Section 3.20, definition of Patient Safety Activities:

(1) Efforts to improve patient safety and the quality of health care delivery.

Has the PSO documented the patient safety and quality improvement activities that it offers health care providers? For example, does the PSO have descriptive materials that outline the patient safety and quality improvement activities offered to health care providers?

Alternatively, has the PSO already met this requirement as a result of the documentation required by the patient safety activities that follow (Rows #2-#8 in this table)? Those requirements essentially require a PSO to document how it will perform all aspects of the patient safety activities it undertakes. To employ this approach successfully, a PSO should assess whether the documentation for patient safety activities #2-#8 in this table addresses all of the patient safety and quality improvement activities the PSO undertakes.

Section 3.20, definition of Patient Safety Activities:

2) The collection and analysis of patient safety work product.

Has the PSO documented how it will (does) collect patient safety work product from health care providers? For example, will (does) the PSO accept patient safety work product from providers through paper submissions, secure electronic transmission, use of a secure portal system, or a combination of approaches?

Has the PSO documented the range of analytic services that it will (does) offer health care providers? Does the documentation specify the types of problems or tasks of methods, tools, and analytic approaches the PSO will employ to address specific types of problems or tasks?

If the PSO has already undertaken such analyses, can the PSO provide specific examples of the use of analytic techniques to specific data?

If a PSO enters into a contract with another organization or PSO to provide assistance with the collection or analysis of patient safety work product, are the activities, methods, or approaches used by the contractor(s) consistent with the attestations of the contracting PSO?

If the PSO is currently receiving and analyzing patient safety work product, can the PSO provide specific examples that demonstrate or document how the PSO is complying with this requirement?

Section 3.20, definition of Patient Safety Activities:

(3) The development and dissemination of information with respect to improving patient safety, such as recommendations, protocols, or information regarding best practices.

Has the PSO documented how it meets this requirement? For example:

• What is the scope of the PSO's existing and planned dissemination activities (i.e., is it restricted to issues for which it receives patient safety work product or will dissemination address a broader range of patient safety and quality improvement issues)?
• How does the PSO evaluate the validity and reliability of the information it disseminates?
• How does the PSO determine when an intervention or approach constitutes a “best practice” before disseminating the information to providers?

If the PSO has already developed and disseminated such information, can the PSO provide specific examples that demonstrate or document how the PSO is complying with this requirement?

Section 3.20, definition of Patient Safety Activities:

(4) The utilization of patient safety work product for the purposes of encouraging a culture of safety and of providing feedback and assistance to effectively minimize patient risk.

Has the PSO documented how it will (does) meet this requirement? For example:

• How will (does) the PSO seek to foster a culture of safety within the institutional providers with which the PSO works?
• Can the PSO provide feedback and assistance that may be used by providers to minimize risk to patients?

If the PSO has undertaken specific activities to comply with this requirement, can the PSO provide specific examples that demonstrate or document how the PSO is complying with this requirement?

Section 3.20, definition of Patient Safety Activities:

(5) The maintenance of procedures to preserve confidentiality with respect to patient safety work product.

Has the PSO established policies to preserve the confidentiality of patient safety work product? For example:

• Do the policies and procedures apply to all workforce members and contractors with access to patient safety work product?
• Do the PSO's confidentiality policies meet the requirement of section 3.102(b)(1)(i)(A) of the rule? This section requires a PSO's confidentiality policies to be consistent with Subpart C of the rule.
• Has the PSO established procedures to ensure compliance with the confidentiality requirements? For example, does the PSO require written acknowledgement of the confidentiality protections by members of its staff and contractors with access to patient safety work product?
• When patient safety work product is entrusted to contractor(s), does the PSO require contractors to acknowledge the limitations on contractor disclosure of patient safety work product (go to section 3.206(b)(4)(ii) of the rule)?
• Does the PSO assist reporting providers in understanding the confidentiality requirements for patient safety work product, including the statutory right (restated in section 3.206(e)) to establish greater confidentiality protections for patient safety work product than are required by the Patient Safety Rule?
• Do the PSO's policies specify how the PSO will implement the Patient Safety Rule requirement (section 3.102(b)(1)(i)(B)) to notify the health care providers if confidentiality of submitted patient safety work product is breached?

If the PSO has received patient safety work product, have there been any impermissible disclosures of patient safety work product?

Section 3.20, definition of Patient Safety Activities:

(6) The provision of appropriate security measures with respect to patient safety work product.

