On February 12, 2008, the U. S. Department of Health and Human Services (HHS) issued a proposed rule (Rule) that creates a system for voluntary reporting to Patient Safety Organizations (PSOs) of adverse events, medical errors, or "near misses" by hospitals, doctors, and other health care organizations and practitioners (Providers) on a privileged and confidential basis. The Rule creates a legal quagmire, as discussed below. Written comments on the Rule are due no later than April 14, 2008.

Designed to complement the Patient Safety & Quality Improvement Act of 2005 (Patient Safety Act), the Rule is intended to address current laws that have discouraged Providers from sharing information regarding adverse events, medical errors, or "near misses," which is believed to be essential to improving quality and safety in the health care delivery system. Currently, the state peer review laws constitute the legal framework for protecting information regarding medical errors, adverse events, or "near misses." According to HHS, peer review laws are limited in that they vary between states, apply only to hospitals and other specific health care entities, and largely fail to protect information transmitted outside the protected entity. The Rule seeks to create a forum to allow sharing of this information among facilities by granting privilege and confidentiality to information disclosed to PSOs.

Although well intended, the Rule fails to adequately protect Providers that share information from potential liability. Although the Rule generally protects information disclosed to PSOs, the federal protection is not extended to information other than the precise reports collected for and made to the PSO. The Rule also fails to address the issue of federal pre-emption of state law. This leaves open the question of whether the Provider waives or loses peer review protections for information that it collects through peer review, risk management, or some other function and subsequently reports to a PSO. Furthermore, the Rule provides exceptions to the privilege granted to information disclosed to PSOs, raising the risk that the information could be disclosed subsequently to the detriment of the disclosing Provider. Hospitals and other health care organizations must carefully evaluate whether they risk waiving or losing state peer review protections by participating in this new regulatory scheme.

The Rule sets forth proposed confidentiality and privilege protections for patient safety information, termed Patient Safety Work Product (PSWP). PSWP is defined as information that (i) is gathered for purposes of reporting to a PSO and is actually reported, (ii) is developed by a PSO in the conduct of defined patient safety activities, or (iii) reveals the internal deliberations or analysis regarding reporting pursuant to a patient safety evaluation system. However, a significant limitation of the Rule is that information gathered in another context such as risk management or peer review is not protected, even if it subsequently is reported to a PSO. Nor does the Rule protect original data such as medical records, billing, or discharge information that was collected for purposes other than reporting to a PSO. In short, the Rule protects only the information actually reported to the PSO, the activities of the PSO, and the deliberations about reporting to the PSO.

Although there are many similarities between the regulatory framework of the Rule and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, the confidentiality protections apply more narrowly here than under the HIPAA Privacy Rule. The confidentiality provisions of the Rule govern only "disclosures" of the information outside of the reporting entity or the PSO, but do not regulate or limit the "uses" of the PSWP within the Provider or PSO. The Rule establishes procedures for imposing civil monetary penalties of up to $10,000 per violation in the event of a knowing or reckless impermissible disclosure of PSWP.

The Rule also grants a federal privilege to PSWP, making it generally not subject to subpoena, discovery, or disclosure in disciplinary proceedings against a physician or other health care practitioner and inadmissible as evidence in civil, administrative, and criminal proceedings. However, two important exceptions apply. The Rule allows disclosure of PSWP for use in criminal proceedings and for proceedings in which whistleblowers are seeking equitable relief for adverse employment actions. Given these exceptions, the federal privilege granted by the Rule may well afford Providers more limited protection than state peer review laws do.

Under the Rule, Providers are allowed to voluntarily disclose PSWP to accrediting organizations such as The Joint Commission (TJC) without jeopardizing the federal privilege. In this regard, the Rule may be the basis upon which TJC might try to require mandatory reporting of events not currently required for reporting such as sentinel events.

The Rule also governs the requirements and procedures for organizations to become PSOs. The Agency for Healthcare Research and Quality (AHRQ) is designated as the certifying body under an attestation process leading to "listing" of approved PSOs. The types of organizations (public, private, for-profit, and not-for-profit) that can become PSOs are broad, but interestingly, health insurers, components of health insurers, and regulatory or accrediting bodies may not generally qualify as PSOs. Hence, although TJC may receive information from a PSO, it may not itself become a PSO.

The Rule imposes further requirements on organizations that are deemed "component organizations," defined as units of corporations or multi-organizational enterprises or separate organizations that are owned, managed, or controlled by one or more other "parent" organizations. Under the Rule, component organizations are required to disclose publicly their affiliation and certify that they will maintain patient safety information separately and will not share it with the organization of which they are a component. The mandated segregation provision expressly requires that the information technology systems of the PSO also need to be separate from its sponsoring or parent organization. This imposes a much greater cost upon organizations that seek to establish their own PSOs. Further, the component organization may provide access to PSWP to a unit of the parent organization only if it enters into a written agreement that restricts the use of PSWP to assisting the component in its patient safety activities. In addition, PSOs will be required to contract with multiple Providers (at least two) to allow for aggregation and trending of patient safety data.

Importantly, the Rule is silent as to the funding for PSOs. Since PSOs are authorized to perform a wide range of patient safety activities such as patient safety data aggregation, analysis, and consulting services to individual and institutional Providers on quality improvement activities, it can only be assumed that Providers will be required to foot the bill.

In the preamble to the Rule, the Secretary of HHS requests public comment on more than 15 key areas. A representative list of questions upon which HHS is seeking comment is included below:

  • Should Providers be required to have written documentation of a patient safety evaluation system in order to claim privilege for PSWP?
  • What alternative mechanisms for Provider reporting to PSOs should be considered? Should Providers and PSOs be allowed to share patient databases?
  • Can the PSWP be protected before a Provider reports it to a PSO? If so, how much time should be allowed to elapse after the event occurred?
  • Should the definition of a Provider be expanded to include the Provider's corporate parent organization?
  • Should components of parent regulatory or accrediting entities be barred from becoming PSOs?
  • Does the proposal sufficiently protect the interests of reporters and patients?
  • Should protective orders be required for certain disclosures by PSOs?
  • What processes should be used to develop standard reporting formats for PSWP?
  • Should procedures for reporting impermissible uses of PSWP parallel those in the HIPAA Privacy Rule?
  • Is the security framework sufficiently protective and flexible? Does it address the most significant security issues?
  • Should additional exceptions to the confidentiality requirements be considered?
  • Are there additional consultants or contractors to whom disclosure should be allowed for business operation purposes?
  • Are there alternative standards for defining de-identified information?
  • What procedures should HHS use for de-listing PSOs?
  • In what types of situations should PSOs be allowed to "cure" deficiencies rather than being de-listed?
  • What procedures should PSOs follow in disposing of PSWP after they have become de-listed?
  • What types of notice should be given to Providers when a PSO is de-listed?

Although the answers to these and other questions remain unknown, it is clear that the Rule will trigger vigorous debate. Written comments must be received no later than April 14, 2008, by mail, courier, or via the federal e-rulemaking portal at http://www.regulations.gov.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.