Understanding Patient Safety Confidentiality

Protecting Patient Safety Information

To encourage the reporting and analysis of medical errors, the Patient Safety Act and Rule provide Federal privilege and confidentiality protections for patient safety information called patient safety work product. Patient safety work product includes information collected and created during the reporting and analysis of patient safety events. It may identify patients, health care providers, and individuals that report medical errors or other patient safety events.  This patient safety work product is confidential and may only be disclosed in certain very limited situations.

The confidentiality provisions improve patient safety outcomes by creating an environment where providers may report and examine patient safety events without fear of increased liability risk.  Greater reporting and analysis of patient safety events yield increased data and better understanding of patient safety events.

Filing a Patient Safety Confidentiality Complaint

Anyone can file a patient safety confidentiality complaint. If you believe that a person or organization shared patient safety work product, you may file a complaint with HHS’ Office of Civil Rights (OCR).

File a Complaint

The Patient Safety Act and Rule

The Patient Safety and Quality Improvement Act of 2005 (PSQIA) establishes a voluntary reporting system designed to enhance the data available to assess and resolve patient safety and health care quality issues. 

PSQIA authorizes HHS to impose civil money penalties for violations of patient safety confidentiality.  PSQIA also authorizes the Agency for Healthcare Research and Quality (AHRQ) to list patient safety organizations (PSOs).

PSOs receive reports of patient safety events or concerns from health care providers and provide analyses of these events to the reporting providers. To the extent that PSOs collect and analyze protected health information for HIPAA covered entities, they are considered business associates under the HIPAA Privacy Rules.

The Patient Safety and Quality Improvement Act of 2005 (the Patient Safety Act or PSQIA) amends the Public Health Service Act (42 U.S.C. 299 et seq.; P.L. 109-41) by inserting sections 921 through 926, 42 U.S.C. 299b-21 through 299b-26.

OCR has responsibility for interpretation and implementation of the confidentiality protections and enforcement provisions in section 922.

The Agency for Healthcare Research and Quality (AHRQ) has responsibility for listing of and outreach to patient safety organizations (PSOs) and the creation of a network of patient safety databases in sections 923, 924, and 925.

For more information, see AHRQ's overview of the PSQIA.

The Patient Safety Rule, published in the Federal Register on November 21, 2008, effective on January 19, 2009, is codified at 42 C.F.R. Part 3 (73 FR 70732).  The Patient Safety Rule implements select provisions of PSQIA.

OCR has responsibility for interpreting and implementing the confidentiality protections described in Subpart C and the enforcement provisions described in Subpart D.

AHRQ has responsibility for listing and delisting of patient safety organizations (PSOs) described in Subpart B.

HHS' Office of Civil Rights Authorities

On April 3, 2006, the HHS Secretary delegated to the Director of the Office of Civil Rights (OCR) the authority to enforce patient safety confidentiality protections. The OCR Director primarily:

  • Enforces confidentiality protections for “patient safety work product,” which may include patient, provider and reporter identifying information that is collected, created or used for patient safety activities
  • Imposes civil monetary penalties for impermissible disclosure of that information

Although patient safety work product may contain the Health Insurance Portability and Accountability Act of 1996's (HIPAA) Privacy Rule "protected health information," the statute prohibits dual penalties under both the Act and HIPAA.  

Read the Federal Register Notice of the Delegation of Authority.

Agency for Healthcare Research and Quality (AHRQ) Authorities

AHRQ was delegated all other authorities under PSQIA except for those retained by the HHS Secretary. 

Read about AHRQ's work on patient safety.

Enforcement of the Confidentiality Provisions of the Patient Safety Act

Enforcement of the confidentiality of patient safety work product is crucial to maintaining an environment for providers to discuss and analyze patient safety events, identify causes, and improve future outcomes.

The Office of Civil Rights (OCR) enforces the confidentiality provisions of the Patient Safety Act. OCR seeks voluntary compliance with the confidentiality provisions by providers, patient safety organizations (PSOs) and responsible persons that hold patient safety work product.  OCR may conduct compliance reviews and investigate complaints alleging that patient safety work product has been disclosed in violation of the confidentiality provisions.

OCR also provides technical assistance to persons seeking to comply with the confidentiality provisions and public information regarding the administration of the enforcement program.

The enforcement provisions are found at Subpart D of the Patient Safety Rule.

Penalties for Disclosures in Violation of the Protections

If OCR determines that a violation has occurred, OCR may impose a civil money penalty of up to $14,960 per violation (see the Annual Civil Monetary Penalties Inflation Adjustment HHS Rule (October 2023)).

The Federal Civil Penalties Inflation Adjustment Act of 1990 (Inflation Adjustment Act) requires HHS to adjust for inflation the Patient Safety and Quality Improvement Act’s (PSQIA) civil money penalty amount at least once every four years, beginning from the PSQIA’s date of enactment, which was July 29, 2005.


Guidance for the Patient Safety Act and Patient Safety Rule

On May 24, 2016, HHS published guidance for patient safety organizations (PSOs) and providers regarding questions about the Patient Safety and Quality Improvement Act of 2005, 42 USC 299b-21–b-26 (Patient Safety Act), and its implementing regulation, the Patient Safety and Quality Improvement Final Rule, 42 CFR Part 3 (Patient Safety Rule). This guidance clarifies:

  • what information that a provider creates or assembles can become patient safety work product (PSWP)
  • how providers can satisfy external obligations related to information collection activities consistent with the Patient Safety Act and Patient Safety Rule

Read the HHS Guidance Regarding Patient Safety Work Product and Providers' External Obligations (May 2016)

The Guidance states that a patient safety organization (PSO) that is a component of a parent organization that includes an FDA-regulated entity cannot create a conflict of interest for its parent organization by extending patient safety work product (PSWP) protections to information that the regulated entity is required to report to the FDA under the FDCA. Therefore, for such an entity to become listed as a component PSO, the entity must agree to disclose PSWP to both its parent and the FDA, when required.

This guidance applies to all entities that:

  • Have mandatory FDA-reporting obligations under the Food, Drug and Cosmetic Act (FDCA) or
  • Are organizationally related to such FDA-regulated reporting entities (e.g., parent organizations, subsidiaries, sibling organizations).

Read the HHS Guidance Regarding Patient Safety Organizations’ Reporting Obligations to the FDA (December 2010)

Content created by Office for Civil Rights (OCR)
Content last reviewed October 22, 2024