Frequently asked questions and definition of terms used in the Patient Safety Act or Rule are summarized here solely for convenience; always rely on the actual text of the Patient Safety Act or Patient Safety Rule in making any determination.
The Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act) authorized the creation of PSOs to improve quality and safety by reducing the incidence of events that adversely affect patients. To implement the Patient Safety Act, the Department of Health and Human Services' (HHS) Agency for Healthcare Research and Quality (AHRQ) published the Patient Safety and Quality Improvement Final Rule (Patient Safety Rule).
AHRQ has received many questions regarding the implementation of the Patient Safety Rule and about PSOs. In response to these questions, and in anticipation of additional inquiries, below is a list of frequently asked questions and corresponding answers.
- What is a PSO?
- What are "patient safety activities"?
- Why are the terms "safety" and "quality" used in conjunction when describing the role of PSOs?
- What is the purpose of a PSO?
- What is Patient Safety Work Product?
- Do PSOs receive Federal funding?
- What are the benefits to health care providers who work with a PSO?
- What is the difference between the "Listed PSO" logo and the "AHRQ Common Formats" logo?
- How can a hospital utilize the services of a PSO to help reduce readmission rates for various conditions?
- What if a public entity PSO faces state requirements for disposition of information collected that conflict with the Patient Safety Rule’s disposition requirements for PSWP?
- Which agencies within the Department of Health and Human Services (HHS) implement the Patient Safety Act?
- Why is AHRQ responsible for the regulation of PSOs?
- How does AHRQ ensure that a listed PSO is in compliance with the statutory requirements as outlined in the Patient Safety Rule?
- What role will OCR have regarding the Patient Safety Rule?
- What is AHRQ's role in providing technical assistance?
- Who can seek listing as a PSO?
- What are the requirements to be a PSO?
- Are there additional requirements for a component organization?
- Are any entities excluded from being listed as a PSO?
- What is the primary activity requirement for initial listing as a PSO?
- What can an entity do if it does not meet this primary activity requirement?
- What requirements does a PSO need to meet regarding their staff?
- How does an entity apply to become a PSO?
- What is the deadline for submitting the forms to become a PSO?
- Does a PSO listing expire?
- What are the privacy and confidentiality protections for PSWP?
- Can original provider records be protected as PSWP?
- Can a health care provider work with more than one PSO? If so, is the PSWP protected?
- Is information submitted to the NPSD safe?
- What is the importance of the privacy and confidentiality protections for PSWP?
- What is the relationship between the Patient Safety Rule and the HIPAA Privacy Rule?
- If a PSO is revoked for cause (i.e., noncompliance with the requirements that each PSO must meet) and a health care provider inadvertently submits data to that entity, is the data protected?
- How can a health care provider and a PSO exchange information to promote patient safety and quality, while complying with the provisions of the Patient Safety Act and the Patient Safety Rule?
- What are the Common Formats?
- What is the development and version history of the Common Formats?
- Will the general public ever have access to the trending data collected or aggregated from PSOs?
- Why should PSOs contribute PSWP to the NPSD?
- What information are PSOs required to submit to the NPSD?
- Can PSOs receive information on HIT-related patient safety events?
- Can an electronic health record (EHR) software developer or vendor report an HIT patient safety event to a PSO?
- What are the benefits to providers of reporting an HIT-related patient safety event to a PSO?
- If an HIT-related patient safety event is reported to a PSO by a provider, does this protect from disclosure the name of the software product or its developer?
- If a patient is harmed as a result of an HIT-related patient safety event that is reported to a PSO, are the details of the adverse event protected from disclosure?
- To whom do PSWP protections apply?
- How is the confidentiality of PSWP protected?
Ways in which Software Developers and Vendors Can Work within the Framework of the Patient Safety Act
- If a software developer or vendor wants to serve as a contractor to a PSO or to a provider, what must they understand about the confidentiality protections for PSWP?
- Can an EHR vendor, as a contractor or agent of a provider, submit reports to a PSO on behalf of that provider?
- If a software vendor or developer is a contractor to a provider or PSO from which it receives PSWP containing individually identifiable health information, do HIPAA Privacy and Security Rules also apply?
