[Federal Register Volume 73, Number 29 (Tuesday, February 12, 2008)]
[Proposed Rules]
[Pages 8111-8183]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-2375]



[[Page 8111]]

-----------------------------------------------------------------------

Part II





Department of Health and Human Services





-----------------------------------------------------------------------



42 CFR Part 3



Patient Safety and Quality Improvement; Proposed Rule

Federal Register / Vol. 73, No. 29 / Tuesday, February 12, 2008 / 
Proposed Rules

[[Page 8112]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

42 CFR Part 3

RIN 0919-AA01


Patient Safety and Quality Improvement

AGENCY: Agency for Healthcare Research and Quality, Office for Civil 
Rights, HHS.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: This document proposes regulations to implement certain 
aspects of the Patient Safety and Quality Improvement Act of 2005 
(Patient Safety Act). The proposed regulations establish a framework by 
which hospitals, doctors, and other health care providers may 
voluntarily report information to Patient Safety Organizations (PSOs), 
on a privileged and confidential basis, for analysis of patient safety 
events. The proposed regulations also outline the requirements that 
entities must meet to become PSOs and the processes for the Secretary 
to review and accept certifications and to list PSOs.
    In addition, the proposed regulation establishes the 
confidentiality protections for the information that is assembled and 
developed by providers and PSOs, termed ``patient safety work product'' 
by the Patient Safety Act, and the procedures for the imposition of 
civil money penalties for the knowing or reckless impermissible 
disclosure of patient safety work product.

DATES: Comments on the proposed rule will be considered if we receive 
them at the appropriate address, as provided below, no later than April 
14, 2008.

ADDRESSES: Interested persons are invited to submit written comments by 
any of the following methods:
     Federal eRulemaking Portal: http://www.regulations.gov. 
Comments should include agency name and ``RIN 0919-AA01''.
     Mail: Center for Quality Improvement and Patient Safety, 
Attention: Patient Safety Act NPRM Comments, AHRQ, 540 Gaither Road, 
Rockville, MD 20850.
     Hand Delivery/Courier: Center for Quality Improvement and 
Patient Safety, Attention: Patient Safety Act NPRM Comments, Agency for 
Healthcare Research and Quality, 540 Gaither Road, Rockville, MD 20850.
    Instructions: Because of staff and resource limitations, we cannot 
accept comments by facsimile (FAX) transmission or electronic mail. For 
detailed instructions on submitting comments and additional information 
on the rulemaking process, see the ``Public Participation'' heading of 
the SUPPLEMENTARY INFORMATION section of this document. Comments will 
be available for public inspection at the AHRQ Information Resources 
Center at the above-cited address between 8:30 a.m. and 5 p.m. Eastern 
Time on federal business days (Monday through Friday).

FOR FURTHER INFORMATION CONTACT: Susan Grinder, Agency for Healthcare 
Research and Quality, 540 Gaither Road, Rockville, MD 20850, (301) 427-
1111 or (866) 403-3697.

SUPPLEMENTARY INFORMATION:

Public Participation

    We welcome comments from the public on all issues set forth in this 
proposed rule to assist us in fully considering issues and developing 
policies. You can assist us by referencing the RIN number (RIN: 0919-
0AA01) and by preceding your discussion of any particular provision 
with a citation to the section of the proposed rule being discussed.

A. Inspection of Public Comments

    All comments (electronic, mail, and hand delivery/courier) received 
in a timely manner will be available for public inspection as they are 
received, generally beginning approximately 6 weeks after publication 
of this document, at the mail address provided above, Monday through 
Friday of each week from 8:30 a.m. to 5 p.m. To schedule an appointment 
to view public comments, call Susan Grinder, (301) 427-1111 or (866) 
403-3697.
    Comments submitted electronically will be available for viewing at 
the Federal eRulemaking Portal.

B. Electronic Comments

    We will consider all electronic comments that include the full 
name, postal address, and affiliation (if applicable) of the sender and 
are submitted through the Federal eRulemaking Portal identified in the 
ADDRESSES section of this preamble. Copies of electronically submitted 
comments will be available for public inspection as soon as practicable 
at the address provided, and subject to the process described, in the 
preceding paragraph.

C. Mailed Comments and Hand Delivered/Couriered Comments

    Mailed comments may be subject to delivery delays due to security 
procedures. Please allow sufficient time for mailed comments to be 
timely received in the event of delivery delays. Comments mailed to the 
address indicated for hand or courier delivery may be delayed and could 
be considered late.

D. Copies

    To order copies of the Federal Register containing this document, 
send your request to: New Orders, Superintendent of Documents, P.O. Box 
371954, Pittsburgh, PA 15250-7954. Specify the date of the issue 
requested and enclose a check or money order payable to the 
Superintendent of Documents, or enclose your Visa or Master Card number 
and expiration date. Credit card orders can also be placed by calling 
the order desk at (202) 512-1800 (or toll-free at 1-866-512-1800) or by 
faxing to (202) 512-2250. The cost for each copy is $10. As an 
alternative, you may view and photocopy the Federal Register document 
at most libraries designated as Federal Depository Libraries and at 
many other public and academic libraries throughout the country that 
receive the Federal Register.

E. Electronic Access

    This Federal Register document is available from the Federal 
Register online database through GPO Access, a service of the U.S. 
Government Printing Office. The Web site address is: http://www.gpoaccess.gov/nara/index.html. This document is available 
electronically at the following Web site of the Department of Health 
and Human Services (HHS): http://www.ahrq.gov/.

F. Response to Comments

    Because of the large number of public comments we normally receive 
on Federal Register documents, we are not able to acknowledge or 
respond to them individually. We will consider all comments we receive 
in accordance with the methods described above and by the date 
specified in the DATES section of this preamble. When we proceed with a 
final rule, we will respond to comments in the preamble to that rule.

I. Background

A. Purpose and Basis

    This proposed rule establishes the authorities, processes, and 
rules necessary to implement the Patient Safety and Quality Improvement 
Act of 2005 (Patient Safety Act), (Pub. L. 109-41), that amended the 
Public Health Service Act (42 U.S.C. 299 et seq.) by inserting new 
sections 921 through 926, 42 U.S.C. 299b-21 through 299b-26.
    Much of the impetus for this legislation can be traced to the 
publication of the landmark report, ``To

[[Page 8113]]

Err Is Human'' \1\, by the Institute of Medicine in 1999 (Report). The 
Report cited studies that found that at least 44,000 people and 
potentially as many as 98,000 people die in U.S. hospitals each year as 
a result of preventable medical errors.\2\ Based on these studies and 
others, the Report estimated that the total national costs of 
preventable adverse events, including lost income, lost household 
productivity, permanent and temporary disability, and health care costs 
to be between $17 billion and $29 billion, of which health care costs 
represent one-half.\3\ One of the main conclusions was that the 
majority of medical errors do not result from individual recklessness 
or the actions of a particular group; rather, most errors are caused by 
faulty systems, processes, and conditions that lead people to make 
mistakes or fail to prevent adverse events.\4\ Thus, the Report 
recommended mistakes can best be prevented by designing the health care 
system at all levels to improve safety--making it harder to do 
something wrong and easier to do something right.\5\
---------------------------------------------------------------------------

    \1\ Institute of Medicine, ``To Err is Human: Building a Safer 
Health System'', 1999.
    \2\ Id. at 31.
    \3\ Id. at 42.
    \4\ Id. at 49-66.
    \5\ Id.
---------------------------------------------------------------------------

    As compared to other high-risk industries, the health care system 
is behind in its attention to ensuring basic safety.\6\ The reasons for 
this lag are complex and varied. Providers are often reluctant to 
participate in quality review activities for fear of liability, 
professional sanctions, or injury to their reputations. Traditional 
state-based legal protections for such health care quality improvement 
activities, collectively known as peer review protections, are limited 
in scope: They do not exist in all States; typically they only apply to 
peer review in hospitals and do not cover other health care settings, 
and seldom enable health care systems to pool data or share experience 
between facilities. If peer review protected information is transmitted 
outside an individual hospital, the peer review privilege for that 
information is generally considered to be waived. This limits the 
potential for aggregation of a sufficient number of patient safety 
events to permit the identification of patterns that could suggest the 
underlying causes of risks and hazards that then can be used to improve 
patient safety.
---------------------------------------------------------------------------

    \6\ Id. at 75.
---------------------------------------------------------------------------

    The Report outlined a comprehensive strategy to improve patient 
safety by which public officials, health care providers, industry, and 
consumers could reduce preventable medical errors. The Report 
recommended that, in order to reduce medical errors appreciably in the 
U.S., a balance be struck between regulatory and market-based 
initiatives and between the roles of professionals and organizations. 
It recognized a need to enhance knowledge and tools to improve patient 
safety and break down legal and cultural barriers that impede such 
improvement.
    Drawing upon the broad framework advanced by the Institute of 
Medicine, the Patient Safety Act specifically addresses a number of 
these long-recognized impediments to improving the quality, safety, and 
outcomes of health care services. For that reason, implementation of 
this proposed rule can be expected to accelerate the development of 
new, voluntary, provider-driven opportunities for improvement, increase 
the willingness of health care providers to participate in such 
efforts, and, most notably, set the stage for breakthroughs in our 
understanding of how best to improve patient safety.
    These outcomes will be advanced, in large measure, through 
implementation of this proposed rule of strong Federal confidentiality 
and privilege protections for information that is patient safety work 
product under the Patient Safety Act. For the first time, there will 
now be a uniform set of Federal protections that will be available in 
all states and U.S. territories and that extend to all health care 
practitioners and institutional providers. These protections will 
enable all health care providers, including multi-facility health care 
systems, to share data within a protected legal environment, both 
within and across states, without the threat of information being used 
against the subject providers.
    Pursuant to the Patient Safety Act, this proposed rule will also 
encourage the formation of new organizations with expertise in patient 
safety, known as patient safety organizations (PSOs), which can provide 
confidential, expert advice to health care providers in the analysis of 
patient safety events.\7\ The confidentiality and privilege protections 
of this statute attach to ``patient safety work product.'' This term as 
defined in the Patient Safety Act and this proposed rule means that 
patient safety information that is collected or developed by a provider 
and reported to a PSO, or that is developed by a PSO when conducting 
defined ``patient safety activities,'' or that reveals the 
deliberations of a provider or PSO within a patient safety evaluation 
system is protected. Thus, the proposed rule will enable health care 
providers to protect their internal deliberations and analysis of 
patient safety information because this type of information is patient 
safety work product.
---------------------------------------------------------------------------

    \7\ As we use the term, patient safety event means an incident 
that occurred during the delivery of a health care service and that 
harmed, or could have resulted in harm to, a patient. A patient 
safety event may include an error of omission or commission, 
mistake, or malfunction in a patient care process; it may also 
involve an input to such process (such as a drug or device) or the 
environment in which such process occurs. Our use of the term 
patient safety event in place of the more limited concept of medical 
error to describe the work that providers and PSOs may undertake 
reflects the evolution in the field of patient safety. It is 
increasingly recognized that important insights can be derived from 
the study of patient care processes and their organizational context 
and environment in order to prevent harm to patients. We note that 
patient safety in the context of this term also encompasses the 
safety of a person who is a subject in a research study conducted by 
a health care provider. In addition, the flexible concept of a 
patient safety event is applicable in any setting in which health 
care is delivered: A health care facility that is mobile (e.g., 
ambulance), fixed and free-standing (e.g., hospital), attached to 
another entity (e.g., school clinic), as well as the patient's home 
or workplace, whether or not a health care provider is physically 
present.
---------------------------------------------------------------------------

    The statute and the proposed rule seek to ensure that the 
confidentiality provisions (as defined in these proposed regulations) 
will be taken seriously by making breaches of the protections 
potentially subject to a civil money penalty of up to $10,000. The 
combination of strong Federal protections for patient safety work 
product and the potential penalties for violation of these protections 
should give providers the assurances they need to participate in 
patient safety improvement initiatives and should spur the growth of 
such initiatives.
    Patient safety experts have long recognized that the underlying 
causes of risks and hazards in patient care can best be recognized 
through the aggregation of significant numbers of individual events; in 
some cases, it may require the aggregation of thousands of individual 
patient safety events before underlying patterns are apparent. It is 
hoped that this proposed rule will foster routine reporting to PSOs of 
data on patient safety events in sufficient numbers for valid and 
reliable analyses. Analysis of such large volumes of patient safety 
events is expected to significantly advance our understanding of the 
patterns and commonalities in the underlying causes of risks and 
hazards in the delivery of patient care. These insights should enable 
providers to more effectively and efficiently target their efforts to 
improve patient safety.
    We recognize that risks and hazards can occur in a variety of 
environments, such as inpatient, outpatient, long-term

[[Page 8114]]

care, rehabilitation, research, or other health care settings. In many 
of these settings, patient safety analysis is a nascent enterprise that 
will benefit significantly from the routine, voluntary reporting and 
analysis of patient safety events. Accordingly, we strive in the 
proposed rule to avoid imposing limitations that might preclude 
innovative approaches to the identification of, and elimination of, 
risks and hazards in specific settings for the delivery of care, 
specific health care specialties, or in research settings. We defer to 
those creating PSOs and the health care providers that enter ongoing 
relationships with them to determine the scope of patient safety events 
that will be addressed.
    Finally, we note that the statute is quite specific that these 
protections do not relieve a provider from its obligation to comply 
with other legal, regulatory, accreditation, licensure, or other 
accountability requirements that it would otherwise need to meet. The 
fact that information is collected, developed, or analyzed under the 
protections of the Patient Safety Act does not shield a provider from 
needing to undertake similar activities, if applicable, outside the 
ambit of the statute, so that the provider can meet its obligations 
with non-patient safety work product. The Patient Safety Act, while 
precluding other organizations and entities from requiring providers to 
provide them with patient safety work product, recognizes that the data 
underlying patient safety work product remains available in most 
instances for the providers to meet these other information 
requirements.
    In summary, this proposed rule implements the Patient Safety Act 
and facilitates its goals by allowing the health care industry 
voluntarily to avail itself of this framework in the best manner it 
determines feasible. At the same time, it seeks to ensure that those 
who do avail themselves of this framework will be afforded the legal 
protections that Congress intended and that anyone who breaches those 
protections will be penalized commensurately with the violation.

B. Listening Sessions

    We held three listening sessions for the general public (March 8, 
13, and 16, 2006) which helped us better understand the thinking and 
plans of interested parties, including providers considering the use of 
PSO services and entities that anticipate establishing PSOs. As stated 
in the Federal Register notice 71 FR 37 (February 24, 2006) that 
announced the listening sessions, we do not regard the presentations or 
comments made at these sessions as formal comments and, therefore, they 
are not discussed in this document.

C. Comment Period

    The comment period is sixty (60) days following the publication of 
the proposed rule.

II. Overview of Proposed Rule

    We are proposing a new Part 3 to Title 42 of the Code of Federal 
Regulations to implement the Patient Safety Act. As described above, 
the Patient Safety Act is an attempt to address the barriers to patient 
safety and health care quality improvement activities in the U.S. In 
implementing the Patient Safety Act, this proposed rule encourages the 
development of provider-driven, voluntary opportunities for improving 
patient safety; this initiative is neither funded, nor controlled by 
the Federal Government.
    Under the proposal, a variety of types of organizations--public, 
private, for-profit, and not-for-profit--can become PSOs, and offer 
their consultative expertise to providers regarding patient safety 
events and quality improvement initiatives. There will be a process for 
certification and listing of PSOs, which will be implemented by the 
Agency for Healthcare Research and Quality (AHRQ), and providers can 
work voluntarily with PSOs to obtain confidential, expert advice in 
analyzing the patient safety event and other information they collect 
or develop at their offices, facilities, or institutions. PSOs may also 
provide feedback and recommendations regarding effective strategies to 
improve patient safety as well as proven approaches for implementation 
of such strategies. In addition, to encourage providers to undertake 
patient safety activities, the regulation is very specific that patient 
safety work product is subject to confidentiality and privilege 
protections, and persons that breach the confidentiality provisions may 
be subject to a $10,000 civil money penalty, to be enforced by the 
Office for Civil Rights (OCR).
    The provisions of this proposed rule greatly expand the potential 
for participation in patient safety activities. The proposal, among 
other things, enables providers across the health care industry to 
report information to a PSO and obtain the benefit of these new 
confidentiality and privilege protections. This proposal minimizes the 
barriers to entry for listing as a PSO by creating a review process 
that is both simple and efficient. As a result, we expect a broad range 
of organizations to seek listing by the Secretary as PSOs. Listing will 
not entitle these entities to Federal funding or subsidies, but it will 
enable these PSOs to offer individual and institutional providers the 
benefits of review and analysis of patient safety work product that is 
protected by strong Federal confidentiality and privilege protections.
    Our proposed regulation will enable and assist data aggregation by 
PSOs to leverage the possibility of learning from numerous patient 
safety events across the health care system and to facilitate the 
identification and correction of systemic and other errors. For 
example, PSOs are required to seek contracts with multiple providers, 
and proposed Subpart C permits them, with certain limitations, to 
aggregate patient safety work product from their multiple clients and 
with other PSOs. In addition, the Secretary will implement other 
provisions of the Patient Safety Act that, independent of this proposed 
rule, require the Secretary to facilitate the development of a network 
of patient safety databases for the aggregation of nonidentifiable 
patient safety work product and the development of consistent 
definitions and common formats for collecting and reporting patient 
safety work product. These measures will facilitate a new level of data 
aggregation that patient safety experts deem essential to maximize the 
benefits of the Patient Safety Act.
    The Patient Safety Act gives considerable attention to the 
relationship between it and the Standards for the Privacy of 
Individually Identifiable Health Information under the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA Privacy Rule). We 
caution that the opportunity for a provider to report identifiable 
patient safety work product to a PSO does not relieve a provider that 
is a HIPAA covered entity of its obligations under the HIPAA Privacy 
Rule. In fact, the Patient Safety Act indicates that PSOs are deemed to 
be business associates of providers that are HIPAA covered entities. 
Thus, providers who are HIPAA covered entities will need to enter into 
business associate agreements with PSOs in accordance with their HIPAA 
Privacy Rule obligations. If such a provider also chooses to enter a 
PSO contract, we believe that such contracts could be entered into 
simultaneously as an agreement for the conduct of patient safety 
activities. However, the Patient Safety Act does not require a provider 
to enter a contract with a PSO to receive the protections of the 
Patient Safety Act.
    Proposed Subpart A, General Provisions, sets forth the purpose of 
the provisions and the definitions

[[Page 8115]]

applicable to the subparts that follow. Proposed Subpart B, PSO 
Requirements and Agency Procedures, sets forth the requirements for 
PSOs and describes how the Secretary will review, accept, revoke, and 
deny certifications for listing and continued listing of entities as 
PSOs and other required submissions. Proposed Subpart C, 
Confidentiality and Privilege Protections of Patient Safety Work 
Product, describes the provisions that relate to the confidentiality 
protections and permissible disclosure exceptions for patient safety 
work product. Proposed Subpart D, Enforcement Program, includes 
provisions that relate to activities for determining compliance, such 
as investigations of and cooperation by providers, PSOs, and others; 
the imposition of civil money penalties; and hearing procedures.

III. Section by Section Description of the Proposed Rule

A. Subpart A--General Provision

1. Proposed Sec.  3.10--Purpose
    The purpose of this proposed Part is to implement the Patient 
Safety and Quality Improvement Act of 2005 (Pub. L. 109-41), which 
amended the Public Health Service Act (42 U.S.C. 299 et seq.) by 
inserting new sections 921 through 926, 42 U.S.C. 299b-21 through 299b-
26.
2. Proposed Sec.  3.20--Definitions
    Section 921 of the Public Health Service Act, 42 U.S.C. 299b-21, 
defines several terms, and our proposed rules would, for the most part, 
restate the law. In some instances, we propose to clarify definitions 
to fit within the proposed framework. We also propose some new 
definitions for convenience and to clarify the application and 
operation of this proposed rule. Moreover, we reference terms defined 
under the HIPAA Privacy Rule for ease of interpretation and 
consistency, given the overlap between the Patient Safety Act 
protections of patient-identifiable patient safety work product 
(discussed below) and the HIPAA Privacy Rule.
    Proposed Sec.  3.20 would establish the basic definitions 
applicable to this proposed rule, as follows:
    AHRQ stands for the Agency for Healthcare Research and Quality in 
the U.S. Department of Health and Human Services (HHS). This definition 
is added for convenience.
    ALJ stands for an Administrative Law Judge at HHS. This definition 
is added for convenience in describing the process for appealing civil 
money penalty determinations.
    Board would mean the members of the HHS Departmental Appeals Board. 
This definition is added for convenience in providing for appeals of 
civil money penalty determinations.
    Bona fide contract would mean (a) a written contract between a 
provider and a PSO that is executed in good faith by officials 
authorized to execute such contract; or (b) a written agreement (such 
as a memorandum of understanding or equivalent recording of mutual 
commitments) between a Federal, State, local, or Tribal provider and a 
Federal, State, local, or Tribal PSO that is executed in good faith by 
officials authorized to execute such agreement.
    In addition to the primary interpretation of an enforceable 
contract under applicable law as proposed under paragraph (a) of this 
definition, we propose to make the scope of the term broad enough to 
encompass agreements between health care providers and PSOs that are 
components of Federal, State, local or Tribal governments or government 
agencies. Such entities could clearly perform the same data collection 
and analytic functions as performed by other providers and PSOs that 
the Patient Safety Act seeks to foster. Thus, paragraph (b) of the 
definition recognizes that certain government entities may not enter a 
formal contract with each other, but may only make a commitment with 
other agencies through the mechanism of some other type of agreement.
    We note that proposed Sec.  3.102(a)(2) incorporates the statutory 
restriction that a health insurance issuer and a component of a health 
insurance issuer may not become a PSO. That section also proposes to 
prohibit the listing of public and private entities that conduct 
regulatory oversight of health care providers, including accreditation 
and licensure.
    Complainant would mean a person who files a complaint with the 
Secretary pursuant to proposed Sec.  3.306.
    Component Organization would mean an entity that is either: (a) A 
unit or division of a corporate organization or of a multi-
organizational enterprise; or (b) a separate organization, whether 
incorporated or not, that is owned, managed or controlled by one or 
more other organizations (i.e., its parent organization(s)). We discuss 
our preliminary interpretation of the terms ``owned,'' ``managed,'' or 
``controlled'' in the definition of parent organization. Multi-
organizational enterprise, as used here, means a common business or 
professional undertaking in which multiple entities participate as well 
as governmental agencies or Tribal entities in which there are multiple 
components.\8\
---------------------------------------------------------------------------

    \8\ The concept of multi-organizational enterprise as used in 
this regulation, in case law, and in a legal reference works such as 
Blumberg on Corporate Groups, Sec.  6.04 (2d ed. 2007 Supplement) 
refers to multi-organizational undertakings with separate 
corporations or organizations that are integrated in a common 
business activity. The component entities are often, but not 
necessarily, characterized by interdependence and some form of 
common control, typically by agreement. Blumberg notes that health 
care providers increasingly are integrated in various forms of 
multi-organizational enterprises.
---------------------------------------------------------------------------

    We anticipate that PSOs may be established by a wide array of 
health-related organizations and quality improvement enterprises, 
including hospitals, nursing homes and health care provider systems, 
health care professional societies, academic and commercial research 
organizations, Federal, State, local, and Tribal governmental units 
that are not subject to the proposed restriction on listing in proposed 
Sec.  3.102(a)(2), as well as joint undertakings by combinations of 
such organizations. One effect of defining component organization as we 
propose is that, pursuant to section 924 of the Patient Safety Act, 42 
U.S.C. 299b-24, all applicant PSOs that fall within the scope of the 
definition of component organization must certify to the separation of 
confidential patient safety work product and staff from the rest of any 
organization or multi-organizational enterprise of which they (in the 
conduct of their work) are a part. Component organizations must also 
certify that their stated mission can be accomplished without 
conflicting with the rest of their parent organization(s).
    A subsidiary corporation may, in certain circumstances, be viewed 
as part of a multi-organizational enterprise with its parent 
corporation and would be so regarded under the proposed regulation. 
Thus, an entity, such as a PSO that is set up as a subsidiary by a 
hospital chain, would be considered a component of the corporate chain 
and a component PSO for purposes of this proposed rule. Considering a 
subsidiary of a corporation to be a ``component'' of its parent 
organization may seem contrary to the generally understood separateness 
of a subsidiary in its corporate relationship with its parent.\9\

[[Page 8116]]

That is, where two corporate entities are legally separate, one entity 
would ordinarily not be considered a component of the other entity, 
even when that other entity has a controlling interest or exercises 
some management control. However, we have preliminarily determined that 
viewing a subsidiary entity that seeks to be a PSO as a component of 
its parent organization(s) would be consistent with the objectives of 
the section on certifications required of component organizations in 
the Patient Safety Act and appears to be consistent with trends in the 
law discussed below. We invite comment on our interpretation.
---------------------------------------------------------------------------

    \9\ Corporations are certain types of organizations that are 
given legal independence and rights, (e.g. the right to litigate). 
Subsidiary corporations are corporations in which a majority of the 
shares are owned by another corporation, known as a parent 
corporation. Thus, subsidiaries are independent corporate entities 
in a formal legal sense, yet, at the same time, they are controlled, 
to some degree, by their parent by virtue of stock ownership and 
control. Both corporations and subsidiaries are legal constructs 
designed to foster investment and commerce by limiting 
entrepreneurial risks and corporate liabilities. In recognition of 
the legitimate utility of these objectives, courts have generally 
respected the separateness of parent corporations and subsidiaries, 
(e.g., courts do not ordinarily allow the liabilities of a 
subsidiary to be attributed to its parent corporation, despite the 
fact that by definition, parent corporations have a measure of 
control over a subsidiary). However, courts have looked behind the 
separate legal identities that separate parent and subsidiary to 
impose liability when individuals in litigation can establish that 
actual responsibility rests with a parent corporation by virtue of 
the degree and manner in which it has exercised control over its 
subsidiary. Under these circumstances, courts permit ``the corporate 
veil to be pierced.''
---------------------------------------------------------------------------

    Corporations law or ``entity law,'' which emphasizes the 
separateness and distinct rights and obligations of a corporation, has 
been supplemented by the development of ``relational law'' when 
necessary (e.g., to address evolving organizational arrangements such 
as multi-organizational enterprises). To determine rights and 
obligations in these circumstances, courts weigh the relationships of 
separate corporations that are closely related by virtue of 
participating in the same enterprise, (i.e., a common chain of economic 
activity fostering and characterized by interdependence).\10\ There has 
been a growing trend in various court decisions to attribute legal 
responsibilities based on actual behavior in organizational 
relationships, rather than on corporate formalities.
---------------------------------------------------------------------------

    \10\ See Phillip I. Blumberg Et Al., Blumberg On Corporate 
Groups Sec. Sec.  6.01 and 6.02.
---------------------------------------------------------------------------

    We stress that neither the statute nor the proposed regulation 
imposes any legal responsibilities, obligations, or liability on the 
organization(s) of which a component PSO is a part. The focus of the 
Patient Safety Act and the regulation is principally on the entity that 
voluntarily seeks listing by the Secretary as a PSO.
    We note that two of the three certifications that the Patient 
Safety Act and the proposed regulation requires component entities to 
make--relating to the security and confidentiality of patient safety 
work product--are essentially duplicative of attestations that are 
required of all entities seeking listing or continued listing as a PSO 
(certifications made under section 924(a)(1)(A) and (a)(2)(A) of the 
Public Health Service Act, 42 U.S.C. 299b-24(a)(1)(A) and (a)(2)(A) 
with respect to patient safety activities described in section 
921(5)(E) and (F) of the Public Health Service Act, 42 U.S.C. 299b-
21(5)(E) and (F)). That is, under the Patient Safety Act, all PSOs have 
to attest that they have in place policies and procedures to, and 
actually do, perform patient safety activities, which include the 
maintenance of procedures to preserve patient safety work product 
confidentiality and the provision of appropriate security measures for 
patient safety work product. The overlapping nature of these 
confidentiality and security requirements on components suggests 
heightened congressional concern and emphasis regarding the need to 
maintain a strong ``firewall'' between a component PSO and its parent 
organization, which might have the opportunity and potential to access 
sensitive patient safety work product the component PSO assembles, 
develops, and maintains. A similar concern arises in the context of a 
PSO that is a unit of a corporate parent, a subsidiary or an entity 
affiliated with other organizations in a multi-organizational 
enterprise.
    Requiring entities seeking listing to disclose whether they have a 
parent organization or are part of a multi-organizational enterprise 
does not involve ``piercing the corporate veil'' as discussed in the 
footnote above. The Department would not be seeking this information to 
hold a parent liable for actions of the PSO, but to ensure full 
disclosure to the Department about the organizational relationships of 
an entity seeking to be listed as a PSO. Accordingly, we propose that 
an entity seeking listing as a PSO must do so as a component 
organization if it has one or more parent organizations (as described 
here and in the proposed definition of that term) or is part of a 
multi-organizational enterprise, and it must provide the names of its 
parent entities. If it has a parent or several parent organizations, as 
defined by the proposed regulation, the entity seeking to be listed 
must provide the additional certifications mandated by the statute and 
by the proposed regulation at Sec.  3.102(c) to maintain the 
separateness of its patient safety work product from its parent(s) and 
from other components or affiliates\11\ of its parent(s). Such 
certifications are consistent with the above-cited body of case law 
that permits and makes inquiries about organizational relationships and 
practices for purposes of carrying out statutes and statutory 
objectives.
---------------------------------------------------------------------------

    \11\ Corporate affiliates are commonly controlled corporations; 
sharing a corporate parent, they are sometimes referred to as sister 
corporations. Separate corporations that are part of a multi-
organizational enterprise are also referred to by the common terms 
``affiliates'' or ``affiliated organizations''.
---------------------------------------------------------------------------

    It may be helpful to illustrate how a potential applicant for 
listing should apply these principles in determining whether to seek 
listing as a component PSO. The fundamental principle is that if there 
is a parent organization relationship present and the entity is not 
prohibited from seeking listing by proposed Sec.  3.102(a)(2), the 
entity must seek listing as a component PSO. In determining whether an 
entity must seek listing as a component organization, we note that it 
does not matter whether the entity is a component of a provider or a 
non-provider organization and, if it is a component of a provider 
organization, whether it will undertake patient safety activities for 
the parent organization's providers or providers that have no 
relationship with its parent organization(s). The focus here is 
primarily on establishing the separateness of the entity's operation 
from any type of parent organization. Examples of entities that would 
need to seek listing as a component organization include: A division of 
a provider or non-provider organization; a subsidiary entity created by 
a provider or non-provider organization; or a joint venture created by 
several organizations (which could include provider organizations, non-
provider organizations, or a mix of such organizations) where any or 
all of the organizations have a measure of control over the joint 
venture.
    Other examples of entities that would need to seek listing as a 
component PSO include: a division of a nursing home chain; a subsidiary 
entity created by a large academic health center or health system; or a 
joint venture created by several organizations to seek listing as a PSO 
where any or all of the organizations have a measure of control over 
the joint venture.
    Component PSO would mean a PSO listed by the Secretary that is a 
component organization.
    Confidentiality provisions would mean any requirement or 
prohibition concerning confidentiality established by Sections 921 and 
922(b)-(d), (g) and (i) of the Public Health Service Act, 42

[[Page 8117]]

U.S.C. 299b-21 and 299b-22(b)-(d), (g) and (i), and the proposed 
provisions, at Sec. Sec.  3.206 and 3.208, by which we propose to 
implement the prohibition on disclosure of identifiable patient safety 
work product. We proposed to define this new term to provide an easy 
way to reference the provisions in the Patient Safety Act and in the 
proposed rule that implements the confidentiality protections of the 
Patient Safety Act for use in the enforcement and penalty provisions of 
this proposed rule. We found this a useful approach in the HIPAA 
Enforcement Rule, where we defined ``administrative simplification 
provision'' for that purpose. In determining how to define 
``confidentiality provisions'' that could be violated, we considered 
the statutory enforcement provision at section 922(f) of the Public 
Health Service Act, 42 U.S.C. 299b-22(f), which incorporates by 
reference section 922(b) and (c).\12\ Thus, the enforcement authority 
clearly implicates sections 922(b) and (c) of the Patient Safety Act, 
42 U.S.C. 299b-22(b) and (c), which are implemented in proposed Sec.  
3.206. Section 922(d) of the Patient Safety Act, 42 U.S.C. 299b-22(d), 
is entitled the ``Continued Protection of Information After 
Disclosure'' and sets forth continued confidentiality protections for 
patient safety work product after it has been disclosed under section 
922(c) of the Public Health Service Act, 42 U.S.C. 299b-22(c), with 
certain exceptions. Thus, section 922(d) of the Public Health Service 
Act, 42 U.S.C. 299b-22(d), is a continuation of the confidentiality 
protections provided for in section 922(b) of the Public Health Service 
Act, 42 U.S.C. 299b-22(b). Therefore, we also consider the continued 
confidentiality provision at proposed Sec.  3.208 herein to be one of 
the confidentiality provisions. In addition, our understanding of these 
provisions is based on the rule of construction in section 922(g) of 
the Public Health Service Act, 42 U.S.C. 299b-22(g), and the 
clarification with respect to HIPAA in section 922(i) of the Public 
Health Service Act, 42 U.S.C. 299b-22(i); accordingly, these provisions 
are included in the definition.
---------------------------------------------------------------------------

    \12\ Section 922(f) of the Public Health Service Act, 42 U.S.C. 
299b-22(f), states that ``subject to paragraphs (2) and (3), a 
person who discloses identifiable patient safety work product in 
knowing or reckless violation of subsection (b) shall be subject to 
a civil money penalty of not more than $10,000 for each act 
constituting such violation'' (emphasis added). Subsection (b) of 
section 922 of the Public Health Service Act, 42 U.S.C. 299b-22(b), 
is entitled, ``Confidentiality of Patient Safety Work Product'' and 
states, ``Notwithstanding any other provision of Federal, State, or 
local law, and subject to subsection (c), patient safety work 
product shall be confidential and shall not be disclosed'' (emphasis 
added). Section 922(c) of the Public Health Service Act, 42 U.S.C. 
299b-22(c), in turn, contains the exceptions to confidentiality and 
privilege protections.
---------------------------------------------------------------------------

    In contrast to the confidentiality provisions, the privilege 
provisions in the Patient Safety Act will be enforced by the tribunals 
or agencies that are subject to them; the Patient Safety Act does not 
authorize the imposition of civil money penalties for breach of such 
provisions. We note, however, that to the extent a breach of privilege 
is also a breach of confidentiality, the Secretary would enforce the 
confidentiality breach under 42 U.S.C. 299b-22(f).
    Disclosure would mean the release, transfer, provision of access 
to, or divulging in any other manner of patient safety work product by 
a person holding patient safety work product to another person. An 
impermissible disclosure (i.e., a disclosure of patient safety work 
product in violation of the confidentiality provisions) is the action 
upon which potential liability for a civil money penalty rests. 
Generally, if the person holding patient safety work product is an 
entity, disclosure occurs when the information is shared with another 
entity or a natural person outside the entity. We do not propose to 
hold entities liable for uses of the information within the entity, 
(i.e., when this information is exchanged or shared among the workforce 
members of the entity) except as noted below concerning component PSOs. 
If a natural person holds patient safety work product, except in the 
capacity as a workforce member, a disclosure occurs whenever exchange 
occurs to any other person or entity. In light of this definition, we 
note that a disclosure to a contractor that is under the direct control 
of an entity (i.e., a workforce member) would be a use of the 
information within the entity and, therefore, not a disclosure for 
which a permission is needed. However, a disclosure to an independent 
contractor would not be a disclosure to a workforce member, and thus, 
would be a disclosure for purposes of this proposed rule and the 
proposed enforcement provisions under Subpart D.
    For component PSOs, we propose to recognize as a disclosure the 
sharing or transfer of patient safety work product outside of the legal 
entity, as described above, and between the component PSO and the rest 
of the organization (i.e., parent organization) of which the component 
PSO is a part. The Patient Safety Act demonstrates a strong desire for 
the separation of patient safety work product between a component PSO 
and the rest of the organization. See section 924(b)(2) of the Public 
Health Service Act, 42 U.S.C. 299b-24(b)(2). Because we propose to 
recognize component organizations as component PSOs which exist within, 
but distinct from, a single legal entity, and such a component 
organization as a component PSO would be required to certify to limit 
access to patient safety work product under proposed Sec.  3.102(c), 
the release, transfer, provision of access to, or divulging in any 
other manner of patient safety work product from a component PSO to the 
rest of the organization will be recognized as a disclosure for 
purposes of this proposed rule and the proposed enforcement provisions 
under Subpart D.
    We considered whether or not we should hold entities liable for 
disclosures that occur within that entity (uses) by defining disclosure 
more discretely, (i.e., as between persons within an entity). If we 
were to define disclosure in this manner, it may promote better 
safeguarding against inappropriate uses of patient safety work product 
by providers and PSOs. It may also allow better control of uses by 
third parties to whom patient safety work product is disclosed, and it 
would create additional enforcement situations which could lead to 
additional potential civil money penalties. We note that HIPAA 
authorized the Department to regulate both the uses and disclosures of 
individually identifiable health information and, thus, the HIPAA 
Privacy Rule regulates both the uses and disclosures of such 
information by HIPAA covered entities. See section 264(b) and (c)(1) of 
HIPAA, Public Law 104-191. The Patient Safety Act, on the other hand, 
addresses disclosures and authorizes the Secretary to penalize 
disclosures of patient safety work product.
    Nonetheless, we do not propose to regulate the use, transfer or 
sharing by internal disclosure, of patient safety work product within a 
legal entity. We also decline to propose to regulate uses because we 
would consider regulating uses within providers and PSOs to be 
intrusive into their internal affairs. This would be especially the 
case given that this is a voluntary program. Moreover, we do not 
believe that regulating uses would further the statutory goal of 
facilitating the sharing of patient safety work product with PSOs. In 
other words, regulating uses would not advance the ability of any 
entity to share patient safety work product for patient safety 
activities. Finally, we presume that there are sufficient incentives in 
place for providers and PSOs to prudently manage the uses of sensitive 
patient safety work product.

[[Page 8118]]

    We are not regulating uses, whether in a provider, PSO, or any 
other entity that obtains patient safety work product. Because we are 
not proposing to regulate uses, there will be no federal sanction based 
on use of this information. If a provider or other entity wants to 
limit the uses or further disclosures (beyond the regulatory 
permissions) by a PSO or any future recipient, a disclosing entity is 
free to do so by contract. See section 922(g)(4) of the Public Health 
Service Act, 42 U.S.C. 299b-22(g)(4), and proposed Sec.  3.206(e). We 
seek comment about whether this strikes the right balance.
    The proposed definition mirrors the definition of disclosure used 
in the HIPAA Privacy Rule concerning disclosures of protected health 
information. Although we do not propose to regulate the use of patient 
safety work product, HIPAA covered entities that possess patient safety 
work product which contains protected health information must comply 
with the use and disclosure requirements of the HIPAA Privacy Rule with 
respect to the protected health information. Patient safety work 
product containing protected health information could only be used in 
accordance with the HIPAA Privacy Rule use permissions, including the 
minimum necessary requirement.
    Entity would mean any organization, regardless of whether the 
organization is public, private, for-profit, or not-for-profit. The 
statute permits any entity to seek listing as a PSO by the Secretary 
except a health insurance issuer and any component of a health 
insurance issuer and Sec.  3.102(a)(2) proposes, in addition, to 
prohibit public or private sector entities that conduct regulatory 
oversight of providers.
    Group health plan would mean an employee welfare benefit plan (as 
defined in section 3(1) of the Employee Retirement Income Security Act 
of 1974 (ERISA) to the extent that the plan provides medical care (as 
defined in paragraph (2) of section 2791(a) of the Public Health 
Service Act, 42 U.S.C. 300gg-91(a)(1)) and including items and services 
paid for as medical care) to employees or their dependents (as defined 
under the terms of the plan) directly or through insurance, 
reimbursement, or otherwise. Section 2791(b)(2) of the Public Health 
Service Act, 42 U.S.C. 300gg-91(b)(2) excludes group health plans from 
the defined class of `health insurance issuer.' Therefore, a group 
health plan may establish a PSO unless the plan could be considered a 
component of a health insurance issuer, in which case such a plan would 
be precluded from being a PSO by the Patient Safety Act.
    Health insurance issuer would mean an insurance company, insurance 
service, or insurance organization (including a health maintenance 
organization, as defined in 42 U.S.C. 300gg-91(b)(3)) which is licensed 
to engage in the business of insurance in a State and which is subject 
to State law which regulates insurance (within the meaning of 29 U.S.C. 
1144(b)(2)). The term, as defined in the Public Health Service Act, 
does not include a group health plan.
    Health maintenance organization would mean (1) a Federally 
qualified health maintenance organization (as defined in 42 U.S.C. 
300e(a)); (2) an organization recognized under State law as a health 
maintenance organization; or (3) a similar organization regulated under 
State law for solvency in the same manner and to the same extent as 
such a health maintenance organization. Because the ERISA definition 
relied upon by the Patient Safety Act includes health maintenance 
organizations in the definition of health insurance issuer, an HMO may 
not be, control, or manage the operation of a PSO.
    HHS stands for the United States Department of Health and Human 
Services. This definition is added for convenience.
    HIPAA Privacy Rule would mean the regulations promulgated under 
section 264(c) of the Health Insurance Portability and Accountability 
Act of 1996 (HIPAA), at 45 CFR Part 160 and Subparts A and E of Part 
164.
    Identifiable Patient Safety Work Product would mean patient safety 
work product that:
    (1) Is presented in a form and manner that allows the 
identification of any provider that is a subject of the work product, 
or any providers that participate in activities that are a subject of 
the work product;
    (2) Constitutes individually identifiable health information as 
that term is defined in the HIPAA Privacy Rule at 45 CFR 160.103; or
    (3) Is presented in a form and manner that allows the 
identification of an individual who in good faith reported information 
directly to a PSO, or to a provider with the intention of having the 
information reported to a PSO (``reporter'').
    Identifiable patient safety work product is not patient safety work 
product that meets the nonidentification standards proposed for 
``nonidentifiable patient safety work product''.
    Nonidentifiable Patient Safety Work Product would mean patient 
safety work product that is not identifiable in accordance with the 
nonidentification standards proposed at Sec.  3.212. Because the 
privilege and confidentiality protections of the Patient Safety Act and 
this Part do not apply to nonidentifiable patient safety work product 
once disclosed, the restrictions and data protection rules in this 
proposed rule phrased as pertaining to patient safety work product 
generally only apply to identifiable patient safety work product.
    OCR stands for the Office for Civil Rights in HHS. This definition 
is added for convenience.
    Parent organization would mean a public or private sector 
organization that, alone or with others, either owns a provider entity 
or a component PSO, or has the authority to control or manage agenda 
setting, project management, or day-to-day operations of the component, 
or the authority to review and override decisions of a component PSO. 
We have not proposed to define the term ``owns.'' We propose to use the 
term ``own a provider entity'' to mean a governmental agency or Tribal 
entity that controls or manages a provider entity as well as an 
organization having a controlling interest in a provider entity or a 
component PSO, for example, owning a majority or more of the stock of 
the owned entity, and expressly ask for comment on whether our further 
definition of controlling interest as follows below is appropriate.
    Under the proposed regulation, if an entity that seeks to be a PSO 
has a parent organization, that entity will be required to seek listing 
as a component PSO and must provide certifications set forth in 
proposed Sec.  3.102(c), which indicate that the entity maintains 
patient safety work product separately from the rest of the 
organization(s) and establishes security measures to maintain the 
confidentiality of patient safety work product, the entity does not 
make an unauthorized disclosure of patient safety work product to the 
rest of the organization(s), and the entity does not create a conflict 
of interest with the rest of the organization(s).
    Traditionally, a parent corporation is defined as a corporation 
that holds a controlling interest in one or more subsidiaries. By 
contrast, parent organization, as used in this proposed rule, is a more 
inclusive term and is not limited to definitions used in corporations 
law. Accordingly, the proposed definition emphasizes a parent 
organization's control (or influence) over a PSO that may or may not be 
based on stock ownership.\13\ Our

[[Page 8119]]

approach to interpreting the statutory reference in section 924(b)(2) 
of the Patient Safety Act, 42 U.S.C. 299b-24(b)(2) to ``another 
organization'' in which an entity is a ``component'' (i.e., a ``parent 
organization'') is analogous to the growing attention in both statutory 
and case law, to the nature and conduct of business organizational 
relationships, including multi-organizational enterprises. As discussed 
above in the definition of ``component,'' the emphasis on actual 
organizational control, rather than the organization's structure, has 
numerous legal precedents in legislation implementing statutory 
programs and objectives and courts upholding such programs and 
objectives.\14\ Therefore, the definition of a ``parent organization,'' 
as used in the proposed regulation would encompass an affiliated 
organization that participates in a common enterprise with an entity 
seeking listing, and that owns, manages or exercises control over the 
entity seeking to be listed as a PSO. As indicated above, affiliated 
corporations have been legally defined to mean those who share a 
corporate parent or are part of a common corporate enterprise.\15\
---------------------------------------------------------------------------

    \13\ Cf. 17 CFR 240.12b-2 (defining ``control'' broadly as ``* * 
* the power to direct or cause the direction of the management and 
policies of an * * * [entity] whether through the ownership of 
voting securities, by contract, or otherwise.'')
    \14\ Blumberg on Corporate Groups Sec.  13 notes that, where 
applications for licenses are in a regulated industry, information 
is required by states about the applicant as well as corporate 
parents, subsidiaries and affiliates. In the proposed regulation, 
pursuant to the Patient Safety Act, information about parent 
organizations with potentially conflicting missions would be 
obtained to ascertain that component entities seeking to be PSOs 
have measures in place to protect the confidentiality of patient 
safety work product and the independent conduct of impartial 
scientific analyses by PSOs.
    \15\ See for example the definition of affiliates in regulations 
jointly promulgated by the Comptroller of the Currency, the Federal 
Reserve board, the FDIC, and the Office of Thrift Supervision to 
implement privacy provisions of Gramm Leach Bliley legislation using 
provisions of the Fair Credit Reporting Act (dealing with 
information sharing among affiliates): ``any company that is related 
or affiliated by common ownership, or affiliated by corporate 
control or common corporate control with another company.'' 
Blumberg, supra note 2, at Sec.  122.09[A] (citing 12 CFR pt.41.3, 
12 CFR pt.222.3(1), 12 CFR pt.334.3(b) and 12 CFR pt.571.3(1) 
(2004)).
---------------------------------------------------------------------------

    Parent organization is defined to include affiliates primarily in 
recognition of the prospect that otherwise unrelated organizations 
might affiliate to jointly establish a PSO. We can foresee such an 
enterprise because improving patient safety through expert analysis of 
aggregated patient safety data could logically be a common and 
efficient objective shared by multiple potential cofounders of a PSO. 
It is fitting, in our view, that a component entity certify, as we 
propose in Sec.  3.102(c), that there is ``no conflict'' between its 
mission as a PSO and all of the rest of the parent or affiliated 
organizations that undertake a jointly sponsored PSO enterprise.\16\ 
Similarly, it is also appropriate that the additional certifications 
required of component entities in proposed Sec.  3.102(c) regarding 
separation of patient safety work product and the use of separate staff 
be required of an entity that has several co-founder parent 
organizations that exercise ownership, management or control, (i.e. to 
assure that the intended ``firewalls'' exist between the component 
entity and the rest of any affiliated organization that might exercise 
ownership, management or control over a PSO).
---------------------------------------------------------------------------

    \16\ We note that the certifications from a jointly established 
PSO could be supported or substantiated with references to 
protective procedural or policy walls that have been established to 
preclude a conflict of these organizations' other missions with the 
scientific analytic mission of the PSO.
---------------------------------------------------------------------------

    To recap this part of the discussion, we would consider an entity 
seeking listing as a PSO to have a parent organization, and such entity 
would seek listing as a component organization, under the following 
circumstances: (a) The entity is a unit in a corporate organization or 
a controlling interest in the entity is owned by another corporation; 
or (b) the entity is a distinct organizational part of a multi-
organizational enterprise and one or more affiliates in the enterprise 
own, manage, or control the entity seeking listing as a PSO. An example 
of an entity described in (b) would be an entity created by a joint 
venture in which the entity would be managed or controlled by several 
co-founding parent organizations.
    The definition of provider in the proposed rule (which will be 
discussed below) includes the parent organization of any provider 
entity. Correspondingly, our definition of parent organization includes 
any organization that ``owns a provider entity.'' This is designed to 
provide an option for the holding company of a corporate health care 
system to enter a multi-facility or system-wide contract with a PSO.
    Patient Safety Act would mean the Patient Safety and Quality 
Improvement Act of 2005 (Pub. L. 109-41), which amended Title IX of the 
Public Health Service Act (42 U.S.C. 299 et seq.) by inserting a new 
Part C, sections 921 through 926, which are codified at 42 U.S.C. 299b-
21 through 299b-26.
    Patient safety activities would mean the following activities 
carried out by or on behalf of a PSO or a provider:
    (1) Efforts to improve patient safety and the quality of health 
care delivery;
    (2) The collection and analysis of patient safety work product;
    (3) The development and dissemination of information with respect 
to improving patient safety, such as recommendations, protocols, or 
information regarding best practices;
    (4) The utilization of patient safety work product for the purposes 
of encouraging a culture of safety and of providing feedback and 
assistance to effectively minimize patient risk;
    (5) The maintenance of procedures to preserve confidentiality with 
respect to patient safety work product;
    (6) The provision of appropriate security measures with respect to 
patient safety work product;
    (7) The utilization of qualified staff; and
    (8) Activities related to the operation of a patient safety 
evaluation system and to the provision of feedback to participants in a 
patient safety evaluation system.
    This definition is taken from the Patient Safety Act. See section 
921(5) of the Public Health Service Act, 42 U.S.C. 299b-21(5). Patient 
safety activities is used as a key reference term for other provisions 
in the proposed rule and those provisions provide descriptions related 
to patient safety activities. See proposed requirements for PSOs at 
Sec. Sec.  3.102 and 3.106 and the proposed confidentiality disclosure 
permission at Sec.  3.206(b)(4).
    Patient safety evaluation system would mean the collection, 
management, or analysis of information for reporting to or by a PSO. 
The patient safety evaluation system is a core concept of the Patient 
Safety Act through which information, including data, reports, 
memoranda, analyses, and/or written or oral statements, is collected, 
maintained, analyzed, and communicated. When a provider engages in 
patient safety activities for the purpose of reporting to a PSO or a 
PSO engages in these activities with respect to information for patient 
safety purposes, a patient safety evaluation system exists regardless 
of whether the provider or PSO has formally identified a ``patient 
safety evaluation system''. For example, when a provider collects 
information for the purpose of reporting to a PSO and reports the 
information to a PSO to generate patient safety work product, the 
provider is collecting and reporting through its patient safety 
evaluation system (see definition of patient safety work product ). 
Although we do not propose to require providers or PSOs formally to 
identify or define their patient safety evaluation system--because such 
systems exist by virtue of the providers or PSOs undertaking certain 
patient safety activities--a patient safety evaluation system can be

[[Page 8120]]

formally designated by a provider or PSO to establish a secure space in 
which these activities may take place.
    The formal identification or designation of a patient safety 
evaluation system could give structure to the various functions served 
by a patient safety evaluation system. These possible functions are:
    1. For reporting information by a provider to a PSO in order to 
generate patient safety work product and to protect the fact of 
reporting such information to a PSO (see section 921(6) and 
(7)(A)(i)(I) of the Public Health Service Act, 42 U.S.C. 299b-21(6) and 
(7)(A)(i)(I));
    2. For communicating feedback concerning patient safety events 
between PSOs and providers (see section 921(5)(H) of the Public Health 
Service Act, 42 U.S.C. 299b-21(5)(H));
    3. For creating and identifying the space within which 
deliberations and analyses of information and patient safety work 
product are conducted (see section 921(7)(A)(ii) of the Public Health 
Service Act, 42 U.S.C. 299b-21(7)(A)(ii));
    4. For separating patient safety work product and information 
collected, maintained, or developed for reporting to a PSO distinct and 
apart from information collected, maintained, or developed for other 
purposes (see section 921(7)(B)(ii) of the Public Health Service Act, 
42 U.S.C. 299b-21(7)(B)(ii)); and,
    5. For identifying patient safety work product to maintain its 
privileged status and confidentiality, and to avoid impermissible 
disclosures (see section 922(b) of the Public Health Service Act, 42 
U.S.C. 299b-22(b)).
    A provider or PSO need not engage in all of the above-mentioned 
functions in order to establish or maintain a patient safety evaluation 
system. A patient safety evaluation system is flexible and scalable to 
the individual needs of a provider or PSO and may be modified as 
necessary to support the activities and level of engagement in the 
activities by a particular provider or PSO.
    Documentation. Because a patient safety evaluation system is 
critical in identifying and protecting patient safety work product, we 
encourage providers and PSOs to document what constitutes their patient 
safety evaluation system. We recommend that providers and PSOs consider 
documenting the following:
     How information enters the patient safety evaluation 
system;
     What processes, activities, physical space(s) and 
equipment comprise or are used by the patient safety evaluation system;
     Which personnel or categories of personnel need access to 
patient safety work product to carry out their duties involving 
operation of, or interaction with the patient safety evaluation system, 
and for each such person or category of persons, the category of 
patient safety work product to which access is needed and any 
conditions appropriate to such access; and,
     What procedures or mechanisms the patient safety 
evaluation system uses to report information to a PSO or disseminate 
information outside of the patient safety evaluation system.
    A documented patient safety evaluation system, as opposed to an 
undocumented or poorly documented patient safety evaluation system, may 
accrue many benefits to the operating provider or PSO. Providers or 
PSOs that have a documented patient safety evaluation system will have 
substantial proof to support claims of privilege and confidentiality 
when resisting requests for production of, or subpoenas for, 
information constituting patient safety work product or when making 
requests for protective orders against requests or subpoenas for such 
patient safety work product. Documentation of a patient safety 
evaluation system will enable a provider or PSO to provide supportive 
evidence to a court when claiming privilege protections for patient 
safety work product. This may be particularly critical since the same 
activities can be done inside and outside of a patient safety 
evaluation system.
    A documented and established patient safety evaluation system also 
gives notice to employees of the privileged and confidential nature of 
the information within a patient safety evaluation system in order to 
generate awareness, greater care in handling such information and more 
caution to prevent unintended or impermissible disclosures of patient 
safety work product. For providers with many employees, an established 
and documented patient safety evaluation system can serve to separate 
access to privileged and confidential patient safety work product from 
employees that have no need for patient safety work product. 
Documentation can serve to limit access by non-essential employees. By 
limiting who may access patient safety work product, a provider may 
reduce its exposure to the risks of inappropriate disclosures.
    Given all of the benefits, documentation of a patient safety 
evaluation system would be a prudent business practice. Moreover, as 
part of our enforcement program, we would expect entities to be 
following sound business practices in maintaining adequate 
documentation regarding their patient safety evaluation systems to 
demonstrate their compliance with the confidentiality provisions. 
Absent this type of documentation, it may be difficult for entities to 
satisfy the Secretary that they have met and are in compliance with 
their confidentiality obligations. While we believe it is a sound and 
prudent business practice, we have not required a patient safety 
evaluation system to be documented, and we do not believe it is 
required by the Patient Safety Act. We seek comment as to these issues.
    Patient Safety Organization (PSO) would mean a private or public 
entity or component thereof that is listed as a PSO by the Secretary in 
accordance with proposed Sec.  3.102.
    Patient Safety Work Product is a defined term in the Patient Safety 
Act that identifies the information to which the privilege and 
confidentiality protections apply. This proposed rule imports the 
statutory definition of patient safety work product specifically for 
the purpose of implementing the confidentiality protections under the 
Patient Safety Act. The proposed rule provides that, with certain 
exceptions, patient safety work product would mean any data, reports, 
records, memoranda, analyses (such as root cause analyses), or written 
or oral statements (or copies of any of this material) (A) which could 
result in improved patient safety, health care quality, or health care 
outcomes and either (i) is assembled or developed by a provider for 
reporting to a PSO and is reported to a PSO; or (ii) is developed by a 
PSO for the conduct of patient safety activities; or (B) which 
identifies or constitutes the deliberations or analysis of, or 
identifies the fact of reporting pursuant to, a patient safety 
evaluation system. The proposed rule excludes from patient safety work 
product a patient's original medical record, billing and discharge 
information, or any other original patient or provider information and 
any information that is collected, maintained, or developed separately, 
or exists separately, from a patient safety evaluation system. Such 
separate information or a copy thereof reported to a PSO does not by 
reason of its reporting become patient safety work product. The 
separately collected and maintained information remains available, for 
example, for public health reporting or disclosures pursuant to court 
order. The information contained in a provider's or PSO's patient 
safety evaluation system is protected, would be privileged and 
confidential, and may not be disclosed absent a statutory or regulatory 
permission.