Section 3.102(b)(1)(i)(A) of the Patient Safety Rule clarifies that a PSO's policies for the security of patient safety work product must meet the security requirements of section 3.106. The requirements of section 3.106 and sample self-assessment questions are provided in Table 2.

Section 3.20, definition of Patient Safety Activities:

(7) The utilization of qualified personnel.

Has the PSO documented its policies for utilization of qualified staff (either as members of the PSO's workforce or as contractors)? For example, is there a linkage between the job descriptions for staff positions and the clinical, analytic, and improvement expertise needed for the PSO to meet its mission and provide the services the PSO is offering providers?

[Note: questions regarding the match between the skills and expertise of the PSO's workforce and contractors and the clinical, analytic, and implementation services offered by the PSO are raised in #10 below.]

Section 3.20, definition of Patient Safety Activities:

(8) Activities related to the operation of a patient safety evaluation system and to the provision of feedback to participants in a patient safety evaluation system

Has the PSO documented how it will (does) meet this requirement? For example:

• If the PSO only conducts Patient Safety Act activities, does its patient safety evaluation system encompass the entire PSO and all staff? If so, documentation can be more limited and focused on specification of the activities being undertaken.
• If a PSO engages in non-Patient Safety Act activities, does the PSO's documentation describe the space that is allocated for patient safety evaluation system activities and which staff have access to patient safety work product? How is it possible to determine when “shared staff” perform patient safety evaluation system and non-patient safety evaluation system activities?
• Has the PSO documented how it will (does) communicate with, and provide feedback to, participants in each patient safety evaluation system of the providers with which it works?

If the PSO is actually providing feedback to participants on a provider's patient safety work product, can the PSO provide specific examples that demonstrate or document how the PSO is complying with this requirement?

PSO Criteria

All entities seeking listing as a PSO must attest that, upon listing, they will comply, and remain in compliance with the following seven PSO criteria (Rows #9-#15) set forth in section 3.102(b)(2) of the Patient Safety Rule.

Section 3.102(b)(2)(i)(A):

The mission and primary activity of the PSO must be to conduct activities that are to improve patient safety and the quality of health care delivery.

Does the PSO undertake activities other than those authorized or required by the Patient Safety Act? If not, the PSO will automatically meet this requirement.

If a PSO undertakes activities other than those undertaken pursuant to the Patient Safety Act, can the PSO demonstrate, taking into account all of the activities it performs, that the improvement of patient safety and health care delivery constitute its “primary” activity?

Two possible ways of meeting this requirement would be to demonstrate that these activities:

• Account for the “majority” of activity by its workforce; or
• Account for the majority of revenue or expenditures of the entity.

Section 3.102(b)(2)(i)(B):

The PSO must have appropriately qualified workforce members, including licensed or certified medical professionals

Can the PSO document how the expertise and skills of its personnel (either PSO workforce members or contractor staff) are an appropriate match for the clinical, analytic, and improvement activities that the PSO offers providers?

Can the PSO document that it has the services of a licensed or certified medical professional (either PSO workforce members or contractor staff)? Can the PSO document that there is a reasonable relationship between the expertise and skills of its medical professional(s) and the clinical issues the PSO addresses?

Section 3.102(b)(2)(i)(C):

The PSO, within the 24-month period that begins after the date of initial listing as a PSO, and within each sequential 24-month period thereafter, must have two bona fide contracts, each of a reasonable period of time, each with a different provider for the purpose of receiving and reviewing patient safety work product.

If a PSO has submitted certification that it has two contracts with different providers, do the two contracts cited by the PSO meet the regulatory requirements? Specifically:

• Do the contracts meet the definition of bona fide (i.e., the contracts are written and entered in good faith)?
• Do the contracts require receipt and review of patient safety work product by the PSO?
• Were the contracts entered into with different providers? The Patient Safety Rule focuses on the provider entity entering the contract and not the providers covered by the contract. For example, entering two contracts with the same headquarters of a health system (one covering its hospitals and another covering its nursing homes) would not meet the requirement since the contracts are being entered with the same corporate entity.

If the PSO has met the two contract requirement, has the PSO submitted the required notification?

Section 3.102(b)(2)(i)(D):

The PSO is not a health insurance issuer, and is not a component of a health insurance issuer.

Can the PSO confirm its attestation that it is not a health insurance issuer or a component of a health insurance issuer? Is a health insurance issuer involved in the governance or financing of the PSO?

Section 3.102(b)(2)(i)(E):

The PSO must make a disclosure to the Secretary as required under section 3.102(d), in accordance with 3.112 of this subpart.

