(1) Every organization certified under this part shall, as a part of its administrative functions, establish an internal risk management program which shall include the following components:
(a) The investigation and analysis of the frequency and causes of general categories and specific types of adverse incidents causing injury to patients;
(b) The development of appropriate measures to minimize the risk of injuries and adverse incidents to patients, including risk management and risk prevention education and training of all nonphysician personnel as follows:
1. Such education and training of all nonphysician personnel as part of their initial orientation; and
2. At least 1 hour of such education and training annually for all nonphysician personnel of the organization who work in clinical areas and provide patient care;
(c) The analysis of patient grievances which relate to patient care and the quality of medical services; and
(d) The development and implementation of an incident reporting system based upon the affirmative duty of all providers and all agents and employees of the organization to report injuries and adverse incidents to the risk manager.
(2) The risk management program shall be the responsibility of the governing authority or board of the organization. Every organization which has an annual premium volume of $10 million or more and which directly provides health care in a building owned or leased by the organization shall hire a risk manager, certified under ss. 395.10971-395.10975, who shall be responsible for implementation of the organization’s risk management program required by this section. A part-time risk manager shall not be responsible for risk management programs in more than four organizations or facilities. Every organization which does not directly provide health care in a building owned or leased by the organization and every organization with an annual premium volume of less than $10 million shall designate an officer or employee of the organization to serve as the risk manager.
(3) In addition to the programs mandated by this section, other innovative approaches intended to reduce the frequency and severity of medical malpractice and patient injury claims shall be encouraged and their implementation and operation facilitated. Additional approaches may include extending risk management programs to provider offices or facilities.
(4) The Agency for Health Care Administration shall adopt rules necessary to carry out the provisions of this section, including rules governing the establishment of required internal risk management programs to meet the needs of individual organizations and each specific organization type governed by this part. The office shall assist the agency in preparing these rules. Each internal risk management program shall include the use of incident reports to be filed with the risk manager. The risk manager shall have free access to all organization or provider medical records. The incident reports shall be considered to be a part of the workpapers of the attorney defending the organization in litigation relating thereto and shall be subject to discovery, but not be admissible as evidence in court, nor shall any person filing an incident report be subject to civil suit by virtue of the incident report and the matters it contains. As a part of each internal risk management program, the incident reports shall be utilized to develop categories of incidents which identify problem areas. Once identified, procedures must be adjusted to correct these problem areas.
(5)(a) Each organization subject to this section must submit an annual report to the agency summarizing the incident reports that were filed in the organization during the preceding calendar year pertaining to services rendered on the premises of the organization. The report must be on a form prescribed by rule of the agency and must include, with respect to medical services rendered on the premises of the organization:
1. The total number of adverse incidents causing injury to patients.
2. A listing, by category, of the types of operations, diagnostic or treatment procedures, or other actions causing the injuries and the number of incidents occurring within each category.
3. A listing, by category, of the types of injuries caused and the number of incidents occurring within each category.
4. The name of each provider or a code number using each health care professional’s license number and a separate code number identifying all other individuals directly involved in adverse incidents causing injury to a patient, the relationship of the individual or provider to the organization, and the number of incidents with the organization in which each individual or provider has been directly involved. Each organization must maintain names of the health care professionals and individuals identified by code numbers for purposes of this section.
5. A description of all medical malpractice claims filed against the organization or its providers, including the total number of pending and closed claims and the nature of the incident that led to, the persons involved in, and the status and disposition of each claim. Each report must update status and disposition for all prior reports.
6. A report of all disciplinary actions taken against any provider or any medical staff member of the organization, including the nature and cause of the action.