- If a software vendor or developer is a contractor to a provider or PSO, are there security PSWP requirements that the contractor must meet when handling PSWP?
- If a PSO or a provider intends to contract with a software developer or vendor, what should be considered?
- Can a software developer or vendor become a PSO?
- What does it mean to create a component organization?
A PSO is an entity or a component of another organization (component organization) that is listed by AHRQ based upon a self-attestation by the entity or component organization that it meets certain criteria established in the Patient Safety Rule.
The primary activity of an entity or component organization seeking to be listed as a PSO must be to conduct activities to improve patient safety and health care quality. A PSO's workforce must have expertise in analyzing patient safety events, such as the identification, analysis, prevention, and reduction or elimination of the risks and hazards associated with the delivery of patient care. See Patient Safety Rule Section 3.102 for the complete list of requirements.
There are eight patient safety activities that are carried out by, or on behalf of, a PSO or a health care provider:
- Efforts to improve patient safety and the quality of health care delivery
- The collection and analysis of patient safety work product (PSWP)
- The development and dissemination of information regarding patient safety, such as recommendations, protocols, or information regarding best practices
- The utilization of PSWP for the purposes of encouraging a culture of safety as well as providing feedback and assistance to effectively minimize patient risk
- The maintenance of procedures to preserve confidentiality with respect to PSWP
- The provision of appropriate security measures with respect to PSWP
- The utilization of qualified staff
- Activities related to the operation of a patient safety evaluation system and to the provision of feedback to participants in a patient safety evaluation system
The term "safety" refers to reducing risk from harm and injury, while the term "quality" suggests striving for excellence and value. By addressing common, preventable adverse events, a health care setting can become safer, thereby enhancing the quality of care delivered. PSOs create a secure environment where clinicians and health care organizations can collect, aggregate, and analyze data, thus identifying and reducing the risks and hazards associated with patient care and improving quality.
The Patient Safety Rule establishes a framework by which hospitals, doctors, and other health care providers may voluntarily report information to PSOs, on a privileged and confidential basis, for the aggregation and analysis of patient safety events.
The Patient Safety Rule outlines how PSOs can be a source of confidential and privileged external advice for health care providers seeking to understand and minimize the risks and hazards in delivering patient care.
PSWP is the information protected by the privilege and confidentiality protections of the Patient Safety Act and Patient Safety Rule. PSWP may identify the providers involved in a patient safety event and/or a provider employee that reported the information about the patient safety event. PSWP may also include patient information that is protected health information as defined by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (see 45 CFR 160.103).
PSOs do not receive Federal funding.
PSOs serve as independent, external experts who can collect, analyze, and aggregate PSWP locally, regionally, and nationally to develop insights into the underlying causes of patient safety events. Communications with PSOs are protected to allay fears of increased risk of liability because of collection and analysis of patient safety events.
The protections of the Patient Safety Rule enable PSOs that work with multiple providers to routinely aggregate the large number of patient safety events that are needed to understand the underlying causes of patient harm from adverse events and to develop more reliable information on how best to improve patient safety.
AHRQ has published a short brochure, "Choosing a Patient Safety Organization," to help providers select a PSO appropriate to their needs.
The uniform Federal protections that apply to a provider's relationship with a PSO are expected to remove significant barriers that can deter the participation of health care providers in patient safety and quality improvement initiatives, such as fear of legal liability or professional sanctions.
PSOs that are currently listed by the HHS Secretary are entitled to display the "Listed PSO" logo. This logo is intended to identify entities whose PSO certifications have been accepted in accordance with Section 3.104(a) of the Patient Safety Rule. Before working with a PSO, however, health care providers are encouraged to review AHRQ's directory to confirm that the entity being considered is still a listed PSO.
The "AHRQ Common Formats" logo may be displayed by any organization that is using the Common Formats developed by AHRQ. Such entities do not need to be listed as a PSO by the HHS Secretary to employ the Common Formats and thus display the logo. The Common Formats are available in the public domain to facilitate their widespread adoption and implementation. Entities that display the logo should use the Common Formats as a whole; however, entities that have a limited focus may use the Common Formats that pertain only to that area.
How can a hospital utilize the services of a PSO to help reduce readmission rates for various conditions?
