposed any newrequirements on the Department in§ 3.108(b)(2) to notify providers. Manycommenters did not see the need foradditional intervention by theDepartment and several commenterssuggested additional steps that we canand will take independent of the rule.For example, AHRQ has alreadyestablished an e-mail-based listserv forindividuals interested in electronicalerts regarding the agency’simplementation of the Patient SafetyAct. Following publication of the finalrule, AHRQ will encourage all

interested providers and PSOs to addtheir names to the listserv, which willprovide immediate notification whenthe Secretary takes actions related to thelisting and delisting of PSOs or postssignificant new information on AHRQ’sPSO Web site. Providers will also beable to signup on the Web site to receiveindividual e-mails if their PSO becomesdelisted.

We have modified § 3.108(b)(2) inanother way. This paragraph retains therestatement that was in the proposedrule of the statutory assurances

regarding the continued protections forpatient safety work product reported toa PSO before the effective date of arevocation and delisting action by theSecretary and the protections for datareported to the former PSO during the30-day period following the date of delisting. The modification requires theformer PSO to include this information

in its notices to providers regarding itsdelisting. We incorporated thismodification to better effectuate thestatutory purpose by ensuring that theproviders contacted by the former PSOare aware of these protections for thedata they may still want to report duringthe 30-day period.

Several commenters sought ways topreserve patient safety work productand data for continued learning.However, the requirements fordisposition of patient safety workproduct and ‘‘data’’ in the finalregulation follow the statutory

formulation. We note that ‘‘data’’ in thiscontext refers to information submittedto a former PSO in the 30 days followingits delisting. Some amount of patientsafety work product can be preserved if the PSO shares or discloses thisinformation prior to the effective date of its revocation as permitted by the rule,e.g., to other PSOs in non-identifiable oranonymized form.

We have modified the text of § 3.108(b)(3) in one respect. In responseto comments, we require the dispositionrequirement to be completed within 90days. Some commenters suggested thatwe follow existing HIPAA guidelines in

establishing deadlines for thedisposition of patient safety workproduct. Neither the HIPAA PrivacyRule nor the HIPAA Security Rule havedeadlines for the disposition of protected health information. Providersare, of course, free to establish in theircontracts an earlier date for dispositionof their patient safety work product ordata and may provide priorauthorization for transfer to anotherPSO.


Comment: One commenter asked

whether the disposition requirementapplies to non-identifiable patient safetywork product, such as data reportedanonymously by hospitals.

Response: The statutory section ondisposition of patient safety workproduct does not make an explicitdistinction between disposition of identifiable and non-identifiable patientsafety work product and data, nor doesthe final rule in the dispositionrequirements. The Department readsthis disposition requirement as applyingto both identifiable and non-identifiable

patient safety work product and data.We note that Subpart C permitsdisclosure of non-identifiable patientsafety work product at any time by aPSO. However, after the date and timethat the Secretary sets for revocationand delisting, the former PSO mustfollow the prescribed dispositionrequirements. Thus, prior to the

effective date and time of a PSO’sdelisting, the PSO can transfer toanother PSO non-identifiable andanonymized patient safety workproduct, without consent of thesource(s) of that information.

Comment: One commenter suggestedthat there may be good business reasonsfor a former PSO that has been delistedto retain patient safety work productand asked that we provide that option.

Response: The statutory dispositionrequirement does not permit such anoption for an entity that is revoked anddelisted for cause, and the final rule

mirrors this limitation. A PSO thatvoluntarily relinquishes its status isrequired to attest that it has made allreasonable efforts to comply with thedisposition requirements.

Comment: One commenter noted thatthe disposition options appear to bepremised on a concept of the source’sownership interest in the patient safetywork product provided to the PSO.Noting that as PSOs continue toaggregate data from multiple providersor through the sharing of work productwith other PSOs, the commenterasserted that at some point the PSO’s

work product becomes its own. Thequestion to consider is whether thisdistinction can be made in applying thedisposition requirement.

Response: The Department reads thedisposition requirement of the PatientSafety Act to apply to all patient safetywork product and data held by aninvoluntarily delisted former PSO. Mostwork product created by PSOs will be

based upon reports from providers.While the commenter points to repeatedaggregation of data from larger andlarger numbers of providers as makingthe linkage to the reporting providersmore tenuous, in our view the linkageremains as long as there is informationthat identifies any source of the data inthe analysis. The linkage is only brokenwhen the source(s) is (are) truly non-identifiable. As we noted above, thestatute does not make a distinction

between identifiable and non-identifiable information, so thedisposition requirements apply to both.

Comment: One commenter noted thatcertain public PSO entities may faceconflicts with state laws or regulationsthat establish requirements for the





disposition of information that theyhold.

Response: The final rule’srequirements for disposition of patientsafety work product would preemptconflicting state statutory requirementsfor disposition of information when it ispatient safety work product.

Comment: What are the

responsibilities of a contractor holdingpatient safety work product undercontract with a PSO that is revoked anddelisted for cause?

Response: The contractor must returnthe former PSO’s patient safety workproduct that it is holding for dispositionas required by the rule.

(C) Section 3.108(c)—VoluntaryRelinquishment

Proposed Rule: Section 3.108(c)(1)proposed two circumstances underwhich a PSO would be considered tohave voluntarily relinquished its statusas a PSO: When a PSO advises the

Secretary in writing that it no longerwishes to be a PSO, and when a PSOpermits its three-year period of listing toexpire. To ensure that such a lapse isnot inadvertent, the proposed rulewould require the Secretary to send anotice of imminent expiration 45calendar days before the expiration of its period of listing.

We proposed in §3.108(c)(2) that aPSO seeking to relinquish its listingshould include in its notification to theSecretary attestations regarding itscompliance with the providernotification and patient safety work

product disposition requirements, andwould have required appropriatecontact information for furthercommunications from the Secretary.The Secretary would be authorized by§ 3.108(c)(3) to accept or reject thePSO’s notification. We sought commenton our preliminary conclusion that,when a PSO voluntarily relinquishes itsstatus, the statutory provisionsproviding protections for an additional30 days for data submitted to the formerPSO by providers do not apply.

Section 3.108(c)(4) would haveenabled the Secretary to determine that

implied voluntary relinquishment hastaken place when a PSO permits itslisting to expire. The Secretary wouldremove the entity from the list of PSOsat midnight on that day, notify theentity, and request that the entity makereasonable efforts to comply with theprovider notification and patient safetywork product disposition requirements,and to provide appropriate contactinformation. Finally, §3.108(c)(5)proposed that voluntary relinquishmentwould not constitute a deficiency asreferenced in subsection (a).

Overview of Public Comments: Publiccomment on the proposed provisions forvoluntary relinquishment focusedprimarily on the two questions raised inthe proposed rule.

Two commenters agreed with ourinterpretation that the statute limitedthe application of the additionalprotections for data submitted by

providers to a former PSO in the 30-dayperiod following the date and time of revocation and delisting to situations inwhich the PSO had been revoked anddelisted for cause. A number of commenters argued for inclusion of a30-day period of continued reporting forPSOs that voluntarily relinquished theirstatus. They noted the importance of comparability but did not provide alegal rationale for reading the statutedifferently.

The second question posed by theproposed rule was the appropriatenessof paragraph (c)(5) which wouldeliminate the right to challenge anydecision by the Secretary regardingvoluntary relinquishment. Several largeprovider groups supported our positionwhile others argued that a PSO shouldalways have the right to challenge orappeal any decision by the Secretary.

Final Rule: We have modified andnarrowed the scope of voluntaryrelinquishment in the final rule. Wehave eliminated from this section theapplication of voluntary relinquishmentto situations in which a PSO has let itscertifications lapse. As noted above, wehave modified §3.104(e) to makeexpiration of a PSO’s listing automatic

in these circumstances. Revised§ 3.108(c) provides for voluntaryrelinquishment in only onecircumstance: When a PSO writes theSecretary seeking to relinquish itslisting as a PSO.

We have carefully reviewed again thestatutory authority that enables PSOsthat have their listing revoked for causeto continue to receive data for 30 daysfollowing the date and time of revocation and delisting that will betreated as patient safety work product.We reaffirm our interpretation that thestatutory authority does not apply to an

entity seeking to voluntarily relinquishits status as a PSO. Commentersprovided no basis for a different readingof the statute. Accordingly, we have notincorporated any change in the rule.

We have also deleted inappropriatereferences to ‘‘patient safety workproduct and data’’ in § 3.108(c)(2) andreplaced them with a reference only topatient safety work product. As wenoted above, the term ‘‘data’’ in thiscontext refers only to informationreceived by a former PSO in the 30-dayperiod following revocation for cause

and is not applicable here. The onlyother modifications are deletions of textrelating to implied voluntaryrelinquishment and a conformingchange in a cross-reference.

We have not accepted the views of commenters supporting appeals of relinquishment determinations by theSecretary in light of our decision to

narrow the scope of voluntaryrelinquishment to situations in whichthe PSO has requested relinquishment.The comments regarding due process forthose who voluntarily relinquish theirstatus would no longer be apt.

(D) Section 3.108(d)—Public Notice of Delisting Regarding Removal FromListing

Proposed Rule: Proposed § 3.108(d)would have incorporated the statutoryrequirement that the Secretary mustpublish a notice in the Federal Registerregarding the revocation of acceptance

of certification of a PSO and its removalfrom listing. The proposed rule wouldhave broadened the requirement toinclude publication of such a notice if delisting results from a determination of voluntary relinquishment.

Overview of Public Comments: Wereceived no comments on thissubsection.

Final Rule: We have modified§ 3.108(d) in the final rule to reflect ourchanges to subsection (c) that narrowedthe scope of voluntary relinquishment.We also added a new reference thatrequires the Secretary to publish a

notice when a PSO’s listing terminatesautomatically at the end of thestatutorily based three-year period,pursuant to §3.104(e).

(E) Section 3.108(e)—ExpeditedRevocation

Proposed Rule: The proposed rule didnot contain a proposed § 3.108(e). Theproposed rule did include in subsection(a) a request for comment about thepossible inclusion in the final rule of anexpedited revocation process. We notedthat, while we anticipate that in the vastmajority of circumstances, the PSO’s

deficiency(ies) can and will becorrected, there may be situations inwhich a PSO’s conduct is so egregiousthat the Secretary’s acceptance of thePSO’s certification should be revokedwithout the opportunity to cure becausethere is no meaningful cure. We invitedcomments regarding this approach andhow best to characterize the situationsin which the opportunity to ‘‘cure,’’ e.g.,to change policies, practices orprocedures, sanction employees, sendout correction notices, would not besufficient, meaningful, or appropriate.





Overview of Public Comments:Several commenters expressed concern,requested that we define the term‘‘egregious,’’ and opposed theelimination of a right for the PSO torespond to the proposed expeditedrevocation action. One commentersuggested that our proposal wasappropriate in situations involving

multiple willful violations and in whichimmediate action is necessary to protectpatients and providers from furtherimproper actions by the PSO.

Only one commenter addressed, andopposed, our suggestion that we mighteliminate in the final rule theopportunity for a PSO to contestrevocation when the entity hadverifiably failed to meet the statutoryminimum contract requirement.

Final Rule: The Department hasmodified the rule to include a new§ 3.108(e) to provide for expeditedrevocation in a limited number of circumstances. In deciding to includethis new subsection, we considered allof the comments received regardingSubpart B, not only those discussedhere. There was a strong overallsentiment that the Secretary must bevigilant in ensuring that PSOs meettheir obligations to protect theconfidentiality of patient safety workproduct. These concerns were especiallystrong in response to our proposal topermit components of excluded entitiesto seek listing. We also received supportfor prompt Secretarial action formultiple willful violations and whenproviders and patients are at risk

because of a PSO’s actions. Accordingly,we have incorporated an expeditedrevocation process based around theseconcerns.

New §3.108(e)(1) lists threecircumstances in which the Secretarymay use an expedited process forrevocation. The first two circumstancesreflect commenter concern regardingexcluded entities. The first of these,specified in §3.108(e)(1)(i), is if theSecretary determines that a PSO is, or isabout to become, an entity excludedfrom listing by § 3.102(a)(2). Thatsection excludes from listing: A health

insurance issuer; a unit or division of ahealth insurance issuer; an entity that isowned, managed or controlled by ahealth insurance issuer; entities thataccredit or license health care providers;entities that oversee or enforce statutoryor regulatory requirements governingthe delivery of health care services;agents of an entity that oversees orenforces statutory or regulatoryrequirements governing the delivery of health care services; or entities thatoperate a Federal, State, Local, or Tribalpatient safety reporting system to which

health care providers (other thanmembers of the entity’s workforce orhealth care providers holding privilegeswith the entity) are required to reportinformation by law or regulation.

Because the certifications for listingspecifically require an entity to attestthat it is not excluded from seekinglisting, this situation would mean that

the PSO had either filed a falsecertification, or that the nature of theentity had significantly changed duringthe course of its listing. An example of an entity ‘‘about to become an excludedentity’’ would be when there is advancenotice of a merger of the parentorganization of a component PSO witha health insurance issuer. A healthinsurance issuer is the only excludedentity that may not have a component

become a PSO. If the Secretary learnsthat a PSO is about to become acomponent of a health insurance issuer,this is one circumstance under which

we believe prompt action by theSecretary is essential.The second circumstance, specified in

§ 3.108(e)(1)(ii), is when the parentorganization of a PSO is an excludedentity and the parent organization usesits authority over providers to require orinduce them to use the patient safetyservices of its component PSO. This wasa major concern of commenters inpermitting components of accreditation,licensure and regulatory entities to seeklisting; the final rule in § 3.102(c)permits such a component to be listedonly if it can certify that its parentorganization does not impose such

requirements on providers. When anexcluded entity attempts to require orinduce providers to report informationto its component PSO, there isreasonable cause for concern regardingthe integrity of the firewall between thecomponent PSO and its parentorganization. Given the potential harmto providers if their identifiable patientsafety work product is made available tothe excluded entity, the Departmentconcludes that the need for promptaction is compelling.

The third circumstance specified in§ 3.108(e)(1)(iii) of the rule is when the

Secretary has determined that thefailure to act promptly would lead toserious adverse consequences. Wewould expect to use this authoritysparingly. Despite the confidential andprotected nature of patient safety workproduct, we remain concerned thatthere can still be serious harm toproviders, patients, and reporters namedin patient safety work product if a PSOdemonstrates reckless or willfulmisconduct in its protection or use of the work product with which it isentrusted, especially when there is

reason to believe there have beenrepeated deficiencies, or when the PSOengages in fraudulent or illegal conduct.In light of these risks, we believe it isonly prudent to give the Secretary theauthority to respond promptly tosituations where there is a risk of serious adverse harm, even if we cannotadequately foresee all of the specific

situations that might require promptaction.

We note that we have accepted theposition of another commenter that wenot include failure to meet theminimum contract requirement as a

basis for expedited revocation. Ourintent is to limit expedited revocation tothose situations which pose a risk toproviders or others.

To accomplish expeditious remedialrevocation action, § 3.108(e)(2) waivesthe procedures in §§3.108(a)(2) through3.108(a)(5) for correction of deficiencies,determinations regarding correction of deficiencies, processes related to theopportunity for a written response bythe PSO to a notice of proposedrevocation and delisting, and finaldetermination by the Secretaryregarding revocation and delisting of thePSO. Instead, the provisions of § 3.108(e)(3) apply.

Under §3.108(e)(3) of the expeditedrevocation process, the Secretary wouldissue a notice of deficiency andexpedited revocation that identifies theevidence that the circumstances forexpedited revocation exist and indicatesany corrective action the PSO can takeif the Secretary determines that

corrective action may resolve the matterso that revocation and delisting could beavoided. Absent evidence of actualreceipt of this notice of deficiency andexpedited revocation, the Secretary’snotice will be deemed to be receivedfive days after it was sent.

In developing this process, we havetaken note of commenters’ concern thatas a general matter, a PSO alleged to bedeficient in compliance should have anopportunity to be heard and haveprovided the PSO with an opportunityto respond as part of the expeditedrevocation process. The Secretary must

receive a response from the PSO within14 days of actual or constructive receiptof the notice, whichever is longer. In itswritten response, the PSO can correctthe alleged facts or argue theapplicability of the legal basis given forexpedited revocation and delisting andoffer reasons that would support its casefor not being delisted.

If the PSO does not submit a writtenresponse, the Secretary may revoke anddelist the PSO. Provided the PSOresponds within the required time, theSecretary may withdraw the notice,





grant the PSO with additional time toresolve the matter, or revoke and delistthe PSO. If the Secretary decides torevoke and delist the PSO, we note thatthe requirements of §3.108(b) discussedabove apply. These requirements relateto notification of the providers whohave reported patient safety workproduct to the PSO, disposition of the

PSO’s patient safety work product anddata, and the ability of providers tocontinue to report data to the formerPSO for 30 calendar days following theeffective date and time of delisting andhave these data protected as patientsafety work product.

5. Section 3.110—Assessment of PSOCompliance

Proposed Rule: Section 3.110proposed the framework by which theSecretary would assess compliance of PSOs with the requirements of thestatute and the rule. This sectionprovided that the Secretary may requestinformation or conduct spot-checks(reviews or site visits to PSOs,announced or unannounced) to assessor verify PSO compliance with therequirements of the statute and thisproposed subpart. We noted that weanticipate that such spot checks wouldinvolve no more than 5–10% of PSOs inany year. We also noted that this sectionwould reference the Department’soverall authority to have access topatient safety work product, if necessary, as part of its implementationand enforcement of the Patient SafetyAct.

Overview of Public Comments: Therewere few comments on this section.Commenters agreed that AHRQ’sauthority under this section should belimited to PSOs. Several commentersexpressed concern about our discussionthat we only anticipated spot-checking5%–10% of PSOs for compliance in anygiven year. The projected number of spot checks in their view would not beadequate to maintain providerconfidence and PSO compliance.Another commenter asked whichagency would be delegated the task andidentified entities within HHS to which

the Secretary should not delegate thisresponsibility.Final Rule: We have made no

substantive modifications to §3.110 inthe final rule. We note in response tothe commenters that urged a higherlevel of spot checks and inspections thatthe rule does not limit the ability of theDepartment to increase the number if warranted. However, we have no basisfor assuming that higher levels of spotchecks or inspections are warranted inlight of the fact that Patient SafetyOrganizations are not federally funded

or controlled and a provider’s decisionto work with a PSO is voluntary.Therefore, we intend to maintain theapproach outlined in the proposed rule.In response to another commenter, theauthority to implement Subpart B restssquarely within the authorities to fosterpatient safety and health care qualityimprovement of the Agency for

Healthcare Research and Quality, andthere is no reason to expect it to bedelegated to another part of theDepartment.

6. Section 3.112—Submissions andForms

Proposed Rule: Proposed § 3.112would have provided instructions forobtaining required forms and thesubmission of materials, would haveprovided contact information for AHRQ (mailing address, Web site, and e-mailaddress), and would have authorizedthe Department to request additional

information if a submission isincomplete or additional information isneeded to enable the Secretary to makea determination on any submission.

Overview of Public Comments: Wereceived no comments on this section.

Final Rule: We have made nosubstantive modifications to thissection. We have made technicalchanges and incorporated citations forthe AHRQ PSO Web site address andcorrected the e-mail address.

C. Subpart C—Confidentiality and Privilege Protections of Patient Safety Work Product

Proposed Subpart C would havedescribed the general privilege andconfidentiality protections for patientsafety work product, the permitteddisclosures, and the conditions underwhich the specific protections no longerapply. The proposed Subpart alsowould have established the conditionsunder which a provider, PSO, orresponsible person must disclosepatient safety work product to theSecretary in the course of complianceand enforcement activities, and whatthe Secretary may do with suchinformation. Moreover, the proposed

subpart would have established thestandards for nonidentifiable patientsafety work product.

Proposed Subpart C sought to balancekey objectives of the Patient Safety Act.First, the proposal sought to addressprovider concerns about the potentialfor damage from unauthorized release of information, including the potential forthe information to serve as a roadmapfor provider liability from negativepatient outcomes. It also promoted thesharing of information about adversepatient safety events among providers

and PSOs for the purpose of learningfrom those events to improve patientsafety and the quality of care. Toachieve these objectives, Subpart Cproposed that patient safety workproduct would be privileged andconfidential, except in the certainlimited circumstances identified by thePatient Safety Act and as needed by the

Department to implement and enforcethe Patient Safety Act. In addition,proposed Subpart C provided, inaccordance with the Patient Safety Act,that patient safety work product that isdisclosed generally would continue to

be privileged and confidential, subjectto the delineated exceptions. Thus,under the proposal, an entity or personreceiving patient safety work productonly would be able to disclose suchinformation for a purpose permitted bythe Patient Safety Act and the proposedrule, or if patient safety work productwas no longer confidential because it

was nonidentifiable or subject to anexception to confidentiality. Providers,PSOs, and responsible persons whofailed to adhere to these confidentialityrules would be subject to enforcement

by the Department, including theimposition of civil money penalties, if appropriate, as provided in Subpart D of the proposed rule.

The proposed rule also explained thatseveral provisions of the Patient SafetyAct recognize that the patient safetyregulatory scheme will exist alongsideother requirements for the use anddisclosure of protected health

information under the HIPAA PrivacyRule. For example, the Patient SafetyAct establishes that PSOs will be

business associates of providers and thepatient safety activities they conductwill be health care operations of theproviders, incorporates individuallyidentifiable health information underthe HIPAA Privacy Rule as an elementof identifiable patient safety workproduct, and adopts a rule of construction that states the intention notto alter or affect any HIPAA PrivacyRule implementation provision (seesection 922(g)(3) of the Public Health

Service Act, 42 U.S.C. 299b–22(g)(3)).As we explained in the proposed rule,we anticipate that most providersreporting to PSOs will be HIPAAcovered entities under the HIPAAPrivacy Rule, and as such, will berequired to recognize and comply withthe requirements of the HIPAA PrivacyRule when disclosing identifiablepatient safety work product thatincludes protected health information.As Subpart C addresses disclosure of patient safety work product that mayinclude protected health information,





we discuss, where appropriate, theoverlap between this rule and theHIPAA Privacy Rule in the preambledescription of this Subpart, as we did inthe proposed rule.

1. Section 3.204—Privilege of PatientSafety Work Product

Proposed §3.204 described the

privilege protections of patient safetywork product and the exceptions toprivilege. As we explained in theproposed rule, the Patient Safety Actdoes not give authority to the Secretaryto enforce breaches of the privilegeprotections, as it does with respect to

breaches of the confidentialityprovisions. Rather, we anticipate thatthe tribunals, agencies or professionaldisciplinary bodies before whom theproceedings take place and beforewhich patient safety work product issought, will adjudicate the applicationof the privilege provisions of the Patient

Safety Act at section 922(a)(1)–(5) of thePublic Health Service Act, 42 U.S.C.299b–22(a)(1)–(5) and the exceptions toprivilege at section 922(c)(1) of thePublic Health Service Act, 42 U.S.C.299b–22(c)(1). Even though the privilegeprotections will be enforced through thecourt systems, and not by the Secretary,we repeat the statutory privilegeprotections and exceptions in this finalrule, as we did in the proposed rule.This is done both for convenience andcompleteness, as well as because thesame exceptions in the privilegeprovisions are repeated in the

confidentiality provisions and the term‘‘disclosure’’ in the final rule describes both the transfer of patient safety workproduct pursuant to a privilegeexception as well as a confidentialityexception. Thus, a disclosure of patientsafety work product that is a violationof privilege may also be a violation of confidentiality, which the Secretarydoes have authority to enforce and forwhich he can impose a civil moneypenalty, if appropriate.

We also proposed to include at§ 3.204(c) a regulatory exception toprivilege for disclosures to the Secretary

for the purpose of enforcing theconfidentiality provisions and formaking or supporting PSO certificationor listing decisions. In the final rule, weadopt this proposed provision but alsoadd language to make clear that theexception also applies to disclosures tothe Secretary for HIPAA Privacy Ruleenforcement, given the significantoverlap with respect to disclosuresunder the two rules. We discuss thatchange, as well as the public commentsand our responses with respect to theother privilege provisions, below.

(A) Section 3.204(a)—Privilege

Proposed Rule: Proposed § 3.204(a)would have described the general rulethat, notwithstanding any otherprovision of Federal, State, local, orTribal law, patient safety work productis privileged and shall not be: (1)Subject to Federal, State, local, or Tribal

civil, criminal, or administrativesubpoena or order, including in adisciplinary proceeding against aprovider; (2) subject to discovery inconnection with a Federal, State, local,or Tribal civil, criminal, oradministrative proceeding, including adisciplinary proceeding against aprovider; (3) subject to disclosure underthe Freedom of Information Act (section552 of Title 5, United States Code) orsimilar Federal, State, local, or Triballaw; (4) admitted as evidence in anyFederal, State, local, or Tribalgovernmental civil proceeding, criminalproceeding, administrative rulemaking

proceeding, or administrativeadjudicatory proceeding, including anysuch proceeding against a provider; or(5) admitted in a professionaldisciplinary proceeding of aprofessional disciplinary bodyestablished or specifically authorizedunder State law. The proposedprovision generally repeated thestatutory language at section 922(a) of the Public Health Service Act, 42 U.S.C.299b–22(a) but also clarified thatprivilege would have applied to protectagainst use of the information in Tribalcourts and administrative proceedings.

Overview of Public Comments: Wereceived no comments opposed to thisproposed provision.

Final Rule: The final rule adopts thisproposed provision.

Response to Other Public CommentsComment: Several commenters

expressed concern about the lack of detailed explanation and informationabout the privilege protections ascompared to the confidentialityprovisions in the proposed rule. Somecommenters asked for clarificationabout how breaches of privilege can beenforced and who can assert privilege

protection. Two commenters askedwhether hospital peer reviewcommittees established under state lawqualify as disciplinary bodies forpurposes of the privilege protection andif there is a distinction betweendiscipline by a state licensing body anddiscipline by an internal peer reviewcommittee.

Response: The Secretary does nothave the authority to interpret andenforce the privilege protections of thestatute, and thus, the proposed rule didnot contain a detailed discussion of

these provisions nor can we providefurther explanation or interpretation inthis final rule. Rather, as describedabove, the privilege provisions areincluded only for convenience andcompleteness, and because the privilegeexceptions mirror exceptions toconfidentiality. The privilegeprotections attach to patient safety work

product, and we expect that theprivilege of patient safety work productwill be adjudicated and enforced by thetribunals, agencies or professionaldisciplinary bodies before which theinformation is sought and before whomthe proceedings take place. A providerfacing an opposing party who seeks tointroduce patient safety work product incourt may seek to enforce the privilege

by filing the appropriate motions withthe court asserting the privilege toexclude the patient safety work productfrom the proceeding.

(B) Section 3.204(b)—Exceptions to

privilegeProposed Rule: Proposed § 3.204(b)

described the exceptions to privilegeestablished at section 922(c) of thePublic Health Service Act, 42 U.S.C.299b–22c, thereby permitting disclosureof patient safety work product undersuch circumstances. In all cases, theexceptions to privilege were alsoproposed as exceptions toconfidentiality at §3.206(b). Proposed§ 3.204(b)(1) would have permitted thedisclosure of relevant patient safetywork product for use in a criminalproceeding after a court makes an in

camera determination that the patientsafety work product contains evidenceof a criminal act, is material to theproceeding, and is not reasonablyavailable from any other source.Proposed §3.204(b)(2) would havepermitted disclosure of identifiablepatient safety work product to the extentrequired to carry out the securing andprovision of equitable relief as providedunder section 922(f)(4)(A) of the PublicHealth Service Act, 42 U.S.C. 299b–22(f)(4)(A). Proposed §3.204(b)(3)would have permitted disclosure of identifiable patient safety work product

when each of the identified providersauthorized the disclosure. Finally,proposed §3.204(b)(4) would haveexcepted patient safety work productfrom privilege when disclosed innonidentifiable form.

Overview of Public Comments: Somecommenters expressed concern thatallowing exceptions to privilege maynot adequately protect patient safetywork product.

Final Rule: The final rule adopts theproposed provisions. The statuteexplicitly provides for these limited





exceptions to privilege and thus, theyare included in this final rule.


Comment: One commenter asked thatthe final rule align the privilegeexceptions in §3.204(b) with thepermitted disclosures to lawenforcement in the HIPAA Privacy Rule

at 45 CFR 164.512(f).Response: We do not agree thatexpanding the exceptions to privilege insuch a manner is appropriate orprudent. Congress expressly limited theexceptions to privilege to those we haverepeated in the final rule. As relevant tolaw enforcement, the Patient Safety Actpermits an exception from privilegeprotection for law enforcement purposesin only very narrow circumstances—that is, patient safety work product may

be used in a criminal proceeding, butonly after a judge makes an in cameradetermination that the informationcontains evidence of a criminal act, ismaterial to the proceeding, and is notreasonably available from any othersource. See §3.204(b)(1). We do nothave authority to further expand orinterpret the exceptions to privilegeprovided for in the statute. Further, we

believe strong privilege protections areessential to ensuring the goals of thestatute are met by encouragingmaximum provider participation inpatient safety reporting. We note that§ 3.206(c)(10) permits the disclosure of patient safety work product relating toan event that either constitutes thecommission of a crime, or for which the

disclosing person reasonably believesconstitutes the commission of a crime,to law enforcement, provided that thedisclosing person believes, reasonablyunder the circumstances, that thepatient safety work product that isdisclosed is necessary for criminal lawenforcement purposes. In other caseswhere law enforcement needs access toinformation that is contained withinpatient safety work product, weemphasize that the definition of ‘‘patient safety work product’’specifically excludes a patient’s medicalor billing record or other original patient

information. See §3.20, paragraph (2)(i)of the definition of ‘‘patient safety workproduct.’’ Thus, such original patientinformation remains available to lawenforcement in accordance with theconditions set out in the HIPAA PrivacyRule, if applicable.

(C) Section 3.204(c)—Implementationand Enforcement of the Patient SafetyAct

Proposed Rule: Proposed § 3.204(c)would have excepted from privilegedisclosures of relevant patient safety

work product to or by the Secretary asneeded for investigating or determiningcompliance, or seeking or imposing civilmoney penalties, with respect to thisrule or for making or supporting PSOcertification or listing decisions underthe Patient Safety Act. We proposed thatthese disclosures also be permitted as anexception to confidentiality at

§ 3.206(d). We explained that, in orderto perform investigations andcompliance reviews to determinewhether a violation occurred, theSecretary may need to have access toprivileged and confidential patientsafety work product and that we believeCongress could not have intended theprivilege and confidentiality protectionsof the Patient Safety Act to impede suchenforcement by prohibiting access tonecessary information by the Secretary.Thus, the proposed provision wouldhave allowed disclosure of patientsafety work product to and by the

Secretary for enforcement purposes,including the introduction of suchinformation into ALJ or Boardproceedings, disclosure by the Board toproperly review determinations or toprovide records for court review, as wellas disclosure during investigations byOCR or activities in reviewing PSOcertifications by AHRQ. Patient safetywork product disclosed under thisproposed exception would haveremained privileged and confidentialpursuant to proposed § 3.208, andproposed §3.312 limited the Secretaryto only disclosing identifiable patientsafety work product obtained in

connection with an investigation orcompliance review for enforcementpurposes or as otherwise permitted bythe proposed rule or Patient Safety Act.

We also explained in the preamble tothe proposed rule that the privilegeprovisions in the Patient Safety Actwould not bar the Secretary from usingpatient safety work product forcompliance and enforcement activitiesrelated to the HIPAA Privacy Rule. Thisinterpretation was based on thestatutory provision at section 922(g)(3)of the Public Health Service Act, 42U.S.C. 299b–22(g)(3), which provides

that the Patient Safety Act does notaffect the implementation of the HIPAAPrivacy Rule.

Overview of Public Comments: Wereceived one comment in support of andno comments opposed to this proposedprovision.

Final Rule: The final rule adopts theproposed provision, but expands it toexpressly provide that patient safetywork product also may be disclosed toor by the Secretary as needed toinvestigate or determine compliancewith or to impose a civil money penalty

under the HIPAA Privacy Rule. Thisnew language implements the statutoryprovision at section 922(g)(3) of thePublic Health Service Act, 42 U.S.C.299b–22(g)(3), which, as explainedabove, makes clear that the PatientSafety Act is not intended to affectimplementation of the HIPAA PrivacyRule. Given the significant potential for

an alleged impermissible disclosure toimplicate both this rule’s confidentialityprovisions, as well as the HIPAAPrivacy Rule, the Secretary may requireaccess to privileged patient safety workproduct for purposes of determiningcompliance with the HIPAA PrivacyRule. The Secretary will use suchinformation consistent with thestatutory prohibition against imposingcivil money penalties under bothauthorities for the same act.

