Frequently Asked Questions Concerning the PSQIA Privilege and Confidentiality Protections

Special thanks to Robin Locke Nagele, Post & Schell, P.C., AQIPS’ Litigation Lead Litigation Center Counsel, for her assistance in the preparation of this FAQ document.   

The final rule “encourage(s) persons participating in patient safety activities and subject to this rule to develop and share with others similarly situated in the industry ‘‘best practices’’ for the confidentiality of patient safety work product. (Federal Register at 70789).  This FAQ is not legal advice but contains industry best practice. Consult with counsel prior to implementing any policy and procedure.

What is the scope of the programs or activities that a provider can conduct on a privileged basis within its PSES?

A Provider can conduct Patient Safety Activities within its PSES and that includes, specifically, efforts to improve patient safety and quality of healthcare delivery.  See, 42 U.S.C.§ 299b-21(5)(A).  Examples of such activities include (but are not limited to): 

  • Quality Improvement (e.g, confidential event reporting and investigations)
  • Process Improvement (e.g., confidential systems safety reviews)
  • Clinical Improvement (e.g., confidential clinically directed performance improvement –audit and non-mandatory measures)
  • Care Optimization (e.g., confidential peer support programs)
  • Systems Improvement  (e.g., confidential systems safety RCAs)
  • Quality Assurance (e.g., secret shopper programs).

Is the PSQIA limited to incident reporting?

No.  The terms “incident reporting” and “event reporting” are not mentioned in the PSQIA. The term Patient Safety Event is not defined in the regulation –it is referenced in a footnote to the Notice of Proposed Rulemaking by way of illustration, which is not the same as a regulatory definition.  Proposed Rule, 73 Fed. Reg. 8112, 8113, fn. 7 (Feb. 12, 2008) (“Proposed Rule”).   The definition of PSWP is broadly defined to include many different types of information – date, reports, records, memoranda, analyses (including root cause analyses) and written and oral statements, which could result in improved patient safety, health care quality, or health care outcomes.  42 U.S.C. § 299b-21(7)(A). 

The Eight Patient Safety Activities that PSOs are required to engage in do not specifically include the collection of incident reports, but rather, the collection and analysis of PSWP in all its forms in addition to all of its other patient safety activities. 42 U.S.C. § 299b-21(5)(B).  

Many listed PSOs have programs focusing on round robin RCA programs, audits of medical procedures and other types of safety studies - not simply the collection of incident reports.

Is PSO feedback protected?

Yes. All PSWP is strictly privileged, including information that is “developed by a patient safety organization for the conduct of patient safety activities.” Patient safety activities include, specifically “the provision of feedback to participants in a patient safety evaluation system.”  42 U.S.C. § 299b-21(7)(A)(i)(II) and (5)(H); 42 C.F.R. § 3.20 (Definitions – PSWP – (1)(i)(B) and Patient Safety Activities (8)).  

Does every page/piece of PSWP need to be stamped as PSWP?

No. There is nothing in the definition of PSWP that requires it to be stamped to be protected.  HHS, in the Final Rule stated that there is no “require[ment] that patient safety work product be labeled or that disclosing parties provide recipients of patient safety work product with notice that they are receiving protected information” and that “[w]e believe imposing a labeling or notice requirement would be overly burdensome on entities.”  Final rule, 73 Fed. Reg. 70732, at 70786 (Nov. 21, 2008) (“Final Rule”).  Although the stamping of PSWP can be encouraged as a helpful practice, it should never be specified as a requirement in your PSES Policy. 

What must be reported to the PSO in order to gain privilege protection?    

“Reporting pathway” PSWP that is assembled or developed for purposes of PSO reporting must eventually be reported to the PSO.  42 U.S.C.§ 299b-21(7)(A)(i); 42 C.F.R. § 3.20 (Definitions – PSWP (i)(A)).  However, such information becomes privileged PSWP as soon as it enters the PSES even if not yet reported to the PSO.  There is no deadline within which PSWP must be reported in order to maintain its privilege protection.  42 C.F.R. § 3.20(Definitions – PSWP (ii)).  

