AHRQ Regs Create Patient Safety Organizations
By: Steven R. Smith and Chiarra-May E. Stratton*
On November 21, 2008, HHS's Agency for Healthcare Research and Quality (AHRQ) issued final regulations creating patient safety organizations (PSOs) to implement certain provisions of the Patient Safety and Quality Improvement Act of 2005, Pub. L. 109-41, 119 Stat. 424, which was signed into law on July 29, 2005 (the Act). See 73 Fed. Reg. 70,732 (Nov. 21, 2008). The Act addresses the issues of improving patient safety and reducing the incidence of events that adversely affect patient safety, and contemplates the establishment of a system for voluntary reporting of patient safety information to PSOs. The proposed regulations were issued on February 12, 2008, and the comment period ended on April 14, 2008. See 73 Fed. Reg. 8112 (Feb. 12, 2008). The final rule is effective as of January 19, 2009.
While it was a long-awaited piece of legislation by the time it was signed into law, the Act left several issues unanswered — namely how the PSOs would be established; who would be responsible for overseeing the PSOs; how contracting with PSOs would work; and how the confidentiality and privilege protections would specifically apply to information collected for, reported to, and analyzed by the PSOs. The new rule attempts to address and clarify these issues. Specifically, the rule outlines the steps for the establishment and certification of PSOs and discusses in further detail the confidentiality and privilege protections that attach to patient safety work product (PSWP) that is collected for and by the PSOs. Several provisions of the final rule restate and clarify the requirements contained in the Act. Below we discuss three significant aspects of the new PSO rule: (1) certification and listing of PSOs, (2) functional reporting, and (3) patient safety evaluation systems.
The final rule permits various types of entities to become PSOs — public, private, for-profit and not-for-profit organizations. Entities that are listed as PSOs will not receive any sort of federal funding but will be permitted to offer individual and institutional providers the benefits of review and analysis of PSWP that is protected by the confidentiality and privilege protections contained in the regulations. The rule discusses the process by which an entity becomes certified and is listed as a PSO, and how and in what form information would be collected and reported to the PSOs. The PSOs aggregate and analyze the PSWP and report trends to the providers with which they have agreements, and also provide guidance to those providers regarding how to eliminate or minimize the occurrence of such errors within their organizations. Thus, not only will PSOs serve to collect patient safety information but PSOs may also assist providers in establishing effective strategies to improve patient safety as well as approaches for implementing such strategies.
Finally, as a way to encourage providers to undertake patient safety activities, the final rule, as in the Act, specifically provides for confidentiality and privilege protections for patient safety work product and provides for a civil money penalty of up to $10,000 to be imposed on persons who breach these provisions.
PSOs, Certification Requirements, and Procedures for Certification and Listing of PSOs
Who Can Seek Listing as a PSO
AHRQ intends that any provider who is capable of meeting the certification requirement may seek to be listed as a PSO, provided that the provider does not fall within the rule's list of excluded entities. Components of excluded entities (discussed further below), however, may seek to be listed as PSOs but must meet additional certification requirements, which are intended to ensure the separateness of such component organizations from their affiliated excluded entity.
Section 3.102(a)(2) of the final rule retains the statutory exclusions from listing of health insurance issuers and components of health insurance issuers and, for clarity, restates the exclusion to reflect the rule's definition of component so it now references a health insurance issuer, a unit or division of a health insurance issuer, or an entity that is owned, managed, or controlled by a health insurance issuer. The final rule excludes from listing any entity that (1) accredits or licenses health care providers; (2) oversees or enforces statutory or regulatory requirements governing the delivery of health care services; (3) acts as an agent of a regulatory entity by assisting in the conduct of that entity's oversight to enforcement responsibilities visà- vis the delivery of health care services and (4) operates a federal, state, local, or tribal patient safety reporting system to which health care providers are required to report information by law or regulation. The final rule includes two additional exclusions that were not in the proposed rule: (1) entities that serve as agents of a regulatory entity (e.g., by conducting site visits or investigation for the regulatory entity) and (2) entities that operate certain mandatory or voluntary patient safety reporting systems. AHRQ notes, however, that the latter exclusion does not apply to mandatory reporting systems operated by federal, state, local or tribal entities if the reporting requirements affect only their own workforce (defined in the final rule as employees, volunteers, trainees, contractors or other persons whose conduct, in performance of work for a provider, PSO or responsible person, is under direct control of such provider, PSO or responsible person, whether or not they are paid by the provider, PSO or responsible person) and health care providers holding privileges with the entity. Rather, this exclusion is intended to apply to federal, state, local or tribal health care facilities in which the reporting requirements applies only to its workforce and health care providers holding privileges with the facility or health care system.
