Confidentiality of Patient Safety Work Product — Information for Providers and PSO Workforce

The definition of PSWP is quite broad. Patient safety work product includes any data, reports, records, memoranda, analyses (such as root cause analyses), or written or oral statements (or copies of any of this material), which could improve patient safety, health care quality, or health care outcomes, that are assembled or developed by a provider for reporting to a PSO and are reported to a PSO. It also includes information that is documented as within a patient safety evaluation system that will be sent to a PSO and information developed by a PSO for the conduct of patient safety activities.

However, patient safety work product does not include a patient’s medical record, billing and discharge information, or any other original patient or provider information; nor does it include information that is collected, maintained, or developed separately, or exists separately, from a patient safety evaluation system.

Patient Safety Work Product must not be disclosed, except in very specific circumstances and subject to very specific restrictions. The most relevant exceptions for healthcare providers and PSO workforce members are as follows:

Note: the Patient Safety Activities Exception (see bold text below) is the most common one that providers and PSOs will be working with. Disclosures pursuant to the other exceptions should have prior review by counsel or other knowledgeable party before permitting any disclosure.

Permitted Disclosures

• Patient Safety Activities — PSWP may be disclosed:
  • Between the Provider and the PSO — i.e.:
    • From the provider to the PSO, for Patient Safety Activities, and
    • From the PSO to the disclosing provider, for Patient Safety Activities
  • To a contractor of a Provider or a PSO
    • For contracted Patient Safety Activities
    • Contractor may not further disclose, except back to the contracted provider or PSO
  • Among affiliated providers, for Patient Safety Activities
  • From one PSO to another PSO or another provider, if
    • Direct identifiers (which are defined in the regulations) of any providers, affiliated organizations, corporate parents, subsidiaries, practice partners, employers, members of the workforce, or household members of such providers are removed; and
    • With respect to any Individually identifiable health information within the PSWP, a limited data set (also defined by regulation) is produced

• Business operations — A provider or PSO may disclose to attorneys, accountants or other professionals for business operations purposes.
  • Further disclosure (except back to the contracting entity) is prohibited

• Authorized by identified providers — Disclosure is permitted if all identified providers authorize the disclosure.
  • Authorization must be in writing, signed by the provider, and
  • Must state the nature and scope of the disclosure

• Accrediting bodies — PSWP may be (but is not required to be) disclosed to an accrediting body if:
  • Any identified provider agrees to the disclosure; or
  • Direct identifiers of any provider (or affiliated organizations, corporate parents, subsidiaries, practice partners, employers, members of the workforce, or household members) are removed

• Nonidentifiable PSWP — May be disclosed
  • The regulations set out specific requirements for “nonidentification.”

• Research — This exception allows disclosure to researchers conducting certain types of research projects. If protected health information is involved, HIPAA also applies.

• Food and Drug Administration — PSWP may be disclosed to the FDA
  • By a provider concerning an FDA-regulated product or activity,
  • By an entity required to report to the FDA about the quality, safety, or effectiveness of an FDA-regulated product or activity, or
  • By a contractor acting on behalf of the FDA or entity for these purposes

• Law enforcement — PSWP may be disclosed to law enforcement personnel
  • If the information relates to an event that either constitutes the commission of a crime, or for which the disclosing person reasonably believes constitutes the commission of a crime, provided that the disclosing person believes, reasonably under the circumstances, that the patient safety work product that is disclosed is necessary for criminal law enforcement purposes

• Criminal proceedings — But only after a court makes an in-camera (in closed chambers) determination that:
  • The PSWP contains evidence of a criminal act;
  • The PSWP is material to the proceedings; and
  • The PSWP is not reasonably available from any other source

• Disclosure to permit equitable relief for reporting individuals — This exception allows use of PSWP by individuals who claim they have been the victim of an adverse employment action because the individual reported information to a PSO (either directly to the PSO or with the intent of having it reported to the PSO)
  • There must be a “protective order” issued by the court or administrative tribunal to protect the confidentiality of PSWP used in the proceeding

Violations & Enforcement

• An individual who knowingly or recklessly violates the confidentiality provisions is subject to a civil money penalty of up to $10,000 for each act constituting such violation.
• Safe Harbor — a provider whose workforce member discloses PSWP is not deemed to have violated the Act if that workforce member disclosure does not include written or oral statements that:
  • Assess the quality of care of an identifiable provider, or
  • Describe or pertain to one or more actions or failures to act by an identifiable provider

Note: the individual workforce member of the provider would still be subject to possible penalties if the disclosure is knowing or reckless. This safe harbor does not apply to the PSO itself — i.e., a PSO workforce member’s disclosure is attributable to the PSO.

• The Act is enforced by the Secretary of Health and Human Services
  • PSWP may be disclosed to (and the Secretary may require disclosure of PSWP) to investigate or determine compliance with the Patient Safety Act or with HIPAA.