GAO-10-281, Patient Safety Act: HHS Is in the Process of Implementing the Act, So Its Effectiveness Cannot Yet Be Evaluated


This is the accessible text file for GAO report number GAO-10-281 
entitled 'Patient Safety Act: HHS Is in the Process of Implementing 
the Act, So Its Effectiveness Cannot Yet Be Evaluated' which was 
released on January 29, 2010. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Committees: 

United States Government Accountability Office: 
GAO: 

January 2010: 

Patient Safety Act: 

HHS Is in the Process of Implementing the Act, So Its Effectiveness 
Cannot Yet Be Evaluated: 

GAO-10-281: 

GAO Highlights: 

Highlights of GAO-10-281, a report to congressional committees. 

Why GAO Did This Study: 

The Institute of Medicine (IOM) estimated in 1999 that preventable 
medical errors cause as many as 98,000 deaths a year among hospital 
patients in the United States. Congress passed the Patient Safety and 
Quality Improvement Act of 2005 (the Patient Safety Act) to encourage 
health care providers to voluntarily report information on medical 
errors and other events—patient safety data—for analysis and to 
facilitate the development of improvements in patient safety using 
these data. The Patient Safety Act directed GAO to report on the law’s 
effectiveness. 

This report describes progress by the Department of Health and Human 
Services, Agency for Healthcare Research and Quality (AHRQ) to 
implement the Patient Safety Act by (1) creating a list of Patient 
Safety Organizations (PSO) so that these entities are authorized under 
the Patient Safety Act to collect patient safety data from health care 
providers to develop improvements in patient safety, and (2) 
implementing the network of patient safety databases (NPSD) to collect 
and aggregate patient safety data. These actions are important to 
complete before the law’s effectiveness can be evaluated. To do its 
work, GAO interviewed AHRQ officials and their contractors. GAO also 
conducted structured interviews with officials from a randomly 
selected sample of PSOs. 

What GAO Found: 

AHRQ has made progress listing 65 PSOs as of July 2009. However, at 
the time of GAO’s review, few of the 17 PSOs randomly selected for 
interviews had entered into contracts to work with providers or had 
begun to receive patient safety data. PSO officials told GAO that some 
PSOs were still establishing aspects of their operations; some were 
waiting for AHRQ to finalize a standardized way for PSOs to collect 
data from providers; and some PSOs were still engaged in educating 
providers about the confidentiality protections offered by the Patient 
Safety Act. 

AHRQ is in the process of developing the NPSD and its associated 
components—(1) the common formats PSOs and providers will be required 
to use when submitting patient safety data to the NPSD and (2) a 
method for making patient safety data non-identifiable, or removing 
all information which could be used to identify a patient, provider, 
or reporter of patient safety information. If each of these components 
is completed on schedule, AHRQ officials expect that the NPSD could 
begin receiving patient safety data from hospitals by February 2011. 
AHRQ officials could not provide a time frame for when they expect the 
NPSD to be able to receive patient safety data from other providers. 
AHRQ also has preliminary plans for how to allow the NPSD to serve as 
an interactive resource for providers and PSOs and for how AHRQ will 
analyze NPSD data to help meet certain reporting requirements 
established by the Patient Safety Act. According to AHRQ officials, 
plans for more detailed analyses that could be useful for identifying 
strategies to reduce medical errors will be developed once the NPSD 
begins to receive data. 

Figure: Intended Flow of Information to and from the NPSD: 

[Refer to PDF for image: illustration] 

Providers (Hospitals, clinics, etc.): Non-identifiable patient safety 
data: to AHRQ: 
Network of patient safety databases; 
Patient safety data: to Patient safety organization (PSO); Analysis of 
patient safety event data. 

Patient safety organization (PSO): 
Feedback and recommendations from PSO to providers; 
Non-identifiable patient safety data: to AHRQ: Network of patient 
safety databases. 

AHRQ: 

Network of patient safety databases: Data analysis: 
National Healthcare Quality Report; 
National Health Disparities Report; 
Other Analyses and Reports. 

Network of patient safety databases: data query process back to 
Patient safety organization (PSO) and Providers (Hospitals, clinics, 
etc.). 

Source: GAO analysis of AHRQ documents. 

[End of figure] 

The Department of Health and Human Services provided technical 
comments on a draft of this report, which we have incorporated as 
appropriate. 

View [hyperlink, http://www.gao.gov/products/GAO-10-281] or key 
components. For more information, contact Linda T. Kohn at (202) 512-
7114 or kohnl@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

AHRQ Has Listed PSOs, but Few PSOs We Interviewed Have Begun Serving 
Providers: 

AHRQ Is in the Process of Implementing the NPSD and Has Developed 
Preliminary Plans for Using NPSD Data: 

Concluding Observations: 

Agency Comments: 

Appendix I: Examples from Established Patient Safety Reporting Systems: 

Appendix II: Selected Statutory Requirements for Listing of Patient 
Safety Organizations: 

Appendix III: GAO Contact and Staff Acknowledgments: 

Figures: 

Figure 1: Intended Flow of Information to and from the NPSD: 

Figure 2: Timeline for Developing the NPSD: 

Abbreviations: 

IOM: Institute of Medicine: 

HHS: Department of Health and Human Services: 

PSO: Patient Safety Organization: 

NPSD: Network of Patient Safety Databases: 

AHRQ: Agency for Healthcare Research and Quality: 

OCR: Office for Civil Rights: 

HIPAA: Health Insurance Portability and Accountability Act of 1996: 

NQF: National Quality Forum: 

IFMC: Iowa Foundation for Medical Care: 

PPC: Privacy Protection Center: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

January 29, 2010: 

The Honorable Tom Harkin: 
Chairman: 
The Honorable Michael B. Enzi: 
Ranking Member: 
Committee on Health, Education, Labor, and Pensions: 
United States Senate: 

The Honorable Henry A. Waxman: 
Chairman: 
The Honorable Joe Barton: 
Ranking Member: 
Committee on Energy and Commerce: 
House of Representatives: 

Research has shown that serious injuries or deaths resulting from 
medical care are both common and often preventable. In a frequently 
cited report, the Institute of Medicine (IOM) estimated in 1999 that 
preventable medical errors cause as many as 98,000 deaths a year among 
hospital patients in the United States.[Footnote 1] The IOM identified 
several mechanisms for improving patient safety, including the use of 
medical error reporting systems to gather and analyze information on 
medical errors in order to prevent them from occurring in the future. 
The IOM report noted, however, that health care providers are often 
reluctant to report or disclose their medical errors and to 
participate in related learning efforts out of fear of incurring legal 
liability or professional sanctions. To address these concerns, the 
IOM report recommended the expanded use of voluntary medical error 
reporting systems that allow confidential reporting. The report also 
recommended that Congress provide legal protections to prevent the 
unauthorized disclosure of information collected and reported by 
providers for the purpose of improving patient safety. 

