Next Act for Patient Safety: Previewing the Patient Safety and Quality Improvement Final Rule

by Allison F. Viola, MBA, RHIA; Crystal Kallem, RHIA; and June Bronnert, RHIA, CCS, CCS-P


A voluntary quality improvement program just under way will assist organizations in better understanding the underlying causes associated with adverse events.


Publication of the Institute of Medicine’s report To Err Is Human in 2000 placed substantial emphasis on improving patient safety.1 IOM estimates medical errors contribute to between 44,000 and 98,000 deaths in US hospitals each year. Costs associated with these adverse events are estimated to total $17 to $20 billion annually.

Following this groundbreaking report, IOM called for a major redesign of the US healthcare system in Crossing the Quality Chasm.2 Patient safety is one of IOM’s recommended aims for improving the healthcare system.

To address these much-needed improvements, Congress enacted the Patient Safety and Quality Improvement Act of 2005. The act intends to expand voluntary, provider-driven initiatives; promote learning of underlying causes associated with adverse events; and widely disseminate findings in support of rapid cycle improvements.3

In February 2008 the Agency for Healthcare Research and Quality published a notice of proposed rulemaking describing regulations that would implement certain aspects of the act. AHRQ’s draft regulations described a framework by which hospitals, doctors, and other healthcare providers would voluntarily and confidentially report information on patient safety events to be analyzed by newly established entities called patient safety organizations (PSOs).4

Following the public comment period, AHRQ reviewed responses and issued a final rule in November 2008, which took effect on January 19, 2009.

Many components of the Patient Safety Act are of particular interest to the HIM community. Organizations that choose to participate in the program will rely on HIM professionals to help manage the privacy and security of submitted data, ensure data integrity, and determine policies and processes.

A Look at the Act

The focus of the Patient Safety Act is a voluntary program that encourages healthcare providers to share patient safety event information with PSOs, whose analysis can help providers improve patient safety and quality of care. To enable the data sharing, AHRQ developed the concept of a “patient safety work product,” which attaches privileges and confidentiality protections to the organization’s information. Common data formats are intended to smooth the exchange of information between providers, PSOs, and AHRQ.

Patient Safety Work Products

A patient safety work product is material collected and assembled by a provider in preparation for reporting to a PSO. The material may include data, reports, records, analyses, and written or oral statements that serve to improve patient safety, healthcare quality, and healthcare outcomes.

Patient safety work products are entitled to certain privileges and protections. To leverage these benefits, the information must be designated as such through documentation by the provider within the patient safety evaluation system, the tool through which information is collected, maintained, analyzed, and communicated to the PSO. These processes can be conducted in paper, electronic, or any type of hybrid format an organization chooses to use.

Information designated as a patient safety work product is not subject to subpoena or discovery and cannot be admitted as evidence in connection with disciplinary actions against a provider. It is not subject to disclosure as outlined in the Freedom of Information Act and cannot be admitted into a professional disciplinary proceeding.

As with many protections and privileges, there are exceptions to the rule. The conditions will not apply within a criminal proceeding where patient safety information must be disclosed; for information that has been de-identified and has met certain standards for this process; and when there is an authorized release of the information by the provider.

The act also includes provisions to maintain the confidentiality of the information in patient safety work products. However, confidentiality restrictions do not apply in several instances, and information may be disclosed. Disclosure is allowed where a provider needs to share information with a PSO to conduct patient safety activities. In addition, there are certain circumstances where disclosure of the information among other PSOs and providers is allowable when the identifiers have been removed.

To ensure the protections, privileges, and confidentiality of patient safety work products, PSOs must implement security requirements detailed in the final rule. To remain compliant, PSOs must adhere to the requirements at all times in situations where patient safety work products are processed, developed, used, maintained, stored, removed, disclosed, transmitted, and destroyed.

PSOs must develop a security framework that addresses the ability to manage the program, distinguish patient safety work products from other patient information, and conduct security monitoring to ensure controlled access.

Analysis, Trending, and Common Data Formats

Through the Patient Safety Act, the secretary of Health and Human Services (HHS) is authorized to facilitate the development of a network of patient safety databases to collect, aggregate, and analyze de-identified patient safety work products. This information will be used to detect trends and patterns among patient safety initiatives.

The most effective way to collect and analyze patient safety information is by establishing common data definitions and formats. To that end, AHRQ has developed an initial set of common data formats through which providers and PSOs will gather data from the patient safety work products. “Common formats” describe the technical requirements developed for the uniform collection and reporting of patient safety data, including all supporting material, such as:

  • Descriptions of patient safety events and unsafe conditions
  • Delineation of data elements for specific types of events
  • Examples of patient safety population reports
  • A metadata registry with data element attributes and technical specifications
  • Paper forms to allow immediate implementation
  • A users’ guide5

AHRQ partnered with the National Quality Forum to issue a beta version of these formats for public review. The National Quality Forum, a not-for-profit membership organization advancing quality measurement and reporting, facilitated the initial review of the common data formats in August 2008. AHRQ continues to refine the formats for the purposes of establishing a common method for collecting and submitting patient safety event data.