Although not required, it may be helpful for providers to develop a system by which “reporting pathway” PSWP is reported to the PSO within a reasonable period, because some courts have (erroneously) cited a long delay in reporting to the PSO as a factor in denying privilege protection.  

Must peer review, root cause analyses (RCAs) and other analysis be reported to the PSO to be protected?

No.  Peer review and RCAs conducted within a provider’s PSES are forms of analysis that are protected under the “analysis pathway” to PSWP described at 42 U.S.C. § 299b-21(7)(A)(ii) and 42 C.F.R. § 3.20 (Definitions – PSWP (1)(ii)).   Analysis does not need to be reported to the PSO to be protected.  

While providers may want to share the results of their analysis, such as learnings and best practices, with a PSO that they closely work with, we recommend that they do so as a provider-to-PSO “disclosure” pursuant to 42 C.F.R. § 3.206(b)(4), rather than as a “reporting” of PSWP pursuant to the “reporting pathway.”  This approach helps avoid confusion between PSWP developed in the reporting pathway and PSWP developed through the analysis pathway.  

Does PSWP lose its protections if it is maintained separately from the PSES or disclosed outside of the PSES?

No.   The Act does not require providers to maintain PSWP within the PSES in order to maintain its privileged status as PSWP.  In fact, the Act specifically contemplates that PSWP will be used within the provider and disclosed externally without losing its status as PSWP or its privilege protection.  42 U.S.C. § 299b-22(c) and (d); 42 C.F.R. § 3.206, 3.208.

Does the Act require providers to maintain PSWP separately from nonPSWP?  

No.  Providers should maintain PSWP securely so as to ensure adherence to the confidentiality requirements, but are not subject to the PSQIA’s specific security requirements, which are applicable only to PSOs.   42 C.F.R. § 3.106(a) and (b).  Final Rule, 73 Fed. Reg. at 70764.  

OCR has jurisdiction over PSWP disclosures, security and confidentiality training.  OCR has taken the position that, as part of their ongoing obligation to comply with the PSQIA, PSOs and providers must conduct annual security audits and PSOs must conduct annual confidentiality training for PSO workforce.  OCR has indicated that providers and others must receive confidentiality training commensurate with their level of access to PSWP.  This is not in the regulations, but is good practice that will help position providers in the event of an enforcement inquiry or investigation by OCR.  

Can PSWP be shared with outside legal counsel to assist in the provider’s defense?

Yes.  The Act includes a specific disclosure permission for business operations, which includes disclosure to attorneys.  42 C.F.R. § 3.206(b)(9).  

Is the government subject to the same privilege restrictions as private entities?   

Yes.  The confidentiality and privilege protections of the PSQIA are strict and preemptive and explicitly prohibit disclosure under any circumstances unless the disclosure is expressly permitted under the exceptions set forth in the PSQIA.  For instance, disclosure is permitted to the FDA for FDA reporting purposes, subject to specific conditions  (42 C.F.R. § 3.206(b)(7)), to law enforcement if it constitutes evidence of a crime (42 C.F.R. § 3.206(b)(10)), and to HHS if necessary for investigation or determination of compliance with the PSQIA, or imposition of penalties for violation of the PSQIA (42 C.F.R. § 3.206(d)).  

CMS and state regulators are not among the entities to which PSWP may be disclosed unless the provider has the consent of all identified providers (42 U.S.C. §299b-22(c)((1)(C).  AQIPS has developed a tool kit for disclosing PSWP to CMS/surveyors on a voluntary basis. 

Are the PSQIA protections redundant to state law protections?

No.  The PSQIA was enacted specifically because Congress perceived that state law privilege protections were being eroded and are not sufficient to achieve the goal of improving patient safety and quality nationwide.  The federal protection is broader than state privilege protections. It enables providers to share PSWP within a protected legal environment, both within and across state lines, without the threat that the information will be used against the subject providers. Final Rule, 73 Fed. Reg. at 70732.  The heart of the PSQIA is protecting information that would not be collected without the protections.

Moreover, unlike many state privilege laws, it has explicit continuing protection/anti-waiver provisions that continue to protect PSWP even after it is externally disclosed.  42 U.S.C.§ 299b-22(d); 42 C.F.R. § 3.208(a).  

