[Federal Register Volume 73, Number 226 (Friday, November 21, 2008)]
[Rules and Regulations]
[Pages 70731-70814]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-27475]



[[Page 70731]]

-----------------------------------------------------------------------

Part III





Department of Health and Human Services





-----------------------------------------------------------------------



42 CFR Part 3



Patient Safety and Quality Improvement; Final Rule

Federal Register / Vol. 73, No. 226 / Friday, November 21, 2008 / 
Rules and Regulations

[[Page 70732]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

42 CFR Part 3

RIN 0919-AA01


Patient Safety and Quality Improvement

AGENCY: Agency for Healthcare Research and Quality, Office for Civil 
Rights, Department of Health and Human Services.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Secretary of Health and Human Services is adopting rules 
to implement certain aspects of the Patient Safety and Quality 
Improvement Act of 2005, Pub. L. 109-41, 42 U.S.C. 299b-21--b-26 
(Patient Safety Act). The final rule establishes a framework by which 
hospitals, doctors, and other health care providers may voluntarily 
report information to Patient Safety Organizations (PSOs), on a 
privileged and confidential basis, for the aggregation and analysis of 
patient safety events.
    The final rule outlines the requirements that entities must meet to 
become PSOs and the processes by which the Secretary will review and 
accept certifications and list PSOs. It also describes the privilege 
and confidentiality protections for the information that is assembled 
and developed by providers and PSOs, the exceptions to these privilege 
and confidentiality protections, and the procedures for the imposition 
of civil money penalties for the knowing or reckless impermissible 
disclosure of patient safety work product.

DATES: The final rule is effective on January 19, 2009.

FOR FURTHER INFORMATION CONTACT: Susan Grinder, Agency for Healthcare 
Research and Quality, 540 Gaither Road, Rockville, MD 20850, (301) 427-
1111 or (866) 403-3697.

SUPPLEMENTARY INFORMATION: On February 12, 2008, the Department of 
Health and Human Services (HHS) published a Notice of Proposed 
Rulemaking (proposed rule) at 73 FR 8112 proposing to implement the 
Patient Safety Act. The comment period closed on April 14, 2008. One-
hundred-sixty-one comments were received during the comment period.

I. Background

Statutory Background

    This final rule establishes the authorities, processes, and rules 
necessary to implement the Patient Safety Act that amended the Public 
Health Service Act (42 U.S.C. 299 et seq.) by inserting new sections 
921 through 926, 42 U.S.C. 299b-21 through 299b-26.\1\ The Patient 
Safety Act focuses on creating a voluntary program through which health 
care providers can share information relating to patient safety events 
with PSOs, with the aim of improving patient safety and the quality of 
care nationwide. The statute attaches privilege and confidentiality 
protections to this information, termed ``patient safety work 
product,'' to encourage providers to share this information without 
fear of liability and creates PSOs to receive this protected 
information and analyze patient safety events. These protections will 
enable all health care providers, including multi-facility health care 
systems, to share data within a protected legal environment, both 
within and across states, without the threat that the information will 
be used against the subject providers.
---------------------------------------------------------------------------

    \1\ All citations to provisions in the Patient Safety Act will 
be to the sections in the Public Health Service Act or to its 
location in the U.S. Code.
---------------------------------------------------------------------------

    However, we note that section 922(g)(2) of the Public Health 
Service Act is quite specific that these protections do not relieve a 
provider from its obligation to comply with other Federal, State, or 
local laws pertaining to information that is not privileged or 
confidential under the Patient Safety Act: section 922(g)(5) of the 
Public Health Service Act states that the Patient Safety Act does not 
affect any State law requiring a provider to report information that is 
not patient safety work product. The fact that information is 
collected, developed, or analyzed under the protections of the Patient 
Safety Act does not shield a provider from needing to undertake similar 
activities, if applicable, outside the ambit of the statute, so that 
the provider can meet its obligations with non-patient safety work 
product. The Patient Safety Act, while precluding other organizations 
and entities from requiring providers to provide them with patient 
safety work product, recognizes that the original records underlying 
patient safety work product remain available in most instances for the 
providers to meet these other reporting requirements.
    We note also that the Patient Safety Act references the Standards 
for the Privacy of Individually Identifiable Health Information under 
the Health Insurance Portability and Accountability Act of 1996 (HIPAA 
Privacy Rule), 45 CFR parts 160 and 164. Many health care providers 
participating in this program will be covered entities under the HIPAA 
Privacy Rule and will be required to comply with the HIPAA Privacy Rule 
when they disclose patient safety work product that contains protected 
health information. The Patient Safety Act is clear that it is not 
intended to interfere with the implementation of any provision of the 
HIPAA Privacy Rule. See 42 U.S.C. 299b-22(g)(3). The statute also 
provides that civil money penalties cannot be imposed under both the 
Patient Safety Act and the HIPAA Privacy Rule for a single violation. 
See 42 U.S.C. 299b-22(f). In addition, the statute states that PSOs 
shall be treated as business associates, and patient safety activities 
are deemed to be health care operations under the HIPAA Privacy Rule. 
See 42 U.S.C. 299b and 299-22(i). Since patient safety activities are 
deemed to be health care operations, the HIPAA Privacy Rule does not 
require covered providers to obtain patient authorizations to disclose 
patient safety work product containing protected health information to 
PSOs. Additionally, as business associates of providers, PSOs must 
abide by the terms of their HIPAA business associate contracts, which 
require them to notify the provider of any impermissible use or 
disclosure of the protected health information of which they are aware. 
See 45 CFR 164.504(e)(2)(ii)(C).

II. Overview of the Proposed and Final Rules

A. The Proposed Rule

    The proposed rule sought to implement the Patient Safety Act to 
create a voluntary system through which providers could share sensitive 
information relating to patient safety events without fear of 
liability, which should lead to improvements in patient safety and in 
the quality of patient care. The proposal reflected an approach to the 
implementation of the Patient Safety Act intended to ensure adequate 
flexibility within the bounds of the statutory provisions and to 
encourage providers to participate in this voluntary program. The 
proposed rule emphasized that this program is not federally funded and 
will be put into operation by the providers and PSOs that wish to 
participate with little direct federal involvement. However, the 
process for certification and listing of PSOs will be implemented and 
overseen by the Agency for Healthcare Research and Quality (AHRQ), 
while compliance with the confidentiality provisions will be 
investigated and enforced by the Office for Civil Rights (OCR).
    Subpart A of the proposed rule set forth the definitions of 
essential terms,

[[Page 70733]]

such as patient safety work product, patient safety evaluation system, 
and PSO. In order to facilitate the sharing of patient safety work 
product and the analysis of patient safety events, Subpart B of the 
proposed rule implemented the statutory requirements for the listing of 
PSOs, the entities that will offer their expert advice in analyzing the 
patient safety events and other information they collect or develop to 
provide feedback and recommendations to providers. The proposed rule 
established the criteria and set forth a process for certification and 
listing of PSOs and described how the Secretary would review, accept, 
condition, deny, or revoke certifications for listing and continued 
listing of entities as PSOs.
    Based on the statutory mandates in the Patient Safety Act, Subpart 
C of the proposed rule set forth the privilege and confidentiality 
protections that attach to patient safety work product; it also set 
forth the exceptions to these protections. The proposed rule provided 
that patient safety work product generally continues to be protected as 
privileged and confidential following a disclosure and set certain 
limitations on redisclosure of patient safety work product.
    Subpart D of the proposed rule established a framework to enable 
the Secretary to monitor and ensure compliance with this Part, a 
process for imposing a civil money penalty for breach of the 
confidentiality provisions, and procedures for a hearing contesting the 
imposition of a civil money penalty. These provisions were modeled 
largely on the HIPAA Enforcement Rule at 45 CFR part 160, subparts C, D 
and E.

B. The Final Rule

    We received over 150 comments on the proposed rule from a variety 
of entities, including small providers and large institutional 
providers, hospital associations, medical associations, accrediting 
bodies, medical liability insurers, and state and federal agencies. 
Many of the commenters expressed support for the proposed rule and the 
protections it granted to sensitive information related to patient 
safety events.
    Based upon the comments received, the final rule adopts most of the 
provisions of the proposed rule without modification; however, several 
significant changes to certain provisions of the proposed rule have 
been made in response to these comments. Changes to Subpart A include 
the addition of a definition of affiliated provider. The definitions of 
component organization, parent organization, and provider were modified 
for clarity, and the definition of disclosure was modified to clarify 
that the sharing of patient safety work product, between a component 
PSO and the entity of which it is a part, qualifies as a disclosure, 
while the sharing of patient safety work product between a physician 
with staff privileges and the entity with which it holds privileges is 
not a disclosure. We have also modified the definition of patient 
safety work product to include information that, while not yet reported 
to a PSO, is documented as being within a provider's patient safety 
evaluation system and that will be reported to a PSO. This modification 
allows for providers to voluntarily remove, and document the removal 
of, information from the patient safety evaluation system that has not 
yet been reported to a PSO, in which case, the information is no longer 
patient safety work product.
    The most significant modifications to Subpart B include the 
following. With respect to the listing of PSOs, we have broadened the 
list of excluded entities at Sec.  3.102(a)(2)(ii), required PSOs at 
Sec.  3.102(b)(1)(i)(B) to notify reporting providers of inappropriate 
disclosures or security breaches related to the information they 
reported, specified compliance with the requirement regarding the 
collection of patient safety work product in Sec.  3.102(b)(2)(iii), 
eliminated the requirements for separate information systems and 
restrictions on shared staff for most component PSOs but added 
additional restrictions and limitations for PSOs that are components of 
excluded entities at Sec.  3.102(c), and narrowed and clarified the 
disclosure requirements that PSOs must file regarding contracting 
providers with whom they have additional relationships at Sec.  
3.102(d)(2). We have modified the security requirement to provide 
flexibility for PSOs to determine whether to maintain patient safety 
work product separately from unprotected information. The final rule 
includes a new expedited revocation process at Sec.  3.108(e) for 
exceptional circumstances that require prompt action, and eliminates 
implied voluntary relinquishment, providing instead in Sec.  3.104(e) 
that a PSO's listing automatically expires at the end of three years, 
unless it is revoked for cause, voluntarily relinquished, or its 
certifications for continued listing are approved.
    Changes to proposed Subpart C include the addition of language in 
Sec.  3.206(b)(2) that requires a reporter seeking equitable relief to 
obtain a protective order to protect the confidentiality of patient 
safety work product during the course of the proceedings. Proposed 
Sec.  3.206(b)(4) has been amended to allow disclosures of 
identifiable, non-anonymized patient safety work product among 
affiliated providers for patient safety activities. In addition, 
proposed Sec.  3.206(b)(7) has been modified to make clear that the 
provision permits disclosures to and among FDA, entities required to 
report to FDA, and their contractors. We also have modified proposed 
Sec.  3.206(b)(8) to require providers voluntarily disclosing patient 
safety work product to accrediting bodies either to obtain the 
agreement of identified non-disclosing providers or to anonymize the 
information with respect to the non-disclosing providers prior to 
disclosure. Finally, we modified Sec. Sec.  3.204(c), 3.206(d), and 
3.210 to allow disclosures of patient safety work product to or by the 
Secretary for the purposes of determining compliance with not only the 
Patient Safety Act, but also the HIPAA Privacy Rule.
    In Subpart D, we adopt the proposed provisions except, where 
reference was made in the proposed rule to provisions of the HIPAA 
Privacy Rule, the final rule includes the text of such provisions for 
convenience of the reader.
    We describe more fully these provisions, the comments received, and 
our responses to these comments below in the section-by-section 
description of the final rule below.

III. Section-by-Section Description of Final Rule and Response to 
Comments

A. Subpart A--General Provisions

1. Section 3.10--Purpose
    Proposed Rule: Proposed Sec.  3.10 provided that the purpose of 
proposed Part 3 is to implement the Patient Safety and Quality 
Improvement Act of 2005 (Pub. L. 109-41), which amended the Public 
Health Service Act (42 U.S.C. 299 et seq.) by inserting new sections 
921 through 926, 42 U.S.C. 299b-21 through 299b-26.
    Overview of Public Comments: No comments were received pertaining 
to this section.
    Final Rule: The Department adopts the proposed provision without 
modification.
2. Section 3.20--Definitions
    Proposed Rule: Proposed Sec.  3.20 provided for definitions 
applicable to Part 3. Some definitions were restatements of the 
definitions at section 921 of the Public Health Service Act, 42 U.S.C. 
299b-21, and other definitions were provided for convenience or to 
clarify the application and operation of the proposed rule.

[[Page 70734]]

    Overview of Public Comments: With respect to the definitions for 
AHRQ, ALJ, Board, complainant, component PSO, confidentiality 
provisions, entity, group health plan, health maintenance organization, 
HHS, HIPAA Privacy Rule, identifiable patient safety work product, 
nonidentifiable patient safety work product, OCR, Patient Safety Act, 
patient safety activities, patient safety organization, person, 
research, respondent, responsible person, and workforce, we received no 
comments.
    We received a number of comments on the various other definitions 
and these comments will be addressed below in reference to the specific 
term.
    Final Rule: The Department adopts the above definitions as 
proposed. Certain definitions were added for convenience or clarity of 
the reader.
Response to Public Comments
    Comment: Commenters requested definitions for accrediting body, 
reporter, redisclosure, impermissible disclosure, use, evaluation and 
demonstration projects, and legislatively created PSO.
    Response: The Department does not agree that the additional 
definitions requested by commenters are necessary. Some definitions 
requested have generally accepted meanings and we do not believe there 
is benefit in imposing more limitations on such terms. Some terms such 
as legislatively created PSO are not used within the final rule. Other 
terms such as impermissible disclosure, use, and reporter are readily 
understood from the context of the final rule and do not need 
definitions.
(A) Section 3.20--New Definition of Affiliated Provider
    Final Rule: The proposed rule did not include a definition for 
affiliated provider. The Department adopts the term affiliated provider 
to mean, with respect to a provider, a legally separate provider that 
is the parent organization of the provider, is under common ownership, 
management, or control with the provider, or is owned, managed, or 
controlled by the provider. The Department includes this term to 
identify to whom patient safety work product may be disclosed pursuant 
to a clarification of the disclosure permission for patient safety 
activities.
    Overview of Comments: Several commenters were concerned about 
limitations of disclosures for patient safety activities among 
providers. Commenters raised concerns that limitations may inhibit the 
sharing and learning among providers of the analysis of patient safety 
events. Other commenters viewed the disclosure limitations as 
restricting a provider's use of its own data. These comments are 
addressed more fully below as part of the discussion of the patient 
safety activities disclosure permission.
(B) Section 3.20--Definition of Bona Fide Contract
    Proposed Rule: Proposed Sec.  3.20 provided that bona fide contract 
would mean a written contract between a provider and a PSO that is 
executed in good faith or a written agreement between a Federal, State, 
local, or Tribal provider and a Federal, State, local, or Tribal PSO.
    Overview of Public Comments: One comment was received noting that 
``good faith'' need not be a part of a bona fide contract.
    Final Rule: Because meeting the minimum contract requirement is 
essential for a PSO to remain listed by the Secretary, the Department 
believes that the requirement that contracts to be entered in good 
faith should be retained. We also note that Federal, State, local or 
Tribal providers are free to enter into an agreement with any PSO that 
would serve their needs; thus, they can enter bona fide contracts with 
PSOs pursuant to paragraph (1) of the definition, or enter comparable 
arrangements with a Federal, State, local or Tribal PSO pursuant to 
paragraph (2). The Department adopts the proposed provision without 
modification.
(C) Section 3.20--Definition of Component Organization
    Proposed Rule: Proposed Sec.  3.20 provided that component 
organization would mean an entity that is either: (a) A unit or 
division of a corporate organization or of a multi-organizational 
enterprise; or (b) a separate organization, whether incorporated or 
not, that is owned, managed or controlled by one or more other 
organizations, i.e., its parent organization(s). Because this 
definition used terms in a manner that was broader than traditional 
usage, the proposed rule sought comment on whether it was appropriate 
for purposes of the regulation to consider a subsidiary, an otherwise 
legally independent entity, as a component organization.
    With respect to the terms ``owned, managed, or controlled,'' the 
preamble directed readers to our description of these concepts in our 
discussion of the term ``parent organization.'' The preamble to the 
proposed rule discussed the various ways that an organization may be 
controlled by others. In particular, there was a discussion of multi-
organizational enterprises and the variety of management relationships 
or forms of control that such enterprises can create that might impact 
component entities. The preamble also discussed the traditional meaning 
of subsidiaries as being separate legal entities and, therefore, not 
within the ordinary meaning of the term ``component.'' However, the 
approach of the proposed rule was to express the Department's intention 
to encourage all forms of PSO organizational arrangements including the 
ownership of PSOs as subsidiaries. At the same time, we wanted to be 
able to accurately determine and to indicate to providers which PSOs 
should be considered components of other entities and the identity of a 
component PSO's parent organization. We explained our intent was not to 
limit our approach to corporate forms of organizations.
    Overview of Public Comments: The majority of commenters supported 
our proposal to consider subsidiaries as component organizations for 
the purposes of this rule. Several commenters sought reassurance that 
our interpretation does not impose additional legal liability on the 
parent organization.
    Concern was expressed that our approach suggested an over-reliance 
on the corporate model and the definition needed to reflect other types 
of legally recognized entities. One comment reflected concern that our 
reference to ``multi-organizational enterprise'' in the definition was 
unnecessarily confusing because it was not commonly used. Another 
commenter disagreed with our approach entirely, arguing that the scope 
of our definition was overly broad and unnecessary.
    Final Rule: The final rule now defines ``component organization'' 
to mean an entity that: ``(1) is a unit or division of a legal entity 
(including a corporation, partnership, or a Federal, State, local or 
Tribal agency or organization); or
    (2) Is owned, managed, or controlled by one or more legally 
separate parent organizations.''
    The definition of component organization is intended to be read 
with a focus on management or control by others as its defining 
feature. The definition must be read in conjunction with the 
complementary definition of ``parent organization.'' While our approach 
remains little changed, we have rearranged and streamlined the text of 
the definition of component in response to the comments and concerns we 
received on it. For example, there is no longer an explicit reference 
in the definition of component to multi-organizational enterprises, 
which are undertakings with separate corporations or organizations that 
are integrated in a common business activity. The revised

[[Page 70735]]

definition, however, is sufficiently broad to apply to components of 
such enterprises. In response to concerns that the earlier definition 
was too focused on corporate organizations, we have incorporated an 
explicit reference to ``other legal entities'' besides corporations. In 
addition, specific references have been added to more clearly 
accommodate possible organizational relationships of public agencies, 
such as the Department of Defense (DoD), Department of Veterans Affairs 
(VA), the Indian Health Service (IHS), and other State, local, and 
Tribal organizations that manage or deliver health care services.
    In the scenario envisioned by the first prong of the definition, 
the legal entity is a parent organization and the component 
organization is a unit or division within the parent organization. An 
underlying assumption of the modified paragraph (1) is that a unit or 
division of a legal entity may be managed or controlled by one or more 
parent organizations. Consistent with this paragraph, a component PSO 
may be managed or controlled by the legal entity of which it is a part 
or by another unit or division of that entity. It could also be 
controlled by a legally separate entity under the second paragraph of 
the definition.
    The first prong of the definition encompasses a component PSO that 
is a unit of a governmental agency that is a legal entity. This could 
include a component organization managed by another division of such a 
governmental agency, e.g., a health care division of VA or DoD. Thus, a 
component PSO could be a unit or component of a Federal agency that is 
a legal entity and it could at the same time be a component of another 
unit or division of that agency which controls and directs or manages 
its operation. So too in the private sector, a component PSO could have 
more than one parent and thus be a component, for example, of a 
professional society as well as a component of the unit or division of 
the professional society that controls or manages the PSO.
    The second prong of the definition addresses a variety of 
organizational relationships that could arise between component PSOs 
and legally separate parent organizations that manage or control them. 
Under paragraph (2), a subsidiary PSO could be managed or controlled by 
its legally separate parent organization. In addition, we note that a 
component PSO could be managed or controlled by another unit or 
division of its legally separate parent, e.g., if this unit or division 
uses its knowledge and skills to control or manage certain aspects of 
the component's operations. If that occurs, we would consider the 
sibling subsidiary that exercises control or management over the PSO as 
another parent organization of the PSO.
    Obtaining the identity and contact information of an entity's 
parent organizations is useful for the purpose of letting providers 
know who may be managing or controlling a PSO. This information also 
will be useful in implementing the certification and listing process 
for PSOs described in the rule which, for instance, excludes any health 
insurance issuer from becoming a PSO and excludes a component of a 
health insurance issuer from becoming a PSO.
    In response to commenters concerned about the legal liability for 
parent organizations of component PSOs, we note that the preamble to 
the proposed rule stated as follows: ``We stress that neither the 
statute nor the proposed regulation imposes any legal responsibilities, 
obligations, or liability on the organization(s) of which it [the PSO] 
is a part.'' The Department reaffirms its position. At the same time, 
we note that the rule, at Sec.  3.402(b), recognizes, provides for, and 
does not alter the liability of principals based on Federal common law.
Response to Other Public Comments
    Comment: One concern that was expressed by several commenters 
pertained to whether or not a health system that has a component or 
subsidiary health insurance issuer, e.g., a group health plan offered 
to the public, would be precluded from having a component PSO as well.
    Response: So long as the component health insurance issuer does not 
come within the definition of a parent organization of the PSO, i.e., 
own a controlling or majority interest in, manage, or control the 
health system's component PSO (i.e., the PSO would not be a component 
of the health insurance issuer), the parent health system could 
establish a component PSO.
    Comment: It was asserted that including subsidiaries as components 
would require a PSO that is not controlled by another parent 
organization, but itself has a subsidiary, to seek listing as a 
component PSO.
    Response: The revised definition of component organization 
emphasizes that a component is an organization that is controlled by 
another entity. It is not the Department's intention to require a PSO 
that is not controlled by another entity to seek listing as a component 
PSO. For this reason, the fact that a PSO has a subsidiary does not 
trigger the requirement to seek listing as a component organization.
    Comment: It was suggested that the inclusion of subsidiaries within 
the meaning of component would require a health system that wished to 
create a PSO to create it as a component.
    Response: There are several issues that a health system needs to 
consider in determining whether and how to create a PSO, but the 
inclusion of subsidiary within the meaning of component is not 
necessarily determinative. The statute requires the improvement of 
quality and patient safety to be the primary activity of the entity 
seeking listing. Since few multifaceted health system organizations 
will meet this requirement, existing organizations will have an 
incentive to create single-purpose component organizations that clearly 
meet the requirement. The second issue is whether to create a PSO as an 
internal component organization or as a separate legal entity. Because 
the final rule requires each PSO to enter two contracts, provider 
organizations may find it useful for its component PSO to be a separate 
legal entity. Otherwise, the component PSO may be precluded from 
contracting with its parent organization.
    Comment: There was a request for a definition of ``own'' with a 
suggestion for reference to Internal Revenue Code 26 I.R.C. Sec.  1563 
to clarify its meaning and the meaning of having a controlling 
interest. This same commenter sought strong separation requirements 
between a component PSO and any parent organization.
    Response: We have reviewed the cited regulation but conclude that 
the approach presented is unlikely to clarify the meaning of ``own'' or 
``having a controlling interest'' for purposes of the regulation. 
Accordingly, the definition of component in the final rule will use the 
term ``owns,'' but it should be read in conjunction with the phrase 
``owns a controlling or majority interest in'' that is used in the 
related definition of ``parent organization.'' This will indicate that 
the definition of component uses the term ``owns'' to mean having a 
sufficient ownership interest to control or manage a PSO. The holder of 
a controlling or majority interest in the entity seeking to be listed 
should be identified as a parent organization.
    Comment: Components of government entities should not be listed as 
PSOs.
    Response: The Patient Safety Act specifically permits public sector 
entities, and components of public sector entities, to seek listing as 
a PSO. We have incorporated several exclusions, however, of entities 
with

[[Page 70736]]

regulatory authority and those administering mandatory state reporting 
programs because these activities are incompatible with fostering a 
non-punitive culture of safety among providers. As we explain in Sec.  
3.102(a)(2)(ii), we conclude that it is not necessary to exclude 
components of such entities but have adopted additional restrictions 
and requirements in Sec.  3.102(c) for such component entities.
(D) Section 3.20--Definition of Disclosure
    Proposed Rule: Proposed Sec.  3.20 provided that disclosure would 
mean the release, transfer, provision of access to, or divulging in any 
other manner of patient safety work product by a person holding patient 
safety work product to another person.
    We did not generally propose to regulate uses of patient safety 
work product within an entity, i.e., when this information is exchanged 
or shared among the workforce members of an entity. We believe that 
regulating uses within providers and PSOs would be unnecessarily 
intrusive given the voluntary aspect of participation with a PSO. We 
believe that regulating uses would not further the statutory goal of 
facilitating the sharing of patient safety work product with PSOs and 
that sufficient incentives exist for providers and PSOs to prudently 
manage the internal sharing of sensitive patient safety work product. 
However, based on the statutory provision, we did propose that we would 
recognize as a disclosure the sharing of patient safety work product 
between a component PSO and the organization of which it is a 
component. Such sharing would, absent the statutory provision and the 
proposed regulation, be a use within the larger organization because 
the component PSO is not a separate entity. The Patient Safety Act 
supports this position by demonstrating a strong desire for the 
protection of patient safety work product from the rest of the 
organization of which the PSO is a part. We sought public comment on 
whether the decision to not regulate uses was appropriate.
    The proposed rule discussed that sharing patient safety work 
product with a contractor that is under the direct control of an 
entity, i.e., a workforce member, would not be a disclosure, but rather 
a use within the entity. However, sharing patient safety work product 
with an independent contractor would be a disclosure requiring an 
applicable disclosure permission.
    Overview of Public Comments: Some commenters supported the proposed 
definition of disclosure. No commenters opposed the proposed definition 
or requested further clarification.
    Most commenters that responded to the question whether uses of 
patient safety work product should be regulated supported the decision 
not to regulate uses. Those commenters agreed that regulating uses 
would be overly intrusive without significant benefit and that entities 
are free to enter into agreements with greater protections. Other 
commenters disagreed with the Department's proposal and stated that 
regulation of uses would improve confidentiality and thereby increase 
provider participation.
    No commenters opposed the proposal that sharing of patient safety 
work product from a component PSO to the rest of the parent entity of 
which it is a part would be a disclosure for purposes of enforcement 
rather than a use internal to the entity.
    Final Rule: The Department adopts the provision with modifications. 
In general, the modified definition of disclosure means the release of, 
transfer of, provision of access to, or divulging in any other manner 
of, patient safety work product by an entity or natural person holding 
the patient safety work product to another legally separate entity or 
natural person, other than a workforce member of, or a physician 
holding privileges with, the entity holding the patient safety work 
product. Additionally, we have defined as a disclosure the release of, 
transfer of, provision of access to, or divulging in any other manner 
of, patient safety work product by a component PSO to another entity or 
natural person outside the component PSO.
    We have modified the language for clarity to distinguish the 
actions that are a disclosure for a natural person and an entity, 
separately. We have also included language in the definition that makes 
clear that sharing of patient safety work product from a component PSO 
to the entity of which it is a part is a disclosure even though the 
disclosure would be internal to an entity and generally permitted. 
Finally, we have added language to clearly indicate that the sharing of 
patient safety work product between a health care provider with 
privileges and the entity with which it holds privileges does not 
constitute a disclosure, consistent with the treatment of patient 
safety work product shared among workforce members.
Response to Other Public Comments
    Comment: Commenters asked that the Department clarify the terms 
``disclosure'' and ``use''. Commenters stated that the terms were used 
interchangeably and this caused confusion.
    Response: The term ``disclosure'' describes the scope of the 
confidentiality protections and the manner in which patient safety work 
product may be shared. ``Disclosure'' is also employed by the Patient 
Safety Act when describing the assessment of civil money penalties for 
the failure to maintain confidentiality (see 42 U.S.C. 299b-22(f)(1)). 
Although the Patient Safety Act employs the term ``use'' in several 
provisions, we did not interpret those provisions to include a 
restriction on the use of patient safety work product based on the 
confidentiality protections.
    Because the focus of the proposed rule was on disclosures, we did 
not believe that defining the term ``use'' was helpful; nor did we 
believe the terms would be confusing. Use of patient safety work 
product is the sharing within a legal entity, such as between members 
of the workforce, which is not a disclosure. By contrast, a disclosure 
is the sharing or release of information outside of the entity for 
which a specific disclosure permission must be applicable.
    Comment: One commenter requested clarification regarding the 
sharing of patient safety work product among legally separate 
participants that join to form a single joint venture component PSO.
    Response: The Department distinguishes between the disclosure of 
patient safety work product between legal entities and the use of 
patient safety work product internal to a single legal entity. If a 
component PSO is part of a multi-organizational enterprise, uses of 
patient safety work product internal to the component PSO are not 
regulated by this final rule, but sharing of patient safety work 
product between the component PSO and another entity or with a parent 
organization are considered disclosures for which a disclosure 
permission must apply.
    Comment: One commenter raised concerns that the final rule would 
restrict a provider's use of its own data and thereby discourage 
collaboration with other care givers.
    Response: The Department believes that the final rule balances the 
interests between the privacy of identified providers, patients and 
reporters and the need to aggregate and share patient safety work 
product to improve patient safety among all providers. The final rule 
does not limit the sharing of patient safety work product within an 
entity and permits sharing among providers under certain conditions. 
Affiliated

[[Page 70737]]

providers may share patient safety work product for patient safety 
activities and non-affiliated providers may share anonymized patient 
safety work product. A provider may also share patient safety work 
product with a health care provider that has privileges to practice at 
the provider facility. Further, if all identified providers are in 
agreement regarding the need to share identifiable patient safety work 
product, each provider may authorize and thereby permit a disclosure.
    Comment: Several commenters asked whether uses were restricted 
based upon the purpose for which the patient safety work product is 
being shared internally.
    Response: The final rule does not limit the purpose for which 
patient safety work product may be shared internal to an entity. 
Entities should consider the extent to which sensitive patient safety 
work product is available to members of its workforce as a good 
business practice.
(E) Section 3.20--Definition of Entity
    Proposed Rule: Proposed Sec.  3.20 provided that entity would mean 
any organization or organizational unit, regardless of whether the 
entity is public, private, for-profit, or not-for-profit.
    Overview of Public Comments: One comment was received suggesting 
that the terms ``governmental'' or ``body politic'' should be added to 
clarify that the term ``public'' includes Federal, State, or local 
government as well as public corporations.
    Final Rule: The term ``public'' has long been used throughout Title 
42 of the Code of Federal Regulations as encompassing governmental 
agencies; therefore we do not believe that the addition is necessary. 
The Department adopts the proposed provision without modification.
(F) Section 3.20--Definition of Health Insurance Issuer
    Proposed Rule: Proposed Sec.  3.20 provided that health insurance 
issuer would mean an insurance company, insurance service, or insurance 
organization (including a health maintenance organization, as defined 
in 42 U.S.C. 300gg-91(b)(3)) which is licensed to engage in the 
business of insurance in a State and which is subject to State law 
which regulates insurance (within the meaning of 29 U.S.C. 1144(b)(2). 
The definition specifically excluded group health plans from the 
meaning of the term.
    Overview of Public Comments: Several commenters expressed concern 
that the Department needed to be vigilant in its exclusion of health 
insurance issuers and components of health insurance issuers, urging 
that HHS clearly define health insurance issuers in the final rule. 
Another commenter sought clarification regarding risk management 
service companies, i.e., those that offer professional liability 
insurance, reinsurance, or consulting services.
    Final Rule: The Department has reviewed the definition of ``health 
insurance issuer'' and determined that the definition is clear. Because 
the reference to group health plans could be a source of confusion, we 
note that we have defined the term above. Accordingly, the Department 
adopts the proposed provision without modification.
    In response to several comments regarding the scope of the term 
health insurance issuer, the Department has concluded that, for 
purposes of this rule, risk management service companies, professional 
liability insurers and reinsurers do not fall within the definition of 
health insurance issuer.
Response to Other Public Comments
    Comment: One commenter asked if a provider system that was owned as 
a subsidiary by an HMO could create a component PSO.
    Response: Section 3.102(a)(2)(i) excludes a health insurance 
issuer, a unit or division of a health insurance issuer, or an entity 
that is owned, managed, or controlled by a health insurance issuer from 
seeking listing as a PSO. In this case, the HMO is considered a health 
insurance issuer and the provider system would be a component of the 
health insurance issuer. Under the rule, the HMO and the provider 
system may not seek listing as a PSO, and the entity created by the 
provider system could not seek listing as a component PSO if it is 
owned, managed or controlled by the provider system or the HMO.
    Comment: One commenting organization requested discussion of what 
organizational structure might allow a health insurance issuer to 
participate in the patient safety work of an independent PSO.
    Response: The statutory exclusion means that the following entities 
may not seek listing: a health insurance issuer or a component of a 
health insurance issuer.
(G) Section 3.20--Definition of Parent Organization
    Proposed Rule: Proposed Sec.  3.20 provided that ``parent 
organization'' would mean an entity, that alone or with others, either 
owns a provider entity or a component organization, or has the 
authority to control or manage agenda setting, project management, or 
day-to-day operations of the component, or the authority to review and 
override decisions of a component organization. The proposed rule did 
not provide a definition of ``owned'' but provided controlling interest 
(holding enough stock in an entity to control it) as an example of 
ownership in the preamble discussion of the term, ``parent 
organization.'' The proposed rule specifically sought comment on our 
use of the term ``controlling interest,'' whether it was appropriate, 
and whether we needed to further define ``owns.'' The remaining terms, 
``manage or control,'' were explained in the proposed rule's definition 
of ``parent organization,'' as having ``the authority to control or 
manage agenda setting, project management, or day-to-day operations of 
the component, or the authority to review and override decisions of a 
component organization.''
    Overview of Public Comments: We received eight comments on the 
question of ``controlling interest'' and there was no consensus among 
the commenters. Four commenters thought our discussion was appropriate. 
Another agreed with the concept of controlling interest but wanted to 
limit its application to a provider who reported patient safety work 
product to the entity. One commenter cautioned that the term 
``controlling interest'' was open to various interpretations and the 
final rule should provide additional guidance. Another commenter 
suggested ``controlling interest'' was worrisome but did not provide a 
rationale for this assessment. One commenter supported additional 
protections, contending that it was appropriate for HHS to pierce the 
corporate veil when there was fraud or collusion, and recommended the 
preamble outline situations in which HHS would pierce the corporate 
veil.
    We received no negative comments on our proposed interpretation of 
what it means to manage or control another entity. One commenter 
suggested that the definition should recognize the significant 
authority or control of a provider entity or component organization 
through reserve powers, by agreement, statute, or both.
    Final Rule: While approximately half of the comments supported our 
approach, there was not a clear consensus in the comments we reviewed. 
So the approach we have taken with the definition of ``parent 
organization'' was to strive for greater clarity, taking into account 
its interaction with our definition of

[[Page 70738]]

``component organization,'' described above.
    The definition of ``parent organization'' in the final rule retains 
the basic framework of the proposed rule definition: an organization is 
a parent if it owns a component organization, has the ability to manage 
or control a component, or has the authority to review and overrule the 
component's decisions.
    The language of the proposed rule used only the term ``own'' while 
the preamble cited the example of stock ownership. Without further 
specification, we were concerned that this approach could have been 
interpreted to mean that an organization owning just a few shares of 
stock of a component organization would be considered a parent 
organization. This is not our intent. For clarity, we have modified the 
text to read ``owns a controlling or majority interest.''
    We have also removed the phrase ``alone or with others'' from the 
first clause. We did so for two reasons. First, it is unnecessary since 
it does not matter whether ownership is shared with other 
organizations, as in a joint venture. An entity seeking listing as a 
PSO will use this definition solely to determine if it has any parent 
organizations and, if it does, it must seek listing as a component 
organization and disclose the names and contact information for each of 
its parent organizations. Second, we have tried to make it as clear as 
possible that any organization that has controlling ownership 
interests, or management or control authority over a PSO, should be 
considered, and reported in accordance with the requirements of Sec.  
3.102(c)(1)(i), as a parent organization.
    For similar reasons, we have removed the reference to provider from 
the first part of the definition and instead consistently used the term 
``component organization'' with respect to each characteristic of a 
parent organization. We added a second sentence to clarify that a 
provider could be the component organization in all three descriptive 
examples given of parental authority.
    In response to one commenter's concern, we believe that the phrase 
``has the authority'' as used in the definition is sufficiently broad 
to encompass reserve powers.
(H) Section 3.20--Definition of Patient Safety Evaluation System
    Proposed Rule: Proposed Sec.  3.20 provided that patient safety 
evaluation system would mean the collection, management, or analysis of 
information for reporting to or by a PSO. The patient safety evaluation 
system would be the mechanism through which information can be 
collected, maintained, analyzed, and communicated. The proposed rule 
discussed that a patient safety evaluation system would not need to be 
documented because it exists whenever a provider engages in patient 
safety activities for the purpose of reporting to a PSO or a PSO 
engages in these activities with respect to information for patient 
safety purposes. The proposed rule provided that formal documentation 
of a patient safety evaluation system could designate secure physical 
and electronic space for the conduct of patient safety activities and 
better delineate various functions of a patient safety evaluation 
system, such as when and how information would be reported by a 
provider to a PSO, how feedback concerning patient safety events would 
be communicated between PSOs and providers, within what space 
deliberations and analyses of information are conducted, and how 
protected information would be identified and separated from 
information collected, maintained, or developed for purposes other than 
reporting to a PSO.
    The Department recommended that a provider consider documentation 
of a patient safety evaluation system to support the identification and 
protection of patient safety work product. Documentation may provide 
substantial proof to support claims of privilege and confidentiality 
and will give notice to, will limit access to, and will create 
awareness among employees of, the privileged and confidential nature of 
the information within a patient safety evaluation system which may 
prevent unintended or impermissible disclosures.
    We recommended that providers and PSOs consider documenting how 
information enters the patient safety evaluation system; what 
processes, activities, physical space(s) and equipment comprise or are 
used by the patient safety evaluation system; which personnel or 
categories of personnel need access to patient safety work product to 
carry out their duties involving operation of, or interaction with, the 
patient safety evaluation system; the category of patient safety work 
product to which access is needed and any conditions appropriate to 
such access; and what procedures the patient safety evaluation system 
uses to report information to a PSO or disseminate information outside 
of the patient safety evaluation system.
    The proposed rule sought comment about whether a patient safety 
evaluation system should be required to be documented.
    Overview of Public Comments: Several commenters supported the 
efforts to enable the patient safety evaluation system to be flexible 
and scalable to individual provider operations. Most commenters that 
responded to the question whether a patient safety evaluation system 
should be documented supported the decision to not require 
documentation. Commenters stated that requiring documentation would 
inhibit the flexibility in the design of patient safety evaluation 
systems and the ability of providers to design systems best suited for 
their specific practices and settings. Documentation would also be 
burdensome to providers and should ultimately be left to the discretion 
of individual providers based on their needs. Other commenters 
supported a requirement for documentation, suggesting that 
documentation would go further in ensuring compliance with the 
confidentiality provisions and the protection of information, thereby 
encouraging provider participation.
    Final Rule: The Department adopts the proposed provision without 
modification. Based on the comments, we have not modified the proposed 
decision to not require documentation. We have, as described in the 
definition of patient safety work product below, clarified how 
documentation of a patient safety evaluation system clearly establishes 
when information is patient safety work product. We encourage providers 
to document their patient safety evaluation systems for the benefits 
mentioned above. We believe documentation is a best practice.
Response to Other Public Comments
    Comment: Two commenters raised concerns about how a patient safety 
evaluation system operates within a multi-hospital system comprised of 
a parent corporation and multiple hospitals that are separately 
incorporated and licensed. One commenter asked whether a parent 
corporation can establish a single patient safety evaluation system in 
which all hospitals participate. The other commenter recommended that 
individual institutional affiliates of a multi-hospital system be part 
of a single patient safety evaluation system.
    Response: For a multi-provider entity, the final rule permits 
either the establishment of a single patient safety evaluation system 
or permits the sharing of patient safety work product as a patient 
safety activity among affiliated providers. For example, a hospital 
chain that operates multiple hospitals may include the parent 
organization along with each hospital in a single patient

[[Page 70739]]

safety evaluation system. Thus, each hospital may share patient safety 
work product with the parent organization and the patient safety 
evaluation system may exist within the parent organization as well as 
the individual hospitals.
    There may be situations where establishing a single patient safety 
evaluation system may be burdensome or a poor solution to exchanging 
patient safety work product among member hospitals. To address this 
concern, we have modified the disclosure permission for patient safety 
activities to permit affiliated providers to disclose patient safety 
work product with each other based on commonality of ownership.
    Comment: One commenter asked how a patient safety evaluation system 
exists within an institutional provider.
    Response: A patient safety evaluation system is unique and specific 
to a provider. The final rule retains a definition of a patient safety 
evaluation system that is flexible and scalable to meet the specific 
needs of particular providers.
    With respect to a single institutional provider, such as a 
hospital, a provider may establish a patient safety evaluation system 
that exists only within a particular office or that exists at 
particular points within the institution. The decisions as to how a 
patient safety evaluation system operates will depend upon the 
functions the institutional provider desires the patient safety 
evaluation system to perform and its tolerances regarding access to the 
sensitive information contained within the system. Providers should 
consider how a patient safety evaluation system is constructed, 
carefully weighing the balance between coordination and fragmentation 
of a provider's activities.
    Comment: Some commenters were concerned that the patient safety 
evaluation system provided a loophole for providers to avoid 
transparency of operations and hide information about patient safety 
events. Some commenters suggested that a provider may establish a 
patient safety evaluation system that is inside of a PSO, thus stashing 
away harmful documents and information.
    Response: The Department does not believe that the patient safety 
evaluation system enables providers to avoid transparency. A patient 
safety evaluation system provides a protected space for the candid 
consideration of quality and safety. Nonetheless, the Patient Safety 
Act and the final rule have carefully assured that information 
generally available today remains available, such as medical records, 
original provider documents, and business records. Providers must 
fulfill external reporting obligations with information that is not 
patient safety work product. Further, a provider may not maintain a 
patient safety evaluation system within a PSO.
    Comment: One commenter asked whether all information in a patient 
safety evaluation system is protected.
    Response: Information collected within a patient safety evaluation 
system that has been collected for the purpose of reporting to a PSO is 
patient safety work product if documented as collected for reporting to 
a PSO. This is discussed more fully at the definition of patient safety 
work product below. Information that is reported to a PSO is also 
protected, as discussed more fully at the definition of patient safety 
work product below.
    Comment: One commenter was concerned that the lack of a framework 
and too much flexibility may interfere with interoperability and data 
aggregation at a later date.
    Response: The Department believes that a patient safety evaluation 
system must of necessity be flexible and scalable to meet the needs of 
specific providers and PSOs. Without such flexibility, a provider may 
not participate, which may, lessen the overall richness of the 
information that could be obtained about patient safety events. The 
Department recognizes the value of aggregated data and has, pursuant to 
the Patient Safety Act, begun the process of identifying standard data 
reporting terms to facilitate aggregation and interoperability. 
Further, the Patient Safety Act requires that PSOs, to the extent 
practical and appropriate, collect patient safety work product in a 
standardized manner (see 42 U.S.C. 299b-24(b)(1)(F)). The Department 
hopes that, by permitting the widest range possible of providers to 
participate in the gathering and analysis of patient safety events, 
increased participation will generate more data and greater movement 
towards addressing patient safety issues.
    Comment: Many commenters encouraged the Department to provide 
technical assistance to providers and PSOs on the structuring and 
operation of a patient safety evaluation system.
    Response: The Department expects to provide such guidance on the 
operation and activities of patient safety evaluation systems as it 
determines is necessary.
(I) Section 3.20--Definition of Patient Safety Work Product
    Proposed Rule: Proposed Sec.  3.20 adopted the statutory definition 
of patient safety work product as defined in the Patient Safety Act. 
The proposed rule provided that many types of information can become 
patient safety work product to foster robust exchanges between 
providers and PSOs. Any information must be collected or developed for 
the purpose of reporting to a PSO.
    Three provisions identified how information becomes patient safety 
work product. First, information may become patient safety work product 
if it is assembled or developed by a provider for the purpose of 
reporting to a PSO and is reported to a PSO. Second, patient safety 
work product is information developed by a PSO for the conduct of 
patient safety activities. Third, patient safety work product is 
information that constitutes the deliberations or analysis of, or 
identifies the fact of reporting pursuant to, a patient safety 
evaluation system.
    The proposed rule provided that reporting means the actual 
transmission or transfer of information to a PSO. We recognized that 
requiring the transmission of every piece of paper or electronic file 
to a PSO could impose significant transmission, management, and storage 
burdens on providers and PSOs. The proposed rule sought comment on 
whether alternatives for actual reporting should be recognized as 
sufficient to meet the reporting requirement. For example, the proposed 
rule suggested that a provider that contracts with a PSO may 
functionally report information to a PSO by providing access and 
control of information to a PSO without needing to physically transmit 
information. The proposed rule also sought comment on whether 
additional terms and conditions should be required to permit functional 
reporting and whether functional reporting should be permitted only 
after an initial actual report of information related to an event.
    The proposed rule also sought comment on whether a short period of 
protection for information assembled but not yet reported is necessary 
for flexibility or for providers to efficiently report information to a 
PSO. We also sought comment on an appropriate time period for such 
protection and whether a provider must demonstrate intent to report in 
order to obtain protection.
    The proposed rule also sought comment on when a provider could 
begin collecting information for the purpose of reporting to a PSO such 
that it is not excluded from becoming patient safety work product 
because it was collected, maintained or developed separately from a 
patient safety evaluation system.

[[Page 70740]]

    The proposed rule indicated that, if a PSO is delisted for cause, a 
provider would be able to continue to report to that PSO for 30 days 
after the date of delisting and the information reported would be 
treated as patient safety work product (section 924(f)(1) of the Public 
Health Service Act). However, after delisting, the proposed rule 
indicated that the former PSO may not generate patient safety work 
product by developing information for the conduct of patient safety 
activities or through deliberations and analysis of information. Even 
though a PSO may not generate new patient safety work product after 
delisting, it may still possess patient safety work product, which must 
be kept confidential and be disposed of in accordance with requirements 
in Subpart B.
    The proposed rule also described what is not patient safety work 
product, such as a patient's original medical record, billing and 
discharge information, or any other original patient or provider 
record. Patient safety work product does not include information that 
is collected, maintained, or developed separately or exists separately 
from, a patient safety evaluation system. This distinction is made 
because these and similar records must be maintained by providers for 
other purposes.
    The proposed rule also discussed that external reporting 
obligations as well as voluntary reporting activities that occur for 
the purpose of maintaining accountability in the health care system 
cannot be satisfied with patient safety work product. Thus, information 
that is collected to comply with external obligations is not patient 
safety work product. The proposed rule provided that such activities 
include: state incident reporting requirements; adverse drug event 
information reporting to the Food and Drug Administration (FDA); 
certification or licensing records for compliance with health oversight 
agency requirements; reporting to the National Practitioner Data Bank 
of physician disciplinary actions; or complying with required 
disclosures by particular providers or suppliers pursuant to Medicare's 
conditions of participation or conditions of coverage.
    The proposed rule also addressed the issue that external 
authorities may seek information about how effectively a provider has 
instituted corrective action following identification of a threat to 
the quality or safety of patient care. The Patient Safety Act does not 
relieve a provider of its responsibility to respond to such requests 
for information or to undertake or provide to external authorities 
evaluations of the effectiveness of corrective action, but the provider 
must respond with information that is not patient safety work product. 
The proposed rule provided that recommendations for changes from the 
provider's patient safety evaluation system or the PSO are patient 
safety work product. However, the actual changes that the provider 
implements to improve how it manages or delivers health care services 
are not patient safety work product, and it would be virtually 
impossible to keep such changes confidential.
    Overview of Public Comments: Commenters raised a significant number 
of concerns regarding how information becomes patient safety work 
product under particular provisions of the definition.
Functional Reporting
    We received significant feedback from commenters in support of 
recognizing alternative reporting methods. Most commenters agreed that 
an alternative reporting arrangement should be permitted to promote 
efficiency and relieve providers of the burden of continued 
transmission. Two commenters opposed permitting alternative reporting 
methods based on the concern that a shared resource may confuse clear 
responsibility for a breach of information and that a PSO that has 
access to a provider information system may also have access to patient 
records and similar information for which access may not be 
appropriate.
    Most commenters rejected the suggestion that functional reporting 
should be limited to subsequent reports of information rather than 
allowing functional reports for the first report of an event. 
Commenters believed that such a limitation would inhibit participation 
and offset the benefits of allowing functional reporting. Commenters 
also believed such a limitation would create an artificial distinction 
between information that is initially and subsequently reported to a 
PSO. Some commenters believed that details regarding functional 
reporting are better left to agreement between the provider and PSO 
engaging in functional reporting. Two commenters did support 
restricting functional reporting to subsequent information, but did not 
provide any rationale or concern to support their comment.
    No commenters identified additional requirements or criteria that 
should be imposed beyond a formal contract or agreement. Thus, the 
final rule permits functional reporting.
When Is Information Protected
    Commenters raised significant and substantial concerns regarding 
when the protections for patient safety work product begins, how 
existing patient safety processes will occur given the protections for 
patient safety work product, and the likelihood that providers may need 
to maintain separate systems with substantially duplicate information. 
A significant majority of commenters responded to the concern regarding 
the status of information collected, but not yet reported to a PSO. 
Most commenters agreed with concerns raised by the Department that 
early protection could ease the burden on providers, preventing a race 
to report to a PSO. These commenters recommended that information be 
protected upon collection and prior to reporting. Protection during 
this time would permit providers to investigate an event and conduct 
preliminary analyses regarding causes of the event or whether to report 
information to a PSO. Many commenters were concerned that information 
related to patient safety events be protected at the same time the 
information is preserved for other uses. Some providers indicated that 
if duplication of information is required, providers may opt to not 
participate due to costs and burdens. Three commenters indicated that 
there should be no protection until information is reported to a PSO. 
One commenter was concerned that early protection may interfere with 
State reporting requirements because information needed to report to a 
State may become protected and unavailable for State reporting. Another 
commenter stated that earlier protection would not alleviate the 
concerns regarding protection prior to reporting.
    Commenters provided a wide range of recommendations in response to 
when protection of information should begin prior to creation of 
patient safety work product. Commenters suggested that information be 
protected prior to reporting for as little as 24 hours from an event up 
to 12 months. Other commenters suggested that a timeframe be reasonable 
and based upon relevant factors such as the complexity of facts and 
circumstances surrounding an event.
State Reporting
    One of the most significant areas of comment was how processes to 
create patient safety work product may operate alongside similar 
processes within a provider. Commenters were particularly concerned 
that information collected for

[[Page 70741]]

similar purposes, such as for reporting to a PSO and for reporting to a 
State health authority, would need to be maintained in separate 
systems, thereby increasing the burden on providers. The most 
significant comments received related to how information related to 
patient safety events may be protected at the same time the information 
is preserved for other uses. Some providers indicated that if 
duplication is required, provider may opt to not participate due to 
costs and burdens.
Earliest Time for Collection of Information
    Few commenters responded to the request for comment on the earliest 
date information could be collected for purposes of reporting to a PSO, 
a requirement for information to become patient safety work product. 
Four commenters recommended that information collection be permitted 
back to the passage of the Patient Safety Act. Four commenters 
recommended that the earliest date of collection be dependent upon each 
provider's good faith and intent to collect information for reporting 
to a PSO.
    Final Rule: The Department adopts the proposed provision with some 
modification.
Functional Reporting
    The Department recognizes the concerns raised by commenters 
regarding the functional reporting proposal, but believes the benefits 
outweigh the potential negative consequences; the relief of burden, and 
the flexibility that derives from not adhering to a narrow reading of 
the reporting requirement. First, we recognize that a provider and PSO 
engaging in this alternative method of reporting have an established 
relationship for the reporting of information and have spent some time 
considering how best to achieve a mutually useful and suitable 
reporting relationship. That relationship will necessitate 
consideration of what information is necessary and not necessary to 
achieve the purpose of reporting. Neither a provider nor a PSO is 
required to accept an alternative reporting mechanism. Further, 
providers continue to be under the same obligations to protect patient 
and other medical records from inappropriate access from others, 
including the PSO, without exception. Second, such a relationship 
should establish clearly the mechanism for control of information 
reported or to which the PSO will have access, and the scope of PSO 
authority to use the information. In addition, the assessment of 
liability should be addressed and need be no more complex than exists 
in provider settings today with shared resources and integrated 
services.
    We agree with commenters that limitations regarding the initial or 
subsequent reporting of information are better left to the providers 
and PSOs engaging in the practice and that providers and PSOs should be 
permitted to design the appropriately flexible reporting mechanism 
befitting the circumstances of their practice setting. We further agree 
that additional limitations on the ability to use functional reporting 
are unwarranted, absent clear identification of risks or concerns to be 
addressed by further limitations.
    For these reasons, we clarify that reporting of information to a 
PSO for the purposes of creating patient safety work product may 
include authorizing PSO access, pursuant to a contract or equivalent 
agreement between a provider and a PSO, to specific information in a 
patient safety evaluation system and authority to process and analyze 
that information, e.g., comparable to the authority a PSO would have if 
the information were physically transmitted to the PSO. We do not 
believe a formal change in the regulatory text is necessitated by this 
clarification.
When Is Information Protected
    The Department recognizes that the Patient Safety Act's protections 
are the foundation to furthering the overall goal of the statute to 
develop a national system for analyzing and learning from patient 
safety events. To encourage voluntary reporting of patient safety 
events by providers, the protections must be substantial and broad 
enough so that providers can participate in the system without fear of 
liability or harm to reputation. Further, we believe the protections 
should attach in a manner that is as administratively flexible as 
permitted to accommodate the many varied business processes and systems 
of providers and to not run afoul of the statute's express intent to 
not interfere with other Federal, State or local reporting obligations 
on providers.
    The proposed rule required that information must be reported to a 
PSO before the information may become patient safety work product under 
the reporting provision of the definition of patient safety work 
product. However, this standard left information collected, but not yet 
reported to a PSO, unprotected, a cause of significant commenter 
concern. This standard also might encourage providers to race to report 
information indiscriminately to obtain protection in situations where a 
report ultimately may be unhelpful, causing the expenditure of scarce 
resources both by a provider and a PSO to secure the information as 
patient safety work product. The proposed rule also may have caused 
some providers to choose between not participating or developing dual 
systems for handling similar information at increased costs.
    We believe it is important to address the shortcomings of a strict 
reporting requirement through the following modification. The final 
rule provides that information documented as collected within a patient 
safety evaluation system by a provider shall be protected as patient 
safety work product. A provider would document that the information was 
collected for reporting to a PSO and the date of collection. The 
information would become patient safety work product upon collection. 
Additionally, a provider may document that the same information is 
being voluntarily removed from the patient safety evaluation system and 
that the provider no longer intends to report the information to a PSO, 
in which case there are no protections. If a provider fails to document 
this information, the Department will presume the intent to report 
information in the patient safety evaluation system to the PSO is 
present, absent evidence to the contrary.
    We believe this modification addresses the concerns raised by the 
commenters. Protection that begins from the time of collection will 
encourage participation by providers without causing significant 
administrative burden. The alternative is a system that encourages 
providers to indiscriminately report information to PSOs in a race for 
protection, resulting in PSOs receiving large volumes of unimportant 
information. By offering providers the ability to examine patient 
safety event reports in the patient safety evaluation system without 
requiring that all such information be immediately reported to a PSO, 
and by providing a means to remove such information from the patient 
safety evaluation system and end its status as patient safety work 
product, the final rule permits providers to maximize organizational 
and system efficiencies and lessens the need to maintain duplicate 
information for different needs. Because documentation will be crucial 
to the protection of patient safety work product at collection, 
providers are encouraged to document their patient safety evaluation 
system. We note, however, that a provider should not place information 
into its patient safety evaluation system unless it

[[Page 70742]]

intends for that information to be reported to the PSO.
    Although this approach substantially addresses commenter concerns, 
three issues do cause concern. First, because information may be 
protected back to the time of collection, providers are no longer 
required to promptly report information to a PSO to ensure protection. 
Although we believe this is an unavoidable result of the modification, 
we believe the likely impact may be rare because providers are likely 
to engage PSOs for their expertise which requires such reporting. 
Second, the requirement to document collection in a patient safety 
evaluation system and, potentially, removal from a patient safety 
evaluation system could be burdensome to a provider. However, we 
believe these are important requirements particularly in light of the 
enforcement role OCR will play. A provider will need to substantiate 
that information is patient safety work product, or OCR will be unable 
to determine the status of information potentially leaving sensitive 
information unprotected--or subjecting the provider to penalties for 
improperly disclosing patient safety work product. Third, the ability 
of a provider to remove information from a patient safety evaluation 
system raises concern that a provider may circumvent the intent of a 
provider employee to obtain protection for information when reporting 
to the provider's patient safety evaluation system. For providers that 
engage in functional reporting, the concern is substantially mitigated 
because, under functional reporting, information is reported to a PSO 
when it is transmitted to the patient safety evaluation system to which 
the PSO has access, and, thus, protected. Alternatively, a provider 
employee may report as permitted directly to a PSO. Ultimately, this 
issue is to be settled between a provider that wishes to encourage 
reports that may not otherwise come to light and its employees who must 
be confident that reporting will not result in adverse consequences.
    For these reasons, the Department modifies the definition of 
patient safety work product to include additional language in the first 
provision of the definition that protects information based upon 
reporting to a PSO.
State Reporting
    To address commenter concerns about the duplication of resources 
for similar patient safety efforts and the lack of protection upon 
collection, we have clarified the requirements for how information 
becomes patient safety work product when reported to a PSO. Generally, 
information may become patient safety work product when reported to a 
PSO. Information may also become patient safety work product upon 
collection within a patient safety evaluation system. Such information 
may be voluntarily removed from a patient safety evaluation system if 
it has not been reported and would no longer be patient safety work 
product. As a result, providers need not maintain duplicate systems to 
separate information to be reported to a PSO from information that may 
be required to fulfill state reporting obligations. All of this 
information, collected in one patient safety evaluation system, is 
protected as patient safety work product unless the provider determines 
that certain information must be removed from the patient safety 
evaluation system for reporting to the state. Once removed from the 
patient safety evaluation system, this information is no longer patient 
safety work product.
Earliest Time for Collection of Information
    The Department believes that a clear indication of a specific time 
when information may first be collected is beneficial to providers by 
reducing the complexity and ambiguity concerning when information is 
protected as patient safety work product. Although each provider 
collecting information for reporting to a PSO may need to support the 
purpose of information collection at the time of collection, such a 
standard may be overly burdensome. The Department agrees that 
information may have been collected for the purpose of reporting to a 
PSO beginning from passage of the Patient Safety Act. Information that 
existed prior to the passage of the Patient Safety Act may be 
subsequently collected for reporting to a PSO, but the original record 
remains unprotected. This clarification does not require any regulatory 
language change in the proposed rule.
What Is Not Patient Safety Work Product
    We reaffirm that patient safety work product does not include a 
patient's original medical record, billing and discharge information, 
or any other original patient or provider record; nor does it include 
information that is collected, maintained, or developed separately or 
exists separately from, a patient safety evaluation system. The final 
rule includes the statutory provision that prohibits construing 
anything in this Part from limiting (1) the discovery of or 
admissibility of information that is not patient safety work product in 
a criminal, civil, or administrative proceeding; (2) the reporting of 
information that is not patient safety work product to a Federal, 
State, or local governmental agency for public health surveillance, 
investigation, or other public health purposes or health oversight 
purposes; or (3) a provider's recordkeeping obligation with respect to 
information that is not patient safety work product under Federal, 
State or local law. Section 921(7)(B)(iii) of the Public Health Service 
Act, 42 U.S.C. 299b-21(7)(B)(iii). The final rule does not limit 
persons from conducting additional analyses for any purpose regardless 
of whether such additional analyses involve issues identical to or 
similar to those for which information was reported to or assessed by a 
PSO or a patient safety evaluation system. Section 922(h) of the Public 
Health Service Act, 42 U.S.C. 299b-22(h).
    Even when laws or regulations require the reporting of the 
information regarding the type of events also reported to PSOs, the 
Patient Safety Act does not shield providers from their obligation to 
comply with such requirements. These external obligations must be met 
with information that is not patient safety work product and oversight 
entities continue to have access to this original information in the 
same manner as such entities have had access prior to the passage of 
the Patient Safety Act. Providers should carefully consider the need 
for this information to meet their external reporting or health 
oversight obligations, such as for meeting public health reporting 
obligations. Providers have the flexibility to protect this information 
as patient safety work product within their patient safety evaluation 
system while they consider whether the information is needed to meet 
external reporting obligations. Information can be removed from the 
patient safety evaluation system before it is reported to a PSO to 
fulfill external reporting obligations. Once the information is 
removed, it is no longer patient safety work product and is no longer 
subject to the confidentiality provisions.
    The Patient Safety Act establishes a protected space or system that 
is separate, distinct, and resides alongside but does not replace other 
information collection activities mandated by laws, regulations, and 
accrediting and licensing requirements as well as voluntary reporting 
activities that occur for the purpose of maintaining accountability in 
the health care system. Information is not patient safety work product 
if it is collected to comply with external obligations, such as: state 
incident reporting requirements;

