U.S. Department of Health and Human Services www.hhs.gov
Agency for Healthcare Research and Quality www.ahrq.gov


Patient Safety Organizations: A Compliance Self-Assessment Guide

September 2009

Contents

Executive Summary
Who Can Benefit From Reading This Guide?
How to Use This Guide
Background
Compliance and Technical Assistance
The Scope of This Guide
Table 1. Self-Assessment Sample Questions: Requirements of Section 3.102 for Initial and Continued Listing
Table 2. Self-Assessment Sample Questions: Requirements of Section 3.106 for Security of Patient Safety Work Product
Table 3. Required Notifications and Submissions
Table 4. Reference Table: Patient Safety Rule Requirements For Which Attestations Are Required

Executive Summary

The Patient Safety and Quality Improvement Final Rule (Patient Safety Rule) implements Public Law 109-41, the Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act), which establishes in Subpart B the requirements that an entity must meet to seek listing and remain listed as a Patient Safety Organization (PSO). The rule relies primarily upon a system of attestations that places a significant burden for understanding and complying with these requirements on the PSO. However, the rule also authorizes the Agency for Healthcare Research and Quality (AHRQ) to conduct reviews (including announced or unannounced site visits) to assess PSO compliance. To assist PSOs in making the required attestations and preparing for a compliance review, AHRQ has developed this Guide to suggest approaches for thinking systematically about the scope of these requirements and what compliance may mean for an individual PSO. The Guide provides sample questions that a PSO may want to consider in addressing each of the requirements.

The questions are illustrative. Some of the questions may be applicable to all PSOs, while others may be relevant only to specific types of PSOs, such as those employing sophisticated information technology (IT) to receive and to analyze large volumes of data. These questions do not establish new standards and are not intended to indicate the only way to meet the regulatory standards. An individual PSO—given its mission, the services and expertise it offers providers, and its operational model for carrying out patient safety activities—should use these sample questions as a starting point for assessing whether its approach to compliance has taken into account issues relevant to its operation.


Who Can Benefit From Reading This Guide?

This Guide may help—


How to Use This Guide

The Patient Safety Rule provides PSOs latitude in complying with its requirements. In addition, PSOs vary in terms of size, complexity, and sophistication and, over time, PSOs will vary significantly in the breadth and scope of their activities. For example, PSOs can be local, regional, or national in orientation; they can focus narrowly or broadly in terms of the clinical or analytic services they offer providers; they can target their services toward one type of health care facility or multiple health care settings; and, they are likely to vary in the sophistication and complexity of IT employed. As a consequence, individual PSOs are likely to approach compliance from different perspectives.

AHRQ's intent in developing this Guide is to emphasize to each PSO the importance of ensuring that its approach to compliance is logical, systematic, and addresses all aspects of the stated regulatory requirements. The sample questions provided in the Guide's tables are intended to foster such thinking. As a result, this Guide does not represent the only possible approach to thinking about these requirements. It does not establish new standards or new requirements beyond those incorporated in the text of the Patient Safety Rule. This Guide does not confer any rights on any person or entity. Finally, AHRQ may revise this Guide over time as warranted by public comment and experience.


Background

The goals and major elements of the Patient Safety Act are explained elsewhere on the AHRQ PSO Web site at www.pso.ahrq.gov. Within the framework established by the Act, PSOs are a source of expert advice for providers, enabling them to take advantage of the potential for significant aggregation and analysis of patient safety events and quality concerns within the confidentiality and privilege protections of the Patient Safety Act. As a result, health care providers and those committed to improving the safety and quality of patient care have a vested interest in the integrity of PSOs and their ability to carry out this statutory mission.

The requirements governing PSOs are set forth in Subpart B of the Patient Safety Rule (42 CFR Part 3). These include:

AHRQ administers the provisions of the rule relating to listing and operation of PSOs that are the focus of this Guide. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the confidentiality protections for patient safety work product.


Compliance and Technical Assistance

For an entity to be listed, and remain listed, as a PSO, the Patient Safety Rule relies primarily upon a system of attestations. An entity seeking listing for a 3-year period as a PSO must submit a form to AHRQ, Certification for Initial Listing, to attest that it meets the Patient Safety Rule's eligibility and listing requirements at the time the entity submits its certifications. During its period of listing, a PSO must submit a form, Two Bona Fide Contracts Requirement, every 24 months attesting that it has at least two contracts with different providers to perform patient safety activities. If the PSO has other relationships not related to patient safety work product, specified in section 3.102(d)(2), with any contracting provider, it must also submit the form, PSO Disclosure Statement, regarding its relationships with the provider and attest to the completeness and accuracy of its disclosures. Finally, to seek continued listing for an additional 3-year period, a PSO must submit the form, Certification for Continued Listing, and attest that it meets the requirements for continued listing. Therefore, these self-attestations should be the starting point for any self-assessment of compliance.

