ECRI Institute Special Advisory, March 2008
The federal government has laid the groundwork for the first-ever national system for providers to voluntarily report medical errors, near misses, and other patient safety events to designated organizations while having some assurance that the information will be protected from legal discovery and kept confidential. More than just a reporting system, the program allows providers to seek expert help in understanding these patient safety events and in preventing their recurrence. Also, the program covers more than event data, extending to all “patient safety work product,” a term defined in the federal government’s proposal. The system’s framework is outlined in a notice of proposed rulemaking, issued by the Department of Health and Human Services (HHS) in the February 12 Federal Register. The long-awaited proposed rule—more than 70 pages of small text, of which 10 pages are the actual proposed rule—implements the Patient Safety and Quality Improvement Act of 2005 (PSQIA), signed into law by President Bush in July 2005.
Overview
The proposed rule describes the mechanism for certifying patient safety organizations (PSOs) and for allowing PSOs to receive and analyze patient safety work product (which includes information about adverse events, near misses, and quality-related data), as well as provide feedback to providers about the events—all in a protected legal environment. HHS outlines the intent of the PSO framework in the preamble to the proposed rule. To the extent practical and appropriate, HHS intends that the data will be collected in a standardized format so that it can be aggregated. By analyzing a large volume of information, PSOs may be able to detect patterns and common themes to explain the underlying causes of medical errors.
Providers have been reluctant to participate in efforts to pool data and share experiences because they can lose the peer review protections offered by many (but not all) states for certain activities within the organization. The proposed rule offers federal legal protections to enhance providers’ willingness to voluntarily report patient safety events to PSOs so that the PSOs can analyze the data and provide feedback and recommendations to improve patient safety. The American Hospital Association called the creation of PSOs, as outlined in the proposed rule, “one of the most important tools to spur safe patient care.”
HHS envisions a two-pronged approach to implement the voluntary reporting system. While HHS’s Agency for Healthcare Research and Quality (AHRQ) will certify PSOs and oversee their compliance with statutory and regulatory requirements, HHS’s Office for Civil Rights (OCR) will enforce the confidentiality protections of the law and levy civil monetary penalties of up to $10,000 against PSOs for each breach of PSQIA. AHRQ can also delist PSOs found not complying with the law.
HHS estimates as many as 50 to 100 organizations will be certified as PSOs within the three years following publication of the final rule, with 60% of hospitals nationwide participating in these activities. Many of these PSOs will be what HHS calls “component PSOs,” created as separate entities of larger organizations such as hospital systems or hospital associations. Given that HHS envisions some hospital systems creating their own PSOs to review their patient safety events within the framework of the law’s legal protections, the proposed rule establishes firewalls to keep the activities of the component PSO separate and distinct from the larger organization.
Health insurers (including health maintenance organizations), accrediting organizations, and other entities with regulatory oversight of providers may not become PSOs. As written, however, the proposed rule would allow accrediting organizations and regulatory entities—but not health insurers—to establish subsidiary entities that themselves may become component PSOs. Public disclosure requirements in the proposed rule would enable providers to identify the component PSO’s owner or controlling organization.
There is no federal funding for PSOs; instead, a PSO could be self-funded, funded by its parent organization, or funded by fees charged to providers for its services.
The proposed rule defines providers broadly to include hospitals, nursing facilities, ambulatory surgical centers, physicians and their practices, clinical laboratories, home health agencies, and more. Except for hospitals, many of these providers have not benefited from state peer review protections and will benefit from the federal protections of PSQIA. Nevertheless, AHRQ predicts that hospitals will be the “predominant” type of provider initially interested in working with PSOs.
PSOs do not have the authority to require providers to adopt their patient safety recommendations; it is up to providers to make the suggested patient safety improvements. Nevertheless, HHS predicts that PSOs may be able to reduce preventable adverse events by between 1% and 3% within the first five years of operation.