[[Page 8121]]

    What can become patient safety work product. The definition of 
patient safety work product lists the types of information that are 
likely to be exchanged between a provider and PSO to generate patient 
safety work product: ``Any data, reports, records, memoranda, analyses 
(such as root cause analyses), or written or oral statements'' 
(collectively referred to below as ``information'' for brevity). 
Congress intended the fostering of robust patient safety evaluation 
systems for exchanges between providers and PSOs. We expect this 
expansive list will maximize provider flexibility in operating its 
patient safety evaluation system by enabling the broadest possible 
incorporation and protection of information by providers and PSOs.
    In addition, information must be collected or developed for the 
purpose of reporting to a PSO. Records collected or developed for a 
purpose other than for reporting to a PSO, such as to support internal 
risk management activities or to fulfill external reporting 
obligations, cannot become patient safety work product. However, copies 
of information collected for another purpose may become patient safety 
work product if, for example, the copies are made for the purpose of 
reporting to a PSO. This issue is discussed more fully below regarding 
information that cannot become patient safety work product.
    When information is reported by a provider to a PSO or when a PSO 
develops information for patient safety activities, the definition 
assumes that the protections apply to information that ``could result 
in improved patient safety, health care quality, or health care 
outcomes.'' This phrase imposes few practical limits on the type of 
information that can be protected since a broad range of clinical and 
non-clinical factors could have a beneficial impact on the safety, 
quality, or outcomes of patient care. Because the Patient Safety Act 
does not impose a narrow limitation, such as requiring information to 
relate solely, for example, to particular adverse or ``sentinel'' 
incidents or even to the safety of patient care, we conclude Congress 
intended providers to be able to cast a broad net in their data 
gathering and analytic efforts to identify causal factors or 
relationships that might impact patient safety, quality and outcomes. 
In addition, we note that the phrase ``could result in improved'' 
requires only potential utility, not proven utility, thereby allowing 
more information to become patient safety work product.
    How information becomes patient safety work product. Paragraphs 
(1)(i)(A), (1)(i)(B), and (1)(ii) of the proposed regulatory definition 
indicate three ways for information to become patient safety work 
product and therefore subject to the confidentiality and privilege 
protections of the Patient Safety Act.
    Information assembled or developed and reported by providers. By 
law and as set forth in our proposal, information that is assembled or 
developed by a provider for the purpose of reporting to a PSO and is 
reported to a PSO is patient safety work product. Section 
921(7)(A)(i)(I) of the Public Health Service Act, 42 U.S.C. 299b-
21(7)(A)(i)(I).
    As noted, to become patient safety work product under this section 
of the definition, information must be reported by a provider to a PSO. 
For purposes of paragraph (1)(i)(A) of this definition, ``reporting'' 
generally means the actual transmission or transfer of information, as 
described above, to a PSO. We recognize, however, that requiring the 
transmission of every piece of paper or electronic file to a PSO could 
impose significant transmission, management, and storage burdens on 
providers and PSOs. In many cases, providers engaged in their own 
investigations may desire to avoid continued transmission of additional 
related information as its work proceeds.
    To alleviate the burden of reporting every piece of information 
assembled by a provider related to a particular patient safety event, 
we are interested in public comment regarding an alternative for 
providers that have established relationships with PSOs. We note that 
the reporting and generation of patient safety work product does not 
require a contract or any other relationship for a PSO to receive 
reports from a provider, for a PSO to examine patient safety work 
product, or for a PSO to provide feedback to a provider based upon the 
examination of reported information. Nonetheless, we anticipate that 
providers who are committed to patient safety improvements will 
establish a contractual or similar relationship with a PSO to report 
and receive feedback about patient safety incidents and adverse events. 
Such a contract or relationship would provide a basis to allow 
providers and PSOs to establish customized alternative arrangements for 
reporting.
    For providers that have established contracts with PSOs for the 
review and receipt of patient safety work product, we seek comment on 
whether a provider should be able to ``report'' to the PSO by providing 
its contracted PSO access to any information it intends to report 
(i.e., ``functional reporting''). For example, a provider and a PSO may 
establish, by contract, that information put into a database shared by 
the provider and the PSO is sufficient to report information to the PSO 
in lieu of the actual transmission requirement. We believe that 
functional reporting would be a valuable mechanism for the efficient 
reporting of information from a provider to a PSO. We are seeking 
public comment about what terms and conditions may be necessary to 
provide access to a PSO to be recognized as functional reporting. We 
also seek comment about whether this type of functional reporting 
arrangement should only be available for subsequent related information 
once an initial report on a specific topic or incident has been 
transmitted to a PSO.
    We do not intend a PSO to have an unfettered right of access to any 
provider information. Providers and PSOs are free to engage in 
alternative reporting arrangements under the proposed rule, and we 
solicit comments on the appropriate lines to be drawn around the 
arrangements that should be recognized under the proposed rule. 
However, our proposals should not be construed to suggest or propose 
that a PSO has a superior right to access information held by a 
provider based upon a reporting relationship. If a PSO believes 
information reported by a provider is insufficient, a PSO is free to 
request additional information from a provider or to indicate 
appropriate limitations to the conclusions or analyses based on 
insufficient or incomplete information.
    We seek public comment on two additional aspects regarding the 
timing of the obligation of a provider to report to a PSO in order for 
information to become protected patient safety work product and for the 
confidentiality protections to attach. The first issue relates to the 
timing between assembly or development of information for reporting and 
actual reporting under the proposed definition of patient safety work 
product. As currently proposed, information assembled or developed by a 
provider is not protected until the moment it is reported, (i.e., 
transmitted or transferred to a PSO). We are considering whether there 
is a need for a short period of protection for information assembled 
but not yet reported. We note that in such situations, a provider 
creates and operates a patient safety evaluation system. (See 
discussion of the definition of patient safety evaluation system at 
proposed Sec.  3.20.) We further note that even without such short 
period of

[[Page 8122]]

protection, information assembled or developed by a provider but not 
yet reported may be subject to other protections in the proposed rule 
(e.g., see section 921(7)(A)(ii) of the Public Health Service Act, 42 
U.S.C. 299b-21(7)(A)(ii)).
    Our intent is not to relieve the provider of the statutory 
requirement for reporting pursuant to section 921(7)(A)(i) of the 
Public Health Service Act, 42 U.S.C. 299b-21(7)(A)(i), but to extend to 
providers flexibility to efficiently transmit or transfer information 
to a PSO for protection. A short period of protection for information 
assembled but not yet reported could result in greater operational 
efficiency for a provider by allowing information to be compiled and 
reported to a PSO in batches. It could also alleviate the uncertainty 
regarding the status of information that is assembled, but not yet 
reported for administrative reasons. If we do address this issue in the 
final rule, we seek input on the appropriate time period for such 
protection and whether a provider must demonstrate an intent to report 
in order to obtain protections. If we do not address this issue in the 
final rule, such information held by a provider would not be 
confidential until it is actually transmitted to a PSO under this prong 
of the definition of patient safety work product.
    Second, for information to become patient safety work product under 
this prong of the definition, it must be assembled or developed for the 
purpose of reporting to a PSO and actually reported. We solicit comment 
on the point in time at which it can be established that information is 
being collected for the purpose of reporting to a PSO such that it is 
not excluded from the definition of patient safety work product as a 
consequence of it being collected, maintained or developed separately 
from a patient safety evaluation system. See section 921(7)(B)(ii) of 
the Public Health Service Act, 42 U.S.C. 299b-21(7)(B)(ii). To assemble 
information with the purpose of reporting to a PSO, a PSO must 
potentially exist, and thus, we believe that collection efforts cannot 
predate the passage of the Patient Safety Act on July 29, 2005.
    Information that is developed by a PSO for the conduct of patient 
safety activities. By law and as set forth in our proposal, information 
that is developed by a PSO for patient safety activities is patient 
safety work product. Section 921(7)(A)(i)(II) of the Public Health 
Service Act, 42 U.S.C. 299b-21(7)(A)(i)(II). This section of the 
definition does not address information discussed in the previous 
section that is assembled or developed by a provider and is reported to 
a PSO which becomes patient safety work product under that section. 
Rather, this section addresses other information that a PSO collects 
for development from third parties, non-providers and other PSOs for 
patient safety activities.
    For example, a PSO may be asked to assist a provider in analyzing a 
complex adverse event that took place. The initial information from the 
provider is protected because it was reported. If the PSO determines 
that the information is insufficient and conducts interviews with 
affected patients or collects additional data, that information is an 
example of the type of information that would be protected under this 
section of the definition. Even if the PSO ultimately decided not to 
analyze such information, the fact that the PSO collected and evaluated 
the information is a form of ``development'' transforming the 
information into patient safety work product. Such patient safety work 
product would be subject to confidentiality protections, and thus, the 
PSO would need safe disposal methods for any such information in 
accordance with its confidentiality obligations.
    Information that constitutes the deliberations or analysis of, or 
identifies the fact of reporting pursuant to, a patient safety 
evaluation system. By law and as set forth in our proposal, information 
that constitutes the deliberations or analysis of, or identifies the 
fact of reporting pursuant to, a patient safety evaluation system is 
patient safety work product. Section 921(7)(A)(ii) of the Public Health 
Service Act, 42 U.S.C. 299b-21(7)(A)(ii). This provision extends 
patient safety work product protections to any information that would 
identify the fact of reporting pursuant to a patient safety evaluation 
system or that constitutes the deliberations or analyses that take 
place within such a system. The fact of reporting through a patient 
safety evaluation system (e.g., a fax cover sheet, an e-mail 
transmitting data, and an oral transmission of information to a PSO) is 
patient safety work product.
    With regard to providers, deliberations and analyses are protected 
while they are occurring provided they are done within a patient safety 
evaluation system. We are proposing that under paragraph (1)(ii) of 
this definition, any ``deliberations or analysis'' performed within the 
patient safety evaluation system becomes patient safety work product. 
In other words, to determine whether protections apply, the primary 
question is whether a patient safety evaluation system, which by law 
and as set forth in this proposed rule, is the collection, management, 
or analysis of information for reporting to a PSO, was in existence at 
the time of the deliberations and analysis.
    To determine whether a provider had a patient safety evaluation 
system at the time that the deliberations or analysis took place, we 
propose to consider whether a provider had certain indicia of a patient 
safety evaluation system, such as the following: (1) The provider has a 
contract with a PSO for the receipt and review of patient safety work 
product that is in effect at the time of the deliberations and 
analysis; (2) the provider has documentation for a patient safety 
evaluation system demonstrating the capacity to report to a PSO at the 
time of the deliberations and analysis; (3) the provider had reported 
information to the PSO either under paragraph (1)(i)(A) of the proposed 
definition of patient safety work product or with respect to 
deliberations and analysis; or (4) the provider has actually reported 
the underlying information that was the basis of the deliberations or 
analysis to a PSO. For example, if a provider claimed protection for 
information as the deliberation of a patient safety evaluation system, 
and had a contract with the PSO at the time the deliberations took 
place, it would be reasonable to believe that the deliberations and 
analysis were related to the provider's PSO reporting activities. This 
is not an exclusive list. We note therefore that a provider may still 
be able to show that information was patient safety work product using 
other indications.
    We note that the statutory protections for deliberations and 
analysis in a patient safety evaluation system apply without regard to 
the status of the underlying information being considered (i.e., it 
does not matter whether the underlying information being considered is 
patient safety work product or not). A provider can fully protect 
internal deliberations in its patient safety evaluation system over 
whether to report information to a PSO. The deliberations and analysis 
are protected, whether the provider chooses to report the underlying 
information to a PSO or not. However, the underlying information, 
separate and apart from the analysis or deliberation, becomes protected 
only when reported to a PSO. See section 921(7)(A)(i)(1) of the Public 
Health Service Act, 42 U.S.C. 299b-21(7)(A)(i)(1).
    To illustrate, consider a hospital that is reviewing a list of all 
near-misses

[[Page 8123]]

reported within the past 30 days. The purpose of the hospital's review 
is to analyze whether to report any or part of the list to a PSO. The 
analyses (or any deliberations the provider undertakes) are fully 
protected whether the provider reports any near-misses or not. The 
status of the near-misses list does not change because the 
deliberations took place. The fact that the provider deliberated over 
reporting the list does not constitute reporting and does not change 
the protected status of the list. Separate and apart from the analysis, 
this list of near misses is not protected unless it is reported. By 
contrast, this provision fully protects the provider's deliberations 
and analyses in its patient safety evaluation system regarding the 
list.
    Delisting. In the event that a PSO is delisted for cause under 
proposed Sec.  3.108(b)(1), a provider may continue to report to that 
PSO for 30 days after the delisting and the reported information will 
be patient safety work product. Section 924(f)(1) of the Public Health 
Service Act, 42 U.S.C. 299b-24(f)(1). Information reported to a 
delisted PSO after the 30-day period will not be patient safety work 
product. However, after a PSO is delisted, the delisted entity may not 
continue to generate patient safety work product by developing 
information for the conduct of patient safety activities or through 
deliberations and analysis of information. Any patient safety work 
product held or generated by a PSO prior to its delisting remains 
protected even after the PSO is delisted. See discussion in the 
preamble regarding proposed Sec.  3.108(b)(2) for more information.
    We note that proposed Sec.  3.108(c) outlines the process for 
delisting based upon an entity's voluntary relinquishment of its PSO 
listing. As we discuss in the accompanying preamble, we tentatively 
conclude that the statutory provision for a 30-day period of continued 
protection does not apply after delisting due to voluntary 
relinquishment.
    Even though a PSO may not generate new patient safety work product 
after delisting, it may still have in its possession patient safety 
work product, which it must keep confidential. The statute establishes 
requirements, incorporated in proposed Sec.  3.108(b)(2) and (b)(3), 
that a PSO delisted for cause must meet regarding notification of 
providers and disposition of patient safety work product. We propose in 
Sec.  3.108(c) to implement similar notification and disposition 
measures for a PSO that voluntarily relinquishes its listing. For 
further discussion of the obligations of a delisted PSO, see proposed 
Sec.  3.108(b)(2), (b)(3), and (c).
    What is not patient safety work product. By law, and as set forth 
in this proposed rule, patient safety work product does not include a 
patient's original medical record, billing and discharge information, 
or any other original patient or provider record; nor does it include 
information that is collected, maintained, or developed separately or 
exists separately from, a patient safety evaluation system. Such 
separate information or a copy thereof reported to a PSO shall not by 
reason of its reporting be considered patient safety work product.
    The specific examples cited in the Patient Safety Act of what is 
not patient safety work product--the patient's original medical record, 
billing and discharge information, or any other original patient 
record--are illustrative of the types of information that providers 
routinely assemble, develop, or maintain for purposes and obligations 
other than those of the Patient Safety Act. The Patient Safety Act also 
states that information that is collected, maintained, or developed 
separately, or exists separately from a patient safety evaluation 
system, is not patient safety work product. Therefore, if records are 
collected, maintained, or developed for a purpose other than for 
reporting to a PSO, those records cannot be patient safety work 
product. However, if, for example, a copy of such record is made for 
reporting to a PSO, the copy and the fact of reporting become patient 
safety work product. Thus, a provider could collect incident reports 
for internal quality assurance purposes, and later, determine that one 
incident report is relevant to a broader patient safety activity. If 
the provider then reports a copy of the incident report to a PSO, the 
copy of the incident report received by the PSO is protected as is the 
copy of the incident report as reported to the PSO that is maintained 
by the provider, while the original incident report collected for 
internal quality assurance purposes is not protected.
    The proposed rule sets forth the statutory rule of construction 
that prohibits construing anything in this Part from limiting (1) the 
discovery of or admissibility of information that is not patient safety 
work product in a criminal, civil, or administrative proceeding; (2) 
the reporting of information that is not patient safety work product to 
a Federal, State, or local governmental agency for public health 
surveillance, investigation, or other public health purposes or health 
oversight purposes; or (3) a provider's recordkeeping obligation with 
respect to information that is not patient safety work product under 
Federal, State or local law. Section 921(7)(B)(iii) of the Public 
Health Service Act, 42 U.S.C. 299b-21(7)(B)(iii). Even when laws or 
regulations require the reporting of the information regarding the type 
of events also reported to PSOs, the Patient Safety Act does not shield 
providers from their obligation to comply with such requirements.
    As the Patient Safety Act states more than once, these external 
obligations must be met with information that is not patient safety 
work product, and, in accordance with the confidentiality provisions, 
patient safety work product cannot be disclosed for these purposes. We 
note that the Patient Safety Act clarifies that nothing in this Part 
prohibits any person from conducting additional analyses for any 
purpose regardless of whether such additional analysis involves issues 
identical to or similar to those for which information was reported to 
or assessed by a PSO or a patient safety evaluation system. Section 
922(h) of the Public Health Service Act, 42 U.S.C. 299b-22(h). A copy 
of information generated for such purposes may be entered into the 
provider's patient safety evaluation system for patient safety purposes 
although the originals of the information generated to meet external 
obligations do not become patient safety work product.
    Thus, information that is collected to comply with external 
obligations is not patient safety work product. Such activities may 
include: State incident reporting requirements; adverse drug event 
information reporting to the Food and Drug Administration (FDA); 
certification or licensing records for compliance with health oversight 
agency requirements; reporting to the National Practitioner Data Bank 
of physician disciplinary actions; or complying with required 
disclosures by particular providers or suppliers pursuant to Medicare's 
conditions of participation or conditions of coverage. In addition, the 
proposed rule does not change the law with respect to an employee's 
ability to file a complaint with Federal or State authorities regarding 
quality of care, or with respect to any prohibition on a provider's 
threatening or carrying out retaliation against an individual for doing 
so; the filing of any such complaint would not be deemed to be a 
violation of the Patient Safety Act, unless patient safety work product 
was improperly disclosed in such filing.
    Health Care Oversight Reporting and Patient Safety Work Product. 
The Patient Safety Act establishes a

[[Page 8124]]

protected space or system of protected information in order to allow 
frank discussion about causes and remediation of threats to patient 
safety. As described above, this protected system is separate, 
distinct, and resides alongside but does not replace other information 
collection activities mandated by laws, regulations, and accrediting 
and licensing requirements as well as voluntary reporting activities 
that occur for the purpose of maintaining accountability in the health 
care system. Information collection activities performed by the 
provider for purposes other than for reporting to a PSO by itself do 
not create patient safety work product. In anticipation of questions 
about how mandatory and voluntary reporting will continue to be 
possible, a brief explanation may be helpful regarding how this new 
patient safety framework would operate in relation to health care 
oversight activities (e.g., public health reporting, corrective 
actions, etc.).
    Situations may occur when the original (whether print or 
electronic) of information that is not patient safety work product is 
needed for a disclosure outside of the entity but cannot be located 
while a copy of the needed information resides in the patient safety 
evaluation system. If the reason for which the original information is 
being sought does not align with one of the permissible disclosures, 
discussed in proposed Subpart C, the protected copy may not be 
released. Nevertheless, this does not preclude efforts to reconstruct 
the information outside of the patient safety evaluation system from 
information that is not patient safety work product. Those who 
participated in the collection, development, analysis, or review of the 
missing information or have knowledge of its contents can fully 
disclose what they know or reconstruct an analysis outside of the 
patient safety evaluation system.
    The issue of how effectively a provider has instituted corrective 
action following identification of a threat to the quality or safety of 
patient care might lead to requests for information from external 
authorities. The Patient Safety Act does not relieve a provider of its 
responsibility to respond to such requests for information or to 
undertake or provide to external authorities evaluations of the 
effectiveness of corrective action, but the provider must respond with 
information that is not patient safety work product.
    To illustrate the distinction, consider the following example. We 
would expect that a provider's patient safety evaluation system or a 
PSO with which the provider works may make recommendations from time to 
time to the provider for changes it should make in the way it manages 
and delivers health care. The list of recommendations for changes, 
whether they originate from the provider's patient safety evaluation 
system or the PSO with which it is working, are always patient safety 
work product. We would also note that not all of these recommendations 
will address corrective actions (i.e., correcting a process, policy, or 
situation that poses a threat to patients). It is also possible that a 
provider with an exemplary quality and safety record is seeking advice 
on how to perform even better. Whatever the case, the feedback from the 
provider's patient safety evaluation system or PSO may not be disclosed 
to external authorities unless permitted by the disclosures specified 
in Subpart C of this proposed rule.
    The provider may choose to reject the recommendations it receives 
or implement some or all of the proposed changes. While the 
recommendations always remain protected, whether they are adopted or 
rejected by a provider, the actual changes that the provider implements 
to improve how it manages or delivers health care services (including 
changes in its organizational management or its care environments, 
structures, and processes) are not patient safety work product. In a 
practical sense, it would be virtually impossible to keep such changes 
confidential in any event, and we stress that if there is any 
distinction between the change that was adopted and the recommendation 
that the provider received, the provider can only describe the change 
that was implemented. The recommendation remains protected. Thus, if 
external authorities request a list of corrective actions that a 
provider has implemented, the provider has no basis for refusing the 
request. Even though the actions are based on protected information, 
the corrective actions themselves are not patient safety work product. 
On the other hand, if an external authority asks for a list of the 
recommendations that the provider did not implement or whether and how 
any implemented change differed from the recommendation the provider 
received, the provider must refuse the request; the recommendations 
themselves remain protected.
    Person would mean a natural person, trust or estate, partnership, 
corporation, professional association or corporation, or other entity, 
public or private. We propose to define ``person'' because the Patient 
Safety Act requires that civil money penalties be imposed against 
``person[s]'' that violate the confidentiality provisions. However, the 
Patient Safety Act does not provide a definition of ``person''. The 
Definition Act at 1 U.S.C. 1 provides, ``in determining any Act of 
Congress, unless the context indicates otherwise * * * the words 
`person' and `whoever' include corporations, companies, associations, 
firms, partnerships, societies, and joint stock companies, as well as 
individuals'' (emphasis added). The Patient Safety Act indicates that 
States and other government entities may hold patient safety work 
product with the protections and liabilities attached, which is an 
expansion of the Definition Act provision. For this reason, we propose 
the broader definition of the term ``person''. We note that this 
proposed approach is consistent with the HHS Office of Inspector 
General (OIG) regulations, 42 CFR 1003.101, and the HIPAA Enforcement 
Rule, 45 CFR 160.103.
    Provider would mean any individual or entity licensed or otherwise 
authorized under State law to provide health care services. The list of 
specific providers in the proposed rule includes the following: 
institutional providers, such as a hospital, nursing facility, 
comprehensive outpatient rehabilitation facility, home health agency, 
hospice program, renal dialysis facility, ambulatory surgical center, 
pharmacy, physician or health care practitioner's office (including a 
group practice), long term care facility, behavior health residential 
treatment facility, clinical laboratory, or health center; or 
individual clinicians, such as a physician, physician assistant, 
registered nurse, nurse practitioner, clinical nurse specialist, 
certified registered nurse anesthetist, certified nurse midwife, 
psychologist, certified social worker, registered dietitian or 
nutrition professional, physical or occupational therapist, pharmacist, 
or other individual health care practitioner. This list is merely 
illustrative; an individual or entity that is not listed here but meets 
the test of state licensure or authorization to provide health care 
services is a provider for the purpose of this proposed rule.
    The statute also authorizes the Secretary to expand the definition 
of providers. Under this authority, we propose to add the following to 
this list of providers:
    (a) Agencies, organizations, and individuals within Federal, State, 
local, or Tribal governments that deliver health care, organizations 
engaged as contractors by the Federal, State, local or Tribal 
governments to deliver health care, and individual health care

[[Page 8125]]

practitioners employed or engaged as contractors by the Federal 
government to deliver health care. It appears that all of these 
agencies, organizations, and individuals could participate in, and 
could benefit from, working with a PSO.
    (b) A corporate parent organization for one or more entities 
licensed or otherwise authorized to provide health care services under 
state law. Without this addition, hospital or other provider systems 
that are controlled by a parent organization that is not recognized as 
a provider under State law might be precluded from entering into 
system-wide contracts with PSOs. This addition furthers the goals of 
the statute to encourage aggregation of patient safety data and a 
coordinated approach for assessing and improving patient safety. We 
particularly seek comments regarding any concerns or operational issues 
that might result from this addition, and note that a PSO entering one 
system-wide contract still needs to meet the two contract minimum 
requirement based on section 924(b)(1)(C) of the Public Health Service 
Act, 42 U.S.C. 299b-24(b)(1)(C), and set out and discussed in proposed 
Sec.  3.102(b). The PSO can do this by entering into two contracts with 
different providers within the system.
    (c) A Federal, State, local, or Tribal government unit that manages 
or controls one or more health care providers described in the 
definition of provider at (1)(i) and (2). We propose this addition to 
the definition of ``provider'' for the same reason that we proposed the 
addition of parent organization that has a controlling interest in one 
or more entities licensed or otherwise authorized to provide health 
care services under state law.
    Research would have the same meaning as that term is defined in the 
HIPAA Privacy Rule at 45 CFR 164.501. In the HIPAA Privacy Rule, 
research means a systematic investigation, including research 
development, testing, and evaluation, designed to develop or contribute 
to generalizable knowledge. This definition is used to describe the 
scope of the confidentiality exception at proposed Sec.  3.206(b)(6). 
We propose to use the same definition as in the HIPAA Privacy Rule to 
improve the level of coordination and to reduce the burden of 
compliance. At the same time, if there is a modification to the 
definition in the HIPAA Privacy Rule, the definition herein will 
automatically change with such regulatory action.
    Respondent would mean a provider, PSO, or responsible person who is 
the subject of a complaint or a compliance review.
    Responsible person would mean a person, other than a provider or 
PSO, who has possession or custody of identifiable patient safety work 
product and is subject to the confidentiality provisions. We note that 
because the Patient Safety Act has continued confidentiality protection 
at 42 U.S.C. 299b-22(d), many entities other than providers and PSOs 
may be subject to the confidentiality provisions. Thus, for example, 
researchers or law enforcement officials who obtain patient safety work 
product under one of the exceptions to confidentiality would be 
considered a ``responsible person''.
    Workforce would mean employees, volunteers, trainees, contractors, 
and other persons whose conduct, in the performance of work for a 
provider, PSO or responsible person, is under the direct control of 
such provider, PSO or responsible person, whether or not they are paid 
by the provider, PSO or responsible person. We use the term workforce 
member in several contexts in the proposed rule. Importantly, in 
proposed Sec.  3.402 where we discuss principal liability, we propose 
that an agent for which a principal may be liable can be a workforce 
member. We have included the term ``contractors'' in the definition of 
workforce member to clarify that such permitted sharing may occur with 
contractors who are under the direct control of the provider, PSO, or 
responsible person. For example, a patient safety activity disclosure 
by a provider to a PSO may be made directly to the PSO or to a 
consultant, as a workforce member, contracted by the PSO to help it 
carry out patient safety activities.

B. Subpart B--PSO Requirements and Agency Procedures

    Proposed Subpart (B) sets forth requirements for Patient Safety 
Organizations (PSOs). This proposed Subpart specifies the certification 
and notification requirements that PSOs must meet, the actions that the 
Secretary may and will take relating to PSOs, the requirements that 
PSOs must meet for the security of patient safety work product, the 
processes governing correction of PSO deficiencies, revocation, and 
voluntary relinquishment, and related administrative authorities and 
implementation responsibilities. The requirements of this proposed 
Subpart would apply to PSOs, their workforce, a PSO's contractors when 
they hold patient safety work product, and the Secretary.
    This proposed Subpart is intended to provide the foundation for 
new, voluntary opportunities to improve the safety, quality, and 
outcomes of patient care. The Patient Safety Act does not require a 
provider to contract with a PSO, and the proposed rule does not include 
such a requirement. However, we expect that most providers will enter 
into contracts with PSOs when seeking the confidentiality and privilege 
protections of the statute. Contracts offer providers greater certainty 
that a provider's claim to these statutory protections will be 
sustained, if challenged. For example, the statutory definition of 
patient safety work product describes the nature and purpose of 
information that can be protected, the circumstances under which 
deliberations or analyses are protected, and the requirement that 
certain information be reported to a PSO. Pursuant to a contractual 
arrangement, providers can require and receive assistance from PSOs to 
ensure that these requirements are fully met. Contracts can provide 
clear evidence that a provider is taking all reasonable measures to 
operate under the ambit of the statute in collecting, developing, and 
maintaining patient safety work product. Contracts enable providers to 
specify even stronger confidentiality protections in how they report 
information to a PSO or how the PSO handles and uses the information.
    Contracts can also give providers greater assurance that they will 
have access to the expertise of the PSO to provide feedback regarding 
their patient safety events. While some providers may have patient 
safety expertise in-house, a PSO has the potential to offer providers 
considerable additional insight as a result of its expertise and 
ability to aggregate and analyze data from multiple providers and 
multiple PSOs. Experience has demonstrated that such aggregation and 
analysis of large volumes of data, such as a PSO has the ability to do, 
will often yield insights into the underlying causes of the hazards and 
risks associated with patient care that are simply not apparent when 
these analyses are limited to the information available from only one 
office, clinic, facility, or system.
    Pursuant to a contract with a PSO, a provider may also be able to 
obtain from a PSO operational guidance or best practices with respect 
to operation of a patient safety evaluation system. Such a contract 
also provides a mechanism for a provider to control the nature and 
extent of a PSO's aggregation of its data with those of other providers 
or PSOs, and the nature of related analysis and discussion of such 
data. A provider can also require, pursuant to its contract with a PSO, 
that the PSO will notify the provider if improper disclosures are

[[Page 8126]]

made of patient safety work product relating to that provider.
    This proposed Subpart enables a broad variety of health care 
providers to work voluntarily with entities that have certified to the 
Secretary that they have the ability and expertise to carry out broadly 
defined patient safety activities of the Patient Safety Act and, 
therefore, to serve as consultants to eligible providers to improve 
patient care. In accordance with the Patient Safety Act, we propose an 
attestation-based process for initial and continued listing of an 
entity as a PSO. This includes an attestation-based approach for 
meeting the statutory requirement that each PSO, within 24 months of 
being listed and in each sequential 24-month period thereafter, must 
have bona fide contracts with more than one provider for the receipt 
and review of patient safety work product.
    This streamlined approach of the statute and the proposed rule is 
intended to encourage the rapid development of expertise in health care 
improvement. This framework allows the marketplace to be the principal 
arbiter of the capabilities of each PSO. Listing as a PSO by the 
Secretary does not entitle an entity to Federal funding. The financial 
viability of most PSOs will derive from their ability to attract and 
retain contracts with providers or to attract financial support from 
other organizations, such as charitable foundations dedicated to health 
system improvement. Even when a provider organization considers 
establishing a PSO (what this proposed rule terms a component PSO) to 
serve the needs of its organization, we expect it will weigh the value 
of, and the business case for, such a PSO.
    Proposed Subpart B attempts to minimize regulatory burden while 
fostering transparency to enhance the ability of providers to assess 
the strengths and weaknesses of their choice of PSOs. For example, we 
encourage, but do not require, an entity seeking listing to develop and 
post on their own Web sites narrative statements describing the 
expertise of the personnel the entity will have at its disposal, and 
outlining the way it will approach its mission and comply with the 
statute's certification requirements.
    We similarly propose to apply transparency to our implementation of 
the statute's requirement for disclosure by PSOs of potential conflicts 
of interest with their provider clients. While the statute only 
requires public release of the findings of the Secretary after review 
of such disclosures, we propose to make public, consistent with 
applicable law, including the Freedom of Information Act, a PSO's 
disclosure statements as well. In our view, in addition to having the 
benefit of the Secretary's determination, a provider, as the 
prospective consumer of PSO services, should be able to make its own 
determination regarding the appropriateness of the relationships that a 
PSO has with its other provider clients and the impact those 
relationships might have on its particular needs. For example, a 
provider might care if a PSO--despite the Secretary's determination 
that it had been established with sufficient operational and other 
independence to qualify for listing as a PSO--was owned, operated, or 
managed by the provider's major competitor.
    The provisions of this proposed Subpart also emphasize the need for 
vigilance in providing security for patient safety work product. To 
achieve the widespread provider participation intended by this statute, 
PSOs must foster and maintain the confidence of providers in the 
security of patient safety work product in which providers and patients 
are identified. Therefore, we propose to require a security framework, 
which each PSO must address with standards it determines appropriate to 
the size and complexity of its organization, pertaining to the 
separation of data and systems and to security management control, 
monitoring, and assessment.
    The Patient Safety Act recognizes that PSOs will need to enter 
business associate agreements to receive protected health information 
from providers that are covered entities under the HIPAA Privacy Rule. 
As a business associate of such a provider, a PSO will have to meet 
certain contractual requirements on the use and disclosure of protected 
health information for compliance with the HIPAA Privacy Rule that are 
in addition to the requirements set forth in this proposed rule. Those 
requirements include the notification of a covered entity when 
protected health information is inappropriately disclosed in violation 
of the HIPAA Privacy Rule.
    We do not propose to require reporting of impermissible disclosures 
of other patient safety work product that does not contain protected 
health information. We solicit comments on whether to parallel the 
business associate requirements of the HIPAA Privacy Rule. Such a 
requirement, if implemented, would require a PSO to notify the 
organizational source of patient safety work product if the information 
it shared has been impermissibly used or disclosed. Note that such 
reporting requirements could be voluntarily agreed to by contract 
between providers and their PSO.
    Section 924(b)(2)(A) and (B) of the Public Health Service Act, 42 
U.S.C. 299b-24(b)(2)(A) and (B), suggests Congressional concern that a 
strong firewall must be maintained between a component PSO and the rest 
of the organization(s) of which it is a part. This proposed subpart 
proposes specific safeguards that such component PSOs must implement to 
effectively address those concerns.
    As this discussion suggests, in developing this proposed Subpart, 
we have proposed the most specific requirements in the areas of 
security and disclosure of potential conflicts of interest. We expect 
to offer technical assistance and encourage transparency wherever 
possible to promote implementation, compliance, and correction of 
deficiencies. At the same time, this proposed Subpart establishes 
processes that will permit the Secretary promptly to revoke a PSO's 
certification and remove it from listing, if such action proves 
necessary.
1. Proposed Sec.  3.102--Process and Requirements for Initial and 
Continued Listing of PSOs
    Proposed Sec.  3.102 sets out: The submissions that the Department, 
in carrying out its responsibilities, proposes to require, consistent 
with the Patient Safety Act, for initial and continued listing as a 
PSO; the certifications that all entities must make as part of the 
listing process; the additional certifications that component 
organizations must make as part of the listing process; the requirement 
for biennial submission of a certification that the PSO has entered 
into the required number of contracts; and the circumstances under 
which a PSO must submit a disclosure statement regarding the 
relationships it has with its contracting providers.
(A) Proposed Sec.  3.102(a)--Eligibility and Process for Initial and 
Continued Listing
    In this section, we propose to establish a streamlined 
certification process that minimizes barriers to entry for a broad 
variety of entities seeking to be listed as a PSO. With several 
exceptions, any entity--public or private, for-profit or not-for 
profit--may seek initial or continued listing by the Secretary as a 
PSO. The statute precludes a health insurance issuer and a component of 
a health insurance issuer from becoming a PSO (section 924(b)(1)(D) of 
the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(D)).
    In addition, we propose to preclude any other entity, public or 
private, from

[[Page 8127]]

seeking listing as a PSO if the entity conducts regulatory oversight of 
health care providers, including accreditation or licensure. We propose 
this restriction for consistency with the statute, which seeks to 
foster a ``culture of safety'' in which health care providers are 
confident that the patient safety events that they report will be used 
for learning and improvement, not oversight, penalties, or punishment. 
Listing organizations with regulatory authority as PSOs would be likely 
to undermine provider confidence that adequate separation of PSO and 
regulatory activities would be maintained.
    We note that the Patient Safety Act permits a component 
organization of an entity to seek listing as a PSO if the component 
organization establishes a strong firewall between its activities as a 
PSO and the rest of the organization(s) of which it is a part. As 
drafted, this proposed regulation permits a component organization of 
an entity with any degree of regulatory authority to seek listing as a 
component PSO. We have not proposed any restrictions on such component 
organizations for several reasons. First, we expect that the statutory 
requirement for a strong firewall between a component PSO and its 
parent organization(s) with respect to its activities as a PSO and the 
protected information it holds will provide adequate safeguards. 
Second, providers will have access to the names of parent organizations 
of component PSOs. We propose in Sec.  3.102(c) that any component 
organization must disclose the name of its parent organization(s) (see 
the proposed definitions of component and parent organizations in Sec.  
3.20). We intend to make this information publicly available and expect 
to post it on the PSO Web site we plan to establish (see the preamble 
discussion regarding proposed Sec.  3.104(d)). This will provide 
transparency and enable providers to determine whether the 
organizational affiliation(s) of a component PSO are of concern. 
Finally, we believe that allowing the marketplace to determine whether 
a component PSO has acceptable or unacceptable ties to an entity with 
regulatory authority is consistent with our overall approach to 
regulation of PSOs.
    At the same time, we recognize that some organizations exercise a 
considerable level of regulatory oversight over providers and there may 
be concerns that such organizations could circumvent the firewalls 
proposed below in Sec.  3.102(c) or might attempt to require providers 
to work with a component PSO that the regulatory entity creates. 
Accordingly, we specifically seek comment on the approach we have 
proposed and whether we should consider a broader restriction on 
component organizations of entities that are regulatory. For example, 
should components of state health departments be precluded from seeking 
listing because of the broad authority of such departments to regulate 
provider behavior? If a broader restriction is proposed, we would 
especially welcome suggestions on clear, unambiguous criteria for its 
implementation.
    We will develop certification forms for entities seeking initial 
and continued listing that contain or restate the respective 
certifications described in proposed Sec.  3.102(b) and Sec.  3.102(c). 
An individual with authority to make commitments on behalf of the 
entity seeking listing would be required to acknowledge each of the 
certification requirements, attest that the entity meets each of the 
certification requirements on the form, and provide contact information 
for the entity. The certification form would also require an 
attestation that the entity is not subject to the limitation on listing 
proposed in this subsection and an attestation that, once listed as a 
PSO, it will notify the Secretary if it is no longer able to meet the 
requirements of proposed Sec.  3.102(b) and Sec.  3.102(c).
    To facilitate the development of a marketplace for the services of 
PSOs, entities are encouraged, but not required, to develop and post on 
their own Web sites narratives that specify how the entity will 
approach its mission, how it will comply with the certification 
requirements, and describe the qualifications of the entity's 
personnel. With appropriate disclaimers of any implied endorsement, we 
expect to post citations or links to the Web sites of all listed 
entities on the PSO Web site that we plan to establish pursuant to 
proposed Sec.  3.104(d). We believe that clear narratives of how PSOs 
will meet their statutory and regulatory responsibilities will help 
providers, who are seeking the services of a PSO, to assess their 
options. The Department's PSO Web site address will be identified in 
the final rule and will be available from AHRQ upon request.
(B) Proposed Sec.  3.102(b)--Fifteen General Certification Requirements
    In accordance with section 924(a) of the Public Health Service Act, 
42 U.S.C. 299b-24(a), the proposed rule would require all entities 
seeking initial or continued listing as a PSO to meet 15 general 
certification requirements: eight requirements related to patient 
safety activities and seven criteria governing their operation. At 
initial listing, the entity would be required to certify that it has 
policies and procedures in place to carry out the eight patient safety 
activities defined in the Patient Safety Act and incorporated in 
proposed Sec.  3.20, and upon listing, would meet the seven criteria 
specified in proposed Sec.  3.102 (b)(2). Submissions for continued 
listing would require certifications that the PSO is performing, and 
will continue to perform, the eight patient safety activities and is 
complying with, and would continue to comply with, the seven criteria.
(1) Proposed Sec.  3.102(b)(1)--Required Certification Regarding Eight 
Patient Safety Activities
    Proposed Sec.  3.102(b)(1) addresses the eight required patient 
safety activities that are listed in the definition of patient safety 
activities at proposed Sec.  3.20 (section 921(5) of the Public Health 
Service Act, 42 U.S.C. 299b-21(5)). Because certification relies 
primarily upon attestations by entities seeking listing, rather than 
submission and review of documentation, it is critical that entities 
seeking listing have a common and shared understanding of what each 
certification requirement entails. We conclude that five of the eight 
required patient safety activities need no elaboration. These five 
patient safety activities include: Efforts to improve patient safety 
and quality; the collection and analysis of patient safety work 
product; the development and dissemination of information with respect 
to improving patient safety; the utilization of patient safety work 
product for the purposes of encouraging a culture of safety and 
providing feedback and assistance; and the utilization of qualified 
staff.
    We address a sixth patient safety activity, related to the 
operation of a patient safety evaluation system, in the discussion of 
the definition of that term in proposed Sec.  3.20. We provide greater 
clarity here regarding the actions that an entity must take to comply 
with the remaining two patient safety activities, which involve the 
preservation of confidentiality of patient safety work product and the 
provision of appropriate security measures for patient safety work 
product.
    We interpret the certification to preserve confidentiality of 
patient safety work product to require conformance with the 
confidentiality provisions of proposed Subpart C as well as the 
requirements of the Patient Safety Act. Certification to provide 
appropriate security measures require PSOs, their workforce members, 
and their

[[Page 8128]]

contractors when they hold patient safety work product to conform to 
the requirements of proposed Sec.  3.106, as well as the provisions of 
the Patient Safety Act.
(2) Proposed Sec.  3.102(b)(2)--Required Certification Regarding Seven 
PSO Criteria
    Proposed Sec.  3.102(b)(2) lists seven criteria that are drawn from 
the Patient Safety Act (section 924(b) of the Public Health Service 
Act, 42 U.S.C. 299b-24(b)), which an entity must meet during its period 
of listing. We conclude that the statutory language for three of the 
seven required criteria is clear and further elaboration is not 
required. These three criteria include: The mission and primary 
activity of the entity is patient safety, the entity has appropriately 
qualified staff, and the entity utilizes patient safety work product 
for provision of direct feedback and assistance to providers to 
effectively minimize patient risk.
    Two of the criteria are addressed elsewhere in the proposed rule: 
the exclusion of health insurance issuer or components of health 
insurance issuers from being PSOs is discussed above in the context of 
the definition of that term in proposed Sec.  3.20 and the requirements 
for submitting disclosure statements are addressed in the preamble 
discussion below regarding proposed Sec.  3.102(d)(2) (the proposed 
criteria against which the Secretary will review the disclosure 
statements are set forth in Sec.  3.104(c)). The remaining two PSO 
criteria--the minimum contract requirement and the collection of data 
in a standardized manner--are discussed here.
    The Minimum Contracts Requirement. First, we propose to clarify the 
requirement in section 924(b)(1)(C) of the Public Health Service Act, 
42 U.S.C. 299b-24(b)(1)(C) that a PSO must enter into bona fide 
contracts with more than one provider for the receipt and review of 
patient safety work product within every 24-month period after the 
PSO's initial date of listing.
    We note that the statutory language establishes four conditions 
that must be met for a PSO to be in compliance with this requirement. 
We propose to interpret two of them for purposes of clarity in the 
final rule: (1) The PSO must have contracts with more than one 
provider, and (2) the contract period must be for ``a reasonable period 
of time.'' Most contracts will easily meet the third requirement: that 
contracts must be ``bona fide'' (our definition is in proposed Sec.  
3.20). Finally, the fourth requirement, that contracts must involve the 
receipt and review of patient safety work product, does not require 
elaboration.
    We propose that a PSO would meet the requirement for ``contracts 
with more than one provider'' if it enters a minimum of two contracts 
within each 24-month period that begins with its initial date of 
listing. We note that the statutory requirement in section 924(b)(1)(C) 
of the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(C), 
unambiguously requires multiple contracts (i.e., more than one). One 
contract with two or more providers would not fully meet the statute's 
requirement. To illustrate, one contract with a 50-hospital system 
would not meet the requirement; two 25-hospital contracts with that 
same hospital system would meet the requirement. We believe that the 
statutory requirement was intended to encourage PSOs to aggregate data 
from multiple providers, in order to expand the volume of their data, 
thereby improving the basis on which patterns of errors and the causes 
for those errors can be identified. This statutory objective is worth 
noting as a goal for PSOs. A PSO can achieve this goal by aggregating 
data from multiple providers or by pooling or comparing data with other 
PSOs, subject to statutory, regulatory, and contractual limitations.
    The statute requires that these contracts must be ``for a 
reasonable period of time.'' We propose to clarify in the final rule 
when a PSO would be in compliance with this statutory requirement. The 
approach could be time-based (e.g., a specific number of months), task-
based (e.g., the contract duration is linked to completion of specific 
tasks but, under this option, the final rule would not set a specific 
time period), or provide both options. We seek comments on the 
operational implications of these alternative approaches and the 
specific standard(s) for each option that we should consider. By 
establishing standard(s) in the final rule, we intend to create 
certainty for contracting providers and PSOs as to whether the duration 
requirement has been met. We note that whatever requirement is 
incorporated in the final rule will apply only to the two required 
contracts. A PSO can enter other contracts, whether time-based or task-
based, without regard to the standard(s) for the two required 
contracts.
    Apart from the requirements outlined above, there are no limits on 
the types of contracts that a PSO can enter; its contracts can address 
all or just one of the required patient safety activities, assist 
providers in addressing all, or just a specialized range, of patient 
safety topics, or the PSO can specialize in assisting specific types of 
providers, specialty societies, or provider membership organizations. 
Because of the limits on the extraterritorial application of U.S. law 
and the fact that privilege protections are limited to courts in the 
United States (Federal, State, etc.), the protections in the proposed 
rule apply only to protected data shared between PSOs and providers 
within the United States and its territories; there is only this one 
geographical limitation on a PSO's operations.
    If they choose to do so, providers and PSOs may enter into 
contracts that specify stronger confidentiality protections than those 
specified in this proposed rule and the Patient Safety Act (section 
922(g)(4) of the Public Health Service Act, 42 U.S.C. 299b-22 (g)(3)). 
For example, a provider could choose to de-identify or anonymize 
information it reports to a PSO.
    We note that the Secretary proposes to exercise his authority to 
extend the definition of ``provider'' for the purposes of this statute 
to include a provider's ``parent organization'' (both terms are defined 
in proposed Sec.  3.20). This proposed addition is intended to provide 
an option for health systems (e.g., holding companies or a state 
system) to enter system-wide contracts with PSOs if they choose to do 
so. This option would not be available in the absence of this provision 
because the parent organizations of many health care systems are often 
corporate management entities or governmental entities that are not 
considered licensed or authorized health care providers under state 
law.
    Collecting data in a standardized manner. Section 924(b)(1)(F) of 
the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(F), requires 
PSOs, to the extent practical and appropriate, to collect patient 
safety work product from providers in a standardized manner, to permit 
valid comparisons of similar cases among similar providers. One of the 
goals of the legislation is to facilitate a PSO aggregating sufficient 
data to identify and to address underlying causal factors of patient 
safety problems. A PSO is more valuable if it is able to aggregate 
patient safety work product it receives directly from multiple 
providers, and if it chooses to do so, aggregate its data with patient 
safety work product received from other PSOs and/or share 
nonidentifiable patient safety work product with a network of patient 
safety databases described in section 923 of the Public Health Service 
Act, 42 U.S.C. 299b-23. We recognize that if patient safety work 
product is not collected initially using common data

[[Page 8129]]

elements and consistent definitions, it may be difficult to aggregate 
such data subsequently in order to develop valid comparisons across 
providers and potentially, PSOs. We also recognize, however, that the 
providers who work with PSOs may have varying levels of sophistication 
with respect to patient safety issues and that reporting patient safety 
work product to a PSO in a standardized manner or using standardized 
reporting formats may not be initially practicable for certain 
providers or in certain circumstances. The discussion which follows 
outlines the timetable and the process to which we are committed.
    The Secretary intends to provide ongoing guidance to PSOs on 
formats and definitions that would facilitate the ability of PSOs to 
aggregate patient safety work product. We expect to provide initial 
guidance beginning with the most common types of patient safety events, 
before the final rule is issued, to facilitate the ability of PSOs to 
develop valid comparisons among providers. The Department will make 
such formats and definitions available for public comment in a non-
regulatory format via publication in the Federal Register. We are 
considering, and we seek comment on, including a clarification in the 
final rule, that compliance with this certification requirement would 
mean that a PSO, to the extent practical and appropriate, will 
aggregate patient safety work product consistent with the Secretary's 
guidance regarding reporting formats and definitions when such guidance 
becomes available.
    The process for developing and maintaining common formats. AHRQ has 
established a process to develop common formats that: (1) Is evidence-
based; (2) harmonizes across governmental health agencies; (3) 
incorporates feedback from the public, professional associations/
organizations, and users; and (4) permits timely updating of these 
clinically-sensitive formats.
    In anticipation of the need for common formats, AHRQ began the 
process of developing them in 2005. That process consists of the 
following steps: (1) Develop an inventory of functioning patient safety 
reporting systems to inform the construction of the common formats (an 
evidence base). Included in this inventory, now numbering 64 systems, 
are the major Centers for Disease Control and Prevention (CDC) and Food 
and Drug Administration (FDA) reporting systems as well as many from 
the private sector. (2) Convene an interagency Patient Safety Work 
Group (PSWG) to develop draft formats. Included are major health 
agencies within the Department--CDC, Centers for Medicare and Medicaid 
Services, FDA, Health Resources and Services Administration, the Indian 
Health Service (IHS), the National Institutes of Health--as well as the 
Department of Defense (DoD) and the Veterans Administration (VA). (3) 
Pilot test draft formats--to be conducted in February-March of 2008 in 
DoD, IHS, and VA facilities. (4) Publish version 0.1 (beta) of the 
formats in the Federal Register, along with explanatory material, and 
solicit public comment--planned for July/August 2008. (5) Let a task 
order contract (completed) with the National Quality Forum (NQF) to 
solicit input from the private sector regarding the formats. NQF's role 
will be periodically to solicit input from the private sector to assist 
the Department in updating its versions of the formats. NQF will begin 
with version 0.1 (beta) of the common formats and solicit public 
comments (including from providers, professional organizations, the 
general public, and PSOs), triage them in terms of immediacy of 
importance, set priorities, and convene expert panel(s) to offer advice 
on updates to the formats. This process will be a continuing one, 
guiding periodic updates of the common formats. (6) Accept input from 
the NQF, revise the formats in consultation with the PSWG, and publish 
subsequent versions in the Federal Register. Comments will be accepted 
at all times from public and governmental sources, as well as the NQF, 
and used in updating of the formats.
    This process ensures intergovernmental consistency as well as input 
from the private sector, including, most importantly, those who may use 
the common formats. This latter group, the users, will be the most 
sensitive to and aware of needed updates/improvements to the formats. 
The PSWG, acting as the fulcrum for original development and continuing 
upgrading/maintenance, assures consistency of definitions/formats among 
government agencies. For instance, the current draft formats follow CDC 
definitions of healthcare associated infections and FDA definitions of 
adverse drug events. AHRQ has been careful to promote consensus among 
Departmental agencies on all draft common formats developed to date. 
The NQF is a respected private sector organization that is suited to 
solicit and analyze input from the private sector.
    We welcome comments on our proposed approach to meeting statutory 
objectives.
(C) Proposed Sec.  3.102(c)--Additional Certifications Required of 
Component Organizations
    Section 924(b)(2) of the Public Health Service Act, 42 U.S.C. 299b-
24(b)(2) and the proposed definition of component organization in 
proposed Sec.  3.20 requires an entity that is a component of another 
organization or multi-organizational enterprise that seeks initial or 
continued listing to certify that it will meet three requirements in 
addition to certifying that it will meet the 15 general requirements 
specified in proposed Sec.  3.102(b). We have indicated the types of 
entities that would be required to seek listing as a component 
organization in our discussion of the proposed definitions in proposed 
Sec.  3.20 of the terms ``component organization'' and ``parent 
organization.'' To be listed as a component PSO, an entity would also 
be required to make three additional certifications regarding the 
entity's independent operation and separateness from the larger 
organization or enterprise of which it is a part: the entity would 
certify to (1) the secure maintenance of documents and information 
separate from the rest of the organization(s) or enterprise of which it 
is a part; (2) the avoidance of unauthorized disclosures to the 
organization(s) or enterprise of which it is a part; and (3) the 
absence of a conflict between its mission and the rest of the 
organization(s) or enterprise of which it is a part. We propose in 
Sec.  3.102(c) specific requirements that will ensure that such 
component PSOs implement the type of safeguards for patient safety work 
product that the three additional statutory certification requirements 
for component organizations are intended to provide.
    First, the statute requires a component PSO to maintain patient 
safety work product separate from the rest of the organization(s) or 
enterprise of which it is a part (section 924(b)(2)(A) of the Public 
Health Service Act, 42 U.S.C. 299b-24(b)(2)(A)). To ensure compliance 
with this statutory requirement, we considered, but did not include 
here, a proposal to prohibit a component PSO from contracting, 
subcontracting, or entering any agreement with any part of the 
organization(s) or enterprise of which it is a part for the performance 
of any work involving the use of patient safety work product. We seek 
comment on the limited exception proposed in Sec.  3.102(c) here that 
would permit such contracts or subcontracts only if they can be carried 
out in a manner that is consistent with the statutory