The Patient Safety Rule permits AHRQ to assess or verify PSO compliance with the rule's requirements at any time through requests for information or by conducting announced or unannounced reviews of, or site visits to, PSOs (go to section 3.110). In addition to routine compliance reviews, AHRQ may also conduct a site visit or request additional information if AHRQ has reason to believe that a PSO may not be in compliance with the requirements of the statute or the Patient Safety Rule.[1]

If AHRQ determines that a PSO is not in compliance with one or more requirements (i.e., a deficiency exists), the Patient Safety Rule enables AHRQ to work with the PSO to correct any deficiencies as promptly as possible, without taking punitive action. While the rule provides AHRQ the authority for delisting a PSO for failure to correct a deficiency, the intent of the rule is to encourage a nonadversarial approach, whenever possible, to bring a PSO back into compliance.

Whenever possible, AHRQ will provide technical assistance to PSOs to foster understanding and compliance with the requirements of the Patient Safety Rule. A PSO can seek technical assistance by outlining the issue(s) in an email to the AHRQ PSO mailbox: pso@ahrq.hhs.gov or by calling toll free 866-403-3697 or local 301-427-1111.


[1] Part IV of the Certification for Initial Listing form restates the requirement of section 3.102(a)(1)(vi) of the Patient Safety Rule that a PSO must notify the HHS Secretary promptly if it determines that it can no longer comply with any of its attestations and the applicable requirements of the rule or if there have been any changes in the accuracy of the information submitted. A PSO should also notify AHRQ promptly if its contact information or the name of its authorizing official has changed.



The Scope of This Guide

What This Guide Addresses. This Guide contains four tables. Table 1 provides sample questions related to the eligibility, listing, and operational requirements that are set forth in section 3.102 of the Patient Safety Rule. Table 2 provides sample questions related to the requirements for the security of patient safety work product set forth in section 3.106. Table 3 is a compilation of the submission and notification requirements that PSOs, and entities seeking listing as a PSO, must meet and indicates whether a specific form must be used and the date by which the requirements must be met, if one is specified in the Patient Safety Rule. Table 4 is a reference table that provides a cross-walk of the attestations required at initial and continued listing, and the corresponding requirements from the Patient Safety Rule. The next four subsections of the Guide provide introductory and additional information related to each of the four tables.

What this Guide Does Not Address. While this Guide occasionally references requirements elsewhere in the Patient Safety Rule, it does not provide a comprehensive review of specific protections and permissible disclosures of patient safety work product with which PSOs and others holding patient safety work product must comply. PSO personnel should be thoroughly familiar with those requirements that are set forth in Subpart C of the rule. Some of those requirements, such as the disclosure of patient safety work product to or by contractors, should be reviewed by a PSO before it develops its operational policies.

For purposes of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, a PSO is considered a business associate of a health care provider if the relationship meets two conditions: (1) the provider meets the HIPAA definition of a covered entity; and (2) the PSO performs a function (such as patient safety activities) on behalf of a covered health care provider that requires the PSO to receive and use patient safety work product that contains protected health information. Since PSOs are likely to work with covered providers and receive and use patient safety work product that contains protected health information (PHI),[2] every PSO should determine at the outset when establishing a working relationship with a provider whether it is required by the HIPAA Privacy Rule to enter into a business associate agreement with the provider.

To learn more about the obligations of a business associate and the definitions of related HIPAA terms, consult the Web site for the OCR (http://www.hhs.gov/ocr/). OCR has responsibility for enforcement of the HIPAA Privacy and Security Rules in addition to the confidentiality provisions of the Patient Safety Rule. There are additional business associate security provisions under the HIPAA Security Rule that apply to electronic patient health information held by business associates. For information regarding the Security Rule requirements, go to:
http://www.cms.gov/HIPAAGenInfo/04_PrivacyandSecurityStandards.asp [3]


[2] The Privacy Rule protects information known as PHI that is held or transmitted by a covered entity or its business associate in any form or media, whether electronic, paper, or oral. PHI is a subset of “individually identifiable health information” (IIHI). IIHI is information, including demographic data, that relates to the individual's past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). PHI is all IIHI except for employment records held by a covered entity in its role as employer, education records covered by the Family Educational Rights and Privacy Act (FERPA), and certain other school records.

[3] On August 3, 2009, HHS announced that responsibility for the enforcement of the HIPAA Security Rule was being transferred from the Centers for Medicare and Medicaid Services (CMS) to OCR effective immediately. The link provided here is to the CMS Web site. This information will eventually be housed on the OCR Web site (http://www.hhs.gov/ocr/).



