Your browser doesn't support JavaScript. Please upgrade to a modern browser or enable JavaScript in your existing browser.
U.S. Department of Health and Human Services www.hhs.gov
Agency for Healthcare Research Quality www.ahrq.gov
AHRQ Home | Questions? | Contact Us | Site Map | What's New | Browse | Información en español | E-mail UpdatesE-mail Updates
www.ahrq.gov

Back to Patient Safety Organizations Home

DEPARTMENT OF HEALTH AND HUMAN SERVICES

NOTE: The Department of Health and Human Services (HHS) issued a final rule (PDF file, 450 KB. PDF Help) to implement the Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act) on November 21, 2008.  The final rule will become effective on January 19, 2009; on that date, the final rule will supersede the Interim Guidance, below, which will no longer be effective.

Implementing the Patient Safety and Quality Improvement Act of 2005 Including How to Become a Patient Safety Organization: Interim Guidance

SUMMARY: This Interim Guidance explains how the Department of Health and Human Services (HHS) will begin implementing the Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act), how an entity can become a Patient Safety Organization (PSO), and how information may be protected as Patient Safety Work Product (PSWP) in the interim period prior to the promulgation of a final regulation. The Patient Safety Act is included here as Appendix A. Except as provided herein, this Guidance neither creates any rights for, nor imposes any legal obligations on, any person or entity or HHS. The Guidance will be effective immediately and will be effective until the effective date of the final Patient Safety Act regulation (i.e., the interim period.) The final regulation will supersede this Interim Guidance. However, any information that became PSWP during this interim period based upon the definition in the Patient Safety Act, shall remain PSWP and, thus, privileged and confidential, after the interim period.

In this Interim Guidance, we explain how we will provide for the listing and delisting of PSOs under the Patient Safety Act, pursuant to Subpart B of the Notice of Proposed Rulemaking (NPRM) published in the Federal Register (FR) on February 12, 2008: 73 FR 8112-8183. This Guidance also explains how we will apply the enforcement provisions of the Patient Safety Act based on Subpart D of the NPRM. We further clarify that the Department will be able to receive and disclose information needed for PSO listing and delisting and enforcement purposes.

The Interim Guidance explains which provisions in the regulatory text of the NPRM will be binding during the interim period1. The other provisions of the regulatory text are not binding and the entire preamble of the NPRM is not binding. All binding provisions are found in Appendix B. In regard to the material that is not binding, individuals and entities may follow alternative approaches, provided that the alternative approach is consistent with, and satisfies the requirements of the Patient Safety Act. Such alternative approaches would not apply after the interim period unless permitted by the final rule.

ADDRESSES: The certification forms and explanatory materials related to the Interim Guidance can be accessed electronically at the AHRQ PSO Web site www.pso.ahrq.gov.

FOR FURTHER INFORMATION CONTACT: Susan Grinder, Center for Quality Improvement and Patient Safety, AHRQ, 540 Gaither Road, Rockville, MD 20850; Telephone (toll free): (866) 403-3697; Telephone (local): (301) 427-1111; TTY (toll free): (866) 438-7231; TTY (local): (301) 427-1130; E-mail: pso@ahrq.hhs.gov

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Overview
   A. Introduction
   B. Upon the Effective Date of this Interim Guidance
   C. Upon the Effective Date of the Final Rule
   D. Relationship to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
II. Key Definitions
III. Certification Forms and Required Certifications
IV. Listing of PSOs and Department Oversight of Listed PSOs
V. Public Notices
VI. Privilege
VII. Confidentiality
VIII. Enforcement Program
IX. Other Key Statutory Provisions
Appendix A. The Patient Safety Act [which is binding during (and after) the interim period]
Appendix B. Applicable Provisions of the Patient Safety NPRM [which identifies the binding provisions of the regulation text]

I. Overview

I-A. Introduction

This document is intended to inform private, public and nonprofit health care communities, the legal community and others of HHS's policies and procedures for implementing the Patient Safety Act, prior to the promulgation of a final regulation. This Interim Guidance interprets the Patient Safety Act2 . (See Appendix A.)

The Patient Safety Act authorizes the listing by the Secretary of statutorily defined PSOs. Statutory definitions are at section 921 of the PHS Act, as amended, 42 U.S.C. 299b-21. PSOs are to carry out statutorily defined patient safety activities for the benefit of providers. To encourage providers to submit information to the PSOs and PSOs to conduct analyses regarding patient safety, the statute establishes privilege and confidentiality protections to protect certain information, including information collected by providers for sharing with PSOs for analysis, analyses performed by the providers and/or the PSOs, and information shared between the PSOs and the health care providers they serve. This information is defined in the statute as "PSWP".

