Skip to Main Content

February 14, 2020

Beyond Quality and Safety: How Patient Safety Organizations Impact Business and Financial Outcomes

This Briefing is brought to you by AHLA’s Enterprise Risk Management Task Force.
  • February 14, 2020
  • Janice Suchyta , Seyfarth Shaw LLP

The past decade has seen the transformation of health care delivery in the United States not experienced since the creation of Medicare and Medicaid. The Affordable Care Act of 2010 (ACA) implemented broad initiatives that changed how health care is reimbursed and delivered. Patient Centered Medical Homes and Accountable Care Organizations are new health care models that emphasize care coordination, quality, and efficiency. For the past decade, the ACA has also ushered in payment reform with the transition from fee-for-service to value-based payments. Both private and government payers use value-based payments to promote the best care at the lowest cost by shifting from volume to value.

Health care organizations are adapting to payment reforms by looking for ways to improve patient outcomes and safety. Many health systems are participating with or sponsoring their own Patient Safety Organizations (PSO) to improve quality-based metrics that incentivize value-based care and enhance reimbursements. This is especially true for Clinically Integrated Networks that must adapt to the new shared financial risk models, as well as value-based reimbursement models.

History and Background

The Patient Safety Quality Improvement Act of 2005 (PSQIA)1 and its implementing regulations, the Patient Safety Rule,2 offer federal legal protection for data sharing between a PSO and medical providers. The legislative history and intent of the PSQIA encourages the collection of patient safety information to detect patterns and themes that explain the underlying reasons for medical errors. The legislators' goal was the creation of a large volume of data that can be analyzed to improve patient safety and health care quality.

Historically, the medical community has been reluctant to report patient safety events because of disciplinary proceedings and legal exposure. By establishing a nationwide federal privilege, the PSQIA encourages medical providers, both individual and institutional, to share patient safety information with a PSO in a protected and efficient manner.

The key elements of the PSQIA include:

  • Defining a PSO as an organization that collects, aggregates, and analyzes confidential information reported by health care providers
  • Creating a process for a PSO to be federally certified
  • Defining Patient Safety Work Product (PSWP) and how patient safety event information is collected, developed, analyzed, and maintained through the Patient Safety Evaluation System (PSES)
  • Defining the federal legal privilege and confidentiality protections
  • Establishing a Network of Patient Safety Databases (NPSD) that is an interactive evidence-based management resource for providers

Why did Congress see the need for federal legislation involving patient safety? The PSQIA was created as a federal overlay to state peer review statutes because of the many challenges present in state laws. These challenges include the limited scope of most state statutes and the fact that many states lack any peer review laws. Additionally, state peer review is often focused on hospital peer review and offers no protection when information is shared outside the organization.

The PSQIA offers a limited federal preemption of a state peer review privilege regarding PSWP. However, if the PSWP is created or reported for any other reason than solely for the purpose of reporting to a PSO, then the federal privilege does not apply, and the data must be reported. Examples of when PSWP is collected for another reason include:

  • State incident reporting requirements
  • Reporting agency requirements
  • Reporting disciplinary actions to the NPSD

Defining a PSO and Operational Reporting

As defined in the PSQIA, a PSO is a public or private organization with the expertise and structure to analyze patient care risks and provide data and/or analysis to improve health care quality.3 When providers report patient safety data and information to a PSO, that is identified as PSWP, the privilege and confidentiality protections of the Act are applied.

The privilege protections in the Act specify that PSWP shall not be:

  • subject to a federal, state, or local civil, criminal, or administrative subpoena or order, including in a federal, state, or local civil or administrative disciplinary proceeding;
  • subject to discovery in connection with a federal, state, or local civil, criminal, or administrative proceeding, including in a federal, state, or local civil or administrative disciplinary proceeding against a provider;
  • subject to disclosure pursuant to a request submitted under the Freedom of Information Act, or any other similar federal, state, or local law;
  • admitted as evidence in any federal, state, or local governmental civil proceeding, criminal proceeding, administrative rulemaking proceeding, or administrative adjudicatory proceeding, including any such proceeding against a provider; or
  • admitted in a professional disciplinary proceeding of a professional disciplinary body established or specifically authorized under state law.4

All data reported to a PSO is organized via the "Common Formats" structure. The data is then reported to the NPSD which aggregates and analyzes the data.

To preserve the privilege and confidentiality of its patient safety activities, a provider must develop and implement a PSES through formal documentation. The Act defines PSES as the collection, management, or analysis of information for reporting to or by a PSO. The information collected and analyzed within the PSES is defined as the PSWP.5 PSWP may include written or oral reports; oral or written statements; data, records, and memoranda.

Just as important, PSWP does NOT include any information collected, maintained, or developed separately, or that exists separately, from the PSES.6 Typically, this includes data collected for any reason besides patient safety, for example, patient discharge information, billing records, medical records, or any other original records.