Table 1. Self-Assessment Sample Questions: Requirements of Section 3.102 for Initial and Continued Listing

Table 1 addresses the eligibility, listing, and operational requirements for PSOs that are established by section 3.102 of the Patient Safety Rule. These requirements can be categorized as follows:

Patient Safety Activities

Because there is a specific documentation requirement for patient safety activities in the Patient Safety Rule, this subsection addresses the overall considerations a PSO should take into account in developing and evaluating its written documentation. Clarifications regarding the other eligibility and listing requirements (PSO criteria, component organization requirements, and other regulatory requirements) are addressed in Table 1.

Section 3.102(b)(1) of the Patient Safety Rule requires an entity, at the time it seeks listing as a PSO, to have policies and procedures already in place that address how the entity will perform all eight defined patient safety activities. A PSO that seeks continued listing for an additional 3-year period must attest that it has performed, and will continue to perform, all eight patient safety activities. While the attestation regarding policies and procedures is made at first listing, a PSO is expected to continue to meet this requirement throughout its period(s) of listing.

In developing its policies and procedures, a PSO should ensure that its written documentation reflects the scope of its mission, the activities and services it offers health care providers, and its mode of operation for carrying out patient safety activities. The scope of a PSO's mission may be narrow (e.g., medication safety in nursing homes) or broad (e.g., safety issues throughout acute-care hospitals). In addressing specific patient safety activities, such as the use of qualified personnel or dissemination of information to improve patient safety, the written documentation should reflect the breadth (or targeted nature) of the PSO's mission.

For example, consider a PSO with a mission to improve medication safety. Its documentation regarding the utilization of qualified personnel (go to Table 1, Row #7) should reflect its mission (i.e., focus on the recruitment of personnel with expertise in medication safety and the analysis of medication errors). Similarly, the documentation for how the PSO in this example develops and disseminates information to improve patient safety (go to Table 1, Row #3) would need to address its efforts to develop and disseminate information to improve medication safety. A PSO's documentation can address all of these patient safety activities as broadly as it chooses, but in conducting a self-assessment, a PSO should determine that its documentation fully reflects its mission, activities, and mode of operation.

In addition to the requirement that, when seeking initial listing, the entity must already have policies and procedures in place, every PSO must perform each patient safety activity at some point during each 3-year period of listing. The Patient Safety Rule recognizes that several of these activities can only be performed when a PSO is receiving patient safety work product from a health care provider [i.e., the requirements related to the analysis, use, and feedback related to patient safety work product (go to Table 1, Rows #2, #4, and #8)]. If a PSO has not received and is not receiving patient safety work product at the time of a compliance review, or the contracts in place at that time do not require the PSO to perform all three of these patient safety work product-dependent patient safety activities, a PSO may not be able to demonstrate that it is performing each of these patient safety activities.

To address this situation, the Patient Safety Rule preamble text accompanying section 3.102(b) draws a distinction between those patient safety activities that are and are not dependent upon the receipt of patient safety work product. With respect to the three patient safety activities listed above that are dependent upon receipt of patient safety work product, a PSO can expect that a compliance review will normally involve a review of its written documentation for these three activities since the PSO attested it had these policies and procedures in place when it sought listing. However, AHRQ may consider the terms of any contracts or agreements that a PSO has or had with providers to determine if it is reasonable to expect demonstration of performance of these three activities at the time a compliance review takes place. A PSO will be expected to demonstrate performance of the other (non-patient-safety-work-product dependent) patient safety activities throughout its period of listing. The preamble notes that there is one exception to this approach of setting different performance expectations based upon whether a patient safety activity is dependent upon receipt of patient safety work product. When a PSO is a component of a provider organization (e.g., a large hospital system creates a component PSO) and this PSO's primary client is its parent organization, the PSO will be expected to perform all patient safety activities during its entire period of listing (go to page 70753 of the November 21, 2008 FR). Entities that are components of provider organizations should note this expectation before seeking listing.

The Patient Safety Rule places the responsibility on each PSO for the development/maintenance of policies and procedures for conducting patient safety activities. If a PSO, after attesting that it has policies and procedures in place, subsequently chooses to contract with another organization for assistance in carrying out one or more of its required patient safety activities, the PSO remains responsible for having in place the required policies and procedures that it attested to at the time it sought listing. In such cases, the PSO should ensure that the contractor's policies and procedures conform to the requirements of the Patient Safety Rule. In establishing such arrangements, a PSO may also want to clarify the locus of decisionmaking (i.e., the PSO or the contractor) when judgments need to be made regarding the performance of the patient safety activity for which the contractor is providing assistance and the level of direction and oversight that the PSO will provide.


Table 2. Self-Assessment Sample Questions: Requirements of Section 3.106 for Security of Patient Safety Work Product

Table 2 addresses the specific requirements in section 3.106 of the Patient Safety Rule for the security of patient safety work product. A PSO should carefully review these specific requirements in determining its compliance with the general patient safety activity requirements for the confidentiality and security of patient safety work product, which are restated in Rows #5 and #6 of Table 1.