Much of the impetus for the Patient Safety Act and the information protections that it created grew out of findings released by the Institute of Medicine (IOM) in 1999, in a landmark report, "To Err Is Human"3, which reported that thousands of people in the U.S. die in hospitals each year as a result of preventable medical errors. The report indicated that one of the reasons that - compared to other high-risk industries - the health care system has been slower in investigating systemic causes of events that have harmed or could harm large numbers of individual patients was the reluctance of health care providers to participate in quality review activities for fear of liability, professional sanctions, or injury to their reputations4. Traditional state-based legal protections for such health care quality improvement activities, collectively known as "peer review protections," are varied and limited in scope; none protect the information if it is shared outside the institution, which is often a necessary step to identify systemic problems.

Accordingly, the Patient Safety Act established uniform privilege and confidentiality protections that are applicable nationwide and that extend to all health care practitioners and institutional providers. These protections for PSWP, which are often related to adverse and high risk events and trends, should encourage providers to voluntarily report such sensitive information to PSOs for examination and discussion under statutorily defined circumstances in order to improve patient safety.

Once PSOs are listed by the Secretary, providers can submit information to PSOs and voluntarily seek the PSO's analysis of patient safety events. This should lead to improvement in patient safety. The analytic work of PSOs for providers will be enabled and fostered by the statutory protection of data they receive or create, including data they aggregate regarding patient safety events5 (or regarding other patient safety issues). The protections established by the Patient Safety Act will enable numerous providers to submit pertinent data to PSOs so that the PSOs will be able to aggregate and analyze the data of multiple providers, thus permitting the identification of patterns that could suggest underlying or systemic causes of patient risks and hazards that then can be addressed to improve patient safety.

Upon the listing of PSOs by the Secretary, the Patient Safety Act becomes applicable to such listed PSOs and to the data they exchange with providers. However, the statute does contain a number of provisions that required interpretation and policy decisions regarding their scope and appropriate application. After the enactment of the legislation, the Department considered multiple complex issues concerning how best to carry out the statute's objectives, and published a NPRM: 73 FR 8112-8183. The NPRM, including proposed 42 CFR Part 3 and the preamble text interpreting the Patient Safety Act's provisions, is available on AHRQ's PSO Web site at www.pso.ahrq.gov.

This Interim Guidance offers an interim framework under which the Department will begin to list PSOs and permit implementation of the Patient Safety Act. Upon the effective date of this Interim Guidance and once a PSO is listed by the Secretary, information that meets the definition of PSWP will be PSWP and will be protected by the Patient Safety Act's privilege and confidentiality provisions. The listing of PSOs will also permit the protected analytic activity of the PSOs to begin.

In light of the public interest in, and the anticipated benefits of, beginning as expeditiously as possible, the process of setting up a list of organizations that can carry out the protected health care systems analysis work that was a clear objective of the statute and to make protected PSO services available to providers, the Secretary will begin accepting certifications from entities that wish to berecognized and listed as PSOs immediately, in accordance with the Patient Safety Act and Subpart B of the NPRM regulation text.

The provisions in the Patient Safety Act will govern the listing of PSOs, the interaction between providers and PSOs, and the activities of PSOs. In addition, because the proposed provisions in Subparts B and D of the NPRM are either restatement of statutory provisions, procedural rules, or reflect the Department's inherent authority to establish internal procedures, we will, in this interim period, proceed to list and delist PSOs generally in accordance with the procedures in Subpart B, and enforce the Patient Safety Act in accordance with the procedures proposed in Subpart D of the NPRM regulation text which include procedures for the investigation of complaints regarding the disclosure of PSWP, and procedures for challenges to HHS' imposition of civil monetary penalties (CMPs). In addition, the Department will permit and require the sharing of information in accordance with the provisions proposed in the NPRM related to the Secretary's authority to receive and disclose information as needed for PSO listing and delisting and enforcement purposes.6

I-B. Upon the Effective Date of this Interim Guidance:

  1. The Patient Safety Act is binding. (The Act is included as Appendix A of this Guidance. In addition, the Act's definitions are included in the body of this Guidance.)
  2. Certain provisions of the NPRM are binding - All of the binding provisions can be found in Appendix B of this Guidance.7
  3. Once a PSO is listed by HHS, information that meets the definition of PSWP will be PSWP and will be protected by the Patient Safety Act's privilege and confidentiality provisions.
  4. The remainder of the NPRM regulation text (what is not included in Appendix B) and the entire NPRM preamble are not binding. They reflect HHS's current interpretation of the Patient Safety Act and its current thinking on the topics. As to these parts, where the NPRM provides a particular interpretation of the statute, persons and entities are not bound by this interpretation, and can choose alternative approaches provided those approaches are consistent with the Patient Safety Act.

