Skip to Content

Patient Safety and Quality Improvement Act (PSQIA)
Confidentiality, Privilege, and Protections Against Disclosure

 

a.)  CONFIDENTIALITY, PRIVILEGE AND PROTECTIONS AGAINST DISCLOSURE

 

PSWP is privileged information, which means it is unavailable for disclosure in the following circumstances, subject to limited exceptions:

  • A judicial or administrative court subpoena or order;57
  • Discovery in connection with a judicial or administrative proceeding against a provider;58
  • Disclosure under the Freedom of Information Act59 or any similar Federal, State or local law;60 and/or
  • Admission as evidence in any civil, criminal or administrative proceeding,61 including a professional disciplinary proceeding.62

PSWP is also considered confidential and may not be disclosed, subject to limited exceptions.

In addition to the privilege and confidentiality requirements surrounding PSWP, a PSO cannot be compelled to disclose information it collects or develops, even if the information is not PSWP, unless such information is identified, is not PSWP, and is not reasonably available from another source.63  PSOs may, of course, be subject to any of the disclosure exceptions applicable to PSWP, as described above.64 Accrediting bodies may not take accrediting actions against providers who participate in the good faith collection, development, reporting, or maintenance of patient safety work product, and may not require providers to reveal their communications with any PSO.65  Employers may not take an adverse employment action66 against an individual based on the following:

  • The individual in good faith reported information to the provider with the intent of having the information reported to a PSO;67 or
  • The individual in good faith reported information directly to a PSO.68

Every PSO must comply with standard security requirements at all times and in any location in which the PSO, its workforce members, or its contractors receive, access, or handle PSWP.69  This requires maintaining policies and procedures that address a number of considerations, including all of the following:

  • Properly training workforce and contractors on security protocols and confidentiality measures;70
  • Distinguishing PSWP from non-PSWP;71
  • Protecting the media that contains PSWP;72
  • Employment of physical and environmental protections to control and limit physical and virtual access to places and equipment where PSWP is received, access, or handled;73
  • Proper identification of those authorized to receive, access or handle PSWP;74
  • Utilization of an audit to detect inappropriate receipt, access, or handling of PSWP;75
  • Implementation of methods to prevent unauthorized receipt, access or handling of PSWP;76 and
  • Conducting periodic security assessments to ensure that its security protocols are effective, to correct any identified deficiencies, and to reduce or eliminate any vulnerability.77

If an entity’s certification as a PSO is revoked, it must notify each provider whose PSWP was collected or analyzed of such revocation within fifteen days.78  For the first thirty days after removal from the accredited PSO list, any data submitted to the entity will remain protected under the relevant privilege and confidentiality requirements.79  If the privilege and confidentiality requirements applied to data while the entity was listed (or to data received within thirty days after its removal), those protections continue to apply after the entity is removed from the listing.80 A de-accredited entity must comply with the following requirements with respect to any data it receives within thirty days of its removal from the listing:

  • The former PSO will transfer such work product or data to another PSO;81
  • The former PSO will return such work product or data to whatever entity originally submitted it;82 or

If returning the product or data to the original submitting entity is not practicable, the former PSO will destroy such work product or data.83

 

Footnotes

  • 57. PSQIA, 42 U.S.C. § 299b-22(a)(1).
  • 58. PSQIA, 42 U.S.C. § 299b-22(a)(2).
  • 59. Please see FOIA section, or go to 5 U.S.C. 552 to access the Act.
  • 60. PSQIA, 42 U.S.C. § 299b-22(a)(3).
  • 61. PSQIA, 42 U.S.C. § 299b-22(a)(4).
  • 62. PSQIA, 42 U.S.C. § 299b-22(a)(5).
  • 63. PSQIA, 42 U.S.C. § 299b-22(d)(4)(A)(i).
  • 64. PSQIA, 42 U.S.C. § 299b-22(d)(4)(A)(ii).
  • 65. PSQIA, 42 U.S.C. § 299b-22(d)(4)(B).
  • 66. Includes the loss of employment, failure to promote, failure to provide any other employment-related benefit for which the individual would have been eligible (PSQIA, 42 U.S.C. § 299b-22(e)(2)(A)) or an adverse evaluation or decision made in relation to the accreditation, certification, credentialing, or licensing of the individual (PSQIA, 42 U.S.C. § 299b-22(e)(2)(B)).
  • 67. PSQIA, 42 U.S.C. § 299b-22(e)(1)(A).
  • 68. PSQIA, 42 U.S.C. § 299b-22(e)(1)(B).
  • 69. 42 CFR § 3.106(a).
  • 70. 42 CFR § 3.106(b)(1)(ii).
  • 71. 42 CFR § 3.106(b)(2)(i).
  • 72. 42 CFR § 3.106(b)(2)(ii).
  • 73. 42 CFR § 3.106(b)(2)(iii).
  • 74. 42 CFR § 3.106(b)(3)(i).
  • 75. 42 CFR § 3.106(b)(3)(i).
  • 76. 42 CFR § 3.106(b)(3)(ii).
  • 77. 42 CFR § 3.106(b)(4)(i).
  • 78. PSQIA, 42 U.S.C. § 299b-24(e)(2).
  • 79. PSQIA, 42 U.S.C. § 299b-24(f)(1).
  • 80. PSQIA, 42 U.S.C. § 299b-24(f)(2).
  • 81. PSQIA, 42 U.S.C. § 299b-24(g)(1) Note: both the transferring entity and the new PSO must approve the transfer.
  • 82. PSQIA, 42 U.S.C. § 299b-24(g)(2).
  • 83. PSQIA, 42 U.S.C. § 299b-24(g)(3).