With respect to this rule, theprovision, as it did in the proposed rule,makes clear that privilege does not

apply to patient safety work productdisclosed to or by the Secretary if needed to investigate or determinecompliance with this rule, or to make orsupport decisions with respect to listingof a PSO. This may include access toand disclosure of patient safety workproduct to enforce the confidentialityprovisions of the rule, to make orsupport decisions regarding theacceptance of certification and listing asa PSO, or to revoke such acceptance andto delist a PSO, or to assess or verifyPSO compliance with the rule.

2. Section 3.206—Confidentiality of

Patient Safety Work ProductProposed §3.206 described the

confidentiality protection of patientsafety work product, as well as theexceptions from confidentialityprotection.

(A) Section 3.206(a)—Confidentiality

Proposed Rule: Proposed § 3.206(a)would have established the generalprinciple that patient safety workproduct is confidential and shall not bedisclosed by anyone holding the patientsafety work product, except aspermitted or required by the rule.

Overview of Public Comments: Wereceived no comments directly inreference to this provision.

Final Rule: The final rule adopts thisproposed provision.

(B) Section 3.206(b)—Exceptions toconfidentiality

Proposed Rule: Proposed § 3.206(b)described the exceptions toconfidentiality, or permitteddisclosures. The preamble to theproposed rule explained that there wereseveral overarching principles that





applied to these exceptions fromconfidentiality. First, these exceptionswere ‘‘permissions’’ to disclose patientsafety work product and the holder of the information retained full discretionwhether to disclose. Further, as theproposed rule was a Federal baseline of protection, a provider, PSO, orresponsible person could impose more

stringent confidentiality policies andprocedures on patient safety workproduct and condition the release of patient safety work product within theseexceptions by contract, employmentrelationship, or other means. However,the Secretary would not enforce suchpolicies or private agreements. Second,when exercising discretion to disclosepatient safety work product, weencouraged providers, PSOs, andresponsible persons to attempt todisclose the amount of informationcommensurate with the purpose of thedisclosure and to disclose the least

amount of identifiable patient safetywork product appropriate for thedisclosure even if that was less thanwhat would otherwise be permitted bythe rule and regardless of whether theinformation continued to be protectedunder the rule after the disclosure.Third, the proposal prohibited personsreceiving patient safety work productfrom redisclosing it except as permitted

by the rule, and we requested commenton whether there were any negativeimplications of limiting redisclosures insuch a manner.

We also described how the proposalwould work with respect to entities also

subject to the Privacy Act and/or theHIPAA Privacy Rule. We explained thatagencies subject to the Patient SafetyAct and the Privacy Act, 5 U.S.C. 552a,must comply with both statutes whendisclosing patient safety work product.This means that, for agencies subject to

both laws, a disclosure of patient safetywork product could only be made if permitted by both laws. The Privacy Actpermits agencies to make disclosurespursuant to established routine uses.See 5 U.S.C. 552a(a)(7); 552a(b)(3); and552a(e)(4)(D). Accordingly, werecommended that Federal agencies that

maintain a Privacy Act system of records containing information that ispatient safety work product includeroutine uses that will permit thedisclosures allowed by the PatientSafety Act. For HIPAA covered entities,we explained that when a patient’sprotected health information isencompassed within patient safety workproduct, any disclosure of suchinformation also must comply with theHIPAA Privacy Rule.

Overview of Public Comments: Somecommenters expressed general support

for the narrowly drawn exceptions toconfidentiality in the proposed rule,while one commenter expressedconcern that the exceptions wereunnecessarily complex to accomplishtheir purpose. Several commentersasked that the final rule includeadditional exceptions to confidentialityor disclosure permissions. For example,

some commenters suggested that thefinal rule permit the disclosure of patient safety work product to federal,state, and local agencies to fulfillmandatory reporting requirements.Other commenters suggested anexception be created to permit thedisclosure of patient safety workproduct to state survey agencies,regulatory bodies, or to any federal orstate agency for oversight purposes.Another commenter requested that thefinal rule include a disclosurepermission for emergencycircumstances similar to the HIPAA

Privacy Rule disclosure at 54 CFR164.512(j), allowing a PSO to disclosepatient safety work product if itdetermines a pattern of harm and thatdisclosure is necessary to prevent anindividual from harming a person or thepublic. One commenter, however,

believed the proposed rule containedtoo many exceptions to confidentiality,and thus, did not adequately protectpatient safety work product; thiscommenter suggested that somedisclosure permissions be eliminated inthe final rule but did not recommendwhich ones.

Several commenters responded to the

question regarding whether there wereany negative implications of limitingredisclosures as outlined in theproposed rule. These commenterssupported the limitations onredisclosures of patient safety workproduct in the proposed rule; wereceived no comments identifying anynegative implications of this limitation.One commenter, however, noted thatthe redisclosures should be governed bythe HIPAA Privacy and Security Rules.

Finally, some commenters soughtclarification regarding preemption.Several commenters asked whether the

federal patient safety work productprotections preempted existing Statelaw that permitted or requireddisclosure of similar types of records.Other commenters asked whethergreater State law protections continue toexist alongside patient safety workproduct protections, stating that someproviders may decide not to participatewith a PSO if they would lose existingState law protections.

Final Rule: The final rule generallyadopts the proposed provisions, withsome modifications as explained below

in the specific discussions of theindividual disclosure permissions. Thedisclosure permissions in this sectionreflect those provided by the statute,and the Secretary has no authority toeliminate or neglect to implementcertain of the provisions. Further, thestatute provides only limited authorityto the Secretary to expand the

disclosure permissions. See, forexample, section 922(c)(2)(F) of thePublic Health Service Act, 42 U.S.C.299b–22(c)(2)(F), providing theSecretary with authority to createpermissions for disclosures that theSecretary may determine, by rule orother means, are necessary for businessoperations and are consistent with thegoals of the statute. Thus, the final ruledoes not create any new, or eliminateany proposed, categories of disclosurepermissions.

With respect to those commenterswho requested a disclosure permission

be added to allow for the disclosure of patient safety work product to federal,state, and local agencies to fulfillmandatory reporting requirements or foroversight purposes, we disagree thatsuch a modification is necessary. Thefinal rule gives providers muchflexibility in defining and structuringtheir patient safety evaluation system, aswell as determining what information isto become patient safety work productand, thus, protected from disclosure.Providers can structure their systems ina manner that allows for the use of information that is not patient safety

work product to fulfill their mandatoryreporting obligations. See the discussionregarding the definition of ‘‘patientsafety work product’’ in this preamblefor more information. Further, asoriginal medical and other records areexpressly excepted from the definitionof ‘‘patient safety work product,’’providers always have the option of using those records to generate thereports necessary for their mandatoryreporting obligations to federal, state,and local agencies.

With respect to disclosures foremergency circumstances, the Patient

Safety Act provides no generalexception for such disclosures.However, patient safety work productmay be disclosed under § 3.206(b)(10) tolaw enforcement if the disclosing partyreasonably believes the patient safetywork product contains information thatconstitutes a crime. For emergencycircumstances that do not rise to thelevel of criminal conduct, theinformation necessary to identify andaddress such emergencies should bereadily available and accessible inmedical records and other original





documents that are not protected aspatient safety work product.

The final rule also adopts theredisclosure limitations of the proposedrule. As described above, commenterslargely supported, and did not identifynegative implications of, theserestrictions. We discuss the individualredisclosure limitations below in the

specific discussions regarding thedisclosure permissions to which theyapply. We note that the HIPAA Privacyand Security Rules will governredisclosures of patient safety workproduct only to the extent that theredisclosures are made by a HIPAAcovered entity and the patient safetywork product encompasses protectedhealth information.

In response to the comments andquestions regarding preemption, wenote that the Patient Safety Act providesthat, notwithstanding any otherprovision of Federal, State, or local law,and subject to the prescribedexceptions, patient safety work productshall be privileged and confidential. Seesections 922(a) and (b) of the PublicHealth Service Act, 42 U.S.C. 299b–22(a) and (b). The statute also providesas rules of construction the following:(1) that the Patient Safety Act does notlimit the application of other Federal,State, or local laws that provide greaterprivilege or confidentiality protectionsthan those provided by the PatientSafety Act; and (2) the Patient SafetyAct does not preempt or otherwise affectany State law requiring a provider toreport information that is not patient

safety work product. See section 922(g)of the Public Health Service Act, 42U.S.C. 299b–22(g). Thus, the patientsafety work product protectionsprovided for under the statute generallypreempt State or other laws that wouldpermit or require disclosure of information contained within patientsafety work product. However, Statelaws that provide for greater protectionof patient safety work product are notpreempted and continue to apply.


Comment: Several commenters asked

that the final rule discuss redisclosuresin more detail and further explain theconsequences of redisclosures.

Response: A redisclosure, or ‘‘furtherdisclosure’’ as described in theregulatory text, of patient safety workproduct, like a disclosure, is the release,transfer, provision of access to, ordivulging in any other manner of patientsafety work product by an entity ornatural person holding the patient safetywork product to another legally separateentity or natural person outside theentity holding the patient safety work

product. Natural persons or entities whoreceive patient safety work productgenerally may further disclose suchinformation pursuant to any of thedisclosure permissions in the final ruleat § 3.206, except where expresslylimited pursuant to the provision underwhich the natural person or entityreceived the information. These

restrictions on further disclosures may be found at §§ 3.206(b)(4)(ii) (disclosureto a contractor of a provider or PSO forpatient safety activities), 3.206(b)(7)(disclosure to the Food and DrugAdministration (FDA) and entitiesrequired to report to FDA), 3.206(b)(8)(voluntary disclosure to an accrediting

body), 3.206(b)(9) (business operations),and 3.206(b)(10) (disclosure to lawenforcement). These limitations aredescribed more fully below in thediscussions concerning the disclosurepermissions to which they apply. Aswith an impermissible disclosure,

impermissible redisclosures are subjectto enforcement by the Secretary andpotential civil money penalties.

Comment: Two commenters askedthat we monitor the impact of the ruleto ensure that it does not improperlyimpede the necessary sharing of patientsafety work product.

Response: As the rule is implemented,we will monitor its impact and considerwhether any concerns that are raised byproviders, PSOs, and others should beaddressed through future modificationto the rule or guidance, as appropriate.

(1) Section 3.206(b)(1)—Criminal

ProceedingsProposed Rule: Proposed § 3.206(b)(1)would have permitted the disclosure of identifiable patient safety work productfor use in a criminal proceeding, if acourt makes an in camera determinationthat the identifiable patient safety workproduct sought for disclosure containsevidence of a criminal act, is material tothe proceeding, and is not reasonablyavailable from other sources. See section922(c)(1)(A) of the Public Health ServiceAct, 42 U.S.C. 299b–22(c)(1)(A). Theproposed provision paralleled theexception to privilege at proposed

§ 3.204(b)(1).As we explained in the proposed rule,the Patient Safety Act establishes thatpatient safety work product generallywill continue to be privileged andconfidential upon disclosure. Seesection 922(d)(1) of the Public HealthService Act, 42 U.S.C. 299b–22(d)(1)and § 3.208 of this rule. However, thePatient Safety Act limits the continuedprotection of patient safety workproduct disclosed for use in a criminalproceeding pursuant to this provision.In particular, patient safety work

product disclosed pursuant to thisprovision continues to be privilegedafter disclosure but is no longerconfidential. See section 922(d)(2)(A) of the Public Health Service Act, 42 U.S.C.299b–22(d)(2)(A). We explained thatthis would mean, for example, that lawenforcement personnel who obtainpatient safety work product used in a

criminal proceeding could furtherdisclose that information becauseconfidentiality protection would notapply; however, law enforcement couldnot seek to introduce the patient safetywork product in another proceedingwithout a new in camera determinationthat would have complied with theprivilege exception at proposed§ 3.204(b)(1).

We also reminded entities that aresubject to the HIPAA Privacy Rule thatany disclosures pursuant to thisprovision that encompass protectedhealth information also would need to

comply with the HIPAA Privacy Rule’sprovision at 45 CFR 164.512(e) fordisclosures pursuant to judicialproceedings. We explained that weexpected court rulings following an incamera determination to be issued as acourt order, which would satisfy theHIPAA Privacy Rule’s requirements.

Overview of Public Comments: Wereceived no comments opposed to thisprovision.

Final Rule: The final rule adopts theproposed provision.


Comment: One commenter asked that

the final rule make clear that patientsafety work product disclosed underthis provision continues to be privilegedand cannot be used or reused asevidence in any civil proceeding eventhough the information is no longerconfidential.

Response: The final rule makes thisclear. See §3.208(b)(1).

(2) Section 3.206(b)(2)—Equitable Relief for Reporters

Proposed Rule: The Patient Safety Actprohibits a provider from taking anadverse employment action against an

individual who, in good faith, reportsinformation to the provider forsubsequent reporting to a PSO or to aPSO directly. See section 922(e)(1) of the Public Health Service Act, 42 U.S.C.299b–22(e)(1). For purposes of thisprovision, adverse employment actionsinclude loss of employment, failure topromote, or adverse evaluations ordecisions regarding credentialing orlicensing. See 922(e)(2) of the PublicHealth Service Act, 42 U.S.C. 299b–22(e)(2). The Patient Safety Act providesadversely affected reporters a civil right





of action to enjoin such adverseemployment actions and obtain otherequitable relief, including back pay orreinstatement, to redress the prohibitedactions. See 922(f)(4) of the PublicHealth Service Act, 42 U.S.C. 299b–22(f)(4). To effectuate the obtaining of equitable relief under this provision, thePatient Safety Act provides that patient

safety work product is not subject to theprivilege protections or to theconfidentiality protections. Thus,proposed §3.206(b)(2) would havepermitted the disclosure of identifiablepatient safety work product by anemployee seeking redress for adverseemployment actions to the extent thatthe information is necessary to permitthe equitable relief. This proposedprovision paralleled the privilegeexception to permit equitable relief atproposed §3.204(b)(2). Also, inaccordance with the statute, weproposed that once patient safety work

product is disclosed pursuant to thisprovision, it would have remainedsubject to confidentiality and privilegeprotection in the hands of allsubsequent holders and could not befurther disclosed except as otherwisepermitted by the rule.

We also provided guidance withrespect to the application of the HIPAAPrivacy Rule if a covered entity (or its

business associate) was making thedisclosure and the patient safety workproduct included protected healthinformation. In that regard, weexplained that, under the HIPAAPrivacy Rule at 45 CFR 164.512(e),

when protected health information issought to be disclosed in a judicialproceeding via subpoenas and discoveryrequests without a court order, thedisclosing HIPAA covered entity mustseek satisfactory assurances that theparty requesting the information hasmade reasonable efforts to providewritten notice to the individual who isthe subject of the protected healthinformation or to secure a qualifiedprotective order.

Finally, the proposed rule solicitedcomments on whether the obtaining of a protective order should be a condition

of the disclosure under this provision orwhether, instead, the final rule shouldrequire only a good faith effort to obtaina protective order as a condition of thisdisclosure.

Overview of Public Comments: Twocommenters expressed general supportfor the proposed provision, stating thatit struck the appropriate balance

between maintaining the confidentialityand privilege protections on patientsafety work product and allowingreporters of patient safety work productto seek redress for adverse employment

actions based upon their good faithreporting of this information to a PSO.Several commenters responded to thequestion posed in the proposed ruleasking whether a protective ordershould be a condition of disclosureunder this provision or if a good faitheffort in obtaining a protective ordershould be sufficient. All of these

commenters agreed that the obtaining of a protective order should be a conditionof disclosure of patient safety workproduct under this provision.

Final Rule: The final rule adopts theproposed disclosure permission at§ 3.206(b)(2) but conditions thepermitted disclosure for equitable relief on the provision of a protective order bythe court or administrative tribunal toprotect the confidentiality of the patientsafety work product during the course of the proceeding. Although patient safetywork product remains confidential andprivileged in the hands of all recipients

after disclosure under this provision, werecognize that the sensitive nature of thepatient safety work product warrantsrequiring a protective order asadditional protection on thisinformation. Because some participantsand observers of a proceeding involvingequitable relief for an adverseemployment action may not be awarethat certain information is protected aspatient safety work product to whichpenalties attach for impermissibledisclosures, requiring a protective orderis prudent to ensure that patient safetywork product is adequately protectedand that individuals are put on notice

of its protected status. As we explainedin the proposed rule, such a protectiveorder could take many forms thatpreserve the confidentiality of patientsafety work product. For example, theorder could limit the use of theinformation to case preparation, but notmake it evidentiary. Or, the order mightprohibit the disclosure of the patientsafety work product in publiclyaccessible proceedings and in courtrecords to prevent liability from movingto a myriad of unsuspecting parties.

We recognize that, in some cases, areporter seeking equitable relief may be

unable to obtain a protective order froma court prior to making a necessarydisclosure of patient safety workproduct, despite the reporter’s goodfaith and diligent effort to obtain one. If the Secretary receives a complaint thatpatient safety work product wasdisclosed by a reporter seeking equitablerelief, the Secretary has discretion not toimpose a civil money penalty, if appropriate. While the final rulerequires a protective order as acondition of disclosure, it is not theSecretary’s intent to frustrate the

obtaining of equitable relief provided forunder the statute. Thus, the Secretarywill review the circumstances of suchcomplaints to determine whether toexercise his enforcement discretion tonot pursue a civil money penalty.

(3) Section 3.206(b)(3)—Authorized byIdentified Providers

Proposed Rule: Proposed § 3.206(b)(3)would have permitted a disclosure of patient safety work product when eachprovider identified in the patient safetywork product separately authorized thedisclosure. This provision paralleled theprivilege exception at proposed§ 3.204(b)(3) and was based on section922(c)(1)(C) of the Public Health ServiceAct, 42 U.S.C. 299b–22(c)(1)(C). Theproposed rule explained that patientsafety work product disclosed underthis exception would continue to beconfidential pursuant to the continuedconfidentiality provisions at section

922(d)(1) of the Public Health ServiceAct, 42 U.S.C. 299b–22(d)(1), andpersons would be subject to liability forfurther disclosures in violation of thatconfidentiality.

We also explained that it would beinsufficient to make identifiableinformation regarding a nonauthorizingprovider nonidentifiable in lieu of obtaining an authorization. While weconsidered such an approach, werejected it as impractical given that itseemed there would be very few, if any,situations in which a nonauthorizingprovider could be nonidentified without

also needing to nonidentify, or nearlyso, an authorizing provider in the samepatient safety work product.

We encouraged persons disclosingpatient safety work product to exercisediscretion with respect to the scope of patient safety work product disclosedand to consider whether identifyinginformation regarding reporters orpatients was necessary, even though thestatute required neither patient norreporter authorization under thisprovision. We also explained that, if thedisclosing entity is a HIPAA coveredentity (or business associate), the

HIPAA Privacy Rule, including theminimum necessary standard whenapplicable, would apply to thedisclosure of protected healthinformation contained within thepatient safety work product. Further, if the disclosure was not also permittedunder the HIPAA Privacy Rule, thepatient information would need to bede-identified. We sought publiccomment as to whether the proposedapproach was sufficient to protect theinterests of reporters and patientsidentified in the patient safety work





product permitted to be disclosedpursuant to this provision.

While the Patient Safety Act does notspecify the form of the authorizationunder this exception, we proposed thatan authorization be in writing, be signed

by the authorizing provider, and containsufficient detail to fairly inform theprovider of the nature and scope of the

disclosures being authorized. Theproposed rule would not have requiredthat any specific terms be included inthe authorization, only that disclosures

be made in accordance with the termsof the authorization, whatever they may

be. We sought public comment onwhether a more stringent standardwould be prudent and workable, such asan authorization process that isdisclosure specific.

We also proposed that anyauthorization be maintained by thedisclosing entity or person for a periodof six years from the date of the lastdisclosure made in reliance on theauthorization, the limit of time withinwhich the Secretary must initiate anenforcement action.

Overview of Public Comments:Several commenters responded thatpatients and reporters identified inpatient safety work product areadequately protected by this regulationand by the HIPAA Privacy Rule forcovered entities. Some commenters,however, suggested that the HIPAAPrivacy Rule’s minimum necessarystandard be applied to disclosuresunder this provision so that only theminimum necessary amount of patient

safety work product would be permittedto be disclosed.

Several commenters also responded tothe question of whether a stricter ormore prescribed standard for theauthorizations should be included inthe final rule, the majority of whomstated that the authorizationrequirements outlined in the proposedrule were adequate. One commenterrecommended that the final rule notregulate the terms of the providerauthorization and that such terms be leftto the parties. Another commentersuggested that provider authorizations

be time-limited, while othercommenters asked for a modelauthorization form and that the finalrule provide a process for revocation of authorizations.

Final Rule: The final rule adopts theproposed provision. Thus, a provider,PSO, or responsible person may discloseidentifiable patient safety work productif a valid authorization is obtained fromeach identified provider and thedisclosure is consistent with suchauthorization. As in the proposed rule,such authorizations must be retained by

the disclosing entity for six years fromthe date of the last disclosure made inreliance on the authorization and madeavailable to the Secretary upon request.Further, as the Department agrees withthose commenters who believed thespecific terms of the providerauthorizations should be left to theparties, the final rule, as in the proposed

rule, requires only that the authorizationof each of the identified providers be inwriting and signed, and containsufficient detail to fairly inform theprovider of the nature and scope of thedisclosures being authorized. Thus, theparties are free to define their ownspecific terms for providerauthorizations, including any timelimitations and to what extent and theprocess through which suchauthorizations are revocable. Given thefinal rule does not prescribe a particularform or the terms of providerauthorizations under this provision, we

do not believe providing a modelauthorization form is appropriate orfeasible.

With respect to patient and reporteridentifiers, we continue to stronglyencourage disclosers to consider howmuch patient safety work product isnecessary, and whether patient orreporter identifiers are necessary, toaccomplish the purpose of theauthorized disclosure. However, thisfinal rule does not include specificlimitations on the disclosure of patientand reporter identifiers under thisprovision, so long as the disclosure is inaccordance with the terms of the

provider authorizations. In addition, theHIPAA Privacy Rule, including theminimum necessary or de-identificationstandard, as appropriate, continues toapply to the disclosure of any protectedhealth information contained within thepatient safety work product.


Comment: One commenter asked forclarification as to whether state lawsrequiring greater protection for patientsafety work product would apply todisclosures pursuant to this provision.

Response: Section 922(g)(1) of the

Public Health Service Act, 42 U.S.C.299b–22(g)(1), provides that the PatientSafety Act does not limit the applicationof other Federal, State, or local laws thatprovide greater privilege orconfidentiality protections thanprovided by the Act. Thus, state lawsproviding greater protection for patientsafety work product are not preemptedand would apply to disclosures of patient safety work product.

Comment: One commenter expressedconcern that this disclosure permissionconflicts with the disclosure permission

for patient safety activities at proposed§ 3.206(b)(4) because this disclosurepermission does not allow the sharing of any provider information, even if madenonidentifiable, unless all providersidentified in the patient safety workproduct authorize the disclosure, whilethe disclosure permission for patientsafety activities allows the sharing of

provider information between PSOs and between providers, as long as it isanonymized.

Response: These disclosurepermissions are separate andindependent of one another and servedifferent purposes. Disclosures of patient safety work product may bemade pursuant to either permission,provided the relevant conditions aremet.

Comment: One commenter expressedconcern about the disclosurepermission’s prohibition on disclosingpatient safety work product innonidentifiable form with respect to aprovider who has not authorized thedisclosure of the information, statingthat this construct would make theprovision difficult to implement.

Response: The final rule adopts theprovisions of the proposed rule anddoes not permit patient safety workproduct to be disclosed if theinformation is rendered nonidentifiablewith respect to a nonauthorizingprovider. As explained above, there arelikely few situations in which anonauthorizing provider could benonidentified without having to alsononidentify the authorizing providers in

the patient safety work product to bedisclosed under this provision.Therefore, allowing nonidentification of the nonauthorizing provider isimpractical.

Comment: One commenterrecommended that a copy of theprovider authorization be kept in apatient’s file, if the provider’sauthorized disclosure of patient safetywork product resulted in a disclosure of the patient’s protected healthinformation, so that these disclosurescan be tracked and included in anaccounting of disclosures as required by

45 CFR 164.528 of the HIPAA PrivacyRule.Response: While the commenter’s

suggestion may assist in complying withthe HIPAA Privacy Rule’s accounting of disclosures standard, we do not includesuch a requirement in the final rule.Given that the authorizations providedfor under this provision are focused onthe disclosure of the provider’sidentifiable information and that thespecific terms of such authorizationswill vary based on the circumstances of the disclosure and the parties, it is





unlikely that such authorizations willcontain the information necessary for aHIPAA covered entity to meet itsaccounting obligations to the individualpatient. Further, HIPAA covered entitiesare free to design and use approachesfor compliance with the HIPAA PrivacyRule’s accounting standard that are bestsuited to their business needs and

information systems.(4) Section 3.206(b)(4)—Patient SafetyActivities

Proposed Rule: Proposed § 3.206(b)(4)would have permitted the disclosure of identifiable patient safety work productfor patient safety activities (i) by aprovider to a PSO or by a PSO to thatdisclosing provider; or (ii) by a provideror a PSO to a contractor of the provideror PSO; or (iii) by a PSO to another PSOor to another provider that has reportedto the PSO, or by a provider to anotherprovider, provided, in both cases,certain direct identifiers are removed.This proposed permissible disclosureprovision was based on section922(c)(2)(A) of the Public Health ServiceAct, 42 U.S.C. 299b–22(c)(2)(A), whichpermits the disclosure of identifiablepatient safety work product for patientsafety activities. The proposed ruleprovided that, consistent with thestatute, patient safety work productwould remain privileged andconfidential once disclosed under thisprovision.

We explained in the proposed rulethat patient safety activities are the coremechanism by which providers may

disclose patient safety work product toobtain external expertise from PSOs andthrough which PSOs may aggregateinformation from multiple providers,and communicate feedback andanalyses back to providers. Thus, therule needs to facilitate suchcommunications so that improvementsin patient safety can occur. To realizethis goal, the proposed rule at§ 3.206(b)(4)(i) would have allowed forthe disclosure of identifiable patientsafety work product reciprocally

between providers and the PSOs towhich they have reported. This would

allow PSOs to collect, aggregate, andanalyze patient safety event informationand disseminate findings andrecommendations for safety and qualityimprovements.

The proposed rule at §3.206(b)(4)(ii)also would have allowed for disclosures

by providers and PSOs to theircontractors who are not workforcemembers, recognizing that there may besituations where providers and PSOswant to engage contractors who are notagents to carry out patient safetyactivities. However, to ensure patient

safety work product remainedadequately protected in such cases, theproposed rule would have prohibitedcontractors from further disclosingpatient safety work product, except tothe provider or PSO from which theyfirst received the information. Weexplained in the proposed rule that thislimitation would not, however, preclude

a provider or PSO from exercising itsauthority under section 922(g)(4) of thePublic Health Service Act, 42 U.S.C.299b–22(g)(4), to separately delegate itspower to the contractor to make otherdisclosures. We also stated that,although the proposed rule did notrequire a contract between the provideror PSO and the contractor, we fullyexpected the parties to engage inprudent practices to ensure patientsafety work product remainedconfidential.

Further, to allow for more effectiveaggregation of patient safety work

product, the proposal at §3.206(b)(4)(iii)would have allowed PSOs to disclosepatient safety work product to otherPSOs or to other providers that havereported to the PSO (but not about thespecific event(s) to which the patientsafety work product relates), andproviders to disclose patient safety workproduct to other providers, for patientsafety activities, as long as the patientsafety work product was anonymizedthrough the removal of direct identifiersof providers and patients. See proposed§ 3.206(b)(4)(iii)(A). In particular, toanonymize provider identifiers, the

proposed rule would have required theremoval of the following directidentifiers of any providers and of affiliated organizations, corporateparents, subsidiaries, practice partners,employers, members of the workforce,or household members of suchproviders: (1) Names; (2) postal addressinformation, other than town or city,State and zip code; (3) telephonenumbers; (4) fax numbers; (5) electronicmail addresses; (6) social securitynumbers or taxpayer identificationnumbers; (7) provider or practitionercredentialing or DEA numbers; (8)

national provider identification number;(9) certificate/license numbers; (10) webuniversal resource locators; (11) internetprotocol (IP) address numbers; (12)

biometric identifiers, including fingerand voice prints; and (13) full facephotographic images and anycomparable images. For patientidentifiers, the proposed rule wouldhave applied the HIPAA Privacy Rulelimited data set standard. See 45 CFR164.514(e). We explained in theproposed rule that removal of therequired identifiers could be absolute or

be done through encryption, providedthe disclosing entity did not disclose thekey to the encryption or the mechanismfor re-identification.

Recognizing that fully nonidentifiablepatient safety work product may havelimited usefulness due to the removal of key elements of identification, theproposed rule specifically sought public

comment on whether there were anyentities other than providers, PSOs, ortheir contractors that would need fullyidentifiable or anonymized patientsafety work product for patient safetyactivities.

The proposed rule also explained theintersection with the HIPAA PrivacyRule with respect to these disclosures,and noted that, as provided by thestatute, PSOs would be treated as

business associates and patient safetyactivities performed by, or on behalf of,a covered provider by a PSO would bedeemed health care operations asdefined by the HIPAA Privacy Rule. Fora more detailed discussion of theapplication of the HIPAA Privacy Rulewith respect to disclosures under thisproposed provision, see the preamble tothe proposed rule at 73 FR 8146–8147.The proposed rule sought publiccomment on whether the HIPAAPrivacy Rule definition of ‘‘health careoperations’’ should be modified toinclude a specific reference to patientsafety activities and whether the HIPAAPrivacy Rule disclosure permission forhealth care operations should bemodified to include a reference topatient safety activities.

Overview of Public Comments: Thecommenters expressed general supportfor the reciprocal disclosure of patientsafety work product between providersand PSOs for patient safety activities.Additionally, commenters expressedgeneral support for the disclosure of patient safety work product by a PSO orprovider to its contractor to carry outpatient safety activities.

Commenters also generally supportedthe proposed permissible disclosure of patient safety work product betweenPSOs for patient safety activities,

between PSOs and other providers that

have reported to that PSO, and betweenproviders. However, many commentersexpressed concern about the proposedrule requirement at § 3.206(b)(4)(iii) toanonymize patient safety work productprior to disclosure. Some commentersstated that this requirementinappropriately limited a PSO’s abilityto share this information with otherPSOs and could prevent PSOs from

being able to identify duplicate reportsof a single event coming fromindependent sources in the patientsafety work product received from other





PSOs. One suggested that PSOs be ableto share identifiable patient safety workproduct with other PSOs, while anothercommenter stated that provider names,addresses, and phone numbers should

be included in patient safety workproduct to permit follow up contactwith the provider and as a way toidentify duplicate adverse event reports.

This commenter suggested that PSOs beable to contract with other PSOs as theircontractors so that they could sharepatient safety information that has not

been anonymized with one anothersubject to § 3.206(b)(4)(ii), oralternatively, that the final rule allowPSOs to share patient safety workproduct identifying providers with otherPSOs if a contract ensuring theconfidentiality of this information is inplace between the PSOs. Othercommenters expressed concern that theanonymization requirement limited theability of providers to use and disclose

patient safety work product to otherproviders or students for educational,academic, or professional purposes.These commenters feared that theproposed rule would inhibit providers’ability to consult with other providersabout patient safety events andrequested clarification from theDepartment that the rule would notprohibit the disclosure of patient safetywork product among physicians andother health care professionals,particularly for education purposes orfor preventing or ameliorating harm.

Many commenters also responded tothe question in the proposed rule

regarding whether the patient safetyactivities disclosure permission should

be expanded to encompass additionalentities. Commenters identified noadditional entities to include in thisdisclosure permission; however, somecommenters suggested that theDepartment monitor this provision sothat exceptions for disclosures toadditional entities may be made in thefuture if necessary.

Final Rule: The final rule adoptswithout modification proposed§ 3.206(b)(4)(i) and § 3.206(b)(4)(ii),permitting disclosure of patient safety

work product for patient safety activities between providers and PSOs, and between providers or PSOs and theircontractors that undertake patient safetyactivities on their behalf. In addition,the final rule modifies proposed§ 3.206(b)(4)(iii) with respect todisclosures to another PSO or provider,redesignates the provision as§ 3.206(b)(4)(iv), and adds a new§ 3.206(b)(4)(iii).