PSWP may be admissible in a criminal proceeding, but only after a court, based on in camera review, determines that the PSWP (1) contains evidence of a criminal act, and (2) it is material to the proceeding, and (3) it is not reasonably available from any other source.7

  • PSWP may be disclosed subject to a protective order issued by the court or administrative tribunal in connection with an equitable proceeding under the provisions of the PSQIA that prohibit retaliation (such as adverse employment action) against an individual for reporting patient safety information directly to a PSO, or to the provider with the intention that the information be reported to the PSO.8
  • PSWP may be disclosed if authorized by each provider (and each parent organization) that is identified in the PSWP. Such authorization must be in writing and signed by the provider whose identity is being disclosed, must contain sufficient detail to fairly inform the provider of the nature and scope of the disclosure, and must be retained by the disclosing entity for a period of six years.9

When collecting patient safety information, the PSQIA requires the health care organization to analyze the data within the confines of the PSES through accepted activities, which include the following:

  • Medical error investigations
  • Root cause analysis
  • Risk management activities
  • Outcome/quality data
  • Peer review activities
  • Committee minutes (safety, quality, or peer review)

Sponsoring or Contracting with a PSO

Component PSO

The PSQIA allows health care providers and organizations to either sponsor or contract with a PSO. Typically, a larger health system may form a component PSO to gather and analyze patient safety events occurring at all its facilities (i.e., hospitals, home health, hospice, etc.). The first step in sponsoring a PSO is for the parent organization to create a subsidiary whose primary activity is to improve patient safety and quality care. This is commonly referred to as a "component PSO," which is typically a separate legal entity to insulate liabilities. The PSQIA allows for PSWP to be shared among affiliated providers within a health system.

As part of a component PSO, a "provider" is defined in relevant part as: (1) an individual or entity licensed or otherwise authorized under state law to provide health care services, or (2) a parent organization of one or more such licensed individuals or entities.10 "Parent organization" is broadly defined as an organization that owns a controlling interest or majority interest in a component organization, has the authority to control or manage the agenda setting, project management, or day-to-day operations, or the authority to review and override decisions of a component organization (which may be a provider).11 "Affiliated provider" is defined in the regulations as "a legally separate provider that is the parent organization of the provider, is under common ownership, management, or control with the provider, or is owned, or controlled by the provider."12

The PSQIA requires that all employees involved with PSO activities have specialized skills relating to patient safety analysis. These employees can be directly employed by the entity or be individual contractors. If using individual contractors, the PSO must maintain direct control over the contractor's patient safety activities. Any PSWP disclosed to an individual contractor must be Health Insurance Portability and Accountability Act compliant by using a Business Associate Agreement and requiring no disclosures to third parties. Component PSOs can use employees who are already employed by the parent organization, as long as they possess the requisite expertise in patient safety.

Another important feature of a component PSO is the requirement that the PSWP be maintained separately from the rest of the health system to prevent unauthorized disclosures. This can be accomplished by creating the appropriate governance structure for creating and reporting PSWP apart from the main health system. Once the governance structure and operations are in place, the component PSO must be federally certified by the Agency for Healthcare Research and Quality (AHRQ).

Individual PSO

Smaller organizations, and even some larger health systems, decide to contract with an individual PSO rather than sponsor their own component PSO. An individual PSO is an unaffiliated organization that can serve multiple entities and providers on a contractual basis. A typical Participation Agreement between the PSO and the provider will delineate the services provided. However, the most important element is defining the flow of information between the PSO and the provider. The PSES is the operational design and workflow to identify how patient safety information is managed. Prior to contracting with a PSO, an organization should identify the processes and activities of the PSES. In other words, the emphasis is on identifying the information that will be collected, maintained, or developed by the organization and entered into the PSES for submissions to the PSO. When developing the required policies and procedures for the PSES, it is just as important to identify what is not PSWP, as well as what is PSWP.

Most organizations use a centralized model for developing their PSES. This is accomplished by identifying the organization's current reporting processes and information flow. For example, a review of current data systems used for quality improvement, patient safety activities, and error tracking should be completed. The next issue is identifying how this data is shared and documented within the organization, usually within the current committee structure. A new workflow with a PSO will create a centralized model PSES, rather than individual committees.

Within a centralized model, a PSES work group is usually formed with employees from already established care committees that routinely perform patient safety and quality improvement analysis work. Typical care committees include the patient safety committee, quality improvement committee, etc.

An important task for the PSES work group is creating the appropriate policies and procedures to identify what data is submitted to the PSO. To maintain confidentiality and privilege under the PSQIA, only information collected and analyzed within the PSES can be reported to a PSO. Examples of reportable information includes any safety event or near miss and even specific event types, such as medical or medications. Any analysis conducted within the PSES is protected and privileged, but it cannot be shared outside of PSO reporting structure. Any PSWP not reported to the PSO is not privileged or confidential.

Whether an organization sponsors a component PSO or contracts with one, the PSQIA requires the same governance structure. Creating the right structure ensures compliance with the PSQIA and preserving confidentiality and privilege. Identifying all employees involved in patient safety and quality improvement activities is a key component for compliance. The PSQIA requires that any patient safety events must be reported to employees, identified by appropriate job title, as necessary to meet expectations for quality and safety activities. To preserve the PSQIA's legal confidentiality and privilege protections, identified employees participating in patient safety activities should execute a confidentiality agreement specific to the PSWP.

