ABA Health eSource
December 2008 Volume 5 Number 4

The Wait is Over, the Patient Safety and Quality Improvement Act Final Rule is Published
By Bill Hopkins, Of Counsel, Brown McCarroll LLP, Austin, TX

AuthorOn November, 21, 2008, the U.S. Department of Health and Human Services (HHS), published the final rule implementing the Patient Safety and Quality Improvement Act (PSQIA). 1Under the Final Rule, effective on January 19, 2009, healthcare providers can establish internal patient safety evaluation systems to collect and analyze patient safety events and voluntarily report such events within a legally secure environment of privilege and confidentiality protections to a Patient Safety Organization (PSO). PSOs will be certified by the Agency for Healthcare Research and Quality (AHRQ) and charged with collecting patient safety data from all participating providers, aggregating the data, and performing detailed analysis of the data to identify patterns of failures in the healthcare system and propose measures to eliminate patient safety risks as a means to improve patient outcomes. Under this system, providers will now have a comfort zone to fully disclose detailed patient safety information to a PSO without the concern of whether that information will be subject to disclosure or discovery in a future regulatory or liability action. The providers will also benefit on the back-end of the transaction as PSOs will also in a position to provide expert advice to healthcare providers regarding best practices derived from analyzing patient safety event data.

  • Using the language of the PSQIA, this process of securing the protection of the PSWP information reported to PSOs will be simple:
  • If a provider, anyone licensed by the state to provide healthcare,
  • As part of a patient safety evaluation system (PSES)
  • Obtains, develops and creates patient safety work product (PSWP), and
  • That information is reported to a patient safety organization (PSO)
  • Then that PSWP will be considered confidential and privileged and will NOT be:

  - Subject to disclosure to federal, state, or local, civil, criminal or administrative subpoena or order, including in a federal, state, or local civil or administrative disciplinary proceeding against a provider;

-Subject to discovery in connection with a federal, state, or local civil, criminal, or administrative disciplinary proceeding against a provider;

-Admissible as evidence in any federal, state or local governmental civil proceeding, criminal proceeding, administrative rulemaking proceeding or administrative adjudicatory proceeding, including any such proceeding against a provider; or

-Admissible in a professional disciplinary proceeding of a professional disciplinary body pursuant to state law.

Overview of the Final Rule

Given the breadth of patient safety activities and these protections, a full understanding of the Final Rule is essential for all involved parties who intend to create and utilize a PSES, and to protect data as PSWP within the definition of the Rule. The Final Rule specifically details what types of information can be considered PSWP and the confidentiality protections and privileges that will be attached to that information if the information gathering and reporting process to a PSO is followed. Under Section 3.20 of the Final Rule, it also illustrates what types of information will never be considered PSWP. Examples of information that will never be considered PSWP are:

  • Original Medical Patient or Provider Records
  • Billing and discharge information
  • Information that is collected, maintained, developed separately or exists separately from, a patient safety evaluation system. 2

In addition, the Final Rule makes it clear that participation in this process does not relieve a provider from its obligation to comply with other federal, state or local laws pertaining to information that is not privileged or confidential under the PSQIA. The Final Rule and the Statute is specific to the interaction between the PSQIA and HIPAA and the necessity for healthcare providers to comply with both in the gathering, reporting and dissemination of patient safety information that may also be considered individually identifiable health information (IIHI). Not surprisingly, many health care providers participating in this program will be covered entities under the HIPAA privacy rule and will be required to comply with the HIPAA Privacy rule when they disclose patient safety work product that contains protected health information. While this interaction is evident, the PSQIA is clear that it is not intended to interfere with the implementation of any provision of the HIPAA privacy rule. 3 The statute also provides that civil money penalties cannot be imposed under both the PSQIA and the HIPAA privacy rule for a single violation. 4 Furthermore, since the patient safety activities conducted in the PSES are considered to be health care operations under the HIPAA privacy rule, there is no requirement that covered providers obtain patient authorizations to disclose patient safety work product containing protected health information to PSOs. In addition, under the HIPAA privacy rule, since PSOs are considered business associates of providers, PSOs must abide by the terms of their HIPAA business associate contracts, which require them to notify the provider of any impermissible use or disclosure of the protected health information if they are aware or have knowledge of any such occurrence.

Under Section 3.102 of the Rule and its subsections, significant insight has been provided regarding what types of entities may or may not serve as a PSO 5 , the detailed certification process through AHRQ to become a PSO and the requirements that every PSO must adhere to in order to maintain PSO certification 6 and additional requirements of PSO certification of component organizations. 7 All PSOs will have an automatic expiration date of their certification listing three (3) years after being certified, unless the PSO’s certification is continued by HHS. 8 The Final Rule also provides the process by which a PSO may be de-listed if circumstances, in the discretion of the HHS, require such an action. 9 In the event of such an action, due process procedures will be implemented to allow a PSO to challenge a de-listing decision.

Under the Act, the imposition of civil money penalties in the amount of $10,000 per person per violation by the HHS’ Office of Civil Rights (OCR) may occur for the knowing or reckless impermissible disclosure of PSWP. 10 Due process and contested case provisions are provided in these circumstances.

In response to publishing of the Final Rule, HHS Secretary Mike Leavitt said in HHS’s press release, “I expect the final rule and the creation of Patient Safety Organizations to greatly improve the quality of health care for all Americans. By making it easier for clinicians and health care organizations to report and learn from adverse events without fear of new legal liability, we will be able to improve our Nation’s health care systems and minimize factors that can contribute to mistakes.” 11


Now that the Final Rule is in place, and fifteen PSOs have been certified by AHRQ, only time will tell what long term effects the PSQIA will have on the provision of healthcare in the United States. Given the undisputed prevalence of errors and deficient practices in the U.S. health care system and the pervasive fear and paranoia of providers to document that information, let alone analyze it, there is no question that something has to change if we are ever going to reach a level of best practices in health care. The PSQIA provides a clear and distinct solution to this historical and systemic dilemma. There is definite value to the existence of a process that will allow providers to collect, gather and disclose patient safety information to a PSO, in a confidentially protected and privileged manner, so that the information can be synthesized and processed into best practices data and utilized to improve care, revamp outdated practices and consider systemic changes in the provision of health care. Since the program is voluntary, there is no telling right now how many providers will actually take the first step and participate in these programs. Regardless of the long term effects of the PSQIA, encouraging providers to drop their customary practices of protectionism by creating this confidential and privileged process for the collecting and sharing of data and improving care is definitely a step in the right direction.

1 Federal Register, Volume 73, Number 226, page 70731-70814, Nov. 21, 2008 to be codified at 42 C.F.R. Part 3.

2 Federal Register, Volume 73, Number 226, page 70740, Nov. 21, 2008

3 See 42 U.S.C. 299b-22 (g)(3)

4 See 42 U.S.C. 299b- and 299-22(i)

5 Section 3.102(a)-Eligibility and Process for Being Listed as PSO

6 Section 3.102(b)-Fifteen General PSO Certification Requirements

7 Section 3.102(c)-Additional PSO Certifications Required of Component Organizations

8 Section 3.104(e)-Three Year Period of Listing

9 Section 3.108(a)-Process for Correction of a Deficiency and Revocation

10 Social Security Act§1128(A), 42 U.S.C. §1320a-7a (2000).

11 See http://www.ahrq.gov/news/press/pr2008/psorulepr.htm


The ABA Health eSource is distributed automatically to members of the ABA Health Law Section . Please feel free to forward it! Non-members may also sign up to receive the ABA Health eSource.