Confidentiality, Patient Safety Work Product, and PSOs

1
Confidentiality, Patient Safety Work Product,
and PSOs

• The Proposed Rule Implementing the Patient Safety
  and Quality Improvement Act of 2005

AHRQ Annual Conference September 8, 2008
2
Presentation Organization

• Patient Safety Act A Brief Overview
  Larry Patton
• Confidentiality Protections and their Enforcement
  Verne Rinker
• Confidentiality Protections Provider
  Considerations Larry Patton

3
What is the Problem?

• Providers fear that patient safety analyses
  could be used against them in court (malpractice)
  or in disciplinary proceedings
• State peer review laws seldom permit large
  providers to undertake system-wide analyses
• Inability to aggregate data undercuts efforts to
  improve patient safety only by looking at large
  numbers of events can patterns of system
  failures be identified

4
The Solution in the Act

• Authorizes creation of Patient Safety
  Organizations (PSOs) -- entities with expertise
  in identifying, analyzing, correcting and
  preventing risks/harms to patient safety
• Provides Federal confidentiality protections for
  these analyses and significantly limits their use
  in criminal, civil, and/or administrative
  proceedings
• Requires PSOs to work with more than 1 provider
  to encourage PSOs to aggregate data across
  multiple providers

5
Patient Safety Act HHS Division of Authority

• AHRQ Patient Safety Organizations
• Subpart B Authority to implement PSO
  certification, listing, and revocation procedures
• OCR Confidentiality Protections
• Subparts C and D Establishment of
  confidentiality protections and process for
  enforcement authority extends to all holders of
  patient safety work product
• Subpart A definitions are critical for
  understanding Subparts B, C, and D

6
Patient Safety ActKey Concepts

• Patient Safety Work Product -- Term used by the
  statute to describe the class of information that
  is privileged and confidential.
• Patient Safety Evaluation System means the
  collection, management, or analysis of
  information for reporting to or by a PSO.

7
Presentation Organization

• Patient Safety Act A Brief Overview
  Larry Patton
• Confidentiality Protections and their Enforcement
  Verne Rinker
• Confidentiality Protections Provider
  Considerations Larry Patton

8
Confidentiality OCR Approach

• Ensure strong protection of PSWP to encourage
  robust provider participation in reporting of
  medical errors, while not impeding needed
  communication and sharing of information/PSWP to
  achieve patient safety goals
• Maximize provider discretion to disclose or not,
  allowing providers to establish stricter
  requirements
• Minimize complexity or disparity with HIPAA
  Privacy Rule

8
9
Patient Safety Work Product

• PSWP is any data
• Developed by a provider and reported to a PSO
• Developed by a PSO for the conduct of patient
  safety activities, or
• That identifies or constitutes deliberations of
  or the fact of reporting pursuant to a patient
  safety evaluation system
• Original provider records (e.g., medical,
  billing) are not PSWP
• Nonidentifiable PSWP is not confidential or
  privileged

9
10
Confidentiality

• The statute provides federal confidentiality and
  privilege protections to patient safety work
  product (PSWP) and specifies when disclosures are
  permitted
• Confidentiality and privilege protections
  continue after disclosure, with limited
  exceptions
• PSWP may contain protected health information
  (PHI) requiring covered providers to also comply
  with the HIPAA Privacy Rule requirements

10
11
Confidentiality Disclosure Permissions

• Privilege and Confidentiality Exceptions
• For use in a criminal proceeding
• To obtain equitable relief for reporters
• If authorized by identified providers
• Nonidentifiable PSWP

11
12
Confidentiality Disclosure Permissions (contd)

• Confidentiality Only Exceptions
• For Patient Safety Activities (PSAs)
• For research
• To the FDA (regarding regulated products)
• Voluntary disclosure to an accrediting body
• For business operations as determined by the
  Secretary
• For criminal law enforcement purposes (voluntary)
• PSWP that does not include the assessment of
  quality of care or describe or pertain to actions
  / failures to act by an identifiable provider