Notably, the PSQIA does not negate stricterstate law privilege protections.  The Act provides that the National Peer Protections preempt state peer laws exceptthose that provide greater privilege or confidentiality protections. This means the PSQIA protections can be used to protect QI activities that are also protected under state law – but the PSQIA can be used to improve those programs because of the broader protections.  42 U.S.C.§ 299b-22(g).

Can the confidentiality and privilege protections for PSWP be waived?  

No.  Under the “continuing protection” provisions of the Act and regulations, PSWP that is disclosed “shall continue to be privileged and confidential” and “such disclosure shall not be treated as a waiver.”  42 U.S.C. § 299b-22(d).  PSWP continues to be privileged when disclosed permissibly or even impermissibly.  42 C.F.R. 3.208(a).  The recipient of identifiable PSWP is a “responsible person” under the Act who is subject to the confidentiality provisions.  42 C.F.R.  3.20 (Definitions – Responsible Person).   The Final Rule states that, to encourage reporting of sensitive patient safety information, “Congress saw a need for strong privilege protections that would continue toapply downstream even after disclosure, regardless of who holds the information.”  Final Rule, 73 Fed. Reg. at 70787.  See, Taylor v. Hy-Vee, 2016 U.S. Dist. LEXIS 177764 (Dec. 22, 2016).   

What does it mean to be a “responsible person” within the meaning of the PSQIA? 

A “responsible person” under the PSQIA is any individual or entity that has possession of  PSWP and consequently is bound by the PSQIA’s confidentiality provisions.  42 C.F.R. § 3.20 (Definitions – Responsible Person). Because the PSQIA is a strict liability statute, that means that anyone to whom identifiable PSWP is disclosed thereby becomes bound by the confidentiality provisions, regardless of how they learned of or received the PSWP or even whether they are aware that it is PSWP or that it is privileged under the PSQIA.  42 U.S.C. § 299b-22(d); 42 C.F.R. § 3.208(a).   PSWP does not lose its privilege protection even when impermissiblydisclosed.  The protection is only lost if the PSWP is non-identifiable within the meaning of the PSQIA.  42 C.F.R.§ 3.208(b)(2).  

This is different from how Protected Health Information (“PHI”) is treated under HIPAA.  HIPAA’s confidentiality regulations only extend to “covered entities” i.e., generally, providers and insurers, and their “business associates.”   Once PHI is outside of the circle of providers, insurers and designated business associates, it is no longer subject to HIPAA regulation and loses its federal confidentiality protection (although it may still be protected under state privacy laws).  Under the PSQIA, in contrast, anyoneto whom PSWP is disclosed, permissibly or impermissibly, becomes a “responsible person” required to keep PSWP confidential. 

Are the privilege provisions the only sources of protection in a civil action?  

No.  In addition to the privilege provisions, the confidentiality provisions are independently binding on the courts; they provide separate layers of protection, and both should be relied on.  

Confidentiality is the bulwark protection for PSWP.  All PSWP is confidential and may not be disclosedunless a statutory or regulatory permission applies.  While some courts may rule thatprivilegeprotection can be waived, the separate confidentialityprovisions are still in force and they are non-waivable.  42 U.S.C. § 299b-22(a)(privilege); 42 U.S.C. § 299b-22(b) (confidentiality); 42 U.S.C. § 299b-22(d); 42 C.F.R. § 3.208 (non-waiver provisions).  

The Office of Civil Rights (OCR) regulates, protects and preserves confidentiality of PSWP.  OCR can issue monetary sanctions of up to $10,000 (plus inflationary increases) for each knowing or reckless violation of the disclosure permissions.  42 U.S.C. § 299b-22(f),§ 1320a-7a.  

If I send identifiable PSWP to someone else in our healthcare organization who is not part of our PSES, could that result in a loss of privilege protection?  