[[Page 8130]]

requirements of this section. This means that, while a component PSO 
could enter such arrangements involving the use of patient safety work 
product with a unit of the organization(s) or enterprise of which it is 
a part, the component PSO would maintain the patient safety work 
product and be responsible for its security (i.e., control the access 
and use of it by the contracting unit). In addition, under our 
proposal, while allowing access to the contracting unit of the 
identifiable patient safety work product necessary to carry out the 
contractual assignment would be a permissible disclosure, the component 
PSO would remain responsible for ensuring that the contracting unit 
does not violate the prohibitions related to unauthorized disclosures 
required under 924(b)(2)(B) of the PHS Act, 42 U.S.C. 299b-24(b)(2)(B), 
(i.e., disclosures to other units of the organization or enterprise) 
and that there is no conflict between the mission of the component PSO 
and the contracting unit, as required under 924(b)(2)(C) of the PHS 
Act, 42 U.S.C. 299b-24(b)(2)(C). We invite comment on whether such a 
limited exception is necessary or appropriate and, if so, the 
appropriateness of the restrictions we have proposed.
    Second, a component PSO would not be permitted to have a shared 
information system with the rest of the organization(s) since this 
might provide unauthorized access to patient safety work product. For 
example, we intend to prohibit a component PSO from storing any patient 
safety work product in information systems or databases to which the 
rest of the organization(s) or enterprise of which it is a part would 
have access or the ability to remove or transmit a copy. We 
preliminarily conclude that most security measures, such as password 
protection of the component PSO's information, are too easily 
circumvented.
    Third, the proposed rule provides that the workforce of the 
component PSO must not engage in work for the rest of the 
organization(s) if such work could be informed or influenced by the 
individual's knowledge of identifiable patient safety work product. For 
example, a component PSO could share accounting or administrative 
support staff under our proposal because the work of these individuals 
for the rest of the organization(s) would not be informed or influenced 
by their knowledge of patient safety work product. By contrast, if the 
rest of the organization provides health care services, a physician who 
served on a parent organization's credentialing, hiring, or 
disciplinary committee(s) could not also work for the PSO. Knowledge of 
confidential patient safety work product could influence his or her 
decisions regarding credentialing, hiring, or disciplining of providers 
who are identifiable in the patient safety work product.
    We provide one exception to the last prohibition. It is not our 
intent to prohibit a clinician, whose work for the rest of the 
organization is solely the provision of patient care, from undertaking 
work for the component PSO. We see no conflict if the patient care 
provided by the clinician is informed by the clinical insights that 
result from his or her work for the component PSO. If a clinician has 
duties beyond patient care, this exception only applies if the other 
duties do not violate the general prohibition (i.e., that the other 
duties for the rest of the organization(s) cannot be informed by 
knowledge of patient safety work product).
    As part of the requirement that the PSO must certify that there is 
no conflict between its mission and the rest of the organization(s), we 
propose that the certification form will require the PSO to provide the 
name(s) of the organization(s) or enterprise of which it is a part (see 
the discussions of our definitions of parent and component 
organizations in proposed Sec.  3.20).
    We have not proposed specific standards to determine whether 
conflicts exist between a PSO and other components of the organization 
or enterprise of which it is a part. We recognize that some industries 
and particular professions, such as the legal profession through state-
based codes of professional responsibility, have specific standards or 
tests for determining whether a conflict exists. We request comments on 
whether the final rule should include any specific standards, and, if 
so, what criteria should be put in place to determine whether a 
conflict exists.
(D) Proposed Sec.  3.102(d)--Required Notifications
    Proposed Sec.  3.102(d) establishes in regulation two required 
notifications that implement two statutory provisions: a notification 
to the Secretary certifying whether the PSO has met the biennial 
requirement for bona fide contracts with more than one provider 
(section 924(b)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b-
24(b)(1)(C)); and the submission of a disclosure statement to the 
Secretary whenever a PSO has established specific types of 
relationships (discussed below) with a contracting provider, in 
particular where a PSO is not managed or controlled independently from, 
or if it does not operate independently from, a contracting provider 
(section 924(b)(1)(E) of the Public Health Service Act, 42 U.S.C. 299b-
24(b)(1)(E)).
(1) Proposed Sec.  3.102(d)(1)--Notification Regarding PSO Compliance 
With the Minimum Contract Requirement
    Proposed Sec.  3.102(d)(1) requires a PSO to notify the Secretary 
whether it has entered at least two bona fide contracts that meet the 
requirements of proposed Sec.  3.102(b)(2). The notification 
requirement implements the statutory requirement in section 
924(b)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b-
24(b)(1)(C), that a PSO must have contracts with more than one 
provider. Notification to the Secretary will be by attestation on a 
certification form developed pursuant to proposed Sec.  3.112. Prompt 
notification of the Secretary that a PSO has entered two or more 
contracts will result in earlier publication of that information by the 
Secretary and this may be to the PSO's benefit.
    We propose that the Secretary receive initial notification from a 
PSO no later than 45 calendar days before the last day of the period 
that is 24 months after the date of its initial listing and 45 calendar 
days prior to the last day of every 24-month period thereafter. While 
each PSO will have the full statutory period of 24 months to comply 
with this requirement, we propose an earlier date for notification of 
the Secretary to harmonize this notification requirement with the 
requirement, established by section 924(e) of the Public Health Service 
Act, 42 U.S.C. 299b-24(e), that the Secretary provide each PSO with a 
period of time to correct a deficiency. If the Secretary were to 
provide a period for correction that begins after the 24-month period 
has ended, the result would be that some PSOs would be granted 
compliance periods that extend beyond the unambiguous statutory 
deadline for compliance. To avoid this unfair result, we propose that a 
PSO certify to the Secretary whether it has complied with this 
requirement 45 calendar days in advance of the final day of its 
applicable 24-month period.
    If a PSO notifies the Secretary that it cannot certify compliance 
or fails to submit the required notification, the Secretary, pursuant 
to proposed Sec.  3.108(a)(2), will then issue a preliminary finding of 
deficiency and provide a period for correction that extends until 
midnight of the last day of the applicable 24-month assessment period 
for the PSO. In this way, the requirement for an opportunity for 
correction can be met without granting any PSO a period for compliance 
that

[[Page 8131]]

exceeds the statutory limit. We invite comments on alternative 
approaches to harmonize these two potentially conflicting requirements.
    We note that contracts that are entered into after midnight on the 
last day of the applicable 24-month period do not count toward meeting 
the two-contract requirement for that 24-month assessment period. If a 
PSO does not meet the requirement by midnight of the last day of the 
applicable 24-month assessment period, the Secretary will issue a 
notice of revocation and delisting pursuant to proposed Sec.  
3.108(a)(3).
(2) Proposed Sec.  3.102(d)(2)--Notification Regarding PSO's 
Relationships With Its Contracting Providers
    Proposed Sec.  3.102(d)(2) establishes the circumstances under 
which a PSO must submit a disclosure statement to the Secretary 
regarding its relationship(s) with any contracting provider(s) and the 
deadline for such required submissions.
    The purpose of this disclosure requirement is illuminated by the 
statutory obligation of the Secretary, set forth in section 924(c)(3) 
of the Public Health Service Act, 42 U.S.C. 299b-24(c)(3), to review 
the disclosure statements and make public findings ``whether the entity 
can fairly and accurately perform the patient safety activities of a 
patient safety organization.'' To provide the Secretary with the 
information necessary to make such a judgment, section 924(b)(1)(E) of 
the Public Health Service Act, 42 U.S.C. 299b-24(b)(1)(E), requires a 
PSO to fully disclose information to the Secretary if the PSO has 
certain types of relationships with a contracting provider and, if 
applicable, whether the PSO is not independently managed or controlled, 
or if it does not operate independently from, the contracting provider.
    The statutory requirement for a PSO to submit a disclosure 
statement applies only when a PSO has entered into a contract with a 
provider; if there is no contractual relationship between the PSO and a 
provider pursuant to the Patient Safety Act, a disclosure statement is 
not required. Even when a PSO has entered a contract with a provider, 
we propose that a PSO would need to file a disclosure statement 
regarding a contracting provider only when the circumstances, specified 
in section 924(c)(3) of the Public Health Service Act, 42 U.S.C. 299-
24(c)(3), and discussed here, are present.
    A PSO is first required to assess whether a disclosure statement 
must be submitted to the Secretary when the PSO enters a contract with 
a provider, but we note that the disclosure requirement remains in 
effect during the entire contract period. Even when a disclosure 
statement is not required at the outset of the contract period, if the 
circumstances discussed here arise, a disclosure statement must be 
submitted at that time to the Secretary for review.
    With respect to a provider with which it has entered a contract, a 
PSO is required to submit a disclosure statement to the Secretary only 
if either or both of the following circumstances are present. First, a 
disclosure statement must be filed if the PSO has any financial, 
reporting, or contractual relationships with a contracting provider 
(other than the contract entered into pursuant to the Patient Safety 
Act). Second, taking into account all relationships that the PSO has 
with that contracting provider, a PSO must file a disclosure statement 
if it is not independently managed or controlled, or if it does not 
operate independently from, the contracting provider.
    With respect to financial, reporting or contractual relationships, 
the proposed rule states that contractual relationships that must be 
disclosed are not limited to formal contracts but encompass any oral or 
written arrangement that imposes responsibilities on the PSO. For 
example, the provider may already have a contract or other arrangement 
with the PSO for assistance in implementation of proven patient safety 
interventions and is now seeking additional help from the PSO for the 
review of patient safety work product. A financial relationship 
involves almost any direct or indirect ownership or investment 
relationship between the PSO and the contracting provider, shared or 
common financial interests, or direct or indirect compensation 
arrangement, whether in cash or in-kind. A reporting relationship 
includes a relationship that gives the provider access to information 
that the PSO holds that is not available to other contracting providers 
or control, directly or indirectly, over the work of the PSO that is 
not available to other contracting providers. If any such relationships 
are present, the PSO must file a disclosure statement and describe 
fully all of these relationships.
    The other circumstance that triggers the requirement to disclose 
information to the Secretary is the provision of the Patient Safety Act 
that requires the entity to fully disclose ``if applicable, the fact 
that the entity is not managed, controlled, and operated independently 
from any provider that contracts with the entity.'' See section 
924(b)(1)(E) of the Public Health Service Act, 42 U.S.C. 299b-
24(b)(1)(E). We propose to interpret this provision as noted above 
because we believe that the adverb ``independently'' modifies all three 
verbs--that is, that the entity is required to disclose when it is not 
managed independently from, is not controlled independently from, or is 
not operated independently from, any provider that contracts with the 
entity.
    Disclosure would be required, for example, if the contracting 
provider created the PSO and exercises a degree of management or 
control over the PSO, such as overseeing the establishment of its 
budget or fees, hiring decisions, or staff assignments. Another example 
of such a relationship that would require disclosure would be the 
existence of any form of inter-locking governance structure. We 
recognize that contracts, by their very nature, will enable a 
contracting provider to specify tasks that the PSO undertakes or to 
direct the PSO to review specific cases and not others. These types of 
requirements reflect the nature of any contractual relationship and do 
not trigger a requirement to file such a disclosure statement. The 
focus of this provision as indicated in section 924(c)(3) of the Public 
Health Service Act, 42 U.S.C. 299b-24(c)(3), and here is on the 
exercise of the type of control that could compromise the ability of 
the PSO to fairly and accurately carry out patient safety activities. 
If the contracting provider exercises this type of influence over the 
PSO, the PSO must file a disclosure statement and fully disclose the 
nature of the influence exercised by the contracting provider.
    To meet the statutory requirement for full disclosure, a PSO's 
submission should attempt to put the significance of the financial, 
reporting, or contractual relationship in perspective (e.g., relative 
to other sources of PSO revenue or other types of contractual or 
reporting relationships). We would also encourage PSOs to list any 
agreements, stipulations, or procedural safeguards that might offset 
the influence of the provider and that might protect the ability of the 
PSO to operate independently. By doing so, a PSO can ensure that its 
disclosure statements present a full and, if applicable, balanced 
picture of the relationships and degree of independence that exist 
between the PSO and its contracting provider(s).
    We propose to require that, whenever a PSO determines that it must 
file a statement based upon these requirements, the Secretary must 
receive the disclosure statement within 45 calendar days. The PSO must 
make an initial determination on the date on which a contract is 
entered. If the PSO determines that it must file a disclosure

[[Page 8132]]

statement, the Secretary must receive the disclosure statement no later 
than 45 days after the date on which the contract was entered. During 
the contract period, the Secretary must receive a disclosure statement 
within 45 calendar days of the date on which either or both of the 
circumstances described above arise. If the Secretary determines, after 
the applicable 45-day period, that a required disclosure statement was 
not received from a PSO, the Secretary may issue to the PSO a notice of 
a preliminary finding of deficiency, the first step in the revocation 
process established by proposed Sec.  3.108.
2. Proposed Sec.  3.104--Secretarial Actions
    Proposed Sec.  3.104 describes the actions that the Secretary may 
and will take regarding certification submissions for listing or 
continued listing, the required notification certifying that the PSO 
has entered the required minimum of two contracts, and disclosure 
statements, including the criteria that the Secretary will use in 
reviewing such statements and the determinations the Secretary may 
make. This proposed section also outlines the types of information that 
the Secretary will make public regarding PSOs, specifies how, and for 
what period of time, the Secretary will list a PSO whose certification 
he has accepted and establishes an effective date for Secretarial 
actions under this proposed subpart. See section 924(c) of the Public 
Health Service Act, 42 U.S.C. 299b-24(c).
(A) Proposed Sec.  3.104(a)--Actions in Response to Certification 
Submissions for Initial and Continued Listing as a PSO
    Proposed Sec.  3.104(a) describes the actions that the Secretary 
may and will take in response to certification for initial or continued 
listing as a PSO (section 924(c)(1)-(2) of the Public Health Service 
Act, 42 U.S.C. 299b-24(c)(1)-(2)), submitted to the Secretary pursuant 
to the requirements of proposed Sec.  3.102. The decision on whether 
and how to list an entity as a PSO will be based upon a determination 
of whether the entity meets the applicable requirements of the Patient 
Safety Act and this proposed part. In most cases, it is anticipated 
that the Secretary will either accept the submission and list the 
entity or deny the listing on this basis.
    In determining whether to list an entity as a PSO, the proposed 
rule requires the Secretary to consider the submitted certification and 
any relevant history, such as prior actions the Secretary has taken 
regarding the entity or PSO including delisting, any history of or 
current non-compliance by the entity or PSO with statutory or 
regulatory requirements or requests by the Secretary, relationships of 
the entity or PSO with providers and any findings by the Secretary in 
accordance with proposed Sec.  3.104(c). Initially, the Secretary will 
rely solely on the submitted certification; entities seeking listing 
will not have any applicable history of the type specified for the 
Secretary to consider. Even over time, we anticipate that the Secretary 
would normally rely upon the submitted certification in making a 
listing determination.
    There may be occasions in future years when the Secretary may need 
to take into account the history of an entity or PSO in making a 
determination for initial or continued listing. Examples of such 
situations might include: A PSO seeking continued listing that has a 
history of deficiencies; an entity seeking initial listing may be a 
renamed former PSO whose certifications had been revoked for cause by 
the Secretary; or the leadership of an entity seeking listing may have 
played a leadership role in a former PSO that failed to meet its 
obligations to providers during voluntary relinquishment (see proposed 
Sec.  3.108(c)). In such circumstances, it may not be prudent for the 
Secretary to rely solely upon the certification submitted by the entity 
or PSO and this proposed subsection would enable the Secretary to seek 
additional information or assurances before reaching a determination on 
whether to list an entity. To ensure that the Secretary is aware of any 
relevant history before making a listing determination, without 
imposing additional burden on most entities seeking listing, we propose 
to include an attestation on the certification form that would require 
acknowledgement if the entity (under its current name or another) or 
any member of its workforce have been party to a delisting 
determination by the Secretary. We welcome comment on this proposal, or 
alternative approaches, for ensuring that the Secretary can carry out 
the requirements of this proposed section.
    The Secretary also has the authority, under certain circumstances, 
to condition the listing of a PSO under section 924(c)(3) of the Public 
Health Service Act, 42 U.S.C. 299b-24(c)(3). The Secretary may 
establish conditions on the listing of a PSO following a determination, 
pursuant to proposed Sec.  3.104(c), that such conditions are necessary 
to ensure that the PSO can fairly and accurately perform patient safety 
activities. A decision to impose such conditions will typically occur 
after the listing of a PSO, when the PSO submits a disclosure statement 
about its relationships with a contracting provider. It also could 
occur at the time of initial or continued listing based upon a 
Secretarial review of a disclosure statement submitted 
contemporaneously with the review of an entity's certification 
submission.
    The Secretary expects to be able to conclude review of an 
application for initial or continued listing within 30 days of receipt 
unless additional information or assurances, as described above in the 
paragraph discussing the history of an entity or PSO, are required, or 
the application as initially submitted is incomplete. The Secretary 
will notify each entity that requests listing of the action taken on 
its certification submission for initial or continued listing. The 
Secretary will provide reasons when an entity's certification is not 
accepted and, if the listing is conditioned based upon a determination 
made pursuant to proposed Sec.  3.104(c), the reasons for imposing 
conditions.
(B) Proposed Sec.  3.104(b)--Actions Regarding PSO Compliance With the 
Minimum Contract Requirement
    Proposed Sec.  3.104(b) sets forth the required Secretarial action 
regarding PSO compliance with the requirement of the proposed rule for 
a minimum of two bona fide contracts. If a PSO attests, in the 
notification required by proposed Sec.  3.102(d)(1), that it has met 
the requirement, the Secretary will acknowledge in writing receipt of 
the attestation and include information on the list established 
pursuant to proposed Sec.  3.104(d) that the PSO has certified that it 
has met the requirement. If the PSO notifies the Secretary that it has 
not yet met the requirement, or if notification is not received from 
the PSO by the date required under proposed Sec.  3.102(d)(1), the 
Secretary, pursuant to proposed Sec.  3.108(a)(2), will issue a notice 
of a preliminary finding of deficiency to the PSO and provide an 
opportunity for correction that will extend no later than midnight of 
the last day of its applicable 24-month assessment period. Under this 
authority, the Secretary will require notification of correction and 
compliance from a PSO by midnight of the final day of the applicable 
24-month period. If the deficiency has not been corrected by that date, 
the Secretary will issue promptly a notice of proposed revocation and 
delisting pursuant to the requirements of proposed Sec.  3.108(a)(3).

[[Page 8133]]

(C) Proposed Sec.  3.104(c)--Actions Regarding Required Disclosures by 
PSOs of Relationships With Contracting Providers.
    Proposed Sec.  3.104(c) establishes criteria that the Secretary 
will use to evaluate a disclosure statement submitted pursuant to 
proposed Sec.  3.102(d)(2), specifies the determinations the Secretary 
may make based upon evaluation of any disclosure statement, and 
proposes public release, consistent with the Freedom of Information 
Act, of disclosure statements submitted by PSOs as well as the 
Secretary's findings (see section 924(c)(3) of the Public Health 
Service Act, 42 U.S.C. 299b-24(c)(3)).
    In reviewing disclosure statements and making public findings, we 
propose that the Secretary consider the nature, significance, and 
duration of the relationship between the PSO and the contracting 
provider. We seek input on other appropriate factors to consider.
    Following review of the disclosure statement, the Secretary will 
make public findings regarding the ability of the PSO to carry out 
fairly and accurately defined patient safety activities as required by 
the Patient Safety Act. The Secretary may conclude that the disclosures 
require no action on his part or, depending on whether the entity is 
listed or seeking listing, may condition his listing of the PSO, 
exercise his authority under proposed Sec.  3.104(a) to refuse to list, 
or exercise his authority under proposed Sec.  3.108 to revoke the 
listing of the entity. The Secretary will notify each entity of his 
findings and decision regarding each disclosure statement.
    This subsection proposes to make this process transparent, 
recognizing that providers seeking to contract with a PSO may want to 
make their own judgments regarding the appropriateness of the disclosed 
relationships. Therefore, with the exception of information, such as 
information that would be exempt from disclosure under the Freedom of 
Information Act, we propose to make public each disclosure statement 
received from a PSO by including it on the list of PSOs maintained 
pursuant to proposed Sec.  3.104(d) and we may post such statements on 
the PSO Web site we plan to establish. Public release of PSO disclosure 
statements would be in addition to the statutory requirement in section 
924(c)(3) of the Public Health Service Act, 42 U.S.C. 299b-24(c)(3), 
that the Secretary's findings regarding disclosure statements must be 
made public. Greater transparency is intended to promote more informed 
decision making by providers, who are the primary customers for PSO 
services.
(D) Proposed Sec.  3.104(d)--Maintaining a List of PSOs
    Proposed Sec.  3.104(d) implements the statutory requirement in 
section 924(d) of the Public Health Service Act, 42 U.S.C. 299b-24(d), 
that the Secretary compile and maintain a list of those entities whose 
PSO certifications have been accepted in accordance with proposed Sec.  
3.104(a) and which certifications have not been revoked or voluntarily 
relinquished in accordance with proposed Sec.  3.108(b) or (c). The 
list will include contact information for each PSO, the effective date 
and time of listing of the PSO, a copy of each certification form and 
disclosure statement that the Secretary receives from the entity, and 
information on whether the PSO has certified that it has met the two 
contract requirement in each 24-month assessment period. The list will 
also include a copy of the Secretary's findings regarding any 
disclosure statements filed by each PSO, including whether any 
conditions have been placed on the listing of the entity as a PSO, and 
other information that this proposed subpart authorizes the Secretary 
to make public. To facilitate the development of a marketplace for the 
services of PSOs, we plan to establish a PSO Web site (or a future 
technological equivalent) and expect to post the list of PSOs on the 
PSO Web site, reserving the right to exclude information contained in 
disclosure statements that would be exempt from disclosure under the 
Freedom of Information Act. We seek comment on whether there are 
specific types of information that the Secretary should consider 
posting routinely on this Web site for the benefit of PSOs, providers, 
and other consumers of PSO services.
(E) Proposed Sec.  3.104(e)--Three-Year Period of Listing
    Proposed Sec.  3.104(e) states that, when the Secretary has 
accepted certification submitted for initial or continued listing, the 
entity will be listed as a PSO for a period of three years (section 
924(a)(2) of the Public Health Service Act, 42 U.S.C. 299b-24(a)(2)), 
unless the Secretary revokes the listing or the Secretary determines 
that the entity has voluntarily relinquished its status as a PSO (see 
proposed Sec.  3.108).
    This subsection also provides that the Secretary will send a 
written notice of imminent expiration to a PSO no later than 45 
calendar days before the date on which the PSO's three-year period of 
listing expires if the Secretary has not received a certification 
seeking continued listing. This notice is intended to ensure that a PSO 
does not let its listing lapse inadvertently. We expect that the 
Secretary will include in the notice a date by which the PSO should 
submit its certifications to ensure that the Secretary has sufficient 
time to act before the current period of listing expires.
    We are considering including in the final rule, and seek comment 
on, a requirement that the Secretary include information on the public 
list of PSOs maintained pursuant to Sec.  3.104(d), that identifies the 
PSOs to which a notice of imminent expiration has been sent. The intent 
of such a requirement would be to ensure that a provider reporting data 
to such a PSO has adequate notice and time to ascertain, if it chooses 
to do so, whether that PSO intends to seek continued listing and, if 
not, to make alternative arrangements for reporting data to another 
PSO.
(F) Proposed Sec.  3.104(f)--Effective Date of Secretarial Actions
    Proposed Sec.  3.104(f) states that, unless otherwise specified, 
the effective date of each action by the Secretary pursuant to this 
proposed subpart will be specified in the written notice that is sent 
to the entity. To ensure that an entity receives prompt notification, 
the Department anticipates sending such a notice by electronic mail or 
other electronic means in addition to a hard copy version. We are 
confident that any entity seeking listing as a PSO will have electronic 
mail capacity. For listing and delisting, the Secretary will specify 
both an effective time and date for such actions in the written notice. 
Our intent is to ensure clarity regarding when the entity can receive 
information that will be protected as patient safety work product.
3. Proposed Sec.  3.106--Security Requirements
    Proposed Sec.  3.106 identifies the entities and individuals that 
are subject to the security requirements of this section and 
establishes the considerations that entities and individuals specified 
in subsection (a) should address to secure patient safety work product 
in their possession. This section provides a common framework for 
compliance with the requirement in section 921(5)(F) of the Public 
Health Service Act, 42 U.S.C. 299b-21(5)(F), that a PSO provide 
appropriate security measures with respect to patient safety work 
product. In light of the importance of data security to those who 
supply patient safety work product to any PSO, maintenance of data 
security will be a high and ongoing priority for PSOs.

[[Page 8134]]

(A) Proposed Sec.  3.106(a)--Application
    Proposed Sec.  3.106(a) states that the security requirements in 
proposed Sec.  3.106(b) apply to each PSO, its workforce members, and 
its contractors when the contractors hold patient safety work product. 
This proposed subsection applies the requirements at all times and at 
any location at which patient safety work product is held. We expect 
that it will be more efficient for most PSOs to contract for at least a 
portion of the expertise they need to carry out patient safety 
activities, including the evaluation of certain types of patient safety 
events. In such situations, when a PSO discloses patient safety work 
product to a contractor to assist the PSO in carrying out patient 
safety activities and the contractor maintains such patient safety work 
product at locations other than those controlled by the PSO, our intent 
is to ensure that these same security requirements apply. We recognize 
that some contractors that a PSO chooses to employ may not want to, or 
may not have the resources to, meet these requirements at other 
locations. In such circumstances, the contractors will need to perform 
their services at locations at which the PSO can ensure that these 
security requirements can be met.
    We note that this regulation does not impose these requirements on 
providers, but agreements between PSOs and providers may by contract 
call for providers to adopt equivalent standards.
(B) Proposed Sec.  3.106(b)--Security Framework
    Proposed Sec.  3.106(b) establishes a framework consisting of four 
categories for the security of patient safety work product that a PSO 
must consider, including security management, separation of systems, 
security control and monitoring, and security assessment.
    This framework is consistent with the standards of the National 
Institute of Standards and Technology (NIST) that federal agencies must 
follow but this section does not impose on PSOs the specific NIST 
standards that Federal agencies must meet. We recognize that it is not 
likely that PSOs will have the scale of operation or the resources to 
comply with Federal data security standards. Instead, we propose to 
require that each PSO must consider the four categories of the NIST 
framework set forth in this section by developing appropriate and 
scalable standards that are suitable for the size and complexity of its 
organization. We seek comment on the extent to which this proposal 
adequately and appropriately identifies the most significant security 
issues, with respect to patient safety work product that PSOs receive, 
develop, or maintain, and which PSOs should be expected to address with 
due diligence, and the extent to which our approach provides PSOs with 
sufficient flexibility to develop scalable standards.
(1) Proposed Sec.  3.106(b)(1)--Security Management
    Proposed Sec.  3.106(b)(1) requires the PSO to approach its 
security requirements by: documenting its security requirements for 
patient safety work product; taking steps to ensure that its workforce 
and contractors as specified in proposed Sec.  3.106(a) understand 
their responsibilities regarding patient safety work product and the 
confidentiality requirements of the statute, including the potential 
imposition of civil money penalties for impermissible disclosures; and 
monitoring and improving the effectiveness of its security policies and 
procedures.
(2) Proposed Sec.  3.106(b)(2)--Separation of Systems
    Under the statute, to preserve the confidentiality of patient 
safety work product, it is important to maintain a clear separation 
between patient safety work product and information that is not 
protected, and a clear separation between patient safety activities and 
other activities. As a result, we have incorporated requirements in 
proposed Sec.  3.106(b)(2) that PSOs must ensure such separation. The 
specific requirements for which a PSO must develop appropriate 
standards include: maintaining functional and physical separation of 
patient safety work product from other systems of records; protection 
of patient safety work product while it is held by the PSO; appropriate 
disposal or sanitization of media that have contained patient safety 
work product; and preventing physical access to patient safety work 
product by unauthorized users or recipients.
(3) Proposed Sec.  3.106(b)(3)--Security Control and Monitoring
    Proposed Sec.  3.106(b)(3) requires that policies and procedures 
adopted by a PSO related to security control and monitoring must enable 
the PSO to identify and authenticate users of patient safety work 
product and must create an audit capacity to detect unlawful, 
unauthorized, or inappropriate activities involving access to patient 
safety work product. To ensure accountability, controls should be 
designed to preclude unauthorized removal, transmission or disclosures 
of patient safety work product.
(4) Proposed Sec.  3.106(b)(4)--Security Assessment
    Proposed Sec.  3.106(b)(4) requires a PSO to develop policies and 
procedures that permit it to assess periodically the effectiveness and 
weaknesses of its overall approach to security of patient safety work 
product. A PSO needs to determine the frequency of security 
assessments, determine when it needs to undertake a risk assessment 
exercise so that the leadership and the workforce of the PSO are aware 
of the risks to PSO assets from security lapses, and specify how it 
will assess and adjust its procedures to ensure the security of its 
communications involving patient safety work product to and from 
providers and other authorized parties. Such communications are 
potentially vulnerable weak points for any security system and require 
ongoing special attention by a PSO.
4. Proposed Sec.  3.108--Correction of Deficiencies, Revocation and 
Voluntary Relinquishment
    Proposed Sec.  3.108 describes the process by which PSOs will be 
given an opportunity to correct deficiencies, the process for 
revocation of acceptance of the certification submitted by an entity 
for cause and its removal from the list of PSOs, and specifies the 
circumstances under which an entity will be considered to have 
voluntarily relinquished its status as a PSO.
    This section would establish procedural opportunities for a PSO to 
respond during the process that might lead to revocation. When the 
Secretary identifies a possible deficiency, the PSO would be given an 
opportunity to correct the record if it can demonstrate that the 
information regarding a deficiency is erroneous, and if the existence 
of a deficiency is uncontested, an opportunity to correct it. The PSO 
is encouraged to alert the Department if it faces unanticipated 
challenges in correcting the deficiency; we propose that the Secretary 
will consider such information in determining whether the PSO has acted 
in good faith, whether the deadline for corrective action should be 
extended, or whether the required corrective action should be modified. 
If the Secretary determines that the PSO has not timely corrected the 
deficiency and issues a notice of proposed revocation and delisting, 
the PSO will be given an automatic right of appeal to present its case 
in writing.
    If the Secretary makes a decision to revoke acceptance of the 
entity's certification and remove it from the list

[[Page 8135]]

of PSOs, this proposed section specifies the required actions that the 
Secretary and the entity must take following such a decision. The 
proposed rule implements the statutory requirements for the 
establishment of a limited period during which providers can continue 
to report information to the former PSO and receive patient safety work 
product protections for these data, and establishes a framework for 
appropriate disposition of patient safety work product or data held by 
the former PSO. See section 924(e)-(g) of the Public Health Service 
Act, 42 U.S.C. 299b-24(e)-(g).
    This section also describes two circumstances under which an entity 
will be considered to have voluntarily relinquished its status as a 
PSO: (1) Notification of the Secretary in writing by the PSO of its 
intent to relinquish its status voluntarily; and (2) if a PSO lets its 
period of listing expire without submission of a certification for 
continued listing that the Secretary has accepted. In both 
circumstances, we propose that such a PSO consult with the source of 
the patient safety work product in its possession to provide notice of 
its intention to cease operations and provide for appropriate 
disposition of such patient safety work product. When the Secretary 
removes a PSO from listing as a result of revocation for cause or 
voluntarily relinquishment, the Secretary is required to provide public 
notice of the action.
    We note that section 921 of the Public Health Service Act, 42 
U.S.C. 299b-21, and, therefore, the proposed rule, defines a PSO as an 
entity that is listed by the Secretary pursuant to the requirements of 
the statute that are incorporated into this proposed rule. This means 
that an entity remains a PSO for its three-year period of listing 
unless the Secretary removes the entity from the list of PSOs because 
he revokes acceptance of its certification and listing for cause or 
because the entity voluntarily relinquishes its status as described 
below. Accordingly, even when a deficiency is identified publicly or 
the proposed requirements of this section have been initiated, we 
stress that an entity remains a PSO until the date and time at which 
the Secretary's removal of the entity from listing is effective. Until 
then, data that is reported to a listed entity by providers shall be 
considered patient safety work product and the protections accorded 
patient safety work product continue to apply following the delisting 
of the PSO.
(A) Proposed Sec.  3.108(a)--Process for Correction of a Deficiency and 
Revocation
    Proposed Sec.  3.108(a) describes the process by which the 
Secretary would provide an opportunity for a PSO to correct identified 
deficiencies and, if not timely corrected or if the deficiencies cannot 
be ``cured,'' the process that can lead to a determination by the 
Secretary to revoke acceptance of a PSO's certification. This section 
proposes a two-stage process. The first stage would provide an 
opportunity to correct a deficiency. Under the proposal, when the 
Secretary identifies a deficiency, the Secretary would send the PSO a 
notice of preliminary determination of a deficiency. The PSO would then 
have an opportunity to demonstrate that the information on which the 
notice was based is incorrect. The notice would include a timetable for 
correction of the deficiency and may specify the specific corrective 
action and the documentation that the Secretary would need to determine 
if the deficiency has been corrected. The PSO would be encouraged to 
provide information for the administrative record on unexpected 
challenges in correcting the deficiency, since the Secretary has great 
flexibility to work with a PSO to facilitate correction of 
deficiencies. We anticipate that most PSO deficiencies would be 
resolved at this stage.
    Under the proposal, the second stage would occur when the Secretary 
would conclude that a PSO has not timely corrected a deficiency or has 
a pattern of non-compliance and issues the PSO a notice of proposed 
revocation and delisting. Rather than requiring a PSO to seek an 
opportunity to appeal, the proposed rule would provide an automatic 
period of 30 days for a PSO to be heard in writing by submitting a 
rebuttal to the findings in the Secretary's notice of revocation and 
delisting. The Secretary may then affirm, modify, or reverse the notice 
of revocation and delisting.
    In light of the procedures in the proposed rule to ensure due 
process, we have not proposed to incorporate any further internal 
administrative appeal process beyond the Secretary's determination 
regarding a notice of proposed revocation and delisting pursuant to 
proposed Sec.  3.108(a)(5). We invite comments on our proposed 
approach.
(1) Proposed Sec.  3.108(a)(1)--Circumstances Leading to Revocation
    Proposed Sec.  3.108(a)(1) lists four circumstances, each of which 
is statutorily based, that may lead the Secretary to revoke acceptance 
of a PSO's certification and delist the entity: the PSO is not meeting 
the obligations to which it certified its compliance as required by 
proposed Sec.  3.102; the PSO has not certified to the Secretary that 
it has entered the required minimum of two contracts within the 
applicable 24-month period pursuant to proposed Sec.  3.102(d)(1); the 
Secretary, after reviewing a PSO's disclosure statement submitted 
pursuant to proposed Sec.  3.102(d)(2), determines that the PSO cannot 
fairly and accurately perform its duties pursuant to proposed Sec.  
3.104(c); or the PSO is not in compliance with any other provision of 
the Patient Safety Act or this proposed part. (See section 924(c) and 
(e) of the Public Health Service Act, 42 U.S.C. 299b-24(c) and (e).)
(2) Proposed Sec.  3.108(a)(2)--Notice of Preliminary Finding of 
Deficiency and Establishment of an Opportunity for Correction of a 
Deficiency
    Under proposed Sec.  3.108(a)(2), when the Secretary has reason to 
believe that a PSO is not in compliance with the requirements of the 
statute and the final rule, the Secretary would send a written notice 
of a preliminary finding of deficiency to the PSO (see section 924(c) 
and (e) of the Public Health Service Act, 42 U.S.C. 299b-24(c) and 
(e)). The notice would specifically state the actions or inactions that 
describe the deficiency, outline the evidence that a deficiency exists, 
specify the possible and/or required corrective action(s) that must be 
taken, establish an opportunity for correction and a date by which the 
corrective action(s) must be completed, and, in certain circumstances, 
specify the documentation that the PSO would be required to submit to 
demonstrate that the deficiency has been corrected.
    We propose that, absent other evidence of actual receipt, we would 
assume that the notice of a preliminary finding of deficiency has been 
received 5 calendar days after it was sent. Under the proposal, if a 
PSO submits evidence to the Secretary that demonstrates to the 
Secretary that the preliminary finding is factually incorrect within 14 
calendar days following receipt of this notice, the preliminary finding 
of deficiency would be withdrawn; otherwise, it would be the basis for 
a finding of deficiency. We stress that this would not be an 
opportunity to file an appeal regarding the proposed corrective 
actions, the period allotted for correcting the deficiency, or the time 
to provide explanations regarding why a deficiency exists. This 14-day 
period would only ensure that the PSO has an opportunity,

[[Page 8136]]

if the information on which the notice is based is not accurate, to 
correct the record immediately. For example, a notice of a preliminary 
finding of deficiency may be based on the fact that the Secretary has 
no record that the PSO has entered the required two contracts. In this 
case, if a PSO can attest that it submitted the certification as 
required or can attest that it has entered the required two contracts 
consistent with the requirements of proposed Sec.  3.102(d)(1), the 
Secretary would then withdraw the notice. If a notice of deficiency is 
based on the failure of the PSO to submit a required disclosure 
statement within 45 days, the PSO might submit evidence that the 
required statement had been sent as required. If the evidence is 
convincing, the Secretary would withdraw the notice of preliminary 
finding of deficiency. If the Secretary does not consider the evidence 
convincing, the Secretary would so notify the PSO and the notice would 
remain in effect. The PSO would then need to demonstrate that it has 
met the requirements of the notice regarding correction of the 
deficiency.
    We anticipate that in the vast majority of circumstances in which 
the Secretary believes there is a deficiency, the deficiency can and 
will be corrected by the PSO. In those cases, as discussed above, the 
PSO will be given an opportunity to take the appropriate action to 
correct the deficiency, and avoid revocation and delisting. However, we 
can anticipate situations in which a PSO's conduct is so egregious that 
the Secretary's acceptance of the PSO's certification should be revoked 
without the opportunity to cure because there is no meaningful cure. An 
example would be where a PSO has a policy and practice of knowingly and 
inappropriately selling patient safety work product or where the PSO is 
repeatedly deficient and this conduct continues despite previous 
opportunities to cure. We are considering adding a provision whereby an 
opportunity to ``cure'' would not be available in this type of 
situation. Providing the PSO with an opportunity for correction, as 
provided in the Patient Safety Act, would entail providing an 
opportunity to correct the preliminary factual findings of the 
Department. Thus, the PSO would have the chance to demonstrate that we 
have the facts wrong or there are relevant facts we are overlooking. We 
invite comments regarding this approach and how best to characterize 
the situations in which the opportunity to ``cure'' (e.g., to change 
policies, practices or procedures, sanction employees, send out 
correction notices) would not be sufficient, meaningful, or 
appropriate.
(3) Proposed Sec.  3.108(a)(3)--Determination of Correction of a 
Deficiency
    Proposed section Sec.  3.108(a)(3) addresses the determination of 
whether a deficiency has been corrected, including the time frame for 
submission of the required documentation that the deficiency has been 
corrected, and the actions the Secretary may take after review of the 
documentation and any site visit(s) the Secretary deems necessary or 
appropriate (see sections 924(c) and (e) of the Public Health Service 
Act, 42 U.S.C. 299b-24(c) and (e)).
    Under the proposal, during the period of correction, we would 
encourage the PSO to keep the Department apprised in writing of its 
progress, especially with respect to any challenges it faces in 
implementing the required corrective actions. Such communications would 
become part of the administrative record. Until there is additional 
experience with the operational challenges that PSOs face in 
implementing specific types of corrective actions, such information, if 
submitted, would be especially helpful for ensuring that the time 
frames and the corrective actions specified by the Secretary are 
reasonable and appropriate. As noted below, such information would be 
considered by the Secretary in making a determination regarding a PSO's 
compliance with the correction of a deficiency. Unless the Secretary 
specifies a different submission date, or approves such a request from 
the PSO, we propose that documentation submitted by the PSO to 
demonstrate correction of the deficiency must be received by the 
Secretary no later than 5 calendar days after the final day of the 
correction period.
    Under the proposed rule, in making a determination, the Secretary 
would consider the documentation and other information submitted by the 
PSO, the findings of any site visit that might have been conducted, 
recommendations of program staff, and any other information available 
regarding the PSO that the Secretary deems appropriate. After 
completing his review, the Secretary may make one of the following 
determinations: (1) The action(s) taken by the PSO have corrected any 
deficiency, in which case the Secretary will withdraw the notice of 
deficiency and so notify the PSO; (2) the PSO has acted in good faith 
to correct the deficiency but an additional period of time is necessary 
to achieve full compliance and/or the required corrective action 
specified in the notice of a preliminary finding of deficiency needs to 
be modified in light of the actions undertaken by the PSO so far, in 
which case the Secretary will extend the period for correction and/or 
modify the specific corrective action required; or (3) the PSO has not 
completed the corrective action because it has not acted with 
reasonable diligence or timeliness to ensure that the corrective action 
was completed within the allotted time, in which case the Secretary 
will issue to the PSO a notice of proposed revocation and delisting.
    When the Secretary issues a notice of proposed revocation and 
delisting, this notice would include those deficiencies that have not 
been timely corrected. The notice would be accompanied by information 
concerning the manner in which the PSO may exercise its opportunity to 
be heard in writing to respond to the deficiency findings described in 
the notice.
(4) Proposed Sec.  3.108(a)(4)--Opportunity to be Heard in Writing 
Following a Notice of Proposed Revocation and Delisting
    Proposed Sec.  3.108(a)(4) sets forth our approach to meeting the 
statutory requirement established in section 924(e) of the Public 
Health Service Act, 42 U.S.C. 299b-24(e), for a PSO to have an 
opportunity to dispute the findings of deficiency in a notice of 
proposed revocation and delisting.
    Absent other evidence of actual receipt, we would assume that the 
notice of proposed revocation and delisting has been received by a PSO 
five calendar days after it was sent. Under the proposed rule, unless a 
PSO chooses to waive its right to contest a notice of proposed 
revocation and delisting and so notifies the Secretary, a PSO would not 
need to request an opportunity to appeal a notice of proposed 
revocation and delisting. A PSO would automatically have 30 calendar 
days, beginning the day the notice is deemed to be received, to 
exercise its opportunity to be heard in writing. The Secretary would 
consider, and include in the administrative record, any written 
information submitted by the PSO within this 30-day period that 
responds to the deficiency findings in the notice of proposed 
revocation and delisting. If a PSO does not take advantage of the 
opportunity to submit a substantive response in writing within 30 
calendar days of receipt of the notice of proposed revocation and 
delisting, the notice would become final as a matter of law at midnight 
of the date specified by the Secretary in the notice. The Secretary

[[Page 8137]]

would provide the PSO with policies and rules of procedures that govern 
the form or transmission of the written response to the notice of 
proposed revocation and delisting.
    We are considering incorporating in the final rule an exception to 
our proposed policy of automatically providing a PSO with a 30-day 
period in which to submit a written response to a notice of proposed 
revocation and delisting. The one exception we are considering relates 
to failure to meet the requirement for a minimum of two contracts. The 
statutory requirement is unambiguous that this requirement must be met 
within every 24-month period after the initial date of listing of the 
PSO. We propose elsewhere that a PSO submit its notification 45 
calendar days early so that a period for correction can be established 
that concludes at midnight of the last day of the applicable 24-month 
period established by the statute for compliance. The Secretary would 
then need to receive notification from a PSO that this requirement has 
been met no later than midnight of that last day (see proposed Sec.  
3.102(d)(1) and proposed Sec.  3.104(b)). Other than verifying that the 
PSO has not entered into and reported the required two bona fide 
contracts by midnight on the last day of the applicable 24-month 
period, we see no basis for a written rebuttal of such a deficiency 
determination. The language we are considering, therefore, would 
authorize the Secretary, when the basis for a notice of proposed 
revocation and delisting is the failure of a PSO to meet this very 
specific requirement, to proceed to revocation and delisting five 
calendar days after the notice of proposed revocation and delisting 
would be deemed to have been received.
(5) Proposed Sec.  3.108(a)(5)--The Secretary's Decision Regarding 
Revocation
    If a written response to the deficiency findings of a notice of 
proposed revocation and delisting is submitted by a PSO, proposed Sec.  
3.108(a)(5) provides that the Secretary will review the entire 
administrative record pertaining to the notice of proposed revocation 
and delisting and any written materials submitted by the PSO under 
proposed Sec.  3.108(a)(4). The Secretary may affirm, reverse, or 
modify the notice of proposed revocation and delisting. The Secretary 
will notify the PSO in writing of his decision with respect to any 
revocation of the acceptance of its certification and its continued 
listing as a PSO. (See section 924(e) of the Public Health Service Act, 
42 U.S.C. 299b-24(e).)
(B) Proposed Sec.  3.108(b)--Revocation of the Secretary's Acceptance 
of a PSO's Certification
    When the Secretary makes a determination to remove the listing of a 
PSO for cause pursuant to proposed Sec.  3.108(a), proposed Sec.  
3.108(b) specifies the actions that the Secretary and the entity must 
take, and implements the protections that the statute affords to data 
submitted to such an entity.
(1) Proposed Sec.  3.108(b)(1)--Establishing Revocation for Cause
    Under our proposal, after following the requirements of proposed 
Sec.  3.108(a), if the Secretary determines pursuant to paragraph 
(a)(5) of this section that revocation of the acceptance of a PSO's 
certification is warranted for failure to comply with the requirements 
of the Patient Safety Act, or the regulations implementing the Patient 
Safety Act, the Secretary would establish, and notify the PSO of, the 
date and time at which the Secretary will revoke the acceptance of its 
certification and remove the entity from the list of PSOs. The 
Secretary may include information in the notice on the statutory 
requirements, incorporated in proposed Sec.  3.108(b)(2) and Sec.  
3.108 (b)(4) and discussed below, that apply to the entity following 
the Secretary's actions, and the Secretary would provide public notice 
as required by proposed Sec.  3.108(d).
(2) Proposed Sec.  3.108(b)(2)--Required Notification of Providers and 
Status of Data
    Proposed Sec.  3.108(b)(2) incorporates in the proposed rule the 
statutory requirements that are intended to ensure that providers 
receive a reasonable amount of notice that the PSO with which they are 
working is being removed from the list of PSOs (section 924(e)(2) of 
the Public Health Service Act, 42 U.S.C. 299b-24(e)(2)) and to clarify 
the status of data submitted by providers to a PSO whose listing has 
been revoked (section 924(f) of the Public Health Service Act, 42 
U.S.C. 299b-24(f)).
    As required by the statute, within 15 calendar days of the date 
established in the Secretary's notification of action under paragraph 
(b)(1) of this section, the entity subject to proposed Sec.  
3.108(b)(1) shall confirm to the Secretary that it has taken all 
reasonable actions to notify each provider whose patient safety work 
product has been collected or analyzed by the PSO that the entity has 
been removed from the list of PSOs. We would recommend, but do not 
propose to require, that PSOs make a priority of notifying providers 
who report most frequently to the PSO, especially providers with 
contracts with the PSO. These providers would need to close out any 
current contract they have with the PSO, determine if they wish to 
enter a contract with another PSO, and if so, they would need time to 
identify another PSO and then negotiate another contract.
    We also recognize that, even when this statutory notification 
requirement is met, the notification period is short. While we do not 
have the authority to require a PSO to undertake notification of 
providers more quickly than the statute specifies, we invite comment on 
whether there are any other steps the Secretary should take to ensure 
that affected providers receive timely notice. We are considering 
requiring notice by electronic or priority mail if no notice has been 
given at the end of seven days.
    Confidentiality and privilege protections that applied to patient 
safety work product while the former PSO was listed continue to apply 
after the entity is removed from listing. Furthermore, section 
924(f)(1) of the Public Health Service Act, 42 U.S.C. 299b-24(f)(1) 
provides that data submitted to an entity within 30 calendar days of 
the date on which acceptance of its certification is revoked and it is 
removed from the list of PSOs, shall have the same status as data 
submitted while the entity was still listed. Thus, data that would 
otherwise be patient safety work product had it been submitted while 
the PSO was listed, will be protected as patient safety work product if 
submitted during this 30-day period after delisting.
    We stress that the statutory language in section 924(f)(1) of the 
Public Health Service Act, 42 U.S.C. 299b-24(f)(1), pertains only to 
data submitted to such an entity within 30 calendar days after such 
revocation and removal. This provision does not enable an entity that 
has been removed from listing to generate patient safety work product 
on its own pursuant to section 921(7)(A)(i)(II) of the Public Health 
Service Act, 42 U.S.C. 299b-21(7)(A)(i)(II); the entity loses that 
authority on the effective date and time of the Secretary's action to 
remove it from listing.
(3) Proposed Sec.  3.108(b)(3)--Disposition of Patient Safety Work 
Product and Data
    Proposed Sec.  3.108(e) incorporates in the proposed rule statutory 
requirements regarding the disposition of patient safety work product 
or data following revocation and delisting of a PSO (section 924(g) of 
the Public Health Service Act, 42 U.S.C. 299b-24(g)). This proposed 
subsection would require that the former PSO provide for the

[[Page 8138]]

disposition of patient safety work product or data in its possession in 
accordance with one or more of three alternatives described in section 
924(g) of the Public Health Service Act, 42 U.S.C. 299b-24(g). The 
three alternatives include: transfer of the patient safety work product 
with the approval of the source from which it was received to a PSO 
which has agreed to accept it; return of the patient safety work 
product or data to the source from which it was received; or, if return 
is not practicable, destroy such work product or data.
    The text of the proposed rule refers to the ``source'' of the 
patient safety work product or data that is held by the former PSO, 
which is a broader formulation than the statutory phrase ``received 
from another entity.'' While the statutory requirement encompasses PSOs 
as well as institutional providers, we tentatively conclude that the 
underlying intent of this statutory provision is to require the 
appropriate disposition of patient safety work product from all 
sources, not merely institutional sources. We note that the statute, 
and therefore the proposed rule, permits individual providers to report 
data to PSOs and individual providers are able to enter the same type 
of ongoing arrangements, or contractual arrangements, as institutional 
providers. Moreover, proposed Sec.  3.108(b)(2) would require PSOs to 
notify all providers (individual as well as institutional providers) 
from whom they receive data about the Secretary's revocation and 
delisting decision. We preliminarily conclude, therefore, that it is 
consistent with the statute that a former PSO consult with all sources 
(individuals as well as entities) regarding the appropriate disposition 
of the patient safety work product or data that they supplied. 
Moreover, it is a good business practice. If workforce members of a 
former PSO retain possession of any patient safety work product, they 
would incur obligations and potential liability if it is impermissibly 
disclosed. We welcome comments on our interpretation.
    The statutory provision indicates that these requirements apply to 
both patient safety work product or 'data' described in 924(f)(1) of 
the Public Health Service Act, 42 U.S.C. 299b-24(f)(1). Subsection 
(f)(1), entitled 'new data' and incorporated in proposed Sec.  
3.108(b)(2), describes data submitted to an entity within 30 calendar 
days after the entity is removed from listing as a PSO and provides 
that this data ``shall have the same status as data submitted while the 
entity was still listed.'' The proposed regulation mirrors this 
formulation.
    While the statute and this proposed rule would permit destruction 
of patient safety work product, we would encourage entities that have 
their listing as a PSO revoked to work with providers to ensure that 
patient safety work product remains available for aggregation and 
further analysis whenever possible, either by returning it to the 
provider or, with concurrence of the provider, transferring it to a PSO 
willing to accept it.
    The statute does not establish a time frame for a PSO subject to 
revocation and delisting to complete the disposition of the patient 
safety work product or data in its possession. We invite comment on 
whether we should include a date by which this requirement must be 
completed (for example, a specific number of months after the date of 
revocation and delisting).
(C) Proposed Sec.  3.108(c)--Voluntary Relinquishment
    The statute recognizes the right of an entity to relinquish 
voluntarily its status as a PSO, in which case the Secretary will 
remove the entity from the list of PSOs. See section 924(d) of the 
Public Health Service Act, 42 U.S.C. 299b-24(d).
    We stress that, if the Secretary determines that an entity has 
relinquished voluntarily its status as a PSO and removes the entity 
from listing, the confidentiality and privilege protections that 
applied to patient safety work product while the former PSO was listed 
continue to apply after the entity is removed from listing.
(1) Proposed Sec.  3.108(c)(1)--Circumstances Constituting Voluntary 
Relinquishment
    Proposed Sec.  3.108(c)(1) provides that an entity would be 
considered to have relinquished voluntarily its status as a PSO under 
two circumstances: when a PSO advises the Secretary in writing that it 
no longer wishes to be a PSO, and when a PSO permits its three-year 
period of listing to expire without timely submission of the required 
certification to the Secretary for continued listing. To ensure that 
such a lapse is not inadvertent, we provide in proposed Sec.  
3.104(e)(2) that the Secretary would send a notice of imminent 
expiration to any PSO from which the Secretary has not received a 
certification for continued listing by the date that is 45 calendar 
days before the expiration of its current period of listing. This 
notice is intended to ensure that the PSO has sufficient time to submit 
a certification for continued listing if it chooses to do so and that, 
if a lapse occurs, it is not inadvertent.
(2) Proposed Sec.  3.108(c)(2)--Notification of Voluntary 
Relinquishment
    Proposed Sec.  3.108(c)(2) would require an entity that seeks to 
relinquish voluntarily its status as a PSO to include attestations in 
its notice to the Secretary that it has made all reasonable efforts to 
provide for the orderly termination of the PSO. First, the PSO must 
attest that it has made--or will have made within 15 calendar days of 
the date of this notification to the Secretary--all reasonable efforts 
to notify organizations or individuals who have submitted data to the 
PSO of its intent to cease operation and to alert providers that they 
should cease reporting or submitting any further information as quickly 
as possible.
    We preliminarily conclude that, when a PSO voluntarily relinquishes 
its status, data submitted by providers to the entity after the date on 
which the Secretary removes it from listing is not patient safety work 
product. The statutory provision, incorporated in the proposed rule at 
Sec.  3.108(b)(2), that permits providers to submit data to an entity 
for an additional 30 days after the date of its removal from listing 
applies only to PSOs for which the Secretary has revoked acceptance of 
its certification for cause. It does not apply to a PSO that 
voluntarily relinquishes its status. We welcome comment on our 
interpretation.
    Second, the PSO would be required to attest that, in consultation 
with the organizations or individuals who submitted the patient safety 
work product in its possession, it has established--or will have made 
all reasonable efforts within 15 calendar days of the date of this 
notification to establish--a plan for the appropriate disposition of 
such work product, consistent to the extent possible with the statutory 
requirements incorporated in proposed Sec.  3.108(b)(3). Finally, the 
individual submitting the notification of voluntary relinquishment 
would provide appropriate contact information for further 
communications that the Secretary deems necessary.
    We caution any PSO considering voluntary relinquishment that its 
status remains in effect until the Secretary removes the entity from 
listing. The PSO's responsibilities, including those related to the 
confidentiality and security of the patient safety work product or data 
in its possession, are not discharged by the decision of a PSO to cease 
operations. Accordingly, we urge PSOs that are experiencing financial 
distress or other circumstances that may