New §3.206(b)(4)(iii) of the final rulepermits disclosure of identifiablepatient safety work product among

affiliated providers for patient safetyactivities. Unlike disclosures betweenproviders in § 3.206(b)(4)(iv), the patientsafety work product disclosed pursuantto this permission need not beanonymized prior to disclosure. Anaffiliated provider is defined in the finalrule as ‘‘with respect to a provider, alegally separate provider that is the

parent organization of the provider, isunder common ownership,management, or control with theprovider, or is owned, managed, orcontrolled by the provider.’’ See §3.20.This addition to the final rule isincluded in recognition that certainprovider entities with a commoncorporate affiliation, such as integratedhealth systems, may have a need, just asa single legal entity, to share identifiableand non-anonymized patient safetywork product among the variousprovider affiliates and their parentorganization for patient safety activities

and to facilitate, if desired, onecorporate patient safety evaluationsystem. We emphasize that providerentities can choose not to use thisdisclosure mechanism if they believethat doing so would adversely affectprovider participation, given thatpatient safety work product would beshared more broadly across the affiliatedentities.

The final rule adopts the disclosurepermission for patient safety workproduct proposed at §3.206(b)(4)(iii) inthe proposed rule; however, the finalrule relocates this disclosure permissionto § 3.206(b)(4)(iv) and retitles this

section for clarity. This disclosurepermission requires that patient safetywork product disclosed for patientsafety activities by a PSO to anotherPSO or to another provider that hasreported to the PSO or by a provider toanother provider must be anonymizedthrough the removal of certain provider-related direct identifiers listed in§ 3.206(b)(4)(iii)(A), as well as theremoval of patient direct identifierspursuant to the HIPAA Privacy Rule’slimited data set standard at 45 CFR164.514(e)(2).

Although the final rule includes a

provision for disclosure of fullyidentifiable patient safety work productamong affiliated providers, we believe itis unnecessary to provide a similarprovision that would allow for thesharing of identifiable and non-anonymized patient safety work product

between PSOs since the final ruleincludes multiple avenues for secondaryPSOs, i.e., those PSOs that do not havethe direct reporting relationship withthe provider, to receive provideridentifiable data, if needed. Inparticular, the final rule allows: (1) A

PSO receiving patient safety workproduct from a provider to contact thatprovider and recommend that theprovider also report the patient safetywork product to an additional PSO; (2)a provider reporting to a PSO to delegateits authority to the PSO to report itspatient safety work product to anadditional PSO; (3) a PSO to hire

another PSO as a consultant to assist inthe evaluation of patient safety workproduct received from a reportingprovider, pursuant to §3.206(b)(4)(ii);and (4) a PSO to disclose identifiableand non-anonymized patient safetywork product to another PSO if it hasobtained authorization to do so fromeach provider identified in the patientsafety work product. See § 3.206(b)(3).

To address the concerns of providersgenerally that the rule would prohibitthe disclosure of patient safety workproduct among physicians and otherhealth care professionals, particularly

for educational purposes or forpreventing or ameliorating patient harm,we emphasize that the rule does notregulate uses of patient safety workproduct within a single legal entity.(However, we note that we haveexpressly defined as a disclosure thesharing of patient safety work product

between a component PSO and the restof the legal entity of which it is a part.)Thus, consistent with this policy,providers within a single legal entity arefree to discuss and share patient safetywork product in identifiable and non-anonymized form for educational,academic, or other professional

purposes. We have made this policyclear in the final rule by modifying thedefinition of disclosure to apply only tothe release, transfer, provision of accessto, or divulging in any other manner of patient safety work product by: (1) anentity or natural person holding thepatient safety work product to anotherlegally separate entity or natural personoutside the entity holding the patientsafety work product; or (2) a componentPSO to another entity or natural personoutside the component organization.Further, as described above, the newprovision at § 3.206(b)(4)(iii) allows the

sharing of fully identifiable patientsafety work product among affiliatedproviders. However, if providers wish todisclose patient safety work product toother providers outside of their legalentity or to non-affiliated providers, theinformation must be anonymizedsubject to §3.206(b)(4)(iv)(A) and (B) ordisclosed subject to another applicabledisclosure permission.


Comment: One commenter asked thatthe final rule prohibit the





contract, but we leave the terms of thoserelationships up to the parties. We note,though, that if a HIPAA covered entityhires a contractor to conduct patientsafety activities on its behalf, whichrequires access to protected healthinformation, the HIPAA Privacy Rulewould require that a business associateagreement be in place prior to any

disclosure of such information to thecontractor. See 45 CFR 164.502(e) and164.504(e).

Comment: Some commenters askedthat the final rule provide clarificationregarding the circumstances underwhich PSOs can disclose patient safetywork product to other PSOs to aggregatethis information for patient safetyactivities purposes.

Response: Section 3.206(b)(4)(iv) of the final rule permits such disclosures,provided the patient safety workproduct is anonymized by removal of the direct identifiers of both providersand patients. Also, the final rule permitsa PSO to disclose patient safety workproduct to another PSO if authorized bythe identified providers as provided in§ 3.206(b)(3) or in non-identifiable formin accordance with §3.206(b)(5).Finally, a provider reporting to a PSOmay delegate its authority to the PSO toreport its patient safety work product toan additional PSO, as provided by§ 3.206(e).

Comment: A commenter suggestedthat a data use agreement be requiredwhen any information, includingindividually identifiable healthinformation, is being shared through a

limited data set.Response: If a HIPAA covered entity

is sharing a limited data set, as defined by the HIPAA Privacy Rule, the coveredentity must enter into a data useagreement with the recipient of theinformation. See 45 CFR 164.504(e). Forentities that are not covered by theHIPAA Privacy Rule, the final rule doesnot include such a requirement;however, we encourage such parties toengage in these and similar practices tofurther protect patient safety workproduct.

Comment: Two commenters asked for

clarification in the final rule aboutwhether patient safety work productdisclosed by a provider to a PSO or bya PSO to a provider can identify otherproviders regardless of whether theyhave also reported to that PSO. Onecommenter asked if the rule requiresthat authorization from all the identifiedproviders is required before thisdisclosure can be made.

Response: The final rule at§ 3.206(b)(4)(i) allows the disclosure of patient safety work product inidentifiable form reciprocally between

the provider and the PSO to which itreports. This information can containinformation identifying other providers.If the patient safety work product is

being disclosed between PSOs, betweenunaffiliated providers, or between a PSOand other providers that have reportedto it, then the information must beanonymized prior to disclosure subject

to § 3.206(b)(4)(iv)(A) and (B). Inaddition, if a provider or PSO obtainsauthorizations from all providersidentified in the patient safety workproduct, or if the patient safety workproduct is being shared among affiliatedproviders, then such information may

be disclosed in identifiable form under§ 3.206(b)(3) and 3.206(b)(4)(iii).

Comment: Several commentersexpressed concern about theanonymization requirement at proposed§ 3.206(b)(4)(iii)(A) and stated that aprovider may be identifiable even if thepatient safety work product is

anonymized. One commenter suggestedthat zip codes should be included in thelist of identifiers that must be removedfrom the patient safety work product.Other commenters felt that theanonymization standard was too strict.

Response: We believe theanonymization standard in the final ruleat §3.206(b)(4)(iv)(A) strikes theappropriate balance between the need toprotect patient safety work product andthe need for broader sharing of suchinformation at an aggregate level,outside of the direct provider and PSOrelationship, to achieve the goals of thestatute and improve patient safety.

Comment: We received severalcomments in response to the questionsasked in the proposed rule aboutwhether the HIPAA Privacy Ruledefinition of ‘‘health care operations’’should include a specific reference topatient safety activities and whether thePrivacy Rule disclosure permission forhealth care operations should bemodified to conform to the disclosurefor patient safety activities. Thesecommenters expressed overwhelmingsupport for modifying the HIPAAPrivacy Rule’s definition of ‘‘health careoperations’’ to include such a specific

reference and to aligning the disclosurepermission for health care operationswith that for patient safety activities.The commenters stated that includingsuch specific references would make theintersection of both regulations clear,and would encourage patient safetydiscourse among providers and PSOs.One commenter stated that there was noneed to modify the definition of ‘‘healthcare operations’’ because it alreadyunambiguously encompassed patientsafety activities. No commenterssuggested that modifications to the

Privacy Rule were necessary to addressany workability issues.

Response: OCR will consider thesecomments and will seek opportunity toaddress them in regulation or inguidance.

(5) Section 3.206(b)(5)—Disclosure of Nonidentifiable Patient Safety WorkProduct

Proposed Rule: Proposed § 3.206(b)(5)would have permitted the disclosure of nonidentifiable patient safety workproduct if the patient safety workproduct met the standard fornonidentification in proposed §3.212.See section 922(c)(2)(B) of the PublicHealth Service Act, 42 U.S.C. 299b-22(c)(2)(B). As described in proposed§ 3.208(b)(ii), nonidentifiable patientsafety work product, once disclosed,would no longer be privileged andconfidential and thus, could beredisclosed by a recipient without any

Patient Safety Act limitations orliability. Any provider, PSO orresponsible person could nonidentifypatient safety work product. See thediscussion regarding §3.212 for moreinformation about the nonidentificationstandard.

Overview of Public Comments: Wereceived no comments opposed to thisproposed provision.



Comment: One commenter asked thatthe final rule require data use

agreements for disclosures of nonidentifiable patient safety workproduct in cases where there is a chancefor identification or reidentification of provider identities.

Response: We emphasize that patientsafety work product is considerednonidentifiable only if, either: (1) thestatistical method at §3.212(a)(1) is usedand there is a very small risk that theinformation could be used, alone or incombination with other reasonablyavailable information, by an anticipatedrecipient to identify an identifiedprovider; or (2) the identifiers listed at

§ 3.212(a)(2) are stripped and the personmaking the disclosure does not haveactual knowledge that the remaininginformation could be used, alone or incombination with other information thatis reasonably available to the intendedrecipient, to identify a provider. Thus,the commenter should consider whetherthe information about which it isconcerned would be nonidentifiable forpurposes of this rule. Further, while thefinal rule does not require that thedisclosure of nonidentifiable patientsafety work product be conditioned on





an agreement between the parties to thedisclosure, we note that providers,PSOs, and responsible persons are freeto contract or enter into agreements thatplace further conditions on the releaseof patient safety work product,including in nonidentifiable form, thanrequired by the final rule. See §3.206(e).

Comment: Several commenters stated

that identifiable information aboutnondisclosing providers should not bedisclosed and that adequate safeguardsshould be in place to ensure thatinformation identifying nondisclosingproviders is not released. Thesecommenters also suggested that AHRQ set up a workgroup to evaluate thestandards and approaches set forth inthe proposed rule.

Response: The nonidentificationstandard at §3.212 of the final ruleaddresses the commenters’ concern byrequiring either that: (1) a statisticiandetermine, with respect to information,that the risk is very small that theinformation could be used, alone or incombination with other reasonablyavailable information, by an anticipatedrecipient to identify an identifiedprovider; or (2) all of the provider-related identifiers listed at §3.212(a)(2)

be removed and the provider, PSO, orresponsible person making thedisclosure not have actual knowledgethat the information could be used,alone or in combination with otherinformation that is reasonably availableto the intended recipient, to identify theparticular provider.

(6) Section 3.206(b)(6)—For ResearchProposed Rule: Proposed § 3.206(b)(6)would have allowed the disclosure of identifiable patient safety work productto entities carrying out research,evaluations, or demonstration projectsthat are funded, certified, or otherwisesanctioned by rule or other means bythe Secretary. See section 922(c)(2)(C) of the Public Health Service Act, 42 U.S.C.299b-22(c)(2)(C). We explained in theproposed rule that this disclosurepermission was only for researchsanctioned by the Secretary. We alsoexplained that we expected that most

research that may be subject to thisdisclosure permission would be relatedto the methodologies, analyticprocesses, and interpretation, feedbackand quality improvement results fromPSOs, rather than general medical, oreven health services, research. Patientsafety work product disclosed forresearch under this provision wouldcontinue to be confidential andprivileged.

Section 922(c)(2)(C) of the PublicHealth Service Act, 42 U.S.C. 299b-22(c)(2)(C), requires that patient safety

work product which identifies patientsmay only be released to the extent thatprotected health information would bedisclosable for research purposes underthe HIPAA Privacy Rule. We interpretedthis provision as requiring HIPAAcovered entities to ensure anydisclosures of patient safety workproduct under this provision that also

include protected health informationcomply with the HIPAA Privacy Rule’sresearch provisions. Accordingly, theproposal incorporated by reference 45CFR 164.512(i) of the HIPAA PrivacyRule, which generally requires acovered entity to obtain documentationof a waiver (or alteration of waiver) of authorization by either an InstitutionalReview Board (IRB) or a Privacy Boardprior to using or disclosing protectedhealth information without theindividual’s authorization.

We noted that our interpretation of the statute would not impact the

disclosure of identifiable patient safetywork product by entities or persons thatare not HIPAA covered entities. We alsoexplained that the incorporation byreference of the HIPAA Privacy Ruleshould provide for the proper alignmentof disclosures for research purposesunder the two rules. However, theexception under the Patient Safety Actalso refers to evaluations anddemonstration projects, some of whichmay not meet the definition of researchunder the HIPAA Privacy Rule becausethey may not result in generalizableknowledge but rather may fall withinthe HIPAA Privacy Rule’s definition of

‘‘health care operations.’’ We stated that,in such cases, HIPAA covered entitiesdisclosing patient safety work productthat includes protected healthinformation under this exception coulddo so without violation of the HIPAAPrivacy Rule. See the definition of ‘‘health care operations’’ at 45 CFR164.501 of the HIPAA Privacy Rule.

Overview of Public Comments: Wereceived no comments in reference tothis provision.

Final Rule: The final rule adopts theproposed provision, except that thespecific reference to ‘‘45 CFR

164.512(i)’’ is deleted. We haveincluded only a general reference to theHIPAA Privacy Rule in recognition of the fact that disclosures of patient safetywork product containing protectedhealth information pursuant to thisprovision could be permissible underthe HIPAA Privacy Rule underprovisions other than 45 CFR 164.512(i),such as, for example, disclosures forhealth care operations pursuant to 45CFR 164.506, or disclosures of a limiteddata set for research purposes pursuantto 45 CFR 164.514(e).

(7) Section 3.206(b)(7)—To the Foodand Drug Administration

Proposed Rule: Section 922(c)(2)(D) of the Public Health Service Act, 42 U.S.C.299b-22(c)(2)(D), permits the disclosure

by a provider to the Food and DrugAdministration (FDA) with respect to aproduct or activity regulated by theFDA. Proposed § 3.206(b)(7) would haveimplemented this provision bypermitting providers to disclose patientsafety work product concerningproducts or activities regulated by theFDA to the FDA or to an entity requiredto report to the FDA concerning thequality, safety, or effectiveness of anFDA-regulated product or activity. Theproposed rule also would havepermitted the sharing of patient safetywork product between the FDA, entitiesrequired to report to the FDA, and theircontractors concerning the quality,safety, or effectiveness of an FDA-regulated product or activity. Patient

safety work product disclosed pursuantto this disclosure permission wouldcontinue to be privileged andconfidential.

We specifically sought publiccomment on our interpretation that thestatutory language concerning reporting‘‘to the FDA’’ included reporting by theprovider to persons or entities regulated

by the FDA and that are required toreport to the FDA concerning thequality, safety, or effectiveness of anFDA-regulated product or activity. Weproposed this interpretation to allowproviders to report to entities that are

required to report to the FDA, such asdrug manufacturers, without violatingthis rule, and asked if including suchlanguage would bring about anyunintended consequences for providers.

We further proposed at§ 3.206(b)(7)(ii) that the FDA andentities required to report to the FDAmay only further disclose patient safetywork product for the purpose of evaluating the quality, safety, oreffectiveness of that product or activityand such further disclosures would only

be permitted between the FDA, entitiesrequired to report to the FDA, their

contractors, and the disclosingproviders. Thus, for example, the FDAor a drug manufacturer receivingadverse drug event information that ispatient safety work product may engagein further communications with thedisclosing provider(s), for the purposeof evaluating the quality, safety, oreffectiveness of the particular regulatedproduct or activity, or may work withtheir contractors. Moreover, an entityregulated by the FDA may furtherdisclose the information to the FDA.The proposed provision also would





have prohibited contractors receivingpatient safety work product under thisprovision from further disclosing suchinformation, except to the entity fromwhich they received the information.

Finally, we explained that the HIPAAPrivacy Rule at 45 CFR 164.512(b)permits HIPAA covered entities todisclose protected health information

concerning FDA-regulated activities andproducts to persons responsible forcollection of information about thequality, safety, and effectiveness of those FDA-regulated activities andproducts. Therefore, disclosures underthis exception of patient safety workproduct containing protected healthinformation would be permitted underthe HIPAA Privacy Rule.

Overview of Public Comments: Wereceived general support in the publiccomments for the express reference toFDA-regulated entities within thisdisclosure permission; only onecommenter opposed this provision.Some commenters asked that the finalrule provide examples of the types of disclosures that might occur to FDA-regulated entities, and one commentersuggested that if such disclosures arepermitted, the final rule should includea comprehensive list of acceptabledisclosures to these entities. Anothercommenter noted that if disclosures toFDA-regulated entities are permittedunder this disclosure permission, thefinal rule should limit the use of patientsafety work product to the purposesstated in the statute and should prohibitthe use of this information for marketing

purposes. No commenters identified anyunintended consequences of includingFDA-regulated entities within thedisclosure permission.

Final Rule: The final rule adopts theprovisions of the proposed rule at§ 3.206(b)(7), including the expressreference to FDA-regulated entities. Wealso modify the title of the provision toreflect that disclosures to such entitiesare encompassed within the disclosurepermission. As explained in theproposed rule, we believe includingFDA-regulated entities within the scopeof the disclosure permission is

consistent with both the rule of construction in the statute whichpreserves required reporting to the FDA,as well as the goals of the statute whichare to improve patient safety. Seesection 922(g)(6) of the Public HealthService Act, 42 U.S.C. 299b-22(g)(6). Inaddition, the final rule includesmodifications to more clearly indicatewho can receive patient safety workproduct under this provision, as well aswhat further disclosures may be made of such information. Specifically,§ 3.206(b)(7)(i) now makes clear that a

provider may disclose patient safetywork product concerning an FDA-regulated product or activity to the FDA,an entity required to report to the FDAconcerning the quality, safety, oreffectiveness of an FDA-regulatedproduct or activity, or a contractoracting on behalf of FDA or such entityfor these purposes. Further,

§ 3.206(b)(7)(ii) clarifies that the FDA,its regulated entity entitled to receiveinformation under this provision, andtheir contractors may share patientsafety work product received under thisprovision for the purpose of evaluatingthe quality, safety, or effectiveness of that product or activity amongthemselves, as well as with thedisclosing provider.

We do not include a comprehensivelist of acceptable disclosures to FDA-regulated entities as it would beimpractical to do so. As we explained inthe proposed rule, drug, device, and

biological product manufacturers arerequired to report adverse experiencesto the FDA and currently rely onvoluntary reports from product users,including providers. Further, theanalysis of events by a provider or PSOthat constitutes patient safety workproduct may generate information thatshould be reported to the FDA or FDA-regulated entity because it relates to thesafety or effectiveness of an FDA-regulated product or activity. Thisprovision allows providers to reportsuch information without violating theconfidentiality provisions of the statuteor rule. However, we emphasize that,

despite this disclosure permission, weexpect that most reporting to the FDAand its regulated entities will be donewith information that is not patientsafety work product, as is done today.This disclosure permission is intendedto allow for reporting to the FDA orFDA-regulated entity in those specialcases where, only after an analysis of patient safety work product, does aprovider realize it should make a report.As in the proposed rule, patient safetywork product disclosed pursuant to thisprovision remains privileged andconfidential.


Comment: Five commenters askedthat the final rule allow PSOs as well asproviders to disclose or report patientsafety work product to the FDA or to anentity that is required to report to theFDA.

Response: We do not modify theprovision as there is no statutoryauthority to allow PSOs to report patientsafety work product to the FDA or to anentity required to report to the FDA.However, the statute does permit

providers to report patient safety workproduct to the FDA or to an entityrequired to report to the FDA.

Comment: One commenter asked forclarification as to whether lot numbersand device identifiers and serialnumbers may be reported to the FDAunder this disclosure permission.

Response: Section 3.206(b)(7) would

allow such information containedwithin patient safety work product to bereported to FDA provided it concernedan FDA-regulated product or activity.

(8) Section 3.206(b)(8)—VoluntaryDisclosure to an Accrediting Body

Proposed Rule: Proposed § 3.206(b)(8)would have permitted the voluntarydisclosure of identifiable patient safetywork product by a provider to anaccrediting body that accredits thatdisclosing provider. See section922(c)(2)(E) of the Public Health ServiceAct, 42 U.S.C. 299b-22(c)(2)(E). Patientsafety work product disclosed pursuantto this proposed exception wouldremain privileged and confidential.

This provision would have allowed aprovider to disclose patient safety workproduct that identifies that disclosingprovider. Further, the proposed rulewould not have required that patientsafety work product be nonidentifiableas to nondisclosing providers. Theproposed rule specifically sought publiccomment on whether patient safetywork product should be anonymizedwith respect to nondisclosing providersprior to disclosure to an accrediting

body under this provision.

The proposed rule also provided thatan accrediting body could not take anaccreditation action against a provider

based on that provider’s participation,in good faith, in the collection, reportingor development of patient safety workproduct. It also would have prohibitedaccrediting bodies from requiring aprovider to reveal its communicationswith any PSO.

Overview of Public Comments:Several commenters responded to thequestion of whether the final ruleshould require the anonymization of patient safety work product with respect

to nondisclosing providers, all of whichsupported such a requirement. Anothercommenter noted that the final ruleshould expressly prohibit accrediting

bodies from taking accreditation actionsagainst nondisclosing providers basedupon the patient safety work productreported to them by disclosingproviders.

Final Rule: In light of the commentsreceived, the final rule modifies theproposed provision at § 3.206(b)(8) tocondition the voluntary disclosure by aprovider of patient safety work product





to an accrediting body that accredits theprovider on either: (1) the agreement of the nondisclosing providers to thedisclosure; or (2) the anonymization of the patient safety work product withrespect to any nondisclosing providersidentified in the patient safety workproduct, by removal of the directidentifiers listed at §3.206(b)(4)(iv)(A).

Direct identifiers of the disclosingproviders do not need to be removed.We also note that the final rule does notprescribe the form of the agreementobtained from non-disclosing providers.Providers are free to design their ownpolicies for obtaining such agreements.Some institutional providers may, forexample, make it a condition of employment or privileges that providersagree to the disclosure of patient safetywork product to accrediting bodies. Inaddition, unlike the provision at§ 3.206(b)(3) of the final rule, withrespect to any of the non-disclosing

providers identified in the patient safetywork product, the disclosing providerneed obtain either the provider’sagreement or anonymize the provider’sinformation.


Comment: Several commenters statedthat they did not support this disclosurepermission allowing voluntarydisclosures of patient safety workproduct to accrediting bodies due topossible unintended consequences of these disclosures. Another commenterasked that we be aware of punitiveactions by regulatory organizations as a

result of voluntary disclosures toaccrediting bodies and monitor thisprocess carefully for any unintendedconsequences.

Response: The disclosure permissionallowing providers to voluntarilydisclose patient safety work product toaccrediting bodies is prescribed by thestatute and thus, is included in this finalrule. However, as described above, thefinal rule requires either anonymizationor agreement with respect to non-disclosing providers as a condition of the disclosure. This provision, alongwith the express prohibition at

§ 3.206(b)(8)(iii) on an accrediting bodytaking an accrediting action against aprovider based on a good faithparticipation of the provider in thecollection, development, reporting, ormaintenance of patient safety workproduct should alleviate commenterconcerns.

Comment: One commenter asked if the regulation allowed accrediting

bodies to disclose patient safety workproduct to CMS as part a commitmentto advise CMS of adverse accreditationdecisions.

Response: The final rule prohibitsaccrediting bodies from furtherdisclosing patient safety work productthey have voluntarily received fromproviders under §3.206(b)(8).

Comment: One commenter asked if survey and licensure bodies wereconsidered to be accrediting bodies andthus, precluded from taking action

against providers who voluntarilysubmit patient safety work product tothem.

Response: Survey and licensure bodies are not accrediting bodies andare not treated as such under thisprovision. Thus, such entities are notentitled to receive patient safety workproduct voluntarily from providersunder this provision.

Comment: Two commentersexpressed concern about this disclosurepermission for accrediting bodies thatcreate component PSOs. Onecommenter stated that allowingaccrediting bodies to create componentPSOs creates a potential conflict of interest that may adversely affectprovider organizations. If an accrediting

body’s component organization is aPSO, the commenter asked how OCRwill determine whether the componentorganization improperly disclosedinformation or whether the accrediting

body received the informationvoluntarily from a provider.

Response: Providers are free to choosethe PSOs with which they want to work.We expect that any selection by aprovider will involve a thorough vettingand consideration of a number of

factors, including whether the PSO is acomponent of an accrediting body andif so, what assurances are in place toprotect against improper access by theaccrediting body to patient safety workproduct. Component organizations haveclear requirements to maintain patientsafety work product separately fromparent organizations. Further, the finalrule recognizes that a disclosure from acomponent organization to a parentorganization is a disclosure which must

be made pursuant to one of thepermissions set forth in the statute andhere; disclosures for which there is no

permission are subject to enforcement by the Department and imposition of civil money penalties, as well as mayadversely impact on the PSO’scontinued listing by the Secretary as aPSO. Should OCR receive a complaintor conduct a compliance review thatimplicates an impermissible disclosure

by a component PSO of an accrediting body, OCR will investigate and reviewthe particular facts and circumstancessurrounding the alleged impermissibledisclosure, including, if appropriate,whether the accrediting body received

the patient safety work product directlyfrom a provider pursuant to§ 3.206(b)(8).

Comment: One commenter asked thatthe final rule allow accrediting bodies touse voluntarily reported patient safetywork product in accreditation decisions,or that the final rule give accrediting

bodies immunity from liability that

might arise from their failure to take thispatient safety work product into accountin its accreditation decisions. Thiscommenter also stated that, sinceaccrediting bodies cannot take action

based on information voluntarilydisclosed pursuant to this provision, thefinal rule should make clear thataccrediting bodies cannot be heldresponsible for decisions that mighthave been different if the accrediting

body had been able to act based on thepatient safety work product received.

Response: We clarify that the finalrule, as the proposed rule, does notprohibit an accrediting body from usingpatient safety work product voluntarilyreported by a provider pursuant to thisprovision in its accreditations decisionswith respect to that provider. Thus, it isnot necessary nor is it appropriate forthe Secretary to give accrediting bodiesimmunity from liability. However, anaccrediting body may not require aprovider to disclose patient safety workproduct, or take an accrediting actionagainst a provider who refuses todisclose patient safety work product, tothe accrediting body. See section922(d)(4)(B) of the Public Health ServiceAct, 42 U.S.C. 299b-22(d)(4)(B), and

§ 3.206(b)(8)(iii), which expresslyprohibits an accrediting body fromtaking an accrediting action against aprovider based on the good faithparticipation of the provider in thecollection, development, reporting, ormaintenance of patient safety workproduct in accordance with the statute.

Comment: One commenter asked if the limitation on redisclosure of voluntarily reported patient safety workproduct received by an accrediting bodyapplies if the information sent to theaccrediting body was not patient safetywork product at the time the accrediting

body received the information, but waslater reported, by the provider to a PSOand became protected.

Response: If the informationsubmitted to an accrediting body wasnot patient safety work product asdefined at §3.20 at the time it wasreported, then § 3.206(b)(8), includingthe redisclosure limitation, does notapply to such information.

Comment: One commenter asked thatthe final rule clarify that the disclosureof patient safety work product to anaccrediting body is voluntary.





Response: Section 3.208(b)(8)expressly provides only for thevoluntary reporting of patient safetywork product, provided the conditionsare met. We do not see a need for furtherclarification.

(9) Section 3.206(b)(9)—BusinessOperations

Proposed Rule: Proposed § 3.206(b)(9)would have allowed disclosures of patient safety work product by aprovider or a PSO to professionals suchas attorneys and accountants for the

business operations purposes of theprovider or PSO. See section922(c)(2)(F) of the Public Health ServiceAct, 42 U.S.C. 299b–22(c)(2)(F). Underthe proposed rule, such contractorscould not further disclose patient safetywork product, except to the entity fromwhich it received the information.However, the proposed rule made clearthat a provider or PSO still would havehad the authority to delegate its powerto the contractor to make otherdisclosures. In addition, the proposedrule provided that any patient safetywork product disclosed pursuant to thisprovision continued to be privilegedand confidential.

The Patient Safety Act gives theSecretary authority to designateadditional exceptions as necessary

business operations that are consistentwith the goals of the statute. Theproposed rule sought public commentregarding whether there are any otherconsultants or contractors, to whom a

business operations disclosure should

also be permitted, or whether theSecretary should consider anyadditional exceptions under thisauthority. The proposed rule noted thatthe Secretary would designateadditional exceptions only throughregulation; however, it asked if othermechanisms for the adoption of

business operations exceptions should be adopted or incorporated.

The proposed rule also explained thata business operations designation by theSecretary that enables a HIPAA coveredentity to disclose patient safety workproduct containing protected health

information to professionals ispermissible as a health care operationsdisclosure under the HIPAA PrivacyRule. See 45 CFR 164.506. Generally,such professionals will be businessassociates of the covered entity, whichwill require that a business associateagreement be in place. See 45 CFR160.103, 164.502(e), and 164.504(e).

Overview of Public Comments:Several commenters expressed generalsupport for the business operationsdisclosures to attorneys, accountants,and other professionals in the proposed

rule. We also received several responsesto the question asking if the final ruleshould allow for any additionaldisclosures under the businessoperations provision. Three commentersstated that the final rule should notinclude any additional businessoperations disclosures. Others askedthat the business operations disclosure

permission be broad enough toencompass all the activities defined as‘‘health care operations’’ in the HIPAAPrivacy Rule, which would then includedisclosures to entities such asphotocopy shops, document storageservices, shredding companies, ITsupport companies, and other entitiesinvolved in a PSO’s management oradministration. Other commenterssuggested that disclosures of patientsafety work product to independentcontractors, professional liabilityinsurance companies, captives, and riskretention groups be included as

disclosures for business operationsunder this provision in the final rule.All commenters responding to the

question about how the Secretaryshould adopt additional businessoperations stated that additional

business operations should be adoptedonly through the rulemaking process.

Final Rule: The final rule adopts theproposed provision, allowing disclosureof patient safety work product by aprovider or a PSO for businessoperations to attorneys, accountants,and other professionals. The final ruleallows disclosure of patient safety workproduct to these professionals who are

bound by legal and ethical duties tomaintain the confidence of their clientsand the confidentiality of clientinformation, including patient safetywork product. These professionals willprovide a broad array of services to andfunctions for the providers and PSOswith whom they are contracted and willneed access to patient safety workproduct to perform their duties. We arenot persuaded by the comments of aneed to expand, at this time, thedisclosure permission to encompassother categories of persons or entities.However, as described in the proposed

rule, should the Secretary seek in thefuture to designate additional businessoperations exceptions to beencompassed within this disclosurepermission, he will do so throughregulation to provide adequateopportunity for public comment.

With respect to many of the otherentities identified by the commenters,we note that, to the extent the servicesprovided by such entities are necessaryfor the maintenance of patient safetywork product or the operation of apatient safety evaluation system, or

otherwise support activities included inthe definition of ‘‘patient safetyactivities’’ at §3.20 of this rule, thesedisclosures may be made to suchcontractors pursuant to §3.206(b)(4)(ii).


Comment: Two commenters suggestedthat the final rule include a requirement

for a contract between providers orPSOs and their attorneys, accountants,and other professionals to whom patientsafety work product will be disclosed asa business operation.

Response: We do not require acontract as a condition of disclosure inthe final rule. However, we agree that acontract between these parties is aprudent business practice and expectthat parties will enter into appropriateagreements to ensure patient safetywork product remains protected.Further, where HIPAA covered entitiesare concerned, we note that the HIPAAPrivacy Rule requires that such entitieshave a business associate agreement inplace with professionals providingservices that require access to protectedhealth information.

(10) Section 3.206(b)(10)—Disclosure toLaw Enforcement

Proposed Rule: Proposed§ 3.206(b)(10) would have permitted thedisclosure of identifiable patient safetywork product to law enforcementauthorities, so long as the personmaking the disclosure believes—andthat belief is reasonable under thecircumstances—that the patient safety

work product disclosed relates to acrime and is necessary for criminal lawenforcement purposes. See section922(c)(2)(G) of the Public Health ServiceAct, 42 U.S.C. 299b–22(c)(2)(G). Theproposed rule provided that patientsafety work product disclosed underthis provision would remain privilegedand confidential.

The proposed rule also provided thatthe law enforcement entity receiving thepatient safety work product could usethe patient safety work product topursue any law enforcement purposes;however, the recipient law enforcement

entity could only redisclose theinformation to other law enforcementauthorities as needed for lawenforcement activities related to theevent that necessitated the originaldisclosure. The proposed rule soughtcomment regarding whether theseprovisions would allow for legitimatelaw enforcement needs, while ensuringappropriate protections.

