42 CFR § 3.102 - Process and requirements for initial and continued listing of PSOs.
(a) Eligibility and process for initial and continued listing -
(1) Submission of certification. Any entity, except as specified in paragraph (a)(2) of this section, may request from the Secretary an initial or continued listing as a PSO by submitting a completed certification form that meets the requirements of this section, in accordance with § 3.112. An individual with authority to make commitments on behalf of the entity seeking listing will be required to submit contact information for the entity and:
(v) Attest that the entity has disclosed if the Secretary has ever delisted this entity (under its current name or any other) or refused to list the entity or whether any of its officials or senior managers held comparable positions of responsibility in an entity that was denied listing or delisted and, if any of these circumstances apply, submit with its certifications and related disclosures, the name of the entity or entities that the Secretary declined to list or delisted;
(vi) Attest that the PSO will promptly notify the Secretary during its period of listing if it can no longer comply with any of its attestations and the applicable requirements in §§ 3.102(b) and 3.102(c) or if there have been any changes in the accuracy of the information submitted for listing, along with the pertinent changes; and
(vii) Provide other information that the Secretary determines to be necessary to make the requested listing determination.
(2) Exclusion of certain entities. The following types of entities may not seek listing as a PSO:
(i) A health insurance issuer; a unit or division of a health insurance issuer; or an entity that is owned, managed, or controlled by a health insurance issuer;
(A) An entity that accredits or licenses health care providers;
(D) An entity that operates a Federal, state, local or Tribal patient safety reporting system to which health care providers (other than members of the entity's workforce or health care providers holding privileges with the entity) are required to report information by law or regulation.
(3) Submission of certification for continued listing. To facilitate a timely Secretarial determination regarding acceptance of its certification for continued listing, a PSO must submit the required certification no later than 75 days before the expiration of a PSO's three-year period of listing.
(b) Fifteen general PSO certification requirements. The certifications submitted to the Secretary in accordance with paragraph (a)(1)(ii) of this section must conform to the following 15 requirements:
(1) Required certification regarding eight patient safety activities -
(i) Initial listing. An entity seeking initial listing as a PSO must certify that it has written policies and procedures in place to perform each of the eight patient safety activities, defined in § 3.20. With respect to paragraphs (5) and (6) in the definition of patient safety activities regarding confidentiality and security, the policies and procedures must include and provide for:
(B) Notification of each provider that submitted patient safety work product or data as described in § 3.108(b)(2) to the entity if the submitted work product or data was subject to an unauthorized disclosure or its security was breached.
(ii) Continued Listing. A PSO seeking continued listing must certify that it is performing, and will continue to perform, each of the patient safety activities defined in § 3.20, and is and will continue to comply with the requirements of paragraphs (b)(1)(i)(A) and (B) of this section.
(2) Required certification regarding seven PSO criteria -
(i) Initial Listing. In its initial certification submission, an entity must also certify that, if listed as a PSO, it will comply with the seven requirements in paragraphs (b)(2)(i)(A) through (G) of this section.
(A) The mission and primary activity of the PSO must be to conduct activities that are to improve patient safety and the quality of health care delivery.
(C) The PSO, within the 24-month period that begins on the date of its initial listing as a PSO, and within each sequential 24-month period thereafter, must have 2 bona fide contracts, each of a reasonable period of time, each with a different provider for the purpose of receiving and reviewing patient safety work product.
(D) The PSO is not a health insurance issuer, and is not a component of a health insurance issuer.
(F) To the extent practical and appropriate, the PSO must collect patient safety work product from providers in a standardized manner that permits valid comparisons of similar cases among similar providers.
(ii) Continued Listing. A PSO seeking continued listing must certify that it is complying with, and will continue to comply with, the requirements of paragraphs (b)(2)(i)(A) through (G) of this section.
(iii) Compliance with the criterion for collecting patient safety work product in a standardized manner to the extent practical and appropriate. With respect to paragraph (b)(2)(i)(F) of this section, the Secretary will assess compliance by a PSO in the following manner.
