PSO Common Terms and Acronyms
Issued March 2017
[Note: Terms used in the Patient Safety Act or Rule are summarized here solely for convenience and may be defined in the statute or rule. You should always rely on the actual definition when making any determination. The following documents are available: the Patient Safety and Quality Improvement Act, the Patient Safety Rule Notice of Proposed Rulemaking and Final Rule, and the Patient Safety Guidance documents.]
Affiliated Provider – With respect to a provider, an affiliated provider is a legally separate provider that is: (1) the parent organization of the provider, (2) under common ownership, management, or control as the provider, or (3) owned, managed, or controlled by the provider. See the definition in section 3.20 of the rule. For additional information on affiliated providers and how to apply the term, please see the AHRQ guide titled: "Guides for PSOs and Providers for Determining Parent Organizations and Affiliated Providers" (PDF, 942 KB).
Agency for Healthcare Research and Quality (AHRQ) – AHRQ is one of 11 operating divisions of the HHS and is responsible for administration and enforcement of the PSO listing process. The AHRQ Director reports directly to the HHS Secretary.
Anonymized Patient Safety Work Product – The term anonymized PSWP describes identifiable PSWP for which certain direct identifiers have been removed as described at 42 CFR 3.206(b)(4)(iv)(A) and (B). The term is used in preamble language, and not the regulatory text, to refer to PSWP that may be disclosed for the conduct of patient safety activities by: (1) a provider to another provider; (2) a PSO to another PSO; or (3) a PSO to providers reporting to the PSO pursuant to 42 CFR 3.206(b)(4)(iv).
Authorized Official – The authorized official is an individual designated by the entity seeking listing as a PSO, who has authority to make commitments on behalf of the entity. When the entity seeking listing or PSO seeks initial or continued listing, the Authorized Official is required to: submit contact information; make certain attestation and certifications demonstrating that the entity is eligible for listing as a PSO; attest that the PSO will notify AHRQ if the PSO can no longer meet its attestations or requirements or if there are any changes to the information the entity submitted for listing; and, provide any other information necessary to make a listing determination. Section 3.102(a)(1) provides further details. See the guide, "What is the Role of the PSO Authorized Official" (PDF, 466 KB).
Bona Fide Contract – A bona fide contract is a written contract between a PSO and a provider that is executed in good faith by officials authorized to execute such contract. For agreements between a Federal, State, local, or Tribal provider and a Federal, State, local, or Tribal PSO, a bona fide contract can also be a written agreement, such as a memorandum of understanding or equivalent recording of mutual commitments. Note that in addition to meeting the definition of a bona fide contract, there are additional conditions that must be satisfied in order for a PSO to meet its two contract requirement in every 24‐month period. See the definition of bona fide contract in section 3.20. The two‐contract requirement is described at section 3.102(b)(2)(i)(C) of the rule.
Business Associate Agreement (BAA) – A written contract or agreement between a HIPAA covered entity and its business associate that clarifies and limits, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate, and to ensure that the business associate will appropriately safeguard protected health information. Generally, a PSO that receives PSWP that contains PHI from a covered entity must have a business associate agreement with the covered entity. A business associate agreement must contain the elements specified at 45 CFR 164.504(e). For more information, see the OCR website.
Center for Quality Improvement and Patient Safety (CQuIPS) – CQuIPS is the home of the PSO Program Office, which administers the PSO‐related provisions of the Patient Safety Act. CQuIPS is one of 4 centers and 4 offices that comprise AHRQ.
Common Formats – Common Formats is the generic term for the standardized reporting formats, using common language and definitions that AHRQ is developing for reporting safety concerns from a variety of healthcare settings and throughout the quality improvement cycle. Common Formats will allow aggregation of comparable data at local, PSO, regional, and national levels. For more information, see the PSOPPC website. Common formats are discussed in the Patient Safety Act at 42 USC 299b‐23(b).
Component Organization – The Patient Safety Rule defines a component organization as a unit or division of a legal entity or an entity that is owned, managed, or controlled by one or more legally separate parent organizations (e.g., a subsidiary of an organization would be considered a component organization under the rule). It may be helpful to review the definition of component organization in conjunction with the definition of parent organization; they can be found in section 3.20 of the rule. For additional information on determining parent organizations and how to apply the term, please see the AHRQ guide titled: "Guides for PSOs and Providers for Determining Parent Organizations and Affiliated Providers" (PDF, 942 KB).