Overview of Public Comments:Commenters responding to the questionin the proposed rule regarding whetherthis disclosure permission would allow





for legitimate law enforcement needswhile ensuring that information remainappropriately protected stated that theproposed disclosure permission wasappropriate and did permit legitimatedisclosures to law enforcement.

Final Rule: The final rule adopts theproposed provision with slightmodification for purposes of

clarification only. We add the word‘‘only’’ to the final rule to clarify thatlaw enforcement receiving patient safetywork product pursuant to this exceptionmay only further disclose thisinformation to other law enforcementauthorities as needed for lawenforcement activities related to theevent that gave rise to the originaldisclosure.


Comment: Two commenters suggestedthat the statutory standard of reasonable

belief was vague and that clarity wasneeded to reduce the uncertainty of disclosures and to further define whatcould constitute a reasonable belief.Another commenter noted that thephrase ‘‘relates to a crime and isnecessary for criminal law enforcementpurposes’’ is too broad and leaves toomuch discretion to entities such asPSOs.

Response: The final rule provision at§ 3.206(b)(10) generally repeats thestatutory provision upon which it is

based, which provides that thedisclosure of patient safety workproduct be permitted if it relates to thecommission of a crime and the person

making the disclosure believes,reasonably under the circumstances,that the patient safety work product isnecessary for criminal law enforcementpurposes. See section 922(c)(2)(G) of thePublic Health Service Act, 42 U.S.C.299b–22(c)(2)(G).

Comment: One commenter expressedconcern regarding the redisclosure of patient safety work product to lawenforcement under this disclosurepermission. The commenter stated thatthere could be successive disclosures of protected information to lawenforcement without consideration of

whether there is a reasonable belief thatthe redisclosure is necessary forcriminal law enforcement purposes.Another commenter recommended thatthis disclosure permission shouldexpressly prohibit patient safety workproduct from being used againstpatients who are identified in thepatient safety work product but who arenot the subject of the criminal act forwhich the information was originallydisclosed.

Response: We believe § 3.206(b)(10)addresses the commenters’ concerns by

expressly limiting law enforcement’sredisclosure of patient safety workproduct received pursuant to theprovision to other law enforcementauthorities as needed for lawenforcement activities related to theevent that gave rise to the initialdisclosure. Thus, law enforcement is notpermitted to further disclose the patient

safety work product for the enforcementof a crime unrelated to the crime forwhich the patient safety work productwas originally disclosed to the lawenforcement entity.

Comment: One commenter stated thatthe proposed rule represented anexpansion of the statutory language

because it allowed persons to disclosepatient safety work product to lawenforcement entities in the absence of an active law enforcement investigationand in the absence of a request for thisinformation by law enforcement.

Response: The statute does not

require that a law enforcement entity beinvolved in an active investigation orthat a law enforcement entity requestinformation prior to a person making adisclosure of patient safety workproduct to a law enforcement entitypursuant to this disclosure permission.See 922(c)(2)(G) of the Public HealthService Act, 42 U.S.C. 299b–22(c)(2)(G).

(C) Section 3.206(c)—Safe Harbor

Proposed Rule: Proposed § 3.206(c)would have prohibited the disclosure of a subject provider’s identity withinformation, whether oral or written,that: (1) assesses that provider’s quality

of care; or (2) identifies specific actsattributable to such provider. Seesection 922(c)(2)(H) of the Public HealthService Act, 42 U.S.C. 299b–22(c)(2)(H).This provision would have been onlyapplicable to providers. Patient safetywork product disclosed under thisexception could identify providers,reporters or patients so long as theprovider(s) that were the subject of theactions described were nonidentified.The proposed rule would have requiredthat nonidentification be accomplishedin accordance with thenonidentification standard set forth in

proposed § 3.212.Overview of Public Comments: Wereceived no comments opposed to thisprovision.



Comment: Several commenterssuggested that the safe harbor provision

be extended to PSOs as well asproviders. One commenter noted thatthere was no reason to exclude PSOsfrom this provision and including PSOs

would provide them with the sameleeway for inadvertent disclosures of patient safety work product asproviders.

Response: The statute expressly limitsthe safe harbor provision to providers.Therefore, we do not have the authorityto extend this provision to PSOs.

(D) Section 3.206(d)—Implementationand Enforcement of the Patient Safety Act

Proposed Rule: Proposed § 3.206(d)would have permitted the disclosure of relevant patient safety work product toor by the Secretary as needed forinvestigating or determining compliancewith or to seek or impose civil moneypenalties with respect to this Part or formaking or supporting PSO certificationor listing decisions, under the PatientSafety Act. Patient safety work productdisclosed under this exception wouldremain confidential.

Overview of Public Comments: Wereceived no comments in reference tothis provision.

Final Rule: Consistent with thechanges made to §3.204(c) with respectto privilege, the final rule adopts theproposed provision, but expands it toexpressly provide that patient safetywork product also may be disclosed toor by the Secretary as needed toinvestigate or determine compliancewith or to impose a civil money penaltyunder the HIPAA Privacy Rule. Thisnew language implements the statutoryprovision at section 922(g)(3) of thePublic Health Service Act, 42 U.S.C.

299b–22(g)(3), which makes clear thatthe Patient Safety Act is not intended toaffect implementation of the HIPAAPrivacy Rule. As in the privilegecontext, given the significant potentialfor an alleged impermissible disclosureto implicate both this rule’sconfidentiality provisions, as well as theHIPAA Privacy Rule, the Secretary mayrequire access to confidential patientsafety work product for purposes of determining compliance with theHIPAA Privacy Rule. The Secretary willuse such information consistent withthe statutory prohibition against

imposing civil money penalties under both authorities for the same act.With respect to this rule, the final

rule, as in the proposed rule, makesclear that disclosures of patient safetywork product to or by the Secretary arepermitted to investigate or determinecompliance with this rule, or to make orsupport decisions with respect to listingof a PSO. This may include access toand disclosure of patient safety workproduct to enforce the confidentialityprovisions of the rule, to make orsupport decisions regarding the





acceptance of certification and listing asa PSO, or to revoke such acceptance andto delist a PSO, or to assess or verifyPSO compliance with the rule.


Comment: Several commenters askedthe Secretary to use judicious restraintwhen requesting patient safety work

product for compliance andenforcement activities. Some of thesecommenters also asked that theSecretary reserve his full enforcementpower for only the most egregiousviolations of the confidentialityprovisions.

Response: We acknowledge thecommenters’ concerns regarding thedisclosure of patient safety workproduct for enforcement purposes. Aswe explained in the proposed rule, westrongly believe in the protection of patient safety work product as provided

by the Patient Safety Act. However,confidentiality protections aremeaningless without the ability toenforce breaches of the protections,investigations of which may requireaccess to confidential patient safetywork product. Further, §3.310 of thefinal rule provides the Secretary withauthority to obtain access to only thatpatient safety work product and otherinformation that is pertinent toascertaining compliance with the rule’sconfidentiality provisions.

Also, as we explained in the proposedrule, we will seek to minimize the riskof improper disclosure of patient safetywork product by using and disclosing

patient safety work product only inlimited and necessary circumstances,and by limiting the amount of patientsafety work product disclosed to thatnecessary to accomplish the purpose.Further, §3.312 of the final ruleexpressly prohibits the Secretary fromdisclosing identifiable patient safetywork product obtained by the Secretaryin connection with an investigation orcompliance review except as permitted

by §3.206(d) for compliance andenforcement or as otherwise permitted

by the rule or the Patient Safety Act.See the discussion of the provisions of

Subpart D of the final rule for moreinformation on how the Secretary mayexercise discretion in enforcement.

(E) Section 3.206(e)—No Limitation onAuthority To Limit or DelegateDisclosure or use

Proposed Rule: Proposed § 3.206(e)would have established that a personholding patient safety work productmay enter into a contract that requiresgreater confidentiality protections ormay delegate its authority to make adisclosure in accordance with this

Subpart. Neither the statute nor theproposed rule limited the authority of aprovider to place limitations ondisclosures or uses.



Response to Other Public CommentsComment: One commenter suggestedthat providers and PSOs should not beable to enter into agreements that wouldprohibit the disclosure of patient safetywork product to report a crime or tocomply with state reportingrequirements.

Response: The Patient Safety Actexpressly provides that it does notpreempt or otherwise affect any Statelaw requiring a provider to reportinformation that is not patient safetywork product. See section 922(g)(5) of the Public Health Service Act, 42 U.S.C.299b–22(g)(5). Further, patient safetywork product does not include originalmedical and other records. Thus,nothing in the final rule or the statuterelieves a provider from his or herobligation to disclose information fromsuch original records or otherinformation that is not patient safetywork product to comply with statereporting or other laws. Moreover, thefinal rule at §3.206(b)(10)(i) permitsproviders and PSOs to disclose patientsafety work product to report a crime toa law enforcement authority providedthat the disclosing person reasonably

believes that the patient safety work

product that is disclosed is necessary forcriminal law enforcement purposes.However, the Department cannot,through this rule, prevent suchagreements because the Patient SafetyAct, at section 922(g)(4) of the PublicHealth Service Act, 42 U.S.C. 299b–22(g)(4), specifically provides that theAct cannot be construed ‘‘to limit theauthority of any provider, patient safetyorganization, or other entity to enterinto a contract requiring greaterconfidentiality’’ than that providedunder the Act.

3. Section 3.208—Continued Protection

of Patient Safety Work ProductProposed Rule: Proposed § 3.208

provided that the privilege andconfidentiality protections wouldcontinue to apply to patient safety workproduct following disclosure and alsodescribed the narrow circumstanceswhen the protections terminate. Seesection 922(d) of the Public HealthService Act, 42 U.S.C. 299b–22(d). Inparticular, the proposed rule wouldhave provided two exceptions to thecontinued protection of patient safety

work product. The first was anexception to continued confidentialityprotection when patient safety workproduct is disclosed for use in acriminal proceeding, pursuant to§ 3.206(b)(1). See section 922(d)(2)(A),42 U.S.C. 299b–22(d)(2)(A). The secondexception to continued protection wasin circumstances where patient safety

work product is disclosed innonidentifiable form, pursuant to§§ 3.204(b)(4) and 3.206(b)(5). Seesection 922(d)(2)(B), 42 U.S.C. 299b–22(d)(2)(B).

The proposed rule would not haverequired the labeling of information aspatient safety work product or thatdisclosure of patient safety workproduct be accompanied by a notice asto either the fact that the informationdisclosed is patient safety work productor that it is confidential. The proposedrule did acknowledge that bothpractices may be prudent business

practices.Overview of Public Comments: Wereceived several comments suggestingthat the final rule require that patientsafety work product be labeled as suchor that a recipient of patient safety workproduct be given notice of the protectedstatus of the information received.Commenters suggested that puttingrecipients of patient safety work producton notice about the sensitive andconfidential nature of the informationwould assure and encourage appropriatetreatment of this information.

Final Rule: The final rule adopts thisproposed provision but does not require

that patient safety work product belabeled or that disclosing partiesprovide recipients of patient safety workproduct with notice that they arereceiving protected information. We

believe imposing a labeling or noticerequirement would be overly

burdensome on entities. We do,however, expect providers, PSOs, andresponsible persons holding patientsafety work product to treat andsafeguard such sensitive informationappropriately and encourage suchpersons to consider whether labeling ornotice may be an appropriate safeguard

in certain circumstances. Further, wenote that the final rule provides thatinformation that is documented aswithin a patient safety evaluationsystem for reporting to a PSO is patientsafety work product. In addition, thefinal rule allows patient safety workproduct to be removed from a patientsafety evaluation system and no longerconsidered patient safety work productif it has not yet been reported to a PSOand its removal is documented. See thedefinition of ‘‘patient safety workproduct’’ at § 3.20. These





documentation provisions may assist inidentifying, and putting persons onnotice as to, what is and is not protectedinformation.


Comment: With respect to§§ 3.206(b)(2), 3.206(b)(3), 3.206(b)(8),3.206(b)(9), and 3.206(b)(10),

commenters asked that the final ruleemphasize the fact that subsequentholders of patient safety work productare subject to the privilege andconfidentiality provisions when theyreceive the patient safety work productpursuant to a privilege or confidentialityexception and that this patient safetywork product cannot be subpoenaed,ordered, or entered into evidence in acivil or criminal proceeding through anyof these exceptions.

Response: Section 3.208 makes clearthat, with limited exceptions, patientsafety work product continues to beprivileged and confidential upondisclosure.

Comment: One commenter expressedconcern over the proposed rule’sstatement that an impermissibledisclosure of patient safety workproduct, even if unintentional, does notterminate the confidentiality of theinformation and that individuals andentities receiving this patient safetywork product may be subject to civilmoney penalties. The commenter statedthat the applicability of this broadstatement to third and fourth partyrecipients of patient safety work productcould violate the First Amendment and

expressed concern with the possibilitythat the Secretary would seek to imposea civil money penalty upon a newspaperfor printing patient safety information.

Response: Section 3.208 implementsthe statutory provision that patientsafety work product continues to beprivileged and confidential upondisclosure, including when in thepossession of the person to whom thedisclosure was made. See section 922(d)of the Public Health Service Act, 42U.S.C. 299b–22(d). To encourageprovider reporting of sensitive patientsafety information, Congress saw a need

for strong privilege and confidentialityprotections that continue to applydownstream even after disclosure,regardless of who holds the information.With respect to the commenter’sconcern regarding ‘‘unintentional’’disclosures, we note that the Secretaryhas discretion to elect not to imposecivil money penalties for animpermissible disclosure of patientsafety work product, in appropriatecircumstances. Thus, if it is determined,through a complaint investigation or acompliance review, that an

impermissible disclosure of patientsafety work product has been made, theSecretary will examine each situation

based on the individual circumstancesand make an appropriate determinationabout whether to impose a civil moneypenalty. See the discussion regardingSubpart D of this final rule for a moreextensive discussion of the Secretary’s

enforcement discretion. Finally, withrespect to the commenter’s FirstAmendment concerns, we do not

believe the confidentiality provisionsafforded to patient safety work productin the statute and the rule contravenethe First Amendment.

4. Section 3.210—Required Disclosureof Patient Safety Work Product to theSecretary

Proposed Rule: Proposed § 3.210would have required providers, PSOs,and other persons holding patient safetywork product to disclose such

information to the Secretary upon adetermination by the Secretary that suchpatient safety work product is neededfor the investigation and enforcementactivities related to this Part, or isneeded in seeking and imposing civilmoney penalties.


Final Rule: The final rule adopts theproposed provision but expands it toencompass disclosures of patient safetywork product needed for investigationand enforcement activities with respectto the HIPAA Privacy Rule, consistent

with changes made to §§3.204(c) and3.206(d). As in the proposed rule, thefinal rule makes clear that, with respectto this rule, providers, PSOs, andresponsible persons must disclosepatient safety work product to theSecretary upon request when needed toinvestigate or determine compliancewith this rule, or to make or supportdecisions with respect to listing of aPSO. This may include disclosure of patient safety work product to theSecretary as necessary to enforce theconfidentiality provisions of the rule, tomake or support decisions regarding the

acceptance of certification and listing asa PSO, or to revoke such acceptance andto delist a PSO, or to assess or verifyPSO compliance with the rule.


Comment: Several commenterssuggested that disclosures to theSecretary be limited to only the patientsafety work product that is needed forthe Secretary’s activities.

Response: Section 3.210 requiresdisclosure of patient safety workproduct only in those cases where the

Secretary has determined that suchinformation is needed for compliance orenforcement of this rule or the HIPAAPrivacy Rule or for PSO certification orlisting. Further, during an investigationor compliance review, §3.310(c)requires a respondent to provide theSecretary with access to only thatinformation, including patient safety

work product, that is pertinent toascertaining compliance with this rule.

5. Section 3.212—Nonidentification of Patient Safety Work Product

Proposed Rule: Proposed § 3.212would have established the standard bywhich patient safety work productwould be rendered nonidentifiable,implementing section 922(c)(2)(B) of thePublic Health Service Act, 42 U.S.C.299b–22(c)(2)(B). Under the PatientSafety Act and this Part, identifiablepatient safety work product includesinformation that identifies any provideror reporter or contains individuallyidentifiable health information underthe HIPAA Privacy Rule (see 45 CFR160.103). See section 921(2) of thePublic Health Service Act, 42 U.S.C.299b–21(2). By contrast, nonidentifiablepatient safety work product does notinclude information that permitsidentification of any provider, reporteror subject of individually identifiablehealth information. See section 921(3) of the Public Health Service Act, 42 U.S.C.299b–21(3).

The proposed rule explained that because individually identifiable healthinformation as defined in the HIPAA

Privacy Rule is one element of identifiable patient safety work product,the de-identification standard providedin the HIPAA Privacy Rule would applywith respect to the patient-identifiableinformation in the patient safety workproduct. Therefore, where patient safetywork product contained individuallyidentifiable health information, theproposal would have required that theinformation be de-identified inaccordance with 45 CFR 164.514(a)–(c)to qualify as nonidentifiable patientsafety work product with respect toindividually identifiable health

information under the Patient SafetyAct.Further, with respect to providers and

reporters, the proposal imported andadapted the HIPAA Privacy Rule’sstandards for de-identification. Inparticular, the proposal included twomethods by which nonidentificationcould be accomplished: (1) A statisticalmethod of nonidentification and (2) theremoval of 15 specified categories of direct identifiers of providers orreporters and of parties related to theproviders and reporters, including





Subpart D are modeled largely on theHIPAA Enforcement Rule at 45 CFR Part160, Subparts C, D and E. This willmaintain a common approach toenforcement and appeals of civil moneypenalty determinations based on section1128A of the Social Security Act, 42U.S.C. 1320a–7a, upon which both theHIPAA and Patient Safety Act penalties

are based, as well as minimizecomplexity for entities that are subjectto both regulatory schemes. Thisenforcement scheme also provides theSecretary maximum flexibility toaddress confidentiality violations so asto encourage participation in patientsafety activities and achieve the goals of the Patient Safety Act.

General Comments: Severalcommenters expressed support for thedecision to base this rule’s enforcementregime on the HIPAA Enforcement Ruleand noted that the HIPAA EnforcementRule was properly adapted to the

patient safety context. However, twocommenters expressed concern that basing the enforcement regime in thisrule on the HIPAA Enforcement Rulewill be insufficient to adequatelyaddress and penalize violations of theconfidentiality provisions because of theDepartment’s approach to enforcementof the HIPAA Privacy Rule. Onecommenter argued that this might causeproviders to decide against reporting themost serious patient safety events, andtherefore, would undermine the purposeof the statute.

Response to General Comments: TheDepartment believes that modeling this

rule’s enforcement provisions on theexisting HIPAA Enforcement Rule isprudent and appropriate. As notedabove, such an approach grants theSecretary maximum flexibility toaddress violations of the confidentialityprovisions, relies on an existing andestablished enforcement regime, andminimizes complexity for entitiessubject to both the Patient Safety Actand HIPAA.

1. Sections 3.304, 3.306, 3.308, 3.310,3.312, 3.314—Compliance andInvestigations

Proposed Rule: Sections 3.304–3.314of the proposed rule provided theframework by which the Secretarywould seek compliance by providers,PSOs, and responsible persons with theconfidentiality provisions of the rule.These proposed requirements included:(1) Provisions for the Secretary to seekcooperation from these entities inobtaining compliance and to providetechnical assistance (proposed §3.304);(2) procedures for any person who

believes there has been a violation of theconfidentiality provisions to file a

complaint with the Secretary andprovisions for the Secretary toinvestigate such complaints (proposed§ 3.306); (3) provisions for the Secretaryto conduct compliance reviews(proposed §3.308); (4) provisionsestablishing responsibilities of respondents with respect to cooperatingwith the Secretary during investigations

or compliance reviews and providingaccess to information necessary andpertinent to the Secretary determiningcompliance (proposed § 3.310); (5)provisions describing the Secretary’scourse of action during complaints andcompliance reviews, including thecircumstances under which theSecretary may attempt to resolvecompliance matters by informal meansor issue a notice of proposeddetermination, as well as thecircumstances under which theSecretary may use or discloseinformation, including identifiable

patient safety work product, obtainedduring an investigation or compliancereview (proposed §3.312); and (6)provisions and procedures for theSecretary to issue subpoenas to requirewitness testimony and the production of evidence and to conduct investigationalinquiries (proposed §3.314).

Overview of Public Comments: Wereceived no comments opposed to theproposed provisions.

Final Rule: The final rule adopts theprovisions of the proposed rule, except,where reference was made in theproposed rule to provisions of theHIPAA Enforcement Rule, the final rule

includes the text of such provisions forconvenience of the reader.


Comment: One commenter asked howand when the Secretary will providetechnical assistance to providers, PSOs,and responsible persons regardingcompliance with the confidentialityprovisions.

Response: The Secretary intends toprovide technical assistance through avariety of mechanisms. First, asauthorized by the Patient Safety Act, theSecretary intends, as practical, to

convene annual meetings for PSOs todiscuss methodology, communication,data collection, privacy concerns, orother issues relating to their patientsafety systems. See section 925 of thePublic Health Service Act, 42 U.S.C.299b–25. Second, the Secretary intendsto exercise his discretion under §3.304

by, when practicable and appropriate,providing technical assistance toaffected persons and entities both on anindividual basis when such persons orentities are involved in complaintinvestigations or compliance reviews, as

well as more generally throughpublished guidance that addressescommon compliance or other questionsabout the rule. As we noted in thepreamble to the proposed rule, however,the absence of technical assistance orguidance by the Secretary may not beraised as a defense to civil moneypenalty liability. We also encourage

persons participating in patient safetyactivities and subject to this rule todevelop and share with others similarlysituated in the industry ‘‘best practices’’for the confidentiality of patient safetywork product.

Comment: One commenter requestedthat the final rule provide additionaldetail on the consideration that will gointo the determination of whether topursue an investigation or to conduct acompliance review.

Response: We do not believe thatincluding additional detail in the finalrule regarding when we will investigateor conduct compliance reviews isprudent or feasible. The decision of whether to conduct an investigation orcompliance review is left to thediscretion of the Secretary and will bemade based on the specificcircumstances of each individual case.The decision to investigate a complaintis necessarily fact specific. For example,some complaints may not allege factsthat fall within the Secretary’sjurisdiction or that constitute a violationif true. With respect to compliancereviews, the Secretary needs to maintainflexibility to conduct whatever reviewsare necessary to ensure compliance.

Compliance reviews may be initiated based on, for example, information thatcomes to the Department’s attentionoutside of the formal complaint process,or trends the Department is seeing as aresult of its enforcement activities. Itwould be premature at this time toindicate the specific circumstancesunder which such reviews may beconducted, given the absence of anycompliance and enforcement experiencewith the rule. Further, making publicthe Department’s considerations in thisarea may undermine the effectiveness of such reviews. Thus, we did not propose

and do not include in this final ruleaffirmative criteria for conductingcompliance reviews.

Comment: One commenter requestedclarification that the Secretary may onlyrequire respondents to produce records,

books, and accounts that are reasonablyrelated to an investigation.

Response: Section 3.310(c) of theproposed rule, which the final ruleadopts, provided that a respondent mustpermit the Secretary access to theinformation that is pertinent toascertaining compliance with the





2For more information and guidance aboutviolations of the rule attributed to a principal basedon the federal common law of agency, see thepreamble to the proposed rule at 73 FR 8158–8159.

confidentiality provisions of the rule.Given this provision in the final rule,we do not see a need to provide furtherclarification.

2. Sections 3.402, 3.404, 3.408, 3.414,3.416, 3.418, 3.420, 3.422, 3.424,3.426—Civil Money Penalties

Proposed Rule: Sections 3.402–3.426

of the proposed rule provided theprocess for the Secretary to impose acivil money penalty for noncompliance

by a PSO, provider, or responsibleperson with the confidentialityprovisions of the rule. These proposedprovisions: (1) Described the basis forimposing a civil money penalty on aperson who discloses identifiablepatient safety work product in knowingor reckless violation of theconfidentiality provisions, as well as ona principal, in accordance with thefederal common law of agency 2, basedon the act of its agent acting within the

scope of the agency (proposed § 3.402);(2) described how a penalty amountwould be determined, and provided thestatutory cap of any such penalty(proposed §3.404); (3) provided the listof factors the Secretary may consider asaggravating or mitigating, asappropriate, in determining the amountof a civil money penalty, including thenature and circumstances of theviolation and the degree of culpabilityof the respondent (proposed §3.408); (4)set forth the 6-year limitations period onthe Secretary initiating an action forimposition of a civil money penalty(proposed §3.414); (5) set out theSecretary’s authority to settle any issueor case or to compromise any penalty(proposed §3.416); (6) provided that acivil money penalty imposed under thisrule would be in addition to any otherpenalty prescribed by law, except that acivil money penalty may not beimposed both under this rule and theHIPAA Privacy Rule for the same act(proposed §3.418); (7) required that theSecretary provide a respondent withwritten notice of his intent to impose acivil money penalty, prescribe thecontents of such notice, and provide therespondent with a right to request a

hearing before an ALJ to contest theproposed penalty (proposed §3.420); (8)provided that if the respondent fails totimely request a hearing and the matteris not settled by the Secretary, theSecretary may impose the proposedpenalty (or any lesser penalty) and willnotify the respondent of any penaltyimposed, and that the respondent has

no right to appeal such penalty(proposed §3.422); (9) provided thatonce the penalty becomes final, it will

be collected by the Secretary, unlesscompromised, and describes themethods for collection (proposed§ 3.424); and (10) provided that theSecretary will notify the public and theappropriate State or local medical or

professional organizations, appropriateState agencies administering orsupervising the administration of Statehealth care programs, appropriateutilization and quality control peerreview organizations, and appropriateState or local licensing agencies ororganizations, of a final penalty and thereason it was imposed (proposed§ 3.426).

In addition, with respect to the factorsat proposed §3.408, we specificallysought comment on whether the factorsshould be expanded to expresslyinclude a factor for persons who self-

report disclosures that may potentiallyviolate the confidentiality provisionssuch that voluntary self-reporting would

be a mitigating consideration whenassessing a civil money penalty.

Overview of Public Comments: Wereceived no comments opposed to theseproposed provisions. With respect toproposed §3.408, commenters generallysupported the list of detailed factors,which may be aggravating or mitigatingdepending on the context, for use by theSecretary in determining the amount of a civil money penalty. In response to thequestion in the proposed rule regardingwhether the final rule should include a

factor for persons who self-reportdisclosures that may be potentialviolations, some commenters opposedsuch an expansion, arguing that such aprovision could be viewed as anadditional reporting obligation onpersons and entities. Several othercommenters expressed general supportfor the consideration of such amitigating factor in the determination of any penalty, and one commenterspecifically recommended expandingthe list of factors to include self-reporting.

Final Rule: The final rule adopts the

provisions of the proposed rule except,where reference was made in theproposed rule to provisions of theHIPAA Enforcement Rule, the final ruleincludes the text of such provisions forconvenience of the reader. We do notexpand the list of factors at § 3.408 toinclude the fact of self-reporting by arespondent in the final rule. As wenoted in the preamble to the proposedrule, while including a factor forvoluntary self-reporting may encouragepersons to report breaches of confidentiality, particularly those that

may otherwise go unnoticed, as well asdemonstrate the security practices thatled to the discovery of the breach andhow the breach was remedied, we agreewith those commenters who argued thatincluding such a factor may be viewedincorrectly as an additional and ongoingreporting obligation on providers, PSOs,and others to report every potentially

impermissible disclosure. This wouldunnecessarily increase administrative

burden both on the Department and thereporting persons. Additionally,inclusion of such a factor may interferewith contractual relationships betweenproviders and PSOs that address howparties are to deal with breaches.

However, we note that even thoughwe are not expressly including a self-reporting factor in the list at § 3.408, theSecretary retains discretion to considerself-reports on a case-by-case basisunder §3.408(f), which permits theSecretary to consider ‘‘such other

matters as justice may require’’ indetermining the amount of a civilmoney penalty.


Comment: One commenter supportedthe knowing or reckless standard forestablishing the basis for imposing acivil money penalty for a confidentialityviolation but also stated that every effortshould be made to reduce the risk of liability and to encourage providerparticipation. Another commentersupported the Secretary’s ability toexercise discretion in determiningwhether to impose a civil money

penalty for a knowing or recklessviolation of the confidentialityprovisions but also suggested that, incases where a PSO is compelled todisclose patient safety work product bya court and has, in good faith, attemptedto assert the privilege protection, thePSO automatically should be excusedfrom a civil money penalty for theimpermissible disclosure of patientsafety work product to the court.

Response: We agree that theappropriate basis for imposing a civilmoney penalty is for knowing orreckless disclosures of identifiable

patient safety work product in violationof the confidentiality provisions of therule and that it is important theSecretary ultimately retain discretion asto whether to impose a penalty pursuantto this standard. This provision is basedon section 922(f) of the Public HealthService Act, 42 U.S.C. 299b–22(f). Wealso agree that provider participation isessential to meeting the overall goal of the statute to improve patient safety andquality of care, and we believe thatstrong privilege and confidentialityprotections for patient safety work





product are fundamental to ensuringthis participation. As we explained inthe preamble to the proposed rule, acivil money penalty under § 3.402 mayonly be imposed if the Secretary firstestablishes a wrongful disclosure—thatis, the information disclosed wasidentifiable patient safety work productand the manner of the disclosure does

not fit within any permitted exception.The Secretary must then determinewhether a person making the disclosureacted ‘‘knowingly’’ or ‘‘recklessly.’’ Todo so, the Secretary must prove eitherthat: (1) The person making thedisclosure knew a disclosure was beingmade (not that the person knew he orshe was disclosing identifiable patientsafety work product in violation of therule or statute); or (2) the person actedrecklessly in making the disclosure, thatis, the person was aware, or a reasonableperson in his or her situation shouldhave been aware, that his or her conduct

created a substantial risk of disclosureof information and to disregard suchrisk constituted a gross deviation fromreasonable conduct. For more guidanceon this standard or the knowing orreckless standard, see the preamble tothe proposed rule at 73 FR 8157–8158.Once a knowing or reckless violationhas been established, the Secretary stillretains discretion as to whether toimpose a penalty for a violation andmay elect not to do so. Thus, we believethe standard at §3.402 of the final rulestrikes the right balance in ensuringthose who are culpable are subject topenalties, while still encouraging

maximum participation by providers.For example, circumstances where a

person who disclosed identifiablepatient safety work product in violationof the rule can show he or she did notknow and had no reason to know thatthe information was patient safety workproduct may warrant discretion by theSecretary. Further, as we stated in thepreamble to the proposed rule, theSecretary may exercise discretion andnot pursue a civil money penalty againsta respondent ordered by a court toproduce patient safety work productwhere the respondent has in good faith

undertaken reasonable steps to avoidproduction and is, nevertheless,compelled to produce the informationor be held in contempt of court. We donot, however, agree that an automaticexception from liability for respondentsin such circumstances is appropriate ornecessary. The Secretary will examineeach situation based on the individualcircumstances and make an appropriatedetermination about whether to imposea civil money penalty.

Comment: One commenter asked thatthe final rule state that inappropriate

disclosures to, for example, the media orto the public, would result in civilmoney penalties.

Response: Section 3.402(a) of the finalrule provides that persons who discloseidentifiable patient safety work productin knowing or reckless violation of theconfidentiality provisions are subject tocivil money penalty liability for such

violations. This liability would includedisclosures to the media or public, tothe extent the knowing or recklessstandard of §3.402(a) is met.

Comment: We received two commentsstating that the maximum penalty of $10,000 for a single violation isinsufficient to serve as a deterrentagainst impermissible disclosures. Incontrast, one commenter expressedconcern that the maximum penaltywould be far too severe for some smallproviders and in cases in which theimpermissible disclosure was incidentalor accidental.

Response: In response to thosecommenters who believe the penaltyamount is not high enough, the $10,000maximum penalty for each actconstituting a violation is prescribed bythe statute and thus, cannot beincreased by the Secretary in this rule.We expect, however, that there will becases where multiple related acts are atissue as discrete violations, each of which could result in separate penaltiesup to $10,000. The preamble to theproposed rule indicated that the PatientSafety Act provides that a person whoviolates the Patient Safety Act shall besubject to a civil money penalty of ‘‘not

more than $10,000’’ for each actconstituting such violation. We notethat pursuant to the Federal CivilPenalties Inflation Adjustment Act of 1990, as amended by the DebtCollection Improvement Act of 1996,the Department will be required toadjust this civil money penalty amount

based on increases in the consumerprice index (CPI). The Department hasup to four years to update the civilmoney penalty amount, and theadjustment will be based on the percentincrease in the CPI from the time thePatient Safety Act was enacted, in

accordance with the cost-of-livingadjustment set forth at the Federal CivilPenalties Inflation Adjustment Act of 1990 § 5, at 28 U.S.C. 2461 note.However, the first adjustment may notexceed ten percent of the penalty. Thus,pursuant to this statute, the $10,000maximum penalty will be adjustedupwards periodically to account forinflation.

