31 January 2013
Stealing Secrets: Patient Safety Data Security
Patient Safety and Quality Improvement Act of 2005
3. Section 3.106Security Requirements
Proposed Rule: Section 3.106 of the proposed rule outlined a framework consisting
of four categories for the security of patient safety work product that PSOs
would consider in developing policies and procedures for the protection of
data. Because § 3.106 contains only two subsections and we received
few comments, we will discuss both subsections of the rule together.
Section 3.106(a) proposed that the security requirements of this section
would apply to each PSO, its workforce members, and its contractors whenever
the contractors hold patient safety work product. If contractors cannot meet
these security requirements, we proposed that their tasks be performed at
locations at which the PSO can meet these requirements. We stated that the
rule does not impose these requirements on providers; this Subpart would
only apply to PSOs.
Proposed § 3.106(b) would have established a framework consisting of
four categories for the security of patient safety work product that a PSO
must consider. We proposed that each PSO develop appropriate and scalable
standards that are suitable for the size and complexity of its organization.
The four categories of the framework would have included: security management
issues (documenting its security requirements, ensuring that its workforce
and contractors understand the requirements, and monitoring and improving
the effectiveness of its policies and procedures); separation of systems
(required physical separation of patient safety work product, appropriate
disposal or sanitization of media, and preventing physical access to patient
safety work product by unauthorized users or recipients); security control
and monitoring controls (ability to identify and authenticate users, an audit
capacity to detect unlawful, unauthorized, or inappropriate activities, and
controls to preclude unauthorized removal, transmission or disclosures);
and policies and procedures for periodic assessment of the effectiveness
and weaknesses of its overall approach to security (determine when it needs
to undertake risk assessment exercises and specify how it would assess and
adjust its procedures to ensure the security of its communications involving
patient safety work product to and from providers and other authorized parties).
Overview of Public Comments: There were no public comments that specifically
addressed § 3.106(a) of the rule. Commenters focused instead on the
overall security framework established by § 3.106(b). The majority of
commenters supported the proposed requirements and emphasized the concepts
of scalability and flexibility that were reflected in the proposed rule.
Two commenters urged the Department to adopt the HIPAA Security Rule instead.
Another commenter suggested that the final rule should emphasize the need
for PSOs to maintain up-to-date security processes and urged that the final
rule specifically recognize that PSOs can include HIPAA Security Rule
requirements in their business associate contracts with providers that are
While there were few comments overall on this section of the rule, the specific
provision that elicited the most concern was the requirement in §
3.106(b)(2) that patient safety work product needed to be maintained securely
separate from other systems of records. As discussed above with respect to
obligations of component organizations, commenters expressed concern regarding
the potential burden of such a requirement and several pointed to the analytic
benefits of being able to readily merge data sets for specific analyses.
It was recommended that the final rule permit the patient safety work product
and non-patient safety work product to be stored in the same database as
long as the security requirements are implemented for the database as a whole.
Another commenter pointed to the confusion, inconsistency, and errors that
were likely to result from the rule text in which each paragraph began with
the words that a PSO "must address" each security issue within the framework
while introductory paragraph (b) indicated that PSOs merely needed to "consider"
the security framework.
Final Rule: We have modified the text of § 3.106 both to improve its
clarity in non-substantive ways and to incorporate several substantive
modifications in response to the comments we received. The changes to §
3.106(a) are for clarity. For uniformity and brevity, throughout § 3.106,
we have standardized references regarding the application of security
requirements to the "receipt, access, and handling" of patient safety work
product. The rule text defines "handling" of patient safety work product
as including its processing, development, use, maintenance, storage, removal,
disclosure, transmission and destruction.
We have incorporated several modifications to the text of § 3.106(b).
We have both simplified the text of the opening paragraph of this subsection
and substituted the requirement that "PSOs must have written policies and
procedures that address" for the language of the proposed rule that stated
the "PSO must consider." We agree with the commenter that retention of the
proposed rule language would create confusion regarding what is required
of a PSO. By retaining the language that permits a PSO to develop specific
standards that address the security framework in this section with standards
that are appropriate and scalable, we intend to retain flexibility for PSOs
to determine how they will address each element of the security framework.
The most significant substantive change in the security framework is in §
3.106(b)(2), which had required the separation of patient safety work product
from non-patient safety work product at all times. Based on comments received,
we have modified both the title of § 3.106(b)(2) and the text of §
3.106(b)(2)(i). Section 3.106(b)(2) is now entitled "Distinguishing Patient
Safety Work Product," rather than "Separation of Systems," and §
3.106(b)(2)(i) recognizes that the security of patient safety work product
can be maintained either when patient safety work product is maintained
separately from non-patient safety work product or when it is co-located
with non-patient safety work product, provided that the patient safety work
product is distinguishable. This will ensure that the appropriate form and
level of security can be maintained. This change responds to several comments
that opposed the absolute requirement for separation in the proposed rule.
While we have, thus, allowed greater procedural flexibility, we caution PSOs
to be attentive to ensuring that patient safety work product remains
distinguishable at all times if it is not kept separated. To the extent that
patient safety work product becomes co-mingled with non-protected information,
there is increased risk of impermissible disclosures and violations of the
confidentiality requirements of the rule and the Patient Safety Act.
We have also eliminated a reference to a PSO determination of appropriateness
that was in the text of the proposed rule in § 3.106(b)(4)(i) as redundant,
since the rule permits a PSO to develop appropriate and scalable standards
for each element of the security framework, including this element.