At the time of the IOM's 1999 report, several states operated 
mandatory systems for the reporting of serious medical errors-those 
resulting in death or serious injury-but these reporting systems were 
primarily used to hold providers accountable for their errors and 
often involved public disclosure. In contrast, confidential, voluntary 
systems for reporting of medical errors, designed primarily for 
developing improvements in patient safety, were less common and less 
widely used. Partially in response to the IOM report, Congress passed 
the Patient Safety and Quality Improvement Act of 2005 (the Patient 
Safety Act) to encourage health care providers to voluntarily report 
information on patient safety events and to facilitate the development 
and adoption of interventions and solutions to improve patient safety. 
[Footnote 2] 

To achieve these goals, the Patient Safety Act directed the Department 
of Health and Human Services (HHS) to create a list of public or 
private organizations known as Patient Safety Organizations (PSO). 
Listing by HHS indicates that PSOs are authorized to serve providers 
as independent patient safety experts and to receive data regarding 
patient safety events that will be considered privileged and 
confidential.[Footnote 3] The Patient Safety Act prohibits the 
unauthorized disclosure of certain types of data regarding patient 
safety events that providers send to listed PSOs.[Footnote 4] To 
facilitate the development of improvements in patient safety, the 
Patient Safety Act also requires PSOs to certify that they will 
analyze data regarding patient safety events, provide feedback to 
providers, and develop and disseminate information on ways providers 
can improve patient safety. By serving multiple providers and 
aggregating data regarding patient safety events, the Patient Safety 
Act intends for PSOs to help providers better understand the 
underlying causes of patient safety events and develop solutions to 
prevent or reduce the frequency of such events. 

To support PSOs and providers in their efforts to develop and adopt 
improvements in patient safety, the Patient Safety Act directed HHS to 
create a network of patient safety databases (NPSD). The Patient 
Safety Act specifies that the NPSD is to collect and aggregate non- 
identifiable data regarding patient safety events voluntarily 
submitted to it by PSOs and providers.[Footnote 5] The law does not 
require PSOs or providers to submit data to the NPSD. The law also 
specifies that the NPSD should serve as a resource that health care 
providers, PSOs, and others can use to develop improvements in patient 
safety. Specifically, by facilitating the aggregation and analysis of 
patient safety data from providers nationwide, the NPSD is intended to 
assist PSOs and providers in identifying underlying patterns and 
trends associated with patient safety events. In addition, the Patient 
Safety Act also requires HHS to use data from the NPSD to analyze 
national and regional statistics, including trends and patterns in 
patient safety events, and to report on effective strategies for 
reducing patient safety events and increasing patient safety. HHS has 
delegated responsibility for listing PSOs, implementing and 
maintaining the NPSD, and analyzing data submitted to the NPSD to the 
Agency for Healthcare Research and Quality (AHRQ). 

The Patient Safety Act requires GAO to report to Congress by February 
1, 2010, on the law's effectiveness in accomplishing its purpose. 
Although the Patient Safety Act was enacted in July 2005, the law did 
not specify a time frame for implementation. Final regulations to 
implement the act became effective on January 19, 2009. In this 
report, we describe the progress AHRQ has made in (1) listing PSOs, 
including PSO efforts to serve providers, and (2) implementing the 
NPSD. These actions by AHRQ are important to complete before the law's 
effectiveness can be evaluated. In addition, because participation-- 
including submission of data on patient safety events--by PSOs and 
providers is voluntary, their actions may also contribute to the law's 
effectiveness in accomplishing its purpose. 

To describe the progress AHRQ has made in listing PSOs, we interviewed 
AHRQ and other HHS officials and reviewed relevant documents, 
including regulations, policies, and guidelines. We also conducted 
structured interviews with officials from 17 randomly selected PSOs, 
representing 26 percent of those listed as of July 2009, to obtain 
information on the extent to which the PSOs have begun to collect and 
analyze patient safety data and provide feedback to providers. 
Although our sample was representative of listed PSOs, our findings 
from these interviews cannot be generalized to all PSOs. Furthermore, 
we did not speak directly with health care providers regarding their 
use, or potential use, of PSOs. To describe the progress AHRQ has made 
in implementing the NPSD, we interviewed officials at AHRQ and its 
contractors, and we reviewed relevant documents including contracts, 
time lines, and progress reports. In addition, we also obtained, for 
context, information on other established patient safety reporting 
systems, as AHRQ's efforts to list PSOs and implement the NPSD are 
relatively new. Specifically, we identified examples of how selected, 
established patient safety reporting systems encourage reporting of 
patient safety event information by providers and facilitate the 
development of improvements in patient safety. We present these 
examples and related methodology in appendix I. 

We conducted our work from March 2009 to January 2010 in accordance 
with all sections of GAO's Quality Assurance Framework that are 
relevant to our objectives. The framework requires that we plan and 
perform the engagement to obtain sufficient and appropriate evidence 
to meet our stated objectives and to discuss any limitations in our 
work. We believe that the information and data obtained, and the 
analysis conducted, provide a reasonable basis for any findings and 
conclusions. 

Background: 

AHRQ and the Office for Civil Rights (OCR) within HHS share 
responsibility for implementing the Patient Safety Act. AHRQ is 
responsible for listing PSOs, providing technical assistance to PSOs, 
implementing and maintaining the NPSD, and analyzing the data 
submitted to the NPSD. OCR has responsibility for interpreting, 
implementing, and enforcing the confidentiality protections.[Footnote 
6] To help implement the Patient Safety Act, AHRQ and OCR developed 
the legislation's implementing regulations, which took effect January 
19, 2009.[Footnote 7] 

PSOs: 

The Patient Safety Act establishes criteria that organizations must 
meet and required patient safety activities that the organizations 
must perform after being listed as PSOs. The criteria include an 
organizational mission to improve patient safety and the quality of 
health care delivery; use of collected data to provide direct feedback 
and assistance to providers to minimize patient risk; staff who are 
qualified to perform analyses on patient safety data; and adequate 
policies and procedures to ensure that patient safety data are kept 
confidential. Required PSO activities include activities such as 
efforts to improve patient safety and the quality of health care 
delivery. (See app. II for the complete list of criteria and required 
PSO activities as specified in the Patient Safety Act.) The criteria 
allow for many types of organizations to apply to AHRQ to be listed as 
a PSO. These organizations may include public and private entities, 
for-profit and not-for-profit organizations, and entities that are a 
component of another organization, such as a hospital association or 
health system. 

A PSO must attest for the initial listing period that it will comply 
with the criteria and that it has policies and procedures in place 
that will allow it to perform the required activities of a PSO. When 
reapplying for subsequent 3-year listing periods, a PSO must attest 
that it is complying with the criteria and that it is in fact 
performing each of the required activities. The regulations require 
AHRQ staff to review written PSO applications documenting PSO 
attestations to each of the statutory criteria and required 
activities. In the case of certain PSOs that are component 
organizations, the regulations also require the applicant to complete 
an additional set of attestations and disclosure statements detailing 
the relationship between the component and parent organizations. The 
regulations require that after AHRQ staff review the application 
materials and related information, the applicant will be listed, 
conditionally listed, or denied.[Footnote 8] 

Legal Protections for Patient Safety Data: 

When a provider elects to use the services of a listed PSO, the 
Patient Safety Act provides privilege and confidentiality protections 
[Footnote 9] for certain types of data regarding patient safety events 
that providers collect for the purposes of reporting to a PSO. 
[Footnote 10] In general, the Patient Safety Act excludes the use of 
patient safety data in civil suits, such as those involving 
malpractice claims, and in disciplinary proceedings against a 
provider. While certain states have laws providing varying levels of 
privilege and confidentiality protections for patient safety data, the 
Patient Safety Act provides a minimum level of protection. 

