The Patient Safety and Quality Improvement Act of 2005 (the Act), was signed into law on July 29, 2005, providing for the improvement of patient safety and the reduction of the incidence of events that adversely affect patient safety. Patient Safety and Quality Improvement Act of 2005, Pub. L. 109-41, 119 Stat. 424. To that end, the Act creates a national database on medical errors, designates individual reports as confidential, and shields participating providers from liability. The Agency for Healthcare Research and Quality (AHRQ) will implement the Act, because the Act amends the sections of the Public Health Service Act for which AHRQ is responsible. It will be the AHRQ, therefore, that will promulgate the regulations under the Act.

Since the publication of the Institute on Medicine's 1999 report, To Err is Human, the issue of medical errors has been on the forefront of patient safety discussions, and Congress has worked to address the issue and develop patient safety legislation. The Act is a significant piece of federal legislation and represents the first time patient safety issues have been addressed at the federal level. The legislation is a result of many years of debate and discussion among legislators and various interest groups. The Act has received the endorsement of groups such as the American Medical Association, the American Hospital Association and the Joint Commission on Accreditation of Healthcare Organizations, who believe this law to be a positive step toward improving patient safety by allowing the reporting and subsequent analysis of medical error information. In creating incentives for providers to analyze and report medical errors, its many supporters see this new law as a catalyst to encouraging open communication among providers and regulators, which could result in improved patient safety, health care quality, and/or health care outcomes. There are, however, issues that remain are unanswered and that are not addressed by the law. Until final regulations are issued, the Act, though already in effect, may not be functional.

Overview
The Act contemplates the establishment of a system for the voluntary reporting of patient safety incidents and near misses, then provides certain privilege and confidentiality protections to the information gathered and reported to Patient Safety Organizations (PSOs). Because providers will enjoy protection under the Act only if the information is actually reported, the Act creates an incentive for providers to report this information. The PSOs will then be able to collect and analyze patient safety data in a confidential manner. After conducting this analysis, PSOs will report back to providers on trends in health care errors and will offer guidance to them on how to eliminate or minimize these errors.

Definitions
The Act contains many new defined terms. Understanding these terms and how they are interrelated is essential to fully comprehend what the Act attempts to achieve.

Patient safety organization (PSO) means a private or public entity or component thereof that is listed by the Secretary of HHS pursuant to the Act.

Patient safety work product (PSWP) is defined as any data, reports, records, memoranda, analyses (such as root cause analyses), or written or oral statements which —

are assembled or developed by a provider for reporting to a PSO and are reported to a PSO or are developed by a PSO for the conduct of patient safety activities and which could result in improved patient safety, health care quality, or health care outcomes; or

identify or constitute the deliberations or analysis of, or identify the fact of reporting pursuant to, a patient safety evaluation system.

Patient safety work product does not include a patient's medical record, billing and discharge information, or any other original patient or provider record, nor does it include information that is collected, maintained, or developed separately, or exists separately, from a patient safety evaluation system. The Act expressly notes that reporting or submitting information that is excluded from the definition of patient safety work product will not allow such information to be considered PSWP.

Patient Safety Activities means the following activities:

Efforts to improve patient safety and the quality of health care delivery;

The collection and analysis of patient safety work product;

The development and dissemination of information with respect to improving patient safety, such as recommendations, protocols, or information regarding best practices;

The utilization of patient safety work product for the purposes of encouraging a culture of safety and of providing feedback and assistance to effectively minimize patient risk;

The maintenance of procedures to preserve confidentiality with respect to patient safety work product;

The provision of appropriate security measures with respect to patient safety work product;

The utilization of qualified staff;

Activities related to the operation of a patient safety evaluation system and to the provision of feedback to participants in a patient safety evaluation system.

Patient Safety Evaluation System means the collection, management, or analysis of information for reporting to or by a patient safety organization.