[[Page 70743]]

adverse drug event information reporting to the Food and Drug 
Administration (FDA); certification or licensing records for compliance 
with health oversight agency requirements; reporting to the National 
Practitioner Data Bank of physician disciplinary actions; complying 
with required disclosures by particular providers or suppliers pursuant 
to Medicare's conditions of participation or conditions of coverage; or 
provision of access to records by Protection and Advocacy organizations 
as required by law.
Response to Other Public Comments
    Comment: One commenter in responding to questions about timing and 
early protection interpreted the timing concern to be an expiration of 
an allowed period of time to report, such that an event must be 
reported within a certain number of days or it may not become 
protected.
    Response: As noted above, the timing issues in the final rule 
relate to when information may have been collected for reporting to a 
PSO. There is no expiration date for an event that would prohibit 
future protection of a report of it as patient safety work product so 
long as the protection of the information is pursuant to the final 
rule.
    Comment: One commenter suggested that event registries may seek to 
become PSOs because the model is well positioned to allow for tracking 
and identification of patients that require follow-up.
    Response: The Department recognizes that event registries may have 
particular benefits that may be helpful in the analysis of patient 
safety events, but we caution any holder of patient safety work product 
that future disclosure of patient safety work product must be done 
pursuant to the disclosure permissions. Thus, while it may be 
appropriate for event registries to identify and track patients who may 
require follow-up care, the final rule would generally not permit 
disclosure of patient safety work product to patients for such a 
purpose. Accordingly, while there may be benefits to an event registry 
becoming a PSO, a registry should take into consideration the 
limitations on disclosure of patient safety work product, and what 
impact such limits would have on its mission, prior to seeking listing.
    Comment: Several commenters sought clarification whether 
information underlying analyses within a patient safety evaluation 
system was protected. One commenter suggested that data used to conduct 
an analysis should be protected at the same time as the analysis.
    Response: As indicated in the definition of patient safety work 
product, information that constitutes the deliberation or analysis 
within a patient safety evaluation system is protected. Information 
underlying the analysis may have been either reported to a PSO and 
protected or collected in a patient safety evaluation system. 
Information documented as collected within a patient safety evaluation 
system is protected based on the modification to the definition of 
patient safety work product. Thus, information underlying an analysis 
may be protected. However, underlying information that is original 
medical records may not be protected if it is excluded by the 
definition of patient safety work product.
    Comment: Two commenters raised concerns that PSOs do not have 
discretion regarding the receipt of unsolicited information reported to 
PSOs from providers. One commenter was concerned about the burden on a 
PSO receiving unsolicited reports and the obligation a PSO may have 
regarding unsolicited reports. Another commenter was concerned that 
unsolicited reports may be materially flawed or contain incorrect 
information.
    Response: The Department does not agree that this is a major issue 
for PSOs or that PSOs need some regulatory ability to reject reported 
information. If a PSO receives information from a provider that was 
collected by that provider for the purposes of sending to a PSO, then 
the information is patient safety work product. PSOs may use or analyze 
the information, but must protect it as patient safety work product and 
dispose of the information properly. However, there is no requirement 
that a PSO maintain or analyze the information. For these reasons, we 
do not modify the proposed rule position regarding these issues.
    Comment: Some commenters were concerned that recommendations of 
PSOs may be treated as a standard of care. Commenters recommended that 
recommendations from PSOs be protected as patient safety work product.
    Response: The Department stated in the proposed rule that PSO 
recommendations are patient safety work product, but the changes 
undertaken by a provider based upon a PSO's recommendations are not 
patient safety work product. With respect to the concern that PSO 
recommendations may establish a standard of care, the issue is not 
within the scope of the Patient Safety Act and not appropriate for the 
regulation to address. Generally, the establishment of a standard of 
care is a function of courts and entities that have jurisdiction over 
the issue for which a standard of care is relevant. The introduction of 
patient safety work product as information that may help establish a 
standard of care is highly unlikely given the limited disclosure 
permissions. For these reasons, we make no modifications in the final 
rule.
    Comment: Several commenters raised concerns about the distinction 
between original documents and copies of original documents. One 
commenter stated that it was an artificial distinction in an electronic 
environment.
    Response: The Patient Safety Act and the final rule distinguish 
certain original records from information collected for reporting to a 
PSO. Because information contained in these original records may be 
valuable to the analysis of a patient safety event, the important 
information must be allowed to be incorporated into patient safety work 
product. However, the original information must be kept and maintained 
separately to preserve the original records for their intended 
purposes. If the information were to become patient safety work 
product, it could only be disclosed pursuant to the confidentiality 
protections.
    Comment: One commenter was concerned that information collected for 
reporting to a PSO may be the same information providers collect for 
reporting to a state regulatory agency. The commenter suggested that 
protections should only attach to information after state-mandated 
reporting requirements have been fulfilled. The commenter was concerned 
that the confidentiality protections may impede state data collection, 
surveillance and enforcement efforts. A separate commenter requested 
clarification that if patient safety work product is reported under a 
state mandated incident reporting system, the patient safety work 
product continues to be protected.
    Response: The final rule is clear that providers must comply with 
applicable regulatory requirements and that the protection of 
information as patient safety work product does not relieve a provider 
of any obligation to maintain information separately. The Department 
believes that some providers, such as hospitals, have been operating in 
similar circumstances previously when conducting peer review activities 
under state peer review law protections. For patient safety work 
product to be disclosed, even to a State entity, the discloser must 
have an applicable disclosure permission. While the Patient Safety Act 
does not preempt state laws that require providers to report

[[Page 70744]]

information that is not patient safety work product, a State may not 
require that patient safety work product be disclosed.
    Comment: One commenter advised that the final rule should build on 
existing infrastructure for reporting and examination of patient safety 
events to minimize duplication of resources and maximize existing 
efforts.
    Response: The Department has modified the proposed rule to address 
the potential issue of duplicated resources by allowing providers the 
flexibility to collect and review information within a patient safety 
evaluation system to determine if the information is needed to fulfill 
external reporting obligations as addressed above. The Department 
recognizes the high costs of health care, both in dollars and in the 
health of individuals. The final rule establishes a workable and 
flexible framework to permit providers that have mature patient safety 
efforts to fully participate as well as for providers with no patient 
safety activities to be encouraged to begin patient safety efforts.
    Comment: One commenter asked whether multiple PSOs can establish a 
single reporting portal for receiving reports from providers.
    Response: The final rule does not address procedures regarding how 
a PSO receives information. Providers must meet any requirements 
regarding sharing information that is protected health information, 
such as the HIPAA Privacy Rule, in any circumstances when reporting 
information to a PSO or joint PSO portal.
    Comment: Several commenters asked whether retrospective analyses 
could be included as patient safety work product.
    Response: The final rule permits any data, which is a term that is 
broadly defined and would include retrospective analyses, to become 
patient safety work product. The fact that information was developed 
prior to the collection for reporting to a PSO does not bar a provider 
from reporting an analysis to a PSO and creating patient safety work 
product. Providers should be cautioned to consider whether there are 
other purposes for which an analysis may be used to determine whether 
protection as patient safety work product is necessary or warranted. 
Further, the definition of patient safety work product is clear that 
information collected for a purpose other than for reporting to a PSO 
may not become patient safety work product only based upon the 
reporting of that information to a PSO. Such information, particularly 
information collected or developed prior to the passage of the Patient 
Safety Act, may become protected as a copy, but the original document 
remains unprotected.
(J) Section 3.20--Definition of Provider
    Proposed Rule: Proposed Sec.  3.20 would have divided the meaning 
of provider into three categories. The first paragraph included ``an 
individual or entity licensed or otherwise authorized under State law 
to provide health care services, including'' and this introductory 
language was followed by a list of institutional health care providers 
in subparagraph (1) and a list of individual health care practitioners 
in subparagraph (2). The preamble indicated that these statutory lists 
were illustrative.
    Under the Secretary's authority to expand the list of providers in 
the statutory definition, the proposed rule would have added two 
categories to the list of providers. The second paragraph would have 
covered agencies, organizations, and individuals within Federal, State, 
local, or Tribal governments that deliver health care, the contractors 
these entities engage, and individual health care practitioners 
employed or engaged as contractors by these entities. We included this 
addition because public health care entities and their staff are not 
always authorized or licensed by state law to provide their services 
and, therefore, might not be included within the terms of the original 
statutory definition.
    The third paragraph would have included a parent organization that 
has a controlling interest in one or more entities described in 
paragraph (1)(i) of this definition or a Federal, State, local, or 
Tribal government unit that manages or controls one or more entities 
described in (1)(i) or (2) of this definition. This addition was 
intended to permit the parent organization of a health care provider 
system to enter a system-wide contract with a PSO. The parent of a 
health system also may not be licensed or authorized by state law to 
provide health care services as required by the statutory definition.
    Overview of Public Comments: There were a number of comments with 
respect to the entities and individuals that are identified as 
providers in the subparagraphs of paragraph (1). For example, one 
commenter sought clarification that ``assisted living residential care 
and other community based care'' providers are included in the broader 
term ``long term care facilities'' as identified in the list of covered 
providers. A number of other individual commenters each identified 
entities that the Secretary should include in the definition of 
providers: medical product vendors, pharmaceutical companies, medical 
device manufacturers, risk retention groups, and captive professional 
liability insurance companies that are controlled by risk retention 
groups.
    There was general support for the inclusion of parent organizations 
of private and public sector providers in paragraph (3), although two 
commenters disagreed. One commenter argued that naming the parent 
organization as a provider suggested a ``one size fits all'' solution 
and suggested that eligibility should be linked to whether the parent 
organization is involved in the patient safety evaluation system for 
its subsidiaries. Other commenters, while not objecting, worried that 
this addition could open the door for organizations such as health 
insurance issuers, including Health Maintenance Organizations, 
regulatory and accrediting entities to qualify as component PSOs. One 
commenter suggested that by using the phrase ``controlling interest'' 
with respect to private sector parent organizations, the focus of this 
part of the proposed paragraph was inappropriately narrow, appearing to 
emphasize a corporate parent, and that the language needed to reflect a 
broader array of potential parent organizations, such as partnerships 
or limited liability companies.
    Several commenters expressed concern that by encompassing entities 
that are not traditionally providers, under HIPAA or other rules, our 
definition of ``provider'' would lead to confusion. One commenter 
suggested it would be appropriate for the commentary accompanying the 
final rule to address the two terms, emphasize the differences, and 
clarify the obligations.
    Final Rule: We have modified the definition of provider in the 
final rule in response to several comments. The first modification is a 
non-substantive substitution of the term behavioral health for behavior 
health. In response to the comments we received and to ensure clarity, 
we reiterate what we stated in the proposed rule that a list preceded 
by ``including'' is an illustrative list, not an exhaustive list.
    In general, the question of whether any private sector individual 
or entity, such as assisted living residential care and other 
community-based care providers, comes within the rule's meaning of 
``provider'' is determined by whether the individual or entity is 
licensed or otherwise authorized under state law to deliver health care 
services. We note that paragraphs (2) and (3) of the definition address 
public sector

[[Page 70745]]

providers and parent organizations of health care providers.
    We have not adopted any of the other recommendations for additions 
to the list of providers. The statute provides confidentiality and 
privilege protections for reporting by individuals and entities that 
actually provide health care services to patients. In our view, it was 
not intended to apply to those who manufacture or supply materials used 
in treatments or to entities that provide fiscal or administrative 
support to those providing health care services.
    With respect to paragraph (3) of the definition, the use of the 
term parent organization here should conform to our definition of 
``parent organization'' above. Therefore, we have streamlined the 
language, deleting unnecessary text that might suggest that we were 
applying a different definition.
    The Department does not share the concerns of commenters that 
incorporating a broader definition of ``provider'' in this rule will 
cause confusion in the marketplace, because its use will be limited. 
The application of the term ``provider'' in this rule is intended to 
give the full range of health care providers the ability to report 
information to, and work with, PSOs and receive confidentiality and 
privilege protections as set forth in the Patient Safety Act and this 
rule. Although we appreciate the administrative benefits of uniformity, 
and have tried to maximize the consistency or interoperability of this 
rule with the HIPAA Privacy and Security Rules, it would not be 
appropriate in this rule to adhere to any less inclusive definition of 
provider used in other regulations.
    We did not condition the designation of provider status for a 
parent organization on its involvement in a patient safety evaluation 
system. We expect that most parent organizations will, in fact, be a 
part of a system-wide patient safety evaluation system if they choose 
to pursue PSO services. However, establishing such a requirement now, 
when it is unclear what types of innovative arrangements and effective 
strategies might emerge, might prove more detrimental than helpful.
Response to Other Public Comments
    Comment: One commenter raised concerns that paragraph (2) may not 
include Indian tribes that operate or contract for their own health 
care systems under the Indian Self-Determination and Education 
Assistance Act (ISDEAA), rather than relying upon the Indian Health 
Service.
    Response: Tribal organizations carrying out self-determination 
contracts or compacts under the ISDEAA to deliver health care fall 
squarely within paragraph (2) of the definition of provider because 
they are organizations engaged as contractors by the Federal government 
to deliver health care. Additionally, the workforce of a provider 
covered under the rule, by definition, includes employees, volunteers, 
trainees, contractors, and other persons, whether or not paid by the 
provider, that perform work under the direct control of that provider. 
Federal employees detailed to a tribe or Tribal organization carrying 
out an ISDEAA contract would be covered under paragraph (2) in the 
definition of provider, even if they were not part of the Tribal 
organization's workforce. Therefore, no change is needed in response to 
this comment.

B. Subpart B--PSO Requirements and Agency Procedures

    Proposed Subpart B would have set forth requirements for Patient 
Safety Organizations (PSOs) including the certification and 
notification requirements that PSOs must meet, the actions that the 
Secretary may and will take relating to PSOs, the requirements that 
PSOs must meet for the security of patient safety work product, the 
processes governing correction of PSO deficiencies, revocation, and 
voluntary relinquishment, and related administrative authorities and 
implementation responsibilities. The requirements of the proposed 
Subpart would have applied to entities that seek to be listed as PSOs, 
PSOs, their workforce, a PSO's contractors when they hold patient 
safety work product, and the Secretary.
    The proposed rule did not require a provider to contract with a PSO 
to obtain the protections of the Patient Safety Act; however, we noted 
that we anticipate that most providers would enter into contracts with 
PSOs when seeking the confidentiality and privilege protections of the 
statute. We proposed to enable a broad variety of health care providers 
to work voluntarily with entities that would be listed as PSOs by the 
Secretary based upon their certifications that, among other things, 
state that they have the ability and expertise to carry out the broadly 
defined patient safety activities of the Patient Safety Act and, 
therefore, to serve as consultants to eligible providers to improve 
patient care. In accordance with the Patient Safety Act, the proposed 
rule set out an attestation-based process to qualify for 3-year 
renewable periods of listing as a PSO. Proposed Subpart B attempted to 
minimize regulatory burden, while fostering transparency to enhance the 
ability of providers to assess the strengths and weaknesses of their 
choice of PSOs.
    We proposed a security framework pertaining to the separation of 
data and systems and to security management, control, monitoring, and 
assessment. Thus, each PSO would address the framework with standards 
it determines appropriate to the size and complexity of its 
organization. We proposed additional requirements to ensure that a 
strong firewall would be maintained between a component PSO and the 
rest of the organization(s) of which it is a part.
    We noted that we expect to offer technical assistance and encourage 
transparency wherever possible to promote implementation, compliance, 
and correction of deficiencies. At the same time, this proposed Subpart 
established processes that would permit the Secretary promptly to 
revoke a PSO's certification and remove it from listing, if such action 
proves necessary.
1. Section 3.102--Process and Requirements for Initial and Continued 
Listing of PSOs
    Proposed Rule: The proposed rule in Sec.  3.102 addressed the 
eligibility of, and the processes and requirements for, an entity 
seeking a three-year period of listing by the Secretary as a PSO and 
described the timing and requirements of notifications that a PSO must 
submit to the Secretary during its period of listing. The proposed rule 
described our intention to minimize barriers to entry for entities 
seeking listing and create maximum transparency to create a robust 
marketplace for PSO services. The Patient Safety Act set forth limited 
prerequisites that must be met to be listed by the Secretary as a PSO, 
which the regulation incorporates. The Department expects that 
providers will be the ultimate arbiters of the quality of services that 
an individual PSO provides.
    Overview of Public Comments: The following discussion focuses on 
the broad comments we received concerning our overall approach to 
initial and continued listing of PSOs. These comments do not address 
specific provisions of the proposed rule. Public comments that address 
specific provisions of Sec.  3.102 are addressed in the individual 
subsection discussions that follow. Questions and situation-specific 
comments are addressed below under the heading of ``Response to Other 
Public Comments.''
    The Department received generally favorable comment on our proposed 
approach in this section, which

[[Page 70746]]

emphasizes a streamlined certification process, and public release of 
documentation submitted by PSOs whenever appropriate. There were, 
however, two broad sets of concerns expressed about our overall 
approach.
    The first concern related to the potential number of PSOs that 
might be listed by the Secretary as a result of the Department's 
proposed ``ease of entry'' approach. These comments focused on the 
importance of PSOs being able to aggregate significant amounts of data 
across multiple providers to develop meaningful analyses. Noting that 
patient safety events are often rare events, one commenter noted that 
in some cases it may be necessary to aggregate data for an entire state 
in order to develop insights regarding the underlying causes of such 
events. Another commenter noted that if every hospital in the state 
established its own component PSO, the potential impact of PSO analyses 
could be minimal. Because most PSOs will be dependent upon revenue from 
providers submitting data, one commenter worried that too many PSOs 
could also affect the ability of individual PSOs to obtain adequate 
funding to perform their analytic functions and to implement 
potentially costly security requirements.
    These concerns led some commenters to suggest inclusion in the 
final rule of a limitation on the number of PSOs that the Secretary 
would list. One commenter asked whether it would be possible for the 
Department to list one national PSO, noting this could improve 
efficiency for providers. Another commenter suggested listing of 2-4 
PSOs per state using a competitive process or limiting the number of 
PSOs by increasing the number of required provider contracts that each 
PSO must have. Most commenters who favored limiting the number of 
listed PSOs did not suggest a specific approach.
    A second broad set of recommendations focused on the need for 
periodic or ongoing evaluation of the effectiveness of PSOs that could 
be linked to, or be separate from, the evaluation of certifications for 
continued listing. Some commenters recommended that the Department 
routinely collect information from PSOs to evaluate whether the 
individual and collective work of PSOs is actually reducing medical 
errors and improving the quality of care that is delivered. One 
commenter stressed the importance of establishing in the final rule 
expectations related to PSO performance and demonstrated results and 
provided draft language for inclusion in the final rule.
    Final Rule: The Department has not modified the approach taken in 
the proposed rule in response to these comments. With respect to 
limiting the number of PSOs that are listed by the Secretary, the 
statutory language is clear that any entity, public or private, that 
can meet the stated requirements is eligible for listing by the 
Secretary. While the Department understands the concerns of the 
commenters that a very large number of PSOs could frustrate the 
statutory goal of data aggregation across multiple providers, we 
believe that this scenario is unlikely for several reasons.
    First, a provider does not need to shoulder the financial burden 
alone to support a full-time PSO. Providers enjoy the same protections 
under the Patient Safety Act when they contract with an independent PSO 
or when they create a component organization to seek listing as a PSO. 
A provider that establishes a working relationship with a PSO can have 
a division of labor between the analyses that its staff undertakes in-
house within its patient safety evaluation system and the tasks it 
assigns to the PSO. In both circumstances, the statutory protections 
apply. Thus, for a provider, establishing its own PSO is an option, not 
a necessity.
    Second, there are important insights into patient safety that can 
only be derived from aggregating data across multiple providers. Given 
the low frequency of some patient safety events, even larger health 
systems are likely to derive additional benefits from working with PSOs 
that have multiple and, potentially, diverse clients.
    A final limiting factor is the shortage of personnel who are well-
trained or experienced in the use of the methodologies of patient 
safety analyses. While the marketplace will respond to the need for the 
development of additional training and certification programs, the 
availability of highly-skilled staff will be a constraining factor 
initially. In combination, these three factors should provide a natural 
constraint on the number of single-provider PSOs.
    Regarding the other general set of comments related to the listing 
process, the Department has considered these suggestions and has 
determined not to incorporate in the final rule requirements for an 
ongoing evaluation process or the routine collection of data from PSOs. 
PSOs are not a Federal program in the traditional sense. Most 
significantly, they are not Federally funded. Their project goals, 
priorities, and the specific analyses that they undertake are not 
Federally directed. The value and impact of an individual PSO will be 
determined primarily by the providers that use its services on an 
ongoing basis.
    It is unclear at this point how providers will choose to use PSOs. 
Only with experience will it become clear which analyses a provider 
will choose to undertake in its own patient safety evaluation system 
and which analyses a provider will rely upon a PSO to undertake. The 
mix and balance of activities between a provider's patient safety 
evaluation system and its PSO (or PSOs) will undoubtedly shift over 
time as the working relationships between providers and PSOs evolve 
toward greater efficiency. Thus, we remain convinced that providers are 
in the best position to assess the value of a PSO and its ability to 
contribute to improving the quality and safety of patient care.
Response to Other Public Comments
    Comment: While contracts are not required between PSOs and 
providers to obtain protections, the Department stated that it 
anticipates most providers will enter contracts with providers. In 
light of this expectation, one commenter urged the Department to 
develop and make available a model contract.
    Response: We do not think a model contract can be developed easily. 
The issues that need to be addressed will vary significantly based upon 
the nature of the relationship. Therefore, we do not expect to be 
developing and releasing a model contract.
    Comment: One commenter suggested that the final rule should explain 
how AHRQ will publish the results from which providers and others can 
evaluate a PSO before entering a contract.
    Response: For the reasons discussed above, AHRQ will not require or 
release PSO-specific performance information.
    Comment: One commenter suggested that AHRQ should ensure that PSOs 
should not be able to make commercial gain from the knowledge it 
derives as a PSO.
    Response: The statute permits all types of private and public 
entities to seek listing as a PSO; it does not limit private entities 
to not-for-profits. The final rule mirrors that formulation. The 
Department concludes that the statute does not invite us to impose such 
restrictions and expects that providers' decisions will determine the 
acceptability of for-profit PSOs.
    Comment: One commenter suggested that providers should only be 
permitted to submit data to one PSO.
    Response: The Patient Safety Act's framework for PSO-provider 
relationships is voluntary from a public policy perspective. In our 
view, it

[[Page 70747]]

would be inconsistent with section 922(e)(1)(B) of the Public Health 
Service Act for the Department or any entity to use the authority of 
law or regulation to limit or direct provider reporting.
    Comment: One commenter suggested that the final rule should require 
PSOs to share aggregated, non-identifiable patient safety work product 
with state regulatory authorities.
    Response: The Department does not agree that it is appropriate to 
place such an unfunded mandate upon PSOs.
    Comment: One commenter stated that it is a waste of effort and 
expense to create new government entities to work with providers when 
current organizations can do that just as well. The commenter also 
asked whether anyone has estimated the 10-year costs.
    Response: As this final rule makes clear, these entities are not 
government entities and will not receive Federal funding. While we 
expect implementation will spur the development of new entities, we 
also expect that existing entities will be able to expand their current 
patient safety improvement efforts if they seek listing and are able to 
offer the confidentiality and privilege protections provided by the 
Patient Safety Act. While we have not done a 10-year cost estimate, our 
regulatory impact statement at the end of the preamble projects net 
savings of $76 to $92 million in 2012, depending upon whether the net 
present value discount rate is estimated at 7% or 3%.
(A) Section 3.102(a)--Eligibility and Process for Listing
    Proposed Rule: Section 3.102(a) of the proposed rule would have 
provided that, with several exceptions discussed below, any entity--
public or private, for-profit or not-for profit--that can meet the 
statutory and regulatory requirements may seek initial or continued 
listing by the Secretary as a PSO. The Department proposed to establish 
a streamlined certification process for entities seeking initial or 
continued listing that relied upon attestations that the entities met 
statutory and regulatory requirements. To foster informed provider 
choice, entities were encouraged, but would not be required, to post 
narratives on their respective Web sites that explained how each entity 
intended to comply with these requirements and carry out its mission.
    The proposed rule incorporated a statutory prohibition that 
precludes a health insurance issuer and a component of a health 
insurance issuer from becoming a PSO. The Department also proposed to 
exclude any entity, public or private, that conducts regulatory 
oversight of health care providers, which included organizations that 
accredit or license providers. We proposed this restriction for 
consistency with the statute, which seeks to foster a ``culture of 
safety'' in which health care providers are confident that the patient 
safety events that they report will be used for learning and 
improvement, not oversight, penalties, or punishment. The proposed rule 
would permit a component organization of such an entity to seek listing 
as a PSO. To ensure that providers would know the parent organizations 
of such PSOs, we proposed that certifications include the name(s) of 
its parent organization(s), which the Secretary would release to the 
public. We sought comment on whether we should consider broader 
restrictions on eligibility.
    The proposed rule would permit a delisted entity, whether delisted 
for cause or because of voluntary relinquishment of its status, 
subsequently to seek a new listing as a PSO. To ensure that the 
Secretary would be able to take into account the history of such 
entities, we proposed such entities submit this information with their 
certifications for listing.
    Overview of Public Comments: The Department received generally 
favorable comments on our proposal to adopt a streamlined attestation-
based approach to initial listing of PSOs. A number of commenters 
expressed concern about our attestation-based approach, however, 
arguing for a more in-depth assessment to ensure that an entity had the 
capability to carry out its statutory and regulatory responsibilities 
and meet the patient safety objectives of the statute. Some believed 
that the private marketplace is not necessarily well-equipped to judge 
which organizations can most effectively meet these requirements. 
Arguing that one misguided or fraudulent organization could taint the 
entire enterprise for years, a few commenters suggested that we require 
interested organizations at initial listing to submit documentation of 
their ability to meet their statutory and regulatory responsibilities.
    Most commenters who urged a stronger approach to the evaluation of 
certifications for listing acknowledged the value of an expedited 
process for initial listing and instead focused their recommendations 
on the importance of creating a more rigorous process for continued 
listing. A common recommendation was to require, in addition to the 
proposed certifications for continued listing, that a PSO be required 
to submit documentation that described in detail how it is complying 
with the requirements underlying its certifications and urged the 
Department to arrange for independent review of such documentation, 
coupled with an audit process that would ensure compliance.
    The comments we received were supportive of including a requirement 
that entities certify whether there is any relevant history regarding 
delisting about which the Secretary needs to be aware. Several 
commenters suggested that the entity seeking to be relisted should be 
required to include reason(s) for any prior delisting. Another 
suggestion was that the Secretary should have discretion in relisting 
an entity not to release the names of officials who had positions of 
responsibility in a previously delisted entity.
    The proposed restrictions on eligibility engendered considerable 
comment. With respect to the statutory restriction on health insurance 
issuers, concerns and questions were raised regarding whether the 
exclusion applied to self-insured providers or malpractice liability 
insurers and whether health systems that include a subsidiary that is a 
health insurance issuer could establish a component PSO.
    We received a significant level of comment regarding our proposed 
restriction on listing of regulatory oversight bodies. While the 
majority of commenters supported the proposed exclusion, some 
commenters took issue with various aspects of our proposal.
    Commenters engaged in accreditation activities generally criticized 
our characterization of these activities as regulatory. They pointed 
out that the proposed rule did not take into account the distinction 
between voluntary and mandatory accreditation and, in their view, most 
accreditation was voluntary. They also noted that accreditation 
activities were initially developed to ensure the quality and safety of 
patient care and that accreditation entities, unlike licensure 
agencies, have greater discretion in addressing any problems that they 
identify with a provider's operations in a non-punitive way. For these 
commenters, accreditation activities were not inconsistent with 
fostering a ``culture of safety.'' By contrast, most provider comments 
supported the exclusion, and singled out accreditation entities as 
warranting exclusion.
    State health departments and state-created entities expressed 
concern about an outright prohibition on their being listed as PSOs, 
noting that the prohibition could disrupt effective patient safety 
initiatives now underway. A number of specific state-sanctioned patient 
safety initiatives were described in their submissions. Commenters

[[Page 70748]]

pointed to the fact that state health departments have both regulatory 
and non-regulatory elements to their authority, have routinely 
demonstrated that they can effectively keep these elements separate, 
and thus, they saw no reason for the Department to doubt that state 
agencies could continue to do so effectively if they were permitted to 
operate PSOs.
    Other commenters suggested extending the prohibition to other types 
of entities (such as purchasers of health care or agents of regulatory 
entities) and raised questions regarding the scope of the exclusion.
    We received a significant number of comments in response to a 
specific question raised in the proposed rule whether the exclusion of 
regulatory entities should be extended to components of such 
organizations. Commenters that supported extension of the prohibition 
generally argued that the firewalls that the statute requires a 
component PSO to maintain between itself and its parent organization(s) 
could be circumvented, that the flexibility in the proposed rule to 
enable a component PSO to draw upon the expertise of its parent 
organization(s) would be inappropriate in this situation, and there was 
a significant possibility that such a parent organization could use its 
position of authority to attempt to coerce providers into reporting 
patient safety work product to its component PSO.
    A majority of commenters, however, opposed expanding the exclusion 
to components of such regulatory organizations. They contend that the 
statutorily required separations between a component PSO and its parent 
organization(s) would provide adequate protection against improper 
access and adverse use of confidential patient safety work product by 
the excluded entities with which such a component PSO is affiliated. A 
number of commenters noted that an expansion of the exclusion to 
components of such entities would have unintended consequences. For 
example, an increasing number of medical specialty societies operate, 
or are in the process of developing, accreditation programs for their 
members in response to growing public and private sector pressure for 
quality improvement. These organizations see the creation of specialty-
specific component PSOs as an important complement to their other 
quality improvement activities. Similarly, some commenters contend that 
widespread patient safety improvements require coordination and 
communication across the public and private sectors. These commenters 
argued that a broader exclusion could both disrupt existing, effective 
public sector patient safety initiatives and preclude opportunities for 
the public sector to play a meaningful role.
    Many commenters that opposed extending the exclusion to component 
organizations nevertheless suggested additional restrictions to 
strengthen the separation of activities between component PSOs and 
these types of parent organizations. Their suggestions are discussed 
below with respect to Sec.  3.102(c).
    Final Rule: The Department considered whether to modify the 
attestation process either for initial or continued listing of PSOs or 
both but ultimately concluded that streamlined attestations should be 
retained for both. Given the voluntary, unfunded nature of this 
initiative and the centrality of the client-consultant paradigm of 
provider-PSO relationships, an approach that requires documentation and 
routine audits is likely to be costly and burdensome, both to entities 
seeking listing and the Department. More importantly, such an approach 
is unlikely to achieve its intended objective, for the reasons 
discussed below.
    There are limitations of a documentation approach to ensuring the 
capabilities and compliance of PSOs with the requirements for listing, 
and such an approach is unlikely to yield the types of information that 
providers will need in selecting a PSO. Consider, for example, two of 
these requirements: the criterion that requires that a PSO have 
qualified staff, including licensed or certified medical professionals, 
and the patient safety activity that requires the provision of feedback 
to participants in a (provider's) patient safety evaluation system. 
Documentation, through submission of resumes or summaries of the 
credentials of professional staff, can demonstrate that the PSO meets 
the statutory requirement. What each provider really needs to assess, 
however, is whether the skill sets of the professional staff employed 
by or under contract to the PSO are an appropriate match for the 
specific tasks that led the provider to seek a PSO's assistance. 
Depending upon the analytic tasks, a provider may need expertise that 
is setting-specific, e.g., nursing homes versus acute care settings, 
technology-specific, specialty-specific, or, may require expertise 
outside the traditional scope of health care. Thus, there is not a 
single template against which the expertise of a PSO's professional 
staff can be judged. In addition, we anticipate that PSOs seeking 
additional clients (providers) will post on their websites, or 
otherwise advertise, the names and qualifications of their top staff 
experts and consultants. Their Web site locations will be on the AHRQ 
PSO Web site.
    Similarly, documentation can demonstrate that a PSO has provided 
feedback to participants in a provider's patient safety evaluation 
system and thereby met the statutory requirement. But the most relevant 
questions are whether the feedback reflected a valid analysis of the 
provider's patient safety work product and existing scientific 
knowledge, and whether the feedback was framed in ways that made it 
understandable, ``actionable,'' and appropriate to the nature of the 
provider's operation. The answers to these questions cannot be assessed 
by the Department readily through the listing process.
    As a result, in many cases, the provider-client, rather than the 
Department, will be better able to determine whether the outcomes of a 
PSO's conduct of patient safety activities meet its needs in a 
meaningful way. The Department believes that providers, especially 
institutional providers, will have access to the expertise to make them 
especially sophisticated customers for PSO services. Providers are 
likely to assess very carefully the capabilities of a PSO and will be 
in a position to request appropriate documentation, if necessary, to 
assess a PSO's ability to meet their specific requirements. Therefore, 
the Department does not see a compelling public policy rationale for 
substituting its judgment for that of a provider. Providers can demand 
references and evidence of relevant accomplishments, and effectively 
evaluate the adequacy and suitability of a PSO's expertise and 
experience. In summary, a listing process that imposes documentation 
and audit requirements on each PSO will impose a significant burden on 
all parties, but yield only marginally useful information to 
prospective clients.
    Accordingly, we believe the approach outlined in the proposed rule 
offers a more efficient and effective approach. The approach does 
include authority for spot-checking compliance outlined in Sec.  3.110, 
responding to complaints or concerns, and enabling the Secretary, in 
making listing decisions (see Sec.  3.104(b)), to take into 
consideration the history of an entity and its key officials and senior 
managers. This approach will be buttressed with a program of technical 
assistance for PSOs administered by AHRQ. In addition, the final rule 
incorporates a new expedited revocation process that can be used when 
the

[[Page 70749]]

Secretary determines that there would be serious adverse consequences 
if a PSO were to remain listed. False statements contained in a PSO's 
submitted certifications can result in a loss of listing or other 
possible penalties under other laws.
    For convenience and clarity, we have restructured Sec.  3.102(a)(1) 
to provide a unified list of the certifications and information that an 
entity must submit for listing as a PSO. Sections 3.102(a)(1)(i) 
through 3.102(a)(1)(vii) set forth and cross-reference the requirements 
of the final rule. Two of these requirements are new. Section 
3.102(a)(1)(iv) cross-references the additional requirements in Sec.  
3.102(c)(1)(ii) that components of entities that are excluded from 
listing must meet in order for such components to be listed. Section 
3.102(a)(1)(v) incorporates our proposal, for which comments were 
supportive, to require disclosure to the Secretary if the entity 
seeking listing (under its current name or another) has ever been 
denied listing or delisted or if the officials or senior managers of 
the entity now seeking listing have held comparable positions in a PSO 
that the Secretary delisted or refused to list.
    We have not adopted recommendations that we require explanations 
for the historical situations encompassed by Sec.  3.102(a)(1)(v). 
Instead, we require that the name(s) of any delisted PSO or of any 
entity that was denied listing be included with the certifications. The 
Department can then search its records for background information. In 
response to concerns regarding public disclosure of the names of the 
officials or senior managers that would trigger the notification 
requirement, we do not require submission of the names of the 
individuals with the certifications. With respect to the workforce of 
the entity, we note that we have narrowed the requirement in two ways. 
First, we have narrowed the focus from ``any'' employee to officials 
and senior managers. Second, the requirement to disclose only applies 
when officials or senior managers of the entity seeking listing also 
held comparable positions of responsibility in the entity that was 
delisted or refused listing.
    Restructured Sec.  3.102(a)(2) retains the statutory exclusion from 
listing of health insurance issuers and components of health insurance 
issuers in subparagraph (i). For greater clarity, we have restated the 
exclusion to reflect the rule's definition of component so it now 
references: a health insurance issuer; a unit or division of a health 
insurance issuer; or an entity that is owned, managed, or controlled by 
a health insurance issuer. New subparagraph (ii) modifies and restates 
the exclusion from listing of any entity that: (1) Accredits or 
licenses health care providers; (2) oversees or enforces statutory or 
regulatory requirements governing the delivery of health care services; 
(3) acts as an agent of a regulatory entity by assisting in the conduct 
of that entity's oversight or enforcement responsibilities vis-a-vis 
the delivery of health care services; or (4) operates a Federal, State, 
local or Tribal patient safety reporting system to which health care 
providers (other than members of the entity's workforce or health care 
providers holding privileges with the entity) are required to report 
information by law or regulation.
    In reviewing the comments on the proposed regulatory exclusion, we 
did not find the arguments for narrowing the prohibition compelling. 
Almost every provider group expressed concern regarding the possible 
operation of PSOs by entities that accredit or license providers as 
well as possible operation of PSOs by regulatory entities. We share 
their concerns that entities with the potential to compel or penalize 
provider behavior cannot create the ``culture of safety'' (which 
emphasizes communication and cooperation rather than a culture of blame 
and punishment) that is envisioned by the statute.
    We also concluded that it is difficult to draw a ``bright-line'' 
distinction between voluntary and mandatory accreditation as several of 
the commenters from accreditation organizations proposed. While most 
accreditation is technically voluntary from the standpoint of many 
accreditation entities, its mandatory aspect generally derives from 
requirements established by, or its use by, other entities such as 
payers. Thus, if we were to incorporate such a distinction that 
permitted the listing of organizations that provide voluntary 
accreditation today, its voluntary nature could disappear over time if 
other organizations mandated use of its accreditation services. Thus, a 
listed PSO might need to be delisted at some point in the future solely 
because of the actions of a third party mandating that organization's 
accreditation as a requirement. Therefore, we have retained the 
prohibition on accreditation and licensure entities and have not 
incorporated any distinctions regarding voluntary versus mandatory 
accreditation in the final rule. We have reformulated the exclusion and 
no longer include accreditation or licensure activities as examples of 
regulatory activities.
    Similarly, we have retained the broad exclusion from listing of 
regulatory entities, by which we mean public or private entities that 
oversee or enforce statutory or regulatory requirements governing the 
delivery of health care services. Their defining characteristic is that 
these entities have the authority to discipline institutional or 
individual providers for the failure to comply with statutory or 
regulatory requirements, by withholding, limiting, or revoking 
authority to deliver health care services, by denying payment for such 
services, or through fines or other sanctions.
    We consider entities with a mix of regulatory and non-regulatory 
authority and activities also to be appropriately excluded from being 
listed. We acknowledge that health departments and other entities with 
regulatory authority may undertake a mix of regulatory and non-
regulatory functions. It may also be true, as several comments 
reflected, that state health departments have experience, and a track 
record, for maintaining information separately and securely from the 
regulatory portions of their operations when necessary. However, we 
note that the final rule retains the proposed approach not to regulate 
uses of patient safety work product within a PSO. However, the final 
rule retains the ability of a state health department to establish a 
component organization that could seek listing as a PSO, subject to the 
additional restrictions discussed in Sec.  3.102(c) below. The benefit 
of this approach is that providers will have the reassurance that the 
penalties under the Patient Safety Act and the final rule will apply to 
any impermissible disclosures of patient safety work product from such 
a PSO to the rest of the state health department.
    We have not included the proposal of several commenters to exclude 
purchasers of health care from becoming PSOs. Commenters did not 
suggest a compelling public policy case for the exclusion of any 
particular type of purchasers. Given the vagueness and potential scope 
of such a prohibition, the potential for unintended consequences is 
simply too great to warrant its inclusion. For example, health care 
institutions in their role as employers can also be considered 
purchasers of health care.
    We have incorporated two additional exclusions. First, based upon 
recommendation from commenters, we exclude from listing entities that 
serve as the agents of a regulatory entity, e.g. by conducting site 
visits or investigations for the regulatory entity.

[[Page 70750]]

While we understand that such agents generally do not take action 
directly against providers, their findings or recommendations serve as 
the basis for potential punitive actions against providers. As a 
result, we believe that the rationale we outlined in the proposed rule 
regarding the exclusion of regulatory bodies is also applicable to 
agents of regulatory entities helping to carry out these regulatory 
functions.
    Second, as we considered comments seeking clarification on the 
eligibility of entities that operate certain mandatory or voluntary 
patient safety reporting systems to seek listing as PSOs, we concluded 
that mandatory systems, to which some or all health care providers are 
required by law or regulation to report patient safety information to a 
designated entity, were inconsistent with the voluntary nature of the 
activities which the Patient Safety Act sought to foster. However, this 
exclusion does not apply to mandatory reporting systems operated by 
Federal, State, local or Tribal entities if the reporting requirements 
only affect their own workforce as defined in Sec.  3.20 and health 
care providers holding privileges with the entity. The exception is 
intended to apply to Federal, State, local or Tribal health care 
facilities in which the reporting requirement applies only to its 
workforce and health care providers holding privileges with the 
facility or health care system. This exception ensures that, with 
respect to eligibility for listing as a PSO, entities that administer 
an internal patient safety reporting system within a public or private 
section health care facility or health care system are treated 
comparably under the rule and would be eligible to seek listing as a 
PSO.
    The final rule retains the ability of components of the four 
categories of excluded entities in Sec.  3.102(a)(2)(ii) to seek 
listing as a component PSO. After careful review, the Department 
concluded that there was a significant degree of congruence in the 
concerns expressed by both proponents and opponents of extending the 
exclusion to such components. The opponents of extending the exclusion 
routinely suggested that the Department address their core concerns by 
adopting additional protections, rather than the blunt tool of a 
broader exclusion. We have adopted this approach, and we have 
incorporated in Sec.  3.102(c) additional requirements and limitations 
for components of excluded entities.
    In addition, we have incorporated a new requirement in Sec.  
3.102(a)(3) that submissions for continued listing must be received by 
the Secretary no later than 75 days before the expiration of a PSO's 
three-year period of listing. This requirement derives from our concern 
for protecting providers if a PSO decides not to seek continued listing 
and simply lets its certifications expire at the end of a three-year 
period of listing. To preclude an inadvertent lapse, the proposed rule 
included a provision to send PSOs a notice of imminent expiration 
shortly before the end of its period of listing and sought comment on 
posting that notice publicly so that providers reporting patient safety 
work product could take appropriate action. Section 3.104(e)(2) states 
that the Secretary will send a notice of imminent expiration to a PSO 
at least 60 days before its last day of listing if certifications for 
continued listing have not been received. However, the failure of the 
Secretary to send this notice does not relieve the PSO of its 
responsibilities regarding continued listing. The requirement to submit 
certifications 75 days in advance is intended to ensure that such a 
notice is not sent or publicly posted until after the submissions are 
expected by the Department.
Response to Other Public Comments
    Comment: One commenter urged the Secretary not to require 
organizations to have specific infrastructure and technology in place 
before they could be listed.
    Response: The Department has not proposed any specific 
infrastructure or technology requirements. However, the statute and the 
final rule require a PSO at initial listing to certify that it has 
policies and procedures in place to ensure the security of patient 
safety work product. The final rule requires that those policies and 
procedures be consistent with the framework established by Sec.  3.106. 
The Department interprets the statute to require a listed PSO to be 
able to provide security for patient safety work product during its 
entire period of listing, which includes its first day of listing.
    Comment: Two commenters agreed that PSOs should be encouraged, but 
not required, to post on their Web sites narrative statements regarding 
their capabilities.
    Response: The Department continues to encourage PSOs to develop and 
post such narrative statements.
    Comment: One commenter suggested that the listing process should 
include an opportunity for the Secretary to receive public comment 
before making a listing decision, especially in the case of continued 
listing, when providers may want to share their experiences with the 
Secretary regarding a specific PSO.
    Response: While we expect customer satisfaction evaluations of PSOs 
will develop naturally in the private sector, the Department has not 
incorporated this recommendation in the listing process. If a provider 
or any individual believes that a PSO's performance is not in 
compliance with the requirements of the rule, this concern can be 
communicated to AHRQ at any time. Improper disclosures may also be 
reported to the Office for Civil Rights in accordance with Subpart D. 
Incorporation of a public consultation process poses a number of 
implementation issues. For example, it could potentially delay a time 
sensitive Secretarial determination regarding continued listing (which 
must be made before expiration of a PSO's current period of listing) 
and could require the Department to assess the validity of each 
specific complaint, e.g., the extent to which dissatisfaction with an 
analysis reflects the competence with which it was performed or a lack 
of precision in the assignment to the PSO.
    Comment: One commenter suggested that state-sanctioned patient 
safety organizations should be deemed to meet the requirements for 
listing.
    Response: The Department does not believe that the Patient Safety 
Act gives the Secretary authority to delegate listing decisions to 
states. Moreover, the statute establishes the requirements that an 
entity must meet for listing as a PSO; automatically deeming state-
sanctioned organizations to be PSOs would inappropriately override 
federal statutory requirements and mandate the Secretary to list PSOs 
that may not be in compliance with all the statutory requirements. 
Accordingly, the final rule does not include such a provision.
    Comment: Several commenters asked if the exclusion on health 
insurance issuers precludes a self-insured entity from seeking listing.
    Response: The Department has examined this issue and concluded that 
the exclusion of health insurance issuers does not apply to self-
insured organizations that provide health benefit plans to their 
employees. The statutory exclusion contained in section 924(b)(1)(D) of 
the Public Health Service Act incorporates by reference the definition 
of health insurance issuer in section 2971 of the Public Health Service 
Act and that definition explicitly excludes health benefit plans that a 
health care provider organization offers to its employees.
    Comment: Several commenters inquired whether organizations that 
provide professional liability insurance coverage (also referred to as 
medical liability insurance or malpractice

[[Page 70751]]

liability insurance) for health care providers are covered by the 
health insurance issuer exclusion. The commenters uniformly argued that 
the exclusion should not apply. Several commenters noted their intent 
to have their ``captive'' liability insurer seek listing as a PSO. 
Another commenter sought assurances that if a captive liability insurer 
sought listing as a PSO, the PSO would not be considered a component of 
the provider organizations that owned the liability insurer.
    Response: The Department notes that there is some ambiguity in the 
statutory language but concludes that the health insurance issuer 
exclusion does not apply to such organizations.
    While the health insurance issuer exclusion does not apply, the 
Department notes that the statute and the final rule require that an 
entity seeking listing must attest that its mission and primary 
activity is the improvement of patient safety. That test is readily met 
when an organization, such as a captive liability insurer, creates a 
component organization since the creation of a distinct new entity can 
be established in a manner that clearly addresses and meets the 
``primary activity'' criterion. The Department has the authority to 
review all applications, including those from organizations with 
multiple activities, and to look behind the attestations to determine 
whether the applicant meets the ``primary activity'' criterion.
    We note that a captive entity meets the definition of a component 
organization in this rule. Therefore, if the captive organization is 
eligible for listing because it meets the ``primary activity'' 
criterion, it must seek listing as a component organization and clearly 
would be subject to the requirements on component PSOs. If the captive 
organization does not meet the primary activity criterion for listing, 
it is free to create a component organization to seek listing. Once 
again, however, the additional requirements for a component PSO apply.
    Comment: Several commenters asked whether the health insurance 
issuer exclusion prevents a health system that has subsidiaries that 
include providers and a health insurance issuer, from establishing a 
component organization to seek listing as a PSO.
    Response: As described by several commenters, the PSO and the 
health insurance issuer would be affiliates in a ``brother-sister'' 
relationship within the parent organization. As long as the health 
insurance issuer does not have the authority to control or manage the 
PSO, the health system is not precluded from having both a health 
insurance issuer subsidiary and a component PSO.
    Comment: Several commenters raised questions from different 
perspectives regarding situations in which providers might be required 
to report data to a PSO. Some commenters suggested that the final rule 
should prohibit a facility or health care delivery system from 
requiring individual clinicians (who are employed, under contract, or 
have privileges at the facility or within the system) to report data to 
a specific PSO. Others raised questions regarding the eligibility for 
listing of existing Federal, state, local or Tribal patient safety 
reporting systems that are administered by an entity without regulatory 
authority.
    Response: While the Patient Safety Act does not require any 
provider to report data to a PSO, the statute is silent on whether 
others (such as institutional providers or other public entities) can 
impose such requirements on providers. The Department makes a 
distinction based upon the source of reporting requirements and the 
extent to which the requirement can be viewed as consistent with the 
statutory goal of fostering a ``culture of safety.'' Thus, the 
Department has declined to include in the final rule any restriction on 
the ability of a multi-facility health care system to require its 
facilities to report to a designated PSO or of a provider practice, 
facility, or health care system to require reporting data to a 
designated PSO by those providing health care services under its aegis, 
whether as employees, contractors, or providers who have been granted 
privileges to practice. A patient safety event reporting requirement as 
a condition of employment or practice can be consistent with the 
statutory goal of encouraging institutional or organizational providers 
to develop a protected confidential sphere for examination of patient 
safety issues. While an employer may require its providers to make 
reports through its patient safety evaluation system, section 
922(e)(1)(B) prohibits an employer from taking an adverse employment 
action against an individual based upon the individual's reporting 
information in good faith directly to a PSO.
    By contrast, the Department views mandatory reporting requirements 
that are applicable to providers that are not workforce members and 
that are based in law or regulation, regardless of whether the specific 
data collected by these systems is anonymous or identifiable, as 
incompatible with the intent of the Patient Safety Act to foster 
voluntary patient safety reporting activities. In these situations, 
provider failure to make legally required reports can potentially 
result in a loss of individual or institutional licensure and the 
ability to practice or deliver health care services. Accordingly, we 
have added to the list of entities excluded from listing in Sec.  
3.102(b)(2)(ii) entities that administer such mandatory patient safety 
reporting systems.
    A voluntary Federal, state, local, or Tribal patient safety 
reporting system can seek listing as a PSO. This means that the entity 
administering the reporting system does not have statutory or 
regulatory authority to require providers to submit data to the 
administering organization, and that organization is not required by 
statute or regulation to make the collected identifiable data available 
in ways that would be incompatible with the limitations on disclosure 
discussed in Subpart C.
    Comment: Two commenters addressed the issue of whether Quality 
Improvement Organizations (QIOs), which are organizations that have 
contracts with Medicare and often with other payers or purchasers to 
review compliance with regulatory or contractual requirements and make 
reports that may adversely impact providers financially, can seek 
listing as PSOs.
    Response: QIOs are precluded from seeking listing as PSOs. The 
final rule precludes agents of a regulatory entity from seeking listing 
and QIOs serve as agents of Medicare. Some QIOs also serve in similar 
capacities as agents of state regulatory bodies. As noted above, an 
agent of a regulator may create a component organization that would be 
eligible to seek listing as a PSO, provided such a component 
organization meets the additional requirements of Sec.  
3.102(c)(1)(ii).
    Comment: Several commenters asked if the proposed exclusions of 
entities applied to State Boards of Health, programs offering providers 
certifications, and physician specialty boards.
    Response: With respect to State Boards of Health, there are two 
issues regarding their potential ineligibility for becoming PSOs. The 
first, raised by the commenter, is whether these boards can be 
considered regulatory entities and in most cases they would be. While 
State Boards of Health provide leadership and policy coordination for 
state health policies, they generally have the power to oversee, 
enforce or administer regulations governing the delivery of health care 
services and would, therefore, be ineligible to be listed as a PSO. The 
second issue is whether such a board with its multiple

[[Page 70752]]

responsibilities could attest that the conduct of activities to improve 
patient safety and health care quality is its primary activity.
    With respect to entities that offer certifications, physician 
specialty boards, or similar activities, we would use a fact-based 
approach that assesses the activities in light of the exclusions in the 
rule at Sec.  3.102(a)(2)(ii).
    Comment: One commenter questioned whether the proposed requirement 
that a PSO notify the Secretary if it can no longer meet the 
requirements for listing essentially meant that the PSO was admitting a 
deficiency.
    Response: We expect this requirement to operate prospectively so 
that the Secretary can evaluate whether the changed circumstances may 
still be cured. While it is possible that this requirement in some 
situations would be the equivalent of a PSO admitting a current, rather 
than prospective deficiency, we note two aspects of the process 
outlined here. First, the correction of deficiencies is not a punitive 
process. Second, the obligation to inform the Secretary of changes is a 
companion element to the Department's approach in listing entities 
based upon attestations.
(B) Section 3.102(b)--Fifteen General PSO Certification Requirements
    Proposed Rule: Section 3.102(b) of the proposed rule incorporated 
the 15 requirements specified in the Patient Safety Act that every 
entity must meet for listing as a PSO. These 15 requirements are 
comprised of eight patient safety activities and seven other criteria. 
At initial listing, an entity would certify that it has policies and 
procedures in place to perform the eight specified patient safety 
activities and, upon listing, would comply with the seven other 
criteria during its period of listing. At continued listing, the PSO 
would certify that it has performed during its period of listing, and 
would continue to perform, all eight patient safety activities and 
that, it has complied with, and would continue to comply with, the 
seven other statutory criteria during its next period of listing.
    We proposed to define the confidentiality and security requirements 
that are part of the patient safety activities that PSOs must carry out 
as requiring compliance with the confidentiality provisions of Subpart 
C and the security measures required by Sec.  3.106. We did not propose 
that, but sought comment on whether the final rule should include a 
requirement that a PSO inform any provider from which it received 
patient safety work product if there are impermissible disclosures of, 
or security breaches occur, with respect to the provider's patient 
safety work product.
    A PSO would meet the minimum contract requirement under the 
proposed rule with two contracts, each with a different provider, at 
some point during a PSO's sequential 24-month periods of listing. The 
proposed rule sought comment on how to interpret the requirement that 
the required contracts must be ``for a reasonable period of time,'' 
asking whether the final rule should use a standard that was time-
based, task-based, or include both options.
    The proposed rule noted that PSOs are required by the statute, to 
the extent practical and appropriate, to collect patient safety work 
product from providers in a standardized manner that permits valid 
comparisons of similar cases among similar providers. We stated that we 
were considering including in the final rule, and sought comment on, a 
clarification that compliance would mean that a PSO, to the extent 
practical and appropriate, will collect patient safety work product 
consistent with guidance that the Secretary is developing regarding 
reporting formats and common definitions when the guidance becomes 
available. We also sought comment on the process for the development of 
common formats and definitions.
    Overview of Public Comment: Most of the comments we received on 
this subsection focused on the contract requirement and the specific 
questions posed by the proposed rule. Nearly all of the commenters who 
addressed the issue supported the inclusion in the final rule of a 
requirement that PSOs must notify a provider if the work product 
submitted by the provider was inappropriately disclosed or its security 
was breached. Those favoring the inclusion of the requirement cited 
concern about the sensitivity of patient safety work product and the 
importance of ensuring that providers know if the PSO to which they 
reported data was living up to its obligations to protect the security 
and confidentiality of their data. They noted that the HIPAA Privacy 
and Security Rules will not always be applicable: That some providers 
will not be considered covered entities and identifiable patient safety 
work product may not always contain protected health information.
    Those opposed to the requirement argued that most patient safety 
work product will contain protected health information and providers 
reporting to a PSO are likely to be covered entities. Thus, the HIPAA 
Privacy Rule will cover most situations and, if providers had 
additional concerns, they could address them contractually. It was also 
suggested that the preamble to the final rule should carefully describe 
a PSO's obligations when the HIPAA Privacy and Security Rules apply and 
the requirements to report impermissible disclosures even when 
protected health information is not involved.
    With respect to the statutory requirement for contracts with more 
than one provider, several commenters proposed that one contract with 
multiple providers should be deemed to meet the statutory requirement. 
These commenters often argued that it was inefficient to require a PSO 
to enter multiple contracts when the statutory intent of collecting 
data from multiple providers could be met through a single contract. 
Several commenters alleged that the proposed rule did not interpret the 
requirement that contracts be entered with ``different providers'' and 
sought clarification in the final rule.
    The vast majority of commenters opposed including any standard in 
the final rule for determining when one of the required contracts was 
``for a reasonable period of time.'' Many argued that this decision 
should be left to the marketplace, permitting providers and PSOs to 
enter customized arrangements. A few commenters supported incorporation 
of a time-based standard, ranging from 3-12 months. One commenter 
recommended incorporating both time-based and task-based standards.
    In response to our specific request for comment on whether the 
final rule should reference the Secretary's guidance on common formats 
and definitions, the vast preponderance of comments were supportive, 
with many detailing reasons why use of common formats was important. 
Several organizations offered caveats to their support, such as concern 
that the development of Secretarial guidance might slow the process and 
may further interfere with innovation. Many organizations offered 
suggestions to the Department such as: Allowing private sector 
feedback; harmonizing with other data reporting requirements; allowing 
collection of data in addition to the common formats, particularly for 
use at the local level; and allowing time to phase in use of common 
formats.
    Virtually all comments were supportive of the process by which the 
Department was developing guidance on common formats. Many commenters 
suggested steps that they wished the Department to take such as: 
Greater or earlier involvement of the private sector; transparency in 
the process; acceptance of comments from outside government;

