(a) Privilege. Notwithstanding any other provision of Federal, State, local, or Tribal law and subject to paragraph (b) of this section and § 3.208 of this subpart, patient safety work product shall be privileged and shall not be:

(1) Subject to a Federal, State, local, or Tribal civil, criminal, or administrative subpoena or order, including in a Federal, State, local, or Tribal civil or administrative disciplinary proceeding against a provider;

(2) Subject to discovery in connection with a Federal, State, local, or Tribal civil, criminal, or administrative proceeding, including in a Federal, State, local, or Tribal civil or administrative disciplinary proceeding against a provider;

(3) Subject to disclosure pursuant to section 552 of Title 5, United States Code (commonly known as the Freedom of Information Act) or any other similar Federal, State, local, or Tribal law;

(4) Admitted as evidence in any Federal, State, local, or Tribal governmental civil proceeding, criminal proceeding, administrative rulemaking proceeding, or administrative adjudicatory proceeding, including any such proceeding against a provider; or

(5) Admitted in a professional disciplinary proceeding of a professional disciplinary body established or specifically authorized under State law.

(b) Exceptions to privilege. Privilege shall not apply to (and shall not be construed to prohibit) one or more of the following disclosures:

(1) Disclosure of relevant patient safety work product for use in a criminal proceeding, subject to the conditions at § 3.206(b)(1) of this subpart.

(2) Disclosure to the extent required to permit equitable relief subject to the conditions at § 3.206(b)(2) of this subpart.

(3) Disclosure pursuant to provider authorizations subject to the conditions at § 3.206(b)(3) of this subpart.

(4) Disclosure of non-identifiable patient safety work product subject to the conditions at § 3.206(b)(5) of this subpart.

(c) Implementation and enforcement by the Secretary. Privilege shall not apply to (and shall not be construed to prohibit) disclosures of relevant patient safety work product to or by the Secretary if such patient safety work product is needed to investigate or determine compliance, or to seek or impose civil money penalties, with respect to this part or the HIPAA Privacy Rule, or to make or support decisions with respect to listing of a PSO.

(a) Confidentiality. Subject to paragraphs (b) through (e) of this section, and §§ 3.208 and 3.210 of this subpart, patient safety work product shall be confidential and shall not be disclosed.

(b) Exceptions to confidentiality. The confidentiality provisions shall not apply to (and shall not be construed to prohibit) one or more of the following disclosures:

(1) Disclosure in criminal proceedings. Disclosure of relevant patient safety work product for use in a criminal proceeding, but only after a court makes an in-camera determination that:

(i) Such patient safety work product contains evidence of a criminal act;

(ii) Such patient safety work product is material to the proceeding; and

(iii) Such patient safety work product is not reasonably available from any other source.

(2) Disclosure to permit equitable relief for reporters. Disclosure of patient safety work product to the extent required to permit equitable relief under section 922 (f)(4)(A) of the Public Health Service Act, provided the court or administrative tribunal has issued a protective order to protect the confidentiality of the patient safety work product in the course of the proceeding.

(3) Disclosure authorized by identified providers. (i) Disclosure of identifiable patient safety work product consistent with a valid authorization if such authorization is obtained from each provider identified in such work product prior to disclosure. A valid authorization must:

(A) Be in writing and signed by the provider from whom authorization is sought; and

(B) Contain sufficient detail to fairly inform the provider of the nature and scope of the disclosures being authorized;

(ii) A valid authorization must be retained by the disclosing entity for six years from the date of the last disclosure made in reliance on the authorization and made available to the Secretary upon request.

(4) Disclosure for patient safety activities—(i) Disclosure between a provider and a PSO. Disclosure of patient safety work product for patient safety activities by a provider to a PSO or by a PSO to that disclosing provider.

(ii) Disclosure to a contractor of a provider or a PSO. A provider or a PSO may disclose patient safety work product for patient safety activities to an entity with which it has contracted to undertake patient safety activities on its behalf. A contractor receiving patient safety work product for patient safety activities may not further disclose patient safety work product, except to the provider or PSO with which it is contracted.