12
13
Patient Safety Activities Disclosure

• Core disclosure permission facilitates open,
  unfettered communication about patient safety
  events between providers and PSOs
• Allows for aggregation of PSWP to identify
  patterns and trends and to facilitate creation of
  meaningful nonidentifiable PSWP for a national
  network of databases
• Providers control the extent of disclosures they
  make to PSOs (and may be able, by contract, to
  limit redisclosures), which should ameliorate
  concerns by providers of wide-spread and
  uncontrolled dissemination of PSWP

13
14
Enforcement

• Strong event-driven (complaints and compliance
  reviews) enforcement program coupled with
  voluntary compliance
• Providers and PSOs have own incentives to not
  disclose impermissibly which align with
  enforcement goals and may keep the potential
  enforcement workload low
• Enforcement discretion to make appropriate
  response to situations presented by these new
  program requirements
• Reduce complexity of enforcement program by
  basing enforcement regulations on standards
  familiar to the provider community the HIPAA
  Enforcement Rule

14
15
Enforcement (contd)

• Penalty for Violation A person who discloses
  identifiable PSWP in knowing or reckless
  violation of the confidentiality protections is
  subject to a civil money penalty (CMP) of up to
  10,000 per act
• Disclosures by Agents Principals are liable for
  an agents violation acting within the scope of
  the agency
• Prohibition on Dual Penalties CMPs may not be
  imposed under both the Patient Safety Act and
  HIPAA for a single act
• OCR Access to PSWP for Enforcement PSWP must be
  disclosed to HHS for compliance and enforcement
  purposes

15
16
Presentation Organization

• Patient Safety Act A Brief Overview
  Larry Patton
• Confidentiality Protections and their Enforcement
  Verne Rinker
• Confidentiality Protections Provider
  Considerations Larry Patton

17
Confidentiality Protections Provider
Considerations

• The Patient Safety Acts confidentiality
  protections have the potential to significantly
  expand provider-based patient safety initiatives
• Proposed rule would give a provider great
  flexibility on how to operate and develop a
  patient safety evaluation system to meet its
  needs
• But providers need to take into account other
  elements of the statute

17
18
Confidentiality Protections Provider
Considerations

• Statute requires providers to continue to meet
  external reporting requirements with
  information that is not PSWP
• Privilege protections not only limit access of
  others to your PSWP but limit your ability to use
  PSWP in civil, criminal, administrative, or
  disciplinary proceedings
• Statute prohibits a provider from taking an
  adverse action against an individual based on the
  fact that the individual reported information in
  good faith
• Statute seeks to foster a culture of safety

18
19
Confidentiality Protections Provider
Considerations

• A provider needs to carefully consider what
  information is appropriate to protect and what
  information should not be protected
• For example
• Is this information needed to meet external
  reporting, accountability requirements?
• Will this information be needed to justify a
  disciplinary decision if challenged?

19
20
Confidentiality Protections Provider
Considerations

• When PSWP is held by an entity, the proposed rule
  would not hold entities liable for uses of PSWP
  within the legal entity (note component PSOs
  cannot share PSWP with rest of its parent
  organization except under certain circumstances)
• This permits free flow of PSWP to those who need
  access within the provider
• But any holder of PSWP including a providers
  employees can make disclosures of PSWP in
  conformity with the rule, without incurring a
  penalty under the rule

20
21
Confidentiality Protections Provider
Considerations

• Will your workforce be confident that PSWP will
  not influence privilege, disciplinary or similar
  decisions?
• Issues to consider
• - Separateness of PSWP from these other
  administrative processes
• - Extent to which personnel participate in both
  review of PSWP and these other administrative
  processes

21
22
Confidentiality Protections A Final Reminder
About HIPAA

• If a provider is a covered entity as well as a
  holder of PSWP, it is NEVER sufficient to
  disclose information by simply looking at either
  HIPAA or the Patient Safety Act statute and rule.
• A disclosure can only be made if it complies with
  BOTH.
• This has implications for informal case
  discussions that take place outside the legal
  entity of the provider

22