Final regulations to implement and enforce the Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act) have been published in the Federal Register and go into effect January 19, 2009.

The Patient Safety Act creates a voluntary program through which health care professionals can share information relating to patient safety events, including patient, provider and reporter identifying information that is collected, created or used for patient safety activities with Patient Safety Organizations (PSOs), in order to improve patient safety and quality of care nationwide. The statute terms this information “patient safety work product,” and gives it privilege and confidentiality protections to encourage health care professionals to share this information without fear of liability. The statute also creates PSOs to receive this protected information and analyze patient safety events. These protections will enable all health care professionals to share data within a protected legal environment without the threat that the information will be used against the subject providers. Civil money penalties (CMPs) may be imposed for knowing or reckless impermissible disclosures of patient safety work product.

The final regulation establishes the procedures and requirements for the listing and operation of PSOs, as well as a framework by which hospitals, doctors, and other health care providers may voluntarily report information to PSOs, on a privileged and confidential basis, for the aggregation and analysis of patient safety events.

The protections of the Patient Safety Act do not relieve a health care professional from his or her obligation to comply with other federal, state, or local laws pertaining to information that is not privileged or confidential under the Patient Safety Act. The Patient Safety Act does not affect any state law requiring a provider to report information that is not patient safety work product. The fact that information is collected, developed, or analyzed under the protections of the Patient Safety Act does not shield a health care professional from needing to undertake similar activities, if applicable, outside the ambit of the statute, so that he or she can meet obligations with non-patient safety work product. The Patient Safety Act, while precluding other organizations and entities from requiring providers to provide them with patient safety work product, recognizes that the original records underlying patient safety work product remain available in most instances for the providers to meet these other reporting requirements.

Many health care professionals participating in this program will be covered entities under the HIPAA Privacy Rule and will be required to comply with that rule when they disclose patient safety work product that contains protected health information. The Patient Safety Act is not intended to interfere with the implementation of any provision of the HIPAA Privacy Rule. CMPs cannot be imposed under both the Patient Safety Act and the HIPAA Privacy Rule for a single violation. PSOs shall be treated as business associates, and patient safety activities are deemed to be health care operations under the HIPAA Privacy Rule. Since patient safety activities are deemed to be health care operations, the HIPAA Privacy Rule does not require covered professionals to obtain patient authorizations to disclose patient safety work product containing protected health information to PSOs. Additionally, as business associates of health care professionals, PSOs must abide by the terms of their HIPAA business associate contracts, which require them to notify the health care professinoal of any impermissible use or disclosure of the protected health information of which they are aware.

To view the final regulations, click here.