Client Alert

On Friday, November 21, 2008 the Secretary of Health and Human Services published final rules implementing the Patient Safety and Quality Improvement Act of 2005¹. The Final Rule establishes a framework by which hospitals, doctors, and other health care providers may voluntarily report information to Patient Safety Organizations (PSOs), on a privileged and confidential basis, for aggregation and analysis of patient-safety events.

BACKGROUND
The Patient Safety and Quality Improvement Act of 2005 was enacted in direct response to one of the recommendations contained in the Institute of Medicine’s 1999 report “To Err is Human.”² The IOM Report acknowledged that to encourage participation in such a voluntary reporting system, federal legislation would be required to override the inconsistent array of state enacted peer review privilege protections.

The Patient Safety Act established Patient Safety Organizations (PSOs) to which providers can voluntarily report medical errors and patient safety information (“Patient Safety Work Product” or “PSWP”). Proposed rules were published on February 12, 2008. Comments were due by April 14, 2008. Over 150 comments were received and analyzed by DHHS in connection with issuing the final rules.

THE FINAL RULES AMEND TITLE 42 OF THE CODE OF FEDERAL REGULATIONS BY ADDING A NEW PART 3, ENTITLED PATIENT SAFETY ORGANIZATIONS AND PATIENT SAFETY WORK PRODUCT.

The new Part 3 is broken down into four subparts:

A. General Provisions;
B. PSO Requirements and Agency Procedures;
C. Confidentiality and Privilege Protections of Patient Safety Work Product; and
D. Enforcement Program

Subpart A contains several important definitions:

• “Component organization” means an entity that “(1) is a unit or division of a legal entity (including a corporation, partnership or a federal, state, local, or Tribal agency or organization); or (2) is owned, managed, or controlled by one or more legally separate parent organizations.”
• “Parent organization” means “an organization that: owns a controlling interest or a majority interest in a component organization; has the authority to control or manage agenda setting, project management, or day-to-day operations; or the authority to review and override decisions of a component organization. The component organization may be a provider.”
• “Provider” means, in addition to certain governmental agencies, “an individual or entity licensed or otherwise authorized under State law to provide health care services”, including hospitals, nursing facilities, outpatient rehabilitation facilities, home health agencies, hospice programs, dialysis facilities, ambulatory surgery centers, pharmacies, physicians, physician assistants, registered nurses, or virtually any other individual health care practitioner.
• “Patient safety evaluation system” means “the collection, management, or analysis of information for reporting to or by a PSO.”
• “Patient Safety Organization” (PSO) means “a private or public entity or component thereof that is listed as a PSO by the Secretary . . . .” A health insurance issuer or component organization of a health insurance issuer may not be a PSO.
• “Patient safety work product” (PSWP) generally means “any data, reports, records, memoranda, analyses (such as root cause analyses) or written or oral statements (or copies of any of this material) which could improve patient safety, health care quality, or health care outcomes and are assembled or developed by a provider for reporting to a PSO as a part of the patient safety evaluation system or which identify or constitute the deliberations or analysis of or identify the fact of reporting pursuant to a patient-safety evaluation system.” PSWP does not include “a patient’s medical record, billing and discharge information, or any other original patient or provider information; nor does it include information that is collected, maintained, or developed separately or exists separately, from a patient safety evaluation system.”

Subpart B establishes a system for qualified entities to request initial or continued listing as a PSO by submitting certifications to the Secretary. There are fifteen (15) general PSO certification requirements - seven (7) relating to PSO criteria and eight (8) relating to patient safety activities. The seven (7) certifications relating PSO criteria are that:

• 1. the mission and primary activity of the PSO must be to conduct activities that are to improve patient safety and the quality of health care delivery;
• 2. the PSO must have appropriately qualified workforce members, including licensed or certified medical professionals;
• 3. the PSO, within each 24-month period, must have at least two bona fide contracts, each for a reasonable period of time, and each with a different provider, for the purpose of receiving and reviewing patient safety work product;
• 4. the PSO must not be a health insurance issuer or a component of the health insurance issuer;
• 5. the PSO must make required disclosures to the secretary;
• 6. to the extent practical and appropriate, the PSO must collect patient safety work product from providers in a standardized manner that permits valid comparisons of similar cases among similar providers;
• 7. the PSO must use its patient safety work product for the purpose of providing direct feedback and assistance to providers to effectively minimize patient risk.