For hospitals with high risk-adjusted readmission rates for certain conditions, the Affordable Care Act contains provisions that are aimed at decreasing those rates. The law states that these hospitals may enlist PSOs to help reduce their rates. The PSO readmissions Web page contains helpful information and tools that can be used by such hospitals, and PSOs that work with those hospitals, to address the causes of unnecessary readmissions. In fact, any hospital can work with a PSO on any patient safety issue of the hospital's choice. Because services offered by PSOs to help reduce readmissions will vary, AHRQ recommends consulting a PSO's Web site to determine if that PSO is offering such assistance.
Hospitals that wish to identify factors associated with unnecessary readmissions are encouraged to consider using Common Formats–Readmissions Version 0.1 Beta. This standardized Common Format allows hospitals to aggregate data on readmissions. In addition, hospitals can compare their data to others and analyze trends on a community, regional, and national level. To access Common Formats–Readmissions Version 0.1 Beta, go to the Patient Safety Organization Privacy Protection Center (PPC) Web site. Learn more about the Common Formats.
What if a public entity PSO faces state requirements for disposition of information collected that conflict with the Patient Safety Rule’s disposition requirements for PSWP?
The disposition requirements for PSWP preempt any conflicting state requirements for disposition of information. 73 FR 70768.
Which agencies within the Department of Health and Human Services (HHS) implement the Patient Safety Act?
AHRQ is responsible for the provisions dealing with the listing of PSOs such as administering the certification processes for listing; verifying that PSOs meet their obligations under the Patient Safety Rule; working with PSOs to correct any deficiencies in their operations; and, if necessary, revoking the listing of a PSO that remains out of compliance with the requirements. The Office for Civil Rights (OCR) administers and enforces the confidentiality protections provided to PSWP.
Congress vested the authority for implementing the Patient Safety Act with AHRQ by incorporating its provisions into AHRQ's authorizing statute. As the lead Federal agency for patient safety research, AHRQ is an appropriate partner for PSOs and health care providers.
How does AHRQ ensure that a listed PSO is in compliance with the statutory requirements as outlined in the Patient Safety Rule?
The Patient Safety Rule establishes in Subpart B the requirements that an entity must meet to seek listing, and remain listed, as a PSO. The Patient Safety Rule relies primarily upon a system of attestations, which places a significant burden for understanding and complying with these requirements on the PSO. However, the Patient Safety Rule also authorizes AHRQ to conduct reviews (including announced or unannounced site visits) to assess PSO compliance. To assist PSOs in making the required attestations and preparing for a compliance review, AHRQ developed Patient Safety Organizations: A Compliance Self-Assessment Guide, which suggests approaches for thinking systematically about the scope of these requirements and what compliance may mean for an individual PSO.
What role will OCR have regarding the Patient Safety Rule?
OCR is responsible for the investigation and enforcement of the confidentiality provisions of the Patient Safety Rule. OCR will investigate allegations of violations of confidentiality through a complaint-driven system. To the extent practicable, OCR will seek cooperation in obtaining compliance with the confidentiality provisions, including providing technical assistance. When OCR is unable to achieve an informal resolution of an indicated violation through voluntary compliance, the HHS Secretary has the discretion to impose a civil money penalty (CMP) of up to $11,000 against any PSO, provider, or responsible person for each knowing and reckless disclosure that is in violation of the confidentiality provisions.
AHRQ provides additional information and clarification on the PSO listing process, listed PSOs, the Patient Safety Rule, and other PSO activities, such as the Common Formats. PSOs, health care providers, and other interested parties should contact AHRQ with requests for technical assistance.
The Patient Safety Rule permits many types of entities—either an entire organization or a component of an organization, a public or private entity, a for-profit or not-for-profit entity—to seek listing as a PSO. Both the mission and the primary activity of the entity (or component) must be to conduct activities to improve patient safety and the quality of health care delivery (Patient Safety Rule Section 3.102(b)(2)(i)(A) and Patient Safety Rule Section 3.102(b)(2)(ii)).
The Patient Safety Rule requires an entity to certify that it meets 15 distinct statutory requirements; a component of another organization must attest that it meets another three statutory requirements; and each entity or component organization must comply with several additional regulatory requirements.