Comments on the proposed rule are due by April 14, 2008. The department seeks comments on 47 questions, some of which are listed in Questions to Consider about PSO Proposed Rule. Although HHS has been vague about when a final rule may be published—other than to say it will move as “rapidly as possible”—others predict that a final rule will be issued by the end of the current administration in January 2009. In the meantime, providers should review the proposed rule—knowing that there could be changes in the final version—and consider the following: whether they have a structure in place to work with PSOs, whether they plan to work with external PSOs, and whether they want to establish a component PSO within their own organization. In preparation for these efforts, this Special Advisory helps providers review the provisions of the proposed rule and its impact on their operations. Remember, however, that there still could be some fine-tuning of the provisions in the final rule and that some of the information in this Special Advisory could change once the rule is finalized.
In addition to issuing this Special Advisory, ECRI Institute will sponsor a free audio conference on the rule on March 31, 2008, at 1 p.m. Eastern Time. A recording of the conference will also be available for free download from ECRI Institute’s Web site at www.ecri.org/pso. See About ECRI Institute for more information about the organization.
What Is a Patient Safety Organization?
A PSO is a public or private organization with expertise to analyze the risks and hazards in patient care and to make recommendations to improve healthcare quality and patient safety. PSOs must be certified as such by HHS; no PSOs will be certified until final regulations are issued. To encourage the creation of PSOs, HHS proposes that the process of becoming a PSO be relatively simple, while letting the marketplace decide which PSOs are effective. The organization completes a form, attesting that it meets 15 requirements for certification as a PSO. The 15 requirements are broken down into 8 patient safety activities and 7 operational activities (see Proposed Certification Requirements for PSOs for a discussion of these requirements). The certification form, which HHS has not yet developed,* will be publicly available along with other materials so that providers can evaluate and choose a PSO (see Publicly Available Information on PSOs Lets Marketplace Decide for a discussion of publicly available information on PSOs). Conceivably, a PSO could cover all types of patient safety events or focus on a particular area such as surgical or obstetrical events.
_______________
* HHS issued a notice in the February 20, 2008, Federal Register describing the forms that it intends to issue to implement the PSQIA.
_______________
There is no requirement that providers work with PSOs; the entire reporting system is voluntary. Nevertheless, providers are already asking whether their Medicare and Medicaid reimbursement or payments from other payers could eventually be conditioned on establishing a relationship with a PSO. At this point, however, there is no such mandate.
PSOs are certified by HHS for three years. Within 24 months of its initial listing, the PSO must enter into at least two contracts with providers lasting “for a reasonable period of time,” according to the proposed rule. The intent of this provision is to prevent a provider such as a hospital from becoming a PSO solely to review its own patient safety activities. Nevertheless, it appears as though a hospital could create a component PSO that enters into separate contracts with the hospital and an affiliated home health agency to meet the two-contract restriction. Similarly, a health system could create a component PSO and enter into separate contracts with its affiliated hospitals. A parent of a health system is included within the definition of provider and, thus, could enter into a contract with a PSO on behalf of the hospitals it covers.
The law establishing PSOs does not require providers to enter into contracts with PSOs; however, HHS advises providers to follow this approach to obtain “clear evidence” that the necessary requirements have been met for the application of the confidentiality and privilege protections of the law. “Contracts offer providers greater certainty that a provider’s claim to these statutory protections will be sustained, if challenged,” the proposal states. Additionally, providers can use the contracts to specify even stricter requirements for the PSO, such as greater confidentiality protections than those outlined by law. PSOs must also enter into business associate agreements with providers, as required by the privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA), to receive protected health information from providers.
Within 45 days of entering into a contract with a provider, the PSO must disclose information about this relationship to HHS so that the information can be made publicly available. In addition to the contract it may have with the provider to review patient safety work product under the protections of the law, the PSO must “fully disclose” any other contractual, financial, or reporting relationships that it has with the provider. The PSO is required to disclose when it is not managed independently from, not controlled independently from, or not operated independently from any provider that contracts with the entity. The intent of the provision is to give HHS and the public information regarding the ability of the PSO to provide fair and accurate services. For example, a hospital would have sufficient information to know that it is not entering into a contract with a PSO or component PSO established by a nearby competing hospital.
