HHS Agency Roles
Why is AHRQ responsible for the regulation of PSOs?
Congress vested the authority for implementing the Patient Safety Act with AHRQ by incorporating its provisions into AHRQ's authorizing statute. As the lead Federal agency for patient safety research, AHRQ is an appropriate partner for PSOs and healthcare providers.
Which agencies within the Department of Health and Human Services (HHS) implement the Patient Safety Act?
AHRQ is responsible for the provisions dealing with the listing of PSOs such as administering the certification processes for listing; verifying that PSOs meet their obligations under the Patient Safety Rule; working with PSOs to correct any deficiencies in their operations; and, if necessary, revoking the listing of a PSO that remains out of compliance with the requirements. The Office for Civil Rights (OCR) administers and enforces the confidentiality protections provided to PSWP.
What is AHRQ's role in providing technical assistance?
AHRQ provides additional information and clarification on the PSO listing process, listed PSOs, the Patient Safety Rule, and other PSO activities, such as the Common Formats. PSOs, healthcare providers, and other interested parties should contact AHRQ with requests for technical assistance.
How does AHRQ ensure that a listed PSO is in compliance with the statutory requirements as outlined in the Patient Safety Rule?
The Patient Safety Rule establishes in Subpart B the requirements that an entity must meet to seek listing, and remain listed, as a PSO. The Patient Safety Rule relies primarily upon a system of attestations, which places a significant burden for understanding and complying with these requirements on the PSO. However, the Patient Safety Rule also authorizes AHRQ to conduct reviews (including announced or unannounced site visits) to assess PSO compliance. To assist PSOs in making the required attestations and preparing for a compliance review, AHRQ developed a Patient Safety Organization (PSO) Listing Guide to suggest approaches for thinking systematically about the scope of these requirements and what compliance may mean for an individual PSO.
What role will OCR have regarding the Patient Safety Rule?
OCR is responsible for the investigation and enforcement of the confidentiality provisions of the Patient Safety Rule. OCR will investigate allegations of violations of confidentiality through a complaint-driven system. To the extent practicable, OCR will seek cooperation in obtaining compliance with the confidentiality provisions, including providing technical assistance. When OCR is unable to achieve an informal resolution of an indicated violation through voluntary compliance, the HHS Secretary has the discretion to impose a civil money penalty (CMP) against any PSO, provider, or responsible person for each knowing and reckless disclosure that is in violation of the confidentiality provisions. The maximum dollar amount of the CMP that can be imposed is updated annually, as described in section 3.404 of the Patient Safety Rule, in accordance with the Federal Civil Monetary Penalty Inflation Adjustment Act of 1990 (Pub. L. 101-140), as amended by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 (section 701 of Pub. L. 114-74). The amount, as updated, is published at 45 CFR Part 102.
PSO General Information
What is a PSO?
A Patient Safety Organization (PSO) works with healthcare providers to help them improve patient safety and healthcare quality and encourage a culture of safety. PSOs analyze data voluntarily reported by providers and provide feedback aimed at promoting learning and minimizing patient risk. Working with a PSO makes it possible for information to receive certain legal protections and to be contributed to the Network of Patient Safety Databases (NPSD). PSOs were created by the Patient Safety and Quality Improvement Act of 2005 (the Patient Safety Act). AHRQ, on behalf of the Secretary of the U.S. Department of Health & Human Services, lists entities as PSOs when they meet the applicable requirements in the Patient Safety Act.
What are "patient safety activities"?
There are eight patient safety activities that are carried out by, or on behalf of a PSO, or a healthcare provider:
- Efforts to improve patient safety and the quality of healthcare delivery
- The collection and analysis of patient safety work product (PSWP)
- The development and dissemination of information regarding patient safety, such as recommendations, protocols, or information regarding best practices
- The utilization of PSWP for the purposes of encouraging a culture of safety as well as providing feedback and assistance to effectively minimize patient risk
- The maintenance of procedures to preserve confidentiality with respect to PSWP
- The provision of appropriate security measures with respect to PSWP
- The utilization of qualified staff
- Activities related to the operation of a patient safety evaluation system and to the provision of feedback to participants in a patient safety evaluation system
The term "safety" refers to reducing risk from harm and injury, while the term "quality" suggests striving for excellence and value. By addressing common, preventable adverse events, a healthcare setting can become safer, thereby enhancing the quality of care delivered. PSOs create a secure environment where clinicians and healthcare organizations can collect, aggregate, and analyze data, thus identifying and reducing the risks and hazards associated with patient care and improving quality.
