Healthcare Information Security

How the Patient Safety Rule Ties into HIPAA Regulations

By Elizabeth Snell

HIPAA has many essential aspects that covered entities (CEs) and their business associates (BAs) must understand to remain compliant. The Patient Safety and Quality Improvement Act of 2005 (PSQIA) is a separate statute that is also important to understand, because it overlaps with HIPAA in who it covers, what information it protects, and how it is enforced.

HIPAA regulations and the Patient Safety Act both critical for covered entities

The Department of Health & Human Services (HHS) Office for Civil Rights (OCR) not only oversees HIPAA compliance, ensuring that CEs and BAs are properly keeping patient data secure, but it also is in charge of PSQIA. Specifically, OCR is responsible for interpreting and implementing the confidentiality protections and enforcement provisions of PSQIA.

This week, we will discuss the finer points of PSQIA and why it is important for CEs and BAs to understand. It is separate from HIPAA, but it carries its own enforcement penalties and raises technological and administrative issues of its own for patient safety and the security of patient data.

What is PSQIA?

The Patient Safety and Quality Improvement Act of 2005 (PSQIA) was enacted in 2005. Its implementing regulation, the Patient Safety Rule, was published on November 21, 2008, and became effective on January 19, 2009. According to HHS, the Act “establishes a voluntary reporting system to enhance the data available to assess and resolve patient safety and health care quality issues.”

“The confidentiality provisions will improve patient safety outcomes by creating an environment where providers may report and examine patient safety events without fear of increased liability risk. Greater reporting and analysis of patient safety events will yield increased data and better understanding of patient safety events.”

PSQIA creates Patient Safety Organizations (PSOs). PSOs receive reports of patient safety events or concerns from health care providers and return analyses of those events to the reporting providers. Because the reports they receive from covered providers contain protected health information (PHI), PSOs are considered business associates under the HIPAA Privacy Rule, with all the obligations that status carries.

OCR and delegation of authority

As previously mentioned, OCR is responsible for interpreting and implementing the confidentiality protections and enforcement provisions of PSQIA. HHS further explains the importance of patient safety, and how PSQIA is designed for proper patient care:

To encourage the reporting and analysis of medical errors and health care systems, the PSQIA provides Federal privilege and confidentiality protections for "patient safety work product" - including patient, provider and reporter identifying information - that is collected, created or used for patient safety activities and imposes civil money penalties (CMPs) for impermissible disclosures of this information.

However, even though CMPs are a possibility, the statute prohibits dual penalties for the same conduct. If an impermissible disclosure violates both PSQIA and HIPAA, a covered entity or business associate cannot be assessed a civil money penalty under PSQIA in addition to a HIPAA civil money penalty for that same act.

According to HHS, OCR also has the authority to conduct the following:

  • To impose civil monetary penalties pursuant to section 922(f) of the Act.
  • To administer an enforcement program regarding the privilege and confidentiality protections of section 922 of the Act (the Enforcement Program), including but not limited to investigations of compliance, actions to obtain compliance, and determinations to penalize noncompliance.
  • To provide technical assistance and public information in the administration of the Enforcement Program.
  • To make decisions regarding the interpretation of the privilege and confidentiality protections at section 922 of the Act in the administration of the Enforcement Program.
  • To develop, for issuance by the Secretary, regulations regarding such Enforcement Program.

All other authorities are delegated to the Director of the Agency for Healthcare Research and Quality (AHRQ), HHS states.

Differences between PSQIA and HIPAA

It is important to note that HIPAA and PSQIA are meant to work together and do not conflict: PSQIA adds privilege and confidentiality protections for patient safety work product on top of the HIPAA Privacy Rule, rather than replacing it.

“Many health care providers participating in this program will be covered entities under the HIPAA Privacy Rule and will be required to comply with the HIPAA Privacy Rule when they disclose patient safety work product that contains protected health information,” according to the final PSQIA rule. “The Patient Safety Act is clear that it is not intended to interfere with the implementation of any provision of the HIPAA Privacy Rule.”

Along with the prevention of dual penalties, the final PSQIA rule explains that the HIPAA Privacy Rule does not require covered providers to obtain patient authorizations before disclosing patient safety work product containing PHI to a PSO. This is because patient safety activities are treated as health care operations under the Privacy Rule, and disclosures for health care operations are permitted without authorization.

However, it is essential that PSOs adhere to their business associate agreements or contracts. For example, a business associate agreement requires the PSO to report to the provider any use or disclosure of PHI not permitted by the agreement, including breaches of unsecured PHI, and to apply appropriate safeguards to the PHI it holds.

The Secretary will have great flexibility when it comes to addressing Patient Safety Act violations, according to HHS:

The Department believes that modeling this rule’s enforcement provisions on the existing HIPAA Enforcement Rule is prudent and appropriate. As noted above, such an approach grants the Secretary maximum flexibility to address violations of the confidentiality provisions, relies on an existing and established enforcement regime, and minimizes complexity for entities subject to both the Patient Safety Act and HIPAA.

Overall, organizations that operate as PSOs must remain aware that they still fall under HIPAA, since they are business associates of the providers that report to them. Patient safety and patient data security are both essential, and both must be considered in daily operations. A failure to do so could result in an unauthorized disclosure of sensitive information and lead to financial penalties for the organization.

Maintaining a comprehensive understanding of the patient safety rules, and of how they apply to their own facility, will help healthcare organizations keep patients and their data safe.
