Issues • Jul 2003 • Patient Care

Comparison of Patient Safety Bills (H 663 and S 720*) The Patient Safety and Quality Improvement Act - 2003**

PART ONE: Medical Error Reporting and National Database

Topic H 663 S 720
Disclosure of Data Nothing prohibits any of the following voluntary disclosures:
  1. On a general basis (unrelated to patient safety), voluntary disclosure of nonidentifiable information. (p. 14)
  2. Disclosure of identifiable information generally (for purposes unrelated to patient safety) if such disclosure:
    1. is authorized by the provider for the purposes of improving quality and safety;
    2. is to an entity or person subject to the privacy requirements of section 264(e) of the Health Insurance Portability and Accountability Act of 1996; and
    3. is not in conflict with such section or any regulation promulgated under such section (i.e. medical privacy rule).
  3. Disclosures to the Food and Drug Administration or to a federally established patient safety program.
  4. Disclosures of patient safety work product by a provider to a PSO are permitted.

(p. 14-15)

 Exceptions to Privilege and Confidentiality:

Nothing shall be construed to prohibit the following uses or disclosures:

  1. Disclosure by a provider or patient safety organization of relevant patient safety data for use in a criminal proceeding only after a court makes an incamera determination that such patient safety data contains evidence of an intentional act to directly harm the patient.
  2. Voluntary disclosures by a provider or PSO of information to the Food and Drug Administration....
  3. Voluntary disclosure of non-identifiable patient safety data by a provider or a PSO
  4. Voluntary disclosure by a provider of patient safety data to the Centers for Disease Control and Prevention for public health surveillance, investigation, or other public health activities.

Protected Disclosure and Use of Information:

Nothing in this section shall be construed to prohibit one or more of the following uses of disclosures:

  1. Disclosures by a provider or patient safety organization to carry out activities of a PSO.
  2. Use or disclosure by a provider or patient safety organization of patient safety data in connection with providing treatment, improving patient safety, health care quality or administrative efficiency, or any other customary activity of the provider or in obtaining payment.
  3. Disclosure of patient safety data among patient safety organizations.
  4. Disclosure of patient safety data by a provider or patient safety organization to grantees or contractors carrying out patient safety research, evaluation, or demonstration projects authorized by the Director.
  5. Disclosure of patient safety data by a provider to an accrediting body that accredits that provider.

Patient data used or disclosed under this section shall continue to be privileged and confidential and shall not be disclosed by an entity that possessed such information before such use or disclosure or by an entity to which the information was disclosed unless such additional disclosure is permitted by this section.

(p. 25-27)
Patient Safety Organization (PSO) A private or public organization or component thereof that is certified to:
  1. conduct efforts to improve patient safety and the quality of health care delivery,
  2. collect and analyze patient safety work product (defined in next section),
  3. develop and disseminated evidence-based information to providers with respect to improving patient safety, such as recommendations, protocols, or information regarding best practices,
  4. utilization of specific patient data for the purposes of encouraging a culture of safety and of providing direct feedback and assistance to providers to effectively minimize patient risk,
  5. maintain confidentiality of identifiable information,
  6. provide appropriate security measures with respect to data received,
  7. submit nonidentifiable information to the HHS for the National Patient Safety Database.(p. 7-9)

The mission of the PSO is to conduct activities that are to improve patient safety and the quality of health care delivery and is not in conflict of interest with the providers that contract with the patient safety organization.

(p. 23)

 A private or public organization or component thereof that performs all of the following activities (which are deemed to be necessary for the proper management and administration of such organization or component thereof), and that is currently listed by the Secretary as a patient safety organization:
  1. The conduct, as its primary activity, of efforts to improve patient safety and the quality of health care delivery.
  2. The collection and analysis of patient safety data that are submitted by more than one provider.
  3. The development and dissemination of information to providers with respect to improving patient safety, such as recommendations, protocols, or information regarding best practices,
  4. The utilization of patient safety data to encourage a culture of safety and of providing direct feedback and assistance to providers to effectively minimize patient risk.
  5. The maintenance of a process to preserve confidentiality with respect to the information that is not non-identifiable.
  6. The provision of appropriate security measures with respect to patient safety data.
  7. The submittal to the Secretary of a certification that the PSO intends to perform the foregoing activities.