Security
PSOs must also follow security requirements when handling providers’ confidential patient safety data and information, referred to as “patient safety work product.” There are four elements to a PSO’s security framework as follows:
- Security management, such as policies and procedures to protect the confidentiality of patient safety information provided to the PSO
- Separation of systems to ensure patient safety work product is separate from any other system or records
- Security monitoring and control, addressing such issues as who is authorized to have access to the system
- System assessment
When evaluating whether to work with a particular PSO, providers should assess the PSO’s security measures by asking about written policies and procedures for security management, measures to periodically assess security risks and controls, and training of PSO workforce and contractors to ensure confidentiality and security of patient safety work product. Additional questions for evaluating PSOs are listed in Questions to Ask a Patient Safety Organization.
Reports and Recommendations
Although it is just a guess, HHS’s proposed rule assumes that hospitals will report about one patient safety event (including a near miss) per bed, per month. As part of PSQIA and the proposed rule, PSOs must provide direct feedback and assistance to providers to effectively minimize patient risk. In other words, the law and the proposed rule were purposely designed to preclude PSOs from being established simply to provide legal protections for patient safety work product without providers receiving the benefit of the analysis and patient safety recommendations derived from the intended information sharing. Any recommendations that the PSO develops for the provider after analysis of the event or information remain protected.
The provider can choose to adopt or reject the recommendations or can implement some or all of them; there is no regulatory requirement for the provider to follow the PSO’s recommendations. The actual changes that the provider implements to improve patient care—including changes in organizational management, the care environment, or processes—are not protected. “In a practical sense, it would be virtually impossible to keep such changes confidential,” HHS remarks in the proposed rule. Legal experts speculate that these remedial actions may be protected by state law or applicable rules of evidence.
Aggregate Data
The proposed rule reiterates the law’s intent to encourage PSOs to aggregate data from multiple providers. By amassing a larger volume of data, a PSO may be able to detect event patterns that would not be apparent with data from just one provider. If the PSO participates in a larger network of patient safety databases, the de-identified data can also be used for national and regional analysis of patient safety events. AHRQ can also use the data analysis to make some findings public.
The proposed rule adopts several measures to permit aggregation to occur. First, HHS intends to give PSOs standardized formats for data collection so that data from different sources can be combined. HHS expects to publish the first version of the common format for public comment by July or August and will continue to update the information as needed. This format will provide, for example, common definitions for patient safety events. HHS proposes that compliance with the common format (to the extent practical and appropriate) be a requirement for PSO certification and seeks comment on this suggestion.
Second, the proposed rule permits PSOs to share data with other PSOs or other providers reporting to the PSO as long as they remove any identifiers of a particular provider or reporter from data in the patient safety work product to be shared. This means removing such identifiers as names, addresses, telephone and fax numbers, e-mail addresses, Social Security numbers, provider credentialing numbers, national provider identification numbers, certificate and license numbers, Web addresses, Internet protocol address numbers, biometric identifiers such as finger and voice prints, and full-face photographs. PSOs’ use and disclosure of protected health information is governed by HIPAA privacy rules.
Component PSO
The proposed rule, consistent with the intent of PSQIA, envisions that some hospitals, health systems, nursing homes, and other providers will establish their own PSOs to review their patient safety events in a protected legal environment. Other organizations such as hospital associations or professional societies could establish a PSO for their member institutions to report patient safety events. Providers and other organizations are able to accomplish this because of the rule’s creation of the concept of a component PSO, which can function as a separate entity of the organization as long as certain firewalls exist between the two. In addition to meeting the 15 certification requirements for PSOs, a component PSO must meet 3 other requirements to maintain a firewall as follows:
- Separate its patient safety work product from the rest of the parent organization. This provision includes having separate computer information systems.
- Require that members of its workforce or other contractor staff not be engaged in work for the parent organization that could be informed or influenced by individuals’ knowledge of identifiable patient safety work product submitted to the component PSO.