I-C. Upon the Effective Date of the Final Rule:

  1. The Patient Safety Act is binding.
  2. The final regulation will supersede this Guidance. The Guidance and the NPRM will not be in effect.
  3. Any information that became PSWP during this interim period will remain PSWP and, thus, privileged and confidential, after the interim period.
  4. PSOs that were listed under the Interim Guidance will continue to be PSOs although they will be required to comply with any new requirements in the final rule, and will no longer be required to comply with requirements that were only in the NPRM.

I-D. Relationship to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The Patient Safety Act references the Standards for the Privacy of Individually Identifiable Health Information under the HIPAA Privacy Rule, 45 CFR Parts 160 and 164. Many health care providers participating in this program will be covered entities under the HIPAA Privacy Rule and will be required to comply with the HIPAA Privacy Rule when they disclose patient safety work product that contains protected health information. The Patient Safety Act is clear that it is not intended to interfere with the implementation of any provision of the HIPAA Privacy Rule. See Section 922(g)(3) of the PHS Act.

The Patient Safety Act also provides that CMPs cannot be imposed under both the Patient Safety Act and the HIPAA Privacy Rule for a single violation. See Section 922(f)(3) of the PHS Act. In addition, the statute states that PSOs shall be treated as business associates and patient safety activities are deemed to be health care operations under the HIPAA Privacy Rule. See Section 922(i) of the PHS Act. Therefore, the HIPAA Privacy Rule would not prevent health care providers from sharing individually identifiable health information regarding their patients with the provider's patient safety evaluation system (PSES) or with a PSO for patient safety activity purposes, and would not require the provider to obtain the patient's authorization to do so. Providers may only share the minimum amount of individually identifiable health information needed for this purpose.

II. Key Definitions

The following are the terms defined in the Patient Safety Act at section 921 of the PHS Act, 42 USC 299b-21, and some other terms that are used in this Interim Guidance. The language below quotes or paraphrases these statutory definitions. The definitions at 42 CFR § 3.20 in the NPRM (and the corresponding preamble text) provide non-binding guidance as to how we interpret the statutory definitions.

AHRQ stands for the Agency for Healthcare Research and Quality in HHS.

ALJ stands for an Administrative Law Judge of HHS.

Patient Safety Organization (PSO) means a private or public entity or component of such entity that is listed by the Secretary. Federal, State, or local government entities as well as Tribal Organizations may establish a PSO. As indicated above, for purposes of applying the HIPAA Privacy Rule, the Patient Safety Act provides that PSOs are to be treated as business associates when providing services to HIPAA covered entities.

The Patient Safety Act protects PSWP.

Patient Safety Work Product (PSWP) means any data, reports, memoranda, analyses (such as root cause analyses), or written or oral statements

  1. which are assembled or developed by a provider for reporting to a PSO and are reported to a PSO; or are developed by a PSO for the conduct of patient safety activities; and which could result in improved patient safety, health care quality, or health care outcomes; or
  2. which identify or constitute the deliberations or analysis of, or identify the fact of reporting pursuant to, a PSES.

The Patient Safety Act's definition of PSWP at section 921(7)(B) of the PHS Act, includes additional important language, which we have included in this footnote.8 Section 921(7)(B) provides, in part, that PSWP does not include a patient's original medical record, billing and discharge information, or any other original patient or provider information and any information that is collected, maintained, or developed separately, or exists separately, from a PSES. The Patient Safety Act applies different rules to identifiable PSWP and to nonidentifiable PSWP.

Identifiable PSWP The statute, in its definition of identifiable PSWP, provides that PSWP is identifiable as to providers if the PSWP is presented in a form and manner that allows the identification of any provider that is a subject of the PSWP, or any providers that participate in activities that are a subject of PSWP. PSWP is identifiable as to patients if the information is individually identifiable health information as that term is defined in the HIPAA Privacy Rule. PSWP is identifiable as to reporters (an individual who in good faith reported information to the provider with the intention of having the information reported to a PSO; or reported directly to a PSO) if the PSWP is presented in a form or manner that allows the identification of such reporter. The NPRM repeats this definition of identifiable PSWP.

Nonidentifiable PSWP The statute defines nonidentifiable PSWP as PSWP that is not identifiable.9

Provider is defined in the Patient Safety Act to mean in part, "an individual or entity licensed or otherwise authorized under State law to provide health care services."