[[Page 8139]]

lead to voluntary relinquishment, to contact AHRQ program staff as 
early as possible so that the PSO's obligations can be appropriately 
discharged.
(3) Proposed Sec.  3.108(c)(3)--Response to Notification of Voluntary 
Relinquishment
    In response to the submission of a notification of voluntary 
relinquishment, proposed Sec.  3.108(c)(3) provides that the Secretary 
would respond in writing and indicate whether the proposed voluntary 
relinquishment is accepted. We anticipate that the Secretary would 
normally approve such requests but the text provides the Secretary with 
discretion to accept or reject such a request from a PSO that seeks 
voluntary relinquishment during or immediately after revocation 
proceedings. Our proposal is intended to recognize that, in certain 
circumstances, for example, when the deficiencies of the PSO are 
significant or reflect a pattern of non-compliance with the Patient 
Safety Act or the proposed rule, the Secretary may decide that giving 
precedence to the revocation process may be more appropriate.
(4) Proposed Sec.  3.108(c)(4)--Implied Voluntary Relinquishment
    Proposed Sec.  3.108(c)(4) enables the Secretary to determine that 
implied voluntary relinquishment has taken place if a PSO permits its 
period of listing to expire without receipt and acceptance by the 
Secretary of a certification for continued listing. In our view, the 
statute does not permit an entity to function as a PSO beyond its 3-
year period of listing unless it has submitted, and the Secretary has 
accepted, a certification for a 3-year period of continued listing. To 
ensure that such a lapse is not inadvertent, we propose a requirement 
in Sec.  3.104(e)(2) that the Secretary would send a notice of imminent 
expiration to any PSO from which the Secretary has not received the 
required certification for continued listing by the date that is 45 
calendar days prior to the last date of the PSOs current period of 
listing. Accordingly, we propose that the Secretary would determine 
that a PSO under these circumstances has relinquished voluntarily its 
status at midnight on the last day of its current period of listing, 
remove the entity from the list of PSOs at midnight on that day, make 
reasonable efforts to notify the entity in writing of the action taken, 
and promptly provide public notice in accordance with proposed Sec.  
3.108(d).
    Under the proposed rule, the notice of delisting would request that 
the entity make reasonable efforts to comply with the requirements of 
proposed Sec.  3.108(c)(2). Compliance with these requirements in this 
circumstance would mean that the former PSO would be required to notify 
individuals and organizations that routinely reported data to the 
entity during its period of listing that it has voluntarily 
relinquished its status as a PSO and that they should no longer report 
or submit data, and make reasonable efforts to provide for the 
disposition of patient safety work product or data in consultation with 
the sources from which such information was received in compliance with 
the statutory requirements incorporated in proposed Sec.  
3.108(b)(3)(i)-(iii). The former PSO would also be expected to provide 
appropriate contact information for further communications from the 
Secretary.
    We are aware that, if a PSO does not give appropriate notice to 
providers from which it receives data, that it does not intend to seek 
continued listing, this could jeopardize protections for data that 
these providers continue to report. To address this issue, we are 
seeking comment in proposed Sec.  3.104(e) on a proposal that would 
ensure that providers have advance notice that a PSO is approaching the 
end of its period of listing but has not yet sought continued listing.
(5) Proposed Sec.  3.108(c)(5)--Non-Applicability of Certain Procedures 
and Requirements
    Proposed Sec.  3.108(c)(5) provides that neither a decision by a 
PSO to notify the Secretary that it wishes to relinquish voluntarily 
its status as a PSO, nor a situation in which a PSO lets its period of 
listing lapse, constitutes a deficiency as referenced in the discussion 
regarding proposed Sec.  3.108(a). As a result, neither the procedures 
and requirements that apply to the Secretary or a PSO subject to the 
revocation process outlined in that proposed subsection, nor the 
requirements that apply to the Secretary or a PSO following action by 
the Secretary pursuant to proposed Sec.  3.108(b)(1), would apply in 
cases of voluntary relinquishment. Adoption of this proposal would mean 
that a PSO has no basis for appealing decisions of the Secretary in 
response to a request for voluntary relinquishment or challenging its 
removal from listing if its period of listing lapses and the Secretary 
determines that implied voluntary relinquishment has occurred. We 
specifically welcome comment on this proposal.
(D) Proposed Sec.  3.108(d)--Public Notice of Delisting Regarding 
Removal From Listing
    Proposed Sec.  3.108(d) incorporates in the proposed rule the 
statutory requirement that the Secretary must publish a notice in the 
Federal Register regarding the revocation of acceptance of 
certification of a PSO and its removal from listing pursuant to 
proposed Sec.  3.108(b)(1) (see section 924(e)(3) of the Public Health 
Service Act, 42 U.S.C. 299b-24(e)(3)). This proposal also would require 
the Secretary to publish such a notice if delisting results from a 
determination of voluntary relinquishment pursuant to proposed Sec.  
3.108(c)(3) or (c)(4). The Secretary would specify the effective date 
and time of the actions in these notices.
5. Proposed Sec.  3.110--Assessment of PSO Compliance
    Proposed Sec.  3.110 provides that the Secretary may request 
information or conduct spot-checks (reviews or site visits to PSOs that 
may be unannounced) to assess or verify PSO compliance with the 
requirements of the statute and this proposed subpart. We anticipate 
that such spot checks will involve no more than 5-10% of PSOs in any 
year. The legislative history of patient safety legislation in the 
108th and 109th Congress suggests that the Senate Health, Education, 
Labor and Pensions (HELP) Committee assumed that the Secretary had the 
inherent authority to undertake inspections as necessary to ensure that 
PSOs were meeting their obligations under the statute. In fact, in 
reporting legislation in 2004, the Senate HELP Committee justified its 
proposal for an expedited process for listing PSOs--that is 
substantially the same as the one incorporated in the Patient Safety 
Act that was enacted in 2005 and is incorporated in this proposed 
rule--on the basis that the Secretary could and would be able to 
conduct such inspections.
    The ability of the Secretary to ``examine any organization at any 
time to see whether it in fact is performing those required 
activities'' the Senate HELP Committee wrote, enables the Committee to 
``strike the right balance'' in adopting an expedited process for the 
listing of PSOs by the Secretary (Senate Report 108-196). Accordingly, 
we tentatively conclude that this proposed authority for undertaking 
inspections on a spot-check basis is consistent with Congressional 
intent and the overall approach of the proposed rule of using 
regulatory authority sparingly.

[[Page 8140]]

    While patient safety work product would not be a focus of 
inspections conducted under this proposed authority, we recognize that 
it may not be possible to assess a PSO's compliance with required 
patient safety activities without access to all of a PSO's records, 
including some patient safety work product. This proposed section 
references the broader authority of the Department to access patient 
safety work product as part of its proposed implementation and 
enforcement of the Patient Safety Act.
    We also note that the inspection authority of this proposed subpart 
is limited to PSOs and does not extend to providers.
6. Proposed Sec.  3.112--Submissions and Forms
    Paragraphs (a) and (b) of proposed Sec.  3.112 explain how to 
obtain forms and how to submit applications and other information under 
the proposed regulations. Also, to help ensure the timely resolution of 
incomplete submissions, proposed paragraph (c) of this section would 
provide for requests for additional information if a submission is 
incomplete or additional information is needed to enable the Secretary 
to make a determination on the submission.

C. Subpart C--Confidentiality and Privilege Protections of Patient 
Safety Work Product

    Proposed Subpart C would establish the general confidentiality 
protections for patient safety work product, the permitted disclosures, 
and the conditions under which the specific protections no longer 
apply. The proposed Subpart also establishes the conditions under which 
a provider, PSO, or responsible person must disclose patient safety 
work product to the Secretary in the course of compliance activities, 
and what the Secretary may do with such information. Finally, proposed 
Subpart C establishes the standards for nonidentifiable patient safety 
work product.
    The privilege and confidentiality protections set forth in this 
proposed Subpart apply to the PSO framework established by the Patient 
Safety Act and this proposed Part, which will involve providers, PSOs, 
and responsible persons who possess patient safety work product. The 
Patient Safety Act and this proposed Subpart seek to balance key 
objectives. First, it seeks to address provider concerns about the 
potential for damage from unauthorized release of such information, 
including the potential for the information to serve as a roadmap for 
provider liability from negative patient outcomes. Second, it seeks to 
promote the sharing of information about adverse patient safety events 
among providers and PSOs for the purpose of learning from those events 
to improve patient safety and creating a culture of safety. To address 
these objectives, the Patient Safety Act established that patient 
safety work product would be confidential and privileged, with certain 
exceptions. Thus, the Patient Safety Act allows sharing of patient 
safety work product for certain purposes, including for patient safety 
activities, but simultaneously attaches strict confidentiality and 
privilege protections for that patient safety work product. To further 
strengthen the confidentiality protections, the Patient Safety Act 
imposes significant monetary penalties for violation of the 
confidentiality provisions, as set forth in proposed Subpart D.
    Moreover, patient safety work product that is disclosed generally 
continues to be privileged and confidential, that is, it may only be 
permissibly disclosed by the receiving entity or person for a purpose 
permitted by the Patient Safety Act and this proposed Subpart. The only 
way that patient safety work product is no longer confidential is if 
the patient safety work product disclosed is nonidentifiable or when an 
exception to continued confidentiality exists. See section 922(d)(2)(B) 
of the Public Health Service Act, 42 U.S.C. 299b-22(d)(2)(B). A person 
disclosing such work product outside of these statutory permissions in 
violation of the Patient Safety Act and this proposed Subpart may be 
subject to civil money penalties.
    Proposed Sec.  3.204, among other provisions, provides that patient 
safety work product is privileged and generally shall not be admitted 
as evidence in Federal, State, local, or Tribal civil, criminal or 
administrative proceedings and shall not be subject to a subpoena or 
order, unless an exception to the privilege applies; the exceptions are 
discussed in proposed Sec.  3.204(b). Proposed Sec.  3.206 provides 
that patient safety work product is confidential and shall not be 
disclosed except as permitted in accordance with the disclosures 
described in proposed Sec. Sec.  3.206(b)-(e), 3.208 and 3.210. Under 
proposed Sec.  3.208, patient safety work product continues to be 
privileged and confidential after disclosure with certain exceptions. 
Under proposed Sec.  3.210, providers, PSOs, and responsible persons 
must disclose to the Secretary such patient safety work product as 
required by the Secretary for the purposes of investigating or 
determining compliance with this proposed Part, enforcing the 
confidentiality provisions, or making determinations on certifying and 
listing PSOs. Proposed Sec.  3.210 also provides for disclosure to the 
Secretary. Proposed Sec.  3.212 describes the standard for determining 
that patient safety work product is nonidentifiable.
    Throughout the proposed rule, the term patient safety work product 
means both identifiable patient safety work product and nonidentifiable 
patient safety work product, unless otherwise specified. In addition, 
if a disclosure is made by or to a workforce member of an entity, it 
will be considered a disclosure by or to the entity itself.
    Finally, throughout our discussion we note the relationship between 
the Patient Safety Act and the HIPAA Privacy Rule. Several provisions 
of the Patient Safety Act recognize that the patient safety regulatory 
scheme will exist alongside other requirements for the use and 
disclosure of protected health information under the HIPAA Privacy 
Rule. For example, the Patient Safety Act establishes that PSOs will be 
business associates of providers, incorporates individually 
identifiable health information under the HIPAA Privacy Rule as an 
element of identifiable patient safety work product, and adopts a rule 
of construction that states the intention not to alter or affect any 
HIPAA Privacy Rule implementation provision (see section 922(g)(3) of 
the Public Health Service Act, 42 U.S.C. 299b-22(g)(3)). We anticipate 
that most providers reporting to PSOs will be HIPAA covered entities 
under the HIPAA Privacy Rule, and as such, will be required to 
recognize when requirements of the HIPAA Privacy Rule apply. Because 
this proposed rule focuses on disclosures of identifiable patient 
safety work product which may include protected health information, we 
discuss where appropriate the overlaps between the proposed Patient 
Safety Act permitted disclosures and the existing HIPAA Privacy Rule 
use and disclosure permissions.
1. Proposed Sec.  3.204--Privilege of Patient Safety Work Product
    Proposed Sec.  3.204 describes the privilege protections of patient 
safety work product and when the privilege protections do not apply. 
The Patient Safety Act does not give authority to the Secretary to 
enforce breaches of privilege protections. Rather, we anticipate that 
the tribunals, agencies or professional disciplinary bodies before whom 
these proceedings take place will

[[Page 8141]]

adjudicate the application of privilege as set forth in section 
922(a)(1)-(5) of the Public Health Service Act, 42 U.S.C. 299b-
22(a)(1)-(5). Even though the privilege protections will be enforced 
through the court systems, and not by the Secretary, we repeat the 
statutory privilege provisions and exceptions for convenience. We note, 
however, that the same exceptions are repeated in the confidentiality 
context, which the Secretary does enforce; so these are repeated at 
proposed Sec.  3.206 and such impermissible disclosure may be penalized 
under proposed Subpart D.
    To determine the permissible scope of disclosures under the Patient 
Safety Act, it is important to understand the application of the 
privilege protection and its exceptions described in conjunction with 
the related proposed confidentiality disclosures. The admission of 
patient safety work product as evidence in a proceeding or through a 
subpoena, court order or any other exception to privilege, whether 
permissibly or not, amounts to a disclosure of that patient safety work 
product to all parties receiving or with access to the patient safety 
work product admitted. Thus, we use the term disclosure to describe the 
transfer of patient safety work product pursuant to an exception to 
privilege, as well as to an exception to confidentiality. In addition, 
although the Secretary does not have authority to impose civil money 
penalties for violations of the privilege protection, a violation of 
privilege may also be a violation of the confidentiality provisions. 
For these reasons, we include the privilege language in the proposed 
implementing regulations.
    Finally, as discussed in proposed Sec.  3.204(c), we include a 
regulatory exception to privilege for disclosures to the Secretary for 
the purpose of enforcing the confidentiality provisions and for making 
or supporting PSO certification or listing decisions.
(A) Proposed Sec.  3.204(a)--Privilege
    Proposed Sec.  3.204(a) would repeat the statutory language at 
section 922(a) of the Public Health Service Act, 42 U.S.C. 299b-22(a), 
establishing the general principle that patient safety work product is 
privileged and is not subject to Federal, State or local civil, 
criminal or administrative proceedings or orders; is not subject to 
disclosure under the Freedom of Information Act or similar Federal, 
State or local laws; and may not be admitted into evidence in any 
Federal, State or local civil, criminal or administrative proceeding or 
the proceedings of a disciplinary body established or specifically 
authorized under State law. In addition, we have clarified that patient 
safety work product shall be privileged and not subject to use in 
Tribal courts or administrative proceedings. Because the Patient Safety 
Act is a statute of general applicability, it applies to Indian Tribes. 
In addition, the application of the Federal privilege to Tribal 
proceedings implements the strong privilege protections intended under 
section 922 of the Public Health Service Act, 42 U.S.C. 299b-22. (See 
section 922(g)(1)-(2) of the Public Health Service Act, 42 U.S.C. 299b-
22(g)(1)-(2), preserving more stringent Federal, State, and local 
confidentiality laws).
(B) Proposed Sec.  3.204(b)--Exceptions to Privilege
    Proposed Sec.  3.204(b) describes the exceptions to the privilege 
protection at proposed Sec.  3.204(a) that are established in section 
922(c) of the Public Health Service Act, 42 U.S.C. 299b-22(c), as added 
by the Patient Safety Act. When the conditions set forth in proposed 
Sec.  3.204(b) are met, then privilege does not apply and would not 
prevent the patient safety work product from, for example, being 
entered into evidence in a proceeding or subject to discovery. In all 
cases, the exceptions from privilege are also exceptions from 
confidentiality. For proposed Sec.  3.204(b)(1)-(4) and Sec.  3.204(c), 
we discuss the scope of the applicable confidentiality protection in 
proposed Sec.  3.206(b) and Sec.  3.206(d).
(1) Proposed Sec.  3.204(b)(1)--Criminal Proceedings
    Proposed Sec.  3.204(b)(1) would permit disclosure of identifiable 
patient safety work product for use in a criminal proceeding, as 
provided in section 922(c)(1)(A) of the Public Health Service Act, 42 
U.S.C. 299b-22(c)(1)(A). Such patient safety work product is not 
subject to the privilege prohibitions described in proposed Sec.  
3.204(a) or the confidentiality protection described in proposed Sec.  
3.206(a). See proposed Sec.  3.206(b)(1). Prior to a court determining 
that an exception to privilege applies pursuant to this provision, a 
court must make an in camera determination that the identifiable 
patient safety work product sought for disclosure contains evidence of 
a criminal act, is material to the proceeding, and is not reasonably 
available from other sources. See section 922(c)(1)(A) of the Public 
Health Service Act, 42 U.S.C. 299b-22(c)(1)(A). We discuss in full the 
requirements of this disclosure under the confidentiality disclosure 
discussion below.
(2) Proposed Sec.  3.204(b)(2)--Equitable Relief for Reporters
    Proposed Sec.  3.204(b)(2) permits the disclosure of identifiable 
patient safety work product to the extent required to carry out the 
securing and provision of specified equitable relief as provided for 
under section 922(f)(4)(A) of the Public Health Service Act, 42 U.S.C. 
299b-22(f)(4)(A). This exception is based on section 922(c)(1)(B) of 
the Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(B). The Patient 
Safety Act permits this disclosure as an exception to privilege and 
confidentiality to effectuate the provision that authorizes equitable 
relief for an employee who has been subjected to an adverse employment 
action for good faith reporting of information to a PSO directly or to 
a provider for the intended report to a PSO. We discuss in full the 
requirements of this disclosure under the confidentiality disclosure 
discussion below.
(3) Proposed Sec.  3.204(b)(3)--Authorized by Identified Providers
    Proposed Sec.  3.204(b)(3) describes when identifiable patient 
safety work product may be excepted from privilege when each of the 
providers identified in the patient safety work product authorizes the 
disclosure. This provision is based on section 922(c)(1)(C) of the 
Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(C). Such patient 
safety work product is also not subject to the confidentiality 
protections described in proposed Sec.  3.206(a). We discuss in full 
the requirements of this disclosure under the confidentiality 
disclosure discussion below.
(4) Proposed Sec.  3.2049(b)(4)--Nonidentifiable Patient Safety Work 
Product
    Proposed Sec.  3.204(b)(4) permits patient safety work product to 
be excepted from privilege when disclosed in nonidentifiable form. This 
provision is based on section 922(c)(3) of the Public Health Service 
Act, 42 U.S.C. 299b-22(c)(3). As with other privilege protections, we 
expect the tribunals for which the information is sought to adjudicate 
the application of this exception. We discuss in full the requirements 
of this disclosure in the confidentiality disclosure discussion below.
(C) Proposed Sec.  3.204(c)--Implementation and Enforcement of the 
Patient Safety Act
    Proposed Sec.  3.204(c) excepts from privilege disclosures of 
relevant patient safety work product to or by the Secretary as needed 
for investigation or determining compliance with this Part

[[Page 8142]]

or for enforcement of the confidentiality provisions, or for making or 
supporting PSO certification or listing decisions, under the Patient 
Safety Act. We propose that the Secretary may use and disclose patient 
safety work product when pursuing civil money penalties for 
impermissible disclosures. This is a privilege exception in the same 
manner as exceptions listed in proposed Sec.  3.204(b), but we state it 
separately to provide specific emphasis for the inclusion of this 
exception to privilege by the Secretary for enforcement activities. 
This information is also a permissible disclosure under proposed Sec.  
3.206(d), discussed below.
    The Patient Safety Act provides for broad privilege and 
confidentiality protections, as well as the authority for the Secretary 
to impose civil money penalties on persons who knowingly or recklessly 
disclose identifiable patient safety work product in violation of those 
protections. However, in order to perform investigations and compliance 
reviews to determine whether a violation has occurred, the Secretary 
may need to have access to privileged and confidential patient safety 
work product.
    We believe that Congress could not have intended that the privilege 
and confidentiality protections afforded to patient safety work product 
operate to frustrate the sole enforcement mechanism Congress provided 
for the punishment of impermissible disclosures and to preclude the 
imposition of civil money penalties. As a matter of public policy, the 
creation of a confidentiality protection is meaningless without the 
capacity to enforce a breach of those protections. For these reasons, 
we propose a privilege exception narrowly drawn to permit the Secretary 
to perform the enforcement and operational duties required by the 
Patient Safety Act, which include the submission of patient safety work 
product to administrative law judges (ALJs), the Departmental Appeals 
Board (Board), and the courts.
    This proposed provision would permit the disclosure of patient 
safety work product to the Secretary or disclosure by the Secretary so 
long as such disclosure is for the purpose of implementation and 
enforcement of these proposed regulations. Such disclosure would 
include the introduction of patient safety work product into 
proceedings before ALJs or the Board under proposed Subpart D by the 
Secretary, as well as the disclosure during investigations by OCR or 
activities in reviewing PSO certifications by AHRQ. Moreover, 
disclosures of patient safety work product made to the Board or other 
parts of the Department that are received by workforce members, such as 
contractors operating electronic web portals or mail sorting and paper 
scanning services, would be permitted as a disclosure to the Secretary 
under this proposed provision. This provision would also permit the 
Board to disclose any patient safety work product in order to properly 
review determinations or to provide records for court review.
    Patient safety work product disclosed under this exception remains 
protected by both privilege and confidentiality protections as proposed 
in Sec.  3.208. This exception does not limit the ability of the 
Secretary to disclose patient safety work product in accordance with 
the exceptions under proposed Sec.  3.206(b) or this Part. Rather, this 
proposed section provides a specific permission by which patient safety 
work product may be disclosed to the Secretary and the Secretary may 
further disclose such patient safety work product for compliance and 
enforcement purposes.
    We believe strongly in the protection of patient safety work 
product as provided in the Patient Safety Act and the proposed 
regulation, and seek to minimize the risk of improper disclosure of 
patient safety work product by using and disclosing patient safety work 
product only in limited and necessary circumstances. We intend that any 
disclosure made pursuant to this proposed provision be limited in the 
amount of patient safety work product disclosed to accomplish the 
purpose of implementation, compliance, and enforcement. Proposed Sec.  
3.312 discusses the limitations on what the Secretary may do with any 
patient safety work product obtained pursuant to an investigation or 
compliance review under proposed Subpart D. As discussed in the 
preamble to proposed Sec.  3.312, section 922(g)(3) of the Public 
Health Service Act, 42 U.S.C. 299b-22(g)(3), provides that the Patient 
Safety Act does not affect the implementation of the HIPAA 
confidentiality regulations. Accordingly, the privilege provisions in 
the Patient Safety Act would not bar the Secretary from introducing 
patient safety work product in a HIPAA enforcement proceeding.
2. Proposed Sec.  3.206--Confidentiality of Patient Safety Work Product
    Proposed Sec.  3.206 describes the confidentiality protection of 
patient safety work product as well as exceptions from confidentiality 
protection. The following discussion generally refers to an act that 
falls within an exception from confidentiality as a permissible 
disclosure.
(A) Proposed Sec.  3.206(a)--Confidentiality
    Proposed Sec.  3.206(a) would establish the overarching general 
principle that patient safety work product is confidential and shall 
not be disclosed. The principle applies to patient safety work product 
held by anyone. This provision is based on section 922(b) of the Public 
Health Service Act, 42 U.S.C. 299b-22(b).
(B) Proposed Sec.  3.206(b)--Exceptions to Confidentiality
    Proposed Sec.  3.206(b) describes the exceptions to 
confidentiality, or the permitted disclosures. Certain overarching 
principles apply to the proposed confidentiality standards. First, we 
consider these exceptions to be ``permissions'' to disclose patient 
safety work product and the holder of the patient safety work product 
retains full discretion whether or not to disclose. Thus, similar to 
the disclosures permitted under the HIPAA Privacy Rule, we are defining 
a uniform federal baseline of protection that is enforceable by 
federally imposed civil money penalties. We are not encouraging or 
requiring disclosures, except to the Secretary as provided in this 
proposed rule. Therefore, a provider, PSO, or responsible person, may 
create confidentiality policies and procedures with respect to patient 
safety work product that are more stringent than these proposed rules 
and are free to otherwise condition the release of patient safety work 
product that comes within these exceptions by contract, employment 
relationship, or other means. See, for example, section 922(g)(4) of 
the Public Health Service Act, 42 U.S.C. 299b-22(g)(4). However, the 
Secretary will not enforce such policies or private agreements.
    Second, when exercising the discretion to disclose patient safety 
work product, we encourage providers, PSOs, and responsible persons to 
consider the purposes for which the disclosures are made. Disclosures 
should be narrow and consistent with the overarching goals of the 
privilege and confidentiality protections, even though these 
protections generally continue to apply to patient safety work product 
after disclosure. We encourage any entity or person making a disclosure 
to consider both the amount of patient safety work product that is 
being disclosed, as well as the amount of identifiable information 
disclosed. Even though not required, entities or persons should attempt 
to disclose the amount of information commensurate with the

[[Page 8143]]

purposes for which a disclosure is made. We encourage the disclosure of 
the least amount of identifiable patient safety work product that is 
appropriate for the purpose of the disclosure, which might mean the 
disclosure of less information than all of the information that would 
be permitted to be disclosed under the confidentiality provisions. We 
also encourage the removal of identifiable information when feasible 
regardless of whether protection under this rule continues. While a 
provider, PSO, or responsible person need not designate a workforce 
member to determine when a disclosure of patient safety work product is 
permitted, such a designation may be a best practice to ensure that a 
disclosure complies with the confidentiality provisions, and contains 
the least amount of patient safety work product necessary.
    Third, we have addressed the scope of redisclosure by persons 
receiving patient safety work product. Persons receiving patient safety 
work product would only be allowed to redisclose that information to 
the extent permitted by the proposed regulation. For example, we 
propose that accrediting bodies receiving patient safety work product 
pursuant to the accrediting body disclosure at proposed Sec.  
3.206(b)(8) may not further disclose that patient safety work product. 
We seek public comment on the subject of whether there are any negative 
implications associated with limiting redisclosures in this way.
    Additionally, agencies subject to both the Patient Safety Act and 
the Privacy Act, 5 U.S.C. 552a, must comply with both statutes when 
disclosing patient safety work product. Under the Patient Safety Act, 
see section 922(b) of the Public Health Service Act, 42 U.S.C. 299b-
22(b), if another law, such as the Privacy Act, permits or requires the 
disclosure of patient safety work product, disclosure of this 
information would be in violation of the Patient Safety Act unless the 
Patient Safety Act also permits this disclosure. However, if the 
Privacy Act prohibits the disclosure of information that is patient 
safety work product, the permissible disclosure of this information 
under the Patient Safety Act would be in violation of the Privacy Act. 
Therefore, for agencies subject to both statutes, patient safety work 
product must be disclosed in a manner that is permissible under both 
statutes. The Privacy Act does permit agencies to make disclosures 
pursuant to established routine uses. See 5 U.S.C. 552a(a)(7); 
552a(b)(3); and 552a(e)(4)(D). We recommend that Federal agencies that 
maintain a Privacy Act system of records containing information that is 
patient safety work product include routine uses that will permit 
disclosures allowed by the Patient Safety Act.
    Finally, for HIPAA covered entities, when individually identifiable 
health information is encompassed within the patient safety work 
product, the disclosure must also comply with the HIPAA Privacy Rule. 
Thus, for patient safety work product disclosures that contain 
individually identifiable health information, as defined in 45 CFR 
160.103, we note some of the comparable HIPAA Privacy Rule permissions 
for consideration.
(1) Proposed Sec.  3.206(b)(1)--Criminal Proceeding
    Proposed Sec.  3.206(b)(1) would establish the permitted criminal 
proceeding disclosure which parallels the privilege exception 
disclosure for use in a criminal proceeding, proposed Sec.  
3.204(b)(1). Proposed Sec.  3.206(b)(1) would permit disclosure of 
identifiable patient safety work product for use in a criminal 
proceeding. Prior to a court determining that an exception to privilege 
applies pursuant to this provision, a court must make an in camera 
determination that the identifiable patient safety work product sought 
for disclosure contains evidence of a criminal act, is material to the 
proceeding, and is not reasonably available from other sources. See 
section 922(c)(1)(A) of the Public Health Service Act, 42 U.S.C. 299b-
22(c)(1)(A).
    After such determinations by a court, the patient safety work 
product may be permissibly disclosed within the criminal proceeding. 
This provision and these limitations are based on section 922(c)(1)(A) 
of the Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(A). When 
considering claims that confidentiality protection has been breached, 
we intend to defer to, and not review, the court's in camera 
determinations made in context of determining the privilege exception. 
The Secretary has not been authorized to enforce the underlying 
privilege protection or make determinations regarding its 
applicability. The Secretary's authority is limited to investigating 
and enforcing violations of the confidentiality protections parallel to 
this privilege exception at proposed Sec.  3.206(b)(1).
    The Patient Safety Act establishes that patient safety work 
product, once disclosed, will generally continue to be privileged and 
confidential as discussed in proposed Sec.  3.208. See section 
922(d)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(1). 
However, the Patient Safety Act limits the continued protection of the 
specific patient safety work product disclosed for use in a criminal 
proceeding. Patient safety work product disclosed for use in a criminal 
proceeding continues to be privileged and cannot be reused as evidence 
or in any context prohibited by the privilege protection, but is no 
longer confidential. See section 922(d)(2)(A) of the Public Health 
Service Act, 42 U.S.C. 299b-22(d)(2)(A). For example, law enforcement 
personnel who obtain patient safety work product used in a criminal 
proceeding may further disclose that patient safety work product 
because the confidentiality protection does not apply. However, if law 
enforcement sought to enter the information into another criminal 
proceeding, it would need a new in camera determination for the new 
criminal proceeding. For a further discussion of continued 
confidentiality, see discussion of proposed Sec.  3.208 below.
    For entities that are subject to the HIPAA Privacy Rule and this 
Part, disclosures must conform to 45 CFR 164.512(e) of the HIPAA 
Privacy Rule. We expect that court rulings following an in camera 
determination would be issued as a court order, which would satisfy the 
requirements of 45 CFR 164.512(e). So long as such legal process is in 
compliance with 45 CFR 164.512(e), the disclosure would be permissible 
under the HIPAA Privacy Rule.
(2) Proposed Sec.  3.206(b)(2)--Equitable Relief for Reporters
    Proposed Sec.  3.206(b)(2) would permit the disclosure of 
identifiable patient safety work product to the extent required to 
carry out equitable relief as provided for under section 922(f)(4)(A) 
of the Public Health Service Act, 42 U.S.C. 299b-22(f)(4)(A). See 
section 922(c)(1)(B) of the Public Health Service Act, 42 U.S.C. 299b-
22(c)(1)(B). This proposed provision parallels the privilege exception 
to carry out equitable relief at proposed Sec.  3.204(b)(2). The 
Patient Safety Act permits this disclosure to effectuate the provision 
that authorizes an employee to seek redress for adverse employment 
actions for good faith reporting of information to a PSO directly or to 
a provider with the intended disclosure to a PSO.
    The Patient Safety Act prohibits a provider from taking an adverse 
employment action against an individual who, in good faith, reports 
information to the provider for subsequent reporting to a PSO, or to a 
PSO directly. See section 922(e)(1) of the Public Health Service Act, 
42 U.S.C. 299b-22(e)(1). Adverse employment actions are described at 
section 922(e)(2)

[[Page 8144]]

of the Public Health Service Act, 42 U.S.C. 299b-22(e)(2), and include 
loss of employment, failure to promote, or adverse evaluations or 
decisions regarding credentialing or licensing. The Patient Safety Act 
provides adversely affected reporters a civil right of action to enjoin 
such adverse employment actions and obtain other equitable relief, 
including back pay or reinstatement, to redress the prohibited actions. 
As part of that right to seek equitable relief, the Patient Safety Act 
provides that patient safety work product is not subject to the 
privilege protections described in section 922(a) of the Public Health 
Service Act, 42 U.S.C. 299b-22(a), and as similarly described in 
proposed Sec.  3.204(a), or to the confidentiality protection in 
section 922(b) of the Public Health Service Act, 42 U.S.C. 299b-22(b), 
and as similarly described in proposed Sec.  3.206(a), to the extent 
such patient safety work product is necessary to carry out the 
equitable relief.
    Although such disclosure is excepted from both confidentiality and 
privilege as to efforts to seek equitable relief, the identifiable 
patient safety work product remains subject to confidentiality and 
privilege protection in the hands of all subsequent holders and the 
protections apply to all subsequent potential disclosures. See section 
922(d)(1) of the Public Health Service Act, 42 U.S.C. 299b-22(d)(1). 
Thus, even though the reporter is afforded discretion to disclose the 
relevant patient safety work product to seek and obtain equitable 
relief, all subsequent holders receiving the patient safety work 
product from the reporter are bound by the continued privilege and 
confidentiality protections.
    Thus, this provision would allow the reporter seeking equitable 
relief from an adverse employment action to include patient safety work 
product in briefs and in open court. To protect the patient safety work 
product as much as possible in these circumstances, we could condition 
the disclosure of identifiable patient safety work product in these 
circumstances on a party's, most likely the reporter's, obtaining of a 
protective order in these types of proceedings. Such a protective order 
could take many forms that preserve the confidentiality of patient 
safety work product. For example, it could limit the use of the 
information to case preparation, but not make it evidentiary. Such an 
order might prohibit the disclosure of the patient safety work product 
in publicly accessible proceedings and in court records to prevent 
liability from moving to a myriad of unsuspecting parties (for example, 
parties in a courtroom may not know that they may be liable for civil 
money penalties if they share the patient safety work product they 
hear). We solicit comments on whether a protective order should be a 
condition for this disclosure, imposed by regulation, or whether 
instead we should require a good faith effort to obtain a protective 
order as a condition for this disclosure and use our enforcement 
discretion to consider whether to assess a penalty for anyone who 
cannot obtain such an order and thus breaches the statutory continued 
confidentiality protection of this information. See discussion below at 
proposed Sec.  3.402(a).
    We also address the intersection of the HIPAA Privacy Rule herein 
because identifiable patient safety work product may contain 
individually identifiable health information and be sought for 
disclosure under this exception from a HIPAA covered entity or that 
HIPAA covered entity's business associate. Under the HIPAA Privacy Rule 
at 45 CFR 164.512(e), when protected health information is sought to be 
disclosed in a judicial proceeding via subpoenas and discovery requests 
without a court order, the disclosing HIPAA covered entity must seek 
satisfactory assurances that the party requesting the information has 
made reasonable efforts to provide written notice to the individual who 
is the subject of the protected health information or to secure a 
qualified protective order. A protective order that meets the qualified 
protective order under 45 CFR 164.512(e) would be permissible under the 
HIPAA Privacy Rule and render a disclosure under this exception in 
compliance with the HIPAA Privacy Rule.
(3) Proposed Sec.  3.206(b)(3)--Authorized by Identified Providers
    Proposed Sec.  3.206(b)(3) would establish a permitted disclosure 
parallel to the privilege exception at proposed Sec.  3.204(b)(3), when 
each of the providers identified in the patient safety work product 
authorizes the disclosure in question. This provision is based on 
section 922(c)(1)(C) of the Public Health Service Act, 42 U.S.C. 299b-
22(c)(1)(C). In these circumstances, patient safety work product may be 
disclosed, not withstanding the privilege protections described in 
proposed Sec.  3.204(a) or the confidentiality protections described in 
proposed Sec.  3.206(a). However, patient safety work product disclosed 
under this exception continues to be confidential pursuant to the 
continued confidentiality provisions at section 922(d)(1) of the Public 
Health Service Act, 42 U.S.C. 299b-22(d)(1), and persons are subject to 
liability for further disclosures in violation of that confidentiality.
    This exception applies to patient safety work product that contains 
identifiable provider information. Under the proposed language, each 
provider identified in the patient safety work product sought to be 
disclosed must separately authorize the disclosure. For example, if 
patient safety work product sought to be disclosed by an entity or 
person pursuant to this exception describes an incident involving three 
physicians, each physician would need to authorize disclosure of the 
patient safety work product, in order for the entity or person to 
disclose it. Making information regarding one provider nonidentifiable 
in lieu of obtaining an authorization is not sufficient.
    We considered whether the rule should allow a provider to 
nonidentify the patient safety work product with respect to a 
nonauthorizing provider and disclose the patient safety work product 
with respect to the remaining authorizing providers. However, we 
rejected that approach as being impracticable. In light of the 
contextual nonidentification standard proposed in Sec.  3.212, it would 
seem that there would be very few, if any, situations in which a 
nonauthorizing provider could be nonidentified without also needing to 
nonidentify, or nearly so, an authorizing provider in the same patient 
safety work product. Unless we adopt a less stringent nonidentification 
standard, disclosing persons can either totally nonidentify patient 
safety work product and disclose under proposed Sec.  3.206(b)(5), or 
disclose the patient safety work product only if all identified 
providers in patient safety work product authorize its disclosure.
    When all identified providers authorize the disclosure of patient 
safety work product, the Patient Safety Act permits such disclosure, 
but remains silent about the identification of patients or reporters in 
such patient safety work product. As to other persons that make patient 
safety work product identifiable, i.e., patients and reporters, the 
Patient Safety Act does not provide a separate right of authorization. 
However, as one of the core principles underlying the Patient Safety 
Act is the protection of the privacy and confidentiality concerns of 
certain persons in connection with specific patient safety work product 
(i.e., providers, patients and reporters), we encourage persons 
disclosing patient safety work product to exercise discretion in the 
scope of patient safety work product disclosed, even though neither 
patient nor reporter authorization is required. Disclosers are

[[Page 8145]]

encouraged to consider whether the disclosure of identifying 
information regarding patients and reporters is necessary to accomplish 
the particular purpose of the disclosure. As discussed below, if the 
disclosing entity is a HIPAA covered entity, the HIPAA Privacy Rule, 
including the minimum necessary standard when applicable, would apply 
to the disclosure of protected health information contained within the 
patient safety work product. We seek public comment as to whether the 
proposed approach is sufficient to protect the interests of reporters 
and patients identified in the patient safety work product permitted to 
be disclosed pursuant to identifiable provider authorizations. Does 
this approach sufficiently balance the interests of the patients and 
reporters and their confidentiality versus the purposes for which the 
providers are authorizing the disclosures?
    The Patient Safety Act does not specify the form of the 
authorization by a provider to come within this disclosure exception or 
a timeframe for recordkeeping. We propose that an authorization be in 
writing, be signed by the authorizing provider, and give adequate 
notice to the provider of the nature and scope of the disclosures 
authorized. The content of the authorization should fairly inform the 
provider as to the nature and scope of the identifiable patient safety 
work product to be disclosed to ensure the provider is making a knowing 
authorization. We do not intend that each authorization identify the 
specific patient safety work product to be disclosed. Such a 
requirement would be unworkable in complex health care arrangements 
existing today. Rather, an authorization can be general, (e.g., 
referring to categories of patient safety work product) and even to 
patient safety work product to be created in the future, so long as the 
authorization can be determined to have reasonably informed the 
authorizing provider of the scope of the authorized disclosure. The 
authorization requirement also enables providers to place limits on 
disclosures made pursuant to this proposed exception regarding patient 
safety work product identifying the provider. Any disclosure must be 
made in accordance with the terms of the signed authorization, but we 
do not require that any specific terms be included, only that such 
terms regarding the scope of the authorized disclosure of patient 
safety work product be adhered to. We seek public comment on whether a 
more stringent standard would be prudent and workable, such as an 
authorization process that is disclosure specific (i.e., no future 
application or a one time disclosure only authorization).
    We also propose that any authorization be maintained by the 
disclosing entity or person for a period of six years from the date of 
the last disclosure made in reliance on the authorization, the limit of 
time within which the Secretary must initiate an enforcement action. 
While we recognize that a prudent person disclosing patient safety work 
product under this disclosure will likely maintain records in order to 
support a claim that such disclosure was permissible, nonetheless we 
require a six year retention of authorizations so that, if challenged, 
the Secretary may examine authorizations to determine whether a 
disclosure was valid pursuant to this disclosure provision. While we 
would not be monitoring or penalizing a person for lack of maintenance 
of an authorization, the failure to present a valid authorization will 
raise significant concerns regarding the permissibility of a disclosure 
pursuant to this permission.
    With respect to compliance with the HIPAA Privacy Rule for patient 
safety work product that contains individually identifiable health 
information, authorization by a provider pursuant to this permitted 
disclosure does not permit a HIPAA covered entity or such a HIPAA 
covered entity's business associate to release such protected health 
information contained in the patient safety work product under the 
HIPAA Privacy Rule. Therefore, either the individually identifiable 
health information must be de-identified or the release of the 
individually identifiable health information must otherwise be 
permitted under the HIPAA Privacy Rule. Because this disclosure does 
not limit the purposes for which identifiable patient safety work 
product may be released with the provider's authorization, a HIPAA 
covered entity would need to review releases on a case-by-case basis to 
determine if there is an applicable provision in the HIPAA Privacy Rule 
that would otherwise permit such disclosure.
(4) Proposed Sec.  3.206(b)(4)--Patient Safety Activities
    Section 922(c)(2)(A) of the Public Health Service Act, 42 U.S.C. 
299b-22(c)(2)(A), permits the disclosure of identifiable patient safety 
work product for patient safety activities. Proposed Sec.  3.206(b)(4) 
permits the disclosure of identifiable patient safety work product for 
patient safety activities (i) by a provider to a PSO or by a PSO to 
that disclosing provider; or (ii) by a provider or a PSO to a 
contractor of the provider or PSO; or (iii) by a PSO to another PSO or 
to another provider that has reported to the PSO, or by a provider to 
another provider, provided, in both cases, certain direct identifiers 
are removed. Patient safety activities are the core mechanism by which 
providers may disclose patient safety work product to obtain external 
expertise from PSOs. PSOs may aggregate information from multiple 
providers, and communicate feedback and analyses to providers. 
Ultimately, it is through such communications that much of the 
improvement in patient safety may occur. Thus, the rule needs to 
facilitate the communication between a provider and one or more PSOs.
    To further this essential statutory purpose, we propose to allow 
providers to disclose identifiable patient safety work product to PSOs; 
one of the ways that information can become patient safety work product 
is through reporting of it to a PSO. We also propose to allow PSOs to 
reciprocally disclose patient safety work product back to such 
providers for patient safety activities. This free flow of information 
will ensure that the statute's goals of collecting, aggregating, and 
analyzing patient safety event information as well as disseminating 
recommendations for safety and quality improvements are achieved. Such 
a dialogue will allow both providers and PSOs to take a shared role in 
the advancement of patient safety improvements.
    In addition, we recognize that there may be situations where 
providers and PSOs want to engage contractors who are not agents to 
carry out patient safety activities. Thus, the proposal would allow 
disclosures by providers to their contractors who are not workforce 
members and by PSOs to their contractors who are not workforce members. 
Contractors may not further disclose patient safety work product, 
except to the entity from which they first received the information. We 
note that this limitation does not preclude a provider or PSO from 
exercising its authority under section 922(g)(4) of the Public Health 
Service Act, 42 U.S.C. 299b-22(g)(4), to separately delegate its power 
to the contractor to make other disclosures. Although we do not require 
a contract between a provider or PSO and its contractor, we expect that 
most providers and PSOs will engage in prudent practices when 
disclosing confidential patient safety work product for patient safety 
activities, (i.e., ensuring such information is narrowly used by the 
contractor solely for the purpose for which disclosed and

[[Page 8146]]

adequately protected from wrongful disclosure).
    While the permission allows the necessary communication as between 
a single provider and its PSO, such exchanges may not be sufficient. It 
is possible to conceive of meaningful patient safety activities 
occurring between two PSOs or between a PSO and a provider that is 
different than the original reporting provider, or between two 
providers. For example, PSOs may be able to more effectively aggregate 
patient safety work product if such expanded sharing of information is 
permitted. Aggregation may help PSOs pool sufficient information to 
achieve contextual nonidentification, in accordance with Sec.  
3.212(a)(ii), but keep meaningful data in the information when 
disclosing to the network of patient safety databases contemplated in 
section 923 of the Public Health Service Act, 42 U.S.C. 299b-23. 
Providers may be able to collaborate and learn more efficiently about 
patient safety solutions if such sharing is permitted. At the same 
time, we are concerned that, without any limitation on such sharing, 
providers may be not only reluctant to disclose patient safety work 
product, but also potentially reticent to participate at all in patient 
safety activities, given the sensitive nature of the information, and 
the potential lack of certainty with respect to where the information 
might ultimately be disclosed.
    Balancing these concerns, we are proposing that other than the 
reporting relationship between a provider and a PSO, PSOs be permitted 
to disclose patient safety work product to other PSOs or to other 
providers that have reported to the PSO, and providers be permitted to 
make disclosures to other providers, for patient safety activities, 
with provider and reporter identifiers in an anonymized (i.e., with 
certain direct identifiers removed, but not nonidentifiable under the 
proposed rule) or encrypted but not fully nonidentified form. For 
patient identifiers, the HIPAA Privacy Rule limited data set standard 
would apply. See 45 CFR 164.514(e). To anonymize the provider or 
reporter identifiers in the patient safety work product, the disclosing 
entity must remove the following direct identifiers of any providers 
and of affiliated organizations, corporate parents, subsidiaries, 
practice partners, employers, members of the workforce, or household 
members of such providers: (1) Names; (2) Postal address information, 
other than town or city, State and zip code; (3) Telephone numbers; (4) 
Fax numbers; (5) Electronic mail addresses; (6) Social security numbers 
or taxpayer identification numbers; (7) Provider or practitioner 
credentialing or DEA numbers; (8) National provider identification 
number; (9) Certificate/license numbers; (10) Web Universal Resource 
Locators (URLs); (11) Internet Protocol (IP) address numbers; (12) 
Biometric identifiers, including finger and voice prints; and (13) Full 
face photographic images and any comparable images. Removal of such 
identifiers may be absolute or may be done through encryption, provided 
that the disclosing entity does not disclose the key to the encryption 
or the mechanism for re-identification.
    We have not proposed an unrestricted disclosure of identifiable 
patient safety work product to any person for patient safety 
activities. It is our understanding that disclosures to persons other 
than those proposed above do not need identifiable patient safety work 
product and that sufficient information may be communicated with 
nonidentifiable patient safety work product; we seek comment on this 
issue. Similarly, we recognize that nonidentifiable patient safety work 
product may have more limited usefulness due to the removal of key 
elements of identification; however, we have no basis for opening the 
patient safety activity disclosure permission further without specific 
examples of beneficial disclosures prohibited by our proposal.
    The exchange of patient safety work product for patient safety 
activities permits extensive sharing among both providers and PSOs 
interested in improving patient safety. As patient safety work product 
is disclosed, however, it continues to be protected by the 
confidentiality provisions. The permission allows continual exchange of 
information without breach of confidentiality. At any time and as 
needed, information may be nonidentified, and the patient safety 
activities disclosure may be employed for this purpose.
    Moreover, providers and PSOs are capable of imposing greater 
confidentiality requirements for the future use and disclosure of the 
patient safety work product through private agreements (see section 
922(g)(4) of the Public Heath Service Act, 42 U.S.C. 299b-22(g)(4)). 
However, we note that the government would not be permitted to apply 
civil money penalties under this Part based on a violation of a private 
agreement that was not a violation of the confidentiality provisions.

Compliance With the HIPAA Privacy Rule

    With respect to compliance with the HIPAA Privacy Rule, the Patient 
Safety Act establishes that PSOs shall be treated as business 
associates; and patient safety activities performed by, or on behalf 
of, a covered provider by a PSO are deemed health care operations as 
defined by the HIPAA Privacy Rule. A HIPAA covered entity is permitted 
to use or disclose protected health information as defined at 45 CFR 
160.103 without an individual's authorization for its own health care 
operations and, in certain circumstances (which would include patient 
safety activities), for the health care operations of another HIPAA 
covered entity (e.g., HIPAA covered provider) under 45 CFR 164.506. To 
share protected health information with another HIPAA covered entity 
for that entity's health care operations, both HIPAA covered entities 
must share a patient relationship with the individual who is the 
subject of the protected health information and the protected health 
information that is shared must pertain to that relationship.
    In addition, in cases where providers and PSOs share anonymized 
patient safety work product, providers may disclose a limited data set 
of patient information. Under 45 CFR 164.514(e)(3), a HIPAA covered 
entity may use or disclose a limited data set for the purpose of health 
care operations, including patient safety activities. Such disclosures, 
however, must be accompanied by a data use agreement, ensuring that the 
limited data set recipient will only use or disclose the protected 
health information for limited purposes. See 45 CFR 164.514(e)(4).
    We seek comment regarding whether the HIPAA Privacy Rule definition 
for health care operations should contain a specific reference to 
patient safety activities conducted pursuant to this regulatory scheme. 
A health care provider that is a HIPAA covered entity may not disclose 
identifiable patient safety work product that is protected health 
information to a PSO unless that PSO is performing patient safety 
activities (as a health care operation) for that provider. Under this 
exception for patient safety activities, a health care provider that is 
a HIPAA covered entity may disclose identifiable patient safety work 
product that is protected health information to another provider (1) 
for the sending provider's patient safety activities; (2) for the 
patient safety activities of an organized health care arrangement 
(OHCA) (as defined at 45

[[Page 8147]]

CFR 160.103) if both the sending and receiving provider participate in 
the OHCA; or (3) to another provider for the receiving provider's 
patient safety activities if the protected health information relates 
to a common patient (including to determine that there is a common 
patient). We further seek comment regarding whether the provision 
permitting the disclosure of protected health information for health 
care operations at 45 CFR 164.506 should be modified to conform to the 
patient safety work product disclosures for patient safety activities 
set forth herein.
(5) Proposed Sec.  3.206(b)(5)--Disclosure of Nonidentifiable Patient 
Safety Work Product
    Proposed Sec.  3.206(b)(5) permits the disclosure of 
nonidentifiable patient safety work product when the patient safety 
work product meets the standard for nonidentification in proposed Sec.  
3.212. This implements section 922(c)(2)(B) of the Public Health 
Service Act, 42 U.S.C. 299b-22(c)(2)(B). Under proposed Sec.  
3.206(b)(5), nonidentifiable patient safety work product may be 
disclosed by any entity or person that holds the nonidentifiable 
patient safety work product without violating the confidentiality 
provisions. Moreover, any provider, PSO or responsible person may 
nonidentify patient safety work product. As described in proposed Sec.  
3.208(b)(ii), nonidentifiable patient safety work product, once 
disclosed, loses its privilege and confidentiality protection. Thus, it 
may be redisclosed by its recipient without any Patient Safety Act 
limitations.

