Slide Presentation from the AHRQ 2008 Annual Conference
On September 8, 2008, Larry Patton and Verne Rinker made this presentation at the 2008 Annual Conference. Select to access the PowerPoint® presentation (585 KB).
Slide 1
The Proposed Rule Implementing the Patient Safety and Quality Improvement Act of 2005: Confidentiality, Patient Safety Work Product, and Patient Safety Organizations (PSOs)
AHRQ Annual Conference
September 8, 2008
Slide 2
Presentation Organization
- Patient Safety Act: A Brief Overview—Larry Patton.
- Confidentiality Protections and their Enforcement—Verne Rinker.
- Confidentiality Protections: Provider Considerations—Larry Patton.
Slide 3
What is the Problem?
- Providers fear that patient safety analyses could be used against them in court (malpractice) or in disciplinary proceedings.
- State peer review laws seldom permit large providers to undertake system-wide analyses.
- Inability to aggregate data undercuts efforts to improve patient safety; only by looking at large numbers of events can patterns of "system" failures be identified.
Slide 4
The Solution in the Act
- Authorizes creation of Patient Safety Organizations (PSOs)—entities with expertise in identifying, analyzing, correcting and preventing risks/harms to patient safety.
- Provides Federal confidentiality protections for these analyses and significantly limits their use in criminal, civil, and/or administrative proceedings.
- Requires PSOs to work with more than 1 provider to encourage PSOs to aggregate data across multiple providers.
Slide 5
Patient Safety Act Department of Health & Human Services (HHS) Division of Authority
Agency for Healthcare Research and Quality (AHRQ): Patient Safety Organizations:
—Subpart B: Authority to implement PSO certification, listing, and revocation procedures
Office
for Civil Rights (OCR): Confidentiality Protections:
—Subparts C and D: Establishment of confidentiality protections and process for enforcement; authority extends to all holders of patient safety work product.
Subpart A definitions are critical for understanding Subparts B, C, and D.
Slide 6
Patient Safety Act: Key Concepts
Patient Safety Work Product (PSWP)—Term used by the statute to describe the class of information that is privileged and confidential.
Patient Safety Evaluation System (PSEP) "means the collection, management, or analysis of information for reporting to or by a PSO."
Slide 7
Presentation Organization
- Patient Safety Act: A Brief Overview—Larry Patton.
- Confidentiality Protections and their Enforcement—Verne Rinker.
- Confidentiality Protections: Provider Considerations—Larry Patton.
Slide 8
Confidentiality: OCR Approach
- Ensure strong protection of PSWP to encourage robust provider participation in reporting of medical errors, while not impeding needed communication and sharing of information/PSWP to achieve patient safety goals.
- Maximize provider discretion to disclose or not, allowing providers to establish stricter requirements.
- Minimize complexity or disparity with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
Slide 9
Patient Safety Work Product
- PSWP is any data:
- Developed by a provider and reported to a PSO.
- Developed by a PSO for the conduct of patient safety activities.
- That identifies or constitutes deliberations of or the fact of reporting pursuant to a patient safety evaluation system.
- Original provider records (e.g., medical, billing) are not PSWP.
- Nonidentifiable PSWP is not confidential or privileged.
Slide 10
Confidentiality
- The statute provides federal confidentiality and privilege protections to patient safety work product (PSWP) and specifies when disclosures are permitted.
- Confidentiality and privilege protections continue after disclosure, with limited exceptions.
- PSWP may contain protected health information (PHI) requiring covered providers to also comply with the HIPAA Privacy Rule requirements.
Slide 11
Confidentiality Disclosure Permissions
Privilege and Confidentiality Exceptions:
- For use in a criminal proceeding.
- To obtain equitable relief for reporters.
- If authorized by identified providers.
- Nonidentifiable PSWP.
Slide 12
Confidentiality Disclosure Permissions (continued)
Confidentiality Only Exceptions:
- For Patient Safety Activities (PSAs).
- For research.
- To the Food and Drug Administration (FDA) (regarding regulated products).
- Voluntary disclosure to an accrediting body.
- For business operations as determined by the Secretary.
- For criminal law enforcement purposes (voluntary).
- PSWP that does not include the assessment of quality of care or describe or pertain to actions/failures to act by an identifiable provider.
