These rules and regulations are promulgated pursuant to the authority conferred under R.I. Gen. Laws § 23-17.21-5(c), for the purpose of adopting standards for certification of patient safety organizations and operational requirements for both a reporting entity and a patient safety organization.

These regulations hereby adopt and incorporate 45 C.F.R. Parts 160 through 164 (2017) by reference, not including any further editions or amendments thereof and only to the extent that the provisions therein are not inconsistent with these regulations.

A. Whenever used in these rules and regulations, the following terms shall be construed as follows:

1. “Act” means R.I. Gen. Laws Chapter 23-17.21, entitled “The Rhode Island Patient Safety Act of 2008.”

2. “Bona fide contract” means a written contract between a reporting entity and a PSO that is executed in good faith by officials authorized to execute such contract.

3. “Component organization” means an entity that is either:

a. A unit or division of a corporate organization or of a multi-organizational enterprise; or

b. A separate organization, whether incorporated or not, that is owned, managed or controlled by one or more other organization(s), i.e., its parent organization(s).

4. “Component PSO” means a patient safety organization certified by the Director that is a component organization.

5. “Department” means the Rhode Island Department of Health.

6. “Director" means the Director of the Rhode Island Department of Health.

7. “Document log” means an inventory or record, required pursuant to R.I. Gen. Laws § 23-17.21-6(b), which itemizes the types of documents submitted to the PSO without indicating the content of such documents.

8. “Entity” means any organization or organizational unit, regardless of whether the organization is public, private, for-profit or not-for-profit.

9. “Health care facility” means any corporation, limited liability company, facility, or institution licensed by this state to provide health care or professional services, or an officer, employee or agent thereof acting in the course and scope of his or her employment.

10. “Identifiable patient safety work product” means patient safety work product that:

a. Is presented in a form and manner that allows the identification of any provider or reporting entity that is a subject of the work product, or any providers or reporting entities that participate in activities that are a subject of the work product;

b. Constitutes individually identifiable health information as that term is defined in the Health Insurance Portability and Accountability Act, 42 U.S.C. § 1320d-6 and its implementing regulations; or

c. Is presented in a form and manner that allows the identification of an individual.

11. “Near misses” means circumstances in which a patient safety event is narrowly averted.

12. “Nonidentifiable patient safety work product” means patient safety work product that is not identifiable patient safety work product as defined in these regulations.

13. “Patient safety activities” means:

a. Efforts to improve patient safety and the quality of health care delivery;

b. The collection and analysis of patient safety work product;

c. The development and dissemination of information with respect to improving patient safety, such as recommendations, protocols, or information regarding best practices;

d. The utilization of patient safety work product for the purposes of encouraging a culture of safety and of providing feedback and assistance to effectively minimize patient risk;

e. The maintenance of procedures to preserve confidentiality with respect to patient safety work product; and

f. The provision of appropriate security measures with respect to patient safety work product.

14. “Patient safety event” means those events as defined by the national quality forum, institute of medicine, Center for Medicare and Medicaid Services (CMS), and as further defined by the Quality of Care Advisory Committee, as established in this Part pursuant to RI Gen Laws § 23-17.21-5(b), and shall include near misses.

15. “Patient safety organization (PSO)” means any entity certified by the Director whose activity is to improve patient safety and the quality of health care delivery for patients receiving care through the collection, aggregation, analysis, investigation, and/or processing of medical or health care related information submitted to it by reporting entities. A PSO shall not mean any agency or public body as defined in R.I. Gen. Laws § 38-2-2(1).

16. “Patient safety work product" means all reports, records, memoranda, analyses, statements, root cause analyses, and written or oral statements, that:

a. A health care facility or provider prepares for the purpose of disclosing a patient safety event, and is disclosed, to a patient safety organization;

b. Is received from a reporting entity, and is created and analyzed by a patient safety organization; or

c. Directly or indirectly contains deliberations, analytical process, recommendations, conclusions, or other communications of a patient safety organization and between a patient safety organization and health care providers or facilities.

17. “Quality of Care Advisory Committee” means the committee established by the Director, pursuant to R.I. Gen. Laws § 23-17.21-5(b), to advise the Department on PSO-related issues.

