The Patient Safety and Quality Improvement Act of 2005 (the “Act”) was enacted in response to reports that preventable medical errors result in billions of dollars in increased health care costs, disability and death. The purpose of the Act is to create a legal structure in which health care providers can voluntarily disclose information about preventable adverse events, learn from mistakes, and avoid them in the future. To do this the Act envisions new “patient safety organizations” (“PSOs”) and a new patient safety work product privilege to prevent the information from being used in lawsuits against the PSO and reporting health care providers. On February 12, 2008, the Department of Health and Human Services, Agency for Healthcare Research and Quality (“Department”) issued proposed regulations to implement the Act. The proposed regulations would create opportunities, but also many hurdles, for those who desire to engage in PSO activity. This article summaries the following key components of the proposed regulations: (1) criteria for becoming a PSO; (2) confidentiality and privilege protections; and (3) enforcement mechanisms.
I. WHO CAN BE A PATIENT SAFETY ORGANIZATION?
The PSO is the primary vehicle to collect adverse event data, analyze it, and assist providers in implementing protocols and practices to avoid preventable adverse events and establish cultures of safety.
Any entity, public or private, nonprofit or for-profit, can be a PSO with limited but important exceptions. A health insurance issuer or a related or “component” entity of an insurer may not be a PSO under the proposed regulations. In addition, a health care regulatory, accreditation or licensure entity may not be a PSO, although a component of any such entity could. An entity desiring to be a PSO must notify the Department and submit a certification that the entity meets all PSO eligibility criteria. The proposed rule requires entities seeking initial or continued PSO listing to meet 15 certification requirements. These 15 requirements are divided into two categories: there are 8 patient safety activity criteria and 7 operational criteria.
The 8 patient safety activity criteria a PSO must perform are: (1) efforts to improve patient safety and quality of health care delivery; (2) collection and analysis of patient safety work product; (3) development and dissemination of information to improve patient safety, such as recommendations, protocols, or information regarding best practices; (4) utilization of patient safety work product to encourage a culture of safety and to provide feedback and assistance to effectively minimize patient risk; (5) utilization of qualified staff; (6) operation of a patient safety evaluation system; (7) provision of appropriate security measures for patient safety work product; and (8) preservation of confidentiality of patient safety work product. A PSO’s “patient safety evaluation system” is the process of collecting, managing or analyzing information the PSO receives from health care providers. The security measures require the PSO to implement and monitor effective written security policies and procedures to protect the confidentiality of patient safety work product and the training of PSO staff and contractors who access patient safety work product.
In addition, the PSO must maintain patient safety work product, whether in electronic or hardcopy form, separately from any other records. The PSO must limit access to authorized users and limit physical and virtual access to places and equipment where the PSO stores the work product. A PSO must also implement significant monitoring and assessment of security systems to detect unauthorized access to work product and to correct deficiencies in security systems.
Among the 7 operational criteria a PSO must meet are: (1) ensuring that its mission and primary activity is patient safety; (2) maintaining appropriately qualified staff, including licensed or certified medical professionals; (3) utilizing patient safety work product for direct feedback and assistance to providers; (4) certifying every 2 years that it has at least 2 contracts with providers for receiving and reviewing patient safety work product; and (5) collecting patient safety work product in a standardized manner to permit valid comparisons of similar cases.
The proposed rule emphasizes the need for PSOs to contract with multiple providers in order to develop a body of meaningful data from which it can identify patterns and cause of errors and to provide advice on avoiding such errors.
The proposed rule places additional criteria on “component” PSOs. A component PSO is any entity that is part of a multi-organizational enterprise, whether a corporate entity or simply an unincorporated division. The additional restrictions on a component PSO intend to shield the component PSO and its activities from its parent or sibling organizations. These proposed restrictions may make it difficult, if not simply undesirable, for a health system to create a subsidiary PSO. First, the proposed rule requires the PSO to maintain the patient safety work product separate from the rest of the organization. The PSO can subcontract with another entity of the organization, e.g., the PSO’s parent organization, to conduct patient safety work product, but the PSO is ultimately responsible to prevent the related organization from unauthorized uses of the patient safety work product.
Second, the component PSO may not share information systems with the rest of the organization. For example, even though a component PSO parent organization may have secure systems to manage and protect personally identifiable patient health information (“PHI”) consistent with the HIPAA Security Standards, the parent organization and its component PSO cannot use those same systems even if there are separate password-protected access points for PHI and PSO activity. Finally, the proposed rule prohibits the component PSO workforce from working for the rest of the related organization if such work could be informed or influenced by the individual’s knowledge of identifiable patient safety work product. A PSO could share accounting and administrative staff with its parent organization, for example, but could not share professional staff, such as physicians who might be involved in the parent organization’s peer review activity. The Department’s concern is that the PSO’s analysis of patient safety work product could impact the decision-making of such personnel. The proposed rule provides a narrow exception for those professionals whose work for the rest of the PSO’s related organization is solely patient care.