Regulations implementing the Patient Safety Act address the 
circumstances under which patient safety data may be disclosed, such 
as when used in criminal proceedings, authorized by identified 
providers, and among PSOs or affiliated providers.[Footnote 11] OCR 
has the authority to conduct reviews to ensure that PSOs, providers, 
and other entities are complying with the confidentiality protections 
provided by the law. OCR also has the authority to investigate 
complaints alleging that patient safety data has been improperly 
disclosed and to impose a civil money penalty of up to $11,000 per 
violation.[Footnote 12] 

The NPSD and Requirements for Submitting Data to the NPSD: 

The Patient Safety Act requires HHS to create and maintain the NPSD as 
a resource for PSOs, providers, and qualified researchers.[Footnote 
13] The law specifies that the NPSD must have the capacity to accept, 
aggregate, and analyze non-identifiable patient safety data 
voluntarily submitted to the NPSD by PSOs, providers, and other 
entities.[Footnote 14] Providers may submit non-identifiable data 
directly to the NPSD, or work with a PSO to submit patient safety 
data. Neither PSOs nor providers are required by either the Patient 
Safety Act or regulation to submit data to the NPSD. Figure 1 shows 
the intended flow of patient safety data and other information among 
providers, PSOs, and the NPSD. 

Figure 1: Intended Flow of Information to and from the NPSD: 

[Refer to PDF for image: illustration] 

Providers (Hospitals, clinics, etc.): Non-identifiable patient safety 
data: to AHRQ: 
Network of patient safety databases; 
Patient safety data: to Patient safety organization (PSO); Analysis of 
patient safety event data. 

Patient safety organization (PSO): 
Feedback and recommendations from PSO to providers; 
Non-identifiable patient safety data: to AHRQ: Network of patient 
safety databases. 

AHRQ: 

Network of patient safety databases: Data analysis: 
National Healthcare Quality Report; 
National Health Disparities Report; 
Other Analyses and Reports. 

Network of patient safety databases: data query process back to 
Patient safety organization (PSO) and Providers (Hospitals, clinics, 
etc.). 

Source: GAO analysis of AHRQ documents. 

Note: Submission of patient safety data from a provider to a PSO, from 
a provider to the NPSD, or from a PSO to the NPSD is voluntary. Before 
patient safety data can be transmitted to the NPSD, it must be made 
non-identifiable-that is, have any information removed that could be 
used to identify a patient, provider, or reporter of patient safety 
information. 

[End of figure] 

The Patient Safety Act authorizes HHS to develop common formats for 
reporting patient safety data to the NPSD. According to the Patient 
Safety Act, these formats may include the necessary data elements to 
be collected and provide common and consistent definitions and a 
standardized computer interface for processing the data.[Footnote 15] 
While most U.S. hospitals have some type of internal reporting system 
for collecting data on patient safety events,[Footnote 16] they often 
have varying ways of collecting and organizing their data.[Footnote 
17] This variation makes it difficult to accurately compare patient 
safety events across systems and providers[Footnote 18] and can be a 
barrier to developing solutions to improve patient safety.[Footnote 
19] If providers or PSOs choose to submit patient safety data to the 
NPSD, AHRQ requires that these data be submitted using the common 
formats, because using the common formats is necessary so that data in 
the NPSD can be aggregated and analyzed. Aggregation and analysis of 
data is important for developing the "lessons learned" or "best 
practices" across different institutions that may help improve patient 
safety.[Footnote 20] 

The Patient Safety Act and its implementing regulations provide 
additional measures PSOs must follow whether or not they intend to 
submit the data they collect to the NPSD. The Patient Safety Act 
regulations require PSOs to collect patient safety data from providers 
in a standardized manner that permits valid comparisons of similar 
cases among similar providers, to the extent to which these measures 
are practical and appropriate. To meet this requirement, the 
regulation specifies that PSOs must either (1) use the common formats 
developed by AHRQ when collecting patient safety data from providers, 
(2) utilize an alternative format that permits valid comparisons among 
providers, or (3) explain to AHRQ why it would not be practical or 
appropriate to do so. The Patient Safety Act also requires any data 
regarding patient safety events that is submitted to the NPSD be non-
identifiable. According to the Patient Safety Act, users can access 
non-identifiable patient safety data only in accordance with the 
confidentiality protections established by the Patient Safety Act. The 
Patient Safety Act's regulations provide technical specifications for 
making patient safety data non-identifiable.[Footnote 21] 

Finally, the Patient Safety Act states AHRQ must analyze the data that 
are submitted to the NPSD and include these analyses in publicly 
available reports. Specifically, under the Patient Safety Act, AHRQ is 
required to submit a draft report on strategies to improve patient 
safety to the IOM within 18 months of the NPSD becoming operational 
and a final report to Congress 1 year later. The Patient Safety Act 
requires this report to include effective strategies for reducing 
medical errors and increasing patient safety, as well any measures 
AHRQ determines are appropriate to encourage providers to use the 
strategies, including use in any federally funded programs. In 
addition, the Patient Safety Act states HHS must use data in the NPSD 
to analyze national and regional statistics, including trends and 
patterns of health care errors, and include any information resulting 
from such analyses in its annual reports on health care quality. 
[Footnote 22] 

AHRQ Has Listed PSOs, but Few PSOs We Interviewed Have Begun Serving 
Providers: 

AHRQ listed 65 PSOs from November 2008 to July 2009.[Footnote 23] 
However, few of the 17 PSOs we randomly selected to interview had 
entered into contracts or other business agreements with providers to 
serve as their PSO, and only 3 PSOs reported having begun receiving 
patient safety data or providing feedback to providers. PSO officials 
identified several reasons why they have not yet engaged with 
providers. Some PSOs are still establishing various aspects of their 
operations; some are waiting for the common formats for collecting 
patient safety data to be finalized by AHRQ; and some are still 
engaged in marketing their services and educating providers about the 
federal confidentiality protections offered by the Patient Safety Act. 

As of July 2009, AHRQ Had Listed 65 PSOs Representing a Variety of 
Organizations: 

Although the regulations implementing the Patient Safety Act did not 
become effective until January 19, 2009,[Footnote 24] AHRQ began 
listing PSOs earlier, in November 2008.[Footnote 25] By July 2009, 
AHRQ had listed 65 PSOs in 26 states and the District of Columbia. 
[Footnote 26] AHRQ officials told us that in listing PSOs they 
accepted PSOs' attestations that the PSOs met the certification 
requirements established in the Patient Safety Act--that is, to be a 
listed PSO, an entity must have policies and procedures in place to 
perform the required activities of a PSO and will comply with 
additional criteria for listing.[Footnote 27] For continued listing 
beyond the initial period, PSOs must attest that they have contracts 
with more than one provider and are in fact performing each of the 
required activities. 