Purpose of a PSO
What is Patient Safety Work Product?
PSWP is the information protected by the privilege and confidentiality protections of the Patient Safety Act and Patient Safety Rule. PSWP may identify the providers involved in a patient safety event and/or a provider employee that reported the information about the patient safety event. PSWP may also include patient information that is protected health information as defined by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (see 45 CFR 160.103).
Do PSOs receive Federal funding?
PSOs do not receive Federal funding.
What are the benefits to healthcare providers who work with a PSO?
PSOs serve as independent, external experts who can assist providers in analyzing data that a provider voluntarily chooses to report to the PSO. Providers that work with a PSO can benefit from the ability of PSOs to aggregate data from all of the providers reporting to the PSO, enabling many PSOs to develop the large numbers of patient safety events essential for identifying the underlying causes of infrequent, but often tragic, adverse events.
The Patient Safety Act and Rule provide protections that are designed to allay fears of providers of increased risk of liability if they voluntarily participate in the collection and analysis of patient safety events. The uniform Federal protections that apply to a provider's relationship with a PSO are expected to remove significant barriers that can deter the participation of healthcare providers in patient safety and quality improvement initiatives, such as fear of legal liability or professional sanctions.
AHRQ has published a short brochure, "Choosing a Patient Safety Organization," to help providers select a PSO appropriate to their needs.
What is the difference between the "Listed PSO" logo and the "AHRQ Common Formats" logo?
PSOs that are currently listed by Secretary are entitled to display the "Listed PSO" logo. This logo is intended to identify entities whose PSO certifications have been accepted in accordance with Section 3.104(a) of the Patient Safety Rule. Before working with a PSO, however, healthcare providers are encouraged to review AHRQ's directory to confirm that the entity being considered is still a listed PSO.
The "AHRQ Common Formats" logo may be displayed by any organization that is using the Common Formats developed by AHRQ. Such entities do not need to be listed as a PSO by the HHS Secretary to employ the Common Formats and thus display the logo. The Common Formats are available in the public domain to facilitate their widespread adoption and implementation. Entities that display the logo should use the Common Formats as a whole; however, entities that have a limited focus may use the Common Formats that pertain only to that area.
How can a hospital utilize the services of a PSO to help reduce readmission rates for various conditions?
For hospitals with high risk-adjusted readmission rates for certain conditions, the Affordable Care Act contains provisions that are aimed at decreasing those rates. The law states that these hospitals may enlist PSOs to help reduce their rates. The PSO readmissions Web page contains helpful information and tools that can be used by such hospitals, and PSOs that work with those hospitals, to address the causes of unnecessary readmissions. In fact, any hospital can work with a PSO on any patient safety issue of the hospital's choice. Because services offered by PSOs to help reduce readmissions will vary, AHRQ recommends consulting a PSO's Web site to determine if that PSO is offering such assistance.
Hospitals that wish to identify factors associated with unnecessary readmissions are encouraged to consider using Common Format–Readmissions Version 0.1 Beta. This standardized Common Format allows hospitals to aggregate data on readmissions. In addition, hospitals can compare their data to others and analyze trends on a community, regional, and national level. To access Common Formats–Readmissions Version 0.1 Beta, go to the Patient Safety Organization Privacy Protection Center (PPC) Web site. Learn more about the Common Formats.
What if a public entity PSO faces state requirements for disposition of information collected that conflict with the Patient Safety Rule's disposition requirements for PSWP?
The disposition requirements for PSWP preempt any conflicting state requirements for disposition of information. 73 FR 70768
Privacy and Confidentiality Protections
What are the privacy and confidentiality protections for PSWP?
The Patient Safety Act and Rule make PSWP privileged and confidential. Subject to certain specific exceptions, PSWP may not be used in criminal, civil, administrative, or disciplinary proceedings. PSWP may only be disclosed pursuant to an applicable disclosure exception (see Patient Safety Rule Section 3.206).
