Assess Compatibility of Anticipated PSO Operations with Patient Safety Rule Requirements

The individual who signs the Certification for Initial Listing Form must be able to accurately attest that the entity will comply with all requirements in the Patient Safety Act and Rule if listed. To prepare, it is important to assess plans for the prospective PSO's operations and services in relation to each requirement in the Certification for Initial Listing Form.

Below are examples of just a few of the Patient Safety Rule requirements that need to be considered when developing plans for a prospective PSO.

Examples of Requirements Related to Security, Confidentiality, and Limitations on the Disclosure of PSWP

Start by reviewing the definitions of PSWP and disclosure; the exceptions to confidentiality (section 3.206(b) and related requirements in section 3.212); and the security requirements (section 3.106). Identify and carefully consider all anticipated PSO operations that may involve any access to, transfer of, or release of PSWP. PSWP must remain confidential unless there is an applicable exception to confidentiality (also referred to as a "disclosure permission") in the Patient Safety Rule. PSWP may only be permissibly disclosed if the contemplated disclosure fits all of the requirements of an applicable exception to confidentiality in section 3.206(b). Read carefully, as each exception/disclosure permission is very specific about who can make the disclosure, who can receive the PSWP and under what circumstances, and whether the PSWP must meet specific anonymization or non-identification requirements before it can be disclosed.

When planning for the security of PSWP, remember that the requirements in section 3.106 must be met at all times and at any location (physical and virtual) at which the PSO, its workforce members, or its contractors receive, access, or handle patient safety work product. Handling PSWP includes its processing, development, use, maintenance, storage, removal, disclosure, transmission, and destruction. The PSO must also address the requirement to physically separate PSWP from non-PSWP or, if co-located with non-patient safety work product, to make it distinguishable so that the appropriate form and level of security can be applied and maintained.

It is also helpful to be aware of the requirements for disposition of PSWP when a PSO is delisted (section 3.108(b)(3)) to be sure they would not preclude any aspects of anticipated PSO operations.

Examples of Requirements That Must Be Met by a PSO Within Certain Timeframes

When developing plans for a prospective PSO, consider how long it is likely to take before the plans can be fully implemented. Once listed, the PSO must meet certain requirements within the specified timeframes in order to remain listed. For example:

  • Within the first 2 years after listing, the PSO must have bona fide contracts with two different providers for the purpose of receiving and reviewing PSWP.
  • Before the end of the first 3-year continued listing period, the PSO must have performed all eight patient safety activities and be able to attest that it will continue to do so.
  • If the PSO has a relationship with a provider fitting the description in section 3.102(d)(2) and enters into a Patient Safety Act contract with the same provider, the PSO must complete and submit the required disclosure statement by the deadlines specified in the Patient Safety Rule.

FDA Reporting Requirements

Another issue to consider is whether the entity seeking listing is subject to any Federal Food, Drug, and Cosmetic Act (FDA) reporting requirements. The Patient Safety Act works in concert with FDA laws promoting patient safety. FDA reporting responsibilities do not change when an entity becomes listed as a PSO or becomes the parent organization of a component PSO. Being an FDA-regulated reporting entity, or being organizationally related to an FDA-regulated reporting entity, may have implications for the confidentiality of PSWP collected and developed as a listed PSO. (See "Department of Health and Human Services Guidance Regarding Patient Safety Organizations' Reporting Obligations and the Patient Safety and Quality Improvement Act of 2005.")

Requirements Related to the HIPAA Privacy and Security Rules

If anticipated PSO operations will involve receipt from providers of PSWP that includes patient information, consider obligations that may arise under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. For example, the PSO may need to enter into a business associate agreement with its reporting providers. A PSO is considered a business associate of a healthcare provider if the relationship meets two conditions: (1) the provider meets the HIPAA definition of a covered entity; and (2) the PSO performs a function (such as patient safety activities) on behalf of a covered healthcare provider that requires the PSO to receive and use PSWP that contains protected health information (PHI) as defined in the HIPAA Privacy Rule.

To learn more about the obligations of a PSO that is also a HIPAA business associate and the definitions of related HIPAA terms, consult the website maintained by the Office for Civil Rights. Additional business associate security provisions under the HIPAA Security Rule apply to electronic patient health information held by business associates. See HIPAA Security Rule requirements for information.

Page last reviewed August 2021
Page originally created July 2021

Internet Citation: Assess Compatibility of Anticipated PSO Operations with Patient Safety Rule Requirements. Content last reviewed August 2021. Agency for Healthcare Research and Quality, Rockville, MD.