PSQIA, PSWP & HIPAA Compliance
Written by: AIHC Blogger
This article addresses patient confidentiality and security related to patient safety evaluation systems, investigations, root cause analysis and compliance with rules and regulations. It is a basic introduction to help understand the importance of appropriately managing this type of privileged information.
The goal of achieving quality and patient safety is to improve patient safety outcomes by creating an environment where providers can report and examine patient safety events without fear of increased liability risk. Greater reporting and analysis of patient safety events will help gain a better understanding of patient safety events and result in improvements from lessons learned.
Health care is like “alphabet soup” – filled with acronyms, abbreviations and terms unique to our profession. Let’s define the three acronyms used in the title of this article and look at how these three rules interact from a compliance perspective.
PSQIA - the Patient Safety and Quality Improvement Act
PSQIA established a voluntary reporting system with the government’s intent to enhance the data available to assess and resolve patient safety and health care quality issues.
On July 29, 2005, the President signed the Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act, 42 U.S.C. sections 299b-21 to 299b-26) into law. The Patient Safety Act amended Title IX of the Public Health Service Act to provide for the improvement of patient safety and to reduce the incidence of events that adversely affect patient safety by authorizing the creation of patient safety organizations (PSOs).
The Agency for Healthcare Research and Quality (AHRQ) lists patient safety organizations which work with providers to improve quality and safety through the collection and analysis of aggregated, confidential data on patient safety events.
PSQIA authorizes the Department of Health and Human Services (HHS) to impose civil money penalties (CMPs) for violations of patient safety confidentiality. The Office for Civil Rights (OCR) has been delegated the responsibility for interpretation and implementation of the confidentiality protections and enforcement provisions. When OCR is unable to achieve an informal resolution of an indicated violation through voluntary compliance, the Secretary may impose a CMP of up to $11,000 for each knowing and reckless disclosure of PSWP that is in violation of the confidentiality provisions.
To encourage the reporting and analysis of medical errors, PSQIA provides Federal privilege and confidentiality protections for patient safety information, called patient safety work product (PSWP).
PSWP - the Patient Safety Work Product
PSWP includes patient, provider and reporter identifying information that is collected, created or used for patient safety activities.
PSWP is both privileged and confidential under the PSQIA. It may only be disclosed in certain very limited situations, and civil money penalties (CMPs) can be imposed for impermissible disclosures of this information.
What it Includes
PSWP is considered to be any data, reports, records, memoranda, analyses (such as root cause analyses), gap analysis, 8D approach, or written or oral statements that are: assembled for reporting to a Patient Safety Organization (PSO); reported to a PSO; or developed by a PSO for the conduct of patient safety activities that could result in improved patient safety, health care quality, or health care outcomes. It also applies to data used in a patient safety evaluation system (PSES).
PSWP may also include patient information that is protected health information as defined by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (see 45 CFR 160.103).
What PSWP Is Not
PSWP differs from HIPAA as PSWP does not include a patient’s medical record, billing and discharge information, or any other original patient or provider record. It does not include information that is collected, maintained, or developed separately, or exists separately, from a patient safety evaluation system.
HIPAA - the Health Insurance Portability and Accountability Act
According to the final PSQIA rule, the HIPAA Privacy Rule does not require covered providers to obtain patient authorizations to disclose patient safety work product containing protected health information to PSOs. This is because patient safety activities are considered healthcare operations, typically addressed in the Covered Entity’s Notice of Privacy Practices (NOPP). PSOs are business associates and should be operating under a Business Associate Agreement or BAA to be compliant under HIPAA rules.
As a Covered Entity (CE) or Business Associate (BA) under HIPAA, regulated entities are required to implement a security management process to prevent, detect, contain, and correct security violations. This process includes conducting a risk analysis to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
A regulated entity that has weak cybersecurity practices makes itself an attractive soft target. Hackers can penetrate a regulated entity’s network and gain access to ePHI by exploiting known vulnerabilities. Malicious cyber-attacks targeting the health care sector continue to increase.
PSQIA, PSWP and HIPAA are government regulations working together to link health care quality and patient safety with the privacy and security of privileged information.
All health care providers are expected to investigate any patient safety issues and stay HIPAA compliant while doing so. Sharing information to improve quality and safety in our health care environment is needed to mitigate risk and promote improved reimbursement.
Online Training Options:
- CEs and BAs are encouraged to have C-Suite and management teams trained in HIPAA privacy. Register for the online HIPAA Privacy course worth 12 AHIMA/AIHC CEUs.
- Learn more about the basics of Quality, Root Cause Analysis and the 8 Disciplines – Register for the online training Quality, Root Cause Analysis (RCA) & the 8D Approach – Short Course.
Quality and Patient Safety Resources
- For tips on preventing medical errors and promoting patient safety, measuring health care quality, consumer assessment of health plans, evaluation software, report tools, and case studies, visit the Agency for Healthcare Research and Quality (AHRQ) website and sign up for email updates.
- The National Advisory Council (NAC) for Healthcare Research and Quality provides advice and recommendations to AHRQ's director and to the Secretary of the Department of Health and Human Services (HHS) on priorities for a national health services research agenda.
Copyright © 2023 American Institute of Healthcare Compliance All Rights Reserved