- Ensure that the mission of the component PSO does not create a conflict of interest with the parent organization.
Because one of the 15 certification requirements for PSOs is to publicly disclose its parent organization (see Publicly Available Information on PSOs Lets Marketplace Decide), HHS relies on such “transparency” to allow providers to determine whether the organizational affiliation of a component PSO is a concern. Although the proposed rule allows accrediting organizations and regulatory entities to create component PSOs, HHS asks for comment on this provision.
What Is Patient Safety Work Product?
The legal protections that the PSQIA offers providers are linked to the concept of patient safety work product. Indeed, the federal privilege and confidentiality protections apply to any qualifying information that is assembled and developed by the provider for the purpose of reporting to a PSO and is reported to the PSO as patient safety work product. The PSO’s analysis and recommendations are also considered patient safety work product. The information must be collected and analyzed within the context of a patient safety evaluation system to benefit from federal protections. These protections apply to the patient safety evaluation system’s deliberations and analysis whether or not the provider reports the patient safety work product to a PSO (see Patient Safety Evaluation System: Core Concept for Privilege and Confidentiality Protections for more information). However, the underlying information used for the deliberations is only protected when it is reported to a PSO.
To illustrate this concept of protection, HHS uses the example of a list of near misses occurring at a hospital over a 30-day period. The hospital reviews the list within the context of a patient safety evaluation system to decide whether to report any or part of the list to a PSO. This review and analysis has federal legal protections under PSQIA. The unprotected status of the list itself does not change just because the deliberations take place, says HHS. The list does become protected if it is reported to the PSO.
Patient safety work product includes data, reports, records, memoranda, analyses (such as root cause analyses), and written or oral statements that could be used to understand patient safety events and prevent them from recurring. Recommendations to prevent patient safety events—developed by either the PSO or within the patient safety evaluation system—are also protected.
Patient safety work product excludes a patient’s original medical record, billing and discharge information, or any other original patient or provider information. This exclusion includes any information collected or developed for a purpose other than reporting to a PSO. By way of example, HHS explains in the preamble to the proposed rule that copies of such information as an incident report can be provided to a PSO with legal protections in place, but the original incident report used for internal quality assurance or risk management purposes is not protected by the federal protections offered under the PSQIA. Depending on state law, however, other protections may still apply.
Additionally, any data collected for external reporting is not considered patient safety work product and would not receive additional federal protections under PSQIA. Of course, existing federal and state protections for these types of reports would remain. This includes information collected to comply with state incident reporting, U.S. Food and Drug Administration adverse drug event and medical device reporting, state certification and licensing of medical professionals, National Practitioner Data Bank reporting of practitioner disciplinary actions, and disclosure of particular providers or suppliers required by the Medicare program’s conditions of participation.
Permissible Disclosure of Patient Safety Work Product
While patient safety work product is given federal privilege and confidentiality protections, there are exceptions allowing the disclosure of this information. Nevertheless, the recipient of the information must adhere to the same confidentiality provisions as the original recipient of the work product. The exceptions for disclosure are as follows:
- Disclosure of patient safety work product for use in criminal proceedings after a court makes an in camera determination that the material is relevant and “not reasonably available from any other source.”
- Disclosure of patient safety work product to carry out “equitable relief” for an employee who reported information in “good faith”—much like a whistleblower—to a PSO directly or to a provider for intended disclosure to a PSO but is subject to an adverse employment action because of the report.
- Disclosure of patient safety work product if authorized by each provider identified in the work product. HHS proposes that the disclosing entity retain a record of the authorization for six years.
- Disclosure of patient safety work product when information about particular providers or particular reporters is nonidentifiable.
- Disclosure between a provider and a PSO, disclosure to a contractor of a PSO or provider when the contractor is involved in the patient safety activities, or disclosure by a PSO to another PSO or by a provider to another provider—as long as direct identifiers of any providers are removed.
- Disclosure to individuals conducting research that is funded, certified, or otherwise sanctioned by the HHS secretary.
