Patient Safety and Quality Improvement Act (PSQIA)
The Patient Safety & Quality Improvement Act of 2005 (PSQIA) is a federal ruling protecting both personal health information along with health care organizations and clinicians for the purpose of reviewing healthcare safety events. The regulation implementing the PSQIA published on November 21, 2008 became effective on January 19, 2009.  The act allows for the creation of Patient Safety Organizations permitting these organizations to use privileged and confidential personally identifiable health information for functions of safety and quality improvement.
It is the Department of Health and Human Services (HHS) with the same level of force as Federal Law has the responsibility to implement the PSQIA. Effective on January 19, 2009, the HHS issued the PSQI Final Rule referred to as the Patient Safety Rule. The Patient Safety Rule outlines the criteria for certification as a PSO, the business rules and the framework for the reporting of information to PSOs. 
As the use of electronic devices grew, especially with regards to personal health information, the government realized that these advances in electronic technology could erode the privacy of personal health information (PHI). The Health Insurance Portability and Accountability Act of 1996 (HIPAA)  of April 14, 2003 known as the Privacy Act, addressed three types of covered entities: health plans, health care clearinghouses and health care providers. The greatest threat to PHI is the electronic transactions for business purposes between providers and insurance companies. The HIPAA provisions for protected information did not cover the unique circumstances of reviewing healthcare records for risk management and quality improvement related to injured patients or near misses from drugs, procedures, equipment, staffing, or other health services.
The Institute of Medicine (IOM) in its report To Err is Human,  stated that health care in the United States is unsafe motivating the government to seek ways to investigate errors and design safer systems. The Patient Safety & Quality Improvement Act of 2005 (PSQIA) was one solution for obtaining details of errors, near misses, and adverse events for analysis. "One of the key aspects of the PSQIA is that it implements the Institute of Medicine's recommendation to "break down legal and cultural barriers that impede safety improvement."  To make it safe for providers and organizations to provide full discloser without fear of legal repercussions, this Federal Act, protects not only the personal health information but the reporting organizations and staff involved in these cases. The Patient Safety Act and Patient Safety Rule provide two types of protections, confidentiality and privilege.  Confidentiality protections are critical to voluntary reporting. Breaches of these confidentiality provisions may result in civil money penalties (CMP). Privileged protections enforced by the judicial system limit or prohibit the use of protected information in criminal, civil, administrative, or other proceedings. 
SUMMARY OF PSQIA FINAL RULING
SEC. 922. <<NOTE: 42 USC 299b-22.>> PRIVILEGE AND CONFIDENTIALITY PROTECTIONS."
The Privilege provision states, "patient safety work product shall be privileged" and shall not be subject to a subpoena, order, discovery or admitted as evidence within a Federal, State, or local civil, criminal, or administrative proceeding, including disciplinary hearings against a provider. It is not to be disclosed under the Freedom of Information Act. 
The Confidentiality provision states, "patient safety work product shall be confidential and shall not be disclosed unless the disclosure is:" to carry out patient safety activities; to use non-identifiable PSWP to conduct research extent allowed under the HIPAA; to report to the Food and Drug Administration a product or activity; to an accrediting body by the provider who is a member; to the Secretary for determination as necessary for business operations and are consistent with the goals of this rule; to law enforcement authorities relating to the belief there was a commission of a crime; to others only if PSWP that does not include materials that (i) assess the quality of care of an identifiable provider; or (ii) describe or pertain to one or more actions or failures to act by an identifiable provider.  
Exceptions from privilege and confidentiality
- Patient safety work product contains evidence of a criminal act and is material to the proceeding and not reasonably available from any other source.
- Authorized by each provider identified in such work product.
- Voluntary disclosure of non-identifiable patient safety work product.
- Exceptions include if patient safety work product is disclosed in a criminal proceeding, the confidentiality protections provided for shall no longer apply.
Continued Protection of Information After Disclosure.--
- Any disclosure under Confidentiality is not to be treated as a waiver and a person in possession of PSWP must continue to uphold the privileged and confidential status.