Nonidentification Standard

    The nonidentification standard is proposed at Sec.  3.212. However, 
we will discuss that standard at this point in the preamble due to its 
connection with the disclosure permission for nonidentifiable patient 
safety work product at proposed Sec.  3.206(b)(5). Proposed Sec.  3.212 
would establish the standard by which patient safety work product will 
be determined nonidentifiable. The determination of what constitutes 
nonidentifiable patient safety work product is important because the 
standard for nonidentification effectively creates the boundary between 
protected and unprotected patient safety work product.
    Under the Patient Safety Act and this Part, identifiable patient 
safety work product includes information that identifies any provider 
or reporter or contains individually identifiable health information 
under the HIPAA Privacy Rule (see 45 CFR 160.103). See section 921(2) 
of the Public Health Service Act, 42 U.S.C. 299b-21(2). By contrast, 
nonidentifiable patient safety work product does not include 
information that permits identification of any provider, reporter or 
subject of individually identifiable health information. See section 
921(3) of the Public Health Service Act, 42 U.S.C. 299b-21(3).
    Because individually identifiable health information as defined in 
the HIPAA Privacy Rule is one element of identifiable patient safety 
work product, the de-identification standard provided in the HIPAA 
Privacy Rule applies with respect to the patient-identifiable 
information in the patient safety work product. Therefore, where 
patient safety work product contains individually identifiable health 
information, that information must be de-identified in accordance with 
45 CFR 164.514(a)-(c) to qualify as nonidentifiable patient safety work 
product with respect to individually identifiable health information 
under the Patient Safety Act.
    We propose that patient safety work product be contextually 
nonidentifiable in order to be considered nonidentifiable for the 
purposes of this rule. Contextual nonidentification of both providers 
and reporters would match the standard of de-identification in the 
HIPAA Privacy Rule. We are proposing two methods by which 
nonidentification can be accomplished which are similar to the 
standards for de-identification under the HIPAA Privacy Rule: (1) A 
statistical method of nonidentification and (2) the removal of 15 
specified categories of direct identifiers of providers or reporters 
and of parties related to the providers and reporters, including 
corporate parents, subsidiaries, practice partners, employers, 
workforce members, or household members, and that the discloser have no 
actual knowledge that the remaining information, alone or in 
combination with other information reasonably available to the intended 
recipient, could be used to identify any provider or reporter (i.e., a 
contextual nonidentification standard).
    In proposed Sec.  3.212(a)(1), the first method for rendering 
patient safety work product nonidentifiable with respect to a provider 
or reporter, we propose that patient safety work product can be 
nonidentified if a person with appropriate knowledge of and experience 
with generally accepted statistical and scientific principles and 
methods for rendering information not individually identifiable 
applying such principles and methods, determines that the risk is very 
small that the information could be used, alone or in combination with 
other reasonably available information, by an anticipated recipient to 
identify an identified provider or reporter.
    We believe that this method of nonidentification may sometimes be 
preferable to the safeharbor method proposed in Sec.  3.212(a)(2) 
discussed below and may be especially useful when aggregating data for 
populating the network of patient safety databases referenced in 
section 923 of the Public Health Service Act, 42 U.S.C. 299b-23. Under 
this proposal, if a statistician makes a determination as described 
above and documents the analysis, patient safety work product could be 
labeled as nonidentifiable even though it contains detailed clinical 
information and some potentially identifiable information such as zip 
codes.
    In proposed Sec.  3.212(a)(2), the second method for rendering 
patient safety work product nonidentifiable with respect to a provider 
or reporter, we outline a process as a safeharbor requiring that the 
disclosing entity remove a list of specific typical identifiers and 
have no actual knowledge that the information to be disclosed could be 
used, alone or in combination with other information that is reasonably 
available to the intended recipient, to identify the particular 
provider or reporter. We have limited the knowledge component to that 
which is known to be reasonably available to the intended recipient in 
order to provide data custodians with a workable knowledge standard. 
With the contextual nonidentification standard in place, providers will 
have the most confidence that their identities will not be derived from 
nonidentifiable information and will be more likely to participate in 
the program. Moreover, requiring that patient safety work product be 
contextually nonidentifiable is consistent with the de-identification 
standard for patient identities, as described above.
    We recognize that the more stringent the nonidentifiable patient 
safety work product standard is, the more cost, burden, and risk of 
error in nonidentification there will be to the disclosing entity. We 
also acknowledge that our proposal introduces uncertainty and 
subjectivity into the standard, making it a harder standard to enforce. 
The proposed standard may require the removal of more clinical and 
demographic information than would be removed in the absence of the 
contextual nonidentification requirement, and the resulting information 
would likely be less useful

[[Page 8148]]

to a recipient. This outcome would particularly impact the network of 
patient safety databases of nonidentifiable patient safety work product 
to be established under section 923 of the Public Health Service Act, 
42 U.S.C. 299b-23. In particular, the information that ultimately 
resides in the network may have reduced utility and a reduced capacity 
to contribute to the evaluation of patient safety issues.
    To mitigate these concerns, this standard would work in conjunction 
with a separate permission for sharing identifiable patient safety work 
product through the patient safety activities disclosure. Disclosures 
as patient safety activities should enable the aggregation of 
sufficient patient safety work product to allow contextual 
nonidentification without the removal of all important specific 
clinical and demographic details. We invite comment on the proposed 
standards and approaches. For example, we are interested in knowing 
whether, under a contextual nonidentification standard, it is possible 
to have any geographical identifiers; and if so, at what level of 
detail (state, county, zip code). We are also interested in public 
comments regarding whether there are alternative approaches to 
standards for entities determining when health information can 
reasonably be considered nonidentifiable.
Re-identification
    We permit a provider, PSO, or other disclosing entity or person to 
assign a code or other means of record identification to allow 
information made nonidentifiable to be re-identified by the disclosing 
person, provided certain conditions that further the goal of 
confidentiality are met regarding such code or other means of record 
identification. Further, a discloser may not release any key or other 
information that would enable a recipient to re-identify any provider 
or reporter or subject of individual identifiable health information. 
We propose to permit a re-identification mechanism to facilitate 
follow-up inquiries regarding, and analysis of, nonidentified patient 
safety work product that has been disclosed, such as from users of the 
network of patient safety databases when analyzing national and 
regional statistics. Such keys would not be for the purpose of 
permitting re-identification of patient safety work product obtained 
through the network of databases. Rather, such keys would facilitate 
the investigation of data anomalies reported to the network, correction 
of nonidentifiable records, and the potential to avoid duplicate 
records when richer information may be made available due to 
aggregation. Finally, with respect to HIPAA compliance, we note that, 
because nonidentified patient safety work product will, by definition, 
be de-identified information under the HIPAA Privacy Rule, a disclosure 
under Sec.  3.206(b)(5) will not violate the HIPAA Privacy Rule.
(6) Proposed Sec.  3.206(b)(6)--For Research
    Proposed Sec.  3.206(b)(6) describes the disclosure of identifiable 
patient safety work product to entities carrying out research, 
evaluations, or demonstration projects that are funded, certified, or 
otherwise sanctioned by rule or other means by the Secretary. This 
disclosure is not for general research. Any research for which patient 
safety work product is disclosed under this exception must be 
sanctioned by the Secretary. See section 922(c)(2)(C) of the Public 
Health Service Act, 42 U.S.C. 299b-22(c)(2)(C). Research that is not 
sanctioned by the Secretary is insufficient to be a basis for the 
disclosure of patient safety work product under this exception. 
Further, although disclosure can be made for any research, evaluation, 
or demonstration project sanctioned by the Secretary, we expect that 
most research that may be subject to this disclosure permission will be 
related to the methodologies, analytic processes, and interpretation, 
feedback and quality improvement results from PSOs, rather than general 
medical, or even health services, research. Patient safety work product 
disclosed for research under this provision continues to be 
confidential and privileged.
    Section 922(c)(2)(C) of the Public Health Service Act, 42 U.S.C. 
299b-22(c)(2)(C), requires that patient safety work product which 
identifies patients may only be released to the extent that protected 
health information would be disclosable for research purposes under the 
HIPAA Privacy Rule. Under 45 CFR 164.512(i), a HIPAA covered entity may 
use or disclose protected health information for research, without the 
individual's authorization, provided that there is a waiver (or 
alteration of waiver) of authorization by either an Institutional 
Review Board (IRB) or a Privacy Board. The IRB/Privacy Board evaluates 
the request against various criteria that measure the privacy risk to 
the individuals who are the subjects of the protected health 
information.\17\ The HIPAA Privacy Rule only operates with respect to 
the identifiable health information of patients when held by a HIPAA 
covered entity or its business associate, and does not address the 
rights of individuals who may otherwise be the subject of the research.
---------------------------------------------------------------------------

    \17\ The following are the waiver criteria at 45 CFR 
164.512(i)(2)(ii):
    (A) The use or disclosure of protected health information 
involves no more than a minimal risk to the privacy of individuals, 
based on, at least, the presence of the following elements:
    a. An adequate plan to protect the identifiers from improper use 
and disclosure;
    b. An adequate plan to destroy the identifiers at the earliest 
opportunity consistent with conduct of the research, unless there is 
a health or research justification for retaining the identifiers or 
such retention is otherwise required by law; and
    c. Adequate written assurances that the protected health 
information will not be reused or disclosed to any other person or 
entity, except as required by law, for authorized oversight of the 
research study, or for other research for which the use or 
disclosure of protected health information would be permitted by 
this subpart;
    (B) The research could not practicably be conducted without the 
waiver or alteration; and
    (C) The research could not practicably be conducted without 
access to and use of the protected health information.
---------------------------------------------------------------------------

    We tentatively conclude that the language in the Patient Safety Act 
that applies the exception ``to the extent that disclosure of protected 
health information would be allowed for research purposes under the 
HIPAA [Privacy Rule]'' is intended to apply the HIPAA Privacy Rule 
research provisions at 45 CFR 164.512(i) only to HIPAA covered entities 
when they release identifiable patient safety work product containing 
protected health information for research. This interpretation would 
result in the HIPAA Privacy Rule research standards being preserved in 
their application to HIPAA covered entities without burdening non-
covered entities with HIPAA compliance.
    We note that our interpretation of section 922(c)(2)(C) of the 
Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(C), is not a bar to 
the disclosure of identifiable patient safety work product by entities 
or persons that are not HIPAA covered entities. We further note that 
for providers, reporters and other persons identified in patient safety 
work product disclosed for research purposes, the Common Rule, which is 
applicable to research conducted or supported by the Secretary, and the 
FDA human subjects protection regulations will provide appropriate 
protections to any natural persons who would be deemed subjects of the 
research.
    With regard to research, the incorporation by reference of the 
HIPAA Privacy Rule should provide for the proper alignment of 
disclosures for research purposes. However, the exception under the 
Patient Safety Act also refers to evaluations and demonstration 
projects. Some of these activities may meet the definition of research 
under the HIPAA Privacy Rule, while other activities may not result in 
generalizable knowledge, but may

[[Page 8149]]

nonetheless meet the definition of health care operations under the 
HIPAA Privacy Rule. Where the disclosure of protected health 
information for evaluations and demonstration projects are permitted as 
health care operations under the HIPAA Privacy Rule, HIPAA covered 
entities disclosing patient safety work product that includes protected 
health information under this exception could do so without violation 
of the HIPAA Privacy Rule.
(7) Proposed Sec.  3.206(b)(7)--To the Food and Drug Administration
    Section 922(c)(2)(D) of the Public Health Service Act, 42 U.S.C. 
299b-22(c)(2)(D) permits the disclosure by a provider to the FDA with 
respect to a product or activity regulated by the FDA. Proposed Sec.  
3.206(b)(7) permits the disclosing by providers of patient safety work 
product concerning products or activities regulated by the Food and 
Drug Administration (FDA) to the FDA or to an entity required to report 
to the FDA concerning the quality, safety, or effectiveness of an FDA-
regulated product or activity. For example, hospitals and health care 
professionals may disclose patient safety work product concerning the 
safety of drugs, medical devices, biological products, and dietary 
supplements, or vaccine and medical device adverse experiences to the 
FDA as part of an FDA monitoring or alert system. The proposed 
provision also permits sharing between the FDA, entities required to 
report to the FDA concerning the quality, safety, or effectiveness of 
an FDA-regulated product or activity, and their contractors for the 
same purposes. Patient safety work product disclosed pursuant to this 
disclosure permission continues to be confidential and privileged.
    The FDA has monitoring and alert systems in place to assure the 
safety of FDA regulated products. These systems rely heavily on 
voluntary reports from providers, such as hospitals and health care 
professionals. Most reports that hospitals and health care 
professionals make directly to the FDA today concerning drugs, medical 
devices, biological products, and dietary supplements are voluntary, 
although health care professionals are required to report to the FDA 
certain vaccine adverse experiences, and user facilities such as 
hospitals must report to FDA some medical device adverse experiences. 
Manufacturers of drugs, devices, and biological products are required 
to report to the FDA concerning adverse experiences, but the 
manufacturers themselves must rely on information provided voluntarily 
by product users, including hospitals and health care professionals. 
There are three provisions of the Patient Safety Act that are 
implicated for reporting to the FDA: (1) The disclosure for reporting 
to the FDA (section 922(c)(2)(D) of the Public Health Service Act, 42 
U.S.C. 299b-22(c)(2)(D)); (2) the clarification as to what is not 
patient safety work product which states that information ``collected, 
maintained, or developed separately, or [that] exists separately, from 
a [patient safety evaluation system]'' is not patient safety work 
product, and which, accordingly, can be reported for public health 
purposes (section 921(7)(B) of the Public Health Service Act, 42 U.S.C. 
299b-21(7)(B)); and (3) the rule of construction which preserves 
required reporting to the FDA (section 922(g)(6) of the Public Health 
Service Act, 42 U.S.C. 299b-22(g)(6)).
    The FDA disclosure provision at proposed Sec.  3.206(b)(7) would be 
applicable when patient safety work product is at issue. For example, 
the analysis of events by the provider or PSO that constitutes patient 
safety work product may generate information that should be reported to 
the FDA because it relates to the safety or effectiveness of an FDA-
regulated product or activity. The exception would allow this patient 
safety work product to be disclosed to the FDA. Privilege and 
confidentiality protections would attach to the patient safety work 
product disclosed when received by FDA and continue to apply to any 
future disclosures by the FDA.
    We tentatively conclude that the statutory language concerning 
reporting ``to the FDA'' includes reporting by the provider to the 
persons or entities regulated by the FDA and that are required to 
report to the FDA concerning the quality, safety, or effectiveness of 
an FDA-regulated product or activity. We propose this interpretation to 
allow providers to report to manufacturers who are required to report 
to the FDA, such as drug manufacturers, without violating this rule. 
This interpretation reflects both the rule of construction which 
preserves required reporting to the FDA and the goals of this statute 
which are to improve patient safety.
    We further propose at Sec.  3.206(b)(7)(ii) that the FDA and 
entities required to report to the FDA may only further disclose 
patient safety work product for the purpose of evaluating the quality, 
safety, or effectiveness of that product or activity; such further 
disclosures are only permitted between the FDA, entities required to 
report to the FDA, their contractors, and disclosing providers. This 
permission is crucial to the effective operation of the FDA's 
activities and to facilitate the purpose for which the report was made 
initially. Thus, the FDA or a drug manufacturer receiving adverse drug 
event information that is patient safety work product may engage in 
further communications with the disclosing provider(s), for the purpose 
of evaluating the quality, safety, or effectiveness of the particular 
regulated product or activity, or may work with their contractors. 
Moreover, an entity regulated by the FDA may further disclose the 
information to the FDA; without this provision, such reporting would 
not meet the regulatory intent that disclosures be to the FDA and a 
narrow interpretation could impede the FDA's ability to effectuate 
improvements through the use of patient safety work product.
    We recognize that there may be situations where the FDA or entities 
required to report to the FDA want to engage contractors who are not 
agents for the purpose of evaluating the quality, safety, or 
effectiveness of that product or activity. Thus, the proposal would 
allow disclosures to contractors who are not workforce members. 
Contractors may not further disclose patient safety work product, 
except to the entity from which they first received the information.
    Because Congress did not expressly include disclosure to FDA-
regulated entities, we seek public comment on our proposal related to 
this interpretation of section 922(c)(2)(D) of the Public Health 
Service Act, 42 U.S.C. 299b-22(c)(2)(D). In particular, we question 
whether this interpretation will cause any unintended consequences to 
disclosing providers.
    The HIPAA Privacy Rule at 45 CFR 164.512(b) permits HIPAA covered 
entities to disclose protected health information concerning FDA-
regulated activities and products to persons responsible for collection 
of information about the quality, safety, and effectiveness of those 
FDA-regulated activities and products. Therefore, disclosures under 
this exception of patient safety work product containing protected 
health information would be permitted under the HIPAA Privacy Rule.
(8) Proposed Sec.  3.206(b)(8)--Voluntary Disclosure to an Accrediting 
Body
    Proposed Sec.  3.206(b)(8) permits the voluntary disclosure of 
identifiable patient safety work product by a provider to an 
accrediting body that accredits the disclosing provider. Voluntary 
means not compelled, a disclosure that the provider affirmatively chose 
to make. Patient

[[Page 8150]]

safety work product disclosed pursuant to this proposed exception 
continues to be privileged and confidential.
    Under this proposed disclosure, the identifiable patient safety 
work product that would be permitted to be disclosed must identify the 
disclosing provider, given the Patient Safety Act's explicit linkage of 
the disclosing provider to a body that accredits that specific provider 
in this permitted disclosure. We believe that the only information that 
would be relevant to that provider's accreditation would be information 
about the disclosing provider (i.e., actions or inactions of the 
disclosing provider), and not information about the provider's 
colleagues or any other accredited provider. Thus, a provider may not 
use this exception to disclose patient safety work product that is 
unrelated to the actual actions of the disclosing provider, such as 
information about the provider's colleagues or any other accredited 
individual or entity.
    An issue arises concerning the identities of other providers, 
reporters, or patients contained within the disclosed patient safety 
work product. We considered whether to require the patient safety work 
product to be nonidentifiable as to providers other than the disclosing 
provider, since incidental disclosures of patient safety work product 
identifying other providers, especially if they were also accredited by 
the same accrediting institution, would not be a voluntary disclosure 
by those other providers. However, we do not believe that such an 
approach is necessary.
    We understand that most providers that are accredited are large 
institutions, and in general their accreditors seek vast amounts of 
data during the accreditation process, some of which may include 
identifiers of practitioners who work in such institutions. We have 
preliminarily concluded that the disclosure of patient safety work 
product including practitioners in such circumstances will be harmless 
because, in many cases, the providers will not be accredited by the 
institution's accrediting body.
    Even in circumstances where a non-disclosing provider identified by 
a provider voluntarily disclosing to an accrediting body is subject to 
the accrediting body, we believe the accrediting body will not use the 
information. First, we believe it is unlikely that a provider may have 
or seek to disclose patient safety work product containing information 
about the actions or inactions of a provider also accredited by the 
same accrediting body. Second, even if such a disclosure occurs, 
although it may not be voluntary as to the non-disclosing provider, we 
do not believe the accrediting body will use such information to take 
accrediting actions against the non-disclosing provider. We would 
expect that an accrediting body may ignore or give little weight to 
information about providers not disclosing information directly to the 
accrediting body. Such second hand information may be incomplete and 
incorrect. We anticipate that accrediting bodies would seek to obtain 
information about a provider's actions directly from the subject 
provider rather than second hand.
    Furthermore, we propose to limit the accrediting body's permission 
to further redisclose such patient safety work product. To ensure that 
any patient safety work product in the hands of an accrediting body 
that contains provider identifiers of a provider who did not 
voluntarily disclose to such body, Sec.  3.206(b)(7)(i) proposes that 
an accrediting body may not further disclose the patient safety work 
product that was originally voluntarily disclosed. As an alternative to 
this approach, we could, as proposed in the patient safety activities 
disclosure, require that information with respect to non-disclosing 
providers be anonymized. See preamble discussion at proposed Sec.  
3.206(b)(4). We seek comments as to whether the problem of information 
being disclosed non-voluntarily to an accrediting body by non-
disclosing providers requires rendering such information anonymized.
    The accrediting body takes the patient safety work product subject 
to the confidentiality protection, and would therefore be subject to 
civil money penalties for any re-disclosure. The patient safety work 
product disclosed under this permission in the hands of the accrediting 
body remains privileged and confidential, in accordance with the 
continued confidentiality provisions at proposed Sec.  3.208. Thus, it 
is incumbent upon the accrediting body to handle and maintain the 
patient safety work product in a way that preserves its confidential 
status. Such safeguards may include maintaining this information 
separately from other accrediting information in a confidential file, 
if the other information is not similarly held confidential.
    Additionally, the Patient Safety Act includes strong provisions 
limiting the disclosure of patient safety work product to accrediting 
bodies and limiting the actions an accrediting body may take to seek 
patient safety work product. Proposed Sec.  3.206(b)(8)(ii) provides 
that an accrediting body may not take an accreditation action against a 
provider based on that provider's participation, in good faith, in the 
collection, reporting or development of patient safety work product. 
Accrediting bodies are also prohibited from requiring a provider to 
reveal its communications with any PSO, without regard to whether such 
provider actually reports information to a PSO. Thus, a provider may 
disclose patient safety work product to an accrediting body 
voluntarily, but cannot be compelled or required as a condition of 
accreditation to divulge patient safety work product or communications 
with a PSO. This subsection is based on the statutory requirements at 
section 922(d)(4)(B) of the Public Health Service Act, 42 U.S.C. 299b-
22(d)(4)(B).
    Under the HIPAA Privacy Rule, a HIPAA covered entity may disclose 
protected health information to an accrediting body for the HIPAA 
covered entity's own health care operations, provided there is a 
business associate agreement with the accrediting body. Such health 
care operations include the activity of accreditation for the HIPAA 
covered entity as well as the accreditation of workforce members. Thus, 
providers that are HIPAA covered entities or are workforce members of a 
HIPAA covered entity that hold the protected health information may 
voluntarily disclose identifiable patient safety work product 
containing individually identifiable health information to an 
accrediting body that accredits that provider, provided there is a 
business associate agreement between the HIPAA covered entity and the 
accreditation organization.
(9) Proposed Sec.  3.206(b)(9)--Business Operations
    Section 922(c)(2)(F) of the Public Health Service Act, 42 U.S.C. 
299b-22(c)(2)(F), gives the Secretary authority to designate additional 
disclosures as permissible exceptions to the confidentiality protection 
if such disclosures are necessary for business operations and are 
consistent with the goals of the Patient Safety Act. Any patient safety 
work product disclosed pursuant to a business operations exception so 
designated by the Secretary continues to be confidential and 
privileged.
    We propose to allow disclosures of patient safety work product by a 
provider or a PSO to professionals such as attorneys and accountants 
for the business operations purposes of the provider or PSO. A 
disclosure to an attorney may be necessary when a provider is seeking 
outside legal advice in defending against a malpractice claim or other 
litigation, even though the

[[Page 8151]]

information would not be admissible as part of a legal proceeding. A 
provider might also need to disclose patient safety work product to an 
attorney in the case of due diligence related to a merger, sale or 
acquisition. Similarly, a provider may need to disclose patient safety 
work product to an accountant who is auditing the books and records of 
providers and PSOs. In order to ensure that such routine business 
operations are possible, we propose to allow disclosures by providers 
and PSOs for business operations to attorneys, accountants, and other 
professionals. Professionals such as those identified are usually bound 
by professional ethics to maintain the confidences of their clients. 
Such contractors may not further disclose patient safety work product, 
except to the entity from which it received the information. We note 
that this limitation does not preclude a provider or PSO from 
exercising its authority under section 922(g)(4) of the Public Health 
Service Act, 42 U.S.C. 299b-22(g)(4), to separately delegate its power 
to the contractor to make other disclosures.
    We note that if a provider or PSO were to disclose relevant patient 
safety work product to such professionals, we would rely upon the 
professional's legal and ethical constraints not to disclose the 
information for any unauthorized purpose. Our presumption is that 
professionals are generally subject to a set of governing rules. 
Nonetheless, we expect that providers and PSOs who disclose privileged 
and confidential information to attorneys, accountants or other 
ethically bound professionals for business purposes will engage in the 
prudent practice of ensuring such information is narrowly used by the 
contractor solely for the purpose for which it was disclosed and 
adequately protected from wrongful disclosure.
    Because patient safety work product is specialized and highly 
confidential information, we have not conceived of any other third 
parties to whom it would be appropriate to disclose patient safety work 
product as a business operations disclosure. Because we are not 
regulating uses, any business operations need within the entity could 
occur unimpeded. Although we considered whether to adopt an exception 
for activities in the operation of a patient safety evaluation system, 
we believe these activities are within the definition of patient safety 
activities and, thus, within the confidentiality exception proposed at 
Sec.  3.206(b)(4). We seek public comment regarding whether there are 
any other consultants or contractors to whom a business operations 
disclosure should also be permitted, or whether there are any 
additional exceptions for the Secretary's consideration under this 
authority.
    Under the HIPAA Privacy Rule, at 45 CFR 164.506, HIPAA covered 
entities are permitted to disclose protected health information for the 
HIPAA covered entity's own health care operations. ``Health care 
operations'' are certain activities of a HIPAA covered entity that are 
necessary to run its business and to support the core functions of 
treatment and payment, including ``conducting or arranging for medical 
review, legal services, and auditing functions * * *.'' 45 CFR 164.501. 
Thus, a business operation designation by the Secretary that enables a 
HIPAA covered entity to disclose patient safety work product containing 
protected health information to professionals is permissible as health 
care operations disclosures under the HIPAA Privacy Rule. Generally 
such professionals would fall within the definition of business 
associate at 45 CFR 160.103 and would require a business associate 
agreement.
The Secretary's Business Operations Exception Designation Authority
    Section 922(c)(2)(F) of the Public Health Service Act, 42 U.S.C. 
299b-22(c)(2)(F), gives the Secretary broad authority to designate 
additional exceptions that are necessary for business operations and 
are consistent with the goals of the Patient Safety Act. At this point, 
we plan to designate additional exceptions only through regulation. 
Although the Patient Safety Act establishes that other means are 
available for adoption by the Secretary, which we interpret as 
including the publication of letters, notice within the Federal 
Register or publication on the Department Web site, we believe these 
methods may not provide for sufficient opportunity for public comment 
or transparency in the development of other business operations 
exceptions. Moreover, because an impermissible disclosure that violates 
a business operations exception can result in a civil money penalty, we 
believe it is important that any proposed business operations exception 
be implemented in a way that is unquestionably binding on both the 
public and the Department. We invite public comments with respect to 
whether the Secretary should incorporate or preserve other mechanisms 
for the adoption of business operations exceptions, given that we 
cannot anticipate all potential business operations needs at this time.
(10) Proposed Sec.  3.206(b)(10)--Disclosure to Law Enforcement
    Proposed Sec.  3.206(b)(10) permits the disclosure of identifiable 
patient safety work product to law enforcement authorities, so long as 
the person making the disclosure believes--and that belief is 
reasonable under the circumstances--that the patient safety work 
product disclosed relates to a crime and is necessary for criminal law 
enforcement purposes. Under proposed Sec.  3.208, the disclosed patient 
safety work product would continue to be privileged and confidential.
    We view this exception as permitting, for example, a disclosure by 
a whistleblower who would initiate the disclosure to law enforcement. 
The focus of this exception is the state of mind of the subject 
discloser. In making a disclosure, the discloser must reasonably 
believe that the event constitutes a crime and that the patient safety 
work product disclosed is necessary for criminal law enforcement 
purposes. The discloser need not be correct in these determinations, 
but his beliefs must be objectively reasonable. This standard provides 
some constraint on the discloser, and further protects against a 
release merely in response to a request by law enforcement.
    Patient safety work product received by law enforcement under this 
exception continues to be confidential and privileged. The law 
enforcement entity receiving the patient safety work product may use 
the patient safety work product to pursue any law enforcement purposes; 
however, because the patient safety work product disclosed to law 
enforcement entities under the Patient Safety Act and proposed Sec.  
3.206(b)(10) remains privileged and confidential, the law enforcement 
entity can only disclose such patient safety work product--including in 
a court proceeding--as permitted by this proposed rule.
    We further propose that a law enforcement entity be permitted to 
redisclose the patient safety work product it receives under this 
exception to other law enforcement entities as needed for law 
enforcement activities related to the event that gave rise to the 
disclosure. We seek comment regarding whether these provisions allow 
for legitimate law enforcement needs, while ensuring appropriate 
protections.
    We note that disclosure pursuant to this exception does not except 
patient safety work product from the privilege protection. Thus, 
patient safety work product cannot be subpoenaed, ordered, or entered 
into evidence in a criminal or civil proceeding through this exception;

[[Page 8152]]

nor should a discloser rely solely on a law enforcement agent's 
statement that such information is necessary for law enforcement 
purposes. As already discussed, the Patient Safety Act framework 
permits an exception from privilege protection or law enforcement 
compulsion only in very narrow circumstances (see above privilege 
exception discussion). Under section 922(c)(1)(A) of the Public Health 
Service Act, 42 U.S.C. 299b-22(c)(1)(A), patient safety work product 
may be disclosed for use in a criminal proceeding, but only after a 
judge has determined by means of an in camera review that the patient 
safety work product is material to a criminal proceeding and not 
reasonably available from any other source. Even after its use in such 
a criminal proceeding, and the lifting of the confidentiality 
protections with respect to such patient safety work product, the 
privilege protection continues. In light of the strict privilege 
protections for this information, we do not interpret this law 
enforcement disclosure exception as allowing the disclosure of patient 
safety work product based on a less compelling request by law 
enforcement for its release. The decision as to whether a discloser 
reasonably believes that the patient safety work product is necessary 
for a law enforcement purpose is the discloser's decision alone, 
provided that the decision is reasonable.
    While the HIPAA Privacy Rule permits disclosures by HIPAA covered 
entities to law enforcement under a variety of circumstances, few align 
well with the proposed interpretation of this exception as being 
limited to disclosures to law enforcement initiated by the HIPAA 
covered entity. Although there is a very narrow set of HIPAA Privacy 
Rule permissions under which a HIPAA covered entity as a holder of 
patient safety work product would be allowed to release patient safety 
work product that contains protected health information to law 
enforcement, we note that a HIPAA covered entity would be permitted to 
de-identify the protected health information, in which case only the 
Patient Safety Act would apply to the disclosure of the patient safety 
work product. If the protected health information is needed by law 
enforcement, the HIPAA Privacy Rule has standards that permit the 
release of protected health information in response to certain law 
enforcement processes. If such information is not patient safety work 
product, it would not be subject to the privilege protections of the 
Patient Safety Act.
(C) Proposed Sec.  3.206(c)--Safe Harbor
    Proposed Sec.  3.206(c) is based on section 922(c)(2)(H) of the 
Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(H). This provision 
permits the disclosure of identifiable patient safety work product when 
that information does not include oral or written materials that either 
contain an assessment of the quality of care of an identifiable 
provider or describe or pertain to the actions or failure to act of an 
identifiable provider. The use of this exception is limited to persons 
other than PSOs. This provision essentially prohibits the disclosure of 
a subject provider's identity with information, whether oral or 
written, that: (1) Assesses that provider's quality of care; or (2) 
identifies specific acts attributable to such provider. Thus, a 
permissible disclosure may include a provider's identity, so long as no 
``quality information'' about the subject provider is also disclosed 
and so long as it does not describe or pertain to an action or failure 
to act by the subject provider.
    We propose that the provider identity element under this exception 
means the identity of any provider that is a subject of the patient 
safety work product. In other words, if the patient safety work product 
does not contain quality information about a particular provider or 
describe or pertain to any actions or failures to act by the provider, 
such provider could be identifiable within the patient safety work 
product disclosed pursuant to this exception. For example, if a nurse 
reports a patient safety event, but was not otherwise involved in the 
occurrence of that event, the nurse could be named in the disclosure. 
Providers that cannot be identified are those about whom the patient 
safety work product assesses the quality of care or describes or 
pertains to actions or failures to act of that provider. We propose 
that the threshold for identification of a provider will be determined 
in accordance with the nonidentification standard set forth in proposed 
Sec.  3.210. Thus, confidential patient safety work product disclosed 
under this exception may identify providers, reporters or patients so 
long as the provider(s) that are the subject of the actions described 
are nonidentified.
    In general, the determination with respect to the content of 
quality information is straightforward. We also interpret quality 
information to include the fact that patient safety work product 
exists, without the specifics of the patient safety event at issue. For 
example, if a provider employee discloses to a friend that a particular 
surgeon had an incident reported to the PSO, without actually 
describing this incident, the fact that the surgeon was associated with 
patient safety work product would be a prohibited disclosure.
    This is the only exception that defines prohibited conduct, rather 
than permitted conduct. We recognize that institutional providers, even 
practitioners offices, are communities unto themselves. We 
preliminarily interpret this exception as creating a narrow safe harbor 
for disclosures, possibly inadvertent, which may occur by a provider or 
other responsible person, when the patient safety work product does not 
reveal a link between a subject provider and the provider's quality of 
care or an action or failure to act by that subject provider. By 
proposing this provision as a safe harbor, we seek to have it available 
to mitigate harmless errors, rather than as a disclosure permission 
that may render all other disclosure permissions practically 
meaningless.
    Under the HIPAA Privacy Rule, HIPAA covered entities are broadly 
permitted to disclose protected health information for the HIPAA 
covered entity's treatment, payment or health care operations. 
Otherwise, specific standards are described that limit the use and 
disclosure of protected health information. If such disclosure is made 
by a HIPAA covered entity, it is possible that the disclosure of 
protected health information would be permissible as a health care 
operation, or as incidental to another permitted disclosure. 
Nevertheless, examination of whether a HIPAA Privacy Rule standard has 
been violated will need to be made on a case-by-case basis.
(D) Proposed Sec.  3.206(d)--Implementation and Enforcement of the 
Patient Safety Act
    Proposed Sec.  3.206(d) permits the disclosure of relevant patient 
safety work product to or by the Secretary as needed for investigating 
or determining compliance with this Part or for enforcement of the 
confidentiality provisions of this Subpart or in making or supporting 
PSO certification or listing decisions under the Patient Safety Act and 
Subpart B of this regulation. This disclosure parallels the privilege 
exception under proposed Sec.  3.204(c). Patient safety work product 
disclosed under this exception remains confidential. This exception 
does not limit the ability of the Secretary to disclose patient safety 
work product in accordance with the exceptions under proposed Sec.  
3.206(b) or this Part. Rather, this proposed section provides a 
specific permission pursuant to which

[[Page 8153]]

patient safety work product may be disclosed to the Secretary and the 
Secretary may further use such disclosed patient safety work product 
for compliance and enforcement purposes.
    We propose to permit a disclosure of patient safety work product in 
order to allow the Secretary to obtain such information as is needed to 
implement and enforce this program, both for the purposes of enforcing 
the confidentiality of patient safety work product and for the 
oversight of PSOs. Enforcement of the confidentiality provisions 
includes the imposition of civil money penalties and adherence to the 
prohibition against imposing a civil money penalty for a single act 
that violates both the Patient Safety Act and the HIPAA Privacy Rule. 
This exception ensures that there will not be a conflict between the 
confidentiality obligations of a holder of patient safety work product 
and other provisions that allow the Secretary access to protected 
information and/or require disclosure to the Secretary for enforcement 
purposes. See proposed Sec. Sec.  3.110, 3.210, and 3.310. Although the 
statute does not explicitly address this disclosure, we believe that 
the authority to disclose to the Secretary for these purposes is 
inherent in the statute, and that this disclosure is permitted and 
necessary to meaningfully exercise our authority to enforce against 
breaches of confidentiality as well as to ensure that PSOs meet their 
certification attestations if needed. Proposed Sec.  3.312(c) discusses 
the limitations on what the Secretary may do with any patient safety 
work product obtained pursuant to an investigation or compliance review 
regarding an alleged impermissible disclosure.
    This proposed provision would permit the disclosure of patient 
safety work product to the Secretary or disclosure by the Secretary so 
long as such disclosure is limited to the purpose of implementation and 
enforcement of these proposed regulations. Such disclosure would 
include the introduction of patient safety work product into 
proceedings before ALJs or the Board under proposed Subpart D by the 
Secretary, as well as the disclosure during investigations by the 
Secretary, or activities in reviewing PSO certifications by AHRQ. 
Disclosures of patient safety work product made to the Board or other 
parts of the Department that are received by workforce members, such as 
contractors operating electronic web portals or mail sorting and paper 
scanning services, would be permitted as a disclosure to the Secretary 
under this proposed provision. This provision would also permit the 
Board to disclose any patient safety work product in order to properly 
review determinations or to provide records for court review.
    We believe strongly in the protection of patient safety work 
product as provided in the Patient Safety Act and the proposed 
regulations, and seek to minimize the risk of improper disclosure of 
patient safety work product by using and disclosing patient safety work 
product only in limited and necessary circumstances. With respect to 
disclosures to an ALJ or the Board, we note that the Board has numerous 
administrative, technical and physical safeguards available to protect 
sensitive information. For example, the Board has the authority to: 
Enter protective orders; hold closed hearings; redact records; 
anonymize names of cases and parties prior to publishing opinions; and 
put records under seal. It routinely maintains a controlled 
environment; trains staff about proper handling of confidential 
information; flags confidential information in records prior to 
archiving cases and shreds copies of case files, etc. Most importantly, 
understanding that any patient safety work product that is used in an 
enforcement proceeding is sensitive, the Board would seek to include 
only information in an opinion that is necessary to the decision, and 
omit any extraneous sensitive information that is not needed for its 
judgments.
    This proposed provision also requires that patient safety work 
product disclosed to or by the Secretary must be necessary for the 
purpose for which the disclosure is made. We intend that any disclosure 
made pursuant to this proposed provision be limited in the amount of 
patient safety work product disclosed to accomplish the purpose of 
implementation, compliance, and enforcement. We discuss our anticipated 
uses and protections further in proposed Subpart D.
(E) Proposed Sec.  3.206(e)--No Limitation on Authority To Limit or 
Delegate Disclosure or Use
    Proposed Sec.  3.206(e) reflects the Patient Safety Act's rule of 
construction in section 922(g)(4) of the Public Health Service Act, 42 
U.S.C. 299b-22(g)(4), establishing that a person holding patient safety 
work product may enter into a contract that requires greater 
confidentiality protections or may delegate its authority to make a 
disclosure in accordance with this Subpart. For example, a provider may 
delegate its permission (which it may have as a provider) to disclose 
to the FDA under proposed Sec.  3.206(b)(7) to a PSO through a 
contractual arrangement. In such a case, the PSO would be acting on 
behalf of the provider in making disclosures to the FDA. Without the 
delegated permission, it would, in this scenario, be impermissible for 
the PSO to disclose identifiable patient safety work product to the 
FDA, and a PSO that made such a disclosure could be subject to a civil 
money penalty. However, if a delegation of disclosing authority exists, 
the delegating person would be responsible for the disclosures of the 
delegee. Thus, in the example above, if the PSO made an impermissible 
disclosure, the delegating provider could be liable under the principle 
of principal liability for the acts of its agent. The PSO making the 
disclosure could also be liable. See discussion in proposed Sec.  
3.402(b). Neither the statute nor the proposed rule limits the 
authority of a provider to place limitations on disclosures or uses. 
For example, a provider may require that a PSO remove all employee 
names prior to disclosing any patient safety work product despite such 
disclosure being permissible under this Subpart with the names 
included.
3. Proposed Sec.  3.208--Continued Protection of Patient Safety Work 
Product
    Proposed Sec.  3.208 provides that the privilege and 
confidentiality protections continue to apply to patient safety work 
product when disclosed and describes the narrow circumstances when the 
protections terminate. Generally, when identifiable patient safety work 
product is disclosed, whether pursuant to a permitted exception to 
privilege and/or confidentiality or disclosed impermissibly, that 
patient safety work product continues to be privileged and 
confidential. Any person receiving such patient safety work product 
receives that patient safety work product pursuant to the privilege and 
confidentiality protections. The receiving person holds the patient 
safety work product subject to these protections and is generally bound 
by the same limitations on disclosure and the potential civil money 
penalty liability if he or she discloses the patient safety work 
product in a manner that warrants imposition of a civil money penalty 
under proposed Subpart D.
    An example would be if identifiable patient safety work product is 
disclosed to a provider's employee for patient safety activities, the 
identifiable patient safety work product disclosed to the employee 
would be confidential and the employee would be subject to civil money 
penalty liability for any knowing

[[Page 8154]]

or reckless disclosure of the patient safety work product in 
identifiable form not permitted by the exceptions. Similarly, if 
confidential patient safety work product is received impermissibly, 
such as by an unauthorized computer access (i.e., hacker), the 
impermissible disclosure, even when unintentional, does not terminate 
the confidentiality. Thus, the hacker may be subject to civil money 
penalty liability for impermissible disclosures of that information.
    We do not require that notification of the privilege and 
confidentiality of patient safety work product be made with each 
disclosure. We also note that the Secretary does not have authority to 
impose a civil money penalty for an impermissible breach of the 
privilege protection. Rather, any breach of privilege, permissible or 
not, would encompass a disclosure and concurrent breach of 
confidentiality, subject to penalty under the CMP provisions of the 
Patient Safety Act and this proposed rule, unless a confidentiality 
exception applied. See the discussion above of confidentiality 
protections at proposed Sec.  3.206 and the discussion of the 
enforcement provisions at proposed Subpart D.
    Nor do we require notification of either the confidentiality of 
patient safety work product or the fact that patient safety work 
product is being disclosed. The Secretary's authority to impose a civil 
money penalty is not dependent upon whether the disclosing entity or 
person knows that the information being disclosed is patient safety 
work product or whether patient safety work product is confidential 
(see discussion under proposed Subpart D). Thus, we do not require that 
the disclosure of patient safety work product be accompanied by a 
notice as to either the fact that the information disclosed is patient 
safety work product or that it is confidential. Labeling does not make 
information protected patient safety work product, and the failure to 
label patient safety work product does not remove the protection. 
However, we do believe that such a notification would be beneficial to 
the recipient to alert such recipient to the fact that the information 
received should be held in a confidential manner and that knowing or 
reckless disclosure in violation of the confidentiality protection may 
subject a discloser to civil money penalties. Labeling patient safety 
work product may also make it easier for the provider to establish that 
such information is privileged patient safety work product. Also, a 
notification may also be prudent management for providers, PSOs, and 
responsible persons who could be subject to liability under agency 
principles for actions of disclosing agents. Moreover, such a 
notification policy may serve as a mitigating factor under the factors 
outlined under proposed Subpart D. Similarly, labeling of patient 
safety work product may be a good practice for the internal management 
of information by an entity that holds protected patient safety work 
product.
    There are two exceptions to the continued protection of patient 
safety work product which terminate either the confidentiality or both 
the privilege and confidentiality under section 922(d)(2) of the Public 
Health Service Act, 42 U.S.C. 299b-22(d)(2). The first exception to 
continued protection is an exception to continued confidentiality when 
patient safety work product is disclosed for use in a criminal 
proceeding, pursuant to proposed Sec. Sec.  3.204(b)(1) and 
3.206(b)(1). Proposed Sec.  3.204(b)(1) is an exception to privilege 
for the particular proceeding at issue and does not permit the use of 
such patient safety work product in other proceedings or otherwise 
remove the privilege protection afforded such information. Thus, in the 
case of a criminal proceeding disclosure, the privilege continues even 
though the confidentiality terminates. In other words, when a court 
makes an in camera determination that patient safety work product can 
be entered into a criminal proceeding, that information remains 
privileged for any future proceedings, but is no longer confidential 
and may be further disclosed without restriction.
    The second exception to continued protection is when patient safety 
work product is disclosed in nonidentifiable form, pursuant to proposed 
Sec. Sec.  3.204(b)(4) and 3.206(b)(5). Under both of these exceptions, 
the patient safety work product disclosed is no longer confidential, 
and may be further disclosed without restriction. The termination of 
the continued protections is based on section 922(d)(2) of the Public 
Health Service Act, 42 U.S.C. 299b-22(d)(2).
4. Proposed Sec.  3.210--Required Disclosure of Patient Safety Work 
Product to the Secretary
    We are proposing in Sec.  3.210 that providers, PSOs, and other 
persons that hold patient safety work product be required to disclose 
such patient safety work product to the Secretary upon a determination 
by the Secretary that such patient safety work product is needed for 
the investigation and enforcement activities related to this Part, or 
is needed in seeking and imposing civil money penalties. Such patient 
safety work product disclosed to the Secretary will be excepted from 
privilege and confidentiality protections insofar as the Secretary has 
a need to use such patient safety work product for the above purposes 
which include: accepting, conditioning, or revoking acceptance of PSO 
certification or in supporting such actions. See proposed Sec.  
3.206(d).
5. Proposed Sec.  3.212--Nonidentification of Patient Safety Work 
Product
    Proposed Sec.  3.210 establishes the standard by which patient 
safety work product will be determined nonidentifiable. For the ease of 
the reader, we have discussed this standard within the context of 
proposed Sec.  3.206(b)(5), the confidentiality disclosure exception 
for nonidentifiable patient safety work product.

D. Subpart D--Enforcement Program

    The authority of the Secretary to enforce the confidentiality 
provisions of the Patient Safety Act is intended to deter impermissible 
disclosures of patient safety work product. Proposed Subpart D would 
establish a framework to enable the Secretary to monitor and ensure 
compliance with this Part, procedures for imposing a civil money 
penalty for breach of confidentiality, and procedures for a hearing 
contesting a civil money penalty.
    The proposed enforcement program has been designed to provide 
maximum flexibility to the Secretary in addressing violations of the 
confidentiality provisions to encourage participation in patient safety 
activities and achieve the goals of the Patient Safety Act while 
safeguarding the confidentiality and protected nature of patient safety 
work product under the Patient Safety Act and this part. Failures to 
maintain confidentiality may be serious, deleterious and broad-ranging, 
and, if unpunished, may discourage participation by providers in the 
PSO voluntary reporting system. The Secretary's enforcement authority 
will be exercised commensurately to respond to the nature of any such 
failure and the resulting harm from such failures. The proposed 
regulations seek to provide the Secretary with reasonable discretion, 
particularly in areas where the exercise of judgment is called for by 
the statute or proposed rules, and to avoid being overly prescriptive 
in areas and causing unintended adverse effects where it would be 
helpful to gain experience with the practical impact of the proposed 
rules.
    The provisions of section 1128A of the Social Security Act, 42 
U.S.C. 1320a-7a, apply to the imposition of a

[[Page 8155]]

civil money penalty under section 922(f) of the Public Health Service 
Act, 42 U.S.C. 299b-22(f), ``in the same manner as'' they apply to the 
imposition of civil money penalties under section 1128A itself. Section 
1128A(1) of the Social Security Act, 42 U.S.C. 1320a-7a(l), provides 
that a principal is liable for penalties for the actions of its agents 
acting within the scope of their agency. Therefore, a provider or PSO 
will be responsible for the actions of a workforce member when such 
member discloses patient safety work product in violation of the 
confidentiality provisions while acting within the scope of the 
member's agency relationship.
    Proposed Sec. Sec.  3.304 through 3.314 are designed to enable the 
Secretary to assist with, monitor, and investigate alleged failures 
with respect to compliance with the confidentiality provisions. 
Proposed Sec. Sec.  3.304 through 3.314 would establish the processes 
and procedures for the Secretary to provide technical assistance with 
compliance, for filing complaints with the Secretary, and for 
investigations and compliance reviews performed by the Secretary. 
Proposed Sec. Sec.  3.402 through 3.426 would provide the legal basis 
for imposing a civil money penalty, determining the amount of a civil 
money penalty, implementing the prohibition on the imposition of a 
civil money penalty under both HIPAA and the Patient Safety Act, and 
issuing a notice of proposed determination to impose a civil money 
penalty and establishing the process that would be relevant subsequent 
to the issuance of such a notice, whether or not a hearing follows the 
issuance of the notice of proposed determination. These sections also 
would contain provisions on the statute of limitations, authority to 
settle, collection of any penalty imposed for violation of the 
confidentiality provisions, and public notice of the imposition of such 
penalties. Finally, proposed Sec.  3.504 addresses the administrative 
hearing phase of the enforcement process, including provisions for 
appellate review within HHS of a hearing decision and burden of proof 
in such proceedings.
    Generally, proposed Subpart D is based on the HIPAA Enforcement 
Rule, 45 CFR Part 160, Subparts C, D and E. We have closely followed 
the HIPAA Enforcement Rule for several reasons. First, because civil 
money penalties under both the HIPAA Enforcement Rule and Patient 
Safety Act are based on section 1128A of the Social Security Act, 42 
U.S.C. 1320a-7a, we believe there is benefit in maintaining a common 
approach to enforcement and appeals of such civil money penalty 
determinations. Second, we believe that these procedures set forth in 
the HIPAA Enforcement Rule, which in turn are based on the procedures 
established by the OIG, work and satisfactorily address issues raised 
and addressed in prior rulemakings by the Department and the OIG. We do 
not reiterate those concerns, or their resolutions, here, but they have 
informed our decision making on these proposed rules.
    Proposed Sec. Sec.  3.504(b)-(d), (f)-(g), (i)-(k), (m), (n), (t), 
(w) and (x) of the proposed rule are unchanged from, or incorporate the 
provisions of, the HIPAA Enforcement Rule. For a full discussion of the 
basis for these proposed sections, please refer to the proposed and 
final HIPAA Enforcement Rule, published on April 18, 2005, at 70 FR 
20224 (proposed) and on February 16, 2006, at 71 FR 8390 (final). 
Although the preamble discussion of the HIPAA Enforcement Rule pertains 
to the HIPAA Administrative Simplification provisions, HIPAA covered 
entities, and protected health information under HIPAA, we believe the 
same interpretations and analyses are applicable to the Patient Safety 
Act confidentiality provisions, providers, PSOs, and responsible 
persons, and patient safety work product.
    Proposed Sec. Sec.  3.424 and 3.504(a), (e), (h), (l), (o)-(s), (u) 
and (v) of the proposed rule also are based on, or incorporate, the 
HIPAA Enforcement Rule, but include technical changes made in order to 
adapt these provisions to the Patient Safety Act confidentiality 
provisions. We discuss these technical changes below but refer to the 
proposed and final HIPAA Enforcement Rule for a substantive discussion 
of these proposed sections.
    For the above proposed sections, while we have chosen not to repeat 
our discussion of the rationale for these regulations, we invite 
comments regarding whether any further substantive or technical changes 
are needed to adapt these provisions to the Patient Safety Act 
confidentiality provisions.
    The remaining sections in Subpart D of the proposed rule reprint 
HIPAA Enforcement Rule provisions in their entirety or constitute 
substantive changes from the analogous provisions of the HIPAA 
Enforcement Rule. We discuss these proposed sections in full below.
1. Proposed Sec.  3.304--Principles for Achieving Compliance
    Proposed Sec.  3.304(a) would establish the principle that the 
Secretary will seek the cooperation of providers, PSOs, and responsible 
persons in maintaining and preserving the confidentiality of patient 
safety work product, relying on the civil money penalty authority when 
appropriate to remediate violations. Proposed Sec.  3.304(b) provides 
that the Secretary may provide technical assistance to providers, PSOs, 
and responsible persons to help them comply with the confidentiality 
provisions.
    We will seek to achieve compliance through technical assistance and 
outreach so that providers, PSOs, and responsible persons that hold 
patient safety work product may better understand the requirements of 
the confidentiality provisions and, thus, may voluntarily comply by 
preventing breaches. However, we believe that the types of events that 
are likely to trigger complaints are actual breaches of confidentiality 
which will need remedial action (such events cannot be mitigated 
through preventive measures alone). Given the existing framework of 
peer review systems and other similar processes, we believe that most 
providers and patient safety experts already have well-established 
mechanisms for using sensitive information while respecting its 
confidentiality. Moreover, such persons will have incentives to 
maintain the confidentiality of patient safety work product each such 
person possesses in the future. Thus, while there may be situations 
where an issue may be resolved through technical assistance and 
corrective action, we anticipate that the resolution of complaints of 
breaches of confidentiality may warrant imposition of a civil money 
penalty to deter future non-compliance and similar violations. This 
Subpart preserves the discretion of the Secretary to enforce 
confidentiality in the manner that best fits the situation.
    The Secretary will exercise discretion in developing a technical 
assistance program that may include the provision of written material 
when appropriate to assist persons in achieving compliance. We 
encourage persons to share ``best practices'' for the confidential 
utilization of patient safety work product. However, the absence of 
technical assistance or guidance may not be raised as a defense to 
civil money penalty liability.
2. Proposed Sec.  3.306--Complaints to the Secretary
    We are proposing in Sec.  3.306 that any person may file a 
complaint with the Secretary if the person believes that a provider, 
PSO or responsible person has disclosed patient safety work product in 
violation of the confidentiality

[[Page 8156]]

provisions. A complaint-driven process would provide helpful 
information about the handling and disclosure of patient safety work 
product and could serve to identify particularly troublesome compliance 
problems on an early basis.
    The procedures proposed in this section are modeled on those used 
for the HIPAA Enforcement Rule. We would require: complaints to be in 
writing; complainants to identify the person(s), and describe the acts, 
alleged to be out of compliance; and that the complainant file such 
complaint within 180 days of when the complainant knew or should have 
known that the act complained of occurred, unless this time limit is 
waived by the Secretary for good cause shown. We have tried to keep the 
requirements for filing complaints as minimal as possible to facilitate 
use of this process. The Secretary would also attempt to keep the 
identity of complainants confidential, if possible. However, we 
recognize that it could be necessary to disclose the identity of a 
complainant in order to investigate the substance of the complaint, and 
the rules proposed below would permit such disclosures.
    For the same reason that the HIPAA Enforcement Rule adopted the 
``known or should have known'' standard for filing a complaint, we 
require that complaints be filed within 180 days of when the 
complainant knew or should have known that the violation complained of 
occurred unless this time limit is waived by the Secretary for good 
cause shown. We believe that an investigation of a complaint is likely 
to be most effective if persons can be interviewed and documents 
reviewed as close to the time of the alleged violation as possible. 
Requiring that complaints generally be filed within a certain period of 
time increases the likelihood that the Secretary will be able to obtain 
necessary and reliable information in order to investigate allegations. 
Moreover, we are taking this approach in order to encourage 
complainants to file complaints as soon as possible. By receiving 
complaints in a timely fashion, we can, if such complaints prove valid, 
reduce the harm caused by the violation.
    In most cases, we expect that the providers, PSOs, responsible 
persons, and/or their employees will be aware of disclosures of patient 
safety work product. Nevertheless, other persons may become aware of 
the wrongful disclosure of patient safety work product as well. For 
these reasons, we do not limit who may file a complaint. We will accept 
complaints alleging violations from any person.
    Once a complaint is received, the Secretary will notify the 
provider, PSO, or responsible person(s) against whom the complaint has 
been filed (i.e., the respondent), investigate and seek resolution to 
any violations based on the circumstances of the violation, in 
accordance with the principles for achieving compliance. In enforcing 
the confidentiality provisions of the Patient Safety Act, the Secretary 
will generally inform the respondent of the nature of any complaints 
received against the respondent. The Secretary will also generally 
afford the entity an opportunity to share information with the 
Secretary that may result in an early resolution.
3. Proposed Sec.  3.308--Compliance Reviews
    We are proposing in Sec.  3.308 that the Secretary could conduct 
compliance reviews to determine whether a provider, PSO, or responsible 
person is in compliance. A compliance review could be based on 
information indicating a possible violation of the confidentiality 
provisions even though a formal complaint has not been filed. As is the 
case with a complaint investigation, a compliance review may examine 
the policies, practices or procedures of a respondent and may result in 
voluntary compliance or in a finding of a violation or no violation 
finding.
    We believe the Secretary's ability to conduct compliance reviews 
should be flexible and unobstructed by limitations or required links to 
ongoing investigations. We do not establish any affirmative criteria 
for the conduct of a compliance review. Compliance reviews may be 
undertaken without regard to ongoing investigations or prior conduct. 
We recognize that cooperating with compliance reviews may create some 
burden and expense. However, the Secretary needs to maintain the 
flexibility to conduct whatever reviews are necessary to ensure 
compliance with the rule.
    We note that, at least in the short term, HHS will be taking a 
case-based, complaint-driven approach to investigations and 
enforcement, rather than focusing resources on compliance reviews 
unrelated to any information or allegations of confidentiality 
violations.
4. Proposed Sec.  3.310--Responsibilities of Respondents
    Proposed Sec.  3.310 establishes certain obligations for 
respondents that would be necessary to enable the Secretary to carry 
out the statutory role to determine their compliance with the 
requirements of the confidentiality provisions. Respondents would be 
required to maintain records as proposed in this proposed rule, 
participate as required in investigations and compliance reviews, and 
provide information to the Secretary upon demand. Respondents would 
also be required to disclose patient safety work product to the 
Secretary for investigations and compliance activities. We interpret 
the enforcement provision at section 922(f) of the Patient Safety Act, 
42 U.S.C. 299b-22(f), to allow for such disclosure to the Secretary for 
the purpose of enforcing the confidentiality provisions.
    Proposed Sec.  3.310(b) would require cooperation by respondents 
with investigations as well as compliance reviews.
    Proposed Sec.  3.310(c) would provide that the Secretary must be 
provided access to a respondent's facilities, books, records, accounts, 
and other sources of information, including patient safety work 
product. Ordinarily, the Secretary will provide notice requesting 
access during normal business hours. However, if exigent circumstances 
exist, such as where documents might be hidden or destroyed, the 
Secretary may require access at any time and without notice. The 
Secretary will consider alternative approaches, such as subpoenas or 
search warrants, in seeking information from respondents that are not 
providers, PSOs, or a member of their workforce.
5. Proposed Sec.  3.312--Secretarial Action Regarding Complaints and 
Compliance Reviews
    Proposed Sec.  3.312(a) provides that, if a complaint investigation 
or compliance review indicates noncompliance, the Secretary may attempt 
to resolve the matter by informal means. If the Secretary determines 
that the matter cannot be resolved by informal means, the Secretary 
will issue findings to the respondent and, if applicable, the 
complainant.
    Proposed Sec.  3.312(a)(1) provides that, where noncompliance is 
indicated, the Secretary could seek to reach a resolution of the matter 
satisfactory to the Secretary by informal means. Informal means would 
include demonstrated compliance or a completed corrective action plan 
or other agreement. Under this provision, entering into a corrective 
action plan or other agreement would not, in and of itself, resolve the 
noncompliance; rather, the full performance by the respondent of its 
obligations under the corrective action plan or other agreement would 
be necessary to resolve the noncompliance.