Section 3.106 requires each PSO to develop specific security standards that are appropriate and scalable for the size and complexity of its organization for each element of a four-part framework outlined in subsection (b). Consequently, not all questions in this Guide may be appropriate for all PSOs. While the rule gives a PSO considerable latitude in developing the specific standards it will apply to each element of the framework, a PSO must address every element of the four-part framework. A PSO should note that it must establish security standards that apply to any contractor(s) or vendor(s) to which the PSO entrusts patient safety work product and at all locations at which patient safety work product is held (go to subsection (a)).

PSOs should recognize that the security of patient safety work product is not merely an issue of compliance with the Patient Safety Rule. As discussed above (go to “The Scope of This Guide”), PSOs may also be subject to the requirements of the HIPAA Privacy and Security Rules. Therefore, in addition to addressing the requirements of section 3.106, an entity should consult the HIPAA references provided in that section of this Guide to determine whether the HIPAA rules also apply. If so, the entity may be able to reduce the compliance burden by addressing the HIPAA Privacy and Security Rules and the Patient Safety Rule requirements at the same time.

While each PSO is encouraged to undertake an initial risk assessment, the PSO is required to undertake periodic risk assessments subsequently (Table 2, Row #9). An initial risk assessment is likely to serve as a foundation for the PSO's approach to security by enabling a PSO to target its resources to the greatest security threats posed by its mode of operation. It should also provide a baseline for the PSO to assess the effectiveness over time of the policies and standards it adopts.

Finally, before entering contracts for assistance in carrying out patient safety activities, a PSO should be able to demonstrate that it has taken reasonable steps to ensure the protection of patient safety work product that it has entrusted to its contractors. The PSO may want to consider issues such as:


Table 3. Required Notifications and Submissions

Table 3 provides a compilation of the submission and notification requirements that PSOs, and entities seeking listing as a PSO, must meet. For each requirement, the table notes whether the use of a specific form is required, whether the Patient Safety Rule sets a deadline for compliance, and—if so—whether it specifies the deadline. The requirements include those related to seeking initial or continued listing as a PSO, required notifications during a PSO's period of listing, and requirements that apply to a PSO that is subject to the processes for correction of one or more deficiencies or revocation

Because AHRQ is required by the Patient Safety Act and the Patient Safety Rule to maintain an accurate listing of currently listed PSOs, it is essential that a PSO meet the requirement of the rule (and its attestations) to promptly notify AHRQ of any changes in the accuracy of its contact information, including the names and contact information for the individuals it has designated as its authorized official and point-of-contact.

Each PSO should consult with AHRQ before using another name (“doing business as”) in advertising its services to health care providers and before entering into arrangements with other entities that would have the effect of sharing or conveying partial or complete ownership, management, or control of the PSO. Similarly, a PSO must be vigilant in ensuring that it does not undertake activities that the Patient Safety Rule does not permit PSOs to perform (go to section 3.102(a)(2)). PSOs need to be aware that such actions could create confusion and concern among health care providers and, in some circumstances, would call into question the validity of the PSO's certifications for listing.

During each PSO's period of listing, a PSO is required to notify AHRQ during every 24-month period following its date of initial listing that it has two bona fide Patient Safety Act contracts with different providers for the receipt and review of patient safety work product. PSOs should note that the reference to different providers refers to the provider with which the PSO enters the two contracts. Therefore, entering one contract with the parent organization of a health system to work with its hospitals and another contract with the same parent organization to work with its nursing homes would not meet the requirement since the contracts were entered with the same provider (the parent organization). However, if the PSO entered contracts directly with different providers that have the ability to enter contracts with the PSO on their own behalf, the test would be met.

Finally, all PSOs must submit a disclosure statement if two conditions are met: (1) the PSO enters a Patient Safety Act contract with a health care provider; and (2) the PSO has other relationships specified in section 3.102(d)(2) of the rule with that provider or if any of the specified relationships are established during the period that the contract is in effect with a provider. AHRQ has included information on its PSO Web site (www.pso.ahrq.gov) that summarizes the requirements of the Patient Safety Rule on how the PSO should structure its disclosure statement.


Table 4. Reference Table: Patient Safety Rule Requirements For Which Attestations Are Required

Table 4 provides a side-by-side comparison of the attestations required at initial and continued listing of a PSO, and the corresponding requirements in section 3.102 of the Patient Safety Rule. The requirements listed in Table 4 parallel those in Table 1. Although one of the requirements in Table 1 (Row #19) is not addressed by either the initial or continued certification forms, it is included here for convenience. The accompanying text notes that there is no comparable attestation on either form.