Provider means an individual or entity licensed or otherwise authorized under state law to provide health care services, and any other individual or entity specified in regulation promulgated by the Secretary of HHS. Provider includes, among other things, hospitals, nursing facilities, comprehensive outpatient rehabilitation facilities, home health agencies, hospice programs, ambulatory surgical centers, physician or health care practitioner's office, pharmacies, clinical laboratories, physicians, physician's assistants, nurse practitioners, certified registered nurse anesthetists, physical or occupational therapists, pharmacists, or other individual health care practitioners.

Privilege and Confidentiality Protections
Once PSWP exists, the Act provides that it is privileged and confidential, which generally prohibits it from being disclosed. Specifically, because PSWP is privileged, it is not:

Subject to a federal, state, or local civil, criminal, or administrative subpoena or order, including in a federal, state, or local civil or administrative disciplinary proceeding against a provider;

Subject to discovery in connection with a federal, state, or local civil or administrative disciplinary proceeding against a provider;

Admitted as evidence in any federal, state, or local governmental civil proceeding, criminal proceeding, administrative rulemaking proceeding, or administrative adjudicatory proceeding, including any such proceeding against a provider; or

Admitted in a professional disciplinary proceeding of a professional disciplinary body established or specifically authorized under state law.

Certain disclosures are permitted:

Disclosure of relevant PSWP for use in a criminal proceeding, but only after a court makes an in camera determination that such PSWP contains evidence of a criminal act and that such PSWP is material to the proceeding and is not reasonably available from any other source;

Disclosure of PSWP to the extent required to provide equitable relief to an aggrieved individual pursuant to a private cause of action brought by that individual against whom an impermissible adverse employment action has been taken (discussed further below);

Disclosure of identifiable PSWP if authorized by each provider identified in such work product;

Disclosure of PSWP to carry out patient safety activities;

Disclosure of nonidentifiable PSWP;

Disclosure of PSWP to grantees, contractors, or other entities carrying out research, evaluation, or demonstration projects authorized, funded, certified, or otherwise sanctioned by rule or other means by the Secretary of HHS, for the purpose of conducting research to the extent that disclosure of protected health information would be allowed for such purposes under the HIPAA confidentiality regulations;

Disclosure by a provider to the FDA with respect to a product or activity regulated by the FDA;

Voluntary disclosure of PSWP by a provider to an accrediting body that accredits that provider;

Disclosures that the Secretary of HHS may determine, by rule or other means, are necessary for business operations;

Disclosure of PSWP to law enforcement authorities relating to the commission of a crime (or to an event reasonably believed to be a crime) if the person making the disclosure believes, reasonably under the circumstances, that the PSWP being disclosed is necessary for criminal law enforcement purposes; and

With respect to a person other than a PSO, the disclosure of PSWP that does not include materials that either assess the quality of care of an identifiable provider or describe or pertain to one or more actions or failure to act by an identifiable provider.

Generally, PSWP continues to be privileged and confidential even after it has been disclosed. Thus, a person to whom PSWP is disclosed is responsible for ensuring the continued protection of the privilege and confidentiality of the PSWP. In two instances, however, the confidentiality and privilege protections no longer apply: (1) when PSWP is disclosed in a criminal proceeding; and (2) when nonidentifiable PSWP is disclosed.

Limitations on Actions/Disclosure
Certain protections and limitations apply to the disclosure of PSWP and the actions taken pursuant to the reporting of PSWP. A PSO may not be compelled to disclose information collected or developed pursuant to the Act whether or not such information is PSWP unless the information is identified, is not PSWP, and is not reasonably available from another source. This limitation, however, does not apply in an action against a PSO or to certain other permitted disclosures (i.e., disclosure in a criminal proceeding; disclosure in the case of an individual alleging an adverse employment action; and disclosure of identifiable PSWP authorized by providers identified in such work product).

An accrediting body is prohibited from taking accrediting action against a provider based on the provider's good faith participation in the collection, development, reporting, or maintenance of PSWP pursuant to the Act.

The Act also provides whistleblower protection. A provider may not take an adverse employment action against an individual who in good faith reports patient safety information to the provider or directly to the PSO. Adverse employment action includes loss of employment; the failure to promote an individual; the failure to provide any other employment-related benefit for which the individual would otherwise be eligible; or an adverse evaluation or decision made in relation to accreditation, certification, credentialing, or licensing of the individual.

