Confidentiality, Confidentiality, Patient Safety Work Product, and PSOsPatient Safety Work Product, and PSOs
The Proposed Rule Implementing The Proposed Rule Implementing the Patient Safety and Quality the Patient Safety and Quality
Improvement Act of 2005Improvement Act of 2005
AHRQ Annual Conference AHRQ Annual Conference
September 8, 2008September 8, 2008
2
Presentation Organization
Patient Safety Act: A Brief Overview – Larry Patton
Confidentiality Protections and their Enforcement – Verne Rinker
Confidentiality Protections: Provider Considerations – Larry Patton
What is the Problem?What is the Problem?
Providers fear that patient safety analyses could be used Providers fear that patient safety analyses could be used against them in court (malpractice) or in disciplinary against them in court (malpractice) or in disciplinary proceedingsproceedings
State peer review laws seldom permit large providers to State peer review laws seldom permit large providers to undertake system-wide analysesundertake system-wide analyses
Inability to aggregate data undercuts efforts to improve Inability to aggregate data undercuts efforts to improve patient safety; only by looking at large numbers of events patient safety; only by looking at large numbers of events can patterns of “system” failures be identifiedcan patterns of “system” failures be identified
The Solution in the ActThe Solution in the Act
Authorizes creation of Patient Safety Organizations (PSOs) Authorizes creation of Patient Safety Organizations (PSOs) -- entities with expertise in identifying, analyzing, correcting -- entities with expertise in identifying, analyzing, correcting and preventing risks/harms to patient safetyand preventing risks/harms to patient safety
Provides Federal confidentiality protections for these Provides Federal confidentiality protections for these analyses and significantly limits their use in criminal, civil, analyses and significantly limits their use in criminal, civil, and/or administrative proceedingsand/or administrative proceedings
Requires PSOs to work with more than 1 provider to Requires PSOs to work with more than 1 provider to encourage PSOs to aggregate data across multiple providersencourage PSOs to aggregate data across multiple providers
5
Patient Safety Act Patient Safety Act HHS Division of AuthorityHHS Division of Authority
AHRQ: Patient Safety OrganizationsAHRQ: Patient Safety Organizations- Subpart B: Authority to implement PSO Subpart B: Authority to implement PSO
certification, listing, and revocation procedurescertification, listing, and revocation procedures
OCR: Confidentiality ProtectionsOCR: Confidentiality Protections- Subparts C and D: Establishment of Subparts C and D: Establishment of
confidentiality protections and process for confidentiality protections and process for enforcement; authority extends to all holders of enforcement; authority extends to all holders of patient safety work productpatient safety work product
Subpart A definitions are critical for understanding Subpart A definitions are critical for understanding Subparts B, C, and DSubparts B, C, and D
6
Patient Safety Act:Patient Safety Act:Key ConceptsKey Concepts
Patient Safety Work ProducPatient Safety Work Productt -- Term used by -- Term used by the statute to describe the class of information the statute to describe the class of information that is privileged and confidential.that is privileged and confidential.
Patient Safety Evaluation SystemPatient Safety Evaluation System “means the “means the collection, management, or analysis of collection, management, or analysis of information for reporting to or by a PSO.” information for reporting to or by a PSO.”