II. CONFIDENTIALITY AND PRIVILEGE PROTECTIONS
The proposed privilege and confidentiality protections attempt to balance the protection of providers from liability with the sharing of information related to adverse patient safety events among providers and PSOs for the purpose of learning from those events.
A. Patient Safety Work Product Privilege
The proposed regulations would establish a patient safety work product privilege, thereby ensuring that patient safety work product is not: (1) subject to disclosure in Federal, State or local civil, criminal or administrative proceedings; (2) subject to disclosure under the Freedom of Information Act or similar laws; and (3) admitted into evidence in any Federal, State or local proceeding. These privilege protections will be enforced by the court systems, and the Department would have no authority to enforce breaches of these privilege protections.
The proposed regulations set forth exceptions to the privilege. The proposed exceptions are: (1) disclosure in a criminal proceeding where the patient safety work product contains evidence of a criminal act, is material to the criminal proceeding and is not reasonably available from other sources; (2) disclosure by an employee reporter of information seeking equitable relief from an adverse employment action following a good faith report to a PSO; (3) disclosure where all of the providers identified in the patient safety work product authorize the disclosure; (4) disclosure of patient safety work product in a nonidentifiable form and (5) disclosure to or by the Department as needed to administer the PSO program.
B. Confidentiality Protections
The proposed regulations would also establish the general principle that patient safety work product is confidential and may not be disclosed. Distinct from the privilege protection, the Department would be authorized to investigate and enforce compliance with the confidentiality provisions.
The exceptions to the general rule of confidentiality include all of the exceptions to the privilege protections set forth above as well as: (1) disclosure for patient safety activities, including disclosure by a provider to a PSO (or its contractor), by a PSO to a provider, or by a PSO to another PSO or another provider (or by a provider to another provider) providing that certain direct identifiers are removed from the information; (2) disclosure to entities conducting research funded, certified or sanctioned by the Department; (3) disclosure by a provider to the FDA regarding a product or activity FDA regulates; (4) voluntary disclosure relating to a specific provider by such provider to the provider’s accrediting body; (5) disclosure by a provider or a PSO to professionals such as attorneys and accountants for the business operations purposes of the provider or PSO; and (6) disclosure to law enforcement authorities so long as the person reasonably believes that the patient safety work product disclosed relates to a crime and is necessary for criminal law enforcement purposes
The proposed regulations offer additional guidance on the disclosure of patient safety work product. First, the regulations note that the exceptions merely provide “permitted” disclosures, but that the entities retain full discretion on whether or not to disclose patient safety work product. Second, only the information necessary to achieve the purpose of the disclosure should be disclosed. Third, entities should put limits on the re-disclosure of patient safety work product for other purposes. Finally, any disclosure of patient safety work product which includes individually identifiable health information must also comply with the HIPAA Privacy Rule.
Failures to maintain confidentiality of patient safety work product may discourage providers from participating in PSO programs. The enforcement provisions would enable the Department to monitor and ensure compliance with the Act, and set forth procedures for imposing a civil money penalties for confidentiality violations.
As proposed, any person may file a report with the Department regarding an alleged disclosure of patient safety work product in violation of the confidentiality provisions. Once a complaint is received, the Department will notify the person against whom the complaint is filed, investigate, and seek a resolution to any violations.
The Department could also conduct compliance reviews to determine whether a provider, PSO, or responsible person is in compliance even when a formal complaint is not filed.
Where noncompliance is found the Department may resolve the matter by informal means, such as a corrective action plan. If such efforts fail, the Department could impose a civil monetary penalty of up to $10,000 on any person that discloses identifiable patient safety work product in knowing or reckless violation of the confidentiality provisions.
The proposed rule makes a provider or a PSO responsible, as a principal, for the actions of a workforce member (employee, volunteers, trainees, contractors, and other persons whose conduct is under the direct control of the principal) when such member discloses patient safety work-product in violation of the confidentiality provisions while acting within the scope of the member’s agency relationship.
The proposed rule sets forth a 6-year limitation period on initiating an action for imposition of a civil money penalty. Finally, any penalties imposed under this proposed rule are not intended to be exclusive where violation may also violate another federal or state law. However, a respondent cannot be subject to penalties under both the Patient Safety Act and under HIPAA for the same act or omission.
The proposed regulations are a necessary first step in creating a patient safety reporting and analysis system that can facilitate improvements in patient safety and health care quality. As proposed, however, the rules would force providers to incur significant new systems costs, including separate information systems, in order to create a PSO. These costs may dissuade many provider systems from developing their own PSOs. Hopefully the final rulemaking will include modifications that reduce the overhead costs associated with PSO development, and result in widespread use of the PSO concept