Every entity seeking to be a PSO must certify to AHRQ that it has policies and procedures in place to perform the eight patient safety activities specified in the Patient Safety Rule.
In addition, an entity must also, upon listing, certify that it will comply with the following seven additional criteria specified in the Patient Safety Rule:
- The mission and primary activity of the entity are to conduct activities that improve patient safety and the quality of health care delivery
- The entity has appropriately qualified staff (whether directly or through contract), including licensed or certified medical professionals
- The entity, within each 24-month period that begins after the date of the initial listing as a PSO, will establish two bona fide contracts, each of a reasonable period of time, with more than one provider, for the purpose of receiving and reviewing PSWP
- The entity is not, and is not a component of, a health insurance issuer
- The entity shall fully disclose—
  - any financial, reporting, or contractual relationship between the entity and any provider that contracts with the entity; and
  - if applicable, the fact that the entity is not managed, controlled, and operated independently from any provider that contracts with the entity
- To the extent practical and appropriate, the entity collects PSWP from providers in a standardized manner that permits valid comparisons of similar cases among similar providers
- The entity uses PSWP for the purpose of providing direct feedback and assistance to providers to effectively minimize patient risk
The Patient Safety Rule also establishes several additional requirements (see Patient Safety Rule Section 3.102(a)).
If the entity seeking listing is a component of another organization, the entity must also certify that it is, and will be in compliance with, three additional requirements specified in the Patient Safety Rule:
- The entity maintains PSWP separately from the rest of the organization, and establishes appropriate security measures to maintain the confidentiality of the PSWP
- The entity does not make an unauthorized disclosure of PSWP to the rest of the organization in breach of confidentiality
- The mission of the entity does not create a conflict of interest with the rest of the organization
The Patient Safety Act excludes a health insurance issuer or a component of a health insurance issuer from becoming a PSO. The Patient Safety Rule also excludes the following entities: regulatory agencies; organizations that serve as agents of regulatory agencies (e.g., entities that carry out inspections or audits for a regulatory agency); accreditation and licensure entities; and entities that administer a Federal, State, local, or tribal patient safety reporting system to which health care providers are required to report by law or regulation (see Patient Safety Rule Section 3.102(a)(2)(ii)).
Entities submitting certifications for initial listing need to attest that they meet the requirement that both their mission and their primary activity are to conduct activities to improve patient safety and the quality of health care delivery (Patient Safety Rule Section 3.102(b)(2)(i)(A) and Patient Safety Rule Section 3.102(b)(2)(ii)).
A multi-purpose entity with a broader scope can create or designate a component that more clearly meets the mission and primary activity criterion. The component of that entity can then seek listing.
There are two requirements relating to PSO staff in the Patient Safety Rule. First, PSOs must have policies and procedures in place to conduct each patient safety activity, for which PSOs are required to use qualified staff (Patient Safety Rule Section 3.102(b)(1)(i)). Second, PSOs must have an appropriately qualified workforce, including licensed or certified medical professionals (Patient Safety Rule Section 3.102(b)(2)(i)(B)). AHRQ has interpreted this language to mean that each PSO has qualified staff with relevant medical experience available. The language does not require every member of a PSO's workforce to have this expertise, but at least one individual must have medical credentials and experience. Such a workforce can include individuals who serve on a volunteer basis, as well as those who are paid as employees or serve under contract.
It is desirable that the medical experience reflects the type of patient safety events reported to and analyzed by the PSO. For example, a PSO that receives patient safety event information related to the delivery of hospital care would want to have a physician as part of its workforce; a PSO that primarily deals in adverse drug events would likely benefit from having a pharmacist as a member of its workforce. The overarching requirement is that the qualified staff works under the direct supervision of the PSO.
AHRQ has prepared a PSO Certification for Initial Listing form that an entity must use to certify that it meets the requirements to become listed as a PSO.
There is no deadline for applying to be listed as a PSO. Applications for PSO status will be accepted at any time and will be reviewed as expeditiously as possible.
A PSO is listed for a period of 3 years. To renew its listing for an additional 3 years, the PSO will be required to complete and submit a PSO Certification for Continued Listing form before the expiration of its period of listing. The PSO must certify that it is performing, and will continue to perform, each of the patient safety activities and that it is complying with, and will continue to comply with, the other requirements of the Patient Safety Rule. The PSO's 3-year period of listing will automatically expire at midnight of the last day of the PSO's listing period if AHRQ has not received and approved the PSO's continued listing form.
