United States: "Patient Safety and Quality Improvement Act of 2005" Signed into Law

On July 29, 2005, President Bush signed legislation (Pub. L. No. 109-41) aimed at improving the quality of patient care and encouraging health care providers to voluntarily report medical errors to patient safety organizations ("PSOs"). The Patient Safety and Quality Improvement Act of 2005 ("PSQIA" or the "Act") encourages health care providers to voluntarily report patient safety information, medical errors, and "near misses" to PSOs which are certified by the Secretary of the Department of Health and Human Services (the "Secretary"). Among other things, in order to facilitate such disclosure, the new law creates legal privilege and confidentiality protections for any patient safety work product ("PSWP") either developed by a PSO or prepared by a health care provider and delivered to a PSO. In addition, the Act includes penalties for improper disclosure of PSWP. However, the legal privilege and confidentiality protections for PSWP are not absolute and are limited under the PSQIA in certain situations as discussed below.

The PSQIA is significant in that it is the first legislative attempt to address patient safety issues at the federal level. This memo describes the requirements of the PSQIA and includes a discussion of the potential questions raised by the Act and the impact it may have on our clients.

PSWP is defined as any data, reports, records, memoranda, analyses (such as root cause analyses), or written or oral statements which: (1) are assembled or developed by a provider for reporting to a PSO and are reported to the PSO; or (2) are developed by a PSO for the conduct of patient safety activities. Such information is only classified as PSWP if it may result in improved patient safety, health care quality, or health care outcomes or if it is created or used as part of a "patient safety evaluation system." In addition, PSWP includes work product which identifies or constitutes the deliberations or analysis of, or identifies the fact of reporting pursuant to, a patient safety evaluation system.

However, PWSP does not include a patient’s medical record, billing, and discharge information, or any other original patient or provider record. Further, the definition of PSWP under the Act excludes information that is collected, maintained, or developed separately, or exists separately from a patient safety evaluation system. Such separate information reported to a PSO is not, simply by reason of its reporting, considered to be PSWP.

The PSQIA affords protections to PSWP developed by a PSO which engages in certain "patient safety activities." These activities include the collection and analysis of PSWP and the utilization of PSWP for the purposes of encouraging a culture of safety and minimizing patient risk. In addition, the development and dissemination of information with respect to improving patient safety, such as recommendations, protocols, or information regarding best practices, also qualify as patient safety activities under the Act. Finally, the use of qualified staff, the provision of appropriate security measures, and the maintenance of procedures to preserve confidentiality with respect to PSWP, are all patient safety activities under the Act if engaged in by a PSO.

Under the Act, "patient safety evaluation systems" are created by PSOs to collect, manage, or analyze PSWP for reporting to or by a PSO. All activities engaged in by a PSO related to operating, and providing feedback to participants in, a patient safety evaluation system constitute protected patient safety activities under the Act. 

D. Providers "Providers" are defined under the Act as individuals or entities licensed or otherwise authorized under state law to provide health care services and include:

A hospital, nursing facility, comprehensive outpatient rehabilitation facility, home health agency, hospice program, renal dialysis facility, ambulatory surgical center, pharmacy, physician, or health care practitioner’s office, long term care facility, behavior health residential treatment facility, clinical laboratory, or health center; or

A physician, physician assistant, nurse practitioner, clinical nurse specialist, certified registered nurse anesthetist, certified nurse midwife, psychologist, certified social worker, registered dietician, or nutritional professional, physical, or occupational therapist, pharmacist, or other health care practitioner. The definition of provider also encompasses "any other entity specified in regulations promulgated by the Secretary."