Note: Section 3.102(d)(2) requires that a PSO shall fully disclose—

(i) any financial, reporting, or contractual relationship between the entity and any provider that contracts with the entity; and

(ii) if applicable, the fact that the entity is not managed, controlled, and operated independently from any provider that contracts with the entity

Has the PSO documented how it has complied with this requirement, including being able to demonstrate the following:

• Every time the PSO entered a Patient Safety Act contract with a provider, did the PSO conduct the required assessment to determine whether the PSO had other relationships with that provider that would require the PSO to complete and submit a disclosure statement?
• If the PSO chose not to file a disclosure statement regarding a provider with which it entered a Patient Safety Act contract, can the PSO document that it made the determination that a disclosure statement was not required?
• If the PSO developed any other relationships with that contracting provider during the contract period, did the PSO conduct the required re-assessment to determine whether the PSO needed to complete and submit a new or revised disclosure statement?
• Did each disclosure statement submitted fully comply with the Patient Safety Rule?

Section 3.102(b)(2)(i)(F):

To the extent practical and appropriate, the PSO must collect patient safety work product from providers in a standardized manner that permits valid comparisons of similar cases among similar providers.

Go to section 3.102(b)(2)(iii), which establishes a different standard for continued listing, which is summarized here: At continued listing, the PSO must attest that it is using, and will continue to use, either (A) the Secretary's published guidance for common definitions and reporting formats (AHRQ Common Formats) or (B) an alternate system of formats and definitions in its collection of patient safety work product that permits valid comparisons among similar providers. If the PSO cannot make either attestation, it must attest that it is not practical or appropriate to comply with the options A or B by submitting a clear explanation of why it is not practical or appropriate for the PSO to comply with those options.

Is the PSO collecting patient safety work product in a standardized manner as required by the Patient Safety Rule? If the PSO is not using AHRQ's Common Formats, what system is the PSO using? If it is not using any standardized approach, what is the PSO's rationale?

Once a PSO submits the Certification for Continued Listing, the requirement for compliance changes and the PSO should consider:

• Is the PSO using AHRQ's Common Formats?
• If the PSO is using another system, is the PSO prepared to demonstrate that the system it is using permits valid comparisons of similar cases among similar providers?
• If the PSO is not collecting patient safety work product in a standardized manner, can the PSO provide a compelling rationale for why it is not practical or appropriate to use AHRQ's Common Formats or another standardized system?

Section 3.102(b)(2)(i)(G):

The PSO must utilize patient safety work product for the purpose of providing direct feedback and assistance to providers to effectively minimize patient risk.

Has the PSO received patient safety work product from a provider seeking review and feedback? If so, can the PSO demonstrate or document how it has complied with this requirement?

Additional Requirements That Apply to All Component PSOs

The following requirements (Rows #16-#19) only apply to PSOs that are component organizations. All component PSOs also must meet requirements applicable to all PSOs (Rows #1-#15). In each case, compliance with these additional requirements is the same at initial and continued listing.

Section 3.102(c)(2)(i), Separation of Patient Safety Work Product:

A component PSO must maintain patient safety work product separately from the rest of the parent organization(s) of which it is a part, and establish appropriate security measures to maintain the confidentiality of patient safety work product.

Can the component PSO demonstrate its compliance with this requirement? For example:

• Does the component PSO have written policies and procedures and security measures in place to prevent access to its patient safety evaluation system and patient safety work product by staff of the parent organization?
• If the component PSO has a shared information system with its parent organization, can the PSO demonstrate how its security controls are effective and/or would be effective in circumstances encompassed by its policies and procedures and operations?
• If the parent organization provides IT support, does the component PSO have written confidentiality, nondisclosure agreements in place (go to Row #19 below) to ensure that they understand and acknowledge restrictions regarding patient safety work product? The agreements could be with the IT support staff or with the parent organization that would have written agreements with the IT support staff. Similarly, if the parent organization provides services that require access to locations where patient safety work product is held, how does the component PSO handle physical security and access issues?
• If the component PSO shares staff with its parent organization, how does the PSO ensure that these individuals fully understand the importance of: (1) maintaining patient safety work product separately from the parent organization, and (2) avoiding unauthorized disclosures? Do the PSO's confidentiality and security policies and procedures (Rows #5 and #6 above) adequately and appropriately address these issues?
• Has the PSO experienced any incidents involving inappropriate access to its patient safety evaluation system or patient safety work product or “close calls” of breaches of security of patient safety work product?

Section 3.102(c)(2)(ii), Nondisclosure of Patient Safety Work Product:

A component PSO must require that members of its workforce and any other contractor staff not make unauthorized disclosures of patient safety work product to the rest of the parent organization(s) of which it is a part.