18. “Reporting entity” means any hospital, nursing facility or freestanding ambulatory surgical center licensed pursuant to R.I. Gen. Laws § 23-17.

A. Ineligible Entities

1. Entities that may not seek certification as a PSO include:

a. Health insurance issuers or components of health insurance issuers.

2. Any other entity, public or private, that conducts regulatory oversight of health care providers, such as accreditation or licensure, may not seek certification, except that a component of such an entity may seek listing as a component PSO.

6.5.1 Privilege

Privilege of patient safety work product and document log is pursuant to R.I. Gen. Laws § 23-17.21-8(a).

6.5.2 Confidentiality of Patient Safety Work Product and Document Log

Confidentiality of patient safety work product and document log is pursuant to R.I. Gen. Laws § 23-17.21-8(b).

6.5.3 Exceptions

A. Exceptions from privilege and confidentiality are pursuant to R.I. Gen. Laws § 23-17.21-8(c)(1).

B. Exceptions from confidentiality are pursuant to R.I. Gen. Laws § 23-17.21-8(c)(2).

C. Continued protection of information after disclosure is pursuant to R.I. Gen. Laws §§ 23-17.21-8(d)(1) through 23-17.21-8(d)(3).

1. Limitations on actions are pursuant to R.I. Gen. Laws § 23-17.21(8)(d)(4).

D. Reporter protection is pursuant to R.I. Gen. Laws § 23-17.21-8(e).

Reporting entity requirements are pursuant to R.I. Gen. Laws § 23-17.21-6.

6.7.1 Maintenance of Reports

Maintenance of reports is pursuant to R.I. Gen. Laws § 23-17.21-7(b).

6.7.2 Dissemination of Information

Dissemination of information is pursuant to R.I. Gen. Laws § 23-17.21-7(c).

6.7.3 Safeguards and Security Measures

A. General Requirements

1. A PSO shall have in place appropriate physical, technical and procedural safeguards and security measures to ensure the technical integrity, physical safety, and confidentiality of any patient safety work product. These safeguards and security measures shall be in place at all times and at any location at which the PSO, its workforce members, or its contractors hold patient safety work product. Such safeguards and security measures shall comply with state and federal confidentiality laws including, without limitation, the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations 45 C.F.R. Parts 160 through 164 (2017) incorporated at § 6.2 of this Part and R.I. Gen. Laws Chapter 5-37.3 (Confidentiality of Health Care Communications and Information Act).

2. Nothing in the Act or this Part shall be construed to prohibit a PSO from choosing to disclose patient safety work product, or portions of patient safety work product, solely to a reporting entity, in conformity with the PSO's mission and within its contractual obligations to the reporting entity who submitted the information. No patient safety organization shall release protected health information or patient identifying information without meeting the requirements of R.I. Gen. Laws § 5-37.3 (Confidentiality of Health Care Communications and Information Act) and the federal Health Insurance Portability and Accountability Act of 1996, and its implementing regulations 45 C.F.R. Parts 160 through 164 (2017) incorporated at § 6.2 of this Part.

B. Security Framework. PSOs shall consider the following framework for the security of patient safety work product. The framework includes security management, separation of systems, security monitoring and control, and system assessment. To address the four elements of this framework, a PSO shall develop appropriate and scalable security standards, policies, and procedures that are suitable for the size and complexity of its organization.

1. Security Management. A PSO shall address:

a. Maintenance and effective implementation of written policies and procedures that conform to the requirements of this section to protect the confidentiality, integrity, and availability of the patient safety work product that is processed, stored, and transmitted; and to monitor and improve the effectiveness of such policies and procedures, and

b. Training of the PSO workforce and PSO contractors who access or hold patient safety work product regarding the requirements of the Act, this Part, and the PSO's policies and procedures regarding the confidentiality and security of patient safety work product.

2. Separation of Systems. A PSO shall address:

a. Maintenance of patient safety work product, whether in electronic or other media, physically and functionally separate from any other system of records;

b. Protection of the media, whether in electronic, paper, or other format, that contain patient safety work product, limiting access to authorized users and sanitizing and destroying such media before disposal or release for reuse; and

c. Physical and environmental protection, to control and limit physical and virtual access to places and equipment where patient safety work product is stored or used.