- Non-identifiable patient safety work product is no longer held as privileged and confidential.
- Patient safety organizations (PSO) shall not be compelled to disclose information collected or developed, unless such information is not patient safety work product and is not reasonably available from another source. (4) An accrediting body may not require a provider to reveal its communications with any patient safety organization established in accordance with this part. 
Reporter Protection.— a provider may not take an adverse employment action against an individual based upon the fact that the individual in good faith reported information. (loss of employment, failure to promote, provide benefits for which the individual would be eligible, credentialing or licensing of the individual)
Enforcement.– (1)Civil monetary penalty, of not more than $10,000 for each act constituting such violation, can be imposed upon a person who discloses identifiable patient safety work product in knowing or reckless violation. Penalties can be imposed for violations of the PSQIA or HIPAA but not both.  (2) Equitable relief-- A civil action may be brought by any aggrieved individual when the privileged and confidential status of PSWP was violated and to obtain other appropriate, equitable relief (including reinstatement, back pay, and restoration of benefits) to redress such violation.
Clarification of application of HIPAA confidentiality regulations--patient safety organizations shall be treated as business associates, and patient safety activities are deemed to be health care of the provider.
The PSQIA authorized the creation of Patient Safety Organizations (PSO), as independent review organizations, to research events by analyzing for who, what, when, where, how and why around the error.  The focus is on how to prevent such errors from happening again by system changes rather than placing blame on an individual. Types of reports evaluated include Incidents—patient safety events that reached the patient, whether or not there was harm; near misses or close calls—patient safety events that did not reach the patient; and unsafe conditions—circumstances that increase the probability of a patient safety event. 
The Agency for Healthcare Research and Quality (AHRQ), within the Department of Health and Human Services (HHS), administers the provisions of the Patient Safety Act and the Patient Safety Rule.  AHRQ is responsible for certifying and listing entities as PSOs based on their meeting certain criteria, with continued listing contingent upon their continuing to meet such criteria.  The PSOs are listed on the www.pso.ahrq.gov Website with the designation as to whether they are currently listed (81) or delisted (23) along with any reasons for delisting "Failure to correct deficiencies" or "Voluntary Relinquishment." 
Business models for PSOs can be divided into three types; the PSO as part of a large corporation such as a multihospital/clinic enterprise, joined with a consulting company or as part of a professional organization.  The PSOs, independently owned safety review organizations, assist hospitals and other healthcare providers with quality improvement activities. When a PSO receives incident reports from institutions, "Patient Safety Work Product" (PSWP), it reviews them, categorizes them, and then analyzes the cause and effects. Proposed solutions to amend systems are offered. The adapting of improved processes by an institution will prevent further errors of the nature investigated. 
Health care organizations and providers fear the release of potentially incriminating information. This hinders candid discussions, which are necessary, to create safer health care settings. Under PSO, the patient safety work product is not subject to subpoena, discovery or admission into evidence in any legal court.  The Patient Safety Organization Privacy Protection Center (PPC)  has published "Common Formats," which refers to, Standardized data entry elements with definitions limiting variability of information within safety reports submitted to PSOs . the standard definitions and reporting formats specified by AHRQ.
Common Formats: Healthcare Organizations belonging to a PSO can submit reports of patient safety events online though secure web-portals or by using standardized paper forms. Additional details about the conceptual framework for the content and structure of the Common Formats can be found at http://www.pso.ahrq.gov/formats/eventdesc.htm.  AHRQ's Common Formats:  •Event descriptions (descriptions of patient safety events and unsafe conditions to be reported), •Specifications for patient safety aggregate reports and individual event summaries, •Delineation of data elements to be collected for different types of events, •User guide a quick reference guide, •Technical specifications for electronic data collection and reporting. 
The Privacy Protection Center (PPC)  also publishes formats for software developers in order for safety event information to be securely transmitted electronically. One destination of this information is into the Network of Patient Safety Databases (NPSD). The responsibility of the organization is to de-identify personally identifiable information then include it in databases for reviewing extended safety and quality improvement activities. Examples of categories of safety events: Blood or Blood Product, Device or Medical/Surgical Supply, Fall, Healthcare-associated Infection, HERF / PIF / SIR, Medication or Other Substance, Perinatal, Pressure Ulcer, Surgery or Anesthesia. 