With respect to those commenterswho were concerned that the $10,000penalty may be too severe in certaincircumstances, we emphasize that the

$10,000 amount is a maximum penaltyand the Secretary has discretion toimpose penalties that are less than thatamount or can elect not to impose apenalty at all for a violation, dependingon the circumstances. In particular,§ 3.404 provides that the amount of anypenalty will be determined using thefactors at §3.408, which include such

factors as the nature and circumstancesof the violation, the degree of culpability of the respondent includingwhether the violation was intentional,as well as the financial condition andsize of the respondent.

Comment: Several commenters askedfor clarification regarding theSecretary’s authority to levy separatefines under the Patient Safety Act andHIPAA. Many of these commentersargued that the Secretary should be ableto impose penalties under bothauthorities for the same act to maximizethe enforcement tools at his disposal

and to effectively penalize bad behavior.In contrast, one commenter supportedthe statutory mandate that civil moneypenalties not be imposed under both thePatient Safety Act and HIPAA for asingle violation. One commenter askedfor clarification as to how civil moneypenalties may be imposed under boththe Patient Safety Act and HIPAA whena PSO is a business associate of acovered entity for HIPAA Privacy Rulepurposes.

Response: The final rule at §3.418reflects the statutory prohibition againstthe Secretary imposing civil money

penalties under both the Patient SafetyAct and HIPAA for a single act thatconstitutes a violation. As the preambleto the proposed rule explained,Congress recognized that, becausepatient safety work product includesindividually identifiable healthinformation about patients, a HIPAAcovered entity making a disclosure of patient safety work product could beliable for a violation under both thePatient Safety Act and HIPAA, andmade such penalties mutuallyexclusive. Thus, in situations in whicha single violation could qualify as both

a violation of the Patient Safety Act andHIPAA, the Secretary has discretion toimpose a civil money penalty undereither regulatory scheme, not both.However, as we explained in theproposed rule, we interpreted thePatient Safety Act as only prohibitingthe imposition of a civil money penaltyunder the Patient Safety Act when therehas been a civil, as opposed to criminal,penalty imposed under HIPAA for thesame act. Therefore, a person couldhave a civil money penalty imposedunder the Patient Safety Act as well as





a criminal penalty under HIPAA for thesame act.

With respect to the commenter whorequested clarification about penaltiesrelating to a PSO that is a businessassociate of a HIPAA covered entity, wenote that it is possible for a civil moneypenalty to be imposed under both thePatient Safety Act and HIPAA, where

such penalty is imposed againstdifferent entities. Thus, for example,

because a PSO will be a businessassociate of a covered entity underHIPAA, any violation involving patientsafety work product that containsprotected health information by the PSOwill be a violation of the Patient SafetyAct and not HIPAA, since the PSO isnot a covered entity. However, if thePSO notifies the covered entity of theimpermissible disclosure (as required bythe business associate contract underHIPAA), and the covered entity does nottake the appropriate steps to mitigate

and address the consequences of theimpermissible disclosure of protectedhealth information, the covered entitymay then be liable for a penalty underHIPAA.

3. Section 3.504—Procedures forHearings

Proposed Rule: Proposed § 3.504provided the procedures for anadministrative hearing to contest a civilmoney penalty. The proposed sectionset forth the authority of the ALJ, therights and burdens of proof of theparties, requirements for the exchangeof information and pre-hearing, hearing,

and post-hearing processes. This sectioncross-referenced the relevant provisionsof the HIPAA Enforcement Ruleextensively. Specifically, §§3.504(b),(d), (f)–(g), (i)–(k), (m), (n), (t), (w) and(x) of the proposed rule incorporatedunchanged the provisions of the HIPAAEnforcement Rule. Sections 3.504(a), (c),(e), (h), (l), (o)–(s), (u) and (v) of theproposed rule incorporated the HIPAAEnforcement Rule but includedtechnical changes to adapt theseprovisions to the Patient Safety Actconfidentiality provisions. Thesetechnical changes addressed the

following: (1) Proposed §§ 3.504(a) and3.504 (v) excluded language from 45CFR 160.504(c) and 160.548(e),respectively, relating to an affirmativedefense under 45 CFR 160.410(b)(1),which is a defense unique to HIPAAand not included in the Patient SafetyAct; (2) proposed §3.504(c) excludedthe provision at 45 CFR 160.508(c)(5) forremedied violations based on reasonablecause to be insulated from liability fora civil money penalty because there isno such requirement under the PatientSafety Act; (3) proposed §3.504(e)

substituted the term ‘‘identifiablepatient safety work product’’ for‘‘individually identifiable healthinformation’’; (4) proposed §3.504(h)excluded the language in 45 CFR160.518(a) relating to the provision of astatistical expert’s report not less than30 days before a scheduled hearing

because we did not propose language

permitting use of statistical sampling toestimate the number of violations; (5)proposed §3.504(o) substituted ‘‘aconfidentiality provision’’ for ‘‘anadministrative simplification provision’’in 45 CFR 160.532; (6) proposed§ 3.504(p) substituted, for language notrelevant to the Patient Safety Act in 45CFR 160.534(b)(1), new language statingthat the respondent has the burden of going forward and the burden of persuasion with respect to anychallenge to the amount of a proposedcivil money penalty, including anymitigating factors raised, and provided

that good cause shown under 45 CFR160.534(c) may be that identifiablepatient safety work product has beenintroduced into evidence or is expectedto be introduced into evidence; (7)proposed §3.504(s) added language toprovide that good cause for makingredactions to the record would includethe presence of identifiable patientsafety work product; and (8) proposed§§ 3.504(l), (q), (r), and (u) substitutedcitations to subpart D of the PatientSafety rule, as appropriate.

We also explained in the proposedrule that we intended to maintain thealignment between these provisions and

the HIPAA Enforcement Rule byincorporating any changes to the HIPAAEnforcement Rule that would becomefinal based on the Department’s Noticeof Proposed Rulemaking entitled,‘‘Revisions to Procedures for theDepartmental Appeals Board and OtherDepartmental Hearings’’ (see 72 FR73708 (December 28, 2007)). ThatNotice of Proposed Rulemakingproposed to amend the HIPAAEnforcement Rule at 45 CFR 160.508(c)and 160.548, and add a new provisionat 160.554, providing that the Secretarymay review all ALJ decisions that the

Board has declined to review and allBoard decisions for error in applyingstatutes, regulations, or interpretivepolicy. As of the publication date of thisfinal rule, however, that regulation isnot final.

Overview of Public Comments: Wereceived no comments opposed to theseprovisions.

Final Rule: The final rule adopts theproposed provisions, except renumbersthem into individual sections andrepublishes the referenced provisions of the HIPAA Enforcement Rule, as

modified by the technical changesdescribed above to adapt the provisionsto the Patient Safety Act confidentialityprovisions. The final rule includes thefull text of such provisions forconvenience of the reader.

Also, we incorporate one additionaltechnical change to better adapt thelanguage to this rule’s confidentiality

provisions, as well as one conformingchange. In particular, at §3.512(b)(11),we replace the term ‘‘privacy of’’ with‘‘confidentiality of’’ in addition toreplacing ‘‘individually identifiablehealth information’’ with ‘‘identifiablepatient safety work product.’’ Inaddition, at §3.504(b), we replace theterm ‘‘90 days’’ with ‘‘60 days.’’ Weproposed at §3.420(a)(6) to include in anotice of proposed determination astatement that a respondent mustrequest a hearing within 60 days or loseits right to a hearing under §3.504.However, we inadvertently omitted

from § 3.504 a conforming change to thelanguage incorporated from 45 CFR160.504(b) to change the hearing requestdeadline from 90 days to 60 days. Thus,this change is necessary to align the twoprovisions.


Comment: One commenter asked thatthe final rule clarify the involvement of the Departmental Appeals Board duringthe hearings and appeals processes aswell as whether the Secretary hasauthority to review ALJ decisions.

Response: Sections 3.504–3.552 of thefinal rule incorporate the provisions of

the HIPAA Enforcement Rule, which layout the hearings and appeals process.The current process provides that anyparty, including the Secretary, mayappeal a decision of the ALJ to theDepartmental Appeals Board, as well asfile a reconsideration request with theBoard following any Board decision.Unless the ALJ decision is timelyappealed, such decision becomes finaland binding on the parties 60 days fromthe date of service of the ALJ’s decision.

Comment: One commenter asked thatthe final rule provide no restrictions tofull judicial review for appeals and

hearing requests.Response: Section 3.548(k) providesrespondents the right to petition forjudicial review of the final decision of the Secretary once all administrativeappeals have been exhausted, that is,once the Departmental Appeals Boardhas rendered a decision on appeal orreconsideration that has become thefinal decision of the Secretary, asappropriate.

Comment: One commenter suggestedthat any time patient safety workproduct could be disclosed in an ALJ





proceeding, the proceeding should beclosed to the public.

Response: The final rule at § 3.534(c)expressly provides that the ALJ mayclose a proceeding to the public for goodcause shown, which may include thepotential for patient safety work productto be introduced as evidence in theproceeding. We do not see a need to

require that proceedings be closedunder such circumstances but ratherwill continue to rely on the experienceddiscretion of the ALJ in determiningsuch matters.

IV. Impact Statement and OtherRequired Analyses

Regulatory Impact Analysis

AHRQ has previously analyzed thepotential economic impact of this ruleas part of its February 2008 Notice of Proposed Rulemaking (proposed rule) asrequired by Executive Order 12866(September 1993, Regulatory Planning

and Review), the Regulatory FlexibilityAct (RFA) (September 16, 1980, Pub. L.96–354), section 1102(b) of the SocialSecurity Act, the Unfunded MandatesReform Act of 1995 (Pub. L. 104–4), andExecutive Order 13132. This analysiscan be found on pages 8164 to 8171 of the proposed rule, which was publishedin the Federal Register on February 12,2008.

Executive Order 12866 (as amended by Executive Order 13258, February2002, and Executive Order 13422,

January 2007), directs agencies to assessall costs and benefits of available

regulatory alternatives and, if regulationis necessary, to select regulatoryapproaches that maximize net benefits(including potential economic,

environmental, public health and safetyeffects, distributive impacts, andequity). A regulatory impact analysis(RIA) must be prepared for major ruleswith economically significant effects($100 million or more in any 1 year).Although we cannot determine thespecific economic impact of this finalrule, we believe that the economic

impact may approach $100 million.HHS has determined that the rule is‘‘significant’’ because it raises novellegal and policy issues with theestablishment of a new regulatoryframework, authorized by the PatientSafety Act, and imposes requirements,albeit voluntary, on entities that had not

been subject to regulation in this area.

In preparing the regulatory impactanalysis for inclusion in the proposedrule, AHRQ did not develop analternative to the statutorily authorizedvoluntary framework. In light of theapproach taken in the proposed rule,

alternatives would have been mandatoryor more proscriptive as well asinconsistent with statutory intent. Theproposed rule established a system inwhich entities would voluntarily seekdesignation (or ‘‘listing’’) by theSecretary as a Patient SafetyOrganization (PSO), most PSOrequirements would be met byattestation and overall complianceassessed by spot-checks rather thandocument submission or routine audits,and the Department would look to themarketplace to assess the quality andvalue of each PSO. PSOs will not be

Federally funded nor directed; theirfunding and activities will bedetermined by health care providerswho seek their expert assistance in

identifying the underlying causes of,and the best strategies for reducing oreliminating, medical errors. Theproposed rule provided a foundation of confidentiality and privilege protectionsfor information developed andexchanged when health care providersvoluntarily choose to work with a PSO.We proposed that health care providers

could receive the confidentiality andprivilege protections of the statute byreporting information to a PSOoccasionally, without entering contractsor incurring significant costs. Otherhealth care providers could developmore costly internal systems that wouldserve as the hub of the provider’sinteractions with a PSO with which theprovider had a contractual relationship;such structured, documented internalsystems with dedicated personnelwould be more costly. To create an‘‘upper bound’’ on the analyses in theproposed rule, we assumed that all

providers that would choose to workwith PSOs would follow this morecostly approach. It should be noted thatmost hospital providers already havepatient safety reporting activities inplace (98% according to a 2006 AHRQ survey). While documenting theseactivities and, it is hoped, expandingthem through participation with a PSOwill result in increased costs, thatincrease will be marginal, not complete,in the hospital community.

A summary of the AHRQ analysis of costs and benefits of Patient Safety Actcosts and benefits from the proposed

rule follows below. For a full discussionof the assumptions underlying theseestimates, please refer to the proposedrule.

TABLE 3—TOTAL PATIENT SAFETY ACT COSTS INCLUDING HOSPITAL COSTS AND PSO COSTS: 2009–2013

Year

2009 2010 2011 2012 2013

Hospital Penetration Rate .................................................... 10% 40% 60% 75% 85%Hospital Cost ........................................................................ $7.5 M $30.0 M $45.0 M $56.2 M $63.7 MPSO Cost ............................................................................. $61.4 M $92.1 M $122.8 M $122.8 M $122.8 M

Total cost ...................................................................... $68.9 M $122.1 M $167.8 M $179.0 M $186.5 M

Source: Notice of Proposed Rulemaking published in the Federal Register on February 12, 2008: 73 FR 8112–8183.

Costs for PSO implementation werecalculated by considering twocomponents: Costs incurred by hospitalsin engaging in PSO activities and costsof PSOs themselves. It was assumed thatin early years of PSO operation, thehospital would be the primary site of PSO-related activity. Hospital costswere assumed to be incremental, giventhat a previously-completed surveyfunded by AHRQ revealed that 98% of

U.S. hospitals already have adverseevent reporting systems, and virtuallyall hospitals have a safety/qualityfunction. We assumed that PSOs would

be staffed modestly, relying on existinghospital activities in reporting adverseevents, and that a significant proportionof PSOs are likely to be componentPSOs, with support and expertiseprovided by a parent organization. Ourassumptions were that PSOs will hire

dedicated staff of 1.5 to 4 FTEs,assuming an average salary rate of $67/hour. We also estimated that asignificant overhead figure of 100%,coupled with 20% for General andAdministrative (G&A) expenses, willcover the appreciable costs anticipatedfor legal, security, travel, andmiscellaneous PSO expenses.





Provider—PSO Costs and Charges

We have not figured into ourcalculations any estimates for the priceof PSO services, amounts paid by

hospitals and other health careproviders to PSOs, PSO revenues, orPSO break-even analyses. We have notspeculated about subsidies or businessmodels. Regardless of what the costs

and charges are between providers andPSOs, they will cancel each other out,as expenses to providers will becomerevenue to PSOs.

TABLE 4—TOTAL ESTIMATED COST SAVINGS BY PERCENT REDUCTION IN ADVERSE EVENTS: 2009–2013 *

Year

2009 2010 2011 2012 2013

Hospital Penetration Rate .................................................... 10% 40% 60% 75% 85%Percent Reduction in Adverse Events ................................. 1% 1.5% 2% 2.5% 3%Savings ................................................................................ $11.5 M $69 M $138 M $215.625 M $293.25 M

* Source: Baseline figures from IOM Report, To Err Is Human, on total national health care costs associated with preventable adverse events(between 8.5 billion and 14.5 billion). Year 1 estimates are based on mid-point figures.

TABLE 5—NET BENEFITS: 2009–2013

Year

2009 2010 2011 2012 2013

Total Benefits ....................................................................... $11.5 M $69 M $138 M $215.625 M $293.25 MTotal Costs ........................................................................... $68.9 M $122.1 M $167.8 M $179.0 M $186.5 M

Net Benefits ......................................................................... ($57.4) M ($53.1) M ($29.8) M $36.625 M $106.75 MDiscounted net present value at 3% ................................... ($55.7) M ($50.0) M ($27.3) M $32.5 M $92.1 MDiscounted net present value at 7% ................................... ($53.6) M ($46.4) M ($24.3) M $27.9 M $76.1 M

The final rule includes severalmodifications that could alter the actualeconomic impact of the Patient SafetyAct, but AHRQ concludes that thesechanges will not exceed the ‘‘upper

bound’’ established in our previousanalysis, and we anticipate that theactual economic impact may be less.Several changes incorporated in thefinal rule are likely to lower the costs of

implementation. For example, the finalrule has removed a requirement thatPSOs that are components of otherexisting organizations must maintainseparate information systems and, for all

but a small category of componentPSOs, we have removed restrictions onthe use of shared staff. As we noted inour economic analysis, we expect themost common type of PSO to be onesthat are established by one or moreexisting organizations. As commenterspointed out, personnel costs are likelyto be the most significant cost facing aPSO, and the ability to share personnel

means that skilled personnel areavailable at significantly less cost, andin some cases at no cost, than the PSOwould pay to hire or externally contractfor personnel. Similarly, the costs andadministrative burdens associated withthe development and maintenance werea major focus of commenters. These twochanges are likely to have the greatestimpact on reducing costs for PSOs.

There are two changes in the finalrule that might increase costs slightly

but selectively. The final rule parallelsa HIPAA Privacy Rule requirement that

business associates of covered entitiesmust notify the covered entity if any of its protected health information has

been inappropriately disclosed or itssecurity breached. The final rulerequires PSOs to notify the providersthat submitted patient safety workproduct to the PSO if the work productit submitted has been disclosed or itssecurity breached. As we noted in the

proposed rule, the vast majority of providers reporting data will be coveredentities under HIPAA and will need toinclude such notification requirementsin the business associate agreementsthey will enter with PSOs. In addition,the HIPAA requirement is likely toapply in many disclosure or security

breach situations because most workproduct is expected to contain protectedhealth information. Nevertheless, thisrequirement may increase costs to theextent that PSOs receive work productfrom non-covered entities, althoughthese potential increased costs will be

dependent upon the vigilance withwhich the providers and PSOs meettheir confidentiality and securityrequirements.

With respect to health care providers,the final rule does not imposerequirements. The final rule does affordincreased flexibility and protections toproviders that voluntarily choose to

both establish and document a morestructured process for working with aPSO, i.e., what the rule terms a patientsafety evaluation system, and documentthe flow of information into and out of

the patient safety evaluation system. Forproviders who choose this option, theinformation they assemble and developwithin their patient safety evaluationsystem will be accorded privilege andconfidentiality, contingent upon theinformation ultimately being reported toa PSO, from the outset. To the extentthat this encourages providers, whowould not otherwise have done so, to

establish a structured, documentedpatient safety evaluation system, therewould be an increase in costs. As notedabove, this should not significantlyaffect our previous analysis since weassumed all providers working with aPSO would have established adocumented patient safety evaluationsystem.

Taking advantage of this option willalso enable health care providers withintegrated health informationtechnology systems to avoid therequirement in the proposed rule thatthey maintain the assembly and

development of patient safety workproduct separately from their routinedata collection activities, which wouldhave required a number of providers toestablish dual information systems.While we expect that the costs of developing dual information collectionsystems would exceed the costs of developing and maintaining astructured, documented patient safetyevaluation system, we do not estimateany savings because we cannot be clearhow many providers would haveincurred the dual health information





technology systems costs or would havesimply chosen to forego participation.

After considering the impact of theincreased flexibility in the final rule forPSOs and health care providers, we nowexpect the implementation costs will belower than those in our previousanalysis.

Final Regulatory Flexibility AnalysisSince formation of a PSO is voluntary,

formation is not likely to occur unlessthe organization believes it is aneconomically viable endeavor.Furthermore, PSOs are not likely toundertake tasks that will provideinsufficient payment to cover theircosts. Therefore, the Secretary certifiesthat the regulation will not impose asignificant economic burden on asubstantial number of small entities.

Unfunded Mandates Reform Act

Section 202 of the Unfunded

Mandates Reform Act requires that acovered agency prepare a budgetaryimpact statement before promulgating arule that includes any Federal mandatethat may result in the expenditure byState, local, and Tribal governments, inthe aggregate, or by the private sector, of $100 million or more in any one year.The Department has determined thatthis final rule will not impose amandate that will result in theexpenditure by State, Local, and Tribalgovernments, in the aggregate, or by theprivate sector, of more than $100million in any one year.

Paperwork Reduction Act

This final rule adding a new Part 3 tovolume 42 of the Code of FederalRegulations contains informationcollection requirements. This summaryincludes the estimated costs andassumptions for the paperworkrequirements related to the final rule.

With respect to §3.102 concerning thesubmission of certifications for initialand continued listing as a PSO, and of updated information, all suchinformation would be submitted on the‘‘Patient Safety Organization:

Certification for Initial Listing’’ form. Tomaintain its listing, a PSO must alsosubmit a brief attestation, once every 24-month period after its initial date of listing, submitted on the ‘‘AttestationRegarding the Two Bona Fide ContractsRequirement’’ form, stating that it hasentered contracts with two providers.We estimate that the final rule willcreate an average burden of 30 minutesannually for each entity that seeks to

become a PSO to complete the necessarycertification forms. Table 1 summarizes

burden hours.

TABLE 1—TOTAL BURDEN HOURS RELATED TO CERTIFICATION FORMS [Summary of all burden hours, by provision,

for PSOs]

ProvisionAnnualized

burden hours

3.112 ................................ 30 minutes.

Under 5 CFR 1320.3(c), a coveredcollection of information includes therequirement by an agency of adisclosure of information to thirdparties by means of identical reporting,recordkeeping, or disclosurerequirements, imposed on ten or morepersons. The final rule reflects thepreviously established reportingrequirements for breach of confidentiality applicable to businessassociates under HIPAA regulationsrequiring contracts to contain aprovision requiring the businessassociate (in this case, the PSO) to notify

providers of breaches of theiridentifiable patient data’sconfidentiality or security. Accordingly,this reporting requirement referenced inthe regulation previously metPaperwork Reduction Act reviewrequirements.

The final rule requires in § 3.108(c)that a PSO notify the Secretary if itintends to relinquish voluntarily itsstatus as a PSO. The entity is requiredto notify the Secretary that it has, or willsoon, alert providers and otherorganizations from which it hasreceived patient safety work product or

data of its intention and provide for theappropriate disposition of the data inconsultation with each source of patientsafety work product or data held by theentity. In addition, the entity is asked toprovide the Secretary with currentcontact information for furthercommunication from the Secretary asthe entity ceases operations. Thereporting aspect of this requirement isessentially an attestation that isequivalent to the requirements forlisting, continued listing, and meetingthe minimum contracts requirement.This minimal data requirement wouldcome within 5 CFR 1320.3(h)(1) whichprovides an exception from PRArequirements for affirmations,certifications, or acknowledgments aslong as they entail no burden other thanthat necessary to identify therespondent, the date, the respondent’saddress, and the nature of theinstrument. In this case, the nature of the instrument is an attestation that thePSO is working with its providers forthe orderly cessation of activities. Thefollowing other collections of information that are required by the

final regulation under §3.108 are alsoexempt from PRA requirementspursuant to an exception in 5 CFR1320.4 for information gathered as partof administrative investigations andactions regarding specific parties:information supplied in response topreliminary agency determinations of PSO deficiencies or in response to

proposed revocation and delisting, e.g.,information providing the agency withcorrect facts, reporting correctiveactions taken, or appealing proposedagency revocation decisions.

AHRQ and OCR published in theFederal Register their proposedinformation collection forms onFebruary 20, 2008. Following the first,60-day comment period, the forms wereagain published in the Federal Registeron April 21, 2008, to begin the second,30-day comment period. The forms werenot changed following the first commentperiod, and they and the one comment

received were sent to OMB, whichreceived them on April 25, 2008. Minorchanges to the proposed forms will benecessary to align them with the finalrule. AHRQ and OCR will work withOMB to ensure that the forms needed toimplement the Patient Safety Actconform to the requirements of the finalrule.

Federalism

Executive Order 13132 establishescertain requirements that an agencymust meet when it promulgates a finalrule that imposes substantial directrequirement costs on state and local

governments, preempts State law, orotherwise has Federalism implications.The Patient Safety Act upon which thefinal regulation is based makes patientsafety work product confidential andprivileged. To the extent this isinconsistent with any state law,including court decisions, the Federalstatute preempts such state law or courtorder. The final rule will not have anygreater preemptive effect on state orlocal governments than that imposed bythe statute. While the Patient Safety Actdoes establish new Federalconfidentiality and privilege protections

for certain information, theseprotections only apply when health careproviders work with PSOs and newprocesses, such as patient safetyevaluation systems, that do notcurrently exist. These Federal dataprotections provide a mechanism forprotection of sensitive information thatcould improve the quality, safety, andoutcomes of health care by fostering anon-threatening environment in whichinformation about adverse medicalevents and near misses can bediscussed. It is hoped that confidential





analysis of patient safety events willreduce the occurrence of adversemedical events and, thereby, reduce thecosts arising from such events,including costs incurred by state andlocal governments attributable to suchevents. In addition, the Patient SafetyAct and the final rule do not relievehealth care providers of their

responsibilities to comply with statereporting requirements.

AHRQ, in conjunction with OCR, heldthree public listening sessions prior todrafting the proposed rule.Representatives of several statesparticipated in these sessions. Inparticular, states that had begun tocollect and analyze patient safety eventinformation spoke about their relatedexperiences and plans. Followingpublication of the proposed rule, AHRQ consulted with state officials andorganizations to review the scope of theproposed rule and to specifically seek

input on federalism issues and aproposal in the rule at proposed§ 3.102(a)(2) that would limit the ability

of public or private sector regulatoryentities to seek listing as a PSO. AHRQ received no expressions of concernsregarding the Federalism aspects of theproposed rule although several Statehealth departments and commissionssubmitted written comments regardingthe PSO eligibility criteria in theproposed rule.

OMB Accounting Statement

The table below summarizes theestimated costs and benefits of implementing the Patient Safety andQuality Improvement Act for the nextfive years, beginning with January 1,2009, by which time it is expected thatthe rule will be effective.

The figures in the table are derivedfrom the regulatory impact analysesoutlined above and, more completely, inthe February 12, 2008 NPRM publishedin the Federal Register, on pages 8164to 8171. As in the previous analyses, the

range of benefits derives directly fromthe range of potentially-avoidableincidents cited (estimated) in IOM

Report, To Err Is Human. The range of costs is the same as was included in theNPRM, where minimum and maximumestimates were calculated as 10% aboveand 10% below the Agency’s primaryestimate of costs.

All figures are calculated at twodiscount rates, 7% and 3%, and dollars

are held constant at the 2008 level. Thediscount rates, 3% or 7%, represent tworates of return that might be expectedfrom government investments. Thepurpose is to project the expected futurecosts and benefits in today’s dollars.(Future dollars will be worth less thantoday’s dollars, barring appropriateinvestments.) Figures are annualized,that is average-per-year over the fiveyears. The discount rates, 3% or 7%,represent two rates of return that might

be expected from governmentinvestments. The purpose is to projectthe expected future costs and benefits in

today’s dollars. (Future dollars will beworth less than today’s dollars, barringappropriate investments.)

OMB #: Agency/Program Office: AHRQ

Rule Title: Patient Safety and Quality Improvement Act

RIN #: Date: 8/25/2008

CATEGORY Primaryestimate(millions)

Minimumestimate(millions)

Maximumestimate(millions)

Source citation(RIA, preamble,

etc.)

BENEFITS .................................................................................................... $145.5 $107.5 $183.4 AHRQ Analysis.

Annualized discounted (5 years):

@ 7% ..................................................................................................... 111.5 82.4 140.5@ 3% ..................................................................................................... 129.4 95.7 163.2COSTS .......................................................................................................... 144.9 130.4 159.3 AHRQ Analysis.Annualized discounted (5 years):

@ 7% ..................................................................................................... 115.5 104.0 127.1@ 3% ..................................................................................................... 131.1 118.0 144.2

Transfers ....................................................................................................... N/AEffects on small businesses ......................................................................... N/AEffects on States and tribes ......................................................................... N/A

List of Subjects in 42 CFR Part 3

Administrative practice andprocedure, Civil money penalty,Confidentiality, Conflict of interests,

Courts, Freedom of information, Health,Health care, Health facilities, Healthinsurance, Health professions, Healthrecords, Hospitals, Investigations, Lawenforcement, Medical research,Organization and functions, Patient,Patient safety, Privacy, Privilege, Publichealth, Reporting and recordkeepingrequirements, Safety, State and localgovernments, Technical assistance.

■ For the reasons stated in the preamble,the Department of Health and HumanServices amends Title 42 of the Code of

Federal Regulations by adding a newpart 3 to read as follows:

PART 3—PATIENT SAFETY

ORGANIZATIONS AND PATIENTSAFETY WORK PRODUCT

Subpart A—General Provisions

Sec.3.10 Purpose.3.20 Definitions.

Subpart B—PSO Requirements and AgencyProcedures

3.102 Process and requirements for initialand continued listing of PSOs.

3.104 Secretarial actions.3.106 Security requirements.

3.108 Correction of deficiencies, revocation,and voluntary relinquishment.

3.110 Assessment of PSO compliance.3.112 Submissions and forms.

Subpart C—Confidentiality and PrivilegeProtections of Patient Safety Work Product

3.204 Privilege of patient safety workproduct.

3.206 Confidentiality of patient safety workproduct.

3.208 Continued protection of patient safetywork product.

3.210 Required disclosure of patient safetywork product to the Secretary.

3.212 Nonidentification of patient safetywork product.

Subpart D—Enforcement Program

3.304 Principles for achieving compliance.





3.306 Complaints to the Secretary.3.308 Compliance reviews.3.310 Responsibilities of respondents.3.312 Secretarial action regarding

complaints and compliance reviews.3.314 Investigational subpoenas and

inquiries.3.402 Basis for a civil money penalty.3.404 Amount of a civil money penalty.3.408 Factors considered in determining the

amount of a civil money penalty.3.414 Limitations.3.416 Authority to settle.3.418 Exclusivity of penalty.3.420 Notice of proposed determination.3.422 Failure to request a hearing.3.424 Collection of penalty.3.426 Notification of the public and other

agencies.3.504 Hearings before an ALJ.3.506 Rights of the parties.3.508 Authority of the ALJ.3.510 Ex parte contacts.3.512 Prehearing conferences.3.514 Authority to settle.3.516 Discovery.3.518 Exchange of witness lists, witness

statements, and exhibits.3.520 Subpoenas for attendance at hearing.3.522 Fees.3.524 Form, filing, and service of papers.3.526 Computation of time.3.528 Motions.3.530 Sanctions.3.532 Collateral estoppel.3.534 The hearing.3.538 Witnesses.3.540 Evidence.3.542 The record.3.544 Post hearing briefs.3.546 ALJ’s decision.3.548 Appeal of the ALJ’s decision.3.550 Stay of the Secretary’s decision.3.552 Harmless error.

Authority: 42 U.S.C. 216, 299b–21 through299b–26; 42 U.S.C. 299c–6.

Subpart A—General Provisions

§3.10 Purpose.

The purpose of this Part is toimplement the Patient Safety andQuality Improvement Act of 2005 (Pub.L. 109–41), which amended Title IX of the Public Health Service Act (42 U.S.C.299 et seq.) by adding sections 921through 926, 42 U.S.C. 299b–21 through299b–26.

§ 3.20 Definitions.

As used in this Part, the terms listedalphabetically below have the meaningsset forth as follows:

Affiliated provider means, withrespect to a provider, a legally separateprovider that is the parent organizationof the provider, is under commonownership, management, or controlwith the provider, or is owned,managed, or controlled by the provider.

AHRQ stands for the Agency forHealthcare Research and Quality inHHS.

ALJ stands for an Administrative Law Judge of HHS.

Board means the members of the HHSDepartmental Appeals Board, in theOffice of the Secretary, which issuesdecisions in panels of three.

Bona fide contract means:(1) A written contract between a

provider and a PSO that is executed in

good faith by officials authorized toexecute such contract; or

(2) A written agreement (such as amemorandum of understanding orequivalent recording of mutualcommitments) between a Federal, State,local, or Tribal provider and a Federal,State, local, or Tribal PSO that isexecuted in good faith by officialsauthorized to execute such agreement.

Complainant means a person whofiles a complaint with the Secretarypursuant to § 3.306.

Component organization means anentity that:

(1) Is a unit or division of a legalentity (including a corporation,partnership, or a Federal, State, local orTribal agency or organization); or

(2) Is owned, managed, or controlled by one or more legally separate parentorganizations.

Component PSO means a PSO listed by the Secretary that is a componentorganization.

Confidentiality provisions means forpurposes of Subparts C and D, anyrequirement or prohibition concerningconfidentiality established by sections921 and 922(b)–(d), (g) and (i) of thePublic Health Service Act, 42 U.S.C.

299b–21, 299b–22(b)–(d), (g) and (i) andthe provisions, at §§3.206 and 3.208,that implement the statutory prohibitionon disclosure of identifiable patientsafety work product.