How can a healthcare provider and a PSO exchange information to promote patient safety and quality, while complying with the provisions of the Patient Safety Act and the Patient Safety Rule?
This diagram, Working with a PSO: One Approach, AHRQ Publication No. 13-PS-018, illustrates how information can flow between a provider and its PSO-primarily, between the provider's patient safety evaluation system (PSES) and the PSES of the PSO. A provider PSES manages the collection of information for reporting to a PSO. The diagram shows the flow of protected information, to be handled as PSWP. PSWP analyzed by the PSO forms the basis of protected recommendations from the PSO to the provider. PSWP can undergo nonidentification for combination with data from other PSOs, to become publicly accessible.
If a PSO is revoked for cause (i.e., noncompliance with the requirements that each PSO must meet) and a healthcare provider inadvertently submits data to that entity, is the data protected?
If a PSO's listing is revoked for cause, healthcare providers may continue to submit data to the delisted PSO for 30 calendar days, beginning on the date and time that the PSO is delisted and ending 30 days thereafter. Data submitted during this 30 day period are treated as PSWP and are subject to the confidentiality and privilege protections of the Patient Safety Act.
For example, if a PSO is delisted for cause at midnight on March 1, a healthcare provider can continue to submit data to the delisted PSO until midnight on March 31 and the data will be protected. Data submitted to the former PSO after midnight on March 31 would not be protected. All PSWP submitted to a former PSO in accordance with provisions of the Patient Safety Act and Patient Safety Rule remains protected after the PSO ceases operations.
What is the relationship between the Patient Safety Rule and the HIPAA Privacy Rule?
PSWP may contain individually identifiable health information as defined in the HIPAA Privacy Rule. Healthcare providers that are HIPAA-covered entities must comply with the use disclosure exceptions for PSWP as well as the permissions and disclosure requirements concerning protected health information (PHI) set forth by the HIPAA Privacy Rule, as well as the limitations on the disclosure of information found in the Patient Safety Rule when disclosing PSWP. PSOs that are business associates of HIPAA-covered entities are subject to the limitations on the use and disclosure of PHI. Also, a PSO is a business associate of a HIPAA-covered provider subject to the business associate requirements of the HIPAA Privacy Rule.
What is the importance of the privacy and confidentiality protections for PSWP?
The Patient Safety Act makes PSWP privileged and confidential. The Patient Safety Act and the Patient Safety Rule generally bar the use of PSWP in criminal, civil, administrative, or disciplinary proceedings except where specifically permitted. Strong privacy and confidentiality protections are intended to encourage greater participation by providers in the examination of patient safety events. By establishing strong protections, providers may engage in more detailed discussions about the causes of adverse events without the fear of liability from information and analyses generated from those discussions. Greater participation by healthcare providers will ultimately result in more opportunities to identify and address the causes of adverse events, thereby improving patient safety overall.
Is information submitted to the NPSD safe?
Yes. PSWP must be nonidentified before it is submitted to the NPSD. Nonidentification requires that the information identifying individual and institutional providers, patients, and provider employees reporting patient safety events be removed from the PSWP.
Can a healthcare provider work with more than one PSO? If so, is the PSWP protected?
The Patient Safety Rule permits a healthcare provider, such as a hospital, to work with more than one PSO. Any information that is eligible to become PSWP reported to a PSO by a healthcare provider is protected. The definition of PSWP (Patient Safety Rule Section 3.20) provides important detail on what information is eligible for protection and when those protections apply.
Can original provider records be protected as PSWP?
A patient's original medical record, billing and discharge information, and any other original patient or provider records cannot become PSWP. Copies of selected parts of original provider records may become PSWP.
What specific protections does the Patient Safety Act and Rule provide?
The Patient Safety Act and Rule provide privilege and confidentiality protections to specific types of information developed when a provider works with a PSO, such as the data collected and reported to PSOs by providers and the communications and feedback a provider receives from the PSO. Subject to certain specific exceptions, PSWP may not be used in criminal, civil, administrative, or disciplinary proceedings. PSWP may only be disclosed pursuant to an applicable disclosure permission specified in the rule. (see Patient Safety Rule Section 3.206).
