The Rise of Patient Safety Organizations

The 1999 Institute of Medicine (IOM) report, “To Err Is Human,” brought patient safety to the forefront with its alarming findings, most jarringly encapsulated in its conclusion that medical error-related deaths in the United States are the equivalent of crashing one jumbo jet per day. L.T. Kohn, J.M. Corrigan, and M.S. Donaldson, eds., “To Err Is Human: Building a Safer Health System” (National Academies Press, 1999). According to the IOM's report, one factor underlying the high rate of medical errors has been a reluctance on the part of providers to identify and address medical errors due to concerns that such information would be used against them in medical malpractice lawsuits or professional disciplinary actions.

The Patient Safety and Quality Improvement Act

The Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act or Act) was designed to address this concern by creating a mechanism for the reporting and sharing of patient safety information among providers without the fear of liability. See 42 U.S.C. ” 299b-21'299b-26 (2006). To that end, the Patient Safety Act authorizes the creation of a new type of entity, a patient safety organization (PSO), to receive and analyze information relating to patient safety. The Act confers broad federal privilege and confidentiality protections to this information, referred to as “patient safety work product,” with significant penalties for breaches. The PSO program is administered by the Agency for Healthcare Research and Quality (AHRQ) and enforced by the Office of Civil Rights. AHRQ published a final rule implementing the Patient Safety Act in November 2008. See 73 Fed. Reg. 70,732 (Nov. 21, 2008). There are currently 69 PSOs listed with the AHRQ.

The Basics

The heart of the PSO process is the patient safety evaluation system, which includes the mechanisms through which information that becomes patient safety work product is collected by the provider and by which the PSO maintains, analyzes and communicates regarding such patient safety work product. See 42 U.S.C. ' 299b-21(6); 73 Fed. Reg. at 70,798 (to be codified at 42 C.F.R. '3.20).

The patient safety evaluation system is defined by reference to “patient safety activities,” which include:

• Efforts to improve patient safety and the quality of health care delivery;
• The collection and analysis of patient safety work product;
• The development and dissemination of information regarding patient safety, such as recommendations, protocols or Information regarding best practices;
• The utilization of patient safety work product for the purposes of encouraging a culture of safety, as well as providing feedback and assistance to effectively minimize patient risk;
• The maintenance of procedures to preserve confidentiality with respect to patient safety work product;
• The provision of appropriate security measures with respect to patient safety work product;
• The utilization of qualified staff; and
• Activities related to the operation of a patient safety evaluation system and to the provision of feedback to participants in a patient safety evaluation system. 42 U.S.C. ' 299b-21(5); 73 Fed. Reg. at 70,798 (to be codified at 42 C.F.R. ' 3.20).

The concept of the patient safety evaluation system is somewhat nebulous insofar as such a system “exists whenever a provider engages in patient safety activities for the purpose of reporting to a PSO or a PSO engages in these activities with respect to information for patient safety purposes.” 73 Fed. Reg. at 70,738. For some providers, the system will represent a distinct space where information destined for the PSO is held. For other providers, the patient safety evaluation system may be less tangible, consisting of a set of procedures that the provider follows in collecting, processing and creating information destined for the PSO.

While the regulations permit either approach in order to accommodate the varying practice needs and preferences of providers, establishing some type of framework around the patient safety evaluation system is key to ensuring information will be treated as patient safety work product, and thus entitled to the privileged and confidential treatment afforded by the Patient Safety Act.

Regardless of the precise approach taken, providers are well-advised to develop documented policies and procedures that define the parameters of the provider's patient safety evaluation system. This documentation can be used to readily demonstrate that specific information is patient safety work product. At a minimum, it should include a description of the processes, physical space(s), policies, personnel and equipment that comprise the patient safety evaluation system. See Id.

Defining Work Product

The protections afforded by the Patient Safety Act all turn on information being characterized as patient safety work product. Conceptually, patient safety work product falls into three general categories:

• Information collected or developed by the provider for reporting to a PSO that is actually reported;
• Information developed by the PSO itself as part of patient safety activities; and
• Information that identifies or constitutes the deliberations or analysis of, or identifies the fact of reporting to, a patient safety evaluation system. See 73 Fed. Reg. 70,739.
• Information that may be classified as patient safety work product includes “any data, reports, records, memoranda, analyses (such as root cause analyses), or written or oral statements (or copies of any of this material)” that “could improve patient safety, health care quality, or health care outcomes.” 73 Fed. Reg. at 70,798 (to be codified at 42 C.F.R.
  ' 3.20).