[[Page 70753]]

and use of evidence from existing reporting systems. The process we 
outlined for private sector consultation was viewed positively. We 
received several comments and recommendations related to this process 
that were outside the scope of the rule and, therefore, are not 
addressed below.
    Final Rule: For convenience and clarity, we have modified the text 
in the final rule to separate initial and continued listing within 
Sec.  3.102(b)(1), which states the required certifications for the 
eight patient safety activities and within Sec.  3.102(b)(2), which 
states the required certifications for the seven PSO criteria. This 
modification does not reflect a substantive change.
    We have incorporated in Sec.  3.102(b)(1)(B) of the final rule one 
additional requirement, posed as a question in the proposed rule and 
strongly supported by commenters, that a PSO must inform the provider 
from which it received patient safety work product if the work product 
submitted by that provider is inappropriately disclosed or its security 
is breached. The Department recognizes that in certain cases a PSO may 
not know the identity of the provider that submitted patient safety 
work product, e.g., anonymous submissions, or it might not be possible 
to contact the provider, e.g., if the provider has gone out of business 
or retired. In these cases, the Department would expect the PSO to be 
able to demonstrate, if selected for a ``spot check,'' that it made a 
good faith effort to reach every provider that submitted the work 
product subject to an inappropriate disclosure or a security breach. We 
also note that this requirement only requires the PSO to contact the 
provider that submitted the information; the PSO is not expected to 
contact providers or others whose names are included in the patient 
safety work product. As a business associate of a provider covered by 
the HIPAA Privacy Rule, the PSO must abide by its business associate 
contract with that provider, obligating it to notify the provider if it 
becomes aware of an impermissible disclosure of protected health 
information. See 45 CFR 164.504(e)(2)(ii)(C). Once the PSO has informed 
the provider of the impermissible disclosure, the HIPAA Privacy Rule 
requires the provider to mitigate the harmful effects of an 
impermissible disclosure. See 45 CFR 164.530(f).
    We have also incorporated in Sec.  3.102(b)(2)(i)(C) a minor 
modification in the text of the criterion relating to the required two 
contracts. The text in the proposed rule stated that a PSO ``must have 
entered into two bona fide contracts'' with different providers; we 
have deleted the words ``entered into.'' Our intent in the proposed 
rule text was to encourage PSOs to enter long-term contracts with 
providers by enabling a multi-year contract to be counted toward the 
two contract minimum in each of the 24-month periods during which the 
contract was in effect. By deleting the words ``entered into,'' the 
text of the final rule more clearly reflects our original intent.
    We also provide clarification here, which we did not consider 
necessary to include in the rule text, regarding the obligations of a 
PSO. The certifications for initial listing regarding patient safety 
activities track the statute and require a PSO to have policies and 
procedures in place to perform patient safety activities. At continued 
listing, PSOs will be expected to have performed all eight patient 
safety activities. Some of the required patient safety activities must 
be performed at all times, such as utilizing qualified staff, having 
effective policies and systems to protect the security and 
confidentiality of patient safety work product when the PSO receives 
work product, undertaking efforts to improve the quality and safety of 
patient care, and developing and disseminating information to improve 
patient safety. Other required patient safety activities can only be 
performed when the PSO is working with a provider (such as providing 
feedback to participants in a patient safety evaluation system) and 
receiving patient safety work product from providers (such as 
utilization of patient safety work product to develop a culture of 
safety).
    The Department recognizes that, for any given contractual 
arrangement, providers, not PSOs, will determine the tasks PSOs 
undertake and for which they will be compensated. Therefore, our 
approach to assessing compliance will be as follows. If subject to a 
spot check for compliance, a PSO must be able to demonstrate that it 
has performed all eight patient safety work products at some point 
during its three-year period of listing. However, we will expect a PSO 
to demonstrate that it performs throughout its period of listing the 
patient safety activities that are not dependent upon a relationship 
with a provider or receipt of patient safety work product. We will 
expect compliance with the other patient safety activities consistent 
with the contracts or agreements that the PSO has with providers. A 
component PSO that is established by a health care provider, and for 
which the parent-provider organization is a primary client, would not 
be dependent on external contracts and would be expected to be in 
compliance with all eight patient safety activities during its entire 
period of listing.
    In response to commenters who sought clarification on what is meant 
by compliance with the two-contract requirement, we reaffirm that the 
statutory requirement is clear. There must be two written contracts; a 
single contract with multiple providers can only be counted as one 
contract. We interpret the requirement that the contracts must be with 
``different'' providers straight-forwardly. The only requirement is 
that the bona fide contracts must be with individuals or institutions 
that are providers as defined in the rule. We have imposed no other 
requirements; the contracts can be with an institutional provider and 
an individual clinician, or with two entities within the same or 
different system(s).
    After careful consideration of the comments we received, the 
Department has concluded that we will not incorporate an interpretation 
of the term ``each for a reasonable period of time'' regarding the 
required contracts. As we noted in the proposed rule, our intent in 
proposing to interpret the language was to give providers increased 
certainty that the listing of the PSO to which they are reporting data 
could not be challenged on the basis that its required contracts were 
not for a reasonable period of time. However, the provider community 
opposed interpreting the provision, fearing that it would limit their 
ability to customize contracts to meet their analytic needs and urged 
the Department to rely upon the marketplace to interpret this 
requirement. With no empirical basis for choosing one standard or one 
time frame over another, and given the inability to anticipate what 
types of contractual relationships will evolve under the final rule, 
the Department concluded that incorporating a standard at this time 
could have unintended negative consequences and has chosen not to do 
so. As a result, a PSO will be required to have two contracts in effect 
at some point during each 24-month reporting period established by the 
statute but the contracts are not required to cover a specific or 
minimum time period and they are not required to be in effect at the 
same time.
    While we received overwhelmingly favorable support for requiring 
compliance with the Secretary's guidance on common definitions and 
reporting formats (common formats) for the collection of patient safety 
work product, we recognize that the Department's efforts to develop

[[Page 70754]]

guidance will take time. We issued common formats in August 2008 
addressing all patient safety events in acute-care hospitals; AHRQ has 
made the common formats available on its Web site to facilitate their 
use by providers with varying levels of sophistication as well as by 
PSOs. The guidance will be expanded over time to other settings of 
care. Because we anticipate that some PSOs may choose to concentrate 
their work in areas for which guidance from the Secretary is not yet 
available, we have modified the text of the rule by incorporating a new 
paragraph (iii) that interprets compliance in the following way.
    At initial listing, the requirement will be interpreted as a 
commitment by the entity seeking listing to adopt the Secretary's 
recommended formats and definitions by the time it seeks continued 
listing ``to the extent practical and appropriate.'' During the initial 
three-year period of listing, AHRQ will not issue a preliminary finding 
of deficiency to any PSO that has not adopted the Secretary's 
recommended formats and definitions.
    At continued listing, a PSO will be required to: (1) Certify that 
the PSO is using the Secretary's guidance for common formats and 
definitions; (2) certify that the PSO is using an alternative system of 
formats and definitions that permits valid comparisons of similar cases 
among similar providers; or (3) provide a clear explanation for why it 
is not practical or appropriate for the PSO to comply with options (1) 
or (2) at this time. The Secretary will consider a PSO to be in 
compliance if it is using the Secretary's guidance, satisfactorily 
demonstrates that the alternative system it is using permits valid 
comparisons of similar cases among similar providers, or satisfactorily 
demonstrates why neither option is practical or appropriate at this 
time. An example of a satisfactory justification might be that the PSO 
specializes in analyses in a specific niche of health care delivery in 
which there remains significant controversy over relevant reporting 
formats and definitions and/or the Secretary has not recommended any 
relevant common formats or definitions. The Secretary, if he determines 
that the PSO is otherwise eligible for continued listing, but has not 
satisfactorily demonstrated that it meets one of the three requirements 
in Sec.  3.102(b)(2)(iii), may exercise his discretion to continue the 
listing of the PSO and use the process for correction of deficiencies 
in Sec.  3.108(a) to bring the PSO into compliance after its listing 
has been continued.
    We believe this approach effectively balances the statutory goal of 
promoting the ability to aggregate, and learn from, patient safety work 
product, while recognizing the statutory caveat that this requirement 
applies ``to the extent practical and appropriate.'' Our approach 
ensures that PSOs will take the requirement seriously and that a PSO's 
statement that it is not ``practical or appropriate'' to comply at this 
time is well-founded.
Response to Other Public Comments.
    Comment: Several commenters suggested that the final rule include a 
requirement that entities provide assurances that they are financially 
viable.
    Response: The Department has not adopted this proposal. We do not 
believe that assuring the financial viability of PSOs is either an 
authorized or an appropriate Federal task in carrying out the Patient 
Safety Act. The statutory framework leaves this inquiry and 
determination to prospective clients in the market for PSO services. 
PSOs will learn to address this concern routinely if required by 
providers to do so.
    Comment: One commenter suggested that the final rule include a 
provision to require PSOs to have policies and procedures in place to 
safeguard the privacy and confidentiality of a staff member of a PSO, 
who is identified in patient safety work product.
    Response: The Department agrees that PSOs should consider and 
address issues of confidentiality, including those of its workforce 
members. However, we do not believe it is appropriate or necessary to 
mandate how a PSO addresses this issue.
    Comment: Several commenters raised concerns regarding the statutory 
requirement that ``the mission and primary activity of a PSO must be to 
conduct activities that are to improve patient safety and the quality 
of health care delivery'' might make it difficult for existing 
organizations with multiple activities to qualify for listing. One 
commenter suggested that the requirement be altered so that the mission 
and primary activity ``includes'' quality improvement and patient 
safety. Questions were also raised whether organizations that currently 
undertake other activities such as provider education or other 
collections and analyses of clinical data to improve the quality, 
safety, and efficiency of health care would meet the requirement.
    Response: It is important to recognize that the language at issue 
was incorporated into the proposed rule directly from the statute. 
Accordingly, it has been retained. We note that this statutory language 
imposes a dual requirement: improvement of patient safety and the 
quality of health care delivery must be reflected in the entity's 
mission and this improvement activity must constitute the entity's 
primary activity. Since many organizations could reasonably claim that 
improvement of the quality of health care and patient safety are 
fundamental to their missions and even have these words in their 
mission statements, the critical and distinguishing requirement in this 
statutorily-based criterion is that such improvement activities must be 
the entity's primary activity.
    While we understand the rationale of the commenter--many of the 
organizations interested in becoming PSOs will have difficulty 
attesting that this is their primary activity--the Department does not 
have the authority to alter this statutory requirement by making 
improvement of health care delivery and patient safety one of any 
number of significant activities that an organization performs. The 
statute effectively recognizes this dilemma and provides an option in 
this situation. An entity can create a component organization, 
discussed in the next subsection, to seek listing. Such a new component 
created for this exclusive purpose or with this purpose as its primary 
activity would inherently meet this requirement.
    It is likely that some providers will find it more reassuring to 
work with a PSO that is focused solely on the statutorily mandated 
objectives. If an organization with other activities and personnel is 
listed in its entirety as a PSO, it can share a provider's identifiable 
patient safety work product throughout the legal entity, including with 
individuals who are not involved in the work of the PSO, without 
violating the disclosure restrictions of the statute and without 
triggering Federal enforcement action pursuant to subparts C and D of 
the rule. We expect many providers will prefer that their protected 
information be closely held. Thus, existing organizations have other 
reasons, in addition to the mission and primary activity criterion, to 
consider the option of establishing a PSO as a component organization.
    In response to an example posed in two separate comments, if an 
entity's primary activity is the collection and analysis of clinical 
data to improve the quality, safety, and efficiency, the Department 
would consider these activities consistent with the statutory 
requirement. Other situations may warrant discussion with AHRQ staff 
during the planning stage of a PSO or

[[Page 70755]]

at least before submitting certifications for listing. Another example 
posed by a commenter--an entity that provides general health education 
to providers--would appear to require further discussion. As presented, 
general health education would appear to have a link to, but an 
inadequate emphasis on, the analytic focus of a PSO's mandatory patient 
safety and quality improvement activities. The health education entity 
can certainly avail itself of the option to establish a component 
organization to seek listing.
    Comment: One commenter asked what is meant by the concept of 
carrying out patient safety activities. Does this mean that patient 
safety activities must be performed and, if so, when?
    Response: We note that this obligation rests with a PSO, not 
providers. The requirement means that a PSO must perform all eight 
patient safety activities during its period of listing. We clarify how 
the Department will assess PSO compliance with this requirement in the 
discussion of the final rule above.
    Comment: One commenter asked if a PSO could meet the minimum 
contract requirement by entering a contract with a 50-hospital system 
and one independent practitioner (either with a physician or nurse 
practitioner).
    Response: To meet the requirement, a PSO must have at least two 
contracts with different providers. In this case, a contract with a 
solo health care practitioner (such as a physician or a nurse 
practitioner) would meet the requirement for the second contract.
    Comment: One commenter asked if a contract between the parent of a 
health system and a PSO is tantamount to entering a contract with each 
provider that comprises the health system.
    Response: Such an arrangement does not meet the requirement; the 
requirement focuses on the number of contracts, not the number of 
providers that are involved with any contract. The rule, based on the 
terms of section 924(b)(1)(C) of the Public Health Service Act, 
requires two contracts.
    Comment: Can providers within the same system count as different 
providers for meeting the minimum contract requirement?
    Response: The answer to this question is yes if the PSO has 
separate contracts with at least two different providers. Whether the 
providers have a common organizational affiliation is not relevant. The 
only requirements are that the individuals or facilities must be 
providers as defined in Sec.  3.20 of the rule and that there are at 
least two contracts with different providers. Once again, the focus of 
the requirement is the number of contracts.
    Comment: A commenter asked if the establishment of a 
``relationship'' with a provider is sufficient to meet the minimum 
contract requirement.
    Response: No. The rule requires two bona fide contracts, as defined 
in section 3.20, meeting the requirements of the rule.
    Comment: One commenter expressed concern about the ability of his 
agency to meet the minimum contract requirement. His agency administers 
a public patient safety reporting system to which hospitals are 
required to report by state law. His concern was that the hospitals 
might see no need to enter contracts with his agency if it were listed 
as a PSO.
    Response: The modifications to the final rule in Sec.  
3.102(a)(2)(ii) preclude an entity that manages or operates a mandatory 
patient safety reporting system from seeking listing as a PSO.
    Comment: One commenter urged that the final rule not marginalize 
State mandatory reporting systems through the separation of provider 
reporting to PSOs. The commenter recommended that the final rule permit 
States to become listed as PSOs or enter into collaborative 
arrangements with PSOs to share data and staff.
    Response: While we believe that an entity that operates a Federal, 
state, local, or Tribal mandatory patient safety reporting system 
should not be listed as a PSO, the rule does permit a component of such 
an entity to seek listing. A PSO that is a component of an excluded 
entity is prohibited from sharing staff with the excluded entity and 
has limitations on its ability to contract with such a parent 
organization (see Sec.  3.102(c)(4)). However, the component PSO could 
enter into some types of limited collaboration with an excluded entity. 
For example, a PSO may accept additional data from an excluded entity 
for inclusion in its analyses with the understanding that the PSO may 
only share its findings pursuant to one of the permissible disclosures 
in Subpart C, e.g., if the findings are made non-identifiable. In 
addition, other PSOs similarly may share their nonidentifiable findings 
with mandatory state patient safety reporting systems and to the extent 
permitted by state law the state systems might give data to completely 
separate PSOs for analysis and reports in nonidentifiable terms.
    Comment: Several commenters suggested that excluded entities might 
become members of a PSO as long as they were not vertically linked to 
the PSO, although they did not explain what they meant by the term, 
members.
    Response: It is not clear what the commenters mean by a ``member'' 
of a PSO in this context. To the extent that the comments are referring 
to a possible joint venture that creates a PSO, there are few 
productive roles that an excluded entity could play. Such excluded 
entities could not have or exercise any level of control over the 
activities or operation of a PSO. Thus, they could not have access to 
patient safety work product. As a result, the potential for involvement 
of an excluded entity with a PSO would be very limited.
    We note, however, that a component of an entity excluded by Sec.  
3.102(a)(2)(ii) can seek listing. These types of component 
organizations must meet additional requirements set forth in Sec.  
3.102(c)(1).
    Comment: One commenter requested clarification regarding the 
required patient safety activity to provide feedback and assistance to 
providers to effectively minimize patient risk.
    Response: We recognize that the performance of some patient safety 
activities will be dependent upon a PSO's arrangements with its 
clients. As we noted in our discussion of the final rule, we will 
interpret a PSO to be in compliance with this requirement if the 
feedback and assistance is performed at some point during the PSO's 
period of listing.
    Comment: Two commenters pointed to the importance of the use of 
contracted staff to enable a PSO to carry out its duties, especially in 
rural or low population density areas. In such circumstances, a PSO 
needs to draw upon competencies and skills as needed and asked that we 
clarify that such contractors, whether paid or volunteer, could enable 
a PSO to meet the qualified staff requirement.
    Response: The Department assumes that many PSOs, especially 
component PSOs, will use a mix of full-time personnel and individuals 
from whom they seek services as needed, whether paid or on a volunteer 
or shared basis. That is why we have incorporated a broad definition of 
``workforce'' in the rule that encompasses employees, volunteers, 
trainees, contractors, and other persons whether or not they are paid 
by the PSO. As defined in this rule, workforce refers to persons whose 
performance of activities for the PSO is under the direct control of 
the PSO. In addition, however, a PSO is free to enter contracts for 
specific or specialized services, subject to other requirements of the 
rule.

[[Page 70756]]

(C) Section 3.102(c)--Additional Certifications Required of Component 
Organizations
    Proposed Rule: Along with the 15 requirements under subsection (b) 
that all PSOs would have to meet, Sec.  3.102(c) of the proposed rule 
would require an entity that is a component of another organization to 
make three additional certifications regarding: (1) The secure 
maintenance of patient safety work product separate from the rest of 
the organization(s) of which it is a part; (2) the avoidance of 
unauthorized disclosures of patient safety work product to the rest of 
the organization(s) of which it is a part; and (3) the mission of the 
component organization not creating a conflict of interest with the 
rest of the organization(s) of which it is a part.
    We proposed two additional requirements that would interpret these 
statutory provisions: (1) A component PSO could not have a shared 
information system with the rest of the organization(s) of which it is 
a part; and (2) the workforce of the component PSO could not engage in 
work for the rest of the organization(s) if such work could be informed 
or influenced by the individual's knowledge of identifiable patient 
safety work product (except if the work for the rest of the 
organization is solely the provision of patient care). The proposed 
rule did not propose an interpretation, but sought public comment, on 
the requirement that a component organization not create a conflict of 
interest with the rest of the organization(s) of which it is a part.
    We proposed, and sought comment on, a limited option for a 
component PSO to take advantage of the expertise of the rest of its 
parent organization(s) to assist the PSO in carrying out patient safety 
activities. Under this proposal, a component PSO could enter into a 
written agreement with individuals or units of the rest of the 
organization involving the use of patient safety work product, subject 
to specified requirements.
    Overview of Public Comments: Numerous commenters strongly disagreed 
with the Department's proposal that PSOs must maintain separate 
information systems. These commenters argued that it would impose a 
tremendous financial and administrative burden to establish separate 
information systems. A number of commenters suggested alternative 
approaches that could achieve the same goal. For example, one commenter 
recommended that HHS adopt a non-directive concept of functional 
separation and require PSOs to submit with their certifications for 
listing a description of how they intend to meet the requirement for 
technological and other controls to ensure that there is an effective 
protection against inappropriate access to the patient safety work 
product held by the component PSO.
    There was significant concern with the proposal to limit the 
sharing of employees between the parent organization(s) and the 
component PSO if the employee's work could be informed by knowledge of 
a provider's identifiable patient safety work product. Some commenters 
argued that the prohibition was too broad, that it should be narrowed, 
or that the standard was too vague and had the potential for creating 
confusion. A number of commenters recognized the merits of the intended 
prohibition but thought that the proposed rule's formulation was so 
vague that it might limit the ability of any physician in an academic 
health center to assist the component PSO if the physician supervised 
and evaluated interns and residents during their training, presuming 
this to be an unintended result.
    Several alternative approaches were suggested, including: (1) Limit 
the prohibition to staff in the parent organization who would use 
patient safety work product for non-patient safety activities; (2) 
obtain pledges by staff not to use patient safety work product for 
``facility administrative functions;'' (3) limit the prohibition to 
persons with disciplinary/credentialing functions; (4) require 
management staff to sign agreements not to use patient safety work 
product in hiring/firing, credential/privilege decisions; and (5) 
permit shared staff for specific types of entities, such as state 
hospital associations, but not others.
    Our proposal to provide a limited option for a component PSO to 
draw upon the expertise of its parent organization(s) to assist the PSO 
in carrying out patient safety activities was well received. Most 
commenters were supportive of the flexibility provided by this 
provision although one commenter suggested deleting it. Several 
commenters stressed that a ``substantial firewall'' should be 
maintained and that such contracting should only be allowed ``for 
clearly defined and limited staff services.'' One commenter urged that 
such contracts or agreements should be submitted to the Secretary in 
advance so that they ``can be scrutinized by HHS to assess whether 
confidentiality or privilege protections can practically remain 
intact.''
    In our discussion regarding entities excluded from listing in Sec.  
3.102(a)(2)(ii), we noted that a number of commenters that supported 
permitting components of such entities to seek listing, suggested, 
nevertheless, that we establish additional limitations and 
requirements. Their suggestions included requiring that such a 
component organization seeking listing must: Specifically identify its 
parent organization as a regulator and specify the scope of the parent 
organization's regulatory authority; submit to the Secretary 
attestations from providers choosing to report to the PSO that they 
have been informed of the scope of regulatory authority of the parent 
organization; and provide assurances to the Secretary that the parent 
organization has no policies that compel providers to report patient 
safety work product to its component PSO. They also suggested such a 
PSO not be permitted to share staff with the parent organization and 
not be able to take advantage of the proposed limited provision that 
would permit a component PSO to contract with its parent organization 
for assistance in the review of patient safety work product.
    The proposed rule did not propose an interpretation but sought 
comment on the circumstances under which the mission of a component PSO 
could create a conflict of interest for the rest of the parent 
organization(s) of which it is a part. The recommendations of 
commenters reflected a variety of perspectives: One view was that the 
rule should not adopt a general standard; a component organization 
should disclose what it believes may be its conflicts and that this 
disclosure should be deemed sufficient to have cured the conflict; 
another said the Department should undertake case-by-case analysis; and 
a third suggested the Department should adopt guidance, not regulatory 
language.
    Another commenter wrote that there could be no conflict of interest 
if the parent organization is a provider; others suggested that certain 
types of parent organizations posed conflicts of interest, such as when 
the parent organization is an investor-owned hospital or if there are 
certain legal relationships which providers have with a parent 
organization or its subsidiaries. Similarly, one commenter suggested 
that not-for-profit status of a PSO should be an indicator that there 
is no conflict of interest. In a parallel vein, another commenter 
argued that if the PSO could use or sell its information for commercial 
gain, this was a conflict. This commenter also argued that if a PSO 
could be used to create an oasis solely for protection of information 
reported by the system that created it, this represented a conflict; 
the

[[Page 70757]]

information held by a PSO must be made available at minimal or no cost 
for further aggregation. Another commenter suggested that a component 
PSO should never evaluate patient safety work product of an affiliated 
organization; if it does so, this creates a conflict-of-interest.
    Finally, several commenters also suggested that there must be no 
conflict between patient safety work product and non-patient safety 
work product functions. A similar comment from another entity argued 
that a PSO must certify that members of the component PSO workforce are 
not engaged in work for the parent organization that conflicts with the 
mission of the PSO.
    Final Rule: After careful consideration of the extensive number of 
comments received regarding component organizations, the Department has 
modified and restructured the text for Sec.  3.102(c) in the following 
ways.
    We have restructured Sec.  3.102(c) into four separate paragraphs. 
New Sec.  3.102(c)(1)(i) lists the provisions with which different 
component organizations must comply. This subparagraph sets forth the 
requirements that all component organizations must meet. The language 
of this subparagraph is retained from the proposed rule but includes a 
requirement that all component organizations must submit with their 
certifications contact information for their parent organization(s) and 
provide an update to the Secretary in a timely manner if the 
information changes. This requirement was proposed in the preamble but 
was not incorporated in the text of the proposed rule. Many of the 
commenters noted the importance to providers of having information 
regarding the parent organization of a component PSO and, therefore, we 
have incorporated the provision.
    New Sec.  3.102(c)(1)(ii) outlines the requirements for components 
of entities excluded from listing under Sec.  3.102(a)(2)(ii) of this 
section. These components must meet the requirements for all component 
PSOs in Sec.  3.102(c)(1)(i) as well as submit the additional 
certifications and information and adhere to the further limitations 
set forth in Sec.  3.102(c)(4) that are discussed below.
    New Sec.  3.102(c)(2) restates the three additional statutory 
certifications that must be made by all component organizations seeking 
listing. We have deleted two requirements for component entities from 
the text of the proposed rule that were intended to interpret these 
statutory requirements: the requirement for separate information 
systems and the restriction on the use of shared staff. The final rule 
does not impose these proposed requirements on most component 
organizations. However, as discussed below regarding Sec.  3.102(c)(4), 
we have retained the prohibition on shared staff only with respect to 
components of entities that are excluded from listing and, for such 
component PSOs, narrowed the circumstances when contracting with a 
parent organization is permissible only with respect to components of 
entities that are excluded from listing.
    With respect to separate information systems, the Department has 
concluded, based upon the information that was included by commenters, 
that there are a number of cost-effective alternatives for achieving 
the statutory goal of separate maintenance of patient safety work 
product. Accordingly, we have included new language that requires a 
component PSO to ensure that the information system in which patient 
safety work product is maintained must not permit unauthorized access 
by any individuals in, or units of, the rest of the parent 
organization(s) of which it is a part.
    Similarly, after careful consideration of the comments, we have 
eliminated the proposed restriction on the use of shared staff for most 
component PSOs. The Department has concluded that there are significant 
incentives for component PSOs and parent organizations to be very 
cautious in their use of shared personnel, protecting against 
inappropriate disclosures, and the disclosure of patient safety work 
product. A number of commenters appeared to appreciate the importance 
of maintaining separation between their patient safety activities and 
internal disciplinary, privileges, and credentialing decisions, which 
were the focus of our concern.
    Our review has led us to conclude that the potential negative 
consequences for providers, independent of any fear of Department 
action, lessens the need for the rule to address this issue. For 
example, institutional providers are likely to find it difficult to 
develop robust reporting systems if the clinicians on their staff learn 
or even suspect that the same individuals involved in analysis of 
patient safety work product play key roles in administrative decisions 
that can lead to adverse personnel decisions. This may lead to 
decreased reporting of patient safety events. The suspicion of 
contamination between the processes could also provide a new basis for 
challenging adverse employment actions, which could require providers 
to prove that their actions were not influenced by inappropriate use of 
patient safety work product. Finally, there is the right of action that 
the statute grants to individual providers who believe and allege that 
their employer took an adverse employment action against them based 
upon their providing information to the employer's patient safety 
evaluation system for reporting to the PSO or based upon their 
providing information directly to the PSO. Given the importance to 
providers of maintaining protections for their work product, we 
conclude that it is unlikely that a parent organization will 
intentionally jeopardize those protections. Therefore, we have 
eliminated the proposed restriction on the use of shared staff, except 
for components of entities excluded from listing as discussed below 
regarding Sec.  3.102(c)(4). In its place, we have restated the 
statutory requirement that the component organization (and its 
workforce and contractors) may not make unauthorized disclosures to the 
rest of the organization(s) of which the PSO is a part.
    We have retained without change in Sec.  3.102(c)(2)(iii) the 
proposed rule text prohibiting the pursuit of the mission of the PSO 
from creating a conflict of interest with the rest of the 
organization(s) of which it is a part. To the extent that individuals 
or units of the rest of the parent organization(s) have obligations and 
responsibilities that are inconsistent with the ``culture of safety'' 
that the statute seeks to foster, a component PSO could create a 
conflict of interest by sharing identifiable patient safety work 
product with them as shared staff or under a written agreement pursuant 
to Sec.  3.102(c)(3), discussed below. On the other hand, the component 
PSO could draw upon the expertise of these same individuals in other 
capacities in which identifiable work product is not shared and, 
thereby, avoid creating conflicts of interest. Thus, we would interpret 
permitting the creation of conflicting situations for staff or units of 
the parent organization(s) as inconsistent with a component PSO's 
attestation.
    Section 3.102(c)(3) retains without substantive change the 
provision in the proposed rule to enable a component PSO, within 
limits, to take advantage of the expertise of the rest of the 
organization of which it is part. In response to concerns expressed by 
some commenters, we stress the statutory requirement for the PSO to 
maintain patient safety work product separately from the rest of the 
organization. In such circumstances, it cannot be transferred to 
individuals or units of the rest of the organization except as 
permitted by the rule. As a practical matter, if the parent

[[Page 70758]]

organization is a provider organization and the component PSO is 
evaluating the parent organization's data, the parent-provider is 
likely to have a copy of all of the data transmitted to the component 
PSO.
    We do not dismiss the concerns of commenters that this contracting 
authority could be used inappropriately. We remind each component PSO 
that the statute requires it to maintain patient safety work product 
separately from the rest of the organization(s) of which the component 
PSO is a part and prohibits unauthorized disclosures to the rest of the 
organization(s) of which they are a part. Therefore, it may not be 
appropriate for its parent organization to serve as its main provider 
of analytic or data services if such arrangements would effectively 
confound statutory intent for a firewall between a component PSO and 
the rest of the organization(s) of which it is a part. The flexibility 
provided by the rule to use in-house expertise is intended to 
supplement, not replace, the PSO's authority to contract with external 
expert individuals and organizations.
    Section 3.102(c)(4) incorporates new requirements, drawn from our 
review of public comments, that only apply to organizations that are 
components of entities excluded from listing under Sec.  
3.102(a)(2)(ii). Thus, these component organizations have three sets of 
requirements to meet: The 15 general certification requirements in 
Sec. Sec.  3.102(b)(1) and 3.102 (b)(2); the requirements that all 
component PSOs must meet in Sec. Sec.  3.102(c)(1)(i) and 3.102(c)(2); 
and the requirements that are established by Sec.  3.102(c)(4).
    Section 3.102(c)(4) establishes a requirement for additional 
information and certifications that must be submitted with the 
component organization's certifications for listing and it establishes 
two additional restrictions with which a component organization must 
comply during its period of listing. The additional information and 
certifications require a component PSO of an entity described in Sec.  
3.102(a)(2)(ii) to:
    1. Describe the parent organization's role, and the scope of the 
parent organization's authority, with respect to the activities which 
are the basis of the parent organization's exclusion from being listed 
under Sec.  3.102(a)(2)(ii).
    2. Certify that the parent organization has no policies or 
procedures that would require or induce providers to report patient 
safety work product to the component organization once it is listed as 
a PSO, and affirm that the component PSO will notify the Secretary if 
the parent organization takes any such actions during its period of 
listing. An example of an inducement would be if a parent organization 
that accredited or licensed providers awarded special scoring 
consideration to providers reporting to the parent organization's 
component PSO; additional scoring consideration for reporting to any 
PSO, by contrast, would not violate this restriction.
    3. Certify that the component PSO will include information on its 
website and in any promotional materials for providers describing the 
activities which were the basis of the parent organization's exclusion 
under Sec.  3.102(a)(2)(ii).
    We have incorporated these additional requirements for information 
and attestations to address widespread concerns among commenters that 
an excluded parent organization might attempt to compel providers to 
report data to its component PSO and circumvent the firewalls for 
access to that data. These extra requirements for such component PSOs 
will strengthen transparency and the additional statements submitted 
with the component organization's certifications will be posted on the 
AHRQ PSO Web site along with all its other certifications. Our intent 
is to ensure that such a component organization's website and its 
promotional materials for providers will inform providers regarding the 
nature and role of its parent organization. The rule is emphatically 
clear that the Department will take prompt action to revoke and delist 
a component organization whose excluded parent organization attempts to 
compel providers to report data to its component PSO. New Sec.  
3.108(e)(1) lists specific circumstances, including this situation, in 
which revocation and delisting will take place on an expedited basis.
    During its period of listing, the final rule also prohibits a PSO 
that is a component organization of an entity excluded from listing to 
share staff with the rest of the organization(s) of which it is a part. 
Such a component PSO may enter into contracts or written agreements 
with the rest of the organization(s) under the authority provided to 
all component PSOs by Sec.  3.102(c)(3) but with one additional 
limitation. Such contracts or written agreements are limited to units 
or individuals of the parent organization(s) whose responsibilities do 
not involve the activities that are the basis of the parent 
organization's exclusion under Sec.  3.102(a)(2)(ii). If the parent 
organization's sole activity is the reason for its exclusion, the 
component organization could never enter a contract or written 
agreement to have staff from the rest of the organization assist the 
PSO in carrying out patient safety activities. If the parent 
organization engages in a mix of activities, some of which are not a 
basis for exclusion from listing, the component organization will be 
able to take advantage of this contracting option, subject to our 
caveat above.
Response to Other Public Comments
    Comment: One commenter asked us to confirm that component PSOs can 
maintain patient safety work product behind secure firewalls using 
existing information systems.
    Response: The modifications we have adopted and discussed above 
means that the final rule permits this approach.
    Comment: Several commenters suggested that it was unrealistic for 
the component PSO to maintain patient safety work product separately 
from its parent organization if the parent organization is a provider 
reporting data to the component PSO.
    Response: The Patient Safety Act requires a component PSO maintain 
patient safety work product separately from the rest of the 
organization(s) of which it is a part; therefore, we cannot remove the 
restriction. While contracts between a PSO and a provider are likely to 
address the extent to which a provider has access to information held 
by a PSO, we caution contracting parties to be mindful of this 
statutory restriction in crafting their contracts. The requirement for 
separation does not mean that the component organization cannot share 
information with a parent organization but any sharing must be 
consistent with the permissible disclosures of this rule.
(D) Section 3.102(d) Required Notifications
(1) Section 3.102(d)(1)--Notification Regarding PSO Compliance With 
Minimum Contract Requirement
    Proposed Rule: Section 3.102(d)(1) of the proposed rule would 
require PSOs to attest within every 24-month period, beginning with its 
initial date of listing, that the PSO has met the two-contract 
requirement. We proposed to require notification of the Secretary 45 
days before the end of the applicable 24-month period. Early 
notification would enable the Department to meet another statutory 
requirement to provide PSOs with an opportunity to correct a 
deficiency. If the requirement is not yet met, this would enable the 
Secretary to establish an opportunity for correction that ends at 
midnight on the last day of the 24-month period.

[[Page 70759]]

    Overview of Public Comments: The comments we received endorsed our 
proposed approach. One commenter suggested we should consider requiring 
notification 60 days in advance.
    Final Rule: We expect that, in most circumstances, contracts will 
be the primary source of revenue for PSOs. In light of the fact that 
only two contracts are required, we do not anticipate that many PSOs 
will reach this point in their period of listing without meeting the 
requirement. We have not accepted the recommendation to require 
notification sooner. The Department adopts the provision as recommended 
in the proposed rule without modification.
(2) Section 3.102(d)(2)--Notification Regarding a PSO's Relationships 
With Its Contracting Providers
    Proposed Rule: The proposed rule incorporated in Sec.  3.102(d)(2) 
the statutory requirement that a PSO would make disclosures to the 
Secretary regarding its relationship(s) with any provider(s) with whom 
the PSO enters a contract pursuant to the Patient Safety Act (Patient 
Safety Act contract). The statute requires PSOs to disclose whether a 
PSO has any financial, contractual, or reporting relationships with 
this contracting provider and, if applicable, whether the PSO is not 
managed, controlled, or operated independently of this contracting 
provider.
    The proposed rule noted that a PSO would need to make this 
assessment when it enters a contract with a provider and, if 
disclosures are required, submit a disclosure statement within 45 days 
of the effective date of the contract. If relationships arise during 
the contract period, submission would be required within 45 days of the 
date the relationships are established.
    The proposed rule would have provided guidance on our 
interpretation of financial, contractual, and reporting relationships 
and emphasized that the statute required a PSO to ``fully disclose'' 
the relationships. We noted that disclosure would be required only when 
the PSO entered a Patient Safety Act contract with a provider and there 
were relationships that required disclosure. We also encouraged, but 
did not require, PSOs to list any agreements, stipulations, or 
procedural safeguards that might offset the influence of the provider 
and that might protect the ability of the PSO to operate independently.
    Overview of Public Comments: Commenters expressed concern that the 
proposed rule was not sufficiently specific with respect to the 
required disclosure statements. They suggested that the emphasis in the 
proposed rule on the statutory requirement for full disclosure, without 
a corresponding discussion of the parameters for the contents and level 
of detail of the statements, raised the prospect that PSOs would feel 
compelled to develop disproportionately detailed information that might 
not be germane. One commenter suggested what was most important is 
awareness of the fundamental relationship(s) that exist, not the 
specific details, suggesting that if the provider in question is the 
parent entity of the PSO, it should be sufficient to know that the 
parent-provider is the source of financial support to the PSO, employs 
its workforce, and provides management to its activities.
    In addition, there was concern that since the disclosure statements 
are going to be made public, detailed submissions regarding the 
financial and contractual obligations would make it difficult to 
maintain the confidentiality of potentially sensitive business 
information. Several commenters noted that it is not unusual for 
certain types of contractual work with commercially sensitive 
implications to include confidentiality agreements and one commenter 
suggested that the process permit a PSO to request that the Secretary 
not disclose specific information under certain circumstances.
    A number of commenters expressed concern about the potential 
unintended consequences of disclosure, especially with respect to the 
identity of providers. One commenter raised concern that the 
requirement would lead to ``differential'' disclosure, by which the 
commenter meant that, of the total number of providers with which a PSO 
enters contracts, only those with other relationships would have their 
names disclosed and the other providers would not have their names made 
known through the proposed public release of disclosure statements by 
the Secretary.
    Final Rule: After careful review of the comments, the Department 
has reconsidered its approach to this disclosure requirement and has 
made modifications to the text that are incorporated in the final rule. 
Based upon this review, we have shifted the emphasis of the term 
``fully disclose'' from stressing the level of detail that a PSO must 
provide in describing each of the other types of relationships (listed 
below) that the PSO has with a contracting provider to an emphasis on 
requiring that the PSO disclose clearly and concisely every 
relationship that requires disclosure. This shift in emphasis remains 
consistent with our overall emphasis on transparency; without being 
burdensome, it enables both the Secretary and providers considering 
contracts with a PSO to request additional information regarding any 
relationships of concern. We have adopted a clearer and narrower 
interpretation of the disclosures of relationships that must be made in 
view of concerns expressed by commenters about the scope of the 
required reports. In response to requests for more guidance on the 
required submissions, this final rule calls for a two-part disclosure 
statement and describes what must be included in each part.
    These modifications to the final rule reflect several 
considerations. The Department has concluded that the Patient Safety 
Act does not provide incentives for a provider to control or manipulate 
the findings of a PSO with respect to its own patient safety 
information. A PSO's conclusions and recommendations are patient safety 
work product and, whether the PSO is critical or complimentary of the 
provider or the provider agrees or disagrees with the PSO, the PSO 
analysis and guidance remains confidential and privileged under the 
Act, which means that there are constraints on the ability of a 
provider to disclose the PSO's conclusions and recommendations. Even 
when they can be disclosed, calling the public's attention to positive 
findings is likely to engender scrutiny of the extent to which the 
provider's relationship with its PSO is truly an arms-length 
relationship. In sum, providers have little to gain under the statute's 
framework from attempting to control or manipulate the analyses and 
findings of a PSO.
    At the same time, the Department expects the statutory disclosure 
requirements, coupled with public release of disclosure statements and 
the Secretary's findings as provided by Sec.  3.104(b), will provide 
important and useful information to providers seeking to contract with 
a PSO. As we pointed out in the proposed rule, a provider seeking to 
contract with a PSO will have its own standards for what other PSO 
relationships it considers to be acceptable. Therefore, the submission 
and public release of this information should improve the efficiency of 
the search process by providers.
    In light of these considerations, the Department has determined 
that the most appropriate interpretation of the statutory requirement 
to ``fully disclose'' other relationships is to emphasize the need to 
require the disclosure of every pertinent relationship specified by the 
statute. Providers that are considering entering a contract with a PSO 
can determine for themselves if any

[[Page 70760]]

disclosed relationships pose concerns. If so, they can then request 
further detailed information as they see fit. This approach has the 
further benefit of limiting the potential for inappropriate release of 
proprietary or commercial information, another matter of concern to 
commenters. The Department will protect confidential commercial 
information as permitted by the Freedom of Information Act and in 
accordance with 18 U.S.C. 1905.
    Thus, in making his required determination, the Secretary will both 
give great weight to, and hold a PSO accountable for, its attestation 
that it will fully disclose all relationships required to be reported 
and whether the PSO's operations, management, and control are not 
independent of any provider with whom it has entered a Patient Safety 
Act contract. The Secretary retains the authority to require an entity 
to provide more detailed information if necessary to make his required 
determination under 42 U.S.C. 299b-24(c)(3) regarding the ability of 
the PSO to fairly and accurately perform its patient safety activities 
in light of any reported relationships.
    The final rule retains the general framework of the proposed rule 
for a PSO to use in determining when a disclosure statement must be 
submitted. The two thresholds remain unchanged. The disclosure 
requirement only applies when a PSO has entered a contract that 
provides the protections of the Patient Safety Act, i.e., a Patient 
Safety Act contract, and the PSO has other relationships with that 
contracting provider of the types specified below. A disclosure 
statement is not required if the PSO has a Patient Safety contract with 
a provider and the relationships described below are not present, nor 
is a disclosure statement required if the relationships are present but 
there is no Patient Safety Act contract.
    We have restructured the text in the final rule. There are now 
three paragraphs: A restatement of the requirement in paragraph (i), a 
description of the required content of a disclosure statement in 
paragraph (ii), and the deadlines for submission of disclosure 
statements set forth in paragraph (iii).
    Section 3.102(d)(2)(i) contains the following substantive changes. 
Compared with the requirements of the proposed rule, this paragraph 
eliminates the need to submit a disclosure statement if the PSO's only 
other relationships with this contracting provider are limited to 
Patient Safety Act contracts.
    In response to commenters' questions and concerns, we have modified 
the text describing the statutory list of disclosures: contractual, 
financial, and reporting relationships are incorporated in 
subparagraphs (A)-(C) and control, management, and operation of the 
PSO, independent from the provider, is incorporated in subparagraph 
(D). We have narrowed the language in paragraphs (A)-(C) by limiting 
the required disclosures to current contractual, financial, and 
reporting relationships and restating the requirements to emphasize 
that disclosure is only required for relationships other than those in 
Patient Safety Act contract(s). We have restated and streamlined the 
language of subparagraph (A) to emphasize contracts and arrangements 
that impose obligations on the PSO.
    We have retained the substantive requirements for financial 
relationships. Based upon comments received, we have determined that if 
the PSO is a membership organization, the Department does not consider 
dues or other assessments applied to all members to constitute a 
financial relationship for this purpose. The rule narrows the scope of 
subparagraph (C), where the text narrows the definition of reporting 
relationships to those in which this contracting provider has access to 
information about the work and internal operation of the PSO that is 
not available to other contracting providers. By focusing on this 
particular aspect of reporting relationships, we have tried to make 
plain that it is not our intent to collect information regarding the 
multiple ordinary types of reporting relationships that exist routinely 
between contracting parties. We have made the requirement narrower both 
for clarity and simplicity. The deleted reference to control is 
addressed by subparagraph (D), which we have narrowed to simply restate 
the statutory language on what must be disclosed or reported regarding 
management, control, and operation independent of the contracting 
provider. We deleted the language requiring a PSO to assess whether any 
of the relationships in what is now subparagraph (D) might impair its 
ability to perform patient safety activities fairly and accurately 
because PSOs will now address these issues in the required narrative 
that comprises the second part of the disclosure statement, described 
below.
    New Sec.  3.102(d)(2)(ii) specifies the two required parts of a 
disclosure statement. The first part must disclose in summary form 
succinct descriptions of all of the obligations that the PSO has with 
this provider. The second part must be a related short narrative (we 
recommend no more than 1,000 words) that addresses the issues described 
below and is intended to explain the measures taken by the PSO to 
assure that its analyses and findings are fair and accurate.
    We use the term ``obligations''--rather than the statutory term 
``relationships''--in Sec.  3.102(d)(2)(ii) of the rule for the 
following reason. If a PSO has multiple relationships with a provider, 
many of these relationships are likely to be both contractual and 
financial (and may involve other relationships for which the statute 
requires disclosure). A disclosure statement that was organized by the 
four types of relationships that require disclosure (subparagraphs (A)-
(D) discussed above) would be confusing and difficult to interpret 
since items in different categories would be related. For example, if 
the PSO already has a contract with a provider to render a service for 
which it is paid, we do not see the benefit of having the contract 
listed in one reporting category and the financial relationship in 
another reporting category since they are clearly related.
    Therefore, in drafting the required disclosure statement, a PSO 
should address the four statutorily-required disclosures discussed 
above as aspects of the separate obligations or arrangements that exist 
between a PSO and the provider with which the PSO is entering or has a 
Patient Safety Act contract. A PSO should focus on clarity and brevity 
in explaining each obligation in a single paragraph: A sentence or two 
describing the nature of the obligation, and the remainder of the 
paragraph should address each of the four required disclosures that are 
present and specifically note any of the four that are not.
    As we use the term, an obligation is not limited to services that a 
PSO renders to a provider (such as developing information and 
undertaking analyses or providing a service or technical assistance). 
An obligation could also reflect a PSO's relationship with an investor 
or owner and any arrangement that affects the PSO's independence or 
involves any of the statutorily-required disclosures described above. 
In developing its list, a PSO should not combine separate and distinct 
obligations such as more than one contract, nor should it disaggregate 
a single obligation. For example, if a PSO undertakes technology 
assessments and has three separate contracts for different assessments, 
these would be three separate obligations and should be reported 
separately. On the other hand, an obligation that has more than one

[[Page 70761]]

task, such as providing assistance in implementing and evaluating a 
process improvement, should only be listed once; we are not suggesting 
that PSOs report separately on the different elements of a single 
unified project.
    To apply these concepts, consider a hospital that was one of five 
hospitals that invested in the creation of a PSO and the hospital 
subsequently enters a Patient Safety Act contract with the PSO. If this 
investment is the only obligation other than the Patient Safety Act 
contract that exists between the PSO and the provider, the PSO's 
disclosure statement would include only one obligation and it could be 
described in a single paragraph. Within that paragraph, the PSO should 
systematically address the required statutory disclosures or note that 
they are not present. In addressing financial relationships, the PSO 
should not include the amount of the investment or specific terms. In 
this case, the required paragraph would describe the essential nature 
of the financial relationship, e.g., it is a loan requiring repayment 
over X years; it is a long-term investment requiring the payment of 
dividends, etc., whether it was formalized by a contract, whether a 
reporting relationship exists, e.g., the provider has access to 
internal quarterly financial statements not available to other 
providers, and whether the obligation gives the provider any ability to 
control or manage the PSO's operations, e.g., the provider has a seat 
on the board or review or veto authority over new clients, specific 
contracts, budgets, staff hiring, etc.
    If the PSO is a subsidiary of a health system, the paragraph could 
indicate that PSO is a subsidiary of the provider, the provider is the 
primary source of revenue for the component PSO, the types of internal 
PSO information to which the provider has access, e.g., all financial, 
personnel, administrative internal information, and that the provider 
manages or controls (or has review and approval authority) of day-to-
day decision-making, hiring and firing decisions, etc. By incorporating 
the required statutory disclosures into a succinct discussion of the 
obligations that a PSO has with this provider, we anticipate that the 
descriptions will be more comprehensible.
    Part II of a disclosure statement must describe why or how the PSO, 
given the disclosures in part I, can fairly and accurately perform 
patient safety activities. The PSO must address: The policies and 
procedures that the PSO has in place to ensure adherence to 
professional analytic standards and objectivity in the analyses it 
undertakes; and any other policies, procedures, or agreements that 
ensure that the PSO can fairly and accurately perform patient safety 
activities.
    Section 3.102(d)(2)(iii) of the rule retains the deadlines for 
submission of disclosure statements that were included in the proposed 
rule.
Response to Other Public Comments
    Comment: One commenter asked that we exempt a PSO with fewer than 5 
clients from releasing the names of its clients.
    Response: We note that a PSO never has to reveal the names of its 
clients (providers) as long as the PSO does not have the other types of 
relationships described in this subsection with those providers. 
However, when such relationships are present, the statute does not 
provide authority for us to create such exceptions.
    Comment: One commenter asked that we clarify that the required 
disclosures can be made in a way that the PSO does not breach the 
confidentiality requirements that may be a part of another contractual 
arrangement with a contracting provider.
    Response: The Department cannot make a definitive statement that 
such confidentiality agreements can always be honored; this requires a 
case-by-case determination. A PSO is encouraged to discuss the issue 
with AHRQ staff before submitting a disclosure statement. As noted 
above, the agency's public disclosures are constrained by 18 U.S.C. 
1905, but agency officials have some discretion with respect to 
determining what information would be restricted under that statute. We 
note also that the agency has the discretion to deny Freedom of 
Information Act requests for information it regards as confidential 
commercial information (5 U.S.C. 552(b)(4)). Agency determinations will 
be assisted by explanations of what is viewed by a submitter as 
confidential commercial information and the reasons why that is the 
case.
    Comment: One commenter posed a series of questions related to an 
entity that seeks listing that receives general membership dues or 
assessments, i.e., whether such general dues or assessments would be 
considered financial relationships and, therefore, require the filing 
of disclosure statements. The commenter also asked if disclosure of 
such membership dues or assessments is required under any other section 
of the rule.
    Response: The Department has determined that membership dues or 
general assessments applied to all members do not constitute 
``financial relationships'' between a provider and a PSO. There is no 
other section of the rule that would require disclosure of membership 
dues or assessments. Before seeking listing, however, a membership 
organization should carefully assess whether it meets the statutory 
requirement that its primary activity must be the conduct of activities 
to improve patient safety and the quality of health care delivery.
2. Section 3.104--Secretarial Actions
(A) Section 3.104(a)--Actions in Response to Certification Submissions 
for Initial and Continued Listing as a PSO
    Proposed Rule: Section 3.104(a) described the actions that the 
Secretary could and will take in response to the certification material 
submitted for initial or continued listing as a PSO. We proposed that, 
in making a listing determination, the Secretary would consider the 
submitted certifications, issues related to the history of the entity, 
and any findings by the Secretary regarding disclosure statements. The 
proposed rule also included authority for the Secretary, under certain 
circumstances, to condition the listing of a PSO. We did not propose a 
deadline for Secretarial review of certifications submitted, but noted 
that we expect the Secretary to be able to conclude review within 30 
days of receipt unless additional information or assurances are 
required.
    Overview of Public Comments: We received several comments 
pertaining to this section. One comment endorsed the proposed 
provision. Another requested that we modify the rule to require 
Secretarial action within 60 days. A third commenter recommended that 
the Secretary establish timetables for all actions and opposed open-
ended timeframes.
    Final Rule: We have retained the text from the proposed rule with 
two modifications. The text of Sec.  3.104(a)(1)(iii) of the proposed 
rule stated that the Secretary may require conditions for listing as 
part of his review of disclosure statements submitted pursuant to Sec.  
3.102(d)(2); that text has been retained. We also noted in the preamble 
discussing proposed Sec.  3.104(a) that there may be certain 
circumstances in which the Secretary determines that it would not be 
prudent to rely solely on the certifications for listing submitted by 
an entity that was previously revoked and delisted for cause or 
previously refused listing by the Secretary. In such limited 
circumstances, we suggested the Secretary may seek additional

[[Page 70762]]

assurances from the PSO that would increase the Secretary's confidence 
that, despite the history of the entity and its officers and senior 
staff, the entity could now be relied upon to comply with its statutory 
and regulatory obligations. To reflect the potential need for 
assurances in such cases, and to better align the text with the 
preamble discussion of the proposed rule, we have modified the text of 
Sec.  3.104(a)(1)(iii) to permit the Secretary to condition the listing 
of a PSO in this limited circumstance to ensure that such a PSO honors 
the assurances it makes in seeking listing.
    The second change is a conforming modification to the basis for the 
Secretary's determination in Sec.  3.104(a)(2), which specifically 
recognizes the right of the Secretary to take into account any history 
of or current non-compliance with requirements of the rule by officials 
and senior managers of the entity. This change also mirrors the 
requirement in Sec.  3.102(a)(1) that entities seeking listing inform 
the Secretary if their officials or senior managers held comparable 
positions in a PSO that was delisted or with an entity that was denied 
listing by the Secretary.
    We have not accepted the commenter's recommendation to establish a 
regulatory deadline of 60 days for Secretarial action. This is a novel 
initiative and without a better sense of the potential issues that may 
arise, such as when a delisted PSO seeks a new listing, we are 
reluctant to circumscribe the flexibility that the statute and the 
proposed rule provided the Secretary. In addition, the statute requires 
an affirmative acceptance and listing action by the Secretary. Listing 
cannot occur as a result of any failure to meet a deadline. 
Accordingly, we have not adopted the recommendation.
(B) Section 3.104(b)--Actions Regarding PSO Compliance With the Minimum 
Contract Requirement
    Proposed Rule: Section 3.104(b) of the proposed rule stated that, 
after reviewing the required notification from a PSO regarding its 
compliance with the minimum contract requirement, the Secretary would, 
for a PSO that attests that it has met the requirement, would 
acknowledge in writing receipt of the attestation and include 
information on the list of PSOs. If the PSO notifies the Secretary that 
it has not yet met the requirement, or if notification is not received 
from the PSO by the required date, the proposed rule stated that the 
Secretary would promptly issue a notice of a preliminary finding of 
deficiency and provide the PSO an opportunity for correction that will 
extend no later than midnight of the last day of its applicable 24-
month assessment period. If the Secretary verifies that the PSO has not 
met the requirement by the last day of the 24-month period, he would 
issue a notice of proposed revocation and delisting.
    Overview of Public Comments: We received no comments on this 
subsection.
    Final Rule: The final rule incorporates the substance of the NPRM 
text without modification but restructures the text for clarity. The 
restructured text clarifies that the Secretary will only issue a notice 
of a preliminary finding of deficiency after the date on which a PSO's 
notification to the Secretary is required by Sec.  3.102(d)(1).
(C) Section 3.104(c)--Actions Regarding Required Disclosures by PSOs of 
Relationships With Contracting Providers
    Proposed Rule: Section 3.104(c) of the proposed rule stated that 
the Secretary would evaluate a disclosure statement submitted by a PSO 
regarding its relationships with contracting providers by considering 
the nature, significance, and duration of the relationships between the 
PSO and the contracting provider. We sought public comment on other 
appropriate factors to consider. The statute requires disclosure of the 
Secretary's findings, and we proposed public release, consistent with 
the Freedom of Information Act and 18 U.S.C. 1905, of PSO disclosure 
statements as well.
    This proposed section also listed the statutorily permissible 
actions that the Secretary could take following his review: Conclude 
that the disclosed relationships require no action on his part or, 
depending on whether the entity is listed or seeking listing, condition 
his listing of the PSO, exercise his authority to refuse to list, or 
exercise his authority to revoke the listing of the entity. The 
Secretary would notify each entity of his findings and decisions.
    Overview of Public Comments: One commenter suggested that our 
proposal that the Secretary consider the nature, significance, and 
duration of the relationship in evaluating the relationships had no 
statutory foundation. Another commenter suggested that we take into 
account corrective action. Several commenters proposed that we rely 
upon the inter-agency work group that is assisting AHRQ in developing 
common formats and definitions for reporting patient safety work 
product to assist in developing disclosure statements. One commenter 
suggested that we create a ``safe harbor'' for multi-hospital parent 
organization systems that contract with a PSO on behalf of some or all 
of its hospitals so that a disclosure statement would not be required, 
deeming that the component PSO of a multi-hospital organization can 
perform patient safety activities fairly and accurately. Another 
suggestion was that the Secretary should adopt a standard requiring 
that there be no conflicts of interests.
    Final Rule: We have retained much of the text from the proposed 
rule but have modified the paragraph setting forth the basis for the 
Secretary's findings regarding disclosure statements. In light of the 
comments, we have deleted the reference to ``nature, significance, and 
duration'' as not appropriate in every circumstance. The modification 
to the rule now requires the Secretary to consider the disclosures made 
by the PSO and an explanatory statement from the PSO making the case 
for why the PSO can fairly and accurately perform patient safety 
activities.
    We have not adopted the other suggestions. As we discuss above, 
with respect to Sec.  3.102(d)(2), we agree with the commenter that 
there is little reason for a provider organization to exert 
inappropriate control over its component PSO. At the same time we do 
not believe the statute permits us to waive Secretarial review under 
any set of circumstances.
    We do not agree with commenters that the common formats inter-
agency work group is the appropriate group to address disclosure 
statements. At this time, their informatics and clinical expertise and 
responsibilities are not congruent with assisting in the design or 
substantive requirements for disclosure statements.
(D) Section 3.104(d)--Maintaining a List of PSOs
    Proposed Rule: The proposed rule sought to incorporate in Sec.  
3.104(d) the statutory requirement that the Secretary compile and 
maintain a list of those entities whose PSO certifications have been 
accepted and which certifications have not been revoked or voluntarily 
relinquished. We proposed that the list would include information 
related to certifications for listing, disclosure statements, 
compliance with the minimum contract requirement, and any other 
information required by this Subpart. We noted that we expected to post 
this information on the AHRQ PSO Web site, and sought comment on 
whether there are specific types of information that the Secretary 
should consider posting routinely on this Web site for the benefit of 
PSOs, providers, and other consumers of PSO services.