What is the purpose of the Patient Safety and Quality Improvement Act of 2005 (PSQIA), Public Law 109-41?
The purpose of the Act is to encourage providers to work voluntarily with new organizations, known as Patient Safety Organizations (PSOs), to improve patient safety and to reduce the incidence of events that adversely affect patients. Often referred to as the Patient Safety Act, the provisions of this law dealing with PSOs are administered by the Agency for Healthcare Research and Quality (AHRQ) and the provisions dealing with its confidentiality protections are interpreted and enforced by the Office for Civil Rights (OCR). For more information on the Act and how organizations can become PSOs, go to the Web site: https://pso.ahrq.gov.
Is a PSO required to meet the appropriately qualified workforce requirement when a PSO is not collecting or analyzing patient safety work product?
Yes, a PSO is required to meet the appropriately qualified workforce requirement at all times that a PSO is listed. This includes periods when a PSO is not collecting or analyzing patient safety work product.
Is every PSO required to engage a medical doctor to meet the appropriately qualified workforce requirement?
No, the Patient Safety Rule requires that a PSO's appropriately qualified workforce includes "licensed or certified medical professionals." Medical doctors are just one example of licensed or certified medical professionals who may meet this requirement. HHS interprets the Patient Safety Rule as requiring a PSO to have a qualified workforce that is appropriate for the collection and analysis of patient safety work product performed by that PSO, and the healthcare industry utilizes many individuals with a wide variety of expertise to perform activities and services throughout a wide range of delivery modalities. Depending upon the specific activities and services to be performed by the PSO, medical doctors and/or other licensed or certified medical professionals with sufficient expertise to be able to perform the PSO's patient safety activities may satisfy the PSO's requirement to have appropriately qualified workforce members.
What is an example of how a PSO's collection and analysis of patient safety work product could change requiring additional expertise?
If a PSO only engages in the collection and analysis of patient safety work product involving non-institutional pediatric safety events, the PSO's requirement to have an appropriately qualified workforce would be satisfied by a currently licensed pediatrician who is a member of the PSO's workforce and has sufficient knowledge, expertise, and experience related to non-institutional pediatric safety events. If the PSO were to broaden its scope through a contract for the collection and analysis of patient safety work product at a local nursing home, the PSO should assess whether the medical expertise of the PSO's workforce includes sufficient knowledge, expertise, and experience to address nursing home safety events. If the only workforce member with medical knowledge, expertise, and experience is the pediatrician and the pediatrician has insufficient medical knowledge, expertise, and experience regarding nursing homes, the PSO would not have a qualified workforce that is appropriate to collect and analyze patient safety work product involving nursing homes. By contrast, if the PSO also had a currently licensed geriatrician as a member of the workforce, the PSO may meet the appropriately qualified workforce requirement depending upon the knowledge, expertise, and experience of the geriatrician.
Is a PSO required to engage with additional experts if the PSO adjusts its activities or areas of focus?
A PSO may be required to engage additional qualified workforce members as the activities, services, and subject matter of the collection and analysis of patient safety work product performed by a PSO change. A PSO is required to maintain qualified workforce members that have sufficient expertise to be able to perform the collection and analysis of patient safety work product throughout the duration of the PSO's listing. If the nature of services or subject matter of patient safety work product collected and analyzed by a PSO changes, a PSO is required to ensure that its qualified workforce is appropriate for such changes. A PSO should periodically assess whether its qualified workforce is appropriate for the services it performs to maintain listing.
May a PSO meet the requirement that its appropriately qualified workforce include licensed or certified medical professionals with contracted medical professionals?
Yes, a PSO may meet this aspect of the appropriately qualified workforce requirement by contracting with individuals as long as the individuals are workforce members, meaning they are under the direct control of the PSO. A contractor that is not under the direct control of the PSO is not a workforce member for purposes of the appropriately qualified workforce requirement. For more information about the definition of workforce member and the direct control requirement, see the Notice of Proposed Rule Making preamble discussion at 73 FR 8158-8159 (February 12, 2008) discussing the liability of a principal and the Federal Common Law of Agency.
