This article addresses patient confidentiality and security related to patient safety evaluation systems, investigations, root cause analyses, and compliance to rules and regulations.  It is a basic introduction to help understand the importance of appropriately managing this type of privileged information.

The goal of achieving quality and patient safety is to improve patient safety outcomes by creating an environment where providers can report and examine patient safety events without fear of increased liability risk.  Greater reporting and analysis of patient safety events will help gain a better understanding of patient safety events and result in improvements from lessons learned.

Healthcare is like "alphabet soup" – filled with acronyms, abbreviations, and terms unique to our profession.  Let's define the three acronyms used in the title of this article and how these three rules interact from a compliance perspective.

PSQIA established a voluntary reporting system with the government's intent to enhance the data available to assess and resolve patient safety and healthcare quality issues.

On July 29, 2005, the president signed the Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act, 42 U.S.C. sections 299b-21 to 299b-26) into law. The Patient Safety Act amended Title IX of the Public Health Service Act to provide for the improvement of patient safety and to reduce the incidence of events that adversely affect patient safety by authorizing the creation of patient safety organizations (PSOs).

The Agency for Healthcare Research and Quality (AHRQ) lists patient safety organizations which work with providers to improve quality and safety through the collection and analysis of aggregated, confidential data on patient safety events.

PSQIA authorizes our government's Health & Human Services (HHS) to impose civil money penalties (CMPs) for violations of patient safety confidentiality.  The Office for Civil Rights (OCR) has been delegated the responsibility for interpretation and implementation of the confidentiality protections and enforcement provisions.  When OCR is unable to achieve an informal resolution of an indicated violation through such voluntary compliance, the Secretary may impose a CMP of up to $11,000 for each knowing and reckless disclosure of PSWP that is in violation of the confidentiality provisions.

To encourage the reporting and analysis of medical errors, PSQIA provides federal privilege and confidentiality protections for patient safety information, called patient safety work product (PSWP).

PSWP includes patient, provider, and reporter identifying information that is collected, created, or used for patient safety activities.

The PSWP is both privileged and confidential under the PSQIA.  PSWP is confidential and may only be disclosed in certain, very limited situations, where civil money penalties (CMPs) for impermissible disclosures of this information can be imposed.

PSWP is considered any data, reports, records, memoranda, analyses (such as root cause analyses), gap analysis, 8D approach, and written or oral statements that are: assembled for reporting to a Patient Safety Organization (PSO), reported to a PSO, or developed by a PSO for the conduct of patient safety activities that could result in improved patient safety, healthcare quality, or healthcare outcomes.  It also applies to data used in a patient safety evaluation system (PSES).

PSWP may also include patient information that is protected health information as defined by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (see 45 CFR 160.103).

PSWP differs from HIPAA as PSWP does not include a patient's medical record, billing and discharge information, or any other original patient or provider record. It does not include information that is collected, maintained, or developed separately, or exists separately, from a patient safety evaluation system.

According to the final PSQIA rule, the HIPAA Privacy Rule does not require covered providers to obtain patient authorizations to disclose patient safety work product containing protected health information to PSOs. This is because patient safety activities are considered healthcare operations, typically addressed in the Covered Entity's Notice of Privacy Practices (NOPP).  PSOs are business associates and should be operating under a Business Associate Agreement or BAA to be compliant under HIPAA rules.

As a Covered Entity (CE) or Business Associate (BA) under HIPAA, regulated entities are required to implement a security management process to prevent, detect, contain, and correct security violations.  This process includes conducting a risk analysis to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

A regulated entity that has weak cybersecurity practices makes itself an attractive soft target.  Hackers can penetrate a regulated entity's network and gain access to ePHI by exploiting known vulnerabilities.  Malicious cyber-attacks targeting the healthcare sector continue to increase. 

PSQIA, PSWP, and HIPAA are government regulations working together to link healthcare quality and patient safety with privacy and security of privileged information.

All healthcare providers are expected to investigate any patient safety issues and stay HIPAA compliant while doing so. Sharing information to improve quality and safety in our healthcare environment is needed to mitigate risk and promote improved reimbursement.