[[Page 70763]]

    Overview of Public Comments: In addition to the list in the 
proposed rule, several commenters urged that we post the contact 
information for the parent organizations, subsidiaries, and affiliates, 
a list of states in which the parent organization does business, and 
the business objectives of the parent organizations, and whether each 
parent organization is for-profit or not-for-profit.
    Two commenters suggested that the Secretary's guidance on common 
reporting formats and definitions should be available on the PSO Web 
site. One commenter urged that the final rule and contact information 
for AHRQ staff should also be available there. Another commenter 
suggested that, since AHRQ works with PSOs, the value to prospective 
providers would be increased if we posted information on areas of 
specialization of individual PSOs and use the Web site as one tool for 
facilitating confirming analyses by other PSOs of initial work.
    Final Rule: The final rule incorporates the proposed rule text 
without modification. We have not modified the text of the rule because 
most of the recommendations relate to information that AHRQ will be 
receiving or producing for PSOs and can be posted to the Web site 
without additions or changes to the rule text. Recommendations to post 
information related to AHRQ staff and the final rule can be done 
without regulation as well. As AHRQ provides technical assistance to 
PSOs and works with the provider community to encourage the use of PSO 
services, we expect to publish information on the Web site that PSOs 
and the provider community request. In addition, the names and contact 
information of parent organizations of component PSOs and other 
information submitted at listing will be posted in accordance with the 
proposed rule text.
    Commenters urged us to post some information that we have no plans 
to collect, and, therefore, we have not accepted their recommendations. 
Most of these recommendations related to the business objectives, or 
the for-profit or not-for-profit status of parent organizations of 
component PSOs. In our view, requiring component organizations to 
submit such information would be burdensome and unnecessary. Providers 
will be able to find that information by using the published contact 
information on PSOs and parent organizations.
(E) Section 3.104(e)--Three-Year Period of Listing
    Proposed Rule: Section 3.104(e) proposed that listing as a PSO 
would be for three years, unless the Secretary revokes the listing or 
the PSO voluntarily relinquished its status. We also proposed that the 
Secretary would send a written notice of imminent expiration to a PSO 
no later than 45 calendar days before its listing expires if the 
Secretary has not received a certification seeking continued listing. 
We sought comment on a requirement that the Secretary publicly post the 
names of PSOs to which a notice of imminent expiration has been sent.
    Overview of Public Comments: Commenters were virtually unanimous 
that, at the time we send a PSO a notice of imminent expiration, we 
should post similar information on the AHRQ PSO website. Several 
commenters suggested that PSOs should be required to notify providers 
that the PSO has received a notice of imminent expiration and 
expressing concerns about the time needed for providers to make 
alternative arrangements. One commenter suggested that notice to 
providers should be a part of the contract with the PSO. Another 
suggested that the Department establish an email listserv that 
providers could join for alerts such as this. One commenter opposed 
public notice and one expressed conditional support, provided the 
Department ensured the accuracy of the information on the Web site.
    Final Rule: We have modified and redrafted Sec.  3.104(e) of the 
final rule. The final rule retains the proposed provision that the 
period of listing will be for three years, unless revoked or 
relinquished. The first modification is that this section now 
explicitly provides for the automatic expiration of a PSO's listing at 
the end of three years, unless the Secretary approves its certification 
for continued listing before the date of expiration. By incorporating 
this modification and making the process automatic, we have been able 
to eliminate the proposal in Sec.  3.108(c) for a process we termed 
``implied voluntary relinquishment.'' In comparison with the proposed 
rule approach, which required the Secretary to take affirmative action 
to delist a PSO that let its certifications lapse, this automatic 
approach simplifies the administrative process.
    We have modified subparagraph 3.104(e)(2) in two ways. We will send 
a PSO a notice of imminent expiration even earlier--at least 60 days 
rather than 45 days--before its certifications expire. We adopted the 
earlier notification date in response to general concerns reflected in 
the comments about the time a provider needed to make alternative 
arrangements and to ensure sufficient time for the Secretary to review 
and make a determination regarding certifications for continued 
listing. The second modification incorporates our proposal to post a 
notice on the AHRQ PSO website, for which commenters expressed strong 
support. In combination, we expect these modifications will provide 
both the PSO and the providers from which it receives data sufficient 
notice that the entity's period of listing is drawing to a close.
    We have not incorporated the recommendation to require PSOs 
receiving the notice to contact all providers. We expect most providers 
and PSOs to take advantage of AHRQ's existing listserv that will 
provide electronic notice to all subscribers when a notice such as this 
is posted on the AHRQ PSO website. Providers will also be able to sign 
up on the web site to receive individual emails if their PSO becomes 
delisted. In this way, we can be assured that notification is sent to, 
and received by, all interested parties.
(F) Section 3.104(f)--Effective Date of Secretarial Actions
    Proposed Rule: The proposed rule in section 3.104(f) states that, 
unless otherwise specified, the effective date of each action by the 
Secretary would be specified in the written notice that is sent to the 
entity. We noted that the Department anticipates sending notices by 
electronic mail or other electronic means in addition to a hard copy 
version. We also pointed out that for listing and delisting decisions, 
the Secretary would specify both an effective time and date for such 
actions in the written notice to ensure clarity regarding when 
information received by the entity will be protected as patient safety 
work product.
    Overview of Public Comments: We received no public comments on this 
subsection.
    Final Rule: The final rule incorporates the proposed rule text 
without modification.
3. Section 3.106--Security Requirements
    Proposed Rule: Section 3.106 of the proposed rule outlined a 
framework consisting of four categories for the security of patient 
safety work product that PSOs would consider in developing policies and 
procedures for the protection of data. Because Sec.  3.106 contains 
only two subsections and we received few comments, we will discuss both 
subsections of the rule together.
    Section 3.106(a) proposed that the security requirements of this 
section would apply to each PSO, its workforce members, and its 
contractors whenever

[[Page 70764]]

the contractors hold patient safety work product. If contractors cannot 
meet these security requirements, we proposed that their tasks be 
performed at locations at which the PSO can meet these requirements. We 
stated that the rule does not impose these requirements on providers; 
this Subpart would only apply to PSOs.
    Proposed Sec.  3.106(b) would have established a framework 
consisting of four categories for the security of patient safety work 
product that a PSO must consider. We proposed that each PSO develop 
appropriate and scalable standards that are suitable for the size and 
complexity of its organization.
    The four categories of the framework would have included: Security 
management issues (documenting its security requirements, ensuring that 
its workforce and contractors understand the requirements, and 
monitoring and improving the effectiveness of its policies and 
procedures); separation of systems (required physical separation of 
patient safety work product, appropriate disposal or sanitization of 
media, and preventing physical access to patient safety work product by 
unauthorized users or recipients); security control and monitoring 
controls (ability to identify and authenticate users, an audit capacity 
to detect unlawful, unauthorized, or inappropriate activities, and 
controls to preclude unauthorized removal, transmission or 
disclosures); and policies and procedures for periodic assessment of 
the effectiveness and weaknesses of its overall approach to security 
(determine when it needs to undertake risk assessment exercises and 
specify how it would assess and adjust its procedures to ensure the 
security of its communications involving patient safety work product to 
and from providers and other authorized parties).
    Overview of Public Comments: There were no public comments that 
specifically addressed Sec.  3.106(a) of the rule. Commenters focused 
instead on the overall security framework established by Sec.  
3.106(b). The majority of commenters supported the proposed 
requirements and emphasized the concepts of scalability and flexibility 
that were reflected in the proposed rule. Two commenters urged the 
Department to adopt the HIPAA Security Rule instead. Another commenter 
suggested that the final rule should emphasize the need for PSOs to 
maintain up-to-date security processes and urged that the final rule 
specifically recognize that PSOs can include HIPAA Security Rule 
requirements in their business associate contracts with providers that 
are covered entities.
    While there were few comments overall on this section of the rule, 
the specific provision that elicited the most concern was the 
requirement in Sec.  3.106(b)(2) that patient safety work product 
needed to be maintained securely separate from other systems of 
records. As discussed above with respect to obligations of component 
organizations, commenters expressed concern regarding the potential 
burden of such a requirement and several pointed to the analytic 
benefits of being able to readily merge data sets for specific 
analyses. It was recommended that the final rule permit the patient 
safety work product and non-patient safety work product to be stored in 
the same database as long as the security requirements are implemented 
for the database as a whole.
    Another commenter pointed to the confusion, inconsistency, and 
errors that were likely to result from the rule text in which each 
paragraph began with the words that a PSO ``must address'' each 
security issue within the framework while introductory paragraph (b) 
indicated that PSOs merely needed to ``consider'' the security 
framework.
    Final Rule: We have modified the text of Sec.  3.106 both to 
improve its clarity in non-substantive ways and to incorporate several 
substantive modifications in response to the comments we received. The 
changes to Sec.  3.106(a) are for clarity. For uniformity and brevity, 
throughout Sec.  3.106, we have standardized references regarding the 
application of security requirements to the ``receipt, access, and 
handling'' of patient safety work product. The rule text defines 
``handling'' of patient safety work product as including its 
processing, development, use, maintenance, storage, removal, 
disclosure, transmission and destruction.
    We have incorporated several modifications to the text of Sec.  
3.106(b). We have both simplified the text of the opening paragraph of 
this subsection and substituted the requirement that ``PSOs must have 
written policies and procedures that address'' for the language of the 
proposed rule that stated the ``PSO must consider.'' We agree with the 
commenter that retention of the proposed rule language would create 
confusion regarding what is required of a PSO. By retaining the 
language that permits a PSO to develop specific standards that address 
the security framework in this section with standards that are 
appropriate and scalable, we intend to retain flexibility for PSOs to 
determine how they will address each element of the security framework.
    The most significant substantive change in the security framework 
is in Sec.  3.106(b)(2), which had required the separation of patient 
safety work product from non-patient safety work product at all times. 
Based on comments received, we have modified both the title of Sec.  
3.106(b)(2) and the text of Sec.  3.106(b)(2)(i). Section 3.106(b)(2) 
is now entitled ``Distinguishing Patient Safety Work Product,'' rather 
than ``Separation of Systems,'' and Sec.  3.106(b)(2)(i) recognizes 
that the security of patient safety work product can be maintained 
either when patient safety work product is maintained separately from 
non-patient safety work product or when it is co-located with non-
patient safety work product, provided that the patient safety work 
product is distinguishable. This will ensure that the appropriate form 
and level of security can be maintained. This change responds to 
several comments that opposed the absolute requirement for separation 
in the proposed rule.
    While we have, thus, allowed greater procedural flexibility, we 
caution PSOs to be attentive to ensuring that patient safety work 
product remains distinguishable at all times if it is not kept 
separated. To the extent that patient safety work product becomes co-
mingled with non-protected information, there is increased risk of 
impermissible disclosures and violations of the confidentiality 
requirements of the rule and the Patient Safety Act.
    We have also eliminated a reference to a PSO determination of 
appropriateness that was in the text of the proposed rule in Sec.  
3.106(b)(4)(i) as redundant, since the rule permits a PSO to develop 
appropriate and scalable standards for each element of the security 
framework, including this element.
    Given the strong support for our flexible and scalable framework, 
we have not adopted recommendations of two commenters to substitute the 
HIPAA Security Rule for these provisions. We would expect that PSOs 
that are familiar with, and have existing rules that implement, the 
HIPAA Security Rule will incorporate those standards as appropriate, 
when they develop their written policies and procedures to implement 
security for the patient safety work product they receive, access and 
handle. The security framework presented here does not impose any 
limitations on the ability of PSOs to incorporate or address additional 
security requirements or issues as the PSO determines to be 
appropriate. The flexible approach we have adopted should minimize the

[[Page 70765]]

potential for conflict with the requirements of other programs. By 
taking advantage of this flexibility, and ensuring that its security 
requirements also address the requirements of the HIPAA Security Rule, 
a PSO should be able to meet its obligations as a business associate of 
any provider that is also a ``covered entity'' under HIPAA regulations.
4. Section 3.108--Correction of Deficiencies, Revocation and Voluntary 
Relinquishment
    Section 3.108 establishes the processes and procedures related to 
correction of deficiencies, revocation, and voluntary relinquishment. 
Section 3.108(a) establishes the processes and procedures for 
correction of deficiencies by PSOs and, when deficiencies have not been 
timely corrected, the process leading to a decision by the Secretary to 
revoke his acceptance of the entity's certification and delist a PSO. 
Section 3.108(b) sets forth the actions that the Secretary and a PSO 
must take following a decision by the Secretary to revoke his 
acceptance of the entity's certification and delist the entity. Section 
3.108(c) establishes the process by which an entity can voluntarily 
relinquish its status as a PSO. Section 3.108(d) requires publication 
of notices in the Federal Register whenever an entity is being removed 
from listing. New Sec.  3.108(e) establishes an expedited process for 
revoking the Secretary's acceptance of the entity's certification under 
certain circumstances.
(A) Section 3.108(a)--Process for Correction of a Deficiency and 
Revocation
    Proposed Rule: Section 3.108(a) listed in paragraph (a)(1) the 
circumstances that could lead to revocation and delisting and the 
remaining subsections set forth our proposed process for correction by 
a PSO of a deficiency identified by the Secretary and, if the 
deficiencies are not timely corrected or cannot be ``cured,'' the 
process that could lead to the revocation and delisting. We review the 
entirety of Sec.  3.108(a) here.
    Once the Secretary believes that a PSO is deficient in meeting its 
requirements, proposed Sec.  3.108(a)(2) outlined the processes he 
would follow. First, the Secretary would send a written notice of a 
preliminary finding of deficiency; the contents of the deficiency 
notice are specified in the rule. Following receipt of the notice, a 
PSO would have 14 days to correct the record by submitting evidence 
that the information on which the preliminary finding had been based 
was factually incorrect. The Secretary could then withdraw the notice 
or require the PSO to proceed with correction. The preamble sought 
comment on whether there should be an expedited revocation process when 
deficiencies are not, or cannot, be cured. Public comment and the 
provisions of the final rule are discussed below in new subsection (e), 
expedited revocation.
    Following the correction period, proposed Sec.  3.108(a)(3) would 
have required the Secretary to determine whether a deficiency has been 
corrected. The Secretary could determine: (1) The deficiency is 
corrected and withdraw the notice of deficiency; (2) additional time 
for, or modification of, the required corrective action is warranted; 
or (3) the deficiency is not corrected, the PSO has not acted with 
reasonable diligence or timeliness, and issue a Notice of Proposed 
Revocation and Delisting.
    Section 3.108(a)(4) would have provided an automatic 30 calendar 
day period, unless waived by the PSO, for it to respond in writing to 
the proposed revocation and delisting. If a PSO fails to submit a 
written response, the Secretary would revoke his acceptance of its 
certification, and delist the entity. After review of the response and 
other relevant information, Sec.  3.108(a)(5) proposed that the 
Secretary could affirm, reverse, or modify the notice of proposed 
revocation and delisting, and notify the PSO in writing of his decision 
with respect to any revocation of his prior acceptance of its 
certification and delisting. We noted that the proposed rule did not 
include an administrative process for appealing the Secretary's 
decision to revoke his acceptance of the entity's certification and 
delist a PSO, and specifically sought public comment on our approach.
    Overview of Public Comments: Commenters focused on the due process 
aspects of subsection (a). While most commenters commended the proposed 
rule for its focus on working with PSOs to resolve deficiencies and its 
inclusion of due process elements throughout the process, the 
commenters recommended that the final rule incorporate an additional 
opportunity for an administrative appeal of a revocation and delisting 
decision and expressed concern that the final rule should not limit the 
due process rights and opportunities that had been proposed.
    For example, while several commenters endorsed our overall 
approach, no commenter specifically stated agreement with our decision 
not to include an administrative appeal mechanism following a decision 
by the Secretary to revoke his acceptance of the entity's certification 
and delist a PSO for cause. The eight commenters that specifically 
addressed the issue recommended inclusion of such a mechanism.
    Final Rule: The final rule incorporates only technical 
modifications to the text of subsection 3.108(a). The deletion of text 
in Sec.  3.108(a)(1)(ii) is intended to clarify that the basis for 
revocation and delisting matches our intent in the proposed rule, i.e., 
the failure to meet the two-contract requirement, not the failure to 
timely notify the Secretary that the requirement had been met. In 
addition, we have incorporated a related new Sec.  3.108(e) that 
establishes a new expedited revocation process to be used in 
exceptional circumstances.
    Despite the strong support by commenters that we incorporate in the 
final rule an opportunity for an administrative appeal when the 
Secretary decides to revoke his acceptance of a PSO's certification and 
delist a PSO for cause, we have not modified the rule. The process 
described in Sec.  3.108(a) permits an early response to findings of 
deficiency and where facts cited by the Secretary are correct, the 
process emphasizes the Department will work with PSOs to correct 
deficiencies, rather than punishing PSOs for deficiencies. Given the 
flexibility and extensive nature of the communication and correction 
opportunities and procedures outlined in 3.108(a), we expect that the 
revocation process will be utilized rarely, and only after significant 
efforts have been made to bring a PSO back into compliance. However, if 
a PSO is not working with us in good faith to correct any remaining 
deficiencies, there must be a timely finality to the process. For this 
system to work, providers must have confidence that the Department will 
act in a timely manner when a PSO chooses not to meet its statutory and 
regulatory obligations.
Response to Other Public Comments
    Comment: One commenter recommended that the rule provide some 
degree of transparency regarding PSOs that have received notice of 
deficiencies by posting some limited information about this on the PSO 
Web site.
    Response: The Department gave careful consideration to this comment 
because of our overall commitment to providing transparency wherever 
possible. Our conclusion is that we will not post information on 
deficiencies because of our concern that this will undermine another of 
our objectives, which is to promote and permit correction of 
deficiencies in a non-

[[Page 70766]]

punitive manner. Providers considering entering a contract with a 
specific PSO are, of course, free to seek information from the PSO 
regarding whether it has received deficiency notices and is currently 
under an obligation to take corrective actions.
    Comment: Another commenter suggested that the final rule 
specifically recognize the authority of the Secretary, if warranted by 
the circumstances that led to the delisting of a PSO, to debar the 
entity from seeking a new listing for a period of time.
    Response: We have not adopted this specific suggestion, but we note 
that the Secretary is not required to relist an entity automatically. 
The Secretary can and will take into account the reasons for the 
revocation and delisting and the entity's compliance with its 
obligations following revocation and delisting.
    Comment: Several commenters suggested that the period of time 
provided to the PSO to submit a written response to a notice of 
proposed revocation and delisting should be expanded from 30 days to 45 
days.
    Response: We have not accepted this recommendation. We recognize 
the importance of striking a balance between providing an entity 
sufficient time to respond to such a notice and ensuring that providers 
can have confidence that the Department will act in a timely manner 
when a PSO do not meet its obligations. It is important to realize that 
by the time the PSO receives a notice of proposed revocation and 
delisting under the process set forth in Sec.  3.108(a)(3), the 
Department has already worked with the PSO to correct the deficiencies 
and has indicated remaining problems so the PSO will have reason to 
anticipate any such notice of proposed revocation in advance of its 
issuance. Thus the PSO, realistically, will have more than 30 days to 
prepare its response to a proposed revocation.
    Comment: One commenter suggested that, if the Secretary determines 
that the PSO has conflicts of interest, this should serve as a basis 
for proceeding directly to revocation.
    Response: The Department recognizes the commenter's underlying 
point that conflicts of interest may, in fact, not be curable and thus, 
in certain circumstances, may warrant proceeding directly to 
revocation. To the extent that such a conflict of interest provides a 
basis for the Secretary determining that continued listing would have 
serious adverse consequences, we could address it under Sec.  3.108(e), 
the subsection establishing the new expedited revocation process. We 
should note that, in crafting that new authority, the Department 
believed that it had an obligation to establish a process for truly 
exceptional circumstances. We do not intend to use this authority as a 
substitute for the normal process established by subsection (a). Thus, 
if a conflict-of-interest does not raise the prospect of serious 
adverse consequences for providers or others, it is our intention to 
use the correction processes of subsection (a).
    Comment: Would a provider's patient safety work product be at risk 
if the Department failed to alert the provider in a timely manner of a 
deficiency in its PSO?
    Response: No. As we pointed out in the preamble discussion of Sec.  
3.108 in the proposed rule, the presence of deficiencies or the fact 
that an entity is undergoing revocation has no impact on the 
information submitted to the entity by providers until the date and 
time that an entity is revoked and removed from listing. If the PSO is 
revoked and delisted for cause, the statute provides an additional 30-
day period that begins at the time of delisting during which data 
reported to the former PSO receives the same protections as patient 
safety work product.
(B) Section 3.108(b)--Revocation of the Secretary's Acceptance of a 
PSO's Certification
    Proposed Rule: When the Secretary makes a determination to remove 
the listing of a PSO for cause, proposed Sec.  3.108(b)(1) required the 
Secretary to establish, and notify the entity, of the effective date 
and time of its delisting and inform the entity of its obligations 
under Sec. Sec.  3.108(b)(2) and 3.108(b)(3).
    Section 3.108(b)(2) proposed to implement two statutory provisions. 
First, the former PSO would be required to notify providers with which 
it has been working of its removal from listing and confirm to the 
Secretary within 15 days of the date of revocation and delisting that 
it has done so. In light of the brief notification period, we sought 
comment on whether there are other steps the Secretary should take to 
ensure that affected providers receive timely notice. Second, this 
subsection would have reaffirmed the continued protection of patient 
safety work product received while the entity was listed. In addition, 
any data received by the former PSO from a provider in the 30 days 
following the date of revocation and delisting would be accorded the 
same protections as patient safety work product. We noted that this 
additional period of protection was only for the benefit of providers 
reporting data; it would not permit a former PSO to continue to 
generate new patient safety work product.
    Section 3.108(b)(3) proposed to implement the statutory 
requirements regarding the disposition of patient safety work product 
or data following revocation and delisting of a PSO. The three 
alternatives provided by the statute are: Transfer of the patient 
safety work product with the approval of the source from which it was 
received to a PSO which has agreed to accept it; return of the patient 
safety work product or data to the source from which it was received; 
or, if return is not practicable, destruction of such work product or 
data. We noted that the text of the proposed rule refers to the 
``source'' of the patient safety work product or data; this would be a 
broader formulation than the statutory language and includes 
individuals. The statute does not establish a time frame for a PSO to 
comply with disposition requirements; we sought comment on setting a 
deadline.
    Overview of Public Comments: Most commenters addressed the specific 
questions raised in the proposed rule, although a few commenters raised 
questions and offered recommendations related to the requirements for 
disposition of patient safety work product. In response to the 
Department's question in the proposed rule of whether there were other 
steps that the Secretary could take to ensure that providers were 
informed when a PSO to which they reported data was revoked and 
delisted, many commenters concluded that the statutory requirement for 
notification by the former PSO was sufficient. Others urged AHRQ to 
post notices of revocation and delisting on the PSO website. Several 
commenters urged the Secretary to require the former PSO to provide 
AHRQ with a list of its providers when it submits its required 
confirmation 15 days after revocation that it has notified providers. 
Presumably, the intent was to permit the Secretary to follow up with 
these providers to confirm that they had been notified.
    There were only three comments in response to our question in the 
proposed rule whether it was appropriate to require disposition of 
patient safety work product that was received from all sources. Two 
comments supported our interpretation of the statutory requirement. One 
commenter raised concerns that this requirement could be difficult to 
accomplish.
    Commenters strongly supported inclusion in the final rule of a 
deadline by which former PSOs needed to complete their disposition of 
patient

[[Page 70767]]

safety work product. Some commenters suggested that we follow existing 
HIPAA guidelines and others suggested that the rule set a deadline, 
ranging from 90 days to 180 days following the date of revocation. One 
commenter suggested setting standards linked to the volume of patient 
safety work product held by the former PSO.
    The options for disposition of patient safety work product elicited 
a number of comments. Some noted the difficulty of returning patient 
safety work product to its source as the former PSO closes its 
operations and expressed concern that destruction was not an option 
until the PSO concluded that returning the work product was not 
possible. In the view of this commenter, this could lead a PSO to 
simply abandon the patient safety work product since it may have 
neither time nor resources to contact the sources of the work product. 
However, most commenters focused on the importance of identifying ways 
to avoid destruction of patient safety work product.
    Final Rule: Section 3.108(b) has been modified in several ways. The 
first changes, in Sec.  3.108(b)(1), are technical changes. The first 
change renames the section to more accurately describe its provisions. 
The second technical change incorporates two additional cross-
references to the ability of the Secretary to revoke his acceptance of 
a PSO's certifications and delist an entity pursuant to the new 
expedited revocation process established in Sec.  3.108(e).
    We have not imposed any new requirements on the Department in Sec.  
3.108(b)(2) to notify providers. Many commenters did not see the need 
for additional intervention by the Department and several commenters 
suggested additional steps that we can and will take independent of the 
rule. For example, AHRQ has already established an e-mail-based 
listserv for individuals interested in electronic alerts regarding the 
agency's implementation of the Patient Safety Act. Following 
publication of the final rule, AHRQ will encourage all interested 
providers and PSOs to add their names to the listserv, which will 
provide immediate notification when the Secretary takes actions related 
to the listing and delisting of PSOs or posts significant new 
information on AHRQ's PSO Web site. Providers will also be able to 
signup on the Web site to receive individual e-mails if their PSO 
becomes delisted.
    We have modified Sec.  3.108(b)(2) in another way. This paragraph 
retains the restatement that was in the proposed rule of the statutory 
assurances regarding the continued protections for patient safety work 
product reported to a PSO before the effective date of a revocation and 
delisting action by the Secretary and the protections for data reported 
to the former PSO during the 30-day period following the date of 
delisting. The modification requires the former PSO to include this 
information in its notices to providers regarding its delisting. We 
incorporated this modification to better effectuate the statutory 
purpose by ensuring that the providers contacted by the former PSO are 
aware of these protections for the data they may still want to report 
during the 30-day period.
    Several commenters sought ways to preserve patient safety work 
product and data for continued learning. However, the requirements for 
disposition of patient safety work product and ``data'' in the final 
regulation follow the statutory formulation. We note that ``data'' in 
this context refers to information submitted to a former PSO in the 30 
days following its delisting. Some amount of patient safety work 
product can be preserved if the PSO shares or discloses this 
information prior to the effective date of its revocation as permitted 
by the rule, e.g., to other PSOs in non-identifiable or anonymized 
form.
    We have modified the text of Sec.  3.108(b)(3) in one respect. In 
response to comments, we require the disposition requirement to be 
completed within 90 days. Some commenters suggested that we follow 
existing HIPAA guidelines in establishing deadlines for the disposition 
of patient safety work product. Neither the HIPAA Privacy Rule nor the 
HIPAA Security Rule have deadlines for the disposition of protected 
health information. Providers are, of course, free to establish in 
their contracts an earlier date for disposition of their patient safety 
work product or data and may provide prior authorization for transfer 
to another PSO.
Response to Other Public Comments
    Comment: One commenter asked whether the disposition requirement 
applies to non-identifiable patient safety work product, such as data 
reported anonymously by hospitals.
    Response: The statutory section on disposition of patient safety 
work product does not make an explicit distinction between disposition 
of identifiable and non-identifiable patient safety work product and 
data, nor does the final rule in the disposition requirements. The 
Department reads this disposition requirement as applying to both 
identifiable and non-identifiable patient safety work product and data. 
We note that Subpart C permits disclosure of non-identifiable patient 
safety work product at any time by a PSO. However, after the date and 
time that the Secretary sets for revocation and delisting, the former 
PSO must follow the prescribed disposition requirements. Thus, prior to 
the effective date and time of a PSO's delisting, the PSO can transfer 
to another PSO non-identifiable and anonymized patient safety work 
product, without consent of the source(s) of that information.
    Comment: One commenter suggested that there may be good business 
reasons for a former PSO that has been delisted to retain patient 
safety work product and asked that we provide that option.
    Response: The statutory disposition requirement does not permit 
such an option for an entity that is revoked and delisted for cause, 
and the final rule mirrors this limitation. A PSO that voluntarily 
relinquishes its status is required to attest that it has made all 
reasonable efforts to comply with the disposition requirements.
    Comment: One commenter noted that the disposition options appear to 
be premised on a concept of the source's ownership interest in the 
patient safety work product provided to the PSO. Noting that as PSOs 
continue to aggregate data from multiple providers or through the 
sharing of work product with other PSOs, the commenter asserted that at 
some point the PSO's work product becomes its own. The question to 
consider is whether this distinction can be made in applying the 
disposition requirement.
    Response: The Department reads the disposition requirement of the 
Patient Safety Act to apply to all patient safety work product and data 
held by an involuntarily delisted former PSO. Most work product created 
by PSOs will be based upon reports from providers. While the commenter 
points to repeated aggregation of data from larger and larger numbers 
of providers as making the linkage to the reporting providers more 
tenuous, in our view the linkage remains as long as there is 
information that identifies any source of the data in the analysis. The 
linkage is only broken when the source(s) is (are) truly non-
identifiable. As we noted above, the statute does not make a 
distinction between identifiable and non-identifiable information, so 
the disposition requirements apply to both.
    Comment: One commenter noted that certain public PSO entities may 
face conflicts with state laws or regulations that establish 
requirements for the

[[Page 70768]]

disposition of information that they hold.
    Response: The final rule's requirements for disposition of patient 
safety work product would preempt conflicting state statutory 
requirements for disposition of information when it is patient safety 
work product.
    Comment: What are the responsibilities of a contractor holding 
patient safety work product under contract with a PSO that is revoked 
and delisted for cause?
    Response: The contractor must return the former PSO's patient 
safety work product that it is holding for disposition as required by 
the rule.
(C) Section 3.108(c)--Voluntary Relinquishment
    Proposed Rule: Section 3.108(c)(1) proposed two circumstances under 
which a PSO would be considered to have voluntarily relinquished its 
status as a PSO: When a PSO advises the Secretary in writing that it no 
longer wishes to be a PSO, and when a PSO permits its three-year period 
of listing to expire. To ensure that such a lapse is not inadvertent, 
the proposed rule would require the Secretary to send a notice of 
imminent expiration 45 calendar days before the expiration of its 
period of listing.
    We proposed in Sec.  3.108(c)(2) that a PSO seeking to relinquish 
its listing should include in its notification to the Secretary 
attestations regarding its compliance with the provider notification 
and patient safety work product disposition requirements, and would 
have required appropriate contact information for further 
communications from the Secretary. The Secretary would be authorized by 
Sec.  3.108(c)(3) to accept or reject the PSO's notification. We sought 
comment on our preliminary conclusion that, when a PSO voluntarily 
relinquishes its status, the statutory provisions providing protections 
for an additional 30 days for data submitted to the former PSO by 
providers do not apply.
    Section 3.108(c)(4) would have enabled the Secretary to determine 
that implied voluntary relinquishment has taken place when a PSO 
permits its listing to expire. The Secretary would remove the entity 
from the list of PSOs at midnight on that day, notify the entity, and 
request that the entity make reasonable efforts to comply with the 
provider notification and patient safety work product disposition 
requirements, and to provide appropriate contact information. Finally, 
Sec.  3.108(c)(5) proposed that voluntary relinquishment would not 
constitute a deficiency as referenced in subsection (a).
    Overview of Public Comments: Public comment on the proposed 
provisions for voluntary relinquishment focused primarily on the two 
questions raised in the proposed rule.
    Two commenters agreed with our interpretation that the statute 
limited the application of the additional protections for data 
submitted by providers to a former PSO in the 30-day period following 
the date and time of revocation and delisting to situations in which 
the PSO had been revoked and delisted for cause. A number of commenters 
argued for inclusion of a 30-day period of continued reporting for PSOs 
that voluntarily relinquished their status. They noted the importance 
of comparability but did not provide a legal rationale for reading the 
statute differently.
    The second question posed by the proposed rule was the 
appropriateness of paragraph (c)(5) which would eliminate the right to 
challenge any decision by the Secretary regarding voluntary 
relinquishment. Several large provider groups supported our position 
while others argued that a PSO should always have the right to 
challenge or appeal any decision by the Secretary.
    Final Rule: We have modified and narrowed the scope of voluntary 
relinquishment in the final rule. We have eliminated from this section 
the application of voluntary relinquishment to situations in which a 
PSO has let its certifications lapse. As noted above, we have modified 
Sec.  3.104(e) to make expiration of a PSO's listing automatic in these 
circumstances. Revised Sec.  3.108(c) provides for voluntary 
relinquishment in only one circumstance: When a PSO writes the 
Secretary seeking to relinquish its listing as a PSO.
    We have carefully reviewed again the statutory authority that 
enables PSOs that have their listing revoked for cause to continue to 
receive data for 30 days following the date and time of revocation and 
delisting that will be treated as patient safety work product. We 
reaffirm our interpretation that the statutory authority does not apply 
to an entity seeking to voluntarily relinquish its status as a PSO. 
Commenters provided no basis for a different reading of the statute. 
Accordingly, we have not incorporated any change in the rule.
    We have also deleted inappropriate references to ``patient safety 
work product and data'' in Sec.  3.108(c)(2) and replaced them with a 
reference only to patient safety work product. As we noted above, the 
term ``data'' in this context refers only to information received by a 
former PSO in the 30-day period following revocation for cause and is 
not applicable here. The only other modifications are deletions of text 
relating to implied voluntary relinquishment and a conforming change in 
a cross-reference.
    We have not accepted the views of commenters supporting appeals of 
relinquishment determinations by the Secretary in light of our decision 
to narrow the scope of voluntary relinquishment to situations in which 
the PSO has requested relinquishment. The comments regarding due 
process for those who voluntarily relinquish their status would no 
longer be apt.
(D) Section 3.108(d)--Public Notice of Delisting Regarding Removal From 
Listing
    Proposed Rule: Proposed Sec.  3.108(d) would have incorporated the 
statutory requirement that the Secretary must publish a notice in the 
Federal Register regarding the revocation of acceptance of 
certification of a PSO and its removal from listing. The proposed rule 
would have broadened the requirement to include publication of such a 
notice if delisting results from a determination of voluntary 
relinquishment.
    Overview of Public Comments: We received no comments on this 
subsection.
    Final Rule: We have modified Sec.  3.108(d) in the final rule to 
reflect our changes to subsection (c) that narrowed the scope of 
voluntary relinquishment. We also added a new reference that requires 
the Secretary to publish a notice when a PSO's listing terminates 
automatically at the end of the statutorily based three-year period, 
pursuant to Sec.  3.104(e).
(E) Section 3.108(e)--Expedited Revocation
    Proposed Rule: The proposed rule did not contain a proposed Sec.  
3.108(e). The proposed rule did include in subsection (a) a request for 
comment about the possible inclusion in the final rule of an expedited 
revocation process. We noted that, while we anticipate that in the vast 
majority of circumstances, the PSO's deficiency(ies) can and will be 
corrected, there may be situations in which a PSO's conduct is so 
egregious that the Secretary's acceptance of the PSO's certification 
should be revoked without the opportunity to cure because there is no 
meaningful cure. We invited comments regarding this approach and how 
best to characterize the situations in which the opportunity to 
``cure,'' e.g., to change policies, practices or procedures, sanction 
employees, send out correction notices, would not be sufficient, 
meaningful, or appropriate.

[[Page 70769]]

    Overview of Public Comments: Several commenters expressed concern, 
requested that we define the term ``egregious,'' and opposed the 
elimination of a right for the PSO to respond to the proposed expedited 
revocation action. One commenter suggested that our proposal was 
appropriate in situations involving multiple willful violations and in 
which immediate action is necessary to protect patients and providers 
from further improper actions by the PSO.
    Only one commenter addressed, and opposed, our suggestion that we 
might eliminate in the final rule the opportunity for a PSO to contest 
revocation when the entity had verifiably failed to meet the statutory 
minimum contract requirement.
    Final Rule: The Department has modified the rule to include a new 
Sec.  3.108(e) to provide for expedited revocation in a limited number 
of circumstances. In deciding to include this new subsection, we 
considered all of the comments received regarding Subpart B, not only 
those discussed here. There was a strong overall sentiment that the 
Secretary must be vigilant in ensuring that PSOs meet their obligations 
to protect the confidentiality of patient safety work product. These 
concerns were especially strong in response to our proposal to permit 
components of excluded entities to seek listing. We also received 
support for prompt Secretarial action for multiple willful violations 
and when providers and patients are at risk because of a PSO's actions. 
Accordingly, we have incorporated an expedited revocation process based 
around these concerns.
    New Sec.  3.108(e)(1) lists three circumstances in which the 
Secretary may use an expedited process for revocation. The first two 
circumstances reflect commenter concern regarding excluded entities. 
The first of these, specified in Sec.  3.108(e)(1)(i), is if the 
Secretary determines that a PSO is, or is about to become, an entity 
excluded from listing by Sec.  3.102(a)(2). That section excludes from 
listing: A health insurance issuer; a unit or division of a health 
insurance issuer; an entity that is owned, managed or controlled by a 
health insurance issuer; entities that accredit or license health care 
providers; entities that oversee or enforce statutory or regulatory 
requirements governing the delivery of health care services; agents of 
an entity that oversees or enforces statutory or regulatory 
requirements governing the delivery of health care services; or 
entities that operate a Federal, State, Local, or Tribal patient safety 
reporting system to which health care providers (other than members of 
the entity's workforce or health care providers holding privileges with 
the entity) are required to report information by law or regulation.
    Because the certifications for listing specifically require an 
entity to attest that it is not excluded from seeking listing, this 
situation would mean that the PSO had either filed a false 
certification, or that the nature of the entity had significantly 
changed during the course of its listing. An example of an entity 
``about to become an excluded entity'' would be when there is advance 
notice of a merger of the parent organization of a component PSO with a 
health insurance issuer. A health insurance issuer is the only excluded 
entity that may not have a component become a PSO. If the Secretary 
learns that a PSO is about to become a component of a health insurance 
issuer, this is one circumstance under which we believe prompt action 
by the Secretary is essential.
    The second circumstance, specified in Sec.  3.108(e)(1)(ii), is 
when the parent organization of a PSO is an excluded entity and the 
parent organization uses its authority over providers to require or 
induce them to use the patient safety services of its component PSO. 
This was a major concern of commenters in permitting components of 
accreditation, licensure and regulatory entities to seek listing; the 
final rule in Sec.  3.102(c) permits such a component to be listed only 
if it can certify that its parent organization does not impose such 
requirements on providers. When an excluded entity attempts to require 
or induce providers to report information to its component PSO, there 
is reasonable cause for concern regarding the integrity of the firewall 
between the component PSO and its parent organization. Given the 
potential harm to providers if their identifiable patient safety work 
product is made available to the excluded entity, the Department 
concludes that the need for prompt action is compelling.
    The third circumstance specified in Sec.  3.108(e)(1)(iii) of the 
rule is when the Secretary has determined that the failure to act 
promptly would lead to serious adverse consequences. We would expect to 
use this authority sparingly. Despite the confidential and protected 
nature of patient safety work product, we remain concerned that there 
can still be serious harm to providers, patients, and reporters named 
in patient safety work product if a PSO demonstrates reckless or 
willful misconduct in its protection or use of the work product with 
which it is entrusted, especially when there is reason to believe there 
have been repeated deficiencies, or when the PSO engages in fraudulent 
or illegal conduct. In light of these risks, we believe it is only 
prudent to give the Secretary the authority to respond promptly to 
situations where there is a risk of serious adverse harm, even if we 
cannot adequately foresee all of the specific situations that might 
require prompt action.
    We note that we have accepted the position of another commenter 
that we not include failure to meet the minimum contract requirement as 
a basis for expedited revocation. Our intent is to limit expedited 
revocation to those situations which pose a risk to providers or 
others.
    To accomplish expeditious remedial revocation action, Sec.  
3.108(e)(2) waives the procedures in Sec. Sec.  3.108(a)(2) through 
3.108(a)(5) for correction of deficiencies, determinations regarding 
correction of deficiencies, processes related to the opportunity for a 
written response by the PSO to a notice of proposed revocation and 
delisting, and final determination by the Secretary regarding 
revocation and delisting of the PSO. Instead, the provisions of Sec.  
3.108(e)(3) apply.
    Under Sec.  3.108(e)(3) of the expedited revocation process, the 
Secretary would issue a notice of deficiency and expedited revocation 
that identifies the evidence that the circumstances for expedited 
revocation exist and indicates any corrective action the PSO can take 
if the Secretary determines that corrective action may resolve the 
matter so that revocation and delisting could be avoided. Absent 
evidence of actual receipt of this notice of deficiency and expedited 
revocation, the Secretary's notice will be deemed to be received five 
days after it was sent.
    In developing this process, we have taken note of commenters' 
concern that as a general matter, a PSO alleged to be deficient in 
compliance should have an opportunity to be heard and have provided the 
PSO with an opportunity to respond as part of the expedited revocation 
process. The Secretary must receive a response from the PSO within 14 
days of actual or constructive receipt of the notice, whichever is 
longer. In its written response, the PSO can correct the alleged facts 
or argue the applicability of the legal basis given for expedited 
revocation and delisting and offer reasons that would support its case 
for not being delisted.
    If the PSO does not submit a written response, the Secretary may 
revoke and delist the PSO. Provided the PSO responds within the 
required time, the Secretary may withdraw the notice,

[[Page 70770]]

grant the PSO with additional time to resolve the matter, or revoke and 
delist the PSO. If the Secretary decides to revoke and delist the PSO, 
we note that the requirements of Sec.  3.108(b) discussed above apply. 
These requirements relate to notification of the providers who have 
reported patient safety work product to the PSO, disposition of the 
PSO's patient safety work product and data, and the ability of 
providers to continue to report data to the former PSO for 30 calendar 
days following the effective date and time of delisting and have these 
data protected as patient safety work product.
5. Section 3.110--Assessment of PSO Compliance
    Proposed Rule: Section 3.110 proposed the framework by which the 
Secretary would assess compliance of PSOs with the requirements of the 
statute and the rule. This section provided that the Secretary may 
request information or conduct spot-checks (reviews or site visits to 
PSOs, announced or unannounced) to assess or verify PSO compliance with 
the requirements of the statute and this proposed subpart. We noted 
that we anticipate that such spot checks would involve no more than 5-
10% of PSOs in any year. We also noted that this section would 
reference the Department's overall authority to have access to patient 
safety work product, if necessary, as part of its implementation and 
enforcement of the Patient Safety Act.
    Overview of Public Comments: There were few comments on this 
section. Commenters agreed that AHRQ's authority under this section 
should be limited to PSOs. Several commenters expressed concern about 
our discussion that we only anticipated spot-checking 5%-10% of PSOs 
for compliance in any given year. The projected number of spot checks 
in their view would not be adequate to maintain provider confidence and 
PSO compliance. Another commenter asked which agency would be delegated 
the task and identified entities within HHS to which the Secretary 
should not delegate this responsibility.
    Final Rule: We have made no substantive modifications to Sec.  
3.110 in the final rule. We note in response to the commenters that 
urged a higher level of spot checks and inspections that the rule does 
not limit the ability of the Department to increase the number if 
warranted. However, we have no basis for assuming that higher levels of 
spot checks or inspections are warranted in light of the fact that 
Patient Safety Organizations are not federally funded or controlled and 
a provider's decision to work with a PSO is voluntary. Therefore, we 
intend to maintain the approach outlined in the proposed rule. In 
response to another commenter, the authority to implement Subpart B 
rests squarely within the authorities to foster patient safety and 
health care quality improvement of the Agency for Healthcare Research 
and Quality, and there is no reason to expect it to be delegated to 
another part of the Department.
6. Section 3.112--Submissions and Forms
    Proposed Rule: Proposed Sec.  3.112 would have provided 
instructions for obtaining required forms and the submission of 
materials, would have provided contact information for AHRQ (mailing 
address, Web site, and e-mail address), and would have authorized the 
Department to request additional information if a submission is 
incomplete or additional information is needed to enable the Secretary 
to make a determination on any submission.
    Overview of Public Comments: We received no comments on this 
section.
    Final Rule: We have made no substantive modifications to this 
section. We have made technical changes and incorporated citations for 
the AHRQ PSO Web site address and corrected the e-mail address.

C. Subpart C--Confidentiality and Privilege Protections of Patient 
Safety Work Product

    Proposed Subpart C would have described the general privilege and 
confidentiality protections for patient safety work product, the 
permitted disclosures, and the conditions under which the specific 
protections no longer apply. The proposed Subpart also would have 
established the conditions under which a provider, PSO, or responsible 
person must disclose patient safety work product to the Secretary in 
the course of compliance and enforcement activities, and what the 
Secretary may do with such information. Moreover, the proposed subpart 
would have established the standards for nonidentifiable patient safety 
work product.
    Proposed Subpart C sought to balance key objectives of the Patient 
Safety Act. First, the proposal sought to address provider concerns 
about the potential for damage from unauthorized release of 
information, including the potential for the information to serve as a 
roadmap for provider liability from negative patient outcomes. It also 
promoted the sharing of information about adverse patient safety events 
among providers and PSOs for the purpose of learning from those events 
to improve patient safety and the quality of care. To achieve these 
objectives, Subpart C proposed that patient safety work product would 
be privileged and confidential, except in the certain limited 
circumstances identified by the Patient Safety Act and as needed by the 
Department to implement and enforce the Patient Safety Act. In 
addition, proposed Subpart C provided, in accordance with the Patient 
Safety Act, that patient safety work product that is disclosed 
generally would continue to be privileged and confidential, subject to 
the delineated exceptions. Thus, under the proposal, an entity or 
person receiving patient safety work product only would be able to 
disclose such information for a purpose permitted by the Patient Safety 
Act and the proposed rule, or if patient safety work product was no 
longer confidential because it was nonidentifiable or subject to an 
exception to confidentiality. Providers, PSOs, and responsible persons 
who failed to adhere to these confidentiality rules would be subject to 
enforcement by the Department, including the imposition of civil money 
penalties, if appropriate, as provided in Subpart D of the proposed 
rule.
    The proposed rule also explained that several provisions of the 
Patient Safety Act recognize that the patient safety regulatory scheme 
will exist alongside other requirements for the use and disclosure of 
protected health information under the HIPAA Privacy Rule. For example, 
the Patient Safety Act establishes that PSOs will be business 
associates of providers and the patient safety activities they conduct 
will be health care operations of the providers, incorporates 
individually identifiable health information under the HIPAA Privacy 
Rule as an element of identifiable patient safety work product, and 
adopts a rule of construction that states the intention not to alter or 
affect any HIPAA Privacy Rule implementation provision (see section 
922(g)(3) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(3)). 
As we explained in the proposed rule, we anticipate that most providers 
reporting to PSOs will be HIPAA covered entities under the HIPAA 
Privacy Rule, and as such, will be required to recognize and comply 
with the requirements of the HIPAA Privacy Rule when disclosing 
identifiable patient safety work product that includes protected health 
information. As Subpart C addresses disclosure of patient safety work 
product that may include protected health information,

[[Page 70771]]

we discuss, where appropriate, the overlap between this rule and the 
HIPAA Privacy Rule in the preamble description of this Subpart, as we 
did in the proposed rule.
1. Section 3.204--Privilege of Patient Safety Work Product
    Proposed Sec.  3.204 described the privilege protections of patient 
safety work product and the exceptions to privilege. As we explained in 
the proposed rule, the Patient Safety Act does not give authority to 
the Secretary to enforce breaches of the privilege protections, as it 
does with respect to breaches of the confidentiality provisions. 
Rather, we anticipate that the tribunals, agencies or professional 
disciplinary bodies before whom the proceedings take place and before 
which patient safety work product is sought, will adjudicate the 
application of the privilege provisions of the Patient Safety Act at 
section 922(a)(1)-(5) of the Public Health Service Act, 42 U.S.C. 299b-
22(a)(1)-(5) and the exceptions to privilege at section 922(c)(1) of 
the Public Health Service Act, 42 U.S.C. 299b-22(c)(1). Even though the 
privilege protections will be enforced through the court systems, and 
not by the Secretary, we repeat the statutory privilege protections and 
exceptions in this final rule, as we did in the proposed rule. This is 
done both for convenience and completeness, as well as because the same 
exceptions in the privilege provisions are repeated in the 
confidentiality provisions and the term ``disclosure'' in the final 
rule describes both the transfer of patient safety work product 
pursuant to a privilege exception as well as a confidentiality 
exception. Thus, a disclosure of patient safety work product that is a 
violation of privilege may also be a violation of confidentiality, 
which the Secretary does have authority to enforce and for which he can 
impose a civil money penalty, if appropriate.
    We also proposed to include at Sec.  3.204(c) a regulatory 
exception to privilege for disclosures to the Secretary for the purpose 
of enforcing the confidentiality provisions and for making or 
supporting PSO certification or listing decisions. In the final rule, 
we adopt this proposed provision but also add language to make clear 
that the exception also applies to disclosures to the Secretary for 
HIPAA Privacy Rule enforcement, given the significant overlap with 
respect to disclosures under the two rules. We discuss that change, as 
well as the public comments and our responses with respect to the other 
privilege provisions, below.
(A) Section 3.204(a)--Privilege
    Proposed Rule: Proposed Sec.  3.204(a) would have described the 
general rule that, notwithstanding any other provision of Federal, 
State, local, or Tribal law, patient safety work product is privileged 
and shall not be: (1) Subject to Federal, State, local, or Tribal 
civil, criminal, or administrative subpoena or order, including in a 
disciplinary proceeding against a provider; (2) subject to discovery in 
connection with a Federal, State, local, or Tribal civil, criminal, or 
administrative proceeding, including a disciplinary proceeding against 
a provider; (3) subject to disclosure under the Freedom of Information 
Act (section 552 of Title 5, United States Code) or similar Federal, 
State, local, or Tribal law; (4) admitted as evidence in any Federal, 
State, local, or Tribal governmental civil proceeding, criminal 
proceeding, administrative rulemaking proceeding, or administrative 
adjudicatory proceeding, including any such proceeding against a 
provider; or (5) admitted in a professional disciplinary proceeding of 
a professional disciplinary body established or specifically authorized 
under State law. The proposed provision generally repeated the 
statutory language at section 922(a) of the Public Health Service Act, 
42 U.S.C. 299b-22(a) but also clarified that privilege would have 
applied to protect against use of the information in Tribal courts and 
administrative proceedings.
    Overview of Public Comments: We received no comments opposed to 
this proposed provision.
    Final Rule: The final rule adopts this proposed provision.
    Response to Other Public Comments
    Comment: Several commenters expressed concern about the lack of 
detailed explanation and information about the privilege protections as 
compared to the confidentiality provisions in the proposed rule. Some 
commenters asked for clarification about how breaches of privilege can 
be enforced and who can assert privilege protection. Two commenters 
asked whether hospital peer review committees established under state 
law qualify as disciplinary bodies for purposes of the privilege 
protection and if there is a distinction between discipline by a state 
licensing body and discipline by an internal peer review committee.
    Response: The Secretary does not have the authority to interpret 
and enforce the privilege protections of the statute, and thus, the 
proposed rule did not contain a detailed discussion of these provisions 
nor can we provide further explanation or interpretation in this final 
rule. Rather, as described above, the privilege provisions are included 
only for convenience and completeness, and because the privilege 
exceptions mirror exceptions to confidentiality. The privilege 
protections attach to patient safety work product, and we expect that 
the privilege of patient safety work product will be adjudicated and 
enforced by the tribunals, agencies or professional disciplinary bodies 
before which the information is sought and before whom the proceedings 
take place. A provider facing an opposing party who seeks to introduce 
patient safety work product in court may seek to enforce the privilege 
by filing the appropriate motions with the court asserting the 
privilege to exclude the patient safety work product from the 
proceeding.
(B) Section 3.204(b)--Exceptions to privilege
    Proposed Rule: Proposed Sec.  3.204(b) described the exceptions to 
privilege established at section 922(c) of the Public Health Service 
Act, 42 U.S.C. 299b-22c, thereby permitting disclosure of patient 
safety work product under such circumstances. In all cases, the 
exceptions to privilege were also proposed as exceptions to 
confidentiality at Sec.  3.206(b). Proposed Sec.  3.204(b)(1) would 
have permitted the disclosure of relevant patient safety work product 
for use in a criminal proceeding after a court makes an in camera 
determination that the patient safety work product contains evidence of 
a criminal act, is material to the proceeding, and is not reasonably 
available from any other source. Proposed Sec.  3.204(b)(2) would have 
permitted disclosure of identifiable patient safety work product to the 
extent required to carry out the securing and provision of equitable 
relief as provided under section 922(f)(4)(A) of the Public Health 
Service Act, 42 U.S.C. 299b-22(f)(4)(A). Proposed Sec.  3.204(b)(3) 
would have permitted disclosure of identifiable patient safety work 
product when each of the identified providers authorized the 
disclosure. Finally, proposed Sec.  3.204(b)(4) would have excepted 
patient safety work product from privilege when disclosed in 
nonidentifiable form.
    Overview of Public Comments: Some commenters expressed concern that 
allowing exceptions to privilege may not adequately protect patient 
safety work product.
    Final Rule: The final rule adopts the proposed provisions. The 
statute explicitly provides for these limited

[[Page 70772]]

exceptions to privilege and thus, they are included in this final rule.
Response to Other Public Comments
    Comment: One commenter asked that the final rule align the 
privilege exceptions in Sec.  3.204(b) with the permitted disclosures 
to law enforcement in the HIPAA Privacy Rule at 45 CFR 164.512(f).
    Response: We do not agree that expanding the exceptions to 
privilege in such a manner is appropriate or prudent. Congress 
expressly limited the exceptions to privilege to those we have repeated 
in the final rule. As relevant to law enforcement, the Patient Safety 
Act permits an exception from privilege protection for law enforcement 
purposes in only very narrow circumstances--that is, patient safety 
work product may be used in a criminal proceeding, but only after a 
judge makes an in camera determination that the information contains 
evidence of a criminal act, is material to the proceeding, and is not 
reasonably available from any other source. See Sec.  3.204(b)(1). We 
do not have authority to further expand or interpret the exceptions to 
privilege provided for in the statute. Further, we believe strong 
privilege protections are essential to ensuring the goals of the 
statute are met by encouraging maximum provider participation in 
patient safety reporting. We note that Sec.  3.206(c)(10) permits the 
disclosure of patient safety work product relating to an event that 
either constitutes the commission of a crime, or for which the 
disclosing person reasonably believes constitutes the commission of a 
crime, to law enforcement, provided that the disclosing person 
believes, reasonably under the circumstances, that the patient safety 
work product that is disclosed is necessary for criminal law 
enforcement purposes. In other cases where law enforcement needs access 
to information that is contained within patient safety work product, we 
emphasize that the definition of ``patient safety work product'' 
specifically excludes a patient's medical or billing record or other 
original patient information. See Sec.  3.20, paragraph (2)(i) of the 
definition of ``patient safety work product.'' Thus, such original 
patient information remains available to law enforcement in accordance 
with the conditions set out in the HIPAA Privacy Rule, if applicable.
(C) Section 3.204(c)--Implementation and Enforcement of the Patient 
Safety Act
    Proposed Rule: Proposed Sec.  3.204(c) would have excepted from 
privilege disclosures of relevant patient safety work product to or by 
the Secretary as needed for investigating or determining compliance, or 
seeking or imposing civil money penalties, with respect to this rule or 
for making or supporting PSO certification or listing decisions under 
the Patient Safety Act. We proposed that these disclosures also be 
permitted as an exception to confidentiality at Sec.  3.206(d). We 
explained that, in order to perform investigations and compliance 
reviews to determine whether a violation occurred, the Secretary may 
need to have access to privileged and confidential patient safety work 
product and that we believe Congress could not have intended the 
privilege and confidentiality protections of the Patient Safety Act to 
impede such enforcement by prohibiting access to necessary information 
by the Secretary. Thus, the proposed provision would have allowed 
disclosure of patient safety work product to and by the Secretary for 
enforcement purposes, including the introduction of such information 
into ALJ or Board proceedings, disclosure by the Board to properly 
review determinations or to provide records for court review, as well 
as disclosure during investigations by OCR or activities in reviewing 
PSO certifications by AHRQ. Patient safety work product disclosed under 
this proposed exception would have remained privileged and confidential 
pursuant to proposed Sec.  3.208, and proposed Sec.  3.312 limited the 
Secretary to only disclosing identifiable patient safety work product 
obtained in connection with an investigation or compliance review for 
enforcement purposes or as otherwise permitted by the proposed rule or 
Patient Safety Act.
    We also explained in the preamble to the proposed rule that the 
privilege provisions in the Patient Safety Act would not bar the 
Secretary from using patient safety work product for compliance and 
enforcement activities related to the HIPAA Privacy Rule. This 
interpretation was based on the statutory provision at section 
922(g)(3) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(3), 
which provides that the Patient Safety Act does not affect the 
implementation of the HIPAA Privacy Rule.
    Overview of Public Comments: We received one comment in support of 
and no comments opposed to this proposed provision.
    Final Rule: The final rule adopts the proposed provision, but 
expands it to expressly provide that patient safety work product also 
may be disclosed to or by the Secretary as needed to investigate or 
determine compliance with or to impose a civil money penalty under the 
HIPAA Privacy Rule. This new language implements the statutory 
provision at section 922(g)(3) of the Public Health Service Act, 42 
U.S.C. 299b-22(g)(3), which, as explained above, makes clear that the 
Patient Safety Act is not intended to affect implementation of the 
HIPAA Privacy Rule. Given the significant potential for an alleged 
impermissible disclosure to implicate both this rule's confidentiality 
provisions, as well as the HIPAA Privacy Rule, the Secretary may 
require access to privileged patient safety work product for purposes 
of determining compliance with the HIPAA Privacy Rule. The Secretary 
will use such information consistent with the statutory prohibition 
against imposing civil money penalties under both authorities for the 
same act.
    With respect to this rule, the provision, as it did in the proposed 
rule, makes clear that privilege does not apply to patient safety work 
product disclosed to or by the Secretary if needed to investigate or 
determine compliance with this rule, or to make or support decisions 
with respect to listing of a PSO. This may include access to and 
disclosure of patient safety work product to enforce the 
confidentiality provisions of the rule, to make or support decisions 
regarding the acceptance of certification and listing as a PSO, or to 
revoke such acceptance and to delist a PSO, or to assess or verify PSO 
compliance with the rule.
2. Section 3.206--Confidentiality of Patient Safety Work Product
    Proposed Sec.  3.206 described the confidentiality protection of 
patient safety work product, as well as the exceptions from 
confidentiality protection.
(A) Section 3.206(a)--Confidentiality
    Proposed Rule: Proposed Sec.  3.206(a) would have established the 
general principle that patient safety work product is confidential and 
shall not be disclosed by anyone holding the patient safety work 
product, except as permitted or required by the rule.
    Overview of Public Comments: We received no comments directly in 
reference to this provision.
    Final Rule: The final rule adopts this proposed provision.
(B) Section 3.206(b)--Exceptions to confidentiality
    Proposed Rule: Proposed Sec.  3.206(b) described the exceptions to 
confidentiality, or permitted disclosures. The preamble to the proposed 
rule explained that there were several overarching principles that

[[Page 70773]]

applied to these exceptions from confidentiality. First, these 
exceptions were ``permissions'' to disclose patient safety work product 
and the holder of the information retained full discretion whether to 
disclose. Further, as the proposed rule was a Federal baseline of 
protection, a provider, PSO, or responsible person could impose more 
stringent confidentiality policies and procedures on patient safety 
work product and condition the release of patient safety work product 
within these exceptions by contract, employment relationship, or other 
means. However, the Secretary would not enforce such policies or 
private agreements. Second, when exercising discretion to disclose 
patient safety work product, we encouraged providers, PSOs, and 
responsible persons to attempt to disclose the amount of information 
commensurate with the purpose of the disclosure and to disclose the 
least amount of identifiable patient safety work product appropriate 
for the disclosure even if that was less than what would otherwise be 
permitted by the rule and regardless of whether the information 
continued to be protected under the rule after the disclosure. Third, 
the proposal prohibited persons receiving patient safety work product 
from redisclosing it except as permitted by the rule, and we requested 
comment on whether there were any negative implications of limiting 
redisclosures in such a manner.
    We also described how the proposal would work with respect to 
entities also subject to the Privacy Act and/or the HIPAA Privacy Rule. 
We explained that agencies subject to the Patient Safety Act and the 
Privacy Act, 5 U.S.C. 552a, must comply with both statutes when 
disclosing patient safety work product. This means that, for agencies 
subject to both laws, a disclosure of patient safety work product could 
only be made if permitted by both laws. The Privacy Act permits 
agencies to make disclosures pursuant to established routine uses. See 
5 U.S.C. 552a(a)(7); 552a(b)(3); and 552a(e)(4)(D). Accordingly, we 
recommended that Federal agencies that maintain a Privacy Act system of 
records containing information that is patient safety work product 
include routine uses that will permit the disclosures allowed by the 
Patient Safety Act. For HIPAA covered entities, we explained that when 
a patient's protected health information is encompassed within patient 
safety work product, any disclosure of such information also must 
comply with the HIPAA Privacy Rule.
    Overview of Public Comments: Some commenters expressed general 
support for the narrowly drawn exceptions to confidentiality in the 
proposed rule, while one commenter expressed concern that the 
exceptions were unnecessarily complex to accomplish their purpose. 
Several commenters asked that the final rule include additional 
exceptions to confidentiality or disclosure permissions. For example, 
some commenters suggested that the final rule permit the disclosure of 
patient safety work product to federal, state, and local agencies to 
fulfill mandatory reporting requirements. Other commenters suggested an 
exception be created to permit the disclosure of patient safety work 
product to state survey agencies, regulatory bodies, or to any federal 
or state agency for oversight purposes. Another commenter requested 
that the final rule include a disclosure permission for emergency 
circumstances similar to the HIPAA Privacy Rule disclosure at 54 CFR 
164.512(j), allowing a PSO to disclose patient safety work product if 
it determines a pattern of harm and that disclosure is necessary to 
prevent an individual from harming a person or the public. One 
commenter, however, believed the proposed rule contained too many 
exceptions to confidentiality, and thus, did not adequately protect 
patient safety work product; this commenter suggested that some 
disclosure permissions be eliminated in the final rule but did not 
recommend which ones.
    Several commenters responded to the question regarding whether 
there were any negative implications of limiting redisclosures as 
outlined in the proposed rule. These commenters supported the 
limitations on redisclosures of patient safety work product in the 
proposed rule; we received no comments identifying any negative 
implications of this limitation. One commenter, however, noted that the 
redisclosures should be governed by the HIPAA Privacy and Security 
Rules.
    Finally, some commenters sought clarification regarding preemption. 
Several commenters asked whether the federal patient safety work 
product protections preempted existing State law that permitted or 
required disclosure of similar types of records. Other commenters asked 
whether greater State law protections continue to exist alongside 
patient safety work product protections, stating that some providers 
may decide not to participate with a PSO if they would lose existing 
State law protections.
    Final Rule: The final rule generally adopts the proposed 
provisions, with some modifications as explained below in the specific 
discussions of the individual disclosure permissions. The disclosure 
permissions in this section reflect those provided by the statute, and 
the Secretary has no authority to eliminate or neglect to implement 
certain of the provisions. Further, the statute provides only limited 
authority to the Secretary to expand the disclosure permissions. See, 
for example, section 922(c)(2)(F) of the Public Health Service Act, 42 
U.S.C. 299b-22(c)(2)(F), providing the Secretary with authority to 
create permissions for disclosures that the Secretary may determine, by 
rule or other means, are necessary for business operations and are 
consistent with the goals of the statute. Thus, the final rule does not 
create any new, or eliminate any proposed, categories of disclosure 
permissions.
    With respect to those commenters who requested a disclosure 
permission be added to allow for the disclosure of patient safety work 
product to federal, state, and local agencies to fulfill mandatory 
reporting requirements or for oversight purposes, we disagree that such 
a modification is necessary. The final rule gives providers much 
flexibility in defining and structuring their patient safety evaluation 
system, as well as determining what information is to become patient 
safety work product and, thus, protected from disclosure. Providers can 
structure their systems in a manner that allows for the use of 
information that is not patient safety work product to fulfill their 
mandatory reporting obligations. See the discussion regarding the 
definition of ``patient safety work product'' in this preamble for more 
information. Further, as original medical and other records are 
expressly excepted from the definition of ``patient safety work 
product,'' providers always have the option of using those records to 
generate the reports necessary for their mandatory reporting 
obligations to federal, state, and local agencies.
    With respect to disclosures for emergency circumstances, the 
Patient Safety Act provides no general exception for such disclosures. 
However, patient safety work product may be disclosed under Sec.  
3.206(b)(10) to law enforcement if the disclosing party reasonably 
believes the patient safety work product contains information that 
constitutes a crime. For emergency circumstances that do not rise to 
the level of criminal conduct, the information necessary to identify 
and address such emergencies should be readily available and accessible 
in medical records and other original