(iii) Disclosure among affiliated providers. Disclosure of patient safety work product for patient safety activities by a provider to an affiliated provider.

(iv) Disclosure to another PSO or provider. Disclosure of patient safety work product for patient safety activities by a PSO to another PSO or to another provider that has reported to the PSO, or, except as otherwise permitted in paragraph (b)(4)(iii) of this section, by a provider to another provider, provided:

(A) The following direct identifiers of any providers and of affiliated organizations, corporate parents, subsidiaries, practice partners, employers, members of the workforce, or household members of such providers are removed:

(1) Names;

(2) Postal address information, other than town or city, State and zip code;

(3) Telephone numbers;

(4) Fax numbers;

(5) Electronic mail addresses;

(6) Social security numbers or taxpayer identification numbers;

(7) Provider or practitioner credentialing or DEA numbers;

(8) National provider identification number;

(9) Certificate/license numbers;

(10) Web Universal Resource Locators (URLs);

(11) Internet Protocol (IP) address numbers;

(12) Biometric identifiers, including finger and voice prints; and

(13) Full face photographic images and any comparable images; and

(B) With respect to any individually identifiable health information in such patient safety work product, the direct identifiers listed at 45 CFR 164.514(e)(2) have been removed.

(5) Disclosure of nonidentifiable patient safety work product. Disclosure of nonidentifiable patient safety work product when patient safety work product meets the standard for nonidentification in accordance with § 3.212 of this subpart.

(6) Disclosure for research. (i) Disclosure of patient safety work product to persons carrying out research, evaluation or demonstration projects authorized, funded, certified, or otherwise sanctioned by rule or other means by the Secretary, for the purpose of conducting research.

(ii) If the patient safety work product disclosed pursuant to paragraph (b)(6)(i) of this section is by a HIPAA covered entity as defined at 45 CFR 160.103 and contains protected health information as defined by the HIPAA Privacy Rule at 45 CFR 160.103, such patient safety work product may only be disclosed under this exception in the same manner as would be permitted under the HIPAA Privacy Rule.

(7) Disclosure to the Food and Drug Administration (FDA) and entities required to report to FDA. (i) Disclosure by a provider of patient safety work product concerning an FDA-regulated product or activity to the FDA, an entity required to report to the FDA concerning the quality, safety, or effectiveness of an FDA-regulated product or activity, or a contractor acting on behalf of FDA or such entity for these purposes.

(ii) Any person permitted to receive patient safety work product pursuant to paragraph (b)(7)(i) of this section may only further disclose such patient safety work product for the purpose of evaluating the quality, safety, or effectiveness of that product or activity to another such person or the disclosing provider.

(8) Voluntary disclosure to an accrediting body. (i) Voluntary disclosure by a provider of patient safety work product to an accrediting body that accredits that provider, provided, with respect to any identified provider other than the provider making the disclosure:

(A) The provider agrees to the disclosure; or

(B) The identifiers at § 3.206(b)(4)(iv)(A) are removed.

(ii) An accrediting body may not further disclose patient safety work product it receives pursuant to paragraph (b)(8)(i) of this section.

(iii) An accrediting body may not take an accrediting action against a provider based on a good faith participation of the provider in the collection, development, reporting, or maintenance of patient safety work product in accordance with this Part. An accrediting body may not require a provider to reveal its communications with any PSO.

(9) Disclosure for business operations. (i) Disclosure of patient safety work product by a provider or a PSO for business operations to attorneys, accountants, and other professionals. Such contractors may not further disclose patient safety work product, except to the entity from which they received the information.

(ii) Disclosure of patient safety work product for such other business operations that the Secretary may prescribe by regulation as consistent with the goals of this part.