3. Security Control and Monitoring. A PSO shall address:

a. Identification of those authorized to have access to patient safety work product and an audit capacity to detect unlawful, unauthorized or inappropriate access to patient safety work product, and

b. Measures to prevent unauthorized removal, transmission or disclosure of patient safety work product.

4. Security Assessment. A PSO shall address:

a. Periodic assessments of security risks and controls, as determined appropriate by the PSO, to establish if its controls are effective, to correct any deficiency identified, and to reduce or eliminate any vulnerabilities.

b. System and communications protection, to monitor, control, and protect PSO uses, communications, and transmissions involving patient safety work product to and from reporting entities and any other responsible persons.

6.7.4 Required Notifications

A. A PSO shall meet the following notification requirements:

1. Notification Regarding PSO Compliance With Minimum Contract Requirement. No later than forty-five (45) calendar days prior to expiration of the PSO’s certification, as specified in § 6.8.3(A) of this Part, the PSO shall submit to the Director an attestation as to whether it has met the requirement of § 6.8.2(A)(4)(c) of this Part regarding two (2) bona fide contracts.

2. Notification Regarding a PSO's Relationships With Its Contracting Reporting Entities. A PSO shall submit a disclosure statement to the Director regarding its relationships with each reporting entity with which the PSO has a contract pursuant to the Act and this Part if the circumstances described in either §§ 6.7.4(A)(2)(a) or 6.7.4(A)(2)(b) of this Part are applicable. The Director shall receive a disclosure statement within forty-five (45) days of the date on which a PSO enters a contract with a reporting entity if the circumstances are met on the date the contract is entered. During the contract period, if a PSO subsequently enters one or more relationships with a contracting reporting entity that create the circumstances described in § 6.7.4(A)(2)(a) of this Part or a reporting entity exerts any control over the PSO of the type described in § 6.7.4(A)(2)(b) of this Part, the Director shall receive a disclosure statement from the PSO within forty-five (45) days of the date that the PSO entered each new relationship or of the date on which the reporting entity imposed control of the type described in § 6.7.4(A)(2)(b) of this Part.

a. Taking into account all relationships that the PSO has with the reporting entity, other than the bona fide contract entered into pursuant to the Act and this Part, the PSO shall fully disclose any other contractual, financial, or reporting relationships described below that it has with that reporting entity.

(1) Contractual relationships which are not limited to relationships based on formal contracts but also encompass relationships based on any oral or written agreement or any arrangement that imposes responsibilities on the PSO.

(2) Financial relationships including any direct or indirect ownership or investment relationship between the PSO and the contracting reporting entity, shared or common financial interests or direct or indirect compensation arrangement, whether in cash or in-kind.

(3) Reporting relationships including any relationship that gives the reporting entity access to information or control, directly or indirectly, over the work of the PSO that is not available to other contracting reporting entities.

b. Taking into account all relationships that the PSO has with the reporting entity, the PSO shall fully disclose if it is not independently managed or controlled, or if it does not operate independently from, the contracting reporting entity. In particular, the PSO shall further disclose whether the contracting reporting entity has exercised or imposed any type of management control that could limit the PSO's ability to fairly and accurately perform patient safety activities and fully describe such control(s).

c. PSOs may also describe or include in their disclosure statements, as applicable, any agreements, stipulations, or procedural safeguards that have been created to protect the ability of the PSO to operate independently or information that indicates the limited impact or insignificance of its financial, reporting, or contractual relationships with a contracting reporting entity.

6.8.1 General Requirements

A. Certification Required. A patient safety organization (PSO) shall be certified by the Director pursuant to this Part before entering into a contract with a reporting entity.

B. Submission of Application. Any entity, except as specified in § 6.4(A) of this Part may request an initial or renewal certification as a PSO by submitting a completed application form to the Director on forms provided by the Department. An individual with authority to make commitments on behalf of the entity seeking certification will be required to acknowledge each of the certification requirements, attest that the entity meets each requirement, provide contact information for the entity, and certify that the PSO will promptly notify the Department during its period of certification if it can no longer comply with any of the criteria in this Part.