The 65 PSOs AHRQ had listed represent a wide range of organizations, 
including some that provided patient safety services for many years 
prior to being listed as well as new organizations specifically 
established to function as a PSO under the Patient Safety Act. 
[Footnote 28] AHRQ officials told us that the organizations listed as 
PSOs include consulting firms that have provided patient safety 
services for a range of providers and specialties, as well as 
organizations with a focus on patient safety in a specific area such 
as medical devices, hand hygiene, or pediatric anesthesia. The listed 
PSOs also include vendors of patient safety reporting software and 
components of state hospital associations. 

AHRQ officials told us that the services PSOs deliver to individual 
providers will likely vary, depending on the specific contractual or 
other business agreements the PSOs establish with providers.[Footnote 
29] For example, a small hospital may want to contract with a PSO to 
provide all its internal quality improvement services, while a large 
hospital may just contract with a PSO to obtain the legal protections 
under the Patient Safety Act and to contribute data to the NPSD. While 
officials of 13 of the 17 PSOs we interviewed indicated they provided 
some patient safety services prior to being listed, all 17 PSOs stated 
that the services they planned to make available included the 
collection and analysis of patient safety data, the de-identification 
of patient safety data for submission to the NPSD, feedback, and 
patient safety training. 

Few Listed PSOs We Interviewed Have Begun to Serve Providers: 

While AHRQ has listed 65 PSOs, few PSOs we interviewed have entered 
into contracts or other business agreements with providers to serve as 
their PSO. Only 4 of the 17 listed PSOs we interviewed had any 
contracts or other agreements with providers to serve as their PSO. 
Furthermore, according to PSO officials, only 3 of these PSOs had 
begun to receive patient safety data or provide feedback to providers. 
[Footnote 30] PSO officials identified several reasons why they had 
yet to begin working with providers and receiving patient safety data 
as of July 2009. These reasons include the following: 

The need to complete the development of various components of their 
business operations. Some PSO officials we interviewed told us they 
still need to determine various components of their operations. For 
example, officials from some PSOs told us they have yet to determine 
their fee structure for working with providers. Officials from 6 of 17 
PSOs we interviewed stated they were or would be contracting with 
other PSOs to receive services, such as information technology systems 
support or data security. Nine PSOs reported they had not yet 
determined whether they would be contracting for some services. In 
addition, while officials from most of the PSOs we interviewed 
indicated they planned to submit patient safety data to the NPSD, 4 
had not yet determined how they will make data non-identifiable before 
sending it to the NPSD. 

The need to obtain AHRQ's final common formats for collecting data on 
patient safety events. Officials from some PSOs we interviewed 
indicated they needed the common formats to be finalized by AHRQ 
before beginning to work with providers. While use of AHRQ's common 
formats to collect data from providers is not required under the 
regulations, most PSOs we interviewed plan to use the common formats 
for collecting data on patient safety events and submitting these data 
to the NPSD. Officials from 7 of the 17 PSOs we interviewed said they 
plan to require providers to submit data using the common formats, and 
4 PSOs said they will not require them of providers but will either 
convert the reports they receive to the common formats or adapt their 
existing reporting system to include the common formats.[Footnote 31] 

The need to educate providers about the federal confidentiality 
protections. Officials from several of the 17 PSOs we interviewed told 
us they faced challenges in addressing provider concerns related to 
the scope of the confidentiality protections and that these concerns 
needed to be addressed before providers would be willing to engage the 
services of a PSO. Some of these PSO officials described challenges in 
communicating details of the confidentiality protections. According to 
AHRQ officials, the rules for when, where, and how patient safety data 
are protected from disclosure are both complex and interrelated with 
the privacy rules for protected health information under HIPAA. AHRQ 
officials acknowledged the need to work with PSOs to clarify the rules 
governing the confidentiality of patient safety data so PSOs can 
better communicate these to providers. AHRQ officials indicated they 
would address these issues in upcoming quarterly conference calls they 
hold with PSO representatives. (See appendix I for examples of ways 
established patient safety reporting systems communicate legal 
protections for providers and the data they submit.) 

AHRQ Is in the Process of Implementing the NPSD and Has Developed 
Preliminary Plans for Using NPSD Data: 

AHRQ is in the process of implementing the NPSD and developing its 
associated components that are necessary before the NPSD can receive 
patient safety data--(1) the common formats PSOs and providers will be 
required to use if submitting patient safety data to the NPSD and (2) 
a method for making these data non-identifiable. If each of these 
components is completed on schedule, AHRQ officials expect that the 
NPSD could begin receiving patient safety data from hospitals in 
February 2011. AHRQ officials could not provide a time frame for when 
they expect the NPSD to be able to receive patient safety data from 
other providers. AHRQ also has preliminary plans for how to allow the 
NPSD to serve as an interactive resource for providers and PSOs and 
for how AHRQ will analyze NPSD data to help meet its reporting 
requirements under the Patient Safety Act. 

AHRQ Is in the Process of Developing the NPSD, the Common Formats for 
Hospitals to Submit Data to the NPSD, and a Method for Making Data Non-
identifiable: 

AHRQ is in the process of developing the NPSD, and AHRQ officials 
expect that the NPSD could begin receiving patient safety data from 
hospitals by February 2011. Specifically, AHRQ established a 3-year 
contract with Westat effective September of 2007 to develop the NPSD, 
[Footnote 32] which is being set up as a database that AHRQ officials 
stated is essential for meeting the requirements of the act. AHRQ and 
Westat officials told us that completion of the NPSD depends on both 
the development of the common formats that will be used to submit 
patient safety data to the NPSD and on the development of a method for 
making the data non-identifiable. If each of these components is 
completed on schedule, AHRQ officials expect that the NPSD could begin 
to receive patient safety data from hospitals by February 2011. 

AHRQ is finalizing the common formats that PSOs and hospitals will be 
required to use if submitting patient safety data to the NPSD. AHRQ 
officials expect that the common formats could be available for 
hospitals to use in submitting data electronically to the NPSD by 
September 2010. AHRQ began developing the common formats for hospitals 
in 2005 by reviewing the data collection methods of existing patient 
safety systems. In 2007, AHRQ contracted with the National Quality 
Forum (NQF) to assist with the collection and assessment of public 
comments on a preliminary version of the common formats that was 
released in August 2008.[Footnote 33] These common format forms are 
used to collect information on patient safety events, including 
information about when and where an event occurred, a description of 
the event, and patient demographic information.[Footnote 34] AHRQ 
issued the common formats for hospitals in paper form in September 
2009, and is in the process of making electronic versions available 
for hospitals and PSOs to use when submitting data to the NPSD. 
Specifically, AHRQ officials told us that they are in the process of 
developing technical specifications that private software companies 
and others can use to develop electronic versions of the common 
formats. According to AHRQ officials, hospitals and PSOs will need 
these electronic versions of the common formats in order to submit 
data to the NPSD. Their current project plan indicates that the 
technical specifications will be completed by March 2010. AHRQ 
officials estimate that electronic versions of the common formats 
could be available to hospitals and PSOs by September 2010. 