7
Presentation Organization
Patient Safety Act: A Brief Overview – Larry Patton
Confidentiality Protections and their Enforcement – Verne Rinker
Confidentiality Protections: Provider Considerations – Larry Patton
8
Confidentiality: OCR Approach
Ensure strong protection of PSWP to encourage robust provider participation in reporting of medical errors, while not impeding needed communication and sharing of information/PSWP to achieve patient safety goals
Maximize provider discretion to disclose or not, allowing providers to establish stricter requirements
Minimize complexity or disparity with HIPAA Privacy Rule
9
Patient Safety Work Product
PSWP is any data:
1. Developed by a provider and reported to a PSO
2. Developed by a PSO for the conduct of patient safety activities, or
3. That identifies or constitutes deliberations of or the fact of reporting pursuant to a patient safety evaluation system
Original provider records (e.g., medical, billing) are not PSWP
Nonidentifiable PSWP is not confidential or privileged
10
Confidentiality
The statute provides federal confidentiality and privilege protections to patient safety work product (PSWP) and specifies when disclosures are permitted
Confidentiality and privilege protections continue after disclosure, with limited exceptions
PSWP may contain protected health information (PHI) requiring covered providers to also comply with the HIPAA Privacy Rule requirements
11
Confidentiality Disclosure Permissions
Privilege and Confidentiality Exceptions
For use in a criminal proceeding
To obtain equitable relief for reporters
If authorized by identified providers
Nonidentifiable PSWP
12
Confidentiality Disclosure Permissions (cont’d)
Confidentiality Only Exceptions
For Patient Safety Activities (PSAs)
For research
To the FDA (regarding regulated products)
Voluntary disclosure to an accrediting body
For business operations as determined by the Secretary
For criminal law enforcement purposes (voluntary)
PSWP that does not include the assessment of quality of care or describe or pertain to actions / failures to act by an identifiable provider
13
Patient Safety Activities Disclosure
Core disclosure permission facilitates open, unfettered communication about patient safety events between providers and PSOs
Allows for aggregation of PSWP to identify patterns and trends and to facilitate creation of meaningful nonidentifiable PSWP for a national network of databases
Providers control the extent of disclosures they make to PSOs (and may be able, by contract, to limit redisclosures), which should ameliorate concerns by providers of wide-spread and uncontrolled dissemination of PSWP
14
Enforcement
Strong event-driven (complaints and compliance reviews) enforcement program coupled with voluntary compliance
Providers and PSOs have own incentives to not disclose impermissibly – which align with enforcement goals and may keep the potential enforcement workload low
Enforcement discretion to make appropriate response to situations presented by these new program requirements
Reduce complexity of enforcement program by basing enforcement regulations on standards familiar to the provider community – the HIPAA Enforcement Rule
15
Enforcement (cont’d)
Penalty for Violation: A person who discloses identifiable PSWP in knowing or reckless violation of the confidentiality protections is subject to a civil money penalty (CMP) of up to $10,000 per act
Disclosures by Agents: Principals are liable for an agent’s violation acting within the scope of the agency
Prohibition on Dual Penalties: CMPs may not be imposed under both the Patient Safety Act and HIPAA for a single act
OCR Access to PSWP for Enforcement: PSWP must be disclosed to HHS for compliance and enforcement purposes
16
Presentation Organization
Patient Safety Act: A Brief Overview – Larry Patton
Confidentiality Protections and their Enforcement – Verne Rinker
Confidentiality Protections: Provider Considerations – Larry Patton
17
Confidentiality Protections: Provider Considerations
The Patient Safety Act’s confidentiality protections have the potential to significantly expand provider-based patient safety initiatives
Proposed rule would give a provider great flexibility on how to operate and develop a patient safety evaluation system to meet its needs
But providers need to take into account other elements of the statute
18
Confidentiality Protections: Provider Considerations
Statute requires providers to continue to meet external reporting requirements – with information that is not PSWP
Privilege protections not only limit access of others to your PSWP but limit your ability to use PSWP in civil, criminal, administrative, or disciplinary proceedings
Statute prohibits a provider from taking an adverse action against an individual based on the fact that the individual reported information in good faith
Statute seeks to foster a “culture of safety”
19
Confidentiality Protections: Provider Considerations
A provider needs to carefully consider what information is appropriate to protect and what information should not be protected
For example:
Is this information needed to meet external reporting, accountability requirements?
Will this information be needed to justify a disciplinary decision if challenged?
20
Confidentiality Protections: Provider Considerations
When PSWP is held by an entity, the proposed rule would not hold entities liable for uses of PSWP within the legal entity (note: component PSOs cannot share PSWP with rest of its parent organization except under certain circumstances)
This permits free flow of PSWP to those who need access within the provider
But any holder of PSWP – including a provider’s employees – can make disclosures of PSWP in conformity with the rule, without incurring a penalty under the rule
21
Confidentiality Protections: Provider Considerations
Will your workforce be confident that PSWP will not influence privilege, disciplinary or similar decisions?
Issues to consider:
- Separateness of PSWP from these other administrative processes
- Extent to which personnel participate in both review of PSWP and these other administrative processes
22
Confidentiality Protections: A Final Reminder About HIPAA
If a provider is a covered entity as well as a holder of PSWP, it is NEVER sufficient to disclose information by simply looking at either HIPAA or the Patient Safety Act statute and rule.
A disclosure can only be made if it complies with BOTH.
This has implications for informal case discussions that take place outside the legal entity of the provider