There are eight patient safety activities carried out by, or on behalf of a PSO, or a health care provider: 
- Efforts to improve patient safety and the quality of health care delivery.
- The collection and analysis of patient safety work product.
- The development and dissemination of information with respect to improving patient safety, such as recommendations, protocols, or information regarding best practices.
- The utilization of patient safety work product for the purposes of encouraging a culture of safety and of providing feedback and assistance effectively minimizing patient risk.
- The maintenance of procedures to preserve confidentiality with respect to patient safety work product.
- The provision of appropriate security measures with respect to patient safety work product.
- The utilization of qualified staff.
- Activities related to the operation of a patient safety evaluation system and to the provision of feedback to participants in a patient safety evaluation system. 
In order to obtain patient-identified data for quality improvement activities within a PSO, there is no requirement for approval by an Institutional Review Board. 
Security of the information needs to be at the highest level available according to the latest HIPAA security rules.  Any breeches need to be reported with activation of risk management plans.
- AHRQ: Agency for Healthcare Research & Quality
- HIPAA: Health Insurance Portability and Accountability Act of 1996 
- IOM: Institute of Medicine
- NPSD: Network of Patient Safety Databases
- OCR: Office of Civil Rights
- PHI: Personal Health Information
- PSA: Patient safety activities.
- PSQIA: The Patient Safety & Quality Improvement Act of 2005 passed by the United States Congress in July 2005.
- PSO: Patient Safety Organization
- PSWP: Patient Safety Work Product. Patient safety work product is safety data collected and created during the reporting and analysis of patient safety events.
- PSOPPC: The Patient Safety Organization Privacy Protection Center (PPC) created by The Agency for Healthcare Research and Quality (AHRQ) to support the implementation of the Patient Safety and Quality Improvement Act PL-109-41(Patient Safety Act). 
- Department of Health and Human Services (HHS). Patient safety and quality improvement; final rule. 42 CFR Part 3. http://edocket.access.gpo.gov/2008/pdf/E8-27475.pdf
- Department of Health and Human Services (HHS). Patient safety and quality improvement; final rule. 42 CFR Part 3 RIN 0919-AA01(2009). http://www.pso.ahrq.gov/regulations/fnlrule01.htm
- IOM To Err is Human: Building a Safer Health System. http://www.iom.edu/~/media/Files/Report%20Files/1999/To-Err-is-Human/To%20Err%20is%20Human%201999%20%20report%20brief.pdf
- Jaffe R. Becoming a Patient Safety Organization Perspective AHRQ WebM&M: Morbidity & Mortality Rounds on the Web. http://webmm.ahrq.gov/perspective.aspx?perspectiveID=106
- Montoya I. Patient safety and quality improvement: a policy assessment. Clinical Laboratory Science
- Howard J, Levy F, Mareiniss DP, Patch M, Craven CK, McCarthy M, Epstein-Peterson ZD, Wong V, Pronovost P New Legal Protections for Reporting Patient Errors Under the Patient Safety and Quality Improvement Act: A Review of the Medical Literature and Analysis J Patient Saf. http://ovidsp.ovid.com.liboff.ohsu.edu
- Agency for Healthcare Research and Quality. Patient safety organizations. http://www.pso.ahrq.gov/regulations/regulations.htm
- Agency for Healthcare Research and Quality. Patient safety organizations Delisted Patient Safety Organizations. http://www.pso.ahrq.gov/delisted/delistedpsos.htm
- Agency for Healthcare Research and Quality. Patient safety organizations, Common Formats. http://www.pso.ahrq.gov/formats/commonfmt.htm
- Department of Health and Human Services. Health Insurance Reform: Security Standards; Final Rule, 45 CFR Parts 160, 162, and 164. http://aspe.hhs.gov/admnsimp/final/fr03-8334.pdf
- PSO Privacy Protection Center. https://psoppc.org/web/patientsafety