confidentiality, patient safety work product, and psos

Confidentiality, Confidentiality, Patient Safety Work Product, and PSOsPatient Safety Work Product, and PSOs

The Proposed Rule Implementing The Proposed Rule Implementing the Patient Safety and Quality the Patient Safety and Quality

Improvement Act of 2005Improvement Act of 2005

AHRQ Annual Conference AHRQ Annual Conference

September 8, 2008September 8, 2008

2

Presentation Organization

Patient Safety Act: A Brief Overview – Larry Patton

Confidentiality Protections and their Enforcement – Verne Rinker

Confidentiality Protections: Provider Considerations – Larry Patton

What is the Problem?What is the Problem?

Providers fear that patient safety analyses could be used Providers fear that patient safety analyses could be used against them in court (malpractice) or in disciplinary against them in court (malpractice) or in disciplinary proceedingsproceedings

State peer review laws seldom permit large providers to State peer review laws seldom permit large providers to undertake system-wide analysesundertake system-wide analyses

Inability to aggregate data undercuts efforts to improve Inability to aggregate data undercuts efforts to improve patient safety; only by looking at large numbers of events patient safety; only by looking at large numbers of events can patterns of “system” failures be identifiedcan patterns of “system” failures be identified

The Solution in the ActThe Solution in the Act

Authorizes creation of Patient Safety Organizations (PSOs) Authorizes creation of Patient Safety Organizations (PSOs) -- entities with expertise in identifying, analyzing, correcting -- entities with expertise in identifying, analyzing, correcting and preventing risks/harms to patient safetyand preventing risks/harms to patient safety

Provides Federal confidentiality protections for these Provides Federal confidentiality protections for these analyses and significantly limits their use in criminal, civil, analyses and significantly limits their use in criminal, civil, and/or administrative proceedingsand/or administrative proceedings

Requires PSOs to work with more than 1 provider to Requires PSOs to work with more than 1 provider to encourage PSOs to aggregate data across multiple providersencourage PSOs to aggregate data across multiple providers

5

Patient Safety Act Patient Safety Act HHS Division of AuthorityHHS Division of Authority

AHRQ: Patient Safety OrganizationsAHRQ: Patient Safety Organizations- Subpart B: Authority to implement PSO Subpart B: Authority to implement PSO

certification, listing, and revocation procedurescertification, listing, and revocation procedures

OCR: Confidentiality ProtectionsOCR: Confidentiality Protections- Subparts C and D: Establishment of Subparts C and D: Establishment of

confidentiality protections and process for confidentiality protections and process for enforcement; authority extends to all holders of enforcement; authority extends to all holders of patient safety work productpatient safety work product

Subpart A definitions are critical for understanding Subpart A definitions are critical for understanding Subparts B, C, and DSubparts B, C, and D

6

Patient Safety Act:Patient Safety Act:Key ConceptsKey Concepts

Patient Safety Work ProducPatient Safety Work Productt -- Term used by -- Term used by the statute to describe the class of information the statute to describe the class of information that is privileged and confidential.that is privileged and confidential.

Patient Safety Evaluation SystemPatient Safety Evaluation System “means the “means the collection, management, or analysis of collection, management, or analysis of information for reporting to or by a PSO.” information for reporting to or by a PSO.”

7





8

Confidentiality: OCR Approach

Ensure strong protection of PSWP to encourage robust provider participation in reporting of medical errors, while not impeding needed communication and sharing of information/PSWP to achieve patient safety goals

Maximize provider discretion to disclose or not, allowing providers to establish stricter requirements

Minimize complexity or disparity with HIPAA Privacy Rule

9

Patient Safety Work Product

PSWP is any data:

1. Developed by a provider and reported to a PSO

2. Developed by a PSO for the conduct of patient safety activities, or

3. That identifies or constitutes deliberations of or the fact of reporting pursuant to a patient safety evaluation system

Original provider records (e.g., medical, billing) are not PSWP

Nonidentifiable PSWP is not confidential or privileged

10

Confidentiality

The statute provides federal confidentiality and privilege protections to patient safety work product (PSWP) and specifies when disclosures are permitted

Confidentiality and privilege protections continue after disclosure, with limited exceptions