In order for designated PSOs to maintain their status, they are required to use the common data formats and data collection processes set forth in the rule.

Three Program Components

The patient safety program features three main components: providers who voluntarily participate, patient safety organizations that gather and analyze data, and a uniform format for data collection and reporting. The PSOs report aggregate data to the Agency for Healthcare Research and Quality for analysis and trending at a national level.

Providers:

  • Choose a certified PSO
  • Collect data and establish as a patient safety work product
  • Submit work product to PSO
  • Communicate with PSO to improve patient safety, healthcare quality, and outcomes
  • Modify organization processes and policies to reflect changes

Patient safety organizations:

  • Meet criteria to become a certified PSO
  • Establish formal agreement with provider and receive patient safety work product
  • Compile and aggregate information to conduct trending and analysis
  • Submit aggregate information to AHRQ for the National Healthcare Quality Report

Uniform format for data collection and reporting:

  • Details the technical requirements for uniform data collection and reporting within the program
  • Beta version developed and issued by AHRQ
  • Providers and PSOs must use the format
  • AHRQ will continue to refine

Patient Safety Organizations

PSOs are entities or component organizations whose mission and primary activity is to improve patient safety and the quality of care delivery. PSOs must use the patient safety work product for the purpose of providing direct feedback and assistance to providers to effectively minimize patient risk.

The organizations are also expected to collect patient safety work products from providers in a standardized manner that permits valid comparisons of similar cases among similar providers.

Organizations wishing to be approved as PSOs must comply with guidelines set forth in the final rule. Some organizations are not permitted to pursue PSO designation, including health plan issuers, organizations that accredit or license healthcare providers, and entities that oversee or enforce statutory requirements.

Once an organization is deemed eligible for PSO designation, it must regularly certify that it is performing, and will continue to perform, the required functions outlined in the final rule.

Technology Requirements

AHRQ did not propose specific infrastructure or technology requirements for a patient safety program. However, the regulation requires that policies and procedures demonstrate secure practices for patient safety work products. Providers may maintain their patient safety work products in any medium; however, organizations maintaining electronic versions should consider the storage, maintenance, and staffing needs to support this initiative.

Other considerations must include the PSO’s ability to access patient safety work products for the purposes of reporting the information. Providers that have integrated health IT systems are not required to maintain new systems and processes separate from their current data collection activities. Those organizations that anticipate participating in the program and also expect to implement health IT systems should review the final rule and understand the components of the program. This will enable them to develop necessary policies and procedures and successfully address the specifications outlined in the rule.

Key Terms from the Final Rule

Common Formats

The technical requirements pertaining to the collection and reporting of patient safety data, including all supporting material, such as:

  • Descriptions of patient safety events and unsafe conditions to be reported
  • Delineation of data to be collected for different types of events
  • Examples of patient safety population reports
  • A metadata registry with data element attributes and technical specifications
  • Paper forms to allow immediate implementation
  • User guide documentation

Disclosure

The release of, transfer of, provision of access to, or divulging in any other manner of patient safety work product by an entity or natural person holding the patient safety work product to another legally separate entity or natural person, other than a work force member of, or a physician holding privileges with, the entity holding the patient safety work product.

HHS has defined as a disclosure the release of, transfer of, provision of access to, or divulging in any other manner of patient safety work product by a component PSO to another entity or natural person outside the component PSO.

Patient Safety Evaluation System

The collection, management, or analysis of information for reporting to or by a PSO. The patient safety evaluation system is the mechanism through which information can be collected, maintained, analyzed, or communicated. Although not required, documentation of a patient safety evaluation system clearly establishes when information is patient safety

Patient Safety Organization (PSO)

A private or public entity or component thereof that is listed as a PSO by the HHS secretary in accordance with section 3.102 of the final rule.

Patient Safety Work Product

The rule adopted the statutory definition of patient safety work product as defined in the Patient Safety Act. Information becomes a patient safety work product if it is:

  1. Assembled or developed by a provider for the purpose of reporting to a PSO and is reported to a PSO.
  2. Developed by a PSO for the conduct of patient safety activities.
  3. Constitutes the deliberations or analysis of, or identifies the fact of reporting pursuant to, a patient safety evaluation system.

Patient safety work product does not include a patient’s original medical record, billing, and discharge information, or any other original patient or provider record; nor does it include information that is collected, maintained, or developed separately or exists separately from a patient safety evaluation system.

Identifiable Patient Safety Work Product

Patient safety work product that:

  • Is presented in a form and manner that allows the identification of any provider that is a subject of the work product, or any providers that participate in activities that are a subject of the work product.
  • Constitutes individually identifiable health information as that term is defined in the HIPAA privacy rule at 45 CFR 160.103.
  • Is presented in a form and manner that allows the identification of an individual who in good faith reported information directly to a PSO or to a provider with the intention of having the information reported to a PSO (“reporter”).