[[Page 70774]]

documents that are not protected as patient safety work product.
    The final rule also adopts the redisclosure limitations of the 
proposed rule. As described above, commenters largely supported, and 
did not identify negative implications of, these restrictions. We 
discuss the individual redisclosure limitations below in the specific 
discussions regarding the disclosure permissions to which they apply. 
We note that the HIPAA Privacy and Security Rules will govern 
redisclosures of patient safety work product only to the extent that 
the redisclosures are made by a HIPAA covered entity and the patient 
safety work product encompasses protected health information.
    In response to the comments and questions regarding preemption, we 
note that the Patient Safety Act provides that, notwithstanding any 
other provision of Federal, State, or local law, and subject to the 
prescribed exceptions, patient safety work product shall be privileged 
and confidential. See sections 922(a) and (b) of the Public Health 
Service Act, 42 U.S.C. 299b-22(a) and (b). The statute also provides as 
rules of construction the following: (1) that the Patient Safety Act 
does not limit the application of other Federal, State, or local laws 
that provide greater privilege or confidentiality protections than 
those provided by the Patient Safety Act; and (2) the Patient Safety 
Act does not preempt or otherwise affect any State law requiring a 
provider to report information that is not patient safety work product. 
See section 922(g) of the Public Health Service Act, 42 U.S.C. 299b-
22(g). Thus, the patient safety work product protections provided for 
under the statute generally preempt State or other laws that would 
permit or require disclosure of information contained within patient 
safety work product. However, State laws that provide for greater 
protection of patient safety work product are not preempted and 
continue to apply.
Response to Other Public Comments
    Comment: Several commenters asked that the final rule discuss 
redisclosures in more detail and further explain the consequences of 
redisclosures.
    Response: A redisclosure, or ``further disclosure'' as described in 
the regulatory text, of patient safety work product, like a disclosure, 
is the release, transfer, provision of access to, or divulging in any 
other manner of patient safety work product by an entity or natural 
person holding the patient safety work product to another legally 
separate entity or natural person outside the entity holding the 
patient safety work product. Natural persons or entities who receive 
patient safety work product generally may further disclose such 
information pursuant to any of the disclosure permissions in the final 
rule at Sec.  3.206, except where expressly limited pursuant to the 
provision under which the natural person or entity received the 
information. These restrictions on further disclosures may be found at 
Sec. Sec.  3.206(b)(4)(ii) (disclosure to a contractor of a provider or 
PSO for patient safety activities), 3.206(b)(7) (disclosure to the Food 
and Drug Administration (FDA) and entities required to report to FDA), 
3.206(b)(8) (voluntary disclosure to an accrediting body), 3.206(b)(9) 
(business operations), and 3.206(b)(10) (disclosure to law 
enforcement). These limitations are described more fully below in the 
discussions concerning the disclosure permissions to which they apply. 
As with an impermissible disclosure, impermissible redisclosures are 
subject to enforcement by the Secretary and potential civil money 
penalties.
    Comment: Two commenters asked that we monitor the impact of the 
rule to ensure that it does not improperly impede the necessary sharing 
of patient safety work product.
    Response: As the rule is implemented, we will monitor its impact 
and consider whether any concerns that are raised by providers, PSOs, 
and others should be addressed through future modification to the rule 
or guidance, as appropriate.
(1) Section 3.206(b)(1)--Criminal Proceedings
    Proposed Rule: Proposed Sec.  3.206(b)(1) would have permitted the 
disclosure of identifiable patient safety work product for use in a 
criminal proceeding, if a court makes an in camera determination that 
the identifiable patient safety work product sought for disclosure 
contains evidence of a criminal act, is material to the proceeding, and 
is not reasonably available from other sources. See section 
922(c)(1)(A) of the Public Health Service Act, 42 U.S.C. 299b-
22(c)(1)(A). The proposed provision paralleled the exception to 
privilege at proposed Sec.  3.204(b)(1).
    As we explained in the proposed rule, the Patient Safety Act 
establishes that patient safety work product generally will continue to 
be privileged and confidential upon disclosure. See section 922(d)(1) 
of the Public Health Service Act, 42 U.S.C. 299b-22(d)(1) and Sec.  
3.208 of this rule. However, the Patient Safety Act limits the 
continued protection of patient safety work product disclosed for use 
in a criminal proceeding pursuant to this provision. In particular, 
patient safety work product disclosed pursuant to this provision 
continues to be privileged after disclosure but is no longer 
confidential. See section 922(d)(2)(A) of the Public Health Service 
Act, 42 U.S.C. 299b-22(d)(2)(A). We explained that this would mean, for 
example, that law enforcement personnel who obtain patient safety work 
product used in a criminal proceeding could further disclose that 
information because confidentiality protection would not apply; 
however, law enforcement could not seek to introduce the patient safety 
work product in another proceeding without a new in camera 
determination that would have complied with the privilege exception at 
proposed Sec.  3.204(b)(1).
    We also reminded entities that are subject to the HIPAA Privacy 
Rule that any disclosures pursuant to this provision that encompass 
protected health information also would need to comply with the HIPAA 
Privacy Rule's provision at 45 CFR 164.512(e) for disclosures pursuant 
to judicial proceedings. We explained that we expected court rulings 
following an in camera determination to be issued as a court order, 
which would satisfy the HIPAA Privacy Rule's requirements.
    Overview of Public Comments: We received no comments opposed to 
this provision.
    Final Rule: The final rule adopts the proposed provision.
Response to Other Public Comments
    Comment: One commenter asked that the final rule make clear that 
patient safety work product disclosed under this provision continues to 
be privileged and cannot be used or reused as evidence in any civil 
proceeding even though the information is no longer confidential.
    Response: The final rule makes this clear. See Sec.  3.208(b)(1).
(2) Section 3.206(b)(2)--Equitable Relief for Reporters
    Proposed Rule: The Patient Safety Act prohibits a provider from 
taking an adverse employment action against an individual who, in good 
faith, reports information to the provider for subsequent reporting to 
a PSO or to a PSO directly. See section 922(e)(1) of the Public Health 
Service Act, 42 U.S.C. 299b-22(e)(1). For purposes of this provision, 
adverse employment actions include loss of employment, failure to 
promote, or adverse evaluations or decisions regarding credentialing or 
licensing. See 922(e)(2) of the Public Health Service Act, 42 U.S.C. 
299b-22(e)(2). The Patient Safety Act provides adversely affected 
reporters a civil right

[[Page 70775]]

of action to enjoin such adverse employment actions and obtain other 
equitable relief, including back pay or reinstatement, to redress the 
prohibited actions. See 922(f)(4) of the Public Health Service Act, 42 
U.S.C. 299b-22(f)(4). To effectuate the obtaining of equitable relief 
under this provision, the Patient Safety Act provides that patient 
safety work product is not subject to the privilege protections or to 
the confidentiality protections. Thus, proposed Sec.  3.206(b)(2) would 
have permitted the disclosure of identifiable patient safety work 
product by an employee seeking redress for adverse employment actions 
to the extent that the information is necessary to permit the equitable 
relief. This proposed provision paralleled the privilege exception to 
permit equitable relief at proposed Sec.  3.204(b)(2). Also, in 
accordance with the statute, we proposed that once patient safety work 
product is disclosed pursuant to this provision, it would have remained 
subject to confidentiality and privilege protection in the hands of all 
subsequent holders and could not be further disclosed except as 
otherwise permitted by the rule.
    We also provided guidance with respect to the application of the 
HIPAA Privacy Rule if a covered entity (or its business associate) was 
making the disclosure and the patient safety work product included 
protected health information. In that regard, we explained that, under 
the HIPAA Privacy Rule at 45 CFR 164.512(e), when protected health 
information is sought to be disclosed in a judicial proceeding via 
subpoenas and discovery requests without a court order, the disclosing 
HIPAA covered entity must seek satisfactory assurances that the party 
requesting the information has made reasonable efforts to provide 
written notice to the individual who is the subject of the protected 
health information or to secure a qualified protective order.
    Finally, the proposed rule solicited comments on whether the 
obtaining of a protective order should be a condition of the disclosure 
under this provision or whether, instead, the final rule should require 
only a good faith effort to obtain a protective order as a condition of 
this disclosure.
    Overview of Public Comments: Two commenters expressed general 
support for the proposed provision, stating that it struck the 
appropriate balance between maintaining the confidentiality and 
privilege protections on patient safety work product and allowing 
reporters of patient safety work product to seek redress for adverse 
employment actions based upon their good faith reporting of this 
information to a PSO. Several commenters responded to the question 
posed in the proposed rule asking whether a protective order should be 
a condition of disclosure under this provision or if a good faith 
effort in obtaining a protective order should be sufficient. All of 
these commenters agreed that the obtaining of a protective order should 
be a condition of disclosure of patient safety work product under this 
provision.
    Final Rule: The final rule adopts the proposed disclosure 
permission at Sec.  3.206(b)(2) but conditions the permitted disclosure 
for equitable relief on the provision of a protective order by the 
court or administrative tribunal to protect the confidentiality of the 
patient safety work product during the course of the proceeding. 
Although patient safety work product remains confidential and 
privileged in the hands of all recipients after disclosure under this 
provision, we recognize that the sensitive nature of the patient safety 
work product warrants requiring a protective order as additional 
protection on this information. Because some participants and observers 
of a proceeding involving equitable relief for an adverse employment 
action may not be aware that certain information is protected as 
patient safety work product to which penalties attach for impermissible 
disclosures, requiring a protective order is prudent to ensure that 
patient safety work product is adequately protected and that 
individuals are put on notice of its protected status. As we explained 
in the proposed rule, such a protective order could take many forms 
that preserve the confidentiality of patient safety work product. For 
example, the order could limit the use of the information to case 
preparation, but not make it evidentiary. Or, the order might prohibit 
the disclosure of the patient safety work product in publicly 
accessible proceedings and in court records to prevent liability from 
moving to a myriad of unsuspecting parties.
    We recognize that, in some cases, a reporter seeking equitable 
relief may be unable to obtain a protective order from a court prior to 
making a necessary disclosure of patient safety work product, despite 
the reporter's good faith and diligent effort to obtain one. If the 
Secretary receives a complaint that patient safety work product was 
disclosed by a reporter seeking equitable relief, the Secretary has 
discretion not to impose a civil money penalty, if appropriate. While 
the final rule requires a protective order as a condition of 
disclosure, it is not the Secretary's intent to frustrate the obtaining 
of equitable relief provided for under the statute. Thus, the Secretary 
will review the circumstances of such complaints to determine whether 
to exercise his enforcement discretion to not pursue a civil money 
penalty.
(3) Section 3.206(b)(3)--Authorized by Identified Providers
    Proposed Rule: Proposed Sec.  3.206(b)(3) would have permitted a 
disclosure of patient safety work product when each provider identified 
in the patient safety work product separately authorized the 
disclosure. This provision paralleled the privilege exception at 
proposed Sec.  3.204(b)(3) and was based on section 922(c)(1)(C) of the 
Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(C). The proposed 
rule explained that patient safety work product disclosed under this 
exception would continue to be confidential pursuant to the continued 
confidentiality provisions at section 922(d)(1) of the Public Health 
Service Act, 42 U.S.C. 299b-22(d)(1), and persons would be subject to 
liability for further disclosures in violation of that confidentiality.
    We also explained that it would be insufficient to make 
identifiable information regarding a nonauthorizing provider 
nonidentifiable in lieu of obtaining an authorization. While we 
considered such an approach, we rejected it as impractical given that 
it seemed there would be very few, if any, situations in which a 
nonauthorizing provider could be nonidentified without also needing to 
nonidentify, or nearly so, an authorizing provider in the same patient 
safety work product.
    We encouraged persons disclosing patient safety work product to 
exercise discretion with respect to the scope of patient safety work 
product disclosed and to consider whether identifying information 
regarding reporters or patients was necessary, even though the statute 
required neither patient nor reporter authorization under this 
provision. We also explained that, if the disclosing entity is a HIPAA 
covered entity (or business associate), the HIPAA Privacy Rule, 
including the minimum necessary standard when applicable, would apply 
to the disclosure of protected health information contained within the 
patient safety work product. Further, if the disclosure was not also 
permitted under the HIPAA Privacy Rule, the patient information would 
need to be de-identified. We sought public comment as to whether the 
proposed approach was sufficient to protect the interests of reporters 
and patients identified in the patient safety work

[[Page 70776]]

product permitted to be disclosed pursuant to this provision.
    While the Patient Safety Act does not specify the form of the 
authorization under this exception, we proposed that an authorization 
be in writing, be signed by the authorizing provider, and contain 
sufficient detail to fairly inform the provider of the nature and scope 
of the disclosures being authorized. The proposed rule would not have 
required that any specific terms be included in the authorization, only 
that disclosures be made in accordance with the terms of the 
authorization, whatever they may be. We sought public comment on 
whether a more stringent standard would be prudent and workable, such 
as an authorization process that is disclosure specific.
    We also proposed that any authorization be maintained by the 
disclosing entity or person for a period of six years from the date of 
the last disclosure made in reliance on the authorization, the limit of 
time within which the Secretary must initiate an enforcement action.
    Overview of Public Comments: Several commenters responded that 
patients and reporters identified in patient safety work product are 
adequately protected by this regulation and by the HIPAA Privacy Rule 
for covered entities. Some commenters, however, suggested that the 
HIPAA Privacy Rule's minimum necessary standard be applied to 
disclosures under this provision so that only the minimum necessary 
amount of patient safety work product would be permitted to be 
disclosed.
    Several commenters also responded to the question of whether a 
stricter or more prescribed standard for the authorizations should be 
included in the final rule, the majority of whom stated that the 
authorization requirements outlined in the proposed rule were adequate. 
One commenter recommended that the final rule not regulate the terms of 
the provider authorization and that such terms be left to the parties. 
Another commenter suggested that provider authorizations be time-
limited, while other commenters asked for a model authorization form 
and that the final rule provide a process for revocation of 
authorizations.
    Final Rule: The final rule adopts the proposed provision. Thus, a 
provider, PSO, or responsible person may disclose identifiable patient 
safety work product if a valid authorization is obtained from each 
identified provider and the disclosure is consistent with such 
authorization. As in the proposed rule, such authorizations must be 
retained by the disclosing entity for six years from the date of the 
last disclosure made in reliance on the authorization and made 
available to the Secretary upon request. Further, as the Department 
agrees with those commenters who believed the specific terms of the 
provider authorizations should be left to the parties, the final rule, 
as in the proposed rule, requires only that the authorization of each 
of the identified providers be in writing and signed, and contain 
sufficient detail to fairly inform the provider of the nature and scope 
of the disclosures being authorized. Thus, the parties are free to 
define their own specific terms for provider authorizations, including 
any time limitations and to what extent and the process through which 
such authorizations are revocable. Given the final rule does not 
prescribe a particular form or the terms of provider authorizations 
under this provision, we do not believe providing a model authorization 
form is appropriate or feasible.
    With respect to patient and reporter identifiers, we continue to 
strongly encourage disclosers to consider how much patient safety work 
product is necessary, and whether patient or reporter identifiers are 
necessary, to accomplish the purpose of the authorized disclosure. 
However, this final rule does not include specific limitations on the 
disclosure of patient and reporter identifiers under this provision, so 
long as the disclosure is in accordance with the terms of the provider 
authorizations. In addition, the HIPAA Privacy Rule, including the 
minimum necessary or de-identification standard, as appropriate, 
continues to apply to the disclosure of any protected health 
information contained within the patient safety work product.
Response to Other Public Comments
    Comment: One commenter asked for clarification as to whether state 
laws requiring greater protection for patient safety work product would 
apply to disclosures pursuant to this provision.
    Response: Section 922(g)(1) of the Public Health Service Act, 42 
U.S.C. 299b-22(g)(1), provides that the Patient Safety Act does not 
limit the application of other Federal, State, or local laws that 
provide greater privilege or confidentiality protections than provided 
by the Act. Thus, state laws providing greater protection for patient 
safety work product are not preempted and would apply to disclosures of 
patient safety work product.
    Comment: One commenter expressed concern that this disclosure 
permission conflicts with the disclosure permission for patient safety 
activities at proposed Sec.  3.206(b)(4) because this disclosure 
permission does not allow the sharing of any provider information, even 
if made nonidentifiable, unless all providers identified in the patient 
safety work product authorize the disclosure, while the disclosure 
permission for patient safety activities allows the sharing of provider 
information between PSOs and between providers, as long as it is 
anonymized.
    Response: These disclosure permissions are separate and independent 
of one another and serve different purposes. Disclosures of patient 
safety work product may be made pursuant to either permission, provided 
the relevant conditions are met.
    Comment: One commenter expressed concern about the disclosure 
permission's prohibition on disclosing patient safety work product in 
nonidentifiable form with respect to a provider who has not authorized 
the disclosure of the information, stating that this construct would 
make the provision difficult to implement.
    Response: The final rule adopts the provisions of the proposed rule 
and does not permit patient safety work product to be disclosed if the 
information is rendered nonidentifiable with respect to a 
nonauthorizing provider. As explained above, there are likely few 
situations in which a nonauthorizing provider could be nonidentified 
without having to also nonidentify the authorizing providers in the 
patient safety work product to be disclosed under this provision. 
Therefore, allowing nonidentification of the nonauthorizing provider is 
impractical.
    Comment: One commenter recommended that a copy of the provider 
authorization be kept in a patient's file, if the provider's authorized 
disclosure of patient safety work product resulted in a disclosure of 
the patient's protected health information, so that these disclosures 
can be tracked and included in an accounting of disclosures as required 
by 45 CFR 164.528 of the HIPAA Privacy Rule.
    Response: While the commenter's suggestion may assist in complying 
with the HIPAA Privacy Rule's accounting of disclosures standard, we do 
not include such a requirement in the final rule. Given that the 
authorizations provided for under this provision are focused on the 
disclosure of the provider's identifiable information and that the 
specific terms of such authorizations will vary based on the 
circumstances of the disclosure and the parties, it is

[[Page 70777]]

unlikely that such authorizations will contain the information 
necessary for a HIPAA covered entity to meet its accounting obligations 
to the individual patient. Further, HIPAA covered entities are free to 
design and use approaches for compliance with the HIPAA Privacy Rule's 
accounting standard that are best suited to their business needs and 
information systems.
(4) Section 3.206(b)(4)--Patient Safety Activities
    Proposed Rule: Proposed Sec.  3.206(b)(4) would have permitted the 
disclosure of identifiable patient safety work product for patient 
safety activities (i) by a provider to a PSO or by a PSO to that 
disclosing provider; or (ii) by a provider or a PSO to a contractor of 
the provider or PSO; or (iii) by a PSO to another PSO or to another 
provider that has reported to the PSO, or by a provider to another 
provider, provided, in both cases, certain direct identifiers are 
removed. This proposed permissible disclosure provision was based on 
section 922(c)(2)(A) of the Public Health Service Act, 42 U.S.C. 299b-
22(c)(2)(A), which permits the disclosure of identifiable patient 
safety work product for patient safety activities. The proposed rule 
provided that, consistent with the statute, patient safety work product 
would remain privileged and confidential once disclosed under this 
provision.
    We explained in the proposed rule that patient safety activities 
are the core mechanism by which providers may disclose patient safety 
work product to obtain external expertise from PSOs and through which 
PSOs may aggregate information from multiple providers, and communicate 
feedback and analyses back to providers. Thus, the rule needs to 
facilitate such communications so that improvements in patient safety 
can occur. To realize this goal, the proposed rule at Sec.  
3.206(b)(4)(i) would have allowed for the disclosure of identifiable 
patient safety work product reciprocally between providers and the PSOs 
to which they have reported. This would allow PSOs to collect, 
aggregate, and analyze patient safety event information and disseminate 
findings and recommendations for safety and quality improvements.
    The proposed rule at Sec.  3.206(b)(4)(ii) also would have allowed 
for disclosures by providers and PSOs to their contractors who are not 
workforce members, recognizing that there may be situations where 
providers and PSOs want to engage contractors who are not agents to 
carry out patient safety activities. However, to ensure patient safety 
work product remained adequately protected in such cases, the proposed 
rule would have prohibited contractors from further disclosing patient 
safety work product, except to the provider or PSO from which they 
first received the information. We explained in the proposed rule that 
this limitation would not, however, preclude a provider or PSO from 
exercising its authority under section 922(g)(4) of the Public Health 
Service Act, 42 U.S.C. 299b-22(g)(4), to separately delegate its power 
to the contractor to make other disclosures. We also stated that, 
although the proposed rule did not require a contract between the 
provider or PSO and the contractor, we fully expected the parties to 
engage in prudent practices to ensure patient safety work product 
remained confidential.
    Further, to allow for more effective aggregation of patient safety 
work product, the proposal at Sec.  3.206(b)(4)(iii) would have allowed 
PSOs to disclose patient safety work product to other PSOs or to other 
providers that have reported to the PSO (but not about the specific 
event(s) to which the patient safety work product relates), and 
providers to disclose patient safety work product to other providers, 
for patient safety activities, as long as the patient safety work 
product was anonymized through the removal of direct identifiers of 
providers and patients. See proposed Sec.  3.206(b)(4)(iii)(A). In 
particular, to anonymize provider identifiers, the proposed rule would 
have required the removal of the following direct identifiers of any 
providers and of affiliated organizations, corporate parents, 
subsidiaries, practice partners, employers, members of the workforce, 
or household members of such providers: (1) Names; (2) postal address 
information, other than town or city, State and zip code; (3) telephone 
numbers; (4) fax numbers; (5) electronic mail addresses; (6) social 
security numbers or taxpayer identification numbers; (7) provider or 
practitioner credentialing or DEA numbers; (8) national provider 
identification number; (9) certificate/license numbers; (10) web 
universal resource locators; (11) internet protocol (IP) address 
numbers; (12) biometric identifiers, including finger and voice prints; 
and (13) full face photographic images and any comparable images. For 
patient identifiers, the proposed rule would have applied the HIPAA 
Privacy Rule limited data set standard. See 45 CFR 164.514(e). We 
explained in the proposed rule that removal of the required identifiers 
could be absolute or be done through encryption, provided the 
disclosing entity did not disclose the key to the encryption or the 
mechanism for re-identification.
    Recognizing that fully nonidentifiable patient safety work product 
may have limited usefulness due to the removal of key elements of 
identification, the proposed rule specifically sought public comment on 
whether there were any entities other than providers, PSOs, or their 
contractors that would need fully identifiable or anonymized patient 
safety work product for patient safety activities.
    The proposed rule also explained the intersection with the HIPAA 
Privacy Rule with respect to these disclosures, and noted that, as 
provided by the statute, PSOs would be treated as business associates 
and patient safety activities performed by, or on behalf of, a covered 
provider by a PSO would be deemed health care operations as defined by 
the HIPAA Privacy Rule. For a more detailed discussion of the 
application of the HIPAA Privacy Rule with respect to disclosures under 
this proposed provision, see the preamble to the proposed rule at 73 FR 
8146-8147. The proposed rule sought public comment on whether the HIPAA 
Privacy Rule definition of ``health care operations'' should be 
modified to include a specific reference to patient safety activities 
and whether the HIPAA Privacy Rule disclosure permission for health 
care operations should be modified to include a reference to patient 
safety activities.
    Overview of Public Comments: The commenters expressed general 
support for the reciprocal disclosure of patient safety work product 
between providers and PSOs for patient safety activities. Additionally, 
commenters expressed general support for the disclosure of patient 
safety work product by a PSO or provider to its contractor to carry out 
patient safety activities.
    Commenters also generally supported the proposed permissible 
disclosure of patient safety work product between PSOs for patient 
safety activities, between PSOs and other providers that have reported 
to that PSO, and between providers. However, many commenters expressed 
concern about the proposed rule requirement at Sec.  3.206(b)(4)(iii) 
to anonymize patient safety work product prior to disclosure. Some 
commenters stated that this requirement inappropriately limited a PSO's 
ability to share this information with other PSOs and could prevent 
PSOs from being able to identify duplicate reports of a single event 
coming from independent sources in the patient safety work product 
received from other

[[Page 70778]]

PSOs. One suggested that PSOs be able to share identifiable patient 
safety work product with other PSOs, while another commenter stated 
that provider names, addresses, and phone numbers should be included in 
patient safety work product to permit follow up contact with the 
provider and as a way to identify duplicate adverse event reports. This 
commenter suggested that PSOs be able to contract with other PSOs as 
their contractors so that they could share patient safety information 
that has not been anonymized with one another subject to Sec.  
3.206(b)(4)(ii), or alternatively, that the final rule allow PSOs to 
share patient safety work product identifying providers with other PSOs 
if a contract ensuring the confidentiality of this information is in 
place between the PSOs. Other commenters expressed concern that the 
anonymization requirement limited the ability of providers to use and 
disclose patient safety work product to other providers or students for 
educational, academic, or professional purposes. These commenters 
feared that the proposed rule would inhibit providers' ability to 
consult with other providers about patient safety events and requested 
clarification from the Department that the rule would not prohibit the 
disclosure of patient safety work product among physicians and other 
health care professionals, particularly for education purposes or for 
preventing or ameliorating harm.
    Many commenters also responded to the question in the proposed rule 
regarding whether the patient safety activities disclosure permission 
should be expanded to encompass additional entities. Commenters 
identified no additional entities to include in this disclosure 
permission; however, some commenters suggested that the Department 
monitor this provision so that exceptions for disclosures to additional 
entities may be made in the future if necessary.
    Final Rule: The final rule adopts without modification proposed 
Sec.  3.206(b)(4)(i) and Sec.  3.206(b)(4)(ii), permitting disclosure 
of patient safety work product for patient safety activities between 
providers and PSOs, and between providers or PSOs and their contractors 
that undertake patient safety activities on their behalf. In addition, 
the final rule modifies proposed Sec.  3.206(b)(4)(iii) with respect to 
disclosures to another PSO or provider, redesignates the provision as 
Sec.  3.206(b)(4)(iv), and adds a new Sec.  3.206(b)(4)(iii).
    New Sec.  3.206(b)(4)(iii) of the final rule permits disclosure of 
identifiable patient safety work product among affiliated providers for 
patient safety activities. Unlike disclosures between providers in 
Sec.  3.206(b)(4)(iv), the patient safety work product disclosed 
pursuant to this permission need not be anonymized prior to disclosure. 
An affiliated provider is defined in the final rule as ``with respect 
to a provider, a legally separate provider that is the parent 
organization of the provider, is under common ownership, management, or 
control with the provider, or is owned, managed, or controlled by the 
provider.'' See Sec.  3.20. This addition to the final rule is included 
in recognition that certain provider entities with a common corporate 
affiliation, such as integrated health systems, may have a need, just 
as a single legal entity, to share identifiable and non-anonymized 
patient safety work product among the various provider affiliates and 
their parent organization for patient safety activities and to 
facilitate, if desired, one corporate patient safety evaluation system. 
We emphasize that provider entities can choose not to use this 
disclosure mechanism if they believe that doing so would adversely 
affect provider participation, given that patient safety work product 
would be shared more broadly across the affiliated entities.
    The final rule adopts the disclosure permission for patient safety 
work product proposed at Sec.  3.206(b)(4)(iii) in the proposed rule; 
however, the final rule relocates this disclosure permission to Sec.  
3.206(b)(4)(iv) and retitles this section for clarity. This disclosure 
permission requires that patient safety work product disclosed for 
patient safety activities by a PSO to another PSO or to another 
provider that has reported to the PSO or by a provider to another 
provider must be anonymized through the removal of certain provider-
related direct identifiers listed in Sec.  3.206(b)(4)(iii)(A), as well 
as the removal of patient direct identifiers pursuant to the HIPAA 
Privacy Rule's limited data set standard at 45 CFR 164.514(e)(2).
    Although the final rule includes a provision for disclosure of 
fully identifiable patient safety work product among affiliated 
providers, we believe it is unnecessary to provide a similar provision 
that would allow for the sharing of identifiable and non-anonymized 
patient safety work product between PSOs since the final rule includes 
multiple avenues for secondary PSOs, i.e., those PSOs that do not have 
the direct reporting relationship with the provider, to receive 
provider identifiable data, if needed. In particular, the final rule 
allows: (1) A PSO receiving patient safety work product from a provider 
to contact that provider and recommend that the provider also report 
the patient safety work product to an additional PSO; (2) a provider 
reporting to a PSO to delegate its authority to the PSO to report its 
patient safety work product to an additional PSO; (3) a PSO to hire 
another PSO as a consultant to assist in the evaluation of patient 
safety work product received from a reporting provider, pursuant to 
Sec.  3.206(b)(4)(ii); and (4) a PSO to disclose identifiable and non-
anonymized patient safety work product to another PSO if it has 
obtained authorization to do so from each provider identified in the 
patient safety work product. See Sec.  3.206(b)(3).
    To address the concerns of providers generally that the rule would 
prohibit the disclosure of patient safety work product among physicians 
and other health care professionals, particularly for educational 
purposes or for preventing or ameliorating patient harm, we emphasize 
that the rule does not regulate uses of patient safety work product 
within a single legal entity. (However, we note that we have expressly 
defined as a disclosure the sharing of patient safety work product 
between a component PSO and the rest of the legal entity of which it is 
a part.) Thus, consistent with this policy, providers within a single 
legal entity are free to discuss and share patient safety work product 
in identifiable and non-anonymized form for educational, academic, or 
other professional purposes. We have made this policy clear in the 
final rule by modifying the definition of disclosure to apply only to 
the release, transfer, provision of access to, or divulging in any 
other manner of patient safety work product by: (1) an entity or 
natural person holding the patient safety work product to another 
legally separate entity or natural person outside the entity holding 
the patient safety work product; or (2) a component PSO to another 
entity or natural person outside the component organization. Further, 
as described above, the new provision at Sec.  3.206(b)(4)(iii) allows 
the sharing of fully identifiable patient safety work product among 
affiliated providers. However, if providers wish to disclose patient 
safety work product to other providers outside of their legal entity or 
to non-affiliated providers, the information must be anonymized subject 
to Sec.  3.206(b)(4)(iv)(A) and (B) or disclosed subject to another 
applicable disclosure permission.
Response to Other Public Comments
    Comment: One commenter asked that the final rule prohibit the

[[Page 70779]]

recommendations made by a PSO from being introduced as evidence of a 
standard of care or for other purposes in a judicial or administrative 
proceeding.
    Response: A recommendation made by a PSO is patient safety work 
product to which the privilege and confidentiality protections attach. 
Therefore, the information can only be disclosed through an applicable 
disclosure permission. However, as we explained in the proposed rule, 
while the recommendations themselves are protected, the corrective 
actions implemented by a provider, even if based on the protected 
recommendations from a PSO, are not patient safety work product.
    Comment: One commenter asked if permissible disclosures of patient 
safety work product for patient safety activities under this disclosure 
permission could include disclosures for credentialing, disciplinary, 
and peer review purposes.
    Response: The disclosure permission at Sec.  3.206(b)(4) of the 
final rule for patient safety activities does not encompass the 
disclosure of patient safety work product to an external entity or 
within an administrative proceeding for credentialing, disciplinary, or 
peer review purposes. However, as explained above, uses of patient 
safety work product within a legal entity are not regulated and thus, 
patient safety work product may be used within an entity for any 
purpose, including those described by the commenter, so long as such 
use does not run afoul of the statutory prohibition on a provider 
taking an adverse employment action against an individual based on the 
fact that the individual in good faith reported information either to 
the provider with the intention of having the information reported to a 
PSO or directly to a PSO. (Note, though, that we have expressly defined 
as a disclosure the sharing of patient safety work product between a 
component PSO and the rest of the legal entity of which it is a part.)
    Comment: One commenter suggested that PSOs should be required to 
maintain an accounting of all disclosures of patient safety work 
product containing individually identifiable health information in 
parallel to the HIPAA Privacy Rule requirement for covered entities. In 
order to further protect patient privacy, this commenter suggested that 
patients be made third party beneficiaries of the contracts between 
providers and PSOs.
    Response: A HIPAA covered entity is responsible for ensuring that 
disclosures of protected health information made by a PSO, as its 
business associate, are included in an accounting of disclosures to the 
extent such disclosures are subject to an accounting at 45 CFR 164.528. 
Further, the HIPAA Privacy Rule provides that a contract between a 
HIPAA covered entity and its business associate must require the 
business associate to make available to the covered entity the 
information it needs to comply with the HIPAA Privacy Rule's accounting 
standard. See 45 CFR 164.504(e). However, we expect that most 
permissible disclosures of patient safety work product that include 
protected health information will not be subject to the HIPAA Privacy 
Rule's accounting requirements. The HIPAA Privacy Rule's accounting 
standard does not require that disclosures made for health care 
operations be included in an accounting. See 45 CFR 164.528(a)(1)(i). 
Thus, because disclosures for patient safety activities at Sec.  
3.206(b)(4), business operations at Sec.  3.206(b)(9), or accreditation 
purposes at Sec.  3.206(b)(8) will generally be for the provider's 
health care operations, the provider does not need to account for these 
disclosures. Additionally, for disclosures of patient safety work 
product that are subject to the HIPAA Privacy Rule's accounting 
requirement, such as disclosures to the FDA and entities required to 
report to the FDA at Sec.  3.206(b)(7), the HIPAA Privacy Rule offers 
enough flexibility for a provider generally to provide an accounting of 
those disclosures without revealing the existence of patient safety 
work product. Therefore, we do not believe including a requirement 
directly on PSOs with respect to the HIPAA Privacy Rule's accounting 
standard is needed or appropriate. Nor do we agree that contracts 
between providers and PSOs should designate individuals as third party 
beneficiaries of such contracts. We believe the HIPAA Privacy Rule's 
existing provisions provide adequate protections for identifiable 
patient information that may be encompassed within patient safety work 
product; however, we also expect PSOs generally to disclose anonymized 
and nonidentifiable patient safety work product.
    Comment: Another commenter suggested that patient safety work 
product should be able to be used and disclosed in the same 
circumstances that protected health information can be used and 
disclosed under the HIPAA Privacy Rule for health care operations.
    Response: The final rule does not regulate ``uses'' of patient 
safety work product within a legal entity; thus, a provider, PSO, or 
responsible person may use patient safety work product for any purpose 
within the legal entity, including those considered ``health care 
operations'' for purposes of the HIPAA Privacy Rule. With respect to 
disclosures, however, we do not agree that expanding the disclosure 
permission in the manner suggested by the commenter is appropriate. The 
disclosure permissions in the final rule are carefully crafted to 
balance the need for the information to remain confidential with the 
need to disclose patient safety work product to effectuate the goals of 
the statute or for other limited purposes provided by the statute. With 
respect to disclosures for patient safety activities, while it is clear 
that patient safety activities are health care operations under the 
HIPAA Privacy Rule, only a subset of activities within the definition 
of ``health care operations'' are relevant to patient safety.
    Comment: One commenter asked for clarification about whether a 
provider can report a single patient safety event to multiple PSOs.
    Response: Providers are free to report patient safety work product 
to, and have relationships with, multiple PSOs.
    Comment: A commenter asked that the final rule explain the process 
for disclosing patient safety work product to the National Patient 
Safety Databank.
    Response: The Department intends to provide further guidance and 
information regarding the creation of and reporting to and among the 
network of patient safety databases, as part of implementation of 
section 923 of the Public Health Service Act, including information on 
common formats for collecting and disclosing nonidentifiable patient 
safety work product for such purposes. The Department announced the 
availability of, and sought comment on, common formats for common 
hospital-based patient safety events in the Federal Register on August 
29, 2008 (http://www.pso.ahrq.gov/formats/commonfmt.htm).
    Comment: One commenter suggested that the final rule require 
providers and PSOs to have written contracts in place with contractors 
who are not their agents but who will carry out patient safety 
activities on their behalf. Another commenter asked if the final rule 
will include a requirement similar to a business associate contract 
under the HIPAA Privacy Rule between PSOs and its contractors.
    Response: The final rule does not require providers and PSOs to 
have written contracts in place with contractors who are not their 
agents but who will carry out patient safety activities on their 
behalf. However, we expect that, in practice, such relationships will 
be governed by

[[Page 70780]]

contract, but we leave the terms of those relationships up to the 
parties. We note, though, that if a HIPAA covered entity hires a 
contractor to conduct patient safety activities on its behalf, which 
requires access to protected health information, the HIPAA Privacy Rule 
would require that a business associate agreement be in place prior to 
any disclosure of such information to the contractor. See 45 CFR 
164.502(e) and 164.504(e).
    Comment: Some commenters asked that the final rule provide 
clarification regarding the circumstances under which PSOs can disclose 
patient safety work product to other PSOs to aggregate this information 
for patient safety activities purposes.
    Response: Section 3.206(b)(4)(iv) of the final rule permits such 
disclosures, provided the patient safety work product is anonymized by 
removal of the direct identifiers of both providers and patients. Also, 
the final rule permits a PSO to disclose patient safety work product to 
another PSO if authorized by the identified providers as provided in 
Sec.  3.206(b)(3) or in non-identifiable form in accordance with Sec.  
3.206(b)(5). Finally, a provider reporting to a PSO may delegate its 
authority to the PSO to report its patient safety work product to an 
additional PSO, as provided by Sec.  3.206(e).
    Comment: A commenter suggested that a data use agreement be 
required when any information, including individually identifiable 
health information, is being shared through a limited data set.
    Response: If a HIPAA covered entity is sharing a limited data set, 
as defined by the HIPAA Privacy Rule, the covered entity must enter 
into a data use agreement with the recipient of the information. See 45 
CFR 164.504(e). For entities that are not covered by the HIPAA Privacy 
Rule, the final rule does not include such a requirement; however, we 
encourage such parties to engage in these and similar practices to 
further protect patient safety work product.
    Comment: Two commenters asked for clarification in the final rule 
about whether patient safety work product disclosed by a provider to a 
PSO or by a PSO to a provider can identify other providers regardless 
of whether they have also reported to that PSO. One commenter asked if 
the rule requires that authorization from all the identified providers 
is required before this disclosure can be made.
    Response: The final rule at Sec.  3.206(b)(4)(i) allows the 
disclosure of patient safety work product in identifiable form 
reciprocally between the provider and the PSO to which it reports. This 
information can contain information identifying other providers. If the 
patient safety work product is being disclosed between PSOs, between 
unaffiliated providers, or between a PSO and other providers that have 
reported to it, then the information must be anonymized prior to 
disclosure subject to Sec.  3.206(b)(4)(iv)(A) and (B). In addition, if 
a provider or PSO obtains authorizations from all providers identified 
in the patient safety work product, or if the patient safety work 
product is being shared among affiliated providers, then such 
information may be disclosed in identifiable form under Sec.  
3.206(b)(3) and 3.206(b)(4)(iii).
    Comment: Several commenters expressed concern about the 
anonymization requirement at proposed Sec.  3.206(b)(4)(iii)(A) and 
stated that a provider may be identifiable even if the patient safety 
work product is anonymized. One commenter suggested that zip codes 
should be included in the list of identifiers that must be removed from 
the patient safety work product. Other commenters felt that the 
anonymization standard was too strict.
    Response: We believe the anonymization standard in the final rule 
at Sec.  3.206(b)(4)(iv)(A) strikes the appropriate balance between the 
need to protect patient safety work product and the need for broader 
sharing of such information at an aggregate level, outside of the 
direct provider and PSO relationship, to achieve the goals of the 
statute and improve patient safety.
    Comment: We received several comments in response to the questions 
asked in the proposed rule about whether the HIPAA Privacy Rule 
definition of ``health care operations'' should include a specific 
reference to patient safety activities and whether the Privacy Rule 
disclosure permission for health care operations should be modified to 
conform to the disclosure for patient safety activities. These 
commenters expressed overwhelming support for modifying the HIPAA 
Privacy Rule's definition of ``health care operations'' to include such 
a specific reference and to aligning the disclosure permission for 
health care operations with that for patient safety activities. The 
commenters stated that including such specific references would make 
the intersection of both regulations clear, and would encourage patient 
safety discourse among providers and PSOs. One commenter stated that 
there was no need to modify the definition of ``health care 
operations'' because it already unambiguously encompassed patient 
safety activities. No commenters suggested that modifications to the 
Privacy Rule were necessary to address any workability issues.
    Response: OCR will consider these comments and will seek 
opportunity to address them in regulation or in guidance.
(5) Section 3.206(b)(5)--Disclosure of Nonidentifiable Patient Safety 
Work Product
    Proposed Rule: Proposed Sec.  3.206(b)(5) would have permitted the 
disclosure of nonidentifiable patient safety work product if the 
patient safety work product met the standard for nonidentification in 
proposed Sec.  3.212. See section 922(c)(2)(B) of the Public Health 
Service Act, 42 U.S.C. 299b-22(c)(2)(B). As described in proposed Sec.  
3.208(b)(ii), nonidentifiable patient safety work product, once 
disclosed, would no longer be privileged and confidential and thus, 
could be redisclosed by a recipient without any Patient Safety Act 
limitations or liability. Any provider, PSO or responsible person could 
nonidentify patient safety work product. See the discussion regarding 
Sec.  3.212 for more information about the nonidentification standard.
    Overview of Public Comments: We received no comments opposed to 
this proposed provision.
    Final Rule: The final rule adopts the proposed provision.
Response to Other Public Comments
    Comment: One commenter asked that the final rule require data use 
agreements for disclosures of nonidentifiable patient safety work 
product in cases where there is a chance for identification or 
reidentification of provider identities.
    Response: We emphasize that patient safety work product is 
considered nonidentifiable only if, either: (1) the statistical method 
at Sec.  3.212(a)(1) is used and there is a very small risk that the 
information could be used, alone or in combination with other 
reasonably available information, by an anticipated recipient to 
identify an identified provider; or (2) the identifiers listed at Sec.  
3.212(a)(2) are stripped and the person making the disclosure does not 
have actual knowledge that the remaining information could be used, 
alone or in combination with other information that is reasonably 
available to the intended recipient, to identify a provider. Thus, the 
commenter should consider whether the information about which it is 
concerned would be nonidentifiable for purposes of this rule. Further, 
while the final rule does not require that the disclosure of 
nonidentifiable patient safety work product be conditioned on

[[Page 70781]]

an agreement between the parties to the disclosure, we note that 
providers, PSOs, and responsible persons are free to contract or enter 
into agreements that place further conditions on the release of patient 
safety work product, including in nonidentifiable form, than required 
by the final rule. See Sec.  3.206(e).
    Comment: Several commenters stated that identifiable information 
about nondisclosing providers should not be disclosed and that adequate 
safeguards should be in place to ensure that information identifying 
nondisclosing providers is not released. These commenters also 
suggested that AHRQ set up a workgroup to evaluate the standards and 
approaches set forth in the proposed rule.
    Response: The nonidentification standard at Sec.  3.212 of the 
final rule addresses the commenters' concern by requiring either that: 
(1) a statistician determine, with respect to information, that the 
risk is very small that the information could be used, alone or in 
combination with other reasonably available information, by an 
anticipated recipient to identify an identified provider; or (2) all of 
the provider-related identifiers listed at Sec.  3.212(a)(2) be removed 
and the provider, PSO, or responsible person making the disclosure not 
have actual knowledge that the information could be used, alone or in 
combination with other information that is reasonably available to the 
intended recipient, to identify the particular provider.
(6) Section 3.206(b)(6)--For Research
    Proposed Rule: Proposed Sec.  3.206(b)(6) would have allowed the 
disclosure of identifiable patient safety work product to entities 
carrying out research, evaluations, or demonstration projects that are 
funded, certified, or otherwise sanctioned by rule or other means by 
the Secretary. See section 922(c)(2)(C) of the Public Health Service 
Act, 42 U.S.C. 299b-22(c)(2)(C). We explained in the proposed rule that 
this disclosure permission was only for research sanctioned by the 
Secretary. We also explained that we expected that most research that 
may be subject to this disclosure permission would be related to the 
methodologies, analytic processes, and interpretation, feedback and 
quality improvement results from PSOs, rather than general medical, or 
even health services, research. Patient safety work product disclosed 
for research under this provision would continue to be confidential and 
privileged.
    Section 922(c)(2)(C) of the Public Health Service Act, 42 U.S.C. 
299b-22(c)(2)(C), requires that patient safety work product which 
identifies patients may only be released to the extent that protected 
health information would be disclosable for research purposes under the 
HIPAA Privacy Rule. We interpreted this provision as requiring HIPAA 
covered entities to ensure any disclosures of patient safety work 
product under this provision that also include protected health 
information comply with the HIPAA Privacy Rule's research provisions. 
Accordingly, the proposal incorporated by reference 45 CFR 164.512(i) 
of the HIPAA Privacy Rule, which generally requires a covered entity to 
obtain documentation of a waiver (or alteration of waiver) of 
authorization by either an Institutional Review Board (IRB) or a 
Privacy Board prior to using or disclosing protected health information 
without the individual's authorization.
    We noted that our interpretation of the statute would not impact 
the disclosure of identifiable patient safety work product by entities 
or persons that are not HIPAA covered entities. We also explained that 
the incorporation by reference of the HIPAA Privacy Rule should provide 
for the proper alignment of disclosures for research purposes under the 
two rules. However, the exception under the Patient Safety Act also 
refers to evaluations and demonstration projects, some of which may not 
meet the definition of research under the HIPAA Privacy Rule because 
they may not result in generalizable knowledge but rather may fall 
within the HIPAA Privacy Rule's definition of ``health care 
operations.'' We stated that, in such cases, HIPAA covered entities 
disclosing patient safety work product that includes protected health 
information under this exception could do so without violation of the 
HIPAA Privacy Rule. See the definition of ``health care operations'' at 
45 CFR 164.501 of the HIPAA Privacy Rule.
    Overview of Public Comments: We received no comments in reference 
to this provision.
    Final Rule: The final rule adopts the proposed provision, except 
that the specific reference to ``45 CFR 164.512(i)'' is deleted. We 
have included only a general reference to the HIPAA Privacy Rule in 
recognition of the fact that disclosures of patient safety work product 
containing protected health information pursuant to this provision 
could be permissible under the HIPAA Privacy Rule under provisions 
other than 45 CFR 164.512(i), such as, for example, disclosures for 
health care operations pursuant to 45 CFR 164.506, or disclosures of a 
limited data set for research purposes pursuant to 45 CFR 164.514(e).
(7) Section 3.206(b)(7)--To the Food and Drug Administration
    Proposed Rule: Section 922(c)(2)(D) of the Public Health Service 
Act, 42 U.S.C. 299b-22(c)(2)(D), permits the disclosure by a provider 
to the Food and Drug Administration (FDA) with respect to a product or 
activity regulated by the FDA. Proposed Sec.  3.206(b)(7) would have 
implemented this provision by permitting providers to disclose patient 
safety work product concerning products or activities regulated by the 
FDA to the FDA or to an entity required to report to the FDA concerning 
the quality, safety, or effectiveness of an FDA-regulated product or 
activity. The proposed rule also would have permitted the sharing of 
patient safety work product between the FDA, entities required to 
report to the FDA, and their contractors concerning the quality, 
safety, or effectiveness of an FDA-regulated product or activity. 
Patient safety work product disclosed pursuant to this disclosure 
permission would continue to be privileged and confidential.
    We specifically sought public comment on our interpretation that 
the statutory language concerning reporting ``to the FDA'' included 
reporting by the provider to persons or entities regulated by the FDA 
and that are required to report to the FDA concerning the quality, 
safety, or effectiveness of an FDA-regulated product or activity. We 
proposed this interpretation to allow providers to report to entities 
that are required to report to the FDA, such as drug manufacturers, 
without violating this rule, and asked if including such language would 
bring about any unintended consequences for providers.
    We further proposed at Sec.  3.206(b)(7)(ii) that the FDA and 
entities required to report to the FDA may only further disclose 
patient safety work product for the purpose of evaluating the quality, 
safety, or effectiveness of that product or activity and such further 
disclosures would only be permitted between the FDA, entities required 
to report to the FDA, their contractors, and the disclosing providers. 
Thus, for example, the FDA or a drug manufacturer receiving adverse 
drug event information that is patient safety work product may engage 
in further communications with the disclosing provider(s), for the 
purpose of evaluating the quality, safety, or effectiveness of the 
particular regulated product or activity, or may work with their 
contractors. Moreover, an entity regulated by the FDA may further 
disclose the information to the FDA. The proposed provision also would

[[Page 70782]]

have prohibited contractors receiving patient safety work product under 
this provision from further disclosing such information, except to the 
entity from which they received the information.
    Finally, we explained that the HIPAA Privacy Rule at 45 CFR 
164.512(b) permits HIPAA covered entities to disclose protected health 
information concerning FDA-regulated activities and products to persons 
responsible for collection of information about the quality, safety, 
and effectiveness of those FDA-regulated activities and products. 
Therefore, disclosures under this exception of patient safety work 
product containing protected health information would be permitted 
under the HIPAA Privacy Rule.
    Overview of Public Comments: We received general support in the 
public comments for the express reference to FDA-regulated entities 
within this disclosure permission; only one commenter opposed this 
provision. Some commenters asked that the final rule provide examples 
of the types of disclosures that might occur to FDA-regulated entities, 
and one commenter suggested that if such disclosures are permitted, the 
final rule should include a comprehensive list of acceptable 
disclosures to these entities. Another commenter noted that if 
disclosures to FDA-regulated entities are permitted under this 
disclosure permission, the final rule should limit the use of patient 
safety work product to the purposes stated in the statute and should 
prohibit the use of this information for marketing purposes. No 
commenters identified any unintended consequences of including FDA-
regulated entities within the disclosure permission.
    Final Rule: The final rule adopts the provisions of the proposed 
rule at Sec.  3.206(b)(7), including the express reference to FDA-
regulated entities. We also modify the title of the provision to 
reflect that disclosures to such entities are encompassed within the 
disclosure permission. As explained in the proposed rule, we believe 
including FDA-regulated entities within the scope of the disclosure 
permission is consistent with both the rule of construction in the 
statute which preserves required reporting to the FDA, as well as the 
goals of the statute which are to improve patient safety. See section 
922(g)(6) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(6). In 
addition, the final rule includes modifications to more clearly 
indicate who can receive patient safety work product under this 
provision, as well as what further disclosures may be made of such 
information. Specifically, Sec.  3.206(b)(7)(i) now makes clear that a 
provider may disclose patient safety work product concerning an FDA-
regulated product or activity to the FDA, an entity required to report 
to the FDA concerning the quality, safety, or effectiveness of an FDA-
regulated product or activity, or a contractor acting on behalf of FDA 
or such entity for these purposes. Further, Sec.  3.206(b)(7)(ii) 
clarifies that the FDA, its regulated entity entitled to receive 
information under this provision, and their contractors may share 
patient safety work product received under this provision for the 
purpose of evaluating the quality, safety, or effectiveness of that 
product or activity among themselves, as well as with the disclosing 
provider.
    We do not include a comprehensive list of acceptable disclosures to 
FDA-regulated entities as it would be impractical to do so. As we 
explained in the proposed rule, drug, device, and biological product 
manufacturers are required to report adverse experiences to the FDA and 
currently rely on voluntary reports from product users, including 
providers. Further, the analysis of events by a provider or PSO that 
constitutes patient safety work product may generate information that 
should be reported to the FDA or FDA-regulated entity because it 
relates to the safety or effectiveness of an FDA-regulated product or 
activity. This provision allows providers to report such information 
without violating the confidentiality provisions of the statute or 
rule. However, we emphasize that, despite this disclosure permission, 
we expect that most reporting to the FDA and its regulated entities 
will be done with information that is not patient safety work product, 
as is done today. This disclosure permission is intended to allow for 
reporting to the FDA or FDA-regulated entity in those special cases 
where, only after an analysis of patient safety work product, does a 
provider realize it should make a report. As in the proposed rule, 
patient safety work product disclosed pursuant to this provision 
remains privileged and confidential.
Response to Other Public Comments
    Comment: Five commenters asked that the final rule allow PSOs as 
well as providers to disclose or report patient safety work product to 
the FDA or to an entity that is required to report to the FDA.
    Response: We do not modify the provision as there is no statutory 
authority to allow PSOs to report patient safety work product to the 
FDA or to an entity required to report to the FDA. However, the statute 
does permit providers to report patient safety work product to the FDA 
or to an entity required to report to the FDA.
    Comment: One commenter asked for clarification as to whether lot 
numbers and device identifiers and serial numbers may be reported to 
the FDA under this disclosure permission.
    Response: Section 3.206(b)(7) would allow such information 
contained within patient safety work product to be reported to FDA 
provided it concerned an FDA-regulated product or activity.
(8) Section 3.206(b)(8)--Voluntary Disclosure to an Accrediting Body
    Proposed Rule: Proposed Sec.  3.206(b)(8) would have permitted the 
voluntary disclosure of identifiable patient safety work product by a 
provider to an accrediting body that accredits that disclosing 
provider. See section 922(c)(2)(E) of the Public Health Service Act, 42 
U.S.C. 299b-22(c)(2)(E). Patient safety work product disclosed pursuant 
to this proposed exception would remain privileged and confidential.
    This provision would have allowed a provider to disclose patient 
safety work product that identifies that disclosing provider. Further, 
the proposed rule would not have required that patient safety work 
product be nonidentifiable as to nondisclosing providers. The proposed 
rule specifically sought public comment on whether patient safety work 
product should be anonymized with respect to nondisclosing providers 
prior to disclosure to an accrediting body under this provision.
    The proposed rule also provided that an accrediting body could not 
take an accreditation action against a provider based on that 
provider's participation, in good faith, in the collection, reporting 
or development of patient safety work product. It also would have 
prohibited accrediting bodies from requiring a provider to reveal its 
communications with any PSO.
    Overview of Public Comments: Several commenters responded to the 
question of whether the final rule should require the anonymization of 
patient safety work product with respect to nondisclosing providers, 
all of which supported such a requirement. Another commenter noted that 
the final rule should expressly prohibit accrediting bodies from taking 
accreditation actions against nondisclosing providers based upon the 
patient safety work product reported to them by disclosing providers.
    Final Rule: In light of the comments received, the final rule 
modifies the proposed provision at Sec.  3.206(b)(8) to condition the 
voluntary disclosure by a provider of patient safety work product

[[Page 70783]]

to an accrediting body that accredits the provider on either: (1) the 
agreement of the nondisclosing providers to the disclosure; or (2) the 
anonymization of the patient safety work product with respect to any 
nondisclosing providers identified in the patient safety work product, 
by removal of the direct identifiers listed at Sec.  
3.206(b)(4)(iv)(A). Direct identifiers of the disclosing providers do 
not need to be removed. We also note that the final rule does not 
prescribe the form of the agreement obtained from non-disclosing 
providers. Providers are free to design their own policies for 
obtaining such agreements. Some institutional providers may, for 
example, make it a condition of employment or privileges that providers 
agree to the disclosure of patient safety work product to accrediting 
bodies. In addition, unlike the provision at Sec.  3.206(b)(3) of the 
final rule, with respect to any of the non-disclosing providers 
identified in the patient safety work product, the disclosing provider 
need obtain either the provider's agreement or anonymize the provider's 
information.
Response to Other Public Comments
    Comment: Several commenters stated that they did not support this 
disclosure permission allowing voluntary disclosures of patient safety 
work product to accrediting bodies due to possible unintended 
consequences of these disclosures. Another commenter asked that we be 
aware of punitive actions by regulatory organizations as a result of 
voluntary disclosures to accrediting bodies and monitor this process 
carefully for any unintended consequences.
    Response: The disclosure permission allowing providers to 
voluntarily disclose patient safety work product to accrediting bodies 
is prescribed by the statute and thus, is included in this final rule. 
However, as described above, the final rule requires either 
anonymization or agreement with respect to non-disclosing providers as 
a condition of the disclosure. This provision, along with the express 
prohibition at Sec.  3.206(b)(8)(iii) on an accrediting body taking an 
accrediting action against a provider based on a good faith 
participation of the provider in the collection, development, 
reporting, or maintenance of patient safety work product should 
alleviate commenter concerns.
    Comment: One commenter asked if the regulation allowed accrediting 
bodies to disclose patient safety work product to CMS as part a 
commitment to advise CMS of adverse accreditation decisions.
    Response: The final rule prohibits accrediting bodies from further 
disclosing patient safety work product they have voluntarily received 
from providers under Sec.  3.206(b)(8).
    Comment: One commenter asked if survey and licensure bodies were 
considered to be accrediting bodies and thus, precluded from taking 
action against providers who voluntarily submit patient safety work 
product to them.
    Response: Survey and licensure bodies are not accrediting bodies 
and are not treated as such under this provision. Thus, such entities 
are not entitled to receive patient safety work product voluntarily 
from providers under this provision.
    Comment: Two commenters expressed concern about this disclosure 
permission for accrediting bodies that create component PSOs. One 
commenter stated that allowing accrediting bodies to create component 
PSOs creates a potential conflict of interest that may adversely affect 
provider organizations. If an accrediting body's component organization 
is a PSO, the commenter asked how OCR will determine whether the 
component organization improperly disclosed information or whether the 
accrediting body received the information voluntarily from a provider.
    Response: Providers are free to choose the PSOs with which they 
want to work. We expect that any selection by a provider will involve a 
thorough vetting and consideration of a number of factors, including 
whether the PSO is a component of an accrediting body and if so, what 
assurances are in place to protect against improper access by the 
accrediting body to patient safety work product. Component 
organizations have clear requirements to maintain patient safety work 
product separately from parent organizations. Further, the final rule 
recognizes that a disclosure from a component organization to a parent 
organization is a disclosure which must be made pursuant to one of the 
permissions set forth in the statute and here; disclosures for which 
there is no permission are subject to enforcement by the Department and 
imposition of civil money penalties, as well as may adversely impact on 
the PSO's continued listing by the Secretary as a PSO. Should OCR 
receive a complaint or conduct a compliance review that implicates an 
impermissible disclosure by a component PSO of an accrediting body, OCR 
will investigate and review the particular facts and circumstances 
surrounding the alleged impermissible disclosure, including, if 
appropriate, whether the accrediting body received the patient safety 
work product directly from a provider pursuant to Sec.  3.206(b)(8).
    Comment: One commenter asked that the final rule allow accrediting 
bodies to use voluntarily reported patient safety work product in 
accreditation decisions, or that the final rule give accrediting bodies 
immunity from liability that might arise from their failure to take 
this patient safety work product into account in its accreditation 
decisions. This commenter also stated that, since accrediting bodies 
cannot take action based on information voluntarily disclosed pursuant 
to this provision, the final rule should make clear that accrediting 
bodies cannot be held responsible for decisions that might have been 
different if the accrediting body had been able to act based on the 
patient safety work product received.
    Response: We clarify that the final rule, as the proposed rule, 
does not prohibit an accrediting body from using patient safety work 
product voluntarily reported by a provider pursuant to this provision 
in its accreditations decisions with respect to that provider. Thus, it 
is not necessary nor is it appropriate for the Secretary to give 
accrediting bodies immunity from liability. However, an accrediting 
body may not require a provider to disclose patient safety work 
product, or take an accrediting action against a provider who refuses 
to disclose patient safety work product, to the accrediting body. See 
section 922(d)(4)(B) of the Public Health Service Act, 42 U.S.C. 299b-
22(d)(4)(B), and Sec.  3.206(b)(8)(iii), which expressly prohibits an 
accrediting body from taking an accrediting action against a provider 
based on the good faith participation of the provider in the 
collection, development, reporting, or maintenance of patient safety 
work product in accordance with the statute.
    Comment: One commenter asked if the limitation on redisclosure of 
voluntarily reported patient safety work product received by an 
accrediting body applies if the information sent to the accrediting 
body was not patient safety work product at the time the accrediting 
body received the information, but was later reported, by the provider 
to a PSO and became protected.
    Response: If the information submitted to an accrediting body was 
not patient safety work product as defined at Sec.  3.20 at the time it 
was reported, then Sec.  3.206(b)(8), including the redisclosure 
limitation, does not apply to such information.
    Comment: One commenter asked that the final rule clarify that the 
disclosure of patient safety work product to an accrediting body is 
voluntary.