    (p. 22-23)
Identifiable Patient Data PSOs are to collect and analyze the patient safety work product, which is defined as “any document or communication” (including any information, report, record, memorandum, analysis, deliberative work, statement, or root cause analysis) except certain separate information that is developed by a provider for the purpose of reporting to a patient safety organization, created by a PSO, or reveal the deliberations or analytic process of a patient safety evaluation system. (p. 9)

Patient safety work product does not include separate information such as a document or communication (including patient medical records or any other patient or hospital record) developed, maintained, or existing separate from any patient safety evaluation system. (p. 10)

However, patient safety work product “shall not be construed to include such separate information [i.e. patient medical records] merely by reason of inclusion of a copy of the document or communication involved in a submission to, or the fact of submission of such a copy to, a patient safety organization.” (p. 9-10)

PSO responsibilities include “The maintenance of confidentiality with respect to identifiable information” (p. 8)

 PSOs are to collect and analyze patient safety data, which means:
  1. any data, reports, records, memoranda, analyses (such as root cause analyses), or statements that could result in improved patient safety or health care quality, or health outcomes that are:
    1. collected or developed by a provider for reporting to a PSO, provided that they are reported to the PSO within a reasonable period of time;
    2. requested by a PSO (including the contents of the request)
    3. reported to a provider by a PSO; or
    4. collected or developed by a PSO
  2. any deliberative work or process or oral communications with respect to any patient safety data described in (A)

(p. 21-22)

Limitation: “The term ‘patient safety data’ shall not include information (including a patient’s medical record) that is collected of developed separately from and that exists separately from patient safety data. Such separate information or a copy thereof submitted to a PSO shall not itself be considered as patient safety data” (p. 22)
Definition of Providers Hospitals, nursing facilities, comprehensive outpatient rehabilitation facilities, home health agencies, hospice programs, physicians, physician assistants, nurse practitioners, clinical nurse specialists, certified nurse midwifes, nurse anesthetists, psychologists, certified social workers, registered dietitians nutrition professionals, physical or occupational therapists, other individual health care practitioners, pharmacists, renal dialysis facilities, ambulatory surgical centers, pharmacies, physician offices, health care practitioner offices, long-term care facilities, behavioral health residential treatment facilities, clinical laboratories, community health centers, or “any other person or entity specified in regulations…”

(p. 10-11)

 A person licensed or otherwise authorized under State law to provide health care services, including:

Hospitals, nursing facilities, comprehensive outpatient rehabilitation facilities, home health agencies, hospice programs, renal dialysis facilities, ambulatory surgical centers, pharmacies, physician offices, health care practitioner offices, long-term care facilities, behavioral health residential treatment facilities, clinical laboratories, health centers physicians, physician assistants, nurse practitioners, clinical nurse specialists, certified, registered nurse anesthetists, certified nurse midwifes, psychologists, certified social workers, registered dietitians nutrition professionals, physical or occupational therapists, pharmacists, other individual health care practitioners, or “any other person specified in regulations…”

(p. 23-24)
Privileged Data “Nothing in this section shall be construed to affect privileges, including peer review and confidentiality protections, that are otherwise available under Federal or State law.” (p. 17)

Patient safety work product data will not be:

  1. subject to civil or administrative subpoena or order,
  2. subject to discovery in connection with a civil or administrative proceeding,
  3. subject to disclosure pursuant to section 552 of title 5, U.S. Code (commonly known as the Freedom of Information Act) or any other similar Federal or State law,
  4. required to be admitted as evidence or otherwise disclosed in any State or Federal civil or administrative proceeding; or
  5. if the patient safety work product is identifiable information and is received by a national accreditation organization in its capacity as a patient safety organization:
    1. used by a national accreditation in an accreditation action against the provider that reported the information
    2. shared by such organization with its survey team
    3. required as a condition of accreditation by a national accreditation organization

(p. 11-12)

