216-40-10 R.I. Code R. § 6.7

Current through June 12, 2024
Section 216-RICR-40-10-6.7 - Patient Safety Organization Requirements
6.7.1 Maintenance of Reports

Maintenance of reports is pursuant to R.I. Gen. Laws § 23-17.21-7(b).

6.7.2 Dissemination of Information

Dissemination of information is pursuant to R.I. Gen. Laws § 23-17.21-7(c).

6.7.3 Safeguards and Security Measures
A. General Requirements
1. A PSO shall have in place appropriate physical, technical and procedural safeguards and security measures to ensure the technical integrity, physical safety, and confidentiality of any patient safety work product. These safeguards and security measures shall be in place at all times and at any location at which the PSO, its workforce members, or its contractors hold patient safety work product. Such safeguards and security measures shall comply with state and federal confidentiality laws including, without limitation, the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations 45 C.F.R. Parts 160 through 164 (2017) incorporated at § 6.2 of this Part and R.I. Gen. Laws Chapter 5-37.3 (Confidentiality of Health Care Communications and Information Act).
2. Nothing in the Act or this Part shall be construed to prohibit a PSO from choosing to disclose patient safety work product, or portions of patient safety work product, solely to a reporting entity, in conformity with the PSO's mission and within its contractual obligations to the reporting entity who submitted the information. No patient safety organization shall release protected health information or patient identifying information without meeting the requirements of R.I. Gen. Laws § 5-37.3 (Confidentiality of Health Care Communications and Information Act) and the federal Health Insurance Portability and Accountability Act of 1996, and its implementing regulations 45 C.F.R. Parts 160 through 164 (2017) incorporated at § 6.2 of this Part.
B. Security Framework. PSOs shall consider the following framework for the security of patient safety work product. The framework includes security management, separation of systems, security monitoring and control, and system assessment. To address the four elements of this framework, a PSO shall develop appropriate and scalable security standards, policies, and procedures that are suitable for the size and complexity of its organization.
1. Security Management. A PSO shall address:
a. Maintenance and effective implementation of written policies and procedures that conform to the requirements of this section to protect the confidentiality, integrity, and availability of the patient safety work product that is processed, stored, and transmitted; and to monitor and improve the effectiveness of such policies and procedures, and
b. Training of the PSO workforce and PSO contractors who access or hold patient safety work product regarding the requirements of the Act, this Part, and the PSO's policies and procedures regarding the confidentiality and security of patient safety work product.
2. Separation of Systems. A PSO shall address:
a. Maintenance of patient safety work product, whether in electronic or other media, physically and functionally separate from any other system of records;
b. Protection of the media, whether in electronic, paper, or other format, that contain patient safety work product, limiting access to authorized users and sanitizing and destroying such media before disposal or release for reuse; and
c. Physical and environmental protection, to control and limit physical and virtual access to places and equipment where patient safety work product is stored or used.
3. Security Control and Monitoring. A PSO shall address:
a. Identification of those authorized to have access to patient safety work product and an audit capacity to detect unlawful, unauthorized or inappropriate access to patient safety work product, and
b. Measures to prevent unauthorized removal, transmission or disclosure of patient safety work product.
4. Security Assessment. A PSO shall address:
a. Periodic assessments of security risks and controls, as determined appropriate by the PSO, to establish if its controls are effective, to correct any deficiency identified, and to reduce or eliminate any vulnerabilities.
b. System and communications protection, to monitor, control, and protect PSO uses, communications, and transmissions involving patient safety work product to and from reporting entities and any other responsible persons.
6.7.4 Required Notifications
A. A PSO shall meet the following notification requirements:
1. Notification Regarding PSO Compliance With Minimum Contract Requirement. No later than forty-five (45) calendar days prior to expiration of the PSO's certification, as specified in § 6.8.3(A) of this Part, the PSO shall submit to the Director an attestation as to whether it has met the requirement of § 6.8.2(A)(4)(c) of this Part regarding two (2) bona fide contracts.
2. Notification Regarding a PSO's Relationships With Its Contracting Reporting Entities. A PSO shall submit a disclosure statement to the Director regarding its relationships with each reporting entity with which the PSO has a contract pursuant to the Act and this Part if the circumstances described in either §§ 6.7.4(A)(2)(a) or 6.7.4(A)(2)(b) of this Part are applicable. The Director shall receive a disclosure statement within forty-five (45) days of the date on which a PSO enters a contract with a reporting entity if the circumstances are met on the date the contract is entered. During the contract period, if a PSO subsequently enters one or more relationships with a contracting reporting entity that create the circumstances described in § 6.7.4(A)(2)(a) of this Part or a reporting entity exerts any control over the PSO of the type described in § 6.7.4(A)(2)(b) of this Part, the Director shall receive a disclosure statement from the PSO within forty-five (45) days of the date that the PSO entered each new relationship or of the date on which the reporting entity imposed control of the type described in § 6.7.4(A)(2)(b) of this Part.
a. Taking into account all relationships that the PSO has with the reporting entity, other than the bona fide contract entered into pursuant to the Act and this Part, the PSO shall fully disclose any other contractual, financial, or reporting relationships described below that it has with that reporting entity.
(1) Contractual relationships which are not limited to relationships based on formal contracts but also encompass relationships based on any oral or written agreement or any arrangement that imposes responsibilities on the PSO.
(2) Financial relationships including any direct or indirect ownership or investment relationship between the PSO and the contracting reporting entity, shared or common financial interests or direct or indirect compensation arrangement, whether in cash or in-kind.
(3) Reporting relationships including any relationship that gives the reporting entity access to information or control, directly or indirectly, over the work of the PSO that is not available to other contracting reporting entities.
b. Taking into account all relationships that the PSO has with the reporting entity, the PSO shall fully disclose if it is not independently managed or controlled, or if it does not operate independently from, the contracting reporting entity. In particular, the PSO shall further disclose whether the contracting reporting entity has exercised or imposed any type of management control that could limit the PSO's ability to fairly and accurately perform patient safety activities and fully describe such control(s).
c. PSOs may also describe or include in their disclosure statements, as applicable, any agreements, stipulations, or procedural safeguards that have been created to protect the ability of the PSO to operate independently or information that indicates the limited impact or insignificance of its financial, reporting, or contractual relationships with a contracting reporting entity.