 No.  Sharing of PSWP within a single provider entity is not a “disclosure” but a “use” of PSWP.  The PSQIA does not regulate “uses” of PSWP within a single organization.  HHS makes a clear distinction between “disclosure,” which consists of the release, transfer, provision of access to, or divulging of PSWP by a natural person or entity holding the PSWP outside the entity, and uses within an entity. HHS explained that regulating uses within a single entity would be “unnecessarily intrusive” and “would not further the statutory goal of facilitating the sharing of PSWP. . .”  Final Rule, 73 Fed. Reg. at 70736.  Note, however, that HHS does consider the release or transfer of information by a component PSOto the organization of which it is a part to be a “disclosure” that must comply with a regulatory disclosure permission. Id.  

If identifiable PSWP is used within our healthcare organization for a purpose other than patient safety activities, does that result in a loss or waiver of privilege protection?   

No.  HHS does not regulate “uses” of PSWP within a healthcare provider organization, nor the purposes for which PSWP is used.  HHS has stated that the Act “does not limit the purpose for which PSWP may be shared internal to the entity.”  Final Rule, 73 Fed. Reg. at 70737. 

Entities that have adopted a “Just Culture” may use PSWP in its disciplinary actions to determine whether the caregivers’ actions were reckless or intentional to cause patient harm. 

Entities should consider the extent to which sensitive PSWP is available to members of its workforce as a good business practice.  Entities remain responsible for adhering to the confidentiality requirements of the Act.   

Does AHRQ have jurisdiction to interpret and enforce the privilege protections of the PSQIA? 

No. HHS does not have the authority to interpret and enforce the privilege protections of the statute, and that is why the regulations do not provide as much detail regarding the privilege protections as the confidentiality protections.   HHS’s expectation is that the tribunals before whom proceedings take place will adjudicate the application of the privilege protections under the Act.  Final Rule, 73 Fed. Reg. at 70771.   

Can our hospital use PSWP for credentialing, peer review and disciplinary purposes?  

Yes.  Since the Act does not regulate the uses of PSWP within an entity, PSWP may be used internally for any purpose, including credentialing, peer review or internal discipline.  However, providers should keep in mind the Act’s prohibitions against external disclosure, and make sure that they can conduct such activities without jeopardizing their ability to fully comply with the Act.   Providers also need to keep in mind the prohibition against taking disciplinary action against a workforce member for reporting PSWP to a provider or PSO.  Final Rule, 73 Fed. Reg. at 70779.   

The consent provisions set forth at 42 C.F.R. § 3.206(b)(3) may be useful to help facilitate the use of PSWP in peer review.  Providers may also want to clearly delineate between peer review activities that can be maintained exclusively within the PSES, and peer review activities that may lead to the need for external disclosure and therefore are conducted external to the PSES.  

Can a hospital or other provider conduct its own analysis to improve its quality of care (or must all of its solutions come from its PSO)?    

Yes.  The goal of the Act is to remove “impediments” to quality improvement activities at the provider level.  HHS explained that implementation was expected to “accelerate the development of new, voluntary, provider-drivenopportunities for improvement [and] increase the willingness of health care providersto participate in such efforts . . .”  Proposed Rule, 73 Fed. Reg. at 8113.  

Providers’ needs dictate which patient safety activities will be conducted with their respective PSES and which will be assigned to the PSO.  Final Rule, 73 Fed. Reg. at 70746.  The law and rule are intended to enable health care providers to protect their internal deliberations and analysis of patient safety information because this type of information is patient safety work product.  Proposed Rule, 73 Fed. Reg. at 8113.

The Act permits providers to undertake deliberations and analyses at their facilities that become protected as PSWP immediately as long as they are conducted in the provider’s PSES.  HHS has said that these strong federal privilege protections and OCR’s penalty authority for violations should “give providers the assurances they need to participate in patient safety improvement initiatives and should spur the growth of such initiatives.”   Proposed Rule, 73 Fed. Reg. at 8113.  

Providers should note that, unlike “reporting pathway” information, analysis that is conducted within the PSES may notbe designated as non-PSWP using the “drop-out” provision.  HHS Guidance, 81 Fed. Reg. 32660 (May 2016).  In lieu of disclosing PSWP analysis, providers must conduct, or re-create, the analysis external to the PSES.  

Do the security regulations limit what PSOs can do in order to ensure proper security of PSWP? 