Certain categories of information are expressly excluded from being patient safety work product, including “a patient's medical record, billing and discharge information, or any other original patient or provider information ' [and] information that is collected, maintained, or developed separately, or exists separately, from a patient safety evaluation system.” Id.

Under the statutory definition of patient safety work product, in order for information collected or created by a provider to constitute patient safety work product, it must be “reported” to a PSO. This reporting requirement raises at least two important questions: 1) is there any protection for information that is intended to be reported to a PSO but has not yet been reported; and 2) what constitutes “reporting” for these purposes?

With respect to the first question, the regulations implementing the Patient Safety Act recognize the need to afford some measure of protection to information destined for a PSO that has not yet been reported. To that end, the regulations provide that information collected for reporting to a PSO is treated as patient safety work product upon collection (i.e., prior to reporting) if the provider documents that the information has been collected within a patient safety evaluation system and records the date of collection. Id. Providers can also remove information from the patient safety evaluation system prior to reporting. This approach to protecting information housed in the patient safety evaluation system prior to reporting further highlights the importance of developing and documenting the patient safety evaluation system.

With respect to the second question, the preamble to the regulations authorizes so-called “functional reporting” as an alternative to the actual transmission of information to the PSO. Under this approach, a provider and PSO would enter into an arrangement whereby the PSO is authorized to access, process and analyze information in the provider's patient safety evaluation system. See 73 Fed. Reg. at 70,741. This approach requires the provider to develop a patient safety evaluation system architecture that ensures the PSO has access to all patient safety work product without enabling the PSO to access any non-patient safety work product that may be contained on the provider's systems.

Protections Afforded

The Patient Safety Act confers federal privilege and confidentiality protections on patient safety work product. Some, but not all, states provide some level of protection for peer review activities. By conferring broad federal privilege and confidentiality protections on patient safety work product, the Patient Safety Act effectively levels the playing field across states.

The privileging of patient safety work product protects such information from subpoena by, or discovery and admission into evidence in connection with, any civil, criminal or administrative proceeding before any federal, state, local or tribal body, including disciplinary proceedings against a provider. 42 U.S.C. ' 299b-22(a); 73 Fed. Reg. at 70,805 (to be codified at 42 C.F.R. ' 3.204(a)). The privilege also protects patient safety work product from disclosure under the Freedom of Information Act.

Similarly, the confidentiality protections for patient safety work product prohibit all disclosures that are not expressly authorized by the act or the regulations enacted thereunder. 42 U.S.C. ' 299b-22(b); 73 Fed. Reg. at 70,805 (to be codified at 42 C.F.R. ' 3.206(a)).

The act and the regulations provide for a series of narrowly crafted exceptions to the privilege and confidentiality requirements. These exceptions permit disclosures authorized by providers and limited disclosures in connection with the conduct of patient safety activities between a provider and a PSO, to a contractor of the provider or PSO, among affiliated providers, and to another PSO or provider (provided certain direct identifiers relating to the provider are removed and that patient information is in the form of a HIPAA limited data set). See 73 Fed. Reg. at 70,805-70,806 (to be codified at 42 C.F.R. ' 3.206(b)(3)-(4)).The regulations also provide a pathway to de-identify patient safety work product to create “nonidentifiable patient safety work product,” the disclosure of which is likewise permitted. Id. at ” 3.212, 3.206(b)(5).

In addition, disclosures to various governmental bodies are permitted, including to courts for criminal proceedings (following an in camera review by the judge to determine whether the patient safety work product contains evidence of a criminal act, is material to the proceeding, and is not reasonably available from another source), to the Secretary to enable enforcement of the Patient Safety Act and the HIPAA Privacy Rule, and the FDA regarding FDA-regulated products. 42 U.S.C. ' 299b-22(c); 73 Fed. Reg. at 70,805-70,806 (to be codified at 42 C.F.R. ” 3.204(b), 3.206(b)).

The Patient Safety Act provides for a civil monetary penalty of up to $10,000 for each knowing or reckless violation of the confidentiality protections afforded to patient safety work product. 42 U.S.C. ' 299b-22(f)(1).

What About HIPAA?

In order to avoid any confusion of the intended application of HIPAA to PSOs, Congress clarified in the Patient Safety Act that patient safety activities are considered health care operations under HIPAA and that PSOs need to be business associates of the providers with whom they contract. Id. at ' 299b-22(i). Accordingly, any disclosure of protected health information from a provider to a PSO will need to comply with the HIPAA Privacy Rule. The act further clarifies that a single violation may not result in double sanctions under HIPAA and the Patient Safety Act. Id. at ' 299b-22(f)(3).