(10) Disclosure to law enforcement. (i) Disclosure of patient safety work product to an appropriate law enforcement authority relating to an event that either constitutes the commission of a crime, or for which the disclosing person reasonably believes constitutes the commission of a crime, provided that the disclosing person believes, reasonably under the circumstances, that the patient safety work product that is disclosed is necessary for criminal law enforcement purposes.

(ii) Law enforcement personnel receiving patient safety work product pursuant to paragraph (b)(10)(i) of this section only may disclose that patient safety work product to other law enforcement authorities as needed for law enforcement activities related to the event that gave rise to the disclosure under paragraph (b)(10)(i) of this section.

(c) Safe harbor. A provider or responsible person, but not a PSO, is not considered to have violated the requirements of this subpart if a member of its workforce discloses patient safety work product, provided that the disclosure does not include materials, including oral statements, that:

(1) Assess the quality of care of an identifiable provider; or

(2) Describe or pertain to one or more actions or failures to act by an identifiable provider.

(d) Implementation and enforcement by the Secretary. The confidentiality provisions shall not apply to (and shall not be construed to prohibit) disclosures of relevant patient safety work product to or by the Secretary if such patient safety work product is needed to investigate or determine compliance or to seek or impose civil money penalties, with respect to this part or the HIPAA Privacy Rule, or to make or support decisions with respect to listing of a PSO.

(e) No limitation on authority to limit or delegate disclosure or use. Nothing in subpart C of this part shall be construed to limit the authority of any person to enter into a contract requiring greater confidentiality or delegating authority to make a disclosure or use in accordance with this subpart.

(a) Except as provided in paragraph (b) of this section, patient safety work product disclosed in accordance with this subpart, or disclosed impermissibly, shall continue to be privileged and confidential.

(b)(1) Patient safety work product disclosed for use in a criminal proceeding pursuant to section 922(c)(1)(A) of the Public Health Service Act, 42 U.S.C. 299b-22(c)(1)(A), and/or pursuant to § 3.206(b)(1) of this subpart continues to be privileged, but is no longer confidential.

(2) Non-identifiable patient safety work product that is disclosed is no longer privileged or confidential and not subject to the regulations under this part.

(3) Paragraph (b) of this section applies only to the specific patient safety work product disclosed.

Notwithstanding any other provision in this part, providers, PSOs, and responsible persons must disclose patient safety work product upon request by the Secretary when the Secretary determines such patient safety work product is needed to investigate or determine compliance or to seek or impose civil money penalties, with respect to this part or the HIPAA Privacy Rule, or to make or support decisions with respect to listing of a PSO.

(a) Patient safety work product is nonidentifiable with respect to a particular identified provider or a particular identified reporter if:

(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:

(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an identified provider or reporter; and

(ii) Documents the methods and results of the analysis that justify such determination; or

(2)(i) The following identifiers of such provider or reporter and of affiliated organizations, corporate parents, subsidiaries, practice partners, employers, members of the workforce, or household members of such providers or reporters are removed:

(A) The direct identifiers listed at § 3.206(b)(4)(iv)(A)(1) through (13) of this subpart;

(B) Geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code and equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people;

(C) All elements of dates (except year) for dates directly related to a patient safety incident or event; and

(D) Any other unique identifying number, characteristic, or code except as permitted for re-identification; and

(ii) The provider, PSO or responsible person making the disclosure does not have actual knowledge that the information could be used, alone or in combination with other information that is reasonably available to the intended recipient, to identify the particular provider or reporter.

(3) Re-identification. A provider, PSO, or responsible person may assign a code or other means of record identification to allow information made nonidentifiable under this section to be re-identified by such provider, PSO, or responsible person, provided that:

(i) The code or other means of record identification is not derived from or related to information about the provider or reporter and is not otherwise capable of being translated so as to identify the provider or reporter; and

(ii) The provider, PSO, or responsible person does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.

(b) Patient safety work product is non-identifiable with respect to a particular patient only if the individually identifiable health information regarding that patient is de-identified in accordance with the HIPAA Privacy Rule standard and implementation specifications for the de-identification at 45 CFR 164.514(a) through (c).