The eight (8) certifications relating to patient safety activities are that the PSO has written policies and procedures in place dealing with the PSO’s:

• 1. efforts to improve patient safety and the quality of health care delivery;
• 2. the collection and analysis of PSWP;
• 3. the development and dissemination of information with respect to improving patient safety;
• 4. the utilization of PSWP to encourage a culture of safety and providing feedback and assistance to effectively minimize patient risk;
• 5. the maintenance of specific procedures to preserve confidentiality of PSWP;
• 6. the provision of specific appropriate security measures for PSWP;
• 7. the utilization of qualified staff; and
• 8. activities related to the operation of a patient safety evaluation system and the provision of feedback to participants in such system.

There are additional certifications required of component organizations. In addition to meeting the 15 general PSO certification requirements described above, a component organization entity must also certify (1) that it maintains PSWP separately from the rest of the parent organization of which it is a part and establishes appropriate security measures to maintain the confidentiality of PSWP. The information system in which the component PSO maintains PSWP must not permit unauthorized access by one or more individuals in, or by units of, the rest of the parent organization of which it is a part; (2) require that members of its work force and other contractor staff not make unauthorized disclosures of PSWP to the rest of the parent organization of which it is a part; and (3) that pursuit of its mission of as a component PSO must not create a conflict of interest with the rest of the parent organization of which it is a part.³

Subpart C describes the confidentiality and privilege protections of PSWP. Generally, PSWP is not subject to any federal, state, local, civil, criminal, or administrative subpoena or order in a disciplinary proceeding against the provider nor is it subject to discovery in such actions or disclosure under the Freedom of Information Act.⁴ PSWP is generally held to be confidential and shall not be disclosed.⁵

Subpart D describes the enforcement program in the event persons complain that PSWP has been disclosed in violation of the confidentiality provisions. Generally, this enforcement proceeding is a full administrative hearing process, subject to judicial review, possibly leading to civil money penalties in the amount of $10,000 for each improper disclosure.

Preliminary observations:

1. The PSO program does not eliminate any mandatory reporting that providers are already required to make under various federal and state laws.

2. This is a non-funded program. PSOs will need to develop their own pricing structures. Providers will need to evaluate the potential benefits of contracting with a PSO. For example, will the enhanced privilege and confidentiality provisions produce quantifiable benefits in the form of lower liability insurance premiums or costs of settling patient claims? Will those benefits outweigh the costs of implementing the PSO system?

3. No model contract between a PSO and providers will be developed by the Agency for Healthcare Research and Quality (AHRQ). It is anticipated that each relationship between a provider and PSO will be unique to the existing patient safety activities of the provider and the capabilities of the particular PSO.

This client alert is a publication of the Health Care Practice Group at Womble Carlyle Sandridge & Rice, PLLC. Readers are urged to consult with their regular contacts at the firm or Dick Vincent at (404) 879-2422.

Notes
1. Pub. L. 109-41, 42 U.S.C. 299d-21-b-26
2 Institute of Medicine, To Err is Human: Building a Safer Health System. 1999. See http://www.nap.edu/catalog.php?record_id=9728
3 Notwithstanding these requirements, a component PSO may provide identifiable PSWP to those in the parent organization if it enters into a written agreement that such access is only for the purpose of assisting the component PSO in its conduct of patient safety activities and those receiving the information will only use or disclose it as specified by the component PSO.
4 There are limited conditional exceptions to this privilege – e.g., for use in certain criminal proceedings, etc.
5 Subject to certain exceptions – e.g., after a court makes an in-camera determination that the PSWP contains evidence of a criminal act that is material to the proceeding and not available from any other source, etc.