Becoming a PSO

Both public and private entities may be designated as PSOs. In practice, however, the statutory requirement that a PSO's mission and primary activity is the conduct of activities intended to improve patient safety and the quality of health care delivery significantly limits the scope of existing entities that can qualify as PSOs. While many entities can credibly claim a mission relating to quality and patient safety improvement, the statute expressly requires that this focus be the primary activity, thereby excluding many multi-purposed organizations.

In addition, certain types of entities are prohibited from becoming certified as PSOs, including the following: health insurance companies and their affiliates, entities that accredit or license health care providers, entities (or agents thereof) that oversee or enforce statutory and regulatory requirements for the delivery of health care, and entities that operate patient safety reporting systems into which providers are legally required to report information. 73 Fed. Reg. at 70,799 (to be codified at 42 C.F.R.
' 3.102(a)(2)).

PSOs may be completely independent, free-standing entities, or they may be components of other organizations. A component organization is either a unit or division of a legal entity or an entity that is owned, managed or controlled by a parent organization. Id. at 70,797 (to be codified at 42 C.F.R. ' 3.20). Accreditation or licensing organizations, while barred from certification as PSOs themselves, may establish a component organization to operate a PSO.

Listing Requirements

An entity will not be considered a PSO until it is listed as such by AHRQ. In order to be included on the list, an entity must submit an attestation that it meets the 15 criteria set forth in the Patient Safety Act and the regulations enacted thereunder. These criteria include policies and procedures to perform the eight patient safety activities and seven additional criteria, relating to the entity's mission, staff qualifications, standardized data collection methodologies, and a requirement that the entity have contracts with at least two separate providers within each two year period. See 42 U.S.C. ' 299b-24(a)-(b). This final criterion is significant insofar as it prevents a PSO from servicing only one provider. PSOs that are component organizations must certify compliance with additional criteria, including maintaining patient safety work product separately from and not disclosing patient safety work product to the parent organization. 73 Fed. Reg. at 70,800 (to be codified at 42 C.F.R. ' 3.102(c)). In addition, the mission of the component PSO must not create a conflict of interest with the parent organization.

PSOs are listed for a period of three years. Prior to the expiration of the three-year period, a PSO must submit an additional attestation for continued listing, reaffirming that is meets all of the PSO criteria.

Key Considerations

There are some key considerations that are worth emphasizing in light of the implementation of the Patient Safety Act.

• The law and regulations provide for a level playing field with respect to the privilege and confidentiality protections for participating health care facilities throughout the country.
• Providers that may benefit from the privilege and confidentiality protections include hospitals, nursing facilities, outpatient rehabilitation facilities, home health care facilities, pharmacies and physician offices just to name a few. This broad definition provides for protection to entities that would not otherwise have the ability to claim such privilege and confidentiality protections under state laws.
• PSOs can include hospital systems, medical societies, group practices, registries and even large for-profit entities. A PSO can provide numerous benefits to each of these entities.
• As we noted above, patient safety work product with protected health information (PHI) is subject to the HIPAA privacy and security requirements as well as those requirements under the Patient Safety Act. PHI contained in the patient safety work product that identifies a reporting provider is subject to the Patient Safety Act confidentiality and privilege requirements. It is important to note that the Patient Safety Act is more restrictive for disclosures of “business operations” of a PSO than the HIPAA business associate requirements are for “proper administration and management” of a business associate. The bottom line is that it is crucial that a PSO have in place the required PSO regulatory polices and procedures, as well as the appropriate security and privacy policies and procedures. The “walls” of the patient safety evaluation system should be properly defined. From a PSO's standpoint, this means it must define its workforce and have a bona fide contract in place with each of its participating providers. This, among other things, helps to prevent unauthorized disclosure of PSWP.

To accomplish this, we suggest that a PSO enter into a participating provider agreement with each of its providers. Additionally, to reduce start-up capital costs, PSOs typically choose to contract with entities or individuals outside of the PSO for certain administrative services. Administrative services agreements should be in place under these arrangements.

Finally, we suggest that members of the workforce undergo training so they understand how to handle patient safety work product so there is not an unauthorized disclosure.

David S. Ivill is a partner with McDermott Will & Emery and the partner in charge of the health law department in New York. Amy Hooper Kearbey, an associate in the firm's Washington, DC, office, is a member of the health law department. This article first appeared in the New York Law Journal, a sister publication of this newsletter.