[[Page 8157]]

    Proposed Sec. Sec.  3.312(a)(2) and (3) address what notifications 
would be provided by the Secretary where noncompliance is indicated, 
based on an investigation or compliance review. Notification under 
these paragraphs would not be required where the only contacts made 
were with the complainant to determine whether the complaint warrants 
investigation. Section 3.312(a)(2) proposes written notice to the 
respondent and, if the matter arose from a complaint, the complainant, 
where the matter is resolved by informal means. If the matter is not 
resolved by informal means, proposed Sec.  3.312(a)(3)(i) would require 
the Secretary to so inform the respondent and provide the respondent 30 
days in which to raise any mitigating factors the Secretary should 
consider in imposing a civil money penalty. Section 3.312(a)(3)(ii) 
proposes that, where a matter is not resolved by informal means and the 
Secretary decides that imposition of a civil money penalty is warranted 
based upon a response from the respondent or expiration of the 30 day 
response time limit, the formal finding would be contained in the 
notice of proposed determination issued under proposed Sec.  3.420.
    Proposed Sec.  3.312(b) provides that, if the Secretary finds, 
after an investigation or compliance review, no further action is 
warranted, the Secretary will so inform the respondent and, if the 
matter arose from a complaint, the complainant. This section does not 
apply where no investigation or compliance review has been initiated, 
such as where a complaint has been dismissed due to lack of 
jurisdiction.
    Proposed Sec.  3.312(c) addresses how the Secretary will handle 
information obtained during the course of an investigation or 
compliance review. Under proposed Sec.  3.312(c)(1), identifiable 
patient safety work product obtained by the Secretary in connection 
with an investigation or compliance review under this Part remains 
subject to the privilege and confidentiality protections and will not 
be disclosed except in accordance with proposed Sec.  3.206(d), if 
necessary for ascertaining or enforcing compliance with this part, or 
as permitted by this Part or the Patient Safety Act. In other words, 
the Secretary, as with any other entity or person, would receive 
patient safety work product subject to the confidentiality and 
privilege requirements and protections. The proposed rule strikes a 
balance between these protections and enforcement, providing that the 
Secretary would not disclose such patient safety work product, except 
as may be necessary to enable the Secretary to ascertain compliance 
with this Part, in enforcement proceedings, or as otherwise permitted 
by this Part. We note that, pursuant to section 922(g)(3) of the Public 
Health Service Act, 42 U.S.C. 299b-22(g)(3), as added by the Patient 
Safety Act, the Patient Safety Act does not affect the implementation 
of the HIPAA confidentiality regulations (known as the HIPAA Privacy 
Rule). Accordingly, we propose that the Secretary may use patient 
safety work product obtained in connection with an investigation 
hereunder to enforce the HIPAA confidentiality regulations.
    Proposed Sec.  3.312(c)(2) provides that, except for patient safety 
work product, testimony and other evidence obtained in connection with 
an investigation or compliance review may be used by HHS in any of its 
activities and may be used or offered into evidence in any 
administrative or judicial proceeding. Such information would include 
that which is obtained from investigational subpoenas and inquiries 
under proposed Sec.  3.314. The Department generally seeks to protect 
the privacy of individuals to the fullest extent possible, while 
permitting the exchange of records required to fulfill its 
administrative and programmatic responsibilities. The Freedom of 
Information Act, 5 U.S.C. 552, and the HHS implementing regulation, 45 
CFR Part 5, provide substantial protection for records about 
individuals where disclosure would constitute an unwarranted invasion 
of their personal privacy. Moreover, in enforcing the Patient Safety 
Act and its implementing regulations, OCR plans to continue its current 
practice of protecting its complaint files from disclosure. These 
files, thus, would constitute investigatory records compiled for law 
enforcement purposes, one of the exemptions to disclosure under the 
Freedom of Information Act. In the case of patient safety work product 
that is not otherwise subject to a statutory exception permitting 
disclosure, the Patient Safety Act prohibits the disclosure of such 
information in response to a Freedom of Information Act request. See 
section 922(a)(3) of the Public Health Service Act, 42 U.S.C. 299b-
22(a)(3).
    The Secretary continues to be subject to the existing HIPAA 
Enforcement Rule with respect to the use and disclosure of protected 
health information received by the Secretary in connection with a HIPAA 
Privacy Rule investigation or compliance review (see 45 CFR 
160.310(c)(3)); these proposed provisions do not modify those 
regulations.
6. Proposed Sec.  3.314--Investigational Subpoenas and Inquiries
    Proposed Sec.  3.314 provides procedures for the issuance of 
subpoenas to require the attendance and testimony of witnesses and the 
production of any other evidence, including patient safety work 
product, during an investigation or compliance review. We propose to 
issue subpoenas in the same manner as 45 CFR 160.314(a)(1)-(5) of the 
HIPAA Enforcement Rule, except that the term ``this part'' shall refer 
to 42 CFR Part 3. The language modification is necessary to reference 
the appropriate authority.
    We also propose that the Secretary is permitted to conduct 
investigational inquiries in the same manner as the provisions of 45 
CFR 160.314(b)(1)-(9) of the HIPAA Enforcement Rule. The referenced 
provisions describe the manner in which investigational inquiries will 
be conducted.
7. Proposed Sec.  3.402--Basis for a Civil Money Penalty
    Under proposed Sec.  3.402, a person who discloses identifiable 
patient safety work product in knowing or reckless violation of the 
confidentiality provisions shall be subject to a civil money penalty of 
not more than $10,000 for each act constituting a violation. See 
section 922(f)(1) of the Public Health Service Act, 42 U.S.C. 299b-
22(f)(1).
(A) Proposed Sec.  3.402(a)--General Rule
    Proposed Sec.  3.402(a) would allow the Secretary to impose a civil 
money penalty on any person which the Secretary determines has 
knowingly or recklessly violated the confidentiality provisions. This 
provision is based on the language in section 922(f) of the Public 
Health Service Act, 42 U.S.C. 299b-22(f), that ``a person who discloses 
identifiable patient safety work product in knowing or reckless 
violation of subsection (b) shall be subject to a civil money penalty 
of not more than $10,000 for each act constituting such violation.''
    A civil money penalty may only be imposed if the Secretary first 
establishes a wrongful disclosure (i.e., (1) the information disclosed 
was identifiable patient safety work product; (2) the information was 
disclosed; and (3) the manner of the disclosure does not fit within any 
permitted exception). If a wrongful disclosure is established, the 
Secretary must then determine whether the person making the disclosure 
acted ``knowingly'' or ``recklessly.''
    The applicable law on the issue of ``knowing'' provides that 
``unless the

[[Page 8158]]

text of the statute dictates a different result, the term `knowingly' 
merely requires proof of knowledge of the facts that constitute the 
offense [rather than] a culpable state of mind or [] knowledge of the 
law.'' Bryan v. United States, 524 U.S. 184 (1998) (emphasis added). 
Applying this meaning in the context of the Patient Safety Act, the 
Secretary would not need to prove that the person making the disclosure 
knew the law (i.e., knew that the disclosed information constituted 
identifiable patient safety work product or that such disclosure did 
not meet one of the standards for a permissive disclosure in the 
Patient Safety Act). Rather, the Secretary would only need to show that 
the person knew a disclosure was being made. Although knowledge that 
disclosed information is patient safety work product is not required, 
circumstances in which a person can show no such knowledge and no 
reason to know such knowledge may warrant discretion by the Secretary. 
By contrast, as a person's opportunity for knowledge and disregard of 
that opportunity increases, the Secretary's compulsion to exercise 
discretion not to impose a penalty declines.
    Where a ``knowing'' violation cannot be established, the Secretary 
can still impose a civil money penalty by showing that the person was 
reckless in making the disclosure of identifiable patient safety work 
product. A person acts recklessly if they are aware, or a reasonable 
person in their situation should be aware, that their conduct creates a 
substantial risk of disclosure of information and to disregard such 
risk constitutes a gross deviation from reasonable conduct. A 
``substantial risk'' represents a significant threshold, more than the 
mere possibility of disclosure of patient safety work product. Whether 
a risk is ``substantial'' is a fact-specific inquiry. Additionally, 
whether a reasonable person in the situation should know of a risk is 
based on context. For example, an employee whose job duties regularly 
involve working with sensitive patient information may be expected to 
know of disclosure risks of which other types of employees may 
reasonably be unaware.
    Finally, the disregarding of the risk must be a gross deviation 
from reasonable conduct. This gross deviation standard is commonly used 
to describe reckless conduct. See, e.g., Model Penal Code Sec.  
2A1.4(2006), definition of ``reckless'' for purposes of involuntary 
manslaughter; Black's Law Dictionary (8th ed., 2004). This does not 
mean that the conduct itself must be a gross deviation from reasonable 
conduct. Rather, the standard is whether the disregarding of the risk 
was a gross deviation (i.e., whether a reasonable person who is aware 
of the substantial risk of making an impermissible disclosure would 
find going forward despite the risk to be grossly unreasonable). Thus, 
disclosures that violate this Part and occur because an individual 
acted despite knowing of, or having reason to know of, a grossly 
unreasonable risk of disclosure are punishable by civil money penalty, 
regardless of whether such conduct may otherwise be widespread in the 
industry.
    An example of a reckless disclosure of identifiable patient safety 
work product would be leaving a laptop unattended in a public area and 
accessible to unauthorized persons with identifiable patient safety 
work product displayed on the laptop screen. Such a situation would be 
reckless because it would create a substantial risk of disclosure of 
the information displayed on the laptop screen. If a person did not 
remove the identifiable patient safety work product from the laptop 
screen or take other measures to prevent the public view of the laptop 
screen, then leaving the laptop unattended would be a disregard for the 
substantial risk of disclosure that would be a gross deviation from 
reasonable conduct. Under these circumstances, the person leaving the 
laptop unattended could be liable for a civil money penalty.
    The use of the term ``shall be subject to'' in section 922(f) of 
the Public Health Service Act, 42 U.S.C. 299b-22(f), conveys authority 
to the Secretary to exercise discretion as to whether to impose a 
penalty for a knowing or reckless violation of the confidentiality 
provisions. Based on the nature and circumstances of a violation and 
whether such violation was done in a knowing or reckless manner, the 
Secretary may impose a civil money penalty, require a corrective action 
plan, or seek voluntary compliance with these regulations.
    Even in cases that constitute violations of the confidentiality 
provisions, the Secretary may exercise discretion. For example, in a 
situation where a provider makes a good faith attempt to assert the 
patient safety work product privilege, but is nevertheless ordered by a 
court to make a disclosure, and the provider does so, the Secretary 
could elect not to impose a civil money penalty. Thus, for example, it 
is not the Secretary's intention to impose a civil money penalty on a 
provider ordered by a court to produce patient safety work product 
where the provider has deliberately and in good faith undertaken 
reasonable steps to avoid such production and is, nevertheless, faced 
with compelled production or being held in contempt of court.
    Similarly, an individual may innocently come into possession of 
information, unaware of the fact that the information is patient safety 
work product, and may innocently share the information in a manner not 
permitted by the confidentiality provisions. In such circumstances, the 
Secretary would look at the facts and circumstances of the case and 
could elect not to impose a penalty. Relevant facts and circumstances 
might include the individual's relationship with the source of the 
information (e.g., whether the information originated with a health 
care provider or a patient safety organization for which the individual 
was employed); whether, and the extent to which, the individual had a 
basis to know the information was patient safety work product or to 
know that the information was confidential; to whom the information was 
disclosed; and the intent of the individual in making the disclosure.
(B) Proposed Sec.  3.402(b)--Violations Attributed to a Principal
    The proposed rule includes a provision, at proposed Sec.  3.402(b), 
that addresses the liability of a principal for a violation by a 
principal's agent. Proposed Sec.  3.402(b) adopts the principle that 
the federal common law of agency applies when addressing the liability 
of a principal for the acts of his or her agent. Under this principle, 
a provider, PSO or responsible person generally can be held liable for 
a violation based on the actions of any agent, including an employee or 
other workforce member, acting within the scope of the agency or 
employment. This liability is separate from the underlying liability 
attributable to the agent and could result in a separate and exclusive 
civil money penalty. In other words, a principal may be liable for a 
$10,000 civil money penalty and an agent may be liable for a separate 
$10,000 civil money penalty arising from the same act that is a 
violation.
    Section 922(f)(2) of the Public Health Service Act, 42 U.S.C. 299b-
22(f)(2), provides that ``the provisions of section 1128A * * * shall 
apply to civil money penalties under this subsection [of the Patient 
Safety Act] in the same manner as such provisions apply to a penalty or 
proceeding under section 1128A.'' Section 1128A(l) of the Social 
Security Act, 42 U.S.C. 1320a-7a(l), establishes that ``a principal is 
liable for penalties * * * under this section for the actions of the 
principal's agents acting within the scope of the agency.'' This is 
similar

[[Page 8159]]

to the traditional rule of agency in which principals are vicariously 
liable for the acts of their agents acting within the scope of their 
authority. See Meyer v. Holley, 537 U.S. 280 (2003). Therefore, a 
provider, PSO or responsible person generally will be responsible for 
the actions of its workforce members within the scope of agency, such 
as where an employee discloses confidential patient safety work product 
in violation of the confidentiality provisions during the course of his 
or her employment.
    The determination of whether or not a principal is responsible for 
a violation would be based on two fact-dependent determinations. First, 
the Secretary must find that a principal-agent relationship exists 
between the person doing the violative act and the principal. If a 
principal-agent relationship is established, then a second 
determination, whether the act in violation of the confidentiality 
provisions was within the scope of the agency, must be made. The 
determination as to whether an agent's conduct is outside the scope of 
the agency will be dependent upon the application of the federal common 
law of agency to the facts.
    The purpose of applying the federal common law of agency to 
determine when a provider, PSO, or responsible person is vicariously 
liable for the acts of its agents is to achieve nationwide uniformity 
in the implementation of the confidentiality provisions and nationwide 
consistency in the enforcement of these rules by OCR. Reliance on State 
law could introduce inconsistency in the implementation of the patient 
safety work product confidentiality provisions by persons or entities 
in different States.
Federal Common Law of Agency
    A principal's liability for the actions of its agents is generally 
governed by State law. However, the U.S. Supreme Court has provided 
that the federal common law of agency may be applied where there is a 
strong governmental interest in nationwide uniformity and a predictable 
standard, and when the federal rule in question is interpreting a 
federal statute. Burlington Indus. v. Ellerth, 524 U.S. 742 (1998).
    The confidentiality and enforcement provisions of this regulation 
interpret a federal statute, the Patient Safety Act. Under the Patient 
Safety Act, there is a strong interest in nationwide uniformity in the 
confidentiality provisions and how those provisions are enforced. The 
fundamental goal of the Patient Safety Act is to promote the 
examination and correction of patient safety events in order to improve 
patient safety and create a culture of patient safety in the health 
care system. Therefore, it is essential for the Secretary to apply one 
consistent body of law regardless of where an agent is employed, an 
alleged violation occurred, or an action is brought. The same 
considerations support a strong federal interest in the predictable 
operation of the confidentiality provisions, to ensure that persons 
using patient safety work product can do so consistently so as to 
facilitate the appropriate exchange of information. Thus, the tests for 
application of the federal common law of agency are met.
    Where the federal common law of agency applies, the courts often 
look to the Restatement (Second) of Agency (1958) (Restatement) as a 
basis for explaining the common law's application. While the 
determination of whether an agent is acting within the scope of its 
authority must be decided on a case-by-case basis, the Restatement 
provides guidelines for this determination. Section 229 of the 
Restatement provides:
    (1) To be within the scope of the employment, conduct must be of 
the same general nature as that authorized, or incidental to the 
conduct authorized.
    (2) In determining whether or not the conduct, although not 
authorized, is nevertheless so similar to or incidental to the conduct 
authorized as to be within the scope of employment, the following 
matters of fact are to be considered;
    (a) Whether or not the act is one commonly done by such servants;
    (b) The time, place and purpose of the act;
    (c) The previous relations between the master and the servant;
    (d) The extent to which the business of the master is apportioned 
between different servants;
    (e) Whether or not the act is outside the enterprise of the master 
or, if within the enterprise, has not been entrusted to any servant;
    (f) Whether or not the master has reason to expect that such an act 
will be done;
    (g) The similarity in quality of the act done to the act 
authorized;
    (h) Whether or not the instrumentality by which the harm is done 
has been furnished by the master to the servant;
    (i) The extent of departure from the normal method of accomplishing 
an authorized result; and
    (j) Whether or not the act is seriously criminal.
    In some cases, under federal agency law, a principal may be liable 
for an agent's acts even if the agent acts outside the scope of its 
authority. Restatement (Second) of Agency section 219 (1958). However, 
proposed Sec.  3.402(b) would follow section 1128A(l) of the Social 
Security Act, 42 U.S.C. 1320a-7a(l), which limits liability for the 
actions of an agent to those actions that are within the scope of the 
agency.
Agents
    Various categories of persons may be agents of a provider, PSO, or 
responsible person. These persons include workforce members. We propose 
a slightly expanded definition of ``workforce'' from the term defined 
in the HIPAA Privacy Rule. The proposed definition of ``workforce'' 
includes employees, volunteers, trainees, contractors, and other 
persons whose conduct, in the performance of work for a provider, PSO 
or responsible person, is under the direct control of such principal, 
whether or not they are paid by the principal. Because of the ``direct 
control'' language of the proposed rule, we believe that all workforce 
members, including those who are not employees, are agents of a 
principal. Under the proposed rule, a principal could be liable for a 
violation based on an act that is a violation by any workforce member 
acting within the scope of employment or agency. The determinative 
issue is whether a person is sufficiently under the control of a person 
or entity and acting within the scope of the agency. Proposed Sec.  
3.402(b) creates a presumption that a workforce member is an agent of 
an employer.
8. Proposed Sec.  3.404--Amount of Civil Money Penalty
    Proposed Sec.  3.404, the amount of the civil money penalty, is 
determined in accordance with section 922(f) of the Public Health 
Service Act, 42 U.S.C. 299b-22(f), and the provisions of this Part. 
Section 922(f)(1) of the Public Health Service Act, 42 U.S.C. 299b-
22(f)(1), establishes a maximum penalty amount for violations of ``not 
more than $10,000'' per person for each violation. The statutory cap is 
reflected in proposed Sec.  3.404(b).
    The statute establishes only maximum penalty amounts, so the 
Secretary has the discretion to impose penalties that are less than the 
statutory maximum. This proposed regulation would not establish minimum 
penalties. Under proposed Sec.  3.404(a), the penalty amount would be 
determined using the factors set forth in proposed Sec.  3.408, subject 
to the statutory maximum reflected in proposed Sec.  3.404(b).
    As stated in the discussion under proposed Sec.  3.402(b), a 
principal can be

[[Page 8160]]

held liable for the acts of its agent acting within the scope of the 
agency. Read together, with proposed Sec.  3.404(b), if a principal and 
an agent are determined to be liable for a single act that is a 
violation, the Secretary may impose a penalty of up to $10,000 against 
each separately. That is, the $10,000 limit applies to each person 
separately, not the act that was a violation. Thus, in the circumstance 
where an agent and a principal are determined to have violated the 
confidentiality provisions, the Secretary may impose a civil money 
penalty of up to $10,000 against the agent and a civil money penalty of 
up to $10,000 against the principal, for a total of $20,000 for a 
single act that is a violation.
9. Proposed Sec.  3.408--Factors Considered in Determining the Amount 
of a Civil Money Penalty
    Section 1128A(d) of the Social Security Act, 42 U.S.C. 1320a-7a(d), 
made applicable to the imposition of civil money penalties by section 
922(f)(2) of the Public Health Service Act, 42 U.S.C. 299b-22(f)(2), 
requires that, in determining the amount of ``any penalty,'' the 
Secretary shall take into account: (1) The nature of the claims and the 
circumstances under which they were presented, (2) the degree of 
culpability, history of prior offenses, and financial condition of the 
person presenting the claims, and (3) such other matters as justice may 
require. This language establishes factors to be considered in 
determining the amount of a civil money penalty.
    This approach is taken in other regulations that cross-reference 
section 1128A of the Social Security Act, 42 U.S.C. 1320a-7a, which 
rely on these factors for purposes of determining civil money penalty 
amounts. See, for example, 45 CFR 160.408. The factors listed in 
section 1128A(d) of the Social Security Act, 42 U.S.C. 1320a-7a(d), 
were drafted to apply to violations involving claims for payment under 
federally funded health programs. Because Patient Safety Act violations 
will not be about specific claims, we propose to tailor the section 
1128A(d) factors to violations of the confidentiality provisions and 
further particularize the statutory factors by providing discrete 
criteria, as done in the HIPAA Enforcement Rule and the OIG regulations 
that implement section 1128A of the Social Security Act, 42 U.S.C. 
1320a-7a. Consistent with these other regulations, and to provide more 
guidance to providers, PSOs, and responsible persons as to the factors 
that would be used in calculating civil money penalties, we propose the 
following detailed factors:
    (1) The nature of the violation.
    (2) The circumstances and consequences of the violation, including 
the time period during which the violation occurred; and whether the 
violation caused physical or financial harm or reputational damage.
    (3) The degree of culpability of the respondent, including whether 
the violation was intentional, and whether the violation was beyond the 
direct control of the respondent.
    (4) Any history of prior compliance with the confidentiality 
provisions, including violations, by the respondent, and whether the 
current violation is the same as or similar to prior violation(s), 
whether and to what extent the respondent has attempted to correct 
previous violations, how the respondent has responded to technical 
assistance from the Secretary provided in the context of a compliance 
effort, and how the respondent has responded to prior complaints.
    (5) The financial condition of the respondent, including whether 
the respondent had financial difficulties that affected its ability to 
comply, whether the imposition of a civil money penalty would 
jeopardize the ability of the respondent to continue to provide health 
care or patient safety activities, and the size of the respondent.
    (6) Such other matters as justice may require.
    For further discussion of these factors, please see the preambles 
to the Interim Final Rule and the Final Rule for the HIPAA Enforcement 
Rule at 70 FR 20235-36, Apr. 18, 2005, and 71 FR 8407-09, Feb. 16, 
2006. Meeting certain conditions, such as financial condition, is a 
fact-specific determination based upon the individual circumstances of 
the situation presented.
    We seek comments regarding whether the above list of factors should 
be expanded to expressly include a factor for persons who self-report 
disclosures that may potentially violate the confidentiality provisions 
such that voluntary self-reporting would be a mitigating consideration 
when assessing a civil money penalty. Voluntary self-reporting may 
encourage persons to report breaches of confidentiality, particularly 
breaches that may otherwise go unnoticed, and to demonstrate the 
security practices that led to the discovery of the breach and how the 
breach has been remedied. However, including self-reporting as a factor 
may be viewed incorrectly as an additional reporting obligation to 
report every potentially impermissible disclosure, thereby, 
unnecessarily increasing administrative burdens on the Department and 
the individuals or entities making the self-reporting, or it may 
interfere with obligations to identified persons, particularly when a 
negotiated, contractual relationship between a provider and a PSO 
exists that addresses how the parties are to deal with breaches.
    Respondents are responsible for raising any issues that pertain to 
any of the factors to the Secretary within 30 days after receiving 
notice from the Secretary that informal resolution attempts have not 
resolved the issue in accordance with proposed Sec.  3.312(a)(3)(i). 
The Secretary is under no obligation to affirmatively raise any 
mitigating factor if a respondent fails to identify the issue. See 
proposed Sec.  3.504(p).
    In many regulations that implement section 1128A of the Social 
Security Act, 42 U.S.C. 1320a-7a, the statutory factors and/or the 
discrete criteria are designated as either aggravating or mitigating. 
For example, at 42 CFR 1003.106(b)(3) of the OIG regulations, ``history 
of prior offenses'' is listed as an aggravating factor and is 
applicable as a factor to a narrow range of prohibited conduct. 
However, because proposed Sec.  3.408 will apply to a variety of 
persons and circumstances, we propose that factors may be aggravating 
or mitigating, depending on the context. For example, the factor ``time 
period during which the violation(s) occurred'' could be an aggravating 
factor if the respondent's violation went undetected for a long period 
of time or undetected actions resulted in multiple violations, but 
could be a mitigating factor if a violation was detected and corrected 
quickly. This approach is consistent with other regulations 
implementing section 1128A of the Social Security Act, 42 U.S.C. 1320a-
7a. See, for example, 45 CFR 160.408.
    We propose to leave to the Secretary's discretion the decision 
regarding when aggravating and mitigating factors will be taken into 
account in determining the amount of a civil money penalty. The facts 
of each violation will drive the determination of whether a particular 
factor is aggravating or mitigating.
10. Proposed Sec.  3.414--Limitations
    Proposed Sec.  3.414 sets forth the 6-year limitations period on 
initiating an action for imposition of a civil money penalty provided 
for by section 1128A(c)(1) of the Social Security Act, 42 U.S.C. 1320a-
7a(c)(1). We propose the date of the occurrence of the violation be the 
date from which the limitation period begins.

[[Page 8161]]

11. Proposed Sec.  3.416--Authority to Settle
    Proposed Sec.  3.416 states the authority of the Secretary to 
settle any issue or case or to compromise any penalty during the 
process addressed in this Part, including cases that are in hearing. 
The first sentence of section 1128A(f) of the Social Security Act, 42 
U.S.C. 1320a-7a(f), made applicable by section 922(f)(2) of the Public 
Health Service Act, 42 U.S.C. 299b-22(f)(2), states, in part, ``civil 
money penalties * * * imposed under this section may be compromised by 
the Secretary.'' This authority to settle is the same as that set forth 
in 45 CFR 160.416 of the HIPAA Enforcement Rule.
12. Proposed Sec.  3.418--Exclusivity of Penalty
    Proposed Sec.  3.418 makes clear that, except as noted below, 
penalties imposed under this Part are not intended to be exclusive 
where a violation under this Part may also be a violation of, and 
subject the respondent to, penalties under another federal or State 
law. This provision is modeled on 42 CFR 1003.108 of the OIG 
regulations.
    Proposed Sec.  3.418(b) repeats the statutory prohibition against 
imposing a penalty under both the Patient Safety Act and under HIPAA 
for a single act or omission that constitutes a violation of both the 
Patient Safety Act and HIPAA. Congress recognized that there could be 
overlap between the confidentiality provisions and the HIPAA Privacy 
Rule. Because identifiable patient safety work product includes 
individually identifiable health information as defined under the HIPAA 
Privacy Rule, HIPAA covered entities could be liable for violations of 
the HIPAA Privacy Rule based upon a single disclosure of identifiable 
patient safety work product. We tentatively interpret the Patient 
Safety Act as only prohibiting the imposition of a civil money penalty 
under the Patient Safety Act when there have been civil, as opposed to 
criminal, penalties imposed on the respondent under the HIPAA Privacy 
Rule for the same single act or omission. In other words, a person 
could have a civil money penalty imposed against him under the Patient 
Safety Act as well as a criminal penalty under HIPAA for the same act 
or omission. However, an act that amounts to a civil violation of both 
the confidentiality provisions and the HIPAA Privacy Rule would be 
enforceable under either authority, but not both.
    The decision regarding which statute applies to a particular 
situation will be made based upon the facts of individual situations. 
HIPAA covered entities that seek to disclose confidential patient 
safety work product that contains protected health information must 
know when such disclosure is permissible under both statutes.
13. Proposed Sec.  3.420--Notice of Proposed Determination
    Proposed Sec.  3.420 sets forth the requirements for the notice to 
a respondent sent when the Secretary proposes a penalty under this 
Part. This notice implements the requirement for notice contained in 
section 1128A(c)(1) of the Social Security Act, 42 U.S.C. 1320a-
7a(c)(1). These requirements are substantially the same as those in the 
HIPAA Enforcement Rule at 45 CFR 160.420, except for the removal of 
provisions related to statistical sampling.
    The notice provided for in this section must be given whenever a 
civil money penalty is proposed. The proposed requirements of this 
section serve to inform any person under investigation of the basis for 
the Secretary's proposed civil money penalty determination. These 
requirements include the statutory basis for a penalty, a description 
of the findings of fact regarding the violation, the reasons the 
violation causes liability, the amount of the proposed penalty, factors 
considered under proposed Sec.  3.408 in determining the amount of the 
penalty, and instructions for responding to the notice, including the 
right to a hearing.
    At this point in the process, the Secretary may also send a notice 
of proposed determination to a principal based upon liability for a 
violation under proposed Sec.  3.402(b).
14. Proposed Sec.  3.422--Failure To Request a Hearing
    Under proposed Sec.  3.422, when a respondent does not timely 
request a hearing on a proposed civil money penalty, the Secretary may 
impose the civil money penalty or any less severe civil money penalty 
permitted by section 1128A(d)(5) of the Social Security Act, 42 U.S.C. 
1320a-7a(d)(5). Once the time has expired for the respondent to file 
for an appeal, the Secretary will decide whether to impose the civil 
money penalty and provide notice to the respondent of the civil money 
penalty. If the Secretary does pursue a civil money penalty, the civil 
money penalty is final, and the respondent has no right to appeal a 
civil money penalty imposed under these circumstances. This section is 
similar to 45 CFR 160.422 of the HIPAA Enforcement Rule.
    For purposes of determining when subsequent actions may commence, 
such as collection of an imposed civil money penalty, we propose that 
the penalty be final upon receipt of a penalty notice sent by certified 
mail return receipt requested.
15. Proposed Sec.  3.424--Collection of Penalty
    Proposed Sec.  3.424 provides that once a determination to impose a 
civil money penalty has become final, the civil money penalty must be 
collected by the Secretary, unless compromised, and prescribes the 
methods for collection. We propose that civil money penalties be 
collected as set forth under the HIPAA Enforcement Rule at 45 CFR 
160.424, except that the term ``this part'' shall refer to 42 CFR Part 
3. The modification is made for the provision to refer to the 
appropriate authority.
16. Proposed Sec.  3.426--Notification of the Public and Other Agencies
    Proposed Sec.  3.426 would implement section 1128A(h) of the Social 
Security Act, 42 U.S.C. 1320a-7a(h). When a civil money penalty 
proposed by the Secretary becomes final, section 1128A(h) of the Social 
Security Act, 42 U.S.C. 1320a-7a(h), directs the Secretary to notify 
appropriate State or local agencies, organizations, and associations 
and to provide the reasons for the civil money penalty. We propose to 
add the public generally as a group that may receive notice, in order 
to make the information available to anyone who must make decisions 
with respect to persons that have had a civil money penalty imposed for 
violation of the confidentiality provisions. For instance, knowledge of 
the imposition of a civil money penalty for violation of the Patient 
Safety Act could be important to hospitals, other health care 
organizations, health care consumers, as well as to current and future 
business partners throughout the industry.
    The basis for this public notice portion lies in the Freedom of 
Information Act, 5 U.S.C. 552. The Freedom of Information Act requires 
final opinions and orders made in adjudication cases to be made 
available for public inspection and copying. See 5 U.S.C. 552(a)(2)(A). 
While it is true that section 1128A(h) of the Social Security Act, 42 
U.S.C. 1320a-7a(h), does not require that such notice be given to the 
public, neither does it prohibit such wider dissemination of that 
information, and nothing in section 1128A(h) of the Social Security 
Act, 42 U.S.C. 1320a-7a(h), suggests that it modifies the Secretary's 
obligations under the Freedom of Information Act.

[[Page 8162]]

The Freedom of Information Act requires making final orders or opinions 
available for public inspection and copying by ``computer 
telecommunication * * * or other electronic means,'' which would 
encompass a display on the Department's Web site. See 5 U.S.C. 
552(a)(2).
    A civil money penalty is considered to be final, for purposes of 
notification, when it is a final agency action (i.e., the time for 
administrative appeal has run or the adverse administrative finding has 
otherwise become final). The final opinion or order that is subject to 
the notification provisions of this section is the notice of proposed 
determination, if a request for hearing is not timely filed, the 
decision of the ALJ, if that is not appealed, or the final decision of 
the Board.
    Currently final decisions of the ALJs and the Board are made public 
via the Board's Web site. See http://www.hhs.gov/dab/search.html. Such 
postings, however, would not include penalties that become final 
because a request for hearing was not filed under proposed Sec.  
3.504(a). Under proposed Sec.  3.426, notices of proposed determination 
under proposed Sec.  3.420 that become final because a hearing has not 
been timely requested, would also be made available for public 
inspection and copying as final orders, with appropriate redaction of 
any patient safety work product or other confidential information, via 
OCR's Web site. See the OCR patient safety Web site at http://www.hhs.gov/ocr/PSQIA. By making the entire final opinion or order 
available to the public, the facts underlying the penalty determination 
and the law applied to those facts will be apparent. Given that 
information, the public may discern the nature and extent of the 
violation as well as the basis for imposition of the civil money 
penalty.
    The regulatory language would provide for notification in such 
manner as the Secretary deems appropriate. Posting to a Department Web 
site and/or the periodic publication of a notice in the Federal 
Register are among the methods which the Secretary is considering using 
for the efficient dissemination of such information. These methods 
would avoid the need for the Secretary to determine which entities, 
among a potentially large universe, should be notified and would also 
permit the general public served by providers, PSOs, and responsible 
persons upon whom civil money penalties have been imposed--as well as 
their business partners--to be apprised of this fact, where that 
information is of interest to them. While the Secretary could provide 
notice to individual agencies where desired, the Secretary could, at 
his option, use a single public method of notice, such as posting to a 
Department Web site, to satisfy the obligation to notify the specified 
agencies and the public.
17. Proposed Sec.  3.504--Procedures for Hearings
    Proposed Sec.  3.504 is a compilation of procedures related to 
administrative hearings on civil money penalties imposed by the 
Secretary. The proposed section sets forth the authority of the ALJ, 
the rights and burdens of proof of the parties, requirements for the 
exchange of information and pre-hearing, hearing, and post-hearing 
processes. These individual sections are described in greater detail 
below.
    This proposed section cross-references the HIPAA Enforcement Rule 
extensively due to the similar nature of the enforcement and appeal 
procedures, the nature of the issues and substance presented, and the 
parties most affected by these proposed regulations. We intend that the 
provisions of the HIPAA Enforcement Rule will be applied to the 
imposition of civil money penalties under this Subpart in the same 
manner as they are applied to violations of the HIPAA administrative 
simplification provisions, subject to any modifications set forth in 
proposed Sec.  3.504. We believe the best and most efficient manner of 
achieving this result is through explicitly referencing and adopting 
the relevant provisions of the HIPAA Enforcement Rule. Where 
modifications are necessary to address the differences between the 
appeals of determinations under the HIPAA Enforcement Rule and the 
Patient Safety Act, we have made specific exceptions that we discuss 
below.
    We note that the recently published Notice of Proposed Rulemaking 
entitled ``Revisions to Procedures for the Departmental Appeals Board 
and Other Departmental Hearings'' (see 72 FR 73708 (December 28, 2007)) 
proposes to modify the HIPAA Enforcement Rule, which we reference 
extensively in this proposed rule. Our intent for the patient safety 
regulations would be to maintain the alignment between the patient 
safety enforcement process and the HIPAA Enforcement Rule, as stated 
previously. Should the amendments to the HIPAA Enforcement Rule become 
final based on that Notice of Proposed Rulemaking, our intent would be 
to incorporate those changes in any final rulemaking here. That Notice 
of Proposed Rulemaking proposes to amend 45 CFR 160.508(c) and 45 CFR 
160.548, and to add a new provision, 45 CFR 160.554, providing that the 
Secretary may review all ALJ decisions that the Board has declined to 
review and all Board decisions for error in applying statutes, 
regulations or interpretive policy.
18. Proposed Sec.  3.504(a)--Hearings Before an ALJ
    Proposed Sec.  3.504(a) provides the time and manner in which a 
hearing must be requested, or dismissed when not timely requested. This 
proposed section applies the same regulations as the HIPAA Enforcement 
Rule cited at 45 CFR 160.504(a)-(d), except that the language in 
paragraph (c) of 45 CFR 160.504 following and including ``except that'' 
does not apply. The excluded provision refers to the ability of 
respondents to raise an affirmative defense under 45 CFR 160.410(b)(1) 
for which we have not adopted a comparable provision because the 
provision implements a statutory defense unique to HIPAA.
19. Proposed Sec.  3.504(b)--Rights of the Parties
    Proposed Sec.  3.504(b) provides that the rights of the parties not 
specifically provided elsewhere in this Part shall be the same as those 
provided in 45 CFR 160.506 of the HIPAA Enforcement Rule.
20. Proposed Sec.  3.504(c)--Authority of the ALJ
    Proposed Sec.  3.504(c) provides that the general guidelines and 
authority of the ALJ shall be the same as provided in the HIPAA 
Enforcement Rule at 45 CFR 160.508(a)-(c)(4). We exclude the provision 
at 45 CFR 160.508(c)(5) because there is no requirement under the 
Patient Safety Act for remedied violations based on reasonable cause to 
be insulated from liability for a civil money penalty.
21. Proposed Sec.  3.504(d)--Ex parte Contacts
    Proposed Sec.  3.504(d) is designed to ensure the fairness of the 
hearing by prohibiting ex-parte contacts with the ALJ on matters at 
issue. We propose to incorporate the same restrictions as provided for 
in the HIPAA Enforcement Rule at 45 CFR 160.510.
22. Proposed Sec.  3.504(e)--Prehearing Conferences
    Proposed Sec.  3.504(e) adopts the same provisions as govern 
prehearing conferences in the HIPAA Enforcement Rule at 45 CFR 160.512, 
except that the term ``identifiable patient safety work product'' is 
substituted for ``individually identifiable health

[[Page 8163]]

information.'' Under this proposed provision, the ALJ is required to 
schedule at least one prehearing conference, in order to narrow the 
issues to be addressed at the hearing and, thus, expedite the formal 
hearing process, and to prescribe a timeframe for prehearings.
23. Proposed Sec.  3.504(f)--Authority To Settle
    Proposed Sec.  3.504(f) adopts 45 CFR 160.514 of the HIPAA 
Enforcement Rule. This proposal provides that the Secretary has 
exclusive authority to settle any issue or case at any time and need 
not obtain the consent of the ALJ.
24. Proposed Sec.  3.504(g)--Discovery
    We propose in Sec.  3.504(g) to adopt the discovery procedures as 
provided for in the HIPAA Enforcement Rule at 45 CFR 160.516. These 
provisions allow limited discovery in the form of the production for 
inspection and copying of documents that are relevant and material to 
the issues before the ALJ. These provisions do not authorize other 
forms of discovery, such as depositions and interrogatories.
    Although the adoption of 45 CFR 160.516 would permit parties to 
raise claims of privilege and permit an ALJ to deny a motion to compel 
privileged information, a respondent could not claim privilege, and an 
ALJ could not deny a motion to compel, if the Secretary seeks patient 
safety work product relevant to the alleged confidentiality violation 
because the patient safety work product would not be privileged under 
proposed Sec.  3.204(c).
    Under this proposal, a respondent concerned with potential public 
access to patient safety work product may raise the issue before the 
ALJ and seek a protective order. The ALJ may, for good cause shown, 
order appropriate redactions made to the record after hearing. See 
proposed Sec.  3.504(s).
25. Proposed Sec.  3.504(h)--Exchange of Witness Lists, Witness 
Statements, and Exhibits
    Proposed Sec.  3.504(h) provides for the prehearing exchange of 
certain documents, including witness lists, copies of prior statements 
of witnesses, and copies of hearing exhibits. We propose that the 
requirements set forth in 45 CFR 160.518 of the HIPAA Enforcement Rule 
shall apply, except that the language in paragraph (a) of 45 CFR 
160.518 following and including ``except that'' shall not apply. We 
exclude the provisions relating to the provision of a statistical 
expert's report not less than 30 days before a scheduled hearing 
because we do not propose language permitting the use of statistical 
sampling to estimate the number of violations.
26. Proposed Sec.  3.504(i)--Subpoenas for Attendance at Hearing
    Proposed Sec.  3.504(i) provides procedures for the ALJ to issue 
subpoenas for witnesses to appear at a hearing and for parties and 
prospective witnesses to contest such subpoenas. We propose to adopt 
the same regulations as provided at 45 CFR 160.520 of the HIPAA 
Enforcement Rule.
27. Proposed Sec.  3.504(j)--Fees
    Proposed Sec.  3.504(j) provides for the payment of witness fees by 
the party requesting a subpoena. We propose that the fees requirements 
be the same as those provided in 45 CFR 160.522 of the HIPAA 
Enforcement Rule.
28. Proposed Sec.  3.504(k)--Form, Filing and Service of Papers
    Proposed Sec.  3.504(k) provides requirements for documents filed 
with the ALJ. We propose to adopt the requirements of 45 CFR 160.524 of 
the HIPAA Enforcement Rule.
29. Proposed Sec.  3.504(l)--Computation of Time
    Proposed Sec.  3.504(l) provides the method for computing time 
periods under this Part. We propose to adopt the requirements of 45 CFR 
160.526 of the HIPAA Enforcement Rule, except the term ``this subpart'' 
shall refer to 42 CFR Part 3, Subpart D and the citation ``Sec.  
3.504(a) of 42 CFR Part 3'' shall be substituted for the citation 
``Sec.  160.504.''
30. Proposed Sec.  3.504(m)--Motions
    Proposed Sec.  3.504(m) provides requirements for the content of 
motions and the time allowed for responses. We propose to adopt the 
requirements of 45 CFR 160.528 of the HIPAA Enforcement Rule.
31. Proposed Sec.  3.504(n)--Sanctions
    Proposed Sec.  3.504(n) provides the sanctions an ALJ may impose on 
parties and their representatives for failing to comply with an order 
or procedure, failing to defend an action, or other misconduct. We 
propose to adopt the provisions of 45 CFR 160.530 of the HIPAA 
Enforcement Rule.
32. Proposed Sec.  3.504(o)--Collateral Estoppel
    Proposed Sec.  3.504(o) would adopt the doctrine of collateral 
estoppel with respect to a final decision of an administrative agency. 
Collateral estoppel means that determinations made with respect to 
issues litigated and determined in a proceeding between two parties 
will bind the respective parties in later disputes concerning the same 
issues and parties. We propose to adopt the provisions of 45 CFR 
160.532 of the HIPAA Enforcement Rule, except that the term ``a 
confidentiality provision'' shall be substituted for the term ``an 
administrative simplification provision''.
33. Proposed Sec.  3.504(p)--The Hearing
    Proposed Sec.  3.504(p) provides for a public hearing on the 
record, the burden of proof at the hearing and the admission of 
rebuttal evidence. We propose to adopt the provisions of 45 CFR 160.534 
of the HIPAA Enforcement Rule, except the following text shall be 
substituted for Sec.  160.534(b)(1): ``The respondent has the burden of 
going forward and the burden of persuasion with respect to any 
challenge to the amount of a proposed penalty pursuant to Sec. Sec.  
3.404-3.408 of 42 CFR Part 3, including any factors raised as 
mitigating factors.'' We propose to adopt this new language for Sec.  
160.534(b)(1) because references to affirmative defenses in the 
excluded text are not applicable in the context of the Patient Safety 
Act as such defenses are under the HIPAA Enforcement Rule; nor does the 
Patient Safety Act include provisions for the waiver or reduction of a 
civil money penalty in accordance with 45 CFR 160.412.
    45 CFR 160.534(c) states that the hearing must be open to the 
public unless otherwise ordered by the ALJ for good cause shown. In 
proposed Sec.  3.504(p) of this Subpart, we propose that good cause 
shown under 45 CFR 160.534(c) may be that identifiable patient safety 
work product has been introduced into evidence or is expected to be 
introduced into evidence. Protecting patient safety work product is 
important and is an issue about which all parties and the ALJ should be 
concerned.
34. Proposed Sec.  3.504(q)--Witnesses
    Under proposed Sec.  3.504(q), the ALJ may allow oral testimony to 
be admitted or provided in the form of a written statement or 
deposition so long as the opposing party has a sufficient opportunity 
to subpoena the person whose statement is being offered. We propose to 
adopt the provisions of 45 CFR 160.538 of the HIPAA Enforcement Rule, 
except that the citation ``Sec.  3.504(h) of 42 CFR Part 3'' shall be 
substituted for the citation ``Sec.  160.518.''

[[Page 8164]]

35. Proposed Sec.  3.504(r)--Evidence
    Proposed Sec.  3.504(r) would provide guidelines for the acceptance 
of evidence in hearings. We propose to adopt the provisions of 45 CFR 
160.540 of the HIPAA Enforcement Rule, except that the citation ``Sec.  
3.420 of 42 CFR Part 3'' shall be substituted for the citation ``Sec.  
160.420 of this part''.
    In the same manner as the exception to privilege for enforcement 
activities under Sec.  3.204(c) applies to proposed Sec.  3.504(g), the 
exception to privilege applies under proposed Sec.  3.504(r) as well. 
Although the adoption of 45 CFR 160.540(e) would permit parties to 
raise claims of privilege and permit an ALJ to exclude from evidence 
privileged information, a respondent could not claim privilege and an 
ALJ could not exclude identifiable patient safety work product if the 
Secretary seeks to introduce that patient safety work product because 
disclosure of the patient safety work product would not be a violation 
of the privilege and confidentiality provisions under proposed Sec.  
3.204(c).
36. Proposed Sec.  3.504(s)--The Record
    Proposed Sec.  3.504(s) provides for recording and transcription of 
the hearing, and for the record to be available for inspection and 
copying by any person. We propose to adopt the provisions at 45 CFR 
160.542 of the HIPAA Enforcement Rule. We also propose to provide that 
good cause for making appropriate redactions includes the presence of 
identifiable patient safety work product in the record.
37. Proposed Sec.  3.504(t)--Post-Hearing Briefs
    Proposed Sec.  3.504(t) provides that the ALJ has the discretion to 
order post-hearing briefs, although the parties may file post-hearing 
briefs in any event if they desire. We propose to adopt the provisions 
of 45 CFR 160.544 of the HIPAA Enforcement Rule.
38. Proposed Sec.  3.504(u)--ALJ's Decision
    Proposed Sec.  3.504(u) provides that not later than 60 days after 
the filing of post-hearing briefs, the ALJ shall serve on the parties a 
decision making specific findings of fact and conclusions of law. The 
ALJ's decision is the final decision of the Secretary, and will be 
final and binding on the parties 60 days from the date of service of 
the ALJ decision, unless it is timely appealed by either party. We 
propose to adopt the provisions of 45 CFR 160.546 of the HIPAA 
Enforcement Rule, except the citation ``Sec.  3.504(v) of 42 CFR Part 
3'' shall be substituted for ``Sec.  160.548.''
39. Proposed Sec.  3.504(v)--Appeal of the ALJ's Decision
    Proposed Sec.  3.504(v) provides for manner and time for review of 
an ALJ's decision regarding penalties imposed under this Part and 
subsequent judicial review. We propose to adopt the same provisions as 
45 CFR 160.548 of the HIPAA Enforcement Rule, except the following 
language in paragraph (e) of 45 CFR 160.548 shall not apply: ``Except 
for an affirmative defense under Sec.  160.410(b)(1) of this part.'' We 
exclude this language because the Patient Safety Act does not provide 
for affirmative defenses in the same manner as HIPAA.
40. Proposed Sec.  3.504(w)--Stay of the Secretary's Decision
    Proposed Sec.  3.504(w) provides that a respondent may request a 
stay of the effective date of a penalty pending judicial review. We 
propose to adopt the provisions of 45 CFR 160.550 of the HIPAA 
Enforcement Rule to govern this process.
41. Proposed Sec.  3.504(x)--Harmless Error
    Proposed Sec.  3.504(x) adopts the ``harmless error'' standard as 
expressed in the HIPAA Enforcement Rule at 45 CFR 160.522. This 
proposed rule provides that the ALJ and the Board at every stage of the 
proceeding will disregard any error or defect in the proceeding that 
does not affect the substantial rights of the parties.

IV. Impact Statement and Other Required Analyses

Unfunded Mandates Reform Act

    Section 202 of the Unfunded Mandates Reform Act requires that a 
covered agency prepare a budgetary impact statement before promulgating 
a rule that includes any Federal mandate that may result in the 
expenditure by State, local, and Tribal governments, in the aggregate, 
or by the private sector, of $100 million or more in any one year. The 
Department has determined that this proposed rule would not impose a 
mandate that will result in the expenditure by State, Local, and Tribal 
governments, in the aggregate, or by the private sector, of more than 
$100 million in any one year.

Paperwork Reduction Act

    This notice of proposed rulemaking adding a new Part 3 to volume 42 
of the Code of Federal Regulations contains information collection 
requirements. This summary includes the estimated costs and assumptions 
for the paperwork requirements related to this proposed rule. A copy of 
the information collection request will be available on the PSO Web 
site (www.pso.ahrq.gov) and can be obtained in hardcopy by contacting 
Susan Grinder at the Center for Quality Improvement and Patient Safety, 
AHRQ, (301) 427-1111 (o); (301) 427-1341 (fax). These paperwork 
requirements have been submitted to the Office of Management and Budget 
for review under number xxxx-xxxx as required by 44 U.S.C. 
3507(a)(1)(c) of the Paperwork Reduction Act of 1995, as amended (PRA). 
Respondents are not required to respond to any collection of 
information unless it displays a current valid OMB control number.
    With respect to proposed Sec.  3.102 concerning the submission of 
certifications for initial and continued listing as a PSO, and of 
updated information, all such information would be submitted on Form 
SF-XXXX. To maintain its listing, a PSO must also submit a brief 
attestation, once every 24-month period after its initial date of 
listing, submitted on Form SF-XXXX, stating that it has entered 
contracts with two providers. We estimate that the proposed rule would 
create an average burden of 30 minutes annually for each entity that 
seeks to become a PSO to complete the necessary certification forms. 
Table 1 summarizes burden hours.

       Table 1.--Total Burden Hours Related to Certification Forms
          [Summary of all burden hours, by Provision, for PSOs]
------------------------------------------------------------------------
                 Provision                     Annualized burden hours
------------------------------------------------------------------------
3.112.....................................  30 minutes.
------------------------------------------------------------------------

    HHS is working with OMB to obtain approval of the associated burden 
in accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 
3507(d)) before the effective date of the final rule. Comments on this 
proposed information collection should be directed to Susan Grinder, by 
sending an e-mail to [email protected] or sending a fax to (301) 
427-1341.
    Under 5 CFR 1320.3(c), a covered collection of information includes 
the requirement by an agency of a disclosure of information to third 
parties by means of identical reporting, recordkeeping, or disclosure 
requirements, imposed on ten or more persons. The proposed rule 
reflects the previously established reporting requirements for breach 
of confidentiality applicable to business associates under HIPAA 
regulations requiring contracts top contain a provision requiring the 
business associate (in this case, the PSO) to notify

[[Page 8165]]

providers of breaches of their identifiable patient data's 
confidentiality or security. Accordingly, this reporting requirement 
referenced in the regulation previously met Paperwork Reduction Act 
review requirements.
    The proposed rule requires in proposed Sec.  3.108(c) that a PSO 
notify the Secretary if it intends to relinquish voluntarily its status 
as a PSO. The entity would be required to notify the Secretary that it 
has, or will soon, alert providers and other organizations from which 
it has received patient safety work product or data of its intention 
and provide for the appropriate disposition of the data in consultation 
with each source of patient safety work product or data held by the 
entity. In addition, the entity is asked to provide the Secretary with 
current contact information for further communication from the 
Secretary as the entity ceases operations. The reporting aspect of this 
requirement is essentially an attestation that is equivalent to the 
requirements for listing, continued listing, and meeting the minimum 
contracts requirement. This minimal data requirement would come within 
5 CFR 1320.3(h)(1) which provides an exception from PRA requirements 
for affirmations, certifications, or acknowledgments as long as they 
entail no burden other than that necessary to identify the respondent, 
the date, the respondent's address, and the nature of the instrument. 
In this case, the nature of the instrument would be an attestation that 
the PSO is working with its providers for the orderly cessation of 
activities. The following other collections of information that would 
be required by the proposed regulation under proposed Sec.  3.108 are 
also exempt from PRA requirements pursuant to an exception in 5 CFR 
1320.4 for information gathered as part of administrative 
investigations and actions regarding specific parties: information 
supplied in response to preliminary agency determinations of PSO 
deficiencies or in response to proposed revocation and delisting (e.g., 
information providing the agency with correct facts, reporting 
corrective actions taken, or appealing proposed agency revocation 
decisions).