When is an individual considered a member of a PSO's workforce?
The Patient Safety Rule defines a workforce member as an employee, volunteer, trainee, contractor, or other person whose conduct is under the direct control of an entity. For an individual to be part of a PSO's workforce, the individual must be under the direct control of the PSO. For more information about the direct control requirement, see the Notice of Proposed Rule Making preamble discussion at 73 FR 8158-8159 (February 12, 2008) discussing the Federal Common Law of Agency.
What is the difference between a PSO's overall workforce and appropriately qualified workforce members?
A PSO's workforce includes any individual whose conduct is under the direct control of the PSO. It could include individuals not directly involved with the conduct of patient safety activities, such as workforce members that are involved in routine administrative operations that do not involve or impact the required certifications of a PSO. HHS interprets the Patient Safety Rule's requirement for PSOs to have appropriately qualified workforce members to concern the qualifications possessed by a PSO's workforce to provide appropriate collection and analysis of patient safety work product.
Generally, what are the staffing and personnel requirements of a PSO?
There are two provisions in the Patient Safety Rule that address requirements for a PSO to maintain personnel for PSO operations. First, a PSO must have appropriately qualified workforce members, including licensed or certified medical professionals, as described in the PSO listing criteria at 42 CFR 3.102(b)(2)(i)(B). Second, a PSO is required to conduct patient safety activities, including the utilization of qualified staff, as described at 42 CFR 3.20.
What expertise is required of a PSO's appropriately qualified workforce?
HHS interprets a PSO's requirement to have an appropriately qualified workforce to mean that a PSO is expected to maintain workforce members that have sufficient expertise to be able to perform patient safety activities, such as the analysis of patient safety work product, and other services offered as a PSO.
Is a PSO required to have licensed or certified medical professionals as part of its workforce?
Yes, part of the PSO's requirement to have an appropriately qualified workforce includes that the PSO must have workforce members who are licensed or certified medical professionals, and they must be appropriately qualified. An example of a licensed medical professional being appropriately qualified for the work of the PSO would be a PSO specializing in pediatric safety events that has a currently licensed medical professional with relevant knowledge, expertise, and experience in pediatrics as a workforce member. If the same PSO specializing in pediatric safety events maintains a geriatrician as the only workforce medical professional, the PSO would have an insufficiently qualified workforce.
Component PSOs and Shared Staffing Agreements
Under what circumstances may a component PSO allow its parent organization to have access to PSWP?
A component PSO may only disclose PSWP to its parent organization (emphasis added) if permitted by an applicable exception to confidentiality in section 3.206 of the Patient Safety Rule.
Disclosure means the release, transfer, provision of access to, or divulging in any other manner of patient safety work product by:
(1) An entity or natural person holding the patient safety work product to another legally separate entity or natural person, other than a workforce member of, or a healthcare provider holding privileges with, the entity holding the patient safety work product; or
(2) A component PSO to another entity or natural person outside the component PSO and within the legal entity of which the component PSO is a part.
The Patient Safety Rule requires that a component PSO maintain PSWP separately and securely from the rest of the parent organization of which it is a part. A component PSO must require that members of its workforce and any other contractor staff not make unauthorized disclosures of patient safety work product to the parent organization(s).
If the conditions of section 3.102(c)(3) and, when applicable, of section 3.102(c)(4)(ii)(B) of the Patient Safety Rule are met, a component PSO may permit individuals or units from its parent organization to serve in the capacity of PSO workforce member to assist the component PSO in its conduct of patient safety activities.
Workforce means employees, volunteers, trainees, contractors, or other persons whose conduct, in the performance of work for a provider, PSO or responsible person, is under the direct control of such provider, PSO or responsible person, whether or not they are paid by the provider, PSO or responsible person.
Access to PSWP by component PSO workforce members within the PSO is considered a use of PSWP and not a disclosure (emphasis added). If individuals or units of the parent organization serve as PSO workforce, they may only use or disclose the PSWP in their capacity as component PSO workforce members.
What are the circumstances in which a component PSO may not engage an individual or unit of its parent organization in the work of the PSO?