Confidentiality Protections – The Patient Safety Act provides confidentiality protections for PSWP at 42 U.S.C. 299b22(b). The confidentiality protections are incorporated into the Patient Safety Rule in Subpart C at section 3.206(a). In addition to reviewing Subpart C of the rule, it may be helpful to review the definitions of disclosure and affiliated provider in section 3.20.
Continued Listing – PSOs are listed for 3‐year renewable periods. All periods after the initial 3‐year period of listing are referred to as periods of continued listing.
Continued Protection – With few exceptions, PSWP that is disclosed to another individual or entity, permissibly or not, remains confidential and privileged in the possession of the recipient. Section 3.208 of the Patient Safety Rule describes the continued privilege and confidentiality requirements and the exceptions to continued confidentiality and privilege protection.
Contractor – The Patient Safety Rule permits a PSO or provider to disclose identifiable PSWP to its contractor to undertake patient safety activities on its behalf. See 42 CFR 3.206(b)(4)(ii).
Copy – The Patient Safety Rule refers to the term “copy” in two ways in the definition of PSWP. First, when information meets all of the applicable requirements of the definition of PSWP, any copy of the PSWP is also privileged and confidential. Second, if information is not eligible for protection as PSWP (e.g., it is from the medical record or a report sent to regulatory authorities), the provider can still send a copy of the information to its PSO. While, if the pertinent Patient Safety Rule requirements are met, the copy in the PSES is protected, that protection does not apply to the original information that exists elsewhere (e.g., the medical record or the copy held by the regulator).
Culture of Safety – A culture of safety encompasses: a blame‐free environment where individuals are able to report errors or near misses without fear of reprimand or punishment; a culture that encourages collaboration across ranks and disciplines to seek solutions to patient safety problems; and, an organizational commitment of resources to address safety concerns.
Date of Initial Listing – The date and time that a PSO’s initial period of listing becomes effective. Listing is for renewable 3‐year periods. This date will be used as the starting point for calculating the successive 24‐month periods in which a PSO must report compliance with the two contract requirement, and it will be the basis for calculating subsequent 3 year periods of continued listing.
De‐identification – De‐identification is the term used for removing identifiers in protected health information (PHI) pursuant to the HIPAA Privacy Rule. The standard is found at 45 CFR 164.514. For more information, see the OCR website.
Deficiency – A deficiency is the term used by the Patient Safety Rule to describe a situation in which a PSO is not in compliance with a requirement of the Patient Safety Rule or the Patient Safety Act. A PSO is required to correct a deficiency to remain listed as a PSO. See section 3.108 of the rule.
Disclosure of Patient Safety Work Product – The Patient Safety Rule governs disclosure of PSWP from an entity or a person holding PSWP to another legally separate entity or person (who is not a member of the workforce of, or a provider holding privileges with, the entity holding PSWP). The rule also regulates disclosures to a person or entity outside a component PSO. Disclosures are only permissible if there is an applicable disclosure permission in the Patient Safety Rule. For a better understanding of what constitutes a disclosure under the Patient Safety Rule, what disclosures are permissible, and the distinction between a use and disclosure of PSWP, review the definitions of disclosure and workforce in section 3.20 of the rule and the permissible disclosures (exceptions) listed in sections 3.204(b) and 3.206(b).
Disclosure Statements – The Patient Safety Rule requires a PSO to file a disclosure statement with AHRQ if the PSO has other relationships (specified in that section) with a provider with which it has a Patient Safety Act contract or if such relationships develop during the time a PSO has a Patient Safety Act contract with the provider. Consult section 3.102(d)(2) of the rule for specifics regarding the relationships that require disclosure, the substantive requirements of a disclosure statement, and the time frame for submission.
Drop‐Out – The Patient Safety Rule provides a limited opportunity for a provider to remove information that was PSWP from its PSES. The drop‐out provision can be used for any reason, provided that the information is eligible for drop out, including that the information that the provider had placed in its PSES has not been reported to a PSO and the provider documents the action and its date. Upon removal, the information is no longer PSWP and is not confidential or privileged under the Patient Safety Act. The drop‐out provision cannot be used if the information has been reported to a PSO, and it does not apply to information that describes or constitutes the deliberations or analyses of a PSES. The drop out provision is in paragraph (2)(ii) of the definition of PSWP in section 3.20 of the Patient Safety Rule.