Federalism

    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a proposed rule (and subsequent 
final rule) that imposes substantial direct requirement costs on state 
and local governments, preempts State law, or otherwise has Federalism 
implications. The Patient Safety Act upon which the proposed regulation 
is based makes patient safety work product confidential and privileged. 
To the extent this would not be consistent with any state law, 
including court decisions, the Federal statute would preempt such state 
law or court order. The proposed rule (and subsequent final rule) will 
not have any greater preemptive effect on state or local governments 
than that imposed by the statute. While the Patient Safety Act does 
establish new Federal confidentiality and privilege protections for 
certain information, these protections only apply when health care 
providers work with PSOs and new processes, such as patient safety 
evaluation systems, that do not currently exist. These Federal data 
protections provide a mechanism for protection of sensitive information 
that could improve the quality, safety, and outcomes of health care by 
fostering a non-threatening environment in which information about 
adverse medical events and near misses can be discussed. It is hoped 
that confidential analysis of patient safety events will reduce the 
occurrence of adverse medical events and, thereby, reduce the costs 
arising from such events, including costs incurred by state and local 
governments attributable to such events.
    AHRQ, in conjunction with OCR, held three public listening sessions 
prior to drafting the proposed rule. Representatives of several states 
participated in these sessions. In particular, states that had begun to 
collect and analyze patient safety event information spoke about their 
related experiences and plans. Following publication of the NPRM, AHRQ 
will consult with appropriate state officials and organizations to 
review the scope of the proposed rule and to specifically seek input on 
federalism issues and a proposal in the rule at proposed Sec.  
3.102(a)(2) that would limit the ability of public or private sector 
regulatory entities to seek listing as a PSO.

Regulatory Impact Analysis

    Under Executive Order 12866 (58 FR 51735, October 4, 1993), Federal 
Agencies must determine whether a regulatory action is ``significant'' 
and, therefore, subject to OMB review and the requirements of the 
Executive Order. Executive Order 12866 defines ``significant regulatory 
action'' as one that is likely to result in a rule that may:
    1. Have an annual effect on the economy of $100 million or more or 
adversely affect in a material way the economy, a sector of the 
economy, productivity, competition, jobs, the environment, public 
health or safety, or state, local, or tribal government or communities.
    2. Create a serious inconsistency or otherwise interfere with an 
action taken or planned by another agency.
    3. Materially alter the budgetary impact of entitlements, grants, 
user fees, or loan programs or the rights and obligations of recipients 
thereof.
    4. Raise novel legal or policy issues arising out of legal 
mandates, the President's priorities, or the principles set forth in 
the Executive Order.
    AHRQ has accordingly examined the impact of the proposed rule under 
Executive Order 12866, the Regulatory Flexibility Act (5 U.S.C. 601-
612), and the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4). 
Executive Order 12866 directs agencies to assess all costs and benefits 
of available regulatory alternatives and, when regulation is necessary, 
to select regulatory approaches that maximize net benefits (including 
potential economic, environmental, public health and safety, and other 
advantages; distributive impacts; and equity). A regulatory impact 
analysis must be prepared for major rules with economically significant 
effects ($100 million or more in any one year). In the course of 
developing the proposed rule, AHRQ has considered the rule's costs and 
benefits, as mandated by Executive Order 12866. Although we cannot 
determine with precision the aggregate economic impact of the proposed 
rule, we believe that the impact may approach $100 million or more 
annually. HHS has determined that the proposed rule is ``significant'' 
also because it raises novel legal and policy issues with the 
establishment of a new regulatory framework, authorized by the Patient 
Safety Act, and imposes requirements, albeit voluntary, on entities 
that had not previously been subject to regulation in this area. 
Consequently, as required under Executive Order 12866, AHRQ conducted 
an analysis of the economic impact of the proposed rule.
Background
    The Patient Safety Act establishes a framework for health care 
providers voluntarily to report information on the safety, quality, and 
outcomes of patient care that to PSOs listed by HHS. The main 
objectives of the Patient Safety Act are to: (1) Encourage health care 
providers to collect and examine patient safety events more freely and 
consistently than they do now, (2) encourage many provider arrangements 
or contracts with expert PSOs to receive, aggregate, and analyze data 
on patient

[[Page 8166]]

safety events so that PSOs may provide feedback and assistance to the 
provider to improve patient safety and (3) allow the providers to 
improve the quality of care delivered and reduce patient risk. The 
Patient Safety Act provides privilege from legal discovery for patient 
safety work product, as well as confidentiality protections in order to 
foster a culture of patient safety. The Patient Safety Act does not 
contain mandatory reporting requirements. It does, however, require 
information submissions by entities that voluntarily seek to be 
recognized, (i.e., listed) as PSOs by the Secretary.
    The cost of an adverse patient safety event can be very high in 
terms of human life, and it also often carries a significant financial 
cost. The Institute of Medicine report, To Err is Human: Building a 
Safer Health Care System, estimates that adverse events cost the United 
States approximately $37.6 billion to $50 billion each year. ``Total 
national costs (lost income, lost household production, disability, and 
health care costs) of preventable adverse events (medical errors 
resulting in injury) are estimated to be between $17 billion and $29 
billion, of which health care costs represent over one-half.'' \18\
---------------------------------------------------------------------------

    \18\ Corrigan, J. M., Donaldson, M. S., Kohn, L. T., McKay, T., 
Pike, K. C., for the Committee on Quality of Health Care in America. 
To Err is Human: Building a Safer Health System. Washington, DC.: 
National Academy Press; 2000.
---------------------------------------------------------------------------

    The proposed rule was written to minimize the regulatory and 
economic burden on an entity that seeks certification as a PSO in order 
to collect, aggregate, and analyze confidential information reported by 
health care providers. Collecting, aggregating, and analyzing 
information on adverse events will allow problems to be identified, 
addressed, and eventually prevented. This, in turn, will help improve 
patient safety and the quality of care, while also reducing medical 
costs. The following analysis of costs and benefits--both quantitative 
and qualitative--includes estimates based on the best available health 
care data and demonstrates that the benefits of the proposed regulation 
justify the costs involved in its implementation.
    The economic impact of an alternative to the proposed rule is not 
discussed in the following analysis because an alternative to the 
statutorily authorized voluntary framework is the existence of no new 
program, which would produce no economic change or have no economic 
impact, or--alternatively--a mandatory regulatory program for all 
health care providers, which is not authorized by the Patient Safety 
Act and which is necessarily not a realistic alternative and would 
likely be much more expensive. (A guiding principle of those drafting 
the regulation was to minimize the economic and regulatory burden on 
those entities seeking to be PSOs and providers choosing to work with 
PSOs, within the limits of the Patient Safety Act. Hence this proposed 
rule represents the Department's best effort at minimal impact while 
still meeting statutory provisions.)
    AHRQ has relied on key findings from the literature to provide 
baseline measures for estimating the likely costs and benefits of the 
proposed rule. We believe that the costs of becoming a PSO (i.e., the 
costs of applying to be listed by the Secretary) will be relatively 
small, and the costs of operating a PSO will be small, in relation to 
the possible cost savings that will be derived from reducing the number 
of preventable adverse medical events each year.
    The direct costs to individual providers of working with PSOs will 
vary considerably. For an institutional or individual provider that 
chooses to report readily accessible information to a PSO occasionally, 
costs may be negligible. The proposed rule does not require a provider 
to enter into a contract with a PSO, establish internal reporting or 
analytic systems, or meet specific security requirements for patient 
safety work product. A provider's costs will derive from its own choice 
whether to undertake and, if so, whether to conduct or contract for 
data collection, information development, or analytic functions. Such 
decisions will be based on the provider's assessment of the cost and 
benefits it expects to incur and achieve. As we discuss below, 
hospitals in particular have developed, and can be expected to take 
advantage of the protections afforded by the Patient Safety Act by 
expanding data collection, information development, and analytic 
functions at their institutions. We anticipate that many providers will 
choose to enter into contracts with PSOs voluntarily. If providers 
choose to report data routinely to a PSO, a contract will be a good 
business practice. It provides greater assurance that a provider can 
demonstrate, if its claims of protections are challenged, that it is 
operating in full compliance with the statute. It enables the provider 
to exert greater control over the use and sharing of its data and, in 
the case of a provider that is a covered entity under the HIPAA Privacy 
Rule, the provider will need to enter a business associate agreement 
with a PSO for compliance with that regulation if the reported data 
includes protected health information.
    The following cost estimates represent an effort to develop an 
``upper bound'' on the cost impact of the proposed rule by assuming 
that providers choosing to work with PSOs will follow best business 
practices, take full advantage of the Patient Safety Act's protections, 
and develop robust internal reporting and analytic systems, rather than 
meeting the minimal requirements of the proposed rule. The cost 
estimates below are based on existing hospital-based activities for 
reporting patient safety events, which are likely to be similar to most 
events that a PSO will analyze (namely quality and safety activities 
within hospitals). While the Patient Safety Act is not limited to 
hospitals, AHRQ has received indications from various stakeholder 
groups that hospital providers will be the predominant provider type 
initially interested in working with PSOs.
Affected Entities
    To date, AHRQ has no hard information on the exact number of 
interested parties that may wish to become a PSO. AHRQ estimates, 
however, that 50 to 100 entities may request to become a listed PSO by 
the Secretary during the first three years after publication of the 
final rule. AHRQ anticipates a gradual increase in the number of 
entities seeking listing as a PSO and estimates that roughly 50 
entities will seek PSO certification during Year 1, 25 entities during 
Year 2, and an additional 25 entities during Year 3, totaling 100 PSOs 
by the end of Year 3. After Year 3, we anticipate that the number of 
PSOs will remain about constant, with the number of new entrants 
roughly equivalent to the number of PSOs that cease to operate.
    Healthcare providers, especially hospitals, currently assume some 
level of burden to collect, develop, and analyze patient safety event 
information similar to the information that will be reported to PSOs. 
We note that most institutional providers (especially larger ones) 
already do some of this data gathering. AHRQ anticipates that entities 
that currently operate internal patient safety event reporting systems 
either may be interested in: (1) Establishing a component organization 
to seek certification as a PSO; or (2) contracting with a PSO. Using 
data from the 2004 American Hospital Association, AHRQ conducted an 
analysis of the burden hours and likely costs associated with reporting 
patient safety event information to a PSO. See below.

[[Page 8167]]

Costs
    The proposed rule enables providers to receive Federal protections 
for information on patient safety events that the providers choose to 
collect, analyze, and report in conformity with the requirements of the 
Patient Safety Act and the proposed rule. The proposed rule, consistent 
with the Patient Safety Act, does not require any entity to seek 
listing as a PSO and does not require any provider to work with a PSO. 
While all holders of patient safety work product must avoid 
impermissible disclosures of patient safety work product, we do not 
impose any specific requirements that holders must meet to comply with 
this obligation. The requirements of the proposed rule apply only to 
entities that choose to seek listing by the Secretary as a PSO. 
Similarly, the proposed rule does not impose requirements on States or 
private sector entities (including small businesses) that would result 
in additional spending, that is, the government is not imposing any 
direct costs on States or the private sector.
    The Patient Safety Act, and therefore, the proposed rule, does 
impose obligations on entities that are listed by the Secretary as 
PSOs. Every PSO must carry out eight patient safety activities and 
comply with seven statutory criteria during its period of listing, 
including requirements related to the provision of security for patient 
safety work product, the ability to receive and analyze data from 
providers and assist them in implementing system improvements to 
mitigate or eliminate potential risk or harm to patients from the 
delivery of health care services.\19\ Because this is a new, untested, 
and voluntary initiative--coupled with the fact that PSOs currently do 
not exist--AHRQ does not have data on PSO fees, income, or expenses to 
estimate the precise monetized and non-monetized costs and benefits of 
the proposed rule. The following estimates reflect the cost of all 
incremental activities required (or contemplated) by the proposed rule.
---------------------------------------------------------------------------

    \19\ These 15 requirements from the Patient Safety Act are 
discussed in proposed Sec.  3.102(b). The eight patient safety 
activities are defined in proposed Sec.  3.20 and the seven criteria 
are specified in proposed Sec.  3.102(b)(2).
---------------------------------------------------------------------------

    For entities that seek to be listed as a PSO by the Secretary, AHRQ 
assumes that most of the total costs incurred will be for the 
establishment of a new organizational structure. AHRQ expects such 
costs to vary considerably based on the types of entities that request 
PSO listing (e.g., size; geographic location; setting; academic, 
professional, or business affiliation; and whether or not the entity is 
a component of a parent organization). It is anticipated that the 
proposed rule's cost to a PSO will likely be highest in the first year 
due to start-up and initial operational costs and establishment of 
policies and procedures for complying with PSO regulations. PSO 
operational costs will include the hiring of qualified staff, setting 
up data collection and reporting systems, establishing policies and 
procedures for ensuring data security and confidentiality, maintaining 
a patient safety evaluation system as required by the Patient Safety 
Act, and receiving and generating patient safety work product. The fact 
that PSOs are new entities for which there are no existing financial 
data means that estimates of the cost or charges for PSO services are a 
matter of speculation at this time. Additionally, the degree to which 
PSOs will exercise market power, what services they will offer, and the 
impact of a competitive environment is not yet known. Based on 
discussions with stakeholder groups, we believe that there will be a 
number of business models that emerge for PSOs. We anticipate that many 
PSOs will be components of existing organizations, which will likely 
subsidize the operations of their component PSOs for some time. Despite 
these limitations, AHRQ believes it can construct reasonable estimates 
of the costs and benefits of the Patient Safety Act. See ``Provider--
PSO Costs and Charges'' for an explanation of why the above-mentioned 
uncertainties do not preclude AHRQ from calculating overall costs, 
benefits, and net benefits of the Patient Safety Act.
    As noted above, the proposed rule does not require providers to 
establish internal reporting or analytic systems. AHRQ expects, 
however, that many providers will do so in order to take full advantage 
of the protections of the Patient Safety Act. As a result, our 
estimates reflect an upper bound on the potential costs associated with 
implementation by assuming that all providers that choose to 
participate will establish robust internal reporting and analytic 
systems.
    AHRQ recognizes that many state governments, public and private 
health care purchasers, and private accrediting and certifying 
organizations already employ voluntary and/or mandatory patient safety 
event reporting systems. As health care organizations increasingly 
focus on the monitoring of adverse events, the use of voluntary 
reporting systems to detect, evaluate, and track such events has also 
increased. Preliminary findings from AHRQ's Adverse Event Reporting 
Survey, conducted by the RAND Corporation (RAND) and the Joint 
Commission on Accreditation of Healthcare Organizations (JCAHO), show 
that 98 percent of hospitals are already reporting adverse medical 
events.\20\ This survey was administered to a representative sample of 
2,000 hospitals, with an 81 percent response rate. Thus, it is 
anticipated that the associated costs of the proposed rule for 
hospitals with existing patient safety event reporting systems will be 
very minimal, because the majority of these organizations already have 
the institutional infrastructure and operations to carry out the data 
collection activities of the proposed rule. AHRQ assumes that the 
estimated 2 percent of hospitals that currently have no reporting 
system are unlikely to initiate a new reporting system based on the 
proposed rule, at least in the first year that PSOs are operational.
---------------------------------------------------------------------------

    \20\ RAND and Joint Commission on Accreditation of Healthcare 
Organizations. Survey on Hospital Adverse Event Reporting Systems: 
Briefing on Baseline Data. August 16, 2006 Briefing.
---------------------------------------------------------------------------

Hospital Costs
    We extrapolated findings from the RAND-JCAHO survey in order to 
calculate the burden hours and monetized costs associated with the 
proposed rule, using data from the American Hospital Association's 2004 
\21\ annual survey of hospitals in the United States \22\ to estimate 
the number of hospitals nationwide. This figure served as the 
denominator in our analysis. We acknowledge that, over time, not all 
providers working with PSOs will be hospitals; however, it is 
reasonable to use hospitals as a basis for our initial estimates, given 
the preliminary indications that hospitals will be the predominant, if 
not exclusive, providers submitting information to PSOs during the 
early years in which PSOs are operational.
---------------------------------------------------------------------------

    \21\ American Hospital Association. Fast Facts on U.S. Hospitals 
from AHA Hospital Statistics. November 14, 2005. Available at: 
http://www.aha.org/aha/resource_center/fastfacts/fast_facts_US_hospitals.html. Web Page.
    \22\ The 2005 survey results will likely be release in November 
2006.
---------------------------------------------------------------------------

    Based on American Hospital Association data, there are 5,759 
registered U.S. hospitals--including community hospitals, Federal 
hospitals, non-Federal psychiatric hospitals, non-Federal long-term 
care hospitals, and hospital units of institutions--in which there are 
955,768 staffed operational beds. Based on the RAND-JCAHO finding 
regarding event reporting in hospitals, AHRQ calculates that 98 percent 
of the 5,759 hospitals (5,644 hospitals with 936,653 staffed beds)

[[Page 8168]]

already have, and are supporting the costs of, a centralized patient 
safety event reporting system.
    AHRQ assumed that an institution will report an average of one 
patient safety event (including no harm events and close calls) per bed 
per month. Based on this assumption, AHRQ estimates that all hospitals 
nationwide are currently completing a total of 11,239,832 patient 
safety event reports per year. Based on the assumption that it takes 15 
minutes to complete each patient safety event report, we estimate that 
hospitals are already spending 2,809,958 hours per year on this 
activity. At a Full-Time Equivalent (FTE) rate of $80 per hour, we 
estimate that all hospitals nationwide are currently spending 
approximately $224,796,634 per year on patient safety event reporting 
activities.
    AHRQ estimates that, once collected, it will take an additional 
five minutes for hospital staff to submit patient safety event 
information to a PSO. We, therefore, estimate that the total burden 
hours for all hospitals nationwide to submit patient safety event 
information to a PSO totals 936,653 hours annually with an associated 
cost of $74,932,211 based on the assumption that all hospitals 
nationwide reported all possible patient safety events (using the 
heuristic of one event per bed per month).
    During the first year following publication of the final rule PSOs 
will be forming themselves into organizations and engaging in startup 
activities. We assume that there will be a gradual increase in the 
number of entities seeking listing as PSOs, beginning with a 10 percent 
participation rate. We assume as many as 25 percent of hospitals may 
enter into arrangements with PSOs by the end of the first year; 
however, the overall effective participation rate will only average 10 
percent. This assumption translates to 93,665 hours of additional 
burden for hospitals to report patient safety event information to PSOs 
with an estimated cost of $7,493,221. Assuming a 40 percent 
participation rate of all hospitals nationwide during the second year 
that PSOs are operational, there would be 374,660 burden hours with an 
estimated cost of $29,972,884. Assuming there is 60 percent 
participation rate of all hospitals nationwide during the third year 
that PSOs are operational, there would be 561,990 burden hours 
nationwide with an estimated cost of $44,959,326. (See Table 1).
    In summary, the direct costs--which would be voluntarily incurred 
if all hospitals nationwide that choose to work with PSOs during the 
first five years also chose to establish systematic reporting systems--
are projected to range from approximately $7.5 million to nearly $63.7 
million in any single year, based on 10 percent to 85 percent 
participation rate among hospitals. These cost estimates may be high if 
provider institutions, such as hospitals, do not submit all the patient 
safety data they collect to a PSO. If only a fraction of the data is 
reported to a PSO, the cost estimates and burden will be 
proportionately reduced.

                  Table 1.--Estimated Hospitals Costs To Submit Information to PSOs: 2008-2012
----------------------------------------------------------------------------------------------------------------
             Year                     2008             2009            2010            2011            2012
----------------------------------------------------------------------------------------------------------------
Hospital Penetration Rate.....  10%............  40%............  60%...........  75%...........  85%.
Hospital Cost.................  $7.5 M.........  $30.0 M........  $45.0 M.......  $56.2 M.......  $63.7 M.
----------------------------------------------------------------------------------------------------------------

PSO Costs
    A second category of costs, in addition to incremental costs borne 
by hospitals, is that of the PSOs themselves. PSO cost estimates are 
based on estimates of organizational and consulting capabilities and 
statutory requirements. We followed the standard accounting format for 
calculating ``independent government cost estimates,'' although the 
categories did not seem entirely appropriate for the private sector. In 
order to estimate PSO costs over a five-year period, we made several 
assumptions about the size and operations of new PSOs. Specifically, we 
assumed that PSOs would be staffed modestly, relying on existing 
hospital activities in reporting adverse events, and that a significant 
proportion of PSOs are likely to be component PSOs, with support and 
expertise provided by a parent organization. Our assumptions are that 
PSOs will hire dedicated staff of from 1.5 to 4 FTEs, assuming an 
average salary rate of $67/hour. We estimate that a significant 
overhead figure of 100%, coupled with 20% for General and 
Administrative (G&A) expenses, will cover the appreciable costs 
anticipated for legal, security, travel, and miscellaneous PSO 
expenses.
    Although we believe that the above estimates may be conservative, 
we also believe that PSOs will become more effective over time without 
increasing staff size. Finally, we estimate that the number of PSOs 
will increase from 50 to 100 during the first three years in which the 
Secretary lists PSOs and remain at 100 PSOs in subsequent years. Table 
2 summarizes PSO operational costs for the first five years based on 
these estimates.

                                Table 2.--Total PSO Operational Costs: 2008-2012
----------------------------------------------------------------------------------------------------------------
             Year                     2008             2009            2010            2011            2012
----------------------------------------------------------------------------------------------------------------
Number of PSOs................  50.............  75.............  100...........  100...........  100.
PSO Cost......................  $61.4 M........  $92.1 M........  $122.8 M......  $122.8 M......  $122.8 M.
----------------------------------------------------------------------------------------------------------------

    Table 3 presents the total estimated incremental costs related to 
implementation of the Patient Safety Act, based on new activities on 
the part of hospitals and the formation of new entities, PSOs, from 
2008-2012. Estimates for total Patient Safety Act costs are $80 million 
in Year 1, increasing to $186.5 million in Year 5.

[[Page 8169]]



           Table 3.--Total Patient Safety Act Costs Including Hospital Costs and PSO Costs: 2008-2012
----------------------------------------------------------------------------------------------------------------
             Year                     2008             2009            2010            2011            2012
----------------------------------------------------------------------------------------------------------------
Hospital Penetration Rate.....  10%............  40%............  60%...........  75%...........  85%.
Hospital Cost.................  $7.5 M.........  $30.0 M........  $45.0 M.......  $56.2 M.......  $63.7 M.
PSO Cost......................  $61.4 M........  $92.1 M........  $122.8 M......  $122.8 M......  $122.8 M.
                               ---------------------------------------------------------------------------------
    Total Cost................  $68.9 M........  $122.1 M.......  $167.8 M......  $179.0 M......  $186.5 M.
----------------------------------------------------------------------------------------------------------------

Provider--PSO Costs and Charges
    We have not figured into our calculations any estimates for the 
price of PSO services, amounts paid by hospitals and other health care 
providers to PSOs, PSO revenues, or PSO break-even analyses. We have 
not speculated about subsidies or business models. Regardless of what 
the costs and charges are between providers and PSOs, they will cancel 
each other out, as expenses to providers will become revenue to PSOs.
Benefits
    The primary benefit of the proposed rule is to provide the 
foundation for new, voluntary opportunities for health care providers 
to improve the safety, quality, and outcomes of patient care. The non-
monetized benefits to public health from the proposed rule are clear, 
translating to improvements in patient safety, although such benefits 
are intangible and difficult to quantify, not only in monetary terms 
but also with respect to outcome measures such as years added or years 
with improved quality-of-life. Although AHRQ is unable to quantify the 
net benefits of this proposed rule precisely, it believes firmly that 
the proposed rule will be effective in addressing costly medical care 
problems in the health system that adversely affect patients, their 
families, their employees, and society in general. Finally, estimating 
the impact of the proposed rule in terms of measurable monetized and 
non-monetized benefits is a challenge due to a lack of baseline data on 
the incidence and prevalence of patient safety events themselves. In 
fact, one of the intended benefits of the Patient Safety Act is to 
provide more objective data in this important area, which will begin to 
allow tracking of improvement.
    AHRQ has relied on key findings from the medical professional 
literature to provide a qualitative description of the scope of the 
problem. The Institute of Medicine reports that 44,000 to 98,000 people 
die in hospitals each year as a result of adverse events.\23\ The 
Harvard Medical Practice Study found a rate of 3.7 adverse events per 
100 hospital admissions.\24\ Similar results were found in a 
replication of this study in Colorado and Utah; adverse events were 
reported at a rate of 2.9 per 100 admissions.\25\ Adverse events do not 
occur only in hospitals; they also occur in physician's offices, 
nursing homes, pharmacies, urgent care centers, ambulatory care 
settings, and care delivered in the home.
---------------------------------------------------------------------------

    \23\ Institute of Medicine, ``To Err Is Human: Building a Safer 
Health System'', 1999.
    \24\ Brennan TA, Leape LL, Laird NM, et al. Incidence of Adverse 
Events and Negligence in Hospitalized Patients. New England Journal 
of Medicine. 1991. 324: 370-76.
    \25\ Thomas EJ, Studdert DM, Burstin HR, et al. Incidence and 
Types of Adverse Events and Negligent Care in Utah and Colorado. 
Medical Care. 2000. 38: 261-71.
---------------------------------------------------------------------------

    The importance of evaluating the incidence and cost of adverse 
events cannot be underestimated. They are not only related to possible 
morbidity and mortality, but also impose a significant economic burden 
on both society and the individual (patient, family, health care 
workers) in terms of consumption of health care resources and lost 
productivity, and in many cases avoidable pain and suffering. However, 
to prevent adverse events, it may take many years for the proposed rule 
to achieve its full beneficial effects, and it will remain a challenge 
to track the effect of the proposed rule on the patient population and 
society, generally.
    It may be possible to measure improvements in patient safety in 
general descriptive terms regarding improved health outcomes. However, 
it is more difficult to translate such improvements to direct monetary 
savings or outcome measures that can be integrated into a single 
numerical index (e.g., units of health improvement, years of life 
gained). By analyzing patient safety event information, PSOs will be 
able to identify patterns of failures in the health care system and 
propose measures to eliminate patient safety risks and hazards as a 
means to improve patient outcomes. As more information is learned about 
patient safety events through data collection by the PSOs, the care 
delivery environment can be redesigned to prevent adverse events in the 
future. However, PSOs will not have the necessary authority to 
implement recommended changes to improve patient safety in providers' 
health care delivery organizations. It will be up to the providers 
themselves to bring about the changes that will result in a reduction 
in adverse events and a resultant improvement in the quality of care 
delivered.
    The submission of more comprehensive information by health care 
providers regarding patient risks and hazards will likely increase the 
understanding of the factors that contribute to events that adversely 
affect patients. The expected benefit of this information would be 
improvements in patient safety event reports and analyses, which would 
translate to better patient outcomes and possible economic savings 
attributable to the more efficient use of health care services. Due to 
the uncertainty of the benefits and costs associated with the proposed 
rule as delineated above, it is then possible only to make general 
estimates of the monetary values of expected improvements in patient 
outcomes, that is, savings to the healthcare system.
    We can estimate monetized benefits by referring to the Institute of 
Medicine report, To Err Is Human,\26\ which estimates total national 
costs of preventable adverse events to be between $17 billion and $29 
billion, of which direct health care costs represent over one-half 
(totaling between $8.5 billion and $14.5 billion). Based on the 
assumption that PSOs may be able to reduce the preventable adverse 
events by between one percent and three percent within their first five 
years of operation, this reduction would amount to be between $85 
million--$145 million in savings at the 1 percent level if the whole 
nation were affected, and $255 million--$435 million at the 3 percent 
level, if the whole nation were affected. Applying a median figure from 
the Institute of Medicine range to PSOs, based on an increasing impact 
from 1%-3% as it grows over the first five

[[Page 8170]]

years, we see progressively growing savings as shown in Table 4. It 
should be noted that we are estimating savings by assuming a percentage 
reduction of adverse events from the overall occurrence rate delineated 
by the Institute of Medicine report. We are not tying the estimated 
reduction to those events specifically reported to PSOs. Events that 
have already occurred do not represent a potential for savings. The 
presumption behind the estimated savings is that the reporting, 
analysis, and institution of ameliorating policies and procedures will 
result in fewer adverse events going forward because of such PSO 
activities.
---------------------------------------------------------------------------

    \26\ Corrigan, J. M., Donaldson, M. S., Kohn, L. T., McKay, T., 
Pike, K. C., for the Committee on Quality of Health Care in America. 
To Err Is Human: Building a Safer Health System. Washington, DC: 
National Academy Press; 2000.

           Table 4.--Total Estimated Cost Savings by Percent Reduction in Adverse Events: 2008-2012 *
----------------------------------------------------------------------------------------------------------------
             Year                   2008            2009            2010              2011             2012
----------------------------------------------------------------------------------------------------------------
Hospital Penetration Rate....  10%...........  40%...........  60%...........  75%..............  85%.
Percent Reduction in Adverse   1%............  1.5%..........  2%............  2.5%.............  3%.
 Events.
Savings......................  $11.5 M.......  $69 M.........  $138 M........  $215.625 M.......  $293.25 M.
----------------------------------------------------------------------------------------------------------------
* Source: Baseline figures from IOM Report, To Err Is Human, on total national health care costs associated with
  preventable adverse events (between 8.5 billion and 14.5 billion). Year 1 estimates are based on mid-point
  figures.

    It is assumed that when the proposed rule is implemented, it will 
have a beneficial effect on patient outcomes. Eliminating adverse 
events would help to ensure the greatest value possible from the 
billions of dollars spent on medical care in the United States.\27\ 
AHRQ concludes that the potential benefits of the Patient Safety Act--
which encourages hospitals, doctors, and other health care providers to 
work voluntarily with PSOs by reporting of health care errors and 
enabling PSOs to analyze them to improve health care quality and 
safety--would justify the costs of the proposed rule.
---------------------------------------------------------------------------

    \27\ Corrigan, J. M., Donaldson, M. S., Kohn, L. T., McKay, T., 
Pike, K. C., for the Committee on Quality of Health Care in America. 
To Err Is Human: Building a Safer Health System. Washington, DC: 
National Academy Press; 2000.
---------------------------------------------------------------------------

    During the first five operational years of PSOs, we calculated the 
net benefits based on total costs and benefits. (See Table 5.) We 
estimate that costs of implementing the Patient Safety Act will reach 
break-even after 2010 and provide progressively greater benefits 
thereafter.

                                                            Table 5.--Net Benefits: 2008-2012
--------------------------------------------------------------------------------------------------------------------------------------------------------
               Year                          2008                    2009                    2010                    2011                   2012
--------------------------------------------------------------------------------------------------------------------------------------------------------
Total Benefits....................  $11.5 M...............  $69 M.................  $138 M................  $215.625 M...........  $293.25 M.
Total Costs.......................  $68.9 M...............  $122.1 M..............  $167.8 M..............  $179.0 M.............  $186.5 M.
Net Benefits......................  ($57.4) M.............  ($53.1) M.............  ($29.8) M.............  $36.625 M............  $106.75 M.
Discounted net present value at 3%  ($55.7) M.............  ($50.0) M.............  ($27.3) M.............  $32.5 M..............  $92.1 M.
Discounted net present value at 7%  ($53.6) M.............  ($46.4) M.............  ($24.3) M.............  $27.9 M..............  $76.1 M.
--------------------------------------------------------------------------------------------------------------------------------------------------------

Confidentiality Rule
    The confidentiality provisions are included in the Patient Safety 
Act to encourage provider participation. Without such protections, 
providers will be reluctant to participate in the expanded reporting 
and analysis of patient safety events, and low participation will 
severely inhibit the opportunity to reap the benefits from efforts to 
improve patient safety. The proposed rule requires any holder of 
patient safety work product to maintain its confidentiality but, with 
the exception of PSOs, the appropriate security measures are left to 
the holder's discretion. Proposed Sec.  3.106 establishes a security 
framework that PSOs must address but, even then, PSOs are given 
discretion to establish the specific security standards most 
appropriate to their organization. Violation of the confidentiality 
provisions under the proposed rule creates a risk of liability for a 
substantial civil money penalty. If a person makes a knowing or 
reckless disclosure in violation of the confidentiality provisions, 
that person will be subject to the enforcement process, and subject to 
costs including participation in an investigation and payment of a 
civil money penalty, if imposed.
    While participating providers may incur some costs associated with 
maintaining the confidentiality of patient safety work product (e.g., 
developing policies/procedures to keep information confidential, 
safeguarding the information, training staff, etc.), those activities 
and associated costs are not required by the proposed rule and are 
likely minimal in light of existing procedures to meet existing 
requirements on providers to maintain sensitive information as 
confidential. We are proposing a scheme that places the least possible 
amount of regulatory burden on participants while simultaneously 
ensuring that the confidentiality provisions are effectively 
implemented and balanced with the objective of encouraging the maximum 
amount of participation possible. We were mindful of not placing 
unnecessary regulatory requirements on participating entities because 
this is a voluntary initiative, and we did not want entities interested 
in participating to forego participation because of concerns about the 
associated risk of liability for civil money penalties.

Regulatory Flexibility Act Analysis

    The Regulatory Flexibility Act requires agencies to analyze 
regulatory options that would minimize any significant impact of a rule 
on small entities. Because the Patient Safety Act enables a broad 
spectrum of entities--public, private, for-profit, and not-for-profit--
to seek certification as a PSO, there may be many different types of 
organizations interested in becoming certified as a PSO that would be 
affected by the proposed rule. The proposed rule minimizes possible 
barriers to entry and creates a review process that is both simple and 
quick. As a result, AHRQ expects that a broad range of health care 
provider systems, medical specialty societies, and provider-based 
membership organizations will seek listing as a PSO by the Secretary.
    AHRQ preliminarily determines that the proposed rule does not have 
a

[[Page 8171]]

significant impact on small businesses because it does not impose a 
mandatory regulatory burden, and because the Department has made a 
significant effort to promulgate regulations that are the minimum 
necessary to interpret and implement the law. As stated previously, 
working with PSOs is completely voluntary; the proposed rule provides 
benefits in the form of legal protections that are expected to outweigh 
the cost of participation from the perspective of participating 
providers. AHRQ believes that the proposed rule will not have a 
significant impact on a substantial number of small entities because 
the proposed rules do not place small entities at a significant 
competitive disadvantage to large entities. AHRQ does not anticipate 
that there will be a disproportional effect on profits, costs, or net 
revenues for a substantial number of small entities. The proposed rule 
will not significantly reduce profit for a substantial number of small 
entities.
Impacts on Small Entities
1. The Need for and the Objectives of the Proposed Rule
    The proposed rule establishes the authorities, processes, and 
requirements necessary to implement the Patient Safety Act, sections 
921-926 of the Public Health Service Act, 42 U.S.C. 299b-21 to 299b-26. 
The proposed rules seek to establish a streamlined process for the 
Department to accept certification by entities seeking to become PSOs. 
Under the proposal, PSOs will be available voluntarily to enter into 
arrangements with health care providers and provide expert advice 
regarding the causes and prevention of adverse patient safety events. 
Information collected or developed by a health care provider or PSO, 
and reported to or by a PSO, that relate to a patient safety event 
would become privileged and confidential. Related deliberations would 
also be protected. Persons who breached the confidentiality provisions 
of the rule could be subject to civil money penalties of up to $10,000.
2. Description and Estimate of the Number of Small Entities Affected
    For purposes of the Regulatory Flexibility Act, small entities 
include small businesses, non-profit organizations, and government 
jurisdictions. Most hospitals and many other health care providers and 
suppliers are small entities, either because they are nonprofit 
organizations or because they generate revenues of $6.5 million to 
$31.5 million in any one year. Individuals and States are not included 
in the definition of a small entity. The proposed rule would affect 
most hospitals, and other health care delivery entities, plus all small 
entities that are interested in becoming certified PSOs. Based on 
various stakeholder meetings, AHRQ estimates that approximately 50-100 
entities may be interested in becoming listed as PSOs during the first 
three years following publication of the final rule. This figure is 
likely to stabilize over time, as some new PSOs form and some existing 
PSOs cease operations.
3. Impact on Small Entities
    AHRQ believes that the proposed rule will not have a significant 
impact on a substantial number of small provider or PSO entities 
because the proposed rule does not place a substantial number of small 
entities at a significant competitive disadvantage to large entities. 
AHRQ does not anticipate that there will be a disproportional effect on 
profits, costs, or net revenues for a substantial number of small 
entities. The proposed rule will not significantly reduce profit for a 
substantial number of small entities. In fact, when fully implemented, 
we expect that the benefits and/or provider savings will outweigh the 
costs.
    Compliance requirements for small entities under this proposed rule 
are the same as those described above for other affected entities. AHRQ 
has proposed only those regulations that are necessary to comply with 
provisions and goals of the Patient Safety Act, with the objective of 
encouraging the maximum participation possible. The proposed rule was 
written to minimize the regulatory and economic burden on any entity 
that seeks to be listed as a PSO by the Secretary, regardless of size. 
It is impossible for AHRQ to develop alternatives to the proposed rule 
for small entities, as the proposed rule must adhere to statutory 
requirements. For example, the proposed rule requires confidentiality 
and privilege protections and places the least amount of regulatory 
burden on participating players--while simultaneously ensuring that the 
goals of confidentiality are effectively implemented--with the 
objective of encouraging the maximum participation possible. In 
addition, the proposed rule was written recognizing that many providers 
will be HIPAA covered entities, and many PSOs will be business 
associates, which entails certain obligations under the HIPAA Privacy 
Rule. Thus, this proposed rule is coordinated with existing law, to 
minimize the burden of compliance.
    AHRQ believes that the proposed rule will not have a significant 
impact on small providers. The proposed rule does not impose any costs 
directly on providers, large or small, that choose to work with a PSO. 
To the extent that providers hold patient safety work product, they 
must prevent impermissible disclosures; however, the proposed rule does 
not establish requirements for how providers must meet this 
requirement.
    Finally, it is the statutory and supporting regulatory guarantee of 
the confidentiality of the reporting of adverse events that will enable 
PSOs to operate and perform their function. Thus, while the compliance 
costs in the form of start-up operational costs may be substantial, the 
benefits that will be generated as a result of these costs will exceed 
the actual costs, as illustrated in Table 5.
    The Secretary certifies that the proposed rule will not have a 
significant economic impact on a substantial number of small entities.

List of Subjects in 42 CFR Part 3

    Administrative practice and procedure, Civil money penalty, 
Confidentiality, Conflict of interests, Courts, Freedom of information, 
Health, Health care, Health facilities, Health insurance, Health 
professions, Health records, Hospitals, Investigations, Law 
enforcement, Medical research, Organization and functions, Patient, 
Patient safety, Privacy, Privilege, Public health, Reporting and 
recordkeeping requirements, Safety, State and local governments, 
Technical assistance.

    For the reasons stated in the preamble, the Department of Health 
and Human Services proposes to amend Title 42 of the Code of Federal 
Regulations by adding a new part 3 to read as follows:

PART 3--PATIENT SAFETY ORGANIZATIONS AND PATIENT SAFETY WORK 
PRODUCT

Subpart A--General Provisions
Sec.
3.10 Purpose.
3.20 Definitions.
Subpart B--PSO Requirements and Agency Procedures
3.102 Process and requirements for initial and continued listing of 
PSOs.
3.104 Secretarial actions.
3.106 Security requirements.
3.108 Correction of deficiencies, revocation, and voluntary 
relinquishment.
3.110 Assessment of PSO compliance.
3.112 Submissions and forms.

[[Page 8172]]

Subpart C--Confidentiality and Privilege Protections of Patient Safety 
Work Product
3.204 Privilege of Patient Safety Work Product.
3.206 Confidentiality of Patient Safety Work Product.
3.208 Continued protection of Patient Safety Work Product.
3.210 Required disclosure of Patient Safety Work Product to the 
Secretary
3.212 Nonidentification of Patient Safety Work Product.
Subpart D--Enforcement Program
3.304 Principles for achieving compliance.
3.306 Complaints to the Secretary.
3.308 Compliance reviews.
3.310 Responsibilities of respondents.
3.312 Secretarial action regarding complaints and compliance 
reviews.
3.314 Investigational subpoenas and inquiries.
3.402 Basis for a civil money penalty.
3.404 Amount of a civil money penalty.
3.408 Factors considered in determining the amount of a civil money 
penalty.
3.414 Limitations.
3.416 Authority to settle.
3.418 Exclusivity of penalty.
3.420 Notice of proposed determination.
3.422 Failure to request a hearing.
3.424 Collection of penalty.
3.426 Notification of the public and other agencies.
3.504 Procedures for hearings.

    Authority: 42 U.S.C. 216, 299b-21 through 299b-26; 42 U.S.C. 
299c-6

Subpart A--General Provisions


Sec.  3.10  Purpose.

    The purpose of this Part is to implement the Patient Safety and 
Quality Improvement Act of 2005 (Pub. L. 109-41), which amended Title 
IX of the Public Health Service Act (42 U.S.C. 299 et seq.) by adding 
sections 921 through 926, 42 U.S.C. 299b-21 through 299b-26.


Sec.  3.20  Definitions.

    As used in this Part, the terms listed alphabetically below have 
the meanings set forth as follows:
    AHRQ stands for the Agency for Healthcare Research and Quality in 
HHS.
    ALJ stands for an Administrative Law Judge of HHS.
    Board means the members of the HHS Departmental Appeals Board, in 
the Office of the Secretary, who issue decisions in panels of three.
    Bona fide contract means:
    (1) A written contract between a provider and a PSO that is 
executed in good faith by officials authorized to execute such 
contract; or
    (2) A written agreement (such as a memorandum of understanding or 
equivalent recording of mutual commitments) between a Federal, State, 
Local, or Tribal provider and a Federal, State, Local, or Tribal PSO 
that is executed in good faith by officials authorized to execute such 
agreement.
    Complainant means a person who files a complaint with the Secretary 
pursuant to Sec.  3.306.
    Component organization means an entity that is either:
    (1) A unit or division of a corporate organization or of a multi-
organizational enterprise; or
    (2) A separate organization, whether incorporated or not, that is 
owned, managed or controlled by one or more other organization(s), 
i.e., its parent organization(s).
    Component PSO means a PSO listed by the Secretary that is a 
component organization.
    Confidentiality provisions means for purposes of Subparts C and D, 
any requirement or prohibition concerning confidentiality established 
by section 921 and 922(b), (d), (g) and (i) of the Public Health 
Service Act, 42 U.S.C. 299b-21, 299b-22(b)-(d), (g) and (i) and the 
provisions, at Sec. Sec.  3.206 and 3.208, that implement the statutory 
prohibition on disclosure of identifiable patient safety work product.
    Disclosure means the release, transfer, provision of access to, or 
divulging in any other manner of patient safety work product by a 
person holding the patient safety work product to another.
    Entity means any organization or organizational unit, regardless of 
whether the organization is public, private, for-profit, or not-for-
profit.
    Group health plan means employee welfare benefit plan (as defined 
in section 3(1) of the Employee Retirement Income Security Act of 1974 
(ERISA)) to the extent that the plan provides medical care (as defined 
in paragraph (2) of section 2791(a) of the Public Health Service Act, 
including items and services paid for as medical care) to employees or 
their dependents (as defined under the terms of the plan) directly or 
through insurance, reimbursement, or otherwise.
    Health insurance issuer means an insurance company, insurance 
service, or insurance organization (including a health maintenance 
organization, as defined in 42 U.S.C. 300gg-91(b)(3)) which is licensed 
to engage in the business of insurance in a State and which is subject 
to State law which regulates insurance (within the meaning of 29 U.S.C. 
1144(b)(2)). The term does not include a group health plan.
    Health maintenance organization means:
    (1) A Federally qualified health maintenance organization (HMO) (as 
defined in 42 U.S.C. 300e(a)),
    (2) An organization recognized under State law as a health 
maintenance organization, or
    (3) A similar organization regulated under State law for solvency 
in the same manner and to the same extent as such a health maintenance 
organization.
    HHS stands for the United States Department of Health and Human 
Services.
    HIPAA Privacy Rule means the regulations promulgated under section 
264(c) of the Health Insurance Portability and Accountability Act of 
1996 (HIPAA), at 45 CFR Part 160 and Subparts A and E of Part 164.
    Identifiable patient safety work product means patient safety work 
product that:
    (1) Is presented in a form and manner that allows the 
identification of any provider that is a subject of the work product, 
or any providers that participate in, or are responsible for, 
activities that are a subject of the work product;
    (2) Constitutes individually identifiable health information as 
that term is defined in the HIPAA Privacy Rule at 45 CFR 160.103; or
    (3) Is presented in a form and manner that allows the 
identification of an individual who in good faith reported information 
directly to a PSO or to a provider with the intention of having the 
information reported to a PSO (``reporter'').
    Nonidentifiable patient safety work product means patient safety 
work product that is not identifiable patient safety work product in 
accordance with the nonidentification standards set forth at Sec.  
3.212.
    OCR stands for the Office for Civil Rights in HHS.
    Parent organization means an entity that, alone or with others, 
either owns a provider entity or a component organization, or has the 
authority to control or manage agenda setting, project management, or 
day-to-day operations, or the authority to review and override 
decisions of a component organization.
    Patient Safety Act means the Patient Safety and Quality Improvement 
Act of 2005 (Pub. L. 109-41), which amended Title IX of the Public 
Health Service Act (42 U.S.C. 299 et seq.) by inserting a new Part C, 
sections 921 through 926, which are codified at 42 U.S.C. 299b-21 
through 299b-26.
    Patient safety activities means the following activities carried 
out by or on behalf of a PSO or a provider:
    (1) Efforts to improve patient safety and the quality of health 
care delivery;
    (2) The collection and analysis of patient safety work product;

[[Page 8173]]

    (3) The development and dissemination of information with respect 
to improving patient safety, such as recommendations, protocols, or 
information regarding best practices;
    (4) The utilization of patient safety work product for the purposes 
of encouraging a culture of safety and of providing feedback and 
assistance to effectively minimize patient risk;
    (5) The maintenance of procedures to preserve confidentiality with 
respect to patient safety work product;
    (6) The provision of appropriate security measures with respect to 
patient safety work product;
    (7) The utilization of qualified staff; and
    (8) Activities related to the operation of a patient safety 
evaluation system and to the provision of feedback to participants in a 
patient safety evaluation system.
    Patient safety evaluation system means the collection, management, 
or analysis of information for reporting to or by a PSO.
    Patient safety organization (PSO) means a private or public entity 
or component thereof that currently is listed as a PSO by the Secretary 
in accordance with Subpart B. A health insurance issuer or a component 
organization of a health insurance issuer may not be a PSO. See also 
the exclusion in proposed Sec.  3.102 of this Part.
    Patient safety work product (PSWP).
    (1) Except as provided in paragraph (2) of this definition, patient 
safety work product means any data, reports, records, memoranda, 
analyses (such as root cause analyses), or written or oral statements 
(or copies of any of this material)
    (i)(A) Which are assembled or developed by a provider for reporting 
to a PSO and are reported to a PSO; or
    (B) Are developed by a PSO for the conduct of patient safety 
activities; and which could improve patient safety, health care 
quality, or health care outcomes; or
    (ii) Which identify or constitute the deliberations or analysis of, 
or identify the fact of reporting pursuant to, a patient safety 
evaluation system.
    (2)(i) Patient safety work product does not include a patient's 
medical record, billing and discharge information, or any other 
original patient or provider information; nor does it include 
information that is collected, maintained, or developed separately, or 
exists separately, from a patient safety evaluation system. Such 
separate information or a copy thereof reported to a PSO shall not by 
reason of its reporting be considered patient safety work product.
    (ii) Nothing in this part shall be construed to limit information 
that is not patient safety work product from being:
    (A) Discovered or admitted in a criminal, civil or administrative 
proceeding;
    (B) Reported to a Federal, State, local or tribal governmental 
agency for public health or health oversight purposes; or
    (C) Maintained as part of a provider's recordkeeping obligation 
under Federal, State, local or tribal law.
    Person means a natural person, trust or estate, partnership, 
corporation, professional association or corporation, or other entity, 
public or private.
    Provider means:
    (1) An individual or entity licensed or otherwise authorized under 
State law to provide health care services, including--
    (i) A hospital, nursing facility, comprehensive outpatient 
rehabilitation facility, home health agency, hospice program, renal 
dialysis facility, ambulatory surgical center, pharmacy, physician or 
health care practitioner's office (includes a group practice), long 
term care facility, behavior health residential treatment facility, 
clinical laboratory, or health center; or
    (ii) A physician, physician assistant, registered nurse, nurse 
practitioner, clinical nurse specialist, certified registered nurse 
anesthetist, certified nurse midwife, psychologist, certified social 
worker, registered dietitian or nutrition professional, physical or 
occupational therapist, pharmacist, or other individual health care 
practitioner;
    (2) Agencies, organizations, and individuals within Federal, State, 
local, or Tribal governments that deliver health care, organizations 
engaged as contractors by the Federal, State, local, or Tribal 
governments to deliver health care, and individual health care 
practitioners employed or engaged as contractors by the Federal State, 
local, or Tribal governments to deliver health care; or
    (3) A parent organization that has a controlling interest in one or 
more entities described in paragraph (1)(i) of this definition or a 
Federal, State, local, or Tribal government unit that manages or 
controls one or more entities described in (1)(i) or (2) of this 
definition.
    Research has the same meaning as the term is defined in the HIPAA 
Privacy Rule at 45 CFR 164.501.
    Respondent means a provider, PSO, or responsible person who is the 
subject of a complaint or a compliance review.
    Responsible person means a person, other than a provider or a PSO, 
who has possession or custody of identifiable patient safety work 
product and is subject to the confidentiality provisions.
    Workforce means employees, volunteers, trainees, contractors, and 
other persons whose conduct, in the performance of work for a provider, 
PSO or responsible person, is under the direct control of such 
provider, PSO or responsible person, whether or not they are paid by 
the provider, PSO or responsible person.

Subpart B--PSO Requirements and Agency Procedures


Sec.  3.102  Process and requirements for initial and continued listing 
of PSOs.