Reimbursement Trends

Since the enactment of the ACA, both government and private payers incentivize reimbursement by linking payments to improved quality of care and patient outcomes. Since 2013, the Value-Based Purchasing Program for hospitals has tied Medicare payments to a defined set of quality measures. In Fiscal Year 2019, two of the quality measures included clinical care and patient safety. In adapting to the new reimbursement models, hospitals and other health care organizations are using data analysis for patient safety and quality improvement. Under financial pressure to deliver higher quality care, hospitals are using the analytical data from PSOs to assist in the adaptation of the new reimbursement models and shared financial risk trends.

Patient safety was first recognized as a major financial challenge for hospitals before the ACA.13 The U.S. health system was analyzed in the report issued by the Institute of Medicine (IOM): To Err is Human: Building a Better Health System.14 The IOM report was the catalyst for the ACA, which led to the new reimbursement models emphasizing improved patient safety and outcomes.

In addition to government payers, employers are also seeking ways to reduce costs and improve quality care. Larger employers, such as Boeing, developed programs with health care organizations to increase efficiency and ensure patients receive the right care.15 The Boeing program incentivized employees to obtain care from providers who had evidence of better patient outcomes.16 These networks utilize providers who deliver lower cost, quality health care.17

Since the implementation of the ACA, insurers are also creating payment models that shift the financial risk to providers. Blue Cross/Blue Shield of Massachusetts developed the Alternative Quality Contract (AQC) to reduce costs and improve outcomes and quality.18 The AQC includes 64 measurements for quality improvement to score and reward quality care.19 The AQC was successful in reducing costs and improving care. A key component of this success was the transparent sharing of data and best practices among providers.20

A challenge for health care organizations is the costs and infrastructure needed to develop the data for value-based reimbursement models. PSOs can be a key tool in obtaining data that can improve performance measures and enhance reimbursement. Some health organizations seek out PSOs that concentrate on specialty care data and/or quality data that is not commonly measured. These are areas that provide quality data that is key to patient outcomes and cost containment.

Patient safety is not only a policy issue, but also an economic one. Health care organizations face the high financial costs of patient harm on an annual basis. Based upon recent studies, evidence suggests that 15% of hospital expenditure and activity can be attributed to treating safety failures.21

The AHRQ annually measures the rates of health care acquired conditions (HACs). According to AHRQ statistics, between 2011–2015 there was a 21% decline in HACs, which resulted in a cumulative savings of $28 billion.22 Per the AHRQ, this is approximately 1.2–1.3% of the total Medicare budget.23

Other studies have also demonstrated the business and financial case for improving patient safety. The Journal of Patient Safety highlighted a program by the Adventist Health Systems that saved the organization $108 million in total cost by identifying and reducing patient harm from 2009–2012.24


With the establishment of value-based reimbursement policies, health care organizations are seeking ways to adapt to new financial models. The knowledge that medical errors cause not only patient harm, but financial harm, is not new. The ACA was built on the idea to improve population health through improving patient safety. The growing participation by health care organizations with an existing PSO or sponsoring a component PSO is fueled by health care policy. Organizations of varying size are looking for ways to be proactive in managing costs associated with patient care across all departments. PSO data analysis from a large pool of providers allows shared learning in a confidential and privileged setting. The advantage of "big data" from a variety of providers is finding issues before they may occur or become embedded within the operational system. This accelerates not only patient safety, but cost savings as well.

1 42 U.S.C. § 299b-21–299b-26.
2 42 C.F.R. § 310, et seq.
3 73 Fed. Reg. 70732.
4 42 U.S.C. § 299b-22(a).
7 42 U.S.C. § 299b-22(c)(1)(A).
8 42 U.S.C. § 299b-22(e), (f)(4)(A).
9 42 U.S.C. § 299b-22(c)(1)(C).
10 42 C.F.R. § 320 (Definitions—Provider).
11 42 C.F.R. § 320 (Definitions—Parent Organization).
12 42 C.F.R. § 320 (Definitions—Affiliated Provider).
13 Adler L et al., Impact of Inpatient Harms on Hospital Finances and Patient Clinical Outcomes, 14(2) J. Patient Safety 67-73 (June 2018).
14 Inst. of Med., To Err is Human: Building A Safer Health System, Institute of Medicine (Nov. 1999).
15 Mark B. McClellan, et al., Payment Reform for Better Value and Medical Innovation: Perspectives, Nat'l Academy of Med. (Mar. 17, 2017).
16 Id.
17 Id.
18 Id.
19 Id.
20 Id.
21 Luke Slawomirski et al., The Economics of Patient Safety, OECD (Mar. 2017).
22 AHRQ, National Scorecard on Rates of Hospital-Acquired Conditions 2010 to 2015: Interim Data From National Efforts To Make Health Care Safer, Exhibit 6,
23 AHRQ, 2016.
24 J. Patient Safety (Mar. 2015).