- Disclosure to FDA concerning an FDA-regulated product or disclosure to FDA or to another entity for required reporting about the quality, safety, or effectiveness of an FDA-regulated product.
- Voluntary disclosure by a provider of patient safety work product that identifies the provider to an organization accrediting the provider. The accrediting body may not require the provider to reveal its communications with any PSO.
- Disclosure to the provider’s or PSO’s lawyer, accountant, or other professional for conducting business operations.
- Disclosure to law enforcement authorities relating to an event that constitutes a crime or that the disclosing person “reasonably believes” constitutes a crime.
- Disclosure to the secretary of HHS for the secretary to conduct compliance reviews and investigations of a PSO’s adherence to PSQIA and its confidentiality measures.
The proposed rule also creates what it calls a “narrow safe harbor” for “harmless” mistakes in disclosing patient safety work product as long as no information is disclosed to assess the quality of care or actions of an identifiable provider. These are likely to be inadvertent disclosures, says HHS. This safe harbor only applies to providers and their responsible parties, such as employees—not to PSOs.
How Is the Law Enforced?
OCR’s enforcement of PSQIA closely matches its approach to enforcing the privacy provisions of HIPAA. As such, OCR will investigate written complaints of confidentiality breaches and, if noncompliance is found, attempt to resolve the matter by informal means. Separately, HHS will conduct spot checks of PSOs to assess compliance and, if noncompliance is found, try to resolve the issue in a similar manner. Complaints and compliance reviews are not disclosed to the public.
PSOs and providers found to disclose identifiable patient safety work product in a “knowing or reckless” violation of the law’s confidentiality provisions could be subject to civil monetary penalties of up to $10,000 for each violation. As an example of a reckless disclosure, HHS describes leaving a laptop with identifiable patient safety work product displayed on the screen unattended in a public area. “Such a situation would be reckless because it would create a substantial risk of disclosure of the information displayed on the laptop screen.” The person leaving the laptop could be liable for civil monetary penalties. Additionally, the person’s employer or “principal”—such as a provider or PSO—could be separately liable for the same reckless action.
A person or principal who is fined for a confidentiality violation may contest the penalty by requesting an administrative hearing. If a hearing is not requested, HHS will impose the penalty and disclose to the public that the penalty was imposed and the reason for it. HHS will not levy an additional civil monetary penalty under HIPAA privacy rules for the same confidentiality breach.
In Conclusion
One of the most debated aspects of the proposed rule concerns how participation in the federal reporting system would affect providers’ state peer review privileges. Providers can expect extensive comment on these and other matters as the healthcare sector weighs in on HHS’s proposed rule. In the meantime, ECRI Institute recommends that providers review the rule, consider how they could establish patient safety evaluation systems, evaluate whether to become a component PSO or to develop a working relationship with a PSO, consider the criteria necessary in selecting a PSO (see Questions to Ask a Patient Safety Organization), and of course, submit comments to HHS on the proposal.
AHRQ has created a Web site for sharing information about PSOs at www.pso.ahrq.gov. Providers should review the information on the Web site and periodically check back for updates. AHRQ may provide additional technical guidance to PSOs as needed and even envisions holding an annual meeting of PSOs once the voluntary reporting system is in effect.
References
American Hospital Association. Statement on HHS' proposal to establish patient safety organizations [statement online]. 2008 Feb 12 [cited 2008 Mar 9]. Available from Internet: http://www.aha.org/aha/press-release/2008/080212-st-pso.html.
Department of Health and Human Services. Agency information collection activities: proposed collection; comment request [notice online]. 2008 Feb 20 [cited 2008 Mar 17]. Available from Internet: http://a257.g.akamaitech.net/7/257/2422/01jan20081800/edocket.access.gpo.gov/2008/08-757.htm.
Department of Health and Human Services. Patient safety and quality improvement [proposed rule online]. 2008 Feb 12 [cited 2008 Mar 9]. Available from Internet: http://www.regulations.gov/fdmspublic/ContentViewer?objectId=09000064803acce8&disposition=attachment&contentType=html.