[[Page 70784]]

    Response: Section 3.208(b)(8) expressly provides only for the 
voluntary reporting of patient safety work product, provided the 
conditions are met. We do not see a need for further clarification.
(9) Section 3.206(b)(9)--Business Operations
    Proposed Rule: Proposed Sec.  3.206(b)(9) would have allowed 
disclosures of patient safety work product by a provider or a PSO to 
professionals such as attorneys and accountants for the business 
operations purposes of the provider or PSO. See section 922(c)(2)(F) of 
the Public Health Service Act, 42 U.S.C. 299b-22(c)(2)(F). Under the 
proposed rule, such contractors could not further disclose patient 
safety work product, except to the entity from which it received the 
information. However, the proposed rule made clear that a provider or 
PSO still would have had the authority to delegate its power to the 
contractor to make other disclosures. In addition, the proposed rule 
provided that any patient safety work product disclosed pursuant to 
this provision continued to be privileged and confidential.
    The Patient Safety Act gives the Secretary authority to designate 
additional exceptions as necessary business operations that are 
consistent with the goals of the statute. The proposed rule sought 
public comment regarding whether there are any other consultants or 
contractors, to whom a business operations disclosure should also be 
permitted, or whether the Secretary should consider any additional 
exceptions under this authority. The proposed rule noted that the 
Secretary would designate additional exceptions only through 
regulation; however, it asked if other mechanisms for the adoption of 
business operations exceptions should be adopted or incorporated.
    The proposed rule also explained that a business operations 
designation by the Secretary that enables a HIPAA covered entity to 
disclose patient safety work product containing protected health 
information to professionals is permissible as a health care operations 
disclosure under the HIPAA Privacy Rule. See 45 CFR 164.506. Generally, 
such professionals will be business associates of the covered entity, 
which will require that a business associate agreement be in place. See 
45 CFR 160.103, 164.502(e), and 164.504(e).
    Overview of Public Comments: Several commenters expressed general 
support for the business operations disclosures to attorneys, 
accountants, and other professionals in the proposed rule. We also 
received several responses to the question asking if the final rule 
should allow for any additional disclosures under the business 
operations provision. Three commenters stated that the final rule 
should not include any additional business operations disclosures. 
Others asked that the business operations disclosure permission be 
broad enough to encompass all the activities defined as ``health care 
operations'' in the HIPAA Privacy Rule, which would then include 
disclosures to entities such as photocopy shops, document storage 
services, shredding companies, IT support companies, and other entities 
involved in a PSO's management or administration. Other commenters 
suggested that disclosures of patient safety work product to 
independent contractors, professional liability insurance companies, 
captives, and risk retention groups be included as disclosures for 
business operations under this provision in the final rule.
    All commenters responding to the question about how the Secretary 
should adopt additional business operations stated that additional 
business operations should be adopted only through the rulemaking 
process.
    Final Rule: The final rule adopts the proposed provision, allowing 
disclosure of patient safety work product by a provider or a PSO for 
business operations to attorneys, accountants, and other professionals. 
The final rule allows disclosure of patient safety work product to 
these professionals who are bound by legal and ethical duties to 
maintain the confidence of their clients and the confidentiality of 
client information, including patient safety work product. These 
professionals will provide a broad array of services to and functions 
for the providers and PSOs with whom they are contracted and will need 
access to patient safety work product to perform their duties. We are 
not persuaded by the comments of a need to expand, at this time, the 
disclosure permission to encompass other categories of persons or 
entities. However, as described in the proposed rule, should the 
Secretary seek in the future to designate additional business 
operations exceptions to be encompassed within this disclosure 
permission, he will do so through regulation to provide adequate 
opportunity for public comment.
    With respect to many of the other entities identified by the 
commenters, we note that, to the extent the services provided by such 
entities are necessary for the maintenance of patient safety work 
product or the operation of a patient safety evaluation system, or 
otherwise support activities included in the definition of ``patient 
safety activities'' at Sec.  3.20 of this rule, these disclosures may 
be made to such contractors pursuant to Sec.  3.206(b)(4)(ii).
Response to Other Public Comments
    Comment: Two commenters suggested that the final rule include a 
requirement for a contract between providers or PSOs and their 
attorneys, accountants, and other professionals to whom patient safety 
work product will be disclosed as a business operation.
    Response: We do not require a contract as a condition of disclosure 
in the final rule. However, we agree that a contract between these 
parties is a prudent business practice and expect that parties will 
enter into appropriate agreements to ensure patient safety work product 
remains protected. Further, where HIPAA covered entities are concerned, 
we note that the HIPAA Privacy Rule requires that such entities have a 
business associate agreement in place with professionals providing 
services that require access to protected health information.
(10) Section 3.206(b)(10)--Disclosure to Law Enforcement
    Proposed Rule: Proposed Sec.  3.206(b)(10) would have permitted the 
disclosure of identifiable patient safety work product to law 
enforcement authorities, so long as the person making the disclosure 
believes--and that belief is reasonable under the circumstances--that 
the patient safety work product disclosed relates to a crime and is 
necessary for criminal law enforcement purposes. See section 
922(c)(2)(G) of the Public Health Service Act, 42 U.S.C. 299b-
22(c)(2)(G). The proposed rule provided that patient safety work 
product disclosed under this provision would remain privileged and 
confidential.
    The proposed rule also provided that the law enforcement entity 
receiving the patient safety work product could use the patient safety 
work product to pursue any law enforcement purposes; however, the 
recipient law enforcement entity could only redisclose the information 
to other law enforcement authorities as needed for law enforcement 
activities related to the event that necessitated the original 
disclosure. The proposed rule sought comment regarding whether these 
provisions would allow for legitimate law enforcement needs, while 
ensuring appropriate protections.
    Overview of Public Comments: Commenters responding to the question 
in the proposed rule regarding whether this disclosure permission would 
allow

[[Page 70785]]

for legitimate law enforcement needs while ensuring that information 
remain appropriately protected stated that the proposed disclosure 
permission was appropriate and did permit legitimate disclosures to law 
enforcement.
    Final Rule: The final rule adopts the proposed provision with 
slight modification for purposes of clarification only. We add the word 
``only'' to the final rule to clarify that law enforcement receiving 
patient safety work product pursuant to this exception may only further 
disclose this information to other law enforcement authorities as 
needed for law enforcement activities related to the event that gave 
rise to the original disclosure.
Response to Other Public Comments
    Comment: Two commenters suggested that the statutory standard of 
reasonable belief was vague and that clarity was needed to reduce the 
uncertainty of disclosures and to further define what could constitute 
a reasonable belief. Another commenter noted that the phrase ``relates 
to a crime and is necessary for criminal law enforcement purposes'' is 
too broad and leaves too much discretion to entities such as PSOs.
    Response: The final rule provision at Sec.  3.206(b)(10) generally 
repeats the statutory provision upon which it is based, which provides 
that the disclosure of patient safety work product be permitted if it 
relates to the commission of a crime and the person making the 
disclosure believes, reasonably under the circumstances, that the 
patient safety work product is necessary for criminal law enforcement 
purposes. See section 922(c)(2)(G) of the Public Health Service Act, 42 
U.S.C. 299b-22(c)(2)(G).
    Comment: One commenter expressed concern regarding the redisclosure 
of patient safety work product to law enforcement under this disclosure 
permission. The commenter stated that there could be successive 
disclosures of protected information to law enforcement without 
consideration of whether there is a reasonable belief that the 
redisclosure is necessary for criminal law enforcement purposes. 
Another commenter recommended that this disclosure permission should 
expressly prohibit patient safety work product from being used against 
patients who are identified in the patient safety work product but who 
are not the subject of the criminal act for which the information was 
originally disclosed.
    Response: We believe Sec.  3.206(b)(10) addresses the commenters' 
concerns by expressly limiting law enforcement's redisclosure of 
patient safety work product received pursuant to the provision to other 
law enforcement authorities as needed for law enforcement activities 
related to the event that gave rise to the initial disclosure. Thus, 
law enforcement is not permitted to further disclose the patient safety 
work product for the enforcement of a crime unrelated to the crime for 
which the patient safety work product was originally disclosed to the 
law enforcement entity.
    Comment: One commenter stated that the proposed rule represented an 
expansion of the statutory language because it allowed persons to 
disclose patient safety work product to law enforcement entities in the 
absence of an active law enforcement investigation and in the absence 
of a request for this information by law enforcement.
    Response: The statute does not require that a law enforcement 
entity be involved in an active investigation or that a law enforcement 
entity request information prior to a person making a disclosure of 
patient safety work product to a law enforcement entity pursuant to 
this disclosure permission. See 922(c)(2)(G) of the Public Health 
Service Act, 42 U.S.C. 299b-22(c)(2)(G).

(C) Section 3.206(c)--Safe Harbor

    Proposed Rule: Proposed Sec.  3.206(c) would have prohibited the 
disclosure of a subject provider's identity with information, whether 
oral or written, that: (1) assesses that provider's quality of care; or 
(2) identifies specific acts attributable to such provider. See section 
922(c)(2)(H) of the Public Health Service Act, 42 U.S.C. 299b-
22(c)(2)(H). This provision would have been only applicable to 
providers. Patient safety work product disclosed under this exception 
could identify providers, reporters or patients so long as the 
provider(s) that were the subject of the actions described were 
nonidentified. The proposed rule would have required that 
nonidentification be accomplished in accordance with the 
nonidentification standard set forth in proposed Sec.  3.212.
    Overview of Public Comments: We received no comments opposed to 
this provision.
    Final Rule: The final rule adopts the proposed provision.
Response to Other Public Comments
    Comment: Several commenters suggested that the safe harbor 
provision be extended to PSOs as well as providers. One commenter noted 
that there was no reason to exclude PSOs from this provision and 
including PSOs would provide them with the same leeway for inadvertent 
disclosures of patient safety work product as providers.
    Response: The statute expressly limits the safe harbor provision to 
providers. Therefore, we do not have the authority to extend this 
provision to PSOs.

(D) Section 3.206(d)--Implementation and Enforcement of the Patient 
Safety Act

    Proposed Rule: Proposed Sec.  3.206(d) would have permitted the 
disclosure of relevant patient safety work product to or by the 
Secretary as needed for investigating or determining compliance with or 
to seek or impose civil money penalties with respect to this Part or 
for making or supporting PSO certification or listing decisions, under 
the Patient Safety Act. Patient safety work product disclosed under 
this exception would remain confidential.
    Overview of Public Comments: We received no comments in reference 
to this provision.
    Final Rule: Consistent with the changes made to Sec.  3.204(c) with 
respect to privilege, the final rule adopts the proposed provision, but 
expands it to expressly provide that patient safety work product also 
may be disclosed to or by the Secretary as needed to investigate or 
determine compliance with or to impose a civil money penalty under the 
HIPAA Privacy Rule. This new language implements the statutory 
provision at section 922(g)(3) of the Public Health Service Act, 42 
U.S.C. 299b-22(g)(3), which makes clear that the Patient Safety Act is 
not intended to affect implementation of the HIPAA Privacy Rule. As in 
the privilege context, given the significant potential for an alleged 
impermissible disclosure to implicate both this rule's confidentiality 
provisions, as well as the HIPAA Privacy Rule, the Secretary may 
require access to confidential patient safety work product for purposes 
of determining compliance with the HIPAA Privacy Rule. The Secretary 
will use such information consistent with the statutory prohibition 
against imposing civil money penalties under both authorities for the 
same act.
    With respect to this rule, the final rule, as in the proposed rule, 
makes clear that disclosures of patient safety work product to or by 
the Secretary are permitted to investigate or determine compliance with 
this rule, or to make or support decisions with respect to listing of a 
PSO. This may include access to and disclosure of patient safety work 
product to enforce the confidentiality provisions of the rule, to make 
or support decisions regarding the

[[Page 70786]]

acceptance of certification and listing as a PSO, or to revoke such 
acceptance and to delist a PSO, or to assess or verify PSO compliance 
with the rule.
Response to Other Public Comments
    Comment: Several commenters asked the Secretary to use judicious 
restraint when requesting patient safety work product for compliance 
and enforcement activities. Some of these commenters also asked that 
the Secretary reserve his full enforcement power for only the most 
egregious violations of the confidentiality provisions.
    Response: We acknowledge the commenters' concerns regarding the 
disclosure of patient safety work product for enforcement purposes. As 
we explained in the proposed rule, we strongly believe in the 
protection of patient safety work product as provided by the Patient 
Safety Act. However, confidentiality protections are meaningless 
without the ability to enforce breaches of the protections, 
investigations of which may require access to confidential patient 
safety work product. Further, Sec.  3.310 of the final rule provides 
the Secretary with authority to obtain access to only that patient 
safety work product and other information that is pertinent to 
ascertaining compliance with the rule's confidentiality provisions.
    Also, as we explained in the proposed rule, we will seek to 
minimize the risk of improper disclosure of patient safety work product 
by using and disclosing patient safety work product only in limited and 
necessary circumstances, and by limiting the amount of patient safety 
work product disclosed to that necessary to accomplish the purpose. 
Further, Sec.  3.312 of the final rule expressly prohibits the 
Secretary from disclosing identifiable patient safety work product 
obtained by the Secretary in connection with an investigation or 
compliance review except as permitted by Sec.  3.206(d) for compliance 
and enforcement or as otherwise permitted by the rule or the Patient 
Safety Act.
    See the discussion of the provisions of Subpart D of the final rule 
for more information on how the Secretary may exercise discretion in 
enforcement.

(E) Section 3.206(e)--No Limitation on Authority To Limit or Delegate 
Disclosure or use

    Proposed Rule: Proposed Sec.  3.206(e) would have established that 
a person holding patient safety work product may enter into a contract 
that requires greater confidentiality protections or may delegate its 
authority to make a disclosure in accordance with this Subpart. Neither 
the statute nor the proposed rule limited the authority of a provider 
to place limitations on disclosures or uses.
    Overview of Public Comments: We received no comments opposed to 
this provision.
    Final Rule: The final rule adopts the proposed provision.
    Response to Other Public Comments
    Comment: One commenter suggested that providers and PSOs should not 
be able to enter into agreements that would prohibit the disclosure of 
patient safety work product to report a crime or to comply with state 
reporting requirements.
    Response: The Patient Safety Act expressly provides that it does 
not preempt or otherwise affect any State law requiring a provider to 
report information that is not patient safety work product. See section 
922(g)(5) of the Public Health Service Act, 42 U.S.C. 299b-22(g)(5). 
Further, patient safety work product does not include original medical 
and other records. Thus, nothing in the final rule or the statute 
relieves a provider from his or her obligation to disclose information 
from such original records or other information that is not patient 
safety work product to comply with state reporting or other laws. 
Moreover, the final rule at Sec.  3.206(b)(10)(i) permits providers and 
PSOs to disclose patient safety work product to report a crime to a law 
enforcement authority provided that the disclosing person reasonably 
believes that the patient safety work product that is disclosed is 
necessary for criminal law enforcement purposes. However, the 
Department cannot, through this rule, prevent such agreements because 
the Patient Safety Act, at section 922(g)(4) of the Public Health 
Service Act, 42 U.S.C. 299b-22(g)(4), specifically provides that the 
Act cannot be construed ``to limit the authority of any provider, 
patient safety organization, or other entity to enter into a contract 
requiring greater confidentiality'' than that provided under the Act.
3. Section 3.208--Continued Protection of Patient Safety Work Product
    Proposed Rule: Proposed Sec.  3.208 provided that the privilege and 
confidentiality protections would continue to apply to patient safety 
work product following disclosure and also described the narrow 
circumstances when the protections terminate. See section 922(d) of the 
Public Health Service Act, 42 U.S.C. 299b-22(d). In particular, the 
proposed rule would have provided two exceptions to the continued 
protection of patient safety work product. The first was an exception 
to continued confidentiality protection when patient safety work 
product is disclosed for use in a criminal proceeding, pursuant to 
Sec.  3.206(b)(1). See section 922(d)(2)(A), 42 U.S.C. 299b-
22(d)(2)(A). The second exception to continued protection was in 
circumstances where patient safety work product is disclosed in 
nonidentifiable form, pursuant to Sec. Sec.  3.204(b)(4) and 
3.206(b)(5). See section 922(d)(2)(B), 42 U.S.C. 299b-22(d)(2)(B).
    The proposed rule would not have required the labeling of 
information as patient safety work product or that disclosure of 
patient safety work product be accompanied by a notice as to either the 
fact that the information disclosed is patient safety work product or 
that it is confidential. The proposed rule did acknowledge that both 
practices may be prudent business practices.
    Overview of Public Comments: We received several comments 
suggesting that the final rule require that patient safety work product 
be labeled as such or that a recipient of patient safety work product 
be given notice of the protected status of the information received. 
Commenters suggested that putting recipients of patient safety work 
product on notice about the sensitive and confidential nature of the 
information would assure and encourage appropriate treatment of this 
information.
    Final Rule: The final rule adopts this proposed provision but does 
not require that patient safety work product be labeled or that 
disclosing parties provide recipients of patient safety work product 
with notice that they are receiving protected information. We believe 
imposing a labeling or notice requirement would be overly burdensome on 
entities. We do, however, expect providers, PSOs, and responsible 
persons holding patient safety work product to treat and safeguard such 
sensitive information appropriately and encourage such persons to 
consider whether labeling or notice may be an appropriate safeguard in 
certain circumstances. Further, we note that the final rule provides 
that information that is documented as within a patient safety 
evaluation system for reporting to a PSO is patient safety work 
product. In addition, the final rule allows patient safety work product 
to be removed from a patient safety evaluation system and no longer 
considered patient safety work product if it has not yet been reported 
to a PSO and its removal is documented. See the definition of ``patient 
safety work product'' at Sec.  3.20. These

[[Page 70787]]

documentation provisions may assist in identifying, and putting persons 
on notice as to, what is and is not protected information.
Response to Other Public Comments
    Comment: With respect to Sec. Sec.  3.206(b)(2), 3.206(b)(3), 
3.206(b)(8), 3.206(b)(9), and 3.206(b)(10), commenters asked that the 
final rule emphasize the fact that subsequent holders of patient safety 
work product are subject to the privilege and confidentiality 
provisions when they receive the patient safety work product pursuant 
to a privilege or confidentiality exception and that this patient 
safety work product cannot be subpoenaed, ordered, or entered into 
evidence in a civil or criminal proceeding through any of these 
exceptions.
    Response: Section 3.208 makes clear that, with limited exceptions, 
patient safety work product continues to be privileged and confidential 
upon disclosure.
    Comment: One commenter expressed concern over the proposed rule's 
statement that an impermissible disclosure of patient safety work 
product, even if unintentional, does not terminate the confidentiality 
of the information and that individuals and entities receiving this 
patient safety work product may be subject to civil money penalties. 
The commenter stated that the applicability of this broad statement to 
third and fourth party recipients of patient safety work product could 
violate the First Amendment and expressed concern with the possibility 
that the Secretary would seek to impose a civil money penalty upon a 
newspaper for printing patient safety information.
    Response: Section 3.208 implements the statutory provision that 
patient safety work product continues to be privileged and confidential 
upon disclosure, including when in the possession of the person to whom 
the disclosure was made. See section 922(d) of the Public Health 
Service Act, 42 U.S.C. 299b-22(d). To encourage provider reporting of 
sensitive patient safety information, Congress saw a need for strong 
privilege and confidentiality protections that continue to apply 
downstream even after disclosure, regardless of who holds the 
information. With respect to the commenter's concern regarding 
``unintentional'' disclosures, we note that the Secretary has 
discretion to elect not to impose civil money penalties for an 
impermissible disclosure of patient safety work product, in appropriate 
circumstances. Thus, if it is determined, through a complaint 
investigation or a compliance review, that an impermissible disclosure 
of patient safety work product has been made, the Secretary will 
examine each situation based on the individual circumstances and make 
an appropriate determination about whether to impose a civil money 
penalty. See the discussion regarding Subpart D of this final rule for 
a more extensive discussion of the Secretary's enforcement discretion. 
Finally, with respect to the commenter's First Amendment concerns, we 
do not believe the confidentiality provisions afforded to patient 
safety work product in the statute and the rule contravene the First 
Amendment.
4. Section 3.210--Required Disclosure of Patient Safety Work Product to 
the Secretary
    Proposed Rule: Proposed Sec.  3.210 would have required providers, 
PSOs, and other persons holding patient safety work product to disclose 
such information to the Secretary upon a determination by the Secretary 
that such patient safety work product is needed for the investigation 
and enforcement activities related to this Part, or is needed in 
seeking and imposing civil money penalties.
    Overview of Public Comments: We received no comments opposed to 
this provision.
    Final Rule: The final rule adopts the proposed provision but 
expands it to encompass disclosures of patient safety work product 
needed for investigation and enforcement activities with respect to the 
HIPAA Privacy Rule, consistent with changes made to Sec. Sec.  3.204(c) 
and 3.206(d). As in the proposed rule, the final rule makes clear that, 
with respect to this rule, providers, PSOs, and responsible persons 
must disclose patient safety work product to the Secretary upon request 
when needed to investigate or determine compliance with this rule, or 
to make or support decisions with respect to listing of a PSO. This may 
include disclosure of patient safety work product to the Secretary as 
necessary to enforce the confidentiality provisions of the rule, to 
make or support decisions regarding the acceptance of certification and 
listing as a PSO, or to revoke such acceptance and to delist a PSO, or 
to assess or verify PSO compliance with the rule.
Response to Other Public Comments
    Comment: Several commenters suggested that disclosures to the 
Secretary be limited to only the patient safety work product that is 
needed for the Secretary's activities.
    Response: Section 3.210 requires disclosure of patient safety work 
product only in those cases where the Secretary has determined that 
such information is needed for compliance or enforcement of this rule 
or the HIPAA Privacy Rule or for PSO certification or listing. Further, 
during an investigation or compliance review, Sec.  3.310(c) requires a 
respondent to provide the Secretary with access to only that 
information, including patient safety work product, that is pertinent 
to ascertaining compliance with this rule.
5. Section 3.212--Nonidentification of Patient Safety Work Product
    Proposed Rule: Proposed Sec.  3.212 would have established the 
standard by which patient safety work product would be rendered 
nonidentifiable, implementing section 922(c)(2)(B) of the Public Health 
Service Act, 42 U.S.C. 299b-22(c)(2)(B). Under the Patient Safety Act 
and this Part, identifiable patient safety work product includes 
information that identifies any provider or reporter or contains 
individually identifiable health information under the HIPAA Privacy 
Rule (see 45 CFR 160.103). See section 921(2) of the Public Health 
Service Act, 42 U.S.C. 299b-21(2). By contrast, nonidentifiable patient 
safety work product does not include information that permits 
identification of any provider, reporter or subject of individually 
identifiable health information. See section 921(3) of the Public 
Health Service Act, 42 U.S.C. 299b-21(3).
    The proposed rule explained that because individually identifiable 
health information as defined in the HIPAA Privacy Rule is one element 
of identifiable patient safety work product, the de-identification 
standard provided in the HIPAA Privacy Rule would apply with respect to 
the patient-identifiable information in the patient safety work 
product. Therefore, where patient safety work product contained 
individually identifiable health information, the proposal would have 
required that the information be de-identified in accordance with 45 
CFR 164.514(a)-(c) to qualify as nonidentifiable patient safety work 
product with respect to individually identifiable health information 
under the Patient Safety Act.
    Further, with respect to providers and reporters, the proposal 
imported and adapted the HIPAA Privacy Rule's standards for de-
identification. In particular, the proposal included two methods by 
which nonidentification could be accomplished: (1) A statistical method 
of nonidentification and (2) the removal of 15 specified categories of 
direct identifiers of providers or reporters and of parties related to 
the providers and reporters, including

[[Page 70788]]

corporate parents, subsidiaries, practice partners, employers, 
workforce members, or household members, and that the discloser have no 
actual knowledge that the remaining information, alone or in 
combination with other information reasonably available to the intended 
recipient, could be used to identify any provider or reporter, i.e., a 
contextual nonidentification standard. In addition, the proposal would 
have permitted a provider, PSO, or other disclosing entity or person to 
assign a code or other means of record identification to allow 
information made nonidentifiable to be re-identified by the disclosing 
person, provided certain conditions were met.
    The proposal specifically invited comment on the proposed standards 
and approaches and asked whether it would be possible to include any 
geographical identifiers, and if so, at what level of detail (state, 
county, zip code). We also requested comment regarding whether there 
were alternative approaches to standards for entities determining when 
health information could reasonably be considered nonidentifiable.
    Overview of Public Comments: We received a variety of comments 
addressing the nonidentification standard. One commenter supported the 
proposed methodologies for nonidentification, while several commenters 
expressed concern that the nonidentification standard was too strict 
and rendered patient safety work product useless to its recipients. One 
commenter was concerned that imposing an inflexible, stringent 
nonidentification standard would impede the future disclosures of 
aggregated patient safety information that the commenter currently 
makes. Some of these commenters proposed alternatives to the proposed 
nonidentification standard, such as considering information 
nonidentified even if it contains dates of treatment and geographic 
identifiers as long as data of a certain threshold number of providers 
was aggregated or eliminating the nonidentification standard entirely 
and applying a less stringent anonymization standard. In contrast, 
several other commenters expressed concern that the nonidentification 
standard was too flexible, was inadequate to truly nonidentify 
information and protect provider identities, and could be too easily 
reverse engineered.
    Final Rule: The final rule adopts this proposed provision with only 
a minor technical change to incorporate by reference the direct 
identifiers listed at Sec.  3.206(b)(4)(iv)(A) of the anonymization 
standard, as appropriate, to eliminate unnecessary duplication of such 
elements in the regulatory text. Therefore, persons wishing to 
nonidentify patient safety work product must remove the direct 
identifiers listed in the anonymization standard at Sec.  
3.206(b)(4)(iv)(A)(1) through (13), as well as any additional 
geographic subdivisions smaller than a State that are not required to 
be removed by Sec.  3.206(b)(4)(A)(2), e.g., town or city, all elements 
of dates (except year) that are directly related to a patient safety 
incident or event, and any other unique identifying number, 
characteristic, or code (except as permitted for reidentification). We 
were not persuaded by commenters that changes to the standard were 
necessary, especially given the lack of consensus among commenters as 
to whether the standard was too stringent or not stringent enough. 
Further, commenters did not offer suggestions as to potential 
alternative approaches to nonidentification. Additionally, because this 
rule's nonidentification standard with respect to providers and 
reporters is adapted from the HIPAA Privacy Rule's de-identification 
standard and with respect to individuals, incorporates the HIPAA 
Privacy Rule's de-identification standard, this approach minimizes 
complexity and burden for entities that are subject to both regulatory 
schemes.
Response to Other Public Comments
    Comment: One commenter expressed concern over the possibility that 
provider identities could be derived from nonidentifiable patient 
safety work product and asked that the final rule require a party 
disclosing identifiable information to produce evidence, if challenged, 
of how the information was obtained if not via nonidentifiable patient 
safety work product. Another commenter suggested that the final rule 
include a provision that prohibits the use or disclosure of any 
individually identifiable information that was obtained via the use of 
nonidentifiable patient safety work product. Finally, another commenter 
suggested that keys to reidentification of nonidentifiable patient 
safety work product be protected from discovery and should be protected 
as patient safety work product to prevent reidentification by 
unintended parties.
    Response: We believe that the nonidentification standard in the 
final rule, which is based upon the existing HIPAA Privacy Rule's de-
identification standard, is appropriate and sufficient to protect the 
identities of providers. With respect to protection of reidentification 
keys, we note that Sec.  3.212(a)(3) prohibits a provider, PSO, or 
responsible party disclosing nonidentifiable patient safety work 
product from also disclosing the mechanism for reidentification. If a 
reidentification key is disclosed along with patient safety work 
product that would otherwise be nonidentifiable, then such information 
is identifiable patient safety work product to which the privilege and 
confidentiality protections attach.
    Comment: One commenter asked to whom must patient safety work 
product be made nonidentifiable and if information is adequately 
nonidentifiable despite the ability of a provider or patient involved 
in the event to recognize their case.
    Response: Under Sec.  3.212(a)(1), patient safety work product is 
rendered nonidentifiable if a determination is made, applying generally 
accepted statistical and scientific principles, that the risk is very 
small that the information could be used, alone or in combination with 
other reasonably available information, by an anticipated recipient to 
identify a provider or reporter. Similarly, under Sec.  3.212(a)(2), 
patient safety work product is rendered nonidentifiable if the listed 
identifiers are stripped and the provider, PSO or responsible person 
making the disclosure does not have actual knowledge that the 
information could be used, alone or in combination with other 
information that is reasonably available to the intended recipient, to 
identify the particular provider or reporter. So long as the remaining 
information meets either of these two standards, such information is 
considered nonidentifiable for purposes of this rule, despite the 
hypothetical ability of a provider or patient involved in the event to 
recognize their case.
    Comment: One commenter asked for clarification that 
nonidentification can be accomplished through either the statistical 
method or through the safe harbor method but that entities are not 
required to nonidentify patient safety work product subject to both 
methods.
    Response: We clarify that either method may be used to render 
information nonidentifiable for purposes of this rule.

D. Subpart D--Enforcement Program

    Subpart D of the final rule establishes a framework to enable the 
Secretary to monitor and ensure compliance with this Part, a process 
for imposing a civil money penalty for breach of the confidentiality 
provisions, and procedures for a hearing contesting a civil money 
penalty. The provisions in

[[Page 70789]]

Subpart D are modeled largely on the HIPAA Enforcement Rule at 45 CFR 
Part 160, Subparts C, D and E. This will maintain a common approach to 
enforcement and appeals of civil money penalty determinations based on 
section 1128A of the Social Security Act, 42 U.S.C. 1320a-7a, upon 
which both the HIPAA and Patient Safety Act penalties are based, as 
well as minimize complexity for entities that are subject to both 
regulatory schemes. This enforcement scheme also provides the Secretary 
maximum flexibility to address confidentiality violations so as to 
encourage participation in patient safety activities and achieve the 
goals of the Patient Safety Act.
    General Comments: Several commenters expressed support for the 
decision to base this rule's enforcement regime on the HIPAA 
Enforcement Rule and noted that the HIPAA Enforcement Rule was properly 
adapted to the patient safety context. However, two commenters 
expressed concern that basing the enforcement regime in this rule on 
the HIPAA Enforcement Rule will be insufficient to adequately address 
and penalize violations of the confidentiality provisions because of 
the Department's approach to enforcement of the HIPAA Privacy Rule. One 
commenter argued that this might cause providers to decide against 
reporting the most serious patient safety events, and therefore, would 
undermine the purpose of the statute.
    Response to General Comments: The Department believes that modeling 
this rule's enforcement provisions on the existing HIPAA Enforcement 
Rule is prudent and appropriate. As noted above, such an approach 
grants the Secretary maximum flexibility to address violations of the 
confidentiality provisions, relies on an existing and established 
enforcement regime, and minimizes complexity for entities subject to 
both the Patient Safety Act and HIPAA.
1. Sections 3.304, 3.306, 3.308, 3.310, 3.312, 3.314--Compliance and 
Investigations
    Proposed Rule: Sections 3.304-3.314 of the proposed rule provided 
the framework by which the Secretary would seek compliance by 
providers, PSOs, and responsible persons with the confidentiality 
provisions of the rule. These proposed requirements included: (1) 
Provisions for the Secretary to seek cooperation from these entities in 
obtaining compliance and to provide technical assistance (proposed 
Sec.  3.304); (2) procedures for any person who believes there has been 
a violation of the confidentiality provisions to file a complaint with 
the Secretary and provisions for the Secretary to investigate such 
complaints (proposed Sec.  3.306); (3) provisions for the Secretary to 
conduct compliance reviews (proposed Sec.  3.308); (4) provisions 
establishing responsibilities of respondents with respect to 
cooperating with the Secretary during investigations or compliance 
reviews and providing access to information necessary and pertinent to 
the Secretary determining compliance (proposed Sec.  3.310); (5) 
provisions describing the Secretary's course of action during 
complaints and compliance reviews, including the circumstances under 
which the Secretary may attempt to resolve compliance matters by 
informal means or issue a notice of proposed determination, as well as 
the circumstances under which the Secretary may use or disclose 
information, including identifiable patient safety work product, 
obtained during an investigation or compliance review (proposed Sec.  
3.312); and (6) provisions and procedures for the Secretary to issue 
subpoenas to require witness testimony and the production of evidence 
and to conduct investigational inquiries (proposed Sec.  3.314).
    Overview of Public Comments: We received no comments opposed to the 
proposed provisions.
    Final Rule: The final rule adopts the provisions of the proposed 
rule, except, where reference was made in the proposed rule to 
provisions of the HIPAA Enforcement Rule, the final rule includes the 
text of such provisions for convenience of the reader.
Response to Other Public Comments
    Comment: One commenter asked how and when the Secretary will 
provide technical assistance to providers, PSOs, and responsible 
persons regarding compliance with the confidentiality provisions.
    Response: The Secretary intends to provide technical assistance 
through a variety of mechanisms. First, as authorized by the Patient 
Safety Act, the Secretary intends, as practical, to convene annual 
meetings for PSOs to discuss methodology, communication, data 
collection, privacy concerns, or other issues relating to their patient 
safety systems. See section 925 of the Public Health Service Act, 42 
U.S.C. 299b-25. Second, the Secretary intends to exercise his 
discretion under Sec.  3.304 by, when practicable and appropriate, 
providing technical assistance to affected persons and entities both on 
an individual basis when such persons or entities are involved in 
complaint investigations or compliance reviews, as well as more 
generally through published guidance that addresses common compliance 
or other questions about the rule. As we noted in the preamble to the 
proposed rule, however, the absence of technical assistance or guidance 
by the Secretary may not be raised as a defense to civil money penalty 
liability. We also encourage persons participating in patient safety 
activities and subject to this rule to develop and share with others 
similarly situated in the industry ``best practices'' for the 
confidentiality of patient safety work product.
    Comment: One commenter requested that the final rule provide 
additional detail on the consideration that will go into the 
determination of whether to pursue an investigation or to conduct a 
compliance review.
    Response: We do not believe that including additional detail in the 
final rule regarding when we will investigate or conduct compliance 
reviews is prudent or feasible. The decision of whether to conduct an 
investigation or compliance review is left to the discretion of the 
Secretary and will be made based on the specific circumstances of each 
individual case. The decision to investigate a complaint is necessarily 
fact specific. For example, some complaints may not allege facts that 
fall within the Secretary's jurisdiction or that constitute a violation 
if true. With respect to compliance reviews, the Secretary needs to 
maintain flexibility to conduct whatever reviews are necessary to 
ensure compliance. Compliance reviews may be initiated based on, for 
example, information that comes to the Department's attention outside 
of the formal complaint process, or trends the Department is seeing as 
a result of its enforcement activities. It would be premature at this 
time to indicate the specific circumstances under which such reviews 
may be conducted, given the absence of any compliance and enforcement 
experience with the rule. Further, making public the Department's 
considerations in this area may undermine the effectiveness of such 
reviews. Thus, we did not propose and do not include in this final rule 
affirmative criteria for conducting compliance reviews.
    Comment: One commenter requested clarification that the Secretary 
may only require respondents to produce records, books, and accounts 
that are reasonably related to an investigation.
    Response: Section 3.310(c) of the proposed rule, which the final 
rule adopts, provided that a respondent must permit the Secretary 
access to the information that is pertinent to ascertaining compliance 
with the

[[Page 70790]]

confidentiality provisions of the rule. Given this provision in the 
final rule, we do not see a need to provide further clarification.
2. Sections 3.402, 3.404, 3.408, 3.414, 3.416, 3.418, 3.420, 3.422, 
3.424, 3.426--Civil Money Penalties
    Proposed Rule: Sections 3.402-3.426 of the proposed rule provided 
the process for the Secretary to impose a civil money penalty for 
noncompliance by a PSO, provider, or responsible person with the 
confidentiality provisions of the rule. These proposed provisions: (1) 
Described the basis for imposing a civil money penalty on a person who 
discloses identifiable patient safety work product in knowing or 
reckless violation of the confidentiality provisions, as well as on a 
principal, in accordance with the federal common law of agency \2\, 
based on the act of its agent acting within the scope of the agency 
(proposed Sec.  3.402); (2) described how a penalty amount would be 
determined, and provided the statutory cap of any such penalty 
(proposed Sec.  3.404); (3) provided the list of factors the Secretary 
may consider as aggravating or mitigating, as appropriate, in 
determining the amount of a civil money penalty, including the nature 
and circumstances of the violation and the degree of culpability of the 
respondent (proposed Sec.  3.408); (4) set forth the 6-year limitations 
period on the Secretary initiating an action for imposition of a civil 
money penalty (proposed Sec.  3.414); (5) set out the Secretary's 
authority to settle any issue or case or to compromise any penalty 
(proposed Sec.  3.416); (6) provided that a civil money penalty imposed 
under this rule would be in addition to any other penalty prescribed by 
law, except that a civil money penalty may not be imposed both under 
this rule and the HIPAA Privacy Rule for the same act (proposed Sec.  
3.418); (7) required that the Secretary provide a respondent with 
written notice of his intent to impose a civil money penalty, prescribe 
the contents of such notice, and provide the respondent with a right to 
request a hearing before an ALJ to contest the proposed penalty 
(proposed Sec.  3.420); (8) provided that if the respondent fails to 
timely request a hearing and the matter is not settled by the 
Secretary, the Secretary may impose the proposed penalty (or any lesser 
penalty) and will notify the respondent of any penalty imposed, and 
that the respondent has no right to appeal such penalty (proposed Sec.  
3.422); (9) provided that once the penalty becomes final, it will be 
collected by the Secretary, unless compromised, and describes the 
methods for collection (proposed Sec.  3.424); and (10) provided that 
the Secretary will notify the public and the appropriate State or local 
medical or professional organizations, appropriate State agencies 
administering or supervising the administration of State health care 
programs, appropriate utilization and quality control peer review 
organizations, and appropriate State or local licensing agencies or 
organizations, of a final penalty and the reason it was imposed 
(proposed Sec.  3.426).
---------------------------------------------------------------------------

    \2\ For more information and guidance about violations of the 
rule attributed to a principal based on the federal common law of 
agency, see the preamble to the proposed rule at 73 FR 8158-8159.
---------------------------------------------------------------------------

    In addition, with respect to the factors at proposed Sec.  3.408, 
we specifically sought comment on whether the factors should be 
expanded to expressly include a factor for persons who self-report 
disclosures that may potentially violate the confidentiality provisions 
such that voluntary self-reporting would be a mitigating consideration 
when assessing a civil money penalty.
    Overview of Public Comments: We received no comments opposed to 
these proposed provisions. With respect to proposed Sec.  3.408, 
commenters generally supported the list of detailed factors, which may 
be aggravating or mitigating depending on the context, for use by the 
Secretary in determining the amount of a civil money penalty. In 
response to the question in the proposed rule regarding whether the 
final rule should include a factor for persons who self-report 
disclosures that may be potential violations, some commenters opposed 
such an expansion, arguing that such a provision could be viewed as an 
additional reporting obligation on persons and entities. Several other 
commenters expressed general support for the consideration of such a 
mitigating factor in the determination of any penalty, and one 
commenter specifically recommended expanding the list of factors to 
include self-reporting.
    Final Rule: The final rule adopts the provisions of the proposed 
rule except, where reference was made in the proposed rule to 
provisions of the HIPAA Enforcement Rule, the final rule includes the 
text of such provisions for convenience of the reader. We do not expand 
the list of factors at Sec.  3.408 to include the fact of self-
reporting by a respondent in the final rule. As we noted in the 
preamble to the proposed rule, while including a factor for voluntary 
self-reporting may encourage persons to report breaches of 
confidentiality, particularly those that may otherwise go unnoticed, as 
well as demonstrate the security practices that led to the discovery of 
the breach and how the breach was remedied, we agree with those 
commenters who argued that including such a factor may be viewed 
incorrectly as an additional and ongoing reporting obligation on 
providers, PSOs, and others to report every potentially impermissible 
disclosure. This would unnecessarily increase administrative burden 
both on the Department and the reporting persons. Additionally, 
inclusion of such a factor may interfere with contractual relationships 
between providers and PSOs that address how parties are to deal with 
breaches.
    However, we note that even though we are not expressly including a 
self-reporting factor in the list at Sec.  3.408, the Secretary retains 
discretion to consider self-reports on a case-by-case basis under Sec.  
3.408(f), which permits the Secretary to consider ``such other matters 
as justice may require'' in determining the amount of a civil money 
penalty.
Response to Other Public Comments
    Comment: One commenter supported the knowing or reckless standard 
for establishing the basis for imposing a civil money penalty for a 
confidentiality violation but also stated that every effort should be 
made to reduce the risk of liability and to encourage provider 
participation. Another commenter supported the Secretary's ability to 
exercise discretion in determining whether to impose a civil money 
penalty for a knowing or reckless violation of the confidentiality 
provisions but also suggested that, in cases where a PSO is compelled 
to disclose patient safety work product by a court and has, in good 
faith, attempted to assert the privilege protection, the PSO 
automatically should be excused from a civil money penalty for the 
impermissible disclosure of patient safety work product to the court.
    Response: We agree that the appropriate basis for imposing a civil 
money penalty is for knowing or reckless disclosures of identifiable 
patient safety work product in violation of the confidentiality 
provisions of the rule and that it is important the Secretary 
ultimately retain discretion as to whether to impose a penalty pursuant 
to this standard. This provision is based on section 922(f) of the 
Public Health Service Act, 42 U.S.C. 299b-22(f). We also agree that 
provider participation is essential to meeting the overall goal of the 
statute to improve patient safety and quality of care, and we believe 
that strong privilege and confidentiality protections for patient 
safety work

[[Page 70791]]

product are fundamental to ensuring this participation. As we explained 
in the preamble to the proposed rule, a civil money penalty under Sec.  
3.402 may only be imposed if the Secretary first establishes a wrongful 
disclosure--that is, the information disclosed was identifiable patient 
safety work product and the manner of the disclosure does not fit 
within any permitted exception. The Secretary must then determine 
whether a person making the disclosure acted ``knowingly'' or 
``recklessly.'' To do so, the Secretary must prove either that: (1) The 
person making the disclosure knew a disclosure was being made (not that 
the person knew he or she was disclosing identifiable patient safety 
work product in violation of the rule or statute); or (2) the person 
acted recklessly in making the disclosure, that is, the person was 
aware, or a reasonable person in his or her situation should have been 
aware, that his or her conduct created a substantial risk of disclosure 
of information and to disregard such risk constituted a gross deviation 
from reasonable conduct. For more guidance on this standard or the 
knowing or reckless standard, see the preamble to the proposed rule at 
73 FR 8157-8158. Once a knowing or reckless violation has been 
established, the Secretary still retains discretion as to whether to 
impose a penalty for a violation and may elect not to do so. Thus, we 
believe the standard at Sec.  3.402 of the final rule strikes the right 
balance in ensuring those who are culpable are subject to penalties, 
while still encouraging maximum participation by providers.
    For example, circumstances where a person who disclosed 
identifiable patient safety work product in violation of the rule can 
show he or she did not know and had no reason to know that the 
information was patient safety work product may warrant discretion by 
the Secretary. Further, as we stated in the preamble to the proposed 
rule, the Secretary may exercise discretion and not pursue a civil 
money penalty against a respondent ordered by a court to produce 
patient safety work product where the respondent has in good faith 
undertaken reasonable steps to avoid production and is, nevertheless, 
compelled to produce the information or be held in contempt of court. 
We do not, however, agree that an automatic exception from liability 
for respondents in such circumstances is appropriate or necessary. The 
Secretary will examine each situation based on the individual 
circumstances and make an appropriate determination about whether to 
impose a civil money penalty.
    Comment: One commenter asked that the final rule state that 
inappropriate disclosures to, for example, the media or to the public, 
would result in civil money penalties.
    Response: Section 3.402(a) of the final rule provides that persons 
who disclose identifiable patient safety work product in knowing or 
reckless violation of the confidentiality provisions are subject to 
civil money penalty liability for such violations. This liability would 
include disclosures to the media or public, to the extent the knowing 
or reckless standard of Sec.  3.402(a) is met.
    Comment: We received two comments stating that the maximum penalty 
of $10,000 for a single violation is insufficient to serve as a 
deterrent against impermissible disclosures. In contrast, one commenter 
expressed concern that the maximum penalty would be far too severe for 
some small providers and in cases in which the impermissible disclosure 
was incidental or accidental.
    Response: In response to those commenters who believe the penalty 
amount is not high enough, the $10,000 maximum penalty for each act 
constituting a violation is prescribed by the statute and thus, cannot 
be increased by the Secretary in this rule. We expect, however, that 
there will be cases where multiple related acts are at issue as 
discrete violations, each of which could result in separate penalties 
up to $10,000. The preamble to the proposed rule indicated that the 
Patient Safety Act provides that a person who violates the Patient 
Safety Act shall be subject to a civil money penalty of ``not more than 
$10,000'' for each act constituting such violation. We note that 
pursuant to the Federal Civil Penalties Inflation Adjustment Act of 
1990, as amended by the Debt Collection Improvement Act of 1996, the 
Department will be required to adjust this civil money penalty amount 
based on increases in the consumer price index (CPI). The Department 
has up to four years to update the civil money penalty amount, and the 
adjustment will be based on the percent increase in the CPI from the 
time the Patient Safety Act was enacted, in accordance with the cost-
of-living adjustment set forth at the Federal Civil Penalties Inflation 
Adjustment Act of 1990 Sec.  5, at 28 U.S.C. 2461 note. However, the 
first adjustment may not exceed ten percent of the penalty. Thus, 
pursuant to this statute, the $10,000 maximum penalty will be adjusted 
upwards periodically to account for inflation.
    With respect to those commenters who were concerned that the 
$10,000 penalty may be too severe in certain circumstances, we 
emphasize that the $10,000 amount is a maximum penalty and the 
Secretary has discretion to impose penalties that are less than that 
amount or can elect not to impose a penalty at all for a violation, 
depending on the circumstances. In particular, Sec.  3.404 provides 
that the amount of any penalty will be determined using the factors at 
Sec.  3.408, which include such factors as the nature and circumstances 
of the violation, the degree of culpability of the respondent including 
whether the violation was intentional, as well as the financial 
condition and size of the respondent.
    Comment: Several commenters asked for clarification regarding the 
Secretary's authority to levy separate fines under the Patient Safety 
Act and HIPAA. Many of these commenters argued that the Secretary 
should be able to impose penalties under both authorities for the same 
act to maximize the enforcement tools at his disposal and to 
effectively penalize bad behavior. In contrast, one commenter supported 
the statutory mandate that civil money penalties not be imposed under 
both the Patient Safety Act and HIPAA for a single violation. One 
commenter asked for clarification as to how civil money penalties may 
be imposed under both the Patient Safety Act and HIPAA when a PSO is a 
business associate of a covered entity for HIPAA Privacy Rule purposes.
    Response: The final rule at Sec.  3.418 reflects the statutory 
prohibition against the Secretary imposing civil money penalties under 
both the Patient Safety Act and HIPAA for a single act that constitutes 
a violation. As the preamble to the proposed rule explained, Congress 
recognized that, because patient safety work product includes 
individually identifiable health information about patients, a HIPAA 
covered entity making a disclosure of patient safety work product could 
be liable for a violation under both the Patient Safety Act and HIPAA, 
and made such penalties mutually exclusive. Thus, in situations in 
which a single violation could qualify as both a violation of the 
Patient Safety Act and HIPAA, the Secretary has discretion to impose a 
civil money penalty under either regulatory scheme, not both. However, 
as we explained in the proposed rule, we interpreted the Patient Safety 
Act as only prohibiting the imposition of a civil money penalty under 
the Patient Safety Act when there has been a civil, as opposed to 
criminal, penalty imposed under HIPAA for the same act. Therefore, a 
person could have a civil money penalty imposed under the Patient 
Safety Act as well as

[[Page 70792]]

a criminal penalty under HIPAA for the same act.
    With respect to the commenter who requested clarification about 
penalties relating to a PSO that is a business associate of a HIPAA 
covered entity, we note that it is possible for a civil money penalty 
to be imposed under both the Patient Safety Act and HIPAA, where such 
penalty is imposed against different entities. Thus, for example, 
because a PSO will be a business associate of a covered entity under 
HIPAA, any violation involving patient safety work product that 
contains protected health information by the PSO will be a violation of 
the Patient Safety Act and not HIPAA, since the PSO is not a covered 
entity. However, if the PSO notifies the covered entity of the 
impermissible disclosure (as required by the business associate 
contract under HIPAA), and the covered entity does not take the 
appropriate steps to mitigate and address the consequences of the 
impermissible disclosure of protected health information, the covered 
entity may then be liable for a penalty under HIPAA.
3. Section 3.504--Procedures for Hearings
    Proposed Rule: Proposed Sec.  3.504 provided the procedures for an 
administrative hearing to contest a civil money penalty. The proposed 
section set forth the authority of the ALJ, the rights and burdens of 
proof of the parties, requirements for the exchange of information and 
pre-hearing, hearing, and post-hearing processes. This section cross-
referenced the relevant provisions of the HIPAA Enforcement Rule 
extensively. Specifically, Sec. Sec.  3.504(b), (d), (f)-(g), (i)-(k), 
(m), (n), (t), (w) and (x) of the proposed rule incorporated unchanged 
the provisions of the HIPAA Enforcement Rule. Sections 3.504(a), (c), 
(e), (h), (l), (o)-(s), (u) and (v) of the proposed rule incorporated 
the HIPAA Enforcement Rule but included technical changes to adapt 
these provisions to the Patient Safety Act confidentiality provisions. 
These technical changes addressed the following: (1) Proposed 
Sec. Sec.  3.504(a) and 3.504 (v) excluded language from 45 CFR 
160.504(c) and 160.548(e), respectively, relating to an affirmative 
defense under 45 CFR 160.410(b)(1), which is a defense unique to HIPAA 
and not included in the Patient Safety Act; (2) proposed Sec.  3.504(c) 
excluded the provision at 45 CFR 160.508(c)(5) for remedied violations 
based on reasonable cause to be insulated from liability for a civil 
money penalty because there is no such requirement under the Patient 
Safety Act; (3) proposed Sec.  3.504(e) substituted the term 
``identifiable patient safety work product'' for ``individually 
identifiable health information''; (4) proposed Sec.  3.504(h) excluded 
the language in 45 CFR 160.518(a) relating to the provision of a 
statistical expert's report not less than 30 days before a scheduled 
hearing because we did not propose language permitting use of 
statistical sampling to estimate the number of violations; (5) proposed 
Sec.  3.504(o) substituted ``a confidentiality provision'' for ``an 
administrative simplification provision'' in 45 CFR 160.532; (6) 
proposed Sec.  3.504(p) substituted, for language not relevant to the 
Patient Safety Act in 45 CFR 160.534(b)(1), new language stating that 
the respondent has the burden of going forward and the burden of 
persuasion with respect to any challenge to the amount of a proposed 
civil money penalty, including any mitigating factors raised, and 
provided that good cause shown under 45 CFR 160.534(c) may be that 
identifiable patient safety work product has been introduced into 
evidence or is expected to be introduced into evidence; (7) proposed 
Sec.  3.504(s) added language to provide that good cause for making 
redactions to the record would include the presence of identifiable 
patient safety work product; and (8) proposed Sec. Sec.  3.504(l), (q), 
(r), and (u) substituted citations to subpart D of the Patient Safety 
rule, as appropriate.
    We also explained in the proposed rule that we intended to maintain 
the alignment between these provisions and the HIPAA Enforcement Rule 
by incorporating any changes to the HIPAA Enforcement Rule that would 
become final based on the Department's Notice of Proposed Rulemaking 
entitled, ``Revisions to Procedures for the Departmental Appeals Board 
and Other Departmental Hearings'' (see 72 FR 73708 (December 28, 
2007)). That Notice of Proposed Rulemaking proposed to amend the HIPAA 
Enforcement Rule at 45 CFR 160.508(c) and 160.548, and add a new 
provision at 160.554, providing that the Secretary may review all ALJ 
decisions that the Board has declined to review and all Board decisions 
for error in applying statutes, regulations, or interpretive policy. As 
of the publication date of this final rule, however, that regulation is 
not final.
    Overview of Public Comments: We received no comments opposed to 
these provisions.
    Final Rule: The final rule adopts the proposed provisions, except 
renumbers them into individual sections and republishes the referenced 
provisions of the HIPAA Enforcement Rule, as modified by the technical 
changes described above to adapt the provisions to the Patient Safety 
Act confidentiality provisions. The final rule includes the full text 
of such provisions for convenience of the reader.
    Also, we incorporate one additional technical change to better 
adapt the language to this rule's confidentiality provisions, as well 
as one conforming change. In particular, at Sec.  3.512(b)(11), we 
replace the term ``privacy of'' with ``confidentiality of'' in addition 
to replacing ``individually identifiable health information'' with 
``identifiable patient safety work product.'' In addition, at Sec.  
3.504(b), we replace the term ``90 days'' with ``60 days.'' We proposed 
at Sec.  3.420(a)(6) to include in a notice of proposed determination a 
statement that a respondent must request a hearing within 60 days or 
lose its right to a hearing under Sec.  3.504. However, we 
inadvertently omitted from Sec.  3.504 a conforming change to the 
language incorporated from 45 CFR 160.504(b) to change the hearing 
request deadline from 90 days to 60 days. Thus, this change is 
necessary to align the two provisions.
Response to Other Public Comments
    Comment: One commenter asked that the final rule clarify the 
involvement of the Departmental Appeals Board during the hearings and 
appeals processes as well as whether the Secretary has authority to 
review ALJ decisions.
    Response: Sections 3.504-3.552 of the final rule incorporate the 
provisions of the HIPAA Enforcement Rule, which lay out the hearings 
and appeals process. The current process provides that any party, 
including the Secretary, may appeal a decision of the ALJ to the 
Departmental Appeals Board, as well as file a reconsideration request 
with the Board following any Board decision. Unless the ALJ decision is 
timely appealed, such decision becomes final and binding on the parties 
60 days from the date of service of the ALJ's decision.
    Comment: One commenter asked that the final rule provide no 
restrictions to full judicial review for appeals and hearing requests.
    Response: Section 3.548(k) provides respondents the right to 
petition for judicial review of the final decision of the Secretary 
once all administrative appeals have been exhausted, that is, once the 
Departmental Appeals Board has rendered a decision on appeal or 
reconsideration that has become the final decision of the Secretary, as 
appropriate.
    Comment: One commenter suggested that any time patient safety work 
product could be disclosed in an ALJ

[[Page 70793]]

proceeding, the proceeding should be closed to the public.
    Response: The final rule at Sec.  3.534(c) expressly provides that 
the ALJ may close a proceeding to the public for good cause shown, 
which may include the potential for patient safety work product to be 
introduced as evidence in the proceeding. We do not see a need to 
require that proceedings be closed under such circumstances but rather 
will continue to rely on the experienced discretion of the ALJ in 
determining such matters.

IV. Impact Statement and Other Required Analyses

Regulatory Impact Analysis

    AHRQ has previously analyzed the potential economic impact of this 
rule as part of its February 2008 Notice of Proposed Rulemaking 
(proposed rule) as required by Executive Order 12866 (September 1993, 
Regulatory Planning and Review), the Regulatory Flexibility Act (RFA) 
(September 16, 1980, Pub. L. 96-354), section 1102(b) of the Social 
Security Act, the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4), 
and Executive Order 13132. This analysis can be found on pages 8164 to 
8171 of the proposed rule, which was published in the Federal Register 
on February 12, 2008.
    Executive Order 12866 (as amended by Executive Order 13258, 
February 2002, and Executive Order 13422, January 2007), directs 
agencies to assess all costs and benefits of available regulatory 
alternatives and, if regulation is necessary, to select regulatory 
approaches that maximize net benefits (including potential economic, 
environmental, public health and safety effects, distributive impacts, 
and equity). A regulatory impact analysis (RIA) must be prepared for 
major rules with economically significant effects ($100 million or more 
in any 1 year). Although we cannot determine the specific economic 
impact of this final rule, we believe that the economic impact may 
approach $100 million. HHS has determined that the rule is 
``significant'' because it raises novel legal and policy issues with 
the establishment of a new regulatory framework, authorized by the 
Patient Safety Act, and imposes requirements, albeit voluntary, on 
entities that had not been subject to regulation in this area.
    In preparing the regulatory impact analysis for inclusion in the 
proposed rule, AHRQ did not develop an alternative to the statutorily 
authorized voluntary framework. In light of the approach taken in the 
proposed rule, alternatives would have been mandatory or more 
proscriptive as well as inconsistent with statutory intent. The 
proposed rule established a system in which entities would voluntarily 
seek designation (or ``listing'') by the Secretary as a Patient Safety 
Organization (PSO), most PSO requirements would be met by attestation 
and overall compliance assessed by spot-checks rather than document 
submission or routine audits, and the Department would look to the 
marketplace to assess the quality and value of each PSO. PSOs will not 
be Federally funded nor directed; their funding and activities will be 
determined by health care providers who seek their expert assistance in 
identifying the underlying causes of, and the best strategies for 
reducing or eliminating, medical errors. The proposed rule provided a 
foundation of confidentiality and privilege protections for information 
developed and exchanged when health care providers voluntarily choose 
to work with a PSO. We proposed that health care providers could 
receive the confidentiality and privilege protections of the statute by 
reporting information to a PSO occasionally, without entering contracts 
or incurring significant costs. Other health care providers could 
develop more costly internal systems that would serve as the hub of the 
provider's interactions with a PSO with which the provider had a 
contractual relationship; such structured, documented internal systems 
with dedicated personnel would be more costly. To create an ``upper 
bound'' on the analyses in the proposed rule, we assumed that all 
providers that would choose to work with PSOs would follow this more 
costly approach. It should be noted that most hospital providers 
already have patient safety reporting activities in place (98% 
according to a 2006 AHRQ survey). While documenting these activities 
and, it is hoped, expanding them through participation with a PSO will 
result in increased costs, that increase will be marginal, not 
complete, in the hospital community.
    A summary of the AHRQ analysis of costs and benefits of Patient 
Safety Act costs and benefits from the proposed rule follows below. For 
a full discussion of the assumptions underlying these estimates, please 
refer to the proposed rule.

            Table 3--Total Patient Safety Act Costs Including Hospital Costs and PSO Costs: 2009-2013
----------------------------------------------------------------------------------------------------------------
                                                                       Year
                                 -------------------------------------------------------------------------------
                                       2009            2010            2011            2012            2013
----------------------------------------------------------------------------------------------------------------
Hospital Penetration Rate.......             10%             40%             60%             75%             85%
Hospital Cost...................          $7.5 M         $30.0 M         $45.0 M         $56.2 M         $63.7 M
PSO Cost........................         $61.4 M         $92.1 M        $122.8 M        $122.8 M        $122.8 M
                                 -------------------------------------------------------------------------------
    Total cost..................         $68.9 M        $122.1 M        $167.8 M        $179.0 M       $186.5 M
----------------------------------------------------------------------------------------------------------------
Source: Notice of Proposed Rulemaking published in the Federal Register on February 12, 2008: 73 FR 8112-8183.

    Costs for PSO implementation were calculated by considering two 
components: Costs incurred by hospitals in engaging in PSO activities 
and costs of PSOs themselves. It was assumed that in early years of PSO 
operation, the hospital would be the primary site of PSO-related 
activity. Hospital costs were assumed to be incremental, given that a 
previously-completed survey funded by AHRQ revealed that 98% of U.S. 
hospitals already have adverse event reporting systems, and virtually 
all hospitals have a safety/quality function. We assumed that PSOs 
would be staffed modestly, relying on existing hospital activities in 
reporting adverse events, and that a significant proportion of PSOs are 
likely to be component PSOs, with support and expertise provided by a 
parent organization. Our assumptions were that PSOs will hire dedicated 
staff of 1.5 to 4 FTEs, assuming an average salary rate of $67/hour. We 
also estimated that a significant overhead figure of 100%, coupled with 
20% for General and Administrative (G&A) expenses, will cover the 
appreciable costs anticipated for legal, security, travel, and 
miscellaneous PSO expenses.

[[Page 70794]]

Provider--PSO Costs and Charges
    We have not figured into our calculations any estimates for the 
price of PSO services, amounts paid by hospitals and other health care 
providers to PSOs, PSO revenues, or PSO break-even analyses. We have 
not speculated about subsidies or business models. Regardless of what 
the costs and charges are between providers and PSOs, they will cancel 
each other out, as expenses to providers will become revenue to PSOs.