An organization seeking to become a PSO must submit a certification to the Secretary in order to be recognized as a PSO, and this certification must be renewed every three years. The certification must document that the organization is performing the patient safety activities enumerated by the Act and that the organization meets the following criteria:

• The mission and primary activity of the entity must be to conduct activities aimed at improving patient safety and the quality of health care delivery;

• The entity must have an appropriately qualified staff (whether directly or through contract) including licensed or certified medical professionals;

• The entity must have contracts with more than one provider for the purpose of receiving and reviewing PSWP;

• The entity is not, and is not a component of, a health insurer;

• The entity must disclose any potential conflict of interest, including any financial, reporting or contractual relationship, between the entity and one of its contracted providers;

• To the extent practical and appropriate, the entity must collect PSWP in a standardized manner from that permits valid comparisons between providers; and

• The entity uses PSWP for providing direct feedback and assistance to providers to effectively minimize patient risk.

In addition to the criteria listed above, if the entity seeking to be a PSO is a component of another organization, the entity must satisfy several additional requirements including: (1) that the entity must maintain PSWP separately from the rest of the organization and establish appropriate security measures to maintain the confidentiality of the PSWP; (2) that the entity must not make unauthorized disclosures of PSWP to the rest of the organization; and (3) that the mission of the entity to promote patient safety and improve the quality of health care delivery must not be in conflict with the rest of the organization’s mission or purpose.

In addition, for the purposes of applying the HIPAA privacy standards to PSOs, PSO are to be treated as business associates of the providers with whom they contract. Further, patient safety activities of PSOs in relation to a provider are considered to be "health care operations" as defined under HIPAA.

As a further step toward enhancing patient safety through the reporting and analysis of patient safety related information, the PSQIA requires the Secretary to facilitate the creation of, and maintain, a "network of patient safety databases" that will provide "an interactive evidence-based management resource for providers, PSOs, and other entities." The Act contemplates that the network of databases will be able to accept, aggregate across the network, and analyze non-identifiable PSWP voluntarily reported by PSOs, providers and other entities. In addition, the goal stated in the PSQIA is that information from this "network" will be used to analyze national and regional statistics, including trends and patterns of health care errors. Finally, the Act envisions some time in the near future when interested parties will be able to access this national database of valuable patient safety information from a single point of access.

Eighteen months after any network of patient safety databases in operational, the Secretary, in consultation with the Director of the Agency for Healthcare Research and Quality, is responsible for preparing a draft report on effective strategies for reducing medical errors and increasing patient safety. The Secretary will make the draft report available for public comment and submit the draft report to the Institute of Medicine for review and ultimately to Congress.

To encourage providers to participate in patient safety activities, the PSQIA creates legal privilege and confidentiality protections for most PSWP created by PSOs or shared with PSOs by providers. The specific protections are as follows:

The Act provides that PSWP is privileged and may not be: (1) subject to subpoenas, orders, or discovery requests issued in a federal, state, or local civil or criminal case; (2) subject to disclosure under the Freedom of Information Act or any similar state or local law; (3) admitted as evidence in any governmental proceeding; or (4) admitted in any professional or disciplinary proceeding.

The only exception to the legal privilege for PSWP is for "nonidentifiable" PSWP. PSWP is considered identifiable if it allows for the identification of any provider that is a subject of (or participates in) the work product, is considered to be "individually identifiable health information" as defined under the Health Insurance Portability and Accountability Act ("HIPAA") privacy standards, or allows for identification of the individual who reported information to a provider or a PSO. 

B. Confidentiality of PSWP The Act makes all PSWP confidential and limits any disclosure of PSWP unless the situation constitutes one of several permissible grounds for disclosure of PSWP as listed in the Act. Permissible grounds for disclosing PSWP include but are not limited to disclosures to carry out patient safety activities, disclosure by a provider to an accrediting body that accredits the provider, disclosures determined by the Secretary to be necessary for business operations and consistent with the goals of the Act, and disclosures of PSWP to law enforcement authorities relating to commission of a crime.