Patient Safety and Quality Improvement Act of 2005. [public law online]. 2005 Jul 29 [cited 2008 Mar 9]. Available from Internet: http://www.pso.ahrq.gov/statute/pl109-41.htm.
Questions to Consider about PSO Proposed Rule
The federal government is seeking comment on specific issues in its proposed rule establishing the framework for hospitals, physicians, and other providers to voluntarily report information about medical errors and other patient safety events to patient safety organizations (PSOs). In fact, there are 47 questions that the Department of Health and Human Services (HHS) asks those commenting on the proposed rule to address. Comments are due to HHS no later than April 14, 2008. Some of the 47 questions of interest to hospitals, physicians, and other providers are listed below. The complete list of questions is available from the Agency for Healthcare Research and Quality’s (AHRQ’s) PSO Web site at http://www.pso.ahrq.gov/rulemaking/nprm.htm.
- Should the regulation require documentation of a provider’s patient safety evaluation system?
- Should a short period of protection be provided to information assembled for reporting, but not yet reported to a PSO? If so, what is the appropriate time limit for the protection and should the protection be conditioned on a demonstrated intent to report the assembled information?
- Should PSOs be required to notify providers when patient safety work product is impermissibly disclosed or a security breach occurs?
- Should a component PSO be able to contract with a unit of its parent organization for services involving patient safety work product? If so, what restrictions are appropriate or necessary?
- What information should be posted on AHRQ’s PSO Web site to assist PSOs and providers?
- Have the most significant security issues been identified in the security framework that PSOs must address?
- Should HHS take additional steps to ensure providers receive notice when a PSO is delisted other than a posting on its PSO Web site and publishing a notice in the Federal Register?
- Does the regulation sufficiently protect the confidentiality interests of reporters and patients identified in patient safety work product when providers authorize a disclosure?
- Should the regulation include a more stringent standard for disclosures made based on a provider’s authorization?
- Does the proposal permit legitimate law enforcement disclosures of patient safety work product when balanced against the statutory protections?
About ECRI Institute
ECRI Institute is an independent nonprofit dedicated to bringing the discipline of applied scientific research to enable providers to improve patient care. For nearly 40 years, ECRI Institute has operated a voluntary medical device problem reporting system used by hospitals and other providers around the world, and it operates other broad patient safety and reporting systems for public and private entities. ECRI Institute has gained the trust of individuals and institutions reporting problems to us because the name of the reporting individual or institution is never revealed without permission, and we are vigilant about protecting the information from public disclosure. We have a long history of investigating events and publishing authoritative risk-reduction strategies. In addition, ECRI Institute has developed and manages the Pennsylvania Patient Safety Reporting System, a mandatory error and near-miss reporting program for Pennsylvania hospitals and other healthcare facilities, under contract to the Pennsylvania Patient Safety Authority. ECRI Institute is designated a Collaborating Center for Patient Safety, Risk Management, and Healthcare Technology by the World Health Organization and an Evidence-based Practice Center by the U.S. Agency for Healthcare Research and Quality.
ECRI Institute anticipates becoming federally certified as a patient safety organization (PSO) and is reviewing the proposed rule establishing a framework for PSOs. ECRI Institute will submit comments to the Department of Health and Human Services on its proposed rule. As a PSO, ECRI Institute can provide healthcare providers with data collection and analytics, culture-of-safety recommendations, best practices and advisories, and more.
Proposed Certification Requirements for PSOs
To be certified as a patient safety organization (PSO) by the Agency for Healthcare Research and Quality, a PSO must meet 15 requirements—eight involving its patient safety activities and seven involving its operations—according to the federal government’s proposed rule establishing a framework for PSOs. A component PSO, which is a separate entity within an organization established to do PSO work, must meet three additional requirements as discussed in the Special Advisory. The 15 requirements for PSOs (which could be modified in the final rule) are listed below.