Disclosure means the release, transfer,provision of access to, or divulging inany other manner of patient safety workproduct by:

(1) An entity or natural personholding the patient safety work productto another legally separate entity ornatural person, other than a workforcemember of, or a health care providerholding privileges with, the entity

holding the patient safety work product;or(2) A component PSO to another

entity or natural person outside thecomponent PSO and within the legalentity of which the component PSO isa part.

Entity means any organization ororganizational unit, regardless of whether the organization is public,private, for-profit, or not-for-profit.

Group health plan means anemployee welfare benefit plan (asdefined in section 3(1) of the Employee

Retirement Income Security Act of 1974(ERISA)) to the extent that the planprovides medical care (as defined inparagraph (2) of section 2791(a) of thePublic Health Service Act, includingitems and services paid for as medicalcare) to employees or their dependents(as defined under the terms of the plan)directly or through insurance,

reimbursement, or otherwise.Health insurance issuer means an

insurance company, insurance service,or insurance organization (including ahealth maintenance organization, asdefined in 42 U.S.C. 300gg–91(b)(3))which is licensed to engage in the

business of insurance in a State andwhich is subject to State law whichregulates insurance (within the meaningof 29 U.S.C. 1144(b)(2)). This term doesnot include a group health plan.

Health maintenance organizationmeans:

(1) A Federally qualified health

maintenance organization (HMO) (asdefined in 42 U.S.C. 300e(a));(2) An organization recognized under

State law as a health maintenanceorganization; or

(3) A similar organization regulatedunder State law for solvency in the samemanner and to the same extent as sucha health maintenance organization.

HHS stands for the United StatesDepartment of Health and HumanServices.

HIPAA Privacy Rule means theregulations promulgated under section264(c) of the Health InsurancePortability and Accountability Act of

1996 (HIPAA), at 45 CFR part 160 andSubparts A and E of Part 164.

Identifiable patient safety work product means patient safety workproduct that:

(1) Is presented in a form and mannerthat allows the identification of anyprovider that is a subject of the workproduct, or any providers thatparticipate in, or are responsible for,activities that are a subject of the workproduct;

(2) Constitutes individuallyidentifiable health information as thatterm is defined in the HIPAA Privacy

Rule at 45 CFR 160.103; or(3) Is presented in a form and mannerthat allows the identification of anindividual who in good faith reportedinformation directly to a PSO or to aprovider with the intention of havingthe information reported to a PSO(‘‘reporter’’).

Nonidentifiable patient safety work product means patient safety workproduct that is not identifiable patientsafety work product in accordance withthe nonidentification standards set forthat §3.212.





OCR stands for the Office for CivilRights in HHS.

Parent organization means anorganization that: owns a controllinginterest or a majority interest in acomponent organization; has theauthority to control or manage agendasetting, project management, or day-to-day operations; or the authority to

review and override decisions of acomponent organization. Thecomponent organization may be aprovider.

Patient Safety Act means the PatientSafety and Quality Improvement Act of 2005 (Pub. L. 109–41), which amendedTitle IX of the Public Health Service Act(42 U.S.C. 299 et seq.) by inserting anew Part C, sections 921 through 926,which are codified at 42 U.S.C. 299b–21through 299b–26.

Patient safety activities means thefollowing activities carried out by or on

behalf of a PSO or a provider:

(1) Efforts to improve patient safetyand the quality of health care delivery;(2) The collection and analysis of

patient safety work product;(3) The development and

dissemination of information withrespect to improving patient safety, suchas recommendations, protocols, orinformation regarding best practices;

(4) The utilization of patient safetywork product for the purposes of encouraging a culture of safety and of providing feedback and assistance toeffectively minimize patient risk;

(5) The maintenance of procedures topreserve confidentiality with respect to

patient safety work product;(6) The provision of appropriate

security measures with respect topatient safety work product;

(7) The utilization of qualified staff;and

(8) Activities related to the operationof a patient safety evaluation system andto the provision of feedback toparticipants in a patient safetyevaluation system.

Patient safety evaluation systemmeans the collection, management, oranalysis of information for reporting toor by a PSO.

Patient safety organization (PSO)means a private or public entity orcomponent thereof that is listed as aPSO by the Secretary in accordancewith Subpart B. A health insuranceissuer or a component organization of ahealth insurance issuer may not be aPSO. See also the exclusions in §3.102of this Part.

Patient safety work product:(1) Except as provided in paragraph

(2) of this definition, patient safety workproduct means any data, reports,records, memoranda, analyses (such as

root cause analyses), or written or oralstatements (or copies of any of thismaterial)

(i) Which could improve patientsafety, health care quality, or health careoutcomes; and

(A) Which are assembled ordeveloped by a provider for reporting toa PSO and are reported to a PSO, which

includes information that isdocumented as within a patient safetyevaluation system for reporting to aPSO, and such documentation includesthe date the information entered thepatient safety evaluation system; or

(B) Are developed by a PSO for theconduct of patient safety activities; or

(ii) Which identify or constitute thedeliberations or analysis of, or identifythe fact of reporting pursuant to, apatient safety evaluation system.

(2)(i) Patient safety work product doesnot include a patient’s medical record,

billing and discharge information, or

any other original patient or providerinformation; nor does it includeinformation that is collected,maintained, or developed separately, orexists separately, from a patient safetyevaluation system. Such separateinformation or a copy thereof reportedto a PSO shall not by reason of itsreporting be considered patient safetywork product.

(ii) Patient safety work productassembled or developed by a providerfor reporting to a PSO may be removedfrom a patient safety evaluation systemand no longer considered patient safetywork product if:

(A) The information has not yet beenreported to a PSO; and

(B) The provider documents the actand date of removal of such informationfrom the patient safety evaluationsystem.

(iii) Nothing in this part shall beconstrued to limit information that isnot patient safety work product from

being:(A) Discovered or admitted in a

criminal, civil or administrativeproceeding;

(B) Reported to a Federal, State, localor Tribal governmental agency for

public health or health oversightpurposes; or(C) Maintained as part of a provider’s

recordkeeping obligation under Federal,State, local or Tribal law.

Person means a natural person, trustor estate, partnership, corporation,professional association or corporation,or other entity, public or private.

Provider means:(1) An individual or entity licensed or

otherwise authorized under State law toprovide health care services,including—

(i) A hospital, nursing facility,comprehensive outpatient rehabilitationfacility, home health agency, hospiceprogram, renal dialysis facility,ambulatory surgical center, pharmacy,physician or health care practitioner’soffice (includes a group practice), longterm care facility, behavior healthresidential treatment facility, clinical

laboratory, or health center; or(ii) A physician, physician assistant,

registered nurse, nurse practitioner,clinical nurse specialist, certifiedregistered nurse anesthetist, certifiednurse midwife, psychologist, certifiedsocial worker, registered dietitian ornutrition professional, physical oroccupational therapist, pharmacist, orother individual health carepractitioner;

(2) Agencies, organizations, andindividuals within Federal, State, local,or Tribal governments that deliverhealth care, organizations engaged as

contractors by the Federal, State, local,or Tribal governments to deliver healthcare, and individual health carepractitioners employed or engaged ascontractors by the Federal State, local,or Tribal governments to deliver healthcare; or

(3) A parent organization of one ormore entities described in paragraph(1)(i) of this definition or a Federal,State, local, or Tribal government unitthat manages or controls one or moreentities described in paragraphs (1)(i) or(2) of this definition.

Research has the same meaning as theterm is defined in the HIPAA PrivacyRule at 45 CFR 164.501.

Respondent means a provider, PSO,or responsible person who is the subjectof a complaint or a compliance review.

Responsible person means a person,other than a provider or a PSO, who haspossession or custody of identifiablepatient safety work product and issubject to the confidentiality provisions.

Workforce means employees,volunteers, trainees, contractors, orother persons whose conduct, in theperformance of work for a provider, PSOor responsible person, is under thedirect control of such provider, PSO or

responsible person, whether or not theyare paid by the provider, PSO orresponsible person.

Subpart B—PSO Requirements andAgency Procedures

§ 3.102 Process and requirements forinitial and continued listing of PSOs.

(a) Eligibility and process for initial and continued listing —(1) Submissionof certification. Any entity, except asspecified in paragraph (a)(2) of thissection, may request from the Secretary





an initial or continued listing as a PSO by submitting a completed certificationform that meets the requirements of thissection, in accordance with § 3.112. Anindividual with authority to makecommitments on behalf of the entityseeking listing will be required tosubmit contact information for theentity and:

(i) Attest that the entity is not subjectto any exclusion in paragraph (a)(2) of this section;

(ii) Provide certifications that theentity meets each requirement for PSOsin paragraph (b) of this section;

(iii) If the entity is a component of another organization, provide theadditional certifications that the entitymeets the requirements of paragraph(c)(1)(i) of this section;

(iv) If the entity is a component of anexcluded entity described in paragraph(a)(2)(ii), provide the additionalcertifications and information required

by paragraph (c)(1)(ii) of this section;(v) Attest that the entity has disclosedif the Secretary has ever delisted thisentity (under its current name or anyother) or refused to list the entity orwhether any of its officials or seniormanagers held comparable positions of responsibility in an entity that wasdenied listing or delisted and, if any of these circumstances apply, submit withits certifications and related disclosures,the name of the entity or entities thatthe Secretary declined to list or delisted;

(vi) Attest that the PSO will promptlynotify the Secretary during its period of listing if it can no longer comply with

any of its attestations and the applicablerequirements in §§3.102(b) and 3.102(c)or if there have been any changes in theaccuracy of the information submittedfor listing, along with the pertinentchanges; and

(vii) Provide other information thatthe Secretary determines to be necessaryto make the requested listingdetermination.

(2) Exclusion of certain entities. Thefollowing types of entities may not seeklisting as a PSO:

(i) A health insurance issuer; a unit ordivision of a health insurance issuer; or

an entity that is owned, managed, orcontrolled by a health insurance issuer;(ii) (A) An entity that accredits or

licenses health care providers;(B) An entity that oversees or enforces

statutory or regulatory requirementsgoverning the delivery of health careservices;

(C) An agent of an entity that overseesor enforces statutory or regulatoryrequirements governing the delivery of health care services; or

(D) An entity that operates a Federal,state, local or Tribal patient safety

reporting system to which health careproviders (other than members of theentity’s workforce or health careproviders holding privileges with theentity) are required to reportinformation by law or regulation.

(iii) A component of an entity listedin paragraph (a)(2)(ii) may seek listingas a component PSO subject to the

requirements and restrictions of paragraph (c)(1)(ii) of this section.

(3) Submission of certification for continued listing. To facilitate a timelySecretarial determination regardingacceptance of its certification forcontinued listing, a PSO must submitthe required certification no later than75 days before the expiration of a PSO’sthree-year period of listing.

(b) Fifteen general PSO certificationrequirements. The certificationssubmitted to the Secretary inaccordance with paragraph (a)(1)(ii) of this section must conform to the

following 15 requirements:(1) Required certification regarding

eight patient safety activities.(i) Initial listing. An entity seeking

initial listing as a PSO must certify thatit has written policies and procedures inplace to perform each of the eightpatient safety activities, defined in§ 3.20. With respect to paragraphs (5)and (6) in the definition of patient safetyactivities regarding confidentiality andsecurity, the policies and proceduresmust include and provide for:

(A) Compliance with theconfidentiality provisions of Subpart C

of this part and with appropriatesecurity measures as required by § 3.106of this subpart.

(B) Notification of each provider thatsubmitted patient safety work productor data as described in § 3.108(b)(2) tothe entity if the submitted work productor data was subject to an unauthorizeddisclosure or its security was breached.

(ii) Continued Listing. A PSO seekingcontinued listing must certify that it isperforming, and will continue toperform, each of the patient safetyactivities defined in §3.20, and is andwill continue to comply with therequirements of paragraphs (b)(1)(i)(A)and (B) of this section.

(2) Required certification regarding seven PSO criteria.

(i) Initial Listing. In its initialcertification submission, an entity mustalso certify that, if listed as a PSO, itwill comply with the sevenrequirements in paragraphs (b)(2)(i)(A)through (G) of this section.

(A) The mission and primary activityof the PSO must be to conduct activitiesthat are to improve patient safety andthe quality of health care delivery.

(B) The PSO must have appropriatelyqualified workforce members, includinglicensed or certified medicalprofessionals.

(C) The PSO, within the 24-monthperiod that begins on the date of itsinitial listing as a PSO, and within eachsequential 24-month period thereafter,must have 2 bona fide contracts, each of

a reasonable period of time, each witha different provider for the purpose of receiving and reviewing patient safetywork product.

(D) The PSO is not a health insuranceissuer, and is not a component of ahealth insurance issuer.

(E) The PSO must make disclosures tothe Secretary as required under§ 3.102(d), in accordance with § 3.112 of this subpart.

(F) To the extent practical andappropriate, the PSO must collectpatient safety work product fromproviders in a standardized manner that

permits valid comparisons of similarcases among similar providers.

(G) The PSO must utilize patientsafety work product for the purpose of providing direct feedback and assistanceto providers to effectively minimizepatient risk.

(ii) Continued Listing. A PSO seekingcontinued listing must certify that it iscomplying with, and will continue tocomply with, the requirements of paragraphs (b)(2)(i)(A) through (G) of this section.

(iii) Compliance with the criterion for collecting patient safety work product in

a standardized manner to the extent practical and appropriate. With respectto paragraph (b)(2)(i)(F) of this section,the Secretary will assess compliance bya PSO in the following manner.

(A) A PSO seeking continued listingmust:

(1) Certify that the PSO is using theSecretary’s published guidance forcommon formats and definitions in itscollection of patient safety work product(option (I));

(2) Certify that the PSO is using analternative system of formats anddefinitions that permits validcomparisons of similar cases amongsimilar providers (option (II)); or

(3) Provide a clear explanation forwhy it is not practical or appropriate forthe PSO to comply with options (I) or(II) at this time.

(B) The Secretary will consider a PSOto be in compliance if the entitycomplies with option (I), satisfactorilydemonstrates that option (II) permitsvalid comparisons of similar casesamong similar providers, orsatisfactorily demonstrates that it is notpractical or appropriate for the PSO to





comply with options (I) or (II) at thistime.

(c) Additional certifications required of component organizations—(1)Requirements when seeking listing —(i)Requirements that all component organizations must meet. In addition tomeeting the 15 general PSO certificationrequirements of paragraph (b) of this

section, an entity seeking initial listingthat is a component of anotherorganization must certify that it willcomply with the requirements of paragraph (c)(2) of this section. Acomponent PSO seeking continuedlisting must certify that it is complyingwith, and will continue to comply with,the requirements of this same paragraph(c)(2). At initial and continued listing, acomponent entity must attach to itscertifications for listing contactinformation for its parentorganization(s).

(ii) Additional requirements and limitations applicable to components of entities that are excluded from listing.In addition to the requirements underparagraph (c)(1)(i) of this section, acomponent of an organization excludedfrom listing under paragraph (a)(2)(ii) of this section must submit the additionalcertifications and specified informationfor initial and continued listing andcomply with paragraph (c)(4) of thissection.

(2) Required component certifications—(i) Separation of patient safety work product. A component PSOmust maintain patient safety workproduct separately from the rest of the

parent organization(s) of which it is apart, and establish appropriate securitymeasures to maintain the confidentialityof patient safety work product. Theinformation system in which thecomponent PSO maintains patientsafety work product must not permitunauthorized access by one or moreindividuals in, or by units of, the rest of the parent organization(s) of which it isa part.

(ii) Nondisclosure of patient safety work product. A component PSO mustrequire that members of its workforceand any other contractor staff not make

unauthorized disclosures of patientsafety work product to the rest of theparent organization(s) of which it is apart.

(iii) No conflict of interest. Thepursuit of the mission of a componentPSO must not create a conflict of interest with the rest of the parentorganization(s) of which it is a part.

(3) Written agreements for assisting acomponent PSO in the conduct of

patient safety activities.Notwithstanding the requirements of paragraph (c)(2) of this section, a

component PSO may provide access toidentifiable patient safety work productto one or more individuals in, or to oneor more units of, the rest of the parentorganization(s) of which it is a part, if the component PSO enters into awritten agreement with suchindividuals or units which requires that:

(i) The component PSO will only

provide access to identifiable patientsafety work product to enable suchindividuals or units to assist thecomponent PSO in its conduct of patient safety activities, and

(ii) Such individuals or units thatreceive access to identifiable patientsafety work product pursuant to suchwritten agreement will only use ordisclose such information as specified

by the component PSO to assist thecomponent PSO in its conduct of patient safety activities, will takeappropriate security measures toprevent unauthorized disclosures andwill comply with the other certificationsthe component has made pursuant toparagraph (c)(2) of this section regardingunauthorized disclosures andconducting the mission of the PSOwithout creating conflicts of interest.

(4) Required attestations, informationand operational limitations for components of entities excluded fromlisting. A component organization of anentity that is subject to the restrictionsof paragraph (a)(2)(ii) of this sectionmust:

(i) Submit the following informationwith its certifications for listing:

(A) A statement describing its parent

organization’s role, and the scope of theparent organization’s authority, withrespect to any of the following thatapply: Accreditation or licensure of health care providers, oversight orenforcement of statutory or regulatoryrequirements governing the delivery of health care services, serving as an agentof such a regulatory oversight orenforcement authority, or administeringa public mandatory patient safetyreporting system;

(B) An attestation that the parentorganization has no policies orprocedures that would require or induce

providers to report patient safety workproduct to their component organizationonce listed as a PSO and that thecomponent PSO will notify theSecretary within 5 calendar days of thedate on which the componentorganization has knowledge of theadoption by the parent organization of such policies or procedures, and anacknowledgment that the adoption of such policies or procedures by theparent organization during thecomponent PSO’s period of listing willresult in the Secretary initiating an

expedited revocation process inaccordance with §3.108(e); and

(C) An attestation that the componentorganization will prominently postnotification on its Web site and publishin any promotional materials fordissemination to providers, a summaryof the information that is required byparagraph (c)(4)(i)(A) of this section.

(ii) Comply with the followingrequirements during its period of listing:

(A) The component organization maynot share staff with its parentorganization(s).

(B) The component organization mayenter into a written agreement pursuantto paragraph (c)(3) but such agreementsare limited to units or individuals of theparent organization(s) whoseresponsibilities do not involve theactivities specified in the restrictions inparagraph (a)(2)(ii) of this section.

(d) Required notifications. Uponlisting, PSOs must meet the followingnotification requirements:

(1) Notification regarding PSOcompliance with the minimum contract requirement. No later than 45 calendardays prior to the last day of thepertinent 24-month assessment period,specified in paragraph (b)(2)(iii)(C) of this section, the Secretary must receivefrom a PSO a certification that stateswhether it has met the requirement of that paragraph regarding two bona fidecontracts, submitted in accordance with§ 3.112 of this subpart.

(2) Notification regarding a PSO’srelationships with its contracting

providers.

(i) Requirement. A PSO must file adisclosure statement regarding aprovider with which it has a contractthat provides the confidentiality andprivilege protections of the PatientSafety Act (hereinafter referred to as aPatient Safety Act contract) if the PSOhas any other relationships with thisprovider that are described inparagraphs (d)(2)(i)(A) through (D) of this section. The PSO must disclose allsuch relationships. A disclosurestatement is not required if all of itsother relationships with the provider arelimited to Patient Safety Act contracts.

(A) The provider and PSO havecurrent contractual relationships, otherthan those arising from any PatientSafety Act contracts, including formalcontracts or agreements that imposeobligations on the PSO.

(B) The provider and PSO havecurrent financial relationships otherthan those arising from any PatientSafety Act contracts. A financialrelationship may include any direct orindirect ownership or investmentrelationship between the PSO and thecontracting provider, shared or common





financial interests or direct or indirectcompensation arrangements whether incash or in-kind.

(C) The PSO and provider havecurrent reporting relationships otherthan those arising from any PatientSafety Act contracts, by which theprovider has access to informationregarding the work and operation of the

PSO that is not available to othercontracting providers.

(D) Taking into account allrelationships that the PSO has with theprovider, the PSO is not independentlymanaged or controlled, or the PSO doesnot operate independently from, thecontracting provider.

(ii) Content. A PSO must submit tothe Secretary the required attestationform for disclosures with theinformation specified below inaccordance with §3.112 and thissection. The substantive informationthat must be included with eachsubmission has two required parts:

(A) The Required Disclosures. Thefirst part of the substantive informationmust provide a succinct list of obligations between the PSO and thecontracting provider apart from theirPatient Safety Act contract(s) that create,or contain, any of the types of relationships that must be disclosed

based upon the requirements of paragraphs (d)(2)(i)(A) through (D) of this section. Each reportable obligationor discrete set of obligations that thePSO has with this contracting providershould be listed only once; noting thespecific aspects of the obligation(s) that

reflect contractual or financialrelationships, involve access toinformation that is not available to otherproviders, or affect the independence of PSO operations, management, orcontrol.

(B) An Explanatory Narrative. Thesecond required part of the substantiveinformation must provide a brief explanatory narrative succinctlydescribing: The policies and proceduresthat the PSO has in place to ensureadherence to objectivity andprofessionally recognized analyticstandards in the assessments it

undertakes; and any other policies orprocedures, or agreements with thisprovider, that the PSO has in place toensure that it can fairly and accuratelyperform patient safety activities.

(iii) Deadlines for submission. TheSecretary must receive a disclosurestatement within 45 days of the date onwhich a PSO enters a contract with aprovider if the circumstances describedin any of the paragraphs (d)(2)(i)(A)through (D) of this section are met onthe date the contract is entered. Duringthe contract period, if these

circumstances subsequently arise, theSecretary must receive a disclosurestatement from the PSO within 45 daysof the date that any disclosurerequirement in paragraph (d)(2)(i) of thissection first applies.

§ 3.104 Secretarial actions.

(a) Actions in response to certification

submissions for initial and continued listing as a PSO. (1) In response to aninitial or continued certificationsubmission by an entity, pursuant to therequirements of §3.102 of this subpart,the Secretary may—

(i) Accept the certification submissionand list the entity as a PSO, or maintainthe listing of a PSO, if the Secretarydetermines that the entity meets theapplicable requirements of the PatientSafety Act and this subpart;

(ii) Deny acceptance of a certificationsubmission and, in the case of acurrently listed PSO, remove the entityfrom the list if the entity does not meetthe applicable requirements of thePatient Safety Act and this subpart; or

(iii) Condition the listing of an entityor the continued listing of a PSO,following a determination madepursuant to paragraph (c) of this sectionor a determination after review of thepertinent history of an entity that has

been delisted or refused listing and itsofficials and senior managers.

(2) Basis for determination. In makinga determination regarding listing, theSecretary will consider the certificationsubmission; any prior actions by theSecretary regarding the entity or PSO

including delisting; any history of orcurrent non-compliance by the entity orthe PSO or its officials or seniormanagers with statutory or regulatoryrequirements or requests from theSecretary; the relationships of the entityor PSO with providers; and any findingsmade by the Secretary in accordancewith paragraph (c) of this section.

(3) Notification. The Secretary willnotify in writing each entity of actiontaken on its certification submission forinitial or continued listing. TheSecretary will provide reasons when anentity’s certification is conditionally

accepted and the entity is conditionallylisted, when an entity’s certification isnot accepted and the entity is not listed,or when acceptance of its certification isrevoked and the entity is delisted.

(b) Actions regarding PSO compliancewith the minimum contract requirement. After the date on whichthe Secretary, under §3.102(d)(1) of thissubpart, must receive notificationregarding compliance of a PSO with theminimum contract requirement—

(1) If the PSO has met the minimumcontract requirement, the Secretary will

acknowledge in writing receipt of thenotification and add information to thelist established pursuant to paragraph(d) of this section stating that the PSOhas certified that it has met therequirement.

(2) If the PSO states that it has not yetmet the minimum contract requirement

by the date specified in § 3.102(d)(1), or

if notice is not received by that date, theSecretary will issue to the PSO a noticeof a preliminary finding of deficiency asspecified in §3.108(a)(2) and establish aperiod for correction that extends untilmidnight of the last day of the PSO’sapplicable 24-month period of assessment. Thereafter, if therequirement has not been met, theSecretary will provide the PSO a writtennotice of proposed revocation anddelisting in accordance with§ 3.108(a)(3).

(c) Actions regarding required disclosures by PSOs of relationshipswith contracting providers. TheSecretary will review and make findingsregarding each disclosure statementsubmitted by a PSO, pursuant to§ 3.102(d)(2), regarding its relationshipswith contracting provider(s), determinewhether such findings warrant actionregarding the listing of the PSO inaccordance with paragraph (c)(2) of thissection, and make the findings public.

(1) Basis of findings regarding PSOdisclosure statements. In reviewingdisclosure statements, submittedpursuant to §3.102(d)(2) of this subpart,the Secretary will consider the disclosedrelationship(s) between the PSO and the

contracting provider and the statementsand material submitted by the PSOdescribing the policies and proceduresthat the PSO has in place to determinewhether the PSO can fairly andaccurately perform the required patientsafety activities.

(2) Determination by the Secretary.Based on the Secretary’s review andfindings, he may choose to take any of the following actions:

(i) For an entity seeking an initial orcontinued listing, the Secretary may listor continue the listing of an entitywithout conditions, list the entity

subject to conditions, or deny theentity’s certification for initial orcontinued listing; or

(ii) For a listed PSO, the Secretarymay determine that the entity willremain listed without conditions,continue the entity’s listing subject toconditions, or remove the entity fromthe list of PSOs.

(3) Release of disclosure statementsand Secretarial findings. (i) Subject toparagraph (c)(3)(ii) of this section, theSecretary will make disclosurestatements available to the public along





with related findings that are madeavailable in accordance with paragraph(c) of this section.

(ii) The Secretary may withholdinformation that is exempt from publicdisclosure under the Freedom of Information Act, e.g., trade secrets orconfidential commercial informationthat are subject to the restrictions of 18

U.S.C. 1905.(d) Maintaining a list of PSOs. The

Secretary will compile and maintain apublicly available list of entities whosecertifications as PSOs have beenaccepted. The list will include contactinformation for each entity, a copy of allcertification forms and disclosurestatements submitted by each entity inaccordance with paragraph (c)(3)(ii) of this section, the effective date of thePSO’s listing, and information onwhether a PSO has certified that it hasmet the two contract requirement. Thelist also will include a copy of the

Secretary’s findings regarding eachdisclosure statement submitted by anentity, information describing anyrelated conditions that have been placed

by the Secretary on the listing of anentity as a PSO, and other informationthat this Subpart states may be madepublic. AHRQ may maintain a PSOwebsite (or a comparable future form of public notice) and may post the list onthis website.

(e) Three-year period of listing. (1)The three-year period of listing of a PSOwill automatically expire at midnight of the last day of this period, unless the

listing had been revoked or relinquishedearlier in accordance with §3.108 of thissubpart, or if, prior to this automaticexpiration, the PSO seeks a new three-year listing, in accordance with § 3.102,and the Secretary accepts the PSO’scertification for a new three-year listing,in accordance with §3.104(a).

(2) The Secretary plans to send awritten notice of imminent expiration toa PSO at least 60 calendar days prior tothe date on which its three-year periodof listing expires if the Secretary has notyet received a certification for continuedlisting. The Secretary plans to indicate,on the AHRQ PSO website, the PSOsfrom whom certifications for continuedlisting have not been timely received.

(f) Effective dates of Secretarial actions. Unless otherwise stated, theeffective date of each action by theSecretary pursuant to this subpart will

be specified in the written notice of such action that is sent to the entity.When the Secretary sends a notice thataddresses acceptance or revocation of anentity’s certifications or voluntaryrelinquishment by an entity of its statusas a PSO, the notice will specify the

effective date and time of listing ordelisting.

§ 3.106 Security requirements.

(a) Application. A PSO must securepatient safety work product inconformance with the securityrequirements of paragraph (b) of thissection. These requirements must be

met at all times and at any location atwhich the PSO, its workforce members,or its contractors receive, access, orhandle patient safety work product.Handling patient safety work productincludes its processing, development,use, maintenance, storage, removal,disclosure, transmission anddestruction.

(b) Security framework. A PSO musthave written policies and proceduresthat address each of the considerationsspecified in this subsection. Inaddressing the framework that follows,the PSO may develop appropriate and

scalable security standards, policies,and procedures that are suitable for thesize and complexity of its organization.

(1) Security management. A PSO mustaddress:

(i) Maintenance and effectiveimplementation of written policies andprocedures that conform to therequirements of this section to protectthe confidentiality, integrity, andavailability of the patient safety workproduct that is received, accessed, orhandled; and to monitor and improvethe effectiveness of such policies andprocedures, and

(ii) Training of the PSO workforce and

PSO contractors who receive, access, orhandle patient safety work productregarding the requirements of thePatient Safety Act, this Part, and thePSO’s policies and procedures regardingthe confidentiality and security of patient safety work product.

(2) Distinguishing patient safety work product. A PSO must address:

(i) Maintenance of the security of patient safety work product, whether inelectronic or other media, through eitherphysical separation from non-patientsafety work product, or if co-locatedwith non-patient safety work product,

by making patient safety work productdistinguishable so that the appropriateform and level of security can beapplied and maintained;

(ii) Protection of the media, whetherin electronic, paper, or other media orformat, that contain patient safety workproduct, limiting access to authorizedusers, and sanitizing and destroyingsuch media before their disposal orrelease for reuse; and

(iii) Physical and environmentalprotection, to control and limit physicaland virtual access to places and

equipment where patient safety workproduct is received, accessed, orhandled.

(3) Security control and monitoring. APSO must address:

(i) Identification of those authorizedto receive, access, or handle patientsafety work product and an auditcapacity to detect unlawful,

unauthorized, or inappropriate receipt,access, or handling of patient safetywork product, and

(ii) Methods to prevent unauthorizedreceipt, access, or handling of patientsafety work product.

(4) Security assessment. A PSO mustaddress:

(i) Periodic assessments of securityrisks and controls to establish if itscontrols are effective, to correct anydeficiency identified, and to reduce oreliminate any vulnerabilities.

(ii) System and communicationsprotection, to monitor, control, and

protect PSO receipt, access, or handlingof patient safety work product withparticular attention to the transmissionof patient safety work product to andfrom providers, other PSOs, contractorsor any other responsible persons.

§ 3.108 Correction of deficiencies,revocation, and voluntary relinquishment.

(a) Process for correction of adeficiency and revocation—(1)Circumstances leading to revocation.The Secretary may revoke hisacceptance of an entity’s certification(‘‘revocation’’) and delist the entity as aPSO if he determines—

(i) The PSO is not fulfilling thecertifications made to the Secretary asrequired by § 3.102;

(ii) The PSO has not met the twocontract requirement, as required by§ 3.102(d)(1);

(iii) Based on a PSO’s disclosuresmade pursuant to §3.102(d)(2) , that theentity cannot fairly and accuratelyperform the patient safety activities of aPSO with a public finding to that effect;or

(iv) The PSO is not in compliancewith any other provision of the PatientSafety Act or this Part.

(2) Notice of preliminary finding of deficiency and establishment of anopportunity for correction of adeficiency. (i) Except as provided byparagraph (e) of this section, if theSecretary determines that a PSO is notin compliance with its obligations underthe Patient Safety Act or this Subpart,the Secretary must send a PSO writtennotice of the preliminary finding of deficiency. The notice must state theactions or inactions that encompass thedeficiency finding, outline the evidencethat the deficiency exists, specify the





possible and/or required correctiveactions that must be taken, and establisha date by which the deficiency must becorrected. The Secretary may specify inthe notice the form of documentationrequired to demonstrate that thedeficiency has been corrected.

(ii) The notice of a preliminaryfinding of deficiency is presumed

received five days after it is sent, absentevidence of the actual receipt date. If aPSO does not submit evidence to theSecretary within 14 calendar days of actual or constructive receipt of suchnotice, whichever is longer, whichdemonstrates that the preliminaryfinding is factually incorrect, thepreliminary finding will be the basis fora finding of deficiency.

(3) Determination of correction of adeficiency. (i) Unless the Secretaryspecifies another date, the Secretarymust receive documentation todemonstrate that the PSO has correctedany deficiency cited in the preliminaryfinding of deficiency no later than fivecalendar days following the last day of the correction period that is specified bythe Secretary in such notice.

(ii) In making a determinationregarding the correction of anydeficiency, the Secretary will considerthe documentation submitted by thePSO, any assessments under §3.110,recommendations of program staff, andany other information availableregarding the PSO that the Secretarydeems appropriate and relevant to thePSO’s implementation of the terms of itscertification.

