(a) Confidentiality. Subject to paragraphs (b) through (e) of this section, and §§3.208 and 3.210 of this subpart, patient safety work product shall be confidential and shall not be disclosed.
(b) Exceptions to confidentiality. The confidentiality provisions shall not apply to (and shall not be construed to prohibit) one or more of the following disclosures:
(1) Disclosure in criminal proceedings. Disclosure of relevant patient safety work product for use in a criminal proceeding, but only after a court makes an in-camera determination that:
(i) Such patient safety work product contains evidence of a criminal act;
(ii) Such patient safety work product is material to the proceeding; and
(iii) Such patient safety work product is not reasonably available from any other source.
(2) Disclosure to permit equitable relief for reporters. Disclosure of patient safety work product to the extent required to permit equitable relief under section 922 (f)(4)(A) of the Public Health Service Act, provided the court or administrative tribunal has issued a protective order to protect the confidentiality of the patient safety work product in the course of the proceeding.
(3) Disclosure authorized by identified providers.
(i) Disclosure of identifiable patient safety work product consistent with a valid authorization if such authorization is obtained from each provider identified in such work product prior to disclosure. A valid authorization must:
(A) Be in writing and signed by the provider from whom authorization is sought; and
(B) Contain sufficient detail to fairly inform the provider of the nature and scope of the disclosures being authorized;
(ii) A valid authorization must be retained by the disclosing entity for six years from the date of the last disclosure made in reliance on the authorization and made available to the Secretary upon request.
(4) Disclosure for patient safety activities—(i) Disclosure between a provider and a PSO. Disclosure of patient safety work product for patient safety activities by a provider to a PSO or by a PSO to that disclosing provider.
(ii) Disclosure to a contractor of a provider or a PSO. A provider or a PSO may disclose patient safety work product for patient safety activities to an entity with which it has contracted to undertake patient safety activities on its behalf. A contractor receiving patient safety work product for patient safety activities may not further disclose patient safety work product, except to the provider or PSO with which it is contracted.
(iii) Disclosure among affiliated providers. Disclosure of patient safety work product for patient safety activities by a provider to an affiliated provider.
(iv) Disclosure to another PSO or provider. Disclosure of patient safety work product for patient safety activities by a PSO to another PSO or to another provider that has reported to the PSO, or, except as otherwise permitted in paragraph (b)(4)(iii) of this section, by a provider to another provider, provided:
(A) The following direct identifiers of any providers and of affiliated organizations, corporate parents, subsidiaries, practice partners, employers, members of the workforce, or household members of such providers are removed:
(1) Names;
(2) Postal address information, other than town or city, State and zip code;
(3) Telephone numbers;
(4) Fax numbers;
(5) Electronic mail addresses;
(6) Social security numbers or taxpayer identification numbers;
(7) Provider or practitioner credentialing or DEA numbers;
(8) National provider identification number;
(9) Certificate/license numbers;
(10) Web Universal Resource Locators (URLs);
(11) Internet Protocol (IP) address numbers;
(12) Biometric identifiers, including finger and voice prints; and
(13) Full face photographic images and any comparable images; and
(B) With respect to any individually identifiable health information in such patient safety work product, the direct identifiers listed at 45 CFR 164.514(e)(2) have been removed.
(5) Disclosure of nonidentifiable patient safety work product. Disclosure of nonidentifiable patient safety work product when patient safety work product meets the standard for nonidentification in accordance with §3.212 of this subpart.
(6) Disclosure for research.
(i) Disclosure of patient safety work product to persons carrying out research, evaluation or demonstration projects authorized, funded, certified, or otherwise sanctioned by rule or other means by the Secretary, for the purpose of conducting research.
(ii) If the patient safety work product disclosed pursuant to paragraph (b)(6)(i) of this section is by a HIPAA covered entity as defined at 45 CFR 160.103 and contains protected health information as defined by the HIPAA Privacy Rule at 45 CFR 160.103, such patient safety work product may only be disclosed under this exception in the same manner as would be permitted under the HIPAA Privacy Rule.
(7) Disclosure to the Food and Drug Administration (FDA) and entities required to report to FDA.
(i) Disclosure by a provider of patient safety work product concerning an FDA-regulated product or activity to the FDA, an entity required to report to the FDA concerning the quality, safety, or effectiveness of an FDA-regulated product or activity, or a contractor acting on behalf of FDA or such entity for these purposes.
(ii) Any person permitted to receive patient safety work product pursuant to paragraph (b)(7)(i) of this section may only further disclose such patient safety work product for the purpose of evaluating the quality, safety, or effectiveness of that product or activity to another such person or the disclosing provider.
(8) Voluntary disclosure to an accrediting body.
(i) Voluntary disclosure by a provider of patient safety work product to an accrediting body that accredits that provider, provided, with respect to any identified provider other than the provider making the disclosure:
(A) The provider agrees to the disclosure; or
(B) The identifiers at §3.206(b)(4)(iv)(A) are removed.
(ii) An accrediting body may not further disclose patient safety work product it receives pursuant to paragraph (b)(8)(i) of this section.
(iii) An accrediting body may not take an accrediting action against a provider based on a good faith participation of the provider in the collection, development, reporting, or maintenance of patient safety work product in accordance with this Part. An accrediting body may not require a provider to reveal its communications with any PSO.
(9) Disclosure for business operations.
(i) Disclosure of patient safety work product by a provider or a PSO for business operations to attorneys, accountants, and other professionals. Such contractors may not further disclose patient safety work product, except to the entity from which they received the information.
(ii) Disclosure of patient safety work product for such other business operations that the Secretary may prescribe by regulation as consistent with the goals of this part.
(10) Disclosure to law enforcement.
(i) Disclosure of patient safety work product to an appropriate law enforcement authority relating to an event that either constitutes the commission of a crime, or for which the disclosing person reasonably believes constitutes the commission of a crime, provided that the disclosing person believes, reasonably under the circumstances, that the patient safety work product that is disclosed is necessary for criminal law enforcement purposes.
(ii) Law enforcement personnel receiving patient safety work product pursuant to paragraph (b)(10)(i) of this section only may disclose that patient safety work product to other law enforcement authorities as needed for law enforcement activities related to the event that gave rise to the disclosure under paragraph (b)(10)(i) of this section.
(c) Safe harbor. A provider or responsible person, but not a PSO, is not considered to have violated the requirements of this subpart if a member of its workforce discloses patient safety work product, provided that the disclosure does not include materials, including oral statements, that:
(1) Assess the quality of care of an identifiable provider; or
(2) Describe or pertain to one or more actions or failures to act by an identifiable provider.
(d) Implementation and enforcement by the Secretary. The confidentiality provisions shall not apply to (and shall not be construed to prohibit) disclosures of relevant patient safety work product to or by the Secretary if such patient safety work product is needed to investigate or determine compliance or to seek or impose civil money penalties, with respect to this part or the HIPAA Privacy Rule, or to make or support decisions with respect to listing of a PSO.
(e) No limitation on authority to limit or delegate disclosure or use. Nothing in subpart C of this part shall be construed to limit the authority of any person to enter into a contract requiring greater confidentiality or delegating authority to make a disclosure or use in accordance with this subpart.