            Table 4--Total Estimated Cost Savings by Percent Reduction in Adverse Events: 2009-2013 *
----------------------------------------------------------------------------------------------------------------
                                                                       Year
                                 -------------------------------------------------------------------------------
                                       2009            2010            2011            2012            2013
----------------------------------------------------------------------------------------------------------------
Hospital Penetration Rate.......             10%             40%             60%             75%             85%
Percent Reduction in Adverse                  1%            1.5%              2%            2.5%              3%
 Events.........................
Savings.........................         $11.5 M           $69 M          $138 M      $215.625 M      $293.25 M
----------------------------------------------------------------------------------------------------------------
* Source: Baseline figures from IOM Report, To Err Is Human, on total national health care costs associated with
  preventable adverse events (between 8.5 billion and 14.5 billion). Year 1 estimates are based on mid-point
  figures.


                                        Table 5--Net Benefits: 2009-2013
----------------------------------------------------------------------------------------------------------------
                                                                       Year
                                 -------------------------------------------------------------------------------
                                       2009            2010            2011            2012            2013
----------------------------------------------------------------------------------------------------------------
Total Benefits..................         $11.5 M           $69 M          $138 M      $215.625 M       $293.25 M
Total Costs.....................         $68.9 M        $122.1 M        $167.8 M        $179.0 M        $186.5 M
Net Benefits....................       ($57.4) M       ($53.1) M       ($29.8) M       $36.625 M       $106.75 M
Discounted net present value at        ($55.7) M       ($50.0) M       ($27.3) M         $32.5 M         $92.1 M
 3%.............................
Discounted net present value at        ($53.6) M       ($46.4) M       ($24.3) M         $27.9 M         $76.1 M
 7%.............................
----------------------------------------------------------------------------------------------------------------

    The final rule includes several modifications that could alter the 
actual economic impact of the Patient Safety Act, but AHRQ concludes 
that these changes will not exceed the ``upper bound'' established in 
our previous analysis, and we anticipate that the actual economic 
impact may be less. Several changes incorporated in the final rule are 
likely to lower the costs of implementation. For example, the final 
rule has removed a requirement that PSOs that are components of other 
existing organizations must maintain separate information systems and, 
for all but a small category of component PSOs, we have removed 
restrictions on the use of shared staff. As we noted in our economic 
analysis, we expect the most common type of PSO to be ones that are 
established by one or more existing organizations. As commenters 
pointed out, personnel costs are likely to be the most significant cost 
facing a PSO, and the ability to share personnel means that skilled 
personnel are available at significantly less cost, and in some cases 
at no cost, than the PSO would pay to hire or externally contract for 
personnel. Similarly, the costs and administrative burdens associated 
with the development and maintenance were a major focus of commenters. 
These two changes are likely to have the greatest impact on reducing 
costs for PSOs.
    There are two changes in the final rule that might increase costs 
slightly but selectively. The final rule parallels a HIPAA Privacy Rule 
requirement that business associates of covered entities must notify 
the covered entity if any of its protected health information has been 
inappropriately disclosed or its security breached. The final rule 
requires PSOs to notify the providers that submitted patient safety 
work product to the PSO if the work product it submitted has been 
disclosed or its security breached. As we noted in the proposed rule, 
the vast majority of providers reporting data will be covered entities 
under HIPAA and will need to include such notification requirements in 
the business associate agreements they will enter with PSOs. In 
addition, the HIPAA requirement is likely to apply in many disclosure 
or security breach situations because most work product is expected to 
contain protected health information. Nevertheless, this requirement 
may increase costs to the extent that PSOs receive work product from 
non-covered entities, although these potential increased costs will be 
dependent upon the vigilance with which the providers and PSOs meet 
their confidentiality and security requirements.
    With respect to health care providers, the final rule does not 
impose requirements. The final rule does afford increased flexibility 
and protections to providers that voluntarily choose to both establish 
and document a more structured process for working with a PSO, i.e., 
what the rule terms a patient safety evaluation system, and document 
the flow of information into and out of the patient safety evaluation 
system. For providers who choose this option, the information they 
assemble and develop within their patient safety evaluation system will 
be accorded privilege and confidentiality, contingent upon the 
information ultimately being reported to a PSO, from the outset. To the 
extent that this encourages providers, who would not otherwise have 
done so, to establish a structured, documented patient safety 
evaluation system, there would be an increase in costs. As noted above, 
this should not significantly affect our previous analysis since we 
assumed all providers working with a PSO would have established a 
documented patient safety evaluation system.
    Taking advantage of this option will also enable health care 
providers with integrated health information technology systems to 
avoid the requirement in the proposed rule that they maintain the 
assembly and development of patient safety work product separately from 
their routine data collection activities, which would have required a 
number of providers to establish dual information systems. While we 
expect that the costs of developing dual information collection systems 
would exceed the costs of developing and maintaining a structured, 
documented patient safety evaluation system, we do not estimate any 
savings because we cannot be clear how many providers would have 
incurred the dual health information

[[Page 70795]]

technology systems costs or would have simply chosen to forego 
participation.
    After considering the impact of the increased flexibility in the 
final rule for PSOs and health care providers, we now expect the 
implementation costs will be lower than those in our previous analysis.
Final Regulatory Flexibility Analysis
    Since formation of a PSO is voluntary, formation is not likely to 
occur unless the organization believes it is an economically viable 
endeavor. Furthermore, PSOs are not likely to undertake tasks that will 
provide insufficient payment to cover their costs. Therefore, the 
Secretary certifies that the regulation will not impose a significant 
economic burden on a substantial number of small entities.
Unfunded Mandates Reform Act
    Section 202 of the Unfunded Mandates Reform Act requires that a 
covered agency prepare a budgetary impact statement before promulgating 
a rule that includes any Federal mandate that may result in the 
expenditure by State, local, and Tribal governments, in the aggregate, 
or by the private sector, of $100 million or more in any one year. The 
Department has determined that this final rule will not impose a 
mandate that will result in the expenditure by State, Local, and Tribal 
governments, in the aggregate, or by the private sector, of more than 
$100 million in any one year.
Paperwork Reduction Act
    This final rule adding a new Part 3 to volume 42 of the Code of 
Federal Regulations contains information collection requirements. This 
summary includes the estimated costs and assumptions for the paperwork 
requirements related to the final rule.
    With respect to Sec.  3.102 concerning the submission of 
certifications for initial and continued listing as a PSO, and of 
updated information, all such information would be submitted on the 
``Patient Safety Organization: Certification for Initial Listing'' 
form. To maintain its listing, a PSO must also submit a brief 
attestation, once every 24-month period after its initial date of 
listing, submitted on the ``Attestation Regarding the Two Bona Fide 
Contracts Requirement'' form, stating that it has entered contracts 
with two providers. We estimate that the final rule will create an 
average burden of 30 minutes annually for each entity that seeks to 
become a PSO to complete the necessary certification forms. Table 1 
summarizes burden hours.

       Table 1--Total Burden Hours Related to Certification Forms
          [Summary of all burden hours, by provision, for PSOs]
------------------------------------------------------------------------
               Provision                     Annualized  burden hours
------------------------------------------------------------------------
3.112..................................  30 minutes.
------------------------------------------------------------------------

    Under 5 CFR 1320.3(c), a covered collection of information includes 
the requirement by an agency of a disclosure of information to third 
parties by means of identical reporting, recordkeeping, or disclosure 
requirements, imposed on ten or more persons. The final rule reflects 
the previously established reporting requirements for breach of 
confidentiality applicable to business associates under HIPAA 
regulations requiring contracts to contain a provision requiring the 
business associate (in this case, the PSO) to notify providers of 
breaches of their identifiable patient data's confidentiality or 
security. Accordingly, this reporting requirement referenced in the 
regulation previously met Paperwork Reduction Act review requirements.
    The final rule requires in Sec.  3.108(c) that a PSO notify the 
Secretary if it intends to relinquish voluntarily its status as a PSO. 
The entity is required to notify the Secretary that it has, or will 
soon, alert providers and other organizations from which it has 
received patient safety work product or data of its intention and 
provide for the appropriate disposition of the data in consultation 
with each source of patient safety work product or data held by the 
entity. In addition, the entity is asked to provide the Secretary with 
current contact information for further communication from the 
Secretary as the entity ceases operations. The reporting aspect of this 
requirement is essentially an attestation that is equivalent to the 
requirements for listing, continued listing, and meeting the minimum 
contracts requirement. This minimal data requirement would come within 
5 CFR 1320.3(h)(1) which provides an exception from PRA requirements 
for affirmations, certifications, or acknowledgments as long as they 
entail no burden other than that necessary to identify the respondent, 
the date, the respondent's address, and the nature of the instrument. 
In this case, the nature of the instrument is an attestation that the 
PSO is working with its providers for the orderly cessation of 
activities. The following other collections of information that are 
required by the final regulation under Sec.  3.108 are also exempt from 
PRA requirements pursuant to an exception in 5 CFR 1320.4 for 
information gathered as part of administrative investigations and 
actions regarding specific parties: information supplied in response to 
preliminary agency determinations of PSO deficiencies or in response to 
proposed revocation and delisting, e.g., information providing the 
agency with correct facts, reporting corrective actions taken, or 
appealing proposed agency revocation decisions.
    AHRQ and OCR published in the Federal Register their proposed 
information collection forms on February 20, 2008. Following the first, 
60-day comment period, the forms were again published in the Federal 
Register on April 21, 2008, to begin the second, 30-day comment period. 
The forms were not changed following the first comment period, and they 
and the one comment received were sent to OMB, which received them on 
April 25, 2008. Minor changes to the proposed forms will be necessary 
to align them with the final rule. AHRQ and OCR will work with OMB to 
ensure that the forms needed to implement the Patient Safety Act 
conform to the requirements of the final rule.

Federalism

    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a final rule that imposes 
substantial direct requirement costs on state and local governments, 
preempts State law, or otherwise has Federalism implications. The 
Patient Safety Act upon which the final regulation is based makes 
patient safety work product confidential and privileged. To the extent 
this is inconsistent with any state law, including court decisions, the 
Federal statute preempts such state law or court order. The final rule 
will not have any greater preemptive effect on state or local 
governments than that imposed by the statute. While the Patient Safety 
Act does establish new Federal confidentiality and privilege 
protections for certain information, these protections only apply when 
health care providers work with PSOs and new processes, such as patient 
safety evaluation systems, that do not currently exist. These Federal 
data protections provide a mechanism for protection of sensitive 
information that could improve the quality, safety, and outcomes of 
health care by fostering a non-threatening environment in which 
information about adverse medical events and near misses can be 
discussed. It is hoped that confidential

[[Page 70796]]

analysis of patient safety events will reduce the occurrence of adverse 
medical events and, thereby, reduce the costs arising from such events, 
including costs incurred by state and local governments attributable to 
such events. In addition, the Patient Safety Act and the final rule do 
not relieve health care providers of their responsibilities to comply 
with state reporting requirements.
    AHRQ, in conjunction with OCR, held three public listening sessions 
prior to drafting the proposed rule. Representatives of several states 
participated in these sessions. In particular, states that had begun to 
collect and analyze patient safety event information spoke about their 
related experiences and plans. Following publication of the proposed 
rule, AHRQ consulted with state officials and organizations to review 
the scope of the proposed rule and to specifically seek input on 
federalism issues and a proposal in the rule at proposed Sec.  
3.102(a)(2) that would limit the ability of public or private sector 
regulatory entities to seek listing as a PSO. AHRQ received no 
expressions of concerns regarding the Federalism aspects of the 
proposed rule although several State health departments and commissions 
submitted written comments regarding the PSO eligibility criteria in 
the proposed rule.

OMB Accounting Statement

    The table below summarizes the estimated costs and benefits of 
implementing the Patient Safety and Quality Improvement Act for the 
next five years, beginning with January 1, 2009, by which time it is 
expected that the rule will be effective.
    The figures in the table are derived from the regulatory impact 
analyses outlined above and, more completely, in the February 12, 2008 
NPRM published in the Federal Register, on pages 8164 to 8171. As in 
the previous analyses, the range of benefits derives directly from the 
range of potentially-avoidable incidents cited (estimated) in IOM 
Report, To Err Is Human. The range of costs is the same as was included 
in the NPRM, where minimum and maximum estimates were calculated as 10% 
above and 10% below the Agency's primary estimate of costs.
    All figures are calculated at two discount rates, 7% and 3%, and 
dollars are held constant at the 2008 level. The discount rates, 3% or 
7%, represent two rates of return that might be expected from 
government investments. The purpose is to project the expected future 
costs and benefits in today's dollars. (Future dollars will be worth 
less than today's dollars, barring appropriate investments.) Figures 
are annualized, that is average-per-year over the five years. The 
discount rates, 3% or 7%, represent two rates of return that might be 
expected from government investments. The purpose is to project the 
expected future costs and benefits in today's dollars. (Future dollars 
will be worth less than today's dollars, barring appropriate 
investments.)

----------------------------------------------------------------------------------------------------------------
 
----------------------------------------------------------------------------------------------------------------
OMB :                       Agency/Program Office: AHRQ
������������������������������������
Rule Title: Patient Safety and
 Quality Improvement Act
������������������������������������
RIN :                       Date: 8/25/2008
������������������������������������
              CATEGORY                   Primary         Minimum         Maximum        Source citation (RIA,
                                        estimate        estimate        estimate            preamble, etc.)
                                       (millions)      (millions)      (millions)
                                    ----------------------------------------------------------------------------
BENEFITS...........................          $145.5          $107.5          $183.4  AHRQ Analysis.
������������������������������������
Annualized discounted (5 years):
    @ 7%...........................           111.5            82.4           140.5
    @ 3%...........................           129.4            95.7           163.2  ...........................
COSTS..............................           144.9           130.4           159.3  AHRQ Analysis.
Annualized discounted (5 years):
    @ 7%...........................           115.5           104.0           127.1
    @ 3%...........................           131.1           118.0           144.2  ...........................
������������������������������������
Transfers..........................                                      N/A
Effects on small businesses........                                      N/A
Effects on States and tribes.......                                      N/A
----------------------------------------------------------------------------------------------------------------

List of Subjects in 42 CFR Part 3

    Administrative practice and procedure, Civil money penalty, 
Confidentiality, Conflict of interests, Courts, Freedom of information, 
Health, Health care, Health facilities, Health insurance, Health 
professions, Health records, Hospitals, Investigations, Law 
enforcement, Medical research, Organization and functions, Patient, 
Patient safety, Privacy, Privilege, Public health, Reporting and 
recordkeeping requirements, Safety, State and local governments, 
Technical assistance.

0
For the reasons stated in the preamble, the Department of Health and 
Human Services amends Title 42 of the Code of Federal Regulations by 
adding a new part 3 to read as follows:

PART 3--PATIENT SAFETY ORGANIZATIONS AND PATIENT SAFETY WORK 
PRODUCT

Subpart A--General Provisions
Sec.
3.10 Purpose.
3.20 Definitions.
Subpart B--PSO Requirements and Agency Procedures
3.102 Process and requirements for initial and continued listing of 
PSOs.
3.104 Secretarial actions.
3.106 Security requirements.
3.108 Correction of deficiencies, revocation, and voluntary 
relinquishment.
3.110 Assessment of PSO compliance.
3.112 Submissions and forms.
Subpart C--Confidentiality and Privilege Protections of Patient Safety 
Work Product
3.204 Privilege of patient safety work product.
3.206 Confidentiality of patient safety work product.
3.208 Continued protection of patient safety work product.
3.210 Required disclosure of patient safety work product to the 
Secretary.
3.212 Nonidentification of patient safety work product.
Subpart D--Enforcement Program
3.304 Principles for achieving compliance.

[[Page 70797]]

3.306 Complaints to the Secretary.
3.308 Compliance reviews.
3.310 Responsibilities of respondents.
3.312 Secretarial action regarding complaints and compliance 
reviews.
3.314 Investigational subpoenas and inquiries.
3.402 Basis for a civil money penalty.
3.404 Amount of a civil money penalty.
3.408 Factors considered in determining the amount of a civil money 
penalty.
3.414 Limitations.
3.416 Authority to settle.
3.418 Exclusivity of penalty.
3.420 Notice of proposed determination.
3.422 Failure to request a hearing.
3.424 Collection of penalty.
3.426 Notification of the public and other agencies.
3.504 Hearings before an ALJ.
3.506 Rights of the parties.
3.508 Authority of the ALJ.
3.510 Ex parte contacts.
3.512 Prehearing conferences.
3.514 Authority to settle.
3.516 Discovery.
3.518 Exchange of witness lists, witness statements, and exhibits.
3.520 Subpoenas for attendance at hearing.
3.522 Fees.
3.524 Form, filing, and service of papers.
3.526 Computation of time.
3.528 Motions.
3.530 Sanctions.
3.532 Collateral estoppel.
3.534 The hearing.
3.538 Witnesses.
3.540 Evidence.
3.542 The record.
3.544 Post hearing briefs.
3.546 ALJ's decision.
3.548 Appeal of the ALJ's decision.
3.550 Stay of the Secretary's decision.
3.552 Harmless error.

    Authority: 42 U.S.C. 216, 299b-21 through 299b-26; 42 U.S.C. 
299c-6.

Subpart A--General Provisions


Sec.  3.10  Purpose.

    The purpose of this Part is to implement the Patient Safety and 
Quality Improvement Act of 2005 (Pub. L. 109-41), which amended Title 
IX of the Public Health Service Act (42 U.S.C. 299 et seq.) by adding 
sections 921 through 926, 42 U.S.C. 299b-21 through 299b-26.


Sec.  3.20  Definitions.

    As used in this Part, the terms listed alphabetically below have 
the meanings set forth as follows:
    Affiliated provider means, with respect to a provider, a legally 
separate provider that is the parent organization of the provider, is 
under common ownership, management, or control with the provider, or is 
owned, managed, or controlled by the provider.
    AHRQ stands for the Agency for Healthcare Research and Quality in 
HHS.
    ALJ stands for an Administrative Law Judge of HHS.
    Board means the members of the HHS Departmental Appeals Board, in 
the Office of the Secretary, which issues decisions in panels of three.
    Bona fide contract means:
    (1) A written contract between a provider and a PSO that is 
executed in good faith by officials authorized to execute such 
contract; or
    (2) A written agreement (such as a memorandum of understanding or 
equivalent recording of mutual commitments) between a Federal, State, 
local, or Tribal provider and a Federal, State, local, or Tribal PSO 
that is executed in good faith by officials authorized to execute such 
agreement.
    Complainant means a person who files a complaint with the Secretary 
pursuant to Sec.  3.306.
    Component organization means an entity that:
    (1) Is a unit or division of a legal entity (including a 
corporation, partnership, or a Federal, State, local or Tribal agency 
or organization); or
    (2) Is owned, managed, or controlled by one or more legally 
separate parent organizations.
    Component PSO means a PSO listed by the Secretary that is a 
component organization.
    Confidentiality provisions means for purposes of Subparts C and D, 
any requirement or prohibition concerning confidentiality established 
by sections 921 and 922(b)-(d), (g) and (i) of the Public Health 
Service Act, 42 U.S.C. 299b-21, 299b-22(b)-(d), (g) and (i) and the 
provisions, at Sec. Sec.  3.206 and 3.208, that implement the statutory 
prohibition on disclosure of identifiable patient safety work product.
    Disclosure means the release, transfer, provision of access to, or 
divulging in any other manner of patient safety work product by:
    (1) An entity or natural person holding the patient safety work 
product to another legally separate entity or natural person, other 
than a workforce member of, or a health care provider holding 
privileges with, the entity holding the patient safety work product; or
    (2) A component PSO to another entity or natural person outside the 
component PSO and within the legal entity of which the component PSO is 
a part.
    Entity means any organization or organizational unit, regardless of 
whether the organization is public, private, for-profit, or not-for-
profit.
    Group health plan means an employee welfare benefit plan (as 
defined in section 3(1) of the Employee Retirement Income Security Act 
of 1974 (ERISA)) to the extent that the plan provides medical care (as 
defined in paragraph (2) of section 2791(a) of the Public Health 
Service Act, including items and services paid for as medical care) to 
employees or their dependents (as defined under the terms of the plan) 
directly or through insurance, reimbursement, or otherwise.
    Health insurance issuer means an insurance company, insurance 
service, or insurance organization (including a health maintenance 
organization, as defined in 42 U.S.C. 300gg-91(b)(3)) which is licensed 
to engage in the business of insurance in a State and which is subject 
to State law which regulates insurance (within the meaning of 29 U.S.C. 
1144(b)(2)). This term does not include a group health plan.
    Health maintenance organization means:
    (1) A Federally qualified health maintenance organization (HMO) (as 
defined in 42 U.S.C. 300e(a));
    (2) An organization recognized under State law as a health 
maintenance organization; or
    (3) A similar organization regulated under State law for solvency 
in the same manner and to the same extent as such a health maintenance 
organization.
    HHS stands for the United States Department of Health and Human 
Services.
    HIPAA Privacy Rule means the regulations promulgated under section 
264(c) of the Health Insurance Portability and Accountability Act of 
1996 (HIPAA), at 45 CFR part 160 and Subparts A and E of Part 164.
    Identifiable patient safety work product means patient safety work 
product that:
    (1) Is presented in a form and manner that allows the 
identification of any provider that is a subject of the work product, 
or any providers that participate in, or are responsible for, 
activities that are a subject of the work product;
    (2) Constitutes individually identifiable health information as 
that term is defined in the HIPAA Privacy Rule at 45 CFR 160.103; or
    (3) Is presented in a form and manner that allows the 
identification of an individual who in good faith reported information 
directly to a PSO or to a provider with the intention of having the 
information reported to a PSO (``reporter'').
    Nonidentifiable patient safety work product means patient safety 
work product that is not identifiable patient safety work product in 
accordance with the nonidentification standards set forth at Sec.  
3.212.

[[Page 70798]]

    OCR stands for the Office for Civil Rights in HHS.
    Parent organization means an organization that: owns a controlling 
interest or a majority interest in a component organization; has the 
authority to control or manage agenda setting, project management, or 
day-to-day operations; or the authority to review and override 
decisions of a component organization. The component organization may 
be a provider.
    Patient Safety Act means the Patient Safety and Quality Improvement 
Act of 2005 (Pub. L. 109-41), which amended Title IX of the Public 
Health Service Act (42 U.S.C. 299 et seq.) by inserting a new Part C, 
sections 921 through 926, which are codified at 42 U.S.C. 299b-21 
through 299b-26.
    Patient safety activities means the following activities carried 
out by or on behalf of a PSO or a provider:
    (1) Efforts to improve patient safety and the quality of health 
care delivery;
    (2) The collection and analysis of patient safety work product;
    (3) The development and dissemination of information with respect 
to improving patient safety, such as recommendations, protocols, or 
information regarding best practices;
    (4) The utilization of patient safety work product for the purposes 
of encouraging a culture of safety and of providing feedback and 
assistance to effectively minimize patient risk;
    (5) The maintenance of procedures to preserve confidentiality with 
respect to patient safety work product;
    (6) The provision of appropriate security measures with respect to 
patient safety work product;
    (7) The utilization of qualified staff; and
    (8) Activities related to the operation of a patient safety 
evaluation system and to the provision of feedback to participants in a 
patient safety evaluation system.
    Patient safety evaluation system means the collection, management, 
or analysis of information for reporting to or by a PSO.
    Patient safety organization (PSO) means a private or public entity 
or component thereof that is listed as a PSO by the Secretary in 
accordance with Subpart B. A health insurance issuer or a component 
organization of a health insurance issuer may not be a PSO. See also 
the exclusions in Sec.  3.102 of this Part.
    Patient safety work product:
    (1) Except as provided in paragraph (2) of this definition, patient 
safety work product means any data, reports, records, memoranda, 
analyses (such as root cause analyses), or written or oral statements 
(or copies of any of this material)
    (i) Which could improve patient safety, health care quality, or 
health care outcomes; and
    (A) Which are assembled or developed by a provider for reporting to 
a PSO and are reported to a PSO, which includes information that is 
documented as within a patient safety evaluation system for reporting 
to a PSO, and such documentation includes the date the information 
entered the patient safety evaluation system; or
    (B) Are developed by a PSO for the conduct of patient safety 
activities; or
    (ii) Which identify or constitute the deliberations or analysis of, 
or identify the fact of reporting pursuant to, a patient safety 
evaluation system.
    (2)(i) Patient safety work product does not include a patient's 
medical record, billing and discharge information, or any other 
original patient or provider information; nor does it include 
information that is collected, maintained, or developed separately, or 
exists separately, from a patient safety evaluation system. Such 
separate information or a copy thereof reported to a PSO shall not by 
reason of its reporting be considered patient safety work product.
    (ii) Patient safety work product assembled or developed by a 
provider for reporting to a PSO may be removed from a patient safety 
evaluation system and no longer considered patient safety work product 
if:
    (A) The information has not yet been reported to a PSO; and
    (B) The provider documents the act and date of removal of such 
information from the patient safety evaluation system.
    (iii) Nothing in this part shall be construed to limit information 
that is not patient safety work product from being:
    (A) Discovered or admitted in a criminal, civil or administrative 
proceeding;
    (B) Reported to a Federal, State, local or Tribal governmental 
agency for public health or health oversight purposes; or
    (C) Maintained as part of a provider's recordkeeping obligation 
under Federal, State, local or Tribal law.
    Person means a natural person, trust or estate, partnership, 
corporation, professional association or corporation, or other entity, 
public or private.
    Provider means:
    (1) An individual or entity licensed or otherwise authorized under 
State law to provide health care services, including--
    (i) A hospital, nursing facility, comprehensive outpatient 
rehabilitation facility, home health agency, hospice program, renal 
dialysis facility, ambulatory surgical center, pharmacy, physician or 
health care practitioner's office (includes a group practice), long 
term care facility, behavior health residential treatment facility, 
clinical laboratory, or health center; or
    (ii) A physician, physician assistant, registered nurse, nurse 
practitioner, clinical nurse specialist, certified registered nurse 
anesthetist, certified nurse midwife, psychologist, certified social 
worker, registered dietitian or nutrition professional, physical or 
occupational therapist, pharmacist, or other individual health care 
practitioner;
    (2) Agencies, organizations, and individuals within Federal, State, 
local, or Tribal governments that deliver health care, organizations 
engaged as contractors by the Federal, State, local, or Tribal 
governments to deliver health care, and individual health care 
practitioners employed or engaged as contractors by the Federal State, 
local, or Tribal governments to deliver health care; or
    (3) A parent organization of one or more entities described in 
paragraph (1)(i) of this definition or a Federal, State, local, or 
Tribal government unit that manages or controls one or more entities 
described in paragraphs (1)(i) or (2) of this definition.
    Research has the same meaning as the term is defined in the HIPAA 
Privacy Rule at 45 CFR 164.501.
    Respondent means a provider, PSO, or responsible person who is the 
subject of a complaint or a compliance review.
    Responsible person means a person, other than a provider or a PSO, 
who has possession or custody of identifiable patient safety work 
product and is subject to the confidentiality provisions.
    Workforce means employees, volunteers, trainees, contractors, or 
other persons whose conduct, in the performance of work for a provider, 
PSO or responsible person, is under the direct control of such 
provider, PSO or responsible person, whether or not they are paid by 
the provider, PSO or responsible person.

Subpart B--PSO Requirements and Agency Procedures


Sec.  3.102  Process and requirements for initial and continued listing 
of PSOs.

    (a) Eligibility and process for initial and continued listing--(1) 
Submission of certification. Any entity, except as specified in 
paragraph (a)(2) of this section, may request from the Secretary

[[Page 70799]]

an initial or continued listing as a PSO by submitting a completed 
certification form that meets the requirements of this section, in 
accordance with Sec.  3.112. An individual with authority to make 
commitments on behalf of the entity seeking listing will be required to 
submit contact information for the entity and:
    (i) Attest that the entity is not subject to any exclusion in 
paragraph (a)(2) of this section;
    (ii) Provide certifications that the entity meets each requirement 
for PSOs in paragraph (b) of this section;
    (iii) If the entity is a component of another organization, provide 
the additional certifications that the entity meets the requirements of 
paragraph (c)(1)(i) of this section;
    (iv) If the entity is a component of an excluded entity described 
in paragraph (a)(2)(ii), provide the additional certifications and 
information required by paragraph (c)(1)(ii) of this section;
    (v) Attest that the entity has disclosed if the Secretary has ever 
delisted this entity (under its current name or any other) or refused 
to list the entity or whether any of its officials or senior managers 
held comparable positions of responsibility in an entity that was 
denied listing or delisted and, if any of these circumstances apply, 
submit with its certifications and related disclosures, the name of the 
entity or entities that the Secretary declined to list or delisted;
    (vi) Attest that the PSO will promptly notify the Secretary during 
its period of listing if it can no longer comply with any of its 
attestations and the applicable requirements in Sec. Sec.  3.102(b) and 
3.102(c) or if there have been any changes in the accuracy of the 
information submitted for listing, along with the pertinent changes; 
and
    (vii) Provide other information that the Secretary determines to be 
necessary to make the requested listing determination.
    (2) Exclusion of certain entities. The following types of entities 
may not seek listing as a PSO:
    (i) A health insurance issuer; a unit or division of a health 
insurance issuer; or an entity that is owned, managed, or controlled by 
a health insurance issuer;
    (ii) (A) An entity that accredits or licenses health care 
providers;
    (B) An entity that oversees or enforces statutory or regulatory 
requirements governing the delivery of health care services;
    (C) An agent of an entity that oversees or enforces statutory or 
regulatory requirements governing the delivery of health care services; 
or
    (D) An entity that operates a Federal, state, local or Tribal 
patient safety reporting system to which health care providers (other 
than members of the entity's workforce or health care providers holding 
privileges with the entity) are required to report information by law 
or regulation.
    (iii) A component of an entity listed in paragraph (a)(2)(ii) may 
seek listing as a component PSO subject to the requirements and 
restrictions of paragraph (c)(1)(ii) of this section.
    (3) Submission of certification for continued listing. To 
facilitate a timely Secretarial determination regarding acceptance of 
its certification for continued listing, a PSO must submit the required 
certification no later than 75 days before the expiration of a PSO's 
three-year period of listing.
    (b) Fifteen general PSO certification requirements. The 
certifications submitted to the Secretary in accordance with paragraph 
(a)(1)(ii) of this section must conform to the following 15 
requirements:
    (1) Required certification regarding eight patient safety 
activities.
    (i) Initial listing. An entity seeking initial listing as a PSO 
must certify that it has written policies and procedures in place to 
perform each of the eight patient safety activities, defined in Sec.  
3.20. With respect to paragraphs (5) and (6) in the definition of 
patient safety activities regarding confidentiality and security, the 
policies and procedures must include and provide for:
    (A) Compliance with the confidentiality provisions of Subpart C of 
this part and with appropriate security measures as required by Sec.  
3.106 of this subpart.
    (B) Notification of each provider that submitted patient safety 
work product or data as described in Sec.  3.108(b)(2) to the entity if 
the submitted work product or data was subject to an unauthorized 
disclosure or its security was breached.
    (ii) Continued Listing. A PSO seeking continued listing must 
certify that it is performing, and will continue to perform, each of 
the patient safety activities defined in Sec.  3.20, and is and will 
continue to comply with the requirements of paragraphs (b)(1)(i)(A) and 
(B) of this section.
    (2) Required certification regarding seven PSO criteria.
    (i) Initial Listing. In its initial certification submission, an 
entity must also certify that, if listed as a PSO, it will comply with 
the seven requirements in paragraphs (b)(2)(i)(A) through (G) of this 
section.
    (A) The mission and primary activity of the PSO must be to conduct 
activities that are to improve patient safety and the quality of health 
care delivery.
    (B) The PSO must have appropriately qualified workforce members, 
including licensed or certified medical professionals.
    (C) The PSO, within the 24-month period that begins on the date of 
its initial listing as a PSO, and within each sequential 24-month 
period thereafter, must have 2 bona fide contracts, each of a 
reasonable period of time, each with a different provider for the 
purpose of receiving and reviewing patient safety work product.
    (D) The PSO is not a health insurance issuer, and is not a 
component of a health insurance issuer.
    (E) The PSO must make disclosures to the Secretary as required 
under Sec.  3.102(d), in accordance with Sec.  3.112 of this subpart.
    (F) To the extent practical and appropriate, the PSO must collect 
patient safety work product from providers in a standardized manner 
that permits valid comparisons of similar cases among similar 
providers.
    (G) The PSO must utilize patient safety work product for the 
purpose of providing direct feedback and assistance to providers to 
effectively minimize patient risk.
    (ii) Continued Listing. A PSO seeking continued listing must 
certify that it is complying with, and will continue to comply with, 
the requirements of paragraphs (b)(2)(i)(A) through (G) of this 
section.
    (iii) Compliance with the criterion for collecting patient safety 
work product in a standardized manner to the extent practical and 
appropriate. With respect to paragraph (b)(2)(i)(F) of this section, 
the Secretary will assess compliance by a PSO in the following manner.
    (A) A PSO seeking continued listing must:
    (1) Certify that the PSO is using the Secretary's published 
guidance for common formats and definitions in its collection of 
patient safety work product (option (I));
    (2) Certify that the PSO is using an alternative system of formats 
and definitions that permits valid comparisons of similar cases among 
similar providers (option (II)); or
    (3) Provide a clear explanation for why it is not practical or 
appropriate for the PSO to comply with options (I) or (II) at this 
time.
    (B) The Secretary will consider a PSO to be in compliance if the 
entity complies with option (I), satisfactorily demonstrates that 
option (II) permits valid comparisons of similar cases among similar 
providers, or satisfactorily demonstrates that it is not practical or 
appropriate for the PSO to

[[Page 70800]]

comply with options (I) or (II) at this time.
    (c) Additional certifications required of component organizations--
(1) Requirements when seeking listing--(i) Requirements that all 
component organizations must meet. In addition to meeting the 15 
general PSO certification requirements of paragraph (b) of this 
section, an entity seeking initial listing that is a component of 
another organization must certify that it will comply with the 
requirements of paragraph (c)(2) of this section. A component PSO 
seeking continued listing must certify that it is complying with, and 
will continue to comply with, the requirements of this same paragraph 
(c)(2). At initial and continued listing, a component entity must 
attach to its certifications for listing contact information for its 
parent organization(s).
    (ii) Additional requirements and limitations applicable to 
components of entities that are excluded from listing. In addition to 
the requirements under paragraph (c)(1)(i) of this section, a component 
of an organization excluded from listing under paragraph (a)(2)(ii) of 
this section must submit the additional certifications and specified 
information for initial and continued listing and comply with paragraph 
(c)(4) of this section.
    (2) Required component certifications--(i) Separation of patient 
safety work product. A component PSO must maintain patient safety work 
product separately from the rest of the parent organization(s) of which 
it is a part, and establish appropriate security measures to maintain 
the confidentiality of patient safety work product. The information 
system in which the component PSO maintains patient safety work product 
must not permit unauthorized access by one or more individuals in, or 
by units of, the rest of the parent organization(s) of which it is a 
part.
    (ii) Nondisclosure of patient safety work product. A component PSO 
must require that members of its workforce and any other contractor 
staff not make unauthorized disclosures of patient safety work product 
to the rest of the parent organization(s) of which it is a part.
    (iii) No conflict of interest. The pursuit of the mission of a 
component PSO must not create a conflict of interest with the rest of 
the parent organization(s) of which it is a part.
    (3) Written agreements for assisting a component PSO in the conduct 
of patient safety activities. Notwithstanding the requirements of 
paragraph (c)(2) of this section, a component PSO may provide access to 
identifiable patient safety work product to one or more individuals in, 
or to one or more units of, the rest of the parent organization(s) of 
which it is a part, if the component PSO enters into a written 
agreement with such individuals or units which requires that:
    (i) The component PSO will only provide access to identifiable 
patient safety work product to enable such individuals or units to 
assist the component PSO in its conduct of patient safety activities, 
and
    (ii) Such individuals or units that receive access to identifiable 
patient safety work product pursuant to such written agreement will 
only use or disclose such information as specified by the component PSO 
to assist the component PSO in its conduct of patient safety 
activities, will take appropriate security measures to prevent 
unauthorized disclosures and will comply with the other certifications 
the component has made pursuant to paragraph (c)(2) of this section 
regarding unauthorized disclosures and conducting the mission of the 
PSO without creating conflicts of interest.
    (4) Required attestations, information and operational limitations 
for components of entities excluded from listing. A component 
organization of an entity that is subject to the restrictions of 
paragraph (a)(2)(ii) of this section must:
    (i) Submit the following information with its certifications for 
listing:
    (A) A statement describing its parent organization's role, and the 
scope of the parent organization's authority, with respect to any of 
the following that apply: Accreditation or licensure of health care 
providers, oversight or enforcement of statutory or regulatory 
requirements governing the delivery of health care services, serving as 
an agent of such a regulatory oversight or enforcement authority, or 
administering a public mandatory patient safety reporting system;
    (B) An attestation that the parent organization has no policies or 
procedures that would require or induce providers to report patient 
safety work product to their component organization once listed as a 
PSO and that the component PSO will notify the Secretary within 5 
calendar days of the date on which the component organization has 
knowledge of the adoption by the parent organization of such policies 
or procedures, and an acknowledgment that the adoption of such policies 
or procedures by the parent organization during the component PSO's 
period of listing will result in the Secretary initiating an expedited 
revocation process in accordance with Sec.  3.108(e); and
    (C) An attestation that the component organization will prominently 
post notification on its Web site and publish in any promotional 
materials for dissemination to providers, a summary of the information 
that is required by paragraph (c)(4)(i)(A) of this section.
    (ii) Comply with the following requirements during its period of 
listing:
    (A) The component organization may not share staff with its parent 
organization(s).
    (B) The component organization may enter into a written agreement 
pursuant to paragraph (c)(3) but such agreements are limited to units 
or individuals of the parent organization(s) whose responsibilities do 
not involve the activities specified in the restrictions in paragraph 
(a)(2)(ii) of this section.
    (d) Required notifications. Upon listing, PSOs must meet the 
following notification requirements:
    (1) Notification regarding PSO compliance with the minimum contract 
requirement. No later than 45 calendar days prior to the last day of 
the pertinent 24-month assessment period, specified in paragraph 
(b)(2)(iii)(C) of this section, the Secretary must receive from a PSO a 
certification that states whether it has met the requirement of that 
paragraph regarding two bona fide contracts, submitted in accordance 
with Sec.  3.112 of this subpart.
    (2) Notification regarding a PSO's relationships with its 
contracting providers.
    (i) Requirement. A PSO must file a disclosure statement regarding a 
provider with which it has a contract that provides the confidentiality 
and privilege protections of the Patient Safety Act (hereinafter 
referred to as a Patient Safety Act contract) if the PSO has any other 
relationships with this provider that are described in paragraphs 
(d)(2)(i)(A) through (D) of this section. The PSO must disclose all 
such relationships. A disclosure statement is not required if all of 
its other relationships with the provider are limited to Patient Safety 
Act contracts.
    (A) The provider and PSO have current contractual relationships, 
other than those arising from any Patient Safety Act contracts, 
including formal contracts or agreements that impose obligations on the 
PSO.
    (B) The provider and PSO have current financial relationships other 
than those arising from any Patient Safety Act contracts. A financial 
relationship may include any direct or indirect ownership or investment 
relationship between the PSO and the contracting provider, shared or 
common

[[Page 70801]]

financial interests or direct or indirect compensation arrangements 
whether in cash or in-kind.
    (C) The PSO and provider have current reporting relationships other 
than those arising from any Patient Safety Act contracts, by which the 
provider has access to information regarding the work and operation of 
the PSO that is not available to other contracting providers.
    (D) Taking into account all relationships that the PSO has with the 
provider, the PSO is not independently managed or controlled, or the 
PSO does not operate independently from, the contracting provider.
    (ii) Content. A PSO must submit to the Secretary the required 
attestation form for disclosures with the information specified below 
in accordance with Sec.  3.112 and this section. The substantive 
information that must be included with each submission has two required 
parts:
    (A) The Required Disclosures. The first part of the substantive 
information must provide a succinct list of obligations between the PSO 
and the contracting provider apart from their Patient Safety Act 
contract(s) that create, or contain, any of the types of relationships 
that must be disclosed based upon the requirements of paragraphs 
(d)(2)(i)(A) through (D) of this section. Each reportable obligation or 
discrete set of obligations that the PSO has with this contracting 
provider should be listed only once; noting the specific aspects of the 
obligation(s) that reflect contractual or financial relationships, 
involve access to information that is not available to other providers, 
or affect the independence of PSO operations, management, or control.
    (B) An Explanatory Narrative. The second required part of the 
substantive information must provide a brief explanatory narrative 
succinctly describing: The policies and procedures that the PSO has in 
place to ensure adherence to objectivity and professionally recognized 
analytic standards in the assessments it undertakes; and any other 
policies or procedures, or agreements with this provider, that the PSO 
has in place to ensure that it can fairly and accurately perform 
patient safety activities.
    (iii) Deadlines for submission. The Secretary must receive a 
disclosure statement within 45 days of the date on which a PSO enters a 
contract with a provider if the circumstances described in any of the 
paragraphs (d)(2)(i)(A) through (D) of this section are met on the date 
the contract is entered. During the contract period, if these 
circumstances subsequently arise, the Secretary must receive a 
disclosure statement from the PSO within 45 days of the date that any 
disclosure requirement in paragraph (d)(2)(i) of this section first 
applies.


Sec.  3.104  Secretarial actions.

    (a) Actions in response to certification submissions for initial 
and continued listing as a PSO. (1) In response to an initial or 
continued certification submission by an entity, pursuant to the 
requirements of Sec.  3.102 of this subpart, the Secretary may--
    (i) Accept the certification submission and list the entity as a 
PSO, or maintain the listing of a PSO, if the Secretary determines that 
the entity meets the applicable requirements of the Patient Safety Act 
and this subpart;
    (ii) Deny acceptance of a certification submission and, in the case 
of a currently listed PSO, remove the entity from the list if the 
entity does not meet the applicable requirements of the Patient Safety 
Act and this subpart; or
    (iii) Condition the listing of an entity or the continued listing 
of a PSO, following a determination made pursuant to paragraph (c) of 
this section or a determination after review of the pertinent history 
of an entity that has been delisted or refused listing and its 
officials and senior managers.
    (2) Basis for determination. In making a determination regarding 
listing, the Secretary will consider the certification submission; any 
prior actions by the Secretary regarding the entity or PSO including 
delisting; any history of or current non-compliance by the entity or 
the PSO or its officials or senior managers with statutory or 
regulatory requirements or requests from the Secretary; the 
relationships of the entity or PSO with providers; and any findings 
made by the Secretary in accordance with paragraph (c) of this section.
    (3) Notification. The Secretary will notify in writing each entity 
of action taken on its certification submission for initial or 
continued listing. The Secretary will provide reasons when an entity's 
certification is conditionally accepted and the entity is conditionally 
listed, when an entity's certification is not accepted and the entity 
is not listed, or when acceptance of its certification is revoked and 
the entity is delisted.
    (b) Actions regarding PSO compliance with the minimum contract 
requirement. After the date on which the Secretary, under Sec.  
3.102(d)(1) of this subpart, must receive notification regarding 
compliance of a PSO with the minimum contract requirement--
    (1) If the PSO has met the minimum contract requirement, the 
Secretary will acknowledge in writing receipt of the notification and 
add information to the list established pursuant to paragraph (d) of 
this section stating that the PSO has certified that it has met the 
requirement.
    (2) If the PSO states that it has not yet met the minimum contract 
requirement by the date specified in Sec.  3.102(d)(1), or if notice is 
not received by that date, the Secretary will issue to the PSO a notice 
of a preliminary finding of deficiency as specified in Sec.  
3.108(a)(2) and establish a period for correction that extends until 
midnight of the last day of the PSO's applicable 24-month period of 
assessment. Thereafter, if the requirement has not been met, the 
Secretary will provide the PSO a written notice of proposed revocation 
and delisting in accordance with Sec.  3.108(a)(3).
    (c) Actions regarding required disclosures by PSOs of relationships 
with contracting providers. The Secretary will review and make findings 
regarding each disclosure statement submitted by a PSO, pursuant to 
Sec.  3.102(d)(2), regarding its relationships with contracting 
provider(s), determine whether such findings warrant action regarding 
the listing of the PSO in accordance with paragraph (c)(2) of this 
section, and make the findings public.
    (1) Basis of findings regarding PSO disclosure statements. In 
reviewing disclosure statements, submitted pursuant to Sec.  
3.102(d)(2) of this subpart, the Secretary will consider the disclosed 
relationship(s) between the PSO and the contracting provider and the 
statements and material submitted by the PSO describing the policies 
and procedures that the PSO has in place to determine whether the PSO 
can fairly and accurately perform the required patient safety 
activities.
    (2) Determination by the Secretary. Based on the Secretary's review 
and findings, he may choose to take any of the following actions:
    (i) For an entity seeking an initial or continued listing, the 
Secretary may list or continue the listing of an entity without 
conditions, list the entity subject to conditions, or deny the entity's 
certification for initial or continued listing; or
    (ii) For a listed PSO, the Secretary may determine that the entity 
will remain listed without conditions, continue the entity's listing 
subject to conditions, or remove the entity from the list of PSOs.
    (3) Release of disclosure statements and Secretarial findings. (i) 
Subject to paragraph (c)(3)(ii) of this section, the Secretary will 
make disclosure statements available to the public along

[[Page 70802]]

with related findings that are made available in accordance with 
paragraph (c) of this section.
    (ii) The Secretary may withhold information that is exempt from 
public disclosure under the Freedom of Information Act, e.g., trade 
secrets or confidential commercial information that are subject to the 
restrictions of 18 U.S.C. 1905.
    (d) Maintaining a list of PSOs. The Secretary will compile and 
maintain a publicly available list of entities whose certifications as 
PSOs have been accepted. The list will include contact information for 
each entity, a copy of all certification forms and disclosure 
statements submitted by each entity in accordance with paragraph 
(c)(3)(ii) of this section, the effective date of the PSO's listing, 
and information on whether a PSO has certified that it has met the two 
contract requirement. The list also will include a copy of the 
Secretary's findings regarding each disclosure statement submitted by 
an entity, information describing any related conditions that have been 
placed by the Secretary on the listing of an entity as a PSO, and other 
information that this Subpart states may be made public. AHRQ may 
maintain a PSO website (or a comparable future form of public notice) 
and may post the list on this website.
    (e) Three-year period of listing. (1) The three-year period of 
listing of a PSO will automatically expire at midnight of the last day 
of this period, unless the listing had been revoked or relinquished 
earlier in accordance with Sec.  3.108 of this subpart, or if, prior to 
this automatic expiration, the PSO seeks a new three-year listing, in 
accordance with Sec.  3.102, and the Secretary accepts the PSO's 
certification for a new three-year listing, in accordance with Sec.  
3.104(a).
    (2) The Secretary plans to send a written notice of imminent 
expiration to a PSO at least 60 calendar days prior to the date on 
which its three-year period of listing expires if the Secretary has not 
yet received a certification for continued listing. The Secretary plans 
to indicate, on the AHRQ PSO website, the PSOs from whom certifications 
for continued listing have not been timely received.
    (f) Effective dates of Secretarial actions. Unless otherwise 
stated, the effective date of each action by the Secretary pursuant to 
this subpart will be specified in the written notice of such action 
that is sent to the entity. When the Secretary sends a notice that 
addresses acceptance or revocation of an entity's certifications or 
voluntary relinquishment by an entity of its status as a PSO, the 
notice will specify the effective date and time of listing or 
delisting.


Sec.  3.106  Security requirements.

    (a) Application. A PSO must secure patient safety work product in 
conformance with the security requirements of paragraph (b) of this 
section. These requirements must be met at all times and at any 
location at which the PSO, its workforce members, or its contractors 
receive, access, or handle patient safety work product. Handling 
patient safety work product includes its processing, development, use, 
maintenance, storage, removal, disclosure, transmission and 
destruction.
    (b) Security framework. A PSO must have written policies and 
procedures that address each of the considerations specified in this 
subsection. In addressing the framework that follows, the PSO may 
develop appropriate and scalable security standards, policies, and 
procedures that are suitable for the size and complexity of its 
organization.
    (1) Security management. A PSO must address:
    (i) Maintenance and effective implementation of written policies 
and procedures that conform to the requirements of this section to 
protect the confidentiality, integrity, and availability of the patient 
safety work product that is received, accessed, or handled; and to 
monitor and improve the effectiveness of such policies and procedures, 
and
    (ii) Training of the PSO workforce and PSO contractors who receive, 
access, or handle patient safety work product regarding the 
requirements of the Patient Safety Act, this Part, and the PSO's 
policies and procedures regarding the confidentiality and security of 
patient safety work product.
    (2) Distinguishing patient safety work product. A PSO must address:
    (i) Maintenance of the security of patient safety work product, 
whether in electronic or other media, through either physical 
separation from non-patient safety work product, or if co-located with 
non-patient safety work product, by making patient safety work product 
distinguishable so that the appropriate form and level of security can 
be applied and maintained;
    (ii) Protection of the media, whether in electronic, paper, or 
other media or format, that contain patient safety work product, 
limiting access to authorized users, and sanitizing and destroying such 
media before their disposal or release for reuse; and
    (iii) Physical and environmental protection, to control and limit 
physical and virtual access to places and equipment where patient 
safety work product is received, accessed, or handled.
    (3) Security control and monitoring. A PSO must address:
    (i) Identification of those authorized to receive, access, or 
handle patient safety work product and an audit capacity to detect 
unlawful, unauthorized, or inappropriate receipt, access, or handling 
of patient safety work product, and
    (ii) Methods to prevent unauthorized receipt, access, or handling 
of patient safety work product.
    (4) Security assessment. A PSO must address:
    (i) Periodic assessments of security risks and controls to 
establish if its controls are effective, to correct any deficiency 
identified, and to reduce or eliminate any vulnerabilities.
    (ii) System and communications protection, to monitor, control, and 
protect PSO receipt, access, or handling of patient safety work product 
with particular attention to the transmission of patient safety work 
product to and from providers, other PSOs, contractors or any other 
responsible persons.


Sec.  3.108  Correction of deficiencies, revocation, and voluntary 
relinquishment.

    (a) Process for correction of a deficiency and revocation--(1) 
Circumstances leading to revocation. The Secretary may revoke his 
acceptance of an entity's certification (``revocation'') and delist the 
entity as a PSO if he determines--
    (i) The PSO is not fulfilling the certifications made to the 
Secretary as required by Sec.  3.102;
    (ii) The PSO has not met the two contract requirement, as required 
by Sec.  3.102(d)(1);
    (iii) Based on a PSO's disclosures made pursuant to Sec.  
3.102(d)(2) , that the entity cannot fairly and accurately perform the 
patient safety activities of a PSO with a public finding to that 
effect; or
    (iv) The PSO is not in compliance with any other provision of the 
Patient Safety Act or this Part.
    (2) Notice of preliminary finding of deficiency and establishment 
of an opportunity for correction of a deficiency. (i) Except as 
provided by paragraph (e) of this section, if the Secretary determines 
that a PSO is not in compliance with its obligations under the Patient 
Safety Act or this Subpart, the Secretary must send a PSO written 
notice of the preliminary finding of deficiency. The notice must state 
the actions or inactions that encompass the deficiency finding, outline 
the evidence that the deficiency exists, specify the

[[Page 70803]]

possible and/or required corrective actions that must be taken, and 
establish a date by which the deficiency must be corrected. The 
Secretary may specify in the notice the form of documentation required 
to demonstrate that the deficiency has been corrected.
    (ii) The notice of a preliminary finding of deficiency is presumed 
received five days after it is sent, absent evidence of the actual 
receipt date. If a PSO does not submit evidence to the Secretary within 
14 calendar days of actual or constructive receipt of such notice, 
whichever is longer, which demonstrates that the preliminary finding is 
factually incorrect, the preliminary finding will be the basis for a 
finding of deficiency.
    (3) Determination of correction of a deficiency. (i) Unless the 
Secretary specifies another date, the Secretary must receive 
documentation to demonstrate that the PSO has corrected any deficiency 
cited in the preliminary finding of deficiency no later than five 
calendar days following the last day of the correction period that is 
specified by the Secretary in such notice.
    (ii) In making a determination regarding the correction of any 
deficiency, the Secretary will consider the documentation submitted by 
the PSO, any assessments under Sec.  3.110, recommendations of program 
staff, and any other information available regarding the PSO that the 
Secretary deems appropriate and relevant to the PSO's implementation of 
the terms of its certification.
    (iii) After completing his review, the Secretary may make one of 
the following determinations:
    (A) The action(s) taken by the PSO have corrected any deficiency, 
in which case the Secretary will withdraw the notice of deficiency and 
so notify the PSO;
    (B) The PSO has acted in good faith to correct the deficiency, but 
the Secretary finds an additional period of time is necessary to 
achieve full compliance and/or the required corrective action specified 
in the notice of a preliminary finding of deficiency needs to be 
modified in light of the experience of the PSO in attempting to 
implement the corrective action, in which case the Secretary will 
extend the period for correction and/or modify the specific corrective 
action required; or
    (C) The PSO has not completed the corrective action because it has 
not acted with reasonable diligence or speed to ensure that the 
corrective action was completed within the allotted time, in which case 
the Secretary will issue to the PSO a notice of proposed revocation and 
delisting.
    (iv) When the Secretary issues a written notice of proposed 
revocation and delisting, the notice will specify the deficiencies that 
have not been timely corrected and will detail the manner in which the 
PSO may exercise its opportunity to be heard in writing to respond to 
the deficiencies specified in the notice.
    (4) Opportunity to be heard in writing following a notice of 
proposed revocation and delisting. The Secretary will afford a PSO an 
opportunity to be heard in writing, as specified in paragraph (a)(4)(i) 
of this section, to provide a substantive response to the deficiency 
finding(s) set forth in the notice of proposed revocation and 
delisting.
    (i) The notice of proposed revocation and delisting is presumed 
received five days after it is sent, absent evidence of actual receipt. 
The Secretary will provide a PSO with a period of time, beginning with 
the date of receipt of the notice of proposed revocation and delisting 
of which there is evidence, or the presumed date of receipt if there is 
no evidence of earlier receipt, and ending at midnight 30 calendar days 
thereafter, during which the PSO may submit a substantive response to 
the deficiency findings in writing.
    (ii) The Secretary will provide to the PSO any rules of procedure 
governing the form or transmission of the written response to the 
notice of proposed revocation and delisting. Such rules may also be 
posted on the AHRQ PSO Web site or published in the Federal Register.
    (iii) If a PSO does not submit a written response to the deficiency 
finding(s) within 30 calendar days of receipt of the notice of proposed 
revocation and delisting, the notice of proposed revocation becomes 
final as a matter of law and the basis for Secretarial action under 
paragraph (b)(1) of this section.
    (5) The Secretary's decision regarding revocation. The Secretary 
will review the entire administrative record pertaining to a notice of 
proposed revocation and delisting and any written materials submitted 
by the PSO under paragraph (a)(4) of this section. The Secretary may 
affirm, reverse, or modify the notice of proposed revocation and 
delisting and will make a determination with respect to the continued 
listing of the PSO.
    (b) Revocation of the Secretary's acceptance of a PSO's 
certifications--(1) Establishing the date and time of revocation and 
delisting. When the Secretary concludes, in accordance with a decision 
made under paragraphs (a)(5), (e)(3)(iii) or (e)(3)(iv)(C) of this 
section, that revocation of the acceptance of a PSO's certification is 
warranted for its failure to comply with requirements of the Patient 
Safety Act or of this Part, the Secretary will establish the effective 
time and date for such prompt revocation and removal of the entity from 
the list of PSOs, so notify the PSO in writing, and provide the 
relevant public notice required by Sec.  3.108(d) of this subpart.
    (2) Required notification of providers and status of data. (i) Upon 
being notified of the Secretary's action pursuant to paragraph (b)(1) 
of this section, the former PSO will take all reasonable actions to 
notify each provider, whose patient safety work product it collected or 
analyzed, of the Secretary's action(s) and the following statutory 
information: Confidentiality and privilege protections that applied to 
patient safety work product while the former PSO was listed continue to 
apply after the entity is removed from listing. Data submitted by 
providers to the former PSO for 30 calendar days following the date and 
time on which the entity was removed from the list of PSOs pursuant to 
paragraph (b)(1) of this section will have the same status as data 
submitted while the entity was still listed.
    (ii) Within 15 days of being notified of the Secretary's action 
pursuant to paragraph (b)(1) of this section, the former PSO shall 
submit to the Secretary confirmation that it has taken the actions in 
paragraph (b)(2)(i) of this section.
    (3) Disposition of patient safety work product and data. Within 90 
days following the effective date of revocation and delisting pursuant 
to paragraph (b)(1) of this section, the former PSO will take one or 
more of the following measures in regard to patient safety work product 
and data described in paragraph (b)(2)(i) of this section:
    (i) Transfer such patient safety work product or data, with the 
approval of the source from which it was received, to a PSO that has 
agreed to receive such patient safety work product or data;
    (ii) Return such work product or data to the source from which it 
was submitted; or
    (iii) If returning such patient safety work product or data to its 
source is not practicable, destroy such patient safety work product or 
data.
    (c) Voluntary relinquishment--(1) Circumstances constituting 
voluntary relinquishment. A PSO will be considered to have voluntarily 
relinquished its status as a PSO if the Secretary accepts a 
notification from a PSO that it wishes to relinquish voluntarily its 
listing as a PSO.

[[Page 70804]]

    (2) Notification of voluntary relinquishment. A PSO's notification 
of voluntary relinquishment to the Secretary must include the 
following:
    (i) An attestation that all reasonable efforts have been made, or 
will have been made by a PSO within 15 calendar days of this statement, 
to notify the sources from which it received patient safety work 
product of the PSO's intention to cease PSO operations and activities, 
to relinquish voluntarily its status as a PSO, to request that these 
other entities cease reporting or submitting any further information to 
the PSO as soon as possible, and inform them that any information 
reported after the effective date and time of delisting that the 
Secretary sets pursuant to paragraph (c)(3) of this section will not be 
protected as patient safety work product under the Patient Safety Act.
    (ii) An attestation that the entity has established a plan, or 
within 15 calendar days of this statement, will have made all 
reasonable efforts to establish a plan, in consultation with the 
sources from which it received patient safety work product, that 
provides for the disposition of the patient safety work product held by 
the PSO consistent with, to the extent practicable, the statutory 
options for disposition of patient safety work product as set out in 
paragraph (b)(3) of this section; and
    (iii) Appropriate contact information for further communications 
from the Secretary.
    (3) Response to notification of voluntary relinquishment. (i) After 
a PSO provides the notification required by paragraph (c)(2) of this 
section, the Secretary will respond in writing to the entity indicating 
whether the proposed voluntary relinquishment of its PSO status is 
accepted. If the voluntary relinquishment is accepted, the Secretary's 
response will indicate an effective date and time for the entity's 
removal from the list of PSOs and will provide public notice of the 
voluntary relinquishment and the effective date and time of the 
delisting, in accordance with Sec.  3.108(d) of this subpart.
    (ii) If the Secretary receives a notification of voluntary 
relinquishment during or immediately after revocation proceedings for 
cause under paragraphs (a)(4) and (a)(5) of this section, the 
Secretary, as a matter of discretion, may accept voluntary 
relinquishment in accordance with the preceding paragraph or decide not 
to accept the entity's proposed voluntary relinquishment and proceed 
with the revocation for cause and delisting pursuant to paragraph 
(b)(1) of this section.
    (4) Non-applicability of certain procedures and requirements. (i) A 
decision by the Secretary to accept a request by a PSO to relinquish 
voluntarily its status as a PSO pursuant to paragraph (c)(2) of this 
section does not constitute a determination of a deficiency in PSO 
compliance with the Patient Safety Act or with this Subpart.
    (ii) The procedures and requirements of Sec.  3.108(a) of this 
subpart regarding deficiencies including the opportunity to correct 
deficiencies and to be heard in writing, and the procedures and 
requirements of Sec.  3.108(b) are not applicable to determinations of 
the Secretary made pursuant to this subsection.
    (d) Public notice of delisting regarding removal from listing. If 
the Secretary removes an entity from the list of PSOs following 
revocation of acceptance of the entity's certification pursuant to 
Sec.  3.108(b)(1), voluntary relinquishment pursuant to Sec.  
3.108(c)(3), or expiration of an entity's period of listing pursuant to 
Sec.  3.104(e)(1), the Secretary will promptly publish in the Federal 
Register and on the AHRQ PSO website, or in a comparable future form of 
public notice, a notice of the actions taken and the effective dates.
    (e) Expedited revocation and delisting--(1) Basis for expedited 
revocation. Notwithstanding any other provision of this section, the 
Secretary may use the expedited revocation process described in 
paragraph (e)(3) of this section if he determines--
    (i) The PSO is not in compliance with this Part because it is or is 
about to become an entity described in Sec.  3.102(a)(2).
    (ii) The parent organization of the PSO is an entity described in 
Sec.  3.102(a)(2) and requires or induces health care providers to 
report patient safety work product to its component PSO; or
    (iii) The circumstances for revocation in paragraph (a)(1) of this 
section exist, and the Secretary has determined that there would be 
serious adverse consequences if the PSO were to remain listed.
    (2) Applicable provisions. If the Secretary uses the expedited 
revocation process described in paragraph (e)(3) of this section, the 
procedures in paragraphs (a)(2) through (5) of this section shall not 
apply and paragraph (a)(1) and paragraphs (b) and (d) of this section 
shall apply.
    (3) Expedited revocation process. (i) The Secretary must send the 
PSO a written notice of deficiency that:
    (A) Identifies the evidence that the circumstances for revocation 
and delisting under paragraph (a)(1) of this section exist, and any 
corrective action that the PSO must take if the Secretary determines 
that corrective action may resolve the matter so that the entity would 
not be delisted; and
    (B) Provides an opportunity for the PSO to respond in writing to 
correct the facts or the legal bases for delisting found in the notice, 
and to offer any other grounds for its not being delisted.
    (ii) The notice of deficiency will be presumed to be received five 
days after it is sent, absent evidence of the actual receipt date.
    (iii) If the PSO does not submit a written response to the 
Secretary within 14 calendar days of actual or constructive receipt of 
such notice, whichever is longer, the Secretary may revoke his 
acceptance of the PSO's certifications and remove the entity from the 
list of PSOs.
    (iv) If the PSO responds in writing within the required 14-day time 
period, the Secretary may take any of the following actions:
    (A) Withdraw the notice of deficiency;
    (B) Provide the PSO with more time to resolve the matter to the 
Secretary's satisfaction; or
    (C) Revoke his acceptance of the PSO's certifications and remove 
the entity from the list of PSOs.