PSWP may contain protected health information (PHI) requiring covered providers to also comply with the HIPAA Privacy Rule requirements

11

Confidentiality Disclosure Permissions

Privilege and Confidentiality Exceptions

For use in a criminal proceeding

To obtain equitable relief for reporters

If authorized by identified providers

Nonidentifiable PSWP

12

Confidentiality Disclosure Permissions (cont’d)

Confidentiality Only Exceptions

For Patient Safety Activities (PSAs)

For research

To the FDA (regarding regulated products)

Voluntary disclosure to an accrediting body

For business operations as determined by the Secretary

For criminal law enforcement purposes (voluntary)

PSWP that does not include the assessment of quality of care or describe or pertain to actions / failures to act by an identifiable provider

13

Patient Safety Activities Disclosure

Core disclosure permission facilitates open, unfettered communication about patient safety events between providers and PSOs

Allows for aggregation of PSWP to identify patterns and trends and to facilitate creation of meaningful nonidentifiable PSWP for a national network of databases

Providers control the extent of disclosures they make to PSOs (and may be able, by contract, to limit redisclosures), which should ameliorate concerns by providers of wide-spread and uncontrolled dissemination of PSWP

14

Enforcement

Strong event-driven (complaints and compliance reviews) enforcement program coupled with voluntary compliance

Providers and PSOs have own incentives to not disclose impermissibly – which align with enforcement goals and may keep the potential enforcement workload low

Enforcement discretion to make appropriate response to situations presented by these new program requirements

Reduce complexity of enforcement program by basing enforcement regulations on standards familiar to the provider community – the HIPAA Enforcement Rule

15

Enforcement (cont’d)

Penalty for Violation: A person who discloses identifiable PSWP in knowing or reckless violation of the confidentiality protections is subject to a civil money penalty (CMP) of up to $10,000 per act

Disclosures by Agents: Principals are liable for an agent’s violation acting within the scope of the agency

Prohibition on Dual Penalties: CMPs may not be imposed under both the Patient Safety Act and HIPAA for a single act

OCR Access to PSWP for Enforcement: PSWP must be disclosed to HHS for compliance and enforcement purposes

16





17

Confidentiality Protections: Provider Considerations

The Patient Safety Act’s confidentiality protections have the potential to significantly expand provider-based patient safety initiatives

Proposed rule would give a provider great flexibility on how to operate and develop a patient safety evaluation system to meet its needs

But providers need to take into account other elements of the statute

18


Statute requires providers to continue to meet external reporting requirements – with information that is not PSWP

Privilege protections not only limit access of others to your PSWP but limit your ability to use PSWP in civil, criminal, administrative, or disciplinary proceedings

Statute prohibits a provider from taking an adverse action against an individual based on the fact that the individual reported information in good faith

Statute seeks to foster a “culture of safety”

19


A provider needs to carefully consider what information is appropriate to protect and what information should not be protected

For example:

Is this information needed to meet external reporting, accountability requirements?

Will this information be needed to justify a disciplinary decision if challenged?

20


When PSWP is held by an entity, the proposed rule would not hold entities liable for uses of PSWP within the legal entity (note: component PSOs cannot share PSWP with rest of its parent organization except under certain circumstances)

This permits free flow of PSWP to those who need access within the provider

But any holder of PSWP – including a provider’s employees – can make disclosures of PSWP in conformity with the rule, without incurring a penalty under the rule

21


Will your workforce be confident that PSWP will not influence privilege, disciplinary or similar decisions?

Issues to consider:

- Separateness of PSWP from these other administrative processes

- Extent to which personnel participate in both review of PSWP and these other administrative processes

22

Confidentiality Protections: A Final Reminder About HIPAA

If a provider is a covered entity as well as a holder of PSWP, it is NEVER sufficient to disclose information by simply looking at either HIPAA or the Patient Safety Act statute and rule.

A disclosure can only be made if it complies with BOTH.

This has implications for informal case discussions that take place outside the legal entity of the provider

confidentiality, patient safety work product, and psos

Documents

patient safety analyses

privilege protections

robust provider participation

enforcement authority

multiple providers

large providers

providers fear

quality improvement