Health Law: PSOs: What do providers need to know?
March / April 2009
Health Law
PSOs: What do providers need to know?
On November 21, 2008, the U.S. Department of Health and Human Services (DHHS) released final regulations to implement the Patient Safety and Quality Improvement Act of 2005 (PSQIA, or the Act). The final regulations create a national structure by which healthcare providers may voluntarily report information to patient safety organizations (PSOs), on a privileged and confidential basis, for analysis of patient safety events. The regulations are divided into four subparts:
- Subpart A, which consists of definitions;
- Subpart B, which describes the requirements that entities must meet to become PSOs and the processes for DHHS to review and accept certifications and to list PSOs (as of mid-Februrary 2009, DHHS has listed more than 45 PSOs);
- Subpart C, which establishes the confidentiality protections for the information that is assembled and developed by providers and PSOs, termed ”patient safety work product” by the Patient Safety Act; and
- Subpart D, which describes enforcement procedures for the imposition of civil money penalties for the knowing or reckless impermissible disclosure of patient safety work product. The final regulations become effective January 19, 2009.
The PSQIA is intended to promote voluntary reporting by healthcare providers of medical errors and threats to patient safety such that the underlying causes of medical error can be identified, assimilated, and analyzed. After analyzing the data, PSOs will return it to providers together with recommendations for how to avoid similar incidents in the future.
PSWP and Confidentiality
The regulations establish an approval mechanism for the listing of PSOs by DHHS to which providers can then voluntarily report medical errors and patient safety information (patient safety work product or PSWP). PSWP is deemed confidential and privileged when reported to a PSO. Importantly, the scope of PSWP is broadly defined and includes any data that is collected and then reported to a PSO as part of the patient safety evaluation activities of a provider. Providers will now have the ability to fully disclose detailed patient safety information without concern that the information will be subject to disclosure or discovery in a future liability or regulatory action. For many providers, no such protection exists under applicable state law; this federal floor of protection afforded by the PSQIA will mean that such information will come within the purview of confidentiality or privilege protection for the first time.
PSOs and Provider Relationships
The final rule also establishes that the relationship between a PSO and its reporting providers will be contractual in nature and that PSOs will function as the provider’s business associate. PSOs will be required to have, at minimum, two “bona fide contracts” with providers. Providers will therefore need to ensure that any such PSO contractual arrangements incorporate both HIPAA’s business associate requirements and sufficient provider protections to ensure that the PSO properly maintains the confidentiality and security of the reported PSWP. As discussed below, these business associate relationships, as well as the data sharing process itself, must be addressed.
HIPAA and Other Implications
for Providers
The PSQIA has direct implications for providers. First, many providers have not historically been afforded confidentiality or privilege protection under existing state law or have not previously engaged in formal patient safety or risk management activities. Establishing such activities will be an integral initial step for providers who wish to now avail themselves of the confidentiality and privilege protections afforded under the rule. For these providers, reporting to a PSO will necessitate the development of patient safety evaluation systems and the creation of supporting policies and procedures. Because patient safety and quality are considered to be significant compliance related activities, the patient safety evaluation system will require board-of-director approval. The board must also be routinely updated on significant patient safety activities on an ongoing basis.
Providers must examine their existing patient safety and risk management practices and procedures to: 1) identify where potential PSWP is created and; 2) ensure that a formal patient safety evaluation system is in place such that PSWP fits within the purview of the rules and is adequately and appropriately identified and collected in anticipation of reporting it to a PSO.
Certain providers may elect to become listed as PSOs and to engage in PSO activities. Understanding the initial and ongoing PSO certification and listing requirements, as well as how to properly structure the PSO, will be essential.
Providers also have several options in forming their reporting relationships with PSOs. Providers can determine to create component PSOs. For instance, a medical staff of a hospital can choose to create a PSO. Also a hospital system with multiple provider types (skilled nursing facility, rehabilitation center, home health agency) can create component PSOs, which analyze data from each provider. If the providers within the system are separate legal entities with whom the PSO contracts, the PSO will automatically be able to fulfill the two “bona fide contract” requirements.
Providers and PSOs must also be aware of the HIPAA privacy and security implications inherent in that arrangement. The American Recovery and Reinvestment Act of 2009 (ARRA), signed into law by President Obama on February 17, 2009, significantly affects HIPAA privacy and security requirements for covered entities and their business associates. Under the ARRA, covered entities must now notify patients of unauthorized acquisition, access, use, or disclosure of their unsecured protected health information. The notice obligation is created when the unauthorized access, acquisition, use, or disclosure occurs either internally or through an outside third party. These notification requirements apply both to covered entities and business associates. Business associates will now be required to notify covered entities of unauthorized acquisition, access, use, or disclosure.
Historically, HIPAA privacy and security rules have not applied directly to business associates — rather, these requirements are contractually imposed through the business associate agreement. Now, through ARRA, business associates, ie. PSOs, will be required to directly comply with HIPAA’s administrative, physical, and technical safegurds.
Further, HIPAA’s enforcement focus has previously been on cooperative resolution of the alleged non-compliance. The ARRA creates a new focus on enforcement through increased penalties and audits. The penalties will now be imposed based upon the level of intent and willful misconduct or willful neglect. For the first time, these penalties are applicable to business associates.
Based on these heightened HIPAA requirements, providers will need to carefully enter into their PSO contractual relationships such that the provider’s interests are sufficiently protected. In particular, the agreements should contain appropriate representations and warranties that the PSO will adhere to the PSQIA and HIPAA business associate requirements. Indemnification provisions should also be considered.
Renee Martin is a partner at Tsoules, Sweeney, Martin & Orr in Exton, Pennsylvania. She is a member of the Editorial Advisory Board for Patient Safety & Quality Healthcare and may be contacted at rmartin@tshealthlaw.com.