Sec.  3.110  Assessment of PSO compliance.

    The Secretary may request information or conduct announced or 
unannounced reviews of, or site visits to, PSOs, to assess or verify 
PSO compliance with the requirements of this subpart and for these 
purposes will be allowed to inspect the physical or virtual sites 
maintained or controlled by the PSO. The Secretary will be allowed to 
inspect and/or be given or sent copies of any PSO records deemed 
necessary and requested by the Secretary to implement the provisions of 
this subpart. Such PSO records may include patient safety work product 
in accordance with Sec.  3.206(d) of this part.


Sec.  3.112  Submissions and forms.

    (a) Forms referred to in this subpart may be obtained on the PSO 
Web site (http://www.pso.ahrq.gov) maintained for the Secretary by AHRQ 
or a successor agency or on successor publication technology or by 
requesting them in writing by e-mail at pso@ahrq.hhs.gov, or by mail 
from the Agency for Healthcare Research and Quality, CQuIPS, PSO 
Liaison, 540 Gaither Road, Rockville, MD 20850. A form (including any 
required attachments) must be submitted in accordance with the 
accompanying instructions.

[[Page 70805]]

    (b) Information submitted to AHRQ in writing, but not required to 
be on or attached to a form, and requests for information from AHRQ, 
may be submitted by mail or other delivery to the Agency for Healthcare 
Research and Quality, CQuIPS, PSO Liaison, 540 Gaither Road, Rockville, 
MD 20850, by facsimile at (301) 427-1341, or by e-mail at 
pso@ahrq.hhs.gov.
    (c) If a submission to the Secretary is incomplete or additional 
information is needed to allow a determination to be made under this 
subpart, the submitter will be notified if any additional information 
is required.

Subpart C--Confidentiality and Privilege Protections of Patient 
Safety Work Product


Sec.  3.204  Privilege of patient safety work product.

    (a) Privilege. Notwithstanding any other provision of Federal, 
State, local, or Tribal law and subject to paragraph (b) of this 
section and Sec.  3.208 of this subpart, patient safety work product 
shall be privileged and shall not be:
    (1) Subject to a Federal, State, local, or Tribal civil, criminal, 
or administrative subpoena or order, including in a Federal, State, 
local, or Tribal civil or administrative disciplinary proceeding 
against a provider;
    (2) Subject to discovery in connection with a Federal, State, 
local, or Tribal civil, criminal, or administrative proceeding, 
including in a Federal, State, local, or Tribal civil or administrative 
disciplinary proceeding against a provider;
    (3) Subject to disclosure pursuant to section 552 of Title 5, 
United States Code (commonly known as the Freedom of Information Act) 
or any other similar Federal, State, local, or Tribal law;
    (4) Admitted as evidence in any Federal, State, local, or Tribal 
governmental civil proceeding, criminal proceeding, administrative 
rulemaking proceeding, or administrative adjudicatory proceeding, 
including any such proceeding against a provider; or
    (5) Admitted in a professional disciplinary proceeding of a 
professional disciplinary body established or specifically authorized 
under State law.
    (b) Exceptions to privilege. Privilege shall not apply to (and 
shall not be construed to prohibit) one or more of the following 
disclosures:
    (1) Disclosure of relevant patient safety work product for use in a 
criminal proceeding, subject to the conditions at Sec.  3.206(b)(1) of 
this subpart.
    (2) Disclosure to the extent required to permit equitable relief 
subject to the conditions at Sec.  3.206(b)(2) of this subpart.
    (3) Disclosure pursuant to provider authorizations subject to the 
conditions at Sec.  3.206(b)(3) of this subpart.
    (4) Disclosure of non-identifiable patient safety work product 
subject to the conditions at Sec.  3.206(b)(5) of this subpart.
    (c) Implementation and enforcement by the Secretary. Privilege 
shall not apply to (and shall not be construed to prohibit) disclosures 
of relevant patient safety work product to or by the Secretary if such 
patient safety work product is needed to investigate or determine 
compliance, or to seek or impose civil money penalties, with respect to 
this part or the HIPAA Privacy Rule, or to make or support decisions 
with respect to listing of a PSO.


Sec.  3.206  Confidentiality of patient safety work product.

    (a) Confidentiality. Subject to paragraphs (b) through (e) of this 
section, and Sec. Sec.  3.208 and 3.210 of this subpart, patient safety 
work product shall be confidential and shall not be disclosed.
    (b) Exceptions to confidentiality. The confidentiality provisions 
shall not apply to (and shall not be construed to prohibit) one or more 
of the following disclosures:
    (1) Disclosure in criminal proceedings. Disclosure of relevant 
patient safety work product for use in a criminal proceeding, but only 
after a court makes an in-camera determination that:
    (i) Such patient safety work product contains evidence of a 
criminal act;
    (ii) Such patient safety work product is material to the 
proceeding; and
    (iii) Such patient safety work product is not reasonably available 
from any other source.
    (2) Disclosure to permit equitable relief for reporters. Disclosure 
of patient safety work product to the extent required to permit 
equitable relief under section 922 (f)(4)(A) of the Public Health 
Service Act, provided the court or administrative tribunal has issued a 
protective order to protect the confidentiality of the patient safety 
work product in the course of the proceeding.
    (3) Disclosure authorized by identified providers. (i) Disclosure 
of identifiable patient safety work product consistent with a valid 
authorization if such authorization is obtained from each provider 
identified in such work product prior to disclosure. A valid 
authorization must:
    (A) Be in writing and signed by the provider from whom 
authorization is sought; and
    (B) Contain sufficient detail to fairly inform the provider of the 
nature and scope of the disclosures being authorized;
    (ii) A valid authorization must be retained by the disclosing 
entity for six years from the date of the last disclosure made in 
reliance on the authorization and made available to the Secretary upon 
request.
    (4) Disclosure for patient safety activities--(i) Disclosure 
between a provider and a PSO. Disclosure of patient safety work product 
for patient safety activities by a provider to a PSO or by a PSO to 
that disclosing provider.
    (ii) Disclosure to a contractor of a provider or a PSO. A provider 
or a PSO may disclose patient safety work product for patient safety 
activities to an entity with which it has contracted to undertake 
patient safety activities on its behalf. A contractor receiving patient 
safety work product for patient safety activities may not further 
disclose patient safety work product, except to the provider or PSO 
with which it is contracted.
    (iii) Disclosure among affiliated providers. Disclosure of patient 
safety work product for patient safety activities by a provider to an 
affiliated provider.
    (iv) Disclosure to another PSO or provider. Disclosure of patient 
safety work product for patient safety activities by a PSO to another 
PSO or to another provider that has reported to the PSO, or, except as 
otherwise permitted in paragraph (b)(4)(iii) of this section, by a 
provider to another provider, provided:
    (A) The following direct identifiers of any providers and of 
affiliated organizations, corporate parents, subsidiaries, practice 
partners, employers, members of the workforce, or household members of 
such providers are removed:
    (1) Names;
    (2) Postal address information, other than town or city, State and 
zip code;
    (3) Telephone numbers;
    (4) Fax numbers;
    (5) Electronic mail addresses;
    (6) Social security numbers or taxpayer identification numbers;
    (7) Provider or practitioner credentialing or DEA numbers;
    (8) National provider identification number;
    (9) Certificate/license numbers;
    (10) Web Universal Resource Locators (URLs);
    (11) Internet Protocol (IP) address numbers;

[[Page 70806]]

    (12) Biometric identifiers, including finger and voice prints; and
    (13) Full face photographic images and any comparable images; and
    (B) With respect to any individually identifiable health 
information in such patient safety work product, the direct identifiers 
listed at 45 CFR 164.514(e)(2) have been removed.
    (5) Disclosure of nonidentifiable patient safety work product. 
Disclosure of nonidentifiable patient safety work product when patient 
safety work product meets the standard for nonidentification in 
accordance with Sec.  3.212 of this subpart.
    (6) Disclosure for research. (i) Disclosure of patient safety work 
product to persons carrying out research, evaluation or demonstration 
projects authorized, funded, certified, or otherwise sanctioned by rule 
or other means by the Secretary, for the purpose of conducting 
research.
    (ii) If the patient safety work product disclosed pursuant to 
paragraph (b)(6)(i) of this section is by a HIPAA covered entity as 
defined at 45 CFR 160.103 and contains protected health information as 
defined by the HIPAA Privacy Rule at 45 CFR 160.103, such patient 
safety work product may only be disclosed under this exception in the 
same manner as would be permitted under the HIPAA Privacy Rule.
    (7) Disclosure to the Food and Drug Administration (FDA) and 
entities required to report to FDA. (i) Disclosure by a provider of 
patient safety work product concerning an FDA-regulated product or 
activity to the FDA, an entity required to report to the FDA concerning 
the quality, safety, or effectiveness of an FDA-regulated product or 
activity, or a contractor acting on behalf of FDA or such entity for 
these purposes.
    (ii) Any person permitted to receive patient safety work product 
pursuant to paragraph (b)(7)(i) of this section may only further 
disclose such patient safety work product for the purpose of evaluating 
the quality, safety, or effectiveness of that product or activity to 
another such person or the disclosing provider.
    (8) Voluntary disclosure to an accrediting body. (i) Voluntary 
disclosure by a provider of patient safety work product to an 
accrediting body that accredits that provider, provided, with respect 
to any identified provider other than the provider making the 
disclosure:
    (A) The provider agrees to the disclosure; or
    (B) The identifiers at Sec.  3.206(b)(4)(iv)(A) are removed.
    (ii) An accrediting body may not further disclose patient safety 
work product it receives pursuant to paragraph (b)(8)(i) of this 
section.
    (iii) An accrediting body may not take an accrediting action 
against a provider based on a good faith participation of the provider 
in the collection, development, reporting, or maintenance of patient 
safety work product in accordance with this Part. An accrediting body 
may not require a provider to reveal its communications with any PSO.
    (9) Disclosure for business operations. (i) Disclosure of patient 
safety work product by a provider or a PSO for business operations to 
attorneys, accountants, and other professionals. Such contractors may 
not further disclose patient safety work product, except to the entity 
from which they received the information.
    (ii) Disclosure of patient safety work product for such other 
business operations that the Secretary may prescribe by regulation as 
consistent with the goals of this part.
    (10) Disclosure to law enforcement. (i) Disclosure of patient 
safety work product to an appropriate law enforcement authority 
relating to an event that either constitutes the commission of a crime, 
or for which the disclosing person reasonably believes constitutes the 
commission of a crime, provided that the disclosing person believes, 
reasonably under the circumstances, that the patient safety work 
product that is disclosed is necessary for criminal law enforcement 
purposes.
    (ii) Law enforcement personnel receiving patient safety work 
product pursuant to paragraph (b)(10)(i) of this section only may 
disclose that patient safety work product to other law enforcement 
authorities as needed for law enforcement activities related to the 
event that gave rise to the disclosure under paragraph (b)(10)(i) of 
this section.
    (c) Safe harbor. A provider or responsible person, but not a PSO, 
is not considered to have violated the requirements of this subpart if 
a member of its workforce discloses patient safety work product, 
provided that the disclosure does not include materials, including oral 
statements, that:
    (1) Assess the quality of care of an identifiable provider; or
    (2) Describe or pertain to one or more actions or failures to act 
by an identifiable provider.
    (d) Implementation and enforcement by the Secretary. The 
confidentiality provisions shall not apply to (and shall not be 
construed to prohibit) disclosures of relevant patient safety work 
product to or by the Secretary if such patient safety work product is 
needed to investigate or determine compliance or to seek or impose 
civil money penalties, with respect to this part or the HIPAA Privacy 
Rule, or to make or support decisions with respect to listing of a PSO.
    (e) No limitation on authority to limit or delegate disclosure or 
use. Nothing in subpart C of this part shall be construed to limit the 
authority of any person to enter into a contract requiring greater 
confidentiality or delegating authority to make a disclosure or use in 
accordance with this subpart.


Sec.  3.208  Continued protection of patient safety work product.

    (a) Except as provided in paragraph (b) of this section, patient 
safety work product disclosed in accordance with this subpart, or 
disclosed impermissibly, shall continue to be privileged and 
confidential.
    (b)(1) Patient safety work product disclosed for use in a criminal 
proceeding pursuant to section 922(c)(1)(A) of the Public Health 
Service Act, 42 U.S.C. 299b-22(c)(1)(A), and/or pursuant to Sec.  
3.206(b)(1) of this subpart continues to be privileged, but is no 
longer confidential.
    (2) Non-identifiable patient safety work product that is disclosed 
is no longer privileged or confidential and not subject to the 
regulations under this part.
    (3) Paragraph (b) of this section applies only to the specific 
patient safety work product disclosed.


Sec.  3.210  Required disclosure of patient safety work product to the 
Secretary.

    Notwithstanding any other provision in this part, providers, PSOs, 
and responsible persons must disclose patient safety work product upon 
request by the Secretary when the Secretary determines such patient 
safety work product is needed to investigate or determine compliance or 
to seek or impose civil money penalties, with respect to this part or 
the HIPAA Privacy Rule, or to make or support decisions with respect to 
listing of a PSO.


Sec.  3.212  Nonidentification of patient safety work product.

    (a) Patient safety work product is nonidentifiable with respect to 
a particular identified provider or a particular identified reporter 
if:
    (1) A person with appropriate knowledge of and experience with 
generally accepted statistical and scientific principles and methods 
for

[[Page 70807]]

rendering information not individually identifiable:
    (i) Applying such principles and methods, determines that the risk 
is very small that the information could be used, alone or in 
combination with other reasonably available information, by an 
anticipated recipient to identify an identified provider or reporter; 
and
    (ii) Documents the methods and results of the analysis that justify 
such determination; or
    (2)(i) The following identifiers of such provider or reporter and 
of affiliated organizations, corporate parents, subsidiaries, practice 
partners, employers, members of the workforce, or household members of 
such providers or reporters are removed:
    (A) The direct identifiers listed at Sec.  3.206(b)(4)(iv)(A)(1) 
through (13) of this subpart;
    (B) Geographic subdivisions smaller than a State, including street 
address, city, county, precinct, zip code and equivalent geocodes, 
except for the initial three digits of a zip code if, according to the 
current publicly available data from the Bureau of the Census, the 
geographic unit formed by combining all zip codes with the same three 
initial digits contains more than 20,000 people;
    (C) All elements of dates (except year) for dates directly related 
to a patient safety incident or event; and
    (D) Any other unique identifying number, characteristic, or code 
except as permitted for re-identification; and
    (ii) The provider, PSO or responsible person making the disclosure 
does not have actual knowledge that the information could be used, 
alone or in combination with other information that is reasonably 
available to the intended recipient, to identify the particular 
provider or reporter.
    (3) Re-identification. A provider, PSO, or responsible person may 
assign a code or other means of record identification to allow 
information made nonidentifiable under this section to be re-identified 
by such provider, PSO, or responsible person, provided that:
    (i) The code or other means of record identification is not derived 
from or related to information about the provider or reporter and is 
not otherwise capable of being translated so as to identify the 
provider or reporter; and
    (ii) The provider, PSO, or responsible person does not use or 
disclose the code or other means of record identification for any other 
purpose, and does not disclose the mechanism for re-identification.
    (b) Patient safety work product is non-identifiable with respect to 
a particular patient only if the individually identifiable health 
information regarding that patient is de-identified in accordance with 
the HIPAA Privacy Rule standard and implementation specifications for 
the de-identification at 45 CFR 164.514(a) through (c).

Subpart D--Enforcement Program


Sec.  3.304  Principles for achieving compliance.

    (a) Cooperation. The Secretary will, to the extent practicable, 
seek the cooperation of providers, PSOs, and responsible persons in 
obtaining compliance with the applicable confidentiality provisions.
    (b) Assistance. The Secretary may provide technical assistance to 
providers, PSOs, and responsible persons to help them comply 
voluntarily with the applicable confidentiality provisions.


Sec.  3.306  Complaints to the Secretary.

    (a) Right to file a complaint. A person who believes that patient 
safety work product has been disclosed in violation of the 
confidentiality provisions may file a complaint with the Secretary.
    (b) Requirements for filing complaints. Complaints under this 
section must meet the following requirements:
    (1) A complaint must be filed in writing, either on paper or 
electronically.
    (2) A complaint must name the person that is the subject of the 
complaint and describe the act(s) believed to be in violation of the 
applicable confidentiality provision(s).
    (3) A complaint must be filed within 180 days of when the 
complainant knew or should have known that the act complained of 
occurred, unless this time limit is waived by the Secretary for good 
cause shown.
    (4) The Secretary may prescribe additional procedures for the 
filing of complaints, as well as the place and manner of filing, by 
notice in the Federal Register.
    (c) Investigation. The Secretary may investigate complaints filed 
under this section. Such investigation may include a review of the 
pertinent policies, procedures, or practices of the respondent and of 
the circumstances regarding any alleged violation. At the time of 
initial written communication with the respondent about the complaint, 
the Secretary will describe the act(s) that are the basis of the 
complaint.


Sec.  3.308  Compliance reviews.

    The Secretary may conduct compliance reviews to determine whether a 
respondent is complying with the applicable confidentiality provisions.


Sec.  3.310  Responsibilities of respondents.

    (a) Provide records and compliance reports. A respondent must keep 
such records and submit such compliance reports, in such time and 
manner and containing such information, as the Secretary may determine 
to be necessary to enable the Secretary to ascertain whether the 
respondent has complied or is complying with the applicable 
confidentiality provisions.
    (b) Cooperate with complaint investigations and compliance reviews. 
A respondent must cooperate with the Secretary, if the Secretary 
undertakes an investigation or compliance review of the policies, 
procedures, or practices of the respondent to determine whether it is 
complying with the applicable confidentiality provisions.
    (c) Permit access to information. (1) A respondent must permit 
access by the Secretary during normal business hours to its facilities, 
books, records, accounts, and other sources of information, including 
patient safety work product, that are pertinent to ascertaining 
compliance with the applicable confidentiality provisions. If the 
Secretary determines that exigent circumstances exist, such as when 
documents may be hidden or destroyed, a respondent must permit access 
by the Secretary at any time and without notice.
    (2) If any information required of a respondent under this section 
is in the exclusive possession of any other agency, institution, or 
person, and the other agency, institution, or person fails or refuses 
to furnish the information, the respondent must so certify and set 
forth what efforts it has made to obtain the information.


Sec.  3.312  Secretarial action regarding complaints and compliance 
reviews.

    (a) Resolution when noncompliance is indicated. (1) If an 
investigation of a complaint pursuant to Sec.  3.306 of this subpart or 
a compliance review pursuant to Sec.  3.308 of this subpart indicates 
noncompliance, the Secretary may attempt to reach a resolution of the 
matter satisfactory to the Secretary by informal means. Informal means 
may include demonstrated compliance or a completed corrective action 
plan or other agreement.
    (2) If the matter is resolved by informal means, the Secretary will 
so inform the respondent and, if the matter arose from a complaint, the 
complainant, in writing.

[[Page 70808]]

    (3) If the matter is not resolved by informal means, the Secretary 
will--
    (i) So inform the respondent and provide the respondent an 
opportunity to submit written evidence of any mitigating factors. The 
respondent must submit any evidence to the Secretary within 30 days 
(computed in the same manner as prescribed under Sec.  3.526 of this 
subpart) of receipt of such notification; and
    (ii) If, following action pursuant to paragraph (a)(3)(i) of this 
section, the Secretary decides that a civil money penalty should be 
imposed, inform the respondent of such finding in a notice of proposed 
determination in accordance with Sec.  3.420 of this subpart.
    (b) Resolution when no violation is found. If, after an 
investigation pursuant to Sec.  3.306 of this subpart or a compliance 
review pursuant to Sec.  3.308 of this subpart, the Secretary 
determines that further action is not warranted, the Secretary will so 
inform the respondent and, if the matter arose from a complaint, the 
complainant, in writing.
    (c) Uses and disclosures of information obtained. (1) Identifiable 
patient safety work product obtained by the Secretary in connection 
with an investigation or compliance review under this subpart will not 
be disclosed by the Secretary, except in accordance with Sec.  3.206(d) 
of this subpart, or if otherwise permitted by this part or the Patient 
Safety Act.
    (2) Except as provided for in paragraph (c)(1) of this section, 
information, including testimony and other evidence, obtained by the 
Secretary in connection with an investigation or compliance review 
under this subpart may be used by HHS in any of its activities and may 
be used or offered into evidence in any administrative or judicial 
proceeding.


Sec.  3.314  Investigational subpoenas and inquiries.

    (a) The Secretary may issue subpoenas in accordance with 42 U.S.C. 
405(d) and (e), and 1320a-7a(j), to require the attendance and 
testimony of witnesses and the production of any other evidence 
including patient safety work product during an investigation or 
compliance review pursuant to this part.
    (1) A subpoena issued under this paragraph must--
    (i) State the name of the person (including the entity, if 
applicable) to whom the subpoena is addressed;
    (ii) State the statutory authority for the subpoena;
    (iii) Indicate the date, time, and place that the testimony will 
take place;
    (iv) Include a reasonably specific description of any documents or 
items required to be produced; and
    (v) If the subpoena is addressed to an entity, describe with 
reasonable particularity the subject matter on which testimony is 
required. In that event, the entity must designate one or more natural 
persons who will testify on its behalf, and must state as to each such 
person that person's name and address and the matters on which he or 
she will testify. The designated person must testify as to matters 
known or reasonably available to the entity.
    (2) A subpoena under this section must be served by--
    (i) Delivering a copy to the natural person named in the subpoena 
or to the entity named in the subpoena at its last principal place of 
business; or
    (ii) Registered or certified mail addressed to the natural person 
at his or her last known dwelling place or to the entity at its last 
known principal place of business.
    (3) A verified return by the natural person serving the subpoena 
setting forth the manner of service or, in the case of service by 
registered or certified mail, the signed return post office receipt, 
constitutes proof of service.
    (4) Witnesses are entitled to the same fees and mileage as 
witnesses in the district courts of the United States (28 U.S.C. 1821 
and 1825). Fees need not be paid at the time the subpoena is served.
    (5) A subpoena under this section is enforceable through the 
district court of the United States for the district where the 
subpoenaed natural person resides or is found or where the entity 
transacts business.
    (b) Investigational inquiries are non-public investigational 
proceedings conducted by the Secretary.
    (1) Testimony at investigational inquiries will be taken under oath 
or affirmation.
    (2) Attendance of non-witnesses is discretionary with the 
Secretary, except that a witness is entitled to be accompanied, 
represented, and advised by an attorney.
    (3) Representatives of the Secretary are entitled to attend and ask 
questions.
    (4) A witness will have the opportunity to clarify his or her 
answers on the record following questioning by the Secretary.
    (5) Any claim of privilege must be asserted by the witness on the 
record.
    (6) Objections must be asserted on the record. Errors of any kind 
that might be corrected if promptly presented will be deemed to be 
waived unless reasonable objection is made at the investigational 
inquiry. Except where the objection is on the grounds of privilege, the 
question will be answered on the record, subject to objection.
    (7) If a witness refuses to answer any question not privileged or 
to produce requested documents or items, or engages in conduct likely 
to delay or obstruct the investigational inquiry, the Secretary may 
seek enforcement of the subpoena under paragraph (a)(5) of this 
section.
    (8) The proceedings will be recorded and transcribed. The witness 
is entitled to a copy of the transcript, upon payment of prescribed 
costs, except that, for good cause, the witness may be limited to 
inspection of the official transcript of his or her testimony.
    (9)(i) The transcript will be submitted to the witness for 
signature.
    (A) Where the witness will be provided a copy of the transcript, 
the transcript will be submitted to the witness for signature. The 
witness may submit to the Secretary written proposed corrections to the 
transcript, with such corrections attached to the transcript. If the 
witness does not return a signed copy of the transcript or proposed 
corrections within 30 days (computed in the same manner as prescribed 
under Sec.  3.526 of this part) of its being submitted to him or her 
for signature, the witness will be deemed to have agreed that the 
transcript is true and accurate.
    (B) Where, as provided in paragraph (b)(8) of this section, the 
witness is limited to inspecting the transcript, the witness will have 
the opportunity at the time of inspection to propose corrections to the 
transcript, with corrections attached to the transcript. The witness 
will also have the opportunity to sign the transcript. If the witness 
does not sign the transcript or offer corrections within 30 days 
(computed in the same manner as prescribed under Sec.  3.526 of this 
part) of receipt of notice of the opportunity to inspect the 
transcript, the witness will be deemed to have agreed that the 
transcript is true and accurate.
    (ii) The Secretary's proposed corrections to the record of 
transcript will be attached to the transcript.


Sec.  3.402  Basis for a civil money penalty.

    (a) General rule. A person who discloses identifiable patient 
safety work product in knowing or reckless violation of the 
confidentiality provisions shall be subject to a civil money penalty 
for each act constituting such violation.
    (b) Violation attributed to a principal. A principal is 
independently liable, in accordance with the federal common law of 
agency, for a civil money penalty based on the act of the principal's 
agent,

[[Page 70809]]

including a workforce member, acting within the scope of the agency if 
such act could give rise to a civil money penalty in accordance with 
Sec.  3.402(a) of this subpart.


Sec.  3.404  Amount of a civil money penalty.

    (a) The amount of a civil money penalty will be determined in 
accordance with paragraph (b) of this section and Sec.  3.408 of this 
subpart.
    (b) The Secretary may impose a civil money penalty in the amount of 
not more than $10,000.


Sec.  3.408  Factors considered in determining the amount of a civil 
money penalty.

    In determining the amount of any civil money penalty, the Secretary 
may consider as aggravating or mitigating factors, as appropriate, any 
of the following:
    (a) The nature of the violation.
    (b) The circumstances, including the consequences, of the 
violation, including:
    (1) The time period during which the violation(s) occurred; and
    (2) Whether the violation caused physical or financial harm or 
reputational damage;
    (c) The degree of culpability of the respondent, including:
    (1) Whether the violation was intentional; and
    (2) Whether the violation was beyond the direct control of the 
respondent.
    (d) Any history of prior compliance with the Patient Safety Act, 
including violations, by the respondent, including:
    (1) Whether the current violation is the same or similar to prior 
violation(s);
    (2) Whether and to what extent the respondent has attempted to 
correct previous violations;
    (3) How the respondent has responded to technical assistance from 
the Secretary provided in the context of a compliance effort; and
    (4) How the respondent has responded to prior complaints.
    (e) The financial condition of the respondent, including:
    (1) Whether the respondent had financial difficulties that affected 
its ability to comply;
    (2) Whether the imposition of a civil money penalty would 
jeopardize the ability of the respondent to continue to provide health 
care or patient safety activities; and
    (3) The size of the respondent.
    (f) Such other matters as justice may require.


Sec.  3.414  Limitations.

    No action under this subpart may be entertained unless commenced by 
the Secretary, in accordance with Sec.  3.420 of this subpart, within 6 
years from the date of the occurrence of the violation.


Sec.  3.416  Authority to settle.

    Nothing in this subpart limits the authority of the Secretary to 
settle any issue or case or to compromise any penalty.


Sec.  3.418  Exclusivity of penalty.

    (a) Except as otherwise provided by paragraph (b) of this section, 
a penalty imposed under this part is in addition to any other penalty 
prescribed by law.
    (b) Civil money penalties shall not be imposed both under this part 
and under the HIPAA Privacy Rule (45 CFR parts 160 and 164).


Sec.  3.420  Notice of proposed determination.

    (a) If a penalty is proposed in accordance with this part, the 
Secretary must deliver, or send by certified mail with return receipt 
requested, to the respondent, written notice of the Secretary's intent 
to impose a penalty. This notice of proposed determination must 
include:
    (1) Reference to the statutory basis for the penalty;
    (2) A description of the findings of fact regarding the violations 
with respect to which the penalty is proposed;
    (3) The reason(s) why the violation(s) subject(s) the respondent to 
a penalty;
    (4) The amount of the proposed penalty;
    (5) Any factors described in Sec.  3.408 of this subpart that were 
considered in determining the amount of the proposed penalty; and
    (6) Instructions for responding to the notice, including a 
statement of the respondent's right to a hearing, a statement that 
failure to request a hearing within 60 days permits the imposition of 
the proposed penalty without the right to a hearing under Sec.  3.504 
of this subpart or a right of appeal under Sec.  3.548 of this subpart, 
and the address to which the hearing request must be sent.
    (b) The respondent may request a hearing before an ALJ on the 
proposed penalty by filing a request in accordance with Sec.  3.504 of 
this subpart.


Sec.  3.422  Failure to request a hearing.

    If the respondent does not request a hearing within the time 
prescribed by Sec.  3.504 of this subpart and the matter is not settled 
pursuant to Sec.  3.416 of this subpart, the Secretary may impose the 
proposed penalty or any lesser penalty permitted by sections 921 
through 926 of the Public Health Service Act, 42 U.S.C. 299b-21 through 
299b-26. The Secretary will notify the respondent by certified mail, 
return receipt requested, of any penalty that has been imposed and of 
the means by which the respondent may satisfy the penalty, and the 
penalty is final on receipt of the notice. The respondent has no right 
to appeal a penalty under Sec.  3.548 of this subpart with respect to 
which the respondent has not timely requested a hearing.


Sec.  3.424  Collection of penalty.

    (a) Once a determination of the Secretary to impose a penalty has 
become final, the penalty will be collected by the Secretary, subject 
to the first sentence of 42 U.S.C. 1320a-7a(f).
    (b) The penalty may be recovered in a civil action brought in the 
United States district court for the district where the respondent 
resides, is found, or is located.
    (c) The amount of a penalty, when finally determined, or the amount 
agreed upon in compromise, may be deducted from any sum then or later 
owing by the United States, or by a State agency, to the respondent.
    (d) Matters that were raised or that could have been raised in a 
hearing before an ALJ, or in an appeal under 42 U.S.C. 1320a-7a(e), may 
not be raised as a defense in a civil action by the United States to 
collect a penalty under this part.


Sec.  3.426  Notification of the public and other agencies.

    Whenever a proposed penalty becomes final, the Secretary will 
notify, in such manner as the Secretary deems appropriate, the public 
and the following organizations and entities thereof and the reason it 
was imposed: The appropriate State or local medical or professional 
organization, the appropriate State agency or agencies administering or 
supervising the administration of State health care programs (as 
defined in 42 U.S.C. 1320a-7(h)), the appropriate utilization and 
quality control peer review organization, and the appropriate State or 
local licensing agency or organization (including the agency specified 
in 42 U.S.C. 1395aa(a), 1396a(a)(33)).


Sec.  3.504  Hearings before an ALJ.

    (a) A respondent may request a hearing before an ALJ. The parties 
to the hearing proceeding consist of--
    (1) The respondent; and
    (2) The officer(s) or employee(s) of HHS to whom the enforcement 
authority involved has been delegated.
    (b) The request for a hearing must be made in writing signed by the 
respondent or by the respondent's attorney and sent by certified mail,

[[Page 70810]]

return receipt requested, to the address specified in the notice of 
proposed determination. The request for a hearing must be mailed within 
60 days after notice of the proposed determination is received by the 
respondent. For purposes of this section, the respondent's date of 
receipt of the notice of proposed determination is presumed to be 5 
days after the date of the notice unless the respondent makes a 
reasonable showing to the contrary to the ALJ.
    (c) The request for a hearing must clearly and directly admit, 
deny, or explain each of the findings of fact contained in the notice 
of proposed determination with regard to which the respondent has any 
knowledge. If the respondent has no knowledge of a particular finding 
of fact and so states, the finding shall be deemed denied. The request 
for a hearing must also state the circumstances or arguments that the 
respondent alleges constitute the grounds for any defense and the 
factual and legal basis for opposing the penalty.
    (d) The ALJ must dismiss a hearing request where--
    (1) On motion of the Secretary, the ALJ determines that the 
respondent's hearing request is not timely filed as required by 
paragraph (b) or does not meet the requirements of paragraph (c) of 
this section;
    (2) The respondent withdraws the request for a hearing;
    (3) The respondent abandons the request for a hearing; or
    (4) The respondent's hearing request fails to raise any issue that 
may properly be addressed in a hearing.


Sec.  3.506  Rights of the parties.

    (a) Except as otherwise limited by this subpart, each party may--
    (1) Be accompanied, represented, and advised by an attorney;
    (2) Participate in any conference held by the ALJ;
    (3) Conduct discovery of documents as permitted by this subpart;
    (4) Agree to stipulations of fact or law that will be made part of 
the record;
    (5) Present evidence relevant to the issues at the hearing;
    (6) Present and cross-examine witnesses;
    (7) Present oral arguments at the hearing as permitted by the ALJ; 
and
    (8) Submit written briefs and proposed findings of fact and 
conclusions of law after the hearing.
    (b) A party may appear in person or by a representative. Natural 
persons who appear as an attorney or other representative must conform 
to the standards of conduct and ethics required of practitioners before 
the courts of the United States.
    (c) Fees for any services performed on behalf of a party by an 
attorney are not subject to the provisions of 42 U.S.C. 406, which 
authorizes the Secretary to specify or limit their fees.


Sec.  3.508  Authority of the ALJ.

    (a) The ALJ must conduct a fair and impartial hearing, avoid delay, 
maintain order, and ensure that a record of the proceeding is made.
    (b) The ALJ may--
    (1) Set and change the date, time and place of the hearing upon 
reasonable notice to the parties;
    (2) Continue or recess the hearing in whole or in part for a 
reasonable period of time;
    (3) Hold conferences to identify or simplify the issues, or to 
consider other matters that may aid in the expeditious disposition of 
the proceeding;
    (4) Administer oaths and affirmations;
    (5) Issue subpoenas requiring the attendance of witnesses at 
hearings and the production of documents at or in relation to hearings;
    (6) Rule on motions and other procedural matters;
    (7) Regulate the scope and timing of documentary discovery as 
permitted by this subpart;
    (8) Regulate the course of the hearing and the conduct of 
representatives, parties, and witnesses;
    (9) Examine witnesses;
    (10) Receive, rule on, exclude, or limit evidence;
    (11) Upon motion of a party, take official notice of facts;
    (12) Conduct any conference, argument or hearing in person or, upon 
agreement of the parties, by telephone; and
    (13) Upon motion of a party, decide cases, in whole or in part, by 
summary judgment where there is no disputed issue of material fact. A 
summary judgment decision constitutes a hearing on the record for the 
purposes of this subpart.
    (c) The ALJ--
    (1) May not find invalid or refuse to follow Federal statutes, 
regulations, or Secretarial delegations of authority and must give 
deference to published guidance to the extent not inconsistent with 
statute or regulation;
    (2) May not enter an order in the nature of a directed verdict;
    (3) May not compel settlement negotiations; or
    (4) May not enjoin any act of the Secretary.


Sec.  3.510  Ex parte contacts.

    No party or person (except employees of the ALJ's office) may 
communicate in any way with the ALJ on any matter at issue in a case, 
unless on notice and opportunity for both parties to participate. This 
provision does not prohibit a party or person from inquiring about the 
status of a case or asking routine questions concerning administrative 
functions or procedures.


Sec.  3.512  Prehearing conferences.

    (a) The ALJ must schedule at least one prehearing conference, and 
may schedule additional prehearing conferences as appropriate, upon 
reasonable notice, which may not be less than 14 business days, to the 
parties.
    (b) The ALJ may use prehearing conferences to discuss the 
following--
    (1) Simplification of the issues;
    (2) The necessity or desirability of amendments to the pleadings, 
including the need for a more definite statement;
    (3) Stipulations and admissions of fact or as to the contents and 
authenticity of documents;
    (4) Whether the parties can agree to submission of the case on a 
stipulated record;
    (5) Whether a party chooses to waive appearance at an oral hearing 
and to submit only documentary evidence (subject to the objection of 
the other party) and written argument;
    (6) Limitation of the number of witnesses;
    (7) Scheduling dates for the exchange of witness lists and of 
proposed exhibits;
    (8) Discovery of documents as permitted by this subpart;
    (9) The time and place for the hearing;
    (10) The potential for the settlement of the case by the parties; 
and
    (11) Other matters as may tend to encourage the fair, just and 
expeditious disposition of the proceedings, including the protection of 
confidentiality of identifiable patient safety work product that may be 
submitted into evidence or otherwise used in the proceeding, if 
appropriate.
    (c) The ALJ must issue an order containing the matters agreed upon 
by the parties or ordered by the ALJ at a prehearing conference.


Sec.  3.514  Authority to settle.

    The Secretary has exclusive authority to settle any issue or case 
without the consent of the ALJ.


Sec.  3.516  Discovery.

    (a) A party may make a request to another party for production of 
documents for inspection and copying that are relevant and material to 
the issues before the ALJ.
    (b) For the purpose of this section, the term ``documents'' 
includes

[[Page 70811]]

information, reports, answers, records, accounts, papers and other data 
and documentary evidence. Nothing contained in this section may be 
interpreted to require the creation of a document, except that 
requested data stored in an electronic data storage system must be 
produced in a form accessible to the requesting party.
    (c) Requests for documents, requests for admissions, written 
interrogatories, depositions and any forms of discovery, other than 
those permitted under paragraph (a) of this section, are not 
authorized.
    (d) This section may not be construed to require the disclosure of 
interview reports or statements obtained by any party, or on behalf of 
any party, of persons who will not be called as witnesses by that 
party, or analyses and summaries prepared in conjunction with the 
investigation or litigation of the case, or any otherwise privileged 
documents.
    (e)(1) When a request for production of documents has been 
received, within 30 days the party receiving that request must either 
fully respond to the request, or state that the request is being 
objected to and the reasons for that objection. If objection is made to 
part of an item or category, the part must be specified. Upon receiving 
any objections, the party seeking production may then, within 30 days 
or any other time frame set by the ALJ, file a motion for an order 
compelling discovery. The party receiving a request for production may 
also file a motion for protective order any time before the date the 
production is due.
    (2) The ALJ may grant a motion for protective order or deny a 
motion for an order compelling discovery if the ALJ finds that the 
discovery sought--
    (i) Is irrelevant;
    (ii) Is unduly costly or burdensome;
    (iii) Will unduly delay the proceeding; or
    (iv) Seeks privileged information.
    (3) The ALJ may extend any of the time frames set forth in 
paragraph (e)(1) of this section.
    (4) The burden of showing that discovery should be allowed is on 
the party seeking discovery.


Sec.  3.518  Exchange of witness lists, witness statements, and 
exhibits.

    (a) The parties must exchange witness lists, copies of prior 
written statements of proposed witnesses, and copies of proposed 
hearing exhibits, including copies of any written statements that the 
party intends to offer in lieu of live testimony in accordance with 
Sec.  3.538, not more than 60, and not less than 15, days before the 
scheduled hearing.
    (b)(1) If, at any time, a party objects to the proposed admission 
of evidence not exchanged in accordance with paragraph (a) of this 
section, the ALJ must determine whether the failure to comply with 
paragraph (a) of this section should result in the exclusion of that 
evidence.
    (2) Unless the ALJ finds that extraordinary circumstances justified 
the failure timely to exchange the information listed under paragraph 
(a) of this section, the ALJ must exclude from the party's case-in-
chief--
    (i) The testimony of any witness whose name does not appear on the 
witness list; and
    (ii) Any exhibit not provided to the opposing party as specified in 
paragraph (a) of this section.
    (3) If the ALJ finds that extraordinary circumstances existed, the 
ALJ must then determine whether the admission of that evidence would 
cause substantial prejudice to the objecting party.
    (i) If the ALJ finds that there is no substantial prejudice, the 
evidence may be admitted.
    (ii) If the ALJ finds that there is substantial prejudice, the ALJ 
may exclude the evidence, or, if he or she does not exclude the 
evidence, must postpone the hearing for such time as is necessary for 
the objecting party to prepare and respond to the evidence, unless the 
objecting party waives postponement.
    (c) Unless the other party objects within a reasonable period of 
time before the hearing, documents exchanged in accordance with 
paragraph (a) of this section will be deemed to be authentic for the 
purpose of admissibility at the hearing.


Sec.  3.520  Subpoenas for attendance at hearing.

    (a) A party wishing to procure the appearance and testimony of any 
person at the hearing may make a motion requesting the ALJ to issue a 
subpoena if the appearance and testimony are reasonably necessary for 
the presentation of a party's case.
    (b) A subpoena requiring the attendance of a person in accordance 
with paragraph (a) of this section may also require the person (whether 
or not the person is a party) to produce relevant and material evidence 
at or before the hearing.
    (c) When a subpoena is served by a respondent on a particular 
employee or official or particular office of HHS, the Secretary may 
comply by designating any knowledgeable HHS representative to appear 
and testify.
    (d) A party seeking a subpoena must file a written motion not less 
than 30 days before the date fixed for the hearing, unless otherwise 
allowed by the ALJ for good cause shown. That motion must--
    (1) Specify any evidence to be produced;
    (2) Designate the witnesses; and
    (3) Describe the address and location with sufficient particularity 
to permit those witnesses to be found.
    (e) The subpoena must specify the time and place at which the 
witness is to appear and any evidence the witness is to produce.
    (f) Within 15 days after the written motion requesting issuance of 
a subpoena is served, any party may file an opposition or other 
response.
    (g) If the motion requesting issuance of a subpoena is granted, the 
party seeking the subpoena must serve it by delivery to the person 
named, or by certified mail addressed to that person at the person's 
last dwelling place or principal place of business.
    (h) The person to whom the subpoena is directed may file with the 
ALJ a motion to quash the subpoena within 10 days after service.
    (i) The exclusive remedy for contumacy by, or refusal to obey a 
subpoena duly served upon, any person is specified in 42 U.S.C. 405(e).


Sec.  3.522  Fees.

    The party requesting a subpoena must pay the cost of the fees and 
mileage of any witness subpoenaed in the amounts that would be payable 
to a witness in a proceeding in United States District Court. A check 
for witness fees and mileage must accompany the subpoena when served, 
except that, when a subpoena is issued on behalf of the Secretary, a 
check for witness fees and mileage need not accompany the subpoena.


Sec.  3.524  Form, filing, and service of papers.

    (a) Forms. (1) Unless the ALJ directs the parties to do otherwise, 
documents filed with the ALJ must include an original and two copies.
    (2) Every pleading and paper filed in the proceeding must contain a 
caption setting forth the title of the action, the case number, and a 
designation of the paper, such as motion to quash subpoena.
    (3) Every pleading and paper must be signed by and must contain the 
address and telephone number of the party or the person on whose behalf 
the paper was filed, or his or her representative.
    (4) Papers are considered filed when they are mailed.
    (b) Service. A party filing a document with the ALJ or the Board 
must, at the time of filing, serve a copy of the

[[Page 70812]]

document on the other party. Service upon any party of any document 
must be made by delivering a copy, or placing a copy of the document in 
the United States mail, postage prepaid and addressed, or with a 
private delivery service, to the party's last known address. When a 
party is represented by an attorney, service must be made upon the 
attorney in lieu of the party.
    (c) Proof of service. A certificate of the natural person serving 
the document by personal delivery or by mail, setting forth the manner 
of service, constitutes proof of service.


Sec.  3.526  Computation of time.

    (a) In computing any period of time under this subpart or in an 
order issued thereunder, the time begins with the day following the 
act, event or default, and includes the last day of the period unless 
it is a Saturday, Sunday, or legal holiday observed by the Federal 
Government, in which event it includes the next business day.
    (b) When the period of time allowed is less than 7 days, 
intermediate Saturdays, Sundays, and legal holidays observed by the 
Federal Government must be excluded from the computation.
    (c) Where a document has been served or issued by placing it in the 
mail, an additional 5 days must be added to the time permitted for any 
response. This paragraph does not apply to requests for hearing under 
Sec.  3.504.


Sec.  3.528  Motions.

    (a) An application to the ALJ for an order or ruling must be by 
motion. Motions must state the relief sought, the authority relied upon 
and the facts alleged, and must be filed with the ALJ and served on all 
other parties.
    (b) Except for motions made during a prehearing conference or at 
the hearing, all motions must be in writing. The ALJ may require that 
oral motions be reduced to writing.
    (c) Within 10 days after a written motion is served, or such other 
time as may be fixed by the ALJ, any party may file a response to the 
motion.
    (d) The ALJ may not grant a written motion before the time for 
filing responses has expired, except upon consent of the parties or 
following a hearing on the motion, but may overrule or deny the motion 
without awaiting a response.
    (e) The ALJ must make a reasonable effort to dispose of all 
outstanding motions before the beginning of the hearing.


Sec.  3.530  Sanctions.

    The ALJ may sanction a person, including any party or attorney, for 
failing to comply with an order or procedure, for failing to defend an 
action or for other misconduct that interferes with the speedy, orderly 
or fair conduct of the hearing. The sanctions must reasonably relate to 
the severity and nature of the failure or misconduct. The sanctions may 
include--
    (a) In the case of refusal to provide or permit discovery under the 
terms of this part, drawing negative factual inferences or treating the 
refusal as an admission by deeming the matter, or certain facts, to be 
established;
    (b) Prohibiting a party from introducing certain evidence or 
otherwise supporting a particular claim or defense;
    (c) Striking pleadings, in whole or in part;
    (d) Staying the proceedings;
    (e) Dismissal of the action;
    (f) Entering a decision by default;
    (g) Ordering the party or attorney to pay the attorney's fees and 
other costs caused by the failure or misconduct; and
    (h) Refusing to consider any motion or other action that is not 
filed in a timely manner.


Sec.  3.532  Collateral estoppel.

    When a final determination that the respondent violated a 
confidentiality provision has been rendered in any proceeding in which 
the respondent was a party and had an opportunity to be heard, the 
respondent is bound by that determination in any proceeding under this 
part.


Sec.  3.534  The hearing.

    (a) The ALJ must conduct a hearing on the record in order to 
determine whether the respondent should be found liable under this 
part.
    (b)(1) The respondent has the burden of going forward and the 
burden of persuasion with respect to any challenge to the amount of a 
proposed penalty pursuant to Sec. Sec.  3.404 and 3.408, including any 
factors raised as mitigating factors.
    (2) The Secretary has the burden of going forward and the burden of 
persuasion with respect to all other issues, including issues of 
liability and the existence of any factors considered as aggravating 
factors in determining the amount of the proposed penalty.
    (3) The burden of persuasion will be judged by a preponderance of 
the evidence.
    (c) The hearing must be open to the public unless otherwise ordered 
by the ALJ for good cause shown, which may be that identifiable patient 
safety work product has been introduced into evidence or is expected to 
be introduced into evidence.
    (d)(1) Subject to the 15-day rule under Sec.  3.518(a) and the 
admissibility of evidence under Sec.  3.540, either party may 
introduce, during its case in chief, items or information that arose or 
became known after the date of the issuance of the notice of proposed 
determination or the request for hearing, as applicable. Such items and 
information may not be admitted into evidence, if introduced--
    (i) By the Secretary, unless they are material and relevant to the 
acts or omissions with respect to which the penalty is proposed in the 
notice of proposed determination pursuant to Sec.  3.420 of this part, 
including circumstances that may increase penalties; or
    (ii) By the respondent, unless they are material and relevant to an 
admission, denial or explanation of a finding of fact in the notice of 
proposed determination under Sec.  3.420 of this part, or to a specific 
circumstance or argument expressly stated in the request for hearing 
under Sec.  3.504, including circumstances that may reduce penalties.
    (2) After both parties have presented their cases, evidence may be 
admitted in rebuttal even if not previously exchanged in accordance 
with Sec.  3.518.


Sec.  3.538  Witnesses.

    (a) Except as provided in paragraph (b) of this section, testimony 
at the hearing must be given orally by witnesses under oath or 
affirmation.
    (b) At the discretion of the ALJ, testimony of witnesses other than 
the testimony of expert witnesses may be admitted in the form of a 
written statement. The ALJ may, at his or her discretion, admit prior 
sworn testimony of experts that has been subject to adverse 
examination, such as a deposition or trial testimony. Any such written 
statement must be provided to the other party, along with the last 
known address of the witness, in a manner that allows sufficient time 
for the other party to subpoena the witness for cross-examination at 
the hearing. Prior written statements of witnesses proposed to testify 
at the hearing must be exchanged as provided in Sec.  3.518.
    (c) The ALJ must exercise reasonable control over the mode and 
order of interrogating witnesses and presenting evidence so as to:
    (1) Make the interrogation and presentation effective for the 
ascertainment of the truth;
    (2) Avoid repetition or needless consumption of time; and

[[Page 70813]]

    (3) Protect witnesses from harassment or undue embarrassment.
    (d) The ALJ must permit the parties to conduct cross-examination of 
witnesses as may be required for a full and true disclosure of the 
facts.
    (e) The ALJ may order witnesses excluded so that they cannot hear 
the testimony of other witnesses, except that the ALJ may not order to 
be excluded--
    (1) A party who is a natural person;
    (2) In the case of a party that is not a natural person, the 
officer or employee of the party appearing for the entity pro se or 
designated as the party's representative; or
    (3) A natural person whose presence is shown by a party to be 
essential to the presentation of its case, including a person engaged 
in assisting the attorney for the Secretary.


Sec.  3.540  Evidence.

    (a) The ALJ must determine the admissibility of evidence.
    (b) Except as provided in this subpart, the ALJ is not bound by the 
Federal Rules of Evidence. However, the ALJ may apply the Federal Rules 
of Evidence where appropriate, for example, to exclude unreliable 
evidence.
    (c) The ALJ must exclude irrelevant or immaterial evidence.
    (d) Although relevant, evidence may be excluded if its probative 
value is substantially outweighed by the danger of unfair prejudice, 
confusion of the issues, or by considerations of undue delay or 
needless presentation of cumulative evidence.
    (e) Although relevant, evidence must be excluded if it is 
privileged under Federal law.
    (f) Evidence concerning offers of compromise or settlement is 
inadmissible to the extent provided in Rule 408 of the Federal Rules of 
Evidence.
    (g) Evidence of crimes, wrongs, or acts other than those at issue 
in the instant case is admissible in order to show motive, opportunity, 
intent, knowledge, preparation, identity, lack of mistake, or existence 
of a scheme. This evidence is admissible regardless of whether the 
crimes, wrongs, or acts occurred during the statute of limitations 
period applicable to the acts or omissions that constitute the basis 
for liability in the case and regardless of whether they were 
referenced in the Secretary's notice of proposed determination under 
Sec.  3.420.
    (h) The ALJ must permit the parties to introduce rebuttal witnesses 
and evidence.
    (i) All documents and other evidence offered or taken for the 
record must be open to examination by both parties, unless otherwise 
ordered by the ALJ for good cause shown.


Sec.  3.542  The record.

    (a) The hearing must be recorded and transcribed. Transcripts may 
be obtained following the hearing from the ALJ. A party that requests a 
transcript of hearing proceedings must pay the cost of preparing the 
transcript unless, for good cause shown by the party, the payment is 
waived by the ALJ or the Board, as appropriate.
    (b) The transcript of the testimony, exhibits, and other evidence 
admitted at the hearing, and all papers and requests filed in the 
proceeding constitute the record for decision by the ALJ and the 
Secretary.
    (c) The record may be inspected and copied (upon payment of a 
reasonable fee) by any person, unless otherwise ordered by the ALJ for 
good cause shown, which may include the presence in the record of 
identifiable patient safety work product.
    (d) For good cause, which may include the presence in the record of 
identifiable patient safety work product, the ALJ may order appropriate 
redactions made to the record.


Sec.  3.544  Post hearing briefs.

    The ALJ may require the parties to file post-hearing briefs. In any 
event, any party may file a post-hearing brief. The ALJ must fix the 
time for filing the briefs. The time for filing may not exceed 60 days 
from the date the parties receive the transcript of the hearing or, if 
applicable, the stipulated record. The briefs may be accompanied by 
proposed findings of fact and conclusions of law. The ALJ may permit 
the parties to file reply briefs.


Sec.  3.546  ALJ's decision.

    (a) The ALJ must issue a decision, based only on the record, which 
must contain findings of fact and conclusions of law.
    (b) The ALJ may affirm, increase, or reduce the penalties imposed 
by the Secretary.
    (c) The ALJ must issue the decision to both parties within 60 days 
after the time for submission of post-hearing briefs and reply briefs, 
if permitted, has expired. If the ALJ fails to meet the deadline 
contained in this paragraph, he or she must notify the parties of the 
reason for the delay and set a new deadline.
    (d) Unless the decision of the ALJ is timely appealed as provided 
for in Sec.  3.548, the decision of the ALJ will be final and binding 
on the parties 60 days from the date of service of the ALJ's decision.


Sec.  3.548  Appeal of the ALJ's decision.

    (a) Any party may appeal the decision of the ALJ to the Board by 
filing a notice of appeal with the Board within 30 days of the date of 
service of the ALJ decision. The Board may extend the initial 30 day 
period for a period of time not to exceed 30 days if a party files with 
the Board a request for an extension within the initial 30 day period 
and shows good cause.
    (b) If a party files a timely notice of appeal with the Board, the 
ALJ must forward the record of the proceeding to the Board.
    (c) A notice of appeal must be accompanied by a written brief 
specifying exceptions to the initial decision and reasons supporting 
the exceptions. Any party may file a brief in opposition to the 
exceptions, which may raise any relevant issue not addressed in the 
exceptions, within 30 days of receiving the notice of appeal and the 
accompanying brief. The Board may permit the parties to file reply 
briefs.
    (d) There is no right to appear personally before the Board or to 
appeal to the Board any interlocutory ruling by the ALJ.
    (e) The Board may not consider any issue not raised in the parties' 
briefs, nor any issue in the briefs that could have been raised before 
the ALJ but was not.
    (f) If any party demonstrates to the satisfaction of the Board that 
additional evidence not presented at such hearing is relevant and 
material and that there were reasonable grounds for the failure to 
adduce such evidence at the hearing, the Board may remand the matter to 
the ALJ for consideration of such additional evidence.
    (g) The Board may decline to review the case, or may affirm, 
increase, reduce, reverse or remand any penalty determined by the ALJ.
    (h) The standard of review on a disputed issue of fact is whether 
the initial decision of the ALJ is supported by substantial evidence on 
the whole record. The standard of review on a disputed issue of law is 
whether the decision is erroneous.
    (i) Within 60 days after the time for submission of briefs and 
reply briefs, if permitted, has expired, the Board must serve on each 
party to the appeal a copy of the Board's decision and a statement 
describing the right of any respondent who is penalized to seek 
judicial review.
    (j)(1) The Board's decision under paragraph (i) of this section, 
including a decision to decline review of the initial decision, becomes 
the final decision of the Secretary 60 days after

[[Page 70814]]

the date of service of the Board's decision, except with respect to a 
decision to remand to the ALJ or if reconsideration is requested under 
this paragraph.
    (2) The Board will reconsider its decision only if it determines 
that the decision contains a clear error of fact or error of law. New 
evidence will not be a basis for reconsideration unless the party 
demonstrates that the evidence is newly discovered and was not 
previously available.
    (3) A party may file a motion for reconsideration with the Board 
before the date the decision becomes final under paragraph (j)(1) of 
this section. A motion for reconsideration must be accompanied by a 
written brief specifying any alleged error of fact or law and, if the 
party is relying on additional evidence, explaining why the evidence 
was not previously available. Any party may file a brief in opposition 
within 15 days of receiving the motion for reconsideration and the 
accompanying brief unless this time limit is extended by the Board for 
good cause shown. Reply briefs are not permitted.
    (4) The Board must rule on the motion for reconsideration not later 
than 30 days from the date the opposition brief is due. If the Board 
denies the motion, the decision issued under paragraph (i) of this 
section becomes the final decision of the Secretary on the date of 
service of the ruling. If the Board grants the motion, the Board will 
issue a reconsidered decision, after such procedures as the Board 
determines necessary to address the effect of any error. The Board's 
decision on reconsideration becomes the final decision of the Secretary 
on the date of service of the decision, except with respect to a 
decision to remand to the ALJ.
    (5) If service of a ruling or decision issued under this section is 
by mail, the date of service will be deemed to be 5 days from the date 
of mailing.
    (k)(1) A respondent's petition for judicial review must be filed 
within 60 days of the date on which the decision of the Board becomes 
the final decision of the Secretary under paragraph (j) of this 
section.
    (2) In compliance with 28 U.S.C. 2112(a), a copy of any petition 
for judicial review filed in any U.S. Court of Appeals challenging the 
final decision of the Secretary must be sent by certified mail, return 
receipt requested, to the General Counsel of HHS. The petition copy 
must be a copy showing that it has been time-stamped by the clerk of 
the court when the original was filed with the court.
    (3) If the General Counsel of HHS received two or more petitions 
within 10 days after the final decision of the Secretary, the General 
Counsel will notify the U.S. Judicial Panel on Multidistrict Litigation 
of any petitions that were received within the 10 day period.


Sec.  3.550  Stay of the Secretary's decision.

    (a) Pending judicial review, the respondent may file a request for 
stay of the effective date of any penalty with the ALJ. The request 
must be accompanied by a copy of the notice of appeal filed with the 
Federal court. The filing of the request automatically stays the 
effective date of the penalty until such time as the ALJ rules upon the 
request.
    (b) The ALJ may not grant a respondent's request for stay of any 
penalty unless the respondent posts a bond or provides other adequate 
security.
    (c) The ALJ must rule upon a respondent's request for stay within 
10 days of receipt.


Sec.  3.552  Harmless error.

    No error in either the admission or the exclusion of evidence, and 
no error or defect in any ruling or order or in any act done or omitted 
by the ALJ or by any of the parties is ground for vacating, modifying 
or otherwise disturbing an otherwise appropriate ruling or order or 
act, unless refusal to take such action appears to the ALJ or the Board 
inconsistent with substantial justice. The ALJ and the Board at every 
stage of the proceeding must disregard any error or defect in the 
proceeding that does not affect the substantial rights of the parties.

    Dated: September 2, 2008.
Michael O. Leavitt,
Secretary.
 [FR Doc. E8-27475 Filed 11-20-08; 8:45 am]
BILLING CODE 4150-28-P