The 1999 Institute of Medicine (IOM) report, “To Err Is Human,” brought patient safety to the forefront with its alarming findings, most jarringly encapsulated in its conclusion that medical error-related deaths in the United States are the equivalent of crashing one jumbo jet per day. L.T. Kohn, J.M. Corrigan, and M.S. Donaldson, eds., “To Err Is Human: Building a Safer Health System” (National Academies Press, 1999). According to the IOM's report, one factor underlying the high rate of medical errors has been a reluctance on the part of providers to identify and address medical errors due to concerns that such information would be used against them in medical malpractice lawsuits or professional disciplinary actions.

The Patient Safety and Quality Improvement Act

The Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act or Act) was designed to address this concern by creating a mechanism for the reporting and sharing of patient safety information among providers without the fear of liability. See 42 U.S.C. ” 299b-21'299b-26 (2006). To that end, the Patient Safety Act authorizes the creation of a new type of entity, a patient safety organization (PSO), to receive and analyze information relating to patient safety. The Act confers broad federal privilege and confidentiality protections to this information, referred to as “patient safety work product,” with significant penalties for breaches. The PSO program is administered by the Agency for Healthcare Research and Quality (AHRQ) and enforced by the Office of Civil Rights. AHRQ published a final rule implementing the Patient Safety Act in November 2008. See 73 Fed. Reg. 70,732 (Nov. 21, 2008). There are currently 69 PSOs listed with the AHRQ.

The Basics

The heart of the PSO process is the patient safety evaluation system, which includes the mechanisms through which information that becomes patient safety work product is collected by the provider and by which the PSO maintains, analyzes and communicates regarding such patient safety work product. See 42 U.S.C. ' 299b-21(6); 73 Fed. Reg. at 70,798 (to be codified at 42 C.F.R. '3.20).

The patient safety evaluation system is defined by reference to “patient safety activities,” which include:

• Efforts to improve patient safety and the quality of health care delivery;
• The collection and analysis of patient safety work product;
• The development and dissemination of information regarding patient safety, such as recommendations, protocols or Information regarding best practices;
• The utilization of patient safety work product for the purposes of encouraging a culture of safety, as well as providing feedback and assistance to effectively minimize patient risk;
• The maintenance of procedures to preserve confidentiality with respect to patient safety work product;
• The provision of appropriate security measures with respect to patient safety work product;
• The utilization of qualified staff; and
• Activities related to the operation of a patient safety evaluation system and to the provision of feedback to participants in a patient safety evaluation system. 42 U.S.C. ' 299b-21(5); 73 Fed. Reg. at 70,798 (to be codified at 42 C.F.R. ' 3.20).

The concept of the patient safety evaluation system is somewhat nebulous insofar as such a system “exists whenever a provider engages in patient safety activities for the purpose of reporting to a PSO or a PSO engages in these activities with respect to information for patient safety purposes.” 73 Fed. Reg. at 70,738. For some providers, the system will represent a distinct space where information destined for the PSO is held. For other providers, the patient safety evaluation system may be less tangible, consisting of a set of procedures that the provider follows in collecting, processing and creating information destined for the PSO.

While the regulations permit either approach in order to accommodate the varying practice needs and preferences of providers, establishing some type of framework around the patient safety evaluation system is key to ensuring information will be treated as patient safety work product, and thus entitled to the privileged and confidential treatment afforded by the Patient Safety Act.

Regardless of the precise approach taken, providers are well-advised to develop documented policies and procedures that define the parameters of the provider's patient safety evaluation system. This documentation can be used to readily demonstrate that specific information is patient safety work product. At a minimum, it should include a description of the processes, physical space(s), policies, personnel and equipment that comprise the patient safety evaluation system. See Id.

Defining Work Product

The protections afforded by the Patient Safety Act all turn on information being characterized as patient safety work product. Conceptually, patient safety work product falls into three general categories:

• Information collected or developed by the provider for reporting to a PSO that is actually reported;
• Information developed by the PSO itself as part of patient safety activities; and
• Information that identifies or constitutes the deliberations or analysis of, or identifies the fact of reporting to, a patient safety evaluation system. See 73 Fed. Reg. 70,739.
• Information that may be classified as patient safety work product includes “any data, reports, records, memoranda, analyses (such as root cause analyses), or written or oral statements (or copies of any of this material)” that “could improve patient safety, health care quality, or health care outcomes.” 73 Fed. Reg. at 70,798 (to be codified at 42 C.F.R.
  ' 3.20).