Equitable Relief – The Patient Safety Act prohibits a provider from taking an adverse employment action (specified in the Act) against an individual based upon the fact that the individual in good faith reported information to the provider with the intention of having the information reported to a patient safety organization; or directly to a patient safety organization (42 U.S.C. 299b‐22(e)). Equitable relief refers to the relief that an individual may seek in a civil action to redress an adverse employment action that violates this prohibition (42 U.S.C. 299b‐22(f)(4)).
Excluded Entity –The Patient Safety Rule lists entities that are excluded from listing as a PSO. Consult section 3.102(a)(2) of the rule.
FDA‐Regulated Reporting Entity – This is an entity that is required by law to report information to the U.S. Food and Drug Administration. When a PSO is, or is organizationally related to, an FDA‐regulated reporting entity, the Patient Safety Guidance applies. The Guidance can be downloaded here: HHS Guidance Regarding Patient Safety Organizations' Reporting Obligations to the FDA (PDF, 0.4 MB)
HERF – Healthcare Event Reporting Form (HERF); it is one of 3 general forms of AHRQ’s Common Formats. This form is not available in versions after Hospital version 1.2. AHRQ Common Formats are available at the PSOPPC.
HHS – U.S. Department of Health and Human Services.
HIPAA – Health Insurance Portability and Accountability Act of 1996.
HIPAA Privacy Rule – The HIPAA Privacy Rule sets federal standards for the use and disclosure of individually identifiable health information, referred to as protected health information, held and maintained by covered entities, which are health plans, healthcare clearinghouses, and certain healthcare providers. Patient safety work product that contains protected health information (PHI) is subject to the requirements of the HIPAA Privacy Rule as well as the Patient Safety Rule. The HIPAA Security Rule may also apply. For more information, see the OCR website.
Identifiable Patient Safety Work Product – Identifiable PSWP is PSWP that: (1) is presented in a form and manner that: allows the identification of any provider that is a subject of the work product, or any providers that participate in, or are responsible for, activities that are a subject of the work product; (2) constitutes individually identifiable health information as that term is defined in the HIPAA Privacy Rule at 45 CFR 160.103; or (3) is presented in a form or manner that allows the identification of an individual who in good faith reported information directly to a PSO or to a provider with the intention of having the information reported to a PSO ("reporter"). Identifiable PSWP is confidential and privileged and may not be disclosed except as permitted by the Patient Safety Rule.
Listed PSO – A PSO that has submitted its certification submission and has had its submission accepted by AHRQ is deemed “listed” by AHRQ. The list of PSOs is available online here: Listed PSOs.
Network of Patient Safety Databases (NPSD) – The NPSD, required by the Patient Safety Act (42 U.S.C. 299b‐23), will receive, analyze, and report on non‐identifiable and aggregated patient safety event information. The goal of the NPSD is to facilitate aggregation and analyses of patient safety event information to help reduce adverse events and improve healthcare quality. AHRQ awards a contract for the operation of the NPSD.
Non‐identification – The process of removing identifiers in PSWP pursuant to the Patient Safety Rule’s standard at section 3.212 to render PSWP non‐identifiable. Generally, non‐identifiable PSWP is no longer privileged or confidential after being disclosed. The non‐identification standard incorporates and preserves the HIPAA de‐identification standard for application to patient information.
Notice of Proposed Rulemaking (NPRM) – An announcement of a proposed regulation, that includes the proposed rules and a preamble discussion of the proposed rules, which is published in the Federal Register for public comment. The Patient Safety NPRM was issued February 12, 2008 (73 FR 8112‐8183). After reviewing the public comments, HHS issued a final implementing regulation that governs PSOs and the confidentiality protections for PSWP. The final Patient Safety Rule was issued November 21, 2008 (73 FR 70732‐70814) and became effective on January 19, 2009. The NPRM and Final Rule can be downloaded.
Office for Civil Rights (OCR) – The Office for Civil Rights within HHS is responsible for administration and enforcement of the confidentiality provisions of the Patient Safety Act and for administration and enforcement of the HIPAA Privacy, Security, and Breach Notification Rules.
Parent Organization – An organization that: (1) owns a controlling interest or a majority interest in a component organization; (2) has the authority to control or manage agenda setting, project management, or day‐to‐day operations of a component organization; or (3) has the authority to review and override decisions of a component organization. The component organization may be a provider. It may be helpful to review the definition of parent organization in conjunction with the definition of component organization; they can be found in section 3.20 of the rule. For additional information on Parent Organizations and how to apply the term, please see the AHRQ guide titled: "Guides for PSOs and Providers for Determining Parent Organizations and Affiliated Providers" (PDF, 942 KB).