In general, a component PSO may not share staff with its parent organization (i.e., utilize individuals or units from its parent organization in the work of the PSO) if the parent organization is ineligible for PSO listing as an excluded entity (i.e., one of the types of entities listed in section 3.102(a)(2) of the Patient Safety Rule). A health insurance issuer may not form a component PSO, but the other excluded entities listed in 3.102(a)(2)(ii) may do so. If the component PSO's parent is an excluded entity that is permitted to form a component PSO, the PSO may utilize only individuals or units of its parent organization that are not involved in the ineligible activities (see 3.102(c)(4)(ii)(B)). All of the requirements at section 3.102(c)(3) must also be met, including the requirement to have a written agreement with each such individual or unit.
What are the requirements if a component PSO wishes to use individuals or units of its parent organization as PSO workforce for assistance in performing patient safety activities?
A component PSO that wishes to use eligible individuals or units of its parent organization as PSO workforce must comply with all of the applicable requirements in section 3.102(c) of the Patient Safety Rule. These include a requirement to enter into written agreements that contain the content specified in section 3.102(c)(3), also known as "shared staffing agreements," and restrictions on entering into such agreements with certain individuals or units if the parent organization is an excluded entity.
What is a shared staffing agreement?
The term "shared staffing agreement" describes the written agreement required by section 3.102(c)(3) of the Patient Safety Rule to permit a component PSO to provide access to identifiable PSWP to an individual or unit of its parent organization for assistance in conducting patient safety activities.
What must be included in a shared staffing agreement?
A shared staffing agreement, executed between the component PSO and the individual(s) or unit(s) from the parent organization, must require that:
- The component PSO will only provide access to identifiable PSWP to enable such individuals or units to assist the component PSO in its conduct of patient safety activities;
- The individuals or units from the parent organization that receive access to identifiable patient safety work product to assist the component PSO with its patient safety activities will:
- only use or disclose such information as specified by the component PSO to assist the component PSO in its conduct of patient safety activities;
- take appropriate security measures to prevent unauthorized disclosures; and
- comply with the other certifications the component PSO has made pursuant to section 3.102(c)(2) with respect to:
- unauthorized disclosures; and
- conducting the mission of the PSO without creating conflicts of interest.
Listing Process and Requirements
Who can seek listing as a PSO?
The Patient Safety Rule permits many types of entities-either an entire organization or a component of an organization, a public or private entity, a for-profit or not-for-profit entity-to seek listing as a PSO. Both the mission and the primary activity of the entity (or component) must be to conduct activities to improve patient safety and the quality of healthcare delivery (Patient Safety Rule Section 3.102(b)(2)(i)(A) and Patient Safety Rule Section 3.102(b)(2)(ii)).
The Patient Safety Rule requires an entity to certify that it meets 15 distinct statutory requirements; a component of another organization must attest that it meets another three statutory requirements; and each entity or component organization must comply with several additional regulatory requirements.
What are the requirements to be a PSO?
Every entity seeking to be a PSO must certify to AHRQ that it has policies and procedures (see Policies and Procedures—Topics to Address; PDF File, 76 KB) in place to perform the eight patient safety activities specified in the Patient Safety Rule.
In addition, an entity must also, upon listing, certify that it will comply with the following seven additional criteria specified in the Patient Safety Rule:
- The mission and primary activity of the entity are to conduct activities that improve patient safety and the quality of healthcare delivery
- The entity has appropriately qualified staff (whether directly or through contract), including licensed or certified medical professionals
- The entity, within each 24-month period that begins after the date of the initial listing as a PSO, will establish two bona fide contracts, each of a reasonable period of time, with more than one provider, for the purpose of receiving and reviewing PSWP
- The entity is not, and is not a component of, a health insurance issuer
- The entity shall fully disclose—
- any financial, reporting, or contractual relationship between the entity and any provider that contracts with the entity; and
- if applicable, the fact that the entity is not managed, controlled, and operated independently from any provider that contracts with the entity
- To the extent practical and appropriate, the entity collects PSWP from providers in a standardized manner that permits valid comparisons of similar cases among similar providers
- The entity uses PSWP for the purpose of providing direct feedback and assistance to providers to effectively minimize patient risk
The Patient Safety Rule also establishes several additional requirements (see Patient Safety Rule Section 3.102(a)).