The Patient Safety Act and Rule make PSWP privileged and confidential. Subject to certain specific exceptions, PSWP may not be used in criminal, civil, administrative, or disciplinary proceedings. PSWP may only be disclosed pursuant to an applicable disclosure exception (see Patient Safety Rule Section 3.206).
A patient's original medical record, billing and discharge information, and any other original patient or provider records cannot become PSWP. Copies of selected parts of original provider records may become PSWP.
The Patient Safety Rule permits a health care provider, such as a hospital, to work with more than one PSO. Any information that is eligible to become PSWP reported to a PSO by a health care provider is protected. The definition of PSWP (Patient Safety Rule Section 3.20) provides important detail on what information is eligible for protection and when those protections apply.
Yes. PSWP must be nonidentified before it is submitted to the NPSD. Nonidentification requires that the information identifying individual and institutional providers, patients, and provider employees reporting patient safety events be removed from the PSWP.
The Patient Safety Act makes PSWP privileged and confidential. The Patient Safety Act and the Patient Safety Rule generally bar the use of PSWP in criminal, civil, administrative, or disciplinary proceedings except where specifically permitted. Strong privacy and confidentiality protections are intended to encourage greater participation by providers in the examination of patient safety events. By establishing strong protections, providers may engage in more detailed discussions about the causes of adverse events without the fear of liability from information and analyses generated from those discussions. Greater participation by health care providers will ultimately result in more opportunities to identify and address the causes of adverse events, thereby improving patient safety overall.
What is the relationship between the Patient Safety Rule and the HIPAA Privacy Rule?
PSWP may contain individually identifiable health information as defined in the HIPAA Privacy Rule. Health care providers that are HIPAA-covered entities must comply with the use and disclosure exceptions for PSWP and with the permissions and disclosure requirements concerning protected health information (PHI) set forth by the HIPAA Privacy Rule, as well as with the limitations on the disclosure of information found in the Patient Safety Rule, when disclosing PSWP. A PSO that is a business associate of a HIPAA-covered provider is subject to the business associate requirements of the HIPAA Privacy Rule, including its limitations on the use and disclosure of PHI.
If a PSO is revoked for cause (i.e., noncompliance with the requirements that each PSO must meet) and a health care provider inadvertently submits data to that entity, is the data protected?
If a PSO's listing is revoked for cause, health care providers may continue to submit data to the delisted PSO for 30 calendar days, beginning on the date and time that the PSO is delisted and ending 30 days thereafter. Data submitted during this 30-day period are treated as PSWP and are subject to the confidentiality and privilege protections of the Patient Safety Act.
For example, if a PSO is delisted for cause at midnight on March 1, a health care provider can continue to submit data to the delisted PSO until midnight on March 31 and the data will be protected. Data submitted to the former PSO after midnight on March 31 would not be protected. All PSWP submitted to a former PSO in accordance with provisions of the Patient Safety Act and Patient Safety Rule remains protected after the PSO ceases operations.
How can a health care provider and a PSO exchange information to promote patient safety and quality, while complying with the provisions of the Patient Safety Act and the Patient Safety Rule?
The diagram below illustrates how information can flow between a provider and its PSO, primarily between the provider's patient safety evaluation system (PSES) and the PSES of the PSO. A provider PSES manages the collection of information for reporting to a PSO. The diagram shows the flow of protected information, to be handled as PSWP. PSWP analyzed by the PSO forms the basis of protected recommendations from the PSO to the provider. PSWP can undergo nonidentification for combination with data from other PSOs, to become publicly accessible.
AHRQ Publication No. 13-PS-018
Common Formats are common definitions and reporting formats used to facilitate the collection and reporting of patient safety events. AHRQ developed Common Formats for use by health care providers, PSOs, and other organizations dedicated to improving care quality.
Currently, the Common Formats are limited to patient safety reporting in two settings of care—acute care hospitals and skilled nursing facilities. Future versions of the Common Formats are being developed for ambulatory settings, such as ambulatory surgery centers and physician and practitioner offices.