 “Notwithstanding any other provision of Federal, State, or local law, patient safety data shall be privileged…” (p. 24)

Subject to certain exceptions to privilege and confidentiality (see Disclosure of Data above), patient safety data shall not be:

  1. subject to a Federal State, or local civil, criminal, or administrative subpoena,
  2. subject to discovery in connection with a Federal, State, or local civil, criminal, or administrative proceeding,
  3. disclosed pursuant to section 552 of title 5 U.S. Code (commonly known as the Freedom of Information Act) or any other similar Federal, State, or local law;
  4. admitted as evidence or otherwise disclosed in any Federal State, or local civil, criminal, or administrative proceeding, or
  5. utilized in a disciplinary proceeding against a provider.

(p. 24-25)

Except with respect to the specific patient safety data that is used or disclosed, the disclosure or use of any patient safety data in accordance with exceptions to privilege and permitted disclosures (see above) shall not be treated as a waiver of any privilege or protection established. (p. 28)

The inadvertent disclosure or use of patient safety data shall not waive any privilege or protection established with respect to such data. (p. 28)
Limitations on Actions Against PSOs and Providers   Except for the exceptions to privilege (see above), no action may be brought or process served against a PSO to compel disclosure of information collected or developed under this part whether or not such information is patient safety data

An accrediting body shall not take an accrediting action against a provider based on the good faith participation of the provider in the collection development reporting or maintenance of patient safety data. It may not require a provider to reveal its communications with any PSO.

(p. 27-28)
Adverse Employment Actions for “Whistle Blowing” Reporter Protection:

In general, a provider may not use against an individual in an adverse employment action the fact that the individual in good faith reported information about medical errors to the provider or a PSO.

An adverse employment action includes:

  1. failure to promote an individual or provide any other employment-related benefit for which the person would otherwise be eligible,
  2. an adverse evaluation or decision made in relation to accreditation, certification, credentialing, or licensing of the individual,
  3. a personnel action that is adverse to the individual.

Remedies: a civil monetary penalty of not more than $20,000 for each such violation. (p. 12-13)

 Reporter Protection:

In general, a provider may not take an adverse employment action against an individual based on the fact that the individual in good faith reported information about medical errors to the provider or a PSO.

An adverse employment action includes: loss of employment, the failure to promote an individual, or the failure to provide any other employment-related benefit for which the individual would otherwise be eligible, or an adverse evaluation or decision made in relation to accreditation, certification, credentialing, or licensing of the individual.

(p. 29)

Except for permitted disclosures (see above), it shall be unlawful for any person to negligently or intentionally disclose any patient safety data. Such employers will be assessed according to section 934(d) (p. 29 - 30)
Patient Safety Database(s) National Patient Safety Database:

HHS “shall provide for the establishment and maintenance of a database to receive relevant nonidentifiable patient safety work product, and may designate entities to collect relevant nonidentifiable patient safety work product that is voluntarily reported by patient safety organization upon request of HHS.

The database shall be referred to a the “National Patient Safety Database”

The data will be used to analyze national and regional statistics, including trends and patterns of health care errors.

HHS shall provide scientific support to patient safety organization, including the dissemination of methodologies and evidence-based information related to root causes and quality improvement. (p. 19-20)

“Only nonidentifiable information may be transferred to any national Patient Safety Database” (p. 21)

 Patient Safety Network of Databases:

HHS “shall maintain a patient safety network of databases that provides an interactive evidence-based management resource for providers, patient safety organizations, and other persons. The network of databases shall have the capacity to accept, aggregate, and analyze nonidentifiable patient safety data voluntarily reported by patient safety organizations, providers or other persons” (p. 32)
Data for the Database HHS shall work with PSOs, providers and the health information technology industry to determine common formats for reporting, including necessary data elements, common and consistent definitions, and a standardized computer interface. (p. 20)

HHS may facilitate the direct link of information between providers and PSOs and between PSOs and the National Patient Safety Database. (p.21)

Technical Assistance: HHS may provide guidance on the type of data to be voluntarily submitted.