Nonidentifiable Patient Safety Work Product

Patient safety work product that is not identifiable in accordance with the nonidentification standards proposed in section 3.212 of the final rule. Because the privilege and confidentiality protections of the Patient Safety Act and this part do not apply to nonidentifiable patient safety work product once disclosed, the restrictions and data protection rules in this proposed rule phrased as pertaining to patient safety work product generally only apply to identifiable patient safety work product.

Source: Department of Health and Human Services. Patient Safety and Quality Improvement; Final Rule. 42 CFR Part 3 (2008). Federal Register 73, no. 226 (Nov. 21, 2008): 70732–814. Available online at http://edocket.access.gpo.gov/2008/pdf/E8-27475.pdf.

HIM Touch Points

HIM professionals make critical contributions to the success of their organizations’ patient safety initiatives. Communicating these skills within their organizations ensures their role in implementing and managing patient safety programs. A defined HIM role within the organization’s patient safety lifecycle—from the collection and aggregation of data to the protection, management, and reporting of patient safety work products—will ensure the organization is in alignment with the rule and reaps the full benefits of the program.

Key opportunities for HIM professionals within the patient safety lifecycle include the domains of data integrity, data management, privacy, and security.

Privacy and security issues evolve as technology advances, and HIM professionals are important resources in identifying those changes. They serve as a valuable resource for addressing the privacy and security aspects associated with patient safety initiatives, including:

  • Monitoring access, use, and disclosure of patient safety work products
  • Developing and enforcing policies and procedures for protecting patient safety work products
  • Managing identifiable versus nonidentifiable patient safety work products

Other vital aspects of a patient safety program, such as data and records management, are core HIM principles and should be managed by HIM professionals. Data management ensures that information is available at the right time to support internal root cause analysis, intervention, and reporting to a PSO.

HIM professionals support these efforts by establishing necessary documentation guidelines for healthcare services and monitoring compliance. With expertise in how information is documented—whether in an electronic, paper-based, or hybrid environment—HIM professionals can advise on the level of effort necessary to report the data externally.

Lastly, ensuring data quality and integrity is vital to any patient safety initiative. Healthcare providers need to know they are making business decisions based upon accurate health information. Monitoring the quality of the reportable information is another area where HIM professionals can lead. Healthcare organizations should look to HIM for expertise in data validation.

HIM professionals at organizations that are considering participating in this voluntary initiative may take several steps to help ensure the program’s success:

  • Review and understand the final rule
  • Ensure HIM leadership and expertise are recognized and involved in patient safety planning and implementation
  • Understand the current version of the common data formats and participate in future public commenting to further improve the framework
  • Assess the organization’s current and future technology considerations and standards to support management and the reporting of patient safety data
  • Begin the planning for and development of a training and awareness program regarding the patient safety framework
  • Update and maintain policies and procedures to ensure alignment with patient safety privacy and security requirements

Notes

  1. Institute of Medicine (IOM). To Err Is Human: Building a Safer Health System. Washington, DC: National Academy Press, 2000.
  2. IOM. Crossing the Quality Chasm: A New Health System for the 21st Century. Washington, DC: National Academy Press, 2001.
  3. Agency for Healthcare Research and Quality. “Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act): An Overview.” Available online at www.pso.ahrq.gov/regulations/regulations.htm.
  4. Department of Health and Human Services (HHS). Patient Safety and Quality Improvement; Final Rule. 42 CFR Part 3 (2008). Federal Register 73, no. 226 (Nov. 21, 2008): 70732–814. Available online at http://edocket.access.gpo.gov/2008/pdf/E8-27475.pdf.
  5. HHS. “Common Formats for Patient Safety Data Collection and Event Reporting.” Federal Register 73, no. 169 (Aug. 29, 2008): 50974–76. Available online at http://edocket.access.gpo.gov/2008/pdf/E8-19910.pdf.

Resources

Agency for Healthcare Research and Quality. “Patient Safety Organizations.” Available online at www.pso.ahrq.gov.

AHIMA. “AHIMA Comments on AHRQ Notice of Proposed Rulemaking for Patient Safety Organization Framework.” April 2008. Available online at www.ahima.org/dc/.

AHIMA. “AHIMA’s Comments in Response to the Patient Safety Common Formats.” October 2008. Available online at www.ahima.org/dc/CommentsTestimony.asp.

Allison F. Viola (allison.viola@ahima.org) is director of federal relations at AHIMA. Crystal Kallem is director of practice leadership at AHIMA. June Bronnert is a director of professional practice resources at AHIMA.


Article citation:
Viola, Allison F.; Kallem, Crystal; Bronnert, June. "Next Act for Patient Safety: Previewing the Patient Safety and Quality Improvement Final Rule" Journal of AHIMA 80, no.4 (April 2009): 30-35.