In accordance with the Act, the final rule establishes an attestation-based process for initial and continued listing of an entity as a PSO. Among other things, an entity seeking listing must (1) attest that it is not subject to any of the exclusions listed in the regulations (discussed further below) and (2) attest that it will disclose to the Secretary of HHS whether it has ever been denied listing or delisted, or if the officials or senior managers of the entity now seeking listing have held comparable positions in a PSO that has been delisted or has been refused listing by the Secretary.
All entities seeking initial or continued listing as a PSO must meet fifteen general certification requirements: eight requirements relating to patient safety activities (which entities certify that they have policies and procedures to follow at initial listing and at subsequent requests for continued listing) and seven requirements governing their operation (with which an entity seeking initial listing, and a PSO seeking continued listing, must certify that it is complying and will continue to comply). As an additional protection for providers who report information to a PSO, the final rule requires that a PSO inform a provider from which it received PSWP in the event the work product submitted by the provider is inappropriately disclosed or its security is breached.
Among other things, an entity seeking initial listing and an entity seeking continued listing must certify that within the 24-month period that begins on the date of its initial listing as a PSO, and within each subsequent 24-month period thereafter, the PSO must have two bona fide contracts, each of a reasonable time period, each with a different provider for the purpose of receiving and reviewing PSWP. AHRQ states that while one contract with more than one provider would not meet this standard, two contracts with the same hospital system but with different facilities would meet the requirement, because the statutory requirement was intended to encourage PSOs to aggregate data from multiple providers. For example, one contract with a 50- hospital system would not meet this standard; however, two 25-hospital contracts with that same hospital system would meet this requirement.
Additional Certifications for Component Organizations
In addition to the fifteen general certification requirements, the final rule, consistent with the Act, requires that component organizations meet three additional requirements to be listed as PSOs. The three additional certifications address the entity's independent operation and separateness from the larger organization or enterprise of which it is a part; the entity would certify to: (1) the secure maintenance of documents and information separate from the rest of the organization(s) or enterprise of which it is a part; (2) the avoidance of unauthorized disclosure to the organizations( s) or enterprise of which it is a part; and (3) the absence of a conflict of interest between its mission and the rest of the organization(s) or enterprise of which it is a part. A component entity, at initial and continued listing, must also submit contact information for its parent organization( s) with its certifications.
Among the issues not addressed by the Act that the final rule attempts to clarify is the extent of appropriate security measures that an entity seeking listing as a component PSO must take to ensure separation of reported PSWP from the organization of which it is a part. The proposed rule contained two requirements that were deleted from the final rule: (1) the requirement for separate information systems and (2) the restriction on use of shared staff between a component entity and its parent/affiliated organizations(s). With regard to the latter requirement, the prohibition on shared staff is imposed only with respect to components of entities that are excluded from listing.
Compliance with Certification Requirements
In the final rule, AHRQ summarizes its approach to assessing compliance with the certification requirements. In recognition of the fact that for any given contractual arrangement, providers, not PSOs, will determine the tasks PSOs undertake and for which PSOs will get compensated, AHRQ states that, upon a spot check, a PSO must be able to demonstrate that is has performed all eight patient safety activities at some point during its three-year listing period. That is, while the Department will require demonstration that the PSO performed throughout its listing period the patient safety activities that are not dependent on a relationship with a provider or receipt of patient safety work product, compliance will be deemed if the PSO can demonstrate that it performed the requirements that are other-provider- and PSWP-dependent at some point during its listing period.
The final rule requires that submissions for continued listing must be received by the Secretary of HHS no later than 75 days before the expiration of a PSO's three-year period of listing. This requirement is intended to protect providers in the event that a PSO decides not to seek continued listing and simply lets its certification expire at the end of the three-year listing period.