Civil Monetary Penalties
HHS is given the authority to assess a civil monetary penalty (CMP) for violating the confidentiality and privilege provisions of the Act. An individual who knowingly and recklessly discloses identifiable PSWP shall be subject to a civil monetary penalty of not more than $10,000 for each act constituting a violation. The Secretary of HHS has the authority to assess a CMP pursuant to the authority granted under the federal CMP statute. Under the federal CMP statute there is a six-year statute of limitations for a violation under the Act. The Act does not allow for double penalties — that is, sanctions may not be imposed under both the Act and the HIPAA regulations for a single act or omission.

Private Action Permitted
Under the Act, an aggrieved individual may bring a civil action to enjoin an act or practice of or to obtain appropriate equitable relief from a provider that has taken an adverse employment action against that individual subsequent to a report the individual has made to the provider to a PSO.

PSOs and HIPAA
PSOs will be treated as business associates under the HIPAA regulations and patient safety activities of such organizations in relation to a provider constitute health care operations (as defined in the HIPAA regulations) of the provider.

Network of Patient Safety Databases
The Secretary of HHS is authorized to create and maintain a network of patient safety databases that provides an interactive evidence-based management resource for providers, PSOs, and other entities. The network of databases will accept, aggregate across the network, and analyze nonidentifiable PSWP voluntarily reported by PSOs, providers, or other entities. The Secretary will also assess the feasibility of providing a single point of access to the network for qualified researchers for information aggregated across the network and, if feasible, provide for implementation.

To facilitate reporting, the Secretary may create standard reporting formats for reporting to and among the network of patient safety databases, including necessary work product elements, common and consistent definitions, and standardized computer interface for the processing of such work product. The information reported in the network of patient safety databases will be used to analyze the trends and patterns of health care errors nationally and regionally. Error data will be available to the public and will be included in the annual quality reports submitted by providers as required by the Public Health Service Act.

As a means to measure the early effects of the network of databases, the Secretary of HHS is required to submit to the Institute of Medicine for review a draft report on effective strategies for reducing medical errors and increasing patient safety no later than 18 months after any network of patient safety databases is operational. The draft report will include the Secretary's recommendations for the appropriate use of such strategies, including use in any federally funded programs. The draft report also will be made available for public comment. The Secretary must submit a final report to Congress no more than one year later.

Certification of PSOs
To be a PSO, an entity must be certified and listed by HHS. A PSO must renew its certification every three years. To be certified, the entity must meet the following criteria:

The entity's mission and primary activity are to conduct activities that are intended to improve patient safety and the quality of health care delivery.

The entity has appropriately qualified staff (whether directly or under contract), including licensed or certified medical professionals.

The entity, within each 24-month period that begins after the entity is listed, has bona fide contracts, each of a reasonable period of time, with one or more providers for the purpose of receiving and reviewing PSWP.

The entity is not, and is not a component of, a health insurance issuer.

The entity shall fully disclose:

any financial, reporting, or contractual relationship between the entity and any provider that contracts with the entity; and

if applicable, the fact that the entity is not managed, controlled, and operated independently from any provider that contracts with the entity.

To the extent practical and appropriate, the entity collects PSWP from providers in a standardized manner that permits valid comparisons of similar cases among similar providers.

The utilization of PSWP for the purpose of providing direct feedback and assistance to providers to effectively minimize patient risk.

If an entity seeking to be a PSO is a component of another organization, it must also meet the following criteria to be certified:

The entity maintains PSWP separately from the rest of the organization, and establishes appropriate security measures to maintain the confidentiality of the PSWP.

The entity does not make an unauthorized disclosure of PSWP to the rest of the organization in breach of confidentiality.

The mission of the entity does not create a conflict of interest with the rest of the organization.

If an entity discloses that it has a financial, reporting, or contractual relationship with any provider that contracts with the entity, and the entity is not managed, controlled, and operated independently from any provider that contracts with the entity, the Secretary of HHS is authorized to determine whether the entity can fairly and accurately perform the patient safety activities of a PSO. Such findings will be taken into consideration by the Secretary when deciding whether to grant the initial and subsequent certification applications submitted by the organization. The Secretary must notify an entity of the reasons for denying the certification.