Assistance may include annual meetings for PSOs to discuss methodology, communication, information collection, or privacy concerns. (p. 21)

 HHS “may determine common formats for the reporting to the patient safety network of databases …of nonidentifiable patient safety data, including necessary data elements, common and consistent definitions, and a standardized computer interface for the processing of such data. To the extent practicable, such standards shall be consistent with the administrative simplification provisions” of HIPAA. (p. 32)

Technical Assistance: HHS may provide technical assistance to patient safety organization, including annual meetings for patient safety organizations to discuss methodology, communication, data collection, or privacy concerns. (p. 38)
Funds Appropriated for Patient Safety and Quality Improvement “There are authorized to be appropriated such sums as may be necessary for each of the fiscal years 2004 through 2008” (p. 25) “There is authorized to be appropriated such sums as may be necessary to carry out this part” (p. 39)
Penalties Unlawful to disclose patient safety work product if such disclosure constitutes a negligent or knowing breach of confidentiality (p. 15)

Civil monetary penalty of not more than $10,000 for each violation, unless the person is subject to penalties under the HIPAA statute or federal medical privacy rule. (p. 15-16)

Penalties only apply to the first person the breaches confidentiality with respect to particular patient safety work product data. (p. 16)

 Assessed in accordance with section 934(d) (p. 29 - 30)

The penalty shall not apply if the defendant would otherwise be subject to a penalty under the regulation promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-2 note) or under section 1176 of the Social Security Act (42 U.S.C. 1320d-5) for the same disclosure

Without limiting remedies available to other parties, a civil action may be brought by any aggrieved individual to enjoin any act or practice that violates the protections against adverse employment actions, and to obtain other appropriate equitable relief (including reinstatement, back pay, and restoration of benefits) to redress such violation.

The privilege (described above) shall not apply to State employers unless the employer consents, in advance, to be subject to a civil action.

(p. 29 - 30)
Patient Privacy/HIPAA Non-identifiable information means “information that is presented in a form and manner that prevents the identification of any provider, patient, or reporter of patient safety work product. With respect to patients, such information must be de-identified consistent with the regulations promulgated pursuant to” HIPAA. (p. 7)

Nothing would prevent providers, HHS or PSOs from entering into contracts that require greater confidentiality or delegate authority to make an authorized disclosure (p. 17)

For the purposes of the federal medical privacy rule, PSOs are to be business associates (not covered entities, therefore not directly subject to the rule) and sharing of the data is deemed to be health care operations (no patient consent required) (p. 16-17)

Nothing shall be construed to alter of affect the implementation of such regulations or such section 264(c) of HIPAA. (p. 17)

Nothing in this part shall be construed as preempting or otherwise affecting any State law requiring a provider to report information, including information…that is not patient safety work product” (p. 17)

Patient safety work product of an organization that is certified as a PSO shall continue to be privileged and confidential, if the organization’s certification is terminated or revoked or if the organization otherwise ceases to qualify as a PSO. (p. 18)

 Non-identifiable information about patients means that the information has been de-identified so that it is no longer individually identifiable health information as defined in the HIPAA privacy rule (p. 21)

Nothing limits, alters, or affect the requirements of Federal, State, or local law pertaining to patient-related data that is not privileged or confidential under this bill’s provisions. (p. 31)

Nothing alters or affect the implementation of any provision of section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191; 110 Stat. 2033) section 1176 of the Social Security Act (42 U.S.C. 1320d-5), or any regulation promulgated under such sections. (p. 31)

Nothing limits the authority of any provider, patient safety organization , or other person to enter into a contract requiring greater confidentiality or delegating authority to make a disclosure or use in accordance with the permitted disclosures of this bill. (p. 31)

Nothing prohibits a provider from reporting crime to law enforcement authorities. (p. 31)

Patient Safety Data sent to a PSO whose certification has been revoked, may be transferred to another PSO, returned to the provider, or destroyed. (p. 38)

* This is the amended version of S 720 after passage in the Senate Health, Education, Labor, and Pensions Committee.

** The Patient Safety Organization certification sections of the bills are not in the comparison.

Copyright © Citizens' Council on Health Care 2003
July 24, 2003