No.  The security regulations provide minimum requirements for security of PSWP, but do not impose any limitations on the ability of PSOs to incorporate or address additional security requirements or issues as the PSO determines appropriate. Final Rule, 73 Fed. Reg. at 70765.

If we must produce PSWP in litigation pursuant to a court order and to avoid contempt sanctions, will OCR sanction or fine us for violating the confidentiality rules?  

Likely not.  OCR has the authority to impose civil monetary penalties against a provider or PSO that discloses PSWP in “knowing or reckless violation of the confidentiality provisions.”  42 C.F.R. § 3.402(a).  While production of PSWP pursuant to a court order could constitute “knowing” violation of the PSQIA, HHS has indicated that it would not do so in most instances: “it is not the Secretary’s intention to impose a civil money penalty on a provider ordered by a court to produce patient safety work product where the provider has deliberately and in good faith undertaken reasonable steps to avoid such production and is, nevertheless, faced with compelled production or being held in contempt of court.” Proposed Rule, 73 Fed. Reg. at 8158; Final Rule, 73 Fed. Reg. at 70791 (confirming that the Secretary “may exercise discretion and not pursue a civil money penalty” in that situation). 

If we choose to disclose PSWP learnings that are non-identifiable as to individual providers but not as to our hospital or health system, will we face OCR sanctions? 

Likely not. The rules for rendering PSWP non-identifiable require that the PSWP be free of all identifiers of individual providers or entities and their affiliated organizations, corporate parents, subsidiaries, practice partners and so forth.   It also requires that the disclosing person not have actual knowledge that the information disclosed could not be used in combination with other reasonably available information, to identify the provider.  42 C.F.R. § 3.212.  These rules create some degree of risk that a provider that decides to disclose PSWP learnings that it has generated would not be able to render it sufficiently non-identifiable to meet these rigorous standards.  However, the OCR has informally advised that it would exercise its enforcement discretion notto pursue sanctions for PSWP that is generally non-identifiable and released for learning purposes.  

Providers can enhance their legal position by obtaining the consent pursuant to 42 C.F.R. § 3.206(b)(3) of an identifiable affiliate (such as a parent organization) for the release of otherwise non-identifiable PSWP for learning purposes.  

Can a provider or PSO impose stricter confidentiality requirements on workforce members and contractors who have access to PSWP than those required by the PSQIA?  

Yes.  The PSQIA cannot be construed to limit the authority of any provider, PSO or other entity to enter into a contract requiring greater confidentiality than that required under the Act.  42 U.S.C. § 299b-22(g)(4).  It is common practice for contracts to include provisions that provide for penalties similar to the OCR penalties under the PSQIA for unauthorized disclosure of PSWP.

Are we permitted (or required) to provide access to PSWP to AHRQ or OCR when they request to see it?  

Not Always.  There is a specific disclosure permission for information that HHS (through AHRQ or OCR) has determined is “needed to investigate or determine compliance or to seek or impose civil monetary penalties” with respect to PSQIA or HIPAA, or to make or support listing decisions.  42 C.F.R. § 3.206(d).  

If the agency requests PSWP for one of those designated purposes, it must be provided.  If access to PSWP is granted, we recommend that the provider obtain from the agency a confidentiality agreement acknowledging the agency’s obligation to maintain the PSWP as confidential under 42 C.F.R. § 3.208.  

If AHRQ or OCR requests PSWP for any other purpose, the request must be declined unless all identified providers consent pursuant to 42 C.F.R. § 3.206(b)(3).  There is no obligation to seek consent or to provide PSWP in those circumstances.  

Are there any limitations on our ability, as a Provider working with a PSO, to share PSWP with our contractors?  

Yes.  Identifiable PSWP may only be shared with a provider’s contractors for purposes of (i) assisting the provider in carrying out patient safety activities, or (ii) business operations.  42 C.F.R. § 3.206(b)(4)(ii) and (b)(9).  In either case, the contractors must be advised of their obligation to maintain confidentiality of all such PSWP, and not disclose or use it for any purpose other than the engagement itself.  It may also be helpful, prior to engaging a contractor, to consider any potential conflicts of interest that contractor may have in entering into the engagement.  