(iii) After completing his review, theSecretary may make one of thefollowing determinations:

(A) The action(s) taken by the PSOhave corrected any deficiency, in whichcase the Secretary will withdraw thenotice of deficiency and so notify thePSO;

(B) The PSO has acted in good faithto correct the deficiency, but theSecretary finds an additional period of time is necessary to achieve fullcompliance and/or the requiredcorrective action specified in the noticeof a preliminary finding of deficiency

needs to be modified in light of theexperience of the PSO in attempting toimplement the corrective action, inwhich case the Secretary will extend theperiod for correction and/or modify thespecific corrective action required; or

(C) The PSO has not completed thecorrective action because it has notacted with reasonable diligence or speedto ensure that the corrective action wascompleted within the allotted time, inwhich case the Secretary will issue tothe PSO a notice of proposed revocationand delisting.

(iv) When the Secretary issues awritten notice of proposed revocationand delisting, the notice will specify thedeficiencies that have not been timelycorrected and will detail the manner inwhich the PSO may exercise itsopportunity to be heard in writing torespond to the deficiencies specified inthe notice.

(4) Opportunity to be heard in writing following a notice of proposed revocation and delisting. The Secretarywill afford a PSO an opportunity to beheard in writing, as specified inparagraph (a)(4)(i) of this section, toprovide a substantive response to thedeficiency finding(s) set forth in thenotice of proposed revocation anddelisting.

(i) The notice of proposed revocationand delisting is presumed received fivedays after it is sent, absent evidence of actual receipt. The Secretary willprovide a PSO with a period of time,

beginning with the date of receipt of thenotice of proposed revocation anddelisting of which there is evidence, orthe presumed date of receipt if there isno evidence of earlier receipt, andending at midnight 30 calendar daysthereafter, during which the PSO maysubmit a substantive response to thedeficiency findings in writing.

(ii) The Secretary will provide to thePSO any rules of procedure governingthe form or transmission of the writtenresponse to the notice of proposedrevocation and delisting. Such rulesmay also be posted on the AHRQ PSOWeb site or published in the Federal

Register.(iii) If a PSO does not submit a written

response to the deficiency finding(s)within 30 calendar days of receipt of thenotice of proposed revocation anddelisting, the notice of proposedrevocation becomes final as a matter of law and the basis for Secretarial actionunder paragraph (b)(1) of this section.

(5) The Secretary’s decision regarding revocation. The Secretary will reviewthe entire administrative recordpertaining to a notice of proposedrevocation and delisting and any writtenmaterials submitted by the PSO under

paragraph (a)(4) of this section. TheSecretary may affirm, reverse, or modifythe notice of proposed revocation anddelisting and will make a determinationwith respect to the continued listing of the PSO.

(b) Revocation of the Secretary’sacceptance of a PSO’s certifications—(1)Establishing the date and time of revocation and delisting. When theSecretary concludes, in accordance witha decision made under paragraphs(a)(5), (e)(3)(iii) or (e)(3)(iv)(C) of thissection, that revocation of the

acceptance of a PSO’s certification iswarranted for its failure to comply withrequirements of the Patient Safety Act orof this Part, the Secretary will establishthe effective time and date for suchprompt revocation and removal of theentity from the list of PSOs, so notifythe PSO in writing, and provide therelevant public notice required by

§ 3.108(d) of this subpart.(2) Required notification of providers

and status of data. (i) Upon beingnotified of the Secretary’s actionpursuant to paragraph (b)(1) of thissection, the former PSO will take allreasonable actions to notify eachprovider, whose patient safety workproduct it collected or analyzed, of theSecretary’s action(s) and the followingstatutory information: Confidentialityand privilege protections that applied topatient safety work product while theformer PSO was listed continue to applyafter the entity is removed from listing.

Data submitted by providers to theformer PSO for 30 calendar daysfollowing the date and time on whichthe entity was removed from the list of PSOs pursuant to paragraph (b)(1) of this section will have the same status asdata submitted while the entity was stilllisted.

(ii) Within 15 days of being notifiedof the Secretary’s action pursuant toparagraph (b)(1) of this section, theformer PSO shall submit to theSecretary confirmation that it has takenthe actions in paragraph (b)(2)(i) of thissection.

(3) Disposition of patient safety work product and data. Within 90 daysfollowing the effective date of revocation and delisting pursuant toparagraph (b)(1) of this section, theformer PSO will take one or more of thefollowing measures in regard to patientsafety work product and data describedin paragraph (b)(2)(i) of this section:

(i) Transfer such patient safety workproduct or data, with the approval of thesource from which it was received, to aPSO that has agreed to receive suchpatient safety work product or data;

(ii) Return such work product or datato the source from which it wassubmitted; or

(iii) If returning such patient safetywork product or data to its source is notpracticable, destroy such patient safetywork product or data.

(c) Voluntary relinquishment —(1)Circumstances constituting voluntary relinquishment. A PSO will beconsidered to have voluntarilyrelinquished its status as a PSO if theSecretary accepts a notification from aPSO that it wishes to relinquishvoluntarily its listing as a PSO.





(2) Notification of voluntary relinquishment. A PSO’s notification of voluntary relinquishment to theSecretary must include the following:

(i) An attestation that all reasonableefforts have been made, or will have

been made by a PSO within 15 calendardays of this statement, to notify thesources from which it received patient

safety work product of the PSO’sintention to cease PSO operations andactivities, to relinquish voluntarily itsstatus as a PSO, to request that theseother entities cease reporting orsubmitting any further information tothe PSO as soon as possible, and informthem that any information reported afterthe effective date and time of delistingthat the Secretary sets pursuant toparagraph (c)(3) of this section will not

be protected as patient safety workproduct under the Patient Safety Act.

(ii) An attestation that the entity hasestablished a plan, or within 15calendar days of this statement, willhave made all reasonable efforts toestablish a plan, in consultation withthe sources from which it receivedpatient safety work product, thatprovides for the disposition of thepatient safety work product held by thePSO consistent with, to the extentpracticable, the statutory options fordisposition of patient safety workproduct as set out in paragraph (b)(3) of this section; and

(iii) Appropriate contact informationfor further communications from theSecretary.

(3) Response to notification of

voluntary relinquishment. (i) After aPSO provides the notification required

by paragraph (c)(2) of this section, theSecretary will respond in writing to theentity indicating whether the proposedvoluntary relinquishment of its PSOstatus is accepted. If the voluntaryrelinquishment is accepted, theSecretary’s response will indicate aneffective date and time for the entity’sremoval from the list of PSOs and willprovide public notice of the voluntaryrelinquishment and the effective dateand time of the delisting, in accordancewith §3.108(d) of this subpart.

(ii) If the Secretary receives anotification of voluntary relinquishmentduring or immediately after revocationproceedings for cause under paragraphs(a)(4) and (a)(5) of this section, theSecretary, as a matter of discretion, mayaccept voluntary relinquishment inaccordance with the precedingparagraph or decide not to accept theentity’s proposed voluntaryrelinquishment and proceed with therevocation for cause and delistingpursuant to paragraph (b)(1) of thissection.

(4) Non-applicability of certain procedures and requirements. (i) Adecision by the Secretary to accept arequest by a PSO to relinquishvoluntarily its status as a PSO pursuantto paragraph (c)(2) of this section doesnot constitute a determination of adeficiency in PSO compliance with thePatient Safety Act or with this Subpart.

(ii) The procedures and requirementsof § 3.108(a) of this subpart regardingdeficiencies including the opportunityto correct deficiencies and to be heardin writing, and the procedures andrequirements of §3.108(b) are notapplicable to determinations of theSecretary made pursuant to thissubsection.

(d) Public notice of delisting regarding removal from listing. If the Secretaryremoves an entity from the list of PSOsfollowing revocation of acceptance of the entity’s certification pursuant to§ 3.108(b)(1), voluntary relinquishment

pursuant to § 3.108(c)(3), or expirationof an entity’s period of listing pursuantto § 3.104(e)(1), the Secretary willpromptly publish in the FederalRegister and on the AHRQ PSO website,or in a comparable future form of publicnotice, a notice of the actions taken andthe effective dates.

(e) Expedited revocation and delisting —(1) Basis for expedited revocation. Notwithstanding any otherprovision of this section, the Secretarymay use the expedited revocationprocess described in paragraph (e)(3) of this section if he determines—

(i) The PSO is not in compliance with

this Part because it is or is about to become an entity described in§ 3.102(a)(2).

(ii) The parent organization of thePSO is an entity described in§ 3.102(a)(2) and requires or induceshealth care providers to report patientsafety work product to its componentPSO; or

(iii) The circumstances for revocationin paragraph (a)(1) of this section exist,and the Secretary has determined thatthere would be serious adverseconsequences if the PSO were to remainlisted.

(2) Applicable provisions. If theSecretary uses the expedited revocationprocess described in paragraph (e)(3) of this section, the procedures inparagraphs (a)(2) through (5) of thissection shall not apply and paragraph(a)(1) and paragraphs (b) and (d) of thissection shall apply.

(3) Expedited revocation process. (i)The Secretary must send the PSO awritten notice of deficiency that:

(A) Identifies the evidence that thecircumstances for revocation anddelisting under paragraph (a)(1) of this

section exist, and any corrective actionthat the PSO must take if the Secretarydetermines that corrective action mayresolve the matter so that the entitywould not be delisted; and

(B) Provides an opportunity for thePSO to respond in writing to correct thefacts or the legal bases for delistingfound in the notice, and to offer any

other grounds for its not being delisted.(ii) The notice of deficiency will be

presumed to be received five days afterit is sent, absent evidence of the actualreceipt date.

(iii) If the PSO does not submit awritten response to the Secretary within14 calendar days of actual orconstructive receipt of such notice,whichever is longer, the Secretary mayrevoke his acceptance of the PSO’scertifications and remove the entityfrom the list of PSOs.

(iv) If the PSO responds in writingwithin the required 14-day time period,

the Secretary may take any of thefollowing actions:

(A) Withdraw the notice of deficiency;(B) Provide the PSO with more time

to resolve the matter to the Secretary’ssatisfaction; or

(C) Revoke his acceptance of thePSO’s certifications and remove theentity from the list of PSOs.

§ 3.110 Assessment of PSO compliance.

The Secretary may requestinformation or conduct announced orunannounced reviews of, or site visitsto, PSOs, to assess or verify PSO

compliance with the requirements of this subpart and for these purposes will

be allowed to inspect the physical orvirtual sites maintained or controlled bythe PSO. The Secretary will be allowedto inspect and/or be given or sent copiesof any PSO records deemed necessaryand requested by the Secretary toimplement the provisions of thissubpart. Such PSO records may includepatient safety work product inaccordance with §3.206(d) of this part.

§ 3.112 Submissions and forms.

(a) Forms referred to in this subpart

may be obtained on the PSO Web site(http://www.pso.ahrq.gov ) maintainedfor the Secretary by AHRQ or asuccessor agency or on successorpublication technology or by requestingthem in writing by e-mail at

[email protected] , or by mail from theAgency for Healthcare Research andQuality, CQuIPS, PSO Liaison, 540Gaither Road, Rockville, MD 20850. Aform (including any requiredattachments) must be submitted inaccordance with the accompanyinginstructions.


http://www.pso.ahrq.gov/


mailto:[email protected]







(b) Information submitted to AHRQ inwriting, but not required to be on orattached to a form, and requests forinformation from AHRQ, may besubmitted by mail or other delivery tothe Agency for Healthcare Research andQuality, CQuIPS, PSO Liaison, 540Gaither Road, Rockville, MD 20850, byfacsimile at (301) 427–1341, or by e-mail

at [email protected]. (c) If a submission to the Secretary is

incomplete or additional information isneeded to allow a determination to bemade under this subpart, the submitterwill be notified if any additionalinformation is required.

Subpart C—Confidentiality andPrivilege Protections of Patient SafetyWork Product

§ 3.204 Privilege of patient safety work product.

(a) Privilege. Notwithstanding anyother provision of Federal, State, local,or Tribal law and subject to paragraph(b) of this section and § 3.208 of thissubpart, patient safety work productshall be privileged and shall not be:

(1) Subject to a Federal, State, local,or Tribal civil, criminal, oradministrative subpoena or order,including in a Federal, State, local, orTribal civil or administrativedisciplinary proceeding against aprovider;

(2) Subject to discovery in connectionwith a Federal, State, local, or Tribalcivil, criminal, or administrativeproceeding, including in a Federal,

State, local, or Tribal civil oradministrative disciplinary proceedingagainst a provider;

(3) Subject to disclosure pursuant tosection 552 of Title 5, United StatesCode (commonly known as the Freedomof Information Act) or any other similarFederal, State, local, or Tribal law;

(4) Admitted as evidence in anyFederal, State, local, or Tribalgovernmental civil proceeding, criminalproceeding, administrative rulemakingproceeding, or administrativeadjudicatory proceeding, including anysuch proceeding against a provider; or

(5) Admitted in a professionaldisciplinary proceeding of aprofessional disciplinary bodyestablished or specifically authorizedunder State law.

(b) Exceptions to privilege. Privilegeshall not apply to (and shall not beconstrued to prohibit) one or more of the following disclosures:

(1) Disclosure of relevant patientsafety work product for use in acriminal proceeding, subject to theconditions at §3.206(b)(1) of thissubpart.

(2) Disclosure to the extent required topermit equitable relief subject to theconditions at §3.206(b)(2) of thissubpart.

(3) Disclosure pursuant to providerauthorizations subject to the conditionsat § 3.206(b)(3) of this subpart.

(4) Disclosure of non-identifiablepatient safety work product subject to

the conditions at §3.206(b)(5) of thissubpart.

(c) Implementation and enforcement by the Secretary. Privilege shall notapply to (and shall not be construed toprohibit) disclosures of relevant patientsafety work product to or by theSecretary if such patient safety workproduct is needed to investigate ordetermine compliance, or to seek orimpose civil money penalties, withrespect to this part or the HIPAAPrivacy Rule, or to make or supportdecisions with respect to listing of aPSO.

§ 3.206 Confidentiality of patient safetywork product.

(a) Confidentiality. Subject toparagraphs (b) through (e) of thissection, and §§3.208 and 3.210 of thissubpart, patient safety work productshall be confidential and shall not bedisclosed.

(b) Exceptions to confidentiality. Theconfidentiality provisions shall notapply to (and shall not be construed toprohibit) one or more of the followingdisclosures:

(1) Disclosure in criminal

proceedings. Disclosure of relevantpatient safety work product for use in acriminal proceeding, but only after acourt makes an in-camera determinationthat:

(i) Such patient safety work productcontains evidence of a criminal act;

(ii) Such patient safety work productis material to the proceeding; and

(iii) Such patient safety work productis not reasonably available from anyother source.

(2) Disclosure to permit equitablerelief for reporters. Disclosure of patientsafety work product to the extentrequired to permit equitable relief undersection 922 (f)(4)(A) of the Public HealthService Act, provided the court oradministrative tribunal has issued aprotective order to protect theconfidentiality of the patient safetywork product in the course of theproceeding.

(3) Disclosure authorized by identified providers. (i) Disclosure of identifiablepatient safety work product consistentwith a valid authorization if suchauthorization is obtained from eachprovider identified in such work

product prior to disclosure. A validauthorization must:

(A) Be in writing and signed by theprovider from whom authorization issought; and

(B) Contain sufficient detail to fairlyinform the provider of the nature andscope of the disclosures beingauthorized;

(ii) A valid authorization must beretained by the disclosing entity for sixyears from the date of the last disclosuremade in reliance on the authorizationand made available to the Secretaryupon request.

(4) Disclosure for patient safety activities—(i) Disclosure between a

provider and a PSO. Disclosure of patient safety work product for patientsafety activities by a provider to a PSOor by a PSO to that disclosing provider.

(ii) Disclosure to a contractor of a provider or a PSO. A provider or a PSOmay disclose patient safety work

product for patient safety activities to anentity with which it has contracted toundertake patient safety activities on its

behalf. A contractor receiving patientsafety work product for patient safetyactivities may not further disclosepatient safety work product, except tothe provider or PSO with which it iscontracted.

(iii) Disclosure among affiliated providers. Disclosure of patient safetywork product for patient safety activities

by a provider to an affiliated provider.(iv) Disclosure to another PSO or

provider. Disclosure of patient safetywork product for patient safety activities

by a PSO to another PSO or to anotherprovider that has reported to the PSO,or, except as otherwise permitted inparagraph (b)(4)(iii) of this section, by aprovider to another provider, provided:

(A) The following direct identifiers of any providers and of affiliatedorganizations, corporate parents,subsidiaries, practice partners,employers, members of the workforce,or household members of suchproviders are removed:

(1) Names;(2) Postal address information, other

than town or city, State and zip code;

(3) Telephone numbers;(4) Fax numbers;(5) Electronic mail addresses;(6) Social security numbers or

taxpayer identification numbers;(7 ) Provider or practitioner

credentialing or DEA numbers;(8) National provider identification

number;(9) Certificate/license numbers;(10) Web Universal Resource Locators

(URLs);(11) Internet Protocol (IP) address

numbers;







(12) Biometric identifiers, includingfinger and voice prints; and

(13) Full face photographic imagesand any comparable images; and

(B) With respect to any individuallyidentifiable health information in suchpatient safety work product, the directidentifiers listed at 45 CFR 164.514(e)(2)have been removed.

(5) Disclosure of nonidentifiable patient safety work product. Disclosureof nonidentifiable patient safety workproduct when patient safety workproduct meets the standard fornonidentification in accordance with§ 3.212 of this subpart.

(6) Disclosure for research. (i)Disclosure of patient safety workproduct to persons carrying outresearch, evaluation or demonstrationprojects authorized, funded, certified, orotherwise sanctioned by rule or othermeans by the Secretary, for the purposeof conducting research.

(ii) If the patient safety work productdisclosed pursuant to paragraph (b)(6)(i)of this section is by a HIPAA coveredentity as defined at 45 CFR 160.103 andcontains protected health information asdefined by the HIPAA Privacy Rule at45 CFR 160.103, such patient safetywork product may only be disclosedunder this exception in the samemanner as would be permitted underthe HIPAA Privacy Rule.

(7) Disclosure to the Food and Drug Administration (FDA) and entitiesrequired to report to FDA. (i) Disclosure

by a provider of patient safety work

product concerning an FDA-regulatedproduct or activity to the FDA, an entityrequired to report to the FDAconcerning the quality, safety, oreffectiveness of an FDA-regulatedproduct or activity, or a contractoracting on behalf of FDA or such entityfor these purposes.

(ii) Any person permitted to receivepatient safety work product pursuant toparagraph (b)(7)(i) of this section mayonly further disclose such patient safetywork product for the purpose of evaluating the quality, safety, oreffectiveness of that product or activityto another such person or the disclosingprovider.

(8) Voluntary disclosure to anaccrediting body. (i) Voluntarydisclosure by a provider of patientsafety work product to an accrediting

body that accredits that provider,provided, with respect to any identifiedprovider other than the provider makingthe disclosure:

(A) The provider agrees to thedisclosure; or

(B) The identifiers at§ 3.206(b)(4)(iv)(A) are removed.

(ii) An accrediting body may notfurther disclose patient safety workproduct it receives pursuant toparagraph (b)(8)(i) of this section.

(iii) An accrediting body may not takean accrediting action against a provider

based on a good faith participation of the provider in the collection,development, reporting, or maintenance

of patient safety work product inaccordance with this Part. Anaccrediting body may not require aprovider to reveal its communicationswith any PSO.

(9) Disclosure for business operations.(i) Disclosure of patient safety workproduct by a provider or a PSO for

business operations to attorneys,accountants, and other professionals.Such contractors may not furtherdisclose patient safety work product,except to the entity from which theyreceived the information.

(ii) Disclosure of patient safety work

product for such other businessoperations that the Secretary mayprescribe by regulation as consistentwith the goals of this part.

(10) Disclosure to law enforcement. (i)Disclosure of patient safety workproduct to an appropriate lawenforcement authority relating to anevent that either constitutes thecommission of a crime, or for which thedisclosing person reasonably believesconstitutes the commission of a crime,provided that the disclosing person

believes, reasonably under thecircumstances, that the patient safetywork product that is disclosed is

necessary for criminal law enforcementpurposes.

(ii) Law enforcement personnelreceiving patient safety work productpursuant to paragraph (b)(10)(i) of thissection only may disclose that patientsafety work product to other lawenforcement authorities as needed forlaw enforcement activities related to theevent that gave rise to the disclosureunder paragraph (b)(10)(i) of thissection.

(c) Safe harbor. A provider orresponsible person, but not a PSO, is notconsidered to have violated the

requirements of this subpart if a memberof its workforce discloses patient safetywork product, provided that thedisclosure does not include materials,including oral statements, that:

(1) Assess the quality of care of anidentifiable provider; or

(2) Describe or pertain to one or moreactions or failures to act by anidentifiable provider.

(d) Implementation and enforcement by the Secretary. The confidentialityprovisions shall not apply to (and shallnot be construed to prohibit) disclosures

of relevant patient safety work productto or by the Secretary if such patientsafety work product is needed toinvestigate or determine compliance orto seek or impose civil money penalties,with respect to this part or the HIPAAPrivacy Rule, or to make or supportdecisions with respect to listing of aPSO.

(e) No limitation on authority to limit or delegate disclosure or use. Nothing insubpart C of this part shall be construedto limit the authority of any person toenter into a contract requiring greaterconfidentiality or delegating authority tomake a disclosure or use in accordancewith this subpart.

§ 3.208 Continued protection of patientsafety work product.

(a) Except as provided in paragraph(b) of this section, patient safety workproduct disclosed in accordance withthis subpart, or disclosed

impermissibly, shall continue to beprivileged and confidential.(b)(1) Patient safety work product

disclosed for use in a criminalproceeding pursuant to section922(c)(1)(A) of the Public Health ServiceAct, 42 U.S.C. 299b–22(c)(1)(A), and/orpursuant to §3.206(b)(1) of this subpartcontinues to be privileged, but is nolonger confidential.

(2) Non-identifiable patient safetywork product that is disclosed is nolonger privileged or confidential and notsubject to the regulations under thispart.

(3) Paragraph (b) of this sectionapplies only to the specific patientsafety work product disclosed.

§ 3.210 Required disclosure of patientsafety work product to the Secretary.

Notwithstanding any other provisionin this part, providers, PSOs, andresponsible persons must disclosepatient safety work product uponrequest by the Secretary when theSecretary determines such patient safetywork product is needed to investigate ordetermine compliance or to seek orimpose civil money penalties, withrespect to this part or the HIPAA

Privacy Rule, or to make or supportdecisions with respect to listing of aPSO.

§ 3.212 Nonidentification of patient safetywork product.

(a) Patient safety work product isnonidentifiable with respect to aparticular identified provider or aparticular identified reporter if:

(1) A person with appropriateknowledge of and experience withgenerally accepted statistical andscientific principles and methods for





rendering information not individuallyidentifiable:

(i) Applying such principles andmethods, determines that the risk isvery small that the information could beused, alone or in combination withother reasonably available information,

by an anticipated recipient to identifyan identified provider or reporter; and

(ii) Documents the methods andresults of the analysis that justify suchdetermination; or

(2)(i) The following identifiers of suchprovider or reporter and of affiliatedorganizations, corporate parents,subsidiaries, practice partners,employers, members of the workforce,or household members of suchproviders or reporters are removed:

(A) The direct identifiers listed at§ 3.206(b)(4)(iv)(A)(1) through (13) of this subpart;

(B) Geographic subdivisions smallerthan a State, including street address,

city, county, precinct, zip code andequivalent geocodes, except for theinitial three digits of a zip code if,according to the current publiclyavailable data from the Bureau of theCensus, the geographic unit formed bycombining all zip codes with the samethree initial digits contains more than20,000 people;

(C) All elements of dates (except year)for dates directly related to a patientsafety incident or event; and

(D) Any other unique identifyingnumber, characteristic, or code exceptas permitted for re-identification; and

(ii) The provider, PSO or responsible

person making the disclosure does nothave actual knowledge that theinformation could be used, alone or incombination with other information thatis reasonably available to the intendedrecipient, to identify the particularprovider or reporter.

(3) Re-identification. A provider, PSO,or responsible person may assign a codeor other means of record identificationto allow information madenonidentifiable under this section to bere-identified by such provider, PSO, orresponsible person, provided that:

(i) The code or other means of record

identification is not derived from orrelated to information about theprovider or reporter and is nototherwise capable of being translated soas to identify the provider or reporter;and

(ii) The provider, PSO, or responsibleperson does not use or disclose the codeor other means of record identificationfor any other purpose, and does notdisclose the mechanism for re-identification.

(b) Patient safety work product is non-identifiable with respect to a particular

patient only if the individuallyidentifiable health informationregarding that patient is de-identified inaccordance with the HIPAA PrivacyRule standard and implementationspecifications for the de-identification at45 CFR 164.514(a) through (c).

Subpart D—Enforcement Program

§ 3.304 Principles for achievingcompliance.

(a) Cooperation. The Secretary will, tothe extent practicable, seek thecooperation of providers, PSOs, andresponsible persons in obtainingcompliance with the applicableconfidentiality provisions.

(b) Assistance. The Secretary mayprovide technical assistance toproviders, PSOs, and responsiblepersons to help them complyvoluntarily with the applicableconfidentiality provisions.

§ 3.306 Complaints to the Secretary.(a) Right to file a complaint . A person

who believes that patient safety workproduct has been disclosed in violationof the confidentiality provisions mayfile a complaint with the Secretary.

(b) Requirements for filing complaints. Complaints under thissection must meet the followingrequirements:

(1) A complaint must be filed inwriting, either on paper orelectronically.

(2) A complaint must name the personthat is the subject of the complaint anddescribe the act(s) believed to be inviolation of the applicableconfidentiality provision(s).

(3) A complaint must be filed within180 days of when the complainant knewor should have known that the actcomplained of occurred, unless thistime limit is waived by the Secretary forgood cause shown.

(4) The Secretary may prescribeadditional procedures for the filing of complaints, as well as the place andmanner of filing, by notice in theFederal Register.

(c) Investigation. The Secretary mayinvestigate complaints filed under this

section. Such investigation may includea review of the pertinent policies,procedures, or practices of therespondent and of the circumstancesregarding any alleged violation. At thetime of initial written communicationwith the respondent about thecomplaint, the Secretary will describethe act(s) that are the basis of thecomplaint.

§ 3.308 Compliance reviews.

The Secretary may conductcompliance reviews to determine

whether a respondent is complying withthe applicable confidentialityprovisions.

§ 3.310 Responsibilities of respondents.

(a) Provide records and compliancereports. A respondent must keep suchrecords and submit such compliancereports, in such time and manner and

containing such information, as theSecretary may determine to be necessaryto enable the Secretary to ascertainwhether the respondent has complied oris complying with the applicableconfidentiality provisions.

(b) Cooperate with complaint investigations and compliance reviews.A respondent must cooperate with theSecretary, if the Secretary undertakes aninvestigation or compliance review of the policies, procedures, or practices of the respondent to determine whether itis complying with the applicableconfidentiality provisions.

(c) Permit access to information. (1) Arespondent must permit access by theSecretary during normal business hoursto its facilities, books, records, accounts,and other sources of information,including patient safety work product,that are pertinent to ascertainingcompliance with the applicableconfidentiality provisions. If theSecretary determines that exigentcircumstances exist, such as whendocuments may be hidden or destroyed,a respondent must permit access by theSecretary at any time and withoutnotice.

(2) If any information required of arespondent under this section is in theexclusive possession of any otheragency, institution, or person, and theother agency, institution, or person failsor refuses to furnish the information, therespondent must so certify and set forthwhat efforts it has made to obtain theinformation.

§ 3.312 Secretarial action regardingcomplaints and compliance reviews.

(a) Resolution when noncompliance isindicated . (1) If an investigation of acomplaint pursuant to § 3.306 of thissubpart or a compliance reviewpursuant to §3.308 of this subpartindicates noncompliance, the Secretarymay attempt to reach a resolution of thematter satisfactory to the Secretary byinformal means. Informal means mayinclude demonstrated compliance or acompleted corrective action plan orother agreement.

(2) If the matter is resolved byinformal means, the Secretary will soinform the respondent and, if the matterarose from a complaint, thecomplainant, in writing.





(3) If the matter is not resolved byinformal means, the Secretary will—

(i) So inform the respondent andprovide the respondent an opportunityto submit written evidence of anymitigating factors. The respondent mustsubmit any evidence to the Secretarywithin 30 days (computed in the samemanner as prescribed under §3.526 of this subpart) of receipt of suchnotification; and

(ii) If, following action pursuant toparagraph (a)(3)(i) of this section, theSecretary decides that a civil moneypenalty should be imposed, inform therespondent of such finding in a noticeof proposed determination inaccordance with §3.420 of this subpart.

(b) Resolution when no violation is found . If, after an investigation pursuantto § 3.306 of this subpart or acompliance review pursuant to § 3.308of this subpart, the Secretary determinesthat further action is not warranted, theSecretary will so inform the respondentand, if the matter arose from acomplaint, the complainant, in writing.

(c) Uses and disclosures of information obtained . (1) Identifiablepatient safety work product obtained bythe Secretary in connection with aninvestigation or compliance reviewunder this subpart will not be disclosed

by the Secretary, except in accordancewith §3.206(d) of this subpart, or if otherwise permitted by this part or thePatient Safety Act.

(2) Except as provided for inparagraph (c)(1) of this section,information, including testimony andother evidence, obtained by theSecretary in connection with aninvestigation or compliance reviewunder this subpart may be used by HHSin any of its activities and may be usedor offered into evidence in anyadministrative or judicial proceeding.

§ 3.314 Investigational subpoenas andinquiries.

(a) The Secretary may issuesubpoenas in accordance with 42 U.S.C.405(d) and (e), and 1320a–7a(j), torequire the attendance and testimony of

witnesses and the production of anyother evidence including patient safetywork product during an investigation orcompliance review pursuant to this part.

(1) A subpoena issued under thisparagraph must—

(i) State the name of the person(including the entity, if applicable) towhom the subpoena is addressed;

(ii) State the statutory authority forthe subpoena;

(iii) Indicate the date, time, and placethat the testimony will take place;

(iv) Include a reasonably specificdescription of any documents or itemsrequired to be produced; and

(v) If the subpoena is addressed to anentity, describe with reasonableparticularity the subject matter onwhich testimony is required. In thatevent, the entity must designate one ormore natural persons who will testify on

its behalf, and must state as to each suchperson that person’s name and addressand the matters on which he or she willtestify. The designated person musttestify as to matters known orreasonably available to the entity.

(2) A subpoena under this sectionmust be served by—

(i) Delivering a copy to the naturalperson named in the subpoena or to theentity named in the subpoena at its lastprincipal place of business; or

(ii) Registered or certified mailaddressed to the natural person at his orher last known dwelling place or to the

entity at its last known principal placeof business.(3) A verified return by the natural

person serving the subpoena settingforth the manner of service or, in thecase of service by registered or certifiedmail, the signed return post officereceipt, constitutes proof of service.

(4) Witnesses are entitled to the samefees and mileage as witnesses in thedistrict courts of the United States (28U.S.C. 1821 and 1825). Fees need not bepaid at the time the subpoena is served.

(5) A subpoena under this section isenforceable through the district court of the United States for the district where

the subpoenaed natural person residesor is found or where the entity transacts

business.(b) Investigational inquiries are non-

public investigational proceedingsconducted by the Secretary.

(1) Testimony at investigationalinquiries will be taken under oath oraffirmation.

(2) Attendance of non-witnesses isdiscretionary with the Secretary, exceptthat a witness is entitled to beaccompanied, represented, and advised

by an attorney.(3) Representatives of the Secretary

are entitled to attend and ask questions.(4) A witness will have theopportunity to clarify his or her answerson the record following questioning bythe Secretary.

(5) Any claim of privilege must beasserted by the witness on the record.

(6) Objections must be asserted on therecord. Errors of any kind that might becorrected if promptly presented will bedeemed to be waived unless reasonableobjection is made at the investigationalinquiry. Except where the objection ison the grounds of privilege, the question

will be answered on the record, subjectto objection.

(7) If a witness refuses to answer anyquestion not privileged or to producerequested documents or items, orengages in conduct likely to delay orobstruct the investigational inquiry, theSecretary may seek enforcement of thesubpoena under paragraph (a)(5) of this

section.(8) The proceedings will be recorded

and transcribed. The witness is entitledto a copy of the transcript, uponpayment of prescribed costs, exceptthat, for good cause, the witness may belimited to inspection of the officialtranscript of his or her testimony.

(9)(i) The transcript will be submittedto the witness for signature.

(A) Where the witness will beprovided a copy of the transcript, thetranscript will be submitted to thewitness for signature. The witness maysubmit to the Secretary written

proposed corrections to the transcript,with such corrections attached to thetranscript. If the witness does not returna signed copy of the transcript orproposed corrections within 30 days(computed in the same manner asprescribed under §3.526 of this part) of its being submitted to him or her forsignature, the witness will be deemed tohave agreed that the transcript is trueand accurate.