The final rule contains provisions, which were not contained in the proposed rule, that establish an expedited revocation process that is available to the Secretary of HHS in three limited circumstances: (1) if the Secretary of HHS determines that a PSO is or is about to become an entity that is excluded from listing; (2) when the parent organization of a PSO is an excluded entity and the parent org uses its authority over providers to require or induce them to use the patient safety services of its component PSO; and (3) when the Secretary has determined that the failure to act promptly would lead to serious adverse consequences (i.e., if a PSO demonstrates reckless or willful misconduct in its protection or use of PSWP, or when the PSO engages in fraudulent or illegal conduct). AHRQ believes that the inclusion of this provision in the final rule will enable providers to have confidence that HHS will act in a timely manner when a PSO chooses not to meet its statutory and regulatory obligations.
Patient Safety Work Product and Functional Reporting
Patient Safety Work Product (PSWP) refers to the information to which the privilege and confidentiality protections apply. The final rule imports the statutory definition of this term. PSWP is any data, reports, records, memoranda, analyses (such as root cause analysis) or written or oral statements (or copies of any of this material) (i) which could improve patient safety, health care quality, or health care outcomes; and (A) which are assembled or developed by a provider for reporting to a PSO and are reported to a PSO; or (B) are developed by a PSO for the conduct of patient safety activities; or (ii) which identify or constitute the deliberations or analysis of, or identify the fact of reporting pursuant to, a patient safety evaluation system (discussed further below). Excluded from PSWP are a patient's original medical record, billing and discharge information, or any other original patient or provider information and any information that is collected, maintained, or developed separately, or exists separately, from a patient safety evaluation system. With regard to functional reporting, while AHRQ clarifies in the preamble to the final rule that reporting of information to a PSO for the purpose of creating PSWP may include authorizing PSO access, pursuant to a contract or other agreement between a provider and PSO, to specific information in a PSES and the authority to analyze and process such information, AHRQ does not believe that a formal change in the regulatory text is necessary to include such a clarification. Additionally, the final rule's definition of PSWP includes language that protects information based upon reporting to a PSO or documentation that information was collected within a PSES.
The proposed rule provided that reporting to means "the actual transmission or transfer of information to a PSO." Recognizing the significant transmission, management, and storage burdens imposed on providers by requiring the transmission to a PSO of every document or file related to PSWP, AHRQ sought comments on whether alternatives for actual reporting should be recognized as sufficient to meet the reporting requirement. That is, AHRQ asked whether a provider that contracts with a PSO should be deemed to have functionally reported information to a PSO if it provides access to and gives control of information to a PSO without physically transmitting information to the PSO. Though the regulatory language regarding functional reporting is unchanged, AHRQ clarifies in the preamble to the final rule that the reporting of information to a PSO for the purposes of creating PSWP may include authorizing PSO access, pursuant to a contract of equivalent agreement between a provider and a PSO, to specific information in a patient safety evaluation system (PSES) and authority to process and analyze that information, for example, comparable to the authority a PSO would have if the information were physically transmitted to the PSO.
Further recognizing the importance of the shortcomings of a strict reporting requirement in determining when the confidentiality and privilege protections should attach to certain information (thus making it PSWP), and based on the belief that such protections should attach in a manner that is as "administratively flexible as permissible to accommodate the many business processes and systems of providers," the final rule provides that information documented as collected within a PSES by a provider should be protected as PSWP. In other words, the final rule permits functional reporting.
Confidentiality and Privilege Protections
Generally, the privilege and confidentiality provisions contained in the final rule do not differ from those contained in the Act. As in the Act, the rule provides that PSWP is privileged and generally shall not be admitted as evidence in federal, state, local, or tribal civil, criminal, or administrative proceedings and shall not be subject to a subpoena or order, unless an exception (which are enumerated in the final regulation) to the privilege applies. Further, the final rule provides that PSWP is confidential and shall not be disclosed except as permitted in accordance with the disclosures described. Under the final rule, PSWP may continue to be privileged and confidential even after disclosure in certain situations, including, but not limited to, disclosure to or by the Secretary of HHS as necessary to investigate or determine compliance with or to impose a civil monetary penalty under the HIPAA Privacy Rule.