    (a) Eligibility and process for initial and continued listing.
    (1) Submission of Certification. Any entity, except as specified in 
paragraph (a)(2) of this section, may request from the Secretary an 
initial or continued listing as a PSO by submitting a completed 
certification form that meets the requirements of this section, in 
accordance with the submission requirements at Sec.  3.112. An 
individual with authority to make commitments on behalf of the entity 
seeking listing will be required to acknowledge each of the 
certification requirements, attest that the entity meets each 
requirement, provide contact information for the entity, and certify 
that the PSO will promptly notify the Secretary during its period of 
listing if it can no longer comply with any of the criteria in this 
section.
    (2) Restrictions on certain entities. Entities that may not seek 
listing as a PSO include: health insurance issuers or components of 
health insurance issuers. Any other entity, public or private, that 
conducts regulatory oversight of health care providers, such as 
accreditation or licensure, may not seek listing, except that a 
component of such an entity may seek listing as a component PSO. An 
applicant completing the required certification forms described in 
paragraph (a)(1) of this section will be required to attest that the 
entity is not subject to the restrictions of this paragraph.
    (b) Fifteen general PSO certification requirements. The 
certifications submitted to the Secretary in accordance with paragraph 
(a)(1) of this section must conform to the following 15 requirements:
    (1) Required certification regarding eight patient safety 
activities. An entity seeking initial listing as a PSO must certify 
that it has written policies and procedures in place to perform each of 
the eight patient safety activities,

[[Page 8174]]

defined in Sec.  3.20. Such policies and procedures will provide for 
compliance with the confidentiality provisions of subpart C of this 
part and the appropriate security measures required by Sec.  3.106 of 
this subpart. A PSO seeking continued listing must certify that it is 
performing, and will continue to perform, each of the patient safety 
activities, and is and will continue to comply with subpart C of this 
part and the security requirements referenced in the preceding 
sentence.
    (2) Required certification regarding seven PSO criteria. In its 
initial certification submission, an entity must also certify that it 
will comply with the additional seven requirements in paragraphs 
(b)(2)(i) through (b)(2)(vii) of this section. A PSO seeking continued 
listing must certify that it is complying with, and will continue to 
comply with, the requirements of this paragraph.
    (i) The mission and primary activity of a PSO must be to conduct 
activities that are to improve patient safety and the quality of health 
care delivery.
    (ii) The PSO must have appropriately qualified workforce members, 
including licensed or certified medical professionals.
    (iii) The PSO, within the 24-month period that begins on the date 
of its initial listing as a PSO, and within each sequential 24-month 
period thereafter, must have entered into 2 bona fide contracts, each 
of a reasonable period of time, each with a different provider for the 
purpose of receiving and reviewing patient safety work product.
    (iv) The PSO is not a health insurance issuer, and is not a 
component of a health insurance issuer.
    (v) The PSO must make disclosures to the Secretary as required 
under Sec.  3.102(d), in accordance with Sec.  3.112 of this subpart.
    (vi) To the extent practical and appropriate, the PSO must collect 
patient safety work product from providers in a standardized manner 
that permits valid comparisons of similar cases among similar 
providers.
    (vii) The PSO must utilize patient safety work product for the 
purpose of providing direct feedback and assistance to providers to 
effectively minimize patient risk.
    (c) Additional certifications required of component organizations. 
In addition to meeting the 15 general PSO certification requirements of 
paragraph (b) of this section, an entity seeking initial listing that 
is a component of another organization or enterprise must certify that 
it will comply with the requirements of paragraphs (c)(1) through 
(c)(3) of this section. A component PSO seeking continued listing must 
certify that it is complying with, and will continue to comply with, 
the requirements of this paragraph.
    (1) Separation of patient safety work product.
    (i) A component PSO must:
    (A) Maintain patient safety work product separately from the rest 
of the parent organization(s) of which it is a part; and
    (B) Not have a shared information system that could permit access 
to its patient safety work product to an individual(s) in, or unit(s) 
of, the rest of the parent organization(s) of which it is a part.
    (ii) Notwithstanding the requirements of paragraph (c)(1)(i) of 
this section, a component PSO may provide access to identifiable 
patient safety work product to an individual(s) in, or a unit(s) of, 
the rest of the parent organization(s) of which it is a part if the 
component PSO enters into a written agreement with such individuals or 
units that requires that:
    (A) The component PSO will only provide access to identifiable 
patient safety work product to enable such individuals or units to 
assist the component PSO in its conduct of patient safety activities, 
and
    (B) Such individuals or units that receive access to identifiable 
patient safety work product pursuant to such written agreement will 
only use or disclose such information as specified by the component PSO 
to assist the component PSO in its conduct of patient safety 
activities, will take appropriate security measures to prevent 
unauthorized disclosures and will comply with the other certifications 
the component has made pursuant to paragraphs (c)(2) and (c)(3) of this 
section regarding unauthorized disclosures and conflicts with the 
mission of the component PSO.
    (2) Nondisclosure of patient safety work product. A component PSO 
must require that members of its workforce and any other contractor 
staff, or individuals in, or units of, its parent organization(s) that 
receive access in accordance with paragraph (c)(1)(ii) of this section 
to its identifiable patient safety work product, not be engaged in work 
for the parent organization(s) of which it is a part, if the work could 
be informed or influenced by such individuals' knowledge of 
identifiable patient safety work product, except for individuals whose 
other work for the rest of the parent organization(s) is solely the 
provision of clinical care.
    (3) No conflict of interest. The pursuit of the mission of a 
component PSO must not create a conflict of interest with the rest of 
the parent organization(s) of which it is a part.
    (d) Required notifications. PSOs must meet the following 
notification requirements:
    (1) Notification regarding PSO compliance with the minimum contract 
requirement. No later than 45 calendar days prior to the last day of 
the applicable 24-month assessment period, specified in paragraph 
(b)(2)(iii) of this section, the Secretary must receive from a PSO a 
certification that states whether it has met the requirement of that 
paragraph regarding two bona fide contracts, in accordance with Sec.  
3.112 of this subpart.
    (2) Notification regarding a PSO's relationships with its 
contracting providers. A PSO must submit to the Secretary a disclosure 
statement, in accordance with Sec.  3.112 of this subpart, regarding 
its relationships with each provider with which the PSO has a contract 
pursuant to the Patient Safety Act if the circumstances described in 
either paragraph (d)(2)(i) or (d)(2)(ii) of this section are 
applicable. The Secretary must receive a disclosure statement within 45 
days of the date on which a PSO enters a contract with a provider if 
the circumstances are met on the date the contract is entered. During 
the contract period, if a PSO subsequently enters one or more 
relationships with a contracting provider that create the circumstances 
described in paragraph (d)(2)(i) of this section or a provider exerts 
any control over the PSO of the type described in paragraph (d)(2)(ii) 
of this section, the Secretary must receive a disclosure statement from 
the PSO within 45 days of the date that the PSO entered each new 
relationship or of the date on which the provider imposed control of 
the type described in paragraph (d)(2)(ii).
    (i) Taking into account all relationships that the PSO has with the 
provider, other than the bona fide contract entered into pursuant to 
the Patient Safety Act, the PSO must fully disclose any other 
contractual, financial, or reporting relationships described below that 
it has with that provider.
    (A) Contractual relationships which are not limited to 
relationships based on formal contracts but also encompass 
relationships based on any oral or written agreement or any arrangement 
that imposes responsibilities on the PSO.
    (B) Financial relationships including any direct or indirect 
ownership or investment relationship between the PSO and the 
contracting provider, shared or common financial interests or direct or 
indirect compensation

[[Page 8175]]

arrangement, whether in cash or in-kind.
    (C) Reporting relationships including any relationship that gives 
the provider access to information or control, directly or indirectly, 
over the work of the PSO that is not available to other contracting 
providers.
    (ii) Taking into account all relationships that the PSO has with 
the provider, the PSO must fully disclose if it is not independently 
managed or controlled, or if it does not operate independently from, 
the contracting provider. In particular, the PSO must further disclose 
whether the contracting provider has exercised or imposed any type of 
management control that could limit the PSO's ability to fairly and 
accurately perform patient safety activities and fully describe such 
control(s).
    (iii) PSOs may also describe or include in their disclosure 
statements, as applicable, any agreements, stipulations, or procedural 
safeguards that have been created to protect the ability of the PSO to 
operate independently or information that indicates the limited impact 
or insignificance of its financial, reporting, or contractual 
relationships with a contracting provider.


Sec.  3.104  Secretarial actions.

    (a) Actions in response to certification submissions for initial 
and continued listing as a PSO. (1) In response to an initial or 
continued certification submission by an entity, pursuant to the 
requirements of Sec.  3.102 of this subpart, the Secretary may--
    (i) Accept the certification submission and list the entity as a 
PSO, or maintain the listing of a PSO, if the Secretary determines that 
the entity meets the applicable requirements of the Patient Safety Act 
and this subpart;
    (ii) Deny acceptance of a certification submission and, in the case 
of a currently listed PSO, remove the entity from the list if the 
entity does not meet the applicable requirements of the Patient Safety 
Act and this subpart; or
    (iii) Condition the listing of an entity, or continued listing of a 
PSO, following a determination made pursuant to paragraph (c) of this 
section.
    (2) Basis of determination. In making a determination regarding 
listing, the Secretary will consider the certification submission; any 
prior actions by the Secretary regarding the entity or PSO including 
delisting; any history of or current non-compliance by the entity or 
the PSO with statutory or regulatory requirements or requests from the 
Secretary; the relationships of the entity or PSO with providers; and 
any findings made by the Secretary in accordance with paragraph (c) of 
this section.
    (3) Notification. The Secretary will notify in writing each entity 
of action taken on its certification submission for initial or 
continued listing. The Secretary will provide reasons when an entity's 
certification is conditionally accepted and the entity is conditionally 
listed, when an entity's certification is not accepted and the entity 
is not listed, or when acceptance of its certification is revoked and 
the entity is delisted.
    (b) Actions regarding PSO compliance with the minimum contract 
requirement. When the Secretary receives notification required by Sec.  
3.102(d)(1) of this subpart that the PSO has met the minimum contract 
requirement, the Secretary will acknowledge in writing receipt of the 
notification and add information to the list established pursuant to 
paragraph (d) of this section stating that the PSO has certified that 
it has met the requirement. If the PSO states that it has not yet met 
the minimum contract requirement, or if notice is not received by the 
date specified in Sec.  3.102(d)(1) of this subpart, the Secretary will 
issue to the PSO a notice of a preliminary finding of deficiency as 
specified in Sec.  3.108(a)(2) and establish a period for correction 
that extends until midnight of the last day of the PSO's applicable 24-
month period of assessment. Immediately thereafter, if the requirement 
has not been met, the Secretary will provide the PSO a written notice 
of proposed revocation and delisting in accordance with Sec.  
3.108(a)(3) of this subpart.
    (c) Actions regarding required disclosures by PSOs of relationships 
with contracting providers. The Secretary will review and make findings 
regarding each disclosure statement submitted by a PSO, pursuant to 
Sec.  3.102(d)(2) of this subpart, regarding its relationships with 
contracting provider(s), determine whether such findings warrant action 
regarding the listing of the PSO, and make the findings public.
    (1) Basis of findings regarding PSO disclosure statements. In 
reviewing disclosure statements, submitted pursuant to Sec.  
3.102(d)(2) of this subpart, the Secretary will consider the nature, 
significance, and duration of the disclosed relationship(s) between the 
PSO and the contracting provider and will determine whether the PSO can 
fairly and accurately perform the required patient safety activities.
    (2) Determination by the Secretary. Based on the Secretary's review 
and findings, he may choose to take any of the following actions:
    (i) For an entity seeking an initial or continued listing, the 
Secretary may list or continue the listing of an entity without 
conditions, list the entity subject to conditions, or deny the entity's 
certification for initial or continued listing; or
    (ii) For a listed PSO, the Secretary may determine that the entity 
will remain listed without conditions, continue the entity's listing 
subject to conditions, or remove the entity from listing.
    (3) Release of disclosure statements and Secretarial findings.
    (i) Subject to paragraph (c)(3)(ii) of this section, the Secretary 
will make disclosure statements available to the public along with 
related findings that are made available in accordance with paragraph 
(c) of this section.
    (ii) The Secretary may withhold information that is exempt from 
public disclosure under the Freedom of Information Act.
    (d) Maintaining a list of PSOs. The Secretary will compile and 
maintain a publicly available list of entities whose certifications as 
PSOs have been accepted. The list will include contact information for 
each entity, a copy of all certification forms and disclosure 
statements submitted by each entity, the effective date of the PSO's 
listing, and information on whether a PSO has certified that it has met 
the two-contract requirement. The list also will include a copy of the 
Secretary's findings regarding each disclosure statement submitted by 
an entity, information describing any related conditions that have been 
placed by the Secretary on the listing of an entity as a PSO, and other 
information that this Subpart states may be made public. AHRQ will 
establish a PSO Web site (or a comparable future form of public notice) 
and may post the list on this Web site.
    (e) Three-year period of listing. (1) The period of listing of a 
PSO will be for a three-year period, unless the listing is revoked or 
relinquished prior to the expiration of the three-year period, in 
accordance with Sec.  3.108 of this subpart.
    (2) The Secretary will send a written notice of imminent expiration 
to a PSO at least 45 calendar days prior to the date on which its 
three-year period of listing expires if the Secretary has not received 
a certification for continued listing.
    (f) Effective dates of Secretarial actions. Unless otherwise 
stated, the effective date of each action by the Secretary pursuant to 
this subpart will be specified in the written notice of such action 
that is sent to the entity. When the Secretary sends a notice that 
addresses acceptance or revocation of an

[[Page 8176]]

entity's certifications or voluntary relinquishment by an entity of its 
status as a PSO, the notice will specify the effective date and time of 
listing or delisting.


Sec.  3.106  Security requirements.

    (a) Application. A PSO must provide security for patient safety 
work product that conforms to the security requirements of paragraph 
(b) of this section. These requirements must be met at all times and at 
any location at which the PSO, its workforce members, or its 
contractors hold patient safety work product.
    (b) Security framework. PSOs must consider the following framework 
for the security of patient safety work product. The framework includes 
four elements: security management, separation of systems, security 
monitoring and control, and system assessment. To address the four 
elements of this framework, a PSO must develop appropriate and scalable 
security standards, policies, and procedures that are suitable for the 
size and complexity of its organization.
    (1) Security management. A PSO must address:
    (i) Maintenance and effective implementation of written policies 
and procedures that conform to the requirements of this section to 
protect the confidentiality, integrity, and availability of the patient 
safety work product that is processed, stored, and transmitted; and to 
monitor and improve the effectiveness of such policies and procedures, 
and
    (ii) Training of the PSO workforce and PSO contractors who access 
or hold patient safety work product regarding the requirements of the 
Patient Safety Act, this Part, and the PSO's policies and procedures 
regarding the confidentiality and security of patient safety work 
product.
    (2) Separation of Systems. A PSO must address:
    (i) Maintenance of patient safety work product, whether in 
electronic or other media, physically and functionally separate from 
any other system of records;
    (ii) Protection of the media, whether in electronic, paper, or 
other format, that contain patient safety work product, limiting access 
to authorized users, and sanitizing and destroying such media before 
disposal or release for reuse; and
    (iii) Physical and environmental protection, to control and limit 
physical and virtual access to places and equipment where patient 
safety work product is stored or used.
    (3) Security control and monitoring. A PSO must address:
    (i) Identification of those authorized to have access to patient 
safety work product and an audit capacity to detect unlawful, 
unauthorized, or inappropriate access to patient safety work product, 
and
    (ii) Measures to prevent unauthorized removal, transmission or 
disclosure of patient safety work product.
    (4) Security assessment. A PSO must address:
    (i) Periodic assessments of security risks and controls, as 
determined appropriate by the PSO, to establish if its controls are 
effective, to correct any deficiency identified, and to reduce or 
eliminate any vulnerabilities.
    (ii) System and communications protection, to monitor, control, and 
protect PSO uses, communications, and transmissions involving patient 
safety work product to and from providers and any other responsible 
persons.


Sec.  3.108  Correction of deficiencies, revocation, and voluntary 
relinquishment.

    (a) Process for correction of a deficiency and revocation--(1) 
Circumstances leading to revocation. The Secretary may revoke his 
acceptance of an entity's certification and delist the entity as a PSO 
if he determines--
    (i) The PSO is not fulfilling the certifications it made to the 
Secretary that are set forth in Sec.  3.102 of this subpart;
    (ii) The PSO has not timely notified the Secretary that it has met 
the two contract requirement, as required by Sec.  3.102(d)(1) of this 
subpart;
    (iii) The Secretary, based on a PSO's disclosures made pursuant to 
Sec.  3.102(d)(2) of this subpart, makes a public finding that the 
entity cannot fairly and accurately perform the patient safety 
activities of a PSO; or
    (iv) The PSO is not in compliance with any other provision of the 
Patient Safety Act or this Part.
    (2) Notice of preliminary finding of deficiency and establishment 
of an opportunity for correction of a deficiency. (i) If the Secretary 
determines that a PSO is not in compliance with its obligations under 
the Patient Safety Act or this Subpart, the Secretary must send a PSO 
written notice of the preliminary finding of deficiency. The notice 
must state the actions or inactions that encompass the deficiency 
finding, outline the evidence that the deficiency exists, specify the 
possible and/or required corrective actions that must be taken, and 
establish a date by which the deficiency must be corrected. The 
Secretary may specify in the notice the level of documentation required 
to demonstrate that the deficiency has been corrected.
    (ii) The notice of a preliminary finding of deficiency is presumed 
received five days after it is sent, absent evidence of the actual 
receipt date. If a PSO does not submit evidence to the Secretary within 
14 calendar days of actual or constructive receipt of such notice, 
whichever is longer, which demonstrates that the preliminary finding is 
factually incorrect, the preliminary finding will be the basis for a 
finding of deficiency.
    (3) Determination of correction of a deficiency. (i) Unless the 
Secretary specifies another date, the Secretary must receive 
documentation to demonstrate that the PSO has corrected the deficiency 
no later than five calendar days following the last day of the 
correction period, that is specified by the Secretary in the notice of 
preliminary finding of deficiency.
    (ii) In making a determination regarding the correction of any 
deficiency, the Secretary will consider the documentation submitted by 
the PSO, the findings of any site visit that he determines is necessary 
or appropriate, recommendations of program staff, and any other 
information available regarding the PSO that the Secretary deems 
appropriate and relevant to the PSO's implementation of the terms of 
its certification.
    (iii) After completing his review, the Secretary may make one of 
the following determinations:
    (A) The action(s) taken by the PSO have corrected any deficiency, 
in which case the Secretary will withdraw the notice of deficiency and 
so notify the PSO;
    (B) The PSO has acted in good faith to correct the deficiency but 
the Secretary finds an additional period of time is necessary to 
achieve full compliance and/or the required corrective action specified 
in the notice of a preliminary finding of deficiency needs to be 
modified in light of the experience of the PSO in attempting to 
implement the corrective action, in which case the Secretary will 
extend the period for correction and/or modify the specific corrective 
action required; or
    (C) The PSO has not completed the corrective action because it has 
not acted with reasonable diligence or speed to ensure that the 
corrective action was completed within the allotted time, in which case 
the Secretary will issue to the PSO a notice of proposed revocation and 
delisting.
    (iv) When the Secretary issues a written notice of proposed 
revocation and delisting, the notice will specify the

[[Page 8177]]

deficiencies that have not been timely corrected and will detail the 
manner in which the PSO may exercise its opportunity to be heard in 
writing to respond to the deficiencies specified in the notice.
    (4) Opportunity to be heard in writing following a notice of 
proposed revocation and delisting. The Secretary will afford a PSO an 
opportunity to be heard in writing, as specified in paragraph (a)(4)(i) 
of this section, to provide a substantive response to the deficiency 
finding(s) set forth in the notice of proposed revocation and 
delisting.
    (i) The notice of proposed revocation and delisting is presumed 
received five days after it is sent, absent evidence of actual receipt. 
The Secretary will provide a PSO with a period of time, beginning with 
the date of receipt of the notice of proposed revocation and delisting 
of which there is evidence, or the presumed date of receipt if there is 
no evidence of earlier receipt, and ending at midnight 30 calendar days 
thereafter, during which the PSO can submit a substantive response to 
the deficiency findings in writing.
    (ii) The Secretary will provide to the PSO rules of procedure 
governing the form or transmission of the written response to the 
notice of proposed revocation and delisting. The Rules may also be 
posted on the AHRQ PSO Web site or published in the Federal Register.
    (iii) If a PSO does not submit a written response to the deficiency 
finding(s) within 30 calendar days of receipt of the notice of proposed 
revocation and delisting, the notice of proposed revocation becomes 
final as a matter of law and the basis for Secretarial action under 
paragraph (b)(1) of this section.
    (5) The Secretary's decision regarding revocation. The Secretary 
will review the entire administrative record pertaining to a notice of 
proposed revocation and delisting and any written materials submitted 
by the PSO under paragraph (a)(4) of this section. The Secretary may 
affirm, reverse, or modify the notice of proposed revocation and 
delisting and will make a determination with respect to the continued 
listing of the PSO.
    (b) Revocation of the Secretary's acceptance of a PSO's 
certifications--(1) Establishing revocation for cause. When the 
Secretary concludes, in accordance with a decision made under paragraph 
(a)(5) of this section, that revocation of the acceptance of a PSO's 
certification is warranted for its failure to comply with requirements 
of the Patient Safety Act or of this Subpart, the Secretary will 
establish the time and date for the prompt revocation and removal of 
the entity from the list of PSOs, so notify the PSO in writing, and 
provide the relevant public notice required by Sec.  3.108(d) of this 
subpart.
    (2) Required notification of providers and status of data. Within 
15 days of being notified of the Secretary's action pursuant to 
paragraph (b)(1) of this section, an entity subject to paragraph (b)(1) 
of this section will submit to the Secretary confirmation that it has 
taken all reasonable actions to notify each provider, whose patient 
safety work product it collected or analyzed, of the Secretary's 
action(s). Confidentiality and privilege protections that applied to 
patient safety work product while the former PSO was listed continue to 
apply after the entity is removed from listing. Data submitted by 
providers to the former PSO within 30 calendar days of the date on 
which it is removed from the list of PSOs pursuant to paragraph (b)(1) 
of this section will have the same status as data submitted while the 
entity was still listed.
    (3) Disposition of patient safety work product and data. Following 
revocation and delisting pursuant to paragraph (b)(1) of this section, 
the former PSO will take one or more of the following measures:
    (i) Transfer such patient safety work product or data, with the 
approval of the source from which it was received, to a PSO that has 
agreed to receive such patient safety work product or data;
    (ii) Return such work product or data to the source from which it 
was submitted; or
    (iii) If returning such patient safety work product or data to its 
source is not practicable, destroy such patient safety work product or 
data.
    (c) Voluntary relinquishment--(1) Circumstances constituting 
voluntary relinquishment. A PSO will be considered to have voluntarily 
relinquished its status as a PSO if the Secretary accepts a 
notification from a PSO that it wishes to relinquish voluntarily its 
listing as a PSO or the Secretary determines that an implied voluntary 
relinquishment has taken place because the period of listing of a PSO 
has expired without receipt of a timely submission of certifications 
for continued listing.
    (2) Notification of voluntary relinquishment. A PSO's notification 
of voluntary relinquishment to the Secretary must include the 
following:
    (i) An attestation that all reasonable efforts have been made, or 
will have been made by a PSO within 15 calendar days of this statement, 
to notify the sources from which it received patient safety work 
product or data of the PSO's intention to cease operations, to 
relinquish voluntarily its status as a PSO, to request that these other 
entities cease reporting or submitting any further information to the 
PSO as soon as possible, and inform them that any data submitted after 
the effective date and time of delisting, that the Secretary sets 
pursuant to paragraph (c)(3) of this section, will not be protected as 
patient safety work product under the Patient Safety Act based upon 
such submissions;
    (ii) An attestation that the entity has established a plan, or 
within 15 calendar days of this statement, will have made all 
reasonable efforts to establish a plan, in consultation with the 
sources from which it received patient safety work product or data, 
that provides for the disposition of such patient safety work product 
or data consistent with, to the extent practicable, the statutory 
options for disposition of patient safety work product or data as set 
out in paragraphs (b)(3)(i) through (iii) of this section; and
    (iii) Appropriate contact information for further communications 
from the Secretary.
    (3) Response to notification of voluntary relinquishment. (i) After 
a PSO provides the notification required by paragraph (c)(2) of this 
section, the Secretary will respond in writing to the entity indicating 
whether the proposed voluntary relinquishment of its PSO status is 
accepted. If the voluntary relinquishment is accepted, the Secretary's 
response will indicate an effective date and time for the entity's 
removal from the list of PSOs and will provide public notice of the 
delisting, in accordance with Sec.  3.108(d) of this subpart.
    (ii) If the Secretary receives a notification of voluntary 
relinquishment during or immediately after revocation proceedings for 
cause under paragraphs (a)(4) and (a)(5) of this section, the 
Secretary, as a matter of discretion, may accept voluntary 
relinquishment in accordance with the preceding paragraph or decide not 
to accept the entity's proposed voluntary relinquishment and proceed 
with the revocation for cause and delisting pursuant to paragraph 
(b)(1) of this section.
    (4) Implied voluntary relinquishment. (i) If the period of listing 
of a PSO lapses without timely receipt and acceptance by the Secretary 
of a certification seeking continued listing or timely receipt of a 
notification of voluntary relinquishment of its PSO status in 
accordance with paragraph (c)(2) of this section, the Secretary will 
determine that voluntary relinquishment has

[[Page 8178]]

occurred and will remove the entity from the list of PSOs effective as 
of midnight on the last day of its three-year period of listing. The 
Secretary will take reasonable measures to notify the entity of its 
delisting and will provide public notice of the delisting in accordance 
with Sec.  3.108(d) of this subpart.
    (ii) The Secretary will request in the notice to the entity that it 
make reasonable efforts to comply with the requirements of paragraph 
(c)(2) of this section with respect to notification, appropriate 
disposition of patient safety work product, and the provision of 
contact information to the Secretary.
    (5) Non-applicability of certain procedures and requirements. (i) A 
decision by the Secretary to accept a request by a PSO to relinquish 
voluntarily its status as a PSO pursuant to paragraph (c)(2) of this 
section or a decision that voluntary relinquishment has occurred 
pursuant to paragraph (c)(4) of this section does not constitute a 
determination of a deficiency in PSO compliance with the Patient Safety 
Act or with this Subpart and no opportunity for corrective action by 
the PSO is required.
    (ii) The procedures and requirements of Sec.  3.108(a) of this 
subpart regarding deficiencies including the opportunity to be heard in 
writing, and those that are based upon determinations of the Secretary 
pursuant to Sec.  3.108(b)(1) of this subpart are not applicable to 
determinations of the Secretary made pursuant to paragraph (c) of this 
section.
    (d) Public notice of delisting regarding removal from listing. If 
the Secretary removes an entity from the list of PSOs following 
revocation of acceptance of the entity's certification pursuant to 
Sec.  3.108(b)(1) of this subpart or following a determination of 
voluntary relinquishment pursuant to Sec.  3.108(c)(3) or (c)(4) of 
this subpart, the Secretary will promptly publish in the Federal 
Register and on the AHRQ PSO Web site, or in a comparable future form 
of public notice, established pursuant to Sec.  3.104(d) of this 
subpart, a notice of the actions taken and the effective dates.


Sec.  3.110  Assessment of PSO compliance.

    The Secretary may request information or conduct announced or 
unannounced reviews of or site visits to PSOs, to assess or verify PSO 
compliance with the requirements of this subpart and for these purposes 
will be allowed to inspect the physical or virtual sites maintained or 
controlled by the PSO. The Secretary will be allowed to inspect and/or 
be given or sent copies of any PSO records deemed necessary and 
requested by the Secretary to implement the provisions of this subpart. 
Such PSO records may include patient safety work product in accordance 
with Sec.  3.206(d) of this subpart.


Sec.  3.112  Submissions and forms.

    (a) Forms referred to in this subpart may be obtained on the AHRQ 
PSO Web site or a comparable future form of public notice or by 
requesting them in writing by e-mail at [email protected], or by 
mail from the Agency for Healthcare Research and Quality, CQuIPS, PSO 
Liaison, 540 Gaither Road, Rockville, MD 20850. A form (including any 
required attachments) must be submitted in accordance with the 
accompanying instructions.
    (b) Information submitted to AHRQ in writing, but not required to 
be on a form, and requests for information from AHRQ, may be submitted 
by mail or other delivery to the Agency for Healthcare Research and 
Quality, CQuIPS, PSO Liaison, 540 Gaither Road, Rockville, MD 20850, by 
facsimile at (301) 427-1341, or by e-mail at [email protected].
    (c) If a submission to the Secretary is incomplete or additional 
information is needed to allow a determination to be made under this 
subpart, the submitter will be notified if any additional information 
is required.

Subpart C--Confidentiality and Privilege Protections of Patient 
Safety Work Product


Sec.  3.204  Privilege of Patient Safety Work Product

    (a) Privilege. Notwithstanding any other provision of Federal, 
State, local, or tribal law and subject to paragraph (b) of this 
section and Sec.  3.208 of this subpart, patient safety work product 
shall be privileged and shall not be:
    (1) Subject to a Federal, State, local, or tribal civil, criminal, 
or administrative subpoena or order, including in a Federal, State, 
local, or tribal civil or administrative disciplinary proceeding 
against a provider;
    (2) Subject to discovery in connection with a Federal, State, 
local, or tribal civil, criminal, or administrative proceeding, 
including in a Federal, State, local, or tribal civil or administrative 
disciplinary proceeding against a provider;
    (3) Subject to disclosure pursuant to section 552 of Title 5, 
United States Code (commonly known as the Freedom of Information Act) 
or any other similar Federal, State, local, or tribal law;
    (4) Admitted as evidence in any Federal, State, local, or tribal 
governmental civil proceeding, criminal proceeding, administrative 
rulemaking proceeding, or administrative adjudicatory proceeding, 
including any such proceeding against a provider; or
    (5) Admitted in a professional disciplinary proceeding of a 
professional disciplinary body established or specifically authorized 
under State law.
    (b) Exceptions to privilege. Privilege shall not apply to (and 
shall not be construed to prohibit) one or more of the following 
disclosures:
    (1) Disclosure of relevant patient safety work product for use in a 
criminal proceeding, subject to the conditions at Sec.  3.206(b)(1) of 
this subpart.
    (2) Disclosure to the extent required to permit equitable relief 
subject to the conditions at Sec.  3.206(b)(2) of this subpart.
    (3) Disclosure pursuant to provider authorizations subject to the 
conditions at Sec.  3.206(b)(3) of this subpart.
    (4) Disclosure of non-identifiable patient safety work product 
subject to the conditions at Sec.  3.206(b)(5) of this subpart.
    (c) Implementation and Enforcement of the Patient Safety Act. 
Privilege shall not apply to (and shall not be construed to prohibit) 
disclosures of relevant patient safety work product to or by the 
Secretary if such patient safety work product is needed to investigate 
or determine compliance with this part or is needed in seeking or 
imposing civil money penalties, or in making or supporting PSO 
certification or listing decisions, under the Patient Safety Act.


Sec.  3.206  Confidentiality of Patient Safety Work Product.

    (a) Confidentiality. Subject to paragraphs (b) through (e) of this 
section, and Sec. Sec.  3.208 and 3.210 of this subpart, patient safety 
work product shall be confidential and shall not be disclosed.
    (b) Exceptions to confidentiality. The confidentiality provisions 
shall not apply to (and shall not be construed to prohibit) one or more 
of the following disclosures:
    (1) Criminal proceedings. Disclosure of relevant patient safety 
work product for use in a criminal proceeding, but only after a court 
makes an in camera determination that:
    (i) Such patient safety work product contains evidence of a 
criminal act;
    (ii) Such patient safety work product is material to the 
proceeding; and
    (iii) Such patient safety work product is not reasonably available 
from any other source.
    (2) Equitable relief for reporters. Disclosure of patient safety 
work

[[Page 8179]]

product to the extent required to permit equitable relief under section 
922 (f)(4)(A) of the Public Health Service Act.
    (3) Authorized by identified providers. (i) Disclosure of 
identifiable patient safety work product consistent with a valid 
authorization if such authorization is obtained from each provider 
identified in such work product prior to disclosure. A valid 
authorization must:
    (A) Be in writing and signed by the provider from whom 
authorization is sought; and
    (B) Contain sufficient detail to fairly inform the provider of the 
nature and scope of the disclosures being authorized;
    (ii) A valid authorization must be retained by the disclosing 
entity for six years from the date of the last disclosure made in 
reliance on the authorization and made available to the Secretary upon 
request.
    (4) Patient safety activities--(i) Disclosure between a provider 
and a PSO. Disclosure of patient safety work product for patient safety 
activities by a provider to a PSO or by a PSO to that disclosing 
provider.
    (ii) Disclosure to a contractor of a provider or a PSO. A provider 
or a PSO may disclose patient safety work product for patient safety 
activities to an entity with which it has contracted to undertake 
patient safety activities on its behalf. A contractor receiving patient 
safety work product for patient safety activities may not further 
disclose patient safety work product, except to the entity with which 
it is contracted.
    (iii) Disclosure by a PSO to another PSO or by a provider to 
another provider. Disclosure of patient safety work product for patient 
safety activities by a PSO to another PSO or to another provider that 
has reported to the PSO, or by a provider to another provider, 
provided:
    (A) The following direct identifiers of any providers and of 
affiliated organizations, corporate parents, subsidiaries, practice 
partners, employers, members of the workforce, or household members of 
such providers are removed:
    (1) Names;
    (2) Postal address information, other than town or city, State and 
zip code;
    (3) Telephone numbers;
    (4) Fax numbers;
    (5) Electronic mail addresses;
    (6) Social security numbers or taxpayer identification numbers;
    (7) Provider or practitioner credentialing or DEA numbers;
    (8) National provider identification number;
    (9) Certificate/license numbers;
    (10) Web Universal Resource Locators (URLs);
    (11) Internet Protocol (IP) address numbers;
    (12) Biometric identifiers, including finger and voice prints; and
    (13) Full face photographic images and any comparable images; and
    (B) With respect to any individually identifiable health 
information in such patient safety work product, the direct identifiers 
listed at 45 CFR 164.514(e)(2) have been removed.
    (5) Disclosure of nonidentifiable patient safety work product. 
Disclosure of nonidentifiable patient safety work product when patient 
safety work product meets the standard for nonidentification in 
accordance with Sec.  3.212 of this subpart.
    (6) For research. (i) Disclosure of patient safety work product to 
persons carrying out research, evaluation or demonstration projects 
authorized, funded, certified, or otherwise sanctioned by rule or other 
means by the Secretary, for the purpose of conducting research.
    (ii) If the patient safety work product disclosed pursuant to 
paragraph (b)(6)(i) of this section is by a HIPAA covered entity as 
defined at 45 CFR 160.103 and contains protected health information as 
defined by the HIPAA Privacy Rule at 45 CFR 160.103, such patient 
safety work product may only be disclosed under this exception in the 
same manner as would be permitted under the HIPAA Privacy Rule at 45 
CFR 164.512(i).
    (7) To the Food and Drug Administration (FDA).
    (i) Disclosure by a provider of patient safety work product 
concerning an FDA-regulated product or activity to the FDA or to an 
entity required to report to the FDA concerning the quality, safety, or 
effectiveness of an FDA-regulated product or activity.
    (ii) The FDA and any entity receiving patient safety work product 
pursuant to paragraph (b)(7)(i) of this section may only further 
disclose such patient safety work product for the purpose of evaluating 
the quality, safety, or effectiveness of that product or activity 
between each other, their contractors, and the disclosing provider. A 
contractor receiving patient safety work product pursuant to this 
paragraph may not further disclose patient safety work product, except 
to the entity from which it received the patient safety work product.
    (8) Voluntary disclosure to an accrediting body.
    (i) Voluntary disclosure by a provider of patient safety work 
product that identifies that provider to an accrediting body that 
accredits that provider. Such accrediting body may not further disclose 
such patient safety work product.
    (ii) An accrediting body may not take an accrediting action against 
a provider based on a good faith participation of the provider in the 
collection, development, reporting, or maintenance of patient safety 
work product in accordance with this Part. An accrediting body may not 
require a provider to reveal its communications with any PSO.
    (9) Business operations. (i) Disclosure of patient safety work 
product by a provider or a PSO for business operations to attorneys, 
accountants, and other professionals. Such contractors may not further 
disclose patient safety work product, except to the entity from which 
they received the information.
    (ii) Disclosure of patient safety work product for such other 
business operations that the Secretary may prescribe by regulation as 
consistent with the goals of this part.
    (10) Disclosure to law enforcement.
    (i) Disclosure of patient safety work product to an appropriate law 
enforcement authority relating to an event that either constitutes the 
commission of a crime, or for which the disclosing person reasonably 
believes constitutes the commission of a crime, provided that the 
disclosing person believes, reasonably under the circumstances, that 
the patient safety work product that is disclosed is necessary for 
criminal law enforcement purposes.
    (ii) Law enforcement personnel receiving patient safety work 
product pursuant to paragraph (b)(10)(i) of this section may disclose 
that patient safety work product to other law enforcement authorities 
as needed for law enforcement activities related to the event that gave 
rise to the disclosure under paragraph (b)(10)(i) of this section.
    (c) Safe harbor. A provider or responsible person, but not a PSO, 
is not considered to have violated the requirements of this subpart if 
a member of its workforce discloses patient safety work product, 
provided that the disclosure does not include materials, including oral 
statements, that:
    (1) Assess the quality of care of an identifiable provider; or
    (2) Describe or pertain to one or more actions or failures to act 
by an identifiable provider.
    (d) Implementation and Enforcement of the Patient Safety Act. The 
confidentiality provisions shall not apply to (and shall not be 
construed to

[[Page 8180]]

prohibit) disclosures of relevant patient safety work product to or by 
the Secretary if such patient safety work product is needed to 
investigate or determine compliance with this part or is needed in 
seeking and imposing civil money penalties, or in making or supporting 
PSO certification or listing decisions, under the Patient Safety Act.
    (e) No limitation on authority to limit or delegate disclosure or 
use. Nothing in subpart C of this part shall be construed to limit the 
authority of any person to enter into a contract requiring greater 
confidentiality or delegating authority to make a disclosure or use in 
accordance with this subpart.


Sec.  3.208  Continued protection of Patient Safety Work Product.

    (a) Except as provided in paragraph (b) of this section, patient 
safety work product disclosed in accordance with this subpart, or 
disclosed impermissibly, shall continue to be privileged and 
confidential.
    (b)(1) Patient safety work product disclosed for use in a criminal 
proceeding pursuant to section 922(c)(1)(A) of the Public Health 
Service Act and/or pursuant to Sec.  3.206(b)(1) of this subpart 
continues to be privileged, but is no longer confidential.
    (2) Non-identifiable patient safety work product that is disclosed 
is no longer privileged or confidential and not subject to the 
regulations under this part.
    (3) Paragraph (b) of this section applies only to the specific 
patient safety work product disclosed.


Sec.  3.210  Required disclosure of Patient Safety Work Product to the 
Secretary.

    Providers, PSOs, and responsible persons must disclose patient 
safety work product upon request by the Secretary when the Secretary 
determines such patient safety work product is needed to investigate or 
determine compliance with this part or is needed in seeking and 
imposing civil money penalties or making determinations on certifying 
and listing PSOs.


Sec.  3.212  Nonidentification of Patient Safety Work Product.

    (a) Patient safety work product is nonidentifiable with respect to 
a particular identified provider or a particular identified reporter 
if:
    (1) A person with appropriate knowledge of and experience with 
generally accepted statistical and scientific principles and methods 
for rendering information not individually identifiable:
    (i) Applying such principles and methods, determines that the risk 
is very small that the information could be used, alone or in 
combination with other reasonably available information, by an 
anticipated recipient to identify an identified provider or reporter; 
and
    (ii) Documents the methods and results of the analysis that justify 
such determination; or
    (2)(i) The following identifiers of such provider or reporter and 
of affiliated organizations, corporate parents, subsidiaries, practice 
partners, employers, members of the workforce, or household members of 
such providers or reporters are removed:
    (A) Names;
    (B) Geographic subdivisions smaller than a State, including street 
address, city, county, precinct, zip code and equivalent geocodes, 
except for the initial three digits of a zip code if, according to the 
current publicly available data from the Bureau of the Census, the 
geographic unit formed by combining all zip codes with the same three 
initial digits contains more than 20,000 people;
    (C) All elements of dates (except year) for dates directly related 
to a patient safety incident or event;
    (D) Telephone numbers;
    (E) Fax numbers;
    (F) Electronic mail addresses;
    (G) Social security numbers or taxpayer identification numbers;
    (H) Provider or practitioner credentialing or DEA numbers;
    (I) National provider identification number;
    (J) Certificate/license numbers;
    (K) Web Universal Resource Locators (URLs);
    (L) Internet Protocol (IP) address numbers;
    (M) Biometric identifiers, including finger and voice prints;
    (N) Full face photographic images and any comparable images; and,
    (O) Any other unique identifying number, characteristic, or code 
except as permitted for re-identification; and
    (ii) The provider, PSO or responsible person making the disclosure 
does not have actual knowledge that the information could be used, 
alone or in combination with other information that is reasonably 
available to the intended recipient, to identify the particular 
provider or reporter.
    (3) Re-identification. A provider, PSO, or responsible person may 
assign a code or other means of record identification to allow 
information made nonidentifiable under this section to be re-identified 
by such provider, PSO, or responsible person, provided that:
    (i) The code or other means of record identification is not derived 
from or related to information about the provider or reporter and is 
not otherwise capable of being translated so as to identify the 
provider or reporter; and
    (ii) The provider, PSO, or responsible person does not use or 
disclose the code or other means of record identification for any other 
purpose, and does not disclose the mechanism for re-identification.
    (b) Patient safety work product is non-identifiable with respect a 
particular patient only if the individually identifiable health 
information regarding that patient is de-identified in accordance with 
the HIPAA Privacy Rule standard and implementation specifications for 
the de-identification at 45 CFR 164.514 (a) through (c).

Subpart D--Enforcement Program


Sec.  3.304  Principles for achieving compliance.

    (a) Cooperation. The Secretary will, to the extent practicable, 
seek the cooperation of providers, PSOs, and responsible persons in 
obtaining compliance with the applicable confidentiality provisions.
    (b) Assistance. The Secretary may provide technical assistance to 
providers, PSOs, and responsible persons to help them comply 
voluntarily with the applicable confidentiality provisions.


Sec.  3.306  Complaints to the Secretary.

    (a) Right to file a complaint. A person who believes that patient 
safety work product has been disclosed in violation of the 
confidentiality provisions may file a complaint with the Secretary.
    (b) Requirements for filing complaints. Complaints under this 
section must meet the following requirements:
    (1) A complaint must be filed in writing, either on paper or 
electronically.
    (2) A complaint must name the person that is the subject of the 
complaint and describe the act(s) believed to be in violation of the 
applicable confidentiality provision(s).
    (3) A complaint must be filed within 180 days of when the 
complainant knew or should have known that the act complained of 
occurred, unless this time limit is waived by the Secretary for good 
cause shown.
    (4) The Secretary may prescribe additional procedures for the 
filing of complaints, as well as the place and manner of filing, by 
notice in the Federal Register.
    (c) Investigation. The Secretary may investigate complaints filed 
under this section. Such investigation may include

[[Page 8181]]

a review of the pertinent policies, procedures, or practices of the 
respondent and of the circumstances regarding any alleged violation. At 
the time of initial written communication with the respondent about the 
complaint, the Secretary will describe the act(s) that are the basis of 
the complaint.


Sec.  3.308  Compliance reviews.

    The Secretary may conduct compliance reviews to determine whether a 
respondent is complying with the applicable confidentiality provisions.


Sec.  3.310  Responsibilities of respondents.

    (a) Provide records and compliance reports. A respondent must keep 
such records and submit such compliance reports, in such time and 
manner and containing such information, as the Secretary may determine 
to be necessary to enable the Secretary to ascertain whether the 
respondent has complied or is complying with the applicable 
confidentiality provisions.
    (b) Cooperate with complaint investigations and compliance reviews. 
A respondent must cooperate with the Secretary, if the Secretary 
undertakes an investigation or compliance review of the policies, 
procedures, or practices of the respondent to determine whether it is 
complying with the applicable confidentiality provisions.
    (c) Permit access to information. (1) A respondent must permit 
access by the Secretary during normal business hours to its facilities, 
books, records, accounts, and other sources of information, including 
patient safety work product, that are pertinent to ascertaining 
compliance with the applicable confidentiality provisions. If the 
Secretary determines that exigent circumstances exist, such as when 
documents may be hidden or destroyed, a respondent must permit access 
by the Secretary at any time and without notice.
    (2) If any information required of a respondent under this section 
is in the exclusive possession of any other agency, institution, or 
person, and the other agency, institution, or person fails or refuses 
to furnish the information, the respondent must so certify and set 
forth what efforts it has made to obtain the information.


Sec.  3.312  Secretarial action regarding complaints and compliance 
reviews.

    (a) Resolution when noncompliance is indicated. (1) If an 
investigation of a complaint pursuant to Sec.  3.306 of this subpart or 
a compliance review pursuant to Sec.  3.308 of this subpart indicates 
noncompliance, the Secretary may attempt to reach a resolution of the 
matter satisfactory to the Secretary by informal means. Informal means 
may include demonstrated compliance or a completed corrective action 
plan or other agreement.
    (2) If the matter is resolved by informal means, the Secretary will 
so inform the respondent and, if the matter arose from a complaint, the 
complainant, in writing.
    (3) If the matter is not resolved by informal means, the Secretary 
will--
    (i) So inform the respondent and provide the respondent an 
opportunity to submit written evidence of any mitigating factors. The 
respondent must submit any evidence to the Secretary within 30 days 
(computed in the same manner as prescribed under Sec.  3.504(l) of this 
subpart) of receipt of such notification; and
    (ii) If, following action pursuant to paragraph (a)(3)(i) of this 
section, the Secretary decides that a civil money penalty should be 
imposed, inform the respondent of such finding in a notice of proposed 
determination in accordance with Sec.  3.420 of this subpart.
    (b) Resolution when no violation is found. If, after an 
investigation pursuant to Sec.  3.306 of this subpart or a compliance 
review pursuant to Sec.  3.308 of this subpart, the Secretary 
determines that further action is not warranted, the Secretary will so 
inform the respondent and, if the matter arose from a complaint, the 
complainant, in writing.
    (c) Uses and disclosures of information obtained. (1) Identifiable 
patient safety work product obtained by the Secretary in connection 
with an investigation or compliance review under this subpart will not 
be disclosed by the Secretary, except in accordance with Sec.  3.206(d) 
of this subpart, or if otherwise permitted by this part or the Patient 
Safety Act.
    (2) Except as provided for in paragraph (c)(1) of this section, 
information, including testimony and other evidence, obtained by the 
Secretary in connection with an investigation or compliance review 
under this subpart may be used by HHS in any of its activities and may 
be used or offered into evidence in any administrative or judicial 
proceeding.


Sec.  3.314  Investigational subpoenas and inquiries.

    (a) The Secretary may issue subpoenas in accordance with 42 U.S.C. 
405(d) and (e), and 1320a-7a(j), to require the attendance and 
testimony of witnesses and the production of any other evidence 
including patient safety work product during an investigation or 
compliance review pursuant to this part. The Secretary will issue and 
serve subpoenas pursuant to this subpart in accordance with 45 CFR 
160.314(a)(1) through (5), except the term ``this part'' shall refer to 
42 CFR part 3.
    (b) Investigational inquiries are non-public investigational 
proceedings conducted by the Secretary. The Secretary will conduct 
investigational proceedings in accordance with 45 CFR 160.314(b)(1) 
through (9).


Sec.  3.402  Basis for a civil money penalty.

    (a) General rule. A person who discloses identifiable patient 
safety work product in knowing or reckless violation of the 
confidentiality provisions shall be subject to a civil money penalty 
for each act constituting such violation.
    (b) Violation attributed to a principal. A principal is 
independently liable, in accordance with the federal common law of 
agency, for a civil money penalty based on the act of the principal's 
agent, including a workforce member, acting within the scope of the 
agency if such act could give rise to a civil money penalty in 
accordance with Sec.  3.402(a) of this subpart.


Sec.  3.404  Amount of a civil money penalty.

    (a) The amount of a civil money penalty will be determined in 
accordance with paragraph (b) of this section and Sec.  3.408 of this 
subpart.
    (b) The Secretary may impose a civil money penalty in the amount of 
not more than $10,000.


Sec.  3.408  Factors considered in determining the amount of a civil 
money penalty.

    In determining the amount of any civil money penalty, the Secretary 
may consider as aggravating or mitigating factors, as appropriate, any 
of the following:
    (a) The nature of the violation.
    (b) The circumstances, including the consequences, of the 
violation, including:
    (1) The time period during which the violation(s) occurred; and
    (2) Whether the violation caused physical or financial harm or 
reputational damage;
    (c) The degree of culpability of the respondent, including:
    (1) Whether the violation was intentional; and
    (2) Whether the violation was beyond the direct control of the 
respondent.
    (d) Any history of prior compliance with the Patient Safety Act, 
including violations, by the respondent, including:
    (1) Whether the current violation is the same or similar to prior 
violation(s);

[[Page 8182]]

    (2) Whether and to what extent the respondent has attempted to 
correct previous violations;
    (3) How the respondent has responded to technical assistance from 
the Secretary provided in the context of a compliance effort; and
    (4) How the respondent has responded to prior complaints.
    (e) The financial condition of the respondent, including:
    (1) Whether the respondent had financial difficulties that affected 
its ability to comply;
    (2) Whether the imposition of a civil money penalty would 
jeopardize the ability of the respondent to continue to provide health 
care or patient safety activities; and
    (3) The size of the respondent.
    (f) Such other matters as justice may require.


Sec.  3.414  Limitations.

    No action under this subpart may be entertained unless commenced by 
the Secretary, in accordance with Sec.  3.420 of this subpart, within 6 
years from the date of the occurrence of the violation.


Sec.  3.416  Authority to settle.

    Nothing in this subpart limits the authority of the Secretary to 
settle any issue or case or to compromise any penalty.


Sec.  3.418  Exclusivity of penalty.

    (a) Except as otherwise provided by paragraph (b) of this section, 
a penalty imposed under this part is in addition to any other penalty 
prescribed by law.
    (b) Civil money penalties shall not be imposed both under this part 
and under the HIPAA Privacy Rule (45 CFR parts 160 and 164).


Sec.  3.420  Notice of proposed determination.

    (a) If a penalty is proposed in accordance with this part, the 
Secretary must deliver, or send by certified mail with return receipt 
requested, to the respondent, written notice of the Secretary's intent 
to impose a penalty. This notice of proposed determination must 
include:
    (1) Reference to the statutory basis for the penalty;
    (2) A description of the findings of fact regarding the violations 
with respect to which the penalty is proposed;
    (3) The reason(s) why the violation(s) subject(s) the respondent to 
a penalty;
    (4) The amount of the proposed penalty;
    (5) Any factors described in Sec.  3.408 of this subpart that were 
considered in determining the amount of the proposed penalty; and
    (6) Instructions for responding to the notice, including a 
statement of the respondent's right to a hearing, a statement that 
failure to request a hearing within 60 days permits the imposition of 
the proposed penalty without the right to a hearing under Sec.  3.504 
of this subpart or a right of appeal under Sec.  3.504(v) of this 
subpart, and the address to which the hearing request must be sent.
    (b) The respondent may request a hearing before an ALJ on the 
proposed penalty by filing a request in accordance with Sec.  3.504 of 
this subpart.


Sec.  3.422  Failure to request a hearing.

    If the respondent does not request a hearing within the time 
prescribed by Sec.  3.504 of this subpart and the matter is not settled 
pursuant to Sec.  3.416 of this subpart, the Secretary may impose the 
proposed penalty or any lesser penalty permitted by 42 U.S.C. 299b-21 
through 299b-26. The Secretary will notify the respondent by certified 
mail, return receipt requested, of any penalty that has been imposed 
and of the means by which the respondent may satisfy the penalty, and 
the penalty is final on receipt of the notice. The respondent has no 
right to appeal a penalty under Sec.  3.504(v) of this subpart with 
respect to which the respondent has not timely requested a hearing.


Sec.  3.424  Collection of penalty.

    Once a determination of the Secretary to impose a penalty has 
become final, the penalty will be collected by the Secretary in 
accordance with 45 CFR 160.424, except the term ``this part'' shall 
refer to 42 CFR Part 3.


Sec.  3.426  Notification of the public and other agencies.

    Whenever a proposed penalty becomes final, the Secretary will 
notify, in such manner as the Secretary deems appropriate, the public 
and the following organizations and entities thereof and the reason it 
was imposed: The appropriate State or local medical or professional 
organization, the appropriate State agency or agencies administering or 
supervising the administration of State health care programs (as 
defined in 42 U.S.C. 1320a-7(h)), the appropriate utilization and 
quality control peer review organization, and the appropriate State or 
local licensing agency or organization (including the agency specified 
in 42 U.S.C. 1395aa(a), 1396a(a)(33)).


Sec.  3.504  Procedures for hearings.

    (a) Hearings before an ALJ. A respondent may request a hearing 
before an ALJ. Hearings must be requested in accordance with 45 CFR 
160.504(a) through (c), except the language in paragraph (c) following 
and including ``except that'' shall not apply. The ALJ must dismiss a 
hearing request in accordance with 45 CFR 160.504(d).
    (b) Rights of the parties. The hearing rights of the parties will 
be determined in accordance with 45 CFR 160.506.
    (c) Authority of the ALJ. The ALJ will conduct a fair and impartial 
hearing in accordance with 45 CFR 160.508(a) through (c)(4).
    (d) Ex parte contacts. Ex parte contacts are prohibited in 
accordance with 45 CFR 160.510.
    (e) Prehearing conferences. Prehearing conferences will be 
conducted in accordance with 45 CFR 160.512, except the term 
``identifiable patient safety work product'' shall apply in place of 
the term ``individually identifiable health information.''
    (f) Authority to settle. The Secretary has authority to settle 
issues in accordance with 45 CFR 160.514.
    (g) Discovery. Discovery will proceed in accordance with 45 CFR 
160.516.
    (h) Exchange of witness lists, witness statements, and exhibits. 
The parties will exchange hearing material in accordance with 45 CFR 
160.518, except the language in paragraph (a) following and including 
``except that'' shall not apply.
    (i) Subpoenas for attendance at hearing. The ALJ will issue a 
subpoena for the appearance and testimony of any person at the hearing 
in accordance with 45 CFR 160.520.
    (j) Fees. Fees and mileage for subpoenaed witnesses will be paid in 
accordance with 45 CFR 160.522.
    (k) Form, filing, and service of papers. Hearing documents will be 
filed and serviced in accordance with 45 CFR 160.524.
    (l) Computation of time. Computation of time shall be in accordance 
with 45 CFR 160.526, except the term ``this subpart'' shall refer to 42 
CFR part 3, Subpart D, and the citation ``Sec.  3.504(a) of 42 CFR part 
3'' shall apply in place of the citation ``Sec.  160.504.''
    (m) Motions. Procedures for the filing and disposition of motions 
will be in accordance with 45 CFR 160.528.
    (n) Sanctions. The ALJ may sanction a person in accordance with 
authorities at 45 CFR 160.530.
    (o) Collateral estoppel. Collateral estoppel will apply to hearings 
conducted pursuant to this subpart in accordance with 45 CFR 160.532, 
except the term ``a confidentiality provision'' shall apply in place of 
the term ``an administrative simplification provision.''
    (p) The hearing. Hearings will be conducted in accordance with 45 
CFR

[[Page 8183]]

160.534, except the following text shall apply in place of Sec.  
160.534(b)(1): ``The respondent has the burden of going forward and the 
burden of persuasion with respect to any challenge to the amount of a 
proposed penalty pursuant to Sec. Sec.  3.404-3.408 of 42 CFR part 3, 
including any factors raised as mitigating factors.'' Good cause shown 
under 45 CFR 160.534(c) may be that identifiable patient safety work 
product has been introduced into evidence or is expected to be 
introduced into evidence.
    (q) Witnesses. The testimony of witnesses will be handled in 
accordance with 45 CFR 160.538, except that the citation ``Sec.  
3.504(h) of 42 CFR part 3'' shall apply in place of the citation 
``Sec.  160.518.''
    (r) Evidence. The ALJ will determine the admissibility of evidence 
in accordance with 45 CFR 160.540, except that the citation ``Sec.  
3.420 of 42 CFR part 3'' shall apply in place of the citation ``Sec.  
160.420 of this part.''
    (s) The record. The record of the hearing will be created and made 
available in accordance with 45 CFR 160.542. Good cause under 45 CFR 
160.542(c) through (d) may include the presence in the record of 
identifiable patient safety work product.
    (t) Post hearing briefs. Post-hearing briefs, if required by the 
ALJ, will be filed in accordance with 45 CFR 160.544.
    (u) ALJ's decision. The ALJ will issue a decision in accordance 
with 45 CFR 160.546, except the citation ``Sec.  3.504(v) of 42 CFR 
part 3'' shall apply in place of ``Sec.  160.548.''
    (v) Appeal of the ALJ's decision. Any party may appeal the decision 
of the ALJ in accordance with 45 CFR 160.548, except the following 
language in paragraph (e) shall not apply: ``Except for an affirmative 
defense under Sec.  160.410(b)(1) of this part.''
    (w) Stay of the Secretary's decision. Pending judicial review, a 
stay of the Secretary's decision may be requested in accordance with 45 
CFR 160.550.
    (x) Harmless error. Harmless errors will be handled in accordance 
with 45 CFR 160.552.

    Dated: October 5, 2007.
Michael O. Levitt,
Secretary.
 [FR Doc. E8-2375 Filed 2-11-08; 8:45 am]
BILLING CODE 4153-01-P