(A) A PSO seeking continued listing must:
(3) Provide a clear explanation for why it is not practical or appropriate for the PSO to comply with options (I) or (II) at this time.
(B) The Secretary will consider a PSO to be in compliance if the entity complies with option (I), satisfactorily demonstrates that option (II) permits valid comparisons of similar cases among similar providers, or satisfactorily demonstrates that it is not practical or appropriate for the PSO to comply with options (I) or (II) at this time.
(c) Additional certifications required of component organizations -
(1) Requirements when seeking listing -
(i) Requirements that all component organizations must meet. In addition to meeting the 15 general PSO certification requirements of paragraph (b) of this section, an entity seeking initial listing that is a component of another organization must certify that it will comply with the requirements of paragraph (c)(2) of this section. A component PSO seeking continued listing must certify that it is complying with, and will continue to comply with, the requirements of this same paragraph (c)(2). At initial and continued listing, a component entity must attach to its certifications for listing contact information for its parent organization(s).
(ii) Additional requirements and limitations applicable to components of entities that are excluded from listing. In addition to the requirements under paragraph (c)(1)(i) of this section, a component of an organization excluded from listing under paragraph (a)(2)(ii) of this section must submit the additional certifications and specified information for initial and continued listing and comply with paragraph (c)(4) of this section.
(2) Required component certifications -
(i) Separation of patient safety work product. A component PSO must maintain patient safety work product separately from the rest of the parent organization(s) of which it is a part, and establish appropriate security measures to maintain the confidentiality of patient safety work product. The information system in which the component PSO maintains patient safety work product must not permit unauthorized access by one or more individuals in, or by units of, the rest of the parent organization(s) of which it is a part.
(ii) Nondisclosure of patient safety work product. A component PSO must require that members of its workforce and any other contractor staff not make unauthorized disclosures of patient safety work product to the rest of the parent organization(s) of which it is a part.
(iii) No conflict of interest. The pursuit of the mission of a component PSO must not create a conflict of interest with the rest of the parent organization(s) of which it is a part.
(3) Written agreements for assisting a component PSO in the conduct of patient safety activities. Notwithstanding the requirements of paragraph (c)(2) of this section, a component PSO may provide access to identifiable patient safety work product to one or more individuals in, or to one or more units of, the rest of the parent organization(s) of which it is a part, if the component PSO enters into a written agreement with such individuals or units which requires that:
(i) The component PSO will only provide access to identifiable patient safety work product to enable such individuals or units to assist the component PSO in its conduct of patient safety activities, and
(ii) Such individuals or units that receive access to identifiable patient safety work product pursuant to such written agreement will only use or disclose such information as specified by the component PSO to assist the component PSO in its conduct of patient safety activities, will take appropriate security measures to prevent unauthorized disclosures and will comply with the other certifications the component has made pursuant to paragraph (c)(2) of this section regarding unauthorized disclosures and conducting the mission of the PSO without creating conflicts of interest.
(4) Required attestations, information and operational limitations for components of entities excluded from listing. A component organization of an entity that is subject to the restrictions of paragraph (a)(2)(ii) of this section must:
(i) Submit the following information with its certifications for listing:
(A) A statement describing its parent organization's role, and the scope of the parent organization's authority, with respect to any of the following that apply: Accreditation or licensure of health care providers, oversight or enforcement of statutory or regulatory requirements governing the delivery of health care services, serving as an agent of such a regulatory oversight or enforcement authority, or administering a public mandatory patient safety reporting system;
(B) An attestation that the parent organization has no policies or procedures that would require or induce providers to report patient safety work product to their component organization once listed as a PSO and that the component PSO will notify the Secretary within 5 calendar days of the date on which the component organization has knowledge of the adoption by the parent organization of such policies or procedures, and an acknowledgment that the adoption of such policies or procedures by the parent organization during the component PSO's period of listing will result in the Secretary initiating an expedited revocation process in accordance with § 3.108(e); and
(C) An attestation that the component organization will prominently post notification on its Web site and publish in any promotional materials for dissemination to providers, a summary of the information that is required by paragraph (c)(4)(i)(A) of this section.