The final rule provides that the privilege and confidentiality protections continue to apply to PSWP following disclosure and also describes the narrow circumstances under which the protections terminate. The final rule does not require that PSWP be labeled or that disclosing parties provide recipients of PSWP with notice that they are receiving protected information, because AHRQ views such requirements as overly burdensome. AHRQ states its expectation, however, that providers, PSOs and responsible persons holding PSWP treat and safeguard such sensitive information appropriately and encourages such individuals to consider whether labeling or notice may be an appropriate safeguard in certain circumstances.
Patient Safety Evaluation System and Documentation
Patient Safety Evaluation System refers to the collection, management, or analysis of information for reporting to or by a PSO. The proposed rule sought comment about whether a PSES should be required to be documented. In response to the comments received, the final rule does not require such documentation. AHRQ expressly states, however, its belief that documentation is a best practice, and, therefore, encourages providers to document how information enters the PSES; what processes, activities, physical space(s) and equipment comprise or are used by the PSES; which personnel or categories of personnel need access to PSWP to carry out their duties involving operation of, or interaction with the PSES; the category of PSWP to which access is needed and any conditions appropriate to such access; and what procedures the PSES uses to report information to a PSO or disseminate information outside of the PSES.
Entities are strongly advised to document their PSES. The Act and the regulations provide significant protections for PSWP and documentation would help ensure that providers are able to avail themselves fully of these protections. The definition of PSWP in the final rule clarifies that documentation of a PSES clearly establishes when information is PSWP. Accordingly, providers would be well-served to document their PSES for the following reasons: (1) documentation can give providers greater assurance that the information they intend to be considered PSWP will be, in fact, considered PSWP and thus be considered confidential and privileged; (2) pursuant to such documentation, providers can ensure that the statutory requirements (for ensuring the confidentiality and privilege of their information) are fully met; and (3) documentation offers providers greater certainty that a provider's claim to the statutory protections provided by the Act for certain information, if challenged will be sustained.
PSOs and HIPAA
The final rule states that the opportunity for a provider to report identifiable PSWP to a PSO does not relieve a provider that is a HIPAA covered entity from its obligations under the HIPAA Privacy Rule. In fact, under the PSQIA, PSOs are deemed to be business associates of providers that are HIPAA covered entities. Accordingly, such providers must enter into business associate agreements with the PSOs in accordance with their obligations under the HIPAA Privacy Rule. Such agreements may be entered into simultaneously as an agreement for the conduct of patient safety activities. To receive the protections of the PSQIA, however, a provider is not required to enter into a contract with a PSO.
The final rule requires providers, PSOs and holders of PSWP to disclose PSWP to the Secretary of HHS upon a determination by the Secretary that such PSWP is needed for the investigation and enforcement of activities related to the PSQIA, is needed in seeking and imposing civil monetary penalties, or is needed for investigation and enforcement activities with respect to the HIPAA Privacy Rule.
While there were issues that were left unaddressed when the Patient Safety and Quality Improvement Act was enacted in 2005, the final rule serves to fill many of these gaps with respect to PSOs. With the promulgation of this rule, providers now have a concrete idea of how the PSOs and reporting PSWP to PSOs will work. The final rule further emphasizes to providers HHS's commitment to addressing patient safety issues. With the establishment of PSOs and the confidentiality and privilege protection for PSWP, providers now have a vehicle through which they may address patient safety incidents and near misses without the fear of negative actions resulting from their attempts to better their institutions and practices. It is important for providers to establish relationships with PSOs and to begin to establish their PSESs in order to avail themselves of this opportunity to address patient safety issues and, in doing so, increase the quality of care they provide to their patients.
* Chiarra-May E. Stratton is a former Ober|Kaler Health Law Group attorney.
iComponent Organization refers to an entity that (1) is a unit or division of a legal entity (including a corporation, partnership, or a federal, state, local, or tribal agency or organization); or (2) is owned, managed or controlled by one or more legally separated parent organizations.
iiiSee definition of patient safety activities at n.2.
© 2013 Ober|Kaler All Rights Reserved.