On November 21, 2008, The U.S. Department of Health and Human Services (HHS) published a final rule (the Rule) implementing the Patient Safety and Quality Improvement Act of 2005 (PSQIA). Congress’ goal in enacting PSQIA was to create opportunities for providers to share patient safety information with independent entities, called patient safety organizations (PSOs), which can analyze and aggregate patient safety data from multiple providers and use it to identify patterns that suggest underlying causes of patient risks and hazards. To encourage providers to share potentially sensitive information, PSQIA made particular information shared with PSOs, known as patient safety work product (PSWP), both privileged and confidential. The Rule enacts the framework by which HHS will certify PSOs, clarifies the scope of privilege and confidentiality granted to PSWP, and describes how HHS will enforce compliance with these provisions. The Rule takes legal effect on January 19, 2009.
The Rule enacts a simple attestation procedure to become a PSO, and the Rule’s commentary expresses HHS’ intent not to limit the number or variety of PSOs. The Rule defers to the market to regulate the quality of PSO services. The Agency for Healthcare Research and Quality (AHRQ) oversees certification and listing, while the HHS Office for Civil Rights (OCR) oversees investigation and enforcement.
Generally, any private or public entity may become a PSO, subject to two restrictions. First, the entity must devote its primary activities to improving patient safety and quality of health care delivery. Hospitals or other providers may develop an independent organization to become a PSO if the organization’s primary activities are to improve patient safety and quality.
Second, the Rule excludes certain entities from becoming PSOs, including health insurers or components of a health insurer. In a departure from the proposed rule, however, the Rule clarifies that professional liability insurers, risk management service companies, reinsurers, and entities self-insuring their health care benefits are not subject to the broad exclusion applying to health insurance organizations. The Rule also prohibits the following entities from being PSOs:
- Entities that accredit or license health care providers
- Entities (or their agents) that oversee statutory or regulatory requirements applicable to health care
- Entities that operate a governmental patient safety reporting system to receive mandated adverse event reports (except if the reporting requirement only affects the entity’s workforce or practitioners who hold staff privileges)
However, components of these entities can be PSOs only if they adhere to specific additional requirements.
Process for Listing
Entities that seek initial or continued listing must submit a form that certifies to 15 requirements. Of the certifications, eight relate to the patient-safety activities the PSO must perform,1 and seven are criteria for becoming a PSO.2 PSOs that are components of another organization must make three additional certifications relating to the ability of the PSO to maintain separate, confidential PSWP and avoid conflicts of interest. Further requirements exist for PSOs that are components of excluded entities. Documentation is not required to support the certifications, but OCR may conduct unannounced spot checks of listed PSOs or investigate PSOs in response to complaints. Listing lasts for three years, and PSOs must reapply and recertify if they seek continued listing.
The Rule makes it easier for excluded entities to set up a PSO as a component. The originally proposed rule required component organizations to keep separate information systems from their parent organizations and precluded the use of shared staff. The Rule loosens these requirements to make it easier for hospitals or hospital systems to create a component and allows shared information systems so long as they do not permit unauthorized access to PSWP. Shared staff is permitted, except for components of entities that are excluded.
The Rule permits AHRQ to impose conditions on the listing of a PSO and to seek additional information if the entity that submits the certification has been delisted previously. Successful applicants are listed publicly for the duration of their listing.
Obligations of PSOs
Listed PSOs must meet two obligations to notify HHS during the term of their listing. First, a PSO must notify HHS within 45 days of the end of every 24-month period beginning with the date of its initial listing that it has fulfilled the requirement to have two contracts with different providers during the period. Second, a PSO must disclose all current financial, contractual, or reporting relationships with a provider with which it has a contract for patient safety activities, and explain the policies and procedures it has in place to ensure that patient safety activities are performed fairly and accurately.
The Rule also requires PSOs to adopt written policies and procedures to address the security of PSWP. Unlike the proposed rule, the Rule permits PSWP and non-PSWP to be co-located so long as the PSWP is distinguishable. The security requirements include training of the PSO workforce and contractors on policies and procedures regarding the confidentiality and security of PSWP. All PSWP must be secure, and the PSO must have sufficient control and monitoring programs to ensure that security is effective.
The Rule adopts a flexible approach to deal with instances of PSO non-compliance. While the OCR can ultimately delist a PSO, it first must provide the PSO with notice of the deficiency or deficiencies and an opportunity to correct it/them. The Rule also provides that, to the extent practical, the secretary of HHS (Secretary) will seek to obtain compliance cooperatively and may provide technical assistance to help the PSO achieve its goals. If an investigation indicates a violation, however, the Secretary has the authority to issue civil monetary penalties of up to $10,000 per violation.
An expedited revocation process is available for PSOs in narrowly defined situations: (1) when PSOs become excluded entities; (2) when PSOs that are components of excluded entities fail to comply with the requirements to keep PSWP separate; and (3) when adverse consequences could occur if the PSO were to remain listed. The delisting procedure provides the PSO with an opportunity to present a written response to a notice of revocation, but is not granted any rights of appeal once OCR determines delisting is warranted.
Privilege and Confidentiality
The privilege and confidentiality protections of the PSQIA are the foundation of its attempt to create a robust system for reporting potentially sensitive information. Generally, the privilege granted to PSWP protects it against subpoena, discovery, or admission into evidence in connection with a legal proceeding, and the confidentiality granted to PSWP prohibits its “disclosure” to third parties.
What Information Is Privileged and Confidential?