AHRQ recently released Common Formats for Surveillance-Hospital for public review and comment. Until now, Common Formats have been designed to support only traditional event reporting. Common Formats for Surveillance-Hospital are designed to provide, through retrospective review of medical records, information that is complementary to that derived from event reporting systems. These Formats will facilitate improved detection of events and calculation of adverse event rates in populations reviewed.
In collaboration with the Federal Patient Safety Workgroup (PSWG), the National Quality Forum (NQF), and the public, AHRQ has developed Common Formats for two settings of care: acute care hospitals and skilled nursing facilities.
To develop the Common Formats, AHRQ first reviewed existing patient safety event reporting systems from a variety of health care organizations. Working with the PSWG and Federal subject matter experts, AHRQ and the PSWG developed, piloted, drafted, and released Version 0.1 Beta of the Common Formats (for acute care hospitals) in August 2008.
Through a contract with AHRQ, NQF solicited feedback on Version 0.1 Beta from private sector organizations and individuals. The NQF, a nonprofit organization that focuses on health care quality, then convened an expert panel to review the comments received and provide feedback. Based on the NQF's feedback, AHRQ, in conjunction with the PSWG, further revised the Common Formats and released Version 1.0 in September 2009.
The review process above was repeated to further refine the Common Formats and to incorporate any public comments on Version 1.0 prior to finalization of the technical specifications for electronic implementation. These modified formats for acute care hospitals were made available as Version 1.1 in March 2010.
In conjunction with the Food and Drug Administration (FDA), the Office of the National Coordinator for Health Information Technology (ONC), and the full PSWG, AHRQ revised the device event-specific Common Format (available in Version 1.1) to include patient safety events related to Health Information Technology (HIT). This Common Format, Device or Medical/Surgical Supply including HIT Device (Version 1.1a), was released in October 2010.
AHRQ and the PSWG released Common Formats for skilled nursing facilities in March 2011, and in November 2011, an additional module (Beta Version) for venous thromboembolism (VTE) was incorporated that includes both deep vein thrombosis (DVT) and pulmonary embolism (PE). In April 2012, AHRQ and the PSWG developed Common Formats-Hospital Version 1.2, which featured new content to incorporate the Event-Specific Formats VTE and Device/HIT. In July 2012, Common Formats–Readmissions Version 0.1 Beta was released to allow hospitals to aggregate data and analyze readmission attributes.
Most recently, AHRQ released Common Formats for Surveillance-Hospital, which, as described above, complement traditional event reporting with information derived from retrospective review of medical records, facilitating improved detection of events and calculation of adverse event rates in populations reviewed.
The Patient Safety Act authorizes AHRQ to facilitate the development of a network of patient safety databases (NPSD), to which PSOs, health care providers, or others can voluntarily contribute nonidentifiable PSWP. The Patient Safety Act directs AHRQ to incorporate the nonidentifiable trend data from NPSD in its annual National Health Care Quality Report (NHQR). The NHQR is available in hard copy and electronically on the AHRQ Web site at http://www.ahrq.gov/research/findings/nhqrdr/index.html.
By enabling PSOs to aggregate PSWP on their own and to contribute nonidentifiable PSWP to the NPSD, the stage has been set for breakthroughs in our understanding of how best to improve patient safety. The NPSD will facilitate the aggregation of sufficient volumes of patient safety event data to identify more rapidly the underlying patterns and causes of risks and hazards associated with the delivery of health care services. By contributing nonidentifiable PSWP to the NPSD, PSOs can accelerate the pace at which the NPSD can advance our knowledge and provide an important adjunct to a PSO's own analyses.
PSOs are not required to submit any information to the NPSD.
Yes. PSOs can accept HIT-related patient safety events. Patient Safety Act protections for PSWP can apply to information about HIT-related patient safety events that meet the requirements for becoming PSWP.
Can an electronic health record (EHR) software developer or vendor report an HIT patient safety event to a PSO?
Yes. Any individual or entity may send information unsolicited to a PSO; however, only information sent to a PSO by a health care provider (or by an individual or entity delegated such reporting function by a provider) may become protected as PSWP. The Patient Safety Rule provides a definition of a health care provider, which includes an individual or facility that is licensed or otherwise authorized under State law to provide health care services.