Section 3.102(c)(2)(iii), No Conflict of Interest.

The pursuit of the mission of a component PSO must not create a conflict of interest with the rest of the parent organization(s) of which it is a part.

Can the component PSO demonstrate how it avoids situations (described in the preamble language accompanying section 3.102(c)(2)(iii) of the Patient Safety Rule) that might create a conflict of interest with its parent organization?

For example, with respect to any staff members whom the component PSO shares with its parent organization, can the PSO point to the steps it took to review the responsibilities of such individuals before sharing identifiable patient safety work product with him or her? The preamble discussion notes that a component PSO would create a conflict of interest by sharing patient safety work product with a member of the parent organization whose job responsibilities would involve taking adverse personnel actions against providers based on the information available to him or her.

Section 3.102(c)(3), Written Agreements for Assisting a Component PSO in the Conduct of Patient Safety Activities (summarized here):

A component PSO may provide access to identifiable patient safety work product to one or more individuals in, or to one or more units of, its parent organization(s) if the component PSO enters into a written agreement with such individuals or units which requires that:

(i) Access to patient safety work product is only provided to enable such individuals or units to assist the component PSO in its conduct of patient safety activities, and

(ii) Such individuals or units may only use or disclose patient safety work product as specified by the component PSO, will take appropriate security measures to prevent unauthorized disclosures and will comply with the other certifications the component PSO has made regarding unauthorized disclosures and conducting the mission of the PSO without creating conflicts of interest.

If the component PSO has asked its parent organization for assistance in conducting patient safety activities, did the PSO enter the required written agreements?

Do these written agreements meet the requirements of this section? For example:

• Are the agreements limited to tasks that assist the PSO in carrying out patient safety activities?
• Do the agreements contain provisions stipulating the required security measures?
• Do the agreements specify how the component PSO will ensure that the individuals or units of the parent organization have met, are meeting, and will meet their responsibilities to avoid unauthorized disclosures?
• Has the PSO ensured that the agreements are with individuals or units of the parent organization that will not pose a conflict of interest (go to previous Row #18)?

Additional Requirements for PSOs that are Component Organizations of Excluded Entities

The following requirements only apply to PSOs that are components of entities excluded by section 3.102(a)(2)(ii) of the Patient Safety Rule. Such PSOs are also responsible for compliance with all of the requirements listed above (Rows #1-#19). In each case, compliance with these additional requirements is the same at initial and continued listing.

Section 3.102(c)(4)(i):
A component organization of an (excluded) entity must: (i) Submit the following information with its certifications for listing:

(A) A statement describing its parent organization's role, and the scope of the parent organization's authority, with respect to any of the following that apply: accreditation or licensure of health care providers, oversight or enforcement of statutory or regulatory requirements governing the delivery of health care services, serving as an agent of such a regulatory oversight or enforcement authority, or administering a public mandatory patient safety reporting system.

Does the component PSO have a mechanism (1) to review if there are changes in the mission or activity of its parent organization and, if so, (2) to revise the written statement, and submit it to AHRQ?

Section 3.102(c)(4)(i): A component organization of an (excluded) entity must: (i) Submit the following information with its certifications for listing:

(B) An attestation that the parent organization has no policies or procedures that would require or induce providers to report patient safety work product to their component organization once listed as a PSO and that the component PSO will notify the Secretary within 5 calendar days of the date on which the component organization has knowledge of the adoption by the parent organization of such policies or procedures, and an acknowledgment that the adoption of such policies or procedures by the parent organization during the component PSO's period of listing will result in the Secretary initiating an expedited revocation process in accordance with §3.108(e).

How does the component organization determine if its parent organization has prohibited policies or incentives?

Section 3.102(c)(4)(i): A component organization of an (excluded) entity must: (i) Submit the following information with its certifications for listing:

(C) An attestation that the component organization will prominently post notification on its Web site and publish in any promotional materials for dissemination to providers, a summary of the information that is required by paragraph (c)(4)(i)(A) of this section. (go to Row #20).

Section 3.102(c)(4)(ii), Comply with the following requirements during its period of listing:

(A) The component organization may not share staff with its parent organization(s).

Section 3.102(c)(4)(ii), Comply with the following requirements during its period of listing:

(B) The component organization may enter into a written agreement pursuant to paragraph (c)(3) but such agreements are limited to units or individuals of the parent organization(s) whose responsibilities do not involve the activities specified in the restrictions in paragraph (a)(2)(ii) of this section.