Certain categories of information are expressly excluded from being patient safety work product, including “a patient's medical record, billing and discharge information, or any other original patient or provider information ' [and] information that is collected, maintained, or developed separately, or exists separately, from a patient safety evaluation system.” Id.

Under the statutory definition of patient safety work product, in order for information collected or created by a provider to constitute patient safety work product, it must be “reported” to a PSO. This reporting requirement raises at least two important questions: 1) is there any protection for information that is intended to be reported to a PSO but has not yet been reported; and 2) what constitutes “reporting” for these purposes?

With respect to the first question, the regulations implementing the Patient Safety Act recognize the need to afford some measure of protection to information destined for a PSO that has not yet been reported. To that end, the regulations provide that information collected for reporting to a PSO is treated as patient safety work product upon collection (i.e., prior to reporting) if the provider documents that the information has been collected within a patient safety evaluation system and records the date of collection. Id. Providers can also remove information from the patient safety evaluation system prior to reporting. This approach to protecting information housed in the patient safety evaluation system prior to reporting further highlights the importance of developing and documenting the patient safety evaluation system.

With respect to the second question, the preamble to the regulations authorizes so-called “functional reporting” as an alternative to the actual transmission of information to the PSO. Under this approach, a provider and PSO would enter into an arrangement whereby the PSO is authorized to access, process and analyze information in the provider's patient safety evaluation system. See 73 Fed. Reg. at 70,741. This approach requires the provider to develop a patient safety evaluation system architecture that ensures the PSO has access to all patient safety work product without enabling the PSO to access any non-patient safety work product that may be contained on the provider's systems.

Protections Afforded

The Patient Safety Act confers federal privilege and confidentiality protections on patient safety work product. Some, but not all, states provide some level of protection for peer review activities. By conferring broad federal privilege and confidentiality protections on patient safety work product, the Patient Safety Act effectively levels the playing field across states.

The privileging of patient safety work product protects such information from subpoena by, or discovery and admission into evidence in connection with, any civil, criminal or administrative proceeding before any federal, state, local or tribal body, including disciplinary proceedings against a provider. 42 U.S.C. ' 299b-22(a); 73 Fed. Reg. at 70,805 (to be codified at 42 C.F.R. ' 3.204(a)). The privilege also protects patient safety work product from disclosure under the Freedom of Information Act.

Similarly, the confidentiality protections for patient safety work product prohibit all disclosures that are not expressly authorized by the act or the regulations enacted thereunder. 42 U.S.C. ' 299b-22(b); 73 Fed. Reg. at 70,805 (to be codified at 42 C.F.R. ' 3.206(a)).

The act and the regulations provide for a series of narrowly crafted exceptions to the privilege and confidentiality requirements. These exceptions permit disclosures authorized by providers and limited disclosures in connection with the conduct of patient safety activities between a provider and a PSO, to a contractor of the provider or PSO, among affiliated providers, and to another PSO or provider (provided certain direct identifiers relating to the provider are removed and that patient information is in the form of a HIPAA limited data set). See 73 Fed. Reg. at 70,805-70,806 (to be codified at 42 C.F.R. ' 3.206(b)(3)-(4)).The regulations also provide a pathway to de-identify patient safety work product to create “nonidentifiable patient safety work product,” the disclosure of which is likewise permitted. Id. at ” 3.212, 3.206(b)(5).

In addition, disclosures to various governmental bodies are permitted, including to courts for criminal proceedings (following an in camera review by the judge to determine whether the patient safety work product contains evidence of a criminal act, is material to the proceeding, and is not reasonably available from another source), to the Secretary to enable enforcement of the Patient Safety Act and the HIPAA Privacy Rule, and the FDA regarding FDA-regulated products. 42 U.S.C. ' 299b-22(c); 73 Fed. Reg. at 70,805-70,806 (to be codified at 42 C.F.R. ” 3.204(b), 3.206(b)).

The Patient Safety Act provides for a civil monetary penalty of up to $10,000 for each knowing or reckless violation of the confidentiality protections afforded to patient safety work product. 42 U.S.C. ' 299b-22(f)(1).

What About HIPAA?

In order to avoid any confusion of the intended application of HIPAA to PSOs, Congress clarified in the Patient Safety Act that patient safety activities are considered health care operations under HIPAA and that PSOs need to be business associates of the providers with whom they contract. Id. at ' 299b-22(i). Accordingly, any disclosure of protected health information from a provider to a PSO will need to comply with the HIPAA Privacy Rule. The act further clarifies that a single violation may not result in double sanctions under HIPAA and the Patient Safety Act. Id. at ' 299b-22(f)(3).