What should we do when we learn that our PSWP has been impermissibly disclosed?  

The first step is to retrieve or destroy the PSWP so that it cannot be further disclosed.  

If the impermissible disclosure was by a third party that the Provider does not directly control, then this may require court action, a report to OCR, or even the filing of an ethics complaint, depending on the circumstances.   If the third party is a contractor, then the Provider should evaluate its available contractual remedies. 

If a Provider’s workforce member has  impermissibly disclosed PSWP, the Provider should thoroughly investigate and remediate the situation.  With respect to individuals, discipline and/or retraining may be appropriate. With respect to the PSES as a whole, the Provider may need to revise its policies, procedures, practices and training to ensure full adherence to the confidentiality requirements of the PSQIA. 

Are we required to have a written Policy or Plan describing our PSES?

No.  HHS’s position is that a PSES does not need to be documented because it exists whenever a provider engages in patient safety activities for the purpose of reporting to a PSO or a PSO engages in these activities with respect to information for patient safety purposes. The PSES is the mechanism through which information can be collected, maintained, analyzed, and communicated.  Final Rule, 73 Fed. Reg. at 70738. 

AQIPS provides industry standard PSES templates to document what are Patient Safety Activities, how information becomes PSWP, and where PSWP is used throughout the organization.

Are Providers required to store PSWP in a particular way?  

No.  Under the Patient Safety Act, PHI and PSWP must be stored securely (42 U.S.C. § 299b-21(1) HIPAA Confidentiality Regulations; 42 U.S.C. § 299b-21(5)(F); 42 C.F.R. 3.60x).  However, the specific security regulations set forth in 42 C.F.R. § 3.106 apply only to PSOs, not to Providers.  

The Act contemplates that PSWP will be “used” and “disclosed” as part of Patient Safety Activities, and both “use” and “disclosure” require a sharing of the PSWP beyond the PSES in which it was originally created.  

In particular, Patient Safety Activities include efforts to improve patient safety and the quality of health care delivery, as well as the utilization of PSWP for the purposes of encouraging safety culture and of providing feedback and assistance to effectively minimize patient risk (42 U.S.C. § 299b(5)(A) and (D)).  Providers must develop ways of sharing PSWP that assures that the PSWP will remain secure and confidential, but that does not mean that the PSWP must reside at all times within the original PSES space (whether virtual or real).  

Any healthcare provider holding PSWP can disclose PSWP. 42 U.S.C. §3.20 (disclosure). This means that healthcare professionals can share PSWP for purposes of improving patient care to implement a culture of safety.  42 U.S.C. § 3.206(4)(i). (Provider-to-Provider disclosure permission for Patient Safety Activities.)

Must Providers maintain PSWP only in electronic databases that are “separate” from the Providers’ other information?  

No.  HHS has stated, explicitly, that providers “need not maintain duplicate systems to separate information to be reported to a PSO from information that may be required to fulfill state reporting obligations. All of this information, collected in one patient safety evaluation system, is protected as patient safety work productunless the provider determines that certain information must be removed from the patient safety evaluation system for reporting to the state.” Final Rule, 73 Fed. Reg. at 70742.

HHS designed the privilege protections to be “as administratively flexible as permitted to accommodate the many varied business processes and systems of providersand not to run afoul of the statute’s express intent not to interfere with other federal, state or local reporting obligations on providers.” Final Rule, 73 Fed. Reg. at 70741. 

HHS explained that the Act’s protections are “the foundation to furthering the overall goal of the statute to develop a national system for analyzing and learning from patient safety events. To encourage voluntary reporting of patient safety events by providers, the protections must be substantial and broad enough so that providers can participate in the system without fear of liability or harm to reputation.”  Id.  

How does the “drop out” provision help us protect our patient safety information as PSWP?  

Patient safety information becomes privileged PSWP at the moment it enters the Provider’s PSES.  Under the “reporting pathway,” the Provider’s documentation that the information was collected for reportingto a PSO and the date of collectionestablishes that it is within the PSES.  If the Provider then determines that it must be removed from the PSES (e.g., for reporting externally to a state agency), the Provider may then document the removal of the information from the PSES.   The information that is removed is no longer PSWP and no longer has federal privilege protection.   For any information not removed, HHS will presume that that information is intended for reporting to the Provider’s PSO, absent evidence to the contrary.  Final Rule, 73 Fed. Reg. at 70742. 42 C.F.R. § 3.20 (Patient Safety Work Product (2)(ii) Drop-Out provision).