The Act outlines the process for appeal of the Secretary's determination that an organization no longer meets the PSO requirements. The PSO will be provided a notice of deficiency, be afforded an opportunity for a hearing, and be given a reasonable opportunity for correction of deficiencies. If the Secretary still determines that the organization does not meet the certification criteria, the Secretary is authorized to revoke the organization's certification. Fifteen days after the date of the notice of revocation, the entity must submit a confirmation to the Secretary that the entity has taken reasonable actions to notify each provider that reports PSWP to the entity of the revocation of the organization's certification. Notice of the revocation will be published in the Federal Register.

Status of Data After Removal from Listing
Once an organization is removed, either by HHS or by the entity itself, from the HHS listing of certified PSOs, PSWP submitted while the organization was listed, and data that is submitted within 30 days of the organization's being removed from the listing of certified PSOs, continues to be privileged and confidential. If a PSO received data within 30 days of its removal from the Secretary's listing of certified organizations, the PSO must:

With the approval of the submitting entity and another PSO, transfer the received work product and data to the other PSO;

Return such work product or data to the submitting entity; or

If returning such work product or data to such entity is not practicable, destroy such work product or data.

The Act and State Laws
The Act preempts all inconsistent federal, state, or local laws but permits the application of any federal, state or local law that provides greater privilege and confidentiality protections. Additionally, the Act does not preempt or otherwise affect any state law that requires a provider to report and provides protections for information that is not PSWP.

Issues of Concern for Providers
The Act defines provider very broadly to include any individual or entity licensed by the state to provide health care services. Among this range of providers that fall within the scope of the Act are hospitals, skilled nursing facilities, hospices, home health agencies, renal dialysis facilities, ambulatory surgical centers, physician group practices, clinical laboratories, pharmacists, and certified nurse midwives, to name a few. Many of the issues that are faced by these providers will be similar. Generally:

What is the confidential/privilege status of data prepared through a patient safety evaluation system prior to the certification and listing of PSOs?

If information that is assembled as PSWP is used for other purposes of the institution, i.e., peer review, quality improvement, and/or risk management, that is maintained "separately" from PSWP, does the PSWP lose its confidentiality because of this other use?

Can peer review activities of providers be considered to be PSWP?

How does a provider choose a PSO?

How will contracting with a PSO work?

To what extent are external expert reports that are received by Patient Safety Evaluation Systems protected?

With respect to institutional entities:

How may individual health care providers who are employees of institutional health care entities report patient safety information separately from the entity? Will there be a mechanism by which double reporting of the same event can be avoided?
If an existing law requires that an event be reported (e.g., the reporting of a death in the facility), does the Act supercede the reporting requirement and protect this information from such reporting if it is handled in accordance with the procedures established by the Act?
If the institution wants to create a PSO, what would HHS consider to be an appropriate security measure to separate the reported PSWP from the rest of the organization?
If information about an adverse event and subsequent investigations are considered confidential/privileged, how does a provider deal with the reporting of any adverse events that are discovered through investigations pursuant to the initial adverse event?
Assuming that disclosure of information reported/discovered as a result of surveys or investigations is not in itself protected, would the subse-quent investigation be protected if it otherwise complies with PSWP requirements?

Although there are still many unanswered questions regarding the Act, it is nonetheless an important step in providing the appropriate environment in which to encourage providers to report medical mistakes and near misses. Hopefully, the AHRQ will act quickly to issue draft regulations for comment by the industry and speed the implementation of the Act. Since the definition of PSWP includes the requirement that providers actually report to a PSO, and PSOs cannot be established until implementing regulations are adopted, the protections afforded under the Act most likely are not yet available even though the Act is currently effective. We encourage providers to monitor the development of regulations and to begin reviewing their existing state laws to determine what impact the Act will have on those laws. Finally, providers should begin reviewing their internal adverse event and peer review reporting processes to determine whether changes need to be considered in light of the provisions of the Act.