Slide 13
Patient Safety Activities Disclosure
- Core disclosure permission facilitates open, unfettered communication about patient safety events between providers and PSOs.
- Allows for aggregation of PSWP to identify patterns and trends and to facilitate creation of meaningful nonidentifiable PSWP for a national network of databases.
- Providers control the extent of disclosures they make to PSOs (and may be able, by contract, to limit redisclosures), which should ameliorate concerns by providers of wide-spread and uncontrolled dissemination of PSWP.
Slide 14
Enforcement
- Strong event-driven (complaints and compliance reviews) enforcement program coupled with voluntary compliance.
- Providers and PSOs have own incentives to not disclose impermissibly—which align with enforcement goals and may keep the potential enforcement workload low.
- Enforcement discretion to make appropriate response to situations presented by these new program requirements
- Reduce complexity of enforcement program by basing enforcement regulations on standards familiar to the provider community—the HIPAA Enforcement Rule.
Slide 15
Enforcement (continued)
- Penalty for Violation: A person who discloses identifiable PSWP in knowing or reckless violation of the confidentiality protections is subject to a civil money penalty (CMP) of up to $10,000 per act.
- Disclosures by Agents: Principals are liable for an agent's violation acting within the scope of the agency.
- Prohibition on Dual Penalties: CMPs may not be imposed under both the Patient Safety Act and HIPAA for a single act.
- OCR Access to PSWP for Enforcement: PSWP must be disclosed to HHS for compliance and enforcement purposes.
Slide 16
Presentation Organization
- Patient Safety Act: A Brief Overview—Larry Patton.
- Confidentiality Protections and their Enforcement—Verne Rinker.
- Confidentiality Protections: Provider Considerations—Larry Patton.
Slide 17
Confidentiality Protections: Provider Considerations
- The Patient Safety Act's confidentiality protections have the potential to significantly expand provider-based patient safety initiatives.
- Proposed rule would give a provider great flexibility on how to operate and develop a patient safety evaluation system to meet its needs.
- But providers need to take into account other elements of the statute.
Slide 18
Confidentiality Protections: Provider Considerations (continued)
- Statute requires providers to continue to meet external reporting requirements—with information that is not PSWP.
- Privilege protections not only limit access of others to your PSWP but limit your ability to use PSWP in civil, criminal, administrative, or disciplinary proceedings.
- Statute prohibits a provider from taking an adverse action against an individual based on the fact that the individual reported information in good faith.
- Statute seeks to foster a "culture of safety".
Slide 19
Confidentiality Protections: Provider Considerations (continued)
A provider needs to carefully consider what information is appropriate to protect and what information should not be protected.
For example:
- Is this information needed to meet external reporting, accountability requirements?
- Will this information be needed to justify a disciplinary decision if challenged?
Slide 20
Confidentiality Protections: Provider Considerations (continued)
When PSWP is held by an entity, the proposed rule would not hold entities liable for uses of PSWP within the legal entity (note: component PSOs cannot share PSWP with rest of its parent organization except under certain circumstances).
This permits free flow of PSWP to those who need access within the provider.
But any holder of PSWP—including a provider's employees—can make disclosures of PSWP in conformity with the rule, without incurring a penalty under the rule.
Slide 21
Confidentiality Protections: Provider Considerations (continued)
- Will your workforce be confident that PSWP will not influence privilege, disciplinary or similar decisions?
- Issues to consider:
- Separateness of PSWP from these other administrative processes.
- Extent to which personnel participate in both review of PSWP and these other administrative processes.
Slide 22
Confidentiality Protections: A Final Reminder About HIPAA
If a provider is a covered entity as well as a holder of PSWP, it is NEVER sufficient to disclose information by simply looking at either HIPAA or the Patient Safety Act statute and rule.
A disclosure can only be made if it complies with BOTH.
This has implications for informal case discussions that take place outside the legal entity of the provider.
Current as of January 2009
Internet Citation:
The Proposed Rule Implementing the Patient Safety and Quality Improvement Act of 2005: Confidentiality, Patient Safety Work Product, and PSOs. Slide Presentation from the AHRQ 2008 Annual Conference (Text Version). January 2009.
Agency for Healthcare Research and Quality, Rockville, MD. http://www.ahrq.gov/about/annualmtg08/090808slides/RinkerPatton.htm
540 Gaither Road Rockville, MD 20850