Understanding Confidentiality of Patient Safety Work Product

Protecting Patient Safety Work Product

To encourage the reporting and analysis of medical errors, the Patient Safety and Quality Improvement Act of 2005 (PSQIA) provides Federal privilege and confidentiality protections for patient safety information called patient safety work product (PSWP). PSWP includes information collected and created during the reporting and analysis of patient safety events. PSWP may identify patients, health care providers, and individuals that report medical errors or other patient safety events. Generally, PSWP is privileged and confidential and may only be disclosed in certain very limited situations.

The confidentiality provisions improve patient safety outcomes by creating an environment where providers may report and examine patient safety events without fear of increased liability risk. Greater reporting and analysis of patient safety events yield increased data and better understanding of patient safety events.

On this page

Filing a Patient Safety Confidentiality Complaint

Anyone can file a patient safety confidentiality complaint. If you believe that a person or organization shared patient safety work product in violation of the confidentiality provisions, you may file a complaint with HHS’ Office for Civil Rights (OCR).

File a Complaint

The Patient Safety Act and Final Rule

The Patient Safety and Quality Improvement Act of 2005 (PSQIA) establishes a voluntary reporting system designed to enhance the data available to assess and resolve patient safety and health care quality issues. Patient safety information collected and analyzed as described the statute and final rule may become privileged and confidential as PSWP.

PSQIA provides for the establishment of Patient Safety Organizations (PSOs) to receive reports of patient safety events or concerns from health care providers and to provide analyses of these events to the reporting providers. To the extent that PSOs collect and analyze protected health information for HIPAA covered entities, they are considered business associates under the HIPAA Privacy Rules. The Agency for Healthcare Research and Quality (AHRQ) is responsible for the listing of PSOs.

PSQIA authorizes HHS to impose civil money penalties for violations of PSWP confidentiality.

The Patient Safety and Quality Improvement Act of 2005 (PSQIA)

The Patient Safety and Quality Improvement Act of 2005 (the Patient Safety Act or PSQIA) amends the Public Health Service Act (42 U.S.C. 299 et. seq.; P.L. 109-41) by inserting sections 921 through 926, 42 U.S.C. 299b-21 through 299b-26. 

OCR has responsibility for interpretation and implementation of the confidentiality protections and enforcement provisions in section 922.

The Agency for Healthcare Research and Quality (AHRQ) has responsibility for listing of and outreach to patient safety organizations (PSOs) and the creation of a network of patient safety databases in sections 923, 924, and 925.

For more information, see AHRQ's overview of the PSQIA.

The Patient Safety Rule

The Patient Safety Rule, published in the Federal Register on November 21, 2008, effective on January 19, 2009, is codified at 42 C.F.R. Part 3 (73 FR 70732).  The Patient Safety Rule implements select provisions of PSQIA.

OCR has responsibility for interpreting and implementing the confidentiality protections described in Subpart C and the enforcement provisions described in Subpart D.

AHRQ has responsibility for listing and delisting of patient safety organizations (PSOs) described in Subpart B.

Delegation of Authorities

HHS' Office for Civil Rights Authorities

On April 3, 2006, the HHS Secretary delegated to the Director of the Office for Civil Rights (OCR) the authority to enforce patient safety confidentiality protections. The OCR Director primarily:

  • Enforces confidentiality protections for “patient safety work product,” which may include patient, provider, and reporter identifying information that is collected, created, or used for patient safety activities
  • Imposes civil monetary penalties for impermissible disclosure of that information

Although patient safety work product may contain the Health Insurance Portability and Accountability Act of 1996's (HIPAA) Privacy Rule "protected health information," which is protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, the statute prohibits dual penalties under both PSQIA and the HIPAA Rules.

Read the Federal Register Notice of the Delegation of Authority.

Agency for Health Care Research and Quality (AHRQ) Authorities

AHRQ was delegated all other authorities under PSQIA except for those retained by the HHS Secretary. Read about AHRQ's work on patient safety.

Enforcement of the Confidentiality Provisions of the Patient Safety Act

Enforcement of the confidentiality of PSWP is crucial to maintaining an environment for providers to discuss and analyze patient safety events, identify causes, and improve future outcomes.

The Office for Civil Rights (OCR) enforces the confidentiality provisions of the Patient Safety Act. OCR seeks voluntary compliance with the confidentiality provisions by providers, patient safety organizations (PSOs), and responsible persons that hold patient safety work product.  OCR may conduct compliance reviews and investigate complaints alleging that patient safety work product has been disclosed in violation of the confidentiality provisions.

OCR also provides technical assistance to persons seeking to comply with the confidentiality provisions and public information regarding the administration of the enforcement program.

The enforcement provisions are found at Subpart D of the Patient Safety Rule.

Penalties for Disclosures in Violation of the Protections

If OCR determines that a violation has occurred, OCR may impose a civil money penalty. See 45 CFR 102.3 for the current civil money penalty amount.

Guidance for the Patient Safety Act and Patient Safety Rule

Below are current federal guidance for patient safety organizations (PSOs) and providers.

Guidance Regarding Patient Safety Work Product and Providers' External Obligations (2016)

On May 24, 2016, HHS published guidance for patient safety organizations (PSOs) and providers regarding questions about the Patient Safety and Quality Improvement Act of 2005, 42 USC 299b-21–b-26 (Patient Safety Act), and its implementing regulation, the Patient Safety and Quality Improvement Final Rule, 42 CFR Part 3 (Patient Safety Rule). This guidance clarifies:

  • what information that a provider creates or assembles can become patient safety work product (PSWP)
  • how providers can satisfy external obligations related to information collection activities consistent with the Patient Safety Act and Patient Safety Rule

Read the HHS Guidance Regarding Patient Safety Work Product and Providers' External Obligations (May 2016)

Guidance Regarding Patient Safety Organizations’ Reporting Obligations to the FDA (2010)

The Guidance states that a patient safety organization (PSO) that is a component of a parent organization that includes an FDA-regulated entity cannot create a conflict of interest for its parent organization by extending patient safety work product (PSWP) protections to information that the regulated entity is required to report to the FDA under the FDCA. Therefore, for such an entity to become listed as a component PSO, the entity must agree to disclose PSWP to both its parent and the FDA, when required.

This guidance applies to all entities that:

  • Have mandatory FDA-reporting obligations under the Food, Drug and Cosmetic Act (FDCA) or
  • Are organizationally related to such FDA-regulated reporting entities (e.g., parent organizations, subsidiaries, sibling organizations).

Read the HHS Guidance Regarding Patient Safety Organizations’ Reporting Obligations to the FDA (December 2010).

For additional information about the rules, read AHRQ’s frequently asked questions.

Content created by Office for Civil Rights (OCR)
Content last reviewed