Becoming a PSO

Both public and private entities may be designated as PSOs. In practice, however, the statutory requirement that a PSO's mission and primary activity is the conduct of activities intended to improve patient safety and the quality of health care delivery significantly limits the scope of existing entities that can qualify as PSOs. While many entities can credibly claim a mission relating to quality and patient safety improvement, the statute expressly requires that this focus be the primary activity, thereby excluding many multi-purposed organizations.

In addition, certain types of entities are prohibited from becoming certified as PSOs, including the following: health insurance companies and their affiliates, entities that accredit or license health care providers, entities (or agents thereof) that oversee or enforce statutory and regulatory requirements for the delivery of health care, and entities that operate patient safety reporting systems into which providers are legally required to report information. 73 Fed. Reg. at 70,799 (to be codified at 42 C.F.R.
' 3.102(a)(2)).

PSOs may be completely independent, free-standing entities, or they may be components of other organizations. A component organization is either a unit or division of a legal entity or an entity that is owned, managed or controlled by a parent organization. Id. at 70,797 (to be codified at 42 C.F.R. ' 3.20). Accreditation or licensing organizations, while barred from certification as PSOs themselves, may establish a component organization to operate a PSO.

Listing Requirements

An entity will not be considered a PSO until it is listed as such by AHRQ. In order to be included on the list, an entity must submit an attestation that it meets the 15 criteria set forth in the Patient Safety Act and the regulations enacted thereunder. These criteria include policies and procedures to perform the eight patient safety activities and seven additional criteria, relating to the entity's mission, staff qualifications, standardized data collection methodologies, and a requirement that the entity have contracts with at least two separate providers within each two year period. See 42 U.S.C. ' 299b-24(a)-(b). This final criterion is significant insofar as it prevents a PSO from servicing only one provider. PSOs that are component organizations must certify compliance with additional criteria, including maintaining patient safety work product separately from and not disclosing patient safety work product to the parent organization. 73 Fed. Reg. at 70,800 (to be codified at 42 C.F.R. ' 3.102(c)). In addition, the mission of the component PSO must not create a conflict of interest with the parent organization.

PSOs are listed for a period of three years. Prior to the expiration of the three-year period, a PSO must submit an additional attestation for continued listing, reaffirming that is meets all of the PSO criteria.

Key Considerations

There are some key considerations that are worth emphasizing in light of the implementation of the Patient Safety Act.

• The law and regulations provide for a level playing field with respect to the privilege and confidentiality protections for participating health care facilities throughout the country.
• Providers that may benefit from the privilege and confidentiality protections include hospitals, nursing facilities, outpatient rehabilitation facilities, home health care facilities, pharmacies and physician offices just to name a few. This broad definition provides for protection to entities that would not otherwise have the ability to claim such privilege and confidentiality protections under state laws.
• PSOs can include hospital systems, medical societies, group practices, registries and even large for-profit entities. A PSO can provide numerous benefits to each of these entities.
• As we noted above, patient safety work product with protected health information (PHI) is subject to the HIPAA privacy and security requirements as well as those requirements under the Patient Safety Act. PHI contained in the patient safety work product that identifies a reporting provider is subject to the Patient Safety Act confidentiality and privilege requirements. It is important to note that the Patient Safety Act is more restrictive for disclosures of “business operations” of a PSO than the HIPAA business associate requirements are for “proper administration and management” of a business associate. The bottom line is that it is crucial that a PSO have in place the required PSO regulatory polices and procedures, as well as the appropriate security and privacy policies and procedures. The “walls” of the patient safety evaluation system should be properly defined. From a PSO's standpoint, this means it must define its workforce and have a bona fide contract in place with each of its participating providers. This, among other things, helps to prevent unauthorized disclosure of PSWP.

To accomplish this, we suggest that a PSO enter into a participating provider agreement with each of its providers. Additionally, to reduce start-up capital costs, PSOs typically choose to contract with entities or individuals outside of the PSO for certain administrative services. Administrative services agreements should be in place under these arrangements.

Finally, we suggest that members of the workforce undergo training so they understand how to handle patient safety work product so there is not an unauthorized disclosure.

David S. Ivill is a partner with McDermott Will & Emery and the partner in charge of the health law department in New York. Amy Hooper Kearbey, an associate in the firm's Washington, DC, office, is a member of the health law department. This article first appeared in the N ew York Law Journal , a sister publication of this newsletter.