Individuals and entities that wish to send information to a PSO should consider any additional legal or contractual limitations that may impact the sending of information to a PSO. For example, if a software vendor or developer has received adverse event information as a contractor of a provider, the software vendor or developer should carefully consider whether the contract permits the disclosure of the adverse event information to a PSO.
PSOs offer a valuable opportunity for providers to benefit from the review of safety events by PSO experts in a confidential and protected manner. When HIT-related patient safety events are relatively rare, even a large health care system may not experience a sufficient volume of events to develop insights into the causal and contributing factors. When a provider works with a PSO that has a large number of providers reporting events to the PSO, the provider can also benefit from the ability of the PSO to aggregate sufficient data to develop insights that would not otherwise be available to the provider. The provider can also benefit from privilege and confidentiality protections afforded to the PSWP.
If an HIT-related patient safety event is reported to a PSO by a provider, does this protect from disclosure the name of the software product or its developer?
The Patient Safety Rule protects, as PSWP, information submitted by a provider to a PSO. However, the Patient Safety Rule permits disclosure of PSWP that is nonidentifiable with respect to a particular identified provider, reporter or patient; that is, information that meets the standard provided at Patient Safety Rule Section 3.212. A PSO would need to make a case-by-case determination as to whether the information they wish to be released has been rendered nonidentifiable. In a given situation, such information may contain identifying details about a patient safety event, such as the name of a software product or vendor, and still be nonidentifiable.
If a patient is harmed as a result of an HIT-related patient safety event that is reported to a PSO, are the details of the adverse event protected from disclosure?
No. Working with a PSO does not relieve a provider of its obligations to collect and maintain information for review by external authorities or to maintain patient records. For example, providers generally have an obligation under other applicable laws, regulations, and internal policies to record the details of a patient's treatment and care in the patient's medical record or other original provider or patient records. A provider may choose to report such information to a PSO where the information may become PSWP, but the original provider records remain unprotected (non-PSWP). If the provider receives a lawful request for information that the provider was required to maintain, the provider must retrieve the information from its unprotected (non-PSWP) source. The provider may not use a copy of the PSWP-protected report sent to the PSO to respond to the request.
The PSWP confidentiality and privilege protections apply to PSWP in the hands of any individual or entity that holds it. PSWP cannot be disclosed except in the limited circumstances provided by the Patient Safety Rule. For example, PSWP may be disclosed if it is nonidentifiable, as provided at Patient Safety Rule Section 3.212, with respect to every identified provider referenced in the PSWP (such as a facility, a medical group practice, or an individual clinician), the individual who reported the PSWP to a PSO, and any patient.
The Patient Safety Rule establishes civil money penalties up to $11,000 for impermissible disclosures of PSWP. Interpretation and enforcement of the confidentiality protections is the responsibility of the Office for Civil Rights in the U.S. Department of Health and Human Services.
Ways in which Software Developers and Vendors Can Work within the Framework of the Patient Safety Act
Are there ways that a software developer or vendor can work within the framework of the Act?
Yes. There are three ways in which software developers and vendors might work with providers and PSOs under the framework of the Patient Safety Act:
- serving as a contractor to a PSO;
- serving as a contractor to a provider (note that there are requirements for safeguarding PSWP that go beyond the normal relationship of a provider and software vendor); or
- creating a component organization to seek listing and serve as a PSO.

The first two options – serving as a contractor to a PSO or to a provider – are discussed together in the FAQs that follow. The creation of a component organization to seek listing is addressed separately below.
If a software developer or vendor wants to serve as a contractor to a PSO or to a provider, what must they understand about the confidentiality protections for PSWP?
A software developer or vendor may serve as a contractor for either a PSO or a provider that has a reporting relationship with a PSO for the purpose of assisting the PSO or provider in conducting patient safety activities (such as identifying the causes of an HIT-related patient safety event). The Patient Safety Rule permits a provider or PSO to disclose PSWP for patient safety activities to an entity with which it has contracted to undertake patient safety activities on its behalf. Because of the privileged and confidential nature of PSWP, any contractor should establish procedures for the handling and disclosure of PSWP.