Patient Safety Act – The Patient Safety Act is an informal name of The Patient Safety and Quality Improvement Act of 2005 (P.L. 109‐41), 42 USC 299b et seq.
Patient Safety Activities (PSAs) – The Patient Safety Rule defines 8 patient safety activities; see section 3.20 of the rule for the list. An entity must attest that it has policies and procedures in place to perform all 8 PSAs at the time it seeks listing as a PSO.
Patient Safety Evaluation System (PSES) – The collection, management, or analysis of information for reporting to or by a PSO. A provider’s PSES is an important determinant of what can, and cannot, become PSWP. It may be helpful to read the definition of PSES in conjunction with the definition of PSWP; they can be found in section 3.20 of the rule.
Patient Safety Act Guidance – HHS issues guidance to describe or explain certain aspects of the Patient Safety Act and Rule. Guidance documents may be found at the AHRQ PSO Web site (www.pso.ahrq.gov).
Patient Safety Rule – The set of regulations at 42 CFR Part 3 that implement provisions of the Patient Safety Act.
Patient Safety Work Product (PSWP) – PSWP is the information that is privileged and confidential under the Patient Safety Rule. For details on what information can, and cannot, become PSWP, the applicable process and purpose requirements, and the important role of the provider’s patient safety evaluation system, see the definition of patient safety work product in section 3.20 of the rule. It may be helpful to read the definition of PSWP in conjunction with the definition of a patient safety evaluation system; they can be found in section 3.20 of the rule.
PIF – Patient Information Form (PIF); it is one of 3 general forms of AHRQ's Common Formats. This form is not available in versions after Hospital version 1.2. AHRQ Common Formats are available at the PSOPPC.
Patient Safety Organization Privacy Protection Center (PSOPPC) – AHRQ established a PSOPPC to provide support and assistance to PSOs for the contextual non‐identification of patient safety event data that is PSWP so that it can meet the confidentiality requirements for submission and information at the NPSD. AHRQ awards a contract for the operation of the PSOPPC and NPSD systems.
Privilege – The Patient Safety Act provides federal privilege protections for patient safety work product (PSWP) at 42 U.S.C. 299b‐22(a). The privilege protections are also included in the Patient Safety Rule for convenience and completeness (see section 3.204(a)); however, HHS does not have authority to enforce breaches of the privilege protections.
Provider – A provider means: (1) an individual or entity licensed or otherwise authorized under State law to provide healthcare services; and (2) a parent organization of one or more entities licensed or otherwise authorized under State law to provide healthcare services. The definition of provider in section 3.20 of the Patient Rule includes additional language specific to Federal, State, local, or Tribal governments. Consult the definition of provider in section 3.20 of the rule for the complete definition.
Revocation – Used in the Patient Safety Rule to refer to AHRQ revoking its acceptance of an entity’s certification submission for listing as a PSO for the entity’s failure to comply with the requirements of the rule or the Patient Safety Act. See section 3.108 of the rule.
SIR – Summary of Initial Report (SIR) Form; it is one of 3 general forms of AHRQ's Common Formats. This form is not available in versions after Hospital version 1.2. AHRQ Common Formats are available at the PSOPPC.
Use – The Patient Safety Rule does not generally regulate the use of PSWP within a legal entity by the workforce of, or providers holding privileges with, an entity holding PSWP. In the case of a component PSO, the rule does not regulate the use of PSWP within the component organization. By contrast, the rule regulates disclosures between separate legal entities, for which there must be an applicable disclosure permission in the rule. For a better understanding of use and disclosure, review the definitions of disclosure and workforce in section 3.20 and the permissible disclosures (exceptions to confidentiality) listed in section 3.206(b) of the rule.
Voluntary Relinquishment – The Patient Safety Rule permits a PSO to notify AHRQ that it wishes to relinquish its status as a PSO. The process is described in section 3.108(c) of the rule.
Workforce – For an individual to be considered a member of a PSO's or reporting provider’s workforce, the Patient Safety Rule requires that the individual’s work performance is under the direct control of the PSO or provider, whether or not the individual is paid. For the complete definition, see section 3.20 of the rule.