AHRQ officials stated that they expect eventually to develop common 
formats for providers in other health care settings, such as nursing 
homes and ambulatory surgical centers. Furthermore, AHRQ officials 
told us that they plan on developing future versions of the common 
formats capable of collecting data from the results of root cause 
analyses that providers may conduct.[Footnote 35] However, AHRQ 
officials were unable to provide an estimate for when the common 
formats for other providers will be available or when the capability 
to collect information from root cause analyses will be available. 

The Patient Safety Act also requires that data submitted to the NPSD 
be made non-identifiable by removing information that could be used to 
identify individual patients, providers, or facilities. To help PSOs 
and providers meet this requirement, AHRQ contracted with the Iowa 
Foundation for Medical Care (IFMC)[Footnote 36] to operate a PSO 
Privacy Protection Center (PPC) that will develop a method for making 
patient safety data non-identifiable and assist PSOs and providers by 
removing any identifiable patient or provider information from the 
data before submission to the NPSD. Current AHRQ and PPC project plans 
indicate that the PPC should be ready to receive and make patient 
safety data non-identifiable beginning in September 2010. AHRQ 
officials told us that this process involves not only removing 
information from each record that could be used to identify patients, 
providers, or reporters of patient safety information, but also 
determining whether identities could be determined from other 
available information and using appropriate methods to prevent this 
type of identification from occurring.[Footnote 37] AHRQ officials 
told us that PPC officials are working with experts to develop the 
PPC's method for making data non-identifiable.[Footnote 38] 

AHRQ officials stated that their rationale for establishing the PPC 
was to determine a method for making data non-identifiable, provide a 
cost savings for PSOs, encourage data submission to the NPSD, and 
create consistency in the non-identifiable data that are submitted to 
the NPSD. According to AHRQ officials, the PPC will provide its 
services to PSOs at no charge and will submit non-identifiable patient 
safety data on behalf of PSOs to the NPSD.[Footnote 39] However, PSOs 
are not required to use the PPC and may choose to make their patient 
safety data non-identifiable internally or with the help of a 
contractor of their choice. 

AHRQ project plans indicate that the PPC will be able to submit data 
to the NPSD beginning in February 2011, approximately 5 months after 
the PPC begins receiving data from hospitals. AHRQ officials stated 
that this time period is necessary, in part, because the PPC needs to 
begin receiving data before it can determine if its method for 
rendering data non-identifiable is appropriate or needs to be 
adjusted. For example, if the PPC receives a sufficient volume of 
data, then officials expect to be able to submit data on individual 
patient safety events and have it remain non-identifiable. If the 
volume of data is too low, however, PPC officials expect to have to 
aggregate data from individual events so that it remains non-
identifiable once submitted to the NPSD, in which case AHRQ officials 
stated they may delay submission of data to the NPSD until a 
sufficient volume is received. AHRQ officials noted that it is 
impossible to determine in advance the volume of data that will be 
submitted to the PPC due to the voluntary nature of submissions. As a 
result, the level of detail that will exist in the NPSD data cannot be 
determined in advance of data being received and processed by the PPC. 
Figure 2 summarizes key dates in AHRQ's efforts to develop the NPSD 
and its related components. 

Figure 2: Timeline for Developing the NPSD: 

[Refer to PDF for image: timeline] 

July 2005: 
Patient Safety Act signed into law. 

October 2005: 
AHRQ begins work on the common formats. 

August 2007: 
NQF contract for reviewing common formats for hospitals effective. 

September 2007: 
Westat contract to develop the NPSD effective, IFMC contract to 
develop the PPC effective. 

August 2008: 
Preliminary version of common formats for hospitals issued and open 
for comments. 

November 2008: 
AHRQ begins listing PSOs, final regulations published. 

December 2008: 
Comment period for receiving comments on preliminary version of the 
common formats for hospitals closes. 

January 2009: 
Final regulations effective. 

September 2009: 
Paper version of the common formats for hospitals released by AHRQ. 

Projected: 

March-September 2010: 
* AHRQ expects to release technical specifications for development of 
software for electronic versions of the common formats for hospitals 
(estimated); 
* AHRQ expects private vendors and others to build software for 
electronic versions of the common formats for hospitals (estimated); 
* PPC expects to begin receiving data and making decisions about how 
data should be made non-identifiable (estimated). 

February 2011: 
AHRQ expects the NPSD to begin receiving non-identifiable patient 
safety data for hospitals from PPC and PSOs (estimated). 

February 2012: 
Westat expects to implement interactive capabilities of NPSD 
(estimated), Westat expects to complete first analysis of trends and 
patterns in health care errors (estimated and to occur annually 
hereafter). 

Source: GAO. 

Note: The timeline identifies actions that have a focus on hospitals. 
AHRQ officials could not provide a time frame for when they expect 
common formats to be developed for providers other than hospitals, or 
when the NPSD would be able to receive patient safety data from these 
providers. 

[End of figure] 

AHRQ Has Preliminary Plans For How to Meet Requirements for Use of 
NPSD Data, Though AHRQ Officials Have Identified Limitations to the 
Types of Analyses That Will Be Conducted: 

The Patient Safety Act requires that the NPSD serve as an interactive 
resource for providers and PSOs, allowing them to conduct their own 
analyses of patient safety data. To meet this requirement, AHRQ has 
developed plans to allow providers to query the NPSD to obtain 
information on patient safety events, including information on the 
frequencies and trends of such events. AHRQ's contract with Westat to 
construct the NPSD includes a series of tasks for developing, testing, 
and implementing this interactive capability of the NPSD. The contract 
specifies that these interactive capabilities will be available within 
12 months of the NPSD beginning to receive patient safety information. 
Based on AHRQ's estimate that the NPSD may be operational by February 
2011, the interactive capabilities of the NPSD could be available by 
February 2012. However, AHRQ officials indicated that they had not yet 
determined the specific types of information that will be available to 
PSOs and providers as this will depend, in part, on the level of 
detail that is included in the NPSD data after the data are made non- 
identifiable. 

The Patient Safety Act also states that HHS must use the information 
reported into the NPSD to analyze national and regional statistics, 
including trends and patterns of health care errors, and to identify 
and issue reports on strategies for reducing medical errors and 
increasing patient safety after the NPSD becomes operational. To do 
this, AHRQ has developed preliminary plans for analyzing the data that 
will be submitted to the NPSD. According to AHRQ officials, these 
plans specify how the agency will analyze NPSD data to determine 
trends and patterns, such as the frequency with which certain types of 
adverse events happen across providers based on the data they may 
submit to the NPSD. However, AHRQ has yet to develop plans for more 
detailed analyses of NPSD data that could be useful for identifying 
strategies to reduce medical errors. Officials explained that these 
plans will not be developed until the NPSD begins receiving data and 
they are able to determine the level of detail in the data and what 
analyses it will support. 