Patient Safety Activities
- Support efforts to improve patient safety and quality of healthcare delivery
- Collect and analyze patient safety work product*
- Develop and disseminate information to improve patient safety
- Use patient safety work product to encourage a culture of safety and to provide feedback and assistance to minimize patient risk
- Follow procedures to preserve confidentiality with respect to patient safety work product
- Maintain adequate security measures with respect to patient safety work product
- Use qualified staff
- Maintain activities to support the provider’s patient safety evaluation system** and provide feedback to its participants
Operational Activities
- Ensure mission and primary activity of PSO is to conduct activities to improve patient safety and quality of care
- Use appropriately qualified staff, including licensed or certified medical professionals
- Within the 24-month period after initial listing as a PSO and within each sequential 24-month period thereafter, have at least two contracts with different providers for a reasonable period of time to receive and review patient safety work product
- Demonstrate that PSO is not a health insurer or a component of a health insurer
- Make disclosures to the Department of Health and Human Services of the PSO’s contracts and PSO’s relationship with contracting providers
- Collect patient safety work product in a standardized manner to permit valid comparisons of similar cases among similar providers
- Use patient safety work product to provide direct feedback and assistance to providers to minimize patient risk
_______________
* Patient safety work product includes: (1) data, reports, and analyses that are assembled or developed by a provider for reporting to a PSO and are reported to a PSO; (2) information developed by a PSO for the conduct of patient safety activities; and (3) deliberations or analyses of information by a provider within its patient safety evaluation system or information that identifies reporting pursuant to a patient safety evaluation system.
** A patient safety evaluation system is a structure for providers to collect and analyze information about patient safety events to determine whether to report the information to a PSO. The deliberations and analyses within the system are confidential and privileged. Likewise, PSOs must conduct their analysis and reporting back to providers within a patient safety evaluation system to receive federal protections.
Publicly Available Information on PSOs Lets Marketplace Decide
The Department of Health and Human Services (HHS) is letting the marketplace (i.e., providers) select the most effective patient safety organizations (PSOs) to analyze and provide feedback on providers’ patient safety events. HHS’s proposed rule for a voluntary error reporting system involving PSOs creates some measures for providers to access publicly available information about PSOs to evaluate them. Although HHS says it will conduct “spotchecks” of 5% to 10% of PSOs every year to assess compliance, the proposed rule states that the “marketplace” will be the “principal arbiter of the capabilities of each PSO.” HHS can also delist noncompliant PSOs and levy financial penalties for “knowing or reckless” confidentiality breaches, but much of the responsibility for evaluating PSOs rests with providers.
The proposed rule suggests that the following information about PSOs be publicly available to assist providers in selecting a PSO to review their data on patient safety events:
- PSO certification form, including effective date of listing
- Confirmation that PSO has at least two contracts with providers
- Disclosure of any contractual, financial, or reporting relationships with contracting providers
- Disclosure of a contracting provider’s management control of a PSO
- HHS findings regarding PSO disclosure statements and whether findings warrant action about PSO’s listing
- Any conditions placed on the PSO’s listing by HHS
- Notice of PSO delisting, either as decided by HHS for “cause” or as voluntarily requested by the PSO
- Final determination to impose civil monetary penalties on a PSO
Questions to Ask a Patient Safety Organization
Although the Department of Health and Human Services’ (HHS) rule creating patient safety organizations (PSOs) is not yet final, providers that plan to work with these new entities to review patient safety events should begin developing a list of qualifications for the PSO. Once certified by HHS, PSOs will be able to collect, aggregate, and analyze data and provide feedback to providers to improve healthcare quality and safety. The questions listed below are intended to help providers develop their qualifications for PSOs, although these questions may require modification once the final rule is published.
- Is the PSO certified by HHS’s Agency for Healthcare Research and Quality?
- How long has the PSO been certified?
- Does the PSO understand the intent and purpose of the Patient Safety and Quality Improvement Act?
- What is the PSO’s reputation with its clients?
- Is the PSO regarded as credible and trustworthy?
- What is the PSO’s understanding of the provider environment and the implications that its various patient safety recommendations may have for providers?