In addition to the exceptions listed in the Act, neither the legal privilege nor confidentiality protections under the Act apply to disclosure of relevant PSWP for use in a criminal proceeding in the event that a court determines that the PSWP is material to the proceeding and not reasonably available from another source. In addition, disclosure of PSWP is permitted if necessary for an individual to seek redress for retaliatory action taken against him for reporting information to a PSO. Finally, PSWP is neither privileged nor confidential if disclosure is authorized by each provider identified in the work product.

Under the PSQIA, the "reporter" of relevant patient safety information is protected from actions affecting his or her employment status. A provider may not take an adverse employment action against an individual based on the fact that the individual in good faith reported information either to a provider -6- with the intent of having that information reported to a PSO, or directly to a PSO. This protection also applies to adverse evaluations or decisions made in relation to accreditation, certification, credentialing, or licensing of the individual.

A person who knowingly or recklessly discloses identifiable PSWP in violation of the Act may be subject to a civil monetary penalty of up to $10,000 for each act constituting a violation; however, penalties under the Act may not be imposed in addition to penalties under HIPAA with respect to the same act or omission. Also, an individual may seek equitable relief against a party that improperly takes adverse employment action against the individual for reporting patient-safety related information.

Many states currently have various forms of patient safety and/or events reporting statutes or regulations. The PSQIA addresses its relationship to state laws regarding confidentiality, privilege, and reporting. The PSQIA establishes a floor for certain protections applicable to PSWP, and does not limit or preempt the application of other federal, state, or local laws that provide greater privilege or confidentiality protections that those discussed above. Additionally, the Act does not preempt or affect state laws that require providers to report information that is not PSWP.

Rather than instituting a series of specific reporting rules and requirements, the PSQIA seeks to promote the goal of reducing medical errors and increasing quality of care by encouraging voluntary participation and reporting of patient safety related information and establishing privilege and confidentiality protections for information deemed to be PSWP. While the Act constitutes a significant first step on a federal level to mandate a greater commitment to patient safety, the Act leaves a number of key questions unanswered; some of these questions may be addressed by future regulations. Questions raised by the Act include:

Insurers are excluded from the ability to be certified as PSOs, but otherwise the field is open to a variety of organizations, including hospitals, medical staffs, accreditation bodies, and quality improvement organizations. Entities will need to evaluate PSO requirements. For example, as part of meeting PSO requirements, health care providers must contract with more than one provider in order to receive and review PSWP. Providers may be wary of entering into such arrangements with competitors and may hesitate to become certified PSOs.

In order for the information and data of providers who are not certified as PSOs to receive protection under the Act, the information must be developed for reporting to a PSO and reported to a PSO (emphasis added). Broader protection is provided for information and data of a certified PSO in that all information developed by a PSO for the conduct of patient safety activities is protected under the Act. Structural changes would likely be required to health care providers’ existing committee systems for conducting credentialing, quality, and peer review activities in order for the end result of those activities to constitute protected PSWP.

The Act contemplates the ultimate creation of a national network of patient safety data bases which would be populated with voluntarily reported patient safety information. However, it remains to be seen whether providers will choose to report patient safety data given that the obligation to do so is not mandatory. The voluntary nature of data reporting may compromise these goals and reduce the statistical validity of trending data should less than optimal numbers of providers choose to report.

Some states already require certain health care providers, particularly hospitals, to assemble and report patient safety related data. In such states these health care providers may feel little or no effect of the new federal legislation. However, even in states with existing reporting statutes, the Act may have an impact by broadening beyond hospitals those who may report data to PSOs. In states without reporting statutes, the PSQIA affords new opportunities for reporting and protecting PSWP.

Providers should attempt to understand the PSQIA, what it purports to accomplish, and how the PSQIA meshes with applicable current state laws regarding patient safety, reporting, and peer review. As regulations are issued, some of the issues and questions raised by this new law may be clarified. Time will tell if the PSQIA will be successful in meeting its goals of eliciting the voluntary reporting of patient safety information and creating a national network of databases for analyzing trends in order to minimize health care errors. 

This article is presented for informational purposes only and is not intended to constitute legal advice.