Patient safety activities means efforts to improve patient safety and the quality of health care delivery, the collection and analysis of PSWP, the development and dissemination of information with respect to improving patient safety, the utilization of PSWP for the purposes of encouraging a culture of safety and of providing feedback and assistance to effectively minimize patient risk, the maintenance of procedures to preserve confidentiality with respect to PSWP, the provision of appropriate PSWP security measures, the utilization of qualified staff, and activities related to the operation of a patient safety evaluation system. (Application of HIPAA Privacy Rule: Patient safety activities performed by a PSO for a provider are "health care operations" of the provider.)

Patient safety evaluation system (PSES) means the collection, management, or analysis of information for reporting to or by a PSO. The term PSES is used in the definition of PSWP. It also is used in the definition of patient safety activities. Responsible person means a person, other than a provider or a PSO, who has possession or custody of identifiable patient safety work product and is subject to the confidentiality provisions of the Patient Safety Act.

III. Certification Forms and Required Certifications

We are establishing a process by which the certifications required by the Patient Safety Act in section 924(a) and (b) of the PHS Act10 (see Appendix A) can be easily made, using a streamlined process of completing and signing checkbox forms. Submissions must be provided in paper or electronic format. Where an entity files a paper submission, the Secretary requires three copies. Forms for paper or electronic submission are available at the AHRQ PSO Web site www.pso.ahrq.gov.11 Specific instructions for use of the electronic format may be obtained through explanatory material at www.pso.ahrq.gov.

The brief certification form developed for initial listing requires fifteen certifications. Each one is a statement that requires affirmance. The statutory certifications are found at section 924 (a)(1) and (b)(1) of the PHS Act.12 In accordance with section 924(b)(2) of the PHS Act, three additional certifications are required on the form for entities seeking to be listed as PSOs that are components of other organizations. These three certifications require attestations that pertain to the ability of the component to maintain PSWP separately from the rest of the organization, to establish appropriate security measures to maintain the confidentiality of PSWP, to prevent unauthorized disclosures of PSWP to the rest of the organization, and to ensure that the mission of the entity does not create a conflict of interest with the rest of the organization.

The basic certifications applicable to all PSOs require assurances as to expertise, capacity and purpose to carry out the patient safety activities defined in the Patient Safety Act. The definition of patient safety activities includes maintenance of confidentiality procedures and provision of appropriate security measures.

Until a final rule is promulgated, if the Secretary conducts random oversight of PSOs, including their confidentiality and security procedures, or investigates an allegation of improper disclosures of PSWP, PSO maintenance of confidentiality and security will be assessed in light of the statutory confidentiality and security requirements. Under this Interim Guidance, a PSO may meet the statutory requirement of "providing appropriate security measures" by meeting the scalable standards in the NPRM at 42 CFR § 3.106 or through the adoption of other appropriate security standards. For instance, the PSO may cite its compliance with other existing health care industry data security standards, such as the HIPAA Security Rule or NIST security standards,13 as appropriate.

An entity seeking listing as a PSO must also submit certifications that it will carry out the patient safety activity of "collecting PSWP", "in a standardized manner"14 "to the extent practical and appropriate" and of using PSWP in a manner that fosters a culture of safety (i.e., contributes to creating an environment that protects frank and full discussion of patient safety events) and gives feedback to providers in order to assist them in minimizing patient risk.15

There are two certifications required of all entities seeking listing that respectively involve a commitment to submitting an additional type of information during its PSO listing period. Within the 24-month period following initial listing, a PSO must submit a certification16 that it has entered into at least two bona fide contracts17 to provide PSO services. This same certification requirement also applies with respect to each subsequent 24 month period.18

In addition, if a PSO has or commences other relationships with any provider with whom it has a PSO contract, these additional relationships must be fully disclosed to the Secretary. Because the Patient Safety Act does not provide time limits for such disclosure, the Secretary will be using the time limits proposed in the NPRM, and any deficiencies in timeliness will trigger AHRQ's planned deficiency correction procedures detailed in the NPRM at sections 3.104 and 108.

The statute precludes a health insurance issuer or a component of a health insurance issuer from being listed as a PSO. Therefore, entities seeking to become PSOs must certify that they are not such organizations.

Additional relevant information may be requested by the Secretary beyond the signed certification forms only when deemed necessary to appropriately carry out Secretarial responsibilities under the Act. When a certification is determined to be complete or sufficient, the entity will be listed by the Secretary as a PSO and so notified.

AHRQ intends to review completed certifications promptly after receipt of a complete certification form and request for listing.

Return to Table of Contents
Continue to Next Section

 

AHRQAdvancing Excellence in Health Care
AHRQ footer - print version only