1. What is Patient Safety Work Product?
Patient Safety Work Product (PSWP) is information or other data that can be used to improve patient safety or healthcare quality and that is assembled and developed for the purpose of reporting to a PSO and is reported to the PSO as PSWP.
PSWP does not include a patient’s medical record, billing and discharge information, or any other original patient or provider information.
2. If data are collected for multiple purposes, such as legal defense and patient safety, can they be reported to the PSO as PSWP?
Information that is collected for multiple purposes can be shared with a PSO as a “copy,” but it cannot become PSWP. However, only documents that are actually submitted to an entity outside of the PSO lose their status as PSWP and become discoverable. Documents that are created within the PSES that are submitted to the PSO, even though they may relate to an incident that is also the subject of a report to an entity outside of the PSO, remain confidential as PSWP.
This question raises the issue of using information as part of a legal defense. The Patient Safety Act specifically excludes the admission of PSWP as evidence in any criminal, civil, administrative, and disciplinary proceedings. Therefore, attempts to introduce PSWP as part of legal defense may be subject to challenge. However, in most cases information that is needed in a legal defense is likely to be drawn from records that cannot become PSWP (information from the patient’s medical record, billing, and discharge information, or any other original patient or provider record).
3. When is the data considered PSWP – when I collect it through my Patient Safety Evaluation System (PSES) or when it is officially reported to the PSO?
The Patient Safety Rule, which became effective January 19, 2009, clarifies the issue of when PSWP protections apply to information assembled or developed by a provider for reporting to a PSO. Information documented as collected within a patient safety evaluation system by a provider becomes PSWP upon collection. Prior to reporting the information to a PSO, a provider may document that it is voluntarily removing information (assembled or developed for reporting to a PSO) from its PSES because it no longer intends to report the documented information to a PSO, in which case there are no protections.
Note that this “drop-out” provision does not apply to analyses or deliberations within the provider’s PSES; the protections apply to PSES deliberations and analyses when they take place. Thus, a provider cannot turn its PSES deliberations or analyses into non-PSWP.
4. What is a PSES?
A PSES is defined by the Patient Safety Rule as the collection, management or analysis of information for reporting to or by a PSO.
5. Should both a hospital and PSO document their PSES?
The Patient Safety Rule notes that, while documentation of a PSES is not required, it is recommended as a best practice.
6. An event is reviewed through the PSES and it is deemed that it needs to be reported to an external body. Can I abstract information from the form on which the event was submitted or must I go to the medical record and abstract the data?
The Patient Safety Rule provides an easy solution. Information regarding an event that is documented as assembled or developed for reporting to a PSO is considered PSWP at the point of assembly or development. As long as the provider has not yet reported this information to a PSO, the provider can document that it is removing the information from its PSES because it no longer intends to report the information to the PSO. In this case there are no protections for the information; it can then be used in its entirety as the provider chooses, since it is no longer PSWP.
7. Can a provider share PSWP data reported to a PSO with a government agency during an on-site visit?
PSWP can only be disclosed to external organizations, including government agencies conducting site visits, if there is an applicable disclosure permission in the Patient Safety Rule. An example is the permission related to enforcement and compliance with the Patient Safety Act and Rule. Sections 204(c) and 206(d) of the Patient Safety Rule describe the right of the HHS Secretary to relevant PSWP to determine compliance with its confidentiality protections and the HIPAA Privacy Rule and decisions related to the listing and delisting of PSOs and PSO compliance with the rule.
It is important to recognize that the Patient Safety Act does not relieve a provider of its need to meet its reporting requirements or accountability obligations to external authorities. These obligations can only be met with non-PSWP. Therefore, information needed for external reporting or sharing with a governmental agency should be assembled or developed outside the provider’s PSES so that the information is not PSWP.
8. What is the difference between disclosure of PSWP and use of PSWP in my organization?
The Patient Safety Rule addresses the distinction in the definition of the terms “disclosure” and “workforce” in Subpart A. Use of PSWP within an organization means sharing or exchange of PSWP among the workforce members of a legal entity (or a component PSO).
In general, disclosure means the release of, transfer of, provision of access to, or divulging in any other manner of, patient safety work product to another legally separate entity or person, other than a workforce member of, or a physician holding privileges with, the entity holding the patient safety work product.
In the case of a component PSO that is not a legal entity, disclosure is the release of, transfer of, provision of access to, or divulging in any other manner of, patient safety work product by a component PSO to another entity or natural person outside the component PSO.
9. How does de-identified data differ under the PSA vs. HIPAA? When will the de-identification process be specified by AHRQ?
The Patient Safety Act and Rule require that PSWP be made non-identifiable before it is sent to the NPSD. This requirement goes further than the de-identification required under HIPAA (removal of individually identifiable health information). Non-identification includes making the PSWP contextually de-identified. Contextual de-identification requires not only stripping specific identifiers but also assessing whether a patient, provider, or facility can be identified through a combination of available data (i.e., whether the data can be manipulated to be re-identified).
AHRQ has established a technical assistance center to assist PSOs with the process of making PSWP non-identifiable. The technical assistance will be provided by the Privacy Protection Center (PPC). AHRQ anticipates the process and specifications for making PSWP non-identifiable will be available in 2010.
10. Can data used for re-appointment decisions be submitted to a PSO as PSWP?
A copy of information assembled or developed for any other purpose – such as reappointment and credentialing – can be shared with a PSO but the information cannot become PSWP.
11. Is reporting to a PSO limited only to what is in the Common Formats or can I include other areas, e.g., employee health, etc.?
A healthcare provider may report any information to a PSO that meets the statutory definition of Patient Safety Work Product (PSWP). PSWP consists of any information which is generated to improve patient safety, health care quality, or health care outcomes and is assembled or developed for reporting to a PSO and is reported to the PSO.
Information that is submitted to the Network of Patient Safety Databases (NPSD) must be made non-identifiable (contextually de-identified) and must conform to the Common Formats in order to be included in aggregate analysis.
In cases where a provider enters a contract with a PSO, the contracting parties may limit the scope of the information that may be reported. However, a contract is not required to report information to a PSO.