(B) Where, as provided in paragraph(b)(8) of this section, the witness islimited to inspecting the transcript, thewitness will have the opportunity at thetime of inspection to propose

corrections to the transcript, withcorrections attached to the transcript.The witness will also have theopportunity to sign the transcript. If thewitness does not sign the transcript oroffer corrections within 30 days(computed in the same manner asprescribed under §3.526 of this part) of receipt of notice of the opportunity toinspect the transcript, the witness will

be deemed to have agreed that thetranscript is true and accurate.

(ii) The Secretary’s proposedcorrections to the record of transcriptwill be attached to the transcript.

§ 3.402 Basis for a civil money penalty.

(a) General rule. A person whodiscloses identifiable patient safetywork product in knowing or recklessviolation of the confidentialityprovisions shall be subject to a civilmoney penalty for each act constitutingsuch violation.

(b) Violation attributed to a principal .A principal is independently liable, inaccordance with the federal commonlaw of agency, for a civil money penalty

based on the act of the principal’s agent,





including a workforce member, actingwithin the scope of the agency if suchact could give rise to a civil moneypenalty in accordance with § 3.402(a) of this subpart.

§ 3.404 Amount of a civil money penalty.

(a) The amount of a civil moneypenalty will be determined in

accordance with paragraph (b) of thissection and §3.408 of this subpart.

(b) The Secretary may impose a civilmoney penalty in the amount of notmore than $10,000.

§ 3.408 Factors considered in determiningthe amount of a civil money penalty.

In determining the amount of anycivil money penalty, the Secretary mayconsider as aggravating or mitigatingfactors, as appropriate, any of thefollowing:

(a) The nature of the violation.(b) The circumstances, including the

consequences, of the violation,including:

(1) The time period during which theviolation(s) occurred; and

(2) Whether the violation causedphysical or financial harm orreputational damage;

(c) The degree of culpability of therespondent, including:

(1) Whether the violation wasintentional; and

(2) Whether the violation was beyondthe direct control of the respondent.

(d) Any history of prior compliancewith the Patient Safety Act, includingviolations, by the respondent, including:

(1) Whether the current violation isthe same or similar to prior violation(s);

(2) Whether and to what extent therespondent has attempted to correctprevious violations;

(3) How the respondent hasresponded to technical assistance fromthe Secretary provided in the context of a compliance effort; and

(4) How the respondent hasresponded to prior complaints.

(e) The financial condition of therespondent, including:

(1) Whether the respondent hadfinancial difficulties that affected its

ability to comply;(2) Whether the imposition of a civilmoney penalty would jeopardize theability of the respondent to continue toprovide health care or patient safetyactivities; and

(3) The size of the respondent.(f) Such other matters as justice may

require.

§ 3.414 Limitations.

No action under this subpart may beentertained unless commenced by theSecretary, in accordance with § 3.420 of

this subpart, within 6 years from thedate of the occurrence of the violation.

§ 3.416 Authority to settle.

Nothing in this subpart limits theauthority of the Secretary to settle anyissue or case or to compromise anypenalty.

§ 3.418 Exclusivity of penalty.

(a) Except as otherwise provided byparagraph (b) of this section, a penaltyimposed under this part is in additionto any other penalty prescribed by law.

(b) Civil money penalties shall not beimposed both under this part and underthe HIPAA Privacy Rule (45 CFR parts160 and 164).

§ 3.420 Notice of proposed determination.

(a) If a penalty is proposed inaccordance with this part, the Secretarymust deliver, or send by certified mailwith return receipt requested, to therespondent, written notice of the

Secretary’s intent to impose a penalty.This notice of proposed determinationmust include:

(1) Reference to the statutory basis forthe penalty;

(2) A description of the findings of fact regarding the violations withrespect to which the penalty isproposed;

(3) The reason(s) why the violation(s)subject(s) the respondent to a penalty;

(4) The amount of the proposedpenalty;

(5) Any factors described in §3.408 of this subpart that were considered in

determining the amount of the proposedpenalty; and

(6) Instructions for responding to thenotice, including a statement of therespondent’s right to a hearing, astatement that failure to request ahearing within 60 days permits theimposition of the proposed penaltywithout the right to a hearing under§ 3.504 of this subpart or a right of appeal under §3.548 of this subpart,and the address to which the hearingrequest must be sent.

(b) The respondent may request ahearing before an ALJ on the proposed

penalty by filing a request in accordancewith § 3.504 of this subpart.

§ 3.422 Failure to request a hearing.

If the respondent does not request ahearing within the time prescribed by§ 3.504 of this subpart and the matter isnot settled pursuant to § 3.416 of thissubpart, the Secretary may impose theproposed penalty or any lesser penaltypermitted by sections 921 through 926of the Public Health Service Act, 42U.S.C. 299b–21 through 299b–26. TheSecretary will notify the respondent by

certified mail, return receipt requested,of any penalty that has been imposedand of the means by which therespondent may satisfy the penalty, andthe penalty is final on receipt of thenotice. The respondent has no right toappeal a penalty under § 3.548 of thissubpart with respect to which therespondent has not timely requested a

hearing.

§ 3.424 Collection of penalty.

(a) Once a determination of theSecretary to impose a penalty has

become final, the penalty will becollected by the Secretary, subject to thefirst sentence of 42 U.S.C. 1320a–7a(f).

(b) The penalty may be recovered ina civil action brought in the UnitedStates district court for the districtwhere the respondent resides, is found,or is located.

(c) The amount of a penalty, whenfinally determined, or the amount

agreed upon in compromise, may bededucted from any sum then or laterowing by the United States, or by a Stateagency, to the respondent.

(d) Matters that were raised or thatcould have been raised in a hearing

before an ALJ, or in an appeal under 42U.S.C. 1320a–7a(e), may not be raised asa defense in a civil action by the UnitedStates to collect a penalty under thispart.

§ 3.426 Notification of the public and otheragencies.

Whenever a proposed penalty becomes final, the Secretary will notify,

in such manner as the Secretary deemsappropriate, the public and thefollowing organizations and entitiesthereof and the reason it was imposed:The appropriate State or local medicalor professional organization, theappropriate State agency or agenciesadministering or supervising theadministration of State health careprograms (as defined in 42 U.S.C.1320a–7(h)), the appropriate utilizationand quality control peer revieworganization, and the appropriate Stateor local licensing agency or organization(including the agency specified in 42

U.S.C. 1395aa(a), 1396a(a)(33)).§ 3.504 Hearings before an ALJ.

(a) A respondent may request ahearing before an ALJ. The parties to thehearing proceeding consist of—

(1) The respondent; and(2) The officer(s) or employee(s) of

HHS to whom the enforcementauthority involved has been delegated.

(b) The request for a hearing must bemade in writing signed by therespondent or by the respondent’sattorney and sent by certified mail,





return receipt requested, to the addressspecified in the notice of proposeddetermination. The request for a hearingmust be mailed within 60 days afternotice of the proposed determination isreceived by the respondent. Forpurposes of this section, therespondent’s date of receipt of thenotice of proposed determination is

presumed to be 5 days after the date of the notice unless the respondent makesa reasonable showing to the contrary tothe ALJ.

(c) The request for a hearing mustclearly and directly admit, deny, orexplain each of the findings of factcontained in the notice of proposeddetermination with regard to which therespondent has any knowledge. If therespondent has no knowledge of aparticular finding of fact and so states,the finding shall be deemed denied. Therequest for a hearing must also state thecircumstances or arguments that the

respondent alleges constitute thegrounds for any defense and the factualand legal basis for opposing the penalty.

(d) The ALJ must dismiss a hearingrequest where—

(1) On motion of the Secretary, theALJ determines that the respondent’shearing request is not timely filed asrequired by paragraph (b) or does notmeet the requirements of paragraph (c)of this section;

(2) The respondent withdraws therequest for a hearing;

(3) The respondent abandons therequest for a hearing; or

(4) The respondent’s hearing request

fails to raise any issue that may properly be addressed in a hearing.

§ 3.506 Rights of the parties.

(a) Except as otherwise limited by thissubpart, each party may—

(1) Be accompanied, represented, andadvised by an attorney;

(2) Participate in any conference held by the ALJ;

(3) Conduct discovery of documentsas permitted by this subpart;

(4) Agree to stipulations of fact or lawthat will be made part of the record;

(5) Present evidence relevant to theissues at the hearing;

(6) Present and cross-examinewitnesses;(7) Present oral arguments at the

hearing as permitted by the ALJ; and(8) Submit written briefs and

proposed findings of fact andconclusions of law after the hearing.

(b) A party may appear in person or by a representative. Natural personswho appear as an attorney or otherrepresentative must conform to thestandards of conduct and ethicsrequired of practitioners before thecourts of the United States.

(c) Fees for any services performed on behalf of a party by an attorney are notsubject to the provisions of 42 U.S.C.406, which authorizes the Secretary tospecify or limit their fees.

§ 3.508 Authority of the ALJ.

(a) The ALJ must conduct a fair andimpartial hearing, avoid delay, maintain

order, and ensure that a record of theproceeding is made.

(b) The ALJ may—(1) Set and change the date, time and

place of the hearing upon reasonablenotice to the parties;

(2) Continue or recess the hearing inwhole or in part for a reasonable periodof time;

(3) Hold conferences to identify orsimplify the issues, or to consider othermatters that may aid in the expeditiousdisposition of the proceeding;

(4) Administer oaths and affirmations;(5) Issue subpoenas requiring the

attendance of witnesses at hearings andthe production of documents at or inrelation to hearings;

(6) Rule on motions and otherprocedural matters;

(7) Regulate the scope and timing of documentary discovery as permitted bythis subpart;

(8) Regulate the course of the hearingand the conduct of representatives,parties, and witnesses;

(9) Examine witnesses;(10) Receive, rule on, exclude, or limit

evidence;(11) Upon motion of a party, take

official notice of facts;

(12) Conduct any conference,argument or hearing in person or, uponagreement of the parties, by telephone;and

(13) Upon motion of a party, decidecases, in whole or in part, by summaryjudgment where there is no disputedissue of material fact. A summaryjudgment decision constitutes a hearingon the record for the purposes of thissubpart.

(c) The ALJ—(1) May not find invalid or refuse to

follow Federal statutes, regulations, orSecretarial delegations of authority and

must give deference to publishedguidance to the extent not inconsistentwith statute or regulation;

(2) May not enter an order in thenature of a directed verdict;

(3) May not compel settlementnegotiations; or

(4) May not enjoin any act of theSecretary.

§ 3.510 Ex parte contacts.

No party or person (except employeesof the ALJ’s office) may communicate inany way with the ALJ on any matter at

issue in a case, unless on notice andopportunity for both parties toparticipate. This provision does notprohibit a party or person frominquiring about the status of a case orasking routine questions concerningadministrative functions or procedures.

§ 3.512 Prehearing conferences.

(a) The ALJ must schedule at least oneprehearing conference, and mayschedule additional prehearingconferences as appropriate, uponreasonable notice, which may not beless than 14 business days, to theparties.

(b) The ALJ may use prehearingconferences to discuss the following—

(1) Simplification of the issues;(2) The necessity or desirability of

amendments to the pleadings, includingthe need for a more definite statement;

(3) Stipulations and admissions of factor as to the contents and authenticity of

documents;(4) Whether the parties can agree tosubmission of the case on a stipulatedrecord;

(5) Whether a party chooses to waiveappearance at an oral hearing and tosubmit only documentary evidence(subject to the objection of the otherparty) and written argument;

(6) Limitation of the number of witnesses;

(7) Scheduling dates for the exchangeof witness lists and of proposedexhibits;

(8) Discovery of documents aspermitted by this subpart;

(9) The time and place for the hearing;(10) The potential for the settlement

of the case by the parties; and(11) Other matters as may tend to

encourage the fair, just and expeditiousdisposition of the proceedings,including the protection of confidentiality of identifiable patientsafety work product that may besubmitted into evidence or otherwiseused in the proceeding, if appropriate.

(c) The ALJ must issue an ordercontaining the matters agreed upon bythe parties or ordered by the ALJ at aprehearing conference.

§ 3.514 Authority to settle.

The Secretary has exclusive authorityto settle any issue or case without theconsent of the ALJ.

§3.516 Discovery.

(a) A party may make a request toanother party for production of documents for inspection and copyingthat are relevant and material to theissues before the ALJ.

(b) For the purpose of this section, theterm ‘‘documents’’ includes





information, reports, answers, records,accounts, papers and other data anddocumentary evidence. Nothingcontained in this section may beinterpreted to require the creation of adocument, except that requested datastored in an electronic data storagesystem must be produced in a formaccessible to the requesting party.

(c) Requests for documents, requestsfor admissions, written interrogatories,depositions and any forms of discovery,other than those permitted underparagraph (a) of this section, are notauthorized.

(d) This section may not be construedto require the disclosure of interviewreports or statements obtained by anyparty, or on behalf of any party, of persons who will not be called aswitnesses by that party, or analyses andsummaries prepared in conjunctionwith the investigation or litigation of thecase, or any otherwise privileged

documents.(e)(1) When a request for productionof documents has been received, within30 days the party receiving that requestmust either fully respond to the request,or state that the request is being objectedto and the reasons for that objection. If objection is made to part of an item orcategory, the part must be specified.Upon receiving any objections, the partyseeking production may then, within 30days or any other time frame set by theALJ, file a motion for an ordercompelling discovery. The partyreceiving a request for production mayalso file a motion for protective orderany time before the date the productionis due.

(2) The ALJ may grant a motion forprotective order or deny a motion for anorder compelling discovery if the ALJfinds that the discovery sought—

(i) Is irrelevant;(ii) Is unduly costly or burdensome;(iii) Will unduly delay the

proceeding; or(iv) Seeks privileged information.(3) The ALJ may extend any of the

time frames set forth in paragraph (e)(1)of this section.

(4) The burden of showing that

discovery should be allowed is on theparty seeking discovery.

§ 3.518 Exchange of witness lists, witnessstatements, and exhibits.

(a) The parties must exchange witnesslists, copies of prior written statementsof proposed witnesses, and copies of proposed hearing exhibits, includingcopies of any written statements that theparty intends to offer in lieu of livetestimony in accordance with §3.538,not more than 60, and not less than 15,days before the scheduled hearing.

(b)(1) If, at any time, a party objectsto the proposed admission of evidencenot exchanged in accordance withparagraph (a) of this section, the ALJmust determine whether the failure tocomply with paragraph (a) of thissection should result in the exclusion of that evidence.

(2) Unless the ALJ finds that

extraordinary circumstances justifiedthe failure timely to exchange theinformation listed under paragraph (a)of this section, the ALJ must excludefrom the party’s case-in-chief—

(i) The testimony of any witnesswhose name does not appear on thewitness list; and

(ii) Any exhibit not provided to theopposing party as specified in paragraph(a) of this section.

(3) If the ALJ finds that extraordinarycircumstances existed, the ALJ mustthen determine whether the admissionof that evidence would cause substantial

prejudice to the objecting party.(i) If the ALJ finds that there is nosubstantial prejudice, the evidence may

be admitted.(ii) If the ALJ finds that there is

substantial prejudice, the ALJ mayexclude the evidence, or, if he or shedoes not exclude the evidence, mustpostpone the hearing for such time as isnecessary for the objecting party toprepare and respond to the evidence,unless the objecting party waivespostponement.

(c) Unless the other party objectswithin a reasonable period of time

before the hearing, documents

exchanged in accordance withparagraph (a) of this section will bedeemed to be authentic for the purposeof admissibility at the hearing.

§ 3.520 Subpoenas for attendance athearing.

(a) A party wishing to procure theappearance and testimony of any personat the hearing may make a motionrequesting the ALJ to issue a subpoenaif the appearance and testimony arereasonably necessary for thepresentation of a party’s case.

(b) A subpoena requiring the

attendance of a person in accordancewith paragraph (a) of this section mayalso require the person (whether or notthe person is a party) to producerelevant and material evidence at or

before the hearing.(c) When a subpoena is served by a

respondent on a particular employee orofficial or particular office of HHS, theSecretary may comply by designatingany knowledgeable HHS representativeto appear and testify.

(d) A party seeking a subpoena mustfile a written motion not less than 30

days before the date fixed for thehearing, unless otherwise allowed bythe ALJ for good cause shown. Thatmotion must—

(1) Specify any evidence to beproduced;

(2) Designate the witnesses; and(3) Describe the address and location

with sufficient particularity to permit

those witnesses to be found.(e) The subpoena must specify the

time and place at which the witness isto appear and any evidence the witnessis to produce.

(f) Within 15 days after the writtenmotion requesting issuance of asubpoena is served, any party may filean opposition or other response.

(g) If the motion requesting issuanceof a subpoena is granted, the partyseeking the subpoena must serve it bydelivery to the person named, or bycertified mail addressed to that personat the person’s last dwelling place or

principal place of business.(h) The person to whom the subpoenais directed may file with the ALJ amotion to quash the subpoena within 10days after service.

(i) The exclusive remedy forcontumacy by, or refusal to obey asubpoena duly served upon, any personis specified in 42 U.S.C. 405(e).

§3.522 Fees.

The party requesting a subpoena mustpay the cost of the fees and mileage of any witness subpoenaed in the amountsthat would be payable to a witness in aproceeding in United States District

Court. A check for witness fees andmileage must accompany the subpoenawhen served, except that, when asubpoena is issued on behalf of theSecretary, a check for witness fees andmileage need not accompany thesubpoena.

§ 3.524 Form, filing, and service of papers.

(a) Forms. (1) Unless the ALJ directsthe parties to do otherwise, documentsfiled with the ALJ must include anoriginal and two copies.

(2) Every pleading and paper filed inthe proceeding must contain a caption

setting forth the title of the action, thecase number, and a designation of thepaper, such as motion to quashsubpoena.

(3) Every pleading and paper must besigned by and must contain the addressand telephone number of the party orthe person on whose behalf the paperwas filed, or his or her representative.

(4) Papers are considered filed whenthey are mailed.

(b) Service. A party filing a documentwith the ALJ or the Board must, at thetime of filing, serve a copy of the





document on the other party. Serviceupon any party of any document must

be made by delivering a copy, or placinga copy of the document in the UnitedStates mail, postage prepaid andaddressed, or with a private deliveryservice, to the party’s last knownaddress. When a party is represented byan attorney, service must be made upon

the attorney in lieu of the party.(c) Proof of service. A certificate of the

natural person serving the document bypersonal delivery or by mail, settingforth the manner of service, constitutesproof of service.

§ 3.526 Computation of time.

(a) In computing any period of timeunder this subpart or in an order issuedthereunder, the time begins with the dayfollowing the act, event or default, andincludes the last day of the periodunless it is a Saturday, Sunday, or legalholiday observed by the Federal

Government, in which event it includesthe next business day.(b) When the period of time allowed

is less than 7 days, intermediateSaturdays, Sundays, and legal holidaysobserved by the Federal Governmentmust be excluded from the computation.

(c) Where a document has been servedor issued by placing it in the mail, anadditional 5 days must be added to thetime permitted for any response. Thisparagraph does not apply to requests forhearing under §3.504.

§3.528 Motions.

(a) An application to the ALJ for an

order or ruling must be by motion.Motions must state the relief sought, theauthority relied upon and the factsalleged, and must be filed with the ALJand served on all other parties.

(b) Except for motions made during aprehearing conference or at the hearing,all motions must be in writing. The ALJmay require that oral motions bereduced to writing.

(c) Within 10 days after a writtenmotion is served, or such other time asmay be fixed by the ALJ, any party mayfile a response to the motion.

(d) The ALJ may not grant a written

motion before the time for filingresponses has expired, except uponconsent of the parties or following ahearing on the motion, but may overruleor deny the motion without awaiting aresponse.

(e) The ALJ must make a reasonableeffort to dispose of all outstandingmotions before the beginning of thehearing.

§ 3.530 Sanctions.

The ALJ may sanction a person,including any party or attorney, for

failing to comply with an order orprocedure, for failing to defend anaction or for other misconduct thatinterferes with the speedy, orderly orfair conduct of the hearing. Thesanctions must reasonably relate to theseverity and nature of the failure ormisconduct. The sanctions mayinclude—

(a) In the case of refusal to provide orpermit discovery under the terms of thispart, drawing negative factual inferencesor treating the refusal as an admission

by deeming the matter, or certain facts,to be established;

(b) Prohibiting a party fromintroducing certain evidence orotherwise supporting a particular claimor defense;

(c) Striking pleadings, in whole or inpart;

(d) Staying the proceedings;(e) Dismissal of the action;(f) Entering a decision by default;

(g) Ordering the party or attorney topay the attorney’s fees and other costscaused by the failure or misconduct;and

(h) Refusing to consider any motion orother action that is not filed in a timelymanner.

§ 3.532 Collateral estoppel.

When a final determination that therespondent violated a confidentialityprovision has been rendered in anyproceeding in which the respondentwas a party and had an opportunity to

be heard, the respondent is bound bythat determination in any proceeding

under this part.

§ 3.534 The hearing.

(a) The ALJ must conduct a hearingon the record in order to determinewhether the respondent should befound liable under this part.

(b)(1) The respondent has the burdenof going forward and the burden of persuasion with respect to anychallenge to the amount of a proposedpenalty pursuant to §§3.404 and 3.408,including any factors raised asmitigating factors.

(2) The Secretary has the burden of

going forward and the burden of persuasion with respect to all otherissues, including issues of liability andthe existence of any factors consideredas aggravating factors in determining theamount of the proposed penalty.

(3) The burden of persuasion will bejudged by a preponderance of theevidence.

(c) The hearing must be open to thepublic unless otherwise ordered by theALJ for good cause shown, which may

be that identifiable patient safety workproduct has been introduced into

evidence or is expected to be introducedinto evidence.

(d)(1) Subject to the 15-day rule under§ 3.518(a) and the admissibility of evidence under §3.540, either partymay introduce, during its case in chief,items or information that arose or

became known after the date of theissuance of the notice of proposed

determination or the request for hearing,as applicable. Such items andinformation may not be admitted intoevidence, if introduced—

(i) By the Secretary, unless they arematerial and relevant to the acts oromissions with respect to which thepenalty is proposed in the notice of proposed determination pursuant to§ 3.420 of this part, includingcircumstances that may increasepenalties; or

(ii) By the respondent, unless they arematerial and relevant to an admission,denial or explanation of a finding of fact

in the notice of proposed determinationunder §3.420 of this part, or to aspecific circumstance or argumentexpressly stated in the request forhearing under § 3.504, includingcircumstances that may reducepenalties.

(2) After both parties have presentedtheir cases, evidence may be admitted inrebuttal even if not previouslyexchanged in accordance with §3.518.

§3.538 Witnesses.

(a) Except as provided in paragraph(b) of this section, testimony at the

hearing must be given orally bywitnesses under oath or affirmation.(b) At the discretion of the ALJ,

testimony of witnesses other than thetestimony of expert witnesses may beadmitted in the form of a writtenstatement. The ALJ may, at his or herdiscretion, admit prior sworn testimonyof experts that has been subject toadverse examination, such as adeposition or trial testimony. Any suchwritten statement must be provided tothe other party, along with the lastknown address of the witness, in amanner that allows sufficient time forthe other party to subpoena the witnessfor cross-examination at the hearing.Prior written statements of witnessesproposed to testify at the hearing must

be exchanged as provided in §3.518.(c) The ALJ must exercise reasonable

control over the mode and order of interrogating witnesses and presentingevidence so as to:

(1) Make the interrogation andpresentation effective for theascertainment of the truth;

(2) Avoid repetition or needlessconsumption of time; and





(3) Protect witnesses from harassmentor undue embarrassment.

(d) The ALJ must permit the parties toconduct cross-examination of witnessesas may be required for a full and truedisclosure of the facts.

(e) The ALJ may order witnessesexcluded so that they cannot hear thetestimony of other witnesses, except

that the ALJ may not order to beexcluded—

(1) A party who is a natural person;(2) In the case of a party that is not

a natural person, the officer or employeeof the party appearing for the entity prose or designated as the party’srepresentative; or

(3) A natural person whose presenceis shown by a party to be essential to thepresentation of its case, including aperson engaged in assisting the attorneyfor the Secretary.

§3.540 Evidence.

(a) The ALJ must determine the

admissibility of evidence.(b) Except as provided in this subpart,

the ALJ is not bound by the FederalRules of Evidence. However, the ALJmay apply the Federal Rules of Evidence where appropriate, forexample, to exclude unreliableevidence.

(c) The ALJ must exclude irrelevant orimmaterial evidence.

(d) Although relevant, evidence may be excluded if its probative value issubstantially outweighed by the dangerof unfair prejudice, confusion of theissues, or by considerations of unduedelay or needless presentation of cumulative evidence.

(e) Although relevant, evidence must be excluded if it is privileged underFederal law.

(f) Evidence concerning offers of compromise or settlement isinadmissible to the extent provided inRule 408 of the Federal Rules of Evidence.

(g) Evidence of crimes, wrongs, or actsother than those at issue in the instantcase is admissible in order to showmotive, opportunity, intent, knowledge,preparation, identity, lack of mistake, orexistence of a scheme. This evidence is

admissible regardless of whether thecrimes, wrongs, or acts occurred duringthe statute of limitations periodapplicable to the acts or omissions thatconstitute the basis for liability in thecase and regardless of whether theywere referenced in the Secretary’s noticeof proposed determination under§ 3.420.

(h) The ALJ must permit the parties tointroduce rebuttal witnesses andevidence.

(i) All documents and other evidenceoffered or taken for the record must be

open to examination by both parties,unless otherwise ordered by the ALJ forgood cause shown.

§ 3.542 The record.

(a) The hearing must be recorded andtranscribed. Transcripts may beobtained following the hearing from theALJ. A party that requests a transcript of

hearing proceedings must pay the costof preparing the transcript unless, forgood cause shown by the party, thepayment is waived by the ALJ or theBoard, as appropriate.

(b) The transcript of the testimony,exhibits, and other evidence admitted atthe hearing, and all papers and requestsfiled in the proceeding constitute therecord for decision by the ALJ and theSecretary.

(c) The record may be inspected andcopied (upon payment of a reasonablefee) by any person, unless otherwiseordered by the ALJ for good causeshown, which may include the presence

in the record of identifiable patientsafety work product.

(d) For good cause, which mayinclude the presence in the record of identifiable patient safety work product,the ALJ may order appropriateredactions made to the record.

§ 3.544 Post hearing briefs.

The ALJ may require the parties to filepost-hearing briefs. In any event, anyparty may file a post-hearing brief. TheALJ must fix the time for filing the

briefs. The time for filing may notexceed 60 days from the date the partiesreceive the transcript of the hearing or,if applicable, the stipulated record. The

briefs may be accompanied by proposedfindings of fact and conclusions of law.The ALJ may permit the parties to filereply briefs.

§ 3.546 ALJ’s decision.

(a) The ALJ must issue a decision, based only on the record, which mustcontain findings of fact and conclusionsof law.

(b) The ALJ may affirm, increase, orreduce the penalties imposed by theSecretary.

(c) The ALJ must issue the decision to

both parties within 60 days after thetime for submission of post-hearing briefs and reply briefs, if permitted, hasexpired. If the ALJ fails to meet thedeadline contained in this paragraph, heor she must notify the parties of thereason for the delay and set a newdeadline.

(d) Unless the decision of the ALJ istimely appealed as provided for in§ 3.548, the decision of the ALJ will befinal and binding on the parties 60 daysfrom the date of service of the ALJ’sdecision.

§ 3.548 Appeal of the ALJ’s decision.

(a) Any party may appeal the decisionof the ALJ to the Board by filing a noticeof appeal with the Board within 30 daysof the date of service of the ALJdecision. The Board may extend theinitial 30 day period for a period of timenot to exceed 30 days if a party fileswith the Board a request for an

extension within the initial 30 dayperiod and shows good cause.

(b) If a party files a timely notice of appeal with the Board, the ALJ mustforward the record of the proceeding tothe Board.

(c) A notice of appeal must beaccompanied by a written brief specifying exceptions to the initialdecision and reasons supporting theexceptions. Any party may file a brief inopposition to the exceptions, whichmay raise any relevant issue notaddressed in the exceptions, within 30days of receiving the notice of appeal

and the accompanying brief. The Boardmay permit the parties to file reply briefs.

(d) There is no right to appearpersonally before the Board or to appealto the Board any interlocutory ruling bythe ALJ.

(e) The Board may not consider anyissue not raised in the parties’ briefs,nor any issue in the briefs that couldhave been raised before the ALJ but wasnot.

(f) If any party demonstrates to thesatisfaction of the Board that additionalevidence not presented at such hearingis relevant and material and that there

were reasonable grounds for the failureto adduce such evidence at the hearing,the Board may remand the matter to theALJ for consideration of such additionalevidence.

(g) The Board may decline to reviewthe case, or may affirm, increase,reduce, reverse or remand any penaltydetermined by the ALJ.

(h) The standard of review on adisputed issue of fact is whether theinitial decision of the ALJ is supported

by substantial evidence on the wholerecord. The standard of review on adisputed issue of law is whether the

decision is erroneous.(i) Within 60 days after the time forsubmission of briefs and reply briefs, if permitted, has expired, the Board mustserve on each party to the appeal a copyof the Board’s decision and a statementdescribing the right of any respondentwho is penalized to seek judicialreview.

(j)(1) The Board’s decision underparagraph (i) of this section, includinga decision to decline review of theinitial decision, becomes the finaldecision of the Secretary 60 days after





the date of service of the Board’sdecision, except with respect to adecision to remand to the ALJ or if reconsideration is requested under thisparagraph.

(2) The Board will reconsider itsdecision only if it determines that thedecision contains a clear error of fact orerror of law. New evidence will not be

a basis for reconsideration unless theparty demonstrates that the evidence isnewly discovered and was notpreviously available.

(3) A party may file a motion forreconsideration with the Board beforethe date the decision becomes finalunder paragraph (j)(1) of this section. Amotion for reconsideration must beaccompanied by a written brief specifying any alleged error of fact orlaw and, if the party is relying onadditional evidence, explaining why theevidence was not previously available.Any party may file a brief in opposition

within 15 days of receiving the motionfor reconsideration and theaccompanying brief unless this timelimit is extended by the Board for goodcause shown. Reply briefs are notpermitted.

(4) The Board must rule on the motionfor reconsideration not later than 30days from the date the opposition brief is due. If the Board denies the motion,the decision issued under paragraph (i)of this section becomes the finaldecision of the Secretary on the date of service of the ruling. If the Board grantsthe motion, the Board will issue a

reconsidered decision, after such

procedures as the Board determinesnecessary to address the effect of anyerror. The Board’s decision onreconsideration becomes the finaldecision of the Secretary on the date of service of the decision, except withrespect to a decision to remand to theALJ.

(5) If service of a ruling or decision

issued under this section is by mail, thedate of service will be deemed to be 5days from the date of mailing.

(k)(1) A respondent’s petition forjudicial review must be filed within 60days of the date on which the decisionof the Board becomes the final decisionof the Secretary under paragraph (j) of this section.

(2) In compliance with 28 U.S.C.2112(a), a copy of any petition forjudicial review filed in any U.S. Courtof Appeals challenging the finaldecision of the Secretary must be sent

by certified mail, return receiptrequested, to the General Counsel of HHS. The petition copy must be a copyshowing that it has been time-stamped

by the clerk of the court when theoriginal was filed with the court.

(3) If the General Counsel of HHSreceived two or more petitions within10 days after the final decision of theSecretary, the General Counsel willnotify the U.S. Judicial Panel onMultidistrict Litigation of any petitionsthat were received within the 10 dayperiod.

§ 3.550 Stay of the Secretary’s decision.

(a) Pending judicial review, the

respondent may file a request for stay of

the effective date of any penalty withthe ALJ. The request must beaccompanied by a copy of the notice of appeal filed with the Federal court. Thefiling of the request automatically staysthe effective date of the penalty untilsuch time as the ALJ rules upon therequest.

(b) The ALJ may not grant arespondent’s request for stay of anypenalty unless the respondent posts a

bond or provides other adequatesecurity.

(c) The ALJ must rule upon arespondent’s request for stay within 10days of receipt.

§ 3.552 Harmless error.

No error in either the admission or theexclusion of evidence, and no error ordefect in any ruling or order or in anyact done or omitted by the ALJ or by anyof the parties is ground for vacating,

modifying or otherwise disturbing anotherwise appropriate ruling or order oract, unless refusal to take such actionappears to the ALJ or the Boardinconsistent with substantial justice.The ALJ and the Board at every stage of the proceeding must disregard any erroror defect in the proceeding that does notaffect the substantial rights of theparties.

Dated: September 2, 2008.

Michael O. Leavitt,

Secretary.

[FR Doc. E8–27475 Filed 11–20–08; 8:45 am]

BILLING CODE 4150–28–P

42CFR Part 3 - Patient Safety and QI

Documents

Transcript of 42CFR Part 3 - Patient Safety and QI