Understanding Patient Safety Organizations: A Practical Guide

If you work in the healthcare industry, you have likely heard about Patient Safety Organizations (PSOs) and the Patient Safety and Quality Improvement Act of 2005 (PSQIA). This article breaks down what these frameworks mean and how they can protect sensitive safety information from disclosure in litigation.

In 1999, the Institute of Medicine’s “To Err Is Human” report estimated that preventable medical errors caused up to 98,000 deaths annually in the United States.¹ Crucially, the report found that most errors stem from faulty systems rather than individual recklessness.² The traditional “culture of blame” in healthcare suppressed information sharing and hindered learning from mistakes. Congress recognized that providers needed to discuss safety concerns without fear of legal exposure.³ The PSQIA was enacted in 2005 to encourage a “culture of safety” through broad confidentiality and legal protections for voluntarily reported safety information.²

What Are Patient Safety Organizations?

PSOs are private or public entities authorized by the Secretary of Health and Human Services to collect, analyze, and aggregate data on patient safety events.⁴ They work collaboratively with providers, reviewing voluntarily reported data and proposing improvements.⁵ The Agency for Healthcare Research and Quality (AHRQ) regulates PSOs, with guidance in the Patient Safety Final Rule and regulations at 42 C.F.R. § 3.10-3.112.⁶ Organizations eligible to become PSOs include public or private entities, profit or nonprofit organizations, and provider entities such as hospital chains.⁷

Understanding Patient Safety Work Product

The PSQIA establishes robust legal protections for “patient safety work product” (PSWP), which includes data, reports, memoranda, analyses (such as root cause analyses), and statements assembled or developed for reporting to a PSO.⁸ Information qualifies as PSWP through three pathways: it is assembled by a provider and actually reported to a PSO; it is developed by a PSO for patient safety activities; or it constitutes the deliberations or analysis of a patient safety evaluation system.⁸ Litigation typically centers on the first “reporting pathway.”⁹

Once information qualifies as PSWP, it is privileged and confidential. PSWP may not be subject to subpoena, discovery in any civil, criminal, or administrative proceeding, disclosure under FOIA, or admission as evidence.¹⁰ Courts have held this privilege cannot be waived.¹¹ Importantly, deliberations and analysis within a patient safety evaluation system can be privileged even before reporting to a PSO, though the underlying information itself becomes protected only when actually reported.⁹ ¹²

Limited exceptions exist. Disclosure is permitted if authorized by each identified provider, or in criminal proceedings after in camera review determines the work product contains material evidence of a criminal act unavailable from other sources.¹⁰

Important Exceptions to Keep in Mind

PSWP does not include a patient’s medical record, billing and discharge information, or any other original patient or provider record.¹³ Information collected or developed separately from a patient safety evaluation system also falls outside the protection.¹³

The “dual purpose” exception is the most frequently invoked basis to compel disclosure. When state law requires mandatory reporting of certain information, that information is generally not protected as PSWP, even if also submitted to a PSO. Courts have held that records required by state regulations were not created solely for submission to a patient safety evaluation system.¹⁴ ¹⁵ ¹⁶ However, courts have recognized limits to this exception where reports were submitted to a PSO and were not required by state law.¹⁷ ¹⁸

Why This Matters

The PSQIA offers a powerful tool for improving patient safety while protecting sensitive internal analyses from discovery. When a facility reports root cause analyses and incident reviews to a PSO, it creates a protected space for honest examination of what went wrong.

The key to maximizing these protections is clear documentation. A patient safety evaluation system should be well defined, and information intended for PSO reporting should be kept separate from records maintained for other purposes.¹⁹ Courts have noted that providers should be prepared to explain when a report was created, why, and when and why it was provided to a PSO.²⁰

1. Institute of Medicine, To Err Is Human: Building a Safer Health System (2000).
2. 73 Fed. Reg. 8112-01.
3. S. Rep. No. 108-196, at *2-3 (2003).
4. 42 U.S.C. § 299b-21(4); H.R. Rep. No. 109-197, at 14.
5. 42 U.S.C. § 299b-23.
6. 73 Fed. Reg. 70732 (Nov. 21, 2008); 42 C.F.R. § 3.10-3.112.
7. 42 C.F.R. § 3.20.
8. 42 U.S.C. § 299b-21(7)(A).
9. 81 Fed. Reg. 32655-01.
10. 42 U.S.C. § 299b-22(a), (c).
11. Sunrise Hosp. & Med. Ctr., LLC v. Eighth Jud. Dist. Ct., 544 P.3d 241, 247 (Nev. 2024).
12. Hyams v. CVS Health Corp., 2019 WL 6727536, at *2 (N.D. Cal. Dec. 11, 2019).
13. 42 U.S.C. § 299b-21(7)(B).
14. Tibbs v. Bunnell, 448 S.W.3d 796, 809 (Ky. 2014).
15. Baptist Health Richmond, Inc. v. Clouse, 497 S.W.3d 759, 766 (Ky. 2016).
16. Charles v. S. Baptist Hosp. of Fla., Inc., 209 So. 3d 1199, 1216 (Fla. 2017).
17. Tallahassee Mem'l Healthcare, Inc. v. Wiles, 351 So. 3d 141, 150 (Fla. Dist. Ct. App. 2022).
18. Quimbey by Faure v. Cmty. Health Sys. Pro. Servs. Corp., 222 F. Supp. 3d 1038, 1044 (D.N.M. 2016).
19. 42 C.F.R. § 3.102(b); 42 U.S.C. § 299b-24.
20. Penman v. Correct Care Sols., LLC, 2020 WL 4253214, at *4 (W.D. Ky. July 24, 2020).