Despite the potential for standardization provided by the common 
formats, AHRQ officials have identified important limitations in the 
types of analyses that can be performed with the data submitted to the 
NPSD. For example, AHRQ officials explained that because submissions 
to the NPSD are voluntary, the trends and patterns produced from the 
NPSD will not be nationally representative and, therefore, any 
analyses conducted cannot be used to generate data that are 
generalizable to the entire U.S. population. In addition, officials 
stated that the results from some analyses may be unreliable because 
there is no way to control for duplicate entries into the NPSD, which 
could occur if a provider submits a single patient safety event report 
to more than one PSO. Finally, AHRQ officials noted that it will be 
difficult to determine the prevalence or incidence of adverse events 
in specific populations. They told us that determining prevalence or 
incidence rates requires information on the total number of people at 
risk for such events, and that the patient safety data submitted to 
the NPSD will not include this information. (See appendix I for more 
information about the ways established patient safety reporting 
systems analyze data to develop solutions that improve patient safety.) 

Concluding Observations: 

AHRQ is still in the early stages of listing PSOs and developing plans 
for how it will analyze NPSD data and report on effective strategies 
for improving patient safety, as required under the Patient Safety 
Act. As a result, we cannot assess whether, or to what extent, the law 
has been effective in encouraging providers to voluntarily report data 
on patient safety events and to facilitate the development and 
adoption of improvements in patient safety. In addition, because 
improvements to patient safety depend on the voluntary participation 
of providers and PSOs, it remains uncertain whether the goals of the 
Patient Safety Act will be accomplished even after AHRQ completes its 
implementation. For example, providers will have to decide whether to 
work with a PSO and the extent to which they will report patient 
safety data to both the PSO and the NPSD. Whether the process results 
in specific recommendations for improving patient safety will depend 
on the volume and quality of the data submitted and on the quality of 
the analyses conducted by both PSOs and by AHRQ. Finally, if these 
recommendations are to lead to patient safety improvements, providers 
must recognize their value and take actions to implement them. 

Agency Comments: 

The Department of Health and Human Services reviewed a draft of this 
report and provided technical comments, which we have incorporated as 
appropriate. 

We will send copies of this report to the Secretary of Health and 
Human Services and other interested parties. In addition, the report 
is available at no charge on the GAO Web site at [hyperlink, 
http://www.gao.gov]. 

If you or your staff have questions about this report, please contact 
me at (202) 512-7114 or kohnl@gao.gov. Contact points for our Office 
of Congressional Relations and Public Affairs may be found on the last 
page of this report. GAO staff members who made key contributions to 
this report are listed in appendix III. 

Signed by: 

Linda T. Kohn: 
Director, Health Care: 

[End of section] 

Appendix I: Examples from Established Patient Safety Reporting Systems: 

Because the Agency for Healthcare Research and Quality's (AHRQ) 
efforts to list Patient Safety Organizations and implement the Network 
of Patient Safety Databases are relatively new but some other patient 
safety reporting systems are already established, we identified 
examples of how selected established patient safety reporting systems 
encourage reporting of patient safety event information by providers 
and facilitate the development of improvements in patient safety. We 
judgmentally selected five established patient safety reporting 
systems from a list of such systems compiled by AHRQ. We selected 
systems that collected data for learning purposes and that appeared in 
a literature review we conducted of 45 relevant articles in peer-
reviewed, trade, or scholarly publications published since January 
2000.[Footnote 40] After selecting the systems, we conducted 
structured interviews with representatives of these systems to 
identify examples of ways that these systems encouraged providers to 
submit patient safety data for analysis and used the data collected by 
their systems to help develop improvements in patient safety. The 
system representatives we interviewed provided common examples that we 
have grouped into four areas: 

* Practices that encourage providers to learn from patient safety 
data, rather than blame individuals; 

* Communication intended to clearly explain legal protections for 
providers and the data they submit; 

* Data collection tools intended to standardize the data providers 
submit; 

* Data analyses that produce actionable feedback. 

Practices that encourage providers to learn from patient safety data, 
rather than blame individuals: Representatives from all five patient 
safety reporting systems we reviewed said their systems encourage 
providers to learn from patient safety data as a way to improve 
patient safety, and not blame individuals for an event.[Footnote 41] 
According to system representatives, one way they did this was to 
emphasize the value of the data collected by the system for learning 
ways to reduce the risk that a certain event will recur. For example, 
representatives from one system said they created posters to hang in 
health care facilities from which the system collected patient safety 
data. Representatives from this system explained that the posters 
described a patient safety event about which the system received data 
as well as the solutions the system developed to improve patient 
safety. Another practice representatives said they used is allowing 
providers to submit data anonymously. Four out of five system 
representatives said their systems offered providers a way to submit 
data anonymously. 

Communication intended to clearly explain legal protections for 
providers and the data they submit: Many of the representatives we 
interviewed from patient safety reporting systems told us that their 
systems communicate information intended to clearly explain the legal 
protections afforded providers and the patient safety data they 
submit. For example, one system in our review provided guidance for 
providers on how to clearly label data to invoke the confidentiality 
protections associated with patient safety data under a law that 
protects data in this system. Representatives from another patient 
safety reporting system told us that communicating information about 
available legal protections can be particularly important for systems 
that collect data from providers in multiple states, because the legal 
protections for providers and patient safety data vary from state to 
state. For example, representatives from two patient safety reporting 
systems with users in multiple states said their systems provided 
customized legal information for providers based on the state 
confidentiality laws that applied to each provider's location. A 
representative from one of these systems also said that the legal 
information the system offered helped providers understand what types 
of data to submit and encouraged them to submit it. 

Data collection tools intended to standardize the data providers 
submit: Representatives from all five systems told us they had 
developed tools intended to standardize the data providers submit to 
their patient safety databases. For some systems these tools include 
common formats and computer systems.[Footnote 42] Some of the 
representatives explained that standardizing the information providers 
submit helps ensure that patient safety events, especially events 
involving clinical terms, are classified in the same way.[Footnote 43] 
Some representatives also said that if a system did not define 
clinical terms for providers, providers may define events differently, 
which can limit the system's ability to analyze submitted patient 
safety data. Furthermore, the representatives said, standardizing 
terms increased the value of the data as it is aggregated, as well as 
any resulting analyses. Representatives from all five systems said the 
ability to collect and aggregate standardized patient safety data 
allowed them to identify patterns in patient safety events, which they 
believed enabled their systems to suggest ways to improve patient 
safety. 

Some system representatives said that standardizing the way providers 
submit patient safety data allowed them to streamline the data 
collection process for providers. Some representatives said they 
designed their data collection protocols to allow providers to fulfill 
additional reporting requirements related to accreditation or quality 
improvement functions, such as submitting data regarding certain 
patient safety events to the Joint Commission.[Footnote 44] 
Representatives from one system said that their systems did this to 
make collecting and submitting patient safety data more efficient for 
providers and thereby increase the likelihood that providers would 
submit such data to the patient safety reporting system. In another 
example, one system built a feature into its computer program that 
allowed providers to transfer data directly from providers' in-house 
databases to the patient safety data collection system, a data 
collection method system representatives said accounted for 
approximately 40 percent of all data received from providers. 