To obtain privilege and confidentiality under the PSQIA, documents must meet the definition of PSWP. The types of documents that can qualify as PSWP are expansive and include any data, reports, records, memoranda, analyses (such as root cause analyses), or written or oral statements that can improve patient safety, health care quality, or health care outcomes. HHS’ aim is to encourage “robust exchanges” between providers and PSOs.
However, to qualify as PSWP, provider documents must be developed for the purpose of reporting to a PSO. The simplest way to meet this requirement is through the implementation and use of a “patient safety evaluation system,” the mechanism by which a provider collects, manages, and/or analyzes information for reporting to a PSO. HHS has not defined a patient safety evaluation system (it declined to make this a requirement), but recommends that providers and PSOs document how information enters the patient safety evaluation system, who has access to the system, and the physical space or equipment used by the patient safety evaluation system. If a provider documents entry in a clearly identified patient safety evaluation system, substantial proof exists to support a claim that a document was developed for transmittal to a PSO.
The Rule states that documents that are created, maintained, or developed separately from a patient safety evaluation system are excluded from the definition of PSWP. This includes information such as patient medical records, billing and discharge information, peer review findings, or other “original” patient or provider information developed for a purpose other than reporting to a PSO. These documents are not PSWP even if they, or copies, are entered into a patient safety evaluation system and/or provided to a PSO.
The Rule’s emphasis on documentation constitutes a significant change. Under the proposed rule, a provider’s work product did not receive PSWP status unless it was both developed for reporting and actually reported to a PSO. The Rule now grants PSWP status prior to the actual transfer of information to a PSO, so long as the information is documented within a patient safety evaluation system as well as the date of its entry into the system. This change relieves providers of the burden of continuous transmission(s) and offers more complete protection. Information not yet reported to a PSO may be removed from a patient safety evaluation system and lose its status as PSWP if the provider documents the act and date of removal.
Documents developed by a PSO for the conduct of patient safety activities also are PSWP and therefore confidential and privileged. The Rule defines “patient safety activities” broadly enough to encompass virtually all activities a PSO might take in the course of its work with PSWP. Finally, documents that identify or constitute the deliberations of a patient safety evaluation system also are PSWP.
What Constitutes Disclosure?
The PSQIA’s confidentiality provisions prohibit “disclosure” of PSWP, subject to a number of exceptions. The Rule defines disclosure to mean “the release, transfer, provision of access to, or divulging in any manner of PSWP” by a person who holds PSWP to another person. The Rule also clarifies that: (1) sharing PSWP between a component PSO and the entity of which it is a part is disclosure, but (2) sharing PSWP between a physician with staff privileges and the entity with which the physician holds privileges is not.
In keeping with HHS’ interest in flexibility, the Rule declines to regulate or limit the ways a PSO might use PSWP. For example, the Rule does not place restrictions on the uses for which the PSWP may be shared internally. PSOs may legally use PSWP delivered to them by contracting providers in any way that does not constitute an impermissible disclosure.
Exceptions to Privilege and Confidentiality
The confidentiality and privilege protections afforded to PSWP are not absolute. The Rule contains 10 exceptions to the confidentiality protection, four of which also are exceptions to privilege. Disclosures of PSWP will not violate either confidentiality or privilege in the following four situations:
Disclosure of PSWP is permitted in the following situations (although the privilege remains):
The Secretary’s Immunity
The Rule also grants the Secretary immunity from the PSQIA’s confidentiality and privilege provisions to pursue specific goals, and requires providers and PSOs to disclose the information upon the Secretary’s request. The Secretary may obtain information from providers in order to investigate or ascertain compliance with PSQIA (including decisions with respect to listing PSOs), to investigate or ascertain compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, and to seek or impose civil monetary penalties. To activate the immunity, the Secretary must make a determination that the PSWP is needed for these purposes.
A number of entities are already listed by AHRQ as PSOs. The Rule provides greater clarity for entities considering being so certified and for providers interested in obtaining the services of existing PSOs.
1 The eight patient safety activities required of PSOs are: (1) efforts to improve patient safety and the quality of health care delivery; (2) the collection and analysis of PSWP; (3) the development and dissemination of information to improve patient safety such as recommendations, protocols, or information regarding best practices; (4) the utilization of PSWP to encourage a culture of safety and to provide feedback and assistance to minimize patient risk effectively; (5) the maintenance of procedures to preserve the confidentiality of PSWP; (6) the provision of appropriate security measures for PSWP; (7) the utilization of qualified staff; and (8) activities related to the operation of a patient safety evaluation system and the provision of feedback to its participants.
2 The seven criteria for becoming a PSO are: (1) the mission and primary activity of the PSO must be to conduct patient safety activities; and the PSO must: (2) have a qualified workforce, including licensed or certified medical professionals; (3) have two bona fide contracts with different providers for each 24-month sequential period after listing; (4) not be a health insurer or component thereof; (5) make the required disclosures to HHS; (6) collect PSWP in a standardized manner to permit valid comparisons of similar cases among similar providers to the extent practical and appropriate; and (7) utilize PSWP to provide direct feedback and assistance to providers to minimize patient risk effectively.
Legal News Alert is part of our ongoing commitment to providing up-to-the minute information about pressing concerns or industry issues affecting our health care clients and colleagues. If you have any questions about this alert or would like to discuss this topic further, please contact your Foley attorney or any of the following individuals:
Janice A. Anderson
Shirley P. Morrigan
Cheryl L. Wagonhurst
J. Mark Waxman