- Does the PSO provide opportunities for providers to review and discuss data submitted to the PSO and to ask questions about feedback given to the provider?
- What is the PSO’s experience in analyzing patient safety events?
- What approaches does the PSO use for its analysis?
- Does the PSO enter into written contracts with its providers?
- Who are the PSO’s contracting providers?
- Is the PSO a component of another organization?
- What organization controls the component PSO?
- Does the controlling organization present any potential conflicts for the provider considering a working relationship with the PSO?
- How is the provider’s patient safety work product reported to the PSO?
- What measures are in place to protect the confidentiality of identifiable information in the patient safety work product?
- Is the process for data submission convenient and straightforward for providers?
- Does the PSO intend to aggregate de-identified data to share with other PSOs?
- Has the PSO been fined for violations of the confidentiality provisions of the Patient Safety and Quality Improvement Act or of the privacy provisions of the Health Insurance Portability and Accountability Act?
Patient Safety Evaluation System: Core Concept for Privilege and Confidentiality Protections
The so-called “patient safety evaluation system” is a core concept of the Department of Health and Human Services’ (HHS) proposed rule establishing a process for hospitals, doctors, and other providers to voluntarily submit data about patient safety events to patient safety organizations (PSOs). The provider’s deliberations and analysis of the event within the framework of the patient safety evaluation system are protected from discovery and will be considered confidential—whether or not the provider ultimately decides to submit the data to a PSO. PSOs must also conduct their analysis and reporting back to providers within a patient safety evaluation system to receive federal protections. Providers should note, however, that much of the underlying information used for the analysis and deliberations does not become protected until it is reported to the PSO.
Legal experts say the proposed framework for a patient safety evaluation system offers providers an opportunity to restructure their deliberations about medical errors, near misses, and other patient safety events to benefit from the confidentiality and privilege protections offered by the Patient Safety and Quality Improvement Act of 2005 (PSQIA), the federal law implementing PSOs. These protections may be particularly important to providers in states where such protections are currently limited.
Although HHS does not require providers to “formally . . . identify or define” a patient safety evaluation system, they may find it in their own interest to do so. Because the statute requires providers to continue to meet existing statutory and regulatory requirements for accountability and external reporting with information that is not protected by PSQIA, providers will need to very carefully assess their current patient safety and quality improvement activities in light of the proposed structure outlined in the proposal. What activities does a provider currently conduct that could be part of a patient safety evaluation system? What activities must remain outside the system so that the provider can continue to meet its external reporting obligations with information that is not protected?
Of course, for federal protections to apply to the patient safety evaluation system’s work, it is likely that the provider must have a relationship with a PSO. HHS suggests that “certain indicia” be in place such as the following: Does the provider have a contract with a PSO? Is the process for the patient safety evaluation system documented? Did the provider report its deliberations and the underlying information to the PSO?
The proposed rule suggests that providers address the following elements of a patient safety evaluation system:
- How does information enter the patient safety evaluation system?
- What processes, activities, physical space, and equipment comprise or are used by the patient safety evaluation system?
- Which personnel or categories of personnel need access to patient safety work product to carry out their duties involving operation of the patient safety evaluation system?
- What type of patient safety work product does each person or category of persons need in order to carry out their duties?
- What conditions are in place to ensure appropriate access?
- What procedures or mechanisms are used by the patient safety evaluation system to report information to a PSO or to disseminate information outside the patient safety evaluation system?
In its proposed rule, HHS comments on the significance of a documented patient safety evaluation system for ensuring legal protections. Although not required, documentation will be an important process for providers to follow. By documenting the process for the patient safety evaluation system, providers and PSOs “will have substantial proof to support claims of privilege and confidentiality when resisting requests for production of, or subpoenas for, information constituting patient safety work product or when making requests for protective orders against requests or subpoenas for such patient safety work product. Documentation of a patient safety evaluation system will enable a provider or PSO to provide supportive evidence to a court when claiming privilege protections for patient safety work product. This may be particularly critical since the same activities can be done inside and outside of a patient safety evaluation system.”