A key aspect of the Patient Safety Rule is that the protections follow the PSWP. PSWP, once disclosed, generally continues to be confidential and privileged in the possession of the person or entity to whom it is disclosed. A contractor to whom PSWP has been disclosed is not permitted to further disclose the PSWP unless the PSO or provider with which it has a contract has delegated to it permission to make that specific disclosure (42 CFR 3.206(b)(4)(ii) and 3.206(e)). Permissible disclosures are limited to those stated in the Patient Safety Rule. See also the Department's Guidance regarding mandatory FDA reporting requirements.
Contractors that receive PSWP from a PSO must maintain the security of the PSWP (42 CFR 3.106). A PSO is required to have written policies and procedures that address PSWP security management, control, monitoring, and assessment, and must secure PSWP in conformance with those policies and procedures. These requirements must be met at all times and at any location at which the PSO, or its contractors, receive, access, or handle patient safety work product. See the following question for additional information: If a software vendor or developer is a contractor to a provider or PSO, are there security PSWP requirements that the contractor must meet when handling PSWP?
These limitations on disclosure and provisions regarding security reflect the sensitivity of PSWP. While these requirements and limitations can be challenging, they can often be addressed by advance planning between a contractor and the PSO or provider with which it is contracting.
Can an EHR vendor, as a contractor or agent of a provider, submit reports to a PSO on behalf of that provider?
Yes. A provider can delegate the reporting of its patient safety events to a contractor, such as an EHR vendor that serves as a contractor to or agent of the provider.
If a software vendor or developer is a contractor to a provider or PSO from which it receives PSWP containing individually identifiable health information, do HIPAA Privacy and Security Rules also apply?
HIPAA Rules apply if the software vendor or developer has contracted with a provider that is a HIPAA-covered entity, and the reported information or PSWP contains protected health information as defined by the HIPAA Rules. Likewise, HIPAA Rules apply if the software vendor or developer has contracted with a PSO that receives information or PSWP from a provider that is a HIPAA covered entity, and the reported information or PSWP contains protected health information as defined by the HIPAA Rules. The provisions of the Patient Safety Act and HIPAA are not always identical and disclosures may only be made if permissible under both regulations.
If a software vendor or developer is a contractor to a provider or PSO, are there security PSWP requirements that the contractor must meet when handling PSWP?
Yes, the Patient Safety Rule requires that a PSO must have written policies and procedures that address PSWP security management, control, monitoring, and assessment. A PSO must secure PSWP in conformance with the policies and procedures. These requirements must be met at all times and at any location at which the PSO, or its contractors and subcontractors receive, access, or handle patient safety work product. The Patient Safety Rule does not establish security requirements that providers or their contractors must meet. A provider can determine the security requirements that apply to its workforce and its contractors.
To the extent that PSWP contains protected health information (as defined by the HIPAA Rules) and is subject to the HIPAA Security Rule, a HIPAA-covered provider and its business associates, such as a PSO or its contractors, would be required to comply with the HIPAA Security Rule.
If a PSO or a provider intends to contract with a software developer or vendor, what should be considered?
The contracting parties should consult legal counsel as appropriate and carefully consider all of the areas that are related to compliance with the Patient Safety Rule and any relevant HIPAA requirements (for example, when PSWP contains protected health information [as defined by the HIPAA Rules] and HIPAA is applicable). Examples of issues to consider include:
- determine in advance the potential disclosures that need to be made;
- ensure that anticipated disclosures are permissible and that appropriate delegations for disclosure are made;
- identify the contractors who will hold PSWP and specify the required security protections for PSWP; and
- identify the individuals who need access to the PSWP, limit access to PSWP to those individuals, and specify training requirements for those individuals regarding applicable requirements of the Patient Safety Rule.
Yes. While a software developer or vendor cannot itself become listed as a PSO, it can create a component organization that can become a PSO.
The Patient Safety Rule provides two options: an existing organization can
- create a separate legal organization or
- designate a unit or division of the existing organization, either of which may seek listing as a PSO.
Whichever approach is used, a component organization that becomes a PSO must meet the requirements that apply to all PSOs, and additional requirements that apply specifically to components (for example, a PSO that is a component organization must establish the equivalent of a firewall between itself and its parent organization). (See Patient Safety Rule Section 3.102(c).)