C. Notification of Changes. Any PSO certified pursuant to this section shall notify the Department in writing before making any change which would render the information contained in their application for certification no longer accurate.

D. Federal Certification Required. Any entity requesting certification as a PSO pursuant to this Part shall also obtain and maintain certification/listing as a PSO pursuant to the Patient Safety and Quality Improvement Act, 42 U.S.C. §§ 299b-21 through 299b-26, and any implementing regulations promulgated by the U.S. Agency for Healthcare Quality and Research.

1. Any PSO certified pursuant to this Part prior to the establishment of a federal PSO certification/listing program shall be required to obtain such certification when it becomes available. The PSO shall provide copies of all federal PSO certification/listing documents to the Director pursuant to § 6.8.1(C) of this Part.

2. Any entity requesting certification as a PSO pursuant to this Part after the establishment of a federal PSO certification/listing program shall be required to provide copies of all federal PSO certification/listing documents with their application.

3. Renewal. A PSO seeking renewal of certification after the establishment of a federal PSO certification/listing program shall include documentation that the PSO maintains current certification/listing pursuant to that federal PSO program.

6.8.2 Certification Application

A. An application for certification as a PSO shall include, as a minimum, the following information for review by the Department:

1. Certification Regarding Patient Safety Activities. An entity seeking initial certification as a PSO shall attest that it has written policies and procedures in place to perform each of the following eight (8) patient safety activities:

a. Efforts to improve patient safety and the quality of health care delivery;

b. Collection and analysis of patient safety work product;

c. Development and dissemination of information with respect to improving patient safety, such as recommendations, protocols, or information regarding best practices;

d. Utilization of patient safety work product for the purposes of encouraging a culture of safety and of providing feedback and assistance to effectively minimize patient risk;

e. Maintenance of procedures to preserve confidentiality with respect to patient safety work product;

f. Provision of appropriate security measures with respect to patient safety work product;

g. Utilization of qualified staff; and

h. Activities related to the operation of a patient safety evaluation system and to the provision of feedback to participants in a patient safety evaluation system.

2. The policies and procedures referenced in § 6.8.2(A)(1) of this Part shall provide for compliance with the privilege and confidentiality provisions of § 6.5 of this Part and the appropriate safeguards and security measures required by § 6.7.3 of this Part.

3. Renewal. A PSO seeking renewal of certification shall attest that it is performing, and will continue to perform, each of the eight (8) patient safety activities referenced in § 6.8.2(A)(1) of this Part, and is and will continue to comply with the privilege and confidentiality provisions of § 6.5 of this Part and the appropriate safeguards and security measures required by § 6.7.3 of this Part.

4. Certification Regarding PSO Criteria. An entity seeking initial certification as a PSO shall attest that it will comply with each of the following seven (7) criteria:

a. The mission and primary activity of a PSO shall be to conduct activities that are to improve patient safety and the quality of health care delivery.

b. The PSO shall have appropriately qualified workforce members, including licensed or certified medical professionals.

c. The PSO, within the initial two (2) year certification period, and within each sequential two (2) year certification renewal period, shall have entered into at least two (2) bona fide contracts, each of a reasonable period of time, each with a different reporting entity for the purpose of receiving and reviewing patient safety work product.

d. The PSO is not a health insurance issuer, and is not a component of a health insurance issuer.

e. The PSO shall make disclosures to the Director as required under § 6.7.4 of this Part.

f. To the extent practical and appropriate, the PSO shall collect patient safety work product from reporting entities in a standardized manner that permits valid comparisons of similar cases among similar reporting entities.

g. The PSO shall utilize patient safety work product for the purpose of providing direct feedback and assistance to reporting entities to effectively minimize patient risk.

h. Renewal. A PSO seeking renewal of certification shall also attest that it is complying with, and will continue to comply with, each of the seven (7) PSO criteria referenced in § 6.8.2(A)(4) of this Part.

