Effective January 19, 2009, the Patient Safety and Quality Improvement Act of 2005 establishes uniform privilege and confidentiality protections that are applicable U.S.-wide and extend to all health care providers.

The U.S. Department of Health and Human Services (HHS) final rule implementing the Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act) became effective on January 19, 2009 (Final Rule).  The Final Rule establishes a framework in which health care providers may voluntarily report information to patient safety organizations (PSOs) for the aggregation and analysis of patient safety events.  The information reported to PSOs is secured by confidentiality and privilege protections.  HHS expects the Final Rule to improve the quality of health care by making it easier for health care providers to report and learn from adverse events, without fear of new legal liability. 

The health care industry has been slower than other industries in investigating systemic causes of events that have or could cause harm because of the reluctance of health care providers to participate in quality review activities for fear of liability, professional sanctions or injury to their reputations.  Although many states have implemented peer review protections, those protections vary from state to state and generally do not protect information that is shared outside of the health care institutions.  By providing federal privilege and confidentiality protections for patient safety work product (PSWP), the Patient Safety Act intends to enhance the data available to assess and resolve patient safety and health care quality issues.  

The Patient Safety Act establishes uniform privilege and confidentiality protections that are applicable U.S.-wide and extend to all health care providers.  Once a PSO is listed by HHS pursuant to the Final Rule, providers can submit information to the PSO and seek the PSO’s analysis of patient safety events.

Final Rule

The Final Rule describes how an organization may become a PSO, the procedure for reporting patient safety events confidentially and how providers will receive feedback on improving patient safety.  The Final Rule also describes the privilege and confidentiality protections for information that is assembled and developed by providers and PSOs, the exceptions to those privilege and confidentiality protections, and the procedures for the imposition of civil money penalties for the knowing or reckless impermissible disclosure of PSWP. 

In many respects, the Final Rule reflects the proposed rule that was issued for comment on February 12, 2008 (Proposed Rule).  However, the Final Rule contains some significant changes, which are discussed in more detail below. 

Revised Definitions

The Final Rule altered the Proposed Rule by adding or modifying several definitions.  For example, the Final Rule adds a definition for an “affiliated provider,” which means, “with respect to a provider, a legally separate provider that is the parent organization of the provider, is under common ownership, management, or control with the provider or is owned, managed, or controlled by the provider.”  Further, the Final Rule revised the definition of a “component organization.”  The revised definition clarifies HHS’s intent to focus on management or control by others as a defining feature.  The Final Rule defines a “component organization” as “an entity that: (1) is a unit or division of a legal entity (including a corporation, partnership, or a Federal, State, local or Tribal Agency or organization); or (2) is owned, managed, or controlled by one or more legally separate parent organizations.”  The Final Rule also modifies the definition of “patient safety work product” to include information that, while not yet reported to a PSO, is documented as being within a provider’s patient safety evaluation system and that will be reported to a PSO.  This modification will allow providers to voluntarily remove information from the patient safety evaluation system that has not yet been reported to a PSO, in which case, the information will no longer constitute PSWP.

New Requirements for PSOs

The Final Rule contains several new requirement for PSOs, including requiring PSOs to do the following:

  • Notify providers if the PSWP it submits is inappropriately disclosed or its security is breached
  • Maintain separation between itself and its parent organization (if applicable)
  • Comply with requirements regarding the collection of PSWP

Listing and Delisting of PSOs

The Final Rule alters the listing and delisting procedures and the manner in which PSOs must comply with listing requirements by taking the following actions:

  • Expanding the types of entities and organizations excluded from listing as PSOs
  • Revising the manner in which PSOs should disclose relationships with health care providers
  • Clarifying the automatic expiration of listing if certifications for relisting are not timely submitted or approved
  • Expediting the delisting process in certain serious circumstances


Both the Proposed Rule and Final Rule establish the general principle that PSWP is confidential and not to be disclosed except as permitted or required by the rule.  In contrast to the Proposed Rule, however, the Final Rule allows disclosure of identifiable PSWP among affiliated providers for patient safety activities.  In addition, the Final Rule clarifies that disclosures of PSWP are permitted to the U.S. Food and Drug Administration (FDA), entities required to report to the FDA and contractors acting on behalf of the FDA.  The Final Rule also requires institutional providers that voluntarily disclose PSWP to accrediting bodies to either obtain the agreement of the indentified non-disclosing providers, or to make the PSWP anonymous with respect to the non-disclosing providers prior to disclosure.  Moreover, the Final Rule allows disclosures of PSWP to or by the secretary of HHS for the purposes of determining compliance with the Patient Safety Act or the Health Insurance Portability and Accountability Act of 1996 and related regulations (HIPAA).

Requirements for Component Entities

The Final Rule eliminates the requirement in the Proposed Rule for separate information systems and restrictions on shared staff for most component PSOs, but adds additional restrictions and limitations for PSOs that are components of excluded entities. 

Coordination with HIPAA

The Final Rule specifies that PSOs are to be treated as business associates of the covered entity and patient safety activities are deemed to be health care operations for purposes of HIPAA.  Therefore, covered entities will not be required to obtain patient authorizations to disclose PSWP containing protected health information to PSOs.  In addition, the Final Rule provides that civil money penalties cannot be imposed under both the Patient Safety Act and HIPAA for a single violation. 


As of January 19, 2009, all PSOs must comply with the Final Rule.  The Agency for Healthcare Research and Quality (AHRQ) will administer the provisions of the Final Rule governing PSO operations, and the HHS Office for Civil Rights will enforce Final Rule’s confidentiality provisions.  Although the Final Rule supersedes previously released interim guidance, any information that became PSWP during the interim period will remain PSWP (thus, privileged and confidential). 

After collecting and analyzing sufficient non-identifiable data, AHRQ will publish information on national and regional statistics, including trends and patterns of patient safety events.  This information will be published in AHRQ’s annual National Healthcare Quality Report.