Are there additional requirements for a component organization?
If the entity seeking listing is a component of another organization, the entity must also certify that it is, and will be in compliance with, three additional requirements specified in the Patient Safety Rule:
- The entity maintains PSWP separately from the rest of the organization, and establishes appropriate security measures to maintain the confidentiality of the PSWP
- The entity does not make an unauthorized disclosure of PSWP to the rest of the organization in breach of confidentiality
- The mission of the entity does not create a conflict of interest with the rest of the organization
Are any entities excluded from being listed as a PSO?
The Patient Safety Act excludes a health insurance issuer or a component of a health insurance issuer from becoming a PSO. The Patient Safety Rule also excludes the following entities: regulatory agencies; organizations that serve as agents of regulatory agencies (e.g., entities that carry out inspections or audits for a regulatory agency); accreditation and licensure entities; and entities that administer a Federal, State, local, or tribal patient safety reporting system to which healthcare providers are required to report by law or regulation (see Patient Safety Rule Section 3.102(a)(2)).
What is the primary activity requirement for listing as a PSO?
What can an entity do if it does not meet this primary activity requirement?
A multi-purpose entity with a broader scope can create or designate a component that more clearly meets the mission and primary activity criterion. The component of that entity can then seek listing.
How does an entity apply to become a PSO?
What is the deadline for submitting the forms to become a PSO?
There is no deadline for applying to be listed as a PSO. Applications for PSO status will be accepted at any time and will be reviewed as expeditiously as possible.
Does a PSO listing expire?
A PSO is listed for a period of 3 years. To renew its listing for an additional 3 years, the PSO will be required to complete and submit a PSO Certification for Continued Listing form before the expiration of its period of listing. The PSO must certify that it is performing, and will continue to perform, each of the patient safety activities and that it is complying with, and will continue to comply with, the other requirements of the Patient Safety Rule. The PSO's 3-year period of listing will automatically expire at midnight of the last day of the PSO's listing period if AHRQ has not received and approved the PSO's continued listing form.
Does the Patient Safety Rule require a provider, a PSO, or a responsible person to keep patient safety work product (PSWP) for any period of time?
No. The Patient Safety Rule does not require a provider, PSO, or responsible person to retain PSWP for any period of time.
The Patient Safety Rule does require that a disclosing person maintain a provider’s written authorization for the disclosure of PSWP pursuant to 42 CFR 3.206(b)(3), which permits disclosure of PSWP based on provider authorization. The written authorization must be maintained for six years from the date of the last disclosure made based on the authorization.
Also, providers and PSOs that create PSWP should maintain sufficient records to substantiate the valid creation of PSWP, including that PSWP does not contain excluded information.
Prior to delisting, when a PSO is required to dispose of PSWP records pursuant to 42 CFR 3.108(b)(3), providers and PSOs are free to establish their own requirements, including by contract or agreement, for retaining and disposing of PSWP.
Are PSOs required to retain PSWP or other records to meet listing requirements?
The Patient Safety Rule does not specify how long a PSO must retain PSWP or information pertaining to patient safety events. Until a PSO is delisted, and thus must comply with PSWP disposition requirements at 42 CFR 3.108(b)(3), whether a PSO is permitted to retain or to destroy information and PSWP in its possession is generally an issue to be addressed between the PSO and the source of the information. It is therefore important for the PSO to consider both its current and potential future obligations to its reporting providers with respect to retention of PSWP, in addition to its own business and legal circumstances.
What are the Common Formats?
AHRQ's Common Formats are a set of standardized definitions and formats that make it possible to collect, aggregate, and analyze uniformly structured information about patient safety for local, regional, and national learning. They have been developed for use by healthcare providers that choose to work with patient safety organizations (PSOs) listed by AHRQ under the Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act). The Common Formats are also available in the public domain to encourage their widespread adoption. An entity does not need to be listed as a PSO or working with one to use the Common Formats. However, the Federal privilege and confidentiality protections only apply to information developed as patient safety work product by providers and PSOs working under the Patient Safety Act.