5. Additional Certifications Required of Component Organizations. An entity seeking initial certification as a PSO, that is a component of another organization or enterprise, shall also attest that it will comply with the following requirements:

a. Separation of Patient Safety Work Product. A component PSO shall:

(1) Maintain patient safety work product separately from the rest of the parent organization(s) of which it is a part; and

(2) Not have a shared information system that could permit access to its patient safety work product to an individual(s) in, or unit(s) of, the rest of the parent organization(s) of which it is a part.

b. Notwithstanding the requirements of paragraph § 6.8.2(A)(5)(a) of this Part, a component PSO may provide access to identifiable patient safety work product to an individual(s) in, or a unit(s) of, the rest of the parent organization(s) of which it is a part if the component PSO enters into a written agreement with such individuals or units that requires that:

(1) The component PSO will only provide access to identifiable patient safety work product to enable such individuals or units to assist the component PSO in its conduct of patient safety activities, and

(2) Such individuals or units that receive access to identifiable patient safety work product pursuant to such written agreement will only use or disclose such information as specified by the component PSO to assist the component PSO in its conduct of patient safety activities, will take appropriate security measures to prevent unauthorized disclosures and will comply with the other certifications the component has made pursuant to §§ 6.8.2(A)(5)(c) through (d) of this Part regarding unauthorized disclosures and conflicts with the mission of the component PSO.

c. Nondisclosure of Patient Safety Work Product. A component PSO shall require that members of its workforce and any other contractor staff, or individuals in, or units of, its parent organization(s) that receive access in accordance with § 6.8.2(A)(5)(b) of this Part to its identifiable patient safety work product, not be engaged in work for the parent organization(s) of which it is a part, if the work could be informed or influenced by such individuals' knowledge of identifiable patient safety work product, except for individuals whose other work for the rest of the parent organization(s) is solely the provision of clinical care.

d. Conflict of Interest. The pursuit of the mission of a component PSO shall not create a conflict of interest with the rest of the parent organization(s) of which it is a part.

e. Renewal. A component PSO seeking renewal of certification shall also certify that it is complying with, and will continue to comply with, each of the additional requirements referenced in §§ 6.8.2(A)(5)(a) through (d) of this Part.

6.8.3 Issuance and Renewal of Certification.

A. Issuance of Certification. Pursuant to the provisions of R.I. Gen. Laws § 23-17.21-5(a), the Director shall grant certification to a PSO which meets the certification requirements set forth in this Part. The certification shall expire on the last day of the month two (2) years from the date of issue, unless sooner suspended or revoked.

B. Renewal of Certification. A PSO may renew a certification every two (2) years upon submission of an application in accordance with the provisions of §§ 6.8.2(A)(3), 6.8.2(A)(4)(h), and 6.8.2(A)(5)(e) (if applicable) of this Part. In any case in which the responsible individual of a PSO has filed a renewal application in proper form, including compliance with the notification requirements of § 6.7.4(A)(1) of this Part, not less than forty-five (45) calendar days prior to expiration of its existing certification, the existing certification shall not expire until final action on the renewal application has been taken by the Department.

A. Complaints and Routine Correspondence.

1. Complaints. Any person who desires to register a complaint citing a violation of the Act or this Part shall submit a written and signed letter of complaint to the Director. All complaints shall be directed to:

2. Routine Correspondence. Routine correspondence, including all required notifications and reports, shall also be directed to the address specified above.

B. Penalties.

1. Civil Monetary Penalty. Subject to § 6.5.3(C)(3) of this Part, a person who discloses identifiable patient safety work product and/or document log in a knowing or reckless violation of § 6.5.2 of this Part shall be subject to a civil monetary penalty of not more than ten thousand dollars ($10,000) for each act constituting such violation.

2. Relation to Health Insurance Portability and Accountability Act. Penalties shall not be imposed both under this Part and under the regulations issued pursuant to the Health Insurance Portability and Accountability Act, 42 U.S.C. § 1320d-5 for a single act or omission.

Upon due notice in accordance with R.I. Gen. Laws § 42-35, all hearings and reviews required under the provisions of the Act and this Part shall be held in accordance with requirements of the Rules and Regulations of the Rhode Island Department of Health Regarding Practices and Procedures Before the Department of Health and Access to Public Records of the Department of Health.