(b) The information reported to the agency under paragraph (a) which relates to providers licensed under chapter 458, chapter 459, chapter 461, or chapter 466 must also be reported to the agency quarterly. The agency shall review the information and determine whether any of the incidents potentially involved conduct by a licensee that is subject to disciplinary action, in which case s. 456.073 applies. (c) Except as otherwise provided in this subsection, any identifying information contained in the annual report and the quarterly reports under paragraphs (a) and (b) is confidential and exempt from s. 119.07(1). This information must not be available to the public as part of the record of investigation for and prosecution in disciplinary proceedings made available to the public by the agency or the appropriate regulatory board. However, the agency shall make available, upon written request by a practitioner against whom probable cause has been found, any such information contained in the records that form the basis of the determination of probable cause under s. 456.073.
(d) The annual report shall also contain the name of the risk manager of the organization, a copy of its policy and procedures governing the measures taken by the organization and its risk manager to reduce the risk of injuries and adverse or untoward incidents, and the result of these measures.
(6) If an adverse or untoward incident, whether occurring in the facilities of the organization or arising from health care prior to enrollment by the organization or admission to the facilities of the organization or in a facility of one of its providers, results in:
(a) The death of a patient;
(b) Severe brain or spinal damage to a patient;
(c) A surgical procedure being performed on the wrong patient; or
(d) A surgical procedure unrelated to the patient’s diagnosis or medical needs being performed on any patient,
the organization must report this incident to the agency within 3 working days after its occurrence. A more detailed followup report must be submitted to the agency within 10 days after the first report. The agency may require an additional, final report. Reports under this subsection must be sent immediately by the agency to the appropriate regulatory board whenever they contain references to a provider licensed under chapter 458, chapter 459, chapter 461, or chapter 466. These reports are confidential and are exempt from s. 119.07(1). This information is not available to the public as part of the record of investigation for and prosecution in disciplinary proceedings made available to the public by the agency or the appropriate regulatory board. However, the agency shall make available, upon written request by a practitioner against whom probable cause has been found, any such information contained in the records that form the basis of the determination of probable cause under s. 456.073. The agency may investigate, as it deems appropriate, any such incident and prescribe measures that must or may be taken by the organization in response to the incident. The agency shall review each incident and determine whether it potentially involved conduct by the licensee which is subject to disciplinary action, in which case s. 456.073 applies.
(7) In addition to any penalty imposed under s. 641.52, the agency may impose an administrative fine, not to exceed $5,000, for any violation of the reporting requirements of subsection (5) or subsection (6). (8) The agency and, upon subpoena issued under s. 456.071, the appropriate regulatory board must be given access to all organization records necessary to carry out the provisions of this section. Any identifying information contained in the records obtained under this section is confidential and exempt from s. 119.07(1). The identifying information contained in records obtained under s. 456.071 is exempt from s. 119.07(1) to the extent that it is part of the record of investigation for and prosecution in disciplinary proceedings made available to the public by the agency or the appropriate regulatory board. However, the agency must make available, upon written request by a practitioner against whom probable cause has been found, any such information contained in the records that form the basis of the determination of probable cause under s. 456.073, except that, with respect to medical review committee records, s. 766.101 controls.
(9) The agency shall review, no less frequently than annually, the risk management program of each organization regulated by this section to determine whether the program meets standards established in statutes and rules, whether the program is being conducted in a manner designed to reduce adverse incidents, and whether the program is appropriately reporting incidents under subsections (5) and (6).
(10) There shall be no monetary liability on the part of, and no cause of action for damages shall arise against, any risk manager certified under part IX of chapter 626 for the implementation and oversight of the risk management program in an organization authorized under this chapter for any act or proceeding undertaken or performed within the scope of the function of such risk management program if the risk manager acts without intentional fraud.
(11) If the agency, through its receipt of the annual reports prescribed in subsection (5) or through any investigation, has a reasonable belief that conduct by a provider, staff member, or employee of an organization may constitute grounds for disciplinary action by the appropriate regulatory board, the agency shall report this fact to the regulatory board.
(12) The agency shall send information bulletins to all organizations as necessary to disseminate trends and preventive data derived from its actions under this section or under s. 395.0197.
The gross data compiled under this section or s. 395.0197 shall be furnished by the agency upon request to organizations to be utilized for risk management purposes. The agency shall adopt rules necessary to carry out the provisions of this section.