(ii) Comply with the following requirements during its period of listing:
(A) The component organization may not share staff with its parent organization(s).
(B) The component organization may enter into a written agreement pursuant to paragraph (c)(3) but such agreements are limited to units or individuals of the parent organization(s) whose responsibilities do not involve the activities specified in the restrictions in paragraph (a)(2)(ii) of this section.
(d) Required notifications. Upon listing, PSOs must meet the following notification requirements:
(1) Notification regarding PSO compliance with the minimum contract requirement. No later than 45 calendar days prior to the last day of the pertinent 24-month assessment period, specified in paragraph (b)(2)(iii)(C) of this section, the Secretary must receive from a PSO a certification that states whether it has met the requirement of that paragraph regarding two bona fide contracts, submitted in accordance with § 3.112 of this subpart.
(2) Notification regarding a PSO's relationships with its contracting providers -
(i) Requirement. A PSO must file a disclosure statement regarding a provider with which it has a contract that provides the confidentiality and privilege protections of the Patient Safety Act (hereinafter referred to as a Patient Safety Act contract) if the PSO has any other relationships with this provider that are described in paragraphs (d)(2)(i)(A) through (D) of this section. The PSO must disclose all such relationships. A disclosure statement is not required if all of its other relationships with the provider are limited to Patient Safety Act contracts.
(A) The provider and PSO have current contractual relationships, other than those arising from any Patient Safety Act contracts, including formal contracts or agreements that impose obligations on the PSO.
(B) The provider and PSO have current financial relationships other than those arising from any Patient Safety Act contracts. A financial relationship may include any direct or indirect ownership or investment relationship between the PSO and the contracting provider, shared or common financial interests or direct or indirect compensation arrangements whether in cash or in-kind.
(C) The PSO and provider have current reporting relationships other than those arising from any Patient Safety Act contracts, by which the provider has access to information regarding the work and operation of the PSO that is not available to other contracting providers.
(D) Taking into account all relationships that the PSO has with the provider, the PSO is not independently managed or controlled, or the PSO does not operate independently from, the contracting provider.
(ii) Content. A PSO must submit to the Secretary the required attestation form for disclosures with the information specified below in accordance with § 3.112 and this section. The substantive information that must be included with each submission has two required parts:
(A) The Required Disclosures. The first part of the substantive information must provide a succinct list of obligations between the PSO and the contracting provider apart from their Patient Safety Act contract(s) that create, or contain, any of the types of relationships that must be disclosed based upon the requirements of paragraphs (d)(2)(i)(A) through (D) of this section. Each reportable obligation or discrete set of obligations that the PSO has with this contracting provider should be listed only once; noting the specific aspects of the obligation(s) that reflect contractual or financial relationships, involve access to information that is not available to other providers, or affect the independence of PSO operations, management, or control.
(B) An Explanatory Narrative. The second required part of the substantive information must provide a brief explanatory narrative succinctly describing: The policies and procedures that the PSO has in place to ensure adherence to objectivity and professionally recognized analytic standards in the assessments it undertakes; and any other policies or procedures, or agreements with this provider, that the PSO has in place to ensure that it can fairly and accurately perform patient safety activities.
(iii) Deadlines for submission. The Secretary must receive a disclosure statement within 45 days of the date on which a PSO enters a contract with a provider if the circumstances described in any of the paragraphs (d)(2)(i)(A) through (D) of this section are met on the date the contract is entered. During the contract period, if these circumstances subsequently arise, the Secretary must receive a disclosure statement from the PSO within 45 days of the date that any disclosure requirement in paragraph (d)(2)(i) of this section first applies.