HHS explains that providing privilege protection that starts at the time of data collection will “encourage participation by providers without causing significant administrative burden.” Otherwise, there would be a rush to indiscriminately report information to a PSO in a “race for protection” and that would result in PSOs receiving large volumes of unimportant information.  The drop out provision “permits providers to maximize organizational and system efficiencies and lessens the need to maintain duplicate information for different needs.”  Id. 42 C.F.R. § 3.20 (Patient Safety Work Product (2)(ii) Drop-Out Provision).

Since we are required to report certain categories of safety events to a state authority, is it the case that our patient safety event reports can never be PSWP?  

No.  The report that is required to go to a state authority may not be PSWP.  However, that does not mean that a Provider cannot collect the same information within its PSES as PSWP and report the protected patient safety events to its PSO. Prior to making the PSO report, the Provider may “drop out” the information needed to create and send the state-mandated report.  42 C.F.R. § 3.20 (Patient Safety Work Product (2)(ii)). The state-mandated report will not be PSWP, but it may nevertheless be confidential under the state law reporting statute.   Many, if not most, state laws provide that the reports made to the State are confidential –and those state laws imposing additional confidentiality protection are not preempted by the PSQIA.  42 U.S.C. § 299b-22(g)(1).  Final Rule, 73 Fed. Reg. at 70774.  

How does a Provider establish that its deliberations and analysis constitute privileged PSWP?  

A Provider’s deliberations and analysis are protected while they are occurring, provided they are done within the Provider’s PSES.  To determine whether the protections apply, the primary question is whether a PSES was in existence at the time of the deliberation and analysis.  Proposed Rule, 73 Fed. Reg. at 8122.  

To determine whether a provider had a PSES at the time that the deliberations or analysis took place, these indiciashould be considered: (a) the provider has a contract with a PSO for the receipt and review of PSWP that is in effect at the time of the deliberations and analysis; (b) the provider has documentation of a PSES policy demonstrating the capacity to report to a PSO at the time of the deliberations and analysis; (c) the provider has reported information to the PSO under the “reporting pathway” or has disclosed results of deliberations and analysis under “deliberations and analysis” pathway, or (d) the provider has actually reported the underlying information that was the basis of the deliberations or analysis to a PSO.  Id. 

A provider may still be able to show that information was patient safety work product using other indications, such as labeling the information as Patient Safety Work Product or PSWP.  Proposed Rule, 73 Fed. Reg. at 8123.

Note, also, that it is not just the analysis, but documents that “identify analysis” (such as an email transmitting or describing an RCA) that constitute PSWP.   42 U.S.C. § 299b-21(7)(ii). See, Proposed Rule, 73 Fed. Reg. at 8122.  

If we use AHRQ’s common format or other standardized format developed by our PSO to report PSWP, can that strengthen our claim of PSQIA privilege protection?  

Yes.  Some state courts are reluctant to recognized as PSWP patient safety event reports assembled as PSWP within a Provider’s PSES and reported to its PSO because, according to the court’s logic, such event reports look like “typical incident reports” that have always been discoverable in some jurisdictions.  In such states, it may be helpful to point out that the PSWP at issue is not a “typical incident report,” but rather, a unique set of information developed specifically for reporting to a PSO using the PSO’s “standardized” format (either the AHRQ common format or something else).  HHS noted, in the Final Rule, that a well-documented PSES will provide support for claims of privilege made in the courts and before regulatory agencies. Final Rule, 73 Fed. Reg. at 70738. PSOs are required to collect information in standardized formats to the extent reasonably possible.  42 U.S.C. § 299b-24(b)(1)(F); 42 C.F.R. § 3.102(b)(2)(F).   If the PSO has prescribed to the Provider the nature and format of the PSWP collected for reporting, that fact may help the Provider establish that the information is privileged PSWP.