AHRQ has developed Common Formats for Event Reporting for several healthcare settings and event types. AHRQ has also developed Common Formats for Surveillance and continues to work on developing new Common Formats.
How are Common Formats developed?
AHRQ refines existing Common Formats and considers new types for development on an ongoing basis. The first step after development of a new or updated Common Formats is review by the Patient Safety Workgroup (PSWG) to assure consistency with definitions and formats used by other Federal agencies. The PSWG includes representatives from several agencies within the Department of Health and Human Services (HHS) and from patient safety programs in the Department of Defense and Department of Veterans Affairs. After addressing recommendations made by the PSWG, AHRQ seeks input from the public. A Notice of Availability to comment on the draft Common Formats is published in the Federal Register, and the draft is posted on the PSO Privacy Protection Center's (PSOPPC) website. The PSOPPC is developing a tool on their website that any member of the public can use to submit comments.
After the initial comment period, the PSOPPC convenes a meeting of the PSOPPC Common Formats Expert Panel to review comments submitted by the public. These meetings are announced on the same PSOPPC website and are open to the public. The PSOPPC Expert Panel reviews the comments and makes recommendations to AHRQ.
AHRQ then finalizes the Common Formats draft and releases it through the PSOPPC. Once finalized, a version number is assigned, such as "CFER-H V2.0." Final Common Formats are released with a complete set of technical specifications that provide direction to software developers for electronic implementation.
Public comment on the Common Formats can be submitted on an ongoing basis. The comments are periodically reviewed and considered for future updates. At this time, any comments on the Common Formats versions that are active for reporting can be submitted through the firstname.lastname@example.org email.
Why use AHRQ Common Formats?
PSOs are required to collect and analyze patient safety work product in a standardized manner, to the extent practical and appropriate, to permit valid comparisons of similar cases among similar providers. Using the AHRQ Common Formats (common definitions and reporting formats) makes it possible to collect, aggregate, and analyze uniformly structured information about patient safety for local, regional, and national learning.
What are the Common Formats for Event Reporting (CFER)?
Generally, the CFER can be used for:
- Incidents: patient safety events that reached the patient, whether or not there was harm involved.
- Near misses (or close calls): patient safety events that did not reach the patient.
- Unsafe conditions: circumstances that increase the probability of a patient safety event occurring.
Currently, there are CFER that include several event-specific modules for hospitals (CFER-H) and nursing homes (CFER-NH). There is also a CFER designed for community pharmacies (CFER-CP) and development of a CFER for Diagnostic Safety (CFER-DS) is underway.
What are the Common Formats for Event Reporting–Diagnostic Safety (CFER-DS)?
The CFER–DS is designed to help healthcare providers identify and report missed opportunities in the diagnostic process in a standardized manner across healthcare settings and specialties for the purpose of learning about how to improve diagnostic safety and better support clinicians in the diagnostic process. It is intended to facilitate the collection and organization of a basic set of meaningful data about diagnostic safety events that can be used, aggregated, and analyzed for learning and improvement. Having a common frame of reference and standardized data elements is what makes shared learning possible at local, regional, and national levels.
CFER-DS Version 1.0 will be released with a complete set of technical specifications available through the PSO Privacy Protection Center (PSOPPC) website.
What are the Common Formats for Surveillance (CFS)?
The CFS is a set of event descriptions used in retrospective review of medical records to identify whether certain patient safety events occurred. The CFS is designed to provide information that is complementary to that derived from event reporting systems. The term "surveillance" in this context refers to the improved detection of events and calculation of adverse event rates in populations reviewed that will facilitate collection of comparable performance data over time and across populations of patients. A beta version of the CFS, which includes only the event descriptions, designed for hospitals, is currently available. The CFS is used in the AHRQ Quality and Safety Review System (QSRS).
Where can I find more information and the current versions of the Common Formats?
How can I provide feedback on the Common Formats?
Development of the Common Formats is an ongoing process. AHRQ welcomes feedback, especially from all users, to improve the current Common Formats and inform the development of new types of Common Formats. At this time, any comments on the Common Formats versions that are active for reporting can be submitted through the email@example.com email. To learn more about the role the PSO Privacy Protection Center serves for the development of AHRQ Common Formats, please see the Common Formats Background page.