Data analyses that produce actionable feedback: Representatives from 
all five patient safety reporting systems told us that their systems 
analyzed submitted data to develop actionable steps providers could 
implement to improve patient safety. According to the representatives, 
their systems aggregated data from provider submissions and used these 
data for both quantitative analyses, such as trend or frequency 
analyses, and qualitative analyses, which examine narrative data to 
determine whether there were any common themes across events. 
Representatives from all five systems said they used both qualitative 
and quantitative analyses because neither method alone was completely 
sufficient to develop improvements to patient safety. For example, one 
system's representatives said they conducted qualitative analyses such 
as using a computer program to analyze and group the narrative data 
providers submitted to learn about the factors that contributed to 
patient safety events. The same representatives explained that their 
system also conducted quantitative analyses such as trend analyses on 
events to see how often they occur. 

Representatives from all the systems said they used various methods to 
encourage providers to implement the improvements to patient safety 
the systems helped develop. Examples of methods they used included 
sending an e-mail from the system when new content was published on 
the system's Web site, hosting Web conferences, and publishing 
analyses in trade or scholarly publications. All the representatives 
said their systems collaborated with other organizations to increase 
the likelihood that the improvements they developed were implemented. 
For example, one system worked with a statewide coalition of 
organizations in the quality improvement field to encourage providers 
to implement the patient safety improvements the system developed. 

[End of section] 

Appendix II: Selected Statutory Requirements for Listing of Patient 
Safety Organizations: 

A PSO must certify that it has policies and procedures in place to 
perform each of the following patient safety activities: 

1. Efforts to improve patient safety and the quality of health care 
delivery. 

2. The collection and analysis of patient safety work product. 

3. The development and dissemination of information with respect to 
improving patient safety, such as recommendations, protocols, or 
information regarding best practices. 

4. The utilization of patient safety work product for the purposes of 
encouraging a culture of safety and of providing feedback and 
assistance to effectively minimize patient risk. 

5. The maintenance of procedures to preserve confidentiality with 
respect to patient safety work product. 

6. The provision of appropriate security measures with respect to 
patient safety work product. 

7. The utilization of qualified staff. 

8. Activities related to the operation of a patient safety evaluation 
system and to the provision of feedback to participants in a patient 
safety evaluation system. 

A PSO must certify that upon being listed, it will comply with the 
following criteria: 

1. The mission and primary activity of the entity are to conduct 
activities that are to improve patient safety and the quality of 
health care delivery. 

2. The entity has appropriately qualified staff (whether directly or 
through contract), including licensed or certified medical 
professionals. 

3. The entity, within each 24-month period that begins after the date 
of the initial listing, has bona fide contracts, each of a reasonable 
period of time, with more than 1 provider for the purpose of receiving 
and reviewing patient safety work product. 

4. The entity is not, and is not a component of, a health insurance 
issuer. 

5. The entity shall fully disclose--(i) any financial, reporting, or 
contractual relationship between the entity and any provider that 
contracts with the entity; and (ii) if applicable, the fact that the 
entity is not managed, controlled, and operated independently from any 
provider that contracts with the entity. 

6. To the extent practical and appropriate, the entity collects 
patient safety work product from providers in a standardized manner 
that permits valid comparisons of similar cases among similar 
providers. 

7. The utilization of patient safety work product for the purpose of 
providing direct feedback and assistance to providers to effectively 
minimize patient risk. 

Additional Criteria for Component Organizations: 

8. The entity maintains patient safety work product separately from 
the rest of the organization, and establishes appropriate security 
measures to maintain the confidentiality of the patient safety work 
product. 

9. The entity does not make an unauthorized disclosure under this part 
of patient safety work product to the rest of the organization in 
breach of confidentiality. 

10. The mission of the entity does not create a conflict of interest 
with the rest of the organization. 

Source: The Patient Safety and Quality Improvement Act of 2005, Pub. 
L. No. 109-41, 119 Stat. 424. 

[End of section] 

Appendix III: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Linda T. Kohn at (202) 512-7114 or kohnl@gao.gov: 

Staff Acknowledgments: 

In addition to the contact named above, William Simerl, Assistant 
Director; Eric R. Anderson; Eleanor M. Cambridge; Krister Friday; 
Kevin Milne; and Andrea E. Richardson made key contributions to this 
report. 

[End of section] 

Footnotes: 

[1] Institute of Medicine, To Err is Human: Building a Safer Health 
System (Washington, D.C.: National Academy Press, 1999). 

[2] Throughout this report, we use the term patient safety events to 
include serious errors or system failures that caused harm to a 
patient, near misses in which an error or system failure occurred but 
the patient was not harmed, and unsafe conditions having the potential 
to cause harm. 

[3] As defined by the Patient Safety Act, the term "provider" includes 
hospitals, health care practitioners, or any other individual or 
entity licensed or otherwise authorized under state law to provide 
health care services, or specified by the Secretary of HHS in 
regulations. 

[4] The Patient Safety Act describes these data. Among other things, 
the data may include information on the type of event that occurred 
such as a medication error, fall, or hospital acquired infection. The 
data may also include the results of analyses conducted by the 
provider, information on whether the patient was harmed or not, and 
factors that may have contributed to the event such as poor staff 
communication, equipment failure, or lack of proper supervision. 

[5] In general, non-identifiable patient safety data are data which 
are not likely to identify a patient, provider, or certain other 
persons who report patient safety information to providers or PSOs. 
See 42 C.F.R. § 3.212. 

[6] AHRQ is the lead federal agency for supporting research designed 
to improve the quality of health care, reduce health care costs, 
improve patient safety, decrease medical errors, and broaden access to 
essential services. AHRQ sponsors and conducts research that provides 
evidence-based information on health care outcomes; quality; and cost, 
use, and access. OCR also has responsibility for enforcing the health 
information privacy and security rules promulgated under the Health 
Insurance Portability and Accountability Act of 1996 (HIPAA). 

[7] AHRQ and OCR developed the implementing regulations as a part of a 
team of officials from the HHS Office of the Secretary. These 
implementing regulations are found at Part 3, title 42, Code of 
Federal Regulations. 

[8] The regulations allow applicants to be conditionally listed if 
they have been denied listing in the past or had a prior listing 
revoked. 

[9] The Patient Safety Act provides that patient safety data are 
privileged and confidential information. In general, privileged and 
confidential data are data to which access is restricted to persons or 
entities with certain legal rights to access the data based on, for 
example, the relationship between a PSO and provider. See 42 U.S.C. § 
299b-22. 

[10] The Patient Safety Act creates a special designation for data 
that meet these criteria-patient safety work product. Patient safety 
work product may include information on the type of event that 
occurred such as a medication error, fall, or hospital acquired 
infection. The data that comprise patient safety work product may also 
include the results of analyses conducted by the provider, information 
on whether the patient was harmed or not, and factors that may have 
contributed to the event such as poor staff communication, equipment 
failure, or lack of proper supervision. Patient safety work product 
under the act includes data regarding patient safety events that (1) 
have been assembled or developed by a provider for reporting to a 
listed PSO or developed by a listed PSO for conducting patient safety 
activities that could result in improved outcomes, quality, or safety, 
or (2) represent an analysis of information that the provider intends 
to submit to a listed PSO. For the purposes of this report, we use the 
term patient safety data to refer to patient safety work product as 
used in the Patient Safety Act. 

[11] See 42 C.F.R. § 3.204 et seq. 

[12] See 42 USC § 299(f); 42 C.F.R. § 3.404 (2009). 

[13] The act does not specify what qualifications a researcher should 
have to be able to access the NPSD. 

[14] Certain demonstration projects funded by HHS, such as the Patient 
Safety and Medical Liability Reform Demonstration Projects (2009), 
have posted notices indicating that HHS will require grant recipients 
to submit patient safety data to the NPSD as a part of the evaluation 
phase of the demonstration projects. 

[15] The Patient Safety Act requires the common formats comply to the 
extent practicable with the administrative simplification provisions 
of part C of title XI of the Social Security Act, which provides 
standards for information transactions and data elements. 

[16] In addition, numerous private organizations, such as the 
Institute for Safe Medication Practices and the AABB, operate systems 
for collecting data on patient safety events that also use their own 
ways of collecting data. 

[17] AHRQ, "Common Formats: Facilitating Learning from Patient Safety 
Data. What Are Common Formats?" [hyperlink, 
http://www.pso.ahrq.gov/formats/brochurecmnfmt.htm] (accessed Oct. 21, 
2009). 

[18] Liam J. Donaldson, "In Terms of Safety," International Journal 
for Quality in Health Care, vol. 18, no. 5 2006. 

[19] Richard Thomson, Pierre Lawalle, Heather Sherman, Peter Hibbert, 
and Gerard Castro, "Towards an International Classification for 
Patient Safety: a Delphi survey," International Journal for Quality in 
Health Care, Vol. 21, No.1, 2009, p.9. 

[20] Thomson, et al. p.11. 

[21] See Subpart C, Part 3, title 42 of the Code of Federal 
Regulations. In the preamble to the regulations, HHS notes that, to 
the extent that patient safety data is also protected health 
information under the HIPAA Privacy Rule, a use or disclosure of such 
data would also have to comply with applicable HIPAA Privacy Rule 
requirements. See 73 Fed. Reg. at 70773-74. 

[22] In 1999, Congress directed AHRQ to produce an annual report, 
starting in 2003, on health care quality in the United States (42 
U.S.C. 299b-2(b)(2)). AHRQ's annual National Healthcare Quality Report 
and National Healthcare Disparities Report are designed to summarize 
data across a wide range of patient needs, including staying healthy, 
getting better, living with chronic illness and disability, and coping 
with the end of life. These reports track quality across nine 
condition areas and describe the effectiveness, safety, timeliness, 
extent to which care is patient-centered, and efficiency of medical 
care delivery in the United States. The reports present data at the 
national and state levels, where state-level data are available, and 
also incorporate methodological improvements in quantifying trends in 
health care quality and disparities. 

[23] AHRQ has continued to list additional PSOs since this time. 

[24] HHS released a proposed rule in February 2008. 

[25] HHS issued interim guidance prior to the publication of the final 
rule. PSOs that were listed prior to the publication of the final rule 
on November 21, 2008, were required to complete a supplemental 
attestation process to verify their meeting of the requirements 
contained in the final rule. 

[26] PSOs are not limited to providing services in the state in which 
they are located. While some are targeting providers in a single state 
or region, others plan to offer their services nationwide. 

[27] To balance the streamlined PSO listing process specified in the 
Patient Safety Act, HHS included a provision in the regulations 
allowing it to conduct announced or unannounced reviews or site visits 
to verify PSO compliance with the listing requirements. In September 
2009, AHRQ announced plans to conduct on-site compliance reviews of 
PSOs approximately once every 6 years beginning in 2010 and issued a 
guide to assist PSOs in preparing for such reviews. 

[28] A full list of listed PSOs can be found on the AHRQ Web site at: 
[hyperlink, http://www.pso.ahrq.gov/listing/psolist.htm]. 

[29] The services PSOs provide can vary, as long as the PSO meets the 
requirement that across all the providers it serves, it performs the 
activities specified in the Patient Safety Act. 

[30] While many of the organizations that obtained listing as a PSO 
offered patient safety services prior to being listed, in order to 
remain listed as a PSO they must have a contract with more than one 
provider within each 24-month period that begins on the date the PSO 
was initially listed. 

[31] Three of the 17 PSOs said they will not require use of the common 
formats due to a lack of compatibility with their organization's model 
or the cost associated with adapting their existing system, and 3 
other PSOs said they did not yet know whether they would be requiring 
use of the common formats. 

[32] Westat provides research services under contract to government 
and private sector organizations. 

[33] The National Quality Forum is a nonprofit organization created in 
1999 to promote patient protections and health care quality through 
measurement and public reporting. 

[34] AHRQ has posted the common formats for hospitals at the following 
Web site: [hyperlink, https://www.psoppc.org/web/patientsafety]. 

[35] Root cause analysis involves in-depth analysis by individuals 
most familiar with the patient safety event to determine why the event 
occurred and what can be done to prevent it from occurring again. 

[36] The Iowa Foundation for Medical Care is a health care quality 
improvement and medical information management organization. 

[37] For example, if a patient experienced a rare type of patient 
safety event, it might be possible for identification to be made based 
on news sources or anecdotal information even if the record does not 
include the patient's name. To prevent such identification, 
appropriate adjustments must be made to the data. 

[38] IFMC officials stated that these experts include officials from 
the Census Bureau and the National Center for Health Statistics. 

[39] Patient safety data are only submitted to the NPSD if the 
provider elects to do so. 

[40] To conduct our literature review we used search terms relevant to 
the field of patient safety reporting systems, including terms such as 
patient safety, patient safety organizations, adverse events, 
database, or quality improvement. 

[41] Literature in the field of patient safety identified learning 
from a patient safety event, rather than blaming individuals for the 
event, as a key to supporting a culture of safety. According to the 
literature, a culture of safety holds people accountable for any 
deliberately unsafe acts in the health care they deliver but does not 
blame them for patient safety events that may have causes in the ways, 
or system, through which health care is delivered. 

[42] Common formats are one type of data collection protocol that can 
include a standardized summary of the necessary information to be 
submitted, common and consistent definitions, and a standardized 
computer interface for submitting data to the collection system. 

[43] To ensure that providers are able to correctly use the data 
collection protocols that systems provide to standardize data, 
representatives from all the systems said that they offer training or 
technical support to providers. System representatives said they used 
a range of training, including workshops on collecting patient safety 
data, written materials describing how to conduct root causes analyses 
of events, and Web-based reference guides for using a patient safety 
data collection system. 

[44] The Joint Commission is a nonprofit organization that develops